Healthcare provider CRG Lynwood, LLC based in Adrian, MI, which manages the Lynwood Manor skilled nursing and rehabilitation center, sent notification letters to 6,566 persons concerning the compromise of data due to a cyberattack that was discovered about three years ago on July 12, 2021.
The cyberattack happened at Lynwood Manor’s business associate. The company provided the following services to Lynwood Manor and other senior-assisted facilities: administrative services, staffing, backend operations, and system infrastructure. The investigation determined that the Lynwood Manor information was not affected, however, in September 2022, after 14 months, Lynwood Manor was informed that residents’ data was accessed. In November 2022, Lynwood Manor posted a substitute breach notice on its site, which mentioned that Lynwood Manor asked a data mining provider to determine the individuals and types of data impacted by the cyberattack.
The data mining procedure lasted until January 31, 2024. On February 1, 2024, a third-party vendor helped with the mailings. Lynwood Manor then verified patient data and mailing addresses. Lynwood sent the notifications to the impacted people on June 7, 2024. Lynwood Manor stated that the data mining procedure took a while considering the improvements in the types and format of the data examined, needing many stages of automated and manual evaluation.
The breached protected health information (PHI) included names, healthcare data, driver’s license numbers, and other ID card details. Lynwood Manor stated it is not aware of any real or attempted improper disposal of the information. The impacted persons were offered one year of free credit monitoring and identity theft protection services as a preventative measure. The company has already begun informing people about the incident and might be giving more updates when additional data is available. The business has also advised, at least, one state Attorney General so that to begin public can begin to protect itself.
Lynwood Maner stated it uses extra monitoring tools but will still assess and improve its systems security. The company has already began informing people of the incident and might be sending out additional services as further data comes up. The company has additionally informed, no less than, one state Attorney General in order for the public to begin protecting itself.