Recent Healthcare Data Breaches and Regulatory Actions in the United States
Multiple healthcare organizations across the United States have reported significant data breaches affecting the personal and protected health information of hundreds of thousands of patients and employees. Notable incidents include the compromise of NCH Corporation Employee Benefits Plan data via exploitation of a zero-day vulnerability in Oracle E-Business Suite, a ransomware attack on OrthopedicsNY resulting in a $500,000 fine by the New York Attorney General, and a major breach at Murfreesboro Medical Clinic & SurgiCenter attributed to the BianLian ransomware group. Other breaches involved unauthorized access to patient data at Fyzical Therapy & Balance Centers, exposure of client data through a law firm serving Goldman Sachs, and improper storage of thousands of medical records in a Memphis storage unit. Additionally, Health Share of Oregon and CareOregon notified members of unauthorized viewing of their information, though the exact nature of the incident remains unclear.
Regulatory responses have included state attorney general enforcement actions, such as the fine imposed on OrthopedicsNY for failing to implement adequate cybersecurity measures. Organizations affected by these breaches have taken steps such as patching vulnerabilities, enhancing security policies, notifying affected individuals, and offering credit monitoring services. The incidents highlight ongoing risks to healthcare data security from ransomware, insider threats, third-party exposures, and improper data handling, as well as the increasing role of state regulators in enforcing HIPAA compliance and data protection standards.
Related Entities
Vulnerabilities
Malware
Sources
2 more from sources like data breaches net
Related Stories
Multiple Healthcare Data Breaches and Regulatory Actions in the US
Several healthcare providers in the United States have recently disclosed significant data breaches resulting from cyberattacks, with patient and employee information being compromised. AllerVie Health, based in Texas, confirmed unauthorized access to its network, exposing sensitive data such as names, Social Security numbers, and insurance details, allegedly due to a ransomware attack by the Anubis group. The attackers claim to have stolen records of over 30,000 patients, and affected individuals have been offered credit monitoring and identity theft protection. In a separate incident, OrthopedicsNY, a healthcare provider in New York, suffered a breach in 2023 after attackers gained remote access using compromised credentials, leading to the exposure of data belonging to more than 650,000 patients and employees. The New York Attorney General secured a $500,000 penalty from OrthopedicsNY for failing to implement adequate security measures, and the provider is now required to enhance its data protection practices. Additionally, Singing River Health System in Mississippi reported a cyber incident that led to the temporary shutdown of its patient portal and internet access as a precaution. While the threat was reportedly mitigated, the investigation is ongoing to determine if patient records were accessed. These incidents highlight the ongoing risks faced by healthcare organizations from ransomware groups and other cybercriminals, as well as the increasing regulatory scrutiny and financial penalties for failing to protect sensitive health information. Impacted organizations are responding with offers of credit monitoring and reviews of their security policies, but the breaches underscore the need for robust cybersecurity measures in the healthcare sector.
2 months ago
Healthcare Sector Data Breaches and Regulatory Action on Health Data Privacy
Multiple healthcare organizations have reported significant data breaches involving unauthorized access to patient information. CareOregon and Health Share of Oregon notified patients of a breach where protected health information, including names, dates of birth, health plan details, and Medicaid/Medicare numbers, was accessed without authorization, raising concerns about potential insurance fraud. Canopy Health, a major New Zealand oncology provider, disclosed a cyberattack that resulted in unauthorized access to administrative systems and possible data exfiltration, with the incident being contained and legal action taken to prevent misuse of the compromised data. Additionally, a Manhattan plastic surgery practice suffered a cyberattack in which sensitive patient images and personal information were stolen and published online, with extortion attempts made directly to patients; this attack is linked to a series of similar incidents targeting plastic surgery practices. In parallel to these incidents, California authorities have taken regulatory action against Datamasters, a marketing firm found to be illegally selling health and personal data of millions of individuals without proper registration as a data broker. The company was fined and banned from selling Californians' personal information after it was discovered to have traded in sensitive data, including health conditions and demographic details, for targeted advertising. These events highlight ongoing risks to health data privacy from both cyberattacks and improper commercial data practices, as well as the increasing regulatory scrutiny and enforcement in this sector.
2 months agoHealthcare Data Breaches and Legal Responses in the United States
Multiple healthcare organizations in the United States have experienced significant data breaches involving the exposure of protected health information (PHI) and other sensitive personal data. In Albemarle County, Virginia, a ransomware attack compromised the PHI of members of its self-insured health plan, as well as data belonging to current and former government and public school employees, their dependents, and individuals who interacted with the county. The compromised information included names, Social Security numbers, health insurance details, and other identifiers. The county has concluded its investigation, notified affected individuals, and is offering complimentary credit monitoring and identity theft protection services. Separately, class action settlements have been reached with three healthcare providers—Hypertension Nephrology Associates, Asheville Arthritis and Osteoporosis Center, and Intermountain Planned Parenthood—following data breaches that exposed patient health and financial information. In one case, Hypertension Nephrology Associates agreed to a $625,000 settlement after a ransomware attack led to the theft of data from nearly 40,000 patients. The lawsuits alleged failures in security practices and delayed breach notifications, with affected individuals being offered credit monitoring services. These incidents highlight ongoing legal and regulatory consequences for healthcare organizations following data breaches involving PHI.
2 months ago