American Healthcare Systems and Rutgers Robert Wood Johnson Medical School have spotted email incidents due to the unauthorized access/disclosure of patient information, while Cherry Health Services suffered a ransomware attack.
Email Security Incident at Randolph Health
American Healthcare Systems LLC, also known as Randolph Health in North Carolina, found a breached staff email account on February 14, 2024. The email account was quickly secured to stop unauthorized access. Third-party cybersecurity specialists were involved in investigating the incident. The investigation revealed that the breach was restricted to one email account, and analysis of the account showed that files were found to include the protected health information (PHI) of 899 individuals.
The compromised information included complete names, birth dates, medical record numbers, medical insurance ID numbers, and diagnosis codes. Randolph Health mentioned it wasn’t possible to say with certainty if the files were viewed or stolen, thus notification letters had been mailed to all possibly impacted patients. Randolph Health mentioned it is determined to keep the confidentiality of the personal data of its patients and has taken action to enhance security and will go over its security practices, which may include HIPAA training requirements.
Rutgers Robert Wood Johnson Medical School Email Account Breach
Rutgers Robert Wood Johnson Medical School located in New Brunswick, NJ, has discovered an email incident that affected the PHI of 543 individuals. On February 1, 2024, the medical school learned that an ex-employee had copied patient information from their work email account to a personal email account. Several files were emailed including spreadsheets with patient information, such as patient names, treatment data, medicine data, and medical record numbers. The data was transmitted to the personal email account on January 19, 2024.
The impacted persons were informed through mail on April 1, 2024, and the incident was reported to authorities for inspection and proper action. The impacted persons were informed to check the transaction reports they get from their healthcare companies and medical insurance plans for any offerings they have not acquired. In case they see something, they need to report it to the appropriate service provider or health plan.
Cherry Health Services Experiences Ransomware Attack Impacting 184,000 Patients
Cherry Street Services, Inc., operating as Cherry Health Services, suffered a ransomware attack last December 2023. Cherry Health is the biggest federally-qualitfied health center (FQHC) in Grand Rapids, MI. It manages 20 healthcare facilities in six counties in Michigan and offers healthcare services to underserved communities, irrespective of insurance standing or their capability to pay for medical care.
The healthcare company said it encountered network issues on December 21, 2024, that held back access to parts of its computer network. Third-party cybersecurity professionals investigated the incident and confirmed the access of unauthorized persons to some files on its system. The evaluation of the impacted files was finished on March 25, 2024. The results confirmed that the attack resulted in the breach of PHI, including names, addresses, telephone numbers, birth dates, medical insurance data, patient ID number, health insurance ID number, name of provider, service date, diagnosis/treatment details, prescription details, Social Security numbers and/or financial account data. The types of data compromised differed from person to person.
Although healthcare information was possibly stolen during the attack, Cherry Health stated it is not aware of any cases of actual or attempted patient data misuse; nevertheless, as a preventative measure, the impacted persons were provided a year of free credit monitoring services, which consists of dark web tracking for the posting or sale of sensitive personal data, an identity theft insurance coverage worth $1 million, and identity theft identity recovery solutions. Cherry Street mentioned it began taking action to enhance its technical safety measures to avoid the same incidents later. The incident report was submitted to the Maine Attorney General indicating that 184,372 people were affected.
