Author Archives: Steve Alder

LivaNova Facing Multiple Class Action Lawsuits Over October 2023 Cyberattack

The Houston, TX-based medical device company, LivaNova, is facing multiple class action lawsuits over an October 2023 cyberattack that exposed the protected health information of 180,000 patients.

The attack was detected on November 19, 2023, and the investigation confirmed that unauthorized individuals first accessed its network on October 26, 2023. The data compromised in the incident included names, addresses, phone numbers, Social Security numbers, birth dates, diagnoses, treatment information, prescriptions, physician names, medical record numbers, device serial numbers, and health insurance information. Notifications were issued in May 2024, and complimentary credit monitoring services were offered to the affected individuals.

At least two lawsuits have now been filed by patients whose information was exposed in the incident. One of those lawsuits was filed in the U.S. District Court for the Southern District of Texas, Houston Division, on behalf of J.W., by and through her guardian, Angela Johnson. The lawsuit alleges LivaNova maintained sensitive information in a reckless manner and despite its legal obligations and promises to secure the data it held, failed to implement reasonable and appropriate cybersecurity measures. The lawsuit alleges the cyberattack and data breach were foreseeable and preventable, and occurred as a result of inadequate cybersecurity measures.

The lawsuit also accuses the defendant of failing to issue prompt and accurate breach notifications to the affected individuals. The notification letters were sent 6 months after the security breach was detected and 7 months after it occurred. The lawsuit alleges the plaintiff and class members face an ongoing risk of fraud, identity theft, and other misuses of their sensitive information as a result of the data breach.

The lawsuit alleges negligence, negligence per se, breach of implied contract, breach of fiduciary duty, unjust enrichment, and a violation of the Illinois Consumer Fraud Act. It seeks damages, injunctive relief, an award of attorneys’ fees, court costs, and litigation costs, and equitable relief, including a court order compelling LivaNova to implement a long list of security measures to prevent similar breaches in the future. The plaintiff and class are represented by Joe Kendall of Kendall Law Group PLLC and Mariya Weekes of Milberg Coleman Bryson Phillips Grossman PLLC.

Another lawsuit was filed by plaintiff Arthur Podroykin in the U.S. District Court for the Southern District of Texas that alleges LivaNova breached its duties under common law, contract, the Federal Trade Commission Act, and the Health Insurance Portability and Accountability Act.

The post LivaNova Facing Multiple Class Action Lawsuits Over October 2023 Cyberattack appeared first on The HIPAA Journal.

SouthCoast Health; Call 4 Health Notify Patients About Cyberattacks

SouthCoast Health and Privia Medical Group in Georgia have notified patients about a cyberattack and data breach that occurred in June 2023. Unauthorized activity was identified in SouthCoast Health’s network on June 18, 2023. With the assistance of forensic specialists, it was determined that the network had been accessed by an unauthorized third party between June 15 and June 18, 2023, and that files on the network were viewed or copied during that time.

SouthCoast Health confirmed that the intrusion was limited to its own network, with Privia Medical Group’s network unaffected; however, some Privia Medical Group patients did have their information exposed. The substitute breach notice provided to the South Carolina Attorney General does not list the types of data compromised in the attack, but that information is detailed in the individual notifications.

A substitute notice was posted on its website last year warning patients that they may have been affected, but at the time it was unclear how many patients had been affected or the types of data involved. The review of the affected files was not completed until June 13, 2024. SouthCoast Health said it had strict security measures in place to prevent unauthorized access to its network, but those measures were circumvented. Additional security measures have now been implemented to prevent similar incidents in the future. Complimentary credit monitoring and identity theft protection services have been offered to the affected individuals. The HHS Office for Civil Rights breach portal still shows the interim figure of 501 affected individuals.

