HIPAA Breach News

Humana and Cotiviti Facing Class Action Lawsuit over 63,000-Record Data Breach

The Louisville, KY-based health insurance and healthcare provider Humana and its business associate Cotiviti are facing legal action over a data breach discovered in late December 2020.

On May 26, 2021, a lawsuit was filed in the U.S. District Court for the Western District of Kentucky over the mishandling of Humana insurance plan members’ medical records. Humana had contracted with Cotiviti to handle medical records requests to send to the HHS’ Centers for Medicare and Medicaid Services (CMS). Cotiviti had subcontracted some of the work to Visionary Medical Systems Inc.

According to the lawsuit, an employee of Visionary Medical Systems uploaded the private and confidential medical records of Humana members to a personal Google Drive account in order to provide medical coding training as part of a “personal coding business endeavor.”

The medical records were copied to the Google Drive account between October 12 and December 16, 2020, and that account was publicly accessible. The actions of the employee violated HIPAA and the terms of the business associate agreement. Visionary Medical Systems discovered the violation and reported the breach to Humana on December 22, 2020.

As required by the HIPAA Breach Notification Rule, Humana notified the Department of Health and Human Services about the breach within 60 days, with the breach notice, submitted on February 22, 2021, listing the data breach as an unauthorized access/disclosure incident on a network server that affected 63,000 individuals. Those individuals were notified about the exposure of their personal and health information on March 1, 2021.

Patients were informed the exposed information included names, addresses, dates of birth, full and partial Social Security numbers, and other sensitive information. Humana said it was working with its business associate and subcontractors to ensure appropriate physical and technical safeguards are put in place. Humana also offered affected individuals a complimentary membership to Equifax’s credit monitoring and identity theft protection services for two years.

Plaintiff Janie Segars of South Carolina claims Humana failed to provide any information about how the breach occurred and did not explain exactly what information had been exposed or who may have accessed the exposed data. “Since Humana has decided to keep this information secret, part of the reason this lawsuit is necessary is to determine what happened so that class members may take whatever steps may be necessary to protect themselves,” states the lawsuit.

The lawsuit also alleges the defendants were negligent for failing to implement appropriate security measures to prevent employees from uploading sensitive data to personal accounts and criticizes them for the time taken to discover the data breach – 2 months – and for the length of time it took to issue notifications to patients – 3 months after the breach was discovered.

The lawsuit, which names Humana and Cotiviti as defendants (but not Visionary Medical Systems), alleges negligence, invasion of privacy and breach of implied contract and seeks monetary and actual damages, restitution and/or punitive damages, and a jury trial.

The post Humana and Cotiviti Facing Class Action Lawsuit over 63,000-Record Data Breach appeared first on HIPAA Journal.

Third-Party Phishing Attack Affects Up to 34,862 Lafourche Medical Group Patients

Lafourche Medical Group, a Louisiana-based urgent care center operator, has notified 34,862 patients about a security breach that potentially involved some of their protected health information.

On March 30, 2021, Lafourche Medical Group learned that an external accountant had responded to a phishing email that spoofed one of the owners of Lafourche Medical Group and disclosed login credentials to the attacker. The compromised credentials were used to gain access to the group’s Microsoft 365 environment.

A third-party IT company was engaged to assist with the investigation and found no evidence to suggest the group’s on-premises systems or cloud-based electronic medical record system were compromised; however, the credentials could have been used to view or download data from its Microsoft 365 environment, which contained some patient information. “Due to the size of the email system, we are unable to identify all potential patient information that may have been contained in the system,” explained Lafourche Medical Group in its substitute breach notice.

Clinical information was not compromised; however, emails were used to communicate certain patient information for billing and other clinic purposes. The types of information often sent via email include names, addresses, dates of birth, dates of service, e-mail addresses, telephone numbers, medical record numbers, insurance and health plan beneficiary numbers, guarantor names, diagnoses, treating practitioner names, and lab test results.

A more robust vetting process has been implemented for business associates, and a third-party IT consultancy was engaged to reassess the group’s computer systems and security measures and to recommend best practices for improving information security. Several measures have now been implemented to improve security, including strengthening the firewall and spam and malware filters, implementing stricter password policies, adding multi-factor authentication for mobile access, and retraining the staff on cybersecurity, social engineering, and phishing.

