Exposure of PHI of Hypertension-Nephrology Associates Patients and Allina Health Patients

Hypertension-Nephrology Associates Patients Affected by Data Theft Incident

Hypertension-Nephrology Associates based in Michigan reported recently that it was targeted by a cyberattack last February 2024. An unidentified threat actor left a ransom note on its computer program requiring payment to stop exposing patient information stolen during the cyberattack.

Ransomware groups still target the healthcare sector by stealing data and encrypting files, requiring payment in exchange for the decryption keys and to stop the exposure of stolen information; nevertheless, many threat actors omit file encryption and perform extortion-only cyberattacks. An example is the cyberattack on Hypertension-Nephrology Associates. After finding the ransom note, the healthcare provider launched an investigation to confirm the claims of the threat actor. Third-party cybersecurity specialists helped with the investigation and reported the threat actor’s access to its systems from January 20, 2024 to February 6, 2024. In that time frame, files that contain patients’ protected health information (PHI) were extracted from its network.

A detailed review was done of the breached section of the network; nevertheless, the degree to which patient information was viewed or stolen cannot be confirmed. Hypertension-Nephrology Associates thus assumes that all PHI kept on the system was compromised. That data consists of names, birth dates, diagnosis and treatment data, Social Security numbers, and medical insurance ID numbers.

The practice called in third-party security specialists and external consultants on HIPAA compliance and has applied extra security procedures to stop the same incidents down the road. The impacted patients are informed about the breach and offered free credit monitoring services. Hypertension-Nephrology Associates already reported the incident to the governing bodies however is not yet posted on the HHS’ Office for Civil Rights breach website. The actual number of affected patients is currently uncertain.

PHI of 715 Allina Health Patients Improperly Accessed

Allina Health System based in Minneapolis, MN found out that some patients’ health data were improperly accessed by an ex-employee. In January 2024, the unauthorized access was discovered and a thorough review of access logs was conducted to determine which patient files were improperly accessed. The review was completed in March 2024, which confirmed the access to the medical records of 715 individuals without authorization. Information likely compromised included names, photo IDs, addresses, insurance data, some clinical data, and the last 4 numbers of Social Security numbers. Allina Health stated the old employee stopped working for Allina Health in 2022. All impacted patients were sent breach notifications and provided free identity theft and credit monitoring services for 2 years. Workers were provided refresher HIPAA training on security and internal guidelines.

Author: Daniel Lopez

Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years experience as a HIPAA coach. Daniel provides his HIPAA expertise on several publications including Healthcare IT Journal and The HIPAA Guide. Daniel has studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X https://twitter.com/DanielLHIPAA