CareFirst Administrators (CFA) has notified 14,538 individuals about a phishing attack on its revenue cycle management vendor, Conifer. CFA was one of several healthcare organizations to be affected by the incident. A security breach was identified by Conifer in late March, with the investigation determining several Microsoft 365 had been accessed by unauthorized individuals between March 17 and March 22, 2022. CFA was informed about the breach on June 23, 2022.
One of the compromised email accounts was determined to contain the protected health information of CFA members, including names, addresses, birth dates, Social Security numbers, health insurance information, medical information, and billing and claims information.
Conifer said it has implemented additional security measures to better protect its Microsoft 365 email environment to reduce the risk of further breaches.
Legacy Health Identifies Insider Breach
Legacy Health in Oregon has recently reported a breach of the protected health information of 7,983 patients. According to the substitute breach notice, the Privacy Office learned on July 25, 2022, that an employee had saved files containing patients’ protected health information to external devices without authorization. An internal investigation was launched, and it was determined that the employee had transferred files containing patient data to a personal storage device via external drives and email.
The employee had access to patient data suspended while the investigation was conducted. In multiple interviews, the employee was unable to provide a valid work reason for those actions. A review of the files revealed they contained patients’ names, birth dates, medical record numbers, dates of service, provider names, health insurance information, diagnosis and/or treatment information, and some Social Security numbers. Patients started to be notified on November 23, 2022.
Legacy Health does not believe patient information has been further disclosed or misused, although patients have been advised to monitor their credit reports and account statements for signs of misuse of their data. Free credit monitoring services are being offered to affected patients. Legacy Health has reinforced training with its workforce regarding appropriate uses and disclosures of patient data.
Maryland Senior Living Facility Announces Data Breach
Blakehurst, a senior living facility in Towson, MD, has recently announced that the personal and protected health information of current and former employees and patients has potentially been compromised in a cyberattack. Around February 7, 2022, unusual activity was detected in its email environment. The forensic investigation determined several employee email accounts had been subjected to unauthorized access., and on August 4, 2022, Blakehurst confirmed that the email accounts contained patient data.
The review of emails and attachments was completed on September 20, 2022, and revealed names, dates of birth, medical information, Social Security numbers, health insurance information, driver’s license numbers, and financial account numbers had potentially been compromised. Affected individuals were notified about the breach on December 6, 2022, and have been offered complimentary credit monitoring and identity theft protection services and will be covered by a $1,000,000 identity theft insurance policy. Blakehurst said it has taken steps to improve the security of its email environment to prevent similar breaches in the future.
The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.
The post Data Breaches Reported by CareFirst Administrators, Legacy Health & Blakehurst appeared first on HIPAA Journal.