Risk and Compliance Firm Reports Breach of 47,035 Records

The risk and compliance firm LogicGate has identified a security incident in which the protected health information of 47,035 individuals has potentially been compromised.

LogicGate explained in breach notification letters that an unauthorized individual gained access to credentials for its Amazon Web Services cloud storage, which is used to store backup files of customers that use its Risk Cloud platform.

The Risk Cloud Platform is used by companies to identify and manage compliance risks and meet data protection and security standards. All backup files stored in AWS S3 buckets are encrypted, but the attacker was able to use the credentials to decrypt data. The backup files contained customer data that had been uploaded to their Risk Cloud environment prior to February 23, 2021. LogicGate said it did not identify any decrypt events associated with customers’ stored attachments.

It is currently unclear whether any customer data was exfiltrated by the attacker and no details have been released about how the credentials were obtained.

Hoboken Radiology Alerts Patients to Potential Breach of Medical Images and PHI

Hoboken Radiology has started notifying patients about a security breach that occurred between June 2, 2019 and December 1, 2020. In a recent press release, Hoboken Radiology said it received a notification on November 3, 2020 about suspicious activity on its medical imaging server.

Third-party cybersecurity specialists were engaged to investigate the incident and determine if any patient data had been accessed by unauthorized individuals. The investigation is still ongoing, but it was confirmed that there were suspicious connections from an external source between the above dates. The affected server contained patient data which could have potentially been viewed or obtained by unauthorized individuals.

A review of files on the server found they contained a range of patient data including names, genders, dates of birth, treatment dates, referring physician names, patient ID numbers, accession numbers, medical images, and a description of those images. Social Security numbers, payment card details, financial information, and medical insurance information were not compromised.

While unauthorized access to the server was confirmed, no evidence was found to indicate any actual or attempted misuse of patient data. Policies, procedures, and processes related to storage of and access to personal information are being reviewed and will be updated to better protect patient data in the future.

The breach has been reported to the appropriate authorities, but it has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is unclear exactly how many individuals have been affected.

Glacier Medical Associates Alerting Patients About April 2021 Data Breach

Glacier Medical Associates in Whitefish, MT has announced it suffered a security breach on April 7 in which patient data was potentially accessed. Third-party digital forensics experts were engaged to investigate the breach and determine the nature and scope of the incident. The investigation concluded on May 10. No evidence of data theft was found and there have been no reported cases of misuse of patient data. No information has been released about the nature of the breach.

Practice Administrator Kelli Meuchel was advised by the practice’s legal counsel not to disclose the number of individuals affected and the incident has yet to appear on the HHS’ Office for Civil Rights breach portal. Meuchel said all affected individuals will be notified by mail and will be advised about the types of information that were compromised.

Ransomware Attacks Affect Sturdy Memorial Hospital and UF Health

Sturdy Memorial Hospital in Attleboro, MA is notifying 57,379 patients about a computer security incident that occurred on February 9, 2021 in which patient data was stolen. According to the hospital’s breach notice, an unauthorized individual gained access to its systems but the hospital secured those systems later that day.

The individual demanded a ransom payment to prevent the exposure/sale of data stolen in the attack. The hospital took the decision to pay the ransom and received assurances all stolen data would be permanently destroyed and would not be further disclosed. It is unclear whether this was simply a data theft incident or whether ransomware had been used in the attack.

Third-party computer forensics experts were engaged to investigate the breach, and a review was conducted to determine what patient data was compromised. The review was completed on April 21, 2021, and notifications to all affected individuals began on May 28, 2021.

Sturdy Memorial Hospital said that in addition to its own patients, some patient data from other healthcare provider partners – Harbor Medical Associates, South Shore Medical Center, and providers affiliated with South Shore Physician Hospital Organization – was also compromised.

