New Jersey Brain and Spine
Your Personal Info Could Be Exposed Online After This Hospital Breach
Breach Description
New Jersey Brain and Spine (NJBS) experienced a significant data breach in November 2021, which impacted the personal and medical information of 92,453 individuals. The cyberattack involved encryption of some of NJBS’s data, prompting the practice to undertake a comprehensive investigation to determine the extent of the information compromised. The potentially exposed data included names, email addresses, birth dates, addresses, Social Security numbers, driver’s license numbers, telephone numbers, financial account information, and medical information.
In response to the breach, NJBS has taken several steps to enhance its data security measures. These include migrating to a third-party hosted cloud-based platform for secure patient data storage, implementing two-factor authentication, installing a new server, and establishing ongoing monitoring to track user activity, services, and ports while coordinating logging. NJBS has encouraged affected individuals to remain vigilant against identity theft, although it has stated there is no evidence to suggest that the compromised information has been misused[3].
Additionally, the breach has led to legal scrutiny and a class action investigation by Ahdoot & Wolfson, PC. The law firm is seeking individuals who received notification from NJBS about the breach, as the unauthorized access to sensitive personal and medical information could potentially violate data privacy and consumer protection laws. The investigation aims to address NJBS’s failure to safeguard sensitive personal and medical information, which may have exposed patients to risks of identity theft and fraud[4].
This incident is part of a broader trend of cyberattacks targeting healthcare organizations, as observed in 2021 with a significant uptick in attacks against outpatient facilities and specialty clinics. Cybercriminals appear to be shifting their focus from high-profile health system attacks to smaller facilities and business associates, exploiting vulnerabilities in their security systems to access protected health information (PHI)[3].
Citations:
[1] https://www.doj.nh.gov/consumer/security-breaches/documents/new-jersey-brain-spine-20220414.pdf
[2] https://www.neurosurgeonsofnewjersey.com/data-security-incident/
[3] https://healthitsecurity.com/news/nj-dialysis-center-neurosurgery-practice-both-face-cyberattacks
[4] https://www.ahdootwolfson.com/blog/new-jersey-brain-and-spine-data-breach-class-action-investigation/
[5] https://www.hipaajournal.com/data-breaches-reported-by-new-jersey-brain-and-spine-highmark-inc-and-dialyze-direct/
[6] https://www.healthcarecompliancejournal.com/data-breach-reports-submitted-by-new-jersey-brain-and-spine-highmark-inc-and-dialyze-direct/?amp=1
[7] https://www.beckersspine.com/spine/54972-new-jersey-hospital-must-pay-neurosurgeons-24-3m-appeals-court-rules.html
[8] https://www.jdsupra.com/legalnews/data-breach-alert-new-jersey-brain-and-8133983/
[9] https://www.thelyonfirm.com/class-action/data-breach/new-jersey-brain-and-spine/
[10] https://www.law.com/njlawjournal/2022/08/11/appeals-court-upholds-24-3m-jury-verdict-over-breach-of-implied-covenant-by-hospital/
[11] https://casetext.com/case/n-jersey-brain-spine-ctr-v-united-healthcare-ins-co