Data breaches have recently been reported by Acuity Brands in Georgia, San Gorgonio Memorial Hospital in California, and Receivables Performance Management in Washington. The last of these appears to have affected more than 3.7 million individuals.
Receivables Performance Management
Receivables Performance Management (RPM) in Lynnwood, WA, a business associate of several HIPAA-covered entities, has recently started notifying individuals affected by a 2021 ransomware attack. The incident was detected on May 12, 2021, with the investigation confirming its systems were first breached on April 8, 2021. Files only started to be encrypted on May 12.
RPM said it was able to stop the attack and restore its systems within 36 hours and retained a computer forensics firm to investigate the breach and determine the nature and scope of the attack; however, it took until October 2, 2022, to determine the types of information and individuals affected. RPM said that the length of time it took to fully investigate the breach was due to the complexities of RPM’s server infrastructure. RPM said it “obtained confirmation to the best of its ability that the information is no longer in the possession of the third party(ies) associated with this incident.”
RPM said personal information was potentially compromised, including Social Security numbers. Affected individuals are being offered complimentary credit monitoring services. RPM said it is continuing to work with security experts to improve its defenses to prevent similar breaches in the future. At this stage, the number of people affected by the breach has yet to be confirmed. The breach report submitted to the Maine Attorney General indicates 3,766,573 individuals have been affected in total, with approximately 500,000 of those individuals residing in Texas. The incident is not yet appearing on the HHS’ Office for Civil Rights breach portal.
Acuity Brands
Acuity Brands, a lighting and building management firm in Georgia, has announced that unauthorized individuals had access to its network on December 7 and December 8, 2021, and exfiltrated some files. While investigating that breach, Acuity Brands discovered an earlier security breach that occurred on October 6 and October 7, 2020, and in that earlier incident, unauthorized individuals had attempted to copy files from its systems.
A review of all documents potentially accessed in both incidents was then conducted, which revealed the files contained the information of current and former employees and members of its health plan. The incident was limited to employees. No customer information was compromised.
Both incidents resulted in the exposure and possible theft of files containing names, Social Security numbers, driver’s license numbers, financial account information, and limited health information related to other aspects of an individual’s employment with Acuity, such as injury information related to workers’ compensation claims, or related to requests for leave under the Family and Medical Leave Act. The types of information involved varied from individual to individual. Complimentary memberships to credit monitoring services are being offered to eligible individuals. Additional safeguards have been implemented to prevent further data breaches.
The incidents have yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.
San Gorgonio Memorial Hospital
San Gorgonio Memorial Hospital in Banning, CA, has started notifying certain patients about a computer intrusion and data theft incident. A security incident was detected on November 10, 2022, and prompt action was taken to isolate and shut down its systems. The forensic investigation confirmed that an unauthorized individual gained access to its network on October 29, 2022, with access confirmed as terminating on November 10. During that period of access, files were copied from its systems, and on November 14, 2022, it was confirmed that those files contained patient information.
A prompt notification was sent to the California Attorney General, although the document review and investigation are ongoing. It has been confirmed that the documents contained information such as names, addresses, birth dates, medical record numbers, visit ID numbers, health insurance information, and/or clinical information, including diagnosis and treatment information.
San Gorgonio Memorial Hospital said additional safeguards have been implemented to prevent further data breaches. The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.
The post Receivables Performance Management Data Breach Affects More Than 3.7 Million Individuals appeared first on HIPAA Journal.