The types of patient information compromised varied from patient to patient and may have included one or more of the following data elements: Name, address, phone number, date of birth, Social Security number, driver’s license number, other government ID number, financial account number, routing number, bank name, credit card number and security code, Medicare Health Insurance Claim numbers, medical history information, treatment or diagnosis information, procedure or diagnosis codes, prescription information, provider name, medical record number, Medicare/Medicaid number, health insurance information, and treatment cost information. Sturdy Memorial Hospital said its electronic health record system was not affected.

Complimentary credit monitoring and identity protection services are being offered to individuals whose Social Security number or driver’s license number was compromised in the attack. Additional safeguards and technical security measures have now been implemented at Sturdy Memorial Hospital to better protect and monitor its IT systems.

UF Health Ransomware Attack Affects The Villages and Leesburg Hospitals

University of Florida Health (UF Health) has been forced to adopt downtime procedures following a ransomware attack on May 31, 2021. Staff switched to pen and paper to record patient information, as the attack left computer systems and email inaccessible.

The attack affected UF Health The Villages Hospital and UF Health Leesburg, and was identified by UF Health Central Florida on the evening of May 31 when unusual activity was detected on its computer servers. The attack does not appear to have affected the Gainesville and Jacksonville campuses.

The attack is being investigated and efforts are underway to ensure systems and data are secured. Medical services at all UF Health locations continue to be provided and patient safety has not been affected. It is currently unclear whether the attackers stole patient data prior to the use of ransomware to encrypt files.

147,000 Patients Affected by Scripps Health Ransomware Attack

Scripps Health, the second largest healthcare provider in San Diego, has started sending breach notification letters to 147,267 patients to inform them that some of their personal and health information was stolen in a May 1, 2021 ransomware attack.

The attack forced Scripps Health to adopt its EHR downtime procedures with its systems offline. Staff at its medical offices and hospitals were forced to work with paper charts while systems were restored and data was recovered. That process has taken almost a month, during which time access to important patient information such as test results was prevented. Scripps Health only regained the ability to create new records last week when the MyScripps patient portal was brought back online.

The attack affected many of the healthcare provider’s care sites and caused disruption to operations at two of its four hospitals. Scripps Health took the decision to divert some critical patients to other facilities, with all four of its main hospitals placed on emergency care diversion for stroke, heart attack, and trauma patients. Some non-urgent appointments also had to be delayed in the days following the attack.

Scripps Health said its main Epic medical record system was not compromised, but prior to the deployment of ransomware the attackers acquired documents that contained patient data such as names, addresses, dates of birth, health insurance information, medical record numbers, patient account numbers, and some clinical information such as physicians’ names, dates of service, and treatment information. The Social Security numbers and/or driver’s license numbers of around 3,700 individuals were obtained by the hackers. Complimentary credit monitoring and identity protection support services are being offered to those individuals.

Scripps Health has commenced a manual review of the documents compromised in the attack and explained that it is a time-intensive process that will likely take several months. “We do not yet know the content of the remainder of documents we believe are involved,” said Scripps Health in a statement about the attack, adding that notification letters are being sent to affected individuals as quickly as possible.

“It is unfortunate that many health care organizations are confronting the impacts of an evolving cyber threat landscape,” said Scripps Health. “For our part, Scripps is continuing to implement enhancements to our information security, systems, and monitoring capabilities. We also continue to work closely with federal law enforcement to assist their ongoing investigation.”

Diabetes, Endocrinology & Lipidology Center Pays $5,000 to Resolve HIPAA Right of Access Case

The HHS’ Office for Civil Rights has announced a settlement has been reached with The Diabetes, Endocrinology & Lipidology Center, Inc. (DELC) that resolves a potential HIPAA Right of Access violation. This is the 8th financial penalty to be announced in 2021 to resolve violations of the HIPAA Rules, and the 19th settlement under OCR’s HIPAA Right of Access enforcement initiative that was launched in the fall of 2019.

DELC is a West Virginia-based healthcare provider specializing in treating endocrine disorders. In August 2019, OCR received a complaint that alleged DELC had failed to respond to a request for a copy of protected health information in a timely manner. The HIPAA Privacy Rule requires a copy of an individual’s protected health information contained in a designated record set to be provided within 30 days of a request being received.

