Ransomware, Email security, Breach

Family Medical informs 234K patients of possible data compromise


Family Medical Center Services recently informed 233,948 patients that their data was potentially compromised after a “network data security incident” on July 26. FMC is a network of 75 primary care clinics in Amarillo and Canyon, Texas.

Upon discovering the incident, FMC deployed measures to stop the proliferation and launched an investigation. The forensics did not show whether any information was “specifically accessed for misuse.” However, patients were told it was possible their data was exposed as a result of the “attack.”

The compromised data included names, Social Security numbers, contact details, and protected health information. All impacted patients will receive identity monitoring services. The brief notice contains no further details on the threat behind the attack.

FMC is “continuously improving the security of our network environment by monitoring the evolving cybersecurity landscape and taking appropriate actions.” 

WellMed informs 11K patients of insider wrongdoing

In a notice sent to 10,506 patients in the Dallas-Fort Worth area, WellMed reported that a provider obtained some patient medical records with the intent to contact those individuals to join the provider’s new clinic between Feb. 6 and May 17. The individual was no longer an employee at the time of discovery.

The data included demographic details, contact information, health insurance data, medical record numbers, provider names, diagnoses, treatments, prescriptions, and lab results. No SSNs, financial account details, or driver’s licenses were involved.

Upon discovering the unauthorized disclosure, WellMed launched an investigation and identified the impacted information, while confirming the information was secured. WellMed also ensured the data was returned or deleted by the provider and “stopped further unauthorized outreach to patients based on the use of the information.” 

“We have also recovered all the information,” officials stressed. However, WellMed is advising the impacted patients to regularly monitor healthcare statements for any unfamiliar activity. And “any suspicious activity should immediately be reported to their health plan or other relevant institution.”

The physician’s removal of WellMed patient records without authorization is prohibited by the Health Insurance Portability and Accountability Act, as well as state privacy statutes and WellMed’s internal policies and employment agreements. WellMed has notified the relevant authorities.

In response to the incident, WellMed is reinforcing its existing policies and practices with employees, in addition to evaluating its safeguards to prevent a recurrence.

Mental health provider reports hack of employee email accounts

The hack of multiple employee email accounts at Tessie Cleveland Community Services in July possibly led to the exposure of information tied to 9,747 patients.

In an incident first discovered on July 20, an unknown actor accessed information from some email accounts. Tessie began working with an outside cybersecurity firm to assess the scope of the incident and found the accounts were hacked for about two weeks between June 17 and June 30.

The accounts contained patient names, demographic details, health insurance identification numbers, limited care data, and some SSNs. The forensics determined it was likely the email hack was meant as an attempt to conduct business fraud and not to compromise patient data. However, access could not be ruled out.

Tessie is offering patients free credit monitoring services and has since deployed additional measures to its network and email environment.

Data accessed during cyberattack on Neurology Center of Nevada

A cyberattack launched against Neurology Center of Nevada on July 17 caused certain systems to become inaccessible. The investigation into the incident found the data of 11,700 patients was accessed by the attacker.

After discovering the attack, NCN worked quickly to restore access to the impacted systems that contained patient information to “continue patient care without disruption.” The forensics showed that the intrusion began five days before the attack was deployed, which enabled the actor to access certain files containing patient information.

NCN is still conducting a comprehensive review to determine just what information was contained in the affected systems and the patients involved. For now, the evidence shows the impacted data varies by patient and may include names, SSNs, dates of birth, gender, contact information, driver’s licenses, health insurance details, and medical data, like diagnoses, treatments, medications, and lab results.

The provider is currently reviewing its policies and procedures, while bolstering its administrative and technical safeguards. The incident has also been reported to federal law enforcement.

Northern California Fertility Medical Center discloses possible data compromise

An undisclosed number of patients tied to Northern California Fertility Medical Center were recently notified that their protected health information was potentially compromised after a “network security incident” on July 24, where a threat actor infiltrated the network and attempted to encrypt data.

Upon discovering the intrusion, NCFMC immediately shut off all access to the network and launched an investigation with support from an outside IT security and forensic specialist firm. The evidence did not suggest any data misuse, but all affected patients were notified due to the network compromise. 

The impacted data included patient names, status of ultrasounds performed at NCFMC, and/or the cryopreserved tissue stored at NCFMC. The provider did not find evidence that its medical record system was compromised during the incident and does not store SSNs or credit card information on its servers.

NCFMC reported the attack to law enforcement and has since reviewed and modified the tools, policies, and procedures for the security of its systems and servers.

After misconfiguration, QM Services reports plan member exposure

A notice from QM Services, the third-party consultant of the Maryland Institute College of Art’s student health insurance compliance program, shows the personal and health information of certain students who use these services was exposed due to a misconfiguration that inadvertently made the private data publicly available.

QM first discovered the exposure on May 13 and took steps to correct the error. The subsequent investigation, conducted with assistance from a third-party investigative firm, determined MICA’s health insurance data was indeed exposed from the time it was provided to QM until the error was corrected on May 14.

The notice does not detail when the error was first made, just that there were multiple systems impacted by the configuration error. Further, the forensics could not rule out access or exfiltration of the data. As such, QM performed a review of the systems’ contents that concluded on Sept. 9. QM did not disclose the impacted data in its notice filed with the Montana Attorney General’s office.

QM has since confirmed the security of the impacted systems and reviewed its policies and procedures, while adding measures to its information security.

Columbia River Mental Health Services reports yearlong email hack

The data of an undisclosed number of patients tied to Columbia River Mental Health Services in Washington was potentially accessed after a nearly yearlong hack of multiple employee email accounts.

The notice does not explain when the access was first discovered, just that CRMHS detected “suspicious activity related to certain CRMHS email accounts” and launched an investigation with support from a third-party forensic firm. The investigation determined the account access occurred between May 14, 2021, and April 8, 2022.

The determination led to a systematic review of the impacted accounts to verify the scope and just what information was contained in the accounts. The investigation could not conclusively determine or rule out whether the data was actually accessed by the hacker.

The scope of the incident was confirmed on Aug. 26. The review found the affected data varied by patient and could include SSNs, dates of birth, contact details, driver’s license numbers, medical data, health insurance information, financial account details, and usernames and passwords.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
