277,000 Santa Clara Household Well being Plan Members Affected by GoAnywhere Hack

Posted By HIPAA Journal on Apr 25, 2023

Information breaches have not too long ago been introduced by Santa Clara Household Well being Plan, United Steelworkers Native 286, Robeson Well being Care Company, Two Rivers Public Well being Division, and NewBridge Companies.

Santa Clara Household Well being Plan Confirmed as Sufferer of Clop GoAnywhere Hack

Santa Clara Household Well being Plan has confirmed the 276,993-record information breach reported to the HHS’ Workplace for Civil Rights on March 30, 2023, was as a result of hacking of Fortra’s GoAnywhere MFT answer by the Clop ransomware group. The group exploited a beforehand unknown (zero-day) vulnerability, exfiltrated information, however didn’t encrypt recordsdata. 130 organizations fell sufferer to the assaults over a 10-day interval in late January/early February this yr.

The incident affected NationsBenefits, which offers supplemental advantages administration companies to a number of well being plans, together with Santa Clara Household Well being Plan. NationsBenefits discovered of the assault on February 7, 2023, and was knowledgeable by Fortra that the assault occurred on or round January 30, 2023. On February 13, 2023, NationsBenefits confirmed that the information compromised within the assault included protected well being data akin to title, handle, telephone quantity, gender, date of start, medical health insurance quantity, medical ID quantity, Social Safety quantity, date(s) of service, medical gadget or product bought, and supplier/caregiver title. NationsBenefits stated it has stopped utilizing the GoAnywhere answer and is implementing a spread of further measures to strengthen safety.

United Steelworkers Native 286 Safety Breach Impacts Nearly 38,000 Well being Plan Members

United Steelworkers Native 286 has found an unauthorized particular person gained entry to an worker e mail account that included the protected well being data of 37,965 members of its well being plan. The e-mail account breach was detected on February 13, 2023, and the forensic investigation confirmed the e-mail account was accessed between June 16, 2022, and July 18, 2022.

A guide doc evaluation confirmed the account contained full names, Social Safety numbers, dates of start, monetary account numbers, driver’s license and/or state identification numbers, passport numbers, monetary account numbers, medical remedy data, medical file numbers, biometric data, and medical health insurance data.

No proof of misuse of plan member information has been uncovered; nonetheless, as a precaution in opposition to id theft and fraud, people whose Social Safety numbers have been uncovered have been supplied complimentary credit score monitoring companies. United Steelworkers Native 286 stated safety measures have been in place and are frequently evaluated and modified to make sure the privateness and safety of worker information.

Two Rivers Public Well being Division Stories Microsoft 365 Account Breach

Two Rivers Public Well being Division (TRPHD) in Nebraska has not too long ago confirmed that the protected well being data of 15,168 sufferers was saved in an worker Office365 account that was accessed by an unauthorized third celebration.

TRPHD stated suspicious exercise was detected inside its server infrastructure on November 9, 2022. The preliminary investigation carried out by a third-party IT agency concluded that affected person information had not been compromised; nonetheless, out of an abundance of warning, an exterior forensic investigation agency was engaged to totally examine the safety breach and confirmed that an Workplace 365 account was accessed by an unauthorized particular person between September 14, 2022, by means of November 8, 2022. The evaluation of the account confirmed it contained protected well being data, though the press launch issued didn’t state what forms of data had been uncovered.

TRPHD stated the doc evaluation was accomplished on March 15, 2023, and notifications have been mailed to affected people on April 14, 2023. Further safety measures have been applied to higher safe its methods in opposition to unauthorized entry.

Robeson Well being Care Company Discovers Malware An infection

Robeson Well being Care Company in Pembroke, NC, has reported a knowledge breach to the Maine Legal professional Common that has affected as much as 15,045 people. Based on the notification, malware was detected inside its community on February 21, 2023. The following forensic investigation confirmed that an unauthorized third celebration had entry to its methods between February 17, 2023, and February 21, 2023.

Whereas proof of information theft was not discovered, it couldn’t be dominated out. The doc evaluation confirmed the next forms of data have been uncovered: title, handle, Social Safety quantity, date of start, remedy data/prognosis, treating doctor, medical file quantity, affected person ID quantity, Medicare/Medicaid quantity, prescription data, medical health insurance data, and remedy prices. Notifications have been mailed on April 21, 2023, and complimentary credit score monitoring and id theft safety companies have been supplied. Safety has been enhanced to forestall related incidents sooner or later, together with implementing multi-factor authentication for all customers.

NewBridge Companies Hacking Incident Impacts 1,457 People

The Pequannock, NJ-based counseling service supplier, NewBridge Companies, stated an unauthorized particular person gained entry to its methods and doubtlessly accessed and obtained the protected well being data of 1,457 people. The safety breach was detected on January 26, 2023, when sure methods have been disrupted. The forensic investigation confirmed on January 28, 2023, that protected well being data had been uncovered, though no proof was discovered of precise or tried misuse of that data.

The uncovered data included names, Social Safety numbers, dates of start, remedy data, supplier data, prescription data, fee data, and medical health insurance data. Written notifications have been mailed to affected people on April 17, 2023, and safety has been augmented to forestall related incidents sooner or later.