HIPAA Breach News

Health Plan Member Portals Accessed Using Stolen Credentials

The Philadelphia-based health plan, Independence Blue Cross, and AmeriHealth HMO, Inc. and AmeriHealth Insurance Company of New Jersey have discovered unauthorized individuals gained access to pages in their member portals between March 17, 2020 and April 30, 2020 and potentially viewed the personal and protected health information of some of their members.

The types of information exposed included names, member identification numbers, plan type, spending account balances, user reward summaries, and claims information.

An investigation into the breach revealed valid credentials had been used to access the portal. In all cases, the passwords used to access the member portals had been obtained as a result of breaches of third-party websites and applications, such as the breach of MyFitnessPal in 2018. The passwords for those third-party websites had been reused on the member portals.

The health plans were informed of the breach on May 8, 2020 and immediately took steps to secure the accounts and prevent further unauthorized access. All affected members have now been notified and have been offered 24 months of free credit monitoring and identity theft protection services.

49,500 Providence Health Plan Members Affected by Business Associate Data Breach

49,511 members of the Oregon-based Providence Health Plan have been affected by a data breach at one of its business associates.

On April 17, 2020, Brooklyn-based Zipari alerted Providence Health Plan about a coding error that allowed documents related to employer-sponsored health plans to be exposed online. The coding error was detected by Zipari on April 9, 2020. The investigation revealed the documents had been accessed by unauthorized individuals in May, September, and November 2019. The documents contained member names, employer names, and dates of birth. No other information was compromised.

The breach prompted Providence Health Plan to arrange a third-party audit of Zipari’s data security practices. Affected plan members have been offered complimentary credit monitoring services.

Central California Alliance for Health Discovers ‘Many’ Email Accounts Breached

On May 7, 2020, Central California Alliance for Health (CCAH) discovered an unauthorized individual gained access to the email accounts of some of its employees and potentially viewed and obtained the protected health information of some of its members. According to the breach notice submitted to the California Attorney General’s office, many CCAH email accounts were subjected to unauthorized access for about one hour.

A review of the compromised email accounts revealed they contained names, dates of birth, demographic information, Medi-Cal ID numbers, Alliance Care Management Program records, claims information, medical information, and referral information.

A full password reset was performed on all CCAH email accounts and further training has been provided to the workforce on email security. CCAH is unaware of any misuse of members' information.

The post Health Plan Member Portals Accessed Using Stolen Credentials appeared first on HIPAA Journal.

Up to 58,000 Individuals Impacted by Healthcare Fiscal Management Ransomware Attack

Healthcare Fiscal Management Inc. (HFMI), a Wilmington, NC-based provider of self-pay conversion and insurance eligibility services to hospitals, clinics and physician groups, has experienced a ransomware attack in which the personal and protected health information of patients of St. Mary’s Health Care System in Athens, GA may have been accessed or obtained by the attackers.

An unauthorized individual gained access to HFMI systems on April 12, 2020 and deployed a ransomware payload the following day which encrypted data on its systems. The systems accessed by the attacker were found to contain the personal and protected health information of patients who received healthcare services at St. Mary’s between November 2019 and April 2020.

In total, the data of approximately 58,000 patients may have been accessed and obtained by the attackers, although data access/theft could not be confirmed. The PHI stored on the compromised systems was limited to names, dates of birth, Social Security numbers, account numbers, medical record numbers, and dates of service.

HFMI had prepared for such an event and had viable backups that were used to restore data the same day to a different hosting provider and a forensic investigation firm was engaged to investigate the breach. The forensic investigators confirmed the data is not in the possession of the attackers and is not accessible over the internet.

Security experts have been reviewing security controls and, based on their recommendations, steps will be taken to strengthen security. HFMI has offered all affected individuals complimentary credit monitoring and identity theft protection services as a precaution against identity theft and fraud.

Friendship Community Care Phishing Attack Impacts 9,745 Patients

Russellville, AR-based Friendship Community Care (FCC), a nonprofit provider of care for adults and children with disabilities, fell victim to a phishing attack in January 2020.

