HIPAA Breach News

Associates in Dermatology Patients Affected by Business Associate Ransomware Attack

Posted by HIPAA Journal

Associates in Dermatology, a network of dermatology clinics in Indiana, Kentucky, and New York, has started notifying patients that some of their protected health information has been exposed in a ransomware attack on one of its business associates.

Virtual Private Network (VPN) Solutions provides electronic medical record management services to healthcare providers and Associates in Dermatology used its TouchChart software to host patient data. The ransomware attack was detected by VPN Solutions on or around October 31, 2021, and Associates in Dermatology was notified on December 22, 2021, that none of its data was accessed or stolen in the attack, but was told the forensic investigation into the attack was ongoing.

Associates in Dermatology said VPN Solutions was contacted on multiple occasions to ask how the forensic investigation was progressing and to obtain a formal report about the attack, but it took until January 17, 2023, to discover patient data had been exposed – 15 months after the breach was detected, and 2 months after VPN Solutions determined that files had been exposed.

According to the breach notice, electronic medical records were not exposed, but tag image files from a data warehouse may have been obtained in the attack. Most of those files did not contain patient data, but VPN Solutions said some of the files could be linked to patient names. Associates in Dermatology said VPN Solutions did not confirm if individually identifiable information or protected health information was contained in the files and did not provide a list of patient names.

Associates in Dermatology said its own analysis determined on March 10, 2023, that the compromised files may have contained personally identifiable information. The types of information varied from patient to patient and may have included one or more of the following data elements: first and last name, address, Social Security number, date of birth, medical condition(s)/diagnosis, treatment information, test results, health insurance policy number, subscriber identification number, health plan beneficiary number, and unique AID patient identifiers.

Associates in Dermatology said VPN Solutions has taken steps to improve security and has rebuilt its entire environment and restored all data. Associates in Dermatology performed a review of its contracts with third-party vendors and assessed their cybersecurity measures and has offered affected individuals complimentary credit monitoring and identity theft protection services.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal so it is currently unclear how many individuals have been affected.

47,000 Special Needs Student Records Exposed Online

A non-password-protected database containing the records of more than 47,000 special needs students has been exposed to the Internet and could be accessed by anyone without any authentication. The database was found by security researcher Jeremiah Fowler in mid-February, who traced the database to a company called Encore Support Services. Encore Support Services is a Brooklyn, NY-based provider of special education, behavioral health, and related services. Fowler notified Encore Support Services about the data exposure and the database has now been secured.

According to Fowler, the 6.74 GB database stored records going back to 2018 and included invoices containing student names, addresses, parent names, Open Student Information System (OSIS) numbers, service provider names, vendor information, EIN/SSN tax identification, and billing hours. The invoices also included codes for services that indicated a disability.

The data could be used for a range of nefarious purposes. For instance, Encore Support Services could be impersonated and parents contacted and asked to reveal sensitive information or pay a small charge on their credit card. Since a threat actor would have access to students’ unique OSIS numbers, case numbers, and therapy histories, the requests would be convincing.

Fowler was unable to determine how long the database had been exposed and whether it had been accessed by unauthorized individuals but suggests that the database most likely has not been exposed for long as it had not been encrypted using ransomware or deleted for extortion purposes.

The post Associates in Dermatology Patients Affected by Business Associate Ransomware Attack appeared first on HIPAA Journal.

SundaySky Cyberattack Impacts 37,000 Health Plan Members

Posted by HIPAA Journal

SundaySky, a New York-based provider of software solutions to businesses for creating marketing videos, has recently announced that unauthorized individuals gained access to servers in its cloud environment and may have obtained customer data. Unauthorized access was detected on January 8, 2023, and the forensic investigation confirmed that files were exfiltrated between January 6 and January 8, 2023. Those files contained customer-provided health plan information from December 2018 to January 2019.

