HIPAA Breach News

350,000 Patients of ReproSource Fertility Diagnostics Affected by Ransomware Attack

Malborough, MA-based ReproSource Fertility Diagnostics has suffered a ransomware attack in which hackers gained access to systems containing the protected health information of approximately 350,000 patients.

ReproSource is a leading laboratory for reproductive health that is owned by Quest Diagnostics. ReproSource discovered the ransomware attack on August 10, 2021 and promptly severed network connections to contained the incident. An investigation into the security breach confirmed the attack occurred on August 8.

While it is possible that patient data was exfiltrated by the attackers prior to the deployment of ransomware, at this stage no evidence of data theft has been identified.

A review of the files on the affected systems was completed on September 24 and revealed they contained the following types of protected health information:

Names, phone numbers, addresses, email addresses, dates of birth, billing and health information (CPT codes, diagnosis codes, test requisitions and results, test reports and/or medical history information), health insurance or group plan identification names and numbers, and other information provided by individuals or by treating physicians. A small subset of individuals may have had driver’s license number, passport number, Social Security number, financial account number, and/or credit card number exposed.

Notification letters are now being sent to affected individuals by Quest Diagnostics.  Complimentary credit monitoring and protection services are being provided to affected individuals, who will also be protected by a $1,000,000 identity theft insurance policy.

ReproSource said additional safeguards have been implemented to protect against ransomware and other cyber threats, including additional monitoring and detection tools.

The post 350,000 Patients of ReproSource Fertility Diagnostics Affected by Ransomware Attack appeared first on HIPAA Journal.

Premier Patient Health Care Alerts Patients About Insider Data Breach

Carrollton, TX-based Premier Patient Health Care has discovered the protected health information of 37,636 patients has been obtained by an unauthorized individual in an insider wrongdoing incident.

Premier Patient Health Care is an Accountable Care Organization (ACO) that works with physicians to improve clinical outcomes under the Medicare Shared Savings Program (MSSP). The ACO and Premier Patient Health Care are operated and run by Premier Management Company, which is a business associate of many primary care physicians who are HIPAA-covered entities.

On April 30, 2020, Wiseman Innovations, a technology vendor used by Premier Management Company, determined a former Premier Patient Health Care executive had accessed its computer system in July 2020 after the termination of employment and viewed and obtained a file containing patient data.

A review of the file confirmed it contained the protected health information of patients of primary care physicians, including full names, age, date of birth, sex, race, county, state of residence, and ZIP code along with Medicare beneficiary information such as Medicare eligibility period, spend information, and hierarchical condition category risk score.

The investigation into the breach is ongoing, but it has not been possible to date to determine what the former executive did with the file after it was acquired, although no evidence has been found to indicate any attempted or actual misuse of patient information.

As a precaution, all affected patients have been advised to be vigilant and monitor their accounts for signs of fraudulent activity. Premier said policies and procedures are being reviewed and will be updated to help prevent similar incidents in the future.

Oregon Eye Specialists Reports Breach of Employee Email Account

The Portland-OR-based optometry group, Oregon Eye Specialists, has discovered a breach of its email environment and the exposure of the protected health information of certain patients.

On August 10, 2021, suspicious activity was detected in an email account, prompting a password reset and investigation. The investigation confirmed an unauthorized individual had gained access to certain employee email accounts from June 29, 2021 to August 30, 2021. A review of those accounts revealed they contained protected health information such as names, dates of birth, dates of service, medical record numbers, financial information, and health insurance information, including provider name and policy number.

No evidence has been found of any actual or attempted misuse of patient data at this stage but affected individuals have been advised to monitor their account and explanation of benefits statements for suspicious activity. Credit monitoring and identity protection services are being offered to affected individuals.

It is currently unclear how many people have been affected. The post will be updated as and when further information becomes available.

The post Premier Patient Health Care Alerts Patients About Insider Data Breach appeared first on HIPAA Journal.

Elekta Faces Class Action Lawsuit over Ransomware Attack and Data Breach

A lawsuit has been filed on behalf of a former patient of Northwestern Memorial HealthCare (NMHC) against Elekta Inc. over its April 2021 ransomware attack and data breach.

Elekta, a Swedish provider of radiation medical therapies and related equipment data services, is a business associate of many U.S. healthcare providers. Hackers targeted the company’s cloud-based platform that is used to store and transmit healthcare data and were able to access the platform between April 2 and April 20, 2021. The breach was detected when the hackers deployed ransomware.

