34,000 Patients Impacted by Grand River Medical Group Email Breach


It has been discovered that an unauthorized individual gained access to the email account of an employee at Grand River Medical Group in Dubuque in Ohio, resulting in the possibility that someone could have viewed or obtained the protected health information of 34,000 patients.

After uncovering the breach, a password reset was carried out to stop any additional unauthorized access and an internal investigation was begun to see what other systems were impacted. The Grand River Medical Group IT team discovered that only one email account was impacted and no other systems were infiltrated.

Third-party breach response specialists were hired to complete an in-depth forensic analysis to determine whether any patient data in the email account in question was accessed or downloaded. Data theft could not be completely eliminated, although no proof was identified to indicate patient data was illegally taken as part of the attack.

The data contained in the email account was not the same for every patient and included one or more of the following types of protected health information along with patient names: Address, date of birth, patient’s balance and balance type, visit type, claim amount and status code, medications, and guarantor’s name. Some Social Security numbers were also infiltrated.

Notifications were sent to any patients that had their PHI impacted between February 8 and February 11, 2021. Affected people have been provided with a free 12-month membership to credit monitoring and identity theft recovery services supplied by MyIDCare, which includes a $1,000,000 identity theft insurance policy.

Elsewhere Granite Wellness Centers in Northern California were hit by a ransomware attack that took place on January 5, 2021 in which patient information was encrypted. The attack was first discovered as it was still live and systems were disabled to stop the removal of data.

A ransom demand was sent, however no ransom was handed over. Granite Wellness Centers was able to retrieve all encrypted files from backups. An audit of the systems affected showed that included patient data such as names, dates of birth, dates of service, treatment and health information, treatment provider, and health insurer address.

Granite Wellness Centers has not been made aware that indicate patient information has been illegally used; however, impacted people have been warned to monitor their accounts and explanation of benefits statements for suspicious behavior. Extra security moments are being put in place to stop additional cyberattacks and to secure data stored on its systems.

It is estimated that ehe PHI of up to 15,600 people could have been impacted in the attack.