Third-Party Data Breaches Announced by Apple Valley Clinic & BioTel Heart

A ransomware attack on one of the IT vendors of Apple Valley Clinic in Minnesota resulted in the potential compromise of the protected health information of 157,939 of its patients.

Apple Valley Clinic, which is with Allina Health, utilized Netgain Technology LLC for hosting its IT network and computer networks. In November 2020, Netgain encountered a ransomware attack that led to the taking down of its data off the web. Netgain informed Apple Valley Clinic on December 2, 2020 concerning the exposure of patient information during the ransomware attack. Allina Health acquired affirmation on January 29, 2021 regarding the impact on patient information.

The types of data breached included names, Social Security numbers, birth dates, bank account and routing numbers, patient billing details, and certain health information which includes symptoms and diagnoses. Although various healthcare companies had PHI affected, Apple Valley Clinic was the sole Allina Health site to be affected.

After the breach, Apple Valley Clinic already took action to enhance data security, which includes shifting to the electronic health record system employed by Allina Health. Netgain is still looking into the attack and is keeping track of any unfavorable consequences from the breach.

Thus far, Apple Valley Clinic has not acquired any information that indicates the improper use of any PHI due to the attack; nonetheless, to be able to make certain impacted patients are safe, free credit monitoring and identity theft protection services are being given.

BioTel Heart Warns 38,575 Patients Regarding Online PHI Exposure

BioTel Heart, a cardiac data firm, reported that the PHI of 38,575 patients was exposed on the internet due to a breach at one of its providers.

BioTel Heart, a trading name that is likewise employed by LifeWatch Services Inc. and CardioNet, LLC, was notified of a breach that happened on January 28, 2021 when a patient learned that some of their PHI could be accessed on the web from Google search results. An investigation was started to ascertain the source of the breach which indicated that one of its vendors did not protect an Amazon S3 bucket, which led to the accessibility of patient information from the search engine listings. The investigation affirmed that patient data was open to the public between October 17, 2019 and August 9, 2020.

These types of data viewable by way of the search engines: names, contact data, birth date, medical insurance details, and health data linked to remote cardiac monitoring services, for instance, diagnoses, diagnostic testing, prescribing doctors’ names, and treatment details. Though BioTel Heart doesn’t access Social Security numbers, certain Social Security numbers were additionally exposed.

BioTel Heart has ascertained that the vendor resolved the matter and kept the data secure on August 9, 2020. Any business connection with the vendor is discontinued.

The vendor was advised concerning the breach via Amazon right after the knowledge of the compromised information by a security researcher, as noted in the August 2020 report. The vendor seems not to have told BioTel Heart regarding the breach.