HIPAA Breach News

Humana Reports Mailing Errors Affecting More than 10,000 Members

Three mailing error incidents have resulted in the impermissible disclosure of the PHI of more than 10,000 Humana members. Data breaches have also recently occurred at KMJ Health Solutions, Jewish Home Lifecare, and Lake of the Woods County Social Services.

Insurance ACE/Humana Inc.

The Kentucky-based health insurance provider Humana Inc. has recently disclosed three separate mailing error incidents that have resulted in the impermissible disclosure of the protected health information of 10,688 of its members. On December 8, 2023, a programming error resulted in Explanation of Payment documents intended for providers being sent to an incorrect address. The documents included first and last names, Humana ID numbers, provider names, dates of service, and claim payment information.

On December 14, 2023, large print/braille health plan communications were mailed to incorrect recipients. An error was made when fixing an unrelated coding issue that added a date/time stamp to the naming convention, which was not a unique identifier. As a result, the system began overwriting files as duplicates, which resulted in members receiving another member’s letter. The information impermissibly disclosed included first and last names, addresses, Humana ID numbers, provider names, dates of service, claim payment information, prescription medication information, and copay and premium information.

On January 12, 2024, Humana’s printing vendor in Louisiana, Broadridge Output Solutions, Inc., experienced a printing error that caused explanation of benefits information of Humana members to be printed on the reverse of other members’ statements. The information impermissibly disclosed included names, claim information, provider name, gender, copay information, deductible and coinsurance information. Humana said all of the errors have been rectified and it is unaware of any misuse of members’ information.

KMJ Health Solutions

KMJ Health Solutions, a Michigan-based provider of online signout and charge capture systems, has reported a breach of the protected health information of 2,191 individuals. On November 19, 2023, KMJ Health Solutions identified unauthorized access to the server that hosts its eDocList system. The attacker used ransomware to encrypt files and may have obtained the data of some of its clients. The threat actor first gained access to the server on July 1, 2023. KMJ Health Solutions notified the affected clients on or around January 11, 2024.

One of the affected clients was Saint Joseph’s Medical Center in New York. The information potentially compromised included names, dates of birth, medical record numbers, diagnoses, laboratory results, dates of service, provider names, medications, and/or treatment information. Saint Joseph’s sent notifications to the affected individuals on March 4, 2024, and has confirmed that it no longer uses KMJ Health Solutions. When business associates experience data breaches, notifications may be issued by the business associate, their covered entity clients, or a combination of the two. It is therefore unclear at this stage how many individuals in total have been affected.

Jewish Home Lifecare

Jewish Home Lifecare, Inc., a New York senior health care system, identified unusual activity in its computer systems on January 7, 2023, and, assisted by computer forensics experts, determined that there had been unauthorized access to its systems and that the hackers potentially viewed or obtained patient data. The information exposed included names, addresses, dates of birth, Social Security numbers, payment card information, financial account information, passport numbers, medical record information, and medical treatment information. Jewish Home Lifecare has reported the incident to the HHS Office for Civil Rights as affecting 501 individuals. 501 is a placeholder often used to meet breach reporting requirements when the total number of affected individuals has yet to be confirmed.

Lake of the Woods County Social Services

Lake of the Woods County Social Services in Minnesota has reported a data breach that has affected individuals served by the County Social Services Department and their household members. On November 14, 2023, the County’s cybersecurity solutions detected and blocked a ransomware attack. While file encryption was prevented, the forensic investigation confirmed there was unauthorized access to its systems between November 14 and November 15, 2023, and data was stolen in the attack.

A ransom demand was received, but the County refused to pay to have the stolen data deleted, consistent with the advice of the FBI. Some of the stolen data was subsequently posted on the dark web. The information compromised in the attack included the following: Name, in combination with some or all of the following: address, date of birth, Social Security number, driver’s license number, financial account information, payment card information, information related to medical condition, treatment or diagnosis, medications, names of healthcare providers, information related to services individuals received from the County Social Services Department, such as locations of service, dates of service, client identification number or unique identifiers related to services provided to you, insurance identification number, and/or insurance information. For a limited number of individuals, the data included mental health reports and/or username(s) and password(s) used to access online accounts. The breach has been reported to the HHS’ Office for Civil Rights as affecting 537 individuals.

The post Humana Reports Mailing Errors Affecting More than 10,000 Members appeared first on HIPAA Journal.

Data Breaches Reported by Rebound Orthopedics, CCM Health, BCBST & Orsini Pharmaceutical Services

Data breaches have recently been reported by Rebound Orthopedics & Neurosurgery, CCM Health, BlueCare Plus Tennessee, and Orsini Pharmaceutical Services.

Rebound Orthopedics & Neurosurgery

Rebound Orthopedics & Neurosurgery in Vancouver, WA, has recently announced that it fell victim to a cyberattack on February 2, 2024. The attack was detected on February 3 when its computer systems went offline, including its patient and scheduling portals, and the outage lasted for more than 2 weeks. Computer forensics specialists were engaged to investigate the incident and confirmed that an unknown and unauthorized actor had accessed its network and viewed or copied files that were stored on its systems. A detailed review of those files confirmed that they contained patient information, although no evidence was found to indicate that any information in those files has been misused.

It is currently unclear what information was involved, as that information was not present in the sample notice provided to the Montana Attorney General. The incident has yet to appear on the HHS’ Office for Civil Rights website, so it is unclear how many individuals have been affected. Rebound Orthopedics & Neurosurgery said additional security measures have been implemented to prevent similar incidents in the future and complimentary credit monitoring services have been offered to the affected individuals for 24 months.

