Four healthcare providers have recently announced their IT systems have been compromised and patient data may have been accessed.
Hacker Gains Access to Server of New York Psychotherapy and Counseling Center
New York Psychotherapy and Counseling Center (NYPCC), an NYC-based non-profit mental health services provider, has announced it was the victim of a cyberattack that was discovered on September 11, 2021.
Steps were immediately taken to secure its systems and prevent further unauthorized access and a third-party cybersecurity firm was engaged to conduct a forensic investigation to determine the nature and scope of the attack. NYPCC said its electronic medical record system was not compromised; however, the attacker is believed to have accessed some files on the server that contained patients’ protected health information.
A review of the files on the server revealed the following information may have been compromised: names, dates of service, addresses, Medicaid IDs, and dates of birth. NYPCC said it is committed to continually reviewing and updating its security protocols related to the protected health information of patients.
Affected individuals have been notified by mail and have been offered complimentary identity monitoring, credit monitoring, and other related services to protect them against any misuse of their information.
The incident has been reported to the HHS’ Office for Civil Rights, but it has not year appeared on the OCR breach portal, so it is currently unclear how many individuals have been affected.
The Urology Center of Colorado Network Accessed by Unauthorized Individual
The Urology Center of Colorado (TUCC) has discovered parts of its computer network have been accessed by an unauthorized individual. The security breach was detected and blocked on September 8, 2021, with the breach investigation confirming the attack started the previous day.
The compromised parts of its network were reviewed to determine whether any patient data may have been accessed. TUCC said the review found the following types of protected health information had been exposed: name, date of birth, Social Security number, address, phone number, email address, medical record number, diagnosis, treating physician, insurance provider, treatment cost, and/or guarantor name.
TUCC said account passwords were changed to prevent further unauthorized access and additional security measures are being considered to prevent further data breaches. Out of an abundance of caution, TUCC is offering complimentary credit monitoring and identity protection services to affected individuals.
The incident has been reported to the HHS’ Office for Civil Rights, but it has not year appeared on the OCR breach portal, so it is currently unclear how many individuals have been affected.
Mowery Clinic Alerts Patients About September 2021 Cyberattack
Mowery Clinic in Salina, KS, has started notifying certain patients about a cyberattack that was detected on September 14, 2021. Action was immediately taken to secure its systems and prevent further unauthorized access and a third-party cybersecurity firm was engaged to conduct a forensic investigation.
The forensic investigation confirmed the attacker had not accessed the electronic health record system, but malware had been deployed that allowed the attacker to access and acquire documents that contained employee and patient information.
At this stage of the investigation, no evidence has been found of any actual or attempted misuse of patient data. The types of information potentially obtained include names, addresses, dates of birth, medical information such as office/diagnostic notes, and a limited number of Social Security numbers. In some cases, information about an employee’s spouse, dependents, beneficiaries, or minor children may have been compromised.
The clinic is still investigating the incident to determine exactly how access to its network was gained. Appropriate measures will be implemented to prevent similar breaches in the future.
Prairie Lakes Healthcare System Says Hacker Gained Access to Some of Its IT Systems
Watertown, S.D.-based Prairie Lakes Healthcare System has discovered an unauthorized individual has gained access to a small number of its IT systems.
The healthcare system learned of the attack on October 6, 2021, when it experienced disruption to parts of its network. Rapid action was taken to isolate the affected systems and prevent further unauthorized access, and a third-party cybersecurity firm was engaged to investigate the incident and assist with remediation efforts.
Prairie Lakes Healthcare said all the affected systems have now been restored; however, the investigation into the security breach is ongoing. At this stage of the investigation, no evidence of unauthorized access or exfiltration of patient data has been found. If patient data is believed to have been compromised, notification letters will be sent to affected individuals.
The post PHI Potentially Compromised in Hacking Incidents at Four Healthcare Providers appeared first on HIPAA Journal.