HIPAA Breach News

60,000 Individuals Affected by Texas Medical Liability Trust Data Breach

The Texas Medical Liability Trust (TMLT) has reported a data breach to the Maine Attorney General on behalf of itself and its affiliates, Texas Medical Insurance Company, Physicians Insurance Company, and Lone Star Alliance, Inc., a Risk Retention Group. The breach has affected 59,901 individuals.

Suspicious activity was detected within its IT environment on October 12, 2022. Steps were taken to secure its systems and third-party forensics specialists were engaged to investigate. They determined that an unauthorized actor had access to its environment between October 2, 2022, and October 13, 2022, and during that time, files containing protected health information may have been accessed that included names, Social Security numbers, EIN/Tax Identification numbers, state identification/driver’s license information, and financial account information. It took until August 18, 2023, to complete the review of the affected files.

Complimentary credit monitoring services have been offered to the affected individuals and a review of policies, procedures, and processes related to the storage and access of sensitive information has been conducted.

Email Account Breach Affects Patients of Bloom Health Centers

On July 5, 2023, Bloom Health Centers in Timonium, MD, identified suspicious activity in its Microsoft 365 email environment. Steps were immediately taken to prevent further unauthorized access and an investigation was launched to identify the activity. Assisted by a third-party cybersecurity firm, Bloom Health Centers determined that the email account of one of its clinicians was accessed without authorization on or around June 23, 2023.

The review of the account was completed on August 7, 2023, and confirmed the account contained the protected health information of 1,545 patients including names, addresses, email addresses, telephone numbers, dates of birth, and medical information such as medications and diagnoses. That information may have been accessed or acquired during the incident; however, no instances of misuse of patient data have been identified.

The affected individuals have now been notified by mail, and credit monitoring and identity theft protection services have been offered. Email security measures have been enhanced and further training on data protection best practices has been provided to all members of the workforce.

Prime Therapeutics/Magellan Rx Management Report Email Account Breach

Prime Therapeutics, a Minnesota-based pharmacy benefit management company serving health plans, employers, and government programs, and the next-generation pharmacy organization, Magellan Rx Management, a Prime Therapeutics company, have experienced a data breach involving the protected health information of 6,050 individuals.

The compromised data was stored in an employee’s mobile email account, which was discovered on July 11, 2023, to have been accessed by an unauthorized individual. The compromised credentials were disabled, the unauthorized individual’s IP address was blacklisted, and a review was conducted to determine what information had been exposed. While evidence of unauthorized data access was not found, the attacker may have been able to view names, addresses, dates of birth, member ID numbers, and medication(s).

Prime Therapeutics said it will continue to review internal procedures for potential improvements to strengthen account security and is evaluating additional safeguards to help prevent similar incidents from reoccurring in the future.

Carthage Area Hospital and Claxton Hepburn Medical Center Dealing with Cyberattack

Carthage Area Hospital and Claxton Hepburn Medical Center in Northern New York experienced a cyberattack on August 31, 2023. The hospitals put their emergency rooms on diversion and appointments were cancelled as a precaution due to IT systems being taken offline.

The FBI, New York State Department of Health, and the Department of Homeland Security were notified about the attack and the government is aware of the threat actor behind the attack but has not disclosed which group was responsible. The incident has been contained but the investigation is ongoing. At this stage of the investigation, it appears that patient data has not been compromised.

The post 60,000 Individuals Affected by Texas Medical Liability Trust Data Breach appeared first on HIPAA Journal.

Schneck Medical Center Settles HIPAA Lawsuit with Indiana AG

Seymour, IN-based Schneck Medical Center has settled a lawsuit with the Indiana attorney general, Todd Rokita, over a 2021 ransomware attack and data breach that affected 89,707 Indiana residents. Schneck Medical Center has agreed to pay a penalty of $250,000 to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) and state laws and will implement additional safeguards to prevent further data breaches.

