HIPAA Breach News

Memorial Health System Confirms 216K Patients Affected by August 2021 Ransomware Attack

Ohio-based Memorial Health System has confirmed that the ransomware attack it experienced in August 2021 potentially involved the protected health information of 216,478 patients. The attack forced the health system to divert certain patients to other facilities and cancel some appointments to ensure patient safety. Memorial Health System announced the attack shortly after the ransomware was deployed on August 14, 2021; the subsequent investigation revealed that its network had first been breached on July 10, 2021.

The incident was promptly reported to the HHS’ Office for Civil Rights, although at the time it was not known how many individuals had been affected. Memorial Health System discovered on or around September 17, 2021, that patient data may have been involved and then conducted a comprehensive review of all affected files. The scope of the incident was determined on November 1, 2021, but it took until December 9, 2021, to confirm the individuals affected and the specific types of data involved, hence the delay in issuing notifications. Written notices were sent to affected individuals on or around January 12, 2022.

The information exposed and potentially exfiltrated included names, addresses, Social Security numbers, medical/treatment information, and health insurance information. Affected individuals have been offered a complimentary 12-month membership to Kroll’s credit monitoring service. Memorial Health System has since implemented additional safeguards to improve its security posture.

MedQuest Pharmacy Data Breach Affects 39,447 Individuals

In mid-December, MedQuest Pharmacy started notifying 39,447 patients that some of their protected health information had potentially been compromised in a cyberattack that was detected on November 18, 2021. Assisted by its parent companies – UpHealth Inc and Innovations Group – and independent cybersecurity experts, MedQuest determined the attackers first gained access to its systems on October 27, 2021, and that unauthorized access to its environment was blocked on October 30, 2021.

A comprehensive review of all affected systems revealed the following types of information had potentially been accessed and/or acquired in the attack: Names, birth dates, addresses, email addresses, telephone numbers, genders, medical record numbers, health information, prescription information, referring doctor names, date(s) of treatment, health insurance policy numbers (including Medicare or Medicaid number), and internal MedQuest patient identification number.

MedQuest said a very small number of individuals also had their Social Security Number, driver’s license number, financial account/payment card information, health insurance claim number, policy information, and/or claim/appeal information exposed. All affected individuals have been offered a complimentary 12-month membership to Equifax’s credit and identity monitoring services.

Oscar Health Plan of California Notifies Members About 3rd Party Mismailing Incident

Oscar Health Plan of California has started notifying 7,632 individuals about an error at a printing vendor that resulted in their statements being sent to another health plan member.

According to a recent press release, the error affected mailings sent between October 28, 2021, and November 16, 2021. The statements contained a limited amount of plan member information: name, claim number, health plan ID number, provider information, date(s) of service, procedure/service name, and plan name/affiliation. In each case, the statement was sent to only one other plan member.

Oscar Health Plan has worked with its printing vendor to implement additional safeguards to prevent further mailing errors and has received no reports of any misuse of plan members’ information.

The post Memorial Health System Confirms 216K Patients Affected by August 2021 Ransomware Attack appeared first on HIPAA Journal.

Entira Family Clinics and Caring Communities Send Notification Letters About Netgain’s 2020 Ransomware Attack

A Minnesota network of family medicine practices started notifying almost 200,000 patients that some of their personal and protected health information was potentially compromised in a cyberattack on a business associate more than a year ago.

Entira Family Clinics explained in the notification letters, which were sent to affected individuals on January 13, 2022, that the breach occurred at Netgain Technologies, which provides hosting and cloud IT solutions to companies in the healthcare and accounting sectors. Entira Family Clinics used Netgain’s services for hosting and email.

The healthcare provider said the information potentially compromised included names, addresses, Social Security numbers, and medical histories. In the notification letters, Entira said, “Upon discovery, we worked with our information technology (IT) support team and engaged a law firm specializing in cybersecurity and data privacy to investigate further. We have also stayed in close communication with Netgain and its breach counsel regarding Netgain’s incident response and forensic investigation.”

The investigation uncovered no evidence of actual or attempted misuse of any personal information. Entira Family Clinics said it is working to improve security and mitigate risk, and that process has involved a review and update of policies and procedures related to the security of its systems, servers, and life cycle management. A security audit was also conducted of the Netgain environment to ensure stricter security of the cloud hosting site.

