Author Archives: Steve Alder

Continuum Health Alliance Data Breach Affects 377,000 Consensus Medical Group Patients

Marlton, NJ-based Continuum Health Alliance has recently confirmed that it has experienced a security incident that exposed the data of 377,119 patients of its client, Consensus Medical Group, a physician-owned medical group in Evesham, NJ. Continuum identified unauthorized activity within its network on October 19, 2023, and after taking steps to secure its systems, third-party cybersecurity specialists were engaged to identify the suspicious activity. The forensic investigation confirmed that an unauthorized third party had gained access to some of its systems between October 18 and October 19, and acquired certain files.

On February 16, 2024, Continuum announced on its website that it was investigating the incident while the investigation was ongoing. The file review was completed on March 8, 2024, when it was confirmed that the exposed data included patients’ names and Social Security numbers. Continuum then worked to verify the information and obtain up-to-date address information, and notification letters were mailed on April 29, 2024.

Continuum has implemented additional safeguards to prevent further security incidents and has provided additional training to its workforce. The affected individuals have been offered complimentary credit monitoring and identity theft protection services for 12 months.

Guardant Health Discovers Online Exposure of Patient Data

Guardant Health, a medical laboratory in Redwood City, CA, that performs cancer screening tests on samples provided by physicians and hospitals, has recently notified patients of some of its clients that their protected health information has been exposed online. Guardant Health did not state in its notification letters when it discovered the data exposure, only that an employee inadvertently uploaded a file containing patient data to an online platform in October 2020. Guardant Health immediately removed the file when the error was discovered, and on March 4, 2024, it was confirmed that unidentified third parties downloaded the file between September 8, 2023, and February 28, 2024.

The protected health information in the file varied from patient to patient and included some or all of the following: name, age, medical record and identification numbers, and medical information such as treatment information, dates of treatment, and test results. No financial information or Social Security numbers were present in the file. Guardant Health said it has enhanced its technical controls and has provided further employee training to prevent similar incidents in the future. The breach has been reported to regulators but is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

The post Continuum Health Alliance Data Breach Affects 377,000 Consensus Medical Group Patients appeared first on HIPAA Journal.

BioPlus Specialty Pharmacy Services Proposes Settlement to Resolve Data Breach Lawsuit

BioPlus Specialty Pharmacy Services has proposed a settlement to resolve a class action lawsuit that was filed in response to a 2021 data breach that exposed the data of up to 350,000 patients. Hackers gained access to the BioPlus network for more than 2 weeks between October and November 2021, and potentially stole names, dates of birth, contact information, health insurance information, prescription information, and Social Security numbers. The Florida specialty pharmacy chain notified the affected individuals within a month and offered them complimentary credit monitoring services.

A lawsuit was filed over the data breach alleging BioPlus should have prevented the breach and could have if reasonable cybersecurity measures had been implemented and industry-standard security best practices had been followed. BioPlus disagreed with the allegations; however, a settlement has been proposed to bring the legal action to an end. BioPlus has not admitted liability or any wrongdoing related to the cyberattack and data breach.

Under the terms of the proposed settlement, class members may submit claims of up to $7,550 and will be reimbursed for out-of-pocket expenses incurred as a result of the data breach. The maximum claim permitted depends on whether Social Security numbers were compromised. If they were, class members can claim a cash payment of $50 and can claim up to $7,500 for documented expenses incurred as a result of the data breach, including 3 hours of lost time at $25 per hour, and any unreimbursed losses to identity theft and fraud.

Class members whose Social Security numbers were not breached cannot claim a cash payment and claims will be limited to a maximum of $750, including 2 hours of lost time at $25 per hour. Any individual who wishes to object to or be excluded from the settlement must do so by June 18, 2024, and all claims must be submitted by the same date. The settlement has received preliminary approval from the court and the final settlement hearing is scheduled for August 22, 2024. The plaintiff and class were represented by attorneys at Morgan & Morgan and Markovits, Stock, & DeMarco LLC.

The post BioPlus Specialty Pharmacy Services Proposes Settlement to Resolve Data Breach Lawsuit appeared first on HIPAA Journal.

BakerHostetler Report Identifies Healthcare Data Breach and Litigation Trends

BakerHostetler has released the 10th edition of its Data Security Incident Response Report, which shares data from the incidents the law firm has helped to manage. The report provides insights into the current cyber threat landscape and litigation trends.

