Associates in Dermatology, a network of dermatology clinics in Indiana, Kentucky, and New York, has started notifying patients that some of their protected health information has been exposed in a ransomware attack on one of its business associates.
Virtual Private Network (VPN) Solutions provides electronic medical record management services to healthcare providers and Associates in Dermatology used its TouchChart software to host patient data. The ransomware attack was detected by VPN Solutions on or around October 31, 2021, and Associates in Dermatology was notified on December 22, 2021, that none of its data was accessed or stolen in the attack, but was told the forensic investigation into the attack was ongoing.
Associates in Dermatology said VPN Solutions was contacted on multiple occasions to ask how the forensic investigation was progressing and to obtain a formal report about the attack, but it took until January 17, 2023, to discover patient data had been exposed – 15 months after the breach was detected, and 2 months after VPN Solutions determined that files had been exposed.
According to the breach notice, electronic medical records were not exposed, but tag image files from a data warehouse may have been obtained in the attack. Most of those files did not contain patient data, but VPN Solutions said some of the files could be linked to patient names. Associates in Dermatology said VPN Solutions did not confirm if individually identifiable information or protected health information was contained in the files and did not provide a list of patient names.
Associates in Dermatology said its own analysis determined on March 10, 2023, that the compromised files may have contained personally identifiable information. The types of information varied from patient to patient and may have included one or more of the following data elements: first and last name, address, Social Security number, date of birth, medical condition(s)/diagnosis, treatment information, test results, health insurance policy number, subscriber identification number, health plan beneficiary number, and unique AID patient identifiers.
Associates in Dermatology said VPN Solutions has taken steps to improve security and has rebuilt its entire environment and restored all data. Associates in Dermatology performed a review of its contracts with third-party vendors and assessed their cybersecurity measures and has offered affected individuals complimentary credit monitoring and identity theft protection services.
The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.
47,000 Special Needs Student Records Exposed Online
A non-password-protected database containing the records of more than 47,000 special needs students was exposed to the Internet and could be accessed by anyone without authentication. Security researcher Jeremiah Fowler found the database in mid-February and traced it to a company called Encore Support Services, a Brooklyn, NY-based provider of special education, behavioral health, and related services. Fowler notified Encore Support Services about the data exposure and the database has now been secured.
According to Fowler, the 6.74 GB database stored records going back to 2018 and included invoices containing student names, addresses, parent names, Open Student Information System (OSIS) numbers, service provider names, vendor information, EIN/SSN tax identification, and billing hours. The invoices also included codes for services that indicated a disability.
The data could be used for a range of nefarious purposes. For instance, Encore Support Services could be impersonated and parents contacted and asked to reveal sensitive information or pay a small charge on their credit card. Since a threat actor would have access to students’ unique OSIS numbers, case numbers, and therapy histories, the requests would be convincing.
Fowler was unable to determine how long the database had been exposed or whether it had been accessed by unauthorized individuals, but suggests that it most likely had not been exposed for long, since the data had not been encrypted with ransomware or deleted for extortion purposes.
The post Associates in Dermatology Patients Affected by Business Associate Ransomware Attack appeared first on HIPAA Journal.