Reported Data Breaches by Medical Management Resource Group, Prime Healthcare, AGC Flat Glass North America, and Aspen Dental

2.35M Patients Affected by Medical Management Resource Group Breach

Medical Management Resource Group, LLC (MMRG), also called American Vision Partners, has confirmed in a breach notification letter sent to the HHS’ Office for Civil Rights that the protected health information (PHI) of 2,350,236 persons was exposed in a hacking incident. MMRG discovered unauthorized activity inside its network on November 14, 2023, and took immediate action to control the threat. A third-party cybersecurity firm investigated the breach to know the nature and scope of the unauthorized activity, and on or about December 6, 2023, MMRG stated that there had been unauthorized access to its system, and the elimination of files that contained patient data.

Those files included information such as names, contact details, birth dates, medical data like the services obtained, clinical documents, and medicines, and for certain individuals, Social Security numbers and health insurance details. MMRG is sending notifications to the affected people and has provided free credit monitoring and identity protection services to the impacted persons.

Data Breach at Business Associate Impacts Prime Healthcare Employee Health Plan Members

Prime Healthcare has lately announced the compromise of the PHI of 101,135 individuals in a cyberattack on Keenan & Associates, its business associate, and the admin service provider of its employee benefit health plan. Keenan & Associates noticed the breach in late August 2023 and stated that an unauthorized third party accessed its network between August 21, 2023, and August 27, 2023.

Keenan & Associates informed Prime Healthcare regarding the breach in December 2023. The breached data includes names, dates of birth, passport numbers, Social Security numbers, driver’s license numbers, medical insurance data, and health data, such as diagnosis and treatment details. Keenan & Associates is providing the affected people with complimentary credit monitoring and identity theft protection services for 24 months.

Welfare Benefits Plan Data Exposed at AGC Flat Glass North America

AGC Flat Glass North America, Inc. just reported a hacking incident that interrupted its production and shipments. The cyberattack was discovered on December 15, 2023, and is still under investigation; nevertheless, it has been reported that the hackers acquired access to areas of its system that contain the information of members of its Welfare Benefits Plan from December 12, 2023to December 17, 2023.

The exposed information includes names, Driver’s license numbers, Social Security numbers, passport numbers, financial account data, and health insurance plan enrollment details. The breach report was submitted to the Maine Attorney General indicating that 20,415 persons were impacted, with the HHS’ Office for Civil Rights breach report verifying that the PHI of 13,079 Welfare Benefits Plan members was breached.

Colorado Department of Health Care Policy & Financing Reports Impacted by MOVEit Hack

The Colorado Department of Health Care Policy & Financing has reported a recent breach notification to the Maine Attorney General stating the compromise of the sensitive information of 4,662,668 individuals when the Clop hacking group’s exploit of a vulnerability found in MOVEit Transfer solution of Progress Software in May 2023. MOVEit was utilized by its business associate, IBM, for transferring files. Progress Software made a patch available to resolve the vulnerability on May 31, 2023; however, the flaw exploitation happened already.

The Colorado Department of Health Care Policy & Financing looked into the breach to determine what data was affected and has affirmed that the PHI of Health First Colorado and CHP+ members was impacted, along with the records of providers, applicants, provider and member-affiliated individuals, and those who may provide extra coverage to Health First Colorado and CHP+ members. The breached information contained full names, Insurance policy identifiers, and Social Security numbers.

Prior notifications were released by the Colorado Department of Health Care Policy & Financing on August 11, 2023, and October 3, 2023, with the most recent batch of notices sent on February 19, 2024, to additional people whose data was verified on January 17, 2024, as having been impacted. The affected persons were given free credit monitoring and identity theft protection services.

April 2023 Ransomware Attack Confirmed by Aspen Dental

Dental service organization Aspen Dental Management based in Chicago, IL has announced encountering a ransomware attack on April 25, 2023. The attackers possibly accessed and exfiltrated files that contained sensitive patient information. The exposed information includes names, Social Security numbers, birth dates, state ID/driver’s license details, medical and insurance data, banking data, and biometric records.

There was no evidence received that suggested the misuse of any patient details; nonetheless, as a precaution, those whose Social Security numbers were affected were provided complimentary credit monitoring services. Aspen Dental Management delivers administrative and business support solutions to Aspen Dental-branded practices and helps more than 1,000 practices in the U.S.. Although the breach has been confirmed, how many impacted individuals is presently unclear.

Lexington Medical Center Encounters Email Account Breach

Lexington Medical Center located in South Carolina has suffered a security breach of the email account and data drive of an employee. Suspicious activity was noticed in the email account and the forensic investigation affirmed that an unauthorized individual accessed the account first on October 4, 2023. On January 18, 2024, Lexington Medical Center reported that the email account and data drive comprised some files that held patients’ protected health information.

The details in those files included complete names, dates of birth, health record numbers, medical insurance identification numbers, patient charge descriptor data, billing codes, and for some persons, Social Security numbers. There was no proof found that indicates actual or attempted improper use of the impacted information. As required by the HIPAA Breach Notification Rules, notification letters were sent to the affected people on February 12, 2024, and those whose Social Security numbers were compromised were given free credit monitoring services.

The incident is not yet posted on the HHS’ Office for Civil Rights breach portal, the number of impacted individuals is still uncertain.

Link copied to clipboard
Photo of author

Posted by

John Blacksmith

John Blacksmith is a journalist with several years experience in both print and online publications. John has specialised in Information technology in the healthcare sector and in particular in healthcare data security and privacy. His focus on healthcare data means he has specialist knowledge of the HIPAA regulations. John has a degree in journalism.