Data Breach Insights

Healthcare accounted for 28% of data breach incidents, followed by finance and insurance (17%), business and professional services (15%), and education (13%). The biggest known root cause of all incidents was the exploitation of unpatched vulnerabilities (23% of incidents) followed by phishing (20%). By far the most common cause of security incidents in 2023 was network intrusions, which accounted for 51% of security incidents the law firm helped to manage, followed by business email compromise incidents (26%), and inadvertent disclosures (26%).

Cybercriminals are getting better at covering their tracks, as the root cause of 36% of network intrusions could not be determined. The main known cause of these incidents was vulnerability exploitation (25% of attacks). Phishing was involved in 9% of network intrusions, 5% involved brute force or credential stuffing, 4% were due to misconfigurations, 3% were due to RDP compromise, and 3% due to social engineering. 72% of successful network intrusions involved the deployment of ransomware, 57% involved data exfiltration, and 46% saw malware installed.

The average ransom demand was $2,644,647 and the average ransom payment was $747,651 but these were considerably higher in healthcare with an average demand of $3,492,434 and an average ransom payment of $857,933. In healthcare, it took an average of 13.4 days to acceptable data restoration and an average of 158,362 notifications had to be sent. As has been seen in other data, the percentage of victims paying a ransom is falling. 27% of attacked companies paid a ransom in 2023, compared to 40% in 2022.

The was a significant increase in data breaches at vendors. In 2023, business associates were responsible for 60% of the breaches of 500 or more records that were reported to the HHS’ Office for Civil Rights (OCR), compared to 35% in 2022. There was also a major increase in the size of healthcare data breaches, jumping by almost 200% from 2022 to 2023, from 56.9 million individuals to 144.5 million in 2023. The median time from incident to discovery was 2 days, 0 days to containment, 33 days to complete the forensic investigation, and 60 days from discovery to notification. The average time from occurrence to detection was 42 days and from detection to notice was 75 days.

Phishing and social engineering attacks have been getting more sophisticated. New social engineering scams that have become common involve threat actors contacting IT helpdesks to request password resets and enroll new devices to accept MFA codes. Several business email compromise attacks occurred as a result of QR code phishing attacks (Quishing), and many phishing attacks occurred via SMS messages (smishing). While multifactor authentication was sufficient to keep threat actors out of email accounts, MFA is increasingly bypassed in attacks. 43% of incidents required notifications to be issued, with an average of 98,504 notifications required. Out of the 493 incidents that required notifications to be issued, 58% resulted in lawsuits being filed, up from 42 in 2022.

Class Action Lawsuits Over Tracking Technologies Soar

Class action lawsuits over website tracking technology breaches are increasingly being filed, especially against healthcare organizations following guidance from the HHS’ Office for Civil Rights warning that the technologies violated HIPAA. The Federal Trade Commission (FTC) is also cracking down on organizations that use the technology without informing consumers.

BakerHostetler is currently defending more than 300 privacy or data security lawsuits and over 100 of those lawsuits involve data breaches due to the use of tracking technologies. More than 200 lawsuits have now been filed against healthcare organizations as a result of the use of tracking technologies, 75% of which were filed in the past year. Many of these lawsuits are still in the early stages, with only one case so far granted class certification and one that has had class certification denied. The first trial in a healthcare website tracking technology lawsuit is due to take place this summer. Several lawsuits have been quickly settled, with each individual due to receive an average of between $4 and $5. Since those settlements have been announced there has been an increase in the initial demands for damages.

OCR Enforcement Insights

After three years of relatively high numbers of enforcement actions, 2023 saw a fall in OCR enforcement activity. In 2023 there was a notable reduction in enforcement actions over HIPAA Right of Access violations (4) than the average of 14 over the previous three years. While there was an increase in enforcement actions for other HIPAA violations – 10 in 2023 vs 5 in 2022 and 3 in 2021 – OCR only imposed 11 penalties in 2023 to resolve HIPAA violations, compared to an average of 19 in the three previous years. BakerHostetler suggests the drop off in enforcement actions may be due to OCR focusing on another enforcement priority. OCR has issued guidance on HIPAA compliance with respect to website tracking technologies, and BakerHostelter suggests that may now be an enforcement focus for OCR.

