Henderson & Walton Women’s Center (HWWC), based in Birmingham, AL, recently notified 34,306 patients that some of their protected health information (PHI) may have been compromised after a hacker gained access to an employee’s email account. HWWC stated that the forensic investigation into the data breach found that the attacker did not access the email server and that only one employee email account was affected.
HWWC did not say when the email account was compromised, but stated that notification letters were delayed by the lengthy process of reviewing every email message in the account to determine the types of data and the individuals affected. That process finished on June 24, 2022.
HWWC stated that it had applied encryption to all external email messages; however, the forensic investigation found that stored email messages might have been accessed. Those email messages contained patient data such as names, birth dates, Social Security numbers, health data, medical insurance details, state ID numbers, and driver’s license numbers. The exposed data varied from individual to individual.
All affected persons received notification letters in August. As a preventative measure against identity theft and fraud, free credit monitoring service memberships were provided for one year. HWWC also took steps to enhance the security of its email system, such as introducing a new process that automatically deletes emails containing PHI after 3 days, and implementing a system that will not allow any personal data to be shared through email.
Cyberattack and Data Breach at Genesis Health Care
Genesis Health Care Inc., a nonprofit Federally Qualified Health Center based in Columbia, SC, recently notified the Montana Attorney General of a cyberattack that was discovered on April 11, 2022.
The discovery of suspicious activity in selected IT systems prompted an extensive investigation. Third-party digital forensics experts helped determine the nature and extent of the incident and restore the functions of its systems. On June 9, 2022, the investigation confirmed that files may have been accessed or extracted from its systems between January 19, 2022 and April 11, 2022. A programmatic and manual audit of the affected files confirmed on July 13, 2022 the patient data they contained.
According to the substitute breach notice posted on the Genesis Health Care website, these types of data were exposed in the breach: names, driver’s license numbers, Social Security numbers, passport numbers, payment card details, financial account data, employer ID number, medical insurance data, username and password, PIN, or account sign-in details, birth date, and medical data, which includes billing or claims details, diagnosis, Medicare/Medicaid details, doctor details, medical record number, prescription drug details, and treatment details.
Genesis Health Care said it is reviewing its guidelines and procedures and will assess additional safety measures to prevent similar breaches in the future.
The breach is not yet posted on the HHS’ Office for Civil Rights breach website, so it is currently unclear how many persons were affected.