Security Breaches Reported by Lakeshore Bone & Joint Institute and Putnam County Memorial Hospital

Lakeshore Bone & Joint Institute, an Orthopedic practice located in Indiana, has suffered a breach that impacted its Microsoft Office 365 account, including email messages and attachments that have the protected health information (PHI) of some patients.

On July 7, 2021, the practice noticed strange activity in a staff member’s email account and promptly took action to avert further unauthorized access. There was a cybersecurity and digital forensic agency hired to check out the incident and help with remediation work.

The breach investigator established that an unauthorized individual had obtained access to one worker’s email account. An evaluation of the account was done on October 21, 2021, and showed that the attacker may have accessed or possessed these types of patient data:

Birthdate, treatment details, Diagnosis MRN/patient ID, name of provider, medical insurance data, treatment cost details, and, for a number of persons, Social Security numbers.

Persons whose Social Security numbers were likely exposed have been provided a complimentary one-year membership to identity theft monitoring services.

According to the breach report sent to the Maine attorney general, the breach possibly affected 23,627 individuals.

PHI Possibly Exposed in Putnam County Memorial Hospital Ransomware Attack

Putnam County Memorial Hospital has begun informing 6,916 people regarding a July 2021 cyberattack that triggered the possible exposure of protected health information.

The attack was discovered on July 18, 2021 when an employee was unable to gain access to selected computer systems and data files. A forensic investigation affirmed that an unauthorized person acquired access to its network sometime from July 16 to July 18, used various network reconnaissance software to find systems and data of interest, after that employed ransomware to encrypt data files.

The forensic investigation established the threat actor got access to some areas of the system including patient and staff data such as names, Social Security numbers, addresses, doctor-patient evaluations and reports, patient consent, and laboratory and radiology data. It is deemed that financial data was not exposed.

Right after the breach, the hospital enforced new security procedures to better secure patient information. Free credit monitoring services were given to impacted people for one year. Those services comprise darknet and clearnet tracking, fraud consult, quick cash scan, and identity theft insurance, and restoration services.