Recent high-profile cyberattacks on Medjet, the Native American Health Center, and Angels Neurological Centers have heightened concerns over the security of patient data.
Medjet
Birmingham, AL-based air medical transport and travel security membership program Medjet found itself at the center of a cyberattack in late 2023. On October 17th, the organization detected the presence of malware on its network, which had rendered certain systems unavailable. The forensic investigation, completed on December 5th, revealed that the threat actor may have gained unauthorized access to files from the network during the period of compromise.
The exposed information included the names, addresses, and Social Security numbers of Medjet's clients. While the organization was unaware of any actual or attempted misuse of the compromised data at the time of notification, the potential for identity theft and financial fraud posed a risk to the affected individuals.
Medjet swiftly addressed the incident, implementing complex password requirements and multifactor authentication. The organization also pledged to continue reviewing its cybersecurity measures to identify further opportunities for strengthening security. Affected individuals were offered 12 months of credit monitoring and identity theft protection services to mitigate the potential consequences of the breach.
Native American Health Center
The Native American Health Center, a nonprofit Federally Qualified Health Center serving the native community in the California Bay Area, faced a cybersecurity incident on November 19th, 2023. The organization took immediate action to secure its network and enlisted the help of third-party cybersecurity experts to investigate the incident.
The forensic investigation revealed that the unauthorized actor had accessed files containing sensitive information, including names, dates of birth, and medical data. However, Social Security numbers were not compromised. As a precautionary measure, the affected individuals were offered complimentary credit monitoring services.
In response to the breach, the Native American Health Center implemented multifactor authentication for all logins and is now working to deploy a system that replaces passwords with fingerprint scans and badge taps. Additionally, the organization has replaced all hard drives and will continue to conduct annual HIPAA privacy and security assessments, as well as regular reviews of its policies, procedures, and employee training programs related to cybersecurity.
Angels Neurological Centers
On April 9th, 2024, Angels Neurological Centers in Massachusetts identified suspicious activity in its computer systems. The organization acted swiftly to contain the attack and prevent further unauthorized access, engaging third-party cybersecurity professionals to investigate the incident.
The forensic investigation revealed that the unauthorized actor had gained access to files containing patient information on limited occasions between March 3rd and April 9th, 2024. The exposed data varied from individual to individual and may have included a range of sensitive information, such as names, addresses, birth dates, medical records, diagnoses, treatment details, insurance information, and Social Security numbers.
Angels Neurological Centers notified the affected individuals by mail on June 5th, 2024, providing them with details on the incident and the types of information that may have been compromised. The organization also reported the breach to regulators, although it was not yet listed on the HHS' Office for Civil Rights breach portal at the time of notification.
Why it matters
The cyberattacks experienced by Medjet, Native American Health Center, and Angels Neurological Centers show the challenges faced by the healthcare industry. As malicious actors continue to target these organizations, healthcare providers must prioritize cybersecurity and implement detailed strategies to safeguard patient data and ensure the continuity of urgent medical services.
Farah Amod
