HIPAA Breach News

SouthCoast Health; Call 4 Health Notify Patients About Cyberattacks

SouthCoast Health and Privia Medical Group in Georgia have notified patients about a cyberattack and data breach that occurred in June 2023. Unauthorized activity was identified in South Coast Health’s network on June 18, 2023, and, with the assistance of forensic specialists, it was determined that the network was accessed by an unauthorized third party between June 15 and June 18, 2023. During that time, files on the network were viewed or copied.

South Coast Health confirmed that the intrusion was limited to its own network, with Privia Medical Group’s network unaffected; however, some Privia Medical Group patients did have their information exposed. The substitute breach notice provided to the South Carolina Attorney General does not list the types of data compromised in the attack, but that information is detailed in the individual notifications.

A substitute notice was posted on its website last year warning patients that they may have been affected, but at the time it was unclear how many patients had been affected or the types of data involved. The review of the affected files was not completed until June 13, 2024. South Coast Health said it had strict security measures in place to prevent unauthorized access to its network, but those measures were circumvented. Additional security measures have now been implemented to prevent similar incidents in the future. Complimentary credit monitoring and identity theft protection services have been offered to the affected individuals. The HHS Office for Civil Rights breach portal still shows the interim figure of 501 affected individuals.

Call 4 Health Issues Notifications About March 2024 Cyberattack

Call 4 Health, Inc., a Delray Beach, FL-based medical call center operator and nurse triage service provider, has recently issued individual notifications to individuals affected by a data security incident that occurred on March 20, 2024. Unauthorized network access was detected on May 6, 2024, and immediate action was taken to prevent further unauthorized access.

Third-party cybersecurity experts were engaged to assist with the investigation and confirmed that its network had been hacked, and its systems were accessible for around 6 weeks. In addition to investigating the breach, assistance was provided in securing its digital environment and hardening network security. Call 4 Health also said it will be enhancing its cyber preparedness through additional awareness training and updating its procedures.

In its notice to the Maine Attorney General, Call 4 Health confirmed that the breached data included information related to employment and human resources, with the July 8, 2024 breach report stating that 3,210 individuals had been affected, including 1 Maine resident. The incident was reported to the Department of Health and Human Services on March 17, 2024, indicating the protected health information of 10,434 individuals had been exposed. Complimentary credit monitoring and identity restoration services are being offered to some of the affected individuals.

Clear Spring Health Notifies Patients About Change Healthcare Data Breach

Clear Spring Health, a Miramar, FL-based provider of PPO, HMO, and PDP advantage plans, has notified Medicare beneficiaries that their data may have been compromised in the February 2024 ransomware attack on Change Healthcare. In a website notice, Clear Spring Health explained that Change Healthcare confirmed on or around March 7, 2024, that the attackers had exfiltrated a substantial amount of data in the attack, which had potentially affected one in three Americans.

Change Healthcare is still conducting the document review to determine exactly which individuals have had their data exposed or stolen, and notification letters are expected to be mailed on behalf of its clients by the end of the month. Clear Spring Health said the types of data that may have been exposed include contact information, health insurance information, health information, billing information, and personal information, including Social Security numbers, driver’s license numbers, state ID numbers, and passport numbers. Clear Spring Health has advised the affected Medicare beneficiaries to take advantage of the two years of free credit monitoring services that Change Healthcare is offering.

The post SouthCoast Health; Call 4 Health Notify Patients About Cyberattacks appeared first on The HIPAA Journal.

RansomHub Claims to Have Stolen and Leaked 100 GB of Florida Department of Health Data

The Florida Department of Health has confirmed to FOX 35 in Orlando that it is investigating a cyberattack. The attack has affected its Vital Statistics System, which is used to process birth and death certificates. The disruption to the system has been causing problems for funeral homes across the state for the past two weeks. Some funeral homes have postponed their services or have been forced to physically visit healthcare providers to get signed copies of death certificates.