CCM Health

CCM Health in Montevideo, MN, has recently notified 29,182 individuals about a network security incident that involved some of their personal and health information. In a March 12, 2024, breach notice, CCM Health explained that there had been unauthorized access to its network between April 3, 2023, and April 10, 2023, and an unauthorized third party may have accessed and removed files containing their sensitive information.

A comprehensive review was conducted of all files on the compromised parts of the network that confirmed they contained full names, date of birth, Social Security numbers, medical information, and health insurance information. The exposed health information included medical record numbers, patient account numbers, prescription information, healthcare provider names, medical diagnoses, diagnosis codes, treatment types, treatment locations, treatment dates, admission dates, discharge dates, and/or lab results.

The file review was completed on February 12, 2024, and notification letters have now been sent to the affected individuals. Single bureau credit monitoring/single bureau credit report/single bureau credit score services have been provided to the affected individuals at no charge.

BlueCross BlueShield of Tennessee

BlueCross BlueShield of Tennessee, Inc. (BCBST) and Volunteer State Health Plan, Inc., which do business as BlueCare Plus Tennessee, have recently notified around 2,000 individuals about two security incidents that exposed their sensitive information.

BCBST said it identified suspicious login attempts to its member portal from outside the company on or around December 19, 2023. The attempts were made to log in using username and password combinations that came from an unknown source. The investigation found no evidence to suggest there had been a breach of BCBST systems, and it would appear that this was a credential stuffing attack, where username/password combinations that have been obtained in a third-party breach are used to try to log into accounts on other platforms.

The member portal was immediately disabled while the unauthorized activity was investigated, password security was enhanced, and third-party forensics experts were engaged to assist with the investigation. Between January 18 and January 24, 2024, BCBST learned that there had been a similar incident on August 7, 2023. The data potentially accessed in these two incidents included names, dates of birth, addresses, subscriber IDs, provider names, group numbers and names, plan information, medical information, claims information, and user IDs and passwords. For fewer than 1% of the affected individuals, financial information was also exposed. For individuals whose coverage ended more than two years ago the breached information only included IDs and passwords.

BCBST is implementing new login requirements and has notified the affected individuals and offered them identity monitoring services at no cost. They have also been asked to change their online account passwords when they sign in and to use a password that has not been used elsewhere. Two separate reports of data breaches have been logged by the HHS’ Office for Civil Rights that affected 1,251 and 790 individuals.

Orsini Pharmaceutical Services

Orsini Pharmaceutical Services in Illinois has recently discovered there has been unauthorized access to an employee’s email account. The breach was detected on January 10, 2024, and the investigation confirmed that a single email account was compromised between January 8 and January 10, 2024. The email account was reviewed to find out the types of information that had been exposed, which confirmed that the protected health information of 1,433 patients was present in the account, including names, addresses, dates of birth, medical record numbers, health insurance information, diagnoses, and/or prescription information.

Orsini Pharmaceutical Services did not find evidence to suggest that the attack was conducted to obtain patient data, but the possibility could not be ruled out. Additional safeguards and technical security measures have been put in place to further protect and monitor its systems, and the affected individuals have been notified and offered a complimentary 12-month membership to a credit monitoring service.

White House Meets with Healthcare Community to Discuss Change Healthcare Ransomware Attack Mitigations

On March 12, White House officials met with UnitedHealth Group, leaders at the Department of Health and Human Services, and industry groups to discuss the cyberattack at UHG-owned Change Healthcare, the disruption to healthcare services over the past 3 weeks, and mitigations to help patients and providers.

The Change Healthcare cyberattack was detected on February 21 and caused an outage that lasted for three weeks. The Blackcat ransomware group claimed responsibility for the attack. The attack caused massive disruption, with providers unable to verify coverage, submit prior authorization requests, exchange clinical records, and be reimbursed for services.

UHG set up a financial assistance program to help providers who receive payments processed by Change Healthcare, who could apply for temporary funding through Optum Financial Services, and the Centers for Medicare and Medicaid Services (CMS) introduced flexibilities to help ease the financial strain on providers, including applications for advanced payment. Last week, 2 weeks after the attack, UHG was finally able to provide a timeline for bringing systems back online and this week confirmed that 99% of pharmacy and payment systems are now online.

The meeting was led by HHS Secretary Xavier Becerra and Deputy Secretary Andrea Palm, who were joined by White House Domestic Policy Advisor Neera Tanden, White House Deputy National Security Advisor (DNSA) for Cyber and Emerging Technologies Anne Neuberger, and others from the federal government. At the meeting, concrete actions were discussed to mitigate the harm caused to patients and providers.

Secretary Becerra and Domestic Policy Advisor Tanden stressed that the government and public sector must work together to help providers, many of whom are struggling to make payroll and deliver timely care to patients. They also stressed that insurers needed to help providers who are facing financial difficulties. During the meeting, industry groups discussed the problems faced by providers, the gaps in the response from payers, and how providers desperately need more immediate payment options, direct communications, and relaxed billing and claims processing requirements.

Payers were asked to provide assistance and committed to continued coordination. They also explained that they are working on further steps to reduce red tape, provide accessible funding opportunities through advanced payments, and other measures to address the cash flow issues that providers are experiencing. White House officials said they would be following up on the commitments made by payers at the meeting.

The interconnectedness of healthcare means a cyberattack on one entity can have far-reaching consequences, and with Change Healthcare processing 15 billion transactions annually and its systems touching the data of 1 in 3 patients in America, the fallout from the cyberattack has been immense. At the meeting, DNSA Neuberger stressed the urgent need to strengthen cybersecurity resilience across the sector, and the importance of all organizations implementing the HHS’s voluntary HPH Cybersecurity Performance Goals. A readout of the meeting is available on the HHS website.

