The Georgia fertility clinic Reproductive Biology Associates has announced it suffered a ransomware attack in April in which files containing the personal and protected health information of approximately 38,000 patients were exfiltrated by the attackers.

The attackers gained access to a file server containing embryology data on April 7, 2021, and ransomware was used to encrypt files on April 16, 2021. The files contained the PHI of patients of Reproductive Biology Associates and its affiliate My Egg Bank North America, which included full names, addresses, Social Security numbers, laboratory test results, and information related to the handling of human tissue.

The investigation into the attack concluded on June 7, 2021. While it has not been officially confirmed whether the ransom was paid, Reproductive Biology Associates said the attackers have deleted all data stolen in the attack and all encrypted data have now been recovered.

Reproductive Biology Associates has been monitoring online and dark web sites for signs of misuse or misappropriation of the stolen data and will continue to do. Affected individuals have been offered complimentary credit monitoring and identity theft protection services and a third-party cybersecurity firm has been engaged to help secure its systems and prevent further attacks.

Georgia Hospital System Suffers Ransomware Attack

St. Joseph’s/Candler (SJ/C) hospital system in Savannah, GA has announced it was the victim of a ransomware attack which occurred around 4 a.m. on Thursday June 17, 2021. The attack prevented access to computer systems and emergency protocols were implemented, with staff reverting to pen and paper to record patient data.

The attack was detected promptly and steps were taken to isolate systems to limit the damage caused; however, it is too early to tell what, if any, patient information has been affected and if the attackers exfiltrated patient data prior to using ransomware to encrypt files.

“Patient care operations continue at our facilities using established back-up processes and other downtime procedures,” explained SJ/C in a statement. “Our physicians, nurses and staff are trained to provide care in these types of situations and are committed to doing everything they can to mitigate disruption and provide uninterrupted care to our patients.”

UF Health Ransomware Attack Having Impact on Patient Care

On May 31, 2021, UF Health Central Florida suffered a ransomware attack that affected The Villages Regional Hospital and Leesburg Hospital. Following the attack, emergency downtime procedures were implemented and care has continued to be provided to patients, with staff recording patient information using pen and paper.

It has now been more than 2 weeks since the attack and EHR downtime procedures are still in effect while UF Health attempts to restore its systems and affected data, and the attack is now having a negative impact on patient care.

According to a recent report on WESH 2 News, employees at the affected hospitals said they are still unable to check the EHR, cannot obtain medication lists, and are unable to confirm if patients have allergies. Staff are also experiencing delays receiving lab reports. Staff at the hospital spoke to reporters and said some patients were receiving one medication when a different one was ordered, and medications that are due are missing. “God forbid that we administer something that we thought was ordered or wasn’t ordered and something happens and there is a bad outcome,” said one employee to WESH 2 News.

It is currently unclear whether UF Health intends to pay the ransom and whether patient data have been stolen. A spokesperson for UF Health was unable to confirm when systems would be restored.

The post PHI of 38,000 Patients Stolen in Ransomware Attack on Reproductive Biology Associates appeared first on HIPAA Journal.

The Nevada health insurer Prominence Health Plan has announced it suffered a security breach on November 30, 2020 in which hackers potentially obtained the protected health information of some of its plan members. The data breach was discovered on April 22, 2021 and steps were immediately taken to prevent further unauthorized access, including changing the credentials used by the attacker to gain access to its network.

While Prominence Health Plan has not confirmed whether this was a ransomware attack, all affected plan member data has been restored from backups. The incident involved audio recordings of phone calls to the Prominence call center along with PDF files that included provider claim forms and letters to patients advising them about claim approvals and denials.

The audio files typically included full names, dates of birth, and member ID numbers, while the PDF files contained a member’s name, date of birth, sex, member ID number, mailing address, and claim code. The files included PHI of individuals who had been members between 2010 and 2020. Approximately 45,000 individuals have been affected.

There have been no reported cases of misuse of PHI and the information in the files was not in a readily usable format, which limits the potential for misuse. Prominence is conducting online monitoring for any signs of attempted misuse of the stolen data and affected individuals have been notified and offered complimentary credit monitoring and identity theft protection services. Additional security measures are being implemented to prevent any further data breaches.

Ohio Medicaid

Ohio Medicaid has announced that its data manager, Maximus, has suffered a data breach in which the personal data of Ohio Medicaid providers has been exposed.

