HIPAA Breach News

Email Account Breaches Reported by University of Minnesota Physicians and McLeod Health

University of Minnesota Physicians has suffered a phishing attack that allowed unauthorized individuals to gain access to the email accounts of two employees. One email account was accessible between January 30 and January 31, 2020, and the other for a short period of time on February 4, 2020.

Upon discovery of the breach, the accounts were immediately secured, and third-party forensic investigators were engaged to assess the nature and scope of the breach. The review did not uncover any evidence to suggest emails in the accounts had been viewed or patient data obtained, but it was not possible to rule out data access with a sufficiently high degree of certainty.

A review of the compromised accounts revealed they contained the protected health information of certain patients. The types of information in the accounts varied from patient to patient and may have included name, address, date of birth, date of death, date of service, telephone number, medical record number, account number, payment card number, health insurance information, and medical information. A limited number of individuals also had their Social Security number exposed.

Notification letters began to be sent to affected individuals on March 30, 2020, even though the investigation was still ongoing. That investigation has now been completed. The delay was due to the painstaking and lengthy process involved in identifying the relevant data.

University of Minnesota Physicians said that at the time of the breach, multiple email security controls were in place, including multi-factor authentication; regular privacy and security training was being provided to employees; and phishing simulations were being conducted.

Additional technology has now been implemented to further improve security and refresher security training has been provided to employees. Affected individuals have been offered 12 months of complimentary credit monitoring and identity theft protection services through Kroll.

The March 30, 2020 entry on the Office for Civil Rights breach portal indicates that 683 individuals had been affected at the time of writing.

McLeod Health Discovers Email Account Breach

South Carolina-based McLeod Health has discovered that the email account of an employee has been accessed by an unauthorized individual. Suspicious email account activity was detected on June 23, 2020 and the email account was immediately secured.

A comprehensive forensic review was conducted to determine the nature and scope of the breach, which revealed the email account was breached between April 13, 2020 and April 16, 2020. On August 19, 2020, McLeod Health determined the content of the email account had been downloaded by the attacker in April.

McLeod Health is in the process of conducting a review of the impacted email account to determine what information has been obtained by the attacker and which patients have been affected. Notifications will be mailed to affected patients when the review is completed.

McLeod Health had previously implemented multi-factor authentication to prevent compromised credentials from being used to gain access to email accounts; however, some internal settings had prevented it from being implemented on some devices. That issue is now being addressed and additional security awareness training is being provided to employees.

The post Email Account Breaches Reported by University of Minnesota Physicians and McLeod Health appeared first on HIPAA Journal.

Healthcare Provider Discovers Patient Data Exposed Online for Over 4 Years

A round up of healthcare data breaches recently reported by Fairchild Medical Center, Harvard Pilgrim Health Care, and Indian Health Council Inc.

Fairchild Medical Center Discovers Patient Information has been Exposed Online

Fairchild Medical Center in Yreka, CA, has started notifying certain patients that some of their protected health information may have been accessed by unauthorized individuals over the Internet.

In July 2020, Fairchild Medical Center was notified by a third-party security company that a server had been misconfigured, which allowed it to be accessed via the Internet. Assisted by third-party computer specialists, the medical center determined patient information could potentially have been accessed by unauthorized individuals.

The server contained medical images along with patient names, dates of birth, patient identification numbers, exam identification numbers, ordering provider names, and exam dates. The misconfiguration had occurred on December 16, 2015 and was not corrected until July 31, 2020. After changes were made to secure the server, they were verified by a third-party security company.

A forensic investigation could not confirm whether patient information was accessed by unauthorized individuals during the time the server was exposed, but the possibility could not be ruled out.

Harvard Pilgrim Health Care Reports Mismailing Incident

Harvard Pilgrim Health Care is notifying 8,022 individuals that a software error in its enrollment data management system caused an individual’s mailing address to be associated with another address linked to that individual’s health plan. As a result of the error, some mailings may have been misdirected to the address of a subscriber of the individual’s health plan or to a former address. The issue was traced back to an error that occurred in 2013.

The types of information that may have been disclosed varied from mailing to mailing and potentially included the member’s name, ID number, date of birth, telephone number, dates of service, provider names, treatment information, charges for services, deductibles, co-pay amount, and co-insurance information related to healthcare coverage.

The issue has now been corrected and the process of system updates has been reviewed and enhanced. Affected individuals have been asked to check their Activity Summaries and to report any suspicious entries to Harvard Pilgrim immediately.

Indian Health Council Inc Suffers Ransomware Attack

Valley Center, CA-based Indian Health Council Inc. was the victim of a ransomware attack in September 2020 that resulted in file encryption and may have impacted patients’ protected health information. The cyberattack was discovered on September 22, 2020 and independent computer forensic experts were engaged to assist with the investigation.