According to the lawsuit, Schneck Medical Center conducted a risk analysis in December 2020 which revealed many critical security issues, but Schneck Medical Center failed to address them. Nine months later, on or around September 29, 2021, security flaws were exploited by a malicious actor who gained access to the network, exfiltrated sensitive patient data, and then deployed ransomware to encrypt files. The information stolen in the attack included names, addresses, dates of birth, Social Security numbers, driver’s license numbers, financial account information, payment card information, diagnoses, and health insurance information.

Schneck Medical Center was quick to alert patients to the cyberattack through a statement on its website on September 29, 2021; however, the Indiana AG alleged that Schneck Medical Center failed to disclose the risk patients faced and did not encourage them to take steps to protect themselves against identity theft and fraud, even though Schneck Medical Center was aware at the time that a large quantity of sensitive data had been stolen.

Another statement was released two months later on November 26, 2021, confirming that files had been stolen in the attack; however, Schneck Medical Center failed to disclose that protected health information had been exposed, despite being aware that PHI had been stolen. Schneck Medical Center also failed to issue timely individual notifications, which were not mailed until May 13, 2022 – 226 days after the discovery of the data breach. Schneck Medical Center also claimed in a May 13, 2022, substitute breach notice that data theft was discovered on March 17, 2022, when Schneck Medical Center was aware on September 29, 2023, that data had been stolen.

The Indiana attorney general alleged multiple violations of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule and violations of the Indiana Disclosure of Security Breach Act and the Indiana Deceptive Consumer Sales Act.

Schneck Medical Center Compensates Patients for Losses

Schneck Medical Center has also recently settled a consolidated class action lawsuit for $1.3 million. Two lawsuits were filed in response to the ransomware attack and data breach by patients Jalen Nierman, Bryce Sheaffer, Jennifer Renoll, Patricia White, and Nigel Myers who sought compensation for the data breach. The plaintiffs alleged Schneck Medical Center failed to implement reasonable and appropriate safeguards to ensure the confidentiality of patient data. Schneck Medical Center agreed to a settlement with no admission of wrongdoing.

Under the terms of the settlement, class members are entitled to claim up to $500 in ordinary expenses, including up to 4 hours of lost time at $15 per hour. Individuals who incurred extraordinary expenses due to the data breach can claim up to $6,000. Claims may be paid pro rata, depending on the number of claims received. The settlement also includes 27 months of free credit monitoring and identity theft protection services and coverage through a $1 million identity theft insurance policy.


L.A. Care Health Plan Settles Multiple HIPAA Violations for $1.3 Million

The Local Initiative Health Authority for Los Angeles County, operating as L.A. Care Health Plan, has settled multiple violations of the HIPAA Privacy and Security Rules with the HHS’ Office for Civil Rights (OCR) and will pay a $1,300,000 penalty and adopt a robust corrective action plan.

L.A. Care Health Plan is the largest publicly operated health plan in the United States and has more than 2.7 million members. OCR said it launched two separate investigations of L.A. Care Health Plan to assess the state of HIPAA compliance, the first of which was in response to a media report about impermissible disclosures of protected health information (PHI) via its member portal and the second was in response to a breach that was reported to OCR involving the PHI of 1,498 members.

In 2016, a media outlet reported that members of the health plan were able to access the protected health information (PHI) of other members via the online member portal over a 2-day period in 2014 due to a manual processing error. OCR informed L.A. Care Health Plan it had initiated a compliance review and in February 2016, L.A. Care Health Plan reported the breach to OCR as affecting fewer than 500 individuals. In March 2019, L.A. Care Health Plan notified OCR about a 1,498-record data breach caused by a mailing error that saw members receive the ID cards of other health plan members.

OCR determined that there had been several failures to fully comply with the requirements of the HIPAA Privacy and Security Rules. The resolution agreement lists 6 potential HIPAA violations identified by its investigators.

