HIPAA Breach News

February 14, 2024 Healthcare Data Breach Round-Up

Data breaches have recently been reported by the Hampton-Newport News Community Services Board, Marywood Nursing Care Center, Health Alliance, United Regional Health Care System, Nabholz Construction, and J.D. Gilmour & Co.

Hampton-Newport News Community Services Board

The Hampton-Newport News Community Services Board, a Virginia-based provider of behavioral health and intellectual and developmental disability services, has notified 44,312 individuals that some of their protected health information was compromised in a recent ransomware attack. Technical disruptions were experienced on November 12, 2023, and it soon became clear that the disruption was due to the use of ransomware. Third-party cybersecurity experts were engaged to assist with the investigation and remediation, and they determined that the attackers gained access to its network on September 26, 2023.

A review of all files that could have been accessed confirmed that patient data was present in them. The exposed data varied from patient to patient and may have included names in combination with Social Security numbers, addresses, ZIP codes, driver’s license numbers, dates of birth, clinical information such as diagnoses/conditions, lab results, medications or other treatment information, claims information and insurance information. The Hampton-Newport News Community Services Board was unable to confirm whether that data was actually viewed or stolen in the attack. Credit monitoring and identity restoration services have been offered to the affected individuals.

Marywood Nursing Care Center

Marian Village Corporation, doing business as Marywood Nursing Care Center in Massachusetts, experienced a security breach that involved the protected health information of 6,178 individuals. The breach notification sent to the Massachusetts Attorney General does not state when the breach was detected or when it occurred, only that an unauthorized individual accessed its network and potentially stole files that contained names, claim information, and addresses. No other information was compromised in the attack. The affected individuals have been offered complimentary Single Bureau Credit Monitoring/Single Bureau Credit Report/Single Bureau Credit Score services. Marywood said it has deployed additional monitoring tools and will continue to review and enhance the security of its systems.

Health Alliance

Health Alliance in Illinois has recently confirmed that the protected health information of 6,900 of its members was exposed in a data breach at a subcontractor of one of its business associates. Health Alliance contracted with OnTrak, which used the subcontractor Keenan. On August 27, 2023, Keenan discovered the unauthorized access and disconnected its network to contain the incident. The forensic investigation confirmed that an unauthorized third party had gained access to records containing health plan members’ data. Keenan notified Health Alliance about the breach on December 20, 2023, and provided a list of the affected members on January 10, 2024.

Health Alliance then reviewed and matched the list to the records of its members and notification letters have now been sent. Health Alliance said the following information was compromised in the incident: name, address, member number, date of birth, health coverage information, and, in some cases, Social Security number. Keenan has offered the affected individuals a 24-month membership to the Experian IdentityWorks Credit 3B service.

Nabholz Construction

Nabholz Construction, a provider of construction-related services in Arkansas, has been affected by a data breach at Cadence Bank that exposed the protected health information of 5,326 members of its Corporation Employee Welfare Health Plan. Cadence Bank informed Nabholz on November 29, 2023, that data had been exposed in a cyberattack that exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer solution. Progress Software issued a patch for the vulnerability on May 31, 2023; however, Cadence Bank determined that the vulnerability had been exploited between May 28 and May 31, 2023. The data compromised in the attack included names, Social Security numbers, dates of birth, addresses, medical information such as treatment information, provider names, medications, and health insurance information.

J.D. Gilmour & Co., Inc.

J.D. Gilmour & Co., Inc., a Glendale, CA-based insurance agency, discovered unauthorized access to its email environment on June 29, 2023. Third-party cybersecurity experts were engaged and conducted a forensic investigation of its entire email tenant, which confirmed there had been unauthorized access to a single employee email account. The review of that account determined on October 27, 2023, that the protected health information of 2,481 individuals had been exposed. On December 21, 2023, J.D. Gilmour & Co. obtained authorization from the affected client to mail notification letters. The affected individuals have been offered Single Bureau Credit Monitoring/Single Bureau Credit Report/Single Bureau Credit Score services at no cost.

United Regional Health Care System

United Regional Health Care System has recently reported a hacking-related data breach to the HHS’ Office for Civil Rights that affected 36,900 patients. There is currently no mention of a data breach on the website of the Wichita Falls, TX-based health system but the breach notification submitted to the Texas Attorney General states the breach occurred on May 30, 2023, and involved names, dates of birth, medical information, and insurance information.

The post February 14, 2024 Healthcare Data Breach Round-Up appeared first on HIPAA Journal.

Azura Vascular Care Reports Data Breach Affecting 348,000 Patients

Azura Vascular Care, a Pennsylvania-based operator of 70 outpatient vascular centers and ambulatory surgery centers in 25 states and Puerto Rico, notified the HHS’ Office for Civil Rights last month about a cybersecurity incident involving the protected health information of 348,000 patients.

The incident was detected on November 9, 2023. Cybersecurity experts were engaged to assist with the investigation, which confirmed that unauthorized individuals accessed certain systems on or before September 27, 2023, and encrypted certain files. On November 15, 2023, it was confirmed that some of the files that were available to the hackers contained patient data such as names, mailing addresses, dates of birth, and other demographic and contact information, including emergency contact information, Social Security numbers, insurance information, diagnosis and treatment information, and other information from medical or billing records.

Some guarantor information was also exposed, including names, mailing addresses, telephone numbers, dates of birth, Social Security Numbers, and email addresses. Azura Vascular Care said individuals who had sensitive information exposed such as Social Security numbers have been offered complimentary identity protection, credit monitoring, and fraud resolution services.

Covenant Care California Assessing Scope of Cyberattack

Covenant Care California, LLC, which operates skilled nursing facilities and home health agencies throughout California and Nevada, has confirmed there has been unauthorized access to files containing the personal and protected health information of patients and other individuals. The cyberattack was detected on November 14, 2023, and while the investigation is ongoing, it has been determined that files were removed from its network between November 12 and November 14.

The incident has affected current and former patients, prospective patient referrals, and responsible parties of patients who received services from a facility or agency operated by Covenant Care, including rehabilitation services provided through a company called AFFIRMA and home health services provided under the names Focus Health, Elevate Home Health, Choice Home Health Care, and San Diego Home Health.

The list of affected individuals has yet to be finalized, but Covenant Care California has confirmed that the incident involved the following information: name, date of birth, medical information, and/or health insurance information, including diagnosis or treatment information and/or claims and billing information. For some individuals, the information may also include Social Security number, financial account or credit/debit card numbers, driver’s license or state/federal identification number, and/or other personal information.

The breach has been reported to the HHS’ Office for Civil Rights with an interim total of 501 individuals, which will be updated when the investigation concludes. Affected individuals are being offered credit monitoring and identity theft restoration services at no cost.

Cooper Aerobics Announces 124K-Record Data Breach

Cooper Aerobics, on behalf of Cooper Clinic, Cooper Medical Imaging, and Cooper Aerobics Enterprises in Texas, has notified 124,341 individuals that some of their protected health information was exposed in a cyberattack in early 2023. It is not clear from the notification letters when the intrusion occurred. After a comprehensive investigation and file review, Cooper Aerobics learned on December 8, 2023, that files containing the personal and protected health information of patients were potentially removed from its network on February 3, 2023.

Patients have been notified that the following information was potentially involved: name, address, phone number, email address, date of birth, credit or debit card number (including expiration date), financial account and routing numbers, tax identification number, driver’s license or government identification, passport number, username and password, Social Security number, health information (including medical record/patient account number, prescription information, medical provider, and medical procedures), and health insurance information.

Cooper Aerobics started notifying the affected individuals on January 5, 2024 and said it continually evaluates and modifies its practices and internal controls to protect against unauthorized access and will continue to do so.

6,000 Individuals Impacted by Ransomware Attack on Colorado Ophthalmology Associates

Colorado Ophthalmology Associates (COA) has recently disclosed a ransomware attack that was discovered on November 14, 2023. Data exfiltration is common in ransomware attacks, but no evidence of data theft was identified during the forensic investigation. COA said that the attack involved automated encryption and resulted in the loss of electronic medical record files for patient visits or exams conducted between April 10, 2023, and November 14, 2023.

The forensic investigation confirmed that the intrusion began as early as October 4, 2023, and ended on November 14, 2023. The types of information exposed in the attack were limited to names, addresses, dates of birth, phone numbers, email addresses, Social Security numbers, insurance information, dates of service, types of services, diagnoses, conditions, prescriptions, test results, medications, and other treatment information. The incident has been reported to the HHS’ Office for Civil Rights as affecting up to 6,020 individuals.

462,000 Hawaiians Affected by Data Breach at Navvis & Company

Approximately 462,000 individuals who enrolled in health plans through the Hawaii Medical Service Association (HMSA) have been affected by a data breach at the St. Louis, MO-based business services provider Navvis & Company. Navvis & Company detected unauthorized activity within its systems on July 25, 2023, and the forensic investigation confirmed that an unauthorized third party had access to its systems between July 12, 2023, and July 25, 2023, and exfiltrated sensitive information.

Navvis & Company mailed notification letters to the affected health plan enrollees last month. The information exposed in the incident included names, dates of birth, health plan information, medical treatment information, medical record numbers, patient account numbers, case identification numbers, provider and doctor information, and health record information. The affected individuals have been offered complimentary credit monitoring and identity theft protection services.

Navvis & Company reported the breach to OCR as affecting 917 individuals, with the affected clients mostly choosing to report the breach themselves. As such, the total number of individuals affected is not known. Other affected clients included SSM Health.

Atlanta Women’s Health Group Notifies 30,000 Patients About April 2023 Cyberattack

Atlanta Women’s Health Group has notified approximately 30,000 patients that their protected health information was stolen in a cyberattack that was detected on April 12, 2023. Third-party cybersecurity experts were engaged to investigate the extent of the breach and an extensive data mining exercise was conducted to determine the individuals affected and the types of data involved.

Atlanta Women’s Health Group said for the majority of patients, the exposed data was limited to names, dates of birth, patient ID numbers, and other information that may be contained in medical records. It was not possible to tell which specific types of information were accessed or acquired. The review was time-intensive, hence the delay in issuing notification letters. Following the attack, Atlanta Women’s Health Group worked with outside security consultants to implement additional cybersecurity measures to prevent further attacks. While data theft occurred, Atlanta Women’s Health Group said it is unaware of any misuse of patient data.

Coastal Hospice & Palliative Care Confirmed PHI Exposure in July Cyberattack

Coastal Hospice & Palliative Care in Salisbury, MD, has confirmed that the protected health information of 29,100 individuals was potentially compromised in a July 2023 cyberattack. The attack was detected on July 24, 2023, when its network was disrupted. Cybersecurity experts were engaged to investigate the incident and assist with the recovery process.

The review of the files on the affected part of the network was completed on November 20, 2023, and confirmed that the following information had been exposed and was potentially obtained by the attackers: name, Social Security number, date of birth, medical diagnosis information, individual health insurance policy number, physician or medical facility information, medical condition or treatment information and patient account number. Coastal Hospice & Palliative Care said the incident was reported to the Federal Bureau of Investigation and steps have been taken to improve security to prevent similar incidents in the future.

U.S. Fertility Proposes $5.75 Million Settlement to Resolve Class Action Data Breach Lawsuit

US Fertility LLC, the operator of more than 100 fertility clinics across the United States, has proposed a $5.75 million settlement to resolve a class action lawsuit that was filed in response to a data breach that exposed the data of around 900,000 patients.

U.S. Fertility announced in November 2020 that hackers had gained access to its network and installed malware (ransomware) that rendered certain systems inaccessible. The breach was detected on September 14, 2020; however, the hackers first gained access to the network on August 12, 2020. Before encrypting files, the hackers exfiltrated sensitive patient data including names, addresses, dates of birth, MPI numbers, Social Security numbers, medical information, and financial information.

A class action lawsuit was filed alleging that U.S. Fertility was negligent in failing to implement reasonable and appropriate cybersecurity measures to protect highly sensitive patient data from unauthorized access, and that, had those measures been implemented, the breach could have been prevented or its severity greatly reduced. U.S. Fertility maintains there was no wrongdoing but decided to settle the lawsuit.

Under the settlement terms, all class members are entitled to a $50 cash payment. Class members whose data was stolen from a California clinic will be entitled to claim an additional cash payment of $200. Claims may also be submitted for up to 4 hours of lost time at $25 per hour, and unreimbursed out-of-pocket losses can be claimed and will be paid up to a maximum of $15,000 per claimant. Claims for reimbursement of losses must be supported by receipts, account statements, IRS documents, police reports, FTC reports, professional invoices, and other documentation. The cash payments may be reduced and paid pro-rata depending on the number of claims submitted.

Individuals who wish to object to the settlement or exclude themselves have until February 20, 2024, to do so. All claims must be submitted by March 19, 2024. The final settlement hearing has been scheduled for April 18, 2024.

Malicious Insider Incident at Montefiore Medical Center Results in $4.75 Million HIPAA Penalty

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced its first financial penalty of the year to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). Montefiore Medical Center has agreed to settle the investigation and has paid a $4.75 million penalty to resolve the alleged HIPAA violations. With this one penalty, OCR has already exceeded its total collections from its HIPAA enforcement actions in 2023 and this is the largest financial penalty to be imposed by OCR since January 2021’s $5.1 million penalty for Excellus Health Plan.

Like the Excellus investigation, OCR uncovered multiple failures to comply with the HIPAA Security Rule; however, the Excellus investigation was in response to a breach of the PHI of 9.35 million individuals. Montefiore Medical Center’s penalty stemmed from a report of a breach of the PHI of 12,517 patients. The scale of a data breach is taken into consideration by OCR when determining an appropriate penalty, but it is the nature of the underlying HIPAA violations that has the biggest impact on the size of a penalty, and Montefiore Medical Center’s HIPAA violations were deemed to be severe.

Montefiore Medical Center, a non-profit hospital system based in New York City, was notified by the New York Police Department in May 2015 that evidence had been uncovered of criminal HIPAA violations at the medical center. A patient’s protected health information had been stolen by an employee. An investigation was launched which revealed the employee had unlawfully accessed the medical records of 12,517 patients, copied their information, and sold the information to identity thieves. The former employee had been accessing the records without authorization for 6 months, from January 1, 2013, through June 30, 2013.

Montefiore Medical Center notified OCR about the breach on July 22, 2015, and OCR informed Montefiore Medical Center on November 23, 2015, that it had initiated an investigation to assess whether the medical center was compliant with the HIPAA Rules. OCR determined that Montefiore Medical Center had failed to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI (45 CFR § 164.308(a)(1)(ii)(A)); failed to implement procedures to regularly review records of activity in information systems, such as audit logs and access reports (§ 164.308(a)(1)(ii)(D)); and failed to implement hardware, software, or procedural mechanisms to record and examine activity in information systems that contain or use ePHI (the audit controls standard, § 164.312(b)).

The insider incident investigated by OCR was not the last time that the medical center has had to deal with malicious insiders. There was an incident involving an employee accessing patient records without authorization between January 2018 and July 2020. The employee had accessed the records of 4,000 patients in connection with a vendor as part of a billing scam. In 2021, the medical center confirmed that another employee had accessed the medical records of patients without authorization over a period of 5 months in 2020. The Medical Center has since implemented a system to monitor patient records for unauthorized access by employees.

Montefiore Medical Center chose to settle the allegations with no admission of wrongdoing and agreed to implement a corrective action plan which includes the following requirements:

  • Conduct an accurate and thorough assessment of the potential security risks and vulnerabilities to the confidentiality, integrity, and availability of all of its ePHI.
  • Develop a written risk management plan or plans sufficient to address and mitigate any security risks and vulnerabilities identified in the risk analysis.
  • Develop and implement a plan to implement hardware, software, and/or procedural mechanisms that record and examine activity in all information systems that contain or use ePHI.
  • Distribute the revised policies and procedures to the workforce and provide training to the workforce on those revised policies and procedures.
  • Review and revise current Privacy and Security Rules policies and procedures based on the findings of the risk analysis.

OCR will monitor Montefiore Medical Center for compliance with the HIPAA Rules for 2 years. “Unfortunately, we are living in a time where cyber-attacks from malicious insiders are not uncommon. Now more than ever, the risks to patient protected health information cannot be overlooked and must be addressed swiftly and diligently,” said OCR Director Melanie Fontes Rainer. “This investigation and settlement with Montefiore are an example of how the health care sector can be severely targeted by cyber criminals and thieves—even within their own walls. Cyber-attacks do not discriminate based on organization size or stature, and it’s incumbent that our health care system follow the law to protect patient records.”

In the announcement about the settlement, OCR reminded HIPAA-regulated entities of their obligations under HIPAA to implement safeguards to mitigate or prevent cyber threats, including threats that originate inside as well as outside the organization. This settlement makes clear the consequences of failing to implement those safeguards.
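The controls OCR found missing at Montefiore (mechanisms that record and examine activity in systems holding ePHI, plus a procedure to review those records) are what a record-access monitor of the kind the medical center later deployed implements. The following Python is an added example written for this page, not Montefiore's system or any vendor product: it parses a constructed EHR access audit log (the pipe-delimited format, field names, user names, unit names, thresholds and every sample record are assumptions) and flags a user-day whose count of distinct patients viewed is far above a robust peer baseline, or whose views are mostly off-hours and mostly outside the user's own unit. The insider profile it is built to catch is the one in the Montefiore case: one account touching thousands of charts it has no care relationship with.

```python
"""EHR record-access monitor (added example; log format and thresholds are assumptions)."""
from datetime import datetime, timedelta
from statistics import median

OFF_HOURS = range(0, 5)  # 00:00-04:59 is treated as "off hours" (assumed window)

# ---- constructed sample audit log (not real data) ------------------------
# One record per chart view: ISO timestamp | user | user_unit | patient_id | patient_unit
_DAY = datetime(2013, 3, 4)


def _rec(when, user, unit, pid, punit):
    return f"{when.isoformat()}|{user}|{unit}|{pid}|{punit}"


def build_sample_log():
    """Return a constructed log with three ordinary users and one snooper."""
    lines = []
    # Day-shift cardiology nurse: a few own-unit patients during the day.
    for i in range(4):
        lines.append(_rec(_DAY + timedelta(hours=9, minutes=20 * i),
                          "nurse01", "cardiology", f"P10{i}", "cardiology"))
    # Oncology nurse, likewise.
    for i in range(3):
        lines.append(_rec(_DAY + timedelta(hours=10, minutes=30 * i),
                          "nurse02", "oncology", f"P20{i}", "oncology"))
    # Night-shift ICU nurse: off-hours, but own unit and modest volume (must not alert).
    for i in range(5):
        lines.append(_rec(_DAY + timedelta(hours=1, minutes=25 * i),
                          "nurse03", "icu", f"P30{i}", "icu"))
    # Insider: 45 distinct patients across four units between 01:00 and 04:00.
    units = ["cardiology", "oncology", "icu", "ortho"]
    for i in range(45):
        lines.append(_rec(_DAY + timedelta(hours=1, minutes=4 * i),
                          "nurse09", "cardiology", f"P9{i:03d}", units[i % 4]))
    return "\n".join(lines)


def parse_log(text):
    """Parse pipe-delimited records into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, unit, pid, punit = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "unit": unit, "pid": pid, "punit": punit})
    return events


def summarize(events):
    """Aggregate per (user, date): distinct patients, off-hours and cross-unit views."""
    agg = {}
    for e in events:
        key = (e["user"], e["ts"].date())
        s = agg.setdefault(key, {"patients": set(), "total": 0,
                                 "off_hours": 0, "cross_unit": 0})
        s["patients"].add(e["pid"])
        s["total"] += 1
        if e["ts"].hour in OFF_HOURS:
            s["off_hours"] += 1
        if e["punit"] != e["unit"]:
            s["cross_unit"] += 1
    return agg


def detect(agg, mad_k=5.0, min_patients=10, off_frac=0.8, cross_frac=0.5):
    """Return {user: [reasons]} for user-days that look like snooping.

    Rule 1: distinct patients above a robust peer baseline (median + k*MAD of
            every other user-day, floored at min_patients so tiny counts never fire).
    Rule 2: most views off-hours AND most views outside the user's own unit.
    """
    counts = {k: len(s["patients"]) for k, s in agg.items()}
    alerts = {}
    for key, s in agg.items():
        reasons = []
        n = counts[key]
        peers = [c for k, c in counts.items() if k != key]
        if peers:
            med = median(peers)
            mad = median([abs(c - med) for c in peers]) or 1.0  # guard zero spread
            threshold = max(min_patients, med + mad_k * mad)
            if n > threshold:
                reasons.append(f"{n} distinct patients > peer threshold {threshold:.1f}")
        off = s["off_hours"] / s["total"]
        cross = s["cross_unit"] / s["total"]
        if off >= off_frac and cross >= cross_frac:
            reasons.append(f"{off:.0%} of views off-hours and {cross:.0%} outside own unit")
        if reasons:
            alerts[key[0]] = reasons
    return alerts


def run():
    """Parse, aggregate and score the constructed log; returns the alert dict."""
    return detect(summarize(parse_log(build_sample_log())))


if __name__ == "__main__":
    for user, reasons in run().items():
        print(user, "->", "; ".join(reasons))
```

Only nurse09 is flagged, on both rules; the night-shift ICU nurse is off-hours but within unit and low volume, so neither rule fires. The peer baseline uses median and MAD rather than mean and standard deviation so that one heavy snooper does not inflate the threshold that protects everyone else. A production monitor would baseline per role over weeks rather than per day, and would join each view against encounter or scheduling data to test for a treatment relationship, which is the check that actually separates snooping from care.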

Des Moines Orthopaedic Surgeons Notifies Patients About February 2023 Data Breach

Des Moines Orthopaedic Surgeons (DMOS) in Iowa has recently notified 307,864 current and former patients that some of their protected health information (PHI) was exposed in a cyberattack almost a year ago. DMOS explained that the incident occurred on or around February 17, 2023, and allowed an unauthorized third party to access and/or remove files containing the PHI of DMOS patients. DMOS said the breach was due to the failure of one of its vendors.

DMOS said it immediately contained the threat and engaged third-party cybersecurity experts to investigate the incident to determine the extent of compromise. According to the notification letters, “DMOS devoted considerable time and effort to assessing the extent and scope of the incident and to determine what information may have been accessible to the unauthorized users.” It took 10 months to determine that patient data was present in the documents and records involved, with PHI exposure not confirmed until December 6, 2023.

The types of data involved included names along with one or more of the following: Social Security number, date of birth, driver’s license numbers, state identification numbers, passports, direct deposit bank information, medical information, and health insurance information. Notification letters were mailed on January 22, 2024, and individuals whose Social Security numbers were exposed have been offered complimentary credit monitoring and identity theft protection services.

Michigan Orthopaedic Surgeons Email Account Breach Affects 67,000 Patients

Michigan Orthopaedic Surgeons has recently notified 67,477 patients that some of their PHI was present in an email account that was accessed by unauthorized individuals. Suspicious activity was detected in the email account on or around June 29, 2023. A third-party forensic security company was engaged to investigate the incident and confirmed the email account had been accessed by an unauthorized individual between May 5, 2023, and June 21, 2023.

A comprehensive review of the account was initiated, and it was determined on October 20, 2023, that protected health information was present in the account. The types of information varied from individual to individual and may have included names in combination with one or more of the following: date of birth, Social Security number, financial account number, username and password, health insurance information, and medical information, such as diagnosis, lab results, and prescription information. Individual notifications were mailed on December 19, 2023, and complimentary credit monitoring services have been provided to the individuals who had their Social Security numbers exposed.

Prestige Care Suffers Ransomware Attack

Prestige Care, Inc., a Vancouver, WA-based senior care organization, has recently notified 38,087 individuals that some of their personal and protected health information was potentially accessed or acquired in a September 2023 ransomware attack. The attack was detected on September 7, 2023, with the investigation determining that malware had been installed that prevented access to certain files on its system. The investigation confirmed that the threat actor had access to files containing personal and health information on September 7.

The file review confirmed on December 18, 2023, that those files included names and Social Security numbers. Notification letters started to be sent to the affected individuals on January 31, 2024. Complimentary credit monitoring services have been offered for 12 months.

Bay Area Heart Center Impacted by Phishing Attack on Business Associate

Bay Area Heart Center in St. Petersburg, FL has confirmed that patient data was exposed in a cyberattack at the law firm Bowden Barlow Law, P.A., which Bay Area Heart Center uses for collections. An employee at the law firm responded to a phishing email, which provided the attacker with access to one of the law firm’s servers between November 17, 2023, and December 1, 2023. Bay Area Heart Center was notified about the breach on December 27, 2023.

The investigation found no evidence to suggest data had been downloaded, but data theft could not be ruled out. The exposed data included names, addresses, full and partial Social Security Numbers, dates of service, limited claims data, and insurance policy numbers. “Bay Area Heart Center takes this matter extremely seriously and is equally frustrated that its patient files were compromised by a third-party vendor,” explained the healthcare provider in its breach notice. “Given the potential impact this breach could have on patients, and in furtherance of its commitment to safety and security, the medical practice is currently reevaluating its partnership with Bowden Barlow Law.” Bay Area Heart Center said it has offered the affected individuals a one-year membership to a credit monitoring service.

Northern Light Health Says Patient Data Not Compromised in Cyberattack

On February 4, 2024, Northern Light Health in Brewer, ME, announced that it was forced to take its patient records system offline on February 3, 2024, after discovering certain computers had been compromised in a cyberattack. Northern Light Health explained that none of the affected computers stored any patient data, and that the patient record system was taken offline while the incident was investigated. Northern Light Health said no third party has made contact demanding a ransom and the decision to take patient records offline was taken out of an abundance of caution. Downtime procedures were initiated immediately, and patient care was not disrupted.

Daily updates were provided on its website and on February 5, 2024, Northern Light Health said its medical record system was back online. The incident is still being investigated and there are still no indications that patient data was exposed.

ITRC: Data Compromises Reach All Time High in 2023

There was a huge increase in data compromises in 2023 but a fall in the number of individuals affected by those incidents, according to the Identity Theft Resource Center’s (ITRC) 2023 Data Breach Report. Publicly reported data compromises rose 78% over 2022 to 3,205 incidents, which is also 72% above the previous high-water mark of 1,860 data compromises set in 2021. The increase in incidents is staggering, as ITRC CEO Eva Velasquez explained. “Just the increase from the past record high to 2023’s number is larger than the annual number of events from 2005 until 2020 (except for 2017).”

Even with such a high percentage increase, the estimated number of individuals affected by data compromises fell by 16% year-over-year to 353,027,892 individuals. ITRC reports that there is a general downward trend in the number of individuals affected by data breaches as criminals are focusing on quality rather than quantity and are searching for specific information that can be used for identity-related fraud and scams rather than conducting mass attacks.

Healthcare Tops List for Most Data Compromises

The ITRC data show that healthcare leads all industries in terms of the number of reported compromises, as the industry has done for the past 5 years. In 2023 ITRC tracked 809 healthcare data compromises with around 56 million victims, up from 343 compromises and around 28 million victims the previous year. Financial services and transportation round out the top three, and all three sectors reported more than twice as many compromises as the previous year. Utilities topped the list in terms of victim count with 73 million victims, yet had just 44 reported incidents. The companies worst affected by data compromises in 2023 were T-Mobile, which had a breach that affected an estimated 37 million customers, followed by Xfinity (36M) and PeopleConnect (20M).

It is not possible to provide a simple answer as to why data breach numbers fluctuate. “We must acknowledge the significant impact of supply chain attacks and the effect they have on all organizations,” said Velasquez. “A single supply chain attack can directly or indirectly impact hundreds or thousands of businesses that rely on the same vendor.” Since 2018, the number of organizations impacted by supply chain attacks has increased by a staggering 2,600% and the number of victims has increased to more than 54 million – 15% of the overall number of victims in 2023.

The Consumer Breach Reporting Framework is Broken

Velasquez believes that stronger reporting requirements are necessary, both to warn other vulnerable businesses of the risk of a similar attack and to drive increased due diligence when it comes to vendors and data protection. Another issue highlighted by Velasquez is that the legislative framework implemented more than two decades ago to warn consumers about data breaches is simply not working. “A Supply Chain Attack victim from 2020 confirmed in 2023 what was suspected for years: Businesses under or non-report breaches,” said Velasquez.

Velasquez was referring to Blackbaud, which suffered a cyberattack in 2020 that affected millions of individuals. Blackbaud was investigated and settled the multistate action and paid a penalty of $49.5 million. The settlement agreement confirmed that Blackbaud notified around 13,000 customers that they had been affected, yet only 604 organizations filed public notices tracked by the ITRC. “We need to bring a level of uniformity to the breach notice process to help protect both consumers and business,” said Velasquez.

Cyberattacks topped the list of attack vectors with 2,365 reported compromises. Across all industry sectors, ITRC reports that phishing attacks were down (438 incidents), as were ransomware attacks (246 incidents), although reports from cybersecurity companies suggest that ransomware attacks increased. GuidePoint Security’s recent ransomware report showed an 80% year-over-year increase in ransomware activity.

Over the past few years, there has been a trend of increasing opaqueness with data breach disclosures. ITRC said more than 1,400 public data breach notices did not contain information about the attack vector, and that number has almost doubled since 2022. It is not only the root cause of data breaches that is being withheld. The ITRC reports a growing trend in withholding other information such as victim counts. “Actionable notices, those containing victim counts and attack vector details, declined from 60% in 2022 to 54% in 2023,” explained the ITRC in the report.

Problems and Solutions

The increase in data compromises by financially motivated and nation-state threat actors in 2023 is likely to drive new levels of identity theft and fraud in 2024, with the ITRC particularly concerned about impersonation and synthetic identity fraud. Criminals are likely to combine stolen data with generative AI, leading to increasingly sophisticated phishing attacks and other forms of identity fraud and scams, although the biggest threat from generative AI will continue to be misinformation and disinformation.

The ITRC is calling for a uniform breach notice law to replace the current patchwork of federal and state laws, bring uniformity to data breach notices, and ensure that consumers are given the information they need to make an informed decision about the risk they face. To better protect consumers from identity theft and fraud, the ITRC believes there is a clear need for the expansion of facial verification along with digital credentials, which would also lower the overall value of compromised personally identifiable information to bad actors.

Given the increase in supply chain attacks, organizations need to conduct due diligence on vendors, and knowing the breach history of a company is an important aspect of assessing risk. The ITRC will soon be launching a due diligence and alert tool for businesses – Breach Alert for Business (BA4B) – that will help them comply with state and federal requirements for cyber risk assessments on vendors and better understand the risks within their supply chains.

The post ITRC: Data Compromises Reach All Time High in 2023 appeared first on HIPAA Journal.

Ann & Robert H. Lurie Children’s Hospital Responding to Cyberattack

On February 1, 2024, Ann & Robert H. Lurie Children’s Hospital in Chicago announced on its website and social media channels that it is responding to a cybersecurity incident and has been forced to take its network systems offline. The cyberattack has been reported to law enforcement agencies and Lurie Children’s is working collaboratively with those agencies and third-party cybersecurity experts to investigate the attack and bring network systems back online as soon as it is safe to do so.

The 360-bed acute care hospital is a leading provider of pediatric care in Illinois and one of the biggest children’s healthcare providers in the Midwest, serving 239,000 children each year. The cyberattack has disrupted normal operations and caused delays to medical care for certain patients, with ultrasound and CT scan results temporarily unavailable. Some appointments and elective procedures have been canceled to ensure patient safety. The hospital has confirmed that its emergency services are unaffected, and it is operating under a first-come, first-served approach and is prioritizing emergency patients.

The system-wide network outage has affected computers, Internet access, email, and phone lines at the main hospital, outpatient centers, and primary care offices. Lurie Children’s Hospital apologized for the inconvenience caused and said it is actively working to resolve the issue as soon as possible and is trying to minimize the disruption to patients as far as possible. Lurie Children’s has been working on establishing an emergency helpline to address patient families’ and community providers’ needs but it was not possible to provide a timeline for when normal operations will resume.

Little information has been disclosed so far about the nature of the attack. No ransomware groups appear to have claimed responsibility at this stage. Naturally, at such an early stage of the incident response, it is not possible to tell if any patient data has been stolen. Lurie Children’s will provide updates as the investigation progresses. Just a few days ago, another Chicago hospital confirmed that it had suffered a cyberattack. Saint Anthony Hospital fell victim to a LockBit ransomware attack in December. The LockBit group recently added the hospital to its data leak site as it sought payment of a $900,000 ransom and gave the hospital just 2 days to make payment to prevent the release of the stolen data.

The post Ann & Robert H. Lurie Children’s Hospital Responding to Cyberattack appeared first on HIPAA Journal.

LockBit Ransomware Gang Claims Responsibility for Attack on Saint Anthony Hospital

The LockBit ransomware gang has added Chicago’s Saint Anthony Hospital to its data leak site and is demanding a ransom payment of almost $900,000 from the nonprofit hospital to prevent the release of the stolen data. Earlier this week, Saint Anthony Hospital confirmed that it was still investigating the attack, which was detected on December 18, 2023. Saint Anthony Hospital took immediate action to secure its network to prevent further unauthorized access and an investigation was launched to determine the nature and scope of the unauthorized activity. The prompt action taken by the hospital in response to the attack allowed care to continue to be provided to patients without disruption.

The investigation confirmed on January 7, 2024, that an unknown, unauthorized third party had copied files from its network on December 18, 2023, which contained patient information. Those files are being reviewed to determine the number of patients affected and the types of information involved, and that process is ongoing. At this stage, Saint Anthony Hospital is unable to say how many individuals have been affected and the specific types of data involved. Individual notification letters will be mailed to the affected individuals when that process is completed.

While the theft of patient data has been confirmed, the forensic investigation found no evidence that its electronic medical record database or financial systems as a whole were compromised. Saint Anthony Hospital said that, as part of its commitment to data privacy, existing data security policies and procedures are being reviewed and will be updated as appropriate to better protect patient data in the future. The incident has been reported to the Federal Bureau of Investigation, the Department of Health and Human Services, and other regulators. Since some patient data has been stolen, patients have been advised to remain vigilant against identity theft, to review their account statements and explanation of benefits statements for unusual activity, and to report any suspicious activity to their insurance company, healthcare provider, or financial institution.

Since the notification was issued, the LockBit ransomware group has added Saint Anthony Hospital to its data leak site. The LockBit group has previously claimed that it prohibits affiliates from attacking hospitals. Last year, an affiliate attacked Toronto’s Hospital for Sick Children (SickKids); the group promptly apologized, issued a free decryptor so the hospital could recover its files, and claimed that the affiliate behind the attack had been kicked out of its program for violating its operating rules. The latest attack suggests that policy has been abandoned. In the listing on its data leak site, the LockBit group claimed that “Always US hospitals put their greedy interest over those of their patients and clients,” apparently oblivious to the fact that Saint Anthony Hospital is a nonprofit healthcare provider.

Saint Anthony Hospital has indicated the ransom will not be paid. “As a vital safety-net hospital to the people in the communities we serve, we are dedicated to using our resources to care for our community’s most vulnerable and not to rewarding the illegal actions of bad actors,” said CIO Jeff Eilers.

The post LockBit Ransomware Gang Claims Responsibility for Attack on Saint Anthony Hospital appeared first on HIPAA Journal.