The Vice Society ransomware gang claims to have conducted a ransomware attack on the California healthcare provider United Health Centers of San Joaquin Valley. United Health Centers operates more than 20 community health centers in Fresno, Kings, and Tulare counties.

The Vice Society