Freehold Township, NJ-based CentraState Healthcare System has recently confirmed that its network was compromised by unauthorized individuals in December 2022. Unusual activity was detected within its computer systems on December 29, and immediate action was taken to isolate the network and block unauthorized access. CentraState has been working with the Federal Bureau of Investigation and independent cybersecurity experts to investigate the breach and has determined that the unauthorized party exfiltrated a copy of an archived database that contained the protected health information of patients.
The database included the following information: names, addresses, dates of birth, Social Security numbers, health insurance information, medical record numbers, and patient account numbers. It also included some information related to care received at CentraState, such as date(s) of service, physician names and departments, treatment plans, diagnoses, visit notes, and prescription information. CentraState said it continually enhances the security of its electronic systems and will continue to do so, and will also implement additional safeguards to prevent future attacks. Notification letters started to be sent to affected individuals on February 10, 2023, and complimentary credit monitoring and identity theft protection services have been offered to individuals who had their Social Security number exposed.
The incident has been reported to the HHS’ Office for Civil Rights but is not yet showing on the HHS Web Breach Portal, so it is currently unclear how many individuals have been affected. NJ.com has reported that the breach has affected approximately 671,000 patients of CentraState Medical Center.
Skin MD Reports Temporary Exposure of Paper Records
Skin MD, a Massachusetts-based provider of cosmetic and laser skin care treatments, has recently reported a data breach to the HHS’ Office for Civil Rights that has affected 7,558 patients. The breach involved paper records that were stored in a secured, off-site storage facility, which Skin MD learned had been disposed of in a non-secure manner on November 12, 2022.
Skin MD said a good Samaritan notified authorities about the improper disposal on November 14, 2022, and a law enforcement agent collected the records. Those records have been collected by Skin MD and are now secured. The records were unsecured for 2 days, during which time it is possible they were viewed by unauthorized individuals, although no evidence of theft, unauthorized access, or tampering has been discovered.
The records contained demographic information, medical information, Social Security numbers, and financial information. Affected individuals are now being notified and have been offered 24 months of complimentary credit monitoring and identity theft protection services.
Phishing Attack on Vitra Health Affects 1,600 Patients
The Braintree, MA-based home health service provider, Vitra Health, has notified 1,618 patients that some of their protected health information has been exposed and potentially stolen. On December 8, 2022, Vitra Health discovered an employee email account had been accessed by an unauthorized individual. The investigation revealed access was gained following a response to a phishing email on December 6. The account was immediately secured, and the forensic investigation confirmed only one email account was compromised.
A third-party review of the account confirmed it contained information such as names, addresses, dates of birth, phone numbers, referral information, diagnoses, and Health Plan ID numbers. Vitra Health has implemented additional email security measures, provided further workforce training, and engaged a third-party firm to conduct a HIPAA risk assessment.
California Department of Social Services Discovers Insider Breach
The California Department of Social Services (CDSS) has recently notified certain individuals about an insider wrongdoing incident involving their Social Security numbers. On January 6, 2023, the CDSS discovered an employee had emailed a document to a personal email account that contained individuals’ first and last names, Social Security numbers, and bargaining unit numbers. The employee in question was immediately contacted and told to delete the email, and the employee complied with that request.
The CDSS said it is in the process of implementing additional security controls to prevent similar incidents in the future. No reason was provided as to why the document was emailed, nor details of the sanctions in relation to the incident. It is currently unclear how many individuals have been affected.
The post Hacking and Data Theft Incident Reported by CentraState Healthcare System appeared first on HIPAA Journal.