Author Archives: Steve Alder

CarePointe ENT Settles HIPAA Lawsuit with Indiana Attorney General

Posted by Steve Alder

In late September 2023, Indiana Attorney General Todd Rokita filed a lawsuit against CarePointe ENT over a ransomware attack and data breach that affected 48,742 individuals. A settlement has been reached that will see CarePointe pay $125,000 to resolve alleged violations of the Health Insurance Portability and Accountability (HIPAA) Act and state data privacy and security laws.

CarePointe ENT operates three ear, nose, throat, sinus, and hearing centers in Merrillville, Munster & Hobart in Northwest Indiana. On June 25, 2021, CarePointe ENT experienced a ransomware attack which resulted in files being encrypted and data being exfiltrated. The stolen data included names, addresses, dates of birth, Social Security numbers, medical insurance information, and health information. Affected individuals were notified about the data breach in August 2021.

AG Rokita launched an investigation into the attack to determine if CarePointe ENT had complied with its obligations under HIPAA and state laws. Despite claiming that it was committed to safeguarding patient information, CarePointe ENT was determined to have failed to implement appropriate security policies, conduct appropriate risk analyses, and address known security risks in a reasonable amount of time.

CarePointe ENT hired a third-party IT vendor that conducted a HIPAA risk analysis and identified security concerns in January 2021. The vendor was hired in March to address the identified vulnerabilities, but they were not fixed in a reasonable time frame. In June 2021, some of the unaddressed vulnerabilities were exploited in a ransomware attack. In addition to the failure to address known security issues, CarePointe ENT failed to enter into a business associate agreement with the vendor, even though the vendor was provided with access to systems containing protected health information.

AG Rokita’s lawsuit alleged one count of a failure to comply with the HIPAA Privacy Rule, one count of failing to comply with the HIPAA Security Rule, one count of failing to comply with the Indiana Disclosure of Security Breach Act (DSBA), and one count of failing to comply with the Indiana Deceptive Consumer Sales Act (DCSA). CarePointe ENT chose to settle the alleged violations of HIPAA and state laws with no admission of wrongdoing. Under the terms of the settlement, a financial penalty of $125,000 will be paid to the state and CarePointe ENT has agreed to ensure full compliance with the HIPAA Privacy and Security Rules and the DCSA and DSBA with respect to the safeguarding of personal information (PI), protected health information (PHI), and electronic protected health information (ePHI). CarePointe ENT has also agreed not to make misrepresentations about the extent to which it ensures the privacy, security, confidentiality, and integrity of PI, PHI, and ePHI.

The settlement agreement includes a comprehensive list of privacy and security measures. These include implementing a comprehensive information security program, appointing a HIPAA Security Officer to oversee that program, implementing technical safeguards and controls to ensure the privacy and security of patient data, developing an incident response plan and testing that plan through table-top exercises, developing policies and procedures regarding business associate agreements, and providing privacy and security training to all members of the workforce with access to PI, PHI, or ePHI,

The post CarePointe ENT Settles HIPAA Lawsuit with Indiana Attorney General appeared first on HIPAA Journal.

Urgent Action Required to Address Critical ownCloud Vulnerabilities

Posted by Steve Alder

Three critical vulnerabilities in the ownCloud platform have been identified, one of which is being actively exploited. Urgent action is required to address the vulnerabilities to protect sensitive networks and sensitive data.

The ownCloud platform is used extensively in healthcare for storing, synchronizing, and sharing files and collaborating and consolidating work processes. As such, the platform is a prime target for malicious actors as it allows them to access highly sensitive data. The Clop hacking groups demonstrated how serious vulnerabilities in file sharing platforms can be, having mass exploited vulnerabilities in Fortra’s GoAnywhere MFT and Progress Software’s MOVEit Transfer solution earlier this year.

Security advisories were issued by ownCloud on November 21, 2023, about three vulnerabilities, the most serious of which has a maximum CVSS v3.1 severity score of 10. The remaining two vulnerabilities have been assigned CVSS scores of 9.8 and 9. Evidence of active exploitation of the flaws was identified by the cybersecurity firm Greynoise from November 25, 2023, with the malicious activity originating from 32 unique IP addresses.

