SuperCare Health, a California-based respiratory care provider, has announced a data breach that affected over 300,000 people. According to a data security alert posted on its website, SuperCare claimed the incident was detected on July 27, 2021, when it saw illegal activity on various systems. An investigation of the incident disclosed that someone got access to specific systems between July 23 and July 27, 2021.
The company didn’t realize the exposed files contained patient information until February 4, 2022, when they discovered names, addresses, dates of birth, hospitals or medical groups, medical record numbers, patient account numbers, health-related information, and claim information. In some instances, the hacked files also contained social security numbers and driver’s license information.
“Please note that to date, we have no reason to believe that any information was published, shared, or misused as a result of this incident,” said the company.
SuperCare finally informed those affected about the unfortunate incident on March 25. According to the US Department of Health and Human Services, the breach harmed 318,379 persons. Based on the number of people affected, this is presently among the top 50 healthcare breaches disclosed in the last two years.
In recent months, several healthcare institutions have suffered massive data breaches. Monongalia Health System (400,000 affected) is on the list, as is Broward Health (1.3 million), Norwood Clinic (228,000), and South Denver Cardiology Associates (287,000). Last week, the Health Department released an advisory to healthcare groups, warning them about the consequences of a recent cybercrime attack by the Lapsus$ cybercrime gang.
In recent months, the hackers have targeted Samsung, Ubisoft, NVIDIA, Microsoft, Vodafone, Globant, and Okta. The group takes information, often source code, and threatens to release it unless they are paid.
The Health Department’s advisory says that it is aware of healthcare institutions hacked as a part of the Okta attack; Okta has verified that more than 300 of its clients have been affected by the breach. Police in the United Kingdom has identified and charged several accused members of the Lapsus$ gang.