Data Breach Reports by American Healthcare Systems, Rutgers Robert Wood Johnson Medical School and Cherry Health Services

Apr 18, 2024

American Healthcare Systems and Rutgers Robert Wood Johnson Medical School have identified email incidents involving the unauthorized access/disclosure of patient information, while Cherry Health Services suffered a ransomware attack.

Email Security Incident at Randolph Health

American Healthcare Systems LLC, also known as Randolph Health in North Carolina, discovered a breached staff email account on February 14, 2024. The email account was quickly secured to stop unauthorized access. Third-party cybersecurity specialists were engaged to investigate the incident. The investigation revealed that the breach was restricted to one email account, and analysis of the account showed that files included the protected health information (PHI) of 899 individuals.

The compromised information included complete names, birth dates, medical record numbers, medical insurance ID numbers, and diagnosis codes. Randolph Health said it was not possible to say with certainty whether the files were viewed or stolen, so notification letters were mailed to all potentially affected patients. Randolph Health said it is committed to maintaining the confidentiality of its patients' personal data, has taken action to enhance security, and will review its security practices, which may include HIPAA training requirements.

Rutgers Robert Wood Johnson Medical School Email Account Breach

Rutgers Robert Wood Johnson Medical School, located in New Brunswick, NJ, has discovered an email incident that affected the PHI of 543 individuals. On February 1, 2024, the medical school learned that an ex-employee had copied patient information from their work email account to a personal email account. Several files were emailed, including spreadsheets with patient information such as patient names, treatment data, medicine data, and medical record numbers. The data was transmitted to the personal email account on January 19, 2024.

The affected individuals were notified by mail on April 1, 2024, and the incident was reported to authorities for investigation and appropriate action. The affected individuals were advised to review the statements they receive from their healthcare providers and medical insurance plans for any services they did not receive. If they see anything of that kind, they should report it to the appropriate service provider or health plan.

Cherry Health Services Experiences Ransomware Attack Impacting 184,000 Patients

Cherry Street Services, Inc., operating as Cherry Health Services, suffered a ransomware attack in December 2023. Cherry Health is the largest federally qualified health center (FQHC) in Grand Rapids, MI. It manages 20 healthcare facilities in six counties in Michigan and offers healthcare services to underserved communities, regardless of insurance status or ability to pay for medical care.

The healthcare company said it encountered network issues on December 21, 2024, that prevented access to parts of its computer network. Third-party cybersecurity professionals investigated the incident and confirmed that unauthorized persons had accessed some files on its system. The review of the affected files was finished on March 25, 2024. The results confirmed that the attack resulted in the breach of PHI, including names, addresses, telephone numbers, birth dates, medical insurance data, patient ID numbers, health insurance ID numbers, provider names, service dates, diagnosis/treatment details, prescription details, Social Security numbers and/or financial account data. The types of data compromised differed from person to person.

Although healthcare information was possibly stolen during the attack, Cherry Health stated it is not aware of any cases of actual or attempted misuse of patient data. Nevertheless, as a precautionary measure, the affected individuals were offered a year of free credit monitoring services, which include dark web monitoring for the posting or sale of sensitive personal data, identity theft insurance coverage worth $1 million, and identity theft recovery services. Cherry Street said it has begun taking action to enhance its technical safeguards to prevent similar incidents in the future. The incident report submitted to the Maine Attorney General indicates that 184,372 people were affected.


Ryan Coyne

Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan's professional focus is using his in-depth expertise and leading a world class team of subject matter experts at ComplianceJunction in regulatory compliance to help organisations navigate the complex landscape of ensuring staff adhere to healthcare regulations.
