On August 26, healthcare technology services company QRS, Inc. (“QRS”) discovered that an attacker had compromised a patient portal and exfiltrated some files from that client’s server. The compromise had been detected within three days of the attack. The information the threat actor may have accessed or acquired may have included, depending on the individual, their name, address, date of birth, Social Security number, patient identification number, portal username, and/or medical treatment or diagnosis information. This attack did not involve any other QRS systems or the systems of any of QRS’s clients.
Read more from the QRS notification. This incident was reported as impacting 319,788 patients.
New York Psychotherapy and Counseling Center
On September 11, The New York Psychotherapy and Counseling Center (NYPCC) discovered that a computer server in their offices had been accessed by an unauthorized third-party. The impacted server contained internal reports and files which may have contained some of patients’ protected health information, including name, dates of service, address, Medicaid ID and date of birth.
NYPCC will be sending out letters to those impacted, so if you were a patient of theirs, keep an eye out for any mail.
Baywood Medical Associates, PLC dba Desert Pain Institute
Desert Pain Institute in Arizona also disclosed a breach this week. DPI reports that on September 13, they detected unauthorized access that investigation subsequently revealed began July 3. DPI does not provide further details about what kind of network security incident this was, but reports that various types of protected health information may have been exposed: full name, address, date of birth, Social Security number, tax identification number, driver’s license/state-issued identification card number, military identification number, financial account number, medical information, and health insurance policy number. The type of information varied by person.
Read the article