HIPAA Breach News

Universal Health Services Ransomware Attack Cost $67 Million in 2020

2020 was a particularly bad year for healthcare industry ransomware attacks, with one of the worst suffered by the King of Prussia, PA-based Fortune 500 healthcare system, Universal Health Services (UHS).

UHS, which operates 400 hospitals and behavioral health facilities in the United States and United Kingdom, suffered a cyberattack in September 2020 that wiped out all of its IT systems, affecting its hospitals and other healthcare facilities across the country.

The phone system was taken out of action, and without access to computers and electronic health records, employees had to resort to pen and paper to record patient information. In the early hours after the attack occurred, the health system diverted ambulances to alternative facilities and some elective procedures were either postponed or diverted to competitors. Patients reported delays receiving test results while UHS recovered from the attack.

UHS worked fast to restore its information technology infrastructure following the attack and worked around the clock to return to normal business operations; however, the recovery process took around 3 weeks. The disruption naturally had a major impact financially, with the UHS quarterly earnings report for Q4, 2020 showing $42.1 million in losses, which equated to 49 cents per diluted share. UHS ended the quarter with profits of $308.7 million, up 6.6% from Q4, 2019.

Restoring its IT infrastructure resulted in a significant increase in labor costs, both internally and externally. Cash flows were also affected, as certain administrative functions such as coding and billing had to be delayed until December 2020.

UHS has reported total pre-tax losses of an estimated $67 million in 2020 due to the ransomware attack, mostly as a result of the loss of operating income, reduction in patient activity, and increased revenue reserves as a result of the billing delays. UHS believes it is entitled to recover the majority of the $67 million in insurance payouts.

The post Universal Health Services Ransomware Attack Cost $67 Million in 2020 appeared first on HIPAA Journal.

Gore Medical Management Alerted to 2017 Breach of 79,100 Patients’ PHI

Gore Medical Management, a medical practice company based in Griffin, GA, has discovered a historic data breach involving the protected health information (PHI) of 79,100 individuals. The breach occurred in 2017 and affects patients of Family Medical Center in Thomaston, which is now part of Upson Regional Medical Center.

In November 2020, Gore Medical Management was informed by the Federal Bureau of Investigation that a third-party computer had been recovered as part of an investigation which was found to contain the PHI of Family Medical Center patients.

The breach investigation confirmed that the vulnerability exploited by the hacker to gain access to the Family Medical Center network had been identified and corrected a few months after the breach, although the breach itself was not detected at the time. The medical record system was not compromised, but files containing names, addresses, dates of birth, and Social Security numbers were exfiltrated. No financial information or healthcare records were involved.

There does not appear to have been any further access to its systems or any other transfer of data since 2017. Gore Medical Management has now notified all affected patients and has offered them a 12-month membership to an identity theft protection and credit monitoring service.

Pennsylvania Adult & Teen Challenge Discovers Compromised Email Accounts Containing PHI of 7,771 Individuals

Pennsylvania Adult & Teen Challenge, a Rehrersburg, PA-based provider of addiction treatment programs for adults and young people, has discovered an unauthorized individual gained access to employee email accounts that contained the protected health information of 7,771 individuals.

Suspicious activity was detected in an email account on July 29, 2020 and steps were taken to prevent further access and investigate the breach. The investigation confirmed that certain email accounts had been accessed by an unauthorized individual between July 27, 2020 and July 30, 2020.

A forensic investigation was conducted, and the compromised accounts were reviewed to determine the information potentially obtained by the attacker. That process was completed on December 29, 2020.

The types of information in the accounts varied from individual to individual and may have included names along with one or more of the following data elements: Social Security Number, driver’s license number, financial account information, payment card information, date of birth, prescription information, diagnosis information, treatment information, treatment provider, health insurance information, medical information, Medicare/Medicaid ID number, employer identification number, electronic signature, username and password.

It was not possible to determine if information in the email accounts was accessed or exfiltrated, but no reports have been received to date to indicate any patient information has been misused. Notification letters have recently been sent to affected individuals and complimentary identity theft protection services have been offered.


Email Security Breach Impacts 45,000 Covenant Healthcare Patients

Covenant Healthcare in Saginaw, MI has discovered an unauthorized individual gained access to two employee email accounts that contained the protected health information of approximately 45,000 patients. The security breach was identified on December 21, 2020, with the investigation revealing the first email account was compromised on May 4, 2020.

A review of the compromised email accounts revealed they contained the following types of protected health information: Names, addresses, dates of birth, Social Security numbers, driver’s license numbers, medical diagnosis and clinical information, medical treatment information, prescription information, doctors’ names, medical record numbers, patient account numbers, and medical insurance information.

Affected individuals have been advised to place a fraud alert on their accounts and to monitor their account statements for signs of unauthorized activity. Affected individuals do not appear to have been offered complimentary credit monitoring.

“We are committed to keeping your personal information safe and pledge to continually evaluate and modify our practices and internal controls to enhance security and privacy,” explained Covenant Healthcare in its website breach notice.

Fisher-Titus Medical Center – Norwalk, Ohio

An unauthorized individual has gained access to the email account of an employee of Fisher-Titus Medical Center in Norwalk, OH. The email account was first accessed in August 2020 and access remained possible until October 2020 when the breach was discovered and the email account was secured.

The delay in issuing notifications to affected individuals was due to the time taken to investigate the breach. Third-party cybersecurity experts completed their investigation on January 13, 2020 and breach notification letters were sent on February 18, 2021.

The medical center determined the breach included patient names, medical information such as diagnoses, clinical information, health insurance information, Social Security numbers, and credit/debit card numbers. Affected individuals whose Social Security number was potentially compromised have been offered complimentary membership to credit monitoring services for 12 months.

Additional safeguards have now been implemented, including changes to the password policy, enhanced antivirus software, upgrades to external firewalls, revised email retention policies, and enhanced monitoring. A new anti-phishing platform has also been implemented.

University Hospital – Newark, New Jersey

University Hospital in Newark, NJ, has discovered an unauthorized individual gained access to its computer network and potentially viewed and exfiltrated patient information. The incident was detected on September 14, 2020, with the system found to have been breached four days previously.

A forensic investigation revealed the attacker potentially gained access to names, addresses, dates of birth, driver’s license numbers, Social Security numbers, state ID numbers, passport numbers, insurance information, financial information, medical record numbers, and some clinical information.

Affected individuals have been offered complimentary membership to identity theft protection and credit monitoring services for 12 months. University Hospital has since taken steps to improve its security protocols to prevent further breaches.


Cyberattack Forces St. Margaret’s Health – Spring Valley to Shut Down Computer Systems

St. Margaret’s Health – Spring Valley in Illinois is investigating a cyberattack that occurred over the weekend of February 20/21, 2021. The security breach was detected by the hospital’s IT team on February 21, and the hospital’s computer network and all web-based applications including email and its patient portal were shut down.

The hospital had security systems in place to protect against intrusions and data breaches. It is currently unclear how those systems were bypassed. Third-party cybersecurity experts have been engaged to assist with the investigation and remediation efforts.

St. Margaret’s Health had developed and practiced computer downtime emergency operations, which have now been put into effect. The hospital has temporarily reverted to paper records for recording patient information and is relying on telephone and fax for communication while the email system is out of action. It is currently unclear how long the systems will remain offline.

The cyberattack did not affect the computer systems of St. Margaret’s Peru, as those systems have not yet been merged with those of St. Margaret’s Spring Valley. Care continues to be provided to patients; however, diagnostic imaging procedures have been temporarily transferred to St. Margaret’s Peru while the security breach is remediated.

The breach investigation is still in the early stages, but no evidence has been found so far to suggest any patient information has been compromised.

COVID-19 Contact Tracing Data of Pitkin County, CO Residents Exposed Online

The personal information of 1,454 residents of Pitkin County in Colorado has been exposed online and could potentially have been accessed by unauthorized individuals. The exposure of the data was due to an error that occurred when configuring the county’s COVID-19 contact tracing system.

The types of information exposed included names, dates of birth, employer information, date of onset of COVID-19 symptoms, date and type of COVID-19 test taken, the results of those tests, whether individuals have had a flu jab, information on school and childcare used by individuals, and whether individuals had any underlying health conditions. The information was exposed online between October 1, 2020 and December 14, 2020.

An error occurred when configuring the software used to upload the information to the website, and as a result certain fields that should have been made inaccessible were left viewable. While it is not possible to determine if any information was accessed by unauthorized individuals during the time it was accessible, the county suspects some people may have downloaded the information.

Pitkin County is offering 12 free months of credit monitoring and identification restoration services to affected individuals.

Documents Containing PHI of HarborChase Nursing Home Residents Found Scattered in Florida Streets

Documents containing the protected health information of residents of the HarborChase senior living facility in Mandarin in Jacksonville, FL have been found scattered in streets in St. John’s County. First Coast News was alerted to the privacy breach by residents who discovered the paperwork, some of which contained sensitive information such as names, addresses, Social Security numbers, and prescription information.

Some of the information related to patients of Guardian pharmacy, which was alerted to the breach and subsequently notified HarborChase. According to a report on First Coast News, HarborChase is investigating a document shredding company it contracted to securely dispose of documents containing patient information. HarborChase said all of the documents had been sent for secure disposal.


March 1, 2021: Deadline for Reporting 2020 Small Healthcare Data Breaches

The deadline for reporting healthcare data breaches of fewer than 500 records that were discovered in 2020 is fast approaching. HIPAA covered entities and business associates have until March 1, 2021 to submit reports to the Department of Health and Human Services’ Office for Civil Rights (OCR) for breaches that were discovered between January 1, 2020 and December 31, 2020.

HIPAA defines a breach as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised.” A risk assessment should be conducted to determine the probability that PHI has been compromised, which must consider the nature and extent of the PHI involved; the probability of identification of individuals; the person who used/disclosed the PHI; whether PHI was viewed or acquired by an unauthorized individual; and the extent to which the risk has been mitigated.

The HIPAA Breach Notification Rule requires notifications to be issued to affected individuals within 60 days of the discovery of a breach. All breaches must be reported to OCR, including security incidents and privacy breaches affecting a single patient. If the breach affects 500 or more individuals, OCR must also be notified within 60 days. When there is a smaller breach, patients must still be notified within 60 days, but OCR does not need to be notified until 60 days from the end of the calendar year in which the breach was discovered.

Breach reports should be submitted to OCR electronically via the OCR breach reporting portal. While smaller breaches can be reported ‘together’ ahead of the deadline via the portal, each incident must be submitted individually. Since details of the breach must be provided, including contact information, the nature of the incident, and the actions taken following the breach, adding these breach reports can take some time. The best practice is to report the breaches throughout the year when sufficient information about the nature, scope, and cause of the breaches is known, rather than waiting until the last minute.

The failure to report small healthcare data breaches before the deadline could result in sanctions and penalties against the covered entity or business associate.
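As an added example (not from the HIPAA Journal post), the following Python works out the two deadlines the rule sets from the 60-day window and the 500-record threshold described above, and flags incidents whose OCR deadline has passed. The incident names and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# HIPAA Breach Notification Rule parameters as described in the text:
# notifications are due within 60 days, and 500 records is the line between
# "report to OCR now" and "report to OCR after the calendar year ends".
NOTIFICATION_WINDOW = timedelta(days=60)
LARGE_BREACH_THRESHOLD = 500


@dataclass(frozen=True)
class BreachIncident:
    """One breach as a covered entity might track it (constructed record type)."""
    name: str
    discovered: date
    individuals_affected: int
    reported_to_ocr: bool = False


def individual_notice_deadline(discovered: date) -> date:
    """Affected individuals must be notified within 60 days of discovery,
    regardless of breach size."""
    return discovered + NOTIFICATION_WINDOW


def ocr_report_deadline(discovered: date, individuals_affected: int) -> date:
    """OCR deadline: 60 days from discovery for 500+ individuals, otherwise
    60 days from the end of the calendar year in which the breach was discovered.
    When the following year is not a leap year that is March 1 (as in 2021);
    when it is a leap year the 60th day is February 29."""
    if individuals_affected >= LARGE_BREACH_THRESHOLD:
        return discovered + NOTIFICATION_WINDOW
    year_end = date(discovered.year, 12, 31)
    return year_end + NOTIFICATION_WINDOW


def overdue_ocr_reports(incidents, today: date) -> list:
    """Names of incidents not yet reported to OCR whose deadline has passed.
    The deadline day itself still counts as on time."""
    return [
        inc.name
        for inc in incidents
        if not inc.reported_to_ocr
        and today > ocr_report_deadline(inc.discovered, inc.individuals_affected)
    ]


# Constructed sample incidents (not real breaches) exercising both branches.
SAMPLE_INCIDENTS = [
    BreachIncident("misdirected fax", date(2020, 6, 15), 12),
    BreachIncident("lost unencrypted laptop", date(2020, 12, 31), 340),
    BreachIncident("phishing, two mailboxes", date(2020, 9, 14), 45_000),
    BreachIncident("portal field mapping error", date(2021, 1, 5), 3),
]

if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        print(inc.name,
              "individuals by", individual_notice_deadline(inc.discovered),
              "OCR by", ocr_report_deadline(inc.discovered, inc.individuals_affected))
    print("overdue on 2021-03-02:", overdue_ocr_reports(SAMPLE_INCIDENTS, date(2021, 3, 2)))
```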


Exploitation of Vulnerabilities in Accellion File Transfer Appliance Gave Hackers Access to Data of Kroger Customers

Kroger has announced it has suffered a data security incident involving the exploitation of SQL injection vulnerabilities in its Accellion File Transfer Appliance (FTA). The Accellion FTA is a legacy appliance that was released around 20 years ago as a secure file transfer solution for sharing files too large to send via email.

A zero-day vulnerability in the product was first identified by Accellion in mid-December 2020, with a further three vulnerabilities subsequently identified. Some of those vulnerabilities were exploited by a threat actor to gain access to the vulnerable devices. The hacker then installed a web shell which was used to exfiltrate sensitive data.

Accellion explained in a February 22, 2021 press release that Mandiant had investigated the security incident and attributed the attacks to a criminal hacker tracked as UNC2546. UNC2546 has been linked to the FIN11 hacking group and CL0P ransomware operation.

In January, several Accellion FTA customers reported receiving ransom demands for the return of stolen data. Threats were made to publish stolen data on the CL0P ransomware data leak site if the ransom was not paid. Accellion says around 300 customers use the Accellion FTA, fewer than 100 were victims of the attack, and fewer than 25 suffered significant data theft. Ransomware was not used in the attacks.

Kroger was alerted to the breach on January 23, 2021 and discontinued use of the Accellion FTA. An internal investigation was conducted to determine which information had potentially been stolen. Kroger said fewer than 1% of its customers were affected, most of whom were customers of Kroger Health and Money Services, along with some associates and employees.

Some Social Security numbers were compromised but the breach did not include financial information or customer account passwords, and there have been no reports of the misuse of any customer data. Kroger has offered complimentary credit monitoring services to all affected customers.

The incident has yet to be reported to the HHS’ Office for Civil Rights so it is currently unclear how many patients have been affected.


Ransom Paid to Recover Healthcare Data Stolen in Cyberattack on Online Storage Vendor

The protected health information of 29,982 patients of a Laguna Hills, CA-based provider of medical and surgical eye care services has potentially been stolen in a cyberattack on its online storage vendor.

On January 15, 2021, Harvard Eye Associates was informed by its storage vendor that hackers had gained access to the vendor’s computer system and exfiltrated data. It is not clear whether files were encrypted to prevent access; however, a ransom demand was issued for the return of the stolen data. The storage vendor consulted with cybersecurity experts and the Federal Bureau of Investigation and took the decision to pay the ransom demand.

The hackers returned the stolen data and provided assurances that no copies of the data had been made and there had been no further disclosures of the stolen information. The cybersecurity experts engaged by the storage vendor have been monitoring the Internet and darknet and have not found any evidence to suggest the stolen data has been sold or leaked online. An investigation into the breach revealed the hackers first gained access to the vendor’s computer systems on October 24, 2020.

The types of patient information potentially obtained by the hackers included patients’ names, addresses, phone numbers, email addresses, dates of birth, medical histories, health insurance information, medications, and information about treatment provided at Harvard Eye Associates.

Harvard Eye Associates provides billing and other administrative services to Alicia Surgery Center in Laguna Hills, which requires access to the types of data previously mentioned. Alicia Surgery Center patients were also affected by the security incident. It is currently unclear how many patients of Alicia Surgery Center have been affected.

Harvard Eye Associates and Alicia Surgery Center explained in their website breach notices that affected individuals are being notified and offered complimentary credit monitoring and identity theft protection services.


January 2021 Healthcare Data Breach Report

January saw a 48% month-over-month reduction in the number of healthcare data breaches of 500 or more records, falling from 62 incidents in December to just 32 in January. While this is well below the average number of data breaches reported each month over the past 12 months (38), it is still more than 1 data breach per day.

[Chart: January 2021 Healthcare Data Breaches]

There would have been a significant decline in the number of breached records were it not for a major data breach discovered by Florida Healthy Kids Corporation that affected 3.5 million individuals. With that breach included, 4,467,098 records were reported as breached in January, which exceeded December’s total by more than 225,000 records.

[Chart: January 2021 Healthcare Data Breaches - Records Exposed]

Largest Healthcare Data Breaches Reported in January 2021

The breach reported by Florida Healthy Kids Corporation was one of the largest healthcare data breaches of all time. The breach was reported by the health plan, but actually occurred at one of its business associates. The health plan used an IT company to host its website and a web application for insurance coverage applications. The company failed to apply patches for 7 years, which allowed unauthorized individuals to exploit the flaws and gain access to sensitive data.

Hendrick Health had a major data breach due to a ransomware attack; one of many reported by healthcare providers since September 2020 when ransomware actors stepped up their attacks on the healthcare sector. The County of Ramsey breach was also due to a ransomware attack at one of its technology vendors.

Email-based attacks such as business email compromise (BEC) and phishing attacks were common in January, and were the cause of 4 of the top 10 breaches.

Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached Information
Florida Healthy Kids Corporation | Health Plan* | 3,500,000 | Hacking/IT Incident: Website and Web Application Hack | Network Server
Hendrick Health | Healthcare Provider | 640,436 | Hacking/IT Incident: Ransomware | Network Server
Roper St. Francis Healthcare | Healthcare Provider | 189,761 | Hacking/IT Incident: Phishing attack | Email
Precision Spine Care | Healthcare Provider | 20,787 | Hacking/IT Incident: BEC attack | Email
Walgreen Co. | Healthcare Provider | 16,089 | Unauthorized Access/Disclosure: Unknown | Email
The Richards Group | Business Associate | 15,429 | Hacking/IT Incident: Phishing attack | Email
Florida Hospital Physician Group Inc. | Healthcare Provider | 13,759 | Hacking/IT Incident: EHR System | Electronic Medical Record
Managed Health Services | Health Plan* | 11,988 | Unauthorized Access/Disclosure: Unconfirmed | Paper/Films
Bethesda Hospital | Healthcare Provider | 9,148 | Unauthorized Access of EMR by employee | Electronic Medical Record
County of Ramsey | Healthcare Provider* | 8,687 | Hacking/IT Incident: Ransomware | Network Server

*Breach reported by covered entity but occurred at a business associate.

Causes of January 2021 Healthcare Data Breaches

Hacking and other IT incidents continue to cause the majority of healthcare data breaches. January saw 20 hacking/IT incidents reported, which accounted for 62.5% of the month’s data breaches. The protected health information of 4,413,762 individuals was compromised or exposed in those breaches – 98.8% of all breached records in January. The average breach size was 220,688 records and the median breach size was 2,464 records.

There were 11 reported unauthorized access and disclosure incidents involving 50,996 records. The average breach size was 4,636 records and the median breach size was 1,680 records.

There was one reported incident involving the loss of an unencrypted laptop computer containing 2,340 records, but no theft or improper disposal incidents.

[Chart: Causes of January 2021 Healthcare Data Breaches]

As the bar chart below shows, email is the most common location of breached PHI, mostly due to the high number of phishing attacks. This was closely followed by network server incidents, which mostly involve malware or ransomware.

[Chart: Location of PHI in January 2021 Healthcare Data Breaches]

January 2021 Healthcare Data Breaches by Entity Type

Healthcare providers were the worst affected covered entity type with 23 reported data breaches followed by health plans with 6 reported breaches. Three data breaches were reported by business associates of HIPAA covered entities, although a further 7 occurred at business associates but were reported by the covered entity, including the largest data breach of the month.

The number of breaches reported by business associates has been increasing in recent months. These incidents often involve multiple covered entities, such as the 2020 data breach at Blackbaud, which involved the data of more than 10 million individuals across around four dozen healthcare organizations. A study by CI Security found 75% of all breached healthcare records in the second half of 2020 were due to data breaches at business associates.

[Chart: January 2021 healthcare data breaches by covered entity type]

Where Did the Data Breaches Occur?

January’s 32 data breaches were spread across 18 states, with Florida the worst affected with 6 reported breaches. There were 3 breaches reported by entities in Texas and Wyoming, and 2 reported in each of Louisiana, Massachusetts, and Minnesota.

Illinois, Indiana, Maryland, Missouri, Nevada, North Carolina, Ohio, Pennsylvania, South Carolina, Vermont, Virginia, and Washington each had 1 breach reported.

HIPAA Enforcement Activity in January 2021

2020 was a record year for HIPAA enforcement actions with 19 settlements reached to resolve HIPAA cases, and the enforcement actions continued in January with two settlements reached with HIPAA covered entities to resolve violations of the HIPAA Rules.

Excellus Health Plan settled a HIPAA compliance investigation that was initiated following a report of a breach of 9,358,891 records in 2015. OCR investigators identified multiple potential violations of the HIPAA Rules, including a risk analysis failure, risk management failure, lack of information system activity reviews, and insufficient technical policies to prevent unauthorized ePHI access. Excellus Health Plan settled the case with no admission of liability and paid a $5,100,000 financial penalty.

OCR continued its crackdown on noncompliance with the HIPAA Right of Access with a $200,000 financial penalty for Banner Health. OCR found two Banner Health affiliated covered entities had each failed to provide a patient with timely access to medical records, with both patients having to wait several months to receive their requested records.


Wilmington Surgical Associates Facing Class Action Lawsuit Over Netwalker Ransomware Attack

Wilmington Surgical Associates in North Carolina is facing a class action lawsuit over a Netwalker ransomware attack and data breach that occurred in October 2020.

As is now common in ransomware attacks, files were exfiltrated prior to the deployment of ransomware. In this case, the Netwalker ransomware gang stole 13GB of data from two Wilmington Surgical Associates’ servers that were used for administration purposes. Some of the stolen data was published on the threat actors’ data leak site where it could be accessed by anyone.

The leaked data was spread across thousands of files and included financial information related to the practice, employee information, and patient data such as photographs, scanned documents, lab test results, Social Security numbers, health insurance information, and other sensitive patient information.

Wilmington Surgical Associates sent notifications to affected individuals in December 2020 and reported the data breach to the HHS’ Office for Civil Rights on December 17, 2020 as affecting 114,834 patients.

The lawsuit – Jewett et al. v. Wilmington Surgical Associates – was filed by Rhine Law Firm; Morgan & Morgan; and Mason Lietz & Klinger on February 10, 2021 and was recently removed to the US District Court for the Eastern District of North Carolina.

Plaintiffs Katherine Teal, Sherry Bordeaux, and Philip Jewett allege in the lawsuit that their sensitive personal and health information is now in the hands of cybercriminals, which places them at an elevated risk of identity theft and fraud and other damages such as the lowering of credit scores and higher interest rates. The plaintiffs also allege they have suffered ascertainable losses as a result of the security incident in terms of out-of-pocket expenses and time spent remediating the effects of the data breach.

The lawsuit alleges Wilmington Surgical Associates was negligent for failing to adequately safeguard patient data when it had been put on notice about the elevated risk of ransomware attacks. In addition, it is alleged that the North Carolina healthcare provider failed to adequately monitor its systems for network intrusions and failed to provide timely breach notifications to patients and adequate information on the types of information compromised in the attack.

The plaintiffs seek reimbursement of out-of-pocket expenses, compensation for time spent dealing with the aftereffects of the breach, restitution, injunctive relief, and adequate credit monitoring services for breach victims. The lawsuit also asks the court to order Wilmington Surgical Associates to improve data security and undergo annual security audits.