An application used by Maximus was discovered to have been accessed by an unauthorized third party between May 17 and May 19, 2021. Upon discovery of the breach, Maximus took the application offline to prevent any further unauthorized access and a leading third-party cybersecurity firm was engaged to assist with the investigation.

The cybersecurity firm confirmed that the breach was confined to the application and no other servers, applications, or systems were affected. No evidence was found to indicate any information within the application – Ohio credentialing and licensing data – has been misused. Maximus said people covered by Medicaid were not affected.

Maximus said the rapid detection of the breach limited potentially adverse impacts; however, since there is a possibility of data theft, all individuals affected were notified on June 18, 2021 and have been offered complimentary credit monitoring services for 24 months.

The post Prominence Health Plan Data Breach Impacts up to 45,000 Individuals Associates appeared first on HIPAA Journal.

San Juan Regional Medical Center has recently notified tens of thousands of its patients about a security breach that occurred in the fall of 2020. The Farmington, NM medical center discovered its network had been accessed by an unauthorized individual on September 8, 2020. Prompt action was taken to prevent further unauthorized access and an investigation was launched to determine the nature and extent of the breach.

The forensic investigation revealed the attacker exfiltrated files between September 7th and 8th, with a manual review of those files confirming they contained the protected health information of 68,792 patients. The types of information in the files varied from patient to patient and included names in combination with one or more of the following date elements:

Dates of birth, Social Security numbers, driver’s license numbers, passport information, financial account numbers, health insurance information, diagnoses, treatment information, medical record numbers, and patient account numbers.

While data theft was confirmed, no evidence has been found to indicate any of the stolen PHI has been misused. Complimentary credit monitoring services have been offered to individuals whose Social Security number was compromised. Steps have also been taken to secure its network and improve internal processes to prevent further security breaches.

Coastal Medical Group Reports Hacking and Data Theft Incident

Old Bridge, NJ-based Coastal Medical Group, a gastroenterology and internal medicine specialist, has suffered a security breach in which patient data has potentially been compromised. The practice, which is listed as permanently closed, discovered the breach on April 21, 2021.

The investigation into the breach indicates systems were first compromised on March 25, 2021. According to a statement released by the practice, incident response and recovery procedures were immediately implemented, and the practice worked quickly to assess the security of its systems and prevent further unauthorized access.

The investigation confirmed that files containing protected health information were acquired by the attacker, which included full names, home addresses, dates of birth, other demographic and contact information, Social Security numbers, insurance information, diagnoses, and treatment information.

The practice has notified all affected patients by mail and has offered complimentary credit monitoring and identity theft protection services. Steps have also been taken to secure its systems to prevent any further breaches.

It is currently unclear how many individuals have been affected.

Springfield Psychological Reports Email Error

Pennsylvania-based Springfield Psychological has notified certain current, former, and prospective patients about an email error that exposed email addresses. A routine marketing email was sent on June 9, 2020; however, rather than having the recipients’ email addresses hidden, the email was sent in a way that made recipients’ email addresses visible to all recipients.

Aside from identifying individuals as having received or considered receiving healthcare services from Springfield Psychological, the only information exposed were email addresses.

Springfield Psychological contacted the HHS’ Office for Civil Rights about the incident in the fall of 2020 and on May 25, 2021, OCR informed Springfield Psychological that the incident was a reportable breach under HIPAA. Affected individuals were then promptly notified.

The post San Juan Regional Medical Center Data Breach Affects 68,792 Patients appeared first on HIPAA Journal.

South Texas Health System has notified 6,761 about an accidental disclosure of some of their protected health information. South Texas Health System provides discharge instructions after patients receive medical care in its hospitals. Part of that process involves an employee generating and emailing a monthly report that identifies patients that have been discharged from its hospital emergency departments.

South Texas Health System discovered on April 8, 2021 that an email with an attached November 2020 report was sent to an incorrect email address on April 7. Steps were taken to try to identify the recipient and get the email deleted, but that individual remains unknown and it is unclear whether the email has been opened, viewed, or deleted.

The email attachment contained a list of patients discharged from its hospital emergency departments in November 2020, which included names, internal hospital visit numbers, date and time of discharge, whether discharge instructions were provided, and information about where the patients were discharged.

The nature of the data in the report makes it unlikely that patients will suffer harm; however, out of an abundance of caution, those individuals have been offered complimentary membership to an Internet surveillance and an identity theft restoration service for 12 months.

