Kaiser Permanente Health Plan Inc. is notifying 13.4 million individuals that some of their personal data has been disclosed to third parties such as Microsoft (Bing), Google, and X (Twitter) via tracking technologies on its websites and apps. This is the largest healthcare data breach to be reported so far in 2024 and the largest confirmed healthcare data breach to date involving website tracking technologies.

Kaiser Permanente said the tracking technologies were identified during a voluntary internal investigation and they have now been removed from its websites and mobile applications. Additional measures have been implemented to prevent similar occurrences in the future. Notifications are being sent to all individuals who have potentially been affected “out of an abundance of caution,” including current and former health plan members in all markets that Kaiser Permanente operates, and individuals who used its websites and mobile apps. Notifications are expected to be issued in May 2024.

The types of data potentially disclosed to tech companies included names, IP addresses, sign-in statuses, and information about users navigated through the websites and apps. Other information was potentially disclosed based on individuals’ usage of the websites and apps, including search terms when using its health encyclopedia such as symptoms, drugs, injuries, and exercises.  No highly sensitive information such as Social Security numbers, financial information, and usernames/passwords were disclosed. Kaiser Permanente said it is not aware of any misuse of the disclosed data; however, it is possible that individuals may have been served targeted ads based on their interactions on Kaiser Permanente’s websites and apps.

The privacy violation has been reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) as a breach of the Health Insurance Portability and Accountability Act (HIPAA). In December 2022, OCR published guidance on HIPAA and tracking technologies and recently updated its guidance to clarify when these technologies can be used and how they can be made HIPAA-compliant. OCR and the Federal Trade Commission (FTC) have been cracking down on the use of these technologies and sent around 130 warning letters to hospitals and telehealth companies last year reminding them of their obligations under HIPAA and the FTC Act, and the FTC has settled 5 complaints – Easy Healthcare (Premom), GoodRx, BetterHelp, Monument, and Cerebral – that alleged violations of the FTC Act related to the use of these technologies without consumers’ consent. State attorneys general have also investigated privacy violations related to the use of tracking technologies, including the New York Attorney General, who settled alleged violations of HIPAA and state laws with New York Presbyterian Hospital over the use of these tools.

The post Kaiser Permanente Website Tracker Breach Affects 13.4 Million Individuals appeared first on HIPAA Journal.

Politzer and Durocher, PLC, which does business as Optometric Physicians of Middle Tennessee (OPMT), has recently reported a hacking incident to the HHS Office for Civil Rights involving the personal and protected health information of 29,000 individuals. The Lebanon, TN-based eye clinic chain said it detected unauthorized access to its network on March 25, 2024. The attackers had circumvented its security controls, and accessed one of its servers and exfiltrated files containing “a very limited amount of healthcare information.” The investigation confirmed that other identifying information may have been accessed in the attack. A forensic investigation is currently underway to determine the exact types of information involved and notification letters will be mailed to the affected individuals when that process is completed. OPMT said, “Even though it is not specifically required by HIPAA, we will offer identity theft protection services to all affected individuals; we feel that this is an important precaution to protect our patients.”

The BianLian group has claimed responsibility for the attack. Like several other cybercriminal groups, BianLian tends not to use ransomware anymore and just steals data and demands payment to prevent the exposure or sale of the data. The BianLian has added OPMT to its leak site and claims to have exfiltrated 1.5TB of data in the attack, including financial information, HR data, biometric data, contracts and confidential agreements, SQL databases, and patients’ PII and PHI.

Moffitt Cancer Center Affected by Data Breach at Advarra

Moffitt Cancer Center has recently announced that it has been affected by a security breach at one of its vendors, Advarra.  Advarra provided services to Moffitt Cancer Center related to the care and treatment of patients and a research study. On October 26, 2023, Advarra discovered suspicious activity in an employee’s user account. The forensic investigation confirmed it had been accessed by an unauthorized individual on October 25, 2023, who acquired a limited amount of data. On or around February 8, 2024, Advarra completed its file review and confirmed that the compromised data belonged to Moffitt Cancer Center.

Moffitt Cancer Center was notified about the breach by Advarra on February 21, 2024, and completed its review of the affected data on March 13, 2024. Moffitt Cancer Center has confirmed that its own systems were not accessed and that the information exposed was limited to names, dates of birth, and Social Security numbers. Advarra is notifying the affected individuals on behalf of Moffitt Cancer Center.

Advarra has recently reported the breach to the HHS’ Office for Civil Rights as affecting 596 individuals and Moffit Cancer Center has reported the breach to the Maine Attorney General as affecting 26,577 individuals. Advarra said it has implemented additional measures to further strengthen its internal files system and is offering the affected individuals complimentary identity theft monitoring through Kroll. Moffitt Cancer Center also recently announced that it was affected by a data breach at another vendor, the law firm Gunster, Yoakley, and Stewart.

