Author Archives: HIPAA Journal

Memorial Health System Confirms 216K Patients Affected by August 2021 Ransomware Attack

Ohio-based Memorial Health System has confirmed that the ransomware attack it experienced in August 2021 potentially involved the protected health information of 216,478 patients. The attack forced the health system to divert certain patients to other facilities and cancel some appointments to ensure patient safety. It was announced shortly after the breach, which occurred on August 14, 2021; the investigation revealed its network was first breached on July 10, 2021.

The incident was reported to the HHS’ Office for Civil Rights promptly, although at the time it was not known how many individuals had been affected. Memorial Health System discovered on or around September 17, 2021, that patient data may have been involved, and then conducted a comprehensive review of all affected files. The scope of the incident was determined on November 1, 2021, but it took until December 9, 2021, to confirm the individuals affected and the specific types of data involved, hence the delay in issuing notifications. Written notices were sent to affected individuals on or around January 12, 2022.

The information exposed and potentially exfiltrated included names, addresses, Social Security numbers, medical/treatment information, and health insurance information. Affected individuals have been offered a complimentary 12-month membership to Kroll’s credit monitoring service. Memorial Health System has since implemented additional safeguards to improve its security posture.

MedQuest Pharmacy Data Breach Affects 39,447 Individuals

In mid-December, MedQuest Pharmacy started notifying 39,447 patients that some of their protected health information had potentially been compromised in a cyberattack that was detected on November 18, 2021. Assisted by its parent companies – UpHealth Inc and Innovations Group – and independent cybersecurity experts, MedQuest determined the attackers first gained access to its systems on October 27, 2021, and that unauthorized access to its environment was blocked on October 30, 2021.

A comprehensive review of all affected systems revealed the following types of information had potentially been accessed and/or acquired in the attack: Names, birth dates, addresses, email addresses, telephone numbers, genders, medical record numbers, health information, prescription information, referring doctor names, date(s) of treatment, health insurance policy numbers (including Medicare or Medicaid number), and internal MedQuest patient identification number.

MedQuest said a very small number of individuals also had their Social Security Number, driver’s license number, financial account/payment card information, health insurance claim number, policy information, and/or claim/appeal information exposed. All affected individuals have been offered a complimentary 12-month membership to Equifax’s credit and identity monitoring services.

Oscar Health Plan of California Notifies Members About 3rd Party Mismailing Incident

Oscar Health Plan of California has started notifying 7,632 individuals about an error at a printing vendor that resulted in their statements being sent to another health plan member.

According to a recent press release, the error affected mailings between October 28, 2021, and November 16, 2021. The statements included a limited amount of plan member information including name, claim number, health plan ID number, provider information, date(s) of service, procedure/service name, and plan name/affiliation only. In each case, the statement was sent to only one other plan member.

Oscar Health Plan has worked with its printing vendor to implement additional safeguards to prevent further mailing errors and has received no reports of any misuse of plan members’ information.

The post Memorial Health System Confirms 216K Patients Affected by August 2021 Ransomware Attack appeared first on HIPAA Journal.

CISA Urges All U.S. Orgs to Take Immediate Action to Protect Against Wiper Malware Attacks

The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning to all organizations in the United States to take immediate steps to prepare for attempted cyberattacks involving a new wiper malware that has been used in targeted attacks on government agencies, non-profits, and information technology organizations in Ukraine.

The malware – dubbed Whispergate – masquerades as ransomware and generates a ransom note when executed; however, it lacks any capability to allow files to be recovered. Whispergate consists of a Master Boot Record (MBR) wiper, a file corruptor, and a Discord-based downloader. The MBR is the section of the hard drive that identifies how and where an operating system is located. Wiping the MBR will brick an infected device by making the hard drive inaccessible.

The Microsoft Threat Intelligence Center (MSTIC) has recently performed an analysis of the new malware. The first stage, typically called stage1.exe, overwrites the MBR and prevents the operating system from loading; the malicious MBR code runs when the infected device is powered down and displays the ransom note. The second stage, stage2.exe, is a file corruptor that runs in memory and corrupts files based on hardcoded file extensions to prevent them from being recovered.