  1. A failure to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI – 45 C.F.R. § 164.308(a)(1)(ii)(A).
  2. A failure to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level – 45 C.F.R. § 164.308(a)(1)(ii)(B).
  3. A failure to implement sufficient procedures to regularly review records of information system activity – 45 C.F.R. § 164.308(a)(1)(ii)(D).
  4. A failure to perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of ePHI – 45 C.F.R. § 164.308(a)(8).
  5. A failure to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI – 45 C.F.R. § 164.312(b).
  6. The impermissible disclosure of the ePHI of 1,498 individuals – 45 C.F.R. § 164.502(a).

L.A. Care Health Plan chose to settle the investigations with no admission of liability and agreed to pay a $1,300,000 financial penalty and adopt a corrective action plan to correct the alleged HIPAA violations. The corrective action plan includes the requirement to conduct a comprehensive, organization-wide risk analysis, develop a risk management plan, develop, implement, and distribute policies and procedures for a risk analysis and risk management plan, report to OCR when evaluations of environmental and operational changes are conducted, and to report HIPAA violations by employees to OCR within 30 days.

“Breaches of protected health information by a HIPAA-regulated entity often reveal systemic noncompliance with the HIPAA Rules,” said OCR Director Melanie Fontes Rainer. “HIPAA-regulated entities need to be proactive in ensuring their compliance with the HIPAA Rules, and not wait for OCR to reveal long-standing HIPAA deficiencies. Entities such as LA Care must protect the health information of its insureds while providing health care for the most vulnerable residents of Los Angeles County through its coverage, which includes Medicaid, Medicare, and Affordable Care Act health plans.”


Kaiser Pays $49 Million to Settle Improper Disposal Investigation

California Attorney General Rob Bonta has announced a $49 million settlement has been reached with Kaiser Foundation Health Plan Foundation Inc. and Kaiser Foundation Hospitals to resolve allegations of improper disposal of hazardous waste, medical waste, and protected health information.

Oakland, CA-based Kaiser is the largest healthcare provider in California with more than 700 healthcare facilities in the state, serving more than 8.8 million patients. An investigation was launched by 6 district attorneys from Alameda, San Bernardino, San Francisco, San Joaquin, San Mateo, and Yolo counties into the unlawful dumping of dangerous items. Undercover staff from the district attorneys’ offices inspected dumpsters at 16 different Kaiser facilities. The dumpsters were not secured and the contents were destined for disposal in landfill sites.

The inspectors found hundreds of items of hazardous and medical waste, including aerosols, cleansers, sanitizers, batteries, syringes, medical tubing containing body fluids, pharmaceuticals, and electronic wastes. The dumpsters also contained more than 10,000 paper records that contained the protected health information of 7,700 patients. The California Department of Justice later joined the investigation and expanded it statewide at other Kaiser facilities. Kaiser was alleged to have violated the Health Insurance Portability and Accountability Act (HIPAA), and California’s Hazardous Waste Control Law, Medical Waste Management Act, Confidentiality of Medical Information Act, Customer Records Law, and Unfair Competition Law.

In response to the investigation, Kaiser engaged a third-party consultant to conduct more than 1,100 trash audits at its facilities and its operating procedures have been updated to ensure proper waste disposal across its facilities in California. The settlement consists of $37,513,000 in civil penalties, $4,832,000 in attorneys’ fees and costs, and $4,905,000 for supplemental environmental projects. A further $1.75 million in civil monetary penalties must be paid if Kaiser has not invested a further $3.5 million in its Californian facilities to provide enhanced environmental compliance measures.

Kaiser is also required to retain an independent third-party auditor to conduct more than 520 trash compactor audits at its California facilities to make sure hazardous items and protected health information are not being disposed of in regular trash, and at least 40 programmatic field audits must be conducted each year for the next 5 years to evaluate compliance with its policies covering hazardous waste, medical waste, and protected health information.

“The illegal disposal of hazardous and medical waste puts the environment, workers, and the public at risk. It also violates numerous federal and state laws,” said Attorney General Bonta. “As a healthcare provider, Kaiser should know that it has specific legal obligations to properly dispose of medical waste and safeguard patients’ medical information. I am pleased that Kaiser has been cooperative with my office and the district attorneys’ offices, and that it took immediate action to address the alleged violations.”