Call 4 Health Issues Notifications About March 2024 Cyberattack

Call 4 Health, Inc., a Delray Beach, FL-based medical call center operator and nurse triage service provider, has recently issued individual notifications to individuals affected by a data security incident that occurred on March 20, 2024. Unauthorized network access was detected on May 6, 2024, and immediate action was taken to prevent further unauthorized access.

Third-party cybersecurity experts were engaged to assist with the investigation and confirmed that its network had been hacked, and its systems were accessible for around 6 weeks. In addition to investigating the breach, assistance was provided in securing its digital environment and hardening network security. Call 4 Health also said it will be enhancing its cyber preparedness through additional awareness training and updating its procedures.

In its notice to the Maine Attorney General, Call 4 Health confirmed that the breached data included information related to employment and human resources, with the July 8, 2024 breach report stating that 3,210 individuals had been affected, including 1 Maine resident. The incident was reported to the Department of Health and Human Services on March 17, 2024, indicating the protected health information of 10,434 individuals had been exposed. Complimentary credit monitoring and identity restoration services are being offered to some of the affected individuals.

Clear Spring Health Notifies Patients About Change Healthcare Data Breach

Clear Spring Health, a Miramar, FL-based provider of PPO, HMO, and PDP advantage plans, has notified Medicare beneficiaries that their data may have been compromised in the February 2024 ransomware attack on Change Healthcare. In a website notice, Clear Spring Health explained that Change Healthcare confirmed on or around March 7, 2024, that the attackers had exfiltrated a substantial amount of data in the attack, which had potentially affected one in three Americans.

Change Healthcare is still conducting the document review to determine exactly which individuals have had their data exposed or stolen, and notification letters are expected to be mailed on behalf of its clients by the end of the month. Clear Spring Health said the types of data that may have been exposed include contact information, health insurance information, health information, billing information, and personal information, including Social Security numbers, driver’s license numbers, state ID numbers, and passport numbers. Clear Spring Health has advised the affected Medicare beneficiaries to take advantage of the two years of free credit monitoring services that Change Healthcare is offering.

RansomHub Claims to Have Stolen and Leaked 100 GB of Florida Department of Health Data

The Florida Department of Health has confirmed to FOX 35 in Orlando that it is investigating a cyberattack. The attack has affected its Vital Statistics System, which is used to process birth and death certificates. The disruption to the system has been causing problems for funeral homes across the state for the past two weeks. Some funeral homes have postponed their services or have been forced to physically visit healthcare providers to get signed copies of death certificates.

The Department of Health has released few details about the attack but this appears to have been a ransomware attack involving the exfiltration of a large volume of data. The RansomHub group claimed responsibility for the attack and said it had stolen around 100 gigabytes of data from the Department and started to leak the stolen data when the ransom was not paid by its deadline of July 1, 2024. The Department of Health has not commented on the validity of the group’s claims nor the extent of any data breach.

The failure to pay the ransom should not have come as a surprise, as Florida amended its State Cybersecurity Act to prohibit state agencies, counties, and municipalities that experience a ransomware attack from paying or otherwise complying with a ransom demand. The ban on ransom payments took effect on July 1, 2022.

There are no reasons to believe that the hacking group’s data theft claims are not genuine. RansomHub has conducted many attacks in the United States, including attacks on healthcare organizations and government departments. The group was also indirectly involved in the February ransomware attack on Change Healthcare, having obtained the data stolen in the attack from a BlackCat ransomware group affiliate after BlackCat performed an exit scam, pocketed the $22 million ransom, and refused to pay the affiliate.


Patient Data Compromised in Palomar Health Medical Group Cyberattack

Palomar Health Medical Group has warned patients that they may have been affected by an April 2024 cyberattack, and DaVita has learned that tracking tools on its website and mobile app may have sent user data to third-party vendors.

Palomar Health Medical Group Announces April 2024 Cyberattack

Palomar Health Medical Group, a provider of primary and specialty care to communities in North San Diego County, has informed patients about a recent cyberattack that exposed some of their protected health information. A security breach was detected on or around May 5, 2024, and immediate action was taken to prevent further unauthorized access to its systems. An investigation was launched to determine the nature and scope of the incident, which confirmed that hackers had access to its network from April 23, 2024, to May 5, 2024.

