Further information has been released on two cyberattacks on healthcare organizations: Goodman Campbell Brain and Spine and Behavioral Health Group.
Goodman Campbell Brain and Spine Notifies 363,000 Patients About Public Release of PHI on Dark Web
Carmel, IN-based Goodman Campbell Brain and Spine has started notifying 363,000 current and former patients that some of their protected health information was stolen before data was encrypted with ransomware, and that some of the stolen data has been published on the gang’s dark web data leak site.
The cyberattack was discovered by Goodman Campbell on May 20, 2022, and a third-party digital forensics firm was engaged to determine the nature and scope of the breach. The investigation confirmed that the electronic medical record system was not affected, but files containing patients’ protected health information had been exfiltrated from its systems. The stolen files contained information such as names, birthdates, addresses, telephone numbers, email addresses, medical record numbers, patient account numbers, diagnosis and treatment information, physician names, insurance information, dates of service, and Social Security numbers.
The attack caused disruption to its IT and phone systems. In a June 17, 2022, update on the attack, Goodman Campbell said that its phone system had been restored, but its email system remained down. In a July 19, 2022, update, Goodman Campbell said all clinical operations had been resumed and all communication systems had been restored.
While not confirmed by Goodman Campbell, the attack was conducted by the Hive ransomware operation, which has attacked many healthcare providers in the United States. Goodman Campbell said that the data was available on the dark web site for a period of 10 days. Data breach notification letters from healthcare providers rarely state that data has been made available on the dark web, even though patients should be made aware of the fact to allow them to take appropriate precautions to protect their identities. Goodman Campbell has offered affected individuals a 12-month membership to a credit monitoring and identity theft protection service.
Behavioral Health Group Confirms Patient Data Potentially Compromised in December 2021 Cyberattack
Behavioral Health Group (BHG), the operator of more than 80 outpatient opioid treatment centers in 17 U.S. states, has recently confirmed that it suffered a data security incident in 2021. The cyberattack forced BHG to take its systems offline, which caused disruption to operations for almost a week. BHG explained at the time that patients at some of its clinics were prevented from receiving their prescribed take-home methadone/suboxone doses; however, treatments were provided daily at its clinics. BHG did not disclose the exact nature of the cyberattack or whether ransomware was used.
According to the BHG substitute breach notice, third-party cybersecurity experts were engaged to assist with the investigation, and it was confirmed that unauthorized individuals removed certain files from its systems on December 5, 2021. The breach notice does not state when access to its network was first gained.
A comprehensive review of files on the parts of the network that were accessed confirmed they contained full names, Social Security numbers, driver’s license numbers, state identification numbers, financial account information, payment card information, passport numbers, biometrics, health insurance information, medical diagnosis and treatment information, medications, dates of service, and medical record numbers.
BHG said it has found no evidence to suggest any misuse of the above information but has offered complimentary credit monitoring services to individuals whose Social Security numbers were potentially compromised.
The incident has not yet appeared on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected. BHG said the breach did not affect all patients.
The post Updates on Cyberattacks on Goodman Campbell Brain and Spine and Behavioral Health Group appeared first on HIPAA Journal.