The breach was discovered on February 4, 2020 when suspicious activity was detected in an employee’s email account. Forensic investigators assisted with the investigation and determined on February 5, 2020 that an unauthorized individual had gained access to the email account, but further investigation revealed several Office 365 email accounts had been compromised using credentials obtained in the phishing attack.

FCC learned on February 7, 2020 that the email accounts contained protected health information. A comprehensive review of the email accounts confirmed that the PHI of 9,745 individuals may have been accessed, although no evidence was found to suggest emails were viewed or obtained by the attacker.

The compromised accounts contained names, addresses, dates of birth, Social Security numbers, client ID numbers, Medicare IDs/Medicaid IDs, employer ID numbers, patient numbers, medical information, driver’s license numbers, state ID card numbers, student ID numbers, financial account information, mother’s maiden names, birth certificates, marriage certificates, disability codes, and facial photographs.

Affected individuals have been offered complimentary credit monitoring and identity protection services. A review of email security was conducted, and steps are being taken to enhance security to prevent similar breaches in the future.


30,000 Patients’ PHI Exposed in NC and TX Phishing Attacks

Claremont, NC-based Choice Health Management Services, a provider of rehabilitation services and operator of several nursing homes in North and South Carolina, has experienced an email security breach affecting employees, and current and former patients.

The security breach was detected in late 2019 when suspicious activity was detected in the email accounts of some of its employees. An internal investigation was launched which determined on January 17, 2020 that the email accounts of 17 employees had been subjected to unauthorized access. Since it was not possible to determine which emails and/or email attachments had been opened by the attackers, a third-party firm was engaged to assist with the investigation. While the review concluded on March 27, 2020 that the compromised accounts contained sensitive information, it was unclear which facilities affected individuals had visited for treatment. It took until May 12, 2020 to tie those individuals to a particular facility.

The compromised accounts contained a wide range of sensitive information including names, dates of birth, Social Security numbers, driver’s license numbers, passport numbers, credit card information, financial account information, employer identification number, username with password or associated security questions, email address with password or associated security questions, date of service, provider name, medical record number, patient number, medical information, diagnostic or treatment information, surgical information, medications, and/or health insurance information.

Notifications have been sent to affected patients and steps have been taken to improve security to prevent future data breaches. The HHS’ Office for Civil Rights breach portal indicates 11,650 individuals were affected.

19,000 Patients Affected by Phishing Attack on Houston Health Clinic

The Houston, TX federally qualified health center, Legacy Community Health, is notifying approximately 19,000 patients that some of their protected health information may have been accessed by an unauthorized individual who gained access to the email account of one of its employees.

On April 10, 2020, an employee responded to an email believing it to be a legitimate request and disclosed credentials that allowed their email account to be accessed. The breach was discovered on April 16, 2020 and the email account was immediately secured.

Assisted by a third-party computer forensics firm, Legacy Community Health confirmed the breach was limited to one email account which was found to contain patient names, dates of service, and health information related to the care provided at its clinics.

The investigation into the breach is ongoing and notifications will soon be sent to all individuals whose information has been exposed. At this stage, no evidence has been found to suggest any patient information was obtained or misused.

Legacy Community Health is taking steps to improve email security and has enabled multi-factor authentication on its email accounts. Further training has also been provided to staff to help them identify and avoid phishing emails.


$185,000 Settlement Proposed to Resolve Grays Harbor Community Hospital Ransomware Lawsuit

A proposed settlement has been agreed between Grays Harbor Community Hospital and Harbor Medical Group and the representative plaintiff in a proposed class action lawsuit over a June 2019 ransomware attack that resulted in the encryption of patient data.

The settlement was negotiated by the plaintiff and Grays Harbor to avoid the uncertainty of a trial and the costs of further litigation. The settlement was not decided in favor of either party by the Court.

The ransomware attack that prompted the lawsuit was detected in June 2019. The Washington healthcare provider powered down its systems to contain the virus that had prevented servers from being accessed, but not in time to prevent its computer systems from being encrypted. Grays Harbor had backed up its data for such an eventuality, but the backup files were also encrypted in the attack. The attack took its electronic health record system offline for around two months.

