Data Breaches Reported by Dental Health Management Solutions, Nursing Rehab Centre, The Chautauqua Center, Northeast Surgical Group, and White Bird Clinic

Dental Health Management Solutions Alerted Patients About Historic Data Breach

Dental Health Management Solutions (DHMS), based in Cedar Park, TX, provides dental services to the military/government and private individuals. It recently reported the exposure of the protected health information (PHI) of some patients as a result of a hacking incident in 2021. In the notification letter sent to the Maine Attorney General in February 2023, DHMS stated it discovered a network attack on or about August 20, 2021. The forensic investigation confirmed the compromise of its system on July 17, 2021.

A thorough assessment was done on all files that were possibly viewed or stolen during the attack. The assessment confirmed that 3,205 persons were impacted. The types of data compromised differed from one person to another and may have contained names, addresses, medical data, medical insurance details, Medicaid ID numbers, account and routing numbers, Social Security numbers, and driver’s licenses.

DHMS stated it has reset passwords and applied multifactor authentication. Affected persons received free credit monitoring and identity protection services. The notification letter did not explain the 18-month delay in sending the breach notifications. Under HIPAA rules, notification letters must be issued within 60 days of the date a breach is discovered.

20,000 Patients Affected by Aloha Nursing Rehab Centre Breach

Aloha Nursing Rehab Centre, located in Kaneohe, Hawaii, recently submitted a report to the HHS’ Office for Civil Rights about a data breach that impacted 20,216 individuals. As per the notification letter submitted to the Maine Attorney General, an unauthorized individual accessed its IT systems on or about July 8, 2022. That person accessed only some of the electronic records in its systems.

Aloha Nursing Rehab Centre stated that the investigation and review of records confirmed on December 28, 2022 that the compromised files included patient data. The types of data affected by the attack include names, birth dates, Social Security numbers, financial account data, state ID numbers, and driver’s license numbers. The rehab center notified the affected persons by mail in February 2023 and offered them free credit monitoring and identity theft protection services, which are covered by its $1,000,000 identity theft insurance plan.

The Chautauqua Center Reports Limited Exposure of Patient Data

The Chautauqua Center (TCC) in Jamestown, New York recently reported the exposure of the PHI of 747 persons due to a data breach that occurred at WebPT, its business associate. WebPT provides TCC with electronic medical record services.

Because of the incident, the data of Chautauqua Physical and Occupational Therapy patients were exposed to other healthcare clinics during an upgrade of its EMR system on December 22, 2022. The information in the referral report that became available to other healthcare clinics included names, treatment clinic, referring doctor/physician group name, case name/creation date, last seen/referral dates, insurance company, secondary insurance data, and the total number of visits for each case. WebPT reported that the clinical notes taken during the preliminary evaluation were not accessible.

Because only limited information was exposed during the incident, and the data was exposed only to HIPAA-covered entities, the risk to patients is minimal; however, all persons were informed of the breach in January. TCC disabled access to the report within 19 hours of learning about the exposure. TCC performed an analysis to determine the reason for the breach, retrained its employees, and obtained statements from all impacted clinics to confirm that the report was not misused or disclosed further.

Asante Reports Unauthorized Medical Record Access by a Doctor

Asante, a health system based in Oregon that manages three hospitals and over 30 primary care facilities, has begun informing a number of patients about the unauthorized access to their medical records by a local physician without a treatment relationship with them.

The investigation into the unauthorized access revealed that it had been ongoing for more than 9 years, since 2014. Asante terminated the access of the doctor, Dr. Paul Hoffman, to the electronic medical record system. Asante is relieved to say that the doctor had no malicious intent in accessing the files and that it was simply out of curiosity. There is no reason to believe that the impacted patients are in danger of fraud or identity theft. The types of data viewed were names, demographic details, and treatment data. The doctor did not access any financial data, Social Security numbers, or driver’s license numbers. Asante stated it is currently looking at how its staff could improve the identification of unauthorized medical record access.

The post on the HHS’ Office for Civil Rights website shows that the doctor accessed 8,834 patients’ medical records without authorization.

Patient Information Compromised in Northeast Surgical Group Hacking Incident

Northeast Surgical Group, based in Macomb Township, MI, recently informed 15,298 patients about the compromise of some of their sensitive health data due to a hacking incident. The healthcare provider detected suspicious activity in its system on January 8, 2023, and engaged third-party cybersecurity experts to perform a forensic investigation.

Northeast Surgical Group mentioned in its notification letters that although the breach was discovered in January, determining the extent of affected patient data took over a month. The forensic investigation confirmed on February 13, 2023 the compromise of data including names, Social Security numbers, and addresses. The dates of birth, medical data, and treatment details of some patients were likewise exposed. The group conducted a review to evaluate the security of its system and deployed extra monitoring tools.

Northeast Surgical Group stated it did not find any evidence suggesting the misuse of any patient data as a result of the breach. Still, the affected persons were provided with free credit monitoring services for one year. The BianLian threat group seems to be responsible for the attack, as it has uploaded part of the stolen information to its data leak website.

Patients’ PHI Exposed Due to Email Error

White Bird Clinic, located in Oregon, recently informed 584 dental patients about the impermissible disclosure of some of their personal data and PHI as a result of an email error. A report that contains patient names, birth dates, medical record numbers, and demographic data was sent to a patient by mistake. The patient stated that he/she did not open or further disclose the attached file and had deleted the email and attached file.