The Department of Health has released few details about the attack but this appears to have been a ransomware attack involving the exfiltration of a large volume of data. The RansomHub group claimed responsibility for the attack and said it had stolen around 100 gigabytes of data from the Department and started to leak the stolen data when the ransom was not paid by its deadline of July 1, 2024. The Department of Health has not commented on the validity of the group’s claims nor the extent of any data breach.

The failure to pay the ransom should not have come as a surprise, as Florida amended its State Cybersecurity Act to prohibit state agencies, counties, and municipalities that experience a ransomware attack from paying or otherwise complying with a ransom demand. The ban on ransom payments took effect on July 1, 2022.

There are no reasons to believe that the hacking group’s data theft claims are not genuine. RansomHub has conducted many attacks in the United States, including attacks on healthcare organizations and government departments. The group was also indirectly involved in the February ransomware attack on Change Healthcare, having obtained the data stolen in the attack from a BlackCat ransomware group affiliate after BlackCat performed an exit scam, pocketed the $22 million ransom, and refused to pay the affiliate.

Patient Data Compromised in Palomar Health Medical Group Cyberattack

Palomar Health Medical Group has warned patients that they may have been affected by an April 2024 cyberattack, and DaVita has learned that tracking tools on its website and mobile app may have sent user data to third-party vendors.

Palomar Health Medical Group Announces April 2024 Cyberattack

Palomar Health Medical Group, a provider of primary and specialty care to communities in North San Diego County, has informed patients about a recent cyberattack that exposed some of their protected health information. A security breach was detected on or around May 5, 2024, and immediate action was taken to prevent further unauthorized access to its systems. An investigation was launched to determine the nature and scope of the incident, which confirmed that hackers had access to its network from April 23, 2024, to May 5, 2024.

Palomar Health Medical Group said the attack “may have caused certain files to become unrecoverable,” which suggests that ransomware was used. Palomar Health Medical Group has confirmed that certain files were exfiltrated from its network and the review of those files is ongoing, as is the process of restoring the affected files. A full recovery of the affected systems was expected by July 1, 2024; however, the recovery process is taking longer than anticipated.

It is still not possible to tell exactly how many patients have been affected or the specific types of data that have been exposed or obtained in the attack; however, Palomar Health Medical Group has identified the categories of data involved. The compromised data varies from individual to individual and, based on the initial findings of the investigation, will include patient names in combination with one or more of the following: address, date of birth, Social Security number, medical history information, disability information, diagnostic information, treatment information, prescription information, physician information, medical record number, health insurance information, subscriber number, health insurance group/plan number, credit/debit card number, security code/PIN number, expiration date, email address and password, and username and password.

The breach has affected current and former patients of Palomar Health Medical Group and its affiliates Graybill Medical Group and Pacific Accountable Care. Individual notification letters will be mailed to the affected individuals when the file review is completed.

DaVita Notifies Patients About Tracking Technology Privacy Incident

DaVita Inc., a Denver, CO-based provider of kidney dialysis services, notified 67,443 patients on July 2, 2024, about a pixel-related data breach. Pixels are online tracking technologies that are used on websites and mobile applications for recording visitor activity. DaVita explained that it learned on June 17, 2024, that tracking tools had been installed on its website health portal and Care Connect mobile application and that they may have transmitted data to third-party vendors.

The types of information disclosed varied from individual to individual based on their interactions on the website and use of the mobile application. That information may have included usernames and third-party identifiers/cookies, employment status, patient classification/reference, information about the use of the app or pages visited on the website, and information indicating whether the user was signed into a DaVita account, but not the account password. For certain users, limited demographic information may also have been disclosed and, potentially, lab test names or lab test resources viewed on the website but no lab test results. The above types of information could be tied to an individual via their IP address and third-party identifiers, such as if a user was logged into their Google or Facebook account at the time. First and last names would only have been disclosed if they were used to create a username.

DaVita said it has removed all third-party tracking technologies that are not part of a HIPAA-compliant service and has implemented new policies and procedures and provided additional training to members of its workforce to prevent similar privacy breaches in the future. DaVita said it is not aware of any misuse of the disclosed information that is likely to result in financial or similar harm.

