HIPAA Breach News

UF Health Says PHI Potentially Compromised in May 2021 Cyberattack

On May 31, 2021, UF Health Central Florida experienced a cyberattack that affected Leesburg Hospital and The Villages Hospital. The security breach was announced by UF Health within a few hours of the attack being detected, although at the time it was unclear whether any patient data had been compromised in the incident.

An investigation into the breach was conducted which determined the attackers had access to its computer network between May 29 and May 31, 2021, and while unauthorized access to patient data was not confirmed, UF Health has now reported that some patient data may have been accessible. The exposed data included names, addresses, dates of birth, Social Security numbers, health insurance information, medical record numbers and patient account numbers, and limited treatment information.

UF Health said its electronic medical records were not involved or accessed, and the breach did not affect its Gainesville or Jacksonville campuses. UF Health said it has no reason to believe any exposed data has been misused or disclosed; however, as a precaution against identity theft and fraud, affected individuals are being offered complimentary credit monitoring and identity theft protection services. UF Health said it is taking steps to prevent further attacks, including enhancing the security of its electronic systems and improving protections for sensitive data.

UF Health has not publicly disclosed whether the cyberattack involved ransomware, although some local media outlets have reported ransomware was involved and the attackers demanded a $5 million ransom.

Eskenazi Health Reports Attempted Ransomware Attack

Indianapolis, IN-based Eskenazi Health is dealing with an attempted ransomware attack. The attack occurred in the early hours of August 4, 2021, but Eskenazi Health said its monitoring systems functioned as they should and it proactively shut down its network to contain the attack.

Eskenazi Health switched to emergency procedures and the decision was taken to divert ambulances to other facilities to ensure patient safety. Eskenazi Health is currently working to bring its systems back online. At this stage its monitoring systems suggest patient and employee data were not compromised in the attack.

Sanford Health Victim of Cyberattack

Sioux Falls, SD-based Sanford Health says it was the victim of an August 3, 2021 cyberattack which it is working to resolve. Sanford President and CEO Bill Gassen confirmed its IT team took aggressive measures in response to the attempted cyberattack, that everything is being done to minimize disruption, and that providing exceptional care to patients remains its number one priority.

No further details have been released about the exact nature of the incident, but at this stage it does not appear that the information of patients, residents, or employees has been compromised. Leading IT security experts have been engaged and are assisting with the breach response and investigation and further information will be released as and when it becomes available.

The post UF Health Says PHI Potentially Compromised in May 2021 Cyberattack appeared first on HIPAA Journal.

73% of Businesses Suffered a Data Breach Linked to a Phishing Attack in the Past 12 Months

Ransomware attacks have increased significantly during the past year, but phishing attacks continue to cause problems for businesses, according to a recent survey conducted by Arlington Research on behalf of security firm Egress. Almost three quarters (73%) of surveyed businesses said they had experienced a phishing-related data breach in the past 12 months.

The survey for the 2021 Insider Data Breach Report was conducted on 500 IT leaders and 3,000 employees in the United States and United Kingdom. The survey revealed 74% of organizations had experienced a data breach as a result of employees breaking the rules, a problem that has not been helped by the pandemic, during which many employees have been working remotely. More than half (53%) of IT leaders said remote work had increased risk, with 53% reporting an increase in phishing incidents in the past year.

The increased risk from remote working is of concern, especially as many organizations plan to continue to support remote working or adopt a hybrid working model in the future. 50% of IT leaders believe remote/hybrid working will make it harder to prevent data breaches from malicious email attacks. There appears to be a disconnect, as only 61% of employees believe they are less likely or equally likely to cause a data breach when working from home.

Phishing attacks are naturally bad for organizations but there is also a human cost. In 23% of organizations, employees who fell for a phishing email that resulted in a data breach were either fired or voluntarily left after the incident.

“Organizations are being bombarded by sophisticated phishing attacks. Hackers are crafting highly targeted campaigns that use clever social engineering tricks to gain access to organizations’ most sensitive data, as well as leapfrog into their supply chain. Phishing is also the most common entry point for ransomware, with potentially devastating consequences,” said Egress VP of Threat Intelligence Jack Chapman. “Remote working has also made employees even more vulnerable. With many organizations planning for a remote or hybrid future, phishing is a risk that must remain central to any security team’s plans for securing their workforce.”

The survey revealed an astonishing 94% of businesses had experienced an insider data breach in the past year. 84% of IT leaders said human error was the leading cause of insider breaches, although 28% said malicious insider breaches were their biggest fear.

89% of insider incidents had repercussions for the employees in question; however, an overwhelming majority (97%) of employees said they would report a breach they had caused, which is reassuring considering 55% of IT leaders said they rely on employees to alert them to security incidents.


