July 24, 2023
Kannact Inc., a home care service based in Albany, reported a major data breach that took place on March 13, 2023, and affected over 103,000 individuals. The unauthorized access exposed a massive chunk of confidential and sensitive patient information.
Similarly, Vincera Institute, a Philadelphia-based orthopedic clinic, confirmed a ransomware attack affecting around 25,000 individuals on April 29, 2023. Like Kannact Inc., Vincera Institute hired third-party cybersecurity specialists to investigate the incident.
Recent News Headlines
Kannact Inc. Cyberattack
A digital healthcare company specializing in remote patient monitoring and chronic care management recently sent a data security incident notice to the Office for Civil Rights (OCR). The announcement also states that the investigation is ongoing, and while it remains unconfirmed, unauthorized actors may have gained access to sensitive information. The digital health company is also working on identifying all the individuals affected to provide sufficient notice about the cyber incident.
Unauthorized access detected
Kannact Inc. said there was unauthorized access to its computer network in March 2023. Even though the severity of the breach was not yet clearly identified, the potentially compromised information included names, birth dates, phone numbers, health plan records, medical diagnoses, treatment information, ID numbers, and more.
Investigation findings and patient data exposure
After discovering the data breach, Kannact Inc. immediately sought help from a specialized cybersecurity firm to conduct a risk assessment. According to the investigation findings on the Kannact Inc. cyberattack, around 103,547 individuals were affected by the data breach. Moreover, the unauthorized access revealed vulnerabilities in the company’s third-party managed file transfer software. As a result, the incident exposed massive amounts of confidential patient information, including Social Security and driver’s license numbers.
Measures taken and services offered
In response, Kannact Inc. immediately ceased using the third-party managed file transfer software and deactivated all its related API keys. To prevent further damage, the digital health company took several security measures to mitigate the breach’s impact. The company also promised to enhance its patient data ingestion process and offered complimentary credit monitoring and identity theft protection services to affected individuals.
Report to the HHS Office for Civil Rights (OCR)
Immediately after detecting the incident, Kannact Inc. filed a breach report to the US Department of Health & Human Services (HHS). Under the HIPAA Breach Notification Rule, covered entities and their business associates must notify the OCR after discovering unauthorized access to PHI.
“Kannact is committed to ensuring the privacy and security of all personal information in our care,” the company said in a statement. “Since the discovery of the Incident, Kannact has taken and will continue to take steps to mitigate the risk of future issues,” they reiterated.
Vincera Institute Ransomware Attack
On April 29, 2023, Vincera Institute fell victim to cyberattackers, who compromised a massive amount of confidential patient information. The ransomware attack targeted the company’s IT network, and the hackers accessed even encrypted files. However, the cyber investigators did not receive any reports pertaining to patient information misuse.
Confirmation of the attack
After discovering the ransomware attack, Vincera Institute sent out data breach letters to all affected individuals on June 20, 2023. The company filed the data breach on the HHS-OCR data breach portal under four entity names: Vincera Imaging, LLC, Vincera Rehab, LLC, Vincera Surgery, LLC, and Core Performance Physicians d/b/a Vincera Core Physicians.
Response and investigation
In a press release, Vincera Institute said they started further investigating the data breach. According to the evaluation, the threat actors behind the ransomware attack accessed parts of the company’s network containing relevant patient information.
Potential sensitive patient information accessed
In the ransomware attack on Vincera Institute’s network, sensitive patient personal information was exfiltrated, such as names, phone numbers, addresses, emails, birth dates, medical histories, treatment records, insurance information, and Social Security numbers.
Security enhancements and monitoring
In response, Vincera Institute implemented security enhancements to prevent future unauthorized access to its network. The company also improved its monitoring processes and security safeguards to protect PHI.
Breach reports to HHS OCR
Following the hacking incident, Vincera Institute filed a data breach notice to the HHS Office for Civil Rights (OCR) on June 20, 2023. The incident announcement covered four breach reports: 5,000 affected individuals from Vincera Imaging LLC, and the same number each from Vincera Surgery Center and Vincera Rehab LLC. Meanwhile, around 10,000 individual records from Vincera Core Physicians were affected.
All in all, the hacking incident affected 25,000 individuals from Vincera Institute’s various healthcare departments.