[BreachExchange] Dynasplint Systems Data Breach Impacts Almost 103, 000 Individuals

[Destry Winant]

https://www.hipaajournal.com/dynasplint-systems-data-breach-impacts-almost-103000-individuals/

Severna Park, MD-based Dynasplint Systems, a manufacturer of
proprietary stretching devices to improve joint motion, has
experienced a cyberattack in which personal and protected health
information may have been accessed or stolen.

The security breach occurred on May 16, 2020 and prevented employees
from accessing computer systems. In a letter to the Iowa Attorney
General, a lawyer representing Dynasplint explained that the company
had suffered “an encryption attack” which prevented employees from
accessing computer systems.

Assisted by a digital forensics firm, Dynasplint Systems determined on
June 4, 2020 that information such as names, addresses, dates of
birth, Social Security numbers, and medical information may have been
accessed and acquired by the attackers. The cyberattack was reported
to the FBI and Dynasplint Systems is cooperating with the
investigation to hold the individuals responsible accountable.

The breach report submitted to the Department of Health and Human
Services’ Office for Civil Rights indicates 102,800 individuals were
potentially affected by the attack. Those individuals started to be
notified about the breach on August 7, 2020 and have been offered
complimentary identity monitoring and recovery services for 12 months
through Kroll. While customer information may have been compromised,
no evidence has been found to suggest that customer data has been
misused.

Dynasplint is working with leading cybersecurity experts to enhance
the security of its computer systems to prevent further cyberattacks
in the future.

Texas Medical Clinical Research Organization Suffers Phishing Attack

Pinnacle Clinical Research, a San Antonio, TX-based medical clinical
research organization that runs hepatological and gastroenterological
clinical trials in San Antonio and Austin, TX has announced it has
suffered a phishing attack.

The email account breach was detected in April 2020. Assisted by
independent IT security and forensic investigators, Pinnacle Clinical
Research determined on or around May 8, 2020 that the compromised
email account contained the sensitive information of clinical trial
participants.

The breach was limited to a single email account which was found to
contain information such as names, mailing addresses, telephone
numbers, medical histories, and treatment information. A subset of
affected individuals may also have had one or more of the following
data elements exposed: Date of birth, Social Security number, driver’s
license number, state ID number, taxpayer ID number, passport number,
credit card/financial account number, associated PIN or password,
email address, and/or health insurance individual policy number.

The compromised email account was immediately secured when the breach
was discovered and steps have since been taken to improve the privacy
and security of information stored in its systems. Affected
individuals have been offered complimentary identity theft protection
and credit monitoring services for 12 months.

Phishing Attack Reported by the Institute for Integrative Nutrition

The Institute for Integrative Nutrition in New York City has
discovered personal information has potentially been compromised in a
March 2020 phishing attack. The email account breach was detected on
June 22, 2020. The investigation revealed a single email account was
accessed by an unauthorized individual between March 3-4, 2020.

Third party cybersecurity professionals assisted with an extensive
forensic investigation and the manual document review confirmed that
names and personal information, including Social Security numbers, had
potentially been accessed, although no evidence was found suggesting
data were stolen in the attack.

Out of an abundance of caution, affected individuals have been offered
complimentary identity theft protection services and “significant
measures” have been implemented to prevent further breaches in the
future.

PHI Potentially Compromised in Phishing Attack on Colorado Mental Health Center

Lafayette, CO-based Mental Health Center of Boulder County Inc., aka
Mental Health Partners, experienced a phishing attack in late March in
which employee information and the protected health information of
some of its clients were potentially compromised.

Assisted by forensic investigators, Mental Health Partners determined
on July 22, 2020 that the following information may have been
subjected to unauthorized access or could have been stolen in the
attack: names; dates of birth; Social Security numbers; driver’s
license or state identification card numbers; passport numbers;
financial account information; medical record numbers; medical
treatment information, including symptom, diagnosis, treatment,
medication, and doctor information; and/or health insurance
information.

Affected individuals have been offered complimentary credit monitoring
services. No evidence was found to indicate data were stolen or
misused. Mental Health Partners has reviewed its internal policies and
procedures following the attack and additional safeguards are being
implemented to enhance digital security.

Boxes of Medical Records Found at Texas Recycling Center

More than 2 dozen boxes of old medical records have been found at an
Odessa, TX recycling center. The records appear to have come from West
Texas Orthopedics, which is part of Midland Health. It is not known
how the records came to be at the recycling center and why they were
not disposed of securely in accordance with HIPAA Rules.

“We have a team on-site at Odessa Recycling Center. They have looked
through all records and determined that they do not belong to us. The
name West Texas Orthopedics has been used by other entities in the
past, but these records predate our ownership,” said Midland Health in
a statement issued about the breach.