In this case, the complainant wanted a copy of her minor child’s protected health information and DELC had failed to provide those records within the allowed 30 days. OCR notified DELC on October 30, 2019 about the investigation into potential noncompliance with the HIPAA Right of Access (45 C.F.R. § 164.524) over the alleged refusal to provide the patient’s mother with the records she requested.

OCR determined the failure to provide the requested records was in violation of the HIPAA Right of Access. As a result of OCR’s investigation, DELC finally provided the child’s mother with a copy of the requested records in May 2021, almost two years after the initial request had been made.

In addition to the financial penalty of $5,000, DELC has agreed to a corrective action plan that includes reviewing and updating policies and procedures for providing individuals with access to PHI and privacy training for the workforce on individual access to PHI. DELC will be monitored by OCR for 2 years to ensure compliance with the Right of Access provisions of the HIPAA Privacy Rule.

“It should not take a federal investigation before a HIPAA covered entity provides a parent with access to their child’s medical records,” said Acting OCR Director Robinsue Frohboese. “Covered entities owe it to their patients to provide timely access to medical records.”

More than 3.2 Million Individuals Affected by 20/20 Hearing Care Network Data Breach

The 20/20 Hearing Care Network has started notifying millions of current and former members that some of their protected health information (PHI) has potentially been compromised and/or deleted.

On January 11, 2021, suspicious activity was detected in its AWS cloud storage environment. Steps were immediately taken to prevent further unauthorized access, and an investigation was launched to determine the nature and scope of the security breach. Third-party forensics experts assisted with the investigation and confirmed that S3 buckets hosted in AWS had been accessed, that data in those buckets had been downloaded, and that all data in the S3 buckets had then been deleted.

The forensic investigation confirmed in late February that some of the data downloaded and deleted from the storage environment included PHI for some or all health plan members for whom records were held. While data theft was confirmed, it was not possible to tell exactly which information had been accessed or removed from the S3 buckets. The types of data potentially obtained in the attack included names, Social Security numbers, dates of birth, member ID numbers, and health insurance information.

Starting on or around May 28, 2021, notification letters were sent to all individuals potentially affected. As a precaution against misuse of member information, certain affected individuals have been offered complimentary credit monitoring and identity theft protection services.

20/20 said in its breach notice that while data theft was confirmed, it does not believe there has been any misuse of member data. The report filed with the Maine Attorney General classes this incident as ‘insider wrongdoing’.

Following the breach, 20/20 conducted a robust review of policies and procedures and has taken steps to improve security to prevent similar breaches in the future.

The breach has been reported to the Maine Attorney General as affecting up to 3,253,822 individuals, making this one of the largest healthcare data breaches to be discovered this year.

Ransomware Attacks Affect Community Access Unlimited and CareSouth Carolina Patients

Hartsville, SC-based CareSouth Carolina has notified 76,035 patients that some of their protected health information has potentially been compromised in a ransomware attack on its IT vendor, Netgain Technologies.

CareSouth Carolina was informed by Netgain on January 14, 2021 that the company had experienced a ransomware attack in December 2020, and the attackers had access to servers containing patient data from late November, some of which was exfiltrated prior to the use of ransomware.

On April 13, 2021, Netgain provided CareSouth Carolina with a copy of the data that was potentially compromised. CareSouth Carolina conducted a review of the data and on April 27, 2021 confirmed the dataset included patient names, dates of birth, addresses, diagnoses/conditions, lab results, medications, and other clinical information. For a small number of patients, Social Security numbers were involved.

The attackers issued a ransom demand to Netgain and threatened to sell the stolen data if payment was not made. Netgain took the decision to pay the ransom and received assurances that the stolen data was deleted and had not been further disclosed.

Netgain and CareSouth have since implemented additional security measures to prevent any repeat attacks, and CareSouth is offering affected patients complimentary identity theft protection services.

Community Access Unlimited Ransomware Attack Impacts 13,813 Individuals

Elizabeth, NJ-based Community Access Unlimited has started notifying 13,813 individuals that their protected health information was stored on systems that were accessed by unauthorized individuals.

Community Access Unlimited identified suspicious activity within its internal systems on November 10, 2020. The systems were immediately taken offline, and third-party forensics specialists were engaged to determine the nature and scope of the breach.