  • CVE-2023-49103 – A critical vulnerability in versions 0.2.0 – 0.3.0 of the graphapi app that allows disclosure of sensitive credentials and configuration in containerized deployments. The graphapi app relies on a third-party library that provides a URL. When the URL is accessed, it reveals the configuration details of the PHP environment, which includes environment variables for the webserver. In containerized deployments, the disclosed information can include the ownCloud admin password, mail server credentials, and license key. The vulnerability has a CVSS severity score of 10 out of 10.
  • CVE-2023-49105 – A critical WebDAV API authentication bypass vulnerability using pre-signed URLs. The vulnerability affects core 10.6.0 – 10.13.0 and can be exploited to access, modify, or delete any file without authentication if the username of the victim is known and the victim has no signing-key configured, which is the default setting. The vulnerability has a CVSS severity score of 9.8 out of 10.
  • CVE-2023-49104 – A critical subdomain validation bypass vulnerability in oauth2 < 0.6.1. An attacker can pass in a specially crafted redirect-URL that bypasses the validation code, allowing the attacker to redirect callbacks to a TLD controlled by the attacker. The vulnerability has a CVSS severity score of 9.0 out of 10.

The Health Sector Cybersecurity Coordination Center (HC3) issued a warning on December 5, 2023, urging HPH sector organizations to take immediate action and apply the actions recommended by ownCloud. “The nature of this platform is such that it needs to be integrated into the information infrastructure of a customer organization to function, which provides attackers with a target that can potentially provide access to sensitive information, as well as a staging point for further attacks,” explained HC3.

At present, only the CVE-2023-49103 is believed to have been actively exploited in attacks in the wild. This vulnerability should therefore be treated with the highest priority; however, the remaining vulnerabilities should also be addressed as soon as possible as exploitation is likely.

ownCloud notes that while the graphapi app can be disabled, that will not fully address the CVE-2023-49103 vulnerability. The owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php file should also be deleted and the phpinfo function should be disabled in Docker containers. Owncloud also recommends changing potentially exposed secrets such as the credentials for ownCloud administration, the mail server, the database, and the Object-Store/S3 access key. Owncloud’s mitigations for the vulnerabilities can be found on the following links:

The post Urgent Action Required to Address Critical ownCloud Vulnerabilities appeared first on HIPAA Journal.

Citrix Bleed Vulnerability Requires Urgent Action as Ransomware Groups Scale Up Attacks

Posted by Steve Alder

Concern is growing as ransomware groups ramp up exploitation of a critical vulnerability in NetScaler ADS (formerly Citrix ADC) and NetScaler Gateway (Citrix Gateway) devices, dubbed Citrix Bleed.

Citrix issued a security advisory about the vulnerability on October 10, 2023, and issued a patch to correct the flaw, which can be exploited to bypass password protection and multifactor authentication. The buffer overflow vulnerability is tracked as CVE-2023-4966 and has a CVSS severity score of 9.4 out of 10. The vulnerability appears to have been exploited in the wild since August 2023. The vulnerability is easy to exploit and allows threat actors to take over legitimate user sessions. Once initial access has been gained, threat actors can elevate privileges, harvest credentials, move laterally, and access sensitive data and resources.

The vulnerability affects the following NetScaler ADC and Gateway versions:

  • NetScaler ADC and NetScaler Gateway 14.1-8.50 and later releases
  • NetScaler ADC and NetScaler Gateway  13.1-49.15 and later releases of 13.1
  • NetScaler ADC and NetScaler Gateway 13.0-92.19 and later releases of 13.0
  • NetScaler ADC 13.1-FIPS 13.1-37.164 and later releases of 13.1-FIPS
  • NetScaler ADC 12.1-FIPS 12.1-55.300 and later releases of 12.1-FIPS
  • NetScaler ADC 12.1-NDcPP 12.1-55.300 and later releases of 12.1-NDcPP
  • NetScaler ADC and NetScaler Gateway version 12.1 are now End-of-Life (EOL). Customers still using these versions should upgrade their appliances to one of the supported versions.

On October 18, 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerability Catalog, and a security advisory about the flaw was issued on November 21, 2023, as it became clear that the vulnerability was being exploited more widely, including by the LockBit 3.0 ransomware group in attacks on critical infrastructure.