Patient Data Exposed in Phishing Attack on UC San Diego Health

Data breaches have recently been reported by UC San Diego Health, Littleton Regional Healthcare, UT Southwestern Medical Center, and the Texas Health and Human Services Commission.

UC San Diego Health Discloses January Phishing Attack

UC San Diego Health has recently notified the California Attorney General about a phishing attack that was discovered on January 9, 2024, which exposed the sensitive data of patients. Two Hillcrest Medical Center employees responded to the phishing emails and disclosed their credentials, which allowed their email accounts to be accessed by unauthorized individuals. UC San Diego Health said the email accounts were accessed for brief periods between January 9, 2024, and January 22, 2024.

A review of the exposed emails and attachments was completed on February 26, 2024, and confirmed that they contained patients’ protected health information such as names, Social Security numbers, and one or more of the following: mailing address; email address; date of birth; medical record number; health insurance information; treatment cost information; and/or clinical information, such as medications, provider name or diagnosis.

UC San Diego Health said it is enhancing its security controls and will continue to provide phishing prevention training and education to its employees. The affected individuals are being notified and are being offered complimentary credit monitoring and identity theft protection services. It is currently unclear how many individuals have been affected.

Littleton Regional Healthcare Reports Email Error and the Impermissible Disclosure of Patient Information

Littleton Regional Healthcare in New Hampshire has recently reported a breach of the protected health information of 12,614 individuals. On January 2, 2024, an employee sent an email containing the names and dates of birth of patients to an individual who was not authorized to receive the information. That individual contacted Littleton Regional Healthcare the same day to report the error and confirmed that the information in the email had not been disclosed to anyone else and that the email had been deleted. Littleton Regional Healthcare has notified the affected individuals, reviewed appropriate policies and procedures, and has provided further training to employees to reduce the likelihood of similar errors in the future.

Texas Health and Human Services Commission Breach Affects More Than 3,300 Patients

The Texas Health and Human Services Commission (HHSC) has discovered an impermissible disclosure of the personal information of 3,392 individuals. On January 11, 2024, a member of staff emailed spreadsheets containing sensitive information to a personal email account. The spreadsheets contained the personal information of people who live in or around Tyler, Texarkana, Longview, Marshall, Beaumont, and Nacogdoches, and included full names, addresses, telephone numbers, financial information, health information, Medicaid numbers, and Social Security numbers. The spreadsheets were sent in several emails between September 2023 and October 2023.

The investigation into the breach concluded on February 2, 2024, and notification letters have now been mailed to the affected individuals, who have been offered 12 months of free credit monitoring services. HHSC said it has found no evidence to suggest that the spreadsheets have been shared with any other individuals or that the information has been misused. Additional training has been provided to the workforce to remind staff members of the importance of protecting confidential information.

UT Southwestern Medical Center Reports Software-Related Data Breach

UT Southwestern Medical Center has recently reported a breach to the Texas Attorney General that involved the protected health information of 2,094 individuals. Little information about the data breach has been disclosed at this stage, but the medical center has confirmed that the breach was not due to a cyberattack and was related to the internal use of unapproved software. The information that was involved included names, addresses, dates of birth, medical information, and health insurance information. Individual notifications are currently being prepared by UT Southwestern Medical Center and will be mailed shortly.

Grace Lutheran Communities Falls Victim to ALPHV/Blackcat Ransomware Attack

Grace Lutheran Communities in Wisconsin, a provider of rehabilitation services, assisted living, independent living, and skilled nursing, has experienced a ransomware attack. The incident was detected on January 22, 2024, and while the investigation is ongoing, Grace Lutheran Communities has confirmed that patient data was stolen including names, addresses, Social Security numbers, and health insurance information.

On February 17, 2024, Grace Lutheran Communities discovered that a ransomware group – ALPHV/Blackcat – had published some of the stolen data on its data leak site. Grace Lutheran Communities said it is committed to ensuring the privacy and security of patient data and is enhancing network security to prevent similar attacks in the future. Grace Lutheran Communities has yet to confirm how many individuals have been affected.

Washington County Hospital and Nursing Home Falls Victim to Ransomware Attack

Washington County Hospital and Nursing Home has notified 31,125 individuals about a December cyberattack that may have resulted in an unauthorized third party accessing their sensitive information. On December 24, 2023, network disruption occurred which prevented access to internal systems. A third-party cybersecurity firm was engaged to help secure its systems and conduct a forensic investigation, and evidence was found of unauthorized access to files containing patient data. Those files included tax forms and Social Security numbers (SSNs); however, no reports have been received of any actual or attempted identity theft or fraud as a result of the data breach.

Washington County Hospital and Nursing Home has augmented its security measures and is offering the affected individuals complimentary access to Single Bureau Credit Monitoring/Single Bureau Credit Report/Single Bureau Credit Score services.

Bay Area Anesthesia Patients Affected by Cyberattack on Business Associate

Bay Area Anesthesia in Clearwater, FL, has been affected by a data security incident at a former business associate, Bowden Barlow Law. The law firm identified suspicious activity within its network and the investigation confirmed that there had been unauthorized access by a third party between November 17, 2023, and December 1, 2023, and during that time, files were exfiltrated from its network that contained the protected health information of 15,196 individuals. Bay Area Anesthesia has notified the affected individuals and has offered them complimentary credit monitoring and identity theft protection services for 12 months.

