OnePoint Patient Care reports data breach affecting 795,000
Caitlin Anthoney Oct 28, 2024 5:55:39 PM
On October 14, 2024, Arizona-based OnePoint Patient Care, a leading hospice pharmacy, disclosed a data breach that compromised the personal information of more than 795,000 individuals.
What happened
On August 8, 2024, OnePoint Patient Care detected suspicious network activity, prompting an investigation that confirmed a data breach. OnePoint concluded that, between August 6 and August 8, 2024, unauthorized parties gained access to its systems and accessed some files containing patients’ PHI. Exposed information includes patient names, addresses, Social Security numbers, and medical information like diagnosis and medication history.
The Inc Ransom group has since claimed responsibility for the attack, leaving the breached data publicly accessible on the group's Tor-based site.
What was said
On October 14, 2024, OnePoint Patient Care issued a breach notification on the company website to all affected persons, offering them credit monitoring services free of charge.
The notice also states, "OPPC is committed to maintaining the privacy and security of the information entrusted to it. OPPC has taken, and is taking, additional steps, including changes to make its safeguards even better and to help reduce the likelihood of a similar event from happening in the future."
By the numbers
- Over 795,000 individuals were affected by this breach, according to OPPC's HHS report.
- OPPC serves more than 40,000 patients daily and has upwards of 100 locations around the country.
- OPPC has a network of over 55,000 contracted pharmacies.
- Over 200 employees work for OPPC.
Why it matters
As ransomware groups like Inc Ransom increasingly target healthcare organizations, providers must improve their cybersecurity defenses to uphold patient privacy and mitigate the risk of data breaches.
The bottom line
Affected individuals who receive a breach notification from OnePoint Patient Care should monitor their accounts and promptly report suspicious activity.
FAQs
What is a data breach?
A breach occurs when an unauthorized party gains access to, uses, or discloses protected health information (PHI) without permission. Examples of breaches include hacking, losing a device containing PHI, or sharing information, like email login credentials, with unauthorized individuals.
Who needs to comply with HIPAA?
HIPAA compliance is required for covered entities, such as healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates who handle PHI.
What are the penalties for violating HIPAA regulations?
Civil penalties for HIPAA violations can include fines ranging from $100 to $50,000, with an annual maximum of $1.5 million per violation. Criminal penalties are applied when HIPAA violations are knowingly committed, with increased fines and imprisonment.