Recent Data Breaches Reported by Santa Clara Family Health Plan and Other Healthcare Organizations

Santa Clara Family Health Plan Encountered a Clop GoAnywhere Hack

On March 30, 2023, Santa Clara Family Health Plan reported a 276,993-record data breach to the HHS’ Office for Civil Rights that was a result of a Clop ransomware group hacking incident involving Fortra’s GoAnywhere MFT solution. The group took advantage of an earlier unidentified (zero-day) vulnerability, and extracted information, but didn’t encrypt files. There were 130 organizations affected by the attack in a period of 10 days at the end of January and at the beginning of February 2023.

The incident impacted NationsBenefits, which is a supplemental benefits management services provider to a number of health plans, such as Santa Clara Family Health Plan. Fortra informed NationsBenefits about the attack on February 7, 2023 saying that the attack happened on or about January 30, 2023. NationsBenefits confirmed the compromise of its data during the attack on February 13, 2023. The exposed protected health information (PHI) included names, addresses, telephone numbers, gender, birth dates, medical insurance number, medical ID number, date(s) of service, medical device or product bought, name of provider/caregiver, and Social Security numbers. NationsBenefits stated it is not using the GoAnywhere solution anymore and is using a selection of extra measures to reinforce security.

38,000 Health Plan Members Affected by United Steelworkers Local 286 Security Breach

United Steelworkers Local 286 learned that an authorized person acquired access to the email account of an employee that stored the PHI of 37,965 health plan members. The company detected the email account breach on February 13, 2023. Based on the forensic investigation results, the hacker accessed the email account from June 16, 2022 to July 18, 2022.

A manual document analysis affirmed the inclusion of the following data in the account: complete names, Social Security numbers, birth dates, financial account numbers, driver’s license numbers, passport numbers, and/or state ID numbers, financial account numbers, medical treatment data, medical record numbers, biometric data, and medical insurance details.

There is no evidence found regarding the misuse of plan member data; nevertheless, as a safety measure against identity theft and fraud, those who had their Social Security numbers exposed were provided free credit monitoring services. United Steelworkers Local 286 stated that security procedures were in place and are continuously assessed and revised to protect the privacy and security of employee information.

Microsoft 365 Account Breach at Two Rivers Public Health Department

Two Rivers Public Health Department (TRPHD) based in Nebraska has lately affirmed that an unauthorized third party accessed the PHI of 15,168 patients, which was held in an employee Office365 account.

TRPHD detected suspicious activity in its server on November 9, 2022. The preliminary investigation done by a third-party IT company determined that there was no compromise of patient data; nonetheless, as a safety precaution, an external forensic investigation company conducted a full investigation of the security breach. It was confirmed that an unauthorized individual accessed the Office 365 account from September 14, 2022 to November 8, 2022. The analysis of the account showed it included PHI, but the press release did not mention which information was exposed.

TRPHD stated the document analysis was finished on March 15, 2023. It mailed the notifications to impacted persons on April 14, 2023. Extra security measures were enforced to better protect its systems against suspicious access.

Malware Infection at Robeson Health Care Corporation

Robeson Health Care Corporation based in Pembroke, NC reported a data breach to the Maine Attorney General that has impacted around 15,045 people. The notification states the detection of malware within its network on February 21, 2023. The succeeding forensic investigation affirmed that an unauthorized third party accessed its systems from February 17, 2023 to February 21, 2023.

Although there was no proof of data theft found, it cannot be excluded. The document analysis affirmed the exposure of these types of data: name, address, birth date, Social Security number, treatment data/diagnosis, treating doctor, patient ID number, medical record number, Medicare/Medicaid number, prescription data, medical insurance data, and treatment costs. Robeson Health Care Corporation mailed the notifications on April 21, 2023, and provided free credit monitoring and identity theft protection services. It has enhanced security with multi-factor authentication for all users to avoid the same incidents later on.

1,457 Individuals Affected by NewBridge Services Hacking Incident

The counseling service provider, NewBridge Services, based in Pequannock, NJ stated that an unauthorized person acquired access to its systems and possibly accessed and acquired the PHI of 1,457 people. It detected the security breach on January 26, 2023 upon noticing the disruption of certain systems. The forensic investigation affirmed on January 28, 2023 the exposure of PHI, but there was no proof of actual or attempted data misuse uncovered.

The compromised data included names, Social Security numbers, birth dates, treatment data, provider data, prescription details, payment details, and medical insurance data. NewBridge Services mailed written notifications to impacted persons on April 17, 2023, and enforced extra security to avoid the same incidents later on.

Adelanto HealthCare Ventures Phishing Attack Impacts Patients of UHS of Delaware

UHS of Delaware, Inc. has just informed 40,290 people regarding a data breach at a consulting firm. In November 2021, Adelanto HealthCare Ventures (AHCV) encountered a phishing attack allowing unauthorized persons to gain access to employee email accounts. The investigation of the phishing incident confirmed that there was no PHI exposed or stolen; but it was confirmed on August 19, 2022 that some PHI was actually exposed.

AHCV has enhanced its security steps after the incident to better defend against identical attacks later on. It also provided additional training to its workforce. The incident impacted a number of its healthcare customers.

Northeast Behavioral Health Care Consortium Phishing Attack

Northeast Behavioral Health Care Consortium (NBHCC) located in Moosic, PA, has informed 13,240 patients regarding the exposure and potential theft of some of their PHI. On February 20, 2023, NBHCC found out that an unauthorized individual accessed an employee email account after responding to a phishing email.

An analysis of the impacted email account affirmed the inclusion of the following PHI in the account: names, Medicaid numbers, member numbers, diagnoses, detailed descriptions of the incident, and levels of care. NBHCC stated it did not find any patient data misuse and is convinced the principal intention of the attackers was to get other companies’ data; nevertheless, the misuse of patient information cannot be excluded. A third-party cybersecurity company helped with the investigation and took steps to minimize the risk and stop the same incidents later on.