June 26, 2023
An unauthorized third party gained access to thousands of medical records at Mercy Medical Center in Clinton, Iowa. The security breach occurred between March 7 and April 4, 2023, and affected at least 20,865 patients.
The breach prevented individuals from accessing their personal records in the hospital’s healthcare systems. The investigation confirmed that a large amount of confidential information was compromised, including names, addresses, birth dates, Social Security numbers, financial account numbers, driver’s license numbers, Medicare or Medicaid identification numbers, billing or claims information, and other health insurance information.
News Highlights
Mercy Medical Center – Clinton: Patient Data Breach and Loss
Although a significant amount of data that had been restored from backups was lost, Mercy Medical Center did not specifically acknowledge the presence of ransomware. Also, despite the ongoing efforts to restore the network, the severe effects of the data loss remain. The Clinton-based hospital further claims that it has already hired third-party forensic specialists to investigate the problem.
While patient care remains business as usual, various types of PHI were exposed during the cybersecurity incident. Mercy Medical Center is currently implementing robust privacy and security measures to prevent similar attacks in the future.
Pioneer Valley Ophthalmic Consultants: Business Associate Data Breaches
In 2021, a malware attack occurred at Pioneer Valley Ophthalmic Consultants (PVOC) in Holyoke, Massachusetts. However, it was only on March 3, 2022, a year after the first incident occurred, that PVOC discovered hackers had been illegally accessing its systems. Around 36,275 patients lost some of their PHI from Alta Medical Management and ECL Group, third-party billing and accounting vendors.
The breach notice dated May 22, 2023, reiterated that these cybersecurity incidents started in 2021. But it was only in March 2022 that PVOC discovered the breach incident that occurred back in November 2021. Moreover, the investigation revealed that Alta’s online patient portal was vulnerable to unauthorized access to payment receipts until October 26, 2021.
The patient data breaches exposed valuable information, including names, addresses, transaction dates, ID numbers, payment cards, and other vital details embedded in the medical records. In response, PVOC offered complimentary credit monitoring services to the affected individuals. It also implemented additional security measures and hired new personnel to monitor the situation.
Topcon Healthcare Solutions: Breach of Protected Health Information
On February 5, 2023, Topcon Healthcare Solutions reported to the Maine Attorney General a security breach in which thousands of documents were compromised. Afterward, a forensic investigation confirmed that a hacking incident occurred between January 7 and February 5, 2023.
Topcon Healthcare Solutions released a breach notification on May 22, 2023, stating that further investigation was underway. The cybersecurity incident affected approximately 4,209 individuals. All of them received a notification letter immediately after the breach.
Canopy Children’s Solutions: Ransomware Attack and Ongoing Investigation
In April 2023, Canopy Children’s Solutions, including Mississippi Children’s Home Society, CARES Center Inc, and Mississippi Children’s Home Services Inc., suffered a devastating ransomware attack on their electronic healthcare systems. Third-party forensics experts are now looking into the nature and scope of the incident.
After the initial investigation, Canopy Children’s Solutions released a breach notice dated June 2, 2023. According to the officials, they are still investigating the matter to determine how many individuals were affected. Furthermore, they will be sending notification letters to the potential victims once they complete the investigation.
Meanwhile, the Nokoyawa threat group claimed responsibility for the incident. They immediately listed Canopy Children’s Solutions on their data leak site, claiming to have exfiltrated around 150 GB of files.
Reports of Data Breaches Continue to Rise
In the past two years, statistics have shown an alarming increase in cybersecurity attacks involving electronic healthcare systems. According to the 2021 annual report of the U.S. Department of Health and Human Services Office for Civil Rights (OCR), HIPAA-related complaints increased by 39%, which affected 5% of more than 500 individuals.
The most common cause of data breaches was the hacking of network servers and electronic equipment. Breaches could also originate from improper disposal of PHI, loss of paper records, and unauthorized access or disclosure of patient-related data.
With the alarming increase in data breaches, OCR reminds healthcare providers to remain vigilant and compliant with HIPAA privacy and security regulations. As such, securing the patient’s consent and written authorization is fundamental before distributing or disclosing protected health information. Investing in technologies that can help safeguard confidential medical data, such as encryption and firewalls, is also crucial.