PHI of 1.27 Million Patients Compromised in Two Healthcare Data Breaches

The protected health information (PHI) of 1,271,642 people was compromised and possibly stolen in two healthcare hacking events that were lately documented by the Department of Health and Human Services’ Office for Civil Rights.

PHI of 688,000 Persons Exposed Because of the Sea Mar Community Health Centers Hacking Incident

Sea Mar Community Health Centers is a charity provider of housing, health, human, cultural and educational services to underserved towns in Washington.

On June 24, 2021, Sea Mar found out that an unauthorized person exfiltrated sensitive data from its IT environment. With the assistance of a prominent third-party cybersecurity agency, Sea Mar confirmed the access of its systems between December 2020 and March 2021. As per the breach notice uploaded on its webpage, an audit was done on the information likely stolen from its system, which verified the theft of these types of data:

Name, address, birth date, Social Security number, client ID number, diagnostic and treatment data, insurance details, claim details, and/or pictures related to the dental procedure.

Sea Mar explained the process of getting the contact data necessary to send notification letters to impacted persons was finalized on August 30, 2021. Following two months of getting the contact details, the provider delivered the notification letters to the affected people. The report sent to the Maine Attorney General states that breach notification letters had been mailed from October 29, 2021, to November 5, 2021.

Sea Mar claimed has no information regarding any proof of the misuse of data compromised during the incident, nevertheless has given credit monitoring, identity theft protection, along with fraud consultation services to persons whose Social Security number was compromised.

The breach notification letters didn’t say anything about the stolen information being posted for purchase on Marketo, which is a darknet site where stolen data are presented for sale. Marketo is not a marketplace that is ransomware-associated, however, information stolen in ransomware attacks was listed in the past for purchase on the webpage, like the data compromised during the Navistar ransomware attack.

The posting on Marketo states that the hackers exfiltrated 3TB of information, like email messages, photos, contact data, and photographs of agreements. The particular date of notification furnished by Sea Mar matches with the date when DataBreaches.net alerted Sea Mar of the post on Marketo.

583,643-Record Compromised at Utah Imaging Associates

Utah Imaging Associates submitted a data breach report on November 3, 2021, to the HHS’ Office for Civil Rights that impacted the PHI of 583,643 people. The breach was stated as a hacking/IT incident affecting the PHI saved on a network server.

There is presently no posting of the data breach on the Utah Imaging Associates’ site, the breach has not been reported by the mass media during this time, and the incident hasn’t appeared on the web pages of state attorneys general that release breach summaries, and so the details of the Utah Imaging Associates data breach is uncertain at this stage.

Updates will be provided as soon as more details are available.

Link copied to clipboard
Photo of author

Posted by

Mark Wilson

Mark Wilson is a news reporter specializing in information technology cyber security. Mark has contributed to leading publications and spoken at international forums with a focus on cybersecurity threats and the importance of data privacy. Mark is a computer science graduate.