Patient Data Stolen in Cyberattack on Somerset Dental Las Vegas

Somerset Dental Las Vegas in Nevada has notified 11,321 patients that some of their protected health information has been exposed. The security breach was detected on February 16, 2024, and a third-party forensic investigation confirmed that certain files were exfiltrated from its network in the attack. The stolen data varied from individual to individual and may have included names, dates of birth, addresses, telephone numbers, email addresses, Social Security numbers, driver’s license numbers, health information, and dental insurance information.  Somerset Dental Las Vegas said it is reviewing its security safeguards and will strengthen security. Complimentary identity protection and credit monitoring services have been offered to individuals whose Social Security numbers and/or driver’s license numbers were involved.

The post BianLian Threat Group Claims Responsibility for Cyberattack on Tennessee Eye Clinic Network appeared first on HIPAA Journal.

Notification letters have been sent to more than 34,500 individuals about ransomware attacks that occurred more than 9 months ago. Kisco Senior Living experienced its attack in June 2023, and Island Ambulatory Surgery Center suffered an attack in July.

Kisco Senior Living

Kisco Senior Living is a Carlsbad, CA-based operator of 20 senior living communities in 6 U.S. States. According to the notification letters mailed to the affected individuals in April 2024, a cyberattack was detected on June 6, 2023, when its network was disrupted. A cybersecurity firm was engaged to investigate the disruption and confirmed that unauthorized individuals accessed its network and exfiltrated files containing the personal information of residents. It took more than 10 months (April 10, 2024) to determine the types of information involved and the number of individuals affected.

According to the notification sent to the Maine Attorney General, the breach included names and Social Security numbers and affected 26,663 individuals. Kisco Senior Living said additional security features have been implemented to prevent similar breaches in the future and the affected individuals have been offered 12 months of complimentary credit monitoring services, which include a $1 million identity fraud loss reimbursement policy.

Island Ambulatory Surgery Center

Island Ambulatory Surgery Center in Brooklyn, NY, has recently notified 7,900 individuals about a cyberattack that was detected on or around July 31, 2023. Cybersecurity experts were engaged to investigate the breach and determined that an unauthorized actor had access to its network and acquired certain files, some of which contained patients’ personal and health information.

The review of the affected files was completed on February 7, 2024, and confirmed some or all of the following information was compromised: name, date of birth, Social Security number, driver’s license number, medical information, and/or health insurance information. Notification letters were mailed to the affected individuals on April 5, 2024. Island Ambulatory Surgery Center said it takes privacy and security seriously and has implemented measures to prevent similar incidents in the future.

The post Kisco Senior Living & Island Ambulatory Surgery Center Disclose Summer 2023 Cyberattacks appeared first on HIPAA Journal.

Knowles Smith & Associates, which does business as Village Family Dental and operates 7 dentistry offices in North Carolina, recently notified 240,214 current and former patients that some of their protected health information was exposed in a November 2023 cyberattack.

Village Family Dental said anomalous activity was detected within its network on November 17, 2023. The affected systems were immediately taken offline and third-party cybersecurity experts were engaged to investigate the activity. The forensic investigation confirmed that there had been unauthorized access to its network, and on February 8, 2024, it was confirmed that files containing patient data were potentially viewed or acquired.

Dental records and other health information were not exposed, with the compromised data limited to names, patient ID numbers, provider names, addresses, dates of birth, chart numbers, telephone numbers, and email addresses. Village Family Dental said no evidence has been found to indicate any attempted or actual misuse of patient data. Notification letters were mailed to the affected individuals on April 8, 2024.

Village Family Dental said it has been working with third-party cybersecurity experts to evaluate and enhance its security practices to prevent similar incidents in the future and confirmed that “significant steps” have been taken to mitigate the risk to persons impacted by the cyberattack.

Valley Mountain Regional Center

On April 19, 2024, Valley Mountain Regional Center in California announced a data security incident that was detected on August 1, 2023. Unusual activity was detected within its network and immediate action was taken to secure its systems. The forensic investigation confirmed that unauthorized individuals had access to its network and exfiltrated files containing patient information on or around July 29, 2023.

A third-party vendor was engaged to review the affected files, and on February 20, 2024, confirmed that personal and protected health information was involved. The types of data involved varied from individual to individual and may have included names, Social Security numbers, taxpayer identification numbers, dates of birth, driver’s license numbers, username and password, biometric data, medical treatment and/or diagnosis information, and/or health insurance information. Valley Mountain Regional Center said it is unaware of any misuse of patient data. The affected individuals have been offered complimentary identity protection services through Cyberscout.

The breach has been reported to the HHS’ Office for Civil Rights, but it is not yet displayed on OCR’s breach portal, so it is currently unclear how many individuals have been affected.

Blackstone Valley Community Health Center

Blackstone Valley Community Health Center in Pawtucket, RI, has announced a cyberattack that occurred on November 11, 2023, which disrupted its computer network. After securing its network, third-party cybersecurity experts were engaged to investigate the cause of the disruption and determined that an unauthorized third party had access to its network.

The review of the exposed files was concluded on March 11, 2024, and confirmed that they contained patient data including names, Social Security numbers, and medical information. Notification letters were mailed to the affected individuals on April 18, 2024. The affected individuals have been offered single bureau monitoring, credit reporting, and credit score services at no charge, and network security has been enhanced to prevent similar breaches in the future. The breach was recently reported to the Maine Attorney General as affecting up to 34,416 individuals.