Affected individuals have been offered a complimentary membership to online credit monitoring services through IDX. The breach report submitted to the Maine Attorney General indicates 199,628 individuals were affected.

The notification letters sent to affected individuals state, “We recently discovered that a data security incident on Netgain’s environment may have resulted in the unintentional exposure of your personal information,” and that “Netgain was recently the target of a cybersecurity incident.”

There was no mention of the date of the breach in the notification letters, so affected individuals would not be aware that the ransomware attack and data theft incident had occurred more than 12 months previously on November 4, 2020.

Netgain announced the data breach in December 2020, and most affected companies were notified by February 2021. Most of the affected Netgain clients sent notification letters in the spring and summer of 2021. It is unclear why there was such a long delay in Entira Family Clinics issuing notification letters, and whether this was due to late notification from Netgain.

Also this month, Caring Communities, an Illinois-based member-owned liability insurance company serving not-for-profit senior housing and care organizations, sent notification letters about the Netgain data breach. The letters were sent on January 14, 2022, and closely mirror those sent by Entira.

Caring Communities also said, “Upon discovery, we worked with our information technology (IT) support team and engaged a law firm specializing in cybersecurity and data privacy to investigate further. We have also stayed in close communication with Netgain and its breach counsel regarding Netgain’s incident response and forensic investigation.”

Caring Communities said it replaced Netgain as its hosting provider and migrated its environment to another service provider after being notified about the data breach and the same steps are being taken to improve security. Affected individuals have similarly been offered credit monitoring and identity theft protection services through IDX. It is currently unclear how many individuals have been affected. The notification letters also refer to the recent cyberattack on Netgain and do not mention when the attack occurred nor why there was such a long delay in issuing notification letters.

Jefferson Surgical Clinic Announces June 2021 Data Breach Impacting 174,769 Patients

Roanoke, VA-based Jefferson Surgical Clinic has started notifying patients that some of their protected health information has potentially been compromised in a cyberattack that was detected on June 5, 2021.

According to the breach notification letter provided to the Maine Attorney General, the attacker gained access to parts of the network that contained patient data such as names, birth dates, Social Security numbers, and health and treatment information. Jefferson Surgical Clinic promptly notified the Federal Bureau of Investigation about the breach and engaged third-party cybersecurity and forensics specialists to assist with the investigation.

The investigation uncovered no evidence to suggest any patient data has been or will be misused as a result of the security breach; however, as a precaution against identity theft and fraud, Jefferson Surgical Clinic has offered affected individuals 12 months of complimentary credit monitoring and identity theft protection services.

The Maine Attorney General was notified that the parts of the network accessed by the attacker contained the protected health information of 174,769 patients and that names or other personal identifiers were obtained in combination with Social Security numbers. No reason was provided as to why it took 7 months to issue notifications to patients and regulators.

Ransomware Attack on Non-Profit Affects 10,438 Individuals

A New Leaf, Inc., a Broken Arrow, OK, non-profit provider of services to individuals with developmental disabilities, has started notifying 10,438 individuals that some of their protected health information was potentially compromised in a March 2021 ransomware attack.

The attack was detected on March 30, 2021, when files on its network were encrypted. Assisted by a leading cybersecurity firm, A New Leaf discovered that prior to file encryption, certain files were exfiltrated from its network.

Initially, due to the nature of the incident and the systems that had been affected, it was not believed that any protected health information had been compromised, but the investigation revealed on June 23, 2021, that some of the documents obtained by the attackers did include personal and protected health information. A manual review had to be conducted to determine what information had been obtained and where the affected people resided. That review was completed on October 11, 2021, and notification letters were sent to affected individuals on December 30, 2021.

A New Leaf has offered affected individuals a 2-year membership to Experian IdentityWorks Credit 3B’s identity theft protection and credit monitoring services.

December 2021 Healthcare Data Breach Report

56 data breaches of 500 or more healthcare records were reported to the HHS’ Office for Civil Rights (OCR) in December 2021, a 17.64% decrease from the previous month. In 2021, an average of 59 data breaches were reported each month, and 712 healthcare data breaches were reported between January 1 and December 31, 2021. That sets a new record for healthcare data breaches, exceeding the 2020 total by 70 breaches, a 10.9% increase.

