HIPAA Breach News

Data Breaches Reported by PracticeMax and UMass Memorial Health

Anthem health plan members with End Stage Kidney Disease who are enrolled in the VillageHealth program have been notified that some of their protected health information has potentially been compromised in a ransomware attack.

VillageHealth helps Anthem plan members through care coordination between the dialysis center, nephrologists, and providers and shares the results with Anthem via its vendor, PracticeMax.

PracticeMax, a provider of business management and information technology solutions to healthcare organizations, identified the attack on May 1, 2021. The investigation revealed the attackers gained access to its systems on April 17, 2021, with access possible until May 5, 2021. PracticeMax said it regained access to its IT systems the following day.

A forensic investigation of the attack confirmed one server was affected that contained protected health information (PHI) which may have been accessed and acquired by the attackers.

The investigation into the attack concluded on August 19, 2021, and confirmed the following types of data had been exposed: First and last name, date of birth, address, phone number, Anthem member ID number, and clinical data relating to kidney care services received. Financial information and Social Security numbers were not compromised.

PracticeMax says it has conducted a review of its policies and procedures and has implemented additional safeguards to block future attacks, including rebuilding systems, using additional endpoint security solutions, and enhancing its firewalls. Affected individuals have been offered complimentary credit monitoring services for 24 months.

UMass Memorial Health Alerts Patients About Phishing Attack

UMass Memorial Health has discovered unauthorized individuals gained access to the email accounts of some of its employees as a result of responses to phishing emails. The phishing attack was discovered on August 25, 2021, when suspicious activity was identified in its email environment.

Unauthorized access to the accounts was immediately blocked and a forensic investigation was launched, with assistance provided by a third-party computer forensics firm. The investigation confirmed the email accounts were breached between June 24, 2020 and January 7, 2021, and during that time, the attackers had access to protected health information stored in the accounts.

While no evidence was found that indicated emails were viewed or obtained by the attackers, the possibility could not be ruled out. A review of the PHI in the accounts was completed on August 25, 2021. The exposed information includes names, Social Security numbers, driver’s license numbers, and financial account information. UMass Memorial Health said complimentary credit monitoring and identity theft protection services have been offered to affected individuals. UMass Memorial said it is enhancing email security and will be re-educating the workforce on email best practices.

The breach has been reported to the Maine Attorney General as affecting a total of 3,099 individuals across the United States.

The post Data Breaches Reported by PracticeMax and UMass Memorial Health appeared first on HIPAA Journal.

University Hospital Newark Notifies More Than 19,000 Individuals About Historic Insider Theft

University Hospital Newark (NY) has discovered the protected health information of thousands of patients has been acquired by a former employee, who accessed the information without authorization over the course of a year. That information was subsequently disclosed to other individuals who were also not authorized to view the information.

Insider breaches such as this are fairly common, although what makes this case stand out is when the access occurred. In its substitute breach notice, University Hospital Newark said the unauthorized access occurred between January 1, 2016, and December 31, 2017.

The former employee had been provided with access to patient data to complete work duties but had exceeded the authorized use of that access and had viewed patient data not pertinent to job functions. The types of information viewed and obtained by the individual included names, addresses, dates of birth, Social Security numbers, health insurance information, medical record numbers, and clinical information related to care patients received at University Hospital. University Hospital said the matter has been reported to law enforcement and a criminal investigation into the unauthorized access and disclosure is ongoing.

University Hospital said it started mailing notification letters to affected individuals on October 11, 2021, and has offered those individuals complimentary identity theft and credit monitoring services for 12 months. University Hospital said steps have been taken to reduce the risk of further data breaches of this nature, including a review of internal policies and procedures and further training for the workforce on patient privacy. The breach was reported to the Department of Health and Human Services’ Office for Civil Rights on October 8, 2021 as affecting 9,329 patients.

Employees often access and disclose PHI to identity thieves, although the nature of the data obtained suggests that may not be the case in this instance. University Hospital has not disclosed the reason for the access or how the breach was discovered, only that the former employee accessed the PHI of patients who visited the emergency department and received treatment for injuries sustained in a motor vehicle accident between 2016 and 2017.

