Catholic Health System

Your Personal Info Could Be Exposed Online After This Hospital Breach

Breach Description

Catholic Health System in New York experienced multiple data breaches affecting its patients’ protected health information (PHI). These incidents involved unauthorized access to electronic health records and patient information through third-party vendors and consulting services.

Data Breach Involving Minimum Data Set Consultants, LLC (MDS)

In late March 2023, Catholic Health became aware of unusual activity involving certain electronic health records files managed by Minimum Data Set Consultants, LLC (MDS), a firm providing consulting services to skilled nursing facilities. An investigation revealed that the files were accessed without authorization around August 27, 2022, by a former MDS employee. The breach potentially included medical record information from some long-term care residents within Catholic Health. The files contained names, birthdates, demographic information, Social Security and Medicare numbers, and diagnosis information. While there was no indication that the information was misused for identity theft, affected individuals were advised to remain vigilant against identity theft and fraud[1][6][10][23][24].

Data Breach Involving CaptureRx

In a separate incident, Catholic Health was notified by CaptureRx, a third-party pharmaceutical software vendor, of a data breach on June 3, 2021. This breach impacted patients from Mount St. Mary’s and Sisters of Charity hospitals and involved patient information such as names, dates of birth, and prescription data accessed on February 6, 2021. No financial information was included in the breach. CaptureRx began an investigation and confirmed that private information was compromised. Catholic Health stated that there was no evidence of misuse of this information as a result of the incident [2][3][7].

Response and Measures

Following these incidents, Catholic Health and the involved third parties took steps to enhance security measures and prevent future breaches. This included notifying affected individuals, offering credit monitoring services, and reviewing and enhancing security policies and procedures. Catholic Health emphasized its commitment to protecting the privacy of its patients and any information related to their care[1][2][3].

Legal and Consumer Actions

Affected individuals were advised on steps to protect themselves from potential fraud and identity theft, including monitoring their accounts and credit reports, and placing fraud alerts or credit freezes on their credit files. Data breach attorneys also offered consultations to those impacted, highlighting the seriousness of the situation and the potential for legal action[22].

These breaches underscore the importance of robust cybersecurity measures and the need for constant vigilance by healthcare providers and their third-party vendors to protect sensitive patient information from unauthorized access.

Citations:

  1. https://blog.chsbuffalo.org/mds-data-breach/
  2. https://blog.chsbuffalo.org/catholic-health-notified-of-data-breach-by-third-party-vendor/
  3. https://healthitsecurity.com/news/catholic-health-impacted-by-capturerx-data-breach-patients-phi-exposed
  4. https://www.wivb.com/news/local-news/buffalo/catholic-health-shares-information-on-data-breach-that-impacted-health-system/
  5. https://www.torrancememorial.org
  6. https://www.wivb.com/news/local-news/buffalo/catholic-health-patients-may-have-fallen-victim-to-data-breach/
  7. https://www.wgrz.com/article/news/local/catholic-health-patients-from-mount-saint-marys-sisters-of-charity-hospitals-impacted-by-data-breach/71-5aa750ff-b1ea-40d6-a889-2d4ec538eec7
  8. https://www.chsbuffalo.org/about-us/compliance-program/notice-privacy-practice
  9. https://abcnews.go.com
  10. https://www.jdsupra.com/legalnews/catholic-health-announces-third-party-7280678/
  11. https://www.fiercehealthcare.com/health-tech/commonspirit-health-reported-it-security-incident-affecting-facilities-wash-neb-and
  12. https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
  13. https://torontosun.com/opinion/columnists/thkinsella-enforce-laws-designed-to-stop-anti-semitic-mobs-from-attacking-hospitals
  14. https://www.beckershospitalreview.com/cybersecurity/new-york-health-system-notifies-patient-of-3rd-party-data-breach-2.html
  15. https://www.idstrong.com/sentinel/people-panicking-in-the-aftermath-of-commonspirit-health-parent-company-hack/
  16. https://www.hipaajournal.com/healthcare-data-breach-round-up-november-16-2023/
  17. https://spectrumlocalnews.com/nys/buffalo/news/2022/03/31/catholic-health-suffers-data-breach-of-more-than-1-000-patients
  18. https://www.beckershospitalreview.com/cybersecurity/the-commonspirit-ransomware-attack-1-year-later.html
  19. https://www.paubox.com/blog/catholic-charities-neighborhood-services-inc-suffers-hipaa-email-breach
  20. https://www.wkbw.com/news/local-news/approximately-1-300-catholic-health-patients-impacted-by-data-breach
  21. https://www.govtech.com/security/buffalo-ny-area-hospitals-disclose-recent-data-breach.html
  22. https://www.myinjuryattorney.com/catholic-health-data-breach/
  23. https://proteuscyber.com/pt/privacy-database/news/7270-catholic-health-patients-may-have-fallen-victim-to-data-breach
  24. https://www.databreaches.net/ny-catholic-health-patients-may-have-fallen-victim-to-data-breach-by-a-consultants-employee/
  25. https://www.hipaajournal.com/managed-care-of-north-america-hacking-incident-impacts-8-9-million-individuals/

Breach Submission Date: May 11, 2023
Converted Entity Name: Catholic Health System
Converted Entity Type: Healthcare Provider
State: NY
Individuals Affected: 12,759
Breach Type: Unauthorized Access/Disclosure
Breach Information Location: Electronic Medical Record
Business Associate Present: Yes