Select Health Network and Solara Medical Supplies disclosed data incidents caused by breaches of their employees' email accounts that lead to exposure of both personally identifiable information (PII) and protected health information (PHI).
In both cases, the number of individuals who had their information exposed was not disclosed, however current and former members, patients, and, in some cases, employees are known to be affected.
Select Health and Solara urge potentially affected individuals to remain vigilant against future identity theft or fraud incidents, as well as carefully review their account statements, credit reports, and explanation of benefits forms following these incidents.
Health network data exposed in breach
Select Health Network is an Indiana health network from St. Joseph and Marshall Counties, and collaboration between Saint Joseph Health System and 770 health care providers, including 619 specialists and 151 primary care physicians.
Select Health disclosed on November 13 that one of its employee's email accounts was accessed by a not yet known actor without authorization from May 22, 2019 to June 13, 2019.
Select Health discovered the intrusion after learning of suspicious activity on the email account—the date when the unusual activity was spotted was not disclosed—which prompted an investigation in collaboration with third-party forensic experts after immediately securing the account first.
While the investigation was not able to determine what emails and info were accessed in the incident, if any, after reviewing the data stored in the account.
However, Select Health was able to identify the affected individuals after going through the third-party audit's results received on October 1, 2019, and started contacting them with info about this breach incident on November 1, 2019.
The following types of information were present in the email account and accessible to the unknown actor, which may include: Name, Address, Date of Birth, Member ID Number, Treating/Referring Physician, Health Insurance Information, Medical History Information, Treatment Information, Treatment Cost Information, Health Insurance Policy Number, and Medical Record Number. For a limited number of individuals, Social Security number may have also been impacted.
"At this time, there is no evidence of any actual or attempted misuse of the information accessible within the email account," Select Health adds. "No financial account information was impacted as a result of this event."
"As an added precaution, we are also offering complimentary access to 12 months of credit monitoring services to those individuals who may have had their Social Security number impacted by this event," the notice says [PDF].
Select Health also recommends affected parties to immediately report any suspicious activity on their account statements and explanations of benefits to their insurance company, financial institution, or health care provider.
PII, PHI, and financial data breach
Solara Medical Supplies is the largest U.S. independent supplier of Insulin Pumps and Continuous Glucose Monitors (CGMs) according to its website.
The supplier found on June 28, 2019, that a number of its employees' Office 365 accounts were accessed without authorization between April 2, 2019, and June 20, 2019 after a series of phishing attacks.
Solara also discovered that "certain information present within the employee Office 365 accounts may have been accessed or acquired by an unknown actor at the time of the incident."
Solara was able to discover which were the individuals that had their information exposed in this incident after manually reviewing the compromised accounts with the help of a team of third-party forensic experts.
The personal information present in the accounts at the time of the incident varied by individual but may have included first and last names and one or more of the following data elements: name, address, date of birth, Social Security number, Employee Identification Number, medical information, health insurance information, financial information, credit / debit card information, driver's license / state ID, passport information, password / PIN or account login information, billing / claims information, and Medicare ID / Medicaid ID.
Potentially impacted individuals were notified by Solara after the investigation concluded and the provider also reset relevant account passwords in response to this security breach incident.
"In an abundance of caution, Solara is offering access to credit monitoring and identity protection services at no cost to impacted individuals," Solara's data breach notification says.
More US healthcare entities breached in November
Select Health Network and Solara Medical Supplies were not the only US entities from the healthcare sector that disclosed data incidents during November.
Earlier this month, Delta Dental of Arizona and InterMed disclosed security breaches November 8 and November 4, respectively, involving employee email accounts that led to various degrees of sensitive information being exposed.
Delta Dental of Arizona's investigation following the incident was able to determine "that the information present in the affected email account may include one or more of the following: name, address, date of birth, Social Security number, Member or Subscription identification number, driver's license number, government-issued identification number, state identification number, passport number, financial account information, credit and/or debit card information, dental/treatment information, dental insurance information, digital signature, and/or username and password."
InterMed found that the compromised email accounts "contained some patient information, which may have included patient names, dates of birth, health insurance information, and/or clinical information. Social Security numbers belonging to a very limited number of patients were also found in the accounts."
On November 1, The Brooklyn Hospital Center notified some of its patients that a ransomware attack disrupted the operation of certain hospital systems and led to the impossibility of recovering patient data encrypted in the incident.
BleepingComputer reached out to all healthcare entities mentioned in this article for comment but only heard back from Delta Dental of Arizona until the time of this publication. This article will be updated when responses are received from the others.
Post a Comment Community Rules
You need to login in order to post a comment
Not a member yet? Register Now