Protected Health Information Stolen in HealthEquity SharePoint Breach

HealthEquity has confirmed a breach of its SharePoint data, which included protected health information. Data breaches have also been reported by Kairos Health Arizona and Ambulnz.

HealthEquity

HealthEquity, a Draper, UT-based financial technology and business services company, has suffered a cyberattack that has exposed protected health information. HealthEquity provides health savings account (HSA) services and other consumer-directed benefits solutions, including health reimbursement arrangements (HRAs), and manages millions of HSAs, HRAs, and other benefit accounts.

HealthEquity explained in an 8-K filing with the Securities and Exchange Commission (SEC) that it recently identified anomalous behavior in a business partner’s device, and said the initial investigation indicates that the device had been compromised and was used to access members’ information. No malware was found on its systems and business operations were unaffected, and while the company is still evaluating the financial impact of the incident, it does not believe that the incident will have any material effect on its business or financial results.

The breach was detected on March 25, 2024, and immediate action was taken to prevent further unauthorized access. A forensic investigation was launched to determine the extent of the breach, which revealed an unauthorized actor accessed and exfiltrated HealthEquity’s SharePoint data. Its transactional systems, where integrations occur, were not affected. HealthEquity has started notifying the affected partners, clients, and members and is offering complimentary credit monitoring and identity theft protection services. The extent of the breach and the types of information involved have not yet been publicly disclosed.

Kairos Health Arizona

Kairos Health Arizona, an employee benefits pool serving public entity employers in Arizona, has discovered that there has been unauthorized access to member data by a former third-party vendor. An investigation was launched which determined that between November 2, 2023, and March 29, 2024, the vendor accessed and downloaded information from a Kairos database.

A review was conducted to determine the types of data involved and confirmed that the downloaded data included names, insurance identification numbers, claims/coverage information, and health information. No Social Security numbers, driver’s license numbers, or financial account information were accessed or downloaded. Notification letters have now been sent to the 14,364 affected individuals and steps have been taken to enhance the security of its network, internal systems, and applications to prevent similar incidents in the future.

Ambulnz

Ambulnz, a subsidiary of DocGo that provides medical transportation and ambulance services, has discovered the protected health information of 4,742 patients has been exposed and potentially stolen in a cyberattack that was detected on April 22, 2024. The forensic investigation confirmed that a threat actor first accessed its network on April 21, 2024, and access was blocked the following day; however, the attack was not detected in time to prevent the threat actor from downloading patient data from its network. The stolen files included names, plus one or more of the following: dates of birth, address, medical record number, patient account number, health insurance identification number, and/or diagnosis and treatment information. A limited number of patients also had their Social Security numbers and/or driver’s license numbers stolen.

Email Breach Affects 22,000 Ambulatory Surgery Center of Westchester Patients

The Mount Kisco Surgery Center, doing business as the Ambulatory Surgery Center of Westchester in New York, has recently notified 22,139 patients that some of their protected health information has been exposed and potentially stolen.

Suspicious activity was detected in an employee’s email account on November 3, 2023, and after securing the account, a forensic investigation was launched to determine the nature and scope of the activity. The investigation confirmed that the unauthorized third party had access to the account from October 23, 2023, to November 3, 2023, and that the account contained patient data.

A comprehensive review was then initiated to determine the individuals affected and the types of data involved. That process was completed on May 30, 2024, and then address information was verified. The affected individuals were notified by mail on June 26, 2024. The types of data involved varied from patient to patient and included names in combination with one or more of the following: Social Security number, driver’s license number, state identification number, date of birth, medical information, including diagnosis information, treatment information, and prescription information, and health insurance information, including claim information and health insurance number.

At the time of issuing notifications, no reports had been received to suggest there had been any misuse of patient data. Mount Kisco Surgery Center said it has enhanced network security to prevent similar breaches in the future.

