More Than 233,000 Patients Affected by Cyberattack on FMC Services

By | October 3, 2022

FMC (Family Medicine Centers) Services, an Amarillo, TX-based network of primary care clinics in Amarillo and Canyon, has recently announced it was the victim of a hacking incident that was detected and blocked on July 26, 2022. A forensic investigation was conducted by a third-party cybersecurity firm to determine the nature and scope of the attack. That investigation did not uncover any evidence to suggest the cyberattack was conducted with a view to misusing patient information; however, files containing patients’ protected health information were exposed and may have been viewed. FMC Services said that at the time of issuing notifications to affected individuals, it had not been made aware of any cases of identity theft or other misuses as a result of the incident.

A comprehensive review of the exposed files confirmed they contained information such as names, mailing addresses, birth dates, and Social Security numbers, and potentially other types of protected health information. Affected individuals have been offered a complimentary membership to an identity theft monitoring service as a precaution.

FMC Services said cybersecurity is taken very seriously and steps are continuously made to improve security to protect against evolving cyber threats, and appropriate actions will be taken in response to this data security incident to further improve its security posture. The incident was reported to the HHS’ Office for Civil Rights as affecting up to 233,948 patients.

Geisinger & Seattle Children’s Hospital Affected by Ransomware Attack on Mail Service Vendor

Danville, PA-based Geisinger Health System and Seattle Children’s Hospital in Washington have both announced that they have been affected by a ransomware attack on their mail service vendor, Kaye-Smith.

Geisinger uses VisitPay for its online billing services, and VisitPay uses the marketing vendor Kaye-Smith. In Late May 2022, Kaye-Smith suffered a ransomware attack that rendered data in its systems unavailable. After conducting an investigation into the attack and a risk assessment, Kaye Smith determined that the threat actors behind the attack potentially accessed and obtained files that contained information provided by its clients for use in marketing and communications campaigns.

Geisinger and Seattle Children’s were notified in September that the data of their patients had potentially been compromised. Geisinger said names, addresses, medical record numbers, dates of service, and payment installment plans had potentially been compromised. Seattle Children’s said the breach involved names, addresses, provider names, medical record numbers, visit details, lab information, guarantor numbers, and the names of insurance carriers.

Kaye Smith, Geisinger, and Seattle Children’s said they are unaware of any cases of misuse of patient data as a result of the incident. Geisinger and Seattle Children’s are working with Kaye Smith to ensure new safeguards are implemented to prevent further security breaches, and Kaye Smith has offered credit monitoring services to affected individuals.

The breach was reported to OCR as affecting 6,750 Seattle Children’s Hospital patients and 2,857 Geisinger patients.

Johnson Memorial Hospital Victim of Malware Attack

Johnson Memorial Hospital in Stafford Springs, CT, part of Trinity Health of New England, has recently announced that the personal and protected health information of some of its patients has been exposed as a result of a malware infection at the Hartford, CT-based law firm, Reid and Riege.

The law firm detected the security breach on March 21, 2022, with the investigation confirming its systems were subjected to unauthorized access between March 21, and March 27, 2022. Johnson Memorial Hospital was notified about the incident on May 27, 2022. At the time of writing, it is unclear how many patients have been affected or the types of information potentially compromised in the attack.

The post More Than 233,000 Patients Affected by Cyberattack on FMC Services appeared first on HIPAA Journal.