QRS
On August 26, healthcare technology services company QRS, Inc. (“QRS”) discovered that an attacker had compromised a patient portal and exfiltrated some files from that client’s server. The compromise had been detected within three days of the attack. The information the threat actor may have accessed or acquired may have included, depending on the individual, their name, address, date of birth, Social Security number, patient identification number, portal username, and/or medical treatment or diagnosis information. This attack did not involve any other QRS systems or the systems of any of QRS’s clients.
Read more from the QRS notification. This incident was reported to HHS as impacting 319,788 patients.
Updated Nov. 30: Snatch ransomware threat actors claimed QRS on their dedicated leak site. Also, Gregory Brewer, MD PLLC reported the incident as impacting 6,027 of their patients. It is not clear whether their number was included in QRS’s report to HHS.
New York Psychotherapy and Counseling Center
On September 11, The New York Psychotherapy and Counseling Center (NYPCC) discovered that a computer server in their offices had been accessed by an unauthorized third-party. The impacted server contained internal reports and files which may have contained some of patients’ protected health information, including name, dates of service, address, Medicaid ID and date of birth.
Baywood Medical Associates, PLC dba Desert Pain Institute
Read more from the DPI notification. This incident was reported as impacting 45,262 patients.