The weekly SC Media healthcare data breach roundup includes multiple incidents reported outside the 60-day requirement outlined in HIPAA.

Practice Resources recently notified 942,138 patients that their data was accessed or stolen ahead of a ransomware attack deployed in April. The New York-based vendor provides billing and professional services to a range of healthcare entities. 

Its notice does not explain the delay in notification. Under the Health Insurance Portability and Accountability Act, covered entities and business associates are required to inform patients within 60 days of discovering a breach of protected health data and without undue delay.

The ransomware attack was launched against Practice Resources on April 12, prompting the vendor to secure the systems and investigate the incident. The vendor found that personally identifiable information and health data were likely subject to access and/or acquisition. The exposed data included names, contact details, dates of treatment, and health plan or medical record numbers.

All impacted patients will receive up to two years of free credit monitoring and related services. Practice Resources has since enhanced its existing cybersecurity and intends to implement additional measures.

Approximately 28 healthcare providers were affected by the security incident. It joins at least three other vendor breaches reported within the last month alone that affected dozens of providers, including the ransomware attack on vendor OneTouchPoint, which involved data from more than 326,000 Aetna ACE patients.

Data of 97K patients accessed amid cyberattack on iCare vendor

A cyberattack on Onyx led to access to the health information of 96,814 patients tied to Independent Care Health Plan, or iCare, a wholly owned subsidiary of Humana. Onyx is contracted with iCare to help patients access their health information.

First discovered on June 28, a cyberattack blocked access to Onyx’s systems for more than a week until July 7. A subsequent investigation, conducted with support from an outside security firm, found “a server may have been removed or accessed” beginning several months prior on March 29.

Onyx discovered the patient data was accessed on July 15; the data included names, dates of birth, contact information, iCare member and Medicare ID numbers, provider names, and dates of service. All affected patients are being offered two years of credit monitoring.

Karakurt threat actors steal data from Methodist McKinney Hospital

Earlier in August, Methodist McKinney Hospital, Methodist Allen Surgical Center, and Methodist Craig Ranch Surgical Center notified an undisclosed number of patients that their data was stolen during a systems hack by Karakurt threat actors.

The provider first discovered “unusual activity on certain systems” on July 5 and promptly took steps to secure the network. The investigation has since confirmed that the systems access allowed the attackers to copy certain files from the network for more than two months, between May 20 and July 7, when it was discovered.

Reports show Karakurt threatened to leak the data ahead of the notice issued to patients. As such, the investigation and response to the incident are ongoing. Methodist McKinney is still assessing what information was present in the impacted systems during the hack.

Currently, the hospitals are conducting a detailed review and will inform patients as they identify the stolen data. What’s known is that the data varies by patient and could include names, SSNs, dates of birth, contact details, medical histories, diagnoses, treatments, medical record numbers, and health insurance information.

The hospitals are reviewing and enhancing their existing security policies and procedures and intend to add further safeguards to bolster the protective measures for their data. The incident has been reported to law enforcement.

San Diego American Indian Health reports May data theft incident

Approximately 27,000 patients of San Diego American Indian Health Center were only recently notified that their data was accessed and potentially stolen during a cyberattack deployed in May. A two-month investigation into the incident may have caused the delay in notifications.

On May 5, SDAIHC first discovered the “sophisticated cybersecurity attack” on its digital network and worked to secure its digital environment. The provider also contacted the FBI and is cooperating with its investigation.

The subsequent forensic analysis was supported by a third-party cybersecurity firm, which found that a hacker accessed and obtained data from the network. The stolen data could include names, SSNs, driver’s licenses, state or tribal ID numbers, medical data, health insurance information, and/or dates of birth.

Patients are being offered complimentary credit monitoring and identity protection services. In response to the incident, SDAIHC implemented additional security measures to reduce the risk of a recurrence.

Lamoille Health ransomware incident spurs data theft for 59K

The data belonging to 59,381 patients was accessed and possibly stolen ahead of a ransomware attack on Vermont-based Lamoille Health Partners on June 13.

The malware locked the provider out of some of its files during the attack, with LHP using its established protocols to maintain care as it began to securely restore the impacted systems from backups. Law enforcement was also notified.

An investigation conducted with an outside cybersecurity firm confirmed that an attacker may have accessed or acquired “certain documents” from the LHP systems during a two-day hack. Those compromised documents contained Social Security numbers, dates of birth, contact details, health insurance information, and medical treatment details.

All patients whose SSNs were involved will receive complimentary identity protection and credit monitoring services.

Vendor breach impacts Lee County Emergency Medical Services

An undisclosed number of individuals tied to Lee County EMS are being informed that their data was compromised after a security incident at a former vendor. The EMS previously contracted with Intermedix for its ambulance billing service, an arrangement that lasted 15 years until September 2014.

A law firm hired by Intermedix, Smith, Gambrell & Russell (SGR), experienced a hack in August 2021 that led to client data being stolen from its IT systems. The investigation concluded in May 2022 and identified a “number of documents” that were taken from the network.

The review shows the data varied by individual and could include names, contact details, SSNs, driver’s license numbers, government IDs, and medical data, such as treatments, medical histories, and diagnoses.

The Lee County EMS staff received a notice on Aug. 4 that revealed a “customer data breach” tied to Intermedix was included in the breached data. Its own notice shows “of all the records the firm handled, less than 2% of the total may have been compromised.”

The EMS’ notice does not disclose why the law firm had data from a vendor it stopped using eight years ago, nor does the law firm detail why it delayed notifying individuals until long after the initial hack and data theft.

Business associate cyberattack leads to data access for 31K patients

A cyberattack against a business associate of St. Luke’s Health System enabled the attacker to potentially access the protected health information of 31,513 patients. The impacted vendor was tasked with statement processing and billing services for the Idaho health system.

The attack was launched and discovered in late May, but St. Luke’s was not informed of the breach until July 6. The notice does not disclose the type or duration of the attack and only informs patients of the types of data that could have been accessed, such as guarantor names, contact details, and ID numbers.

For patients, the accessed data could also include dates of birth, the last five digits of the Social Security number, description, dates, and location of services, provider names, patient account numbers, billing amounts, outstanding balances, payment due dates, and account status.

St. Luke’s has since “suspended all processing activities with the vendor,” while its security and compliance teams work with the vendor “concerning its internal investigation.” The impacted vendor has been working with the FBI, contracted with an outside forensics team to understand the scope of the incident, and implemented additional security improvements.