Palomar Health Medical Group said the attack “may have caused certain files to become unrecoverable,” which suggests that ransomware was used. Palomar Health Medical Group has confirmed that certain files were exfiltrated from its network; the review of those files is ongoing, as is the process of restoring the affected files. A full recovery of the affected systems was expected by July 1, 2024; however, the recovery process is taking longer than anticipated.

It is still not possible to tell exactly how many patients have been affected or the specific types of data that have been exposed or obtained in the attack; however, Palomar Health Medical Group has identified the categories of data involved. The compromised data varies from individual to individual and, based on the initial findings of the investigation, will include patient names in combination with one or more of the following: address, date of birth, Social Security number, medical history information, disability information, diagnostic information, treatment information, prescription information, physician information, medical record number, health insurance information, subscriber number, health insurance group/plan number, credit/debit card number, security code/PIN number, expiration date, email address and password, and username and password.

The breach has affected current and former patients of Palomar Health Medical Group and its affiliates Graybill Medical Group and Pacific Accountable Care. Individual notification letters will be mailed to the affected individuals when the file review is completed.

DaVita Notifies Patients About Tracking Technology Privacy Incident

DaVita Inc., a Denver, CO-based provider of kidney dialysis services, notified 67,443 patients on July 2, 2024, about a pixel-related data breach. Pixels are online tracking technologies used on websites and mobile applications to record visitor activity. DaVita explained that it learned on June 17, 2024, that tracking tools had been installed on its website health portal and Care Connect mobile application, and that those tools may have transmitted data to third-party vendors.

The types of information disclosed varied from individual to individual based on their interactions on the website and use of the mobile application. That information may have included usernames and third-party identifiers/cookies, employment status, patient classification/reference, information about the use of the app or pages visited on the website, and information indicating whether the user was signed into a DaVita account, but not the account password. For certain users, limited demographic information may also have been disclosed and, potentially, lab test names or lab test resources viewed on the website but no lab test results. The above types of information could be tied to an individual via their IP address and third-party identifiers, such as if a user was logged into their Google or Facebook account at the time. First and last names would only have been disclosed if they were used to create a username.

DaVita said it has removed all third-party tracking technologies that are not part of a HIPAA-compliant service and has implemented new policies and procedures and provided additional training to members of its workforce to prevent similar privacy breaches in the future. DaVita said it is not aware of any misuse of the disclosed information that is likely to result in financial or similar harm.


Pennsylvania’s Updated Breach Notification Law Requires Credit Monitoring Services for Breach Victims

Pennsylvania has updated its data breach notification law, narrowing the definition of personal information, adding the requirement to notify the state Attorney General, and requiring credit monitoring services to be provided to data breach victims in certain circumstances. The Breach of Personal Information Notification Act was amended by Senate Bill 824 and was signed into law by state Governor Josh Shapiro on June 28, 2024. The amended law takes effect on September 26, 2024.

The law requires organizations that maintain computerized data that includes personal information to issue notifications to the affected individuals in the event of a breach of their unencrypted and unredacted personal information, or if personal information is reasonably believed to have been accessed or obtained by an unauthorized individual. Notifications must be sent without unreasonable delay, but there is no fixed time frame for issuing those notifications unless the breach occurs at a Pennsylvania state agency or state agency contractor, in which case the notifications must be issued within 7 days of the determination of a data breach.

Personal information is defined as an individual’s name combined with any of the following: Social Security number, driver’s license number, state identification card number, financial account/credit card/debit card number along with information that would allow the account to be accessed, medical information, health insurance information, or a username/email address and password combination that would allow the online account to be accessed. The amendment changes the term “medical information” to “medical information in the possession of a state agency or state agency contractor.”

