Data Breaches Reported by Cummins Behavior Health, Redwood Coast Regional Center and Other Healthcare Entities

Data of 4 Million Coloradans Exposed in MOVEit Transfer Attack

The Colorado Department of Health Care Policy and Financing (HCPF), which supervises the Medicaid program of the state and the Child Health Plan Plus (CHP+) program, has just reported the compromise of the protected health information (PHI) of 4,091,794 people. The attack happened at IBM, its vendor, which uses the MOVEit Transfer app for transferring files. HCPF stated the attack did not affect its own systems.

The Clop group took advantage of a zero-day vulnerability present in the MOVEit Transfer file transfer tool and extracted information and made an effort to extort cash from the victims. The data security company Kon Briefing has been monitoring the occurrences and stated that about 670 organizations were victimized by the attacks and the data of 46 million individuals are identified to have been affected.

HCPF said the breach affected the information of Health First Colorado and CHP+ users, such as, Social Security numbers, Medicare and Medicaid IUD numbers, dates of birth, addresses and other contact details, demographic/income data, medical insurance data and clinical and medical data, which include diagnoses, disorders, laboratory results, prescription drugs, and other treatment details. Two years of free credit monitoring and identity theft protection services were provided to the impacted persons.

A few other HIPAA-covered entities have reported that they were impacted. Radius Global Solutions based in Minnesota, a HIPAA business associate offering client engagement and technology services, has reported the compromise of the PHI of 600,794 people in the Clop MOVEit Transfer attacks, including names, birth dates, Social Security numbers, treatment locations, treatment codes, medical insurance company names, and treatment payment records. Two years of free credit monitoring and identity theft protection services were provided to the impacted persons.

Indiana Family and Social Services Administration also reported that the MOVEit server of Maximus Health Services Inc., the state Medicaid enrollment broker, was hacked and the PHI of 744,000 Indiana Medicaid members had been exposed which include names, case numbers, addresses, and Medicaid numbers. Maximus manages the department’s communications with the recipients of Medicaid. The Clop group acquired access to the MOVEIt server between May 27 and May 31, 2023.

Florida Healthy Kids, a health and dental insurance provider to kids in Florida was likewise affected by the Maximus breach, though the number of people who had their data exposed in the incident is still unknown. Maximus mentioned that the affected people were provided with two years of free credit monitoring and identity theft protection services.

Johns Hopkins Health System also reported the investigation of a cyberattack that affected systems employed by Johns Hopkins Health System and Johns Hopkins University. It has reported the data breach to the HHS’ Office for Civil Rights as impacting 2584 persons. Howard County General Hospital reported the breach as impacting 2975 persons. Johns Hopkins already confirmed the attack on its MOVEit server. Johns Hopkins Medicine already informed the HHS’ Office for Civil Rights the compromise of the PHI of 310,405 persons in the attack and stated it is notifying those persons and will be providing them with free credit monitoring and identity theft protection services.

157K Record Data Breach at Cummins Behavioral Health

Cummins Behavioral Health Systems Inc. located in Avon, IN, lately reported to the Maine attorney general a data security incident that has impacted 157,688 individuals. An unauthorized individual placed a ransom note within its computer environment on March 9, 2023. There was no file encryption, but the attacker professed to have infiltrated sensitive information.

Based on the forensic investigation, an unauthorized person got access to its system from February 2, 2023 to March 9, 2023. The data taken from its systems contained names, addresses, birth dates, State ID/driver’s license numbers, Social Security numbers, financial account details, payment card data, usernames/passwords, medical insurance data, and medical data. System security has been toughened to avoid identical incidents later on and impacted persons were provided free credit monitoring and identity theft protection services.

Client Data Exposed at Redwood Coast Regional Center Due to Email Encryption Failure

Redwood Coast Regional Center (RCRC), a company offering services to people with developmental disabilities in Del Norte, Lake, Humboldt, and Mendocino Counties in California, has notified 1,345 people concerning the breach of some of their information. On June 14, RCRC experienced the failure of its mail server encryption software because of a system outage, resulting in the disclosure of public health data in plain text messages. Unauthorized individuals could have intercepted the data. The breached information only included client names, addresses, birth dates, UCI numbers, and/or authorized service data. There was no data exposed that would allow its clients to be at risk of identity theft. RCRC stated it is going over its procedures and protocols to avoid the same data breach later on.

Cyberattack and Data Breach Reported by Coastal Orthopedics

Coastal Orthopedics & Sports Medicine of Southwest Florida based in Bradenton, FL lately reported that hackers acquired access to its system and possibly acquired patient information. The healthcare provider discovered the cyberattack on June 11, 2023. The following forensic investigation confirmed the network unauthorized access from June 6, 2023 to June 11, 2023, and data theft.

The breach investigation is in progress, therefore it is presently uncertain how many people were impacted or the specific types of data affected; Nevertheless, the compromised information probably consisted of a mix of names, medical record numbers, Social Security numbers, patient ID numbers, diagnosis data, other health data, addresses, driver’s license number, medical insurance details, financial account data, and birth dates. Guidelines, procedures, and processes are under review to lessen the probability of an identical event later on and notification letters will be delivered to the impacted persons when the file evaluation is finished.

Email Account Breach Reported by Capital Neurological Surgeons

Capital Neurological Surgeons located in Sacramento, CA recently found that an unauthorized person acquired access to a staff email account and possibly acquired patient data. The email account access occurred on January 17, 2023. On July 20, 2023, the forensic investigation affirmed the inclusion of PHI in the account.

The data possibly breached differed from one person to another and might have contained names along with at least one of the following data: birth date, Social Security numbers, driver’s license numbers or state ID numbers, health data (diagnosis/clinical details, treatment type or location, physician name, medical process data, patient account number, medical record number, and/or medication details), and/or medical insurance policy details. Impacted persons were informed through mail on August 4, 2023. The late issuance of notification letters was because of the lengthy file evaluation. Free credit monitoring services were provided to people whose Social Security numbers were affected.

The HHS’ Office for Civil Rights breach website has no information yet about the email account breach incident. It is still not known how many persons were impacted.

Twitter Facebook LinkedIn Reddit Copy link Link copied to clipboard
Photo of author

Posted by

Mark Wilson

Mark Wilson is a news reporter specializing in information technology cyber security. Mark has contributed to leading publications and spoken at international forums with a focus on cybersecurity threats and the importance of data privacy. Mark is a computer science graduate.