In an update to its initial September 2021 breach notice, Smile Brands has assessed that the ransomware attack and subsequent data theft impacted approximately 2.6 million individuals. Smile Brands is a dental support services vendor.
Smile Brands reported the incident to the Department of Health and Human Services Office for Civil Rights on June 24, 2021, as impacting 199,683 individuals. The latest filing with the Maine Attorney General’s office shows the updated breach tally as 2,592,494 individuals, including employees.
As previously disclosed, a ransomware attack deployed on April 24, 2021, led to the access of certain systems containing personal data. Access was promptly terminated and law enforcement was notified.
The investigation that followed found that the attacker exfiltrated certain data ahead of the deployment of ransomware. The data included names, contact details, Social Security numbers, financial information, government-issued IDs, and/or personal health information.
At the time, Smile Brands notified the impacted individuals that the investigation was ongoing. The vendor has since bolstered its monitoring capabilities and security safeguards. According to SC Media’s tally, the Smile Brand incident was the fourth-largest healthcare data breach of 2021.
“Period of unauthorized access” at ARCare impacted patient data
ARCare in Arkansas recently began notifying 345,353 patients that their data was compromised during a “malware infection” that impacted its systems and temporarily disrupted some services. Despite the description, ransomware is not mentioned in the notice.
The investigation into the incident determined a hacker accessed and possibly acquired some patient data “during a period of unauthorized access” to the computer systems for more than a month between Jan. 18 and Feb. 24. The notice does not explain when the attack was first discovered.
ARCare conducted a review of the impacted data, which concluded on April 4. The potentially stolen data varied by patient and could include both medical and personal information, such as names, SSNs, driver's licenses or state IDs, dates of birth, financial account details, treatments, prescriptions, diagnoses or conditions, and health insurance data.
A team of third-party specialists has since helped ARcare enhance its systems security. ARcare is currently reviewing its existing policies and procedures, in addition to implementing internal training protocols to prevent a recurrence.
511K Adaptive Health patients reports October 2021 hack
The data of 510,574 Adaptive Health Integrations patients was possibly accessed during a systems hack in October 2021. The lengthy gap in notification was caused by an “extensive investigation and an internal review” that did not conclude until Feb. 23, 2022.
Under The Health Insurance Portability and Accountability Act, covered entities are required to notify patients of breaches to protected health information within 60 days of discovery, not after the conclusion of an investigation.
The notice does not detail the specific cause of the incident, just that it discovered the attacker accessed a limited amount of data stored on the AHI systems on Oct. 17, 2021. Upon discovery, the response team disable the actor’s access to contain the threat and launched an investigation with assistance from an outside cybersecurity firm.
The investigation determined the accessed data included patient names, dates of birth, SSNs, and contact information. Not all AHI patients were affected by the incident.
Illinois Gastroenterology reports possible October 2021 data theft
Exhibiting a similar attack timeframe and lag in notification as AHI, Illinois Gastroenterology Group recently began notifying an undisclosed number of patients that their data was potentially accessed or stolen during a systems hack in October 2021.
On Oct. 22, IGG discovered unusual network activity, which prompted an investigation with support from third-party cybersecurity specialists. About one month later, the team confirmed that the attacker gained access to certain IGG systems containing patient data, which may have been accessed or exfiltrated by the actor.
A review of the data concluded on March 22, which found the data impacted during the incident included names, SSNs, dates of birth, contact details, driver’s licenses, passports, financial account details, payment cards, employer-assigned identification numbers, medical data, and biometric data.
IGG has since enhanced its network security policies and procedures, while accelerating an ongoing enhancement of its managed security operations center.
Minnesota dental plan reports phishing-related breach
On April 15, HealthPlex notified 76,262 patients that their data was compromised after a successful phishing attempt against an employee in November 2021. HealthPlex is a dental plan provider based in Eagan, Minnesota.
The notice describes the incident as an employee falling victim to a phishing attack, which provided the hacker with access to their email account on Nov. 24, 2021. It’s unclear when the attack was launched, but the account was secured upon discovery and an investigation was launched to determine the scope of the incident.
A comprehensive review of the data contained in the account determined that the potentially accessed data included patient names, contact details, SSNs, dates of birther, member ID numbers, plan affiliation, dates of service, provider names, billed/paid amounts, prescriptions, banking details, credit cards, and a host of other sensitive information.
The lack of timely notice is likely tied to the extensive investigation. Healthplex has since bolstered the security of its environment.
Email hack of Contra Costa County, California impacts medical data
Contra Costa County, California recently began notifying certain individuals that the hack of several employee email accounts led to the access and potential theft of personal and medical data.
Upon discovering unusual activity, the impacted email accounts were secured. The subsequent investigation found that an actor accessed the accounts on various occasions for over a month between June 24, 2021, and Aug. 12, 2021. The notice does not detail when the incident was discovered, just that the investigation concluded on March 11, 2022.
The investigating team couldn’t determine whether the emails or attachments were accessed or downloaded by the attackers, nor were they able to rule out the possibility. The accounts contained a range of data tied to county employees and individuals who communicated with the county’s employment and human services department.
The data could include SSNs, driver’s licenses or state-issued IDs, financial account numbers, passport numbers, and medical data and/or health insurance information.