In addition to issuing individual notifications, entities are now required to notify the Pennsylvania Attorney General at the same time that individual notifications are sent if the breach requires notification to more than 500 individuals in the Commonwealth, with exemptions for certain insurance companies. The Attorney General should be informed about the date of the breach, the known or estimated number of affected individuals, the known or estimated number of affected Pennsylvania residents, and a summary of the breach incident.

Previously, entities that suffered a breach subject to the Breach of Personal Information Notification Act were required to notify consumer reporting agencies about the breach if it affected more than 1,000 individuals. The threshold for notification has now been reduced to 500 individuals. The most important change for Pennsylvania residents is the legal requirement for a breached entity to provide credit monitoring services for 12 months, under certain circumstances.

Credit monitoring services must be provided if a consumer reporting agency is required to be notified by law and if the breach involved an individual’s Social Security number, bank account number, driver’s license number, or state identification number. The services must include access to an independent credit report from a consumer reporting agency if the individual is not eligible to obtain a free credit report and access to credit monitoring services for 12 months from the date of notification. If the individual is eligible to receive those services free of charge for 12 months, it is an acceptable alternative to advise them of the availability of those free services.


Industry Groups Give Feedback on CISA’s Proposed Cybersecurity Reporting Requirements

In April, as required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), the Cybersecurity and Infrastructure Security Agency (CISA) issued a Notice of Proposed Rulemaking (NPRM) introducing new requirements for critical infrastructure entities to report certain cybersecurity incidents. CISA sought comment from the public, and several healthcare stakeholders have provided feedback on the proposed rule.

Background

The proposed rule requires critical infrastructure entities to report cybersecurity incidents to CISA within 72 hours of detecting a cybersecurity incident and within 24 hours of making a ransomware payment. The types of covered incidents include:

  • Unauthorized system access
  • Denial of Service (DoS) attacks with a duration of more than 12 hours
  • Malicious code on systems, including variants if known
  • Targeted and repeated scans against services on systems
  • Repeated attempts to gain unauthorized access to systems
  • Email or mobile messages associated with phishing attempts or successes
  • Ransomware attacks against critical infrastructure, including the variant and ransom details if known

The types of information that must be submitted to CISA include:

  • Incident date and time
  • Incident location
  • Type of observed activity
  • Detailed narrative of the event
  • Number of people or systems affected
  • Company/Organization name
  • Point of Contact details
  • Severity of event
  • Critical infrastructure sector
  • Anyone else who has been informed

CISA will share the information with federal and non-federal partners to improve detection and the minimization of the harmful impacts on critical infrastructure entities, accelerate mitigation of exploited vulnerabilities, and allow software developers and vendors to develop more secure products. The information will also be shared with law enforcement to help with the investigation, identification, capture, and prosecution of the perpetrators of cybercrime.

Healthcare Industry Groups Give Feedback to CISA

The Workgroup for Electronic Data Interchange (WEDI) and the Medical Group Management Association (MGMA) have called for CISA to align the reporting time frame with the HHS’ Office for Civil Rights, as having to submit reports to multiple agencies will place a considerable administrative burden on healthcare organizations. MGMA believes the new reporting requirements will be overly burdensome for medical groups, and the duplicative reporting requirements may affect the ability of those groups to operate effectively, especially when dealing with a cyberattack.

MGMA explained that under HIPAA, covered entities must report cybersecurity incidents to the HHS’ Office for Civil Rights within 60 days for HIPAA compliance. Rather than layering different reporting requirements on each other, MGMA suggests that CISA should work closely with the HHS to seamlessly incorporate data that must be reported under HIPAA. This will promote collaboration and prevent covered entities from reporting the same incident multiple times in different formats. MGMA said the size-based criteria for reporting mean small medical groups will not have the burden of reporting incidents, but using the SBA definition means that many small physician offices will be impacted, even practices with annual revenues as low as $9 million.