The post BakerHostetler Report Identifies Healthcare Data Breach and Litigation Trends appeared first on HIPAA Journal.

Healthcare Ransomware Attacks Involve 20% of Stored Sensitive Data

Ransomware groups target the healthcare sector because a successful attack gives them access to large amounts of sensitive data that can be easily monetized and used as leverage to get a ransom paid. Healthcare organizations are also heavily reliant on access to data to operate, therefore there is a higher probability that a ransom will be paid to regain access to encrypted data. Attacks on the sector are also increasing. According to Recorded Future, there were 358 ransomware attacks on healthcare organizations in 2023, a year-on-year increase of 46%.

A recent study by the cybersecurity firm Rubrik assessed the impact of ransomware attacks and found that attacks on healthcare providers impact more data than other industry sectors. Researchers at Rubrik Zero Labs determined that 20% of a healthcare organization’s sensitive data holdings are affected by a ransomware encryption event, compared to 6% in other industry sectors. That means 20% of healthcare data is encrypted, deleted, or stolen in an attack.

Healthcare organizations generally hold more sensitive data than other industry sectors. According to Rubrik’s analysis, healthcare organizations typically need to secure 50% more data than the global average, with healthcare organizations holding an average of 42 million sensitive data records compared to the global average of 28 million sensitive records.  The amount of data stored grows at a faster rate than other industries. In 2023, a typical healthcare organization saw its data estate grow by 27% compared to 23% for a typical global organization, and the number of sensitive data records in healthcare grew by 63% in the past year compared to the global average of 13%.

The data for Rubrik’s report – The State of Data Security: Measuring Your Data’s Risk – came from telemetry across the company’s customer base of 6,100 organizations and a study conducted by the Wakefield Research of more than 1,600 IT and security leaders. Across all industry sectors, 94% of IT security leaders said they had experienced a significant cyberattack in 2023, and an average of 30 attacks in the past year. One-third of IT security leaders said they had been affected by at least one ransomware attack, and 93% of organizations paid a ransom, with 58% of those paying to prevent the leaking of stolen data.

Dependence on the cloud is growing, with cloud architecture used to store 13 % of an organization’s data on average, compared to 9% the previous year. According to Rubrik’s telemetry, cloud storage has inherent risks as there are security blind spots. Rubrik reports that 70% of all cloud-stored data is in object storage, which typically has much lower security coverage than other areas. 88% of all data stored in object storage is not confirmed as machine-readable or is not covered by prominent security technologies and services, and more than 25% of object storage data is subject to regulatory or legal requirements, such as HIPAA.

“Despite the fallout of cyberattacks dominating headlines, data risk is an issue that continues to be murky — especially in terms of what security teams can actually change and what they cannot,” said Steven Stone, Head of Rubrik Zero Labs. “With this report, we aim to provide quantifiable insights that IT and security leaders can bring back to their organization to drive greater cyber resilience-in particular with their partners in the business and governance teams.”

The post Healthcare Ransomware Attacks Involve 20% of Stored Sensitive Data appeared first on HIPAA Journal.

Federal Judge Tosses CommonSpirit Health Data Breach Lawsuit Due to Lack of Standing

A federal court judge has recommended a class action lawsuit against CommonSpririt Health over its 2022 data breach should be dismissed due to the failure of the plaintiff to demonstrate that they had been harmed by the data breach.

CommonSpirit Health suffered a ransomware attack on October 2, 2022, that affected more than 100 CommonSpirit Health facilities across the United States. A threat actor gained access to its systems on September 16, 2022, and had access to those systems until October 3, 2022. The forensic investigation and document review confirmed that the protected health information of more than 623,000 patients had been exposed. The exposed data included full names, addresses, healthcare providers, medical record numbers, treatment/prescription information, dates of medical services, other health insurance information, and patient’s facility/account numbers.

Multiple class action lawsuits were filed against CommonSpririt Health over the cyberattack and data breach which made similar claims. The lawsuits alleged CommonSpirit Health was negligent due to the failure to implement reasonable and appropriate safeguards to ensure the privacy of the protected health information it held and delayed issuing breach notifications, which were not sent until April 5, 2023.