Lifeline Systems Company Notifies Patients About August 2022 Cyberattack

Lifeline Systems Company, a Marlborough, MA-based provider of patient alarm systems, has recently notified 74,849 individuals about a data breach that occurred more than a year ago. According to the notification letters, unusual network activity was detected on August 6, 2022. Incident response protocols were immediately initiated, and a third-party computer forensic investigation was launched to investigate the nature of the incident.

The investigation confirmed that an unauthorized individual had access to its systems from July 27, 2022, to August 6, 2022, and accessed certain documents on its systems during that period. On August 18, 2022, Lifeline determined the documents included information for subscribers, employees, and individuals eligible to receive Lifeline services. The exposed information included names, driver’s license numbers, and Social Security numbers.

Due to the length of time taken to perform the document review, notification letters could not be sent until September 7, 2023. Complimentary credit monitoring services have been offered to individuals who had their Social Security number or driver’s license number exposed. Lifeline said it has enhanced its network monitoring capabilities and will continue to conduct audits of its systems to look for unauthorized activity.

Milan Eye Center Reports Breach at EHR Vendor

Milan Eye Center, an Atlanta, GA-based network of eye surgery centers, has started notifying 67,336 patients that some of their protected health information was compromised in an incident at its third-party vendor, iMedicWare Inc. Milan Eye Center said it was informed about a data compromise incident on December 9, 202, and launched an investigation which concluded on July 24, 2023, that an unauthorized individual was able to access at least some historical patient archives maintained by iMedicWare between May 18, 2020, and July 23, 2020.

The records included information such as names, birth dates, telephone numbers, insurance coverage information, Social Security numbers, service locations, dates of service, and health statuses. It was not possible to determine exactly which patient records were accessed, so notification letters were sent to all individuals who received services on or before July 23, 2020. Complimentary credit monitoring services have been offered to the affected individuals.

Milan Eye Center confirmed it no longer uses iMedicWare as its electronic health record vendor and said additional technical safeguards and policies have been implemented to enhance information system security.

NOW Health Group Suffers Phishing Attack

Bloomingdale, IL-based NOW Health Group, Inc. has recently determined that the protected health information of 4,661 individuals was compromised in a phishing attack. The attack was detected on or around March 17, 2023, when suspicious activity was identified in its email environment. The forensic investigation determined that unauthorized individuals gained access to certain employee email accounts between March 17 and March 20. A review of the emails and documents in the accounts was completed on July 6, 2023. The information potentially compromised included names and Social Security numbers.

Additional safeguards have been implemented to improve email security and further training has been provided to employees to help them identify phishing attempts. Complimentary credit monitoring services have been offered to the affected individuals.

Mountain View Family Practice Reports June 2023 Cyberattack

Mountain View Family Practice in Baldwinville, MA, has alerted 5,139 individuals about a June 11, 2023, cyberattack on its systems. The forensic investigation determined that an unauthorized individual had access to its systems between June 10 and June 11, 2023, and viewed and potentially obtained certain data stored on its systems, including names and Social Security numbers. Notifications were sent to the affected individuals on August 31, 2023, and credit monitoring and identity theft protection services have been offered.


IBM Notifies Janssen CarePath Patients About Unauthorized Database Access

IBM has recently announced that the sensitive data of patients of the Johnson & Johnson Health Care Systems subsidiary, Janssen CarePath, has been exposed. IBM is a business associate of Johnson & Johnson and manages the application and database that supports the Janssen CarePath platform. Janssen recently became aware of a method that could be used by unauthorized individuals to gain access to the database and notified IBM, which worked with the database provider and remediated the problem. IBM also conducted an investigation to determine if the database had been accessed by unauthorized individuals and confirmed unauthorized access had occurred on August 2, 2023; however, it was not possible to determine the nature of the access and if patient data had been exfiltrated.

