And as this work week drew to a close, we also learned about these breaches involving patient data that were reported to HHS earlier this month:
Dialyze Direct, LLC in New Jersey notified HHS that 14,203 patients were impacted by an incident they coded as a hacking/IT incident involving email. There is no statement on the provider’s website at this time.
New Jersey Brain and Spine notified HHS that 92,453 patients were impacted by an incident. A notice on their website describes the incident as a ransomware attack they discovered on November 16, 2021. As of their March 10 notice, they were still trying to determine who needed to be notified and individual letters had not yet gone out. The types of patient information involved included: individual names, addresses, dates of birth, email addresses, telephone numbers, social security numbers, financial account information, debit or credit card information, driver’s license numbers or other ID numbers, and medical information.
Horizon Actuarial Services, LLC (“Horizon Actuarial”), a business associate in Georgia, notified HHS that 39,418 patients were impacted by what they described as a hacking/IT incident. A statement on their website explains that threat actors contacted them on November 12 about an attack on November 10 and 11 that impacted plan members and families of two clients:
- Local 295 IBT Employer Group Welfare Fund
- Major League Baseball Players Benefit Plan
Horizon forthrightly acknowledged that they paid the ransom demand:
During the course of the investigation, Horizon Actuarial negotiated with and paid the group in exchange for an agreement that they would delete and not distribute or otherwise misuse the stolen information.
They do not reveal who the threat actors were.
Update: Clinic of North Texas LLP notified the California AG’s office today about an October 4, 2021 breach that they discovered on Nov. 9.
And I am still trying to get a response from Highmark Inc. that explains the breach they reported to HHS this month as impacting 67,147 members.