Elekta reported the attack as affecting a small percentage of its cloud customers in the United States, including NMHC. The entire oncology database of NMHC was compromised in the attack. The database contained the protected health information of 201,197 cancer patients including names, dates of birth, Social Security numbers, and healthcare data. In total, the attack affected 170 of its healthcare clients.

The lawsuit was filed in the U. S. District Court for the Northern District of Georgia on behalf of Deborah Harrington and others similarly affected by the ransomware attack. The lawsuit alleges the disclosure of protected health information was preventable, with the data breach occurring as a result of Elekta failing to implement sufficient cybersecurity policies and procedures. As a result, hackers were able to gain access to its platform and copy the sensitive data of patients.

The lawsuit alleges Elekta was negligent and failed to honor its duties to maintain adequate data security systems to reduce the risk of data breaches, adequately protect PHI on its systems, and properly monitor its data security systems for existing intrusions. It is also alleged that Elekta did not ensure agents, employees, and others with access to sensitive information employed reasonable security procedures.

The lawsuit claims Harrington and the class members have suffered damages and actual harm as a direct result of the cyberattack and they now face an increased risk of identity theft and fraud and must undertake additional security measures to protect themselves against harm.

The alleged harm suffered by Harrington and the class members includes imminent risk of future identity theft, lost time and money expended to mitigate the threat of identity theft, diminished value of personal information, and loss of privacy.

The lawsuit seeks damages, reimbursement of out-of-pocket expenses, legal costs, injunctive relief, and other and further relief as deemed appropriate by the courts.

The post Elekta Faces Class Action Lawsuit over Ransomware Attack and Data Breach appeared first on HIPAA Journal.

Ransomware Deployed 2 Minutes After Hackers Gained Access to Johnson Memorial Health’s Network

Johnson Memorial Health has announced it was the victim of a ransomware attack on October 1, 2021. The attack saw files encrypted which crippled its IT systems. Emergency protocols were immediately implemented and employees are manually recording patient information and writing prescriptions until systems can be restored.

Ransomware gangs often gain access to systems days, weeks, or even months prior to deploying ransomware. During that time, they move laterally within networks to gain access to as many systems as possible before ransomware is deployed; however, not always.

The attack on Johnson Memorial Healthcare occurred at lightning speed. According to Dr. David Dunkle, President and CEO of Johnson Memorial Health, the hackers gained access to its IT systems at 10:31 p.m. on Friday night and deployed ransomware 2 minutes later at 10:33 p.m. The hospital’s IT department detected abnormal activity around 10:40 p.m. the same evening and shut down its network at 10:45 p.m. to minimize the damage caused.

A ransom demand was issued by the attackers, but Dunkie says no payment has been made. An investigation is now underway to determine the extent of the encryption and which systems and files have been affected.

Dunkie said medical care continues to be provided to patients and surgeries and appointments are continuing as normal, although without access to computers there may be a delay with patient registration. The decision was taken to divert ambulances to alternative facilities to reduce the burden on the staff. The investigation is still in the early stages and it is currently unclear to what extent patient information has been involved.

This is the third ransomware attack to be reported by an Indiana healthcare provider recently. Schneck Medical Center in Seymour announced last week that it was attacked with ransomware, and Eskenazi Health in Indianapolis suffered a ransomware attack in August. The attacks do not appear to be related.

The post Ransomware Deployed 2 Minutes After Hackers Gained Access to Johnson Memorial Health’s Network appeared first on HIPAA Journal.

Eskenazi Health Confirms Patient Data Was Stolen in August Ransomware Attack

Indianapolis, IN-based Eskenazi Health has announced it was the victim of a ransomware attack that was detected on or around August 4, 2021.

Suspicious activity was detected and the IT team immediately shut down systems to contain the attack. Emergency protocols were implemented, with staff reverting to pen and paper to record patient data. Without access to critical IT systems the decision was taken to go on diversion and ambulances were re-routed from Health & Hospital Corporation of Marion County to alternative facilities.

An investigation was launched to determine the nature and extent of the attack. Eskenazi Health said the forensic investigation determined the hackers had first gained access to its systems on May 19, 2021 and disabled its security systems to ensure their presence in the network was not detected. The intrusion was only detected when ransomware was deployed and files started to be encrypted.

The forensic investigators confirmed the attackers had been removed from its network and systems were secure. The initial investigation into the attack indicated patient information had not been accessed or stolen by the attackers. Eskenazi Health said it did not pay the ransom and was able to recover encrypted data from backups.

