Healthcare Data Breaches at Cardiothoracic and Vascular Surgeons, Health Diagnostic Management, Erie Family Health Centers, and BlueCross BlueShield of Tennesse

The following companies have reported data breaches in December 2023: Cardiothoracic and Vascular Surgeons, Erie Family Health Centers, ZOLL Medical Corporation, Health Diagnostic Management, Rush System for Health, and BlueCross BlueShield of Tennesse.

Cyberattack on Cardiothoracic and Vascular Surgeons

Cardiothoracic and Vascular Surgeons based in Texas learned on October 13, 2023 that an unauthorized individual accessed its systems. As per the forensic investigation, there was unauthorized access to its IT systems from October 12 to October 13, 2023, and at that time, an unauthorized third party potentially accessed or acquired files that contained patient data.

The analysis of the compromised files is in progress, but these types of data are likely to have been exposed: names of individuals, Social Security Numbers, credit card data, financial account data, account numbers and passwords, driver’s licenses, birth dates, medical record numbers, medical insurance data, patient account numbers, names of doctor or medical professional, treatment details, diagnosis codes,
procedure codes, Medicaid/Medicare numbers, dates of treatment, prescription details, diagnosis and symptoms data.

Cardiothoracic and Vascular Surgeons stated they are going over their policies, procedures, and processes associated with the safe-keeping and access of sensitive data to minimize the possibilities of the same future occurrence. Since the number of people impacted is not yet certain, the breach report submitted to the HHS’ Office for Civil Rights includes a temporary number of 500 persons and will be modified when the file analysis is done.

ZOLL Medical Corporation Phishing Attack

ZOLL Medical Corporation has recently reported that it suffered a sophisticated phishing attack after an employee replied to a phishing email and exposed credentials that allowed access to the email account. Based on the breach notice sent to the Maine Attorney General, the phishing attack happened on August 2, 2023, and was discovered on November 1, 2023.

The analysis of the email account affirmed it included names, Social Security numbers, and addresses. The breach report submitted to the Maine Attorney General indicated that 15,276 persons were affected. The HHS’ Office for Civil Rights breach website listed the compromise of 8,898 individuals’ protected health information (PHI). ZOLL Medical has provided the impacted persons with credit monitoring and identity theft protection services for 36 months.

Erie Family Health Centers Email Account Breach

Erie Family Health Centers recently reported the potential access or theft of the PHI of 6,351 patients by an unidentified threat actor who acquired access to an employee’s email account on October 1, 2023. The healthcare provider detected the email account breach on October 19, 2023 and immediately secured the account. A cybersecurity firm helped to find out if patient information was viewed. No proof was found indicating the unauthorized access to patient information nor the exposure of patient information to the dark web. The data in the account contained names, birth dates, medical record numbers, lab test tracking numbers, dates of service, and insurance ID numbers. Impacted patients were provided with free credit monitoring services.

Patient Portal Breach at Health Diagnostic Management

Health Diagnostic Management (HDM) based in New York offers non-medical administration services for diagnostic imaging centers. It experienced a security breach of its patient website on October 12, 2023. The vendor that manages the HDM patient website discovered suspicious activity on October 13, 2023. Upon investigation, it was found that the credentials of a referring doctor from Brooklyn Premiere Orthopedics had been employed to gain access to the patient portal. Brooklyn Premiere Orthopedics reported that it had experienced a data breach the previous week, detecting the unauthorized activity that led HDM to deduce the theft of the credentials in that breach.

The analysis of the impacted accounts ended on November 21, 2023, and impacted persons received notifications on October 16, 2023. Impacted persons were provided free credit monitoring services. HDM put extra security measures, and a third-party vendor performs penetration tests on the patient website after adding the security updates. The breach report submitted to the HHS Office for Civil Rights indicated that 1,863 individuals were affected.

MOVEit Hack Impacts BlueCross BlueShield of Tennessee

BlueCross BlueShield of Tennessee (BCBST) has reported the theft of the PHI of 1,665 members by the Clop hacking group via exploiting a zero-day vulnerability identified in the MOVEit Transfer tool of Progress Software. BCBST business associate NASCO used MOVEit Transfer for file transfers. The exploitation of the vulnerability happened on May 30, 2023, and NASCO found out about the breach on July 12, 2023, and informed BCBST regarding the incident on October 20, 2023. The compromised data was confined to medical insurance numbers, claim details, group numbers and names, medical ID numbers, procedure codes, dates of service, and names of providers. NASCO informs the impacted BCBST members and provides identity monitoring service for 24 months.

Email Error by Rush System for Health

Rush University System for Health made an email error that led to the misdirection of research surveys on October 25, 2023. Only the names of patients were exposed being obvious to another survey recipient. The mistake happened because of an error in a spreadsheet that was erroneously aligned while sorting information and thus the names of 4,961 patients were impermissibly disclosed.