The attacks have so far been conducted on targets in Ukraine, but there is a risk of much broader attacks. Wiper malware such as this has been used to attack organizations in Ukraine in the past and in much broader attacks worldwide. In 2017, the NotPetya wiper was used to attack organizations in Ukraine and was delivered in a supply chain attack via legitimate tax software. NotPetya attacks were also conducted globally causing major damage to IT systems and significant data loss. NotPetya is believed to have been used by a Russian hacking group known as Voodoo Bear/Sandworm.

The current theory of the Ukrainian government is the attacks are being conducted by an Advanced Persistent Threat (APT) group known to have strong links with Belarus. There is a legitimate concern that similar attacks may occur in the United States using Whispergate, especially on critical infrastructure organizations and companies with links to Ukraine.

CISA has issued an Insights bulletin providing information on steps that can be taken to protect against the malware threat and reduce the likelihood of a damaging cyber intrusion. The bulletin also includes guidance on how to quickly detect and respond to a potential intrusion, and how to maximize resilience to a destructive cyber threat.


Mass General Brigham Settles ‘Cookies Without Consent’ Lawsuit for $18.4 Million

An $18.4 million settlement has been approved that resolves a class action lawsuit against Mass General Brigham over the use of cookies, pixels, website analytics tools, and associated technologies on several websites without first obtaining the consent of website visitors.

The defendants in the case operate informational websites describing the healthcare services they provide and the programs they operate. Those websites can be accessed by the general public and do not require visitors to register or create accounts.

The lawsuit was filed against Partners Healthcare System, now Mass General Brigham, by two plaintiffs – John Doe and Jane Doe – who alleged the websites contained third party analytics tools, cookies, and pixels that caused their web browsers to divulge information about their use of the Internet, and that the information was transferred and sold to third parties without their consent.

While it is normal for websites to use third-party analytics tools like those on the defendants’ websites, the plaintiffs alleged they were not informed that their information would be collected and transferred and that they did not provide consent to have their data harvested.

The defendants denied any wrongdoing or liability and maintained the plaintiffs and class members suffered no damages or injuries as a result of visiting the websites. No protected health information was disclosed, there was no data breach, and the defendants denied all allegations in the class action lawsuit. The defendants maintained they were prepared to vigorously defend the lawsuit, but the decision was taken to settle the case to avoid the costs and uncertainty of a trial and any related appeals.

The settlement names 38 healthcare providers including Massachusetts General Hospital, Brigham and Women’s Hospital, Dana-Farber Cancer Institute, and Wentworth-Douglass Hospital, and covers visitors to the website between May 23, 2016, and July 31, 2021. The $18.4 million settlement will cover attorneys’ fees and other expenses, and class members are eligible to receive a payment of up to $100, based on the number of claims filed.


Healthcare Providers and Health Plans Report Phishing-Related PHI Breaches

Email accounts containing the protected health information (PHI) of thousands of patients have been compromised at Loyola University Medical Center, Advent Health Partners, Signature Healthcare Brockton Hospital, and Welfare, Pension and Annuity Funds of Local No. ONE, I.A.T.S.E.

Welfare, Pension, and Annuity Funds of Local No. ONE, I.A.T.S.E

Welfare, Pension, and Annuity Funds of Local No. ONE, I.A.T.S.E has recently notified 20,579 individuals about an email security incident that resulted in the exposure of sensitive data. On December 21, 2021, suspicious activity was detected in an employee email account. The account was immediately secured to prevent further unauthorized access and a forensic investigation was conducted to determine the nature and scope of the breach.

The investigation determined on October 25, 2021, that the email account had been accessed by an unauthorized individual between May 11, 2021, and August 2, 2021, as a result of the employee responding to a phishing email. A manual review of the emails and attachments confirmed they contained the following types of information:

Names, dates of birth, government identification numbers, Social Security numbers, financial account information, and medical information that potentially includes healthcare provider information, diagnostic and conditions information, treatment and medication information, medical identification number(s), and/or health insurance plan information. I.A.T.S.E Local ONE said it has found no evidence of misuse of any sensitive information.

Following the breach, I.A.T.S.E Local ONE worked with its IT managed services provider and has implemented further security measures to harden email security to prevent further data breaches.

Loyola University Medical Center

Loyola University Medical Center (LUMC) has notified 16,934 patients that some of their PHI has been exposed and potentially accessed by an unauthorized individual who gained access to an employee email account. LUMC detected suspicious activity in the email account on October 31, 2021. The account was immediately secured, and an investigation was launched to determine the nature and scope of the attack.