Cardiothoracic and Vascular Surgeons Alerts Patients About December Data Breach

Cardiothoracic and Vascular Surgeons in Austin, TX, has confirmed that unauthorized individuals accessed its network between October 12, 2023, and October 13, 2023, and exfiltrated files containing patient data. A review of the affected files was completed on January 22, 2024, and confirmed that the protected health information of 2,345 individuals was present in those files, including names, driver’s licenses, and/or government-issued IDs. Notifications were issued to the individuals on February 16, 2024, and credit monitoring and identity theft protection services are being made available.

Egyptian Health Department Cyberattack Affects Up to 100,000 Individuals

Egyptian Health Department (EHD) in Eldorado, IL, has recently announced a data breach affecting up to 100,000 patients. EHD suffered a cyberattack on December 21, 2023, and while the forensic investigation is still ongoing, evidence has been found that indicates folders on its network were accessed by an unauthorized individual. Those folders contained files that included patients’ protected health information and employee data.

The exposed patient data included names, dates of birth, medical information, and health insurance claims information. The exposed employee data included names, Social Security numbers, driver’s license numbers/other government-issued IDs, financial account information, and/or insurance information. EHD is still investigating the incident to determine the potentially impacted employees and patients and will mail notifications when that process is completed.

EHD has taken several steps to improve security, including creating new domain controllers, moving the SMB network shares of the domain controllers to a dedicated virtual machine, conducting permission audits on shared folders, limiting SharePoint Server to internal access only, installing SentinelOne and Huntress on all equipment, and implementing password protection on spreadsheets with PHI.

McKenzie County Healthcare System Announces Email Account Breach

McKenzie County Healthcare System in North Dakota has identified unauthorized access to an employee email account. The breach was detected on or around October 5, 2023, and the forensic investigation confirmed an unauthorized individual accessed a single email account between October 2 and October 5, 2023.

A review was conducted of all emails and attachments in the account, and it was confirmed that the protected health information of 21,000 patients had been exposed. The exposed data included names, addresses, medical information, and health insurance information. No evidence was found to indicate any of that information has been misused.

Forward Healthcare Impacted by MOVEit Hack at Business Associate

Forward Healthcare has confirmed that the protected health information of 3,999 patients was compromised in a cyberattack on its business associate, Philips Respironics. On December 20, 2023, Philips Respironics notified Forward Healthcare that data was compromised in a May 31, 2023, cyberattack that saw access gained to its Care Orchestrator and Encore Anywhere software solutions after a zero-day vulnerability in the MOVEit Transfer solution was exploited. The data potentially stolen in the attack included names and personal and medical information.

Email Account Breached at Maryville Addiction Treatment Centers

Maryville Addiction Treatment Centers in New Jersey have started notifying 155,03 patients about a breach of an employee email account. The security breach was detected on or around August 22, 2023, and the forensic investigation revealed there had been unauthorized access to the account between August 21, 2023, and August 22, 2023.

The review of the account confirmed the following data was exposed: full names, Social Security numbers, medical treatment information, health insurance information, dates of birth, financial account information, and government identification. Maryville said there are no indications that any of the exposed information has been misused.

Cencora Confirms Recent Cyberattack Involved Data Exfiltration

The Fortune 500 pharmaceutical firm, Cencora, said in a filing with the Securities and Exchange Commission (SEC) that it has experienced an intrusion and data was exfiltrated from its network. Cencora said the attack did not have a material impact on its operations, but it is too early to tell whether the incident will have any material impact on its financial condition.

Cencora said it discovered unauthorized activity within its systems and took immediate action to contain the threat and reported the incident to law enforcement. Third-party cybersecurity experts have been engaged to assist with the investigation and data exfiltration was confirmed on February 21, 2024, but an announcement has yet to be made about the nature of the impacted data.

California Department of State Hospitals Alerts Patients About SSN Exposure

The State of California – Department of State Hospitals Atascadero (DSH-A) has started notifying certain patients about a security incident discovered on February 15, 2024, in which Leave and Activity Balance (LAB) reports were exposed. The reports were disseminated to DSH-A staff for use in timesheet approval and contained confidential information such as names and Social Security numbers. DSH has launched an investigation to determine if the reports have been improperly accessed and is in the process of arranging for complimentary identity theft protection services to be provided to the affected individuals. At this stage, it is unclear how many individuals have been affected.

UHG Identifies Attack Vector Used in Change Healthcare Ransomware Attack

UnitedHealth Group (UHG) has confirmed that the cybersecurity firms Mandiant and Palo Alto Networks are assisting with the forensic investigation and that the investigation into the February 21, 2024, ransomware attack on Change Healthcare is well underway. UHG has also confirmed that the forensic investigation has uncovered the source of the intrusion. After identifying the initial attack vector, UHG identified a safe restore point and can now work on restoring the systems that are currently non-operational and can start recovering data.

At this stage, UHG has not publicly disclosed the initial attack vector. There was speculation in the days immediately after the attack that two recently disclosed vulnerabilities in ConnectWise ScreenConnect were exploited in the attack. Those vulnerabilities were discovered on February 15, and notifications about the flaws were issued on February 19, just a couple of days before the LockBit ransomware attack on Change Healthcare was detected. UHG said it will be sharing further information on its investigation and recovery in the coming days, but it is unclear whether that will include the attack vector. Typically, victims of cyberattacks do not publicly disclose exactly how their systems were breached.

UHG has confirmed that it has stood up new instances of its Rx Connect (Switch) and Rx ePrescribing services and it has begun enabling its Rx Connect, Rx Edit, and Rx Assist services, which are now available for customers who have configured direct internet access connectivity. On March 13, 2024, UHG said all major pharmacy and payment systems are up and more than 99% of pre-incident claim volume is flowing.

