The protected health information of 1,271,642 individuals has been exposed and potentially stolen in two healthcare hacking incidents that were recently been reported to the Department of Health and Human Services’ Office for Civil Rights.
PHI of 688,000 Individuals Compromised in Sea Mar Community Health Centers Hack
Sea Mar Community Health Centers is a nonprofit community-based provider of health, human, housing, educational, and cultural services to underserved communities in Washington state.
On June 24, 2021, Sea Mar learned sensitive data had been exfiltrated from its IT systems by an unauthorized individual. Assisted by a leading third-party cybersecurity firm, Sea Mar determined its systems had been accessed between December 2020 and March 2021. According to the breach notice posted on its website, a review was conducted of the information potentially stolen from its network, which confirmed the following data types had been stolen:
Name, address, Social Security number, date of birth, client identification number, diagnostic and treatment information, insurance information, claims information, and/or images associated with dental treatment.
Sea Mar said the process of collecting the contact information required to issue notification letters to affected individuals was completed on August 30, 2021. Two months after obtaining the contact information, notification letters were sent to affected individuals. The notification sent to the Maine Attorney General indicates breach notification letters were sent between October 29, 2021, and November 5, 2021.
Sea Mar said it is not aware of any evidence of the misuse of information stolen in the incident, but has offered credit monitoring, identity theft protection, and fraud consultation services to individuals whose Social Security number was involved.
No mention is made in the breach notification letters about the stolen data being listed for sale on Marketo. Marketo is a darknet marketplace where stolen data are offered for sale. Marketo is not a ransomware-affiliated marketplace, although data stolen in ransomware attacks have previously been listed for sale on the site, including the data stolen in the Navistar ransomware attack.
The post on Marketo claims 3TB of data were exfiltrated in the attack, including emails, photographs, contact information, and photographs of agreements. The date of notification provided by Sea Mar corresponds with the date DataBreaches.net notified Sea Mar of the listing on Marketo.
Utah Imaging Associates Reports 583,643-Record Data Breach
On November 3, 2021, Utah Imaging Associates reported a data breach to the HHS’ Office for Civil Rights that involved the protected health information of 583,643 individuals. The breach has been listed as a hacking/IT incident involving PHI stored on a network server.
There is currently no mention of the data breach on the Utah Imaging Associates’ website, the breach has not been covered by the media at this stage, and the incident has not appeared on the websites of state attorneys general that publish breach summaries, so the nature of the Utah Imaging Associates data breach is currently unclear.
This post will be updated with further information as and when it becomes available.
The post PHI of 1.27 Million Patients Compromised in Two Healthcare Data Breaches appeared first on HIPAA Journal.