A review of the files accessible to the attacker revealed some contained patient information such as names, birth dates, health information, and health insurance information and, for a limited number of individuals, information about health conditions, treatment, or diagnoses.

Following the attack, passwords were changed, and security has been strengthened to prevent further attacks. Additional measures implemented include further controls covering remote access and multi-factor authentication.

All patients affected by the breach have now been notified. The breach report submitted to the Office for Civil Rights indicates 5,769 individuals were potentially affected.


More Than 295K Patients Impacted by Cyberattack on AspenPointe

The Colorado Springs-based mental health and behavioral health services provider AspenPointe has announced it was the victim of a cyberattack in September 2020 in which patient information may have been compromised. The attack forced the healthcare provider to take its systems offline and most of its operations were affected for several days while the attack was mitigated.

Third-party cybersecurity professionals were engaged to assist with the investigation and recovery efforts and determine the extent to which patient information may have been compromised. A review of the documents potentially accessible to the attackers revealed on November 10, 2020 that patient information had potentially been accessed or acquired.

The documents on the breached systems contained patient names along with one or more of the following data elements: date of birth, driver’s license number, bank account information, Medicaid ID number, admission/discharge dates, diagnosis code, date of last visit, and/or Social Security number.

Following the discovery of the breach, a password reset was performed. Cybersecurity has since been strengthened with additional endpoint protection technology, changes to the firewall, and other measures, and network monitoring has been enhanced.

Notification letters are now being sent to all individuals potentially affected by the breach and a 1-year complimentary membership to IDX credit monitoring services is being provided to breach victims. Breach victims are also protected by a $1 million identity theft insurance policy and will have access to identity theft recovery services should they be required.

AspenPointe explained in its substitute breach notice that there have been no reported cases of identity theft, fraud, or improper use of patient information and no evidence was found to indicate any patient data was actually stolen by the attackers.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates the protected health information of 295,617 patients was potentially compromised in the attack.


Mayo Clinic Faces Multiple Lawsuits over Insider Privacy Breach

Mayo Clinic is facing multiple class action lawsuits over an insider data breach reported in October 2020. Mayo Clinic discovered a former employee had accessed the medical records of 1,600 patients without authorization and viewed information such as patient names, demographic information, dates of birth, medical record numbers, medical images, and clinical notes.

The Health Insurance Portability and Accountability Act (HIPAA) requires all HIPAA-covered entities to implement safeguards to ensure the privacy, confidentiality, and integrity of protected health information and limits the disclosures and uses of that information when patient consent is not obtained.

Healthcare employees are permitted to access PHI in the course of their work duties, but in this case the former employee had no legitimate work reason for viewing the records. The unauthorized access is in violation of the HIPAA Rules; however, there is no private cause of action in HIPAA, so individuals affected by such a breach cannot take legal action for any HIPAA violation that results in their medical records being exposed or compromised.

Two lawsuits have recently been filed in Minnesota state courts alleging violations of the Minnesota Health Records Act (MHRA), which introduced stricter regulations covering the privacy of healthcare data in Minnesota. MHRA applies to all Minnesota-licensed physicians, and the legislation does have a private cause of action, so patients can sue providers that violate MHRA.

The lawsuit alleges Mayo Clinic did not implement systems or procedures to ensure plaintiffs’ and similarly situated individuals’ health records would be protected and not subject to unauthorized access, and that the former employee accessed the plaintiffs’ medical records without first obtaining their consent.

Under MHRA, healthcare providers must obtain a signed and dated consent form from a patient or the patient’s legal representative authorizing the release of their medical records, unless there is a specific authorization in law, or when there is a representation from a provider holding a signed and dated consent form from the patient in question authorizing the release of their medical records.

The lawsuit also brings common law tort claims for invasion of privacy, negligent infliction of emotional distress, and vicarious liability. A major contributory factor to the emotional distress was that some of the accessible medical images included nude photographs of patients taken in connection with their cancer treatments. The plaintiffs seek monetary damages and other relief deemed appropriate by the courts.


US Fertility Reports Ransomware Attack Involving Data Theft

US Fertility (USF) has announced it suffered a ransomware attack on September 14, 2020 that affected some of its computer systems, including systems that contained sensitive protected health information. US Fertility is the largest operator of fertility clinics in the United States, running clinics at 55 locations in 10 states. Almost half of its locations are known to have been affected by the attack.

US Fertility responded immediately to the attack and determined that data had been encrypted on a number of its servers and workstations connected to its domain. Those devices were immediately taken offline while the attack was investigated. Third-party security and forensic experts were retained to assist with the investigation and the recovery of data on the affected workstations and servers. USF said it successfully restored all affected devices and reconnected them to the network on September 20, 2020. The attack has been reported to federal law enforcement and USF is assisting in the ongoing investigation.

