Data Breach Reports by Columbus Regional Healthcare System, Senior PsychCare, and Aria Care Partners

133K Record Data Breach at Columbus Regional Healthcare System

Columbus Regional Healthcare System located in Whiteville, NC, has informed the Maine Attorney General about a patient data theft due to a cybersecurity incident. Unauthorized people got access to its system from May 19, 2023, to May 21, 2023 and extracted files.

The file analysis was finished on December 28, 2023, and personal notifications were mailed to the impacted people. The types of data involved differed from person to person and might have contained names along with at least one of these data: birth date, driver’s license number, Social Security number, state ID number, alien registration number, passport number, financial account details, medical data (date(s) of service, treatment/diagnosis details, patient account number, medical record number, and/or prescription details) and/or medical insurance policy data.

The breach notification submitted to the Maine Attorney General shows that 132,887 people were impacted. The healthcare system stated no proof was found that suggests actual or attempted data misuse. As a safety measure against identity theft and fraud, free credit monitoring services were provided to people whose Social Security numbers were exposed. Columbus Regional Healthcare stated it had put in place safeguards to safeguard against unauthorized access and regularly checks and changes its procedures and internal settings to improve the protection and privacy of personal data.

75,000 Senior PsychCare Patients Affected by December 2022 Data Breach

Psychological Holdings, PLLC based in Texas, which is also known as Senior PsychCare (SPC), has informed 75,000 patients about the exposure of some of their PHI in a December 2022 security breach. Based on the breach notification letters, access by unauthorized people to its network occurred from December 13, 2022 to December 22, 2022.

Third-party cybersecurity specialists conducted a forensic investigation and a manual evaluation of all records on the sections of its network accessed by the attackers. Senior PsychCare had the process done on November 20, 2023, and reported that the compromised data included names, Social Security numbers, addresses, medical data, and medical insurance details.

Senior PsychCare stated it does not know of any actual or attempted patient data misuse and has provided the impacted persons with free credit monitoring services as a safety measure. SPC stated it had cybersecurity procedures set up to safeguard against unauthorized data access and regularly checks and changes its practices and internal settings to improve the security and confidentiality of personal information.

Primary Health & Wellness Center Discloses October 2023 Ransomware Attack

Primary Health & Wellness Center located in Baltimore County, MD, has recently informed 4,792 people about the potential compromise of some of their PHI in a ransomware attack that was discovered on October 20, 2023. Based on the substitute breach notice, the impacted server included the health data of patients since 2018, which included names, addresses, birth dates, Social Security numbers, and health record information. The forensic investigation found no proof that suggests the exfiltration of data from the server prior to the encryption of files, and usually threat actors that utilize Phobos ransomware do not exfiltrate files. Nevertheless, it can’t be certain that no data theft occurred.

Although data theft is not considered to have taken place, the impacted patients were told to keep track of their account statements and credit reports for possible bogus transactions and to immediately report any alleged fraudulent activity to authorities. Primary Health & Wellness Center stated it is serious when it comes to its responsibilities under HIPAA and the Maryland Confidentiality of Medical Records Act and it is truly sorry for the incident and trouble experienced.

PHI Exposed Due to Cyberattack on Coastal Hospice & Palliative Care

Coastal Hospice & Palliative Care located in Salisbury, MD, has reported a cyberattack on July 24, 2023, that resulted in network interruption. Cybersecurity specialists investigated the incident and established that its system had been viewed by unauthorized persons. A review was carried out on all files on the system that were compromised and/or stolen by the attackers. That course of action was done on November 20, 2023. The healthcare provider mailed notification letters to the impacted persons on January 22, 2023.

The data compromised and possibly stolen included names, birth dates, Social Security numbers, medical diagnosis data, medical insurance policy numbers, doctor or medical facility details, patient account numbers, and health condition or treatment data. The incident was reported to the proper government bodies, however, it is not presently posted on the HHS’ Office for Civil Rights breach website. It is uncertain how many people were impacted.

Aria Care Partners Cyberattack on May 2023

Aria Care Partners located in Overland Park, KS has reported a cybersecurity incident that happened in May 2023. According to the forensic investigation, its vision file server was accessed without authorization. The detailed analysis of all files contained on the server was finished in December 2023 and confirmed the exposure of files that included patient names, birth dates, driver’s license numbers,
Social Security numbers, diagnosis, treatment data, and medical insurance details.

Aria Care Partners mailed notification letters to the impacted persons on January 19, 2024, and the impacted persons were provided free credit monitoring and identity theft protection services, plus an identity theft insurance policy, identity theft recovery, and dark web monitoring services worth $1 million.

The incident report was submitted to the proper authorities, however, it is not yet posted on the HHS’ Office for Civil Rights breach website. It is uncertain how many people were impacted.