On November 22, 2023, the Health Sector Cybersecurity Coordination Center (HC3) issued an urgent security advisory to the healthcare and public health (HPH) sector about the flaw along with a further advisory on November 30, 2023, urging healthcare organizations to patch the vulnerability as soon as possible to protect against exploitation. Applying the patch will prevent the vulnerability from being exploited; however, if it has already been exploited, the compromised sessions will remain active. Steps must therefore also be taken to ensure all active sessions are removed.

To remove active and persistent sessions after the patch has been applied, admins should run the following commands:

  • kill aaa session -all
  • kill icaconnection -all
  • kill rdp connection -all
  • kill pcoipConnection -all
  • clear lb persistentSessions

Steps should also be taken to investigate potential exploits of the vulnerability. NetScaler has issued guidance for investigations and CISA has published Indicators of Compromise associated with LockBit 3.0 along with the tactics, techniques, and procedures (TTPs) used by the group and mitigation steps for defending against ransomware attacks.

The American Hospital Association has recently issued a security advisory urging hospitals to take immediate action to protect against exploitation of the Citrix Bleed vulnerability, given that hospitals are prime targets for ransomware groups. “This urgent warning by HC3 signifies the seriousness of the Citrix Bleed vulnerability and the urgent need to deploy the existing Citrix patches and upgrades to secure our systems,” said John Riggi, AHA’s national advisor for cybersecurity and risk. “This situation also demonstrates the aggressiveness by which foreign ransomware gangs, primarily Russian-speaking groups, continue to target hospitals and health systems.  Ransomware attacks disrupt and delay health care delivery, placing patient lives in danger. We must remain vigilant and harden our cyber defenses, as there is no doubt that cyber criminals will continue to target the field, especially during the holiday season.”

The post Citrix Bleed Vulnerability Requires Urgent Action as Ransomware Groups Scale Up Attacks appeared first on HIPAA Journal.

Proliance Surgeons Sued Over Ransomware Attack and Data Breach

Posted by Steve Alder

A class action lawsuit has been filed against Proliance Surgeons, a Seattle, Washington-based surgery group over a recently disclosed ransomware attack and data breach that has affected almost 437,400 individuals.

The group operates around 100 surgery centers in the state and treats more than 800,000 patients each year. On May 24, 2023, a third-party forensic investigation into a cyberattack confirmed that hackers had access to files containing patient data and that they had removed “a limited number of files” from its network on February 11, 2023.  The data compromised in the attack included names, contact information, Social Security numbers, financial information, treatment information, driver’s license numbers, and usernames and passwords. Notifications were issued on November 21, 2023.

A lawsuit has been filed in federal court in Seattle by plaintiff and former patient, Alicia Berend, and similarly situated individuals whose sensitive information was compromised in the cyberattack. The lawsuit alleges Proliance Surgeons failed to adequately protect patient data as required by federal and state law and in accordance with its internal security policies, and that the data security failures constituted a violation of the Health Insurance Portability and Accountability Act (HIPAA).

The lawsuit also references an earlier security breach where unauthorized individuals had access to its online payment system for seven months between November 2019 and June 2020, allowing access to be gained to names, zip codes, and payment card information. Following that incident Proliance Surgeons said it would be enhancing its security measures to prevent similar incidents in the future. The earlier security breach is not shown on the HHS’ Office for Civil Rights (OCR) website, which indicates either the breach was not reported to OCR, that Proliance Surgeons determined protected health information had not been compromised, or the breach affected fewer than 500 individuals. The lawsuit claims that two major security breaches in a little over 3 years demonstrates a pattern of negligence with respect to data security.

The lawsuit also takes issue with the length of time taken to discover that patient data was involved, which occurred 102 days after the security breach was detected, and Proliance Surgeons then failed to issue notification letters to the affected individuals until November 21, 2023 – 283 days after the data breach occurred. The lawsuit claims that the plaintiff and class were kept in the dark about the breach, thus depriving them of the opportunity to mitigate their injuries in a timely manner.

The lawsuit claims the plaintiff and class have suffered widespread injury and monetary damages, and that the plaintiff has already suffered from identity theft and fraud. She has received emails indicating someone has used her identity for various out-of-state activities, including inquiries into properties in Florida, and has also received an increased number of spam messages and phone calls and now fears for her personal and financial security. The plaintiff claims that she has suffered anxiety, sleep disruption, stress, fear, and frustration and that these injuries go far beyond mere worry or inconvenience.