[Chart: 2021 healthcare data breaches]

Across December’s 56 data breaches, 2,951,901 records were exposed or impermissibly disclosed, a 24.52% increase from the previous month. At the time of posting, the OCR breach portal shows 45,706,882 healthcare records were breached in 2021, the second-highest total since OCR started publishing summaries of healthcare data breaches in 2009.

[Chart: 2021 healthcare data breaches - records breached]

Largest Healthcare Data Breaches in December 2021

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Breach Cause
Oregon Anesthesiology Group, P.C. | OR | Healthcare Provider | 750,500 | Ransomware
Texas ENT Specialists | TX | Healthcare Provider | 535,489 | Ransomware
Monongalia Health System, Inc. | WV | Healthcare Provider | 398,164 | Business Email Compromise/Phishing
BioPlus Specialty Pharmacy Services, LLC | FL | Healthcare Provider | 350,000 | Hacked network server
Florida Digestive Health Specialists, LLP | FL | Healthcare Provider | 212,509 | Business Email Compromise/Phishing
Daniel J. Edelman Holdings, Inc. | IL | Health Plan | 184,500 | Business associate hacking/IT incident
Southern Orthopaedic Associates d/b/a Orthopaedic Institute of Western Kentucky | KY | Healthcare Provider | 106,910 | Compromised email account
Fertility Centers of Illinois, PLLC | IL | Healthcare Provider | 79,943 | Hacked network server
Bansley and Kiener, LLP | IL | Business Associate | 50,119 | Ransomware
Oregon Eye Specialists | OR | Healthcare Provider | 42,612 | Compromised email accounts
MedQuest Pharmacy, Inc. | UT | Healthcare Provider | 39,447 | Hacked network server
Welfare, Pension and Annuity Funds of Local No. ONE, I.A.T.S.E. | NY | Health Plan | 20,579 | Phishing
Loyola University Medical Center | IL | Healthcare Provider | 16,934 | Compromised email account
Bansley and Kiener, LLP | IL | Business Associate | 15,814 | Ransomware
HOYA Optical Labs of America, Inc. | TX | Business Associate | 14,099 | Hacked network server
Wind River Family and Community Health Care | WY | Healthcare Provider | 12,938 | Compromised email account
Ciox Health | GA | Business Associate | 12,493 | Compromised email account
A New Leaf, Inc. | AZ | Healthcare Provider | 10,438 | Ransomware

Causes of December 2021 Healthcare Data Breaches

18 data breaches of 10,000 or more records were reported in December. The two largest, both ransomware attacks, resulted in the exposure and potential theft of a total of 1,285,989 records. Ransomware continues to pose a major threat to healthcare organizations. There have been several successful law enforcement takedowns of ransomware gangs in recent months, the most recent of which saw authorities in Russia arrest 14 members of the notorious REvil ransomware operation, but several ransomware gangs are still targeting the healthcare sector. They include Mespinoza, about which the HHS’ Health Sector Cybersecurity Coordination Center (HC3) issued a warning this month due to the high risk of attacks.

Phishing attacks continue to result in the exposure of large amounts of healthcare data. In December, email accounts were breached that contained the ePHI of 807,984 individuals. The phishing attack on Monongalia Health System gave unauthorized individuals access to email accounts containing 398,164 records.

8 of the largest breaches of the month involved compromised email accounts, two of which were business email compromise attacks where accounts were accessed through a phishing campaign and then used to send requests for changes to bank account information for upcoming payments.

[Chart: Causes of December 2021 healthcare data breaches]

Throughout 2021, hacking and other IT incidents dominated the breach reports, and December was no different. 82.14% of the breaches reported in December were hacking/IT incidents, and those breaches accounted for 91.84% of the records breached in December, 2,711,080 records in total. The average breach size was 58,937 records and the median breach size was 4,563 records. The largest hacking incident resulted in the exposure of the protected health information of 750,500 individuals.

The number of unauthorized access and disclosure incidents has been much lower in 2021 than in previous years. In December there were only 5 reported unauthorized access/disclosure incidents involving 234,476 records. The average breach size was 46,895 records and the median breach size was 4,109 records.

