Cyberattacks Impact ConsensioHealth, Southeastern Orthopaedic Specialists, Sharp Health Plan and Rebekah Children’s Services

61,000 ConsensioHealth Patients Affected by Ransomware Attack

ConsensioHealth, a medical billing service based in Wisconsin, recently notified 60,871 persons of a ransomware attack in July 2023. The attack was detected on July 3, 2023, when employees could not access files on its system. Steps were quickly taken to stop the unauthorized access. Third-party cybersecurity professionals assisted with the investigation to determine whether the attackers accessed or stole patient data from its systems, and the investigation confirmed the data theft. On November 7, 2023, it was reported that some files included the information of patients from the covered entities listed below:

  • Ascension Wisconsin
  • Emergency Medicine Specialists, S.C.
  • Dr. Linda Jingle
  • Fox Valley Emergency Medicine
  • Kenosha Urgicare
  • Woundcare Innovations of Golf Land
  • Wisconsin Urgent Care

The affected data differed from one person to another and might have involved these data elements: name, address, birth date, Social Security number, driver’s license or other state ID number, account access details, medical insurance data, medical treatment and diagnosis details, medical treatment cost details, Medicare or Medicaid number, patient account number, healthcare provider information, and prescription details.

ConsensioHealth stated it evaluated and updated its data security procedures. Additional security options were put in place.

35,500 Southeastern Orthopaedic Specialists Patients Affected by Data Breach

Southeastern Orthopaedic Specialists, based in Greensboro, NC, has discovered unauthorized access to its system that potentially resulted in the theft of the PHI of 35,533 patients.

The substitute breach notice published on December 19, 2023 by Southeastern Orthopaedic Specialists lacks meaningful information regarding the data incident. The breach notice doesn’t say when the breach happened, when it was discovered, how long the attackers had access to the system, whether they accessed patient information, whether there was data theft, what types of information were compromised or stolen, or the nature of the cyberattack.

The notice only mentioned that no proof of fraud or identity theft was found, which could lead the impacted people to think that there is minimal risk. The inadequate details in the substitute breach notice make it hard for the impacted persons to gauge the level of risk they face. The breach was severe enough to prompt the offer of free credit monitoring and identity theft protection services to the affected individuals. The victims are strongly advised to use those services because the NoEscape ransomware group claimed responsibility for the attack and claimed it exfiltrated 3 GB of data from the practice's system.

Data of Healthcare Clients Exposed in Burr & Forman Cyberattack

The Burr & Forman law firm in Birmingham, Alabama recently reported a cyberattack in October 2023 that led to unauthorized access to client information, including that of two HIPAA-covered clients. It discovered suspicious activity on one of its laptop computers in October. The laptop was instantly secured to stop further access.

According to the law firm Constangy, Brooks, Smith & Prophete, which represents Burr & Forman, the cyberattack was discovered quickly and was immediately secured. However, it was impossible to stop the unauthorized access to the files stored on its systems. Confirmation was given on November 10, 2023 that the data of its client Oceans Healthcare and of another unnamed HIPAA-covered entity was accessed. The personal data and PHI of 19,893 people were compromised.

Burr & Forman received the personal data as part of the legal services it offered to its healthcare clients. That data contained names, dates of service, medical coding data, insurance details, and Social Security numbers. Burr & Forman confirmed in its substitute breach notification that it is informing the affected people and has offered resources to help them. It has also improved network security to prevent similar breaches in the future.

MOVEit Hack and Mismailing Incident at Sharp Health Plan

Sharp Health Plan has reported the compromise of the PHI of 9,255 members in a hacking incident that happened at Delta Dental of California, its business associate and affiliate. Delta Dental of California used Progress Software's MOVEit Transfer solution for file transfers. Progress Software released a patch on May 31 to fix a zero-day vulnerability, but the Clop hacking group had already exploited the vulnerability from May 27 to May 30, 2023, so the data exfiltration occurred before the patch could be applied.

According to the result of Delta Dental of California's investigation on July 6, 2023, the information of Sharp Health Plan members was accessed and extracted from the MOVEit Transfer solution without permission. Delta Dental of California immediately engaged third-party specialists in computer forensics, analytics, and data mining to identify the breached data and the clients it was connected to. The specialists finished the investigation on Nov. 27, 2023 and gave Delta Dental of California the data needed to inform the affected clients. Notifications to the clients began in mid-December. The compromised Sharp Health Plan information only included the members’ first and last names, dental provider names, medical insurance, treatment cost data, and Social Security numbers. Delta Dental of California and its affiliates are directly notifying the impacted individuals.

Sharp Health Plan has likewise reported a privacy breach that happened on December 26, 2023 at its mailing vendor. Sharp Health Plan stated there was a system error in the mailing vendor’s software resulting in the sending of letters to 8,200 Sharp Health Plan members without printing the recipients’ names on the envelopes. The letters were mailed to the right addresses, but without the recipient’s name on the envelopes, the letters were opened by other household members. The letters contained the name of the intended recipient, address, name of behavioral health provider, and the confirmation of the member’s visit to Sharp Health Plan in 2023.

Rebekah Children’s Services Cyberattack in September 2023

Rebekah Children’s Services, based in Gilroy, CA, discovered suspicious activity on its system on September 5, 2023, and called in a third-party forensics company to investigate and determine the nature of the cyberattack. According to the forensic investigation, the hackers acquired access to sections of the system where PHI was kept. The file analysis revealed the potential theft of names, addresses, Social Security numbers, birth dates, health data, medical insurance details, treatment data, prescription drugs, and driver’s license numbers. Security measures have been improved, and the 2,805 impacted persons were informed and provided free single-bureau credit monitoring services.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of the HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone