Reports of Cyberattacks and Data Breaches by Valley Oaks Health, Sycamore Rehabilitation Services, Humana Inc., and Jewish Home Lifecare

50,000-Record Data Breach at Valley Oaks Health, Indiana

Valley Oaks Health, based in Niles, IL, recently notified 50,352 persons of a breach of its system environment. Unauthorized persons had access to sections of its system from June 8, 2023 to June 13, 2023. After the system was secured, third-party cybersecurity specialists assisted in the investigation and reported that files including patient information were compromised and possibly stolen.

The healthcare provider completed the forensic investigation and document analysis on February 2, 2024. In the breach notification submitted to the Maine Attorney General, the particular types of breached data are redacted; however, the notification confirmed the potential exposure of names together with Social Security numbers. Valley Oaks Health mailed consumer notifications on March 18, 2024, and offered free credit monitoring services to those who had their Social Security numbers compromised.

Sycamore Rehabilitation Services Data Breach Impacts 3,414 Individuals

Sycamore Rehabilitation Services, Inc. based in Danville, IL announced an email system breach, which resulted in the exposure of the personal information of 3,414 persons. The company discovered the breach on September 21, 2023, and the forensic investigation revealed that unauthorized access occurred on its network from July 29, 2023 to August 9, 2023. At that time, the following data may have been accessed: names, birth dates, driver’s license/state ID numbers, Social Security numbers, routing numbers, account numbers, health data, and medical insurance data. It was not possible to determine exactly what types of information were acquired in the attack.

Sycamore Rehabilitation Services stated that it had the following security measures in place before the breach happened:

  • All email accounts had multi-factor authentication activated
  • Access to internal resources by users outside of the organization required a VPN
  • Critical patches were implemented every month
  • Email security solutions were all set up
  • All endpoints had protections set up with SentinelOne anti-virus
  • Azure PowerShell access was inactive by default
  • POP/IMAP was inactive by default.

The following measures are already set up to improve security: Breach Secure Now phishing testing, Proofpoint email scanning and security, and DUO MFA on VPN accounts.

The impacted persons received notification letters by mail on March 1, 2024, along with free credit monitoring and identity theft protection services. Sycamore Rehabilitation Services stated that the delay in sending notifications resulted from the lengthy investigation of the breach and the work of identifying the impacted persons.

Humana’s Mailing Errors Impacted Over 10,000 Individuals

Three mailing errors at health insurance company Humana Inc. in Kentucky led to the impermissible disclosure of PHI affecting 10,688 Humana members. On December 8, 2023, a programming problem caused Explanation of Payment documents to be sent to the wrong address. The documents contained first and last names, names of providers, claim payment data, dates of service, and Humana ID numbers.

On December 14, 2023, large print/braille health plan messages were mailed to the wrong people. The error occurred during the correction of an unrelated coding problem: the fix added a date/time stamp to the file naming convention, and that stamp was not a unique identifier. Consequently, the system started overwriting data files as duplicates, which caused another member's letter to be sent. The data impermissibly disclosed involved first and last names, Humana ID numbers, addresses, names of providers, dates of service, claim payment data, prescription drug details, and copay and premium data.
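The failure mode described above, a timestamp used as if it were a unique file name, can be reproduced in a few lines. This is an added illustration, not Humana's code: the member IDs, letter bodies, file naming patterns and function names are all hypothetical, and the batch is assumed to render within one second.

```python
import os
import tempfile
import uuid
from datetime import datetime

# Constructed sample batch of (member_id, letter_body); not real data.
BATCH = [("M001", "Letter for M001"), ("M002", "Letter for M002"),
         ("M003", "Letter for M003")]

def timestamp_name(member_id, now):
    # Flawed convention: the timestamp is the only distinguishing part.
    return f"letter_{now:%Y%m%d_%H%M%S}.txt"

def unique_name(member_id, now):
    # Hardened convention: member ID plus a random component.
    return f"letter_{member_id}_{now:%Y%m%d_%H%M%S}_{uuid.uuid4().hex}.txt"

def render_batch(out_dir, batch, namer, exclusive):
    """Write each letter; return {member_id: path} as a mail step would see it."""
    now = datetime(2023, 12, 14, 9, 0, 0)  # assumed: whole batch in one second
    manifest = {}
    for member_id, body in batch:
        path = os.path.join(out_dir, namer(member_id, now))
        # "x" refuses to replace an existing file; "w" silently overwrites it.
        with open(path, "x" if exclusive else "w") as fh:
            fh.write(body)
        manifest[member_id] = path
    return manifest

def misdirected(manifest, batch):
    """Members whose queued file does not contain their own letter."""
    expected = dict(batch)
    bad = []
    for member_id, path in manifest.items():
        with open(path) as fh:
            if fh.read() != expected[member_id]:
                bad.append(member_id)
    return bad

def demo():
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        flawed = misdirected(render_batch(a, BATCH, timestamp_name, False), BATCH)
        fixed = misdirected(render_batch(b, BATCH, unique_name, True), BATCH)
    return flawed, fixed

if __name__ == "__main__":
    print(demo())
```

Exclusive-create mode turns a silent overwrite into a `FileExistsError`, and the `misdirected` check is the kind of pre-mailing reconciliation that would catch a recipient/content mismatch before anything is printed.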

On January 12, 2024, Broadridge Output Solutions, Inc., Humana's printing supplier in Louisiana, encountered a printing problem that caused the explanation of benefits information of Humana members to be printed on the reverse side of other members' statements. The data impermissibly disclosed contained names, claim data, name of the provider, gender, copay data, deductible and coinsurance details. Humana stated all of the issues were fixed and it did not receive any report of misuse of members' data.

Jewish Home Lifecare Hacking

On January 7, 2023, Jewish Home Lifecare, Inc., a senior health care system in New York, discovered strange activity in its computer systems. Computer forensics specialists confirmed the unauthorized access to its systems and the potential theft of patient data by hackers. The data exposed contained names, addresses, Social Security numbers, birth dates, passport numbers, medical record details, medical treatment data, payment card data, and financial account data. Jewish Home Lifecare has submitted the incident report to the HHS Office for Civil Rights indicating that 501 people were affected. 501 is a placeholder usually employed to satisfy HIPAA's breach reporting requirements if the total number of impacted persons is not yet confirmed.

Posted by

John Blacksmith

John Blacksmith is a journalist with several years' experience in both print and online publications. John has specialised in information technology in the healthcare sector, and in particular in healthcare data security and privacy. His focus on healthcare data means he has specialist knowledge of the HIPAA regulations. John has a degree in journalism.