Email Data Breach Affects Atricure Group Health Plan Members

Ohio-based Atricure has discovered an email account of one of its employees was accessed by an unauthorized individual for a short period on March 8, 2021. Upon discovery, the account was immediately secured and a third-party cybersecurity firm was engaged to assist with the investigation. The breach was confirmed as affecting a single email account, but it was not possible to tell if any emails or attachments were viewed.

An analysis of all emails and attachments in the account was completed on April 7, 2021 and revealed they contained some sensitive information of employees, beneficiaries and dependents relating to the Atricure Group Health Plan. In total, 2,487 individuals have been affected by the breach.

The types of information potentially compromised included names, addresses, dates of birth, Social Security numbers, financial account information, clinical information, and health insurance claims information. Affected individuals have been provided with complimentary credit monitoring, fraud consultation, and identity theft restoration services. Atricure has also enhanced its security protocols and has re-educated employees on email security.

The post South Texas Health System and Atricure Report Email Incidents appeared first on HIPAA Journal.

Washington-based NorthWest Congenital Heart Care is alerting 1,166 patients that some of their protected health information has been acquired by an unauthorized individual. On May 7, 2021, an unauthorized third party entered the office of a single NWCHC physician and stole an external hard drive that was used for data backups. The theft was reported to law enforcement, but the hard drive has not been recovered.

A review of the data backups revealed they contained patient information such as names, dates of birth, ages, medical and treatment information, dates of service, location of service, physician names, services requested, procedures performed, diagnosis codes, diagnosis and treatment descriptions, medical record numbers and, for one individual, health insurance information.

To reduce the risk of future data breaches, NorthWest Congenital Heart Care will be eliminating the use of external hard drives for data backups.

Superior HealthPlan Members Affected by Accellion Data Breach

2,781 members of Superior HealthPlan in Texas have been notified that some of their protected health information was compromised in the cyberattack on Accellion. The attack affected the Accellion file transfer appliance, which was used for sending files too large to be sent via email.

The attackers had access to the platform between January 7 and January 20, 2021. On April 2, 2021, Superior HealthPlan discovered the attackers were able to access and download files containing names, addresses, dates of birth, insurance ID numbers, and health information such as medical condition and treatment information.

All affected individuals have been offered complimentary credit monitoring and identity theft protection services for 12 months. Accellion’s services are no longer being used, all data has been removed from Accellion’s systems, and file transfer processes and tools have been reviewed and are being updated to prevent similar breaches in the future.

The post NorthWest Congenital Heart Care Reports Theft of Device Containing PHI of 1,166 Patients appeared first on HIPAA Journal.

Arizona Asthma and Allergy Institute has issued breach notification letters to 70,372 patients who received services between October 1, 2015 and June 15, 2020.

According to the breach notice, a range of their personal and protected health information including names, patient ID numbers, provider names, health insurance information, and treatment cost information was exposed online under the name of a different organization for a brief period in September 2020.

After being alerted about the exposed data, a third-party forensics company was engaged to investigate the breach. The investigation concluded on March 8, 2021 and confirmed that protected health information had been exposed.

According to databreaches.net, which contacted Arizona Asthma and Allergy Institute to alert them about the breach, this was a ransomware attack by the Maze ransomware operation. Sensitive data obtained in the breach had been posted to the Maze Group’s data leak site for a short period in September under the name Medical Management Inc.

Stillwater Medical Center Investigation Security Breach

Stillwater Medical Center in Oklahoma has launched an investigation into a security breach affecting certain information systems. In a June 14, 2021, Facebook post, Stillwater Medical Center explained that a breach occurred on June 13, 2021 and systems were immediately shut down while the incident was investigated. A third-party computer forensics firm is assisting with the investigation and systems will be brought back online as soon as possible.

The investigation is still in the early stages but, so far, no evidence has been found to indicate any patient data has been compromised. Further information about the incident will be released as and when it becomes available.

Nebraska Department of Health and Human Services Alerts Individuals About Privacy Breach

The Nebraska Department of Health and Human Services has identified a software error that resulted in individuals’ phone numbers and partial Social Security numbers being sent to a third party in April 2021.

The HHS discovered the privacy incident on April 9, 2021 and has now issued notification letters to approximately 500 individuals. According to the HHS, the nature of data and the individual to whom it was sent – an individual in the State of Nebraska – makes the risk of identity theft or fraud low.