On November 5, 2021, University Hospital reported another insider breach to the HHS’ Office for Civil Rights that affected 10,067 individuals. The breach involved the same data types as the previously reported breach and was also linked to individuals involved in road traffic accidents. The unauthorized access occurred between January 1, 2018, and December 31, 2019, and involved the PHI of individuals involved in motor vehicle accidents between 2018 and 2019. University Hospital did not say if this was the same individual but confirmed a criminal investigation is ongoing and the individual concerned is no longer employed at University Hospital. Notification letters were sent to affected individuals starting November 5, 2021.

In August this year, Long Island Jewish Forest Hills Hospital in New York notified more than 10,000 patients whose PHI was impermissibly accessed and disclosed between August 23, 2016, and October 31, 2017. The breach similarly impacted patients who had visited the emergency department after a motor vehicle accident. That breach came to light when a subpoena was received as part of a “No Fault” motor vehicle accident insurance scheme.

In January 2020, Beaumont Health announced an impermissible access and disclosure incident also involving the PHI of patients who were involved in a motor vehicle accident between February 1, 2017, and October 22, 2019. The former employee was believed to have disclosed the PHI to an affiliated personal injury lawyer.


Phishing Attack on Business Associate Affects Tens of Thousands of Professional Dental Alliance Patients

Professional Dental Alliance, a network of dental practices affiliated with the North American Dental Group, has notified tens of thousands of patients that some of their protected health information was stored in email accounts that were accessed by an unauthorized individual between March 31 and April 1, 2021.

Professional Dental Alliance says the breach occurred at its vendor North American Dental Management. Steps were immediately taken to secure the affected accounts and prevent further unauthorized access. An investigation was launched which revealed several email accounts were accessed by an unauthorized individual after employees responded to phishing emails.

The investigation into the breach uncovered no evidence of attempted or actual misuse of patient data, with the investigators concluding the breach was likely limited to credential harvesting. A comprehensive review of the affected email accounts confirmed they contained protected health information such as names, addresses, email addresses, phone numbers, insurance information, Social Security numbers, dental information, and/or financial information. Professional Dental Alliance says the electronic dental record system and dental images were not accessed.

While it appears that protected health information was not stolen, affected individuals have been advised to exercise caution and review their credit reports and account statements and be vigilant for signs of misuse of their data. Professional Dental Alliance says affected individuals are being offered complimentary membership to credit monitoring and identity theft protection services for two years.

The breach has been reported to the HHS’ Office for Civil Rights by each covered entity affected. At least 125,760 patients are known to have had their protected health information exposed.

Covered Entity                                  Individuals Affected
Professional Dental Alliance of Connecticut     6,237
Professional Dental Alliance of Florida         18,626
Professional Dental Alliance of Georgia         23,974
Professional Dental Alliance of Illinois        16,673
Professional Dental Alliance of Indiana         7,359
Professional Dental Alliance of Massachusetts   607
Professional Dental Alliance of Michigan        26,054
Professional Dental Alliance of New York        10,778
Professional Dental Alliance of Tennessee       11,217
Professional Dental Alliance of Texas           4,235

350,000 Patients of ReproSource Fertility Diagnostics Affected by Ransomware Attack

Marlborough, MA-based ReproSource Fertility Diagnostics has suffered a ransomware attack in which hackers gained access to systems containing the protected health information of approximately 350,000 patients.

ReproSource is a leading laboratory for reproductive health that is owned by Quest Diagnostics. ReproSource discovered the ransomware attack on August 10, 2021 and promptly severed network connections to contain the incident. An investigation into the security breach confirmed the attack occurred on August 8.

While it is possible that patient data was exfiltrated by the attackers prior to the deployment of ransomware, at this stage no evidence of data theft has been identified.

A review of the files on the affected systems was completed on September 24 and revealed they contained the following types of protected health information:

Names, phone numbers, addresses, email addresses, dates of birth, billing and health information (CPT codes, diagnosis codes, test requisitions and results, test reports and/or medical history information), health insurance or group plan identification names and numbers, and other information provided by individuals or by treating physicians. A small subset of individuals may have had driver’s license number, passport number, Social Security number, financial account number, and/or credit card number exposed.

