Roundup of Recent Data Breaches and Cyber Attacks

mscripts Cloud Storage Misconfiguration Exposed PHI for 6 Years

mscripts, a mobile pharmacy company, has reported that a misconfigured cloud storage environment left client information exposed on the internet for roughly six years. mscripts discovered and corrected the misconfiguration on November 18, 2022. According to the third-party forensic investigation, the storage environment had been unsecured since September 30, 2016.

An analysis of the files stored in that environment showed that they contained the protected health information (PHI) of 66,372 patients of partner pharmacies. The data relates to locker pickups from pharmacies and includes photos of insurance cards and prescription bottles that patients submitted through the mscripts web or mobile application. The information that could have been viewed during that period includes names, dates of birth, telephone numbers, addresses, medication names, prescription numbers, originating pharmacy details, health insurer names, group numbers, member IDs, and, in some cases, the names of dependents.

mscripts stated that the problem has been fixed and that its security processes have been improved to prevent a recurrence. Affected individuals have been sent breach notification letters and instructed to monitor their billing statements and prescription notices for unauthorized activity.
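The notice does not say which cloud provider or what the misconfiguration was. As an added example (not mscripts' code, and assuming an S3-style bucket policy and ACL, which the notice does not confirm), the script below is the check a practitioner would run over exported bucket configuration: it flags any Allow statement whose principal is anyone and whose actions include object or listing reads, treats a Condition on such a statement as needing manual review rather than as safe, and flags ACL grants to the AllUsers and AuthenticatedUsers groups. The sample policies, bucket name and ARNs are constructed for the example.

```python
"""Flag S3-style bucket policies and ACLs that grant read access to anyone.

Added example: the provider and policy format are assumptions, not details
from the mscripts notice. The sample policies and ACLs below are constructed.
"""

READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}
# AuthenticatedUsers means any AWS account, not just yours, so it is treated as public.
PUBLIC_ACL_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    """Policy JSON allows a scalar or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (including "*" inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _grants_read(actions) -> bool:
    return any(a.lower() in READ_ACTIONS for a in _as_list(actions))


def find_public_statements(policy: dict) -> list:
    """Return one finding per Allow statement that lets anyone read the bucket."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        if not _grants_read(stmt.get("Action")):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Condition"):
            # A Condition (e.g. aws:SourceVpce) may narrow "*"; do not assume it does.
            findings.append(f"{sid}: public principal with Condition (review manually)")
        else:
            findings.append(f"{sid}: unconditional public read {_as_list(stmt.get('Action'))}")
    return findings


def find_public_acl_grants(acl: dict) -> list:
    """Return findings for ACL grants to the AllUsers / AuthenticatedUsers groups."""
    findings = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_ACL_GRANTEES:
            findings.append(f"ACL grants {grant.get('Permission')} to {uri.rsplit('/', 1)[-1]}")
    return findings


def audit_bucket(name: str, policy: dict, acl: dict) -> list:
    return [f"{name}: {f}" for f in find_public_statements(policy) + find_public_acl_grants(acl)]


# Constructed samples: an exposed configuration and its corrected counterpart.
EXPOSED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::patient-uploads/*"},
        {"Sid": "ListFromVpc", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::patient-uploads",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
}
LOCKED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRoleRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/pharmacy-app"},
         "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::patient-uploads/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": "arn:aws:s3:::patient-uploads/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}
EXPOSED_ACL = {"Grants": [{"Grantee": {"Type": "Group",
                                       "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                           "Permission": "READ"}]}
CLEAN_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
                         "Permission": "FULL_CONTROL"}]}

if __name__ == "__main__":
    for name, policy, acl in [("patient-uploads (before)", EXPOSED_POLICY, EXPOSED_ACL),
                              ("patient-uploads (after)", LOCKED_POLICY, CLEAN_ACL)]:
        findings = audit_bucket(name, policy, acl)
        print("\n".join(findings) if findings else f"{name}: no public access found")
```

The exposed sample produces three findings (an unconditional public GetObject statement, a public ListBucket statement that carries a Condition and so is flagged for review, and an ACL READ grant to AllUsers); the corrected sample produces none. The Deny statement with a Condition is ignored deliberately: it restricts access rather than granting it.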

Care Dimensions Reports Website Exposure and Theft of Payment Card Data

Care Dimensions, based in Danvers, MA, provides palliative, hospice, and home primary care services. It has submitted a data breach report to the Maine Attorney General indicating that up to 1,713 individuals were affected. Care Dimensions discovered that its donation page had been altered and that malicious code had been installed to steal donors' payment card information.

According to the forensic investigation, the malicious code was installed on February 18, 2022, and allowed an unidentified threat actor to capture payment card details each time a donation was made. The stolen data included cardholder names, contact details, debit and credit card numbers, CVV codes, and expiration dates. Client-side skimmers of this kind capture card data as the donor types it into the form, which is why CVV codes, which a merchant is not permitted to retain after authorization under PCI DSS, were among the stolen fields. Care Dimensions removed the malicious code on December 8, 2022.

The breach affects everyone who donated through the website between February 18, 2022 and December 8, 2022. Those individuals were advised to check their financial account statements regularly for fraudulent or unusual activity and to report any unauthorized transactions promptly. They were also advised to place security freezes and fraud alerts with the credit agencies. Care Dimensions said third-party cybersecurity professionals have completed a full review of the code on its website and conducted penetration tests to remediate the vulnerabilities that were exploited.

Brooks Rehabilitation Announces Impermissible PHI Disclosure Due to Website Tracking Technology

Brooks Rehabilitation, a medical rehabilitation services network based in Florida, has notified 1,554 patients of an impermissible disclosure of PHI to third parties resulting from the use of pixels and cookies on its website.

Pixels and cookies are added to a website to monitor user activity and improve the user experience. Brooks Rehabilitation recently discovered that these technologies collected user data and transmitted it to the technology companies that supplied the code. The investigation determined that the following types of data could have been impermissibly disclosed to those companies: name, telephone number, computer IP address, email address, other information entered in the website's comments section, and the Brooks pages visited during the session. Brooks Rehabilitation stated it could not determine whether any of that data was further disclosed or used by the technology companies, for example for targeted marketing.

Brooks Rehabilitation said the tracking technologies were removed in December 2022 and will not be reinstated unless it can be confirmed that they do not transmit user data.
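The Care Dimensions and Brooks Rehabilitation incidents are two faces of the same control gap: code running in the visitor's browser that the site owner did not authorize (an injected skimmer) or did not fully understand (a vendor's pixel). As an added example that is not the code of either organization, the audit below parses a page with Python's standard-library HTML parser, inventories external script, image and iframe sources plus inline scripts and form targets, and reports anything loaded from a host outside a first-party allowlist or any inline script whose CSP-style `sha256-` hash is not in a reviewed baseline. The hostnames, the donation-page HTML and the "injected" inline script are constructed for the example; the hash format is the one `script-src` accepts, so a passing baseline can be reused directly in a Content-Security-Policy header.

```python
"""Audit a page for third-party loads and unreviewed inline scripts.

Added example with constructed HTML and hostnames; not code from Care
Dimensions or Brooks Rehabilitation. Runs offline on the sample page.
"""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

FIRST_PARTY_HOSTS = {"www.example-hospice.org", "static.example-hospice.org"}  # assumption


class PageInventory(HTMLParser):
    """Collects external script/img/iframe sources, inline script bodies and form targets."""

    def __init__(self):
        super().__init__()
        self.external = []        # (tag, url) for src-bearing script/img/iframe tags
        self.inline_scripts = []  # body text of each <script> without src
        self.forms = []           # form action URLs
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.external.append(("script", a["src"]))
            else:
                self._in_script, self._buf = True, []
        elif tag in ("img", "iframe") and a.get("src"):
            self.external.append((tag, a["src"]))
        elif tag == "form" and a.get("action"):
            self.forms.append(a["action"])

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)  # script content may arrive in several chunks

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline_scripts.append("".join(self._buf))


def csp_sha256(source: str) -> str:
    """CSP hash-source for an inline script body, e.g. 'sha256-<base64 digest>'."""
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def host_of(url: str) -> str:
    """Hostname of an absolute URL; '' for relative URLs, which are first-party by definition."""
    return urlparse(url).hostname or ""


def audit_page(html: str, first_party: set, inline_baseline: set) -> list:
    """Return findings for third-party loads, unreviewed inline scripts and off-site form posts."""
    inv = PageInventory()
    inv.feed(html)
    findings = []
    for tag, url in inv.external:
        host = host_of(url)
        if host and host not in first_party:
            findings.append(f"third-party {tag} loaded from {host}")
    for body in inv.inline_scripts:
        digest = csp_sha256(body)
        if digest not in inline_baseline:
            findings.append(f"inline script not in baseline ({digest})")
    for action in inv.forms:
        host = host_of(action)
        if host and host not in first_party:
            findings.append(f"form posts to third-party host {host}")
    return findings


# Constructed sample: a reviewed inline script, an unreviewed one, and a tracking pixel.
KNOWN_GOOD_INLINE = "document.getElementById('amount').focus();"
UNREVIEWED_INLINE = ("document.body.appendChild(Object.assign(document.createElement('script'),"
                     " {src: 'https://cdn.example-adtech.net/t.js'}));")
INLINE_BASELINE = {csp_sha256(KNOWN_GOOD_INLINE)}

DONATION_PAGE = (
    '<html><head><script src="https://static.example-hospice.org/js/donate.js"></script>'
    "<script>" + KNOWN_GOOD_INLINE + "</script>"
    "<script>" + UNREVIEWED_INLINE + "</script></head>"
    '<body><form action="/donate" method="post"><input id="amount" name="amount"></form>'
    '<img src="https://tracker.example-adtech.net/pixel.gif?page=donate" width="1" height="1">'
    '<img src="/images/logo.png"></body></html>'
)
CLEAN_PAGE = (
    '<html><head><script src="https://static.example-hospice.org/js/donate.js"></script>'
    "<script>" + KNOWN_GOOD_INLINE + "</script></head>"
    '<body><form action="/donate" method="post"></form><img src="/images/logo.png"></body></html>'
)

if __name__ == "__main__":
    for label, page in (("donation page", DONATION_PAGE), ("clean page", CLEAN_PAGE)):
        for finding in audit_page(page, FIRST_PARTY_HOSTS, INLINE_BASELINE) or ["no findings"]:
            print(f"{label}: {finding}")
```

Run against a saved copy of the live page (or a fetched copy, on a schedule) this gives a diffable inventory; the two findings on the sample page are the pixel from `tracker.example-adtech.net` and the inline script absent from the baseline. Note the limitation the Brooks incident illustrates: an approved first-party script can itself load third-party code at runtime, so the static inventory is a necessary check, not a sufficient one, and should be paired with a CSP that restricts `script-src` and `connect-src` to the hosts actually needed.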

Email Account Breach at Minuteman Senior Services

Minuteman Senior Services, a senior care provider based in Bedford, MA, has reported unauthorized access to an employee's email account between November 21 and November 30, 2022. Third-party data analysis specialists are conducting a programmatic and manual review of all messages and attachments in the account to determine the scope of the breach.

The data potentially compromised includes full name, address, date of birth, gender, health insurance details, diagnosis, and service usage; the data exposed varies from one patient to another. Because the number of affected individuals is not yet known, Minuteman Senior Services reported the incident to the HHS Office for Civil Rights using a placeholder figure of 500 individuals. It will send notification letters once the review is complete and will update the figure submitted to OCR when the scope of the incident is confirmed.

This is the second email account breach Minuteman Senior Services has reported in the past 12 months. The first incident occurred on June 1, 2022; the unauthorized access was identified and blocked within 24 hours, and around 4,000 individuals were affected.

Data Breach at the Center for Autism and Related Disorders

The Center for Autism and Related Disorders (CARD), located in Portland, OR, has notified certain patients of an impermissible disclosure of some of their personal data caused by an error at a third-party billing vendor. The error occurred when the software used to generate patient invoices was updated, and resulted in some invoices being sent to unrelated patients.

The invoices contained HIPAA-protected data such as patient names, CARD internal reference numbers, and payment records, including patient payments, adjustments, account balances, and insurance payments. No other data was involved. The error was quickly identified and corrected, and it affected only the patient cost-sharing amounts on the January 2023 billing statements. Processes for detecting errors of this kind have been improved to prevent further mailing problems.

The incident has not yet been posted on the HHS breach portal, so the number of affected individuals is not yet known.

Ransomware Attacks on Lehigh Valley Health Network and MKS Instruments

Lehigh Valley Health Network (LVHN), based in Pennsylvania, has reported a ransomware attack that it discovered on February 6, 2023. The attack has been attributed to BlackCat, the Russian-speaking ransomware group. A ransom was demanded, but LVHN did not pay.

LVHN President and CEO Brian A. Nester said the attack did not affect operations, and the health network continued to accept patients for care and treatment. Although the investigation is ongoing, Nester said the attack involved a network supporting a physician practice in Lackawanna County. That network hosted a system used to store sensitive data, including clinically appropriate patient images related to radiation oncology treatment. The practice is believed to be Delta Medix in Scranton, PA. It is not yet known whether other physician practices were affected.

The LVHN technology team began an investigation after detecting suspicious activity on its systems. It promptly secured its network and engaged third-party cybersecurity professionals to conduct a forensic investigation into the nature and extent of the attack. Once those professionals have finished reviewing the data involved, LVHN will notify the affected individuals. LVHN called attacks of this kind reprehensible and said it is investing in the resources needed to address the incident.