Temporary measures have been taken to fix the software error while the HHS works on a more permanent solution.

The post Arizona Asthma and Allergy Institute Notifies 70,372 Patients About Data Breach appeared first on HIPAA Journal.

A benefits administrator for home healthcare and nursing home workers, Service Employees International Union 775 (SEIU 775) Benefits Group, has experienced a cyberattack that resulted in the deletion of sensitive data.

IT staff detected anomalies within SEIU 775’s data systems on or around April 4, 2021, which included the deletion of certain data. An investigation was launched into the malicious activity, led by third-party cybersecurity experts and forensic consultants.

The investigation confirmed that its systems had been hacked and the data of unknown individuals had been deleted, including personally identifiable and protected health information. While information was deleted, no evidence was found to indicate any PII or PHI was viewed or acquired by the attackers and there have been no reported cases of misuse of data.

Data potentially compromised included names, addresses, and demographic data along with Social Security numbers and potentially health plan eligibility information. Upon discovery of the malicious activity, steps were immediately taken to prevent further unauthorized access and to contain the breach. Third -party cybersecurity experts have been assessing system security and SEIU 775 is working closely with its consultants to further strengthen its cybersecurity defenses.

The breach has been reported to the HHS’ Office for Civil Rights as affecting up to 140,000 individuals. Victims of the breach have been offered complimentary credit monitoring and identity theft protection/restoration services through Kroll for 12 months.

This is not the only breach to be reported in recent weeks by a benefits administrator. In May, the Florida vision and hearing benefits administrator 20/20 Hearing Care Network experienced a data deletion incident. In that incident, the breach affected up to 3.3 million individuals. The attacker gained access to and deleting data stored in an unprotected Amazon Web Services cloud storage bucket, with the data downloaded from the S3 bucket prior to deletion.

The post SEIU 775 Benefits Group Data Breach Impacts 140,000 Individuals appeared first on HIPAA Journal.

Ohio-based Five Rivers Health Centers has notified 155,748 patients that some of their protected health information was stored in email accounts that have been accessed by an unauthorized individual following a phishing attack.

It is unclear when the breach was discovered, but Five Rivers Health Centers reports that following an extensive forensic investigation into the cyberattack and a manual document review, it discovered on March 31, 2021, that the breached email accounts contained patients’ personal and health information.

The forensic investigation confirmed that the email accounts had been breached between April 1, 2020, and June 2, 2020. Notification letters were sent to affected patients on May 28, 2021 – More than a year after the first email accounts were breached.

The types of protected health information in emails and attachments varied from patient to patient and may have included one or more of the following data elements:  Name, address, date of birth, medical record number, patient account number, diagnoses, treatment and/or clinical information, test results, lab test reports, provider name, dates of service, treatment cost information, prescription information, health insurance information, and Medicaid or Medicare numbers.

A limited number of individuals also had their financial account number, payment card numbers, driver’s license number, state identification number, and/or Social Security number exposed. A 12-month complimentary membership to a credit monitoring service has been offered to individuals whose Social Security number was exposed.

Following the attack, policies and procedures have been reviewed and updated, 2-factor authentication has been implemented, and employees have been provided with further cybersecurity training.

Cancer Centers of Southwest Oklahoma Breach Affects 8,000 Patients

Cancer Centers of Southwest Oklahoma (CCSO) has discovered the protected health information of 8,000 patients was potentially compromised in a cyberattack on one of its business associates. CCSO used a 1^st generation cloud-based storage system provided by Elekta Inc., which was breached earlier this year.

Elekta hired third-party cybersecurity experts to investigate the security breach and confirmed on April 28, 2021, that the breached systems included the protected health information of CCSO patients. While it was not possible to determine what information was accessed or exfiltrated by the attackers, Elekta concluded that all information in the system had been exposed and must be considered compromised. The cloud-based storage system remains offline while the forensic investigation continues.

CCSO said in its substitute breach notification letter that the following types of information were stored in the system and may have been accessed or stolen: Name, Social Security number, address, date of birth, height, weight, medical diagnosis, medical treatment details and appointment confirmations.

Elekta is offering complimentary access to identity monitoring, fraud consultation, and identity theft restoration services to affected individuals.

The post Five Rivers Health Centers Phishing Attack Affects Almost 156,000 Patients appeared first on HIPAA Journal.