Atrium Health Alerts 586,000 Individuals About Previous Use of Tracking Technology

Atrium Health has issued notifications to nearly 586,000 individuals regarding a data breach related to its use of online tracking technologies in its patient portal. The healthcare provider conducted an initial review of its online technologies in June 2022, prompted by revelations regarding the use of third-party tracking tech by healthcare organizations. This review, however, focused solely on current technologies rather than historical data usage.

In a further examination conducted in 2024, Atrium expanded its review to assess the tracking technologies used from January 2015 to July 2019. This analysis revealed that certain tracking technologies had been implemented in sections of the Patient Portal during that timeframe. Atrium stated that these technologies were employed to enhance user experience and support various functionalities of the Patient Portal.

The data tracked may have included personal information transmitted to third-party vendors such as Google and Facebook (now Meta). However, Atrium acknowledged that it could not determine the specific data shared with these external entities. Consequently, breach notifications were sent to users of the MyAtriumHealth portal during that period, alerting them to potential risks based on their browser settings and third-party affiliations.

Potentially shared information encompassed IP addresses, cookies, and details about medical providers or treatments. Notably, Atrium found no evidence suggesting that any transmitted information had been misused. It is crucial to point out that this incident is separate from a previously reported data breach involving a phishing scheme in September 2024.

Massachusetts hospital reports data security incident

Anna Jaques Hospital, a community hospital in Massachusetts with 119 beds, has notified approximately 316,000 individuals of a data security incident that took place around December 25, 2023. Upon discovering that specific systems had been compromised, the hospital swiftly secured its environment and initiated a comprehensive investigation.

In January 2024, Anna Jaques posted a notification on its website while it continued its investigation into the breach. By November 4, 2024, following a forensic examination and a detailed document review, the hospital confirmed unauthorized access to certain files.

Information that may have been compromised in the incident includes demographic data, medical records, health insurance details, Social Security numbers, driver’s license numbers, and financial information. Anna Jaques reported that there is no evidence of fraud arising from this incident and urged both employees and patients to remain vigilant and monitor their accounts for suspicious activity.

Colonial Behavioral Health suffers data breach

Colonial Behavioral Health (CBH), based in Virginia, has informed nearly 30,000 individuals about a data breach stemming from a ransomware attack that occurred in October 2024. The organization experienced significant disruptions in its computer systems but managed to continue providing patient care during this period.

The investigation revealed that an unauthorized user had infiltrated CBH’s systems in May 2024 and remained undetected until their activities culminated in the encryption of the organization’s IT systems on October 4, 2024. During this breach, the perpetrator could have accessed a range of sensitive information, including demographic, clinical, and claims data.

In response to the incident, CBH reported the breach to relevant state and federal authorities, including the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI. Affected individuals were notified, and the organization is offering complimentary credit monitoring to those impacted by the breach.

This incident illustrates potential tactics and techniques relevant to the MITRE ATT&CK framework, particularly in areas such as initial access, persistence, and credential access, highlighting the ongoing risks associated with cybersecurity lapses in healthcare settings.

Jill McKeon has been reporting on healthcare cybersecurity and privacy issues since 2021.