March 11, 2024: UnitedHealth Group Expands Financial Assistance Program and Provides Timeline for Recovery

On March 8, 2024, more than 2 weeks after the Change Healthcare ransomware attack, UnitedHealth Group provided a timeline on when it expects to have restored its systems and services. UnitedHealth Group said its electronic prescribing service is now fully functional and has been since Thursday; however, electronic payments are not expected to be available until March 15, 2024. Testing of the claims network and software will commence on March 18, and services are expected to be restored throughout that week.

UnitedHealth Group has also confirmed that its financial assistance program, provided through Optum, has been expanded to include providers that have exhausted all available connection options as well as those that work with payers who will not advance finances during the outage. The financial assistance program will see advance payments made each week based on providers’ historic payment levels and those following the cyberattack. UnitedHealth Group was criticized for the onerous terms of its financial assistance program which was made available a week after the attack, but confirmed that the funds will not need to be repaid until claims flows have completely resumed. When that happens, providers will be sent an invoice and will be given 30 days to repay the funds.

Prior authorizations are being suspended for most outpatient services for Medicare Advantage plans, utilization reviews for inpatient admissions are being put on hold until March 31, 2024, and drug formulary exception review is suspended for Medicare Part D pharmacy benefits. Pharmacies affected by the outage have been notified by Optum Rx that the pharmacy benefit manager will reimburse them for claims filled during the outage “with the good faith understanding that a medication would be covered.”

“We are committed to providing relief for people affected by this malicious attack on the U.S. health system,” said Andrew Witty, CEO, UnitedHealth Group. “All of us at UnitedHealth Group feel a deep sense of responsibility for recovery and are working tirelessly to ensure that providers can care for their patients and run their practices, and that patients can get their medications. We’re determined to make this right as fast as possible.”

The additional measures have been welcomed but the American Medical Association (AMA) has warned that physician practices are still likely to face significant challenges. “The AMA agrees with UnitedHealth’s call for all payers to advance funds to physicians as the most effective way to preserve medical practice viability during the financial disruption, especially for practices that have been unable to establish workarounds to bridge the claims flow gap until the Change Healthcare network is re-established,” said the AMA. “While providing needed information on timelines and new financial measures is helpful, UnitedHealth Group has more work to do to address physician concerns. Full transparency and security assurances will be critical before connections are re-established with the Change Healthcare network.”

March 5, 2024: UnitedHealth Group Offers Temporary Funding Assistance in Response to Change Healthcare Ransomware Attack

UnitedHealth Group, the parent company of Change Healthcare, has set up a temporary financial assistance program for customers affected by the Change Healthcare ransomware attack. The program will help providers who have been unable to receive payments due to the outage at Change Healthcare. Under the financial assistance program, providers that receive payments processed by Change Healthcare will be able to apply for temporary funding through Optum Financial Services. If applications are made for temporary funding, they will be paid based on prior claims volume and will be interest-free and fee-free.

“We understand the urgency of resuming payment operations and continuing the flow of payments through the health care ecosystem,” explained UnitedHealth. “While we are working to resume standard payment operations, we recognize that some providers who receive payments from payers that were processed by Change Healthcare may need more immediate access to funding.”

The financial assistance program is only available for providers who have been affected by the disruption to payment distribution. Financial assistance is not being offered to providers that have faced claims submission disruption; therefore, only a small number of providers will qualify for assistance. The terms of the financial assistance program are also worrying. Any funds provided will need to be paid back when normal operations resume and repayments will need to be made within 5 days of receiving notice. The terms of the financial assistance include allowing Optum Financial Services to take back the funds without advance communication.

While the move has been welcomed by provider groups, they say it will do little to alleviate the financial strain on many of the affected providers who are experiencing severe cash flow problems due to the increased workload from having to implement workarounds for filing claims and prior authorization requests. The American Hospital Association (AHA) said the assistance being offered “falls far short of plugging the gaping holes in funding caused by the Change Healthcare outage.” The assistance being offered only addresses one of the two problems caused by the Change Healthcare outage.  It helps address the problem of payers being unable to pay via Change Healthcare, although the AHA said the terms and conditions are “shockingly onerous.” The AHA said no assistance is being offered at present to ease the burden on providers who are unable to bill payers in a timely manner due to the ongoing disruption of Change Healthcare’s clearinghouse and claims submission systems.

The recovery process has been slow for Change Healthcare. The Blackcat ransomware attack caused an outage that has lasted for almost 2 weeks. On March 1, 2024, Change Healthcare confirmed that it had set up a new instance of its Rx ePrescribing service and had successfully tested the new instance with vendors and retail pharmacies; however, the Clinical Exchange ePrescribing provider tools remain offline, as do around 100 of Change Healthcare’s IT products.

There have been reports in the media that indicate Optum paid a $22 million ransom payment to the ALPHV/Blackcat ransomware group for the decryption key and to ensure that the stolen data is deleted. The affiliate behind the attack claims that the ALPHV/Blackcat group stole the ransom and has now shut down the operation. The affiliate claims to have 4TB of the data stolen from Change Healthcare.

UnitedHealth Provides Update on Incident Response and Recovery

UnitedHealth Group has provided further updates on the recovery process. On March 1, 2024, a new instance of Change Healthcare’s Rx ePrescribing service was made available and UnitedHealth Group said it has already processed more than 3 million transactions, and volume is increasing daily as more system vendors reconnect. Workarounds are continuing to be deployed for claims, and UnitedHealth Group says 90% of claims are now flowing uninterrupted, with claims expected to increase to around 95% by next week (w/c 3/11); however, there are still issues with Change Healthcare’s payment capabilities although progress is being made on restoring them. “Our teams have been diligently working on restoration of the core environment. We expect our data center rebuild and restoration of database center services to be complete this week,” explained UnitedHealth Group. “From there, we will turn our full attention to application and service restoration.”