A ransom of $1 million was demanded by the attackers for the keys to decrypt the data. Grays Harbor had an insurance policy that provided cover of up to $1 million, although it is unclear whether that insurance policy paid out and whether the ransom was paid. Regardless, it was not possible to recover all data encrypted in the attack and some patients’ protected health information was not recovered.

The lawsuit alleged violations of the Washington State Consumer Privacy Act, the Washington State Uniform Healthcare Information Act, the Washington State Consumer Privacy Act, the state Constitution’s Right to Privacy, that Grays Harbor Community Hospital and Harbor Medical Group were negligent for failing to protect the privacy of patients, breach of express contract, breach of implied contract, and intrusion upon seclusion/invasion of privacy.

Grays Harbor Community Hospital and Harbor Medical Group agreed to the settlement with no admission of liability. All claims stated in the lawsuit have been denied.

Grays Harbor Community Hospital and Harbor Medical Group proposed a settlement of $185,000 to cover the claims of the 88,000 patients affected by the ransomware attack. Affected patients can submit claims up to a maximum of $210 per person to cover out-of-pocket monetary losses incurred as a result of the breach and up to three hours of documented lost time dealing with the fallout from the breach at a rate of $15 per hour.

Claims up to $2,500 will also be accepted to cover provable other losses incurred that were more likely than not due to the ransomware attack. All available credit monitoring insurance and identity theft insurance must be exhausted before Grays Harbor is responsible for any larger payouts. If the claims exceed $185,000 they will be paid pro rata to reduce costs.

Class members have until July 27, 2020 to exclude themselves from the settlement or submit an objection. A fairness hearing has been scheduled for August 31, 2020. To receive a share of the settlement fund, a claim must be submitted by December 23, 2020.

Following the ransomware attack, steps were taken to improve security and more than $300,000 has been invested in information security. A further $60,000 will be spent on security improvements over the next three years.

This is the second data breach settlement to be announced this week. A settlement was also proposed by UnityPoint Health to resolve a lawsuit filed by victims of two 2018 phishing-related data breaches. That settlement will see UnityPoint Health make a minimum of $2.8 million available to cover claims and, very unusually, no cap has been placed on claims payments, so the final settlement amount could be substantial.


Extent of Magellan Health Ransomware Becomes Clear: More Than 364,000 Individuals Affected

HIPAA Journal previously reported on an April 2020 ransomware attack on Magellan Health. Further information on the attack has now been released that shows the scale of the attack.

The incident has now been listed on the HHS’ Office for Civil Rights breach portal as affecting 6 Magellan entities, each of which has reported the incident separately. Several other entities have also submitted breach reports confirming their patients and subscribers have also been affected.

It is too early to tell exactly how many individuals have been affected by the ransomware attack, but the total as of July 1, 2020 exceeds 364,000, making the attack the third largest healthcare data breach to be reported in 2020. There may still be some entities that have yet to report the breach.

Entities known to have been impacted by the breach are listed in the table below.

| Affected Entity | Entity Type | Individuals Affected |
|---|---|---|
| Magellan Healthcare, Maryland | Business Associate | 50,410 |
| Magellan Complete Care of Florida | Health Plan | 76,236 |
| Magellan Rx Pharmacy | Healthcare Provider | 33,040 |
| Magellan Complete Care of Virginia | Health Plan | 3,568 |
| Merit Health Insurance Company | Health Plan | 102,748 |
| National Imaging Associates | Business Associate | 22,560 |
| University of Florida Jacksonville | Healthcare Provider | 54,002 |
| University of Florida, Health Shands | Healthcare Provider | 13,146 |
| University of Florida | Healthcare Provider | 9,182 |
| Total | | 364,892 |

In contrast to many of the healthcare ransomware attacks that have been reported in recent weeks, where access to networks was gained through brute force attacks on remote desktop services or the exploitation of vulnerabilities in VPNs, this attack started with a spear phishing email in which a Magellan client was impersonated. That email was sent on April 6 and the ransomware was deployed less than a week later.

