Gateway Rehabilitation Center Reports Cyberattack Affecting 130,000 Patients

November 25, 2022

Pennsylvania-based Gateway Rehabilitation Center (Gateway Rehab) has recently announced that it experienced “an incident disrupting access to certain systems.” The incident in question was detected by Gateway Rehab on June 13, 2022. Immediate action was taken to prevent further unauthorized access to its systems and a digital forensics firm was engaged to investigate the breach. The forensic investigation concluded on July 8, 2022, that the individuals behind the attack may have accessed or obtained patients’ information. The breach has recently been reported to the HHS’ Office for Civil Rights as involving the protected health information of up to 130,000 patients.

The types of information compromised in the attack included names, birth dates, Social Security numbers, driver’s license numbers, state ID numbers, financial account and/or payment card numbers, medical information, and health insurance information. While Gateway Rehab did not disclose the exact nature of the attack, it was a BlackByte ransomware attack. Samples of files stolen in the attack were posted on the group’s data leak site, as confirmed by databreaches.net.

According to Gateway Rehab, the review of all affected files was completed on September 21, 2022, and patients were notified on November 18, 2022. The substitute breach notice on the Gateway Rehab website makes no mention of credit monitoring and identity theft protection services. Gateway Rehab did state that steps have been taken to prevent similar incidents in the future.

Former Kaiser Permanente Employee Impermissibly Accessed Patient Information

Kaiser Foundation Health Plan of the Mid-Atlantic States, Inc. has recently announced that an employee was discovered to have impermissibly accessed the protected health information of certain Kaiser Permanente patients. The unauthorized access was detected on September 21, 2022, with the investigation confirming that parts of the medical records of 8,556 patients had been accessed by the employee outside the scope of their job functions.

The types of information accessed included demographic information such as names, medical record numbers, addresses, email addresses, telephone numbers, birth dates, and some medical information, including medical images. Social Security numbers and financial information were not viewed.

According to the substitute breach notice, the individual is no longer employed by Kaiser Permanente and the investigation found no evidence to suggest that any of the viewed information was copied, misused, or further disclosed. Kaiser Permanente says it is reviewing its policies and procedures concerning access to patients’ medical records.

Impermissible Disclosure of PHI Reported by Yakima Neighborhood Health Services

Yakima Neighborhood Health Services (YNHS) in Washington state has recently reported an incident that resulted in an impermissible disclosure of the protected health information of 2,689 individuals. On October 4, 2022, a file containing patient information was mistakenly distributed to an individual who was not authorized to receive the information. The file contained information such as names, birth dates, medical record numbers, and treatment locations.

YNHS said that as soon as the incident was detected, steps were taken to ensure the misdirected file was deleted, and there are no indications that any of the information in the file has been misused. It took until November 10, 2022, to verify up-to-date contact information for affected individuals, and they have now been notified about the privacy breach. Steps have also been taken to prevent incidents such as this from occurring in the future.

DOCS Medical Group Victim of Ransomware Attack

DOCS Medical Group in Connecticut has recently confirmed that the protected health information of up to 3,146 individuals was potentially compromised in a ransomware attack. The attack was detected on September 7, 2022, and was rapidly blocked; however, the server that was attacked contained the protected health information of patients, including names, contact information, medical histories, reason for visiting, Social Security numbers, health insurance information, and some financial information. DOCS Medical Group said its electronic medical record and billing systems were not affected, and medical services were unaffected by the incident.

The post Gateway Rehabilitation Center Reports Cyberattack Affecting 130,000 Patients appeared first on HIPAA Journal.