SundaySky worked with the health plan provider to determine the compromised information, and the review was completed on February 20, 2023. Notifications have now been sent to the 37,095 affected individuals. The types of data compromised included first names, personal email addresses, Healthcare Savings Account (HSA) effective date and deductible, and information related to copay. SundaySky said additional technical safeguards have now been implemented for its cloud environment to prevent similar breaches in the future.

Postal Prescription Service Impermissibly Disclosed Patient Names to Kroger

Healthy Options Inc., which does business as Postal Prescription Service (PPS), has announced an impermissible disclosure of limited patient information to its affiliated grocery business. On January 10, 2023, PPS discovered that the names and email addresses of 82,466 patients had been shared with the Kroger Co. and were used to create grocery accounts for those individuals. The affected individuals had created an online PPS account between July 2014 and January 13, 2023.

PPS said the impermissible disclosure was due to an internal error and its website has since been updated to address the problem. Affected individuals have been notified by mail.

Texas Medical Liability Trust Alerts Policyholders About PHI Breach

Texas Medical Liability Trust has recently notified 625 medical insurance policyholders that some of their personally identifiable information has been exposed. Suspicious network activity was detected on or around October 12, 2022, and the investigation confirmed that unauthorized individuals had access to parts of its network between October 2, 2022, and October 13, 2022.

The review of the affected files was completed on December 12, 2022, and affected individuals were notified on January 13, 2023, by Texas Medical Liability Trust on behalf of itself and its affiliates, Texas Medical Insurance Company, Physicians Insurance Company, and Lone Star Alliance, Inc., a Risk Retention Group.

The exposed information included names, Social Security numbers, driver’s license numbers, and financial account information. Texas Medical Liability Trust said additional safeguards have been implemented and employees have received further training. Affected individuals have been offered complimentary credit monitoring services for 12 months.

The post SundaySky Cyberattack Impacts 37,000 Health Plan Members appeared first on HIPAA Journal.

FBI: Losses to Cybercrime Increased by 49% in 2022 to $10.3 Billion

Posted by HIPAA Journal

The Federal Bureau of Investigation (FBI) has published its 2022 Internet Crime Report, which shows at least $10.3 billion was lost to cybercrime in 2022, up 49% ($3.4 billion) from 2021, despite a 5% reduction in complaints (800,944). Over the past 5 years, the FBI Internet Crime Complaint Center (IC3) has received reports of losses of more than $27.6 billion across 3.26 million complaints to IC3.

FBI data show a 36% year-over-year decrease in ransomware attacks, which fell from 3,729 complaints in 2021 to 2,385 complaints in 2022. Despite this decrease, the FBI says ransomware still poses a significant threat, especially to the healthcare sector which ranked top out of 16 critical infrastructure sectors for ransomware attacks in 2022 and actually saw an increase in complaints. 210 ransomware complaints were filed with IC3 in 2022 by healthcare organizations compared to 148 in 2021. The FBI has observed an increase in double extortion tactics in ransomware attacks, where data are stolen in addition to file encryption and payment is required to obtain the decryption keys and to prevent the publication or sale of stolen data. LockBit was the most prolific ransomware actor with 149 reported attacks, ALPHV/BlackCat was second with 114 attacks, and Hive was 3rd with 87 attacks.

Several cybercriminal groups that have historically used ransomware in their attacks have switched to extortion-only attacks, involving data theft and ransom demands but no file encryption. The FBI’s data shows extortion attacks have remained flat, increasing only slightly from 39,360 complaints in 2021 to 39,416 complaints in 2022.

Phishing remains one of the most common attack vectors, although reported phishing attacks fell by 7% year over year to 300,497 incidents. Even with that decrease, phishing is still the most common crime type in terms of victim count ahead of personal data breaches with 58,859 complaints and non-payment/non-delivery with 51,679 complaints.