The short timeframe for reporting incidents was criticized by WEDI, which said it could take longer than 72 hours to gather all the necessary information for the initial report. WEDI has called for CISA to be flexible with the reporting timeframe, such as allowing the initial report to be submitted with as much information as it has been possible to gather within 72 hours and allowing additional information to be submitted after that deadline as it becomes available. WEDI also proposes a carve-out for certain ransomware attacks. WEDI has requested that CISA not consider an attack to be a data breach if no protected health information has been accessed, provided the entity has made a good faith effort to deploy a recognized security program and has implemented security policies and procedures.

CHIME/AEHIS Members Express Concern

The College of Healthcare Information Management Executives (CHIME) and the Association for Executives in Healthcare Information Security (AEHIS) have urged CISA to consider that the core mission of healthcare is patient safety and not to implement regulatory requirements that could jeopardize that mission.

One concern from their members is the reporting requirements under HIPAA, which require security breaches to be reported to OCR within 60 days of the discovery of a data breach. They are concerned that the clock would start ticking for reporting under HIPAA on the date of submission of the incident report to CISA, and that could create considerable additional burdens for HIPAA-regulated entities. CHIME and AEHIS have asked CISA to clarify the reporting requirements for managed service providers and other third-party service providers that provide products or services to HIPAA-covered entities, requesting that the service provider be considered the covered entity for reporting under CIRCIA.

After the initial incident report, critical infrastructure entities are required to submit supplemental reports following a significant cybersecurity incident, with those supplemental reports submitted without delay or as soon as possible. There is concern that with the threat of enforcement, HIPAA-covered entities may feel compelled to prioritize reporting of incidents over patient safety. CHIME/AEHIS have requested that the supplemental reports be submitted every 72 hours at a minimum or every 5 days, and for those reports to only be required if substantial new or different information becomes available.

CHIME/AEHIS point out that the definition of larger hospitals – those with 100 or more beds – is inadequate and that a more nuanced approach is required, with factors other than bed count considered. They have also asked CISA not to require reporting of incidents by critical access hospitals (CAHs), which are already under considerable financial strain. Making CAHs report incidents could increase the financial strain on the hospitals, leading to more closures and reduced access to healthcare for patients.

CHIME/AEHIS have received feedback from their members about the level of detail required by CISA about the security architecture of breached entities. “If CISA requires hospitals and healthcare systems to define their entire security architecture, that is a tremendous amount of information to include in a report,” explained the industry groups. “Our members do not believe that CISA needs to know an entire description of an organization’s security program – as it is not helpful to fulfill the purpose of CIRCIA, is potentially considered intellectual property (IP), and/or sensitive for the organization.”


Protected Health Information Stolen in HealthEquity SharePoint Breach

HealthEquity has confirmed a breach of its SharePoint data, which included protected health information. Data breaches have also been reported by Kairos Health Arizona and Ambulnz.

HealthEquity

HealthEquity, a Draper, UT-based financial technology and business services company, has suffered a cyberattack that has exposed protected health information. HealthEquity provides health savings account (HSA) services and other consumer-directed benefits solutions, including health reimbursement arrangements (HRAs), and manages millions of HSAs, HRAs, and other benefit accounts.

HealthEquity explained in an 8-K filing with the Securities and Exchange Commission (SEC) that it recently identified anomalous behavior in a business partner’s device, and said the initial investigation indicates that the device had been compromised and was used to access members’ information. No malware was found on its systems and business operations were unaffected, and while the company is still evaluating the financial impact of the incident, it does not believe that the incident will have any material effect on its business or financial results.

The breach was detected on March 25, 2024, and immediate action was taken to prevent further unauthorized access. A forensic investigation was launched to determine the extent of the breach, which revealed that an unauthorized actor accessed and exfiltrated HealthEquity’s SharePoint data. Its transactional systems, where integrations occur, were not affected. HealthEquity has started notifying the affected partners, clients, and members and is offering complimentary credit monitoring and identity theft protection services. The extent of the breach and the types of information involved have not yet been publicly disclosed.