On March 7, UnitedHealth Group said a new instance of the Rx Connect (Switch) service is now online and it is actively working to restore full service and connectivity claim traffic and has begun enabling Rx Connect, Rx Edit, and Rx Assist services, which are now available for customers who have configured direct internet access connectivity.

While progress is being made on restoring services, attention will soon turn to the scale of the data breach. Given that Change Healthcare processes 15 billion healthcare transactions each year and says one in three patient records in the United States are touched by its clinical connectivity solutions, this could turn out to be one of the largest healthcare data breaches of all time. At least 5 class action lawsuits have already been filed in Tennessee and Minnesota on behalf of patients who allege their information was stolen in the attack, and that number is expected to continue to grow as the extent of the data breach becomes clear.

March 2, 2024: Change Healthcare Confirms Blackcat Ransomware Attack as Rx ePrescribing Service Reestablished

The Blackcat ransomware group claims to have stolen a vast amount of data from Change Healthcare in the recent cyberattack. In a statement posted, and later removed, from its data leak site, a member of the group claimed to have stolen 6TB of data from UnitedHealth, which the group alleges includes “highly selective data” from all Change Healthcare clients, including Medicare, CVS Caremark, Health Net, and Tricare, the U.S. military medical health agency. Screenshots of some of the data were shared as proof of data theft. The group also claims to have stolen the source code of Change Healthcare applications. The group claims to have stolen the data of millions of patients, including medical records, insurance records, dental records, payment information, claims information, and patients’ PHI, including health data, contact information, and Social Security numbers.

Change Healthcare has yet to determine the extent of any data breach at this early stage of its investigation. Ransomware groups usually threaten to publicly release data to pressure victims into paying the ransom, and listings are often added when victims refuse to negotiate or when negotiations break down. The rapid removal of the listing suggests that Change Healthcare is in touch with the group, although there could be other reasons for the removal of the data.

In an update on February 28, 2024, Change Healthcare confirmed that disruptions have continued for a 9th day, with some applications still experiencing connectivity issues. Change Healthcare also said it has a high level of confidence that Optum, UnitedHealthcare, and UnitedHealth Group systems were not compromised and the breach appears to be limited to Change Healthcare, with none of its clients’ systems breached.

In a February 29, 2024 update, Change Healthcare confirmed that this was an ALPHV/Blackcat ransomware attack. “Change Healthcare can confirm we are experiencing a cybersecurity issue perpetrated by a cybercrime threat actor who has represented itself to us as ALPHV/Blackcat. Our experts are working to address the matter and we are working closely with law enforcement and leading third-party consultants, Mandiant and Palo Alto Network, on this attack against Change Healthcare’s systems. We are actively working to understand the impact to members, patients and customers.”

While not specifically referencing the Change Healthcare cyberattack, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) issued a joint cybersecurity alert on February 27 warning about increased attacks on the healthcare sector by the Blackcat/ALPHV ransomware group. 70 victims have been listed on the group’s data leak site since December 2023, and the healthcare sector has been the most commonly attacked sector.

In a March 1, 2024 update, Change Healthcare explained that a new instance of its ePrescribing service has been stood up, although Clinical Exchange ePrescribing providers’ tools are still not operational. “Working with technology and business partners, we have successfully completed testing with vendors and multiple retail pharmacy partners for the impacted transaction types,” explained Change Healthcare in a March 1, 2024 status update. “As a result, we have enabled this service for all customers effective 1 p.m. CT, Friday, March 1, 2024. If you encounter issues following the activation of this script routing service, contact our support team through your normal channels or submit an online ticket via our support portal.”

February 27, 2024: Blackcat Ransomware Group Behind Change Healthcare Cyberattack

The disruption at Change Healthcare has continued into the seventh day after its February 21 cyberattack, with pharmacies across the country still struggling to process prescriptions. With Change Healthcare’s systems out of action, pharmacies have been unable to transmit insurance claims and now have significant backlogs of prescriptions that cannot be processed. On Monday, Change Healthcare confirmed that the attack is still affecting 117 of its applications and components.

Change Healthcare/Optum has been providing daily updates and has confirmed that the disruption is continuing. “We are working on multiple approaches to restore the impacted environment and will not take any shortcuts or take any additional risk as we bring our systems back online,” explained Change Healthcare in its February 26, 2024 update. “We will continue to be proactive and aggressive with all our systems and if we suspect any issue with the system, we will immediately take action and disconnect. The disruption is expected to last at least through the day. We will provide updates as more information becomes available.”

Change Healthcare has engaged the services of Alphabet’s cybersecurity unit, Mandiant, which is assisting with the investigation and remediation of the cyberattack. While neither Change Healthcare nor Mandiant has commented on the nature of the attack, Reuters has reported that two sources familiar with the incident have confirmed that this was a ransomware attack, and that the ALPHV/Blackcat ransomware group is responsible. On February 27, 2024, a member of the Blackcat group confirmed that they were behind the attack.

Blackcat is known to engage in double extortion tactics, where sensitive data is exfiltrated before ransomware is used to encrypt files. Ransoms must be paid to recover encrypted files and to prevent the release of stolen data, so there is likely to have been a data breach although that has not been confirmed by Change Healthcare at this stage.

In December 2023, the Blackcat group was the subject of a US-led law enforcement operation that took down websites used by the group. The group issued a statement following the attack stating that in response to the takedown it has removed affiliate restrictions and now allows them to conduct attacks on critical infrastructure entities and healthcare organizations. It should be noted that the “rule” on not targeting healthcare organizations was not strictly followed before the takedown, as the group has conducted several attacks on healthcare organizations including McLaren Health Care and Norton Healthcare in 2023.