USF said the forensic investigation has now been completed and data theft has been confirmed. The attackers first gained access to its network on August 12, 2020 and access remained possible until the attack was discovered on September 14, 2020. A review was conducted of all files accessible to the attackers, and that review was completed on November 13.

USF said unknown actors may have had access to files containing names, addresses, dates of birth, MPI numbers, and Social Security numbers. The types of data exposed varied from individual to individual and most patients did not have their Social Security number compromised.

While data theft was confirmed, there have been no reports received to indicate protected health information has been misused, but affected individuals have been advised to monitor their accounts and report any cases of suspected misuse of their protected health information.

USF has taken several steps to improve security since the attack, including fortifying its firewall, enhancing monitoring of network activity, and providing further training to employees on data protection, computer security, and recognizing phishing emails.


UVM Health Restores Electronic Health Record System One Month After Ransomware Attack

University of Vermont Health Network has announced it has brought its electronic health record (EHR) system back online, a month after experiencing a ransomware attack. The ransomware attack occurred on October 25, 2020 and caused a massive outage across all six of its hospitals. For the past month, staff have been forced to record patient information, orders, and medications using pen and paper while its computer systems were out of action.

Care continued to be provided to patients during the attack and recovery process, but the recovery of its EHR will greatly improve efficiency. The attack caused major disruption, especially at University of Vermont Medical Center in Burlington, but the attack affected its entire network. Without access to essential patient data, many elective procedures had to be rescheduled and the radiology department on the main campus experienced major delays, and was only open on a limited basis.

In a November 24, 2020 update, UVM Health announced it had achieved a major milestone in the recovery process, having brought its Epic EHR system back online for its inpatient and outpatient sites, including UVM Medical Center and the ambulatory clinics at Central Vermont Medical Center, Champlain Valley Physicians Hospital, and Porter Medical Center.

While electronic patient data is now available and staff can record patient data electronically, the recovery process is far from over and a great deal of work still needs to be done. “Our teams continue to work around the clock towards full restoration as quickly and safely as possible,” explained UVM Health.

The phone system has been restored, but patients are still unable to use the MyChart patient portal and so cannot access their health information online. There are hundreds of other applications used across the health network to deliver care to patients, and many of those systems remain offline. UVM Health is working hard at restoring those systems, and they will be systematically brought back over time, with the main focus being patient-facing systems.

Several other healthcare networks were attacked with ransomware around the same time as the attack on UVM Health. St Lawrence Health System in New York was able to restore its electronic health record systems within two weeks, but Sky Lakes Medical Center has been forced to replace the majority of its networks and workstations as a result of its ransomware attack.

Ashtabula County Medical Center (ACMC) in Ohio was particularly badly affected. ACMC was attacked with ransomware on September 24, 2020, with the attack affecting the medical center and 5 of its health centers. The EHR has still not been restored two months after the attack, and a full recovery is not expected until the end of the year.


Phishing Incidents Reported by Connecticut Department of Social Services, Mercy Iowa City and LSU Care Services

Connecticut Department of Social Services (DSS) has reported a potential breach of the protected health information of 37,000 individuals as a result of a series of phishing attacks that occurred between July and December 2019.

Several email accounts were compromised and were used to send spam emails to several DSS employees, the investigation of which confirmed the phishing attacks. A comprehensive investigation was conducted using state information technology resources and a third-party forensic IT firm, but no evidence was found to indicate the attackers had accessed patient information in the email accounts. According to the DSS breach notice, “Due to the large volume of emails involved and the nature of the phishing attack, the forensic efforts could not determine with certainty that the hackers did not access personal information.”

Identity theft protection services have been offered to affected individuals as a precaution and steps have been taken to improve email security and better protect against phishing attacks in the future.

More Than 92,000 Individuals Affected by Mercy Iowa City Phishing Attack

Mercy Iowa City has started notifying 92,795 individuals that some of their protected health information was potentially compromised in a phishing attack. The attack involved a single email account which was accessed by an unauthorized individual between May 15, 2020 and June 24, 2020. The email account was used to send spam and phishing emails.

A review of the compromised account revealed it contained names, dates of birth, Social Security numbers, driver’s license numbers, treatment information, and health insurance information. Individuals whose driver’s license number or Social Security number was potentially compromised have been offered complimentary credit monitoring services for 12 months.

Mercy Iowa City has implemented additional safeguards to prevent further attacks, including multi-factor authentication on email accounts.

LSU Health Care Services Suffers Phishing Attack

The Louisiana State University (LSU) Health New Orleans Health Care Services Division has announced that an unauthorized individual has accessed the email account of an employee and potentially viewed or obtained the information of patients of several hospitals in Louisiana.

The email account was breached on September 15, 2020. The attack was discovered on September 18 and the email account was immediately disabled. An investigation was launched but no evidence was found to indicate patient information in the emails and attachments was accessed or obtained by the individual responsible.

