HIPAA Breach News

Ohio Eye Care Provider Suffers Ransomware Attack

Eye Care Associates, a fully integrated regional eye care provider in northeast Ohio, experienced a ransomware attack in late July which took its computer systems out of action. Two weeks after the attack occurred, its computer systems remain locked.

According to Director of Operations, Mary Jo Silva, the attack occurred in the early hours of July 28, 2019. The Beaver Township Police Department was notified about the attack and the board was informed.

A ransom demand was received, but no amount was stated on the demand; contact with the attackers would have been required to find out how much they wanted. Silva said no contact was made with the attackers and no payment was made. Eye Care Associates has been working with its backup and file storage service provider to recover all encrypted files, and Silva expects systems to be brought back online in the next couple of days. An investigation into the attack has uncovered no evidence to suggest patient information was stolen. The Business Journal reports that the ransomware was delivered via email.

The attack has caused considerable disruption at the practice. It has not been possible to book new appointments for two weeks as the appointment system has been down, and staff have had to rely on paper records when providing treatment to patients.

Multiple Email Accounts Compromised in NCH Healthcare System Phishing Attack

Naples, FL-based NCH Healthcare System has experienced a phishing attack in which patient information may have been compromised.

NCH Healthcare identified suspicious activity in its payroll system on June 14, 2019 and called in third-party computer forensics experts to investigate. The investigation revealed that the email accounts of several employees had been compromised after those employees responded to phishing emails.

It is possible that patient information in emails and email attachments could have been accessed or copied by the attackers. Patients have been notified about the breach and have been advised to monitor their accounts and explanation of benefits statements for any signs of fraudulent activity.

It is unclear at this stage how many patients have been affected by the breach.

The post Ohio Eye Care Provider Suffers Ransomware Attack appeared first on HIPAA Journal.

Hackers Demand $1 Million Ransom from Washington Hospital

A ransomware attack on an Aberdeen, WA hospital and its associated clinics is still causing problems two months after it occurred. The attackers have demanded $1 million for the decryption keys.

On June 15, 2019, Grays Harbor Community Hospital started experiencing IT problems. The attack occurred on a Saturday when staffing was limited so initially the problem was attributed to an IT issue. On Monday it became apparent that ransomware was involved and steps were taken to isolate the infection and secure the network; however, the attackers had already moved laterally and had gained access to servers and the systems used by Harbor Medical Group clinics. The initial point of attack appears to have been a response to a phishing email by a single employee.

Harbor Medical Group operates 8 clinics in the Aberdeen and Hoquiam region, and those clinics were the worst affected by the attack. Grays Harbor Community Hospital used older software, which prevented the ransomware from being installed on the hospital’s main computer system. The clinics used more recent software, which allowed the attackers to infect more systems. Those systems are still down at the clinics, which are using pen and paper to record patient information.

A spokesperson for the hospital said patient care has not been affected. The hospital is continuing to provide emergency care to patients and appointments are going ahead as scheduled. There have been some delays to appointments and there are still issues accessing patient information. Patients have been told to bring details of their prescriptions and their medical histories and to make that information available at point of care.

The hospital had created backups, but it was not possible to recover files as the backups had also been encrypted. Backups that remain mounted or otherwise reachable from the production network are within reach of the same ransomware, which is why at least one copy should be kept offline or on immutable storage. As of August 13, 2019, the hospital still had not regained access to its files. The attack has been reported to the FBI and the hospital is assisting with its investigation.

The hospital had previously taken out a cybersecurity insurance policy for $1 million, which may cover the ransom payment. It is unclear whether the ransom has been paid.

No evidence of data access or theft was found, but the possibility could not be discounted. The information potentially exposed included full name, address, phone number, date of birth, Social Security number, insurance information, diagnoses, and treatment information.

The hospital has started notifying the 85,000 patients affected by the breach and each has been offered complimentary credit monitoring services. Security measures are being assessed at the hospital and medical group and additional hardware and software solutions will be implemented as appropriate to improve security. Employees will also be provided with additional training.

Renown Health Discovers PHI was Stored on Lost Thumb Drive

Renown Health, the largest healthcare provider in Northern Nevada, has started notifying certain patients that some of their protected health information (PHI) may have been compromised.

Patient information was present in files on a portable storage device (thumb drive) discovered to be missing on June 30, 2019. An extensive search of the facility was conducted but the thumb drive could not be located.

An investigation was conducted to determine what files had been saved to the device and which patients had their PHI exposed.

Files on the storage device related to patients who had received inpatient services at Renown South Meadows Medical Center between January 1, 2012 and June 14, 2019. The types of information in the files included names, diagnoses, medical record numbers, clinical information, admission dates, and physicians’ names. No Social Security numbers or financial information were stored on the device.

Patients have been advised to exercise caution and monitor their accounts and explanation of benefits statements for any signs of fraudulent activity. Renown Health will be reviewing its policies covering the use of portable devices such as thumb drives and will be reeducating its workforce on safeguarding patient information.

The data breach has not yet appeared on the Department of Health and Human Services’ Office for Civil Rights’ breach portal, so it is unclear how many patients have been affected.

This is the second data breach of this nature to be reported in the past few days. The New York Fire Department also reported a breach involving the loss of a portable electronic device containing the ePHI of patients. Around 10,000 EMS patients were impacted by the breach.

These incidents highlight the importance of encrypting all portable electronic devices used to store ePHI. If a lost or stolen device is encrypted in line with HHS guidance (which points to NIST encryption standards), the ePHI on it is considered unusable, unreadable, or indecipherable to unauthorized individuals, and under the HIPAA Breach Notification Rule the loss is not a reportable breach. A password alone, as the FDNY and Philadelphia DBHIDS incidents show, does not qualify.

More than 10,000 FDNY EMS Patients Notified of PHI Exposure

More than 10,000 EMS patients taken to hospital by a New York Fire Department (FDNY) ambulance between 2011 and 2018 have had some of their protected health information exposed.

According to FDNY spokesperson Myles Miller, there was “a loss of data caused by one employee’s failure to follow the department’s data security policies.”

The fire department learned on March 4, 2019 that an employee’s personal hard drive was missing. The hard drive had been used by the employee to store files containing patient information such as patient care reports.

A patient care report is created when a 911 call is received that requires an ambulance to respond. The reports contained information on 10,253 patients such as name, address, telephone number, date of birth, insurance details, health condition, and for approximately 3,000 patients, their Social Security number.

All affected individuals are now being notified of the breach and individuals whose Social Security number was exposed have been offered complimentary credit monitoring services. “The FDNY is treating the incident as if the information may have been seen by an unauthorized person,” wrote the FDNY in its breach notification letter.

The employee in question was authorized to access patient information but was not authorized to use a personal, unencrypted hard drive to store files containing protected health information. The employee will be subjected to disciplinary measures and all employees required to handle medical information will be retrained.

Email Security Breaches Expose PHI of Seattle Community Psychiatric Clinic Patients

Community Psychiatric Clinic in Seattle, WA, a provider of accredited outpatient mental health treatment and counseling services, has experienced two security breaches in which patient information may have been compromised. In both cases, an unauthorized individual gained access to an employee’s Microsoft Office 365 account.

The first security breach was detected on March 12, 2019 when unauthorized access to an employee’s account was identified. The affected account was immediately secured, passwords were changed, and the employee’s hard drive was restored. Additional protections were also added to the email account to prevent similar breaches from occurring in the future. The investigation did not uncover any evidence to suggest that patient data had been stolen.

Around two months later on May 8, 2019, a second email account was discovered to have been compromised in a separate attack. The attacker used the email account to send a fraudulent wire transfer request to another member of staff. The transfer was executed, but due to the fast response of the clinic, it was possible to recover all the funds. A password reset was performed to lock out the attackers and additional protections have now been implemented on the breached account to reduce the risk of further attacks. Again, no evidence was found to suggest patient information had been stolen.

A forensic investigation revealed that, in addition to the above two accounts, a further two accounts had also been compromised. The investigators note that since the attackers accessed the mailboxes through Outlook Web Access, the potential for large-scale data exfiltration was significantly reduced, though webmail access still lets an attacker search a mailbox and download individual messages and attachments. The lack of evidence of data exfiltration suggests the attackers did not succeed in obtaining patient information, but patients have been notified as a precaution.

The breaches have yet to appear on the Department of Health and Human Services’ Office for Civil Rights breach portal so it is currently unclear how many patients have been affected.

PHI of Tens of Thousands of Patients Exposed Online Due to Database Misconfiguration

A database containing the personal information of individuals who had expressed an interest in Amarin Pharma’s cholesterol drug Vascepa® has been exposed online.

The database was maintained by a third-party vendor and contained information such as full names, addresses, telephone numbers, email addresses, medications, and interest in a copay card for Vascepa®.

Amarin learned of the breach via media reports of an exposed database containing information on Amarin customers and immediately launched an investigation. The company quickly determined which database had been exposed, suspended the active data feeds, and secured the database the same day.

The vendor’s investigation revealed a database misconfiguration had occurred which rendered the database accessible online between May 2, 2018 and June 20, 2019.

An investigation by the vendor confirmed that the database had been subjected to unauthorized access by a third party between May 29, 2019 and June 20, 2019, and during that time data had been copied.

Amarin and its vendor are continuing to investigate the breach and the database will not be brought back online until additional safeguards have been implemented to prevent any further accidental disclosures.

According to vpnMentor, the database contained the records of approximately 78,000 individuals. A second database containing transaction information was also exposed.

Database of Billing and Insurance Data Processing Vendor Exposed Online

Another exposed database was discovered by security researchers at UpGuard. The data was stored in an unsecured Amazon S3 bucket and comprised around 14,000 documents containing a range of medical, personal and financial information. The bucket was traced to the billing and insurance data processing vendor Medico.

Spreadsheets, documents, PDF files, text files, and images were accessible in the bucket. Those files contained names, contact information, banking information, insurance information, Social Security numbers, usernames, passwords, prescription information, and other personal and medical information. Most of the information dated from 2018.

UpGuard notified the vendor of the unsecured S3 bucket and the database and files were secured the same day. It is unclear whether the information had been accessed by anyone else before the UpGuard researchers found it. Unless S3 server access logging or CloudTrail data events had been enabled for the bucket beforehand (neither is on by default), that question usually cannot be answered after the fact.
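
The Medico incident is the familiar case of a storage bucket left readable by anyone. The following is an added example, not code from HIPAA Journal or from any of the organizations named above: an offline check that reads an S3 bucket ACL and bucket policy in the shape returned by the S3 GetBucketAcl and GetBucketPolicy APIs and reports every grant that opens the bucket to the public. The ACL, policy, bucket name and owner ID below are constructed samples.

```python
# Added example (not from HIPAA Journal or any organization named on this page):
# an offline check of an S3 bucket ACL and bucket policy for grants that make
# the bucket readable by the public. Inputs mirror the shape of the S3
# GetBucketAcl / GetBucketPolicy API responses; the sample documents at the
# bottom are constructed, and the owner ID and bucket name are placeholders.
import json

# The two predefined S3 groups that make a grant public: anonymous users, and
# any authenticated AWS account (which in practice is still everyone).
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}


def public_acl_grants(acl):
    """Return one finding for every ACL grant made to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GROUP_URIS:
            findings.append(
                f"ACL grants {grant.get('Permission')} to {PUBLIC_GROUP_URIS[uri]}"
            )
    return findings


def is_wildcard_principal(principal):
    """True for Principal "*", {"AWS": "*"}, or an AWS list containing "*"."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy):
    """Return one finding for every Allow statement open to any principal."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a policy may carry a single statement object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not is_wildcard_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        # A Condition (e.g. aws:SourceVpce) may narrow the grant, but it still
        # needs a human look, so it is flagged rather than silently ignored.
        suffix = " (has Condition; review it)" if stmt.get("Condition") else ""
        findings.append(
            f"policy statement {stmt.get('Sid', '<no Sid>')} allows "
            f"{', '.join(actions)} to any principal{suffix}"
        )
    return findings


def assess_bucket(acl, policy_json=None):
    """Combine ACL and policy findings; an empty list means nothing public was found."""
    findings = public_acl_grants(acl)
    if policy_json:
        findings += public_policy_statements(json.loads(policy_json))
    return findings


# Constructed sample: the ACL is owner-only, but the bucket policy lets anyone
# download every object, which is the misconfiguration the check must catch.
SAMPLE_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-CANONICAL-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"},
         "Permission": "FULL_CONTROL"},
    ],
}
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-billing-bucket/*",
    }],
})

if __name__ == "__main__":
    for finding in assess_bucket(SAMPLE_ACL, SAMPLE_POLICY):
        print("PUBLIC:", finding)
```

In a real account the two inputs come from `aws s3api get-bucket-acl --bucket NAME` and `aws s3api get-bucket-policy --bucket NAME` (the latter returns the policy as a JSON string in its `Policy` field, which is why the function above takes the policy as text). The check deliberately flags conditional wildcard statements instead of trusting the condition, because a condition on the wrong key leaves the bucket just as open. Enabling S3 Block Public Access at the account level renders both kinds of grant ineffective regardless of what an individual bucket's ACL or policy says.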

Further 185,000 Individuals Affected by AMCA Data Breach

Three more healthcare organizations have announced they have been affected by the data breach at American Medical Collection Agency (AMCA): West Hills Hospital & Medical Center in California, Inform Diagnostics, and CompuNet Clinical Laboratories.

The AMCA data breach was first announced more than two months ago. Most of the companies impacted by the breach were notified by AMCA in May or June that some of their patients’ data had potentially been compromised, but it has taken several weeks for those companies to be provided with sufficient information to make announcements and send notification letters.

The breach at AMCA occurred between August 1, 2018 and March 30, 2019. During that period, an unauthorized individual had access to a web payment page, through which it was possible to obtain personal and financial information. Affected individuals had had their information passed to AMCA to collect outstanding bills for medical services.

The latest announcements bring the total number of companies known to have been affected to 21. It is not yet known how many patients of West Hills Hospital and Medical Center have been affected, but as it stands, the total victim count is at least 24,390,307. It may take several weeks before the final victim count is known and all of those individuals receive their breach notification letters.

West Hills Hospital and Medical Center

West Hills Hospital and Medical Center in West Hills, CA, uses a company called United WestLabs (UWL) to manage its reference laboratory. United WestLabs was informed by AMCA on June 12, 2019, that it had been impacted by the breach. Affected patients had their name, address, patient account number, amount owed, and service dates compromised. Some patients also had their credit or debit card number exposed.

AMCA has sent breach notification letters to all individuals whose financial information was exposed. All other affected West Hills patients are being notified by the hospital. West Hills Hospital and United WestLabs have now stopped using AMCA’s services.

Inform Diagnostics

Inform Diagnostics is an Irving, TX-based provider of pathology laboratory services. On June 30, 2019, the company was notified by AMCA’s holding company, Retrieval Masters Creditors Bureau, that personal and payment information had been accessed by a hacker. That information included first and last names, banking information, credit/debit card numbers, Social Security numbers, service dates, and names of referring physicians. 173,690 Inform Diagnostics patients are known to have been affected.

CompuNet Clinical Laboratories

Dayton, OH-based laboratory service provider CompuNet Clinical Laboratories was notified by AMCA on June 5, 2019 that the company had been affected by the breach.

The data exposed included names, dates of birth, service dates, medical service provider names, names of referring physicians, health insurance information, and other medical information. A subset of patients also had their Social Security number, credit/debit card number, and/or financial information exposed. Approximately 111,000 patients are known to have been affected.

Companies Known to Have Been Affected by the AMCA Data Breach

Healthcare Organization                                     Records Exposed
Quest Diagnostics / Optum360                                     11,900,000
LabCorp                                                           7,700,000
Clinical Pathology Associates                                     2,200,000
American Esoteric Laboratories                                      541,900
Carecentrix                                                         500,000
Sunrise Medical Laboratories                                        427,000
BioReference Laboratories / Opko Health                             422,600
Inform Diagnostics                                                  173,690
CBLPath Inc.                                                        148,900
Laboratory Medicine Consultants                                     147,600
CompuNet Clinical Laboratories                                      111,000
Austin Pathology Associates                                          46,500
South Texas Dermatopathology PLLC                                    16,100
Pathology Solutions                                                  13,300
Penobscot Community Health Center                                    13,000
Seacoast Pathology, Inc                                              10,000
Arizona Dermatopathology                                              7,000
Western Pathology Consultants                                         4,550
Laboratory of Dermatology ADX, LLC                                    4,240
Natera                                                                3,000
West Hills Hospital and Medical Center / United WestLabs            Unknown
Total                                                            24,390,307

Presbyterian Healthcare Services Data Breach Impacts 183,000 Patients

New Mexico-based Presbyterian Healthcare Services is notifying approximately 183,000 patients and health plan members that some of their protected health information (PHI) has been exposed in a recent security breach.

On or around May 6, 2019, several Presbyterian Healthcare Services employees received phishing emails. Certain employees responded to the emails and inadvertently disclosed their credentials to the attackers. Those credentials were used to gain access to accounts containing sensitive information such as names, dates of birth, and Social Security numbers.

Presbyterian Healthcare Services became aware of the breach on June 9 and immediately secured the affected accounts. The breach investigation uncovered no evidence to suggest any personal information was accessed or stolen by the attacker, and no reports have been received to suggest any PHI has been misused.

The breach affected approximately 21% of Presbyterian Healthcare Services patients and plan members. Affected individuals have been offered complimentary credit monitoring and identity theft protection services for 12 months and have been advised to monitor their accounts and explanation of benefits statements carefully for any sign of fraudulent activity.

Presbyterian Healthcare Services is taking steps to improve email security to prevent any further breaches of this nature in the future.

3,812 Patients Affected by Three Rivers Community Health Group Phishing Attack

Perry County Medical Center, Inc. d/b/a Three Rivers Community Health Group, has discovered that an unauthorized individual gained access to the email account of one of its employees and may have viewed patient information.

The account breach was discovered on May 28, 2019. A forensic investigation was conducted by external computer experts, who determined that patient information such as names, dates of birth, dates of service, physicians’ names, prescription information, and health insurance group and ID numbers may have been accessed. No financial information or Social Security numbers were breached.

No evidence of unauthorized data access or data theft was uncovered, and the community health group is unaware of any instances of identity theft or misuse of PHI. As a precaution, all affected individuals have been offered complimentary credit monitoring and identity theft protection services.

The attack has prompted a review of privacy and security controls and additional protections will be implemented as appropriate to enhance email security.

Imperial Health Ransomware Attack Impacts More Than 111,000 Patients

Imperial Health, a physicians’ network serving patients in Southwest Louisiana, is alerting more than 111,000 patients that some of their protected health information has potentially been compromised in a recent ransomware attack.

An unauthorized party succeeded in deploying ransomware on the network, which encrypted files and a database used by Imperial Health’s Center for Orthopaedics (CFO). The attack was detected on May 19, 2019.

The database contained the protected health information of 116,262 patients. While no evidence of data access or data theft was uncovered during the investigation, it was not possible to rule out a breach of PHI. The decision was therefore taken to issue notifications to affected patients so that they can take steps to reduce the risk of harm.

The information stored in the database related to patients who had previously received medical services at CFO. The information varied from patient to patient and may have included name, address, telephone number, birth date, Social Security number, medical record number, diagnoses, treatment information, medications, dates of service, treating physician, and other clinical information.

The incident has been reported to law enforcement and Imperial Health is assisting with the investigation. Imperial Health has removed the ransomware from its network and has successfully restored data. New anti-virus software has now been deployed to better deal with the threat from malware and ransomware in the future.

Lost Laptop Contained PHI of 1,500 Patients

The Philadelphia Department of Behavioral Health and Intellectual Disability Services (DBHIDS) has announced that a laptop computer containing the protected health information of approximately 1,500 patients has been lost. The laptop was password-protected but not encrypted.

The laptop computer was in a briefcase which was lost on public transport. The laptop contained information such as names, dates of birth, MCI numbers, service provider names, and Medicaid waiver services that the client had applied for or was receiving.

All 1,500 affected individuals were notified of the breach the same day that the laptop was lost and have been offered one year of credit monitoring services at no cost. A forensic review confirmed that the laptop had not been used to access patient records.

It is DBHIDS policy for all laptop computers to be encrypted and it is unclear how this device was missed. DBHIDS will conduct a review and will ensure all laptop computers are encrypted, staff will be re-assigned to the HIPAA Basics training course, and further training on security-focused topics will also be provided.