One of those lawsuits, Bonnie Maser v. CommonSpirit Health, alleged that the plaintiff suffered injuries as a result of the breach, including more than $3,000 in bank account fraud that led to the closure of her account. As a result of the fraud, the plaintiff could not afford to pay her rent, lost her housing, her credit score dropped 60 points, and she claimed to continue to suffer harm, including panic attacks caused by the stress of the data breach. Maser’s lawsuit alleged negligence, breach of implied contract, breach of the implied covenant of good faith and fair dealing, and unjust enrichment.

CommonSpirit Health argued that the plaintiff failed to allege a concrete or imminent harm to support Article III standing, failed to adequately allege the minimum amount in controversy under the Class Action Fairness Act, and failed to state a claim upon which relief could be granted. U.S. Magistrate Judge Suan Prose recommended that the lawsuit be dismissed due to a lack of Article III standing, as the plaintiff failed to demonstrate that the fraudulent charges were fairly traceable to the data breach.

This was the second such lawsuit against CommonSpirit Health to be tossed due to a lack of standing.  Two lawsuits against CommonSpirit Health that were filed in Illinois and were consolidated into a single lawsuit – Jose Antonio Koch individually and on behalf of his two minor children, and another by Leeroy Perkins – was also dismissed due to a lack of standing by District Court Judge Harry D. Leineweber.

The post Federal Judge Tosses CommonSpirit Health Data Breach Lawsuit Due to Lack of Standing appeared first on HIPAA Journal.

Verizon 2024 DBIR: 70% of Healthcare Data Breaches Caused by Insiders

On May 1, 2024, the 2024 Verizon Data Breach Investigations Report (DBIR) was released, which this year involved an analysis of a record number of security incidents (30,458), and more than double the number of confirmed data breaches as last year (10,626). The report includes 1,378 security incidents at healthcare organizations and 1,220 confirmed healthcare data breaches.

Credential theft was the most common method of breaching networks and was the initial access vector in 38% of all data breaches, followed by phishing (15%). Vulnerability exploitation was the third most common initial access vector and the root cause of 14% of breaches, but what is particularly concerning is the increase in exploit-related data breaches, which are up 180% year over year. Also concerning is the time it takes organizations to patch disclosed vulnerabilities. On average, it took 55 days for organizations to patch 50% of their critical vulnerabilities, which gives threat actors a significant window for exploiting vulnerabilities.

Top causes of non-erro, non-misuse data breaches. Source Verizon 2024 DBIR

Top causes of non-erro, non-misuse data breaches. Source Verizon 2024 DBIR

Ransomware groups were behind many of the attacks targeting unpatched vulnerabilities, with the Clop ransomware group’s mass exploitation of a zero day vulnerability in Progress Software’s MoveIT Transfer solution a significant factor in the large increase in exploit-related breaches. Clop also mass exploited a zero-day vulnerability in GoAnywhere MFT in January and a SysAid zero-day flaw in November.

While ransomware groups were a major threat in 2023 and were behind some of 2023’s largest data breaches, there was a slight decline in attacks year-over-year. Law enforcement actions against ransomware groups, non-payment of affiliates, and falling numbers of victims paying ransoms have resulted in some ransomware affiliates reconsidering their options; however, Verizon’s figures suggest that threat actors are simply switching to extortion-only attacks, where sensitive data is stolen without file encryption.

In response to the threat of ransomware attacks, organizations have improved their backup processes and disaster recovery plans, and an increasing number of victims do not need to pay to recover their files; however, the threat of the sale or publication of stolen data is often enough to get victims to pay. The attack on Change Healthcare shows that there is no guarantee that data will be deleted if the ransom is paid. In 2023, 23% of data breaches were due to ransomware attacks, and around one in three data breaches (32%) involved extortion, with two-thirds of financial-motivated attacks involving either ransomware or extortion. 15% of data breaches involved third parties such as software supply chains, hosting providers, and data custodians, up 68% year-over-year.

Over the past few years, Verizon has highlighted the extent to which the human element is involved in data breaches, such as accidental misconfigurations, falling for social engineering scams, and phishing attacks. In 2021, the human element was a factor in 85% of data breaches, falling to 82% in 2022. In the 2024 DBIR, Verizon changed how these incidents are recorded, eliminating actions by malicious insiders. Non-malicious human error was involved in 68% of data breaches, however, if malicious insiders were included in the figures, the percentage of incidents involving the human factor would have been at around the same level.

