cyberattacks on Kannact and Vincera Institute

Cyberattacks Hit Kannact & Vincera Institute, Data Compromised

July 24, 2023

Kannact Inc., a home care service based in Albany, reported a major data breach affecting over 103,000 individuals, which took place on March 13, 2023. The unauthorized access exposed a massive chunk of confidential and sensitive patient information. 

Similarly, Vincera Institute, a Philadelphia-based orthopedic clinic, confirmed a ransomware attack affecting around 25,000 individuals on April 29, 2023. Like Kannact Inc., Vincera Institute hired third-party cybersecurity specialists to investigate the incident.

Cyberattacks Hit Kannact & Vincera Institute, Data Compromised

Kannact Inc. Cyberattack

A digital healthcare company specializing in remote patient monitoring and chronic care management recently sent a data security incident notice to the Office for Civil Rights (OCR). The announcement also states that the investigation is ongoing, and while it remains unconfirmed, unauthorized actors may have gained access to sensitive information. The digital health company is also working on identifying all the individuals affected to provide sufficient notice about the cyber incident.

Unauthorized access detected

Kannact Inc. said there was unauthorized access to its computer network last March 2023. Even though the severity of the breach was not yet clearly identified, some potentially compromised information included names, birth dates, phone numbers, health plan records, medical diagnoses, treatment information, ID numbers, and more.

Investigation findings and patient data exposure

After the data breach discovery, Kannact Inc. immediately sought help from a specialized cybersecurity firm to conduct a risk assessment. According to the investigation findings on the Kannact Inc cyberattack, around 103,547 individuals were affected by the data breach. Moreover, the unauthorized access revealed vulnerabilities in the company’s third-party managed file transfer software. As a result, the incident exposed massive amounts of confidential patient information, including Social Security and driver’s license numbers.

Read: The Importance of Risk-Based Assessments in HIPAA Compliance

Cyberattacks Hit Kannact & Vincera Institute, Data Compromised

Measures taken and services offered

In response, Kannact Inc. immediately ceased using third-party managed file transfer software and deactivated all its related API keys. To prevent further damage, the digital health company took several security measures to mitigate the breach’s impact. Additionally, the company also made a promise to enhance its patient data ingestion process. They even offered complimentary credit monitoring and identity theft protection services to affected individuals.

Report to the HHS Office for Civil Rights (OCR)

Immediately after detecting the incident, Kannact Inc. filed a breach report to the US Department of Health & Human Services (HHS). Under the HIPAA Breach Notification Rule, covered entities and their business associates must notify the OCR after discovering unauthorized access to PHI.

“Kannact is committed to ensuring the privacy and security of all personal information in our care,” the company said in a statement. “Since the discovery of the Incident, Kannact has taken and will continue to take steps to mitigate the risk of future issues,” they reiterated.

Cyberattacks Hit Kannact & Vincera Institute, Data Compromised

Vincera Institute Ransomware Attack

On April 29, 2023, Vincera Institute fell victim to cyberattackers and compromised a massive amount of confidential patient information. The ransomware attack targeted the company’s IT network, and even encrypted files were accessed by the hackers. However, the cyber investigators did not receive any reports pertaining to patient information misuse.

Confirmation of the attack

Upon discovering the ransomware attack, Vincera Institute sent out data breach letters to all affected individuals last June 20, 2023. Accordingly, the company filed the data breach on the HHS-OCR data breach portal under four entity names: Vincera Imaging, LLC, Vincera Rehab, LLC, Vincera Surgery, LLC, and Core Performance Physicians d/b/a Vincera Core Physicians.

Response and investigation

In a press release, Vincera Institute said they started further investigating the data breach. According to the evaluation, the threat actors behind the ransomware attack accessed parts of the company’s network containing relevant patient information.

Potential sensitive patient information accessed

The ransomware attack on Vincera Institute’s network exfiltrated sensitive patient personal information such as names, phone numbers, addresses, emails, birth dates, medical histories, treatment records, insurance information, and Social Security numbers.

Security enhancements and monitoring

In response, Vincera Institute took some security enhancements to prevent unauthorized access to its network from happening in the future. Moreover, the company also improved its monitoring processes and security safeguards to protect PHI.

Breach reports to HHS OCR

Following the hacking incident, Vincera Institute filed a data breach notice to the HHS Office for Civil Rights (OCR) on June 20, 2023. The incident announcement covered four breach reports, including 5,000 affected individuals from Vincera Imaging LLC, with the same number as Vincera Surgery Center and Vincera Rehab LLC. Meanwhile, around 10,000 individual records from Vincera Core Physicians were affected. 

All in all, the hacking incident affected 25,000 individuals from Vincera Institute’s various healthcare departments.

More great articles
who needs to be hipaa compliant
Who Needs to Be HIPAA Compliant?

Understanding who should and who needs to be HIPAA compliant is a must for any organization handling sensitive health information.

Read Story
privacy breach washington
Privacy Breach Fallout: Washington Hospital Slapped with $240,000 HIPAA Penalty for Unauthorized Access to Medical Records

A memorial hospital located in Washington faces a $240,000 monetary penalty after alleged privacy breach involving security guards.

Read Story
Building an Effective Compliance Program: Key Elements and Best Practices
Building an Effective Compliance Program: Key Elements and Best Practices

By knowing the key elements of a compliance program, organizations can demonstrate their commitment to following ethical and responsible practices.

Read Story
Subscribe to iFax Newsletter
Get great content to your inbox every week. No spam.

    Only great content, we don’t share your email with third parties.
    Arrow-up