There were two reported cases of the loss of paper/films containing the PHI of 3,081 individuals and two cases of theft of paper/films containing the PHI of 2,129 individuals. There was also one breach involving the improper disposal of a portable electronic device containing the ePHI of 934 patients.

As the chart below shows, the most common location of breached PHI was network servers, followed by email accounts.

[Chart: Location of breached PHI in December 2021 healthcare data breaches]

HIPAA Regulated Entities Reporting Data Breaches in December 2021

Healthcare providers suffered the most data breaches in December, with 36 breaches reported. There were 11 breaches reported by health plans, and 9 breaches reported by business associates. Six breaches were reported by healthcare providers (3) and health plans (3) that occurred at business associates. The adjusted figures are shown in the pie chart below.

[Chart: December 2021 healthcare data breaches by HIPAA-regulated entity type]

December 2021 Healthcare Data Breaches by U.S. State

Illinois was the worst affected state with 11 data breaches, four of which were reported by the accountancy firm Bansley and Kiener and related to the same incident, a ransomware attack that occurred in December 2020. The firm is now facing a lawsuit over the incident and the late notification of affected individuals, which came 12 months after the attack was discovered.

State | Number of Breaches
Illinois | 11
Indiana | 5
Florida, Oklahoma, and Texas | 4 each
Arizona | 3
California, Georgia, Kansas, Michigan, New York, Oregon, Utah, and Virginia | 2 each
Alabama, Colorado, Kentucky, Maryland, North Carolina, Rhode Island, Wisconsin, West Virginia, and Wyoming | 1 each

HIPAA Enforcement Activity in December 2021

There were no further HIPAA penalties imposed by the HHS’ Office for Civil Rights in December. The year closed with a total of 14 financial penalties paid to OCR to resolve violations of the HIPAA Rules. 13 of the cases were settled with OCR, and one civil monetary penalty was imposed. 12 of the OCR enforcement actions were for violations of the HIPAA Right of Access.

The New Jersey Attorney General imposed a $425,000 financial penalty on Regional Cancer Care Associates, which covered three separate Hackensack healthcare providers – Regional Cancer Care Associates LLC, RCCA MSO LLC, and RCCA MD LLC – that operate healthcare facilities in 30 locations in Connecticut, New Jersey, and Maryland.

The New Jersey Attorney General and the New Jersey Division of Consumer Affairs investigated a breach of the email accounts of several employees between April and June 2019 involving the protected health information of 105,000 individuals and a subsequent breach when the breach notification letters were sent to affected individuals’ next of kin in error.

The companies were alleged to have violated HIPAA and the New Jersey Consumer Fraud Act by failing to ensure the confidentiality, integrity, and availability of patient data, failing to protect against reasonably anticipated threats to the security or integrity of that data, failing to implement security measures to reduce risks and vulnerabilities to an acceptable level, failing to conduct an accurate and comprehensive risk assessment, and failing to implement a security awareness and training program for all members of the workforce. The case was settled with no admission of liability. There were four HIPAA enforcement actions by state attorneys general in 2021; New Jersey was involved in three of them.

Accellion Proposes $8.1 Million Settlement to Resolve Class Action FTA Data Breach Lawsuit

The Palo Alto, CA-based technology firm Accellion has proposed an $8.1 million settlement to resolve a class action data breach lawsuit filed on behalf of victims of the December 2020 cyberattack on the Accellion File Transfer Appliance (FTA).

The Accellion FTA is a legacy solution that is used for securely transferring files that are too large to be sent via email. The Accellion FTA had been in use for more than 20 years and was at end-of-life, with support due to end on April 30, 2021. Accellion had developed a new platform, Kiteworks, and customers were encouraged to upgrade from the legacy solution; however, a significant number of entities were still using the FTA solution at the time of the cyberattack.

In December 2020, two previously unknown Advanced Persistent Threat (APT) groups, linked to FIN11 and the CLOP ransomware gang, exploited then-unpatched zero-day vulnerabilities in the Accellion FTA, gained access to the files of Accellion’s clients, and exfiltrated a significant amount of data. Following the breach, four vulnerabilities associated with the attack were disclosed and assigned CVEs.