Healthcare Industry has Highest Number of Reported Data Breaches in 2021

Data breaches declined by 24% globally in the first 6 months of 2021, although breaches in the United States increased by 1.5% in that period, according to the 2021 Mid-Year Data Breach QuickView Report from Risk Based Security.

Risk Based Security identified 1,767 publicly reported breaches between January 1, 2021 and June 30, 2021. Across those breaches, 18.8 billion records were exposed, which represents a 32% decline from the first 6 months of 2020 when 27.8 billion records were exposed. 85% of the exposed records in the first half of 2021 occurred in just one breach at the Forex trading service FBS Markets.

The report confirms the healthcare industry continues to be targeted by cyber threat actors, with the industry having reported more data breaches than any other industry sector this year. Healthcare has been the most targeted industry or has been close to the top since at least 2017 and it does not appear that trend will be reversed any time soon. 238 healthcare data breaches were reported in the first 6 months of 2021, with finance & insurance the next most attacked sector with 194 reported incidents, followed by information with 180 data breaches.

The report shows there have been significant shifts in data breach trends in 2021. While data breaches have declined globally and have remained fairly constant in the United States, there has been a marked increase in ransomware attacks. Risk Based Security recorded 352 ransomware attacks in the first 6 months of 2021 and, if that pace continues, the number of attacks will be significantly higher than 2020.

Ransomware attacks are extremely costly in healthcare due to the long period of downtime, and without access to medical records patient safety is put at risk. This is of course known to ransomware gangs. The reliance on access to data and the high cost of downtime increases the probability of the ransom being paid.

In 2020, data breaches started to take longer to be reported and that trend has continued in 2021. This is in part due to the increase in ransomware attacks, which can take longer to investigate, but even taking that into account there were many cases when breach notifications took an unusually long time to be issued and that has started to attract attention from regulators.

“Ransomware attacks continue at an alarming pace, inflicting serious damage on the victim organizations that rely on their services,” said Inga Goddijn, Executive Vice President at Risk Based Security. “The slow pace of reporting brought on by lengthy incident investigations has not improved and attackers continue to find new opportunities to take advantage of changing circumstances.”

The majority of reported breaches (67.97%) were hacking incidents, with only 100 (5.66%) due to viruses, and just 45 email incidents (2.55%). There were 76 web breaches reported (4.30%); however, they resulted in the highest number of records being breached.

Data breaches that exposed access credentials such as email addresses and passwords have remained consistent with other years, with email addresses exposed in 40% of breaches and passwords in 33%. The majority of reported breaches in 2021 were the result of external threat actors (78.66%), with 13.75% caused by insiders. Out of the confirmed insider breaches, the majority were accidental (58.85%), with 18.52% caused by malicious insiders.

Risk Based Security also notes that breach severity is increasing. Large numbers of data breaches have been reported in 2021 that involved sensitive data, which is a particularly worrying trend.


Phishing Attacks Reported by Academic HealthPlans and Wayne County Hospital

Academic HealthPlans, Inc. (AHP) has discovered an unauthorized individual has gained access to the email accounts of two employees following responses to phishing emails.

AHP was alerted to a potential breach when suspicious activity was detected in its Microsoft Office 365 email environment. The affected accounts were secured, and an investigation was launched to determine the extent of the breach. On June 4, 2021, AHP determined that the email accounts were compromised as a result of phishing attacks between August 6, 2020 and August 24, 2020, and on October 2, 2020. The breach was limited to those two accounts and did not involve any other systems.

A comprehensive and time-consuming programmatic and manual review was conducted to identify the individuals and information affected. That review confirmed that the email accounts contained information related to the student health plans AHP administers.

The exposed data include student names, dates of birth, Social Security numbers, health insurance member numbers, claims information, and diagnoses and treatment information. No evidence was found that suggested any emails or attachments in the accounts were actually viewed.

Affected health plans and self-insured universities were notified between June 21, 2021 and July 7, 2021, and AHP started sending notification letters to affected individuals on June 29, 2021. AHP has offered eligible individuals complimentary credit monitoring and identity theft protection services.

Extensive training has been provided to employees to help them identify phishing emails and other threats and existing security measures have been enhanced.

The breach has been reported to the HHS’ Office for Civil Rights as affecting 2,330 individuals.

Wayne County Hospital in Iowa Notifies 2,016 Patients About Phishing Attack

Wayne County Hospital in Corydon, IA is alerting 2,016 patients about the potential theft of some of their protected health information. On March 22, 2021, the hospital became aware of a breach of its email environment. Email accounts were immediately secured to prevent further unauthorized access and a third-party cybersecurity company was engaged to investigate the breach and determine the extent of the attack.

The investigation revealed unauthorized individuals had gained access to email accounts as a result of employees responding to phishing emails. The compromised email accounts contained names, addresses, Social Security numbers, driver’s license numbers, financial account information, treatment or procedure information, medical provider or facility names, diagnoses, medications, medical record numbers, insurance information, and dates of service. There have been no reports of misuse of patient data to date.