The investigation revealed the account was accessed between October 29, 2021, and October 31, 2021, but it was not possible to determine if any emails or attachments had been viewed or acquired. No evidence has been found of any actual or attempted misuse of patient information.

A review of the emails in the account confirmed they contained the following types of patient information: Full name, address, telephone, date of birth, email, and medical information such as medical record number, conditions, medications, test results, medical facility, type of service and some health plan information.

While there is believed to be a low risk of identity theft and fraud, affected individuals have been provided with a complimentary membership to a credit monitoring and dark web monitoring service for 12 months.

LUMC said it has made significant investments in cybersecurity and has a strong security program that includes a dedicated cybersecurity team, 24/7/365 monitoring, and testing of security controls.

Signature Healthcare Brockton Hospital

Massachusetts-based Signature Healthcare has recently announced a data breach that has affected 9,798 Brockton Hospital patients. Suspicious activity was detected in its email environment on November 4, 2021, with the investigation confirming the email accounts of several clinicians had been accessed by unauthorized individuals from October 16, 2021, to November 4, 2021.

A leading forensic security firm was engaged to investigate the breach and confirm its computer systems and network were secure. Signature Healthcare said the email accounts did not appear to have been accessed in order to obtain patient data and there has been no evidence of misuse of any protected health information; however, unauthorized PHI access could not be ruled out.

The compromised email accounts contained the following types of information: First and last names, sex, birthdates, dates of visits, test results, medical record numbers, diagnoses, and medical histories. Signature Healthcare is reviewing its technical controls and procedures and will take steps to improve security to prevent further breaches in the future.

Advent Health Partners

Advent Health Partners, a Nashville, TN-based provider of claims management services to hospital groups, discovered in early September 2021 that an unauthorized individual had gained access to certain employee email accounts. An investigation was launched to determine the extent and nature of the breach, and it was determined on December 8, 2021, that certain files in the compromised email accounts had potentially been accessed.

Advent Health Partners is provided with limited data sets for routine operational purposes related to communications with health insurance companies, and some of that information was stored in email attachments.

Notifications have now been sent to all affected individuals and free access to credit monitoring and identity theft protection services is being provided. Advent Health Partners said it has reviewed and updated its security policies and has implemented additional safeguards to improve email security.

The breach has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.


Entira Family Clinics and Caring Communities Send Notification Letters About Netgain’s 2020 Ransomware Attack

A Minnesota network of family medicine practices started notifying almost 200,000 patients that some of their personal and protected health information was potentially compromised in a cyberattack on a business associate more than a year ago.

Entira Family Clinics explained in the notification letters, which were sent to affected individuals on January 13, 2022, that the breach occurred at Netgain Technologies, which provides hosting and cloud IT solutions to companies in the healthcare and accounting sectors. Entira Family Clinics used Netgain’s services for hosting and email.

The healthcare provider said the information potentially compromised included names, addresses, Social Security numbers, and medical histories. In the notification letters, Entira said, “Upon discovery, we worked with our information technology (IT) support team and engaged a law firm specializing in cybersecurity and data privacy to investigate further. We have also stayed in close communication with Netgain and its breach counsel regarding Netgain’s incident response and forensic investigation.”

The investigation uncovered no evidence of actual or attempted misuse of any personal information. Entira Family Clinics said it is working to improve security and mitigate risk, and that process has involved a review and update of policies and procedures related to the security of its systems, servers, and life cycle management. A security audit was also conducted of the Netgain environment to ensure stricter security of the cloud hosting site.

Affected individuals have been offered a complimentary membership to online credit monitoring services through IDX. The breach report submitted to the Maine Attorney General indicates 199,628 individuals were affected.

The notification letters sent to affected individuals state, “We recently discovered that a data security incident on Netgain’s environment may have resulted in the unintentional exposure of your personal information,” and that “Netgain was recently the target of a cybersecurity incident.”

There was no mention of the date of the breach in the notification letters, so affected individuals would not be aware that the ransomware attack and data theft incident had occurred more than 12 months previously on November 4, 2020.

Netgain announced the data breach in December 2020, and most affected companies were notified by February 2021. Most of the affected Netgain clients sent notification letters in the spring and summer of 2021. It is unclear why there was such a long delay in Entira Family Clinics issuing notification letters, and whether this was due to late notification from Netgain.

