Pittsburg, PA-based Highmark Health, the second largest integrated delivery and financing system in the U.S., has recently announced that an unauthorized individual has accessed the email account of one of its employees following a response to a phishing email. After the employee clicked the link in the email and disclosed their credentials, the account was accessed remotely by an unauthorized third party who potentially viewed and exfiltrated emails and attachments from the account.
The unauthorized account activity was detected by Highmark Health on December 15, 2022, with the initial compromise occurring on December 13, 2022. A review of the emails and attachments revealed they contained the protected health information of health plan members, such as group name, identification numbers, claim numbers, dates of service, procedures, prescription information, addresses, phone numbers, email addresses, and financial information. The Social Security numbers of a subset of individuals were also exposed.
When the breach was detected, the affected mailbox was immediately deactivated, network blocking was implemented, and passwords were reset. Email security controls have also been enhanced and further training has been provided to employees on how to identify phishing attempts and other cyber threats. While no evidence of misuse of the affected data has been identified, affected individuals are being offered complimentary credit monitoring and identity theft protection services, irrespective of whether their Social Security numbers were involved.
According to the data breach notice sent to the Maine Attorney General, up to 300,000 individuals have been affected, including 2,774 Maine residents. Notification letters are being mailed on February 13, 2023.
Cardiovascular Associates Reports Cyberattack Involving Data Theft
On December 5, 2022, Cardiovascular Associates (CVA) in Birmingham, AL discovered suspicious activity within its computer systems. The systems were isolated while the potential intrusion was investigated, with the forensic analysis confirming hackers first gained access to its IT environment on November 28, 2022. Between that date and December 5, files containing patient data were exfiltrated from its systems.
The review of the affected files confirmed they contained names, dates of birth, addresses, Social Security numbers, health insurance information, medical and treatment information, billings and claims information, passport numbers, driver’s license numbers, credit/ debit card information, and financial account information and, for a limited number of individuals, usernames and passwords. CVA said its systems were secured as soon as the unauthorized activity was detected and its security and monitoring capabilities have been improved to prevent similar breaches in the future. Affected individuals have been offered complimentary credit monitoring and identity restoration services.
The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.
Patient Data Potentially Stolen in Cyberattack on Aspire Surgical
UT Specialty Dental Services, PLLC, which operates several oral and maxillofacial surgery centers in Utah under the name, Aspire Surgical, has recently confirmed it was the victim of a cyberattack in December 2022, which may have involved unauthorized access to and the theft of sensitive patient data.
The cyberattack was detected on December 7, 2022, and third-party cybersecurity experts were immediately engaged to contain, assess, and remediate the attack. The investigation confirmed the attackers had access to parts of its IT environment that contained patient data such as names, patient account numbers, dates of service, and amounts paid. Medical treatment records, Social Security numbers, and financial information were not exposed.
While no evidence has been found to indicate any misuse of patient data, affected individuals have been offered complimentary credit monitoring and identity theft protection services. Aspire Surgical has reviewed and enhanced its data security policies and procedures to protect against similar security breaches in the future.
The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.
The post Highmark Health Phishing Attack Affects 300,000 Patients appeared first on HIPAA Journal.