The post Cyberattacks Reported by Healthcare Providers in North Carolina, Rhode Island, & California appeared first on HIPAA Journal.

Cyberattacks have been reported by the University of Tennessee Health Science Center, SysInformation Healthcare Services (EqualizeRCM/1st Credentialing), and Jackson Medical Center. Moveable Feast has discovered the improper disposal of documents containing PHI.

University of Tennessee Health Science Center – Ransomware Attack

The University of Tennessee Health Science Center (UT-HSC) said a cyberattack on one of its vendors has resulted in the exposure and possible theft of the protected health information of 19,353 patients who received obstetrics and gynecology (OB/GYN) services at Regional One Health (ROH).

UT-HSC contracted with a company called KMJ Health Solutions which provided patient handoff software that is used to support OB/GYN patients and ensure they receive the appropriate care when they are transferred to another healthcare provider. UT-HSC was notified by KMJ on or around November 29, 2023, about a security incident discovered while investigating a server outage. KMJ erased and reformatted the server and hired a cybersecurity firm to investigate the incident but was unable to make a definitive determination about whether there had been unauthorized access. On January 18, 2024, KMJ’s hosting provider, Liquid Web, found evidence of a ransomware attack but could not determine whether the attackers downloaded a copy of the data stored in the eDocList.

The potentially affected individuals had received OB/GYN services at ROH between November 2014 and November 2023. The information potentially compromised included first and last name, medical record number, age, date of admission, allergies, service, resident assigned, parity, diagnoses, prenatal provider, laboratory results, medications, fetal or delivery details, contraception, type of infant feeding, and information regarding follow up care.

KMJ has implemented new technical safeguards including vulnerability scans, penetration testing, and configuration reviews. Due to the nature of the exposed data, UT-HSC does not believe there is any significant risk of identity theft or harm to credit; however, the affected individuals have been advised to be on the lookout for any letters, emails, or phone calls, and other communications from unknown individuals wanting to discuss any of the services received from ROH.

SysInformation Healthcare Services (EqualizeRCM/1st Credentialing) – Cyberattack

SysInformation Healthcare Services (SysInformation), an Austin, TX-based provider of revenue cycle support to medical billing companies and hospitals that does business as EqualizeRCM and 1st Credentialing, has experienced a cyberattack that caused a network outage. SysInformation said suspicious activity was detected within its network in June 2023. IT systems were secured, and third-party forensics experts were engaged to investigate the incident. The investigation revealed unauthorized access to its network between June 3, 2023, and June 18, 2023, and certain files had been exfiltrated.

SysInformation said an extensive review was conducted to determine the types of information involved and the individuals affected and notification letters were mailed to the affected individuals on April 17, 2024. The types of data involved varied from individual to individual and may have included one or more of the following: name, government identification number, date of birth, Driver’s license number, employer identification number, electronic signature, financial account information, health insurance information, medical history/treatment information, login information, mother’s maiden name, government-issued identification number, passport information, Social Security number, and/or tax identification number.

Complimentary credit monitoring services have been offered to the affected individuals, security policies and procedures have been reviewed, and additional safeguards have been implemented to prevent similar incidents in the future. The breach has been reported to regulators; however, it is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Jackson Medical Center – Cyberattack

Jackson Medical Center in Alabama has notified 509 patients about the exposure of some of their protected health information in a cyberattack that disrupted some of its IT systems. The attack was detected on February 22, 2024, and third-party forensics experts were engaged to investigate the incident and confirmed that an unauthorized third party had access to its network between February 17, 2024, and February 22, 2024. During that time, files were accessed or removed from its network.

A review of the affected files confirmed on March 8, 2024, that they contained patients’ protected health information including names and one or more of the following: contact information, dates of birth, driver’s license or state identification numbers, diagnoses, treatment information, and/or health insurance information. Notification letters have been mailed to the affected individuals and complimentary identity monitoring services have been offered to patients whose Social Security numbers, driver’s license numbers, or state identification numbers were potentially involved. Jackson Medical Center said additional safeguards and technical security measures have been implemented to further protect and monitor its systems.

Moveable Feast – Improper Disposal of Documents

Moveable Feast, a Baltimore, MD-based non-profit that provides care to individuals living with HIV/AIDS and other life-threatening illnesses, has discovered that documents containing sensitive data were disposed of incorrectly. Moveable Feast’s policies require sensitive documents to be placed in shredding bins, but some were inadvertently disposed of in regular recycling bins. The HIPAA violation was discovered when a recycling bin awaiting curb pickup was blown over, scattering its contents.

Staff collected most of the documents, but some pages could not be retrieved. The missing pages contained the information of 568 individuals such as their client number, name, gender, race, and age, and for a subset of Moveable Feast clients, the last 4 digits of their Social Security numbers. Notification letters have been sent to all affected individuals and 12 months of credit monitoring services have been made available at no cost. Staff members have also been retrained on handling sensitive information.

The post Cyberattacks Reported by UT Health Science Center; SysInformation Healthcare Services; Jackson Medical Center appeared first on HIPAA Journal.