HIPAA Breach News

PHI of 45,262 Desert Pain Institute Patients Potentially Compromised in Cyberattack

Baywood Medical Associates, doing business as Desert Pain Institute (DPI) in Mesa, AZ, has discovered unauthorized individuals gained access to parts of its computer network that contained the protected health information of patients.

The security breach was detected and stopped by DPI on September 13, 2021, and a third-party cybersecurity company was engaged to assist with the investigation and determine the nature and scope of the cyberattack. On October 15, 2021, the forensic investigators confirmed evidence was found indicating the attackers had accessed parts of its network where patients’ protected health information was stored.

A review of the files on systems accessible to the hackers revealed the following information may have been viewed or exfiltrated: full names, addresses, dates of birth, Social Security numbers, tax identification numbers, driver’s license/state-issued identification card numbers, military identification numbers, financial account numbers, medical information, and health insurance policy number. The types of data potentially compromised varied from patient to patient.

From September 13 when the breach was detected until the date of issuing notifications, no evidence has been found to indicate any actual or attempted misuse of patient data; however, affected individuals have been advised to be vigilant against identity theft and fraud and to sign up for the complimentary credit monitoring services that are being provided.

DPI said security measures for its systems and servers have been enhanced, which includes new end-point monitoring tools to identify unauthorized activity.

The incident has not yet appeared on the Department of Health and Human Services’ Office for Civil Rights breach portal, but the breach notification provided to the Maine attorney general indicates the protected health information of 45,262 individuals was potentially compromised.

The post PHI of 45,262 Desert Pain Institute Patients Potentially Compromised in Cyberattack appeared first on HIPAA Journal.

Cyberattacks Reported by Family of Woodstock and Viverant

Family of Woodstock (FOW), a New York provider of crisis intervention, information, prevention, and support services, has suffered a cyberattack in which the protected health information of 8,214 individuals was potentially compromised.

The cyberattack was detected on August 3, 2021, and rapid steps were taken to eject the attackers from its network and restore its systems and operations. Third-party forensic investigators were engaged to determine the nature and scope of the breach, with the initial phase of the investigation concluding on September 11, 2021.

FOW said the investigation confirmed the attackers had access to parts of its network that contained protected health information such as first and last names, addresses, telephone numbers, email addresses, dates of birth, Social Security numbers, driver’s license numbers, medical record numbers, medical history, diagnosis, treatment, condition, and health insurance information. At the time of issuing notifications, no evidence had been found indicating any attempted or actual misuse of information.

FOW has implemented additional cybersecurity safeguards, is enhancing its policies, procedures, and protocols, and is providing additional cybersecurity training to the workforce.

Physical Therapy Center Notifies 6,500 Patients of PHI Exposure

Viverant PT, LLC, a Minneapolis, MN-based physical therapy center, is notifying 6,500 current and former patients about a March 2021 cyberattack that exposed their protected health information.

The breach was detected on March 9, 2021, when suspicious emails were sent from an employee’s email account. The email account was immediately secured and steps were taken to address and contain the breach. A comprehensive review was conducted of its email environment, which confirmed only one email account had been breached but that it contained a wide range of sensitive data.

No evidence was found to indicate any attempted or actual misuse of patient data, but the possibility of data theft could not be ruled out. Viverant said the types of data in the account varied from individual to individual and may have included the following data elements: name, address, date of birth, Social Security number, driver’s license number, medical record number, date of service, diagnostic/treatment information, credit/debit card number with password or security code, health insurance information, financial account number with or without password or routing number, medications, username with security questions and answers, vehicle identification number (VIN), and digital signature.

Viverant said a leading security firm was engaged to assist with the investigation and response to the attack, and additional measures have been implemented to improve the security of its systems and practices. They include changing passwords, implementing more robust authentication, conducting further training of the workforce, and retaining national privacy and security experts to assist with ongoing security. Viverant said complimentary credit monitoring services have been offered to affected individuals.