Mobile Medical Response Warns Patients About PHI Breach

Mobile Medical Response, a Michigan-based provider of medical transportation and ambulance services, has announced that there has been an impermissible disclosure of patient information at one of its business associates. Mobile Medical Response contracted with CBM Services to provide collections services. CMB Services had issued a check to Mobile Medical Response, which an unauthorized individual attempted to cash.

When checks are issued to Mobile Medical Response by CMB Services, they are accompanied by a statement of accounts that includes the names of individuals to whom the payments relate. The statements include names, identify individuals as having received transportation services from Mobile Medical Response, and potentially include other information.

Mobile Medical Response has confirmed that addresses, dates of birth, Social Security numbers, driver’s license/state identification numbers, financial account information, payment card information, patient record information, medical diagnosis/condition information, medical treatment information, and health insurance information were not impermissibly disclosed.

Mobile Medical Response is currently investigating the incident to determine the full nature, scope, and impact of the event. In the meantime, the breach has been reported as affecting 500 individuals. The total will be updated when the investigation has been completed.

Insider Breaches Reported by Providence Mission Heritage Endocrinology & Samaritan Health Services

Providence Mission Heritage Endocrinology and Samaritan Health Services have identified unauthorized access to patient data by former employees.

Providence Mission Heritage Endocrinology

In May 2024, Providence Mission Heritage Endocrinology in Mission Viejo, CA, discovered an insider breach that involved unauthorized access to clinical records. Providence launched an investigation into the activity and confirmed that the unauthorized access had been ongoing for more than three years. The first instance occurred on December 15, 2020, and it continued until May 15, 2024. The nature of the access was not disclosed; however, Providence said there is an active investigation by the California Department of Insurance.

The review confirmed that only names, State IDs, driver’s license numbers, and health insurance coverage information were accessed. Social Security numbers were not accessed; however, as a precaution, credit monitoring and identity protection services have been offered to the affected individuals for 12 months at no cost. Cambria Haydon, Chief Privacy Officer, Providence, has advised the affected patients to take advantage of those services.

The incident has been reported to the California Attorney General; however, it is not currently shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.

Samaritan Health Services

Samaritan Health Services in Oregon has announced that a physician who worked at its Lebanon Community Hospital may have accessed the protected health information of patients without authorization. An investigation was launched in November 2023, when unauthorized access was suspected.

The investigation involved a review of access logs to patient records, interviews with patients and employees, and a written attestation from the physician. While many of the records accessed by the physician were for legitimate purposes, Samaritan was unable to verify the purpose of the physician’s record access for 1,296 individuals.

Samaritan is confident that if the medical records of those individuals were accessed, it was not for malicious purposes and there are no indications that any patient data will be misused; however, as a precaution, the affected individuals have been advised to monitor their account statements and credit reports closely and should immediately report any unusual activity to the appropriate financial institution.

PHI Exposed in Cyberattacks on Gaia Software & Pinnacle Orthopaedics & Sports Medicine Specialists

Gaia Software has disclosed details of a February 2024 cyberattack, Pinnacle Orthopaedics & Sports Medicine Specialists are investigating an April 2024 cyberattack, and OB GYN Specialists of Lima have discovered the improper disposal of patient data.

Gaia Software

Gaia Software, a provider of electronic medical record and billing management software services to Americare Renal Center, has mailed notification letters to patients whose protected health information was compromised in a February 2024 cyberattack.

Gaia Software notified the HHS’ Office for Civil Rights about the breach on April 5, 2024, and confirmed in the breach report that the protected health information of 56,676 individuals had been compromised in the incident. The investigation into the incident concluded on April 19, 2024; however, details about the attack have only recently been made public.

According to the breach notification letters that were mailed on June 28, 2024, Gaia Software detected the cyberattack on or around February 5, 2024. The breach notification letters do not state whether ransomware was involved, only that the threat actor “attempted to infiltrate Gaia’s computer network and demand a ransom payment.”

Gaia Software said it has not detected any misuse of patient data but has confirmed that patient information was exposed and was potentially stolen in the attack. The types of data involved varied from individual to individual and may have included names, addresses, dates of birth, Social Security numbers, health insurance information, and/or health information.

