235,000 Keystone Health Patients Affected by August 2022 Cyberattack

October 18, 2022

Chambersburg, PA-based Keystone Health has recently announced that it fell victim to a cyberattack on August 19, 2022, which caused temporary disruption to its computer systems. Steps were immediately taken to restore the security of its systems and prevent further unauthorized access, and a third-party cybersecurity firm was engaged to investigate the breach and determine how the hackers gained access to its systems and the scope of the breach.

The forensic investigation revealed the hackers first gained access to its systems on July 28, 2022, with access terminated on August 19. During that time, files were accessed that contained patients’ protected health information, including names, Social Security numbers, and clinical information. A comprehensive review of those files confirmed they contained the information of 235,237 patients.

Law enforcement was notified about the cyberattack and all affected individuals have been notified by mail. Credit monitoring services are being offered to eligible patients. Keystone Health said it is implementing additional security measures to prevent further incidents of this nature, and employees have been provided with additional security awareness training.

Lifespire Services Provides Update on February 2022 Cyberattack

Lifespire Services, a New York-based provider of services to people with developmental disabilities, has provided an update on a security incident that was first disclosed in April 2022. The incident in question was detected on February 8, 2022, and caused disruption to its computer systems. Lifespire engaged a digital forensics company that determined that unauthorized individuals had access to its systems between January 14, 2022, and February 8, 2022, and during that time patient information may have been accessed.

A comprehensive review was conducted on all files on the compromised parts of its network, and that process took until October 7, 2022. Lifespire confirmed that the protected health information of 15,375 patients was compromised, including names, addresses, Social Security numbers, dates of birth, driver’s license numbers, passport numbers, bank account information, credit card information, medical diagnosis/treatment information, Medicare/Medicaid numbers, and health insurance information.

Lifespire said it is unaware of any instances of misuse of patient data but has offered affected individuals free access to credit monitoring and identity protection services. Policies and procedures related to network security have also been updated in response to the data breach.

Investigations into data breaches and reviews of affected files can take several weeks or months. Lifespire should be commended for issuing a notification to patients about the attack in April, even though the file review had yet to be completed. Prompt notification is a requirement of the HIPAA Breach Notification Rule and is important for patients, as it allows them to take appropriate steps to protect themselves against misuse of their information. Many healthcare organizations wait until the document review is completed before announcing a breach, which could be several months after data has been stolen.

Patient Information Potentially Compromised in Phishing Attack on Presbyterian Healthcare Services

Albuquerque, NM-based Presbyterian Healthcare Services recently said the protected health information of 2,624 patients was stored in an employee email account that was accessed by an unauthorized third party following a response to a phishing email.

The security breach was detected on July 8, 2022, with the subsequent investigation determining a single email account was accessed intermittently between March 21, 2022, and July 8, 2022. A review of the account confirmed no financial information was compromised; however, there may have been unauthorized access to names, dates of birth, Social Security numbers, medical record numbers, health insurance information, and limited clinical information related to billing, such as diagnosis codes and treatment information.

The review of the account is ongoing, but notification letters have started to be sent to affected individuals. Complimentary credit monitoring and identity theft protection services have been offered to patients whose Social Security numbers were exposed. Additional security awareness training has been provided to the workforce and email security enhancements are being implemented.

This is not the first incident of this nature to be reported by Presbyterian Healthcare Services. In August 2019, a major email breach was reported that affected 1,120,629 patients. Just over a year later, a hacking incident resulted in the exposure of the PHI of 193,223 patients.

The post 235,000 Keystone Health Patients Affected by August 2022 Cyberattack appeared first on HIPAA Journal.