More than 650K Patients of Community Medical Centers Notified About Hacking Incident

The protected health information of more than 650,000 patients of Community Medical Centers (CMC) in California has potentially been obtained by hackers.

CMC is a not-for-profit network of community health centers that serve patients in the San Joaquin, Solano, and Yolo counties in Northern California. CMC identified suspicious activity in its computer systems on October 10, 2021, and shut down its systems to prevent further unauthorized access. An investigation was launched to determine the nature and scope of the breach, with assistance provided by third-party cybersecurity experts.

The forensic investigation confirmed that unauthorized individuals had gained access to parts of its network where protected health information was stored, including first and last names, mailing addresses, dates of birth, Social Security numbers, demographic information, and medical information.

Due to the sensitive nature of the exposed data, CMC is offering complimentary identity theft protection, identity theft resolution, and credit monitoring services to affected individuals. CMC said it has confirmed its systems are now secure, policies and procedures have been reviewed and updated to improve security, and data management policies have been reviewed and updated.

Law enforcement has been notified about the breach, as have appropriate state attorneys general and the Department of Health and Human Services.

The breach report submitted to the Maine attorney general indicates the protected health information of 656,047 individuals was potentially compromised.

Professional Healthcare Management Discloses Ransomware Attack

Memphis, TN-based Professional Healthcare Management (PMH) has started notifying certain patients that some of their protected health information has potentially been compromised in a September 2021 ransomware attack.

The attack was detected on September 14 and action was quickly taken to secure its servers and workstations. Assisted by third-party cybersecurity and incident response experts, PMH was able to quickly secure and restore its systems and operations. An investigation was conducted to determine the nature and scope of the breach, which determined the personal and protected health information of patients may have been accessed and obtained by the attackers.

The breach investigation is ongoing but, at this stage, no evidence of data theft or misuse of patient data has been identified; however, notification letters are now being sent to affected individuals and the incident has been reported to the HHS’ Office for Civil Rights.

PMH said the following types of patient information were potentially compromised: first and last names, Social Security numbers, health insurance information (Medicaid number, Medicare number, and insurance identification number), prescription name(s), and diagnosis code(s).

Additional safeguards are being implemented to improve IT security; cybersecurity policies, protocols, and procedures are being updated; and additional cybersecurity training has been provided to the workforce.

Security Breaches Reported by Lavaca Medical Center and Throckmorten County Memorial Hospital

Lavaca Medical Center, a critical access hospital in Hallettsville, TX, has started notifying 48,705 patients about a security breach in which their protected health information was exposed.

Lavaca Medical Center said unusual activity was detected in its computer network on August 22, 2021, indicating a potential cyberattack. Steps were immediately taken to secure its network and a third-party computer forensics firm was engaged to assist with the investigation. The forensic investigators confirmed unauthorized individuals had access to the network between August 17 and August 21.

While no evidence of data theft was uncovered, the possibility that patient data were viewed or exfiltrated could not be ruled out. Affected systems contained names, dates of birth, Social Security numbers, patient account numbers, and medical record numbers. The electronic medical record system was not accessed.

Lavaca Medical Center said it has no reason to believe any patient data were removed from its systems or misused; however, as required by the HIPAA Breach Notification Rule, notification letters have been sent to affected individuals. Out of an abundance of caution, affected individuals have been offered complimentary credit monitoring and identity theft protection services.

Network monitoring tools have now been enhanced and its systems will be regularly audited for unauthorized activity.

Throckmorten County Memorial Hospital Discovers Malware Infection

Throckmorten County Memorial Hospital in Texas has discovered unauthorized individuals gained access to parts of its computer network that contained the personal information of 3,136 employees and patients.

An intrusion was detected on September 7, 2021, which involved unauthorized access to systems and the installation of malware. A forensic investigation determined its network was breached on August 25, 2021, and access remained possible until September 7.