Since patient data may have been accessed, IBM has issued notification letters to the affected Janssen CarePath customers. The data exposed included names in combination with one or more of the following data types: contact information, date of birth, health insurance information, medications, and healthcare conditions. IBM has offered the affected individuals 12 months of complimentary credit monitoring services.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected. The data breach could be substantial as 1.16 million patients used the CarePath platform in 2022.

Hospital Sisters Health System Dealing with Cyberattack

Hospital Sisters Health System (HSHS) is currently dealing with a cybersecurity incident that forced it to take some of its IT systems offline. The phone system was taken out of action, but hospital and clinic phone lines have now mostly been restored. The hshs.org website was affected and is now redirecting to the domain hshsupdates.org, where regular updates are being posted for patients.

Hospital Sisters Health System is headquartered in Springfield, IL, and operates 15 hospitals in Illinois and Wisconsin, which have been working under downtime procedures until IT systems can be safely brought back online. All hospitals and emergency departments remain open, and patients are being received and treated; however, patient billing services are still suspended. At this stage of the investigation, it is too early to tell to what extent, if any, patient data has been compromised.

The University of Massachusetts Chan Medical School Confirms PHI was Stolen in MOVEit Transfer Hack

The University of Massachusetts Chan Medical School has recently confirmed that the protected health information of 134,394 individuals was compromised by the Clop hacking group, which exploited a zero-day vulnerability in the MOVEit Transfer file transfer solution.

The affected individuals had enrolled in a state program through the Worcester, MA-based medical school, such as the State Supplement Program, MassHealth Premium Assistance, MassHealth Community Case Management, or the Executive Office of Elder Affairs and Aging Services Access Points home care programs. The compromised information includes names, dates of birth, addresses, Social Security numbers, financial account numbers, and healthcare information (diagnosis, treatment information, prescription information, provider names, dates of service, claims information, and health insurance information). Complimentary credit monitoring and identity theft protection services have been offered to the affected individuals.


CentroMed Facing 2 Class Action Lawsuits Over 350,000-Record Data Breach

El Centro Del Barrio, dba CentroMed in San Antonio, TX, is facing at least two class action lawsuits over a June 2023 cyberattack in which hackers gained access to the personal and protected health information (PHI) of 350,000 patients.

The attack was detected on June 12, 2023, and the forensic investigation confirmed unauthorized access to IT systems first occurred on June 9, 2023. The information accessed in the attack included names, addresses, dates of birth, Social Security numbers, financial account information, medical record numbers, health insurance plan member IDs, and claims data. The affected individuals were notified by mail on August 11, 2023.

CentroMed patients Jasmine Grace and Dawn Leal have each taken legal action against CentroMed over the impermissible disclosure of their personal information and allege CentroMed was negligent for failing to properly secure and safeguard their personally identifiable information, which is now in the hands of cybercriminals.

They both claim they face an imminent, ongoing, and substantial risk of identity theft and fraud and have had to invest considerable time and money into protecting themselves against the misuse of their personal information. The lawsuits also take issue with the length of time it took CentroMed to issue notification letters to patients. CentroMed took two months to issue notifications, although this was within the time allowed under the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule.

The lawsuits allege the defendant violated HIPAA by failing to adequately protect their data and allege negligence, breach of fiduciary duty, and unjust enrichment. Jasmine Grace’s lawsuit was filed in District Court in San Antonio, and she is represented by attorney Samantha Holbrook. The lawsuit seeks $1 million in damages. Dawn Leal’s lawsuit was filed in San Antonio federal court by attorney Joe Kendall and seeks $5 million in damages.


Employee Health Plan Data Exposed in Forever 21 Data Breach

Fashion retailer Forever 21 has notified the Maine Attorney General of a data breach in which the health plan data of 539,207 current and former employees was exposed. Breach notification letters are being sent to everyone potentially affected by the breach. However, the letters reveal little about the nature of the attack or what specific data was exposed.

According to the notification published on the Maine Attorney General website, Forever 21 experienced an “external system breach” between January 5 and March 21, 2023. The nature of the information breached is “name or other personal identifier in combination with Social Security number”, and identity theft services are being offered to those potentially affected.

