Third-Party Hack Leads To Theft Of Patient Data For Over 251,000

An Austin, Texas-based third-party administrator began notifying over 250,000 patients that their data was stolen. (U.S. Air Force)

Austin, Texas-based Bay Bridge Administrators, a third-party administrator of insurance products, recently began notifying more than 251,000 patients that their data was stolen after a network hack in September 2022.

The “network disruption” was first detected on Sept. 5, which prompted BAA to secure the network and engage with an outside cybersecurity firm to investigate. Forensics showed that the attacker had gained access more than a week before being discovered, which enabled them to exfiltrate “certain data” from the network on Sept. 3.

BBA appears to explain the lengthy delay in notifying patients to a “thorough investigation” that concluded on Dec. 5. Under the Health Insurance Portability and Accountability Act, covered entities have 60 days without undue delay to inform patients of possible data exposure.

The notice uses language to suggest that the breach was not discovered until months after the initial hack and data theft. The Department of Health and Human Services has warned against this type of notice, urging providers to inform patients of possible privacy violations “even if it is initially unclear whether the incident constitutes a breach as defined in the rule.”

For patients tied to BBA, the compromised data was tied to “individuals enrolled in some employment insurance benefits administered” by the business associate in 2022.

The stolen data varied by individual and could include Social Security numbers, contact details, driver’s licenses or state identification numbers, medical data, health insurance information, and/or dates of birth.

Behavioral health provider reports September hack, data exfiltration

In a similar notice to BBA, Circles of Care in Florida is beginning to notify 61,170 patients that their data was stolen after a network hack detected on Sept. 21, 2022.

An investigation deployed with support from a third-party independent cybersecurity team found the attacker first accessed the network on Sept. 6 and used the access to obtain certain information. The investigation concluded on Nov. 29, 2022.

The stolen data could include patient names, dates of birth, SSNs, contact information, driver’s license numbers, bank account and routing numbers, medical account numbers, provider names, dates of service, diagnoses, and procedure codes.

Circles of Care is currently working to bolster its existing cybersecurity safeguards and strengthening employee cybersecurity training and policies to prevent a recurrence.

Ransomware attack on Home Care Providers of Texas impacts 124K

The data of 124,363 patients of Home Care Providers of Texas was encrypted and potentially exfiltrated after a ransomware attack in 2022.

HCPT “learned a portion of the network environment was affected by a cyberattack that caused encryption of certain files stored on the network” on June 29. It’s unclear whether the attack was launched prior to that date. According to the notice, “in addition to encrypting files, an unauthorized party removed a limited number of files from our systems.” 

Upon discovery, the team notified law enforcement and launched an investigation. The “extensive forensic investigation and comprehensive review” of the impacted data concluded on Nov. 15, which could explain the lack of timely notification.

Regardless, the investigation confirmed personal and health information was indeed accessed by the attacker for two weeks in June. The data could include patient names, SSNs, dates of birth, contact information, treatments, diagnoses, and certain prescription data.

Captify Health reports three-year hack of patient credit card data

The credit card information of 244,296 patients who used the Your Patient Advisor by Captify Health was possibly accessed and misused over the course of three years, after a threat actor installed malicious code onto its payment portal. Your Patient Advisor is an online retailer of colonoscopy preparation kits.

The malicious code was only found after Your Patient Advisor was contacted in March 2021 “regarding fraudulent use of consumer credit cards potentially related” to its payment card environment. The news prompted an internal investigation with support from an outside forensics firm.

The team found that malicious code was first injected into the payment platform in May 2019, which led to the exfiltration of data that continued until April 20, 2022. Nearly 18 months later, the analysis, concluded on Oct. 13, 2022, found that some information was possibly exposed during the lengthy hack.

The data could include full names, addresses, dates of birth, payment card numbers, expiration dates, and security codes. Only payment card data was impacted.

Your Patient Advisor has since implemented additional measures to secure its online ordering platform and took “steps to ensure its platform is safe and secure for all purchases.” While it’s not a reportable HIPAA breach, it should serve as a reminder for providers to review all connected applications used by patients to ensure data privacy and security.

Mindpath Health just now reporting email hack from early 2022

An undisclosed number of patients with ties to Mindpath Health in California are learning that their data was possibly accessed by a threat actor during the hack of two employee email accounts during the first half of 2022.

Mindpath first discovered suspicious activity during a routine audit of its email environment, prompting the provider to secure the platform. A third-party forensic firm supported an audit into the account and found that the accounts were accessed on two separate occasions: once in March 2022 and again in June 2022.

The investigation concluded on Nov. 15, 2022, which could explain the delay in notifying patients. As SC Media previously reported, email hacks commonly lead to delayed patient notices due to the sheer time and effort needed for forensics.

For Mindpath, the compromised data varied by patient and could include names, SSNs, contact information,  dates of birth, diagnoses, treatments, health insurance information, and prescriptions.

The Elizabeth Hospice reports insider wrongdoing tied to 35,496 patients

California-based The Elizabeth Hospice (TEH) recently informed 35,496 current and former patients that their data was exposed after an employee forwarded email from her workforce account to a personal email account.

On Oct. 21, TEH discovered the employee was forwarding business emails to her personal account while employed at the hospice. The employee is no longer with TEH. The discovery prompted an internal review of the employee’s work account, which determined patient information was possibly exposed as a result of the employee’s wrongdoing.

The compromised data involved patient names, patient account numbers, dates of admissions and discharge, and basic health information. No SSNs, financial account information, or banking card information was involved.

Rose Hospital reports cyberattack, exfiltration of patient data

Hayward Sisters Hospital d/b/a St. Rose Hospital recently sent a supplemental notice to an undisclosed number of patients, describing a Nov. 29, 2022, cyberattack that led to the possible exfiltration of their personal information.

Upon discovering suspicious activity, an investigation was launched with help from third-party computer forensic specialists. They found that a hacker gained access to several computer systems on the network and “acquired certain files from those systems on or about Nov. 18, 2022.”

St. Rose Hospital has since identified the affected files and concluded a review of the data, which confirmed the stolen data could include patient names, SSNs, dates of birth, email addresses, and home addresses. The investigation is ongoing.

The hospital has since implemented additional security measures to prevent a recurrence and contacted federal law enforcement.