Business email compromise (BEC) ranked 9th out of all crime types in terms of complaints but ranked 2nd in terms of reported losses with $2,742,354,049 lost to BEC attacks in 2022. BEC attacks increased 9% year-over-year although losses to the scams were down almost 14.5%. BEC was knocked from the top spot this year by investment scams, which saw $3,311,742,206 in reported losses, up 127% from 2021. The FBI reports an unprecedented increase in crypto investment schemes in 2022 in terms of both victim count and losses.

There was a major increase in tech support scams in 2022, which rose to 3rd place in terms of losses. Tech support scam complaints increased by 36% year-over-year to 32,538 complaints and losses to these scams increased by almost 132% to $806,551,993.

The FBI stressed the importance of reporting instances of cybercrime of any type and confirmed assistance will be provided to try to recover losses. The IC3 Recovery Asset Team (RAT) has a 73% success rate in freezing funds and limiting losses and has frozen $433.30 million in funds out of $590.62 million in reported losses across 2,838 incidents.

The post FBI: Losses to Cybercrime Increased by 49% in 2022 to $10.3 Billion appeared first on HIPAA Journal.

February 2023 Healthcare Data Breach Report

Posted by HIPAA Journal

The number of healthcare data breaches reported over the past three months has remained fairly flat, with only a small uptick in breaches in February, which saw 43 data breaches of 500 or more records reported to the HHS’ Office for Civil Rights (OCR), well below the 12-month average of 57.4 reported breaches a month. An average of 41 data breaches have been reported each month over the past 3 months, compared to an average of 50.6 breaches per month for the corresponding period last year.

February 2023 Healthcare Data Breach Report - Records breached

The downward trend in breached records did not last long. There was a sizeable month-over-month increase in breached records, jumping by 418.7% to 5,520,291 records. February was well above the monthly average of 4,472,186 breached records a month, with the high total largely due to a single breach that affected more than 3.3 million individuals.

February 2023 Healthcare Data Breach Report - Records Breached

 

Largest Healthcare Data Breaches Reported in February 2023

17 healthcare data breaches of 10,000 or more records were reported in February, all of which were hacking incidents. The largest data breach affected 3,300,638 patients of 4 medical groups in California that are part of the Heritage Provider Network – Regal Medical Group, Inc.; Lakeside Medical Organization, A Medical Group, Inc.; ADOC Acquisition Co., A Medical Group Inc.; & Greater Covina Medical Group, Inc. This was a ransomware attack with confirmed data theft and was, at the time of reporting, the largest data healthcare data breach of the year. That record did not stand for long, as a 4.4 million-record breach was reported this month (Independent Living Systems).

Hacking incidents were reported by CentraState Healthcare System in New York (617,901 records), Cardiovascular Associates in Alabama (441,640 records), and the Florida-based revenue cycle management company, Revenetics (250,918 records), all of which saw sensitive data exfiltrated. It is unclear whether these incidents were ransomware or extortion attacks. An email account breach at Highmark Inc. rounds out the top five. That incident was reported to the HHS’ Office for Civil Rights as two separate breaches, affecting 239,039 and 36,600 individuals -275,639 in total. The breach occurred as a result of an employee clicking a link in a phishing email.

The full list of 10,000+ record data breaches and their causes are detailed in the table below.