The notification also includes a link to the company’s breach notification letter to potentially affected individuals. The letter provides limited information about the nature of the attack or what specific data was exposed, stating that an unauthorized third party “accessed certain Forever 21 systems” and “obtained select files from certain Forever 21 systems”.

With regards to what these select files might have contained, the letter states “the files involved contained some of your personal information, such as your name, Social Security number, date of birth, bank account number (without access code or pin), and information regarding your Forever21 health plan, including enrollment and premiums paid.”

Letter Raises More Questions than Answers

Forever 21 notes in the breach notification letter that the company has taken steps to “help assure” that the unauthorized third party no longer has access to the data and has not copied, retained, or further disclosed the data. This has led to speculation that Forever 21 paid a ransom to the unauthorized third party – which, historically, doesn’t “help assure” the data will not be further disclosed.

Additionally, although the notification letter includes details of the credit monitoring and identity theft services available to potentially affected individuals, there is no advice about obtaining a copy of PHI from individuals’ healthcare providers to ensure stolen data is not used to obtain healthcare or other health services (i.e., prescription drugs) in the individuals’ names.

This could mean that no Protected Health Information was exposed in the data breach, or that Forever 21 has omitted this important piece of advice for affected individuals. The latter is more likely if the data exposed in the external system breach included details of how the premiums were calculated or what payments had been made by the health plan for individuals’ treatments.

At the time of publication, Forever 21 has not reported the data breach to HHS’ Office for Civil Rights. However, as the date the breach was discovered on the Maine Attorney General website is entered as August 4, 2023, the company has until October 3, 2023, to notify the agency – if Protected Health Information was exposed and the external system breach qualifies as a HIPAA data breach.


Orrick, Herrington & Sutcliffe Sued Over Ransomware Attack and Data Breach

The San Francisco, CA-based law firm, Orrick, Herrington & Sutcliffe LLP, is facing a class action lawsuit over a ransomware attack and data breach that was detected on March 13, 2023. The law firm determined that part of its network had been compromised by an unauthorized third party, which gained access to a file share that was used to store client files. The unauthorized access was immediately blocked; however, the forensic investigation confirmed that files containing personal information had been exfiltrated from its servers between February 28 and March 13, 2023. The compromised information included names, addresses, dates of birth, and Social Security numbers. The law firm offered the affected individuals complimentary credit monitoring and identity theft protection services.

On August 11, 2023, a lawsuit was filed in the U.S. District Court for the Northern District of California on behalf of plaintiff Dennis R Werley, and more than 152,818 similarly situated individuals who had their personal information compromised in the attack. The lawsuit alleges the law firm failed to implement adequate and reasonable measures to protect its computer systems, failed to take adequate steps to prevent and stop the breach, did not detect the breach in a timely manner, failed to disclose material facts that adequate system security measures were not in place to prevent data breaches, failed to honor repeated promises and representations to protect the information of the breach victims, then failed to provide timely notifications. According to the lawsuit, “Thanks to Defendant’s failure to protect the Breach Victims’ Personal Information, cyber criminals were able to steal everything they could possibly need to commit nearly every conceivable form of identity theft and wreak havoc on the financial and personal lives of potentially millions of individuals.”

The lawsuit alleges the plaintiff and class members have had their privacy violated and have been victims of identity theft and fraud or have been exposed to a heightened and imminent risk of fraud and identity theft, and have and will continue to incur out-of-pocket costs for credit monitoring services, credit freezes, and other protective measures. The lawsuit includes a long list of cybersecurity measures that the law firm could and should have implemented to prevent the data breach but failed to do so.

The lawsuit alleges negligence, negligence per se, breach of fiduciary duty, breach of confidence, breach of implied contract, and invasion of privacy and seeks a jury trial, compensatory damages, adequate credit monitoring services, and injunctive relief, including an order from the court requiring the law firm to implement a swathe of security measures to prevent future data breaches.
