Online pharmacy Ravkoo and Fertility Centers of Illinois (FCI) have notified thousands of current and former patients of data breaches involving troves of their sensitive information.
According to the HIPAA Journal, breach notification letters were sent to 79,943 current and former patients, informing them that their passport numbers, Social Security numbers, financial account information, payment card information, treatment information, treating physicians, medical billing/claims information, prescription/medication information, and Medicare/Medicaid identification information had been leaked.
Additional patient information about treatment and health insurance coverage, as well as some staff information, was also involved in the hack.
On February 1, FCI “got aware of questionable activities on its internal systems,” and by August, it had concluded that patient information was involved. The firm did not reply to queries for comment on the delay in contacting victims, but the message said that it would provide one year of free credit monitoring and identity theft protection.
FCI wasn’t the first healthcare organisation to suffer a data leak. Ravkoo, an online pharmacy, also informed clients of a data breach affecting their personal information.
Ravkoo, located in Florida, claimed in a letter to New Hampshire Attorney General Gordon McDonald that hackers attempted to breach its AWS-hosted cloud prescription gateway on September 27. The issue compromised 105,000 people’s prescription and healthcare information, including roughly 400 in Maine.
CEO Alpesh Patel said that, after contracting a cybersecurity consultancy, the business was informed on October 27 that names, postal addresses, phone numbers, prescriptions, and medical information had been leaked.
According to a note on the Ravkoo website, breach notification letters were sent out on January 3 and the FBI was contacted. Kroll Information Assurance is providing victims with a one-year free online identity monitoring service.
The hacker who carried out the Ravkoo attack told The Intercept’s infosec director Micah Lee in September that the firm was “hilariously simple” to hack and that they had access to hundreds of thousands of prescriptions registered with it since 2020.
Ravkoo’s website, according to the hacker, has “a secret admin panel that any user can go in to and access all the info.”
In 2021, many fertility clinics, including Quest-owned ReproSource and Georgia-based Reproductive Biology Associates, as well as its partner My Egg Bank North America, revealed data breaches.
It’s very unusual for medical institutions to keep patient data outside of their electronic health record system, according to Jake Williams, CTO of BreachQuest, and it seems that’s what occurred in the FCI instance.
According to nVisium’s Ben Pick, the theft of administrator and other high-privilege accounts gives hackers access to a lot of data and frequently acts as a single point of failure.