Cyberattacks and Data Breaches Reported by Ernest Health Hospitals, Wyndemere Senior Care, Baylor College of Medicine and Harvard Pilgrim Health Care

Patient Data Theft from Several Ernest Health Hospitals

Ernest Health manages rehabilitation and long-term acute care hospitals located in Arizona, Colorado, California, Indiana, Idaho, Montana, Ohio, New Mexico, South Carolina, Texas, Utah, Wyoming, and Wisconsin. Ernest Health patients were recently notified about a data security incident that affected their personal and protected health information (PHI).

On February 1, 2024, Ernest Health discovered unauthorized activity inside its computer systems. According to the forensic investigation, systems that contained patient information were accessed without authorization from January 16, 2024 to February 4, 2024. The files stolen during the attack included patient data. For most of the impacted persons, the exposed information was restricted to names, addresses, birth dates, medical record numbers, medical insurance plan member IDs, claims information, diagnoses, and prescription details. The Social Security and/or driver’s license numbers of some patients were likewise compromised.

The security incident impacted patients at the following hospitals in the system:

  • Advanced Care Hospital of Southern New Mexico
  • Greenwood Regional Rehabilitation Hospital
  • Lafayette Regional Rehabilitation Hospital
  • Denver Regional Rehabilitation Hospital
  • Northern Idaho Rehabilitation Hospital
  • Northern Colorado Rehabilitation Hospital
  • Northern Utah Rehabilitation Hospital
  • Mountain Valley Regional Rehabilitation Hospital
  • Summa Rehabilitation Hospital
  • Rehabilitation Hospital of the Northwest
  • Rehabilitation Hospital of Southern New Mexico
  • Trustpoint Rehabilitation Hospital of Lubbock

Ernest Health started mailing notification letters to the impacted persons on March 29, 2024, and offered free credit monitoring and identity theft protection services for two years. The hospital has already reported the data breach to government bodies; however, it is currently unknown how many individuals were impacted.

Wyndemere Senior Care Cyberattack

Wyndemere Senior Care LLC, based in Wheaton, IL, provides skilled nursing and memory care to independent and assisted living neighborhoods. It has informed 6,846 persons that their personal data was compromised in a cyberattack. The healthcare provider detected suspicious activity in its computer network on September 8, 2023. The forensic investigation confirmed unauthorized system access from September 1, 2023 to September 8, 2023. On February 21, 2024, an analysis of the files on the breached system confirmed the exposure of names and financial account numbers. Affected individuals received notifications by mail on March 28, 2024. Wyndemere stated it is applying extra cybersecurity measures and is offering more HIPAA training to its workforce.

Baylor College of Medicine and Advarra Data Breach

Baylor College of Medicine, based in Houston, TX, has reported that the personal data of some participants in breast cancer clinical trials were compromised in a data breach at Advarra, its vendor. The information was contained in the email account of an Advarra staff member, which was viewed by an unauthorized third party in October 2023. Baylor College of Medicine first learned of the email security incident in November 2023. In February 2024, the Advarra investigation confirmed that the data of research participants were compromised. Advarra sent the breach report to the Maine Attorney General in February, indicating that 4,656 persons were affected. The names, Social Security numbers, and other personal identifiers were exposed. It is uncertain whether the data of research contributors were already included in that figure.

Baylor College of Medicine mentioned that the research participant data exposed in the attack were associated with breast cancer research and clinical assessments at the Dan L Duncan Comprehensive Cancer Center from 1999 to 2013. Baylor College of Medicine stated that Advarra has provided free credit monitoring, identity theft restoration services, and fraud consultation to the affected individuals.

2.86 Million Victims of Harvard Pilgrim Health Care Cyber Attack

In February, Harvard Pilgrim Health Care revised the total number of persons impacted by an April 2023 ransomware attack, raising the total by over 81,000 to 2,632,275 people. That total was raised for the fourth time on March 27, 2024, because the continuing investigation found more information that was exposed in the attack. Today, no fewer than 2,860,795 persons are known to have been affected.

The ransomware attack was uncovered on April 17, 2023, with the forensic investigation finding unauthorized access to its system from March 28, 2023 to April 17, 2023. The additional 228,520 impacted people were informed by mail. The notification letters stated the particular types of data that were possibly exposed in the attack. Harvard Pilgrim Health Care stated it is providing free credit monitoring and identity protection services through IDX.

It is not unusual for data breach investigations to uncover more breached information. The additional information determined to have been viewed in the attack involved the data of patients of Brigham and Women’s Physician Organization (BWPO). BWPO is not connected to Harvard Pilgrim; however, a worker of Harvard Pilgrim Health Care Institute was also a part-time worker at BWPO. The employee had copied the contents of their laptop computer to Harvard Pilgrim’s servers, and the saved file included BWPO records. BWPO found out about the data breach in January 2024.

BWPO mentioned that the copied file contained details from January 1, 2017, to May 1, 2019, such as names, telephone numbers, addresses, birth dates, medical record numbers, medical insurance numbers, and limited clinical details, such as laboratory results, procedures, prescription drugs, and diagnoses linked to care given at BWPO. A BWPO representative explained that proper steps were taken to address the breach and to prevent similar incidents from happening in the future.


Author: Daniel Lopez