Magellan explained in its substitute breach notification letter sent to the California Attorney General’s Office that the attacker downloaded malware that was designed to steal login credentials and passwords, and gained access to a single Magellan corporate server and stole employee information. The data stolen in the attack related to current employees and included the following data elements: Address, employee ID number, and W-2 or 1099 details such as Social Security number or Taxpayer ID number. For a limited number of employees, usernames and passwords were also obtained.

The notice of security incident on the Magellan Health websites confirms patients of Magellan Health and its subsidiaries and affiliates were also impacted, and the following types of data were exposed: Treatment information, health insurance account information, member ID, other health-related information, email addresses, phone numbers, and physical addresses. In certain instances, Social Security numbers were also affected.

The June 12, 2020 website notice does not say whether protected health information was also stolen in the attack. In all cases, Magellan Health says no evidence has been uncovered to date to suggest any patient or employee information has been misused.


UnityPoint Health Proposes $2.8 Million+ Settlement to Resolve Class Action Data Breach Lawsuit

Des Moines, Iowa-based UnityPoint Health has agreed to settle a proposed class action lawsuit filed by victims of two phishing attacks in 2017 and 2018 that saw the protected health information of 1.4 million patients exposed.

The first phishing attack occurred in November 2017 and was discovered on February 15, 2018. The attackers had access to the email accounts of certain employees of its Madison campus for more than 3 months and potentially obtained the protected health information of approximately 16,429 patients. Patients were notified about the breach in April 2018.

The second phishing attack was much more extensive. The campaign saw a UnityPoint executive impersonated in March 2018, and several employees responded to the message and disclosed their login credentials. The breach was detected in May 2018 and the investigation revealed the compromised email accounts contained the protected health information of 1.4 million patients, making it the second largest healthcare data breach to be reported in 2018. The attackers had access to the email accounts for almost a month before the breach was detected and the email accounts were secured. Notification letters were sent to affected individuals in August 2018.

A lawsuit was filed soon after the announcement about the breach was made. The lawsuit alleged UnityPoint Health mishandled the breach and misrepresented the nature, breadth, scope, harm, and cost of the breach. It was alleged that UnityPoint Health did not notify affected individuals within the 60-day time frame demanded by the HIPAA Breach Notification Rule and when notifications were issued, patients were not informed that their Social Security numbers had been exposed.

In the breach notification letters, UnityPoint Health explained that no evidence was found to suggest the protected health information exposed in the attack was or will be used for unintended purposes, suggesting affected patients were not placed at risk. UnityPoint Health also failed to offer breach victims credit monitoring or identity theft protection services, even though Social Security numbers and driver’s license numbers had been exposed.

UnityPoint Health attempted to have the lawsuit dismissed and was partially successful. In July 2019, a US District Court Judge dismissed some of the claims in the lawsuit, although other claims were allowed to proceed. The judge ruled that the plaintiffs alleged facts sufficient to establish there was an objectively reasonable likelihood of future identity theft.

A settlement was proposed on June 26, 2020 to resolve the lawsuit and will provide victims with monetary and injunctive relief. Under the terms of the proposed settlement, UnityPoint Health has agreed to make a minimum of $2.8 million available to class members to cover claims. Each affected individual can submit a claim of up to $1,000 to cover documented ordinary out-of-pocket expenses such as credit monitoring and identity theft protection services, and up to 3 hours in lost time charged at $15 per hour.

A claim of up to $6,000 can be made per person to cover extraordinary expenses, which include documented out-of-pocket expenses and up to 10 hours per person at $15 per hour for time lost arranging credit monitoring services, credit freezes, and other actions taken as a result of the breach. In contrast to most data breach settlements, UnityPoint Health has not placed a cap on extraordinary expenses claims, so UnityPoint Health will cover actual losses if breach victims submit a valid claim. All victims will also be entitled to a year’s membership to credit monitoring and identity theft protection services and will be protected by a $1 million insurance policy against identity theft. The credit monitoring services and insurance policy are estimated to cost around $200 per class member.

The four breach victims named in the lawsuit will also be entitled to claim an additional $2,500 per person. The full costs of notice and claims administration and attorney fees will be paid by UnityPoint Health up to a maximum value of $1.58 million.