Accellion clients affected by the breach included banks, law firms, universities, and healthcare organizations. Many of the files belonging to healthcare organizations contained sensitive patient and health plan member data. Healthcare organizations affected by the breach include Health Net Community Solutions, Health Net of California, California Health & Wellness, Trinity Health, The University of California, Stanford University School of Medicine, University of Miami Health, Kroger, Trillium, Community Health Plan, Arizona Complete Health, CalViva Health, and Health Employees’ Pension Plan.

Following the attack, several lawsuits were filed against Accellion and its clients over the data breach. The class action lawsuit against Accellion alleged the company had failed to implement and maintain appropriate data security practices to protect the sensitive data of its clients, failed to detect security vulnerabilities in the Accellion FTA, failed to disclose its security practices were inadequate and failed to prevent the data breach. As a result of the attack, highly sensitive information was stolen, including names, contact information, dates of birth, Social Security numbers, driver’s license numbers, and healthcare data.

Accellion denied all of the allegations in the lawsuit and accepted no liability for the data breach. The company said in the settlement agreement that it is not responsible for managing, updating, and maintaining customers’ instances of the FTA software, that it does not collect any customer data or access the content of files shared or stored via the FTA solution, and that it provided no guarantees to customers that the FTA software was secure.

It is unclear how many individuals will be covered by the settlement, but the number is certainly in excess of 9.2 million individuals. Accellion will attempt to obtain up-to-date contact information for those individuals in order to send notices of the proposed settlement. The proposed settlement includes a cash fund of $8.1 million to cover claims, notices, administration costs, and service awards to affected users of the Accellion FTA. $4.6 million of the fund will be made available within 10 days, with the remainder made available within 10 days of the settlement being approved.

Affected individuals will be entitled to sign up for 24 months of three-bureau credit monitoring and insurance services, or receive reimbursement for documented losses up to a maximum value of $10,000, or receive a cash payment, which is expected to be in the region of $15 to $50. Accellion will also fully retire the Accellion FTA and take steps to ensure the security of its replacement Kiteworks solution. Those measures include increasing its bug bounty program, maintaining FedRAMP certification, employing individuals with responsibility for cybersecurity, providing cybersecurity training to its workforce, and undergoing regular assessments to confirm continued compliance with the cybersecurity measures outlined in the settlement.

The proposed settlement will resolve all claims against Accellion only. There are still lawsuits and settlements outstanding against clients affected by the breach. The supermarket chain Kroger has proposed a $5 million settlement to resolve lawsuits filed on behalf of the 3.8 million employees and customers affected by the breach.

Online Pharmacy Notifies 105,000 Patients About Cyberattack and Potential Theft of PHI

The Auburndale, FL-based digital pharmacy and health app developer Ravkoo has started notifying certain patients that some of their sensitive personal information has been exposed and potentially obtained by an unauthorized individual.

Ravkoo hosts its online prescription portal on Amazon Web Services (AWS). The portal was targeted in a cyberattack that was detected on September 27, 2021. Upon discovery of the security breach, steps were immediately taken to secure the portal and third-party cybersecurity experts were engaged to assist with the forensic investigation, mitigation, restoration, and remediation efforts.

The investigation confirmed that sensitive patient data had been exposed and may have been compromised, including names, addresses, phone numbers, certain prescription information, and limited medical data. Ravkoo said the affected portal does not store Social Security numbers. The forensic investigation did not uncover any evidence that information contained within the portal has been or will be misused.

Ravkoo has reported the cyberattack to the Federal Bureau of Investigation (FBI) and is assisting with the investigation. Ravkoo has also been working with forensics experts to review the security of its AWS environment. Steps are now being taken to improve security to prevent further data breaches in the future.

The data breach has been reported to the Department of Health and Human Services’ Office for Civil Rights as affecting up to 105,000 individuals. Affected individuals are being offered complimentary access to Kroll’s online credit monitoring service as a precaution, which includes access to resolution services in the event of identity theft.

Micah Lee at The Intercept said in a September 28, 2021 tweet that a hacker had claimed responsibility for the attack on Ravkoo and said the patient portal was “hilariously easy” to hack and involved the use of a hidden admin portal that any user could log in to and request patient data.