Name of Covered Entity State Covered Entity Type Individuals Affected Business Associate Present
Regal Medical Group, Inc., Lakeside Medical Organization, A Medical Group, Inc., ADOC Acquisition Co., A Medical Group Inc. & Greater Covina Medical Group, Inc. CA Healthcare Provider 3,300,638 Ransomware attack (data theft confirmed)
CentraState Healthcare System, Inc. NJ Healthcare Provider 617,901 Hacking incident (data theft confirmed)
Cardiovascular Associates AL Healthcare Provider 441,640 Hacking incident (data theft confirmed)
Reventics, LLC FL Business Associate 250,918 Hacking incident (data theft confirmed)
Highmark Inc PA Health Plan 239,039 Phishing attack
90 Degree Benefits, Inc. WI Business Associate 175,000 Hacking incident
Hutchinson Clinic, P.A. KS Healthcare Provider 100,000 Hacking incident
Lawrence General Hospital MA Healthcare Provider 76,571 Hacking incident
Sharp Healthcare CA Healthcare Provider 62,777 Hacked web server (data theft confirmed)
Rise Interactive Media & Analytics, LLC IL Business Associate 54,509 Hacking incident
Highmark Inc PA Business Associate 36,600 Phishing attack
Teijin Automotive Technologies Welfare Plan MI Health Plan 25,464 Ransomware attack – Access gained through phishing
Evergreen Treatment Services WA Healthcare Provider 21,325 Hacking incident
Aloha Nursing Rehab Centre HI Healthcare Provider 20,216 Hacking incident (data theft confirmed)
NR Pennsylvania Associates, LLC PA Healthcare Provider 14,335 Hacking incident (data theft confirmed)
Intelligent Business Solutions NC Business Associate 11,595 Ransomware attack
Arizona Health Advantage, Inc. dba Arizona Priority Care; AZPC Clinics, LLC; and health plans for which APC has executed a BAA AZ Healthcare Provider 10,978 Ransomware attack

Causes of Healthcare Data Breaches in February 2023

Hacking and other IT incidents dominated the breach reports in February with 33 such incidents reported, accounting for 76.7% of all breaches reported in February. Across those incidents, the records of 5,497,797 individuals were exposed or stolen – 99.59% of the breached records in February. The average breach size was 166,600 records and the median breach size was 10,978 records.

There were 8 unauthorized access/disclosure incidents reported involving a total of 13,950 records. The average breach size was 1,744 records and the median breach size was 689 records. One of the incidents – reported by Asante – involved a physician accessing the records of patients when there was no treatment relationship. The unauthorized access occurred for 9 years before it was detected, during which time the records of 8,834 patients were impermissibly viewed. Incidents such as this show why it is important to maintain logs of medical record access and to review those logs regularly, ideally automating the process using a monitoring and alerting system.

February 2023 Healthcare Data Breach Report - Causes

One theft incident was reported involving a portable electronic device containing the PHI of 986 patients and one incident involved the improper disposal of paper records that contained the PHI of 7,558 patients.

February 2023 Healthcare Data Breach Report - Location PHI

What HIPAA-Regulated Entities were Affected?

Healthcare providers were the worst affected HIPAA-regulated entity in February, with 31 data breaches of 500 or more records. Seven data breaches were reported by business associates and five were reported by health plans. When data breaches involve business associates, they are often reported by the covered entity. In February, 6 data breaches involved business associates but were reported by the affected healthcare providers and health plans. The two charts are based on where the breach occurred rather than who reported it.

February 2023 Healthcare Data Breach Report - Reporting Entities

The average healthcare provider breach exposed 178,046 records (median: 3,061 records), the average health plan data breach exposed 67,236 records (median: 3,909 records), and the average business associate data breach involved 47,859 records (median: 8,500 records).

February 2023 Healthcare Data Breach Report - records by reporting entity

Where Did the Breaches Occur?

Data breaches were reported by HIPAA-covered entities and business associates in 28 states, with California being the worst affected state with 4 breaches reported in February.

State Breaches
California 4
Pennsylvania & Texas 3
Arizona, Illinois, Kansas, Massachusetts, New Jersey, Oregon, Virginia & Washington 2
Alabama, Colorado, Connecticut, Florida, Georgia, Hawaii, Iowa, Maryland, Michigan, New Hampshire, New Mexico, North Carolina, Rhode Island, Tennessee, Utah, Wisconsin & Wyoming 1

HIPAA Enforcement Activity in February 2023

The HHS’ Office for Civil Rights announced one enforcement action in February to resolve alleged violations of the HIPAA Rules. OCR investigated Banner Health over a 2016 breach of the protected health information of 2.81 million individuals and identified multiple potential HIPAA violations related to risk analyses, system activity reviews, verification of identity for access to PHI, and technical safeguards. Banner Health agreed to settle the case and paid a $1,125,000 financial penalty.

