Roundup: Four more breaches in the healthcare sector: Healthback Holdings, Zenith American Solutions, Bronx Accountable Healthcare Network, and Centerstone
On June 1, Healthback Holdings, LLC in Oklahoma discovered that they had been subject to a hacking incident that began in October 2021. “A limited number” of employee accounts were compromised. On July 29, Healthback notified HHS that 21,114 patients were affected. Their notice says that names, health insurance information, Social Security numbers, and clinical information was in the compromised email accounts.
Zenith American Solutions claims to be the largest independent Third Party Administrator in the United States with more than 47 offices nationwide. On June 24, there was a mailing error by an unnamed vendor that resulted in Social Security numbers being included in the mailing addresses of those sent letters that day. The error was discovered on June 28. Zenith reported the incident to HHS on July 20 as impacting 37,146 individuals, but it is not clear if that was the grand total or just on behalf of certain covered entities. Their notice to Sound Health and Wellness Trust provides more details about the types of data involved.
The Bronx Accountable Healthcare Network notified HHS on July 20 about a hacking incident involving email that impacted 17,161 patients. DataBreaches could find no notice on their site, and has written to them to ask if this report might be part of the Acacia Network breach in 2020 that was first disclosed in February of this year.
Centerstone is a nonprofit providing mental health, addiction recovery, residential care, therapeutic foster care, counseling, and crisis services at more than 200 locations in four states: Florida, Tennessee, Illinois, and Indiana. On February 14, they discovered a breach impacting their email environment that began in November 2021. The incident has not yet appeared on HHS’s public breach tool, but their press release indicates that the types of information of former and current clients that may have been accessed and acquired include: name, address, Social Security number, date of birth, client ID, medical diagnosis / treatment information, and/or health insurance information.