Gaia Software said it is implementing additional safeguards and enhanced security measures to prevent similar incidents in the future and is reviewing information life cycle management. As a precaution against identity theft and fraud, the affected individuals have been offered complimentary single bureau credit monitoring/single bureau credit report/single bureau credit score services.

Pinnacle Orthopaedics & Sports Medicine Specialists

On June 21, 2024, Pinnacle Orthopaedics & Sports Medicine Specialists in Marietta, GA, announced that an unauthorized third party gained access to its computer network and potentially obtained patient data. The intrusion was detected on or around April 22, 2024, and steps were immediately taken to prevent further unauthorized access. Third-party cybersecurity experts were engaged to investigate to determine the nature and scope of the security breach.

On or around April 29, 2024, Pinnacle confirmed that the protected health information of fewer than 10 patients had been stolen. Those patients were notified but as the investigation continued it became clear that more patients had been affected. On or around June 7, 2024, Pinnacle determined that the protected health information of more than 500 patients had been exposed. Pinnacle is currently undertaking a detailed review of the exposed files and cannot confirm at this stage exactly how many patients have been affected. Those individuals will be notified when the investigation is completed.

Pinnacle said the types of information involved vary from individual to individual and may include names, dates of birth, medical/health information, treatment/diagnostic information, health insurance information, and/or billing/payment information. Pinnacle said it is implementing enhanced security measures to prevent similar incidents in the future.

OB GYN Specialists of Lima

OB GYN Specialists of Lima in Ohio have notified 1,100 patients that some of their personal and protected health information has been exposed in an improper disposal incident. The incident was detected on June 14, 2024, and attempts were made to retrieve the documents, but it was not possible to retrieve them all.

The documents related to visits to its office between June 5, 2024, and June 13, 2024, and included the demographic information that is printed when patients visit, which may have also included test results. Steps have since been taken to prevent similar incidents in the future.

Email Breaches Reported by SkinCure Oncology & the Wisconsin Department of Health Services

SkinCure Oncology has notified 13,434 patients about an email attack that occurred in June 2023, and the Wisconsin Department of Health Services has announced a breach of the personal information of 19,150 Medicaid recipients.

SkinCure Oncology

SkinCure Oncology in Burr Ridge, IL, has issued individual notifications to 13,434 patients whose protected health information was compromised in an email breach that occurred more than a year ago. According to the substitute breach notice, the investigation confirmed that multiple email accounts were accessed by an unauthorized third party between June 23 and June 25, 2023.

A comprehensive review was conducted to identify the files in the email accounts, and on December 6, 2023, it was confirmed that protected health information was present in emails and email attachments. SkinCure Oncology believes files in those email accounts were viewed and potentially obtained in the attack. The exposed information varied from individual to individual and may have included names, birth dates, medical record numbers, medical histories, and health insurance information. A limited number of patients had their Social Security numbers, driver’s license numbers, financial account information, and/or credit card information exposed.

The delay in issuing individual notifications was due to the time it took for SkinCure Oncology and its practice partners to locate up-to-date address information. The substitute breach notice makes no mention of complimentary credit monitoring and identity theft protection services, only that patients should be vigilant against identity theft and fraud. Further information can be obtained by calling SkinCure Oncology’s helpline – (866) 528-8844. The helpline is manned Monday to Friday from 8:00 a.m. to 5:30 p.m. Central Time.

Wisconsin Department of Health Services

Wisconsin Department of Health Services has reported a breach of the protected health information of up to 19,150 Medicaid recipients. The breach occurred at one of its partner organizations, Disability Rights Wisconsin, which discovered an unauthorized third party had gained access to an employee email account. It is unclear from the announcement when the breach occurred and when it was discovered.

Notification letters were sent to the affected individuals on June 21, 2024, and they were advised about the data that was exposed. Complimentary credit monitoring services have been offered to the affected individuals for 12 months and a helpline – 888-733-3814 – has been set up for individuals seeking further information. The helpline is manned Monday to Friday, from 8:00 a.m. to 8 p.m. Central Time.
