Two HIPAA-regulated entities have recently started notifying individuals whose protected health information was potentially compromised in cyberattacks that occurred more than 12 months ago, including one where it took 18 months to notify affected individuals that their protected health information had been accessed and potentially acquired.
Comprehensive Health Services Notifies 94,449 Patients About September 2020 Cyberattack
Comprehensive Health Services, a Cape Canaveral, FL-based provider of workforce medical services and subsidiary of Acuity International, has recently announced it was the victim of a cyberattack that was detected on September 30, 2020.
The security incident came to light after multiple fraudulent wire transfers had been made from its accounts. Third-party forensics experts were engaged to determine the extent of the security incident, secure its digital environment, identify how the attacker gained access to its systems, and establish whether any sensitive data had been exfiltrated from those systems.
Comprehensive Health Services explained in its breach notification letter to the Maine Attorney General that it determined on November 3, 2021, that the personal information of a limited number of individuals employed by one of its customers may have been accessed and stolen in the attack. Notification letters were sent to those affected individuals on February 15, 2022. Those individuals have been offered either 12 or 24 months of credit monitoring and identity theft protection services. It is unclear why it took 15 months to determine protected health information had been compromised, and then a further three months to send notification letters to affected individuals.
According to the breach report sent to the Maine Attorney General, the protected health information of 94,449 individuals was potentially compromised.
Minimally Invasive Surgery of Hawaii Notifies Patients About February 2021 Cyberattack
Orthopedic Associates of Hawaii, All Access Ortho, and Specialty Suites, doing business as Minimally Invasive Surgery of Hawaii (MISH), has started notifying patients who were affected by “a recent event” in which their protected health information may have been compromised.
The recent event was a ransomware attack that was detected on February 19, 2021. According to the breach notifications, the threat actor encrypted data on systems that contained patient data. Steps were taken to quickly restore data and determine whether the unauthorized actor accessed or obtained files containing patient data.
MISH said the investigation confirmed on or around April 2, 2021, that the attacker accessed its systems between February 12, 2021, and February 19, 2021, and obtained limited data. A review was then conducted to determine which patients had been affected and the types of data that had been obtained, and then the contact information of those individuals had to be confirmed.
Notification letters dated February 19, 2021, were sent to the California attorney general, although the breach was reported to the HHS’ Office for Civil Rights in April 2021. The breach report states 500 individuals have been affected, although 500 is often used as a placeholder until the final total of affected individuals is known. This post will be updated should the breach total change.
MISH said the following types of information had been compromised: full names, addresses, dates of birth, medical treatment and diagnosis information, health insurance information, and a limited number of Social Security numbers. No evidence has been found to indicate any misuse of patient data. Affected individuals have been offered complimentary credit monitoring and identity theft protection services.
MISH said it reviewed its policies and procedures and has implemented additional administrative and technical safeguards to improve security.
The post Notifications Recently Sent to Alert Individuals About September 2020 and February 2021 Cyberattacks appeared first on HIPAA Journal.