Cyberattack and Data Breaches at Anna Jaques Hospital, NYC Health + Hospitals, and Corewell Health Business Associate

Anna Jaques Hospital Cyberattack on Christmas Day

Anna Jaques Hospital in Newburyport, MA, experienced a cyberattack on Christmas Day that disrupted its health record system. The hospital redirected ambulances to other nearby hospitals until systems were restored. On December 26, 2023, the emergency department began accepting patients again. Little information has been published so far about the nature of the attack, and it is too soon to say whether the attackers accessed patient data. Third-party cybersecurity professionals have been engaged and are investigating the attack. More details will be published as the investigation progresses.

Patient Data Impermissibly Accessed by Volunteer at NYC Health + Hospitals

NYC Health + Hospitals reported an unauthorized disclosure of patients’ protected health information (PHI). It stated that it learned on October 23, 2023, that a worker at NYC Health + Hospitals/Kings County had permitted a Kings County volunteer to help handle lab test specimens for Kings County patients, although the volunteer was not authorized to do any work in the lab and was not allowed to view patients’ PHI.

While helping in the lab, the volunteer viewed patients’ names, birth dates, medical record numbers, locations within the hospital, and the lab tests requested. The impacted individuals had lab tests done from October 2, 2021 to August 14, 2023. Although PHI was impermissibly viewed, there is no evidence that any of the data has been misused.

NYC Health + Hospitals stated that it has taken action to prevent similar events in the future, including informing all lab staff that they are not allowed to give non-employees any access to NYC Health + Hospitals labs. NYC Health + Hospitals also announced that the staff member no longer works for NYC Health + Hospitals and is barred from future employment there, and that the volunteer is no longer volunteering at NYC Health + Hospitals and is prohibited from any other volunteer role there.

The PHI breach has not yet been published on the HHS Office for Civil Rights breach portal, so the number of affected people is still uncertain.

Million-Record Data Breach at Corewell Health Business Associate

The Michigan Attorney General’s Office reported that the PHI of over one million Corewell Health patients was compromised in a cyberattack at one of Corewell Health’s vendors. Corewell Health used HealthEC’s population health management system to identify high-risk individuals in southeastern Michigan in order to provide healthcare and determine limitations to optimal patient care.

In its breach notification letters, HealthEC described suspicious activity inside its system; the forensic investigation confirmed that an unidentified, unauthorized threat actor had access to certain internal systems from July 14, 2023 to July 23, 2023. During that time, files containing PHI were exfiltrated from its network. HealthEC analyzed all files on the breached portion of the system and informed its impacted customers on October 26, 2023. HealthEC then helped those customers send their notification letters. According to the notification sent to the Maine Attorney General, HealthEC began sending breach notification letters to 112,005 people on December 22, 2023. Some of HealthEC’s covered entity customers have decided to send their own notification letters.

The following types of data held by HealthEC were compromised: names, addresses, birth dates, medical record numbers, Social Security numbers, diagnoses and diagnosis codes, physical/mental condition, prescription details, names of providers, subscriber numbers, beneficiary numbers, Medicaid/Medicare ID numbers, patient ID numbers, patient account numbers, and treatment cost details. HealthEC has provided free credit monitoring and identity theft protection services to the impacted people for a year.

Data breaches at business associates of HIPAA-regulated entities usually affect many of their customers. Another HealthEC customer known to have been impacted is Beaumont ACO, based in Michigan. Affected persons might receive two notification letters about this event if they have received services from Beaumont ACO and Corewell Health in the past.

This is the second large data breach to affect Corewell Health patients in 2023. In November, Welltok Inc., its patient communication services provider, began informing about one million Corewell Health patients that their PHI had been stolen through the exploitation of a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution. The two incidents are not related and were carried out by different threat actors. The Clop hacking group stole the following data of Corewell Health patients: names, birth dates, email addresses, telephone numbers, diagnoses, medical insurance data, and Social Security numbers. Priority Health, the health insurance plan of Corewell Health, was also affected by the same breach.

Health data is very personal data. Michigan residents have endured a spike in healthcare-related data breaches and should have strong security. It is important for the Michigan legislature, together with other states, to require healthcare organizations that experience a data breach to promptly alert the Department of Attorney General.