Humana lately reported the potential compromise of the protected health information (PHI) of 22,767 persons in a security incident at Choice Health. This business associate is Humana’s vendor of its Medicare products. On May 18, 2022, Choice Health discovered that one of its databases can be accessed online. The investigation confirmed there was a misconfiguration that was triggered by a third-party service provider.
An unauthorized person obtained access to the system, took some database files, and made a threat to publish the stolen information to the public. Choice Health discovered the compromised database on May 14, 2022 and learned about the stolen database files on May 18. However, the unauthorized access and theft of data happened more or less on May 7, 2022.
In the beginning, it was believed that the breach only affected the lead generation and marketing data of Choice Health; then again, deeper investigations revealed that the information of a few of its carrier partners had likewise been exposed, such as first and last names, Medicare beneficiary ID numbers, Social Security numbers, birth dates, addresses, other contact details, and medical insurance data.
Choice Health, together with its service provider, made sure that the database was kept safe and extra data security procedures were carried out to avoid the same incidences later on. Free credit monitoring and identity theft protection services were provided to impacted persons.
Email Account Breach at Tessie Cleveland Community Services Corp
The mental health clinic based in Los Angeles, CA, Tessie Cleveland Community Services Corp (TCCSC), lately reported that an unauthorized third party obtained access to some employees’ email accounts and possibly viewed or acquired the PHI of patients.
On July 20, 2022, TCCSC discovered the unauthorized access and with the help of a cybersecurity agency, confirmed the compromise of the email accounts from June 17, 2022 to June 30, 2022. The investigation revealed that the goal of the attackers is not to obtain patient data but to attempt a business email compromise attack and complete business fraud against TCCSC. Nevertheless, the possibility of theft of patient information cannot be excluded.
The analysis of the breached email accounts showed that they held the following information: names, demographic data, medical insurance ID numbers, restricted data concerning patient care at Tessie, and in certain cases, Social Security numbers. Around 9,747 individuals were informed about the exposure of their information. Credit monitoring services were provided to qualified persons.
Email Accounts Breach at Easterseals-Goodwill Northern Rocky Mountain
Easterseals-Goodwill Northern Rocky Mountain based in Great Falls, MT reported a breach of the email accounts of eight employees resulting in the exposure of the PHI of 3,886 patients.
This provider of services to children and adults with disabilities didn’t say in its notification letters the date it discovered the unauthorized access but mentioned the forensic investigation ended on July 20, 2022. It was confirmed that an unauthorized individual accessed the email accounts from October 12, 2021 to November 11, 2021. The email accounts included names, other personal data, and Social Security numbers. There was no marketing email subscriber listing, store transaction data, or donor details involved.
The provider sent notifications to impacted persons on September 16, 2022. Free credit monitoring services were provided to persons whose Social Security numbers were compromised. Internal controls were improved to avoid the same breaches later on.