DNA Diagnostics Center was investigated by the Attorneys General in Pennsylvania and Ohio after a reported breach of the personal and health information of 45,600 state residents. The investigation determined there was a lack of safeguards, a failure to update its asset inventory, and a failure to disable or remove assets that were not used for business purposes. While these failures would have been HIPAA violations, the settlement resolved violations of state laws. DNA Diagnostics Center paid a financial penalty of $400,000, which was split equally between the two states.

In February, the Federal Trade Commission (FTC) announced its first-ever settlement to resolve a violation of the FTC Health Breach Notification Rule. While the Rule has been in effect for a decade, the FTC has never enforced it. That has now changed. The FTC stated last year that it would be holding non-HIPAA-covered entities accountable for impermissible disclosures of health information and breach notification failures. GoodRx Holdings Inc. was found to have used tracking technologies on its website that resulted in unauthorized disclosures of personal and health information to Facebook, Google, and other third parties and failed to issue notifications to affected individuals. The allegations were settled and GoodRx paid a $1,500,000 financial penalty.

The post February 2023 Healthcare Data Breach Report appeared first on HIPAA Journal.

Alabama Healthcare Provider Announces 441,000-Record Data Breach

Posted by HIPAA Journal

The Birmingham, AL, Heart Hospital, Cardiovascular Associates, has recently announced that unauthorized individuals gained access to certain parts of its network between November 28, 2022, and December 5, 2022, and removed files containing patient information. The breach was detected on December 5, 2022, and immediate action was taken to contain the breach and prevent further unauthorized access. A leading digital forensics firm was engaged to investigate the breach and confirmed data theft had occurred.

The review of the affected files revealed they contained the following types of information: Full names, birth dates, addresses, Social Security numbers, health insurance information, medical record numbers, dates of service, provider/facility names, visit/procedure/diagnosis information, medical tests results and images, billing and claims information, passport numbers, driver’s license numbers, credit/ debit card information, and financial account information. The types of data compromised varied from patient to patient and the usernames and passwords of a limited number of patients were also compromised.

Cardiovascular Associates has strengthened system security to prevent similar breaches in the future and its security and monitoring capabilities have been enhanced. Individuals whose Social Security number, credit card/debit card information, financial account information, passport or driver’s license number was compromised have been offered free credit monitoring and identity restoration services.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal but has been reported to the Maine Attorney General as affecting 441,640 individuals.

Great Neck/Mid Island Dental Reports Third-Party Data Breach

Richard T. Miller, DMD, PC, doing business as Great Neck/Mid Island Dental, has recently announced via his legal counsel that the protected health information of 22,933 individuals may have been accessed by unauthorized individuals. The data breach occurred at a law firm that helped Great Neck Dental acquire the assets of another dental practice in 2015. Cooperman Lester Miller Carus LLP (CLMC), assisted the seller with the acquisition and was provided with information as part of the business transaction, which included patient information. Great Neck Dental was notified on October 7, 2022, that an unauthorized individual had gained access to the email account of a CLMC partner between March 27, 2022, and June 1, 2022. The email account contained patient names, dates of birth, Social Security numbers, and dental insurance information.

Richard T. Miller said Great Neck/Mid Island Dental systems were unaffected and no reports of data misuse have been detected; however, as a precaution, affected individuals have been offered complimentary identity protection services.

Multnomah County Health Department Says Records of 2,000 Clients Potentially Accessed in Break-in

The Multnomah County Health Department in Oregon has confirmed that the personal information of approximately 2,000 individuals has potentially been accessed in a break-in at the Multnomah County Health Department headquarters. The break-in occurred over the weekend of February 17/18, 2023, and was discovered on February 21 due to the President’s Day holiday.