A review of the breached email account revealed it contained the protected health information of patients of the following hospitals:

  • University Medical Center in Lafayette
  • Lallie Kemp Regional Medical Center in Independence
  • Leonard J. Chabert Medical Center in Houma
  • O. Moss Regional Medical Center in Lake Charles
  • Bogalusa Medical Center in Bogalusa
  • Interim LSU Hospital in New Orleans
  • Earl K. Long Medical Center in Baton Rouge

The types of information potentially compromised varied from patient to patient and medical center to medical center, but may have included names, phone numbers, addresses, medical record numbers, account numbers, dates of birth, Social Security numbers, dates of service, types of services received, insurance ID numbers and, for a limited number of individuals, financial account information and health information. The investigation into the breach is continuing, but so far “thousands” of patients are known to have had their information exposed.

LSU Health is currently evaluating additional security measures to better protect against further attacks and additional information security training has been provided to employees.


Three More Healthcare Providers Suffer Cyberattacks Involving Ransom Demands

Three healthcare providers in New York, Florida, and Georgia have started notifying patients that some of their protected health information was potentially compromised in recent cyberattacks, two of which involved ransomware and one involving an unspecified computer virus.

Four Winds Hospital, NY

Four Winds Hospital in Katonah, NY, discovered files had been encrypted by ransomware on or around September 1, 2020. The attack prevented the hospital from accessing its computer systems and resulted in downtime of around two weeks while the attack was mitigated.

Upon discovery of the attack, steps were immediately taken to prevent any further unauthorized system access and third-party cybersecurity experts were engaged to help identify the scope of the attack and whether patient data had been compromised.

According to Four Winds Hospital’s substitute breach notice, “[The cybersecurity experts] obtained evidence that the cybercriminals deleted any files in their possession, although that evidence cannot be independently verified.” That suggests a ransom was paid, although that has not been confirmed by Four Winds Hospital.

The attack did not involve the electronic medical record system, cloud environment, email, or encrypted data fields. The investigation revealed password protected files were accessed and patient lists from 1983 to present could potentially have been viewed. Those lists included names and medical record numbers, with around 100 records containing Social Security numbers. Miscellaneous files containing patient data from 2013 to present may also have been accessed. Those files included names, treatment information, and the Social Security numbers of Medicare patients admitted prior to 2019.

The breach has yet to appear on the HHS’ Office for Civil Rights breach portal so it is unclear how many patients have been affected.

Advanced Urgent Care of Florida Keys

Advanced Urgent Care of Florida Keys started issuing notifications to patients on November 6, 2020 about a ransomware attack that occurred on March 1, 2020. While not stated in the breach notice, Databreaches.net previously reported (on March 14, 2020) that patient data was stolen in the attack and was dumped online when the ransom demand was not paid.

According to the Advanced Urgent Care breach notice, an investigation was launched following the attack, but it took until September 11, 2020 to determine that patient data had been compromised. The attack saw files on a backup drive encrypted which contained protected health information including names, dates of birth, health insurance information, medical treatment information, medical diagnostic information, lab results, medical record numbers, Medicare or Medicaid beneficiary numbers, medical billing information, bank account information, credit or debit card information, CHAMPUS ID numbers, Military and/or Veterans Administration numbers, driver’s license numbers, signatures, and Social Security numbers.

Complimentary credit monitoring services have been offered to patients whose Social Security number was compromised and steps have been taken to improve security to prevent further attacks and to identify and remediate future threats.

Galstan & Ward Family and Cosmetic Dentistry, GA

Galstan & Ward Family and Cosmetic Dentistry in Suwanee, GA, has reported a ransom event involving a computer virus on one of its servers. In contrast to ransomware attacks where files are encrypted and a ransom note is placed on infected computers, Galstan & Ward said the practice was contacted by telephone and told that a computer server had been infected with a virus. A ransom was then demanded over the telephone.

Galstan & Ward had previously detected suspicious activity on the server and had arranged for a third-party vendor to wipe the server and restore data from a backup. No ransom was paid, and Galstan & Ward reports no significant disruption to services or data loss. However, on September 11, 2020, Galstan & Ward discovered files had been stolen and published online on a dark web website, although those files did not contain any patient information.

The contracted IT firm confirmed that the malware had been removed and found no evidence to indicate patient information in its dental practice software was accessed. Additional investigations similarly found no evidence to indicate patient data was accessed or acquired.

Notifications were issued to patients out of an abundance of caution since it was not possible to rule out the possibility of unauthorized PHI access. If the attackers accessed the dental software system, they could have viewed names, dates of birth, addresses, Social Security numbers, and dental records.

In its comprehensive substitute breach notice, Galstan & Ward said cryptographic technology is now used to protect patient data and additional data security measures have been implemented on its web server infrastructure. Affected individuals have been offered complimentary identity theft protection services through IDX.