A review of the affected systems confirmed they contained patient information such as first and last name, address, date of birth, gender, date(s) of service, diagnoses, current procedural terminology code, medical condition, medication, and details of hospital visits. Employee data potentially compromised included name, wage history, Social Security number, payroll information, and filing information.

Throckmorten County Memorial Hospital said affected individuals have been offered a complimentary membership to a credit monitoring service and will be protected by an identity theft and fraud insurance policy. Notifications about the security breach were delayed to allow time for the malware to be removed and security to be improved, as providing notifications earlier would have left its network vulnerable to other threat actors.

PHI of Employees Potentially Compromised in Tech Etch Ransomware Attack

Tech Etch, a Plymouth, MA-based manufacturer of precision-engineered thin metal components, flexible printed circuits, and EMI/RFI shielding, has announced it was the victim of a ransomware attack in which the personal and protected health information of current and former employees was potentially compromised.

Companies such as Tech Etch would not normally be required to comply with HIPAA; however, the company provides a health plan for its employees and, as such, is classed as a HIPAA-covered entity.

Tech Etch discovered the ransomware attack on August 25, 2021, with the investigation determining the attackers gained access to its network on August 20. Tech Etch engaged an external forensic cybersecurity team to assist with the breach investigation, help secure its network, and prevent any further unauthorized access. Tech Etch had viable backups that were unaffected and was able to restore all encrypted data without paying the ransom.

Multiple safeguards had been implemented to secure employees’ personal and protected health information, but despite those protections, some employee data may have been stolen. Tech Etch said no direct evidence of data staging or data exfiltration was identified and the investigation indicated the attackers had not accessed the HR servers where employee data were stored. The attackers did try to access data backups containing employee data, but the backups were encrypted by Tech Etch and could not be viewed. Some employee information, such as names, addresses, Social Security numbers, dates of birth, and personal health information, was present in its email environment and could have been accessed or exfiltrated.

Tech Etch has not found any evidence that any employee data has been acquired or misused and it does not appear that any employee data have been posted publicly.

Affected employees have been advised to monitor their credit reports, accounts, and explanation of benefits statements for signs of fraudulent activity and to immediately report any suspicious transactions if they are discovered. Tech Etch has already taken steps to enhance its security systems to prevent further security incidents and will continue to review those protocols to ensure they remain effective.

The ransomware attack has been reported to the Department of Health and Human Services’ Office for Civil Rights and the Massachusetts Attorney General. This post will be updated when it is known how many individuals have been affected.

UNC Hospitals Discovers Insider Breach and Data Theft

The protected health information of 719 patients of UNC Hospitals has been stolen by a former employee, who used the information for financial gain.

The Chapel Hill, NC-based healthcare provider discovered the unauthorized access on September 10, 2021. The employee in question was responsible for handling patients’ payments for services at several UNC Hospitals clinics and was provided with access to sensitive patient data to complete work duties.

The employee stole patients’ demographic information, financial information, Social Security numbers, copies of insurance cards, and patients’ driver’s licenses and used that information to fraudulently obtain goods and services.

Patients whose protected health information was accessed or misused by the former employee have been notified by mail and have been offered complimentary credit monitoring services for 12 months. The UNC Hospitals Police Department has launched a criminal investigation into the incident.

PHI of 24,891 Specialty Surgery Center of Central New York Patients Potentially Compromised

Syracuse ASC, dba Specialty Surgery Center of Central New York, has started notifying 24,891 patients that some of their protected health information (PHI) was potentially accessed by unauthorized individuals who gained access to its computer systems.

The breach was identified by Syracuse ASC around March 31, 2021, and steps were immediately taken to secure its systems and prevent further unauthorized access. A third-party cybersecurity firm was engaged to assist with the forensic investigation, which concluded on April 30, 2021, and determined the hackers accessed parts of its systems that contained PHI.