A county laptop computer and a new client cell phone were stolen and the perpetrator also entered an area where paper records were stored that contained client information. The suspected perpetrator was arrested last week by law enforcement. All affected clients and employees have been notified by mail if they were affected.

The post Alabama Healthcare Provider Announces 441,000-Record Data Breach appeared first on HIPAA Journal.

UC San Diego Health Announces Impermissible Disclosure of Patient Data Due to Website Analytics Code

Posted by HIPAA Journal

University of California (UC) San Diego Health is the latest healthcare organization to start notifying patients that some of their protected health information has been impermissibly disclosed to third parties due to the use of website tracking technologies. UC San Diego Health said the analytics code was added to its scheduling websites by one of its business associates, Solv Health, without authorization from UC San Diego Health. UC San Diego Health contracted with Solv Health to provide website hosting and management services.

The analytics code captured limited data of visitors to the scheduling websites who booked in-person or telehealth appointments. The captured information was then impermissibly disclosed to the third parties that provided the code. UC San Diego Health did not state in its breach notifications who the third parties were but said they received first and last names, birth dates, email addresses, IP addresses, third-party cookies, reasons for the appointments, and insurance type (e.g., PPO, HMO, Other).

UC San Diego Health confirmed that Social Security numbers, medical record numbers, financial account numbers, and debit and credit card information were not disclosed and the analytics code was not used on its electronic health record or MyUCSDChart systems, so no information within those systems was disclosed. UC San Diego Health said notification letters started to be mailed to affected individuals on March 20, 2023. Those individuals had used the scheduling websites for its Express Care (La Jolla) or Urgent Care locations (Downtown San Diego, Encinitas, Eastlake/Chula Vista, Pacific Highlands Ranch, & Rancho Bernardo).

When the analytics code was discovered in December 2022, UC San Diego Health directed Solv Health to immediately remove the code from the scheduling websites and worked with Solv Health to determine who had been affected. UC San Diego Health is now using a new online scheduling tool and has enhanced its vendor assessment and management procedures.

The incident has been reported to the HHS’ Office for Civil Rights and local media outlets; however, it is currently unclear how many individuals have been affected. This post will be updated when that information is made public.

The post UC San Diego Health Announces Impermissible Disclosure of Patient Data Due to Website Analytics Code appeared first on HIPAA Journal.

Employee of Beacon Health System Impermissibly Accessed 3,100 Patients Records

Posted by HIPAA Journal

South Bend, IN-based Beacon Health System (BHS) says the medical records of 3,117 patients have been accessed by an employee when there was no legitimate work reason for viewing the records. The unauthorized activity was detected on or around January 10, 2023, prompting an investigation to determine the extent of the privacy violation.

BHS said the employee’s work duties were related to patient registrations, verification of benefits, and patient placements within the hospital. As such, security privileges allowed access to clinical documentation in medical records, as access to clinical information was occasionally necessary. The investigation confirmed on February 20, 2023, that the medical record access was unrelated to the employee’s work duties, with the period of access spanning from November 18, 2018, to February 24, 2023.

The information accessed included names, addresses, birth dates, Social Security numbers, and clinical information such as diagnoses, emergency care treatment information, labs and diagnostic testing, operative and anesthesia documentation, ancillary clinical documentation, and medical histories. BHS said notification letters are being sent to affected individuals and confirmed that the employee no longer works at BHS.

California Secretary of State Confirmed Impermissible Disclosure of Historical Health Records

The California Secretary of State has recently confirmed there has been an impermissible disclosure of historic records. A researcher has requested records from the state’s sterilization program, which are public when they are older than 75 years; however, the records provided to the researcher included data from 1948 to 1952. The records were provided on December 19 and December 22, with the former provided on-site and the latter by secure digital transfer.

