DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Technology vendor, mental health services provider, and pain management clinic all report breaches involving protected health information

Posted on November 5, 2021 by Dissent

QRS

On August 26, healthcare technology services company QRS, Inc. (“QRS”)  discovered that an attacker had compromised a patient portal and exfiltrated some files from that client’s server.  The compromise had been detected within three days of the attack. The information the threat actor may have accessed or acquired may have included, depending on the individual, their name, address, date of birth, Social Security number, patient identification number, portal username, and/or medical treatment or diagnosis information. This attack did not involve any other QRS systems or the systems of any of QRS’s clients.

Read more from the QRS notification. This incident was reported to HHS as impacting 319,788 patients.

Updated Nov. 30:  Snatch ransomware threat actors claimed QRS on their dedicated leak site. Also, Gregory Brewer, MD PLLC reported the incident as impacting 6,027 of their patients. It is not clear whether their number was included in QRS’s report to HHS.

New York Psychotherapy and Counseling Center

On September 11, The New York Psychotherapy and Counseling Center (NYPCC) discovered that a computer server in their offices had been accessed by an unauthorized third-party.  The impacted server contained internal reports and files which may have contained some of patients’ protected health information, including name, dates of service, address, Medicaid ID and date of birth.

NYPCC will be sending out letters to those impacted, so if you were a patient of theirs, keep an eye out for any mail.
Read more from the NYPCC notification.  Although reported to HHS, this has not shown up on their breach tool yet.

Baywood Medical Associates, PLC dba Desert Pain Institute

Desert Pain Institute in Arizona also disclosed a breach this week. DPI reports that on September 13, they detected unauthorized access that investigation subsequently revealed began July 3.  DPI does not provide further details about what kind of network security incident this was, but reports that various types of protected health information may have been exposed:  full name, address, date of birth, Social Security number, tax identification number, driver’s license/state-issued identification card number, military identification number, financial account number, medical information, and health insurance policy number. The type of information varied by person.

Read more from the DPI notification.  This incident was reported as impacting 45,262 patients.

Related posts:

  • QRS Data Breach Exposed Psych Care Consultants Patient Information – Class Action Allegations
  • U.S. medical entities fall prey to Pysa threat actors, but many haven’t disclosed it – at least, not yet.
Category: HackHealth Data

Post navigation

← US Defense Contractor Discloses Data Breach
Update on impact of the Washington Central Unified Union School District ransomware attack →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Horizon Healthcare RCM discloses ransomware attack in December
  • Disgruntled IT Worker Jailed for Cyber Attack, Huddersfield
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Texas Centers for Infectious Disease Associates Notifies Individuals of Data Breach in 2024
  • Battlefords Union Hospitals notifies patients of employee snooping in their records
  • Alert: Scattered Spider has added North American airline and transportation organizations to their target list
  • Northern Light Health patients affected by security incident at Compumedics; 10 healthcare entities affected
  • Privacy commissioner reviewing reported Ontario Health atHome data breach
  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Supreme Court Decision on Age Verification Tramples Free Speech and Undermines Privacy
  • New Jersey Issues Draft Privacy Regulations: The New
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.