In healthcare, the biggest cause of data breaches was miscellaneous errors, followed by privilege misuse, and system intrusions, with those three causes behind 83% of data breaches. In contrast to other sectors, 70% of the threat actors behind data breaches were internal, reversing a trend of declining breaches by malicious insiders in recent years.

Patterns in healthcare data breaches. Source: 2024 Verizon DBIR

Patterns in healthcare data breaches. Source: 2024 Verizon DBIR

98% of all healthcare attacks are financially motivated and personal data was compromised in 75% of incidents. Verizon said threat actors are increasingly targeting personal information over medical data. Verizon points out that privilege misuse by malicious insiders was not even a top three breach cause in 2022 but rose to 2nd place in 2023. The most common error resulting in a data breach was misdelivery of paper records or misdirected emails, followed by loss of data, with the third most common being gaffes – disclosures of patient information when others were in earshot.

The post Verizon 2024 DBIR: 70% of Healthcare Data Breaches Caused by Insiders appeared first on HIPAA Journal.

Almost 500,000 Individuals Affected by Designed Receivable Solutions Data Breach

The Cypress, CA-based revenue cycle management company, Designed Receivable Solutions (DRS), has recently confirmed the details of a data breach that was reported to the HHS’ Office for Civil Rights on March 23, 2024, as involving the protected health information of 129,584 individuals, and the Maine Attorney General as affecting 498,686 individuals.

On January 22, 2024, DRS identified suspicious activity within its network. Third-party cybersecurity specialists were engaged to investigate the incident and determine the cause of the activity. The investigation confirmed that an unauthorized actor accessed its systems and viewed and exfiltrated files from its systems. On March 8, 2024, after a time-consuming and detailed review of the files, DRS confirmed that they contained the personal and protected health information of current and former patients of its healthcare clients.

Following that determination, DRS has been working with the affected clients to review and verify the affected information and obtain up-to-date contact information to allow notification letters to be issued.  DRS said the types of data involved varied from individual to individual and may have included names, addresses, dates of birth, health insurance information, dates of service, and Social Security numbers. DRS has reviewed its policies and procedures related to data privacy and is taking steps to reduce the risk of a similar incident in the future and has offered the affected individuals complimentary credit monitoring services.

As OCR recently confirmed in a website Q&A regarding breach notification letters, HIPAA-covered entities are ultimately responsible for ensuring notification letters are sent to the affected individuals when there is a data breach at a business associate, but the covered entity may delegate the responsibility of providing individual notices to the business associate.

DRS is issuing notification letters on behalf of the following covered entity clients:

  • Air Methods
  • AMG Healthcare Management Services
  • CAN Emergency Physicians
  • Cedars-Sinai Medical Center
  • CHA Hollywood Presbyterian Medical Center, L.P.
  • Core Orthopaedics Medical Center
  • GEM Physicians Group
  • Marshall Medical Center
  • OptumCare Management, LLC
  • Redlands Community Hospital
  • Ridgecrest Regional Hospital
  • South Coast ER Medical Group
  • Southland Medical Corporation
  • Springhill Emergency Physicians
  • Sycamore Physicians, LLC
  • USC Arcadia Hospital (formerly Methodist Hospital of Southern California)
  • Valkyrie Clinical Trials, Inc.

The post Almost 500,000 Individuals Affected by Designed Receivable Solutions Data Breach appeared first on HIPAA Journal.

Patient Data Stolen from Livanova in October 2023 Ransomware Attack

The medical device manufacturer Livanova, the Massachusetts community behavioral health center Aspire Health Alliance, and Santa Rosa Behavioral Healthcare Hospital in California have experienced ransomware attacks that exposed patient data.

Livanova, London, UK

Livanova, a UK-headquartered medical device manufacturer specializing in cardiac surgery and neuromodulation devices, has suffered a ransomware attack that disrupted portions of its IT systems. The ransomware attack was discovered on November 19, 2023, and the forensic investigation confirmed that hackers gained access to its network on October 26, 2023. The LockBit ransomware group claimed responsibility for the attack.