Also this month, Caring Communities, an Illinois-based member-owned liability insurance company serving not-for-profit senior housing and care organizations, sent notification letters about the Netgain data breach. The notification letters were sent on January 14, 2022, and closely mirror those sent by Entira.

Caring Communities also said, “Upon discovery, we worked with our information technology (IT) support team and engaged a law firm specializing in cybersecurity and data privacy to investigate further. We have also stayed in close communication with Netgain and its breach counsel regarding Netgain’s incident response and forensic investigation.”

Caring Communities said it replaced Netgain as its hosting provider and migrated its environment to another service provider after being notified about the data breach and the same steps are being taken to improve security. Affected individuals have similarly been offered credit monitoring and identity theft protection services through IDX. It is currently unclear how many individuals have been affected. The notification letters also refer to the recent cyberattack on Netgain and do not mention when the attack occurred nor why there was such a long delay in issuing notification letters.


Jefferson Surgical Clinic Announces June 2021 Data Breach Impacting 174,769 Patients

Roanoke, VA-based Jefferson Surgical Clinic has started notifying patients that some of their protected health information has potentially been compromised in a cyberattack that was detected on June 5, 2021.

According to the breach notification letter provided to the Maine Attorney General, the attacker gained access to parts of the network that contained patient data such as names, birth dates, Social Security numbers, and health and treatment information. Jefferson Surgical Clinic promptly notified the Federal Bureau of Investigation about the breach and engaged third-party cybersecurity and forensics specialists to assist with the investigation.

The investigation uncovered no evidence to suggest any patient data has been or will be misused as a result of the security breach; however, as a precaution against identity theft and fraud, Jefferson Surgical Clinic has offered affected individuals 12 months of complimentary credit monitoring and identity theft protection services.

The Maine Attorney General was notified that the parts of the network accessed by the attacker contained the protected health information of 174,769 patients and that names or other personal identifiers were obtained in combination with Social Security numbers. No reason was provided as to why it took 7 months to issue notifications to patients and regulators.

Ransomware Attack on Non-Profit Affects 10,438 Individuals

A New Leaf, Inc., a Broken Arrow, OK, non-profit provider of services to individuals with developmental disabilities, has started notifying 10,438 individuals that some of their protected health information was potentially compromised in a March 2021 ransomware attack.

The attack was detected on March 30, 2021, when files on its network were encrypted. Assisted by a leading cybersecurity firm, A New Leaf discovered that prior to file encryption, certain files were exfiltrated from its network.

Initially, due to the nature of the incident and the systems that had been affected, it was not believed that any protected health information had been compromised, but the investigation revealed on June 23, 2021, that some of the documents obtained by the attackers did include personal and protected health information. A manual review had to be conducted to determine what information had been obtained and where the affected people resided. That review was completed on October 11, 2021, and notification letters were sent to affected individuals on December 30, 2021.

A New Leaf has offered affected individuals a 2-year membership to Experian IdentityWorks Credit 3B’s identity theft protection and credit monitoring services.


HHS Releases Final Trusted Exchange Framework and Common Agreement

The Department of Health and Human Services’ Office of the National Coordinator for Health IT has released the final version of its Trusted Exchange Framework and the Common Agreement (TEFCA) – a governance framework for nationwide health information exchange. Two previous versions of TEFCA have been released, the first in 2018 and the second in 2019, with the final version taking into consideration feedback provided by healthcare industry stakeholders. TEFCA was a requirement of the 21st Century Cures Act and has been 5 years in the making. The announcement this week sees the HHS finally move into the implementation phase of TEFCA.

The Trusted Exchange Framework is a set of non-binding foundational principles for health information exchange and outlines propositions for standardization, cooperation, privacy, security, access, equity, openness and transparency, and public health. The second component is the common agreement, which is a legal contract that a Qualified Health Information Network (QHIN) enters into with the ONC’s Recognized Coordinating Entity (RCE). The RCE, the Sequoia Project, is a body charged with developing, updating, and maintaining the Common Agreement and overseeing QHINs.

The framework promotes secure health information exchange across the United States and is intended to improve the interoperability of health information technology, including the electronic health record systems used by hospitals, health centers, and ambulatory practices, and health information exchange with federal government agencies, health information networks, public health agencies, and payers.