On October 1, 2021, Eskenazi Health issued an update confirming new information had come to light confirming the gang behind the attack had exfiltrated files containing patient information from its systems. Some of those files have been posted on a dark web data leak site.

A review of the stolen data confirmed the files contained names, dates of birth, addresses, telephone numbers, email addresses, ages, driver’s license numbers, medical record numbers, passport numbers, Social Security numbers, face photographs, patient account numbers, credit card information, diagnoses, physician names, prescriptions, dates of service, health insurance information, and cause/date of death for deceased patients.

Notification letters are being sent to affected individuals and complimentary credit monitoring and identity theft protection services are being provided. It is currently unclear how many patients have been affected by the attack.

The post Eskenazi Health Confirms Patient Data Was Stolen in August Ransomware Attack appeared first on HIPAA Journal.

Almost 54,000 Patients Affected by OSF HealthCare Ransomware Attack

The Peoria, IL-based not-for-profit catholic health system OSF HealthCare has started notifying 53,907 patients about a cyberattack that was discovered on April 23, 2021.

OSF HealthCare said upon discovery of the breach, steps were taken to prevent further unauthorized access and a third-party forensic investigator was engaged to conduct an investigation into the attack to determine the extent of the breach. The investigator confirmed the attackers first accessed its systems on March 7, 2021 and access remained possible until April 23, 2021.

OSF HealthCare said the attackers accessed certain files on its system that related to patients of OSF HealthCare Little Company of Mary Medical Center and OSF HealthCare Saint Paul Medical Center. On August 24 it was determined the following types of patient data may have been compromised:

Names, contact information, dates of birth, Social Security numbers, driver’s license numbers, state/government ID numbers, treatment information, diagnosis information and codes, physician names, dates of service, hospital units, prescription information, medical record numbers, and Medicare/Medicaid or other health insurance information. A subset of patients also had financial account information, credit/debit card information or credentials for an online financial account exposed.

Individuals whose Social Security number or driver’s license number was compromised in the attack have been offered complimentary credit monitoring and identity protection services through Experian. OSF HealthCare says it has implemented additional safeguards and technical security measures to prevent further attacks.

The substitute breach notice on the OSF HealthCare website makes no mention of the nature of the attack, but this appears to have been a ransomware attack involving data theft, with data potentially stolen 7 months ago.

Databreaches.net says it was alerted to the publication of stolen data on a dark web leak site in June and notified OSF HealthCare about the exposure of patient data. A ransomware operation known as Xing Team claimed responsibility for the attack and uploaded data to its dark web leak site that included patients’ protected health information. Databreaches.net said “according to a counter on the site, the listing has been accessed more than 350,000 times.”

The post Almost 54,000 Patients Affected by OSF HealthCare Ransomware Attack appeared first on HIPAA Journal.

Cyberattacks Reported by Schneck Medical Center and Epilepsy Foundation of Texas

Schneck Medical Center in Seymour, IN has announced it was a victim of a cyberattack which has had an impact on organizational operations.

The attack was detected on September 29, 2021 and an announcement was made the same day. In response to the attack, all IT systems within its facilities were suspended out of an abundance of caution, and third-party cybersecurity experts have been engaged to assist with the investigation and restore its IT system as quickly as possible. Schneck Medical Center said investigations into cyberattacks and the restoration of IT systems take time to fully resolve, but steps have been taken to minimize disruption to its systems.

Schneck Medical Center said most medical services have not been affected by the attack and patients should arrive as normal for scheduled services and appointments. Patients will be notified individually if for any reason their appointment has had to be postponed as a result of the attack.

“As a team of dedicated and caring medical professionals, we understand that healthcare is about people taking care of people. We remain committed to continuing to provide exceptional care to our communities and will provide additional updates as appropriate,” said Schneck Medical Center in its breach notification.

At this stage it is unclear if patient information has been compromised. Further information will be released about the attack if the investigation confirms the attackers gained access to systems containing patient information.

PHI Potentially Compromised in Epilepsy Foundation of Texas Phishing Attack

The email account of an employee of Epilepsy Foundation of Texas has been accessed by an unauthorized individual who potentially viewed or obtained sensitive patient data. Epilepsy Foundation of Texas discovered the email account had been compromised on or around June 8, 2021 when the account was used to send fraudulent emails. The email account was immediately secured and an investigation was conducted to determine the nature and scope of the breach.