The lawsuit alleges negligence, breach of implied contract, breach of fiduciary duty, invasion of privacy, unjust enrichment, and violations of the Washington Consumer Protection Act, Washington Data Breach Disclosure Law, and Washington Uniform Health Care Information Act (UHCIA). The lawsuit seeks class action certification, a jury trial, compensatory, exemplary, punitive, and statutory damages, and attorneys’ fees and legal costs.

The plaintiff and class are represented by Samuel J. Strauss of the law firm, Turke & Strauss LLP.

The post Proliance Surgeons Sued Over Ransomware Attack and Data Breach appeared first on HIPAA Journal.

East River Medical Imaging Cyberattack Affects 606,000 Patients

Posted by Steve Alder

East River Medical Imaging in New York has started notifying 605,809 patients that some of their protected health information has been exposed or stolen in a cyberattack that was detected on September 20, 2023. The network was immediately taken offline, and a forensic investigation was launched to determine the nature and scope of the incident. The investigation determined there had been unauthorized access to its network between August 31, 2023, and September 20, 2023, and during that time, files containing patient data had been accessed and copied from its network.

The compromised information varied from individual to individual and may have included names, contact information, insurance information, exam and/or procedure information, referring physician names, imaging results, and/or Social Security numbers. Employee data was also compromised, including names, contact information, financial account information, Social Security numbers, and/or driver’s license numbers.

East River Medical Imaging said it has enhanced its network monitoring capabilities and will continue to assess and supplement its security controls. Notification letters started to be mailed to the affected individuals on November 22, 2023. Individuals whose Social Security numbers and/or driver’s license numbers were compromised have been offered complimentary credit monitoring services.

The Fred Hutchinson Cancer Center Suffers Thanksgiving Cyberattack

The Fred Hutchinson Cancer Center in Seattle, WA, has confirmed that it detected unauthorized network activity on its clinical network during Thanksgiving week. An investigation into the unauthorized activity is ongoing and it is not yet clear if any patient data has been compromised. The network was taken offline within 72 hours of the security incident being identified and the clinical network is currently still offline. The MyChart online patient portal and its research network were unaffected. Care continued to be provided to patients and staff are working round the clock to resolve the issue and bring systems back online. No time frame could be provided on how long that process will take.

The Fred Hutchinson Cancer Center was one of several healthcare providers to be attacked at Thanksgiving. Several hospitals operated by Ardent Health Services were affected by a ransomware attack and were forced to cancel appointments and divert ambulances.

1st Source Bank Confirms MOVEit Transfer Hack

1st Source Bank has confirmed that the protected health information of 1,477 individuals was stolen in May 2023 when hackers exploited a zero day vulnerability in Progress Software’s MOVEit Transfer solution. The breach was discovered on June 1, 2023, and the review of the affected files and the collection of information required to issue notifications was completed on or around October 27, 2023. The compromised information includes names and Social Security numbers. Complimentary identity monitoring services have been provided to the affected individuals for 12 months.

The post East River Medical Imaging Cyberattack Affects 606,000 Patients appeared first on HIPAA Journal.

6.9 Million 23andMe Users Affected by Data Breach

Posted by Steve Alder

The genetic testing company, 23andMe, has confirmed in a recent filing with the Securities and Exchange Commission (SEC) that a hacker gained access to a very small percentage of user accounts. 23andMe has around 14 million users worldwide, and 0.1% of accounts were compromised – approximately 14,000 accounts. However, through those accounts, the hacker obtained the data of around 6.9 million users.

The account breaches first came to light on October 1, 2023, when a hacker claimed in an online forum to have the profile information of millions of 23andMe users. 23andMe launched an investigation into a potential data breach and determined that its own systems had not been compromised. Certain accounts had been accessed in a credential stuffing attack. A credential stuffing attack involves using credentials from data breaches at one or more companies to try to access accounts at another, unrelated company.

Access was gained to the 14,000 accounts as those users had used the password for their 23andMe account at another company that had suffered a data breach and had failed to implement 2-factor authentication for their 23andMe account. The information accessed varied from account to account, and generally included ancestry information and health information based on the user’s genetics.

Those accounts were then used to “access a significant number of files” that included the profiles of other users’ ancestry. The 23andMe DNA Relatives feature allows users to share information with others to find genetic relatives. Through this feature, the 14,000 accounts were used to obtain information from around 5.5 million users. The information obtained varied from user to user,  depending on the information they chose to share with others. That information generally included display names, the last login time, the percentage of DNA shared with their DNA relatives’ matches, and the predicted relationship with each person. In some cases, the information also included birth year, geographic information, family tree, and any uploaded photos.

