Activate Healthcare breach compromised healthcare data of over 93,000 patients

Indianapolis, US-based healthcare provider Activate Healthcare admitted to suffering a cyber security incident that resulted in the theft of sensitive personal information of more than 93,000 patients. 

Activate Healthcare said in a press release that on 27th April, it identified suspicious activity within its internal network. It immediately initiated an incident response process and launched an investigation with the assistance from external cyber security experts to understand the nature and scope of the incident.

“The investigation determined that an unauthorised party accessed our network and, between April 22, 2023 and April 28, 2023, copied some of the documents from the system,” the notice read.

The investigation also revealed that the data accessed by the threat actors contained patients’ names, dates of birth, addresses, social security numbers, driver’s license numbers, and clinical information, such as provider names, dates of service, and diagnoses.

After identifying that patients’ data had been compromised, the healthcare company started notifying all affected individuals as well as law enforcement agencies and also filed a data breach notification with the office of the Attorney General of Montana.

Activate Healthcare also informed the HHS’ Office for Civil Rights that the data security incident compromised the personal and healthcare information of up to 93,761 patients.

The company said there is no evidence of the compromised information being misused, but the possibility of the same cannot be ruled out. It has urged all affected individuals to remain vigilant and report any suspicious activity found in their credit reports.

It has also set up a dedicated hotline for patients affected by the security incident, where they can call and clarify all their queries.

“Activate Healthcare remains committed to protecting the confidentiality and security of patient information. We will continue to take steps to enhance the security of our computer systems and the data we maintain,” the healthcare provider added.

Earlier this month, Atlantic General Hospital, a Berlin, Maryland-based healthcare provider, said it suffered a cyber attack that compromised the sensitive personal information of its patients and employees.

The hospital revealed in a notice of data breach posted on its website that on 29th January, it discovered “encrypted files on certain computer systems” and immediately launched an investigation with the assistance of third-party forensic experts to understand the nature and scope of the security incident.

It added that after completing a comprehensive review of the compromised files on 6th March, it concluded that the files contained sensitive personal information related to its patients and employees.

The compromised information included names, social security numbers, driver’s license numbers, financial account information, dates of birth, medical record numbers, treating/referring physicians, health insurance information, subscriber numbers, medical history information, diagnosis, and treatment information.

In an initial filing with the office of the Attorney General of Maine in March, AGH said that up to 30,704 individuals were affected by the data breach. The healthcare provider in a later filing with the Attorney General’s office revised the number of affected individuals to 136,981 people.