Notification letters are now being sent to affected individuals by Quest Diagnostics. Complimentary credit monitoring and protection services are being provided to affected individuals, who will also be protected by a $1,000,000 identity theft insurance policy.

ReproSource said additional safeguards have been implemented to protect against ransomware and other cyber threats, including additional monitoring and detection tools.


Premier Patient Health Care Alerts Patients About Insider Data Breach

Carrollton, TX-based Premier Patient Health Care has discovered the protected health information of 37,636 patients has been obtained by an unauthorized individual in an insider wrongdoing incident.

Premier Patient Health Care is an Accountable Care Organization (ACO) that works with physicians to improve clinical outcomes under the Medicare Shared Savings Program (MSSP). The ACO and Premier Patient Health Care are operated and run by Premier Management Company, which is a business associate of many primary care physicians who are HIPAA-covered entities.

On April 30, 2020, Wiseman Innovations, a technology vendor used by Premier Management Company, determined a former Premier Patient Health Care executive had accessed its computer system in July 2020 after the termination of employment and viewed and obtained a file containing patient data.

A review of the file confirmed it contained the protected health information of patients of primary care physicians, including full names, age, date of birth, sex, race, county, state of residence, and ZIP code along with Medicare beneficiary information such as Medicare eligibility period, spend information, and hierarchical condition category risk score.

The investigation into the breach is ongoing, but it has not been possible to date to determine what the former executive did with the file after it was acquired, although no evidence has been found to indicate any attempted or actual misuse of patient information.

As a precaution, all affected patients have been advised to be vigilant and monitor their accounts for signs of fraudulent activity. Premier said policies and procedures are being reviewed and will be updated to help prevent similar incidents in the future.

Oregon Eye Specialists Reports Breach of Employee Email Account

The Portland, OR-based optometry group Oregon Eye Specialists has discovered a breach of its email environment and the exposure of the protected health information of certain patients.

On August 10, 2021, suspicious activity was detected in an email account, prompting a password reset and investigation. The investigation confirmed an unauthorized individual had gained access to certain employee email accounts from June 29, 2021 to August 30, 2021. A review of those accounts revealed they contained protected health information such as names, dates of birth, dates of service, medical record numbers, financial information, and health insurance information, including provider name and policy number.

No evidence has been found of any actual or attempted misuse of patient data at this stage but affected individuals have been advised to monitor their account and explanation of benefits statements for suspicious activity. Credit monitoring and identity protection services are being offered to affected individuals.

It is currently unclear how many people have been affected. The post will be updated as and when further information becomes available.


Elekta Faces Class Action Lawsuit over Ransomware Attack and Data Breach

A lawsuit has been filed on behalf of a former patient of Northwestern Memorial HealthCare (NMHC) against Elekta Inc. over its April 2021 ransomware attack and data breach.

Elekta, a Swedish provider of radiation medical therapies and related equipment data services, is a business associate of many U.S. healthcare providers. Hackers targeted the company’s cloud-based platform that is used to store and transmit healthcare data and were able to access the platform between April 2 and April 20, 2021. The breach was detected when the hackers deployed ransomware.

Elekta reported the attack as affecting a small percentage of its cloud customers in the United States, including NMHC. The entire oncology database of NMHC was compromised in the attack. The database contained the protected health information of 201,197 cancer patients including names, dates of birth, Social Security numbers, and healthcare data. In total, the attack affected 170 of its healthcare clients.

The lawsuit was filed in the U.S. District Court for the Northern District of Georgia on behalf of Deborah Harrington and others similarly affected by the ransomware attack. The lawsuit alleges the disclosure of protected health information was preventable, with the data breach occurring as a result of Elekta failing to implement sufficient cybersecurity policies and procedures. As a result, hackers were able to gain access to its platform and copy the sensitive data of patients.

