July 10, 2023
There were recent reports of healthcare security breaches within the IT systems of Active Healthcare, Community Research Foundation, and Henrietta Johnson Medical Center. Suspicious activities were detected from unauthorized third parties who allegedly hacked patient information affecting thousands of individuals.
Following the HIPAA-related complaints, the Office for Civil Rights (OCR), a component of the U.S. Department of Health and Human Services, immediately conducted an investigation to find the cause and impact of the said cybersecurity incidents.
Table of Contents
Activate Healthcare Security Breach: Patient Data Theft and Precautionary Measures
Activate Healthcare, an Illinois-based healthcare provider of holistic and primary care services, filed a notice of data security breach with the Attorney General of Montana after suffering a patient data theft within its network on April 27, 2023. According to an article posted in JD Supra, the healthcare provider immediately began working with third-party data security specialists to conduct a forensic investigation confirming the unauthorized access between April 22, 2023, and April 28, 2023.
As for the extracted files, it is worth noting that they included valuable patient information, including names, birthdates, addresses, Social Security numbers, and driver’s license numbers. It also came with confidential clinical data such as provider names, dates of service, and diagnoses. Around 93,761 patients were affected by the said data breach.
Data breaches like these pose a serious concern to healthcare organizations, putting at risk a significant amount of sensitive healthcare data. They illustrate the vulnerabilities that many institutions within the healthcare industry are currently dealing with when it comes to protecting their patients’ data.
As a precaution, Activate Healthcare provided complimentary credit monitoring and identity protection services to the patients. The Illinois-based healthcare provider also notified the patients who were affected by the data breach incident. They also urged them to be extra careful and report any suspicious activity should they encounter one.
While they continue to strengthen their data security measures, Activate Healthcare might also consider moving away from potentially vulnerable systems. For instance, replacing a traditional fax machine with a cloud-based fax service can add an extra layer of security.
In its statement, as quoted on teiss, the holistic healthcare provider mentioned that it “remains committed to protecting the confidentiality and security of patient information.” Activate Healthcare also added that it will continue to take steps to enhance the security of its computer systems and the data it maintains.
Community Research Foundation Data Breach: Sensitive Health Data Access Incident
Community Research Foundation (CRF), a nonprofit mental health research foundation in California, recently announced a data breach incident affecting up to 30,057 individuals. CFR started identifying a data security breach within its systems on October 13, 2022. Since then, third-party cybersecurity experts have been working closely to investigate the matter. However, they only confirmed the unauthorized access to the foundation’s sensitive health records last year.
The investigation concluded on April 19, 2023, when CFR found the PHI of patients under medical and social service programs was affected. Aside from names, the extracted information included birthdates, Social Security numbers, driver’s license numbers, medical treatment records, diagnoses, and health insurance details.
This breach is one in a worrying trend of healthcare data breaches which are causing considerable harm to patients and significant reputational damage to healthcare providers. The fallout from these incidents often includes regulatory penalties and the costs associated with remediation efforts.
On June 20, 2023, the CFR filed a breach notice to the HHS Office for Civil Rights regarding the recent hacking incident. Despite confirming the data breach, the foundation provided little information about it. There was also no mention of when the unauthorized access took place.
It is important that CRF consider the implementation of a reliable fax provider to secure the transmission of confidential data. The traditional modes of data transmission, like emails, are no longer safe, especially when dealing with sensitive health data. A credible fax service can ensure that every fax document sent or received is encrypted and protected.
The CFR also delayed issuing notification letters. According to them, they needed to verify the contact information first, which could include fax numbers as well. It was also unclear whether these individuals would get free credit monitoring services.
Henrietta Johnson Medical Center Data Breach: Security Incident at Delaware Health Network
The Henrietta Johnson Medical Center (HJMC) in Wilmington, Delaware, suffered a data breach within its EHR management provider, Delaware Health Network (DHN).
On June 27, 2023, HJMC filed a security breach notice notifying 500 affected individuals. According to the report, unauthorized third-party actors gained access to DHN systems and copied files on April 5, 2023.
After the forensic investigation, HJMC and DHN identified some information that may have been exposed. These included names, birthdates, ethnicities, medical record numbers, diagnosis codes, lab information, and health insurance information.
Fortunately, there were no records of Social Security numbers and financial account details being stolen. In a statement, the Henrietta Johnson Medical Center said they will continue to review their privacy policies and security procedures to prevent the same incident from happening.
To further fortify their data protection, HJMC should consider implementing secure faxing solutions in their communication processes. In the healthcare sector, the transmission of sensitive data is a routine activity. Deploying robust faxing solutions can greatly help in ensuring data security by providing end-to-end encryption and complying with healthcare-specific regulations such as HIPAA.
The Alarming Prevalence of Healthcare Security Breaches in Hospitals and Medical Providers
The Active Healthcare, Community Research Foundation, and Henrietta Johnson Medical Center data breaches serve as a wake-up call for healthcare providers to prioritize implementing cybersecurity measures to ensure secure patient data access.
Thousands of PHI have been exposed. Add to that the significant financial losses and other ethical implications. It should also be noted that hacking incidents for the purpose of information disclosure are among the most common forms of data breaches in the healthcare industry. Thus, maintaining robust security measures and privacy procedures is of absolute necessity. It helps prevent cybercriminals from gaining unauthorized patient data access to PHI for malicious purposes such as identity theft and medical fraud.