Livanova announced in a SEC filing in November that it was dealing with a cyberattack; however, it was initially unclear to what extent patient data was involved. On April 10, 2024, Livanova confirmed that the personal and protected health information of U.S. patients had been exfiltrated from its systems in the attack. In an April 25, 2024, announcement, Livanova said the investigation is ongoing however it has been determined that information such as names, contact information, dates of birth, Social Security numbers, health insurance information, and medical information such as diagnoses, conditions, treatment information, prescription information, medical record number, device serial numbers, and physician names were involved.

The affected individuals have been advised to monitor their credit reports and account statements and to be alert to unsolicited communications involving personal information. Livnova has arranged for complimentary identity protection and credit monitoring services to be provided to the affected U.S. patients. It is currently unclear how many individuals have been affected. In a February 2024 earnings call, the company confirmed that the company had incurred costs of around $2.6 million in Q4, 2023, as a result of the attack.

Aspire Health Alliance, Massachusetts

Aspire Health Alliance, a state-designated community behavioral health center with facilities in Quincy, Braintree, and Marshfield in Massachusetts, has notified 17,490 individuals about a cyberattack that was detected on September 13, 2023. Suspicious activity was identified within its computer network and a third-party forensic investigation confirmed that its systems had been accessed by an unauthorized third party that acquired certain files and data stored on its network.

A comprehensive review was conducted to determine the types of data involved, and that process was completed on February 26, 2024, when it was confirmed that personal and protected health information was involved. The types of data varied from individual to individual and may have included names, other personal identifiers, and Social Security numbers. While data was exposed or acquired, no reports have been received to indicate any patient data has been misused. Complimentary credit monitoring and identity protection services have been offered to individuals whose Social Security numbers were impacted, and additional security measures have been implemented to reduce the risk of a similar incident occurring in the future.

Santa Rosa Behavioral Healthcare Hospital, California

Santa Rosa Behavioral Healthcare Hospital, part of the Northern California Behavioral Health System (NCBHS), has fallen victim to a cyberattack that disrupted some of its IT systems. The attack was detected on January 28, 2024, and a third-party forensic investigation confirmed that an unauthorized third party accessed its network between January 27, 2024, and January 28, 2024. During that time, files containing patient data were accessed or acquired.

The file review confirmed that the following types of information had been exposed or stolen: names, dates of birth, medical record numbers, services received, dates of services, treating physician, and for some patients, Social Security numbers and/or driver’s license numbers. Affected patients have been advised to monitor the statements they receive from their healthcare providers and health insurers and report any services they haven’t received. Individuals whose Social Security or driver’s license numbers were involved have been offered complimentary identity theft protection services. The incident has been reported to regulators but is not yet shown on the Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

The post Patient Data Stolen from Livanova in October 2023 Ransomware Attack appeared first on HIPAA Journal.

Email Breach at Wisconsin Dental Surgery Center Affects 13,000 Patients

Bay Oral Surgery & Implant Center (Bay Oral), a network of oral & maxillofacial dental surgery centers serving the Green Bay, Marinette, and Niagara communities in Wisconsin, has recently reported a data breach to the HHS’ Office for Civil Rights (OCR) that involved the protected health information of 13,055 patients.

On February 27, 2024, Bay Oral identified suspicious activity in an employee’s email account. The password for the account was immediately changed to prevent further unauthorized access and a third-party cybersecurity firm was engaged to investigate the incident. The forensic investigation confirmed that an unauthorized individual had installed software and gained access to an employee’s email account on January 18, 2024.

The review of the emails and attachments confirmed that patients’ protected health information had been exposed. The types of information involved included names, addresses, email addresses, dates of birth, Social Security numbers, insurance card numbers, credit card numbers, banking account information, x-rays, patient health history forms, patient visit summaries, medical history questionnaires, and other types of patient health information that had been shared via email. The investigation could not determine if the unauthorized individual viewed or copied emails or attachments in the account.

In addition to immediately securing the email account, Bay Oral has taken several other steps to prevent similar incidents in the future. They include changing IT companies, implementing a 24/7 protection and monitoring solution, and implementing new policies and procedures to ensure that patients’ protected health information is not stored in email accounts.

Bay Oral said it is unaware of any reports of fraud or identity theft at the time of issuing notifications. The affected patients have been advised to be vigilant for incidents of fraud and identity theft by regularly reviewing their credit reports, credit statements, bank accounts, and other financial accounts for unauthorized activity.

The post Email Breach at Wisconsin Dental Surgery Center Affects 13,000 Patients appeared first on HIPAA Journal.