“The Common Agreement establishes the technical infrastructure model and governing approach for different health information networks and their users to securely share clinical information with each other – all under commonly agreed-to rules-of-the-road,” explained ONC in a press release. The Common Agreement supports multiple exchange purposes that are required to improve healthcare and should benefit a wide variety of healthcare entities. The Common Agreement operationalizes electronic health information exchange and provides easier ways for individuals and organizations to securely connect. TEFCA will also provide benefits to patients, such as allowing them to obtain access to their healthcare data through third parties that offer individual access services.

ONC’s RCE will sign a legal contract with each QHIN and entities will be able to apply to be designated as QHINs shortly. When designated as a QHIN they will be able to connect with each other and their participants will be able to participate in health information exchange across the country. ONC has released a QHIN Technical Framework which details the functional and technical requirements that QHINs will need to bring the new connectivity online. The HHS has also announced that the TEFCA Health Level Seven (HL7) Fast Healthcare Interoperability Resource (FHIR) Roadmap (TEFCA FHIR Roadmap) is now available, which explains how TEFCA will accelerate the adoption of FHIR-based exchange across the industry.

“Operationalizing TEFCA within the Biden Administration’s first year was a top priority for ONC and is critical to realizing the 21st Century Cures Act’s goal of a secure, nationwide health information exchange infrastructure,” said Micky Tripathi, Ph.D., national coordinator for health information technology. “Simplified nationwide connectivity for providers, health plans, individuals, and public health is finally within reach. We are excited to help the industry reap the benefits of TEFCA as soon as they are able.”

ONC said its RCE will host a series of public engagement webinars to provide further information on the Trusted Exchange Framework and the Common Agreement, explaining how they work to help prospective QHINs determine whether to sign the Common Agreement.


December 2021 Healthcare Data Breach Report

56 data breaches of 500 or more healthcare records were reported to the HHS’ Office for Civil Rights (OCR) in December 2021, a 17.64% decrease from the previous month. In 2021, an average of 59 data breaches were reported each month, and 712 healthcare data breaches were reported between January 1 and December 31, 2021. That sets a new record for healthcare data breaches, exceeding last year’s total by 70 – a 10.9% increase from 2020.

2021 healthcare data breaches

Across December’s 56 data breaches, 2,951,901 records were exposed or impermissibly disclosed – a 24.52% increase from the previous month. At the time of posting, the OCR breach portal shows 45,706,882 healthcare records were breached in 2021 – the second-highest total since OCR started publishing summaries of healthcare data breaches in 2009.

2021 healthcare data breaches - records breached

Largest Healthcare Data Breaches in December 2021

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Breach Cause
Oregon Anesthesiology Group, P.C. | OR | Healthcare Provider | 750,500 | Ransomware
Texas ENT Specialists | TX | Healthcare Provider | 535,489 | Ransomware
Monongalia Health System, Inc. | WV | Healthcare Provider | 398,164 | Business Email Compromise/Phishing
BioPlus Specialty Pharmacy Services, LLC | FL | Healthcare Provider | 350,000 | Hacked network server
Florida Digestive Health Specialists, LLP | FL | Healthcare Provider | 212,509 | Business Email Compromise/Phishing
Daniel J. Edelman Holdings, Inc. | IL | Health Plan | 184,500 | Business associate hacking/IT incident
Southern Orthopaedic Associates d/b/a Orthopaedic Institute of Western Kentucky | KY | Healthcare Provider | 106,910 | Compromised email account
Fertility Centers of Illinois, PLLC | IL | Healthcare Provider | 79,943 | Hacked network server
Bansley and Kiener, LLP | IL | Business Associate | 50,119 | Ransomware
Oregon Eye Specialists | OR | Healthcare Provider | 42,612 | Compromised email accounts
MedQuest Pharmacy, Inc. | UT | Healthcare Provider | 39,447 | Hacked network server
Welfare, Pension and Annuity Funds of Local No. ONE, I.A.T.S.E. | NY | Health Plan | 20,579 | Phishing
Loyola University Medical Center | IL | Healthcare Provider | 16,934 | Compromised email account
Bansley and Kiener, LLP | IL | Business Associate | 15,814 | Ransomware
HOYA Optical Labs of America, Inc. | TX | Business Associate | 14,099 | Hacked network server
Wind River Family and Community Health Care | WY | Healthcare Provider | 12,938 | Compromised email account
Ciox Health | GA | Business Associate | 12,493 | Compromised email account
A New Leaf, Inc. | AZ | Healthcare Provider | 10,438 | Ransomware