UnityPoint Health has also agreed to make improvements to network and data security and will undergo an annual audit by a third-party security firm to ensure that security measures are adequate, and the healthcare provider is complying with its security policies.

Given the lack of a cap on claims, this could turn out to be one of the largest ever healthcare data breach settlements. The settlement will now need to be approved by a judge and could be finalized by the end of the year.


Breaches Reported by St. Luke’s Health-Memorial Lufkin, RiverPointe Post Acute, and Iowa Total Care

CHI St. Luke’s Health-Memorial Lufkin in Texas has started notifying patients that some of their protected health information may have been accessed by an unauthorized individual.

St. Luke’s threat management team investigated a security breach involving a network server on March 25, 2020. Third-party vendors conducted a forensic investigation and determined on April 23, 2020 that the email accounts of two employees may have been accessed by an unapproved outside party.

The investigation did not uncover evidence confirming unauthorized PHI access or data theft, but the possibility could not be ruled out. The email accounts contained names, diagnosis information, dates of services, and facility account numbers. Based on the investigation, St. Luke’s does not believe patient data has been used inappropriately but has offered certain patients complimentary credit monitoring services through Experian as a precaution.

The security breach was thoroughly investigated, data access logs were checked, and a threat intelligence analysis was performed. All passwords were reset across the facility, hardware has been replaced and upgraded, changes have been made to software to improve security, and processes for accessing the network have been changed.

The breach has yet to appear on the HHS’ Office for Civil Rights breach portal so it is currently unclear how many patients have been affected.

RiverPointe Post Acute Reports Loss of 633 Patients’ PHI

RiverPointe Post Acute in Carmichael, CA has notified 633 nursing home residents that some of their protected health information has been exposed. A USB storage device containing names, insurance ID numbers, and some Social Security numbers was sent in the mail but was lost in transit. When the device was not received, the loss was reported to the postal service and a search was performed, but the storage device could not be located.

While no specific evidence was uncovered to indicate the device was obtained by an unauthorized individual, affected residents have been offered complimentary identity theft protection services as a precaution. Further training has now been provided to employees on data security.

Email Error Exposed PHI of 11,500 Iowa Total Care Members

Iowa Total Care has discovered the protected health information of thousands of patients has been impermissibly disclosed by an employee. On April 29, 2020, an employee sent an Excel spreadsheet containing claims data to a large provider organization. The file contained the protected health information of patients who had not received medical care at that organization.

The spreadsheet contained names, Medicaid ID numbers, dates of birth, and procedure and diagnosis codes of 11,581 patients. The provider is a HIPAA covered entity and so is aware of the need to safeguard protected health information; it has confirmed that the spreadsheet was deleted and had not been shared or copied.

Iowa Total Care has re-educated the employee concerned and has implemented additional safeguards to prevent similar errors in the future.


Georgia Hospital Accused of Falsification of COVID-19 Test Results Suspends Employees Over Suspected HIPAA Breach

Landmark Hospital of Athens in Georgia has suspended three employees who are suspected of accessing, copying or disclosing patient records. The potential HIPAA breach may be linked to a lawsuit that was filed against the 42-bed hospital on June 22, 2020 by four nurses who allege the hospital has been falsifying COVID-19 test results in what they describe as a “COVID-19 coverup”.

The nurses allege that five of their patients had tested positive for COVID-19 after displaying symptoms and after the positive result, the hospital administrator reordered COVID-19 tests for those patients. The nurses allege that for the retests, samples were intentionally collected without following proper sampling protocols. They claim that this was done deliberately to reduce the chance of a positive test result.

The nurses, who are named as Jane Doe and John Doe in the lawsuit, are seeking immediate court intervention “to stop the hospital concealing and mishandling a COVID-19 outbreak in the facility.” The nurses also want the hospital to temporarily stop receiving and discharging patients. The nurses also seek damages as they claim they have been unnecessarily exposed to COVID-19.