Kairos Health Arizona

Kairos Health Arizona, an employee benefits pool serving public entity employers in Arizona, has discovered that there has been unauthorized access to member data by a former third-party vendor. An investigation was launched which determined that between November 2, 2023, and March 29, 2024, the vendor accessed and downloaded information from a Kairos database.

A review was conducted to determine the types of data involved and confirmed that the downloaded data included names, insurance identification numbers, claims/coverage information, and health information. No Social Security numbers, driver’s license numbers, or financial account information were accessed or downloaded. Notification letters have now been sent to the 14,364 affected individuals and steps have been taken to enhance the security of its network, internal systems, and applications to prevent similar incidents in the future.

Ambulnz

Ambulnz, a subsidiary of DocGo that provides medical transportation and ambulance services, has discovered the protected health information of 4,742 patients has been exposed and potentially stolen in a cyberattack that was detected on April 22, 2024. The forensic investigation confirmed that a threat actor first accessed its network on April 21, 2024, and access was blocked the following day; however, the attack was not detected in time to prevent the threat actor from downloading patient data from its network. The stolen files included names, plus one or more of the following: dates of birth, address, medical record number, patient account number, health insurance identification number, and/or diagnosis and treatment information. A limited number of patients also had their Social Security numbers and/or driver’s license numbers stolen.

The post Protected Health Information Stolen in HealthEquity SharePoint Breach appeared first on The HIPAA Journal.

Email Breach Affects 22,000 Ambulatory Surgery Center of Westchester Patients

The Mount Kisco Surgery Center, doing business as the Ambulatory Surgery Center of Westchester in New York, has recently notified 22,139 patients that some of their protected health information has been exposed and potentially stolen.

Suspicious activity was detected in an employee’s email account on November 3, 2023, and after securing the account, a forensic investigation was launched to determine the nature and scope of the activity. The investigation confirmed that an unauthorized third party had access to the account from October 23, 2023, to November 3, 2023, and that the account contained patient data.

A comprehensive review was then initiated to determine the individuals affected and the types of data involved. That process was completed on May 30, 2024, and then address information was verified. The affected individuals were notified by mail on June 26, 2024. The types of data involved varied from patient to patient and included names in combination with one or more of the following: Social Security number, driver’s license number, state identification number, date of birth, medical information, including diagnosis information, treatment information, and prescription information, and health insurance information, including claim information and health insurance number.

At the time of issuing notifications, no reports had been received to suggest there had been any misuse of patient data. Mount Kisco Surgery Center said it has enhanced network security to prevent similar breaches in the future.

Mobile Medical Response Warns Patients About PHI Breach

Mobile Medical Response, a Michigan-based provider of medical transportation and ambulance services, has announced that there has been an impermissible disclosure of patient information at one of its business associates. Mobile Medical Response contracted with CMB Services to provide collections services. CMB Services had issued a check to Mobile Medical Response, which an unauthorized individual attempted to cash.

When checks are issued to Mobile Medical Response by CMB Services, they are accompanied by a statement of accounts that includes the names of individuals to whom the payments relate. The statements include names, identify individuals as having received transportation services from Mobile Medical Response, and potentially include other information.

Mobile Medical Response has confirmed that addresses, dates of birth, Social Security numbers, driver’s license/state identification numbers, financial account information, payment card information, patient record information, medical diagnosis/condition information, medical treatment information, and health insurance information were not impermissibly disclosed.

Mobile Medical Response is currently investigating the incident to determine the full nature, scope, and impact of the event. In the meantime, the breach has been reported as affecting 500 individuals. The total will be updated when the investigation has been completed.

The post Email Breach Affects 22,000 Ambulatory Surgery Center of Westchester Patients appeared first on The HIPAA Journal.