Additionally, the family tree information of a further 1.4 million users who participated in the DNA Relatives feature was compromised. In these cases, the compromised information included display names and relationship labels and, in some cases, display name, geographic location, and birth year. In total, approximately 6.9 million individuals had their data stolen.

23andMe confirmed that notifications have started to be issued but could not say when that process will be completed. Steps have also been taken to improve security, including performing a forced password reset for all users and imposing mandatory 2-step verification for new and current users. The 2-step verification was previously optional. 23andMe estimated the cost of the incident to be between $1 million and $2 million, which has mostly been spent on technology consulting services, legal fees, and expenses of other third-party advisors. The expenses and direct and indirect business impacts of the incident could negatively affect its financial results.

The post 6.9 Million 23andMe Users Affected by Data Breach appeared first on HIPAA Journal.

Almost 440,000 Individuals Affected by Cyberattack on Proliance Surgeons

Posted by Steve Alder

Proliance Surgeons, a Seattle, WA-based surgical group that has around 100 locations in Washington state, has notified 437,392 individuals that some of their protected health information may have been stolen in a ransomware attack earlier this year. The breach notice on the website of Proliance Surgeons states that a forensic investigation was conducted by third party cybersecurity experts which confirmed that some files had been removed from its network before files were encrypted.

On May 24, 2023, it was confirmed that files containing patients’ protected health information may have been accessed or acquired on February 11, 2023. At the time it was unclear exactly how many individuals had been affected. A comprehensive review was conducted of all files potentially accessed or acquired in the attack, which confirmed they contained names in combination with one or more of the following: date of birth, Social Security number, medical treatment information, health insurance information, phone number, email address, financial account number, driver license or other identification information, and usernames and passwords.

Proliance Surgeons said immediate action was taken to protect patients’ private information and cybersecurity protocols have since been enhanced. There is no mention of credit monitoring or identity theft protection services. At least one lawsuit has already been filed against Proliance Surgeons in response to the breach.

Medical College of Wisconsin Says 240,000 Individuals Affected by MOVEIt Transfer Hack

The Medical College of Wisconsin (MCW) has confirmed that the protected health information of 240,667 individuals was stolen by the Clop hacking group, which exploited a zero day vulnerability in Progress Software’s MOVEit Transfer solution.  MCW was contacted on May 31 by Progress Software and implemented the patch and recommended mitigation measures but discovered the vulnerability had already been exploited on or around May 27, 2023.

The forensic investigation and document review was completed on or around September 21, 2023, and confirmed that the stolen data included full names, dates of birth, Social Security numbers, driver’s license/government identification numbers, financial account information, medical record/patient account number(s), medical diagnosis/treatment information, medical provider name(s), lab results, prescription information, and health insurance information.

Notification letters started to be mailed to the affected individuals on November 14, 2023. Individuals who had their Social Security numbers stolen have been offered complimentary credit monitoring and identity theft protection services.

Data Stolen in Ransomware Attack on Rock County, Wisconsin

Legal Counsel for Rock County in Wisconsin has issued notification letters about a cyberattack and data breach that affected 25,823 individuals. According to the notification letters, suspicious activity was detected within its computer systems on or around September 29, 2023. The forensic investigation confirmed that unauthorized individuals had access to its network between September 22, 2023, to September 30, 2023, and during that time, acquired certain files from its network.

A review of the affected files was initiated to determine the individuals affected and the types of data stolen in the attack. That review is ongoing, but it has been confirmed that the data impacted included names and Social Security numbers. Complimentary credit monitoring services have been offered to the affected individuals.

The nature of the attack was not disclosed, other than the attack involving data theft. The HIPAA Journal has confirmed that this was a ransomware attack by the Cuba ransomware group, which has listed Rock County on its data leak site. Victims are therefore strongly advised to take advantage of the credit monitoring services being offered.

The post Almost 440,000 Individuals Affected by Cyberattack on Proliance Surgeons appeared first on HIPAA Journal.

