Moffitt Cancer Center Affected by Vendor Security Breach
Moffitt Cancer Center located in Florida reported a security incident at a vendor that affected its data. The law company, Gunster, Yoakley, and Stewart, was furnished with patient information to provide legal services to Moffitt Cancer Center. Hackers acquired access to the network of the law company and potentially acquired information including names, birth dates, financial account data, Social Security numbers, passport numbers, driver’s license numbers, other government-issued ID numbers, medical data, including medical records numbers, medical insurance benefit data, claims information, and diagnosis and treatment details.
The law company began informing impacted persons in April 2023; but as the investigation moved on, other people were found to have been impacted. More breach notification letters were sent in the succeeding months. Moffitt Cancer Center patients received notifications in April 2024. The number of Moffitt Cancer Center patients that were affected is still unclear.
Zuckerberg San Francisco General Lost Medical Record Book
Zuckerberg San Francisco General in California reported the loss of a medical record book containing patient data in December 2023. The record book included the information of patients from January 11, 2022 to December 12, 2023, which included names, genders, birth dates, medical record numbers, consultation dates, reason for specimen collection, dates of specimen collection, the release of the result, and other types of medical data.
During the announcement, there was no report obtained that suggested any patient data misuse. Zuckerberg San Francisco Hospital is reviewing its guidelines and procedures and giving extra HIPAA training to workers, including security awareness. The incident report submitted to the HHS Office for Civil Rights indicated that 755 individuals were affected.
Database Error Caused Highmark to Send Letters to Previous Addresses
Highmark found out that a database update on August 2023 triggered the sending of care and case management letters to the previous addresses of members. The identified error was fixed in February 2024, but letters from August 2023 to February 2024 were unintentionally sent by mail to the previous addresses of members. The problem only impacted the 5,356 individuals who changed their addresses.
The letters contained the member’s name and Highmark ID number and based on the type of letter sent, possibly a reference number, birth date, employer group name, and number, a range of service dates, a service or procedure code and description, prescription drugs name, and dosage, and the company or facility name. The affected individuals received the notification letters on April 2, 2024.
Highmark stated the problem has been fixed and additional settings were applied to prevent the same incidents later on, which include database adjustments to ensure the correctness of member addresses, tags for the present active address, and verification checks to ensure that only one active address is recorded on the database per member.
North Carolina Dental Practice Encounters a Ransomware Attack
Mary H. Makhlouf, DMD, MS, PA in Burlington, NC recently reported that her practice suffered a ransomware attack on January 24, 2024. Upon discovery of the attack, the network was promptly made secure to avoid extended unauthorized access, and third-party cybersecurity professionals inspected the attack.
The investigation discovered information that parts of patient files had been accessed. Though it cannot be known precisely what information was viewed or stolen from the system, the compromised files included names and at least one of these types of data: address, telephone number, birth date, email address, state ID/driver’s license number, Social Security Number, financial account details, treatment/diagnosis data, prescription details, provider name, Medicaid/Medicare ID number, health record/case number, medical insurance details, and treatment price.
Notification letters will immediately be sent to the impacted people when updated address data has been acquired. The breach report was just filed with the HHS’ Office for Civil Rights indicating that approximately 1,797 persons were affected.