Wayne County Hospital said appropriate steps will be taken to prevent similar breaches in the future.


Multiple Healthcare Providers Affected by Breach at Vendor Used by Billing and Collection Company

This month, Ventura, CA-based Community Memorial Health System, Ithaca, NY-based Cayuga Medical Center, and Allentown, PA-based Lehigh Valley Health Network have announced that the protected health information of some of their patients has been potentially compromised in a cyberattack that affected one of their vendors.

The three healthcare providers used Guidehouse for medical billing and collection services. On January 20, 2021, hackers gained access to the Accellion File Transfer Appliance (FTA) used by Guidehouse for transferring files to clients. For patients of Community Memorial Health System, the files included sensitive patient information such as names, dates of birth, member IDs, addresses, and certain medical information. For Cayuga Medical Center patients, names, dates of birth, insurance account numbers, and certain medical information were potentially compromised. For Lehigh Valley Health Network, the potentially compromised data include names, medical record numbers, account numbers, dates of service, diagnosis and procedure names, billing or payer information, and provider names.

Guidehouse was notified about the cyberattack by Accellion in March 2021 and immediately stopped using the FTA service. Leading cybersecurity experts were engaged to assist with the investigation and breach response, and affected customers were notified about the breach on May 21, 2021.

Guidehouse sent breach notification letters to affected individuals on July 16, 2021. The delay in issuing notifications was due to the time it took to identify the individuals affected and to confirm contact details.

While certain data were obtained by the hackers in the attack, Guidehouse said it is unaware of any cases of misuse of the stolen data. However, as a precaution against identity theft and fraud, affected individuals have been offered a complimentary membership to the Experian IdentityWorks credit monitoring service for 24 months.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is unclear how many patients of the three healthcare providers have been affected.

Several other healthcare organizations in the United States have been affected by the Accellion FTA cyberattack, including Kroger Pharmacy, Trillium Health Plan, Health Net, Trinity Health, Arizona Complete Health, Centene Corp, and Stanford Medicine.


Email Account Breaches Reported by Prestera Center and Wisconsin Institute of Urology

Prestera Mental Health Center in West Virginia has started notifying 2,152 individuals about a security breach involving employee email accounts. On or around April 1, 2021, Prestera Center learned that certain employee email accounts had been subjected to unauthorized access between August 2020 and September 2020.

While it was possible to confirm that there had been unauthorized access, it was not possible to tell whether any patient data had been viewed or acquired.

A review was conducted to determine the types of information that were present in the email accounts and which individuals had been affected. The types of data in the account varied from individual to individual and may have included names, addresses, dates of birth, state identification card numbers, Social Security numbers, financial account information, medical information, and health insurance information.

Upon discovery of the breach, prompt action was taken to secure the accounts to prevent any further unauthorized access. Policies and procedures have since been reviewed and updated, and additional safeguards have been implemented to improve email security.

Notification letters have been sent to affected individuals and a complimentary membership to the TransUnion Interactive MyTrueIdentity credit monitoring service has been offered.

This is the second email account breach Prestera Center has reported in the past few months. On December 31, 2020, Prestera Center reported an email account breach involving patient names, dates of birth, medical record and/or patient account numbers, diagnostic information, healthcare provider information, prescription and/or treatment information and, in some instances, addresses, Social Security numbers, and Medicare/Medicaid ID numbers. It is unclear if these two incidents are related.

Wisconsin Institute of Urology Says PHI Potentially Compromised in Email Security Incident

Wisconsin Institute of Urology (WIU) has discovered the email account of an employee has been accessed by an unauthorized individual. WIU was alerted to the breach on or around May 26, 2021 when suspicious activity was detected in the email account. The account was immediately secured by changing the password and an investigation was launched to determine the nature and extent of the breach.

It was confirmed on June 9, 2021 that an unauthorized individual had used the employee’s credentials to access the account; however, no reports have been received about any cases of misuse of patient data.

A time intensive review was conducted to identify all individuals whose protected health information was contained in emails and email attachments. That review revealed the email account contained PHI such as names, dates of birth, medical treatment and/or medical diagnosis information, health insurance information and, for a limited number of individuals, Social Security numbers.

It is currently unclear how many individuals have been affected. This post will be updated as and when further information is made available.


Star Refining & Express MRI Report Phishing Attacks

The Peachtree Corners, GA-based medical imaging center, Express MRI, has started notifying patients that some of their protected health information has been exposed in a historic data breach. Express MRI discovered on July 10, 2020 that an unauthorized individual had gained access to one of its email accounts and used that account to send unauthorized emails. The incident was investigated at the time, but it was determined that no patient information had been accessed.