The lawsuit alleges Elekta was negligent and failed to honor its duties to maintain adequate data security systems to reduce the risk of data breaches, adequately protect PHI on its systems, and properly monitor its data security systems for existing intrusions. It is also alleged that Elekta did not ensure agents, employees, and others with access to sensitive information employed reasonable security procedures.

The lawsuit claims Harrington and the class members have suffered damages and actual harm as a direct result of the cyberattack and they now face an increased risk of identity theft and fraud and must undertake additional security measures to protect themselves against harm.

The alleged harm suffered by Harrington and the class members includes imminent risk of future identity theft, lost time and money expended to mitigate the threat of identity theft, diminished value of personal information, and loss of privacy.

The lawsuit seeks damages, reimbursement of out-of-pocket expenses, legal costs, injunctive relief, and other and further relief as deemed appropriate by the courts.


Ransomware Deployed 2 Minutes After Hackers Gained Access to Johnson Memorial Health’s Network

Johnson Memorial Health has announced it was the victim of a ransomware attack on October 1, 2021. The attack saw files encrypted which crippled its IT systems. Emergency protocols were immediately implemented and employees are manually recording patient information and writing prescriptions until systems can be restored.

Ransomware gangs often gain access to systems days, weeks, or even months prior to deploying ransomware. During that time, they move laterally within networks to gain access to as many systems as possible before ransomware is deployed; however, that is not always the case.

The attack on Johnson Memorial Health occurred at lightning speed. According to Dr. David Dunkle, President and CEO of Johnson Memorial Health, the hackers gained access to its IT systems at 10:31 p.m. on Friday night and deployed ransomware 2 minutes later at 10:33 p.m. The hospital’s IT department detected abnormal activity around 10:40 p.m. the same evening and shut down its network at 10:45 p.m. to minimize the damage caused.

A ransom demand was issued by the attackers, but Dunkle says no payment has been made. An investigation is now underway to determine the extent of the encryption and which systems and files have been affected.

Dunkle said medical care continues to be provided to patients and surgeries and appointments are continuing as normal, although without access to computers there may be a delay with patient registration. The decision was taken to divert ambulances to alternative facilities to reduce the burden on the staff. The investigation is still in the early stages and it is currently unclear to what extent patient information has been involved.

This is the third ransomware attack to be reported by an Indiana healthcare provider recently. Schneck Medical Center in Seymour announced last week that it was attacked with ransomware, and Eskenazi Health in Indianapolis suffered a ransomware attack in August. The attacks do not appear to be related.


Eskenazi Health Confirms Patient Data Was Stolen in August Ransomware Attack

Indianapolis, IN-based Eskenazi Health has announced it was the victim of a ransomware attack that was detected on or around August 4, 2021.

Suspicious activity was detected and the IT team immediately shut down systems to contain the attack. Emergency protocols were implemented, with staff reverting to pen and paper to record patient data. Without access to critical IT systems the decision was taken to go on diversion and ambulances were re-routed from Health & Hospital Corporation of Marion County to alternative facilities.

An investigation was launched to determine the nature and extent of the attack. Eskenazi Health said the forensic investigation determined the hackers had first gained access to its systems on May 19, 2021 and disabled its security systems to ensure their presence in the network was not detected. The intrusion was only detected when ransomware was deployed and files started to be encrypted.

The forensic investigators confirmed the attackers had been removed from its network and systems were secure. The initial investigation into the attack indicated patient information had not been accessed or stolen by the attackers. Eskenazi Health said it did not pay the ransom and was able to recover encrypted data from backups.

On October 1, 2021, Eskenazi Health issued an update confirming new information had come to light confirming the gang behind the attack had exfiltrated files containing patient information from its systems. Some of those files have been posted on a dark web data leak site.

A review of the stolen data confirmed the files contained names, dates of birth, addresses, telephone numbers, email addresses, ages, driver’s license numbers, medical record numbers, passport numbers, Social Security numbers, face photographs, patient account numbers, credit card information, diagnoses, physician names, prescriptions, dates of service, health insurance information, and cause/date of death for deceased patients.

Notification letters are being sent to affected individuals and complimentary credit monitoring and identity theft protection services are being provided. It is currently unclear how many patients have been affected by the attack.