State of Maine Reports 450,000-Record Data Breach

Posted by Steve Alder

The State of Maine has confirmed that the protected health information of 453,894 individuals was stolen in the recent mass hacking of a zero-day vulnerability in Progress Software’s MoveIT Transfer solution. Progress Software released a patch to fix the vulnerability on May 31, 2023; however, the vulnerability had already been exploited. The State of Maine’s investigation confirmed that the vulnerability had been exploited between May 28, 2023, and May 29, 2023, and sensitive data had been stolen by the Clop hacking group.

The breach was limited to its MOVEit server, and no other systems were compromised. The Clop hacking group claimed they were only interested in hacking businesses and said they would delete all data stolen from governments; however, the State of Maine is urging all affected individuals to ignore those claims and take steps to protect themselves against fraud. The individuals affected may have been Maine residents, employees, or could have received services from or interacted with a state agency. Maine also participates in data sharing agreements with other organizations to enhance the services it offers to residents and the public.

The data exposed would depend on the interactions with state agencies. All affected individuals who had their Social Security numbers or taxpayer identification numbers stolen have been offered two years of complimentary credit monitoring and identity protection services.

Affinity Legacy Inc. Affected by MOVEit Hack

Affinity Legacy Inc., formerly known as Affinity Health Plan, Inc., has confirmed that it was affected by the recent MOVEit Transfer hacks. The breach occurred at one of its business associates, which provided claims processing services, and used the software solution for file transfers.

The vulnerability was exploited between May 30 and June 2, 2023, and on June 21, 2023, the vendor determined that certain files had been downloaded by the attackers that contained the protected health information of 5,538 individuals who were either Affinity Health Plan members prior to 2019, or EmblemHealth Medicare Advantage Plan members after 2019. The stolen data included names, mailing addresses, dates of birth, Social Security numbers, Medicare numbers and/or medical diagnosis codes. Complimentary personal identity and privacy protection services have been offered to the affected individuals.

The Charles Lea Center Suffers Ransomware Attack

The Charles Lea Center, a non-profit organization in Spartanburg County, SC, has recently notified 1,250 individuals that some of their personal information was compromised in a June 2023 ransomware attack. The incident was detected on June 19, 2023, when a portion of its network was encrypted. A ransom demand was issued, and the threat actor claimed to have exfiltrated a limited number of files from its systems.

While the forensic investigation could not determine the specific types of information that had been compromised, the file review confirmed on October 2, 2023, that the exposed files contained names, Social Security numbers, dates of birth, and some medical treatment information. The Charles Lea Center has offered the affected individuals complimentary credit monitoring services and has advised them to monitor their financial account statements regularly for signs of fraud. The Charles Lea Center said it had taken steps to ensure the privacy of data before the attack and will be augmenting those measures to further enhance security.

Detroit Chassis Health Plan Member Data Exposed

Detroit Chassis in Michigan, a provider of niche vehicle manufacturing solutions, was the victim of a sophisticated cyberattack that occurred on or around March 12, 2023. When the attack was detected, immediate action was taken to secure its systems and third-party cybersecurity experts were engaged to investigate. The investigation confirmed that the attackers had access to parts of its network that contained the data of 958 members of its health plan which was stored on an email server that was in the process of being decommissioned.

Detroit Chassis said, “While we believe there is a reasonable basis to conclude this information was not subject to unauthorized acquisition, we were unable to rule it out.” The server contained information such as names, addresses, dates of birth, Social Security numbers, driver’s licenses, financial account information, passport numbers, credit card numbers, state identification numbers, usernames and access information for non-financial accounts, medical information, health insurance numbers and information related to its employee prescription benefits plan.

Medical Records Stolen in Lakeview Healthcare System Break-in

Lakeview Healthcare System, a central Florida health system, had a break-in at its Fern Drive location in Leesburg on September 29, 2023.  The break-in occurred around 5 a.m. and the intruder stole three password-protected mobile devices and medical records that contained the protected health information of patients. The paper records included information such as names, addresses, diagnosis and treatment information, and billing information.

Lakeview Healthcare System said it has engaged in extensive remediation efforts to minimize the risk of similar incidents in the future, has reviewed its security policies and procedures, and has re-educated the workforce on data security and secure document storage. Physical security measures are being assessed at each location, including using more shred bins, upgrading physical locks, and implementing additional access controls to allow for faster and more precise termination of access.

The breach has been reported to the HHS’ Office for Civil Rights as affecting 2,495 individuals.