A second investigation was conducted to determine which individuals’ PHI had been exposed. A list of individuals potentially affected by the incident was obtained on August 16, 2021, with the delay in issuing notifications due to a “substantial data validation process to verify the accuracy of the data.”

The file review confirmed names may have been compromised along with limited health information, but no evidence was found to indicate any actual or attempted misuse of data on the compromised systems.

Several steps have already been taken to improve IT security to prevent further data breaches, including updating its antivirus software and switching provider, locking down external websites, adding warning banners to emails from external sources, reconfiguring routers and closing unused ports and services, segregating the guest Wi-Fi network, updating switches and firewalls, upgrading operating systems on workstations, and providing further security awareness training to the workforce.

Computer Containing PHI Stolen from Advocate Lutheran General Hospital

A laptop computer containing the protected health information of patients of Advocate Lutheran General Hospital in Park Ridge, IL has been stolen.

The computer was stolen from the hospital between 3:30 p.m. on September 22 and 06:30 a.m. on September 24, 2021. Upon discovery of the theft, technologies and processes were implemented to protect patient data and the laptop computer was remotely disabled; however, it is possible that in the short window of opportunity, data stored on the device could have been viewed. The hospital said it has found no evidence to indicate patient data was compromised.

UPMC Hacker Who Stole PII of 65,000 Employees Gets Maximum 7-Year Sentence

The hacker who gained access to the databases of University of Pittsburgh Medical Center (UPMC) and stole the personally identifiable information (PII) and W-2 information of approximately 65,000 UPMC employees has been handed the maximum sentence for the offenses and will serve 7 years in jail.

Sean Johnson, of Detroit, Michigan – aka TheDearthStar and Dearthy Star – hacked into the databases of UPMC in 2013 and 2014 and stole highly sensitive information which was then sold on dark web hacking forums and was used by identity thieves to file fraudulent tax returns in the names of UPMC employees. The Department of Justice (DOJ) also alleged Johnson conducted further cyberattacks between 2014 and 2017 and stole the PII of an additional 90,000 individuals. Those sets of data were also sold to identity thieves on dark web forums.

In total, fraudulent tax returns totaling $2.2 million were filed and around $1.7 million was disbursed by the IRS. The funds received were converted to Amazon gift cards, which were used to purchase high-value goods that were shipped to Venezuela.

Three of Johnson’s co-conspirators were arrested and charged for their roles in the UPMC cyberattack. In August 2016, Cuban national Yolandy Perex Llanes was extradited to the United States and pleaded guilty in April 2017 to money laundering and aggravated identity theft. He was sentenced in 2017 to 6 months of time served.

In April 2017, Justin A. Tollefson of Spanaway, Washington, a staff sergeant at Joint Base Lewis-McChord in Tacoma, Washington, pleaded guilty to four counts of using the stolen identities of UPMC employees to file fraudulent tax returns. He had purchased the PII on a dark web forum and used the data to file fraudulent tax returns in the names of four UPMC employees. $56,333 was paid by the IRS in income tax refunds, but Tollefson was arrested before he received any funds. The judge was lenient as Tollefson had not profited from the fraud and sentenced him in 2017 to 3 years of probation.

Maritza Maxima Soler Nodarse, a Venezuelan national, pleaded guilty to conspiracy to defraud the United States in July 2017 for her role in the identity theft and tax fraud crimes. She received a 16-month time-served sentence and was deported to Venezuela.

Johnson received the maximum sentence despite pleading guilty to the hacking charges due to the severity of the offenses and the impact they had on the lives of his victims. Chief United States District Judge Mark R. Hornak said Johnson’s behavior was like a “bulldozer” through people’s lives and his indiscriminate hacking activities showed no regard for his victims. “The actions of criminals like Justin Johnson can have long-lasting and devastating effects on the lives of innocent people,” said Yury Kruty, Acting Special Agent in Charge of IRS-Criminal Investigation.