A secondary review of the security breach was conducted on June 10, 2021. While no specific evidence was uncovered that indicated there had been unauthorized data access or data theft, Express MRI concluded that unauthorized data access or exfiltration could not be totally ruled out, and that breach notification letters were therefore warranted.

A review of the compromised account confirmed the following information may have been accessed or acquired: Names, addresses, email addresses, dates of birth, patient ages, referring physician names, body part scanned, and whether the scan was related to a workers’ compensation claim or motor vehicle accident investigation. No other patient data were present in the compromised email accounts.

Express MRI said it took, “significant and immediate steps” to respond to the incident, including assembling a team of highly qualified experts to reinforce the security of its information systems and implement additional safeguards to prevent further breaches.

Star Refining Phishing Attack Affects 1,910 Individuals

Adelda Health, Inc. dba Star Refining, has discovered the personal information of 1,910 individuals has potentially been viewed or obtained by unauthorized individuals who gained access to the email accounts of several of its employees following responses to phishing emails.

The breach was detected by the West Palm Beach, FL-based dental refining company on April 29, 2021 and a third-party computer forensics firm was engaged to ensure the incident was fully remediated and to determine the nature and scope of the breach.

A review of the compromised email accounts revealed they contained sensitive data such as first and last names, mailing addresses, driver’s license numbers, Social Security numbers, and credit card/financial information; however, no evidence was found that indicated emails containing that information were viewed or acquired during the time the accounts were accessible. The first of the accounts was discovered to have been accessed on April 12, 2021.

Notifications started to be sent to affected individuals on July 22, 2021. Complimentary Experian IdentityWorks credit monitoring and identity theft protection services have been offered to affected individuals.


Harris County, TX: PHI of 26,000 Individuals Exposed Online

Harris County in Texas has discovered the personal and health information of thousands of individuals has been exposed online and was potentially accessed by unauthorized individuals.

Under Harris County’s legally required reporting obligations, information is provided to the Harris County Justice Administration Department which includes System Person Numbers, which are unique identifiers that are assigned to individuals by the Harris County jail system. In addition to those numbers, some limited health information is provided related to the medical care individuals received at the County’s Jail Clinic, which includes health histories, diagnoses, and/or prescription information.

The inadvertent disclosure of sensitive information was discovered by Harris County officials on July 9, 2021. Harris County determined that between March 15, 2021 and May 22, 2021, the above types of information were inadvertently made available on the Justice Administration Department’s website.

No names were included, nor any Social Security numbers or financial account information, but since unique identifiers were included, it may have been possible for individuals to be identified. During the course of the investigation, no evidence was found to indicate the exposed information was accessed or downloaded by unauthorized individuals, and no reports have been received that suggest any information has been misused.

Harris County is encouraging all affected individuals to review any statements they receive from their healthcare providers and to check them carefully and report any instances where healthcare services are listed that they have not received.

The investigation is ongoing, and a helpline has been set up for affected individuals to receive further information (1-855-545-2039). Harris County is also taking steps to enhance existing processes to prevent similar breaches in the future.

The breach has been reported to the Department of Health and Human Services’ Office for Civil Rights as affecting 26,000 individuals.


More Than 447K Patients Affected by Phishing Attack on Orlando Family Physicians

Email accounts containing the protected health information of 447,426 patients of Orlando Family Physicians in Florida have been accessed by an unauthorized individual.

Orlando Family Physicians said the first email account was compromised on April 15, 2021 as a result of an employee responding to a phishing email and disclosing their account credentials. Action was promptly taken to block unauthorized access, and an investigation was launched to determine the nature and extent of the breach.

Assisted by a leading cybersecurity forensics firm, Orlando Family Physicians determined that an additional three employee email accounts had also been subjected to unauthorized access. All four of the compromised email accounts had external access blocked within 24 hours of the initial unauthorized account access.

Orlando Family Physicians determined on May 21, 2021, that the unauthorized individual potentially accessed emails in the account that contained patients’ protected health information. A review of the emails and attachments was conducted, and on July 9, 2021, Orlando Family Physicians was able to identify all affected individuals.

The email accounts contained the personal and protected health information of current patients, potential patients, employees, and other individuals. The types of information in the accounts varied from individual to individual and included one or more of the following types of data: Names, demographic information, diagnoses, provider names, prescriptions, health insurance information (Medicare beneficiary number or other subscriber identification number), patient account numbers, medical record numbers, and passport numbers.

The attack appears to have been conducted with the aim of committing financial fraud against the practice, rather than to obtain patient data; however, since unauthorized data access and exfiltration could not be ruled out, affected individuals have been advised to exercise caution and closely check their financial accounts and explanation of benefits statements for signs of fraudulent activity.

Orlando Family Physicians has enhanced its technical security measures following the breach and supplemental training on email security is being provided to the workforce.
