Data Breaches at Bay Oral, Livanova and Santa Rosa Behavioral Healthcare Hospital

by

13,000 Patients Affected by the Wisconsin Dental Surgery Center Email Breach

Bay Oral Surgery & Implant Center (Bay Oral), a network of oral & maxillofacial dental surgery centers established in the Green Bay, Niagara and Marinette communities in Wisconsin, recently sent a data breach report to the HHS’ Office for Civil Rights (OCR) indicating that the protected health information (PHI) of 13,055 patients was involved.

On February 27, 2024, Bay Oral discovered suspicious activity in an employee’s email account. The account password was promptly modified to stop further unauthorized access. A third-party cybersecurity company investigated the incident. The forensic investigation revealed that an unauthorized individual had installed a program and acquired access to the email account of an employee on January 18, 2024.

The evaluation of the emails and file attachments showed that patients’ PHI was exposed. The types of information affected included names, addresses, dates of birth, email addresses, insurance card numbers, credit card numbers, banking account details, Social Security numbers, x-rays, patient health history forms, patient visit summaries, medical background questionnaires, and other types of patient health data that were shared via email. The investigation could not ascertain if the unauthorized person viewed or copied emails or file attachments in the account.

Besides quickly securing the email account, Bay Oral took a few other steps to avoid the same occurrences later. They include modifying IT businesses, implementing a 24/7 safety and monitoring solution, and applying new policies and procedures to make sure that patients’ PHI is not kept in email accounts.

Bay Oral stated it does not know of any reports of fraud or identity theft when notifications were sent. The impacted individuals have been advised to watch out for fraud and identity theft by routinely checking their credit reports, credit card statements, bank accounts, and other financial accounts for unauthorized activity.

Livanova Patient Data Theft During a Ransomware Attack in October 2023

Medical device company, Livanova headquartered in the UK, is a leader in developing cardiac surgery and neuromodulation devices. It encountered a ransomware attack that impaired parts of its IT network. Livanova identified the ransomware attack on November 19, 2023. Forensic investigation revealed that hackers accessed its system on October 26, 2023. The LockBit ransomware group professed to be behind the attack.

The impacted persons were instructed to keep track of their credit reports and statements of accounts and to watch out for unsolicited messages with personal data. Livnova has prepared free identity protection and credit monitoring services to be given to the impacted U.S. individuals. It is currently uncertain how many people were impacted. During the earnings call in February 2024, the company stated that it had sustained expenses of about $2.6 million in Q4 of 2023, because of the attack.

Cyberattack on Santa Rosa Behavioral Healthcare Hospital

Santa Rosa Behavioral Healthcare Hospital, which is under the Northern California Behavioral Health System (NCBHS), encountered a cyberattack that impaired parts of its IT network. The hospital identified the attack on January 28, 2024, and as per a third-party forensic investigation, an unauthorized third party viewed its system from January 27, 2024 to January 28, 2024. In that period, files made up of patient information were viewed or stolen

A review of the compromised files showed that these types of data were exposed or stolen: names, birth dates, medical record numbers, date of services, services received, treating doctor, and for certain patients, driver’s license numbers and/or Social Security numbers. Impacted patients were told to check the statements they get from their healthcare companies and medical insurance companies and report any services they have not received. People whose Social Security or driver’s license numbers were affected received free identity theft protection services. The hospital already sent the incident report to governing authorities but no information is listed on the Office for Civil Rights breach website yet. Therefore, the exact number of affected individuals is still uncertain

Elizabeth Hernandez

Elizabeth Hernandez is the editor of HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. Follow on Twitter: You can follow Elizabeth on twitter at https://twitter.com/ElizabethHzone