13,345 Pomona Valley Hospital Medical Center Patients Affected by Data Breach
Pomona Valley Hospital Medical Center based in California is informing 13,345 people about a data breach that occurred at a subcontractor of a business associate. The hospital hired a provider to work on its patient-management program, and the provider subcontracted another company to work on the safekeeping of the information. In November 2023, the provider could not access the patient management program and worked with its subcontractor to deal with the issue. The cause of the access problems was a ransomware attack.
The attacker was found to have viewed patient information, which included names, birth dates, medical record numbers, and clinical data like doctors’ notes, allergies, diagnoses, and prescription drugs. The hospital reviewed the information that was affected, confirmed contact details, and sent notification letters to the impacted persons. The hospital has stated that the vendor or subcontractor is no longer involved in working on patient information.
Massachusetts Department of Developmental Services Announces PHI Exposure
The Massachusetts Department of Developmental Services (DDS) is a state bureau that supports people with developmental and intellectual handicaps throughout the state. It identified a compromise of its physical files which were viewed by unauthorized persons.
Personal records comprising protected health information (PHI) were accidentally left in structures that belong to the former Walter E. Fernald Developmental Center campus based in Waltham, MA, which the city of Waltham bought in 2014. The documents contained the PHI of people served by the DSS at the Fernald Developmental Center, along with certain employee records. DDS got a complaint concerning the files on January 11, 2024, and stopped at the facilities to get back the records the next day.
The records were erroneously put away in the properties since 2014 and many records were worn out, thus it wasn’t possible to say the specific types of information that were breached. Several documents included names, birth dates, health data, diagnoses, prescription drug data, and other treatment details. Financial account data or Social Security numbers were not identified, yet DDS stated it could not validate if those types of data were compromised considering the state of the records. Also, it might not be possible to know the exact number of persons that were impacted. An interim number of 500 persons was employed when filing the breach report. DDS is currently waiting for tips from the State Archivist and the Secretary of State’s Office on the preservation time of the documents.
Lindsay Municipal Hospital Cyberattack by Bian Lian Hacking Group
Lindsay Municipal Hospital located in Oklahoma submitted a hacking incident report to the HHS’ Office for Civil Rights (OCR) indicating that 500 individuals were affected. That figure is only used as a placeholder to comply with HIPAA breach reporting requirements in case the number of impacted persons is not yet confirmed.
Other than the report submitted to OCR, Lindsay Municipal Hospital has no additional information regarding the cyberattack and data security breach. But the Bian Lian hacking group professed to be responsible for the attack and included Lindsay Municipal Hospital on its data leak website with proof to back up its claims.
Bian Lian started operations in 2021 and prefers to attack healthcare companies, manufacturing firms, and law agencies because of their greater potential for high ransom payments. The group uses double extortion tactics, which means data theft is involved, and payment is demanded to stop the exposure of the stolen data and to get the keys to decrypt the files. Based on the listing, the stolen information will be published soon. It is not clear if Lindsay Municipal Hospital is bargaining with the attacker.
Health Plan Intermediaries Holdings (Benefytt) Impacted by Vendor Cyberattack
Health Plan Intermediaries Holdings, also known as Benefytt, recently reported being impacted by a data breach that occurred at a business associate of Multiplan Inc., its vendor. Multiplan hired the law firm, Orrick, Herrington & Sutcliffe, LLP, which experienced a ransomware attack. According to Benefytt, the attack did not affect its network and those of Multiplan; nevertheless, the information given to the law agency to carry out its contracted responsibilities was potentially compromised. Orrick, Herrington & Sutcliffe detected the cyberattack on March 13, 2023, and confirmed on March 10, 2023 the theft of files that contain sensitive information. Benefytt mentioned neither Orrick nor MultiPlan could know which medical insurance plans were impacted. It is collaborating with the two providers to get the required data to send notifications.
Benefytt stated it is informing all impacted people and is providing them with free credit monitoring services. Orrick, Herrington & Sutcliffe submitted the breach report to the HHS’ Office for Civil Rights on June 30, 2023 indicating that 40,823 individuals were affected; nevertheless, the total was changed to 152,818 persons, and the breach notification sent to the Maine attorney General in December 2023 indicated that 637,620 persons were impacted. The number of impacted Multiplan/Benefytt health plan members is currently uncertain.
