23,451 Individuals Affected by Pembina County Memorial Hospital Data Breach
Pembina County Memorial Hospital based in Cavalier, ND, has lately reported that unauthorized persons acquired access to its system and extracted sensitive patient information. It detected suspicious activity inside its system on April 13, 2023. Upon securing its network, the hospital launched a forensic investigation to find out the nature and extent of the unauthorized access. Based on the investigation, there was unauthorized access to its system from March 7, 2023, to April 13, 2023. The attacker exfiltrated files from the system.
As per the hospital breach notice, the one-year forensic investigation and file review were completed on March 4, 2024. The types of data affected differed from person to person and might have contained first and last names along with at least one of these data: address, email address, telephone number, birth date, driver’s license number, passport number, vehicle ID number, government ID number, Social Security number, medical data, patient ID account number, health information and/or medical insurance data.
Pembina County Memorial Hospital stated it has applied extra cybersecurity measures, improved its cybersecurity training, and edited and upgraded its guidelines, procedures, and practices. Free identity monitoring and protection services were provided to people who had their Social Security numbers affected. The breach is not yet posted on the HHS’ Office for Civil Rights breach website, however, the notification received by the Maine Attorney General shows that 23,451 people were impacted.
Massachusetts Department of Developmental Services Reports PHI Compromise
The Massachusetts Department of Developmental Services (DDS) is a state bureau that supports people with developmental and intellectual disabilities across the state. It discovered an exposure of its physical documents and was accessed by unauthorized persons.
Personal records that contain PHI were unintentionally left in properties that were part of the ex-Walter E. Fernald Developmental Center campus located in Waltham, MA, which the city of Waltham purchased in 2014. The records included the PHI of people served by the DSS at the Fernald Developmental Center, and also several workers’ records. DDS received a complaint regarding the files on January 11, 2024, and went to the facilities to retrieve the docs the following day.
The files were incorrectly kept in the buildings since 2014 and many were degraded, therefore it was not possible to tell the precise types of information that were compromised. A few documents contained names, dates of birth, medical data, diagnoses, medicine/prescription details, and other treatment data. Financial account details or Social Security numbers were not seen, however DDS said it could not affirm whether those data types were exposed because of the condition of the records. In the same way, it may not be possible to know specifically the number of individuals that were affected. An interim figure of 500 people was utilized when submitting the breach report. DDS is now awaiting advice from the State Archivist and Secretary of State’s Office on the retention time of the documents.
Rancho Family Medical Group Data Breach Impacts 13,345 Individuals
Rancho Family Medical Group, Inc. is a health system in California with 10 locations. It confirmed the impact of a data breach that occurred at KMJ Health Solutions, its business associate, which provides online systems for signout and charge capture.
On January 11, 2024, Rancho Family Medical Group received notification about the KMJ Health Solutions data breach on November 19, 2023. The exposed areas of the system stored the protected health information (PHI) of 10,480 persons, which include names, birth dates, hospital medical record numbers, procedure medical codes, dates of service, and hospital treatment areas. Rancho Family Medical Group sent the notifications via mail to the impacted persons on March 11, 2024, together with data concerning the steps that impacted persons need to take to safeguard themselves against data misuse.
Emergency Medical Services Authority Cyberattack and Patient Data Theft
The Emergency Medical Services Authority (EMSA) located in Oklahoma City, OK reported that it encountered a cyberattack that resulted in unauthorized persons gaining access to its system from February 10, 2024 to February 13, 2024. EMSA detected the attack on February 13, 2024, and shut down systems to avoid continuing unauthorized access. According to the forensic investigation, the attackers extracted files that contain patient information such as names, addresses, birth dates, dates of service, and, for certain persons, their Social Security number and/or the name of their primary care company.
EMSA started mailing the notification letters to the impacted persons, though EMSA has not publicly confirmed the number of individuals affected. Free credit monitoring and identity theft protection services were provided to those whose Social Security numbers were exposed.