The investigation confirmed the account was breached when the employee responded to a phishing email. An analysis of the incident and review of the information in the email account was completed on September 2, 2021 and efforts were then made to obtain accurate address information for affected individuals to allow notifications to be sent. Notification letters started to be sent to affected individuals on October 1, 2021.

Epilepsy Foundation of Texas said the compromised email account contained first and last names, dates of birth, driver’s license numbers, health insurance information, financial account numbers, Social Security numbers, biometric data, payment card numbers, usernames and passwords, and medical information.

Following the attack, security protocols were reviewed and have now been enhanced. Epilepsy Foundation of Texas said it is unaware of any cases of attempted or actual misuse of patient data but has advised affected patients to exercise caution and monitor their accounts and explanation of benefits statements for signs of fraudulent activity.

The post Cyberattacks Reported by Schneck Medical Center and Epilepsy Foundation of Texas appeared first on HIPAA Journal.

Ransomware Attack on Florida Behavioral Health Service Provider Affects 19,000 Individuals

The Clearwater, FL-based non-profit behavioral health service provider Directions for Living was the victim of a ransomware attack on July 17, 2021.

Upon detection of the attack, law enforcement was notified and third-party computer forensics experts were engaged to investigate the scope of the attack and assist with remediation efforts. The investigation concluded on August 30, 2021.

A review of servers potentially accessed by the attackers confirmed they contained personal and protected health information of current and former clients, including names, addresses, dates of birth, Social Security numbers, diagnostic codes, claims information, insurance information, healthcare provider names, date of service, and certain health information. Directions for Living said its electronic medical record system was not affected and could not be accessed by the attackers and clients’ financial information was not stored on the affected servers. While personal and protected health information may have been accessed by unauthorized individuals, Directions for Living said no evidence has been found to indicate any actual or attempted misuse of that information.

“For nearly 40 years, Directions for Living has been a proud and trusted resource for those seeking a welcoming and compassionate provider of behavioral health services. We take this role, and our commitment to our community, very seriously,” said Directions for Living. “Please know that your privacy is always our top priority, and we are working diligently to respond appropriately and continue to ensure that you are protected, and your information is safe with us.”

The process of notifying affected individuals started on August 30, in accordance with the requirements of the HIPAA Breach Notification Rule. Affected individuals have been advised to be vigilant and to check their account statements, credit reports, and explanation of benefits statements for signs of fraudulent activity. Individuals whose Social Security numbers have been exposed have been offered complimentary credit monitoring and identity theft monitoring services for 12 months.

The breach report submitted the Department of Health and Human Services’ Office for Civil Rights indicates the protected health information of 19,494 individuals was stored on the affected servers.

The post Ransomware Attack on Florida Behavioral Health Service Provider Affects 19,000 Individuals appeared first on HIPAA Journal.

PHI of Navistar Health Plan Members Compromised in May 2021 Cyberattack

Lisle, IL-based Navistar Inc. has issued further notification letters to individuals affected by a security breach that was detected on May 20, 2021.

The U.S. truck manufacturer immediately implemented its cybersecurity response plan when a potential breach of its information technology systems was detected, and third-party cybersecurity experts were engaged to assist with the investigation and determine the nature and scope of the breach.

On May 31, 2021, Navistar was informed that certain data had been extracted from its systems in the attack. The investigation into the data theft confirmed on August 20, 2021 that the exfiltrated files contained the protected health information of current and former members of Navistar Health Plan and the Navistar Retiree Health Benefit and Life Insurance Plan. That information is understood to have been stolen prior to the discovery of the security breach on May 20.

Navistar said the exfiltrated data potentially included names, addresses, dates of birth, and information related to participation on the health and insurance plans, which may have included some health-related information such as the names of providers and prescriptions. A subset of individuals also had their Social Security numbers compromised.

Navistar said it has taken several actions following the security incident, including enhancing its security protocols and controls, implementing new technology, and conducting further training for the workforce. Security controls will continue to be assessed and updated as appropriate to prevent further security breaches.

Notification letters were sent to affected individuals to alert them to the data breach in early July, with the latest notification letters providing further information on the same incident, including advising additional individuals that further investigation into the security breach shoed their Social Security numbers had also been compromised.

Navistar said it is offering a 2-year complementary membership to credit monitoring and identity theft protection services to individuals who had their Social Security number compromised in the attack.

The breach was reported to the Maine Attorney General as affecting 63,126 individuals, with the breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicating the protected health information of 49,000 plan members was compromised.

The post PHI of Navistar Health Plan Members Compromised in May 2021 Cyberattack appeared first on HIPAA Journal.