Johnson was sentenced to serve 60 months in jail for the conspiracy to defraud the United States charge and a mandatory 24-month sentence for aggravated identity theft, with the sentences to run consecutively.

“Justin Johnson stole the names, Social Security numbers, addresses, and salary information of tens of thousands of UPMC employees, then sold that personal information on the dark web so that other criminals could further exploit his victims,” said Acting U.S. Attorney Kaufman. “Today’s sentence sends a deterrent message that hacking has serious consequences.”

September 2021 Healthcare Data Breach Report

There was a 23.7% month-over-month increase in reported healthcare data breaches in September, which saw 47 data breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights. While that is more than 1.5 breaches a day, it is under the average of 55.5 breaches per month over the past 12 months.

Healthcare data breaches August 2020 to September 2021

While data breaches increased, there was a major decrease in the number of breached healthcare records, dropping 75.5% from August to 1,253,258 records across the 47 reported data breaches, which is the third-lowest total over the past 12 months.

Healthcare records breached over the past 12 months

Largest Healthcare Data Breaches Reported in September 2021

16 healthcare data breaches were reported in September 2021 that involved the exposure, theft, or impermissible disclosure of more than 10,000 healthcare records.

The largest breach of the month was reported by the State of Alaska Department of Health & Social Services. The breach was initially thought to have resulted in the theft of the personal and protected health information (PHI) of all state residents, although the breach was reported to the HHS as affecting 500,000 individuals. The cyberattack is believed to have been conducted by a nation-state hacking group.

Two major data breaches were reported by eye care providers: A hacking incident at U.S. Vision Optical resulted in the exposure of the PHI of 180,000 individuals, and a phishing incident at Simon Eye Management gave the attackers access to email accounts containing the PHI of 144,373 individuals. The breaches are not believed to be related, but they are two of a handful of recent incidents affecting eye care providers.

Ransomware continues to be extensively used in attacks on the healthcare industry. 6 of the top 16 attacks in September involved ransomware and potentially saw PHI stolen. Several ransomware gangs have targeted the healthcare sector, with the FIN12 group one of the most active. A recent analysis of FIN12 attacks by Mandiant revealed 20% of the gang’s attacks have been on the healthcare industry, with the attacks accounting for around 20% of all incidents Mandiant responds to.

Hackers have been targeting the healthcare industry, but data breaches can also be caused by insiders with privileged access to PHI. One notable ‘insider’ breach was reported by Premier Management Company and involved data being accessed by a former employee after termination. The incident highlights the importance of ensuring access to PHI (and IT systems) is blocked immediately when an employee is terminated or leaves the company, or when a change in job functions means an employee no longer requires access to PHI.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
|---|---|---|---|---|
| State of Alaska Department of Health & Social Services | AK | Health Plan | 500,000 | Nation-state hacking incident |
| U.S. Vision Optical | NJ | Healthcare Provider | 180,000 | Unspecified hacking incident |
| Simon Eye Management | DE | Healthcare Provider | 144,373 | Email account breach (phishing) |
| Navistar, Inc. Health Plan and the Navistar, Inc. Retiree Health Benefit and Life Insurance Plan | IL | Health Plan | 49,000 | Ransomware attack |
| Talbert House | OH | Healthcare Provider | 45,000 | Unspecified hacking incident (data exfiltration) |
| Premier Management Company | TX | Healthcare Provider | 37,636 | PHI accessed by an employee after termination |
| Central Texas Medical Specialists, PLLC dba Austin Cancer Centers | TX | Healthcare Provider | 36,503 | Malware |
| Orlick & Kasper, M.D.’s, P.A. | FL | Healthcare Provider | 30,000 | Theft of electronic devices containing PHI |
| McAllen Surgical Specialty Center, Ltd. | TX | Healthcare Provider | 29,227 | Ransomware attack |
| Asarco Health, Dental, Vision, Flexible Spending, Non-Union Employee Benefits, and Retiree Medical Plans | AZ | Health Plan | 28,000 | Ransomware attack |
| Horizon House, Inc. | PA | Healthcare Provider | 27,823 | Ransomware attack |
| Rehabilitation Support Services, Inc. | NY | Healthcare Provider | 23,907 | Unspecified hacking incident (data exfiltration) |
| Samaritan Center of Puget Sound | WA | Healthcare Provider | 20,866 | Theft of electronic devices containing PHI |
| Directions for Living | FL | Healthcare Provider | 19,494 | Ransomware attack |
| Buddhist Tzu Chi Medical Foundation | CA | Healthcare Provider | 18,968 | Ransomware attack |
| Eastern Los Angeles Regional Center | CA | Business Associate | 12,921 | Email account breach (phishing) |