EHR Vendor Facing Class Action Lawsuit Over 320,000-Record Data Breach

QRS, a Tennessee-based healthcare technology services company and EHR vendor, is facing a class action lawsuit over an August 2021 cyberattack in which the protected health information (PHI) of almost 320,000 patients was exposed and potentially stolen.

The investigation into the data breach confirmed a hacker had gained access to one of its dedicated patient portal servers between August 23 and August 26, 2021, and viewed and possibly obtained files containing patients’ PHI. Sensitive data stored on the server included patients’ names, addresses, birth dates, usernames, medical information, and Social Security numbers. QRS started sending notification letters to affected individuals in late October and offered identity theft protection services to individuals who had their Social Security number exposed.

On January 3, 2022, Matthew Tincher, a Frankfort, KY resident, filed a class action complaint in the U.S. District Court for the Eastern District of Tennessee against QRS. The lawsuit alleges QRS was negligent for failing to reasonably secure, monitor, and maintain the PHI and personally identifiable information (PII) stored on its patient portal.

As a result of those failures, the lawsuit alleges Tincher and class members have suffered actual, concrete, and imminent injury, including present injury and damages from identity theft, loss or diminished value of their PHI and PII, and have incurred out-of-pocket expenses from attempting to remedy the exposure of their sensitive information and have had to spend time mitigating the effects of the unauthorized data access. They also face a continued and increased risk to their PHI and PII, which were unencrypted and remain available to unauthorized parties to access and abuse.

The lawsuit also takes issue with the speed at which QRS issued breach notification letters, which were sent almost two months after the discovery of the breach. During those two months, the plaintiff and class members were unaware they had been placed at significant risk of identity theft, fraud, and personal, social, and financial harm.

The lawsuit alleges QRS had a responsibility to ensure the PHI and PII within its patient portal were appropriately protected, and the breach of its duties to protect that information amounts to negligence and/or recklessness, which violates federal and state statutes. The lawsuit claims QRS signed business associate agreements (BAAs) with its healthcare provider clients, so was aware or should have been aware of its responsibilities to ensure PHI was protected against cyberattacks. The lawsuit also lists cybersecurity measures recommended by the Cybersecurity and Infrastructure Security Agency (CISA) which should have been implemented in that regard and maintains QRS should have been aware of the high risk of being attacked due to the large number of healthcare data breaches that have been reported in recent years.

Lawsuits are often filed against healthcare organizations over data breaches that exposed sensitive information. Whether the lawsuits succeed often depends on whether the plaintiffs are able to demonstrate they have suffered actual harm as a direct consequence of the data breach. Tincher claims to have been notified about the breach on October 22, 2021, and within 3 days was the victim of actual identity theft, and that it is more likely than not that his sensitive information was exfiltrated from the QRS patient portal during the data breach.

The lawsuit alleges the total damages incurred by the plaintiff and class members exceed the minimum $5 million jurisdictional amount required by the Court, and that the Court has jurisdiction over the defendant because QRS operates and is incorporated in the district. The plaintiff and class members seek a jury trial, unspecified damages, and injunctive and equitable relief.

Disruption to Services at Maryland Department of Health Continues One Month After Ransomware Attack

Maryland Chief Information Security Officer (CISO) Chip Stewart has issued a statement confirming the disruption to services at the Maryland Department of Health (MDH) was the result of a ransomware attack.

A security breach was detected in the early hours of December 4, 2021, and prompt action was taken to isolate the affected server and contain the attack. Stewart said the Department of Information Technology successfully isolated and contained the affected systems within a matter of hours, limiting the severity of the attack. “It is in part because of this swift response that we have not identified, to this point in our ongoing investigation, evidence of the unauthorized access to or acquisition of State data,” said Stewart in a statement issued on January 12, 2022.

According to Stewart, there was an attempted distributed-denial-of-service (DDoS) attack shortly after the ransomware attack; however, that attack was not successful. Evidence gathered during the investigation of the ransomware and DDoS attacks indicates they were conducted by different threat actors.

Stewart said he reported the incident to the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), activated the state’s cybersecurity insurance policy through the State Treasurer’s Office, and engaged third-party forensic investigators to assist with the investigation and response and recovery efforts. “The companies and personnel provided by the insurance policy are widely regarded as the best in the industry,” said Stewart.