The researcher notified the California Secretary of State about the error on December 23, 2022. The disclosure was due to a mislabeled data range. The researcher confirmed the records had not been viewed in detail and have since been deleted from the researcher’s computer. The records included personally identifiable information such as names, family member names, dates of birth, familial medical histories, and medical information such as diagnoses, operation dates, sterilization dates, and other medical information. The California Secretary of State arranged a review of the records and redacted the records from the microfilm.

Sensitive PHI Exposed at Baltimore Occupational Health Service Provider

Boxes of files containing sensitive patient information have been discovered outside Occupational Medical Services in Baltimore, MD. Occupational Medical Services provides drug and alcohol testing and care in worker compensation cases. The boxes had been opened by some members of the public and were found to contain names, contact information, health information, and Social Security numbers.

According to FOX45 reporters, who contacted company owner Joyce Phillips, the files came from a medical facility that had closed down and were due to be collected and shredded. 200 boxes of files had been moved outside where they had remained for a day awaiting collection.

The post Employee of Beacon Health System Impermissibly Accessed 3,100 Patients Records appeared first on HIPAA Journal.

Three Healthcare Providers Report Phishing Attacks

Posted by HIPAA Journal

Livonia, MI-based Trinity Health has confirmed that an unauthorized individual gained access to an employee email account and potentially viewed or obtained patient information. Suspicious account activity was detected in the employee’s email account on January 5, 2023. The investigation confirmed unauthorized access to the email account occurred between December 16, 2022, and December 18, 2022.

A review of the contents of the account was completed on February 14, 2023. The types of information in the account varied from patient to patient and may have included names, medical record numbers, patient ID numbers, encounter numbers, location(s) of service, provider names and specialties, procedure name(s), insurance name/type, billing balances, and dates of birth. A limited number of individuals had their address, phone number, email address, and prescription information exposed.

Trinity Health changed the account password to prevent further unauthorized access and has reviewed its policies and procedures. Due to the nature of the exposed information, Trinity Health believes the potential for misuse is low; however, affected individuals have been offered a complimentary 12-month membership to a credit monitoring and identity theft protection service.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many patients have been affected.

Beaver Medical Group Patients Affected by Email-Related Breach

Beaver Medical Group and Epic Management in California, part of the Optum Group, have started notifying certain patients that an employee’s workstation has been compromised as a result of a response to a phishing email. The email account was accessed for a limited period of time, but during that window of opportunity, emails may have been viewed or copied. The forensic investigation concluded on February 3, 2023, that the exposed information included names, member ID numbers, health plan information, and premium payment amounts.

Beaver and Epic have confirmed that security controls have been enhanced on their servers to prevent similar breaches in the future and monitoring has been enhanced. The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many patients have been affected.

AllCare Plus Pharmacy Reports Summer 2022 Phishing Attack

AllCare Plus Pharmacy in Northborough, MA, has recently reported a phishing attack to the Maine Attorney General that has affected 5,971 patients. On June 21, 2022, AllCare Plus Pharmacy identified a phishing campaign targeting multiple employees. Prompt action was taken to remove the phishing emails from its email systems and prevent unauthorized account access; however, several employee accounts were accessed by unauthorized individuals.

While no evidence of misuse of patient data has been identified, it should be assumed that protected health information was accessed or obtained. The review of the affected accounts confirmed they contained names, addresses, birth dates, Social Security numbers, driver’s license and other ID numbers, financial information, and limited health and health insurance information related to treatment and prescriptions.

AllCare Plus Pharmacy said additional security measures, internal controls, and safeguards have been implemented, and affected individuals have been offered 24 months of credit monitoring services.

The post Three Healthcare Providers Report Phishing Attacks appeared first on HIPAA Journal.

