Data Breach Reports by Electrostim Medical Services, Meridian Behavioral Healthcare and Network 180

543,000 Electrostim Medical Services Patients Affected by Data Breach

The medical device firm Electrostim Medical Services, Inc. in Florida, which is also called EMSI, has reported that it encountered a cyberattack in May 2023 which involved access to sections of the network that contain patient files. Electrostim Medical Services has submitted the data breach report to the HHS’ Office for Civil Rights indicating that 542,990 patients were affected.

Suspicious activity was discovered in its system on May 13, 2023. After securing its network, third-party cybersecurity experts assessed the nature and extent of the breach. The investigation revealed that unauthorized persons got access to its system for approximately two weeks from April 27, 2023 to May 13, 2023. Although there’s no data theft confirmed, the unauthorized persons got access to sections of the system that contain patients’ PHI, and that data may have been stolen. Electrostim Medical Services stated it did not get any report of any attempted or actual patient data misuse due to the security breach.

The breach notices mentioned that the late notifications were because of a thorough analysis of its system to identify the persons and information types affected, and an evaluation of internal files to determine contact details to send notification letters. The types of data affected differed from one person to another and possibly contained these: name, telephone number(s), address, email address, diagnosis, insurance details, subscriber number, and item(s) prescribed and invoiced.

Electrostim Medical Services stated notification letters were sent by mail in late December and action was taken to enhance system security.

99,000-Record Data Breach at Meridian Behavioral Healthcare

Meridian Behavioral Healthcare, Inc. located in Florida has reported the exposure of PHI in a security breach discovered on August 11, 2023. On December 4, 2023, the third-party cybersecurity experts investigating the breach revealed that 98,808 people were impacted. The provider mailed written notifications on December 22, 2023. The breached data varied from person to person and could have contained names, addresses, birth dates, Social Security numbers, medical diagnosis and treatment data, medical insurance data, and prescription details.

Meridian Behavioral Healthcare stated it does not know of any patient data misuse incident but provided free credit monitoring services to the affected people. Extra security steps were applied inside its system, and data security guidelines and procedures are being evaluated and will be updated to better protect patient data.

PHI of 59,334 Individuals Exposed in Network 180 Phishing Attack

The Kent County Community Mental Health Authority, also known as Network 180, has alerted 59,334 persons regarding unauthorized access to their PHI. The healthcare provider detected a security breach on October 18, 2023 and the IT department contained the attack on the same day. Third-party cybersecurity specialists investigated the breach. On October 25, 2023, the unauthorized activity was confirmed as a phishing attack.

A staff clicked a malicious hyperlink in an email message that led them to a web page that prompted them to input their credentials, which the attacker captured and utilized to gain access to the staff’s email account. Network 180 stated that multi-factor authentication was activated on the staff’s account; nevertheless, the MFA security was bypassed during the cyberattack. The threat actor had accessed the staff’s email account from September 28, 2023 to October 18, 2023, and in that period extracted information from the email account, such as names, addresses, birth dates, complete or partial Social Security Numbers, medical insurance policy data, medical details, other demographic data (i.e., race or sexuality), and in some cases, driver’s license numbers, payment card numbers and/or financial account numbers.

Network 180 stated it has taken action to enhance the security of its Office 365 email accounts and has engaged cybersecurity experts to keep track of its systems. The impacted persons were informed and provided free credit monitoring services for a year. Network 180 was transparent concerning the data breach and gave precise details in its breach notification to the impacted persons.

Patient Reminders Printing Error by Erie VA Medical Center

In mid-November 2023, Erie VA Medical Center reported an impermissible disclosure of patient information. There was a printing error in the appointment booking and reminders to patients that resulted in sending the reminders to the wrong patients. The postcards just contained data regarding the appointment and didn’t have any sensitive or other identifying data. The affected patients included 2,380 veterans from Delaware, Maryland, Kentucky, New York, New Jersey, Pennsylvania, Ohio, Virginia, and West Virginia. The postcards had been mailed already to the right recipients last November 16, 2023.

Fred Hutchinson Cancer Center Cyber Attack

Fred Hutchinson Cancer Center has informed 544 patients about the potential exposure of some of their sensitive information. On October 27, 2023, Fred Hutch was informed by a provider about the loss of their laptop computer while traveling. The laptop was employed to get into Microsoft Outlook software through which patient data can be accessed. The provider stated the laptop had password protection and was set up to start an automatic deletion of the hard drive in case it goes live on the web. Fred Hutch carried out an analysis to know the types of information accessed through the laptop computer and established that names, addresses, dates of birth, telephone numbers, patient account numbers, health record numbers, dates of service, and selected clinical data were exposed. Some patients also had their Social Security numbers exposed.

The cancer center sent notification letters on December 26, 2023, and offered free credit monitoring services to those whose Social Security numbers were compromised. Fred Hutch has given extra training to the employees about protecting mobile devices. This is Fred Hutchinson Cancer Center’s second data breach report in the last couple of weeks. A more serious breach happened from November 19 to November 25, 2023, which was due to a cybercriminal group attacking its network and possibly stealing patient data. Fred Hutchinson has not confirmed the number of patients impacted although the hackers professed to have accessed the information of approximately 800,000 patients. Because no ransom was paid, the threat actors began threatening the patients.