Around December 13, 2024, Primary Health-SMMPP and U.S. Healthworks-SMMPP, two HIPAA business associates based in Arizona, detected unusual activity on their server. Ultimately, the business associates determined they had experienced a data breach.
Soon after the unusual activity was detected, a third-party digital forensics firm was engaged to investigate the potential data breach. It confirmed that an unauthorized third party had breached the server's defenses and may have accessed or copied stored data. The data review concluded on January 7th, 2025, and the team determined that the compromised data included names, dates of birth, dates of service, and, in some cases, Social Security numbers.
Primary Health-SMMPP reported the breach to the HHS Office for Civil Rights (OCR) as affecting 67,567 individuals, while U.S. Healthworks-SMMPP reported 10,673 affected individuals. In response, both entities are offering complimentary credit monitoring and identity theft protection services for 12 to 24 months.
Recent incidents like these, along with others reported in Kansas, Ohio, and New York, reveal a trend of increasingly sophisticated cyberattacks targeting both covered entities and business associates. As digital records gain popularity among healthcare providers, these attacks put vast amounts of electronic protected health information (ePHI) in danger. Organizations have to constantly adapt, adopting more advanced cybersecurity measures in line with those recommended by regulatory organizations like HHS and CISA.
Cyberattacks often target healthcare organizations' IT systems, medical devices, and patient data, aiming to disrupt operations or steal sensitive information like medical records and financial data.
Cyberattacks can lead to disruptions in patient care and delays in billing and insurance claims processing.
Ransomware attacks, such as those by groups like BlackCat, are common. These attacks involve encrypting data and demanding payment for decryption keys.