Technology vendor, mental health services provider, and pain management clinic all report breaches involving protected health information

QRS

On August 26, healthcare technology services company QRS, Inc. (“QRS”) discovered that an attacker had compromised a patient portal and exfiltrated some files from that client’s server. The compromise had been detected within three days of the attack. The information the threat actor may have accessed or acquired may have included, depending on the individual, their name, address, date of birth, Social Security number, patient identification number, portal username, and/or medical treatment or diagnosis information. This attack did not involve any other QRS systems or the systems of any of QRS’s clients.

Read more from the QRS notification. This incident was reported to HHS as impacting 319,788 patients.

Updated Nov. 30: Snatch ransomware threat actors claimed QRS on their dedicated leak site. Also, Gregory Brewer, MD PLLC reported the incident as impacting 6,027 of their patients. It is not clear whether their number was included in QRS’s report to HHS.

New York Psychotherapy and Counseling Center

On September 11, The New York Psychotherapy and Counseling Center (NYPCC) discovered that a computer server in their offices had been accessed by an unauthorized third-party. The impacted server contained internal reports and files which may have contained some of patients’ protected health information, including name, dates of service, address, Medicaid ID and date of birth.

NYPCC will be sending out letters to those impacted, so if you were a patient of theirs, keep an eye out for any mail.

Read more from the NYPCC notification. Although reported to HHS, this has not shown up on their breach tool yet.

Baywood Medical Associates, PLC dba Desert Pain Institute

Desert Pain Institute in Arizona also disclosed a breach this week. DPI reports that on September 13, they detected unauthorized access that investigation subsequently revealed began July 3. DPI does not provide further details about what kind of network security incident this was, but reports that various types of protected health information may have been exposed: full name, address, date of birth, Social Security number, tax identification number, driver’s license/state-issued identification card number, military identification number, financial account number, medical information, and health insurance policy number. The type of information varied by person.

Read more from the DPI notification. This incident was reported as impacting 45,262 patients.