HIPAA Breach News

30,000 Florida Blue Members Impacted by Brute Force Attack on Member Portal

The protected health information of up to 30,063 members of Florida Blue (Blue Cross and Blue Shield of Florida) may have been viewed or obtained in a brute force attack on the Florida Blue online member portal.

Starting on June 8, 2021, unknown individuals conducted a brute force campaign using a large database of user identifiers and corresponding passwords that was available from online sources in an attempt to gain access to the portal. The database appears to have been compiled from data breaches at third party companies where username and password combinations had been compromised.

Florida Blue reports that some of those automated attempts were successful and the attacker gained access to information contained in online member accounts. This information typically included names, contact information, claims information, payment information, health insurance policy information, and other personal information.

While access to accounts was gained, Florida Blue found no evidence to suggest any information in those accounts was removed by the attacker.

Attacks such as this highlight the importance of setting strong, unique passwords for all online platforms. In the event of a breach at one platform, the password cannot then be used to access other accounts.

Florida Blue said when the brute force attack was detected, steps were taken to block the IP addresses used by the attacker. New security measures are being implemented to enhance the security of its web portal to block any further attacks such as this.
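The credential-stuffing pattern described above, as an added detection example that is not Florida Blue's code: it flags source IPs that cycle through many distinct usernames with mostly failed logins, builds the IP block list, and lists the accounts a flagged IP logged into so they can be forced through a password reset. The log line format, the thresholds and the sample lines are constructed assumptions.

```python
"""Credential-stuffing detection over portal login logs (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field
import re

# Assumed log line format (constructed for this example):
#   <ISO timestamp> ip=<addr> user=<username> result=<success|failure>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|failure)$"
)


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)       # distinct usernames tried
    successes: set = field(default_factory=set)   # usernames logged into


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def aggregate(lines):
    """Per-source-IP counters over an iterable of log lines."""
    stats = defaultdict(SourceStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the job
        s = stats[rec["ip"]]
        s.attempts += 1
        s.users.add(rec["user"])
        if rec["result"] == "failure":
            s.failures += 1
        else:
            s.successes.add(rec["user"])
    return stats


def flag_stuffing(stats, min_users=5, min_failure_ratio=0.8):
    """Return {ip: SourceStats} for sources that look like credential stuffing.

    Heuristic (assumed; tune per site): an IP that cycles through many distinct
    usernames and fails most of the time is replaying leaked credential pairs,
    not a single user mistyping their own password.
    """
    return {
        ip: s
        for ip, s in stats.items()
        if len(s.users) >= min_users and s.failures / s.attempts >= min_failure_ratio
    }


def response_plan(lines, **thresholds):
    """IP block list plus accounts needing a forced reset (hit from a flagged IP)."""
    flagged = flag_stuffing(aggregate(lines), **thresholds)
    block = sorted(flagged)
    reset = sorted(set().union(*(s.successes for s in flagged.values())))
    return block, reset


# Constructed sample: 203.0.113.7 sprays six accounts and gets one hit;
# 198.51.100.2 is a legitimate user who mistyped once; 192.0.2.9 is normal.
SAMPLE_LOG = [
    "2021-06-08T02:00:01Z ip=203.0.113.7 user=akhan result=failure",
    "2021-06-08T02:00:02Z ip=203.0.113.7 user=bpatel result=failure",
    "2021-06-08T02:00:03Z ip=203.0.113.7 user=cdiaz result=failure",
    "2021-06-08T02:00:04Z ip=203.0.113.7 user=dwong result=success",
    "2021-06-08T02:00:05Z ip=203.0.113.7 user=enovak result=failure",
    "2021-06-08T02:00:06Z ip=203.0.113.7 user=fhill result=failure",
    "2021-06-08T08:15:10Z ip=198.51.100.2 user=alice result=failure",
    "2021-06-08T08:15:25Z ip=198.51.100.2 user=alice result=success",
    "2021-06-08T09:01:00Z ip=192.0.2.9 user=bob result=success",
]

if __name__ == "__main__":
    block, reset = response_plan(SAMPLE_LOG)
    print("block IPs:", block)
    print("force password reset for:", reset)
```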

Notification letters were sent to affected Florida Blue members starting on June 30, 2021. Affected members have been advised to be vigilant and to review their accounts for any sign of malicious activity, such as unauthorized transactions.

As a precaution against identity theft and fraud, affected members have been offered a complimentary 2-year membership to identity theft protection, detection, and resolution services through Experian.

The post 30,000 Florida Blue Members Impacted by Brute Force Attack on Member Portal appeared first on HIPAA Journal.

Cyberattack on Florida Heart Associates Potentially Affects 45,000 Patients

Florida Heart Associates is notifying 45,148 patients about a recent security breach in which their personal and protected health information may have been compromised. The security breach was detected on or around May 19, 2021, when unusual activity was spotted within certain networked computers.

Steps were immediately taken to contain the breach and secure personal information and an investigation was launched to determine the nature and scope of the breach. Florida Heart Associates determined that its computer network was breached between May 9 and May 19, 2021.

Security systems had been implemented prior to the breach which limited the impact of the intrusion; however, it is possible that the attackers gained access to servers on which patient information was stored. The impacted servers contained names, member identification numbers, dates of birth, Social Security numbers, and health insurance information, all of which may have been accessed.

Florida Heart Associates said in its substitute breach notice that no indications have been received to suggest any information on the compromised servers has been misused.

Florida Heart Associates said the investigation into the breach is ongoing and steps have been and will continue to be taken to improve data privacy and security. Additional safeguards will be implemented, and policies and procedures are being reviewed and will be updated. The breach has been reported to the Maine Attorney General as a ransomware attack.

Affected individuals are being encouraged to remain vigilant and should review their accounts statements, credit reports, and explanation of benefits statements for signs of identity theft and fraud.

“We understand how important it is for our clients to receive uninterrupted cardiac care services and will resume our regular services and care as soon as possible,” said Florida Heart Associates. “We apologize for any inconvenience that may have arisen as a result of this incident. In the meantime, we ask for your understanding and patience.”

PHI of Over 200,000 Individuals Potentially Compromised in ClearBalance Phishing Attack

San Diego, CA-based ClearBalance, a loan provider that helps patients spread the cost of their hospital bills, was the victim of a phishing attack on March 8, 2021 and employees were tricked into disclosing their login credentials.

ClearBalance identified the email security breach on April 26, 2021 when the attacker attempted to make a fraudulent wire transfer. Steps were immediately taken to secure the email environment and prevent further unauthorized access, and the attempted wire transfer failed. No funds were transferred to the attacker’s account.

A third-party computer forensic investigator was engaged to investigate the breach and to determine whether the attacker accessed or obtained any sensitive data. The investigator confirmed that the breach was limited to the email environment and no other systems were affected and that the unauthorized individual had been ejected from email accounts the day the breach was detected.

The attacker was not able to gain access to the database that hosts the medical record systems of any healthcare providers; however, some sensitive data was present in emails and attachments which were potentially accessed. A review of the contents of the email accounts revealed they contained the following data elements:

Names, tax IDs, Social Security numbers, dates of birth, government-issued ID numbers, telephone numbers, healthcare account numbers, balance amounts, dates of service, ClearBalance loan numbers and balances, personal banking information, clinical information, health insurance information, and full-face photographic images. The types of data in the accounts varied from individual to individual.

Security safeguards have been enhanced to better protect the email environment and personal data, all user passwords have been changed, stronger access controls have been implemented on the network, and procedures for reporting suspicious activity have been updated.

The purpose of the attack appears to have been to make fraudulent wire transfers rather than to obtain sensitive data; however, as a precaution against identity theft and fraud, ClearBalance has offered affected individuals complimentary identity theft protection services, 24 months of credit monitoring services, and cover with an identity theft insurance reimbursement policy.

The breach has been reported to the HHS’ Office for Civil Rights as affecting 209,719 individuals.

Wisconsin Dermatology Practice Reports Data Breach Affecting 4,400 Individuals

Manitowoc, WI-based Forefront Management, LLC and Forefront Dermatology, S.C. discovered on June 4, 2021 that unauthorized individuals had gained access to its network and potentially viewed private and confidential employee and patient information.

The affected systems were immediately taken offline to prevent further unauthorized access and an investigation was launched to determine the nature and scope of the attack. On June 24, 2021, Forefront determined that certain files stored on its network had been accessed and potentially obtained; those files contained the personal information of a limited number of Forefront employees, including their names and Social Security numbers. The investigation revealed its network was first breached on May 28, 2021 and access remained possible until June 4, 2021.

During the course of the investigation, Forefront determined the unauthorized individual also accessed files that included the personal and protected health information of a limited number of current and former Forefront patients.

Patient information potentially compromised in the attack included names, addresses, dates of birth, patient account numbers, health insurance member ID numbers, medical record numbers, dates of service, provider names, and/or medical and clinical treatment information.

The breach summary submitted to state attorneys general indicates 4,431 individuals were affected by the breach. While there is no indication that any information in the files has been misused, Forefront is offering affected individuals a complimentary 12-month membership to TransUnion’s myTrueIdentity Credit Monitoring Service.

Forefront said it is enhancing its security protocols to help prevent a similar incident from occurring in the future.

Coastal Family Health Center Cyberattack Affects 62,000 Patients

Coastal Family Health Center (CFHC), the fourth largest community health center in Mississippi, has started notifying patients about a May 13, 2021 cyberattack that involved some of their protected health information.

CFHC said hackers attempted to shut down its computer operations; however, that attempt failed and CFHC was able to continue treating patients and providing services to the community. An investigation was immediately launched into the incident to determine how the attack occurred and whether any sensitive patient information was accessed by the hackers.

On June 4, 2021 the investigation revealed some files accessed by the attackers contained the protected health information of patients, including names, addresses, Social Security numbers, health insurance information, and health and treatment information.

Independent cybersecurity professionals were engaged to assist with improving the security of its systems, and policies and procedures have been changed to prevent further breaches in the future. After determining current mailing addresses, notification letters were sent to affected individuals on July 2, 2021.

While there have been no reported cases of misuse of patient information, out of an abundance of caution, CFHC is providing all affected individuals with complimentary identity theft protection services through IDX.

The incident has been reported to the Department of Health and Human Services’ Office for Civil Rights as affecting 62,342 current and former patients.

Carle Cancer Treatment Reports Hacking Incident Affecting 8,066 Patients

Carle Cancer Treatment in Normal, IL has started notifying 8,066 patients that some of their protected health information was exposed in a cyberattack on data storage vendor Elekta.

Elekta investigated the data breach and determined hackers had access to its systems between April 2 and April 20, 2021 and during that time may have accessed or obtained patient information such as full names, addresses, demographic data, Social Security numbers, birth dates, height/weight measurements, medical diagnoses, medical treatment information, and appointment confirmations.

Carle Cancer Treatment Normal was notified about the breach on April 29. Elekta said its investigation uncovered no evidence indicating patient information was publicly disclosed or used for fraudulent purposes. Affected individuals have been offered complimentary credit monitoring and identity theft protection services.

Ransomware Attacks Reported by 5 HIPAA Covered Entities and Business Associates

Professional Business Systems, Inc. operating as Practicefirst Medical Management Solutions and PBS Medcode Corp, a provider of medical management services involving data processing for healthcare providers, has suffered a ransomware attack in which files containing patient information were obtained by the attackers.

The ransomware attack was identified on December 30, 2020, and its systems were promptly shut down in an effort to contain the attack. Third-party cybersecurity experts were engaged to investigate the incident and law enforcement was notified.

Practicefirst has not confirmed whether the ransom was paid but did say it received assurances from the attacker that the files copied from its systems have been destroyed and were not further disclosed.

There have been no identified cases of misuse of patient information; however, all affected individuals have been advised to monitor their accounts for any sign of fraudulent activity.

The types of patient information contained in the files differed from patient to patient and may have included the following data elements: name, address, email address, date of birth, driver’s license number, Social Security number, diagnosis, laboratory and treatment information, patient identification number, medication information, health insurance identification and claims information, tax identification number, employee username with password, employee username with security questions and answers, and bank account and/or credit card/debit card information.

Additional security protocols have since been implemented to better protect its network, email, and other IT systems.

Prima Pediatrics Suffers Suspected Ransomware Attack

Prima Pediatrics has discovered some of its computer systems have been compromised and malware was installed that “rendered a few of our computer systems inoperable and the data stored on those systems inaccessible.”

Prima Pediatrics said most of the data on the affected computers is thought to have been encrypted at the time of the attack, and there have been no reports of improper use of patient data. The investigation uncovered no evidence to suggest any patient data was exfiltrated by the attackers. Protected health information stored on the affected systems included names, diagnoses and medical conditions, and medical histories.

All patients potentially affected by the incident have been notified and advised to monitor their accounts and explanation of benefits statements for any sign of fraudulent activity. Prima Pediatrics will be assessing and modifying its privacy and data security policies and procedures to prevent similar situations from occurring in the future.

Hoya Optical Labs Ransomware Attack Affects More Than 3,000 Patients

Hoya Optical Labs has started notifying some of its patients about a ransomware attack in which some of their protected health information may have been compromised.

Hoya Optical Labs, which is based in Japan, said only its U.S. systems were affected. The attack is believed to have been conducted by a cybercriminal organization known as Astro Team, which claimed on its blog that around 300 GB of data were stolen prior to file encryption. Some of that data has been leaked online.

The ransomware attack was detected by Hoya Optical Labs on April 5, 2021, with its systems initially breached on March 15, 2021. A total of 3,259 patients have been affected, with the following types of data stolen in the attack: names, addresses, phone numbers, Social Security numbers, medical information, driver’s license numbers, payroll information, and usernames and passwords to financial accounts.

The attack was reported to law enforcement and affected individuals have been notified. Steps have been taken to improve system security and governance practices and ongoing monitoring will be enhanced to help prevent any future attacks.

Penn Foundation Reports February 2021 Ransomware Attack

Penn Foundation, a West Rockhill Township, PA-based nonprofit provider of behavioral health and substance abuse services, has been hit with a ransomware attack in which client data may have been stolen.

The cyberattack was identified on February 10, 2021, when employees were prevented from accessing their computers. A third-party cybersecurity firm was engaged to assist with the investigation and remediation of the attack and confirmed that files containing client information may have been exfiltrated prior to the use of ransomware to encrypt files.

A review of the compromised systems showed they contained the protected health information of clients, but it is currently unclear how many of the healthcare provider’s 17,197 clients have been affected. Penn Foundation said the ransom was not paid.

Minnesota Community Care Affected by Netgain Ransomware Attack

St. Paul, MN-based Minnesota Community Care (MCC) is one of the latest healthcare providers to announce that it was affected by the November 2020 ransomware attack on the cloud-based IT service provider Netgain Technologies. Netgain detected the attack on November 24, 2020, and notified MCC on February 25, 2021, that some of its data files had been accessed and exfiltrated in the attack.

MCC reviewed the data files and confirmed on April 30, 2021, that the files contained the personal and protected health information of 64,855 patients. The compromised data included full names with one or more of the following types of data:

Social Security number; driver’s license number; government identification number; date of birth; credit card/debit card; account password/PIN/CVN/access code/expiration date for credit card/debit card; diagnosis/diagnosis code; medical history/condition/treatment/hospital unit/physician name/date of service; medical record number; patient account number; Medicare/Medicaid number; health insurance policy number; username/email address and password for financial electronic account; and/or username/email address and password for non-financial electronic account.

There have been no reported cases of misuse of patient data. Affected individuals were notified on June 8, 2021, and individuals whose Social Security number was compromised have been offered a complimentary one-year membership to Experian’s credit monitoring service.

UW Health Discovers 4-Month Breach of Its MyChart Portal

University of Wisconsin Hospitals and Clinics Authority has reported a breach of its Epic MyChart portal which has affected 4,318 UW Health patients. Unusual activity was detected in the portal and an investigation was launched on April 20, 2021, to determine the nature and extent of the breach.

The investigation ran until May 4, 2021, and determined unauthorized individuals had access to the portal for a period of around 4 months, with dates of access ranging from December 27, 2020 to April 13, 2021.

UW Health said the individual had viewed the MyChart patient portal homepage which displays clinical information such as hospital admission dates, appointment reminders, care team, subject lines of messages from providers, and prompts to view new test results. Pages were also accessed that included some patient appointment and admission dates, demographic information such as names, addresses, phone numbers, and email addresses, health insurance and claims information, diagnoses, medications, and test results. Notification letters were sent to affected patients starting on June 18, 2021.

UW Health has taken steps to improve security such as strengthening password security, implementing 2-factor authentication for access to the MyChart portal, deactivating accounts that have been inactive for 15 months, and enhancing its monitoring processes.

Jones Family Dental Computers Hacked

Jones Family Dental in Ashland, OR, has reported a hacking incident in which the protected health information of 6,493 current and former patients was potentially compromised. An investigation was launched following the detection of suspicious computer activity, which revealed its computers had been accessed by an unauthorized individual between April 15, 2021, and April 18, 2021.

It was not possible to determine whether computers containing patient information were accessed, but the possibility could not be ruled out. The practice does not believe any patient data was accessed or exfiltrated; however, notification letters were sent to affected individuals as a precaution.

Patient information on the computer network at the time of the breach included the following data elements: name, address, date of birth, driver’s license number, treatment notes, health history, diagnostic information, and/or health/dental insurance information.

Security policies and procedures are being reviewed and will be updated to prevent similar breaches in the future.

PHI of Veterans with PTSD Potentially Compromised in OSU Data Breach

An Ohio State University (OSU) pilot program to help veterans recover from Post Traumatic Stress Disorder (PTSD) and other mental health issues was breached and the personal information of patients has been compromised, according to a recent NBC4 Investigates report.

The OSU Veterans Neuromodulation Operation Wellness (NOW) pilot program was shut down permanently on June 15, 2021, but prior to the closure, a data breach occurred. OSU explained in its notification letters to affected individuals that the breach was detected on April 24, 2021, and occurred between January 25, 2021, and March 4, 2021.

NBC4 Investigates spoke with one veteran who received a June 14, 2021, notification letter from the Office of Compliance and Integrity informing him that his name, address, Social Security number, and medical history may have been compromised. It is currently unclear how many individuals have been affected by the breach.

The Veterans NOW program was paused in March 2021 for a week, with the program’s lead doctor placed on leave. The program was then restarted without the lead doctor but was shut down permanently on June 15, 2021. An OSU spokesperson said the shutdown was due to noncompliance issues. It is unclear whether those noncompliance issues were related to the data breach.

Physicians Dialysis Reports Potential PHI Breach

Physicians Dialysis is alerting certain patients that some of their protected health information has potentially been compromised as a result of a security breach.

Unusual activity was detected in its systems on March 21, 2021 and independent cybersecurity experts were engaged to assist with the investigation to determine the nature and scope of the breach. That investigation revealed unauthorized access to a database containing the protected health information of current and former patients, including names, addresses, birth dates, medical information, Social Security numbers, health insurance information, and claims information.

It took until June 22, 2021, to identify affected individuals and verify contact information. Notification letters were sent to affected individuals on June 25, 2021.

Individuals whose Social Security number was compromised have been offered complimentary credit monitoring services through IDX. Since the breach was discovered, Physicians Dialysis has implemented additional security measures to prevent similar breaches in the future.

PHI Exposed in Email Incidents at Discovery Practice Management, One Medical, and Peoples Community Health Clinic

Discovery Practice Management Notifies Individuals About June 2020 Email Incident

Discovery Practice Management, a provider of administrative support services to Authentic Recovery Center and Cliffside Malibu facilities in California, has announced that unauthorized individuals gained access to the email environment it maintains for those facilities.

Suspicious email activity was detected in the email environment on July 31, 2020. An investigation was launched which revealed there had been unauthorized logins to staff email accounts at both facilities between June 22, 2020 and June 26, 2020.

The accounts were immediately secured and a third-party cybersecurity firm was engaged to investigate the breach but it was not possible to confirm whether protected health information in the accounts was viewed or exfiltrated.

Protected health information potentially compromised included names, addresses, dates of birth, medical record numbers, patient account numbers, health insurance information, financial account/payment card information, Social Security numbers, driver’s license number, and clinical information, such as diagnosis, treatment information, and prescription information.

The company said in its breach notification letter to the California Attorney General that it worked with both practices to confirm the contact information for the 13,611 individuals whose information was potentially compromised. That process was completed on June 2, 2021. Affected individuals have now been notified and have been offered a complimentary one-year membership to credit monitoring and identity theft protection services.

Discovery Practice Management does not believe the attack was conducted in order to steal patient information; rather, it is thought to have been part of an attack to divert invoice payments. Steps have since been taken to improve email security, and training has been reinforced with the facilities’ staff on how to identify and avoid suspicious emails.

Email Addresses of Hundreds of One Medical Patients Exposed in Error

An email error has exposed the email addresses of hundreds of One Medical patients. One Medical sent emails to patients asking them to verify their email addresses. The email addresses of patients were not added to the ‘BCC’ field of the email and instead were put in the ‘To’ field, which meant they could be viewed by all individuals who were sent the email.

Only email addresses were exposed, although the emails did identify the owner of an email address as a One Medical patient. Several of the individuals who received the email took to Twitter to complain. One individual said the email that was received had 981 email addresses visible.

One Medical issued a statement on Twitter in response to the error. “We are aware emails were sent to some of our members that exposed recipient email addresses. We apologize if this has caused you concern, but please rest assured that we have investigated the root cause of this incident and confirmed that this was not caused by a security breach of our systems. We will take all appropriate actions to prevent this from happening again.”

Peoples Community Health Center Reports Email Account Breach

Peoples Community Health Center in Waterloo, IA has discovered the email account of one of its employees has been accessed by an unauthorized individual. Suspicious email activity was detected in the email account on March 22, 2021 and third-party cybersecurity experts were engaged to determine the nature and scope of the breach.

The investigation confirmed that a single email account had been accessed by an unauthorized individual between March 18, 2021 and March 22, 2021. A review of the emails and attachments in the account was completed on May 24, 2021 and determined the following types of information had potentially been compromised:

Names, addresses, Social Security numbers, dates of birth, driver’s license numbers, state identification numbers, medical diagnoses, medical treatment information, health insurance information, payment card numbers or card CVV/expiration date.

Affected individuals are being notified by mail and steps have been taken to prevent similar breaches in the future, including reviewing and enhancing policies and procedures and providing further workforce training.