Causes of September 2021 Healthcare Data Breaches

Hacking and other IT incidents continue to dominate the breach reports, accounting for 53.2% of all breaches reported in the month and 91.6% of all breached records. 1,147,383 healthcare records were exposed or stolen in those incidents, with an average breach size of 33,747 records and a median breach size of 2,453 records.

The number of incidents involving the theft of physical records or electronic equipment containing PHI increased month-over-month. September saw 6 theft incidents reported and 60,236 records compromised. The mean breach size was 10,039 records and the median breach size was 3,918 records. 4 of those breaches involved electronic equipment and could have been prevented had encryption been used.

There were 7 data breaches reported that involved unauthorized access or disclosures of data by insiders. 45,639 records were breached across those incidents, 37,636 of which were obtained in a single incident. The average breach size was 6,520 records and the median breach size was 1,738 records.

Causes of September 2021 healthcare data breaches

Given the high number of hacking and ransomware incidents reported, it is no surprise that the most common location of breached PHI is network servers. Email accounts continue to be targeted in phishing attacks, with 13 incidents in September involving PHI stored in email accounts. The number of devices containing PHI that were stolen highlights the importance of using encryption to protect stored data.

Location of PHI in September 2021 healthcare data breaches

September 2021 Data Breaches by HIPAA-Regulated Entity

Healthcare providers were the worst affected covered entity with 30 reported breaches. 10 breaches were reported by health plans, 6 breaches were reported by business associates, and one breach was reported by a healthcare clearinghouse.

5 of those breaches were reported by a HIPAA-covered entity but occurred at a business associate. The adjusted figures are shown in the pie chart below.

September 2021 healthcare data breaches by HIPAA-regulated entity type

September 2021 Healthcare Data Breaches by State

Data breaches were reported by HIPAA-regulated entities based in 25 states. Texas was the worst affected state with 6 reported breaches of 500 or more records, followed by California with 5 breaches and Connecticut with 4.

| State | Breaches |
|---|---|
| Texas | 6 |
| California | 5 |
| Connecticut | 4 |
| Florida & Washington | 3 |
| Arizona, Georgia, Illinois, New York, Ohio, & Pennsylvania | 2 |
| Alaska, Delaware, Indiana, Kentucky, Maryland, Minnesota, Missouri, New Jersey, New Mexico, Oregon, Rhode Island, Tennessee, Virginia, & Wisconsin | 1 |

HIPAA Enforcement Activity in September 2021

The Department of Health and Human Services’ Office for Civil Rights now has a new director, and it is currently unclear what direction she will take in the department’s HIPAA enforcement actions.

Since the fall of 2019, OCR has been targeting HIPAA-regulated entities that fail to comply with the HIPAA Right of Access, and September saw the 20th financial penalty imposed under this initiative for the failure to provide individuals with access to their healthcare records.

Children’s Hospital & Medical Center in Omaha, NE, settled its HIPAA Right of Access case with OCR and paid an $80,000 financial penalty. This was the ninth OCR case this year to have resulted in a financial penalty for non-compliance with the HIPAA Rules.

There were no reported enforcement activities by state attorneys general in September.