The nurses allege the falsification of COVID-19 test results allowed patients to be discharged, freeing up beds for other patients so the hospital could continue to bill Medicare for services and maintain patient volume.

The lawsuit alleges the patients who had tested positive were not isolated from other patients and no PPE was provided to nurses treating those patients. They also claim that the air conditioning system was not working for the period of time the patients were in the facility. Mobile air conditioners are used which take air from patient rooms and blow it into corridors, which they claim increased the risk of other patients and staff members contracting COVID-19. The air conditioning system uses dry hydrogen peroxide to reduce the risk of contaminants being circulated.

The nurses claim they voiced their concerns to Landmark’s administration, but no action was taken, hence the legal action. They allege the actions of the hospital have created a public health risk and placed patients, hospital employees, and their families at risk.

Marie Saylor, CEO of Landmark Hospital of Athens, issued a statement saying the hospital will “vigorously investigate allegations and defend our hospital and its staff against misleading and false claims… we have always made the safety and well-being of our patients and staff our top priority, and continue to do so as we manage the local impact of the COVID-19 pandemic.”


Ransomware Attacks Reported by North Shore Pain Management & Florida Orthopaedic Institute

North Shore Pain Management (NSPM) in Massachusetts has started notifying 12,472 patients that some of their protected health information has been stolen by hackers. The breach was detected on April 21, 2020 and the investigation confirmed that the attackers first gained access to its systems on April 16, 2020.

The substitute breach notice on the NSPM website does not provide details about the nature of the attack, but it has been independently confirmed by Emsisoft and databreaches.net as a ransomware attack involving AKO ransomware. The gang responsible for the attack dumped 4GB of data stolen in the attack on their Tor site when the ransom demand was not paid.

The dumped files contain a range of sensitive data on employees and patients. The NSPM breach notice confirms the files stolen in the attack contained patient names, dates of birth, health insurance information, account balances, financial information, diagnosis and treatment information, and for certain patients, ultrasound and MRI images. Social Security numbers were also obtained for patients whose SSN is used as their health insurance/member number.

Since the stolen data has been exposed online and is in the hands of cybercriminals, affected patients have been advised to monitor their financial statements and explanation of benefits statements closely for any sign of misuse of their data. Patients whose Social Security number was compromised have been offered complimentary credit monitoring and identity theft protection services. NSPM has now retained a new IT management vendor and is taking steps to enhance cybersecurity.

The AKO ransomware operators, like many groups that manually deploy ransomware, steal data prior to file encryption to increase the chance of a ransom being paid. The AKO gang often requires two ransom payments to be paid. One covers the cost of the decryptor and a second payment is often required to ensure any data stolen in the attack is deleted. Lawrence Abrams of Bleeping Computer has been in touch with the gang who said two ransom demands are issued to companies with large revenues. The ransom payment to delete files is variable, ranging from $100,000 to $2,000,000.

The gang said some healthcare providers have only paid the ransom to have the data deleted and did not pay for the decryptor. It is unclear whether a ransom was paid by NSPM.

Florida Orthopaedic Institute Suffers Ransomware Attack

Tampa, FL-based Florida Orthopaedic Institute has announced it was attacked with ransomware on April 9, 2020 and patient data on its servers was encrypted. An internal investigation was conducted which revealed the personal and protected health information of patients may have been stolen prior to the encryption of files. Florida Orthopaedic Institute is unaware of any misuse of patient information as a result of the attack.

Florida Orthopaedic Institute engaged a third-party computer forensic firm to assist with the investigation and steps have been taken to restore the encrypted data and secure its systems. Affected patients have now been notified and have been offered complimentary credit monitoring, fraud consultation, and identity theft restoration services.

The types of data encrypted and potentially obtained by the attackers included names, dates of birth, Social Security numbers, medical information related to appointment times, physician locations, diagnosis codes, payment amounts, insurance plan identification numbers, payer identification numbers, claims addresses, and/or FOI claims history.

Florida Orthopaedic Institute is working with third-party experts to enhance security to prevent further cyberattacks in the future.

The breach has not yet been added to the HHS’ Office for Civil Rights breach portal so it is currently unclear how many patients have been affected.
