Two HIPAA-regulated entities have recently begun sending notifications to individuals whose protected health information (PHI) was likely compromised in cyberattacks that took place over 12 months ago. One entity took 18 months to inform affected individuals that their PHI was accessed and possibly stolen.
Comprehensive Health Services Informs 94,449 Patients Concerning September 2020 Cyberattack
Comprehensive Health Services, located in Cape Canaveral, FL, offers employee medical services. It is part of Acuity International, which recently reported a cyberattack that was discovered on September 30, 2020.
The security incident was detected after a number of fraudulent wire transfers were made using its accounts. Third-party forensics professionals were engaged to determine the extent of the security incident, secure its digital environment, and establish how the attacker gained access to its systems and whether any sensitive data was copied from those systems.
Comprehensive Health Services stated in its breach notice to the Maine Attorney General that it determined on November 3, 2021, that the personal information of some people hired by one of its clients could have been viewed and exfiltrated in the attack. The provider mailed notification letters to the affected individuals on February 15, 2022, and offered them either 12 or 24 months of credit monitoring and identity theft protection services. It is unknown why the company took 15 months to confirm the compromise of protected health information, and then an extra three months to send notification letters to affected individuals.
According to the breach report submitted to the Maine Attorney General, the PHI of 94,449 persons was likely affected.
Minimally Invasive Surgery of Hawaii Alerts Patients Regarding February 2021 Cyberattack
Orthopedic Associates of Hawaii, All Access Ortho, and Specialty Suites, dba Minimally Invasive Surgery of Hawaii (MISH), have begun notifying patients who were affected by an incident that led to the breach of their PHI.
The incident was a ransomware attack detected on February 19, 2021. According to the breach notifications, the attacker encrypted data on systems that contained patient information. Steps were taken to quickly restore records and determine whether the unauthorized actor accessed or obtained files containing patient information.
MISH stated that the investigation determined on or around April 2, 2021, that the threat actor accessed its systems between February 12, 2021, and February 19, 2021, and acquired a limited number of files. An analysis was then performed to determine which patients were affected and the types of data that were acquired, after which the contact information for those individuals had to be verified.
Notification letters dated February 19, 2021, were mailed to the California attorney general, although the breach report was sent to the HHS’ Office for Civil Rights in April 2021. According to the breach report, 500 persons were affected, although 500 is commonly used as a placeholder until the final total of affected individuals is known.
MISH said the following types of data were exposed: full names, addresses, birth dates, medical treatment and diagnosis details, health insurance data, and a small number of Social Security numbers. No evidence has been found of misuse of patient information. Affected individuals were offered free credit monitoring and identity theft protection services.
MISH said it has reviewed its policies and procedures and put in place additional administrative and technical safeguards to strengthen security.