The investigation revealed its systems were accessed by unauthorized individuals between June 29, 2020 and November 12, 2020, but it was not possible to determine whether any patient data was accessed or exfiltrated by the attackers.

A review of the compromised systems revealed the following data could potentially have been accessed or obtained: Names, dates of birth, driver’s license numbers, state identification card numbers, non-resident identification numbers, health information, health insurance beneficiary numbers, and usernames and passwords.

Policies and procedures have since been reviewed and enhanced to reduce the potential for a further attack. Affected individuals have now been notified and complimentary credit monitoring and identity restoration services have been offered to potentially impacted individuals.

4 More Healthcare Organizations Announce Patients Affected by Recent Ransomware Attacks

In the wake of the ransomware attack on Colonial Pipeline, some ransomware gangs such as REvil and Avaddon claimed that they have implemented new rules that require their affiliates to obtain authorization prior to attacking a target, and that attacks on healthcare organizations had been banned. However, many ransomware-as-a-service operations have not implemented restrictions and healthcare providers are still being targeted. Recently, 4 more healthcare organizations have been confirmed as falling victim to attacks.

San Diego Family Care

San Diego Family Care (SDFC) in California has confirmed it was affected by a ransomware attack in December 2020. SDFC and its business associate Health Center Partners of Southern California (HCP) were impacted by a ransomware attack on their information technology hosting provider, Netgain Technologies. Netgain Technologies reportedly paid a $2.3 million ransom to obtain the keys to unlock the encrypted files and notified SDFC and HCP on January 20, 2021 that the protected health information of their patients had been compromised.

SDFC and HCP were provided with a copy of the affected data and conducted a review to determine which individuals had been affected and the types of data involved. The review was completed on April 11, 2021 and 125,500 patients are now known to have been affected.

SDFC explained in its substitute breach notice that the following types of data were compromised: Names, Social Security numbers, government identification numbers, financial account numbers, dates of birth, medical diagnosis or treatment information, health insurance information, and/or client identification numbers. Affected individuals were notified by mail on May 7, 2021.

SAC Health Systems

San Bernardino, CA-based SAC Health Systems was also a victim of the ransomware attack on its now former IT service provider, Netgain Technologies. SAC Health Systems was notified by Netgain Technologies on January 15, 2021 that the ransomware gang had access to servers containing patient data between November 15, 2020 and November 22, 2020.

SAC Health Systems confirmed on April 20, 2021 that 28,128 individuals had been affected. The types of data compromised included names, addresses, dates of birth, Social Security numbers, driver’s license numbers, state identification numbers, tax identification numbers, financial account information, medical histories, electronic signatures, health insurance information, medical record numbers, doctor names, prescription information, and reason for absence. All affected individuals are now being notified.

Harper County Community Hospital

Harper County Community Hospital in Oklahoma has announced it suffered a ransomware attack on March 24, 2021 in which the protected health information of 5,725 patients was potentially compromised.

The hospital said patient medical records were not affected, but workstations and common drives were compromised, and they contained files that included first and last names, dates of birth, home addresses, patient account numbers, diagnoses, Social Security numbers, and health insurance information.

Harper County Community Hospital took immediate corrective actions and has implemented extensive IT security protocols, back-up processes, and updated its HIPAA policies and procedures. All affected individuals are now being notified about the attack.

Prestige Medical Group

Georgia-based Internal Medicine Associates of Jasper, PC, dba Prestige Medical Group, has been affected by a ransomware attack that has been reported to the HHS’ Office for Civil Rights as affecting 34,203 patients.

The attack was conducted by the Avaddon ransomware gang, one of the gangs that has since claimed it is stopping attacks by affiliates on the healthcare sector. The attackers claimed they had exfiltrated patient and employee data prior to file encryption and leaked a sample of data stolen in the attack on its leak site, stating that the medical practice was not interested in cooperating. The attackers claimed, “We have data on the diseases of your clients, confidential cards of your clients, various information on your clients, a lot of opinions and reports from doctors, agreements and contracts, financial information, information about employees, personal data of employees.”