The post State of Maine Reports 450,000-Record Data Breach appeared first on HIPAA Journal.

Hundreds of Thousands of Blue Shield of California Members Affected by MOVEit Hack

Posted by Steve Alder

California Physicians’ Service, which does business as Blue Shield of California, has confirmed that it has been affected by the mass exploitation of a vulnerability in Progress Software’s MOVEit Transfer file transfer solution. The breach has been reported to the HHS’ Office for Civil Rights in two separate breach reports, one involving the data of 636,848 Blue Shield of California plan members and another that has affected 26,523 Blue Shield of California or Blue Shield of California Promise Health Plan members.

The breach occurred at an unnamed vendor of Blue Shield of California that managed vision benefits. The vendor used the MOVEit Transfer solution to transfer large files as part of its contracted duties. A zero-day vulnerability in the MOVEIt Transfer solution was exploited between May 28, and May 31, 2023, and files were exfiltrated that included members’ names, birthdates, addresses, subscriber ID numbers, subscribers’ names, birthdates, Social Security numbers, group ID numbers, vision providers’ names, patient ID numbers, vision claims numbers, vision-related treatment and diagnosis information, and vision-related treatment cost information. The Clop hacking group claimed responsibility for the hacks.

Blue Shield of California said its own systems were not compromised. The breach was limited to the MOVEit Transfer server. Credit monitoring and identity restoration services have been offered to the affected individuals.

Wyoming County Community Health System Confirms March 2023 Cyberattack

Wyoming County Community Health System in Warsaw, NY, has experienced a cybersecurity incident that has caused network disruption. The security breach was detected on March 28, 2023, and the subsequent forensic investigation determined that files had been exposed on that date and may have been accessed or acquired by unauthorized individuals. A review was then conducted of the files to determine the individuals and types of data involved, and that process was completed on November 8, 2023. The review confirmed up to 26,000 individuals had been affected and had some or all of the following information exposed: name, Social Security number, driver’s license/state identification number, date of birth, biometric data, medical information, health insurance information, and account number.

Notification letters were sent to the affected individuals on November 16, 2023. Wyoming County Community Health System said it has implemented additional measures to enhance network security and minimize the risk of a similar incident occurring in the future.

Westside Community Services Confirms Cyberattack and Data Theft

The San Francisco, CA-based social services organization, Westside Community Services, has notified 2,484 individuals about a security breach involving unauthorized access to its network between April 25, 2023, and May 1, 2023. Third-party cybersecurity professionals were engaged to conduct a forensic investigation and confirmed that files had been exfiltrated from its network. The document review was completed on October 16, 2023.

The stolen files included full names along with one or more of the following: Social Security numbers, dates of birth, driver’s license numbers or state identification numbers, passport numbers, other government identification numbers, financial account information, credit or debit card information, usernames and passwords associated with one or more online accounts, medical information (date of service, provider name, medical record number, patient number, medical history, surgical information, medication, and/or treatment information), and/or health insurance policy information. Westside Community Services said it continually evaluates and modifies its practices and internal controls to enhance the security and privacy of personal information and will continue to do so.

Unauthorized Email Access Reported by Molina Healthcare of Iowa

Molina Healthcare of Iowa, Inc. says it discovered on November 22, 2023, that there had been unauthorized access to an employee email account between September 25 and 26, 2023. It was not possible to determine if any information in the email account was copied, but the review of the emails confirmed that they contained the protected health information of 1,647 Medicaid recipients. Those individuals have been notified about the breach by mail. Molina Healthcare of Iowa said the breach did not affect any members covered by other managed care organizations.

This is the third incident to affect Molina Healthcare of Iowa members this year. On May 31, 2023, Amerigroup inadvertently disclosed personal health information for 833 Iowa Medicaid members to 20 providers in explanation of payment notices; and on May 26, 2023, a Medicaid contractor confirmed there had been unauthorized access to its systems on March 6, 2023, which affected 233,000 Medicaid members.

Robeson Health Care Corporation Updates Data Breach Notice

Robeson Health Care Corporation has provided an update on a breach that was previously reported to the Maine Attorney General as affecting 15,045 individuals. The investigation has confirmed that a further 62,627 individuals have been affected. The incident has been previously covered by The HIPAA Journal in this post.

The post Hundreds of Thousands of Blue Shield of California Members Affected by MOVEit Hack appeared first on HIPAA Journal.