Protected Health Information Exposed in 5 Recent Hacking Incidents

Posted by HIPAA Journal

Florida Medical Clinic, NorthStar Emergency Medical Services, Denver Public Schools, Wichita Urology Group, and The Bone & Joint Clinic have recently reported hacking incidents and the exposure and potential theft of protected health information.

Florida Medical Clinic

Florida Medical Clinic has recently announced that it was the victim of a ransomware attack. The attack was detected on January 9, 2023, and prompt action was taken to contain the attack, which limited data exposure, although files were encrypted. The third-party forensic investigation confirmed the attacker accessed files that contained patients’ protected health information; however, its electronic medical record system was not affected.

In a refreshingly detailed breach notice, Florida Medical Clinic explained that 94,132 files had been exposed, each of which only contained limited patient information. 95% of the compromised files only included an individual’s name. The remaining files included names, phone numbers, email addresses, birth dates, and addresses. No financial information was compromised, and only 115 Social Security numbers were exposed.

Florida Medical Clinic said evidence was obtained of all stolen files being permanently deleted, which indicates the ransom was paid. No evidence of misuse of patient data has been uncovered. All affected patients have been notified and additional cybersecurity measures have been implemented to prevent further attacks, including replacing certain system components and changing remote access protocols.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many patients have been affected.

NorthStar Emergency Medical Services

Tuscaloosa, AL-based NorthStar Emergency Medical Services has recently reported a data breach that has affected up to 82,450 patients. According to the notice sent to the Maine Attorney General, suspicious activity was detected within its computer network on September 16, 2022; however, it took until March 8, 2023, to determine that patient data had been exposed. The breach notice did not state when the attackers first gained access to its network.

The affected files contained information such as names, Social Security numbers, birth dates, patient ID numbers, treatment information, Medicare/Medicaid numbers, and health insurance information. Notification letters were sent to affected individuals on March 14, 2023. Complimentary credit monitoring and identity theft protection services have been offered to affected individuals and steps have been taken to harden security.

Denver Public Schools

Denver Public Schools has recently announced that unauthorized individuals gained access to some of its servers and exfiltrated files that contained sensitive employee data. Data theft was discovered on January 4, 2023, and the forensic investigation confirmed unauthorized individuals had access to its network between December 13, 2022, and January 13, 2023.

The document review revealed the affected files included names, Social Security numbers, fingerprints (if on file), bank account numbers/pay card numbers, student ID numbers, driver’s license numbers, passport numbers, and some health plan enrollment information. The breach was reported to the HHS’ Office for Civil Rights as involving the protected health information of 35,068 current and former participants in its employer-sponsored health plan. It is unclear how many students were affected by the data breach. Denver Public Schools said additional security measures have been implemented to prevent similar breaches in the future. Credit monitoring and identity theft protection services are being offered to affected individuals.

The Bone & Joint Clinic in Wisconsin

The Bone & Joint Clinic, which operates 7 clinics in Wisconsin, has recently notified current and former employees and patients about a cyberattack that was detected on January 16, 2023, which caused network disruption. According to the notification letters, unauthorized individuals potentially accessed and acquired files containing information such as names, addresses, phone numbers, birth dates, Social Security numbers, health insurance information, and diagnosis and treatment information.

Affected individuals were notified on March 7, 2023, and offered 12 months of complimentary credit monitoring and identity theft protection services. The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many patients have been affected.

Wichita Urology Group

Wichita Urology Group in Kansas has recently notified 1,493 individuals that unauthorized individuals gained access to its network and potentially viewed or obtained files containing names, prescription information, billing information, and health insurance information.

Suspicious activity was detected within its network on January 3, 2023, with the forensic investigation confirming the intrusion occurred on January 2. The forensic investigation confirmed on January 26, 2023, that protected health information had been exposed; however, there has been no detected misuse of patient data. Technical security measures have been enhanced to prevent further attacks.

The post Protected Health Information Exposed in 5 Recent Hacking Incidents appeared first on HIPAA Journal.