Causes of December 2021 Healthcare Data Breaches

18 data breaches of 10,000 or more records were reported in December, with the largest two breaches – two ransomware attacks – resulting in the exposure and potential theft of a total of 1,285,989 records. Ransomware continues to pose a major threat to healthcare organizations. There have been several successful law enforcement takedowns of ransomware gangs in recent months, the most recent of which saw authorities in Russia arrest 14 members of the notorious REvil ransomware operation, but there are still several ransomware gangs targeting the healthcare sector including Mespinoza, which the HHS’ Health Sector Cybersecurity Coordination Center (HC3) issued a warning about this month due to the high risk of attacks.

Phishing attacks continue to result in the exposure of large amounts of healthcare data. In December, email accounts were breached that contained the ePHI of 807,984 individuals. The phishing attack on Monongalia Health System gave unauthorized individuals access to email accounts containing 398,164 records.

8 of the largest breaches of the month involved compromised email accounts, two of which were business email compromise attacks where accounts were accessed through a phishing campaign and then used to send requests for changes to bank account information for upcoming payments.

Causes of December 2021 healthcare data breaches

Throughout 2021, hacking and other IT incidents have dominated the breach reports and December was no different. 82.14% of the breaches reported in December were hacking/IT incidents, and those breaches accounted for 91.84% of the records breached in December – 2,711,080 records. The average breach size was 58,937 records and the median breach size was 4,563 records. The largest hacking incident resulted in the exposure of the protected health information of 750,050 individuals.

The number of unauthorized access and disclosure incidents has been much lower in 2021 than in previous years. In December there were only 5 reported unauthorized access/disclosure incidents involving 234,476 records. The average breach size was 46,895 records and the median breach size was 4,109 records.

There were two reported cases of the loss of paper/films containing the PHI of 3,081 individuals and two cases of theft of paper/films containing the PHI of 2,129 individuals. There was also one breach involving the improper disposal of a portable electronic device containing the ePHI of 934 patients.

As the chart below shows, the most common location of breached PHI was network servers, followed by email accounts.

Location of breached PHI in December 2021 healthcare data breaches

HIPAA Regulated Entities Reporting Data Breaches in December 2021

Healthcare providers suffered the most data breaches in December, with 36 breaches reported. There were 11 breaches reported by health plans, and 9 breaches reported by business associates. Six breaches were reported by healthcare providers (3) and health plans (3) that occurred at business associates. The adjusted figures are shown in the pie chart below.

December 2021 healthcare data breaches by HIPAA-regulated entity type

December 2021 Healthcare Data Breaches by U.S. State

Illinois was the worst affected state with 11 data breaches, four of which were reported by the accountancy firm Bansley and Kiener and related to the same incident – a ransomware attack that occurred in December 2020. The firm is now facing a lawsuit over the incident and the late notification of affected individuals, which came 12 months after the attack was discovered.

State Number of Breaches
Illinois 11
Indiana 5
Florida, Oklahoma, and Texas 4
Arizona 3
California, Georgia, Kansas, Michigan, New York, Oregon, Utah, and Virginia 2
Alabama, Colorado, Kentucky, Maryland, North Carolina, Rhode Island, Wisconsin, West Virginia, and Wyoming 1

HIPAA Enforcement Activity in December 2021

There were no further HIPAA penalties imposed by the HHS’ Office for Civil Rights in December. The year closed with a total of 14 financial penalties paid to OCR to resolve violations of the HIPAA Rules. Thirteen of the cases were settled with OCR, and one civil monetary penalty was imposed. Twelve of the OCR enforcement actions were for violations of the HIPAA Right of Access.

The New Jersey Attorney General imposed a $425,000 financial penalty on Regional Cancer Care Associates, which covered three separate Hackensack healthcare providers – Regional Cancer Care Associates LLC, RCCA MSO LLC, and RCCA MD LLC – that operate healthcare facilities in 30 locations in Connecticut, New Jersey, and Maryland.

The New Jersey Attorney General and the New Jersey Division of Consumer Affairs investigated a breach of the email accounts of several employees between April and June 2019 involving the protected health information of 105,000 individuals and a subsequent breach when the breach notification letters were sent to affected individuals’ next of kin in error.

The companies were alleged to have violated HIPAA and the Consumer Fraud Act by failing to ensure the confidentiality, integrity, and availability of patient data; failing to protect against reasonably anticipated threats to the security or integrity of that data; failing to implement security measures that reduce risks and vulnerabilities to an acceptable level; failing to conduct an accurate and comprehensive risk assessment; and failing to provide a security awareness and training program for all members of their workforce. The case was settled with no admission of liability. There were four HIPAA enforcement actions by state attorneys general in 2021, and New Jersey was involved in three of them.

The post December 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.

Accellion Proposes $8.1 Million Settlement to Resolve Class Action FTA Data Breach Lawsuit

The Palo Alto, CA-based technology firm Accellion has proposed an $8.1 million settlement to resolve a class action data breach lawsuit filed on behalf of victims of the December 2020 cyberattack on the Accellion File Transfer Appliance (FTA).

The Accellion FTA is a legacy solution that is used for securely transferring files that are too large to be sent via email. The Accellion FTA had been in use for more than 20 years and was at end-of-life, with support due to end on April 30, 2021. Accellion had developed a new platform, Kiteworks, and customers were encouraged to upgrade from the legacy solution; however, a significant number of entities were still using the FTA solution at the time of the cyberattack.

In December 2020, two previously unknown Advanced Persistent Threat (APT) groups, linked to FIN11 and the CLOP ransomware gang, exploited unaddressed vulnerabilities in the Accellion FTA, gained access to the files of its clients, and exfiltrated a significant amount of data. Following the breach, four vulnerabilities associated with the attack were disclosed and assigned CVEs.

Accellion clients affected by the breach included banks, law firms, universities, and healthcare organizations. Many of the files belonging to healthcare organizations contained sensitive patient and health plan member data. Healthcare organizations affected by the breach include Health Net Community Solutions, Health Net of California, California Health & Wellness, Trinity Health, The University of California, Stanford University School of Medicine, University of Miami Health, Kroger, Trillium, Community Health Plan, Arizona Complete Health, CalViva Health, and Health Employees’ Pension Plan.

Following the attack, several lawsuits were filed against Accellion and its clients over the data breach. The class action lawsuit against Accellion alleged the company had failed to implement and maintain appropriate data security practices to protect the sensitive data of its clients, failed to detect security vulnerabilities in the Accellion FTA, failed to disclose its security practices were inadequate and failed to prevent the data breach. As a result of the attack, highly sensitive information was stolen, including names, contact information, dates of birth, Social Security numbers, driver’s license numbers, and healthcare data.

Accellion denied all of the allegations in the lawsuit and accepted no liability for the data breach. In the settlement agreement, the company stated that it is not responsible for managing, updating, or maintaining customers’ instances of the FTA software, that it does not collect any customer data or access the content of files shared or stored via the FTA solution, and that it gave customers no guarantees that the FTA software was secure.

It is unclear how many individuals will be covered by the settlement, but the number is certainly in excess of 9.2 million individuals. Accellion will attempt to obtain up-to-date contact information for those individuals in order to send notices of the proposed settlement. The proposed settlement includes a cash fund of $8.1 million to cover claims, notices, administration costs, and service awards to affected users of the Accellion FTA. $4.6 million of the fund will be made available within 10 days, with the remainder made available within 10 days of the settlement being approved.

Affected individuals will be entitled to sign up for 24 months of three-bureau credit monitoring and insurance services, or receive reimbursement for documented losses up to a maximum of $10,000, or receive a cash payment, which is expected to be in the region of $15 to $50. Accellion will also fully retire the Accellion FTA and take steps to ensure the security of its replacement Kiteworks solution. Those measures include expanding its bug bounty program, maintaining FedRAMP certification, employing individuals with responsibility for cybersecurity, providing cybersecurity training to its workforce, and undergoing regular assessments to confirm continued compliance with the cybersecurity measures outlined in the settlement.

The proposed settlement will resolve all claims against Accellion only. There are still lawsuits and settlements outstanding against clients affected by the breach. The supermarket chain Kroger has proposed a $5 million settlement to resolve lawsuits filed on behalf of the 3.8 million employees and customers affected by the breach.