Reported Data Breaches by Prime Healthcare, American Vision Partners, Colorado Department of Health Care Policy & Financing, and Lexington Medical Center

by

2.35M Individuals Impacted by American Vision Partners Breach

Medical Management Resource Group, LLC (MMRG), also known as American Vision Partners, has affirmed in a breach notification letter sent to the HHS’ Office for Civil Rights that the protected health information (PHI) of 2,350,236 persons was exposed in a hacking incident. MMRG discovered unauthorized activity in its system on November 14, 2023, and took instantaneous action to limit the threat. A third-party cybersecurity company investigated the breach to find out the nature and extent of the unauthorized activity, and on or approximately December 6, 2023, MMRG stated that there was unauthorized access to its network, and the taking away of records made up of patient data.

Those files comprised data like names, contact details, dates of birth, medical details such as the services gotten, medical files, and prescription drugs, and for some individuals, Social Security numbers and health insurance data. MMRG is working on informing the affected persons and has provided no-cost credit monitoring and identity protection services to the impacted people.

Data Breach at Business Associate Affects Prime Healthcare Worker Health Plan Members

Prime Healthcare has lately announced the compromise of the PHI of 101,135 persons in a cyberattack on Keenan & Associates, its business associate, and the manager of its worker benefit health plan. Keenan & Associates noticed the breach at the end of August 2023 and explained that an unauthorized third party accessed its system between August 21, 2023, and August 27, 2023.

Keenan & Associates advised Prime Healthcare concerning the breach in December 2023. The breached information includes names, birth dates, passport numbers, Social Security numbers, driver’s license numbers, medical insurance data, and health details, like diagnosis and treatment data. Keenan & Associates is giving the affected people complimentary credit monitoring and identity theft protection services for 2 years.

Welfare Benefits Plan Data Exposed at AGC Flat Glass North America

AGC Flat Glass North America, Inc. just reported a hacking incident that upset its manufacturing and deliveries. The cyberattack was discovered on December 15, 2023, and is still under inspection; nevertheless, it has been affirmed that the hackers obtained access to sections of its system comprising the records of members of its Welfare Benefits Plan from December 12, 2023to December 17, 2023.

The exposed information includes names, Driver’s license numbers, passport Numbers, Social Security numbers, financial account details, and health insurance plan enrollment data. The breach report was sent to the Maine Attorney General indicating that 20,415 individuals were impacted, with the HHS’ Office for Civil Rights breach report validating that the PHI of 13,079 Welfare Benefits Plan members was breached.

Colorado Department of Health Care Policy & Financing Confirms Affected by MOVEit Hack

The Colorado Department of Health Care Policy & Financing has sent the latest breach notice to the Maine Attorney General stating the exposure of the sensitive information of 4,662,668 persons because of the Clop hacking group’s taking advantage of a vulnerability present in MOVEit Transfer solution of Progress Software in May 2023. MOVEit was employed by its business associate, IBM, for transmitting files. Progress Software released a patch to correct the vulnerability on May 31, 2023; but, the vulnerability exploitation already occurred.

The Colorado Department of Health Care Policy & Financing looked into the breach to find out what data was affected and has affirmed that the PHI of Health First Colorado and CHP+ members was impacted, together with the information of applicants, providers, provider and member-affiliated individuals, and people who may give supplemental protection to Health First Colorado and CHP+ members. The exposed information involved full names, Social Security numbers, and insurance policy identifiers.

Past notifications were given by the Colorado Department of Health Care Policy & Financing on August 11, 2023, and October 3, 2023, with the newest batch of notices sent on February 19, 2024, to even more persons whose data was affirmed on January 17, 2024, as being affected. The affected persons were given free credit monitoring and identity theft protection services.

April 2023 Ransomware Attack Affirmed by Aspen Dental

Dental service organization Aspen Dental Management based in Chicago, IL has announced suffering a ransomware attack on April 25, 2023. The attackers likely viewed and extracted files containing the sensitive patient information. The exposed data includes names, Social Security numbers, dates of birth, state ID/driver’s license details, medical and insurance details, banking data, and biometric information.

There was no evidence identified that signifies the misuse of any patient details; nonetheless, as a safety measure, folks whose Social Security numbers were impacted were provided complimentary credit monitoring services. Aspen Dental Management offers administrative and business support assistance to Aspen Dental-branded practices and facilitates over 1,000 clinics in America. Though the breach is confirmed, the number of impacted individuals is at this time unclear.

Lexington Medical Center Experiences Email Account Breach

Lexington Medical Center based in South Carolina has encountered a compromise of the email account and data drive of a staff. Suspicious activity was noticed in the email account and the forensic investigation established that an unauthorized person accessed the account initially on October 4, 2023. On January 18, 2024, Lexington Medical Center reported that the email account and data drive included a small number of files that contained patients’ PHI.

The data in those files contained complete names, birth dates, health record numbers, medical insurance ID numbers, patient charge descriptor details, billing codes, and for a few individuals, Social Security numbers. There was no proof received that suggested actual or attempted improper use of the affected records. Notification letters were sent by mail to the affected people on February 12, 2024, and the people whose Social Security numbers were compromised were given free credit monitoring services.

The incident report is not yet published on the HHS’ Office for Civil Rights breach website, and the number of impacted persons remains uncertain.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. Follow on Twitter: You can follow Elizabeth on twitter at https://twitter.com/ElizabethHzone