On October 14, 2024, Arizona-based OnePoint Patient Care, a leading hospice pharmacy, disclosed a data breach that compromised the personal information of more than 795,000 individuals.
On August 8, 2024, OnePoint Patient Care detected suspicious network activity, prompting an investigation that confirmed a data breach. OnePoint concluded that, between August 6 and August 8, 2024, unauthorized parties gained access to its systems and to some files containing patients' PHI. Exposed information includes patient names, addresses, Social Security numbers, and medical information such as diagnoses and medication history.
The Inc Ransom group has since claimed responsibility for the attack and has made the stolen data publicly accessible on the group's Tor-based leak site.
On October 14, 2024, OnePoint Patient Care issued a breach notification on the company website to all affected persons, offering them credit monitoring services free of charge.
The notice also states, "OPPC is committed to maintaining the privacy and security of the information entrusted to it. OPPC has taken, and is taking, additional steps, including changes to make its safeguards even better and to help reduce the likelihood of a similar event from happening in the future."
As ransomware groups like Inc Ransom increasingly target healthcare organizations, providers must improve their cybersecurity defenses to uphold patient privacy and mitigate the risk of data breaches.
Affected individuals who receive a breach notification from OnePoint Patient Care should monitor their accounts and promptly report suspicious activity.
A breach occurs when an unauthorized party gains access to, uses, or discloses protected health information (PHI) without permission. Examples of breaches include hacking, losing a device containing PHI, or sharing information, like email login credentials, with unauthorized individuals.
HIPAA compliance is required for covered entities, such as healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates who handle PHI.
Civil penalties for HIPAA violations can include fines ranging from $100 to $50,000, with an annual maximum of $1.5 million per violation. Criminal penalties are applied when HIPAA violations are knowingly committed, with increased fines and imprisonment.