Bits ‘n pieces, Saturday edition
The following are four more incident reports DataBreaches has noted. It is not yet clear whether some of them involve patient data or not.
CAROLINA BEHAVIORAL HEALTH ALLIANCE in North Carolina has been notifying law enforcement, state regulators, and patients about a ransomware attack they detected on March 20, the day after it began. Covered entities were notified on May 9 (see below), and parents of minor children were notified that CBHA had found no evidence of misuse of data, but it was possible that children’s names, addresses, health plan ID numbers, and gender might have been accessed. The incident has not yet appeared on HHS’s public breach tool so we do not have any total number as yet, but CBHA reports:
We advised LiveWELL Health Plan, Wake Forest University Baptist Medical Center and Affiliates Employee Benefits Plan, and Wake Forest University Health and Welfare Benefit Plan of this incident between May 5, 2022 and May 9, 2022, and have been working diligently to identify which individuals and what information were potentially impacted.
We found no evidence that personal information has been misused; however, it is possible that the following information could have been accessed by an unauthorized third party: first and last name, address, date of birth, date(s) of service, level of care, provider name(s), health plan identification information, and/or Social Security number.
FLORIDA BIRTH-RELATED NEUROLOGICAL INJURY COMPENSATION ASSOCIATION (NICA) has notified the Massachusetts Attorney General’s Office that they are notifying an unspecified number of people after two employees’ email accounts were compromised. Within 48 hours of the initial compromise, unauthorized access to both accounts was detected and stopped, and the accounts were secured. NICA believes that the motivation behind the attack was financial and not for the personal or protected health information itself.
NICA is a statutory organization that manages the Florida Birth Related Neurological Injury Compensation Plan (“Plan”) used to pay for the care of infants born with certain neurological injuries. It’s not clear yet what data elements may have been involved, but given the nature of the association’s work, it is possible that we will eventually be told that personal and medically related information is involved.
CHILD AND FAMILY SERVICES, INC. in Massachusetts notified the Massachusetts Attorney General’s Office that 1,681 were impacted by an incident that occurred between November 16-18, 2021. CFS discovered the attack on November 18, 2021. The data elements were not specified in the template notice. There is no notice on CFS’s website as of the time of this posting.
NORTH AMERICAN SPINE SOCIETY appears to be a professional association. As such, I wouldn’t necessarily expect them to be storing any protected health information. But in a notification template sent to the Montana Attorney General’s Office, NASS notes that some personal information may have been accessed in a cybersecurity incident that they learned about on February 13. Data elements were not enumerated in that template, but NASS also reported the incident to the Texas Attorney General’s Office, who summarized the submission as including the following data elements: Name of individual; Address; Social Security Number Information; Driver’s License number; Government-issued ID number (e.g. passport, state ID card); Financial Information (e.g. account number, credit or debit card number); and Health Insurance Information. NASS reported that 345 Texans were being notified; but the total number being notified was not provided. There is no notice on NASS’s website at this time.