In early updates on the nature of the attack, Change Healthcare said it suspected that the attack was the work of a nation-state-associated actor; however that appears not to be the case. ALPHV/Blackcat is a financially motivated cybercriminal group with no known links to any nation state. There have also been media reports suggesting the attack involved the exploitation of a vulnerability in ConnectWise’s ScreenConnect app. ConnectWise issued a statement saying Change Healthcare does not appear to be a direct customer, although it is possible that ConnectWise was used by a managed service provider. At this stage, no MSP partners have come forward and confirmed a breach that impacted Change Healthcare.

February 22, 2024: Change Healthcare Responding to Cyberattack

Change Healthcare, a Nashville, TN-based provider of healthcare billing and data systems, has confirmed that it is dealing with a cyberattack that has caused network disruption. The attack was detected on February 21, 2024, and immediate action was taken to contain the incident and prevent further impacts.

“Once we became aware of the outside threat, in the interest of protecting our partners and patients, we took immediate action to disconnect our systems to prevent further impact,” explained Change Healthcare on its status page.  The Change Healthcare cyberattack has caused enterprise-wide connectivity issues and cybersecurity experts are working around the clock to mitigate the attack and restore the affected systems.

UnitedHealth Group owns Change Healthcare and the healthcare provider Optum. Change Healthcare provides prescription processing services through Optum which provides services to over 67,000 U.S. pharmacies and serves 129 million patients. Change Healthcare handles more than 15 billion healthcare transactions each year and says one in three patient records in the United States are touched by its clinical connectivity solutions. Change Healthcare is used by Tricare, the healthcare provider of the U.S. military, and all military pharmacies, clinics, and hospitals have been affected by the disruption caused by the Change Healthcare cyberattack, and retail pharmacies across the country are experiencing delays processing prescriptions and have been unable to send orders through insurance plans.

In a regulatory filing with the U.S. Securities and Exchange Commission (SEC) on Thursday, UnitedHealth confirmed that Change Healthcare had experienced a cyberattack that affected dozens of systems. At this stage of the incident response, it is too early to tell if any patient data has been exposed or stolen in the attack and neither UnitedHealth nor Change Healthcare could provide a timeline on when systems will be brought back online.

UnitedHealth said in its SEC filing that it suspects the cyberattack was conducted by a nation state, rather than a cybercriminal group, but did not provide further information on how that determination was made. That announcement is concerning, given the recent warnings about China maintaining access to critical infrastructure entities in the U.S. and the new sanctions due to be imposed on Russia in response to the death of Alexei Navalny.

There are also fears that the cyberattack could extend to the pharmacies connected to the Optum system. The American Hospital Association (AHA) has issued a warning to all members that they should immediately disconnect from the Optum system as a precaution. “We recommend that all healthcare organizations that were disrupted or are potentially exposed by this incident consider disconnection from Optum until it is independently deemed safe to reconnect to Optum,” the AHA said, and in the meantime switch to manual processes.

What is HIPAA and does this Cyberattack Break the Law?

All healthcare organizations that conduct transactions electronically that involve protected health information are required to comply with the Health Insurance Portability and Accountability Act (HIPAA), which sets minimum standards for privacy and security. The HIPAA Privacy Rule prohibits disclosures of protected health information to unauthorized individuals and the HIPAA Security Rule requires safeguards to be implemented to ensure the confidentiality, integrity, and availability of electronic protected health information.

If an unauthorized individual gains access to systems containing protected health information, it is classed as an impermissible disclosure of protected health information and is a reportable HIPAA breach. A cyberattack that results in access being gained to protected health information is not necessarily a HIPAA violation. The HIPAA Security Rule requires risks and vulnerabilities to be identified, and for those risks to be managed and reduced to a reasonable and appropriate level. The HIPAA Security Rule does not require risks and vulnerabilities to be eradicated entirely.

The first priority following the detection of unauthorized system activity should be to contain the incident and ensure that the threat actor is eradicated from internal systems. Systems must be safely brought back online and the nature and scope of the incident established through a forensic investigation. If it is determined that patient data has been exposed, the breach must be reported to the Department of Health and Human Services (HHS) and the affected individuals must be provided with individual notifications within 60 days of the discovery of a data breach. The HHS investigates all data breaches of over 500 records to determine if they were the result of a failure to comply with the HIPAA Rules and financial penalties can be imposed for noncompliance.

The HIPAA Journal will update this post as more information about the incident comes to light, so please check back over the coming days and months.

The post UHG Identifies Attack Vector Used in Change Healthcare Ransomware Attack appeared first on HIPAA Journal.

Connexin Software Proposes Class Action Lawsuit Settlement to Avoid Bankruptcy

Connexin Software, which does business as Office Practicum, has proposed a $4 million settlement to resolve a consolidated class action lawsuit stemming from a 2022 data breach that affected almost 3 million individuals. Office Practicum provides pediatric-specific health information technology solutions to healthcare providers, including electronic health records, practice management software, billing services, and business analytics tools.

On August 26, 2022, Connexin Software said it detected a data anomaly within its internal network and the subsequent forensic investigation confirmed that an unauthorized third party had obtained an offline set of patient data that was used for data conversion and troubleshooting. The compromised data included the protected health information of 2,675,934 patients, the majority of whom were children. The compromised data included names, guarantor names, parent/guardian names, addresses, email addresses, dates of birth, Social Security numbers, health insurance information, medical and treatment information, and billing and claims data.

Several class action lawsuits were filed against Connexin Software shortly after the company announced the breach, nine of which were consolidated into a single class action lawsuit as they all made similar claims, including an alleged failure to implement reasonable and appropriate security measures to protect patient data. Children’s data is particularly valuable to cybercriminals as it can be misused for years. The affected individuals suffered an invasion of privacy and immediate and long-term risks of identity theft, fraud, medical identity theft, misappropriation of health insurance benefits, and other misuses. The plaintiffs argued that the threat actor behind the attack could also sell the data of children to human trafficking groups.

The settlement is in the best interests of all parties concerned. The plaintiffs will be able to claim for reimbursement of out-of-pocket expenses and Connexin Software will avoid further legal costs. Connexin Software explained to the judge when filing the preliminary settlement that if the lawsuit had progressed much further, the company would have no option other than to file for bankruptcy protection.

All parties have agreed to the proposed settlement, which has received preliminary approval from a Pennsylvania federal court judge. The plaintiffs and class members have been given three options: Expanded identity theft protection services for three years and coverage by a $1,000,000 identity theft insurance policy; reimbursement for unreimbursed out-of-pocket expenses up to a maximum of $7,500 per class member; or a flat-fee cash payment, the amount of which will be determined based on the claims received. Connexin Software has also agreed to invest $1.5 million in its information security program to better protect patient data in the future. Attorneys for the plaintiffs and class members are seeking around $1.3 million in fees.

“The parties were well-aware of each other’s strengths and weaknesses by virtue of the court’s ruling on Connexin’s partial motion to dismiss, their exchange of thousands of pages of documents, nearly a dozen depositions, and mediation-related discovery and analysis directed at Connexin’s finances,” states the settlement document. “Rather than prolonging the litigation, plaintiffs have reached a settlement that will immediately provide them and class members with significant benefits for their injuries arising from the data security incident.” The settlement now awaits a final hearing, the date for which has not yet been set.

Harvard Pilgrim Health Care Ransomware Victim Count Rises to 2.6 Million

Harvard Pilgrim Health Care has confirmed that the information of 2,632,275 individuals was compromised in an April 2023 ransomware attack, increasing the previous total by 81,353. In updated notices submitted to the Attorneys General in California and Maine this month, Harvard Pilgrim Health Care explained that the attack was detected on April 17, 2023, and action was immediately taken to contain the threat and prevent further unauthorized access to its systems. Law enforcement and regulators were notified, and third-party cybersecurity experts were engaged to assist with its investigation and remediation efforts.

Harvard Pilgrim Health Care said the cybercriminal group behind the attack exfiltrated data from its systems between March 28, 2023, and April 17, 2023. The systems accessed by the attackers were used to service members, accounts, brokers, and providers, which contained names, Social Security numbers, and financial information. Harvard Pilgrim Health Care started notifying the affected individuals on May 23, 2023 and disclosed the breach to media organizations serving all 50 states. On June 15, individual notification letters started to be mailed to the affected individuals. As the investigation progressed it became clear that other individuals had been affected.  Harvard Pilgrim Health Care has offered complimentary credit monitoring and identity theft protection services to the affected individuals and has implemented additional cybersecurity safeguards to prevent similar breaches in the future.

Coleman Professional Services Inc. Reports Breach of Employee Email Accounts

Coleman Professional Services, Inc., an Ohio-based provider of behavioral health services, has reported a breach of its email environment. On December 14, 2023, Coleman learned that an unauthorized third party had gained access to several employee email accounts. The forensic investigation confirmed the accounts were accessed by an unauthorized third party between September 18, 2023, and October 31, 2023.

The forensic investigation could not confirm whether any patient data was viewed or acquired, but the review of the affected accounts confirmed that they contained the protected health information of 51,889 individuals. The types of information exposed varied from individual to individual and may have included first and last names, dates of birth, Social Security numbers, driver’s license numbers, financial information, and, in some cases, health information. Identity theft protection services have been offered to the affected individuals. Coleman has also taken additional steps to prevent unauthorized individuals from accessing its employee email accounts.

North Hill Communities Report Cyberattack and Data Breach

North Hill, including North Hill Communities, Inc., North Hill Home Health Care, Inc., North Hill Needham, Inc., Connected for Life, Inc., and the North Hill Employee Dental Plan, has confirmed that the personal and protected health information of up to 4,798 individuals was potentially compromised in a December 2023 cyberattack.

The attack was detected on December 26, 2023, and the forensic investigation confirmed that its network had been compromised by an unauthorized third party on December 19, 2023. North Hill said it was not possible to determine whether personal or protected health information was accessed or acquired but did determine that the compromised parts of its network contained sensitive data. The exposed data included names in combination with one or more of the following: date of birth, date of death (if applicable), address, Social Security number, phone number, admission date, health insurance information, medical record number, treatment dates, financial account/bank account number, driver’s license number, claims information, and medical information.

North Hill started notifying the affected individuals on February 14, 2023 and is covering the cost of Single Bureau Credit Monitoring/Single Bureau Credit. Additional security detection and monitoring solutions are being implemented to help prevent similar occurrences in the future.

Advarra Inc. Reports Email Account Breach

Advarra Inc., a provider of integrated research compliance solutions, has reported a breach of the personal and protected health information of 4,656 individuals. On October 26, 2023, Advarra identified suspicious activity in an employee email account. The investigation confirmed that a single account was breached on October 25, 2023, and company and personal information in the account was acquired by an unauthorized third party. That information included names and Social Security numbers. Advarra is unaware of any actual or attempted misuse of data but has offered the affected individuals complimentary credit monitoring and identity theft protection services as a precaution.