The response to the ransomware attack required systems to be taken offline, sites on the network to be isolated from each other, and external access to resources, both over the Internet and by third parties, to be blocked. This containment approach limited the ability of state employees to use computers and access shared resources, and more than a month after the attack some services continue to face disruption. While the response and recovery approach has caused ongoing disruption, Stewart said it was necessary to protect the state's network and the citizens of Maryland and was important to prevent reinfection.

Atif Chaudhry, MDH Deputy Secretary for Operations, said a major focus in the aftermath of the attack was to ensure business and service continuity, which involved implementing the FEMA Incident Command System (ICS). “Under this ICS system, we formed a Unified Command Structure to address the incident. This permits MDH and DoIT to jointly collaborate to manage and address all incident-related matters. DoIT provides the technical expertise and is taking the lead on network security and IT system recovery efforts,” said Chaudhry.

MDH faced a shortage of equipment in the aftermath of the attack, which meant employees have had to share computers at work. To address the problem, Chaudhry said MDH ordered an additional 2,400 laptop computers and a further 3,000 will be ordered this week. Additional IT equipment, such as wireless access points and printers, has also been ordered to ensure employees have the equipment they need to do their jobs. Further, alternative processes have been implemented to ensure staff can serve the most urgent needs of the public, including a migration to Google Workspace, which has provided employees with a suite of online tools unaffected by the ransomware attack so that they can collaborate and save and share critical files.

The attack has caused disruption to the state's pandemic response. On January 12, 2022, MDH said it had restored around 95% of state-level surveillance data and is working to restore the complete COVID-19 dataset. Reports will be updated at the earliest opportunity.

The post Disruption to Services at Maryland Department of Health Continues One Month After Ransomware Attack appeared first on HIPAA Journal.

PHI of Anthem Members and Advocate Aurora Health Patients Potentially Compromised

Anthem Inc. has alerted 2,003 members that some of their protected health information has potentially been viewed or obtained by an unauthorized individual who gained access to the network of one of its business associates.

Anthem works with the Atlanta, GA-based insurance broker OneDigital, which supports individuals enrolled in group health plans in procuring and managing their health insurance. OneDigital had been provided with the protected health information of certain members to assist them, or their current or former employer, in obtaining and managing their health insurance plan.

On November 24, 2021, Anthem was notified by OneDigital about a network server hacking incident that occurred in January 2021. Anthem said the investigation into the breach did not uncover any direct evidence of unauthorized viewing or theft of protected health information, but those activities could not be ruled out.

The types of data stored on the compromised systems included names, addresses, dates of birth, healthcare provider names, health insurance numbers, group numbers, dates and types of health care services, medical record numbers, lab test results, prescription information, payment information, claims information, Social Security numbers, and driver’s license numbers.

Affected individuals have been offered complimentary credit monitoring and identity theft protection services for 12 months. Anthem said it is working with OneDigital to reduce the risk of similar breaches occurring in the future.

Billing Error Results in Exposure of the PHI of More Than 1,700 Advocate Aurora Health Patients

Advocate Aurora Health, an Illinois-based 26-hospital health system, has notified more than 1,700 patients that some of their protected health information has potentially been compromised.

On or around July 29, 2021, billing statements were prepared and mailed to patients, but they did not reach their intended recipients. The statements contained a limited amount of protected health information, such as patients' names, dates of service, the types of services provided, the name of the healthcare provider they visited, and visit account numbers.

Advocate Aurora Health discovered the billing error on October 29, 2021. The subsequent investigation revealed there had been an accidental change to its billing software that went unnoticed, which resulted in statements being mailed to the wrong address. Advocate Aurora Health said it has not received any reports of attempted or actual misuse of any patient data as a result of the incident, but patients have been notified by mail as a precaution and have been offered complimentary credit monitoring services.

Advocate Aurora Health said it is making changes to its internal processes and technology to prevent similar breaches in the future. The breach was reported to the HHS’ Office for Civil Rights as affecting 1,729 individuals.

The post PHI of Anthem Members and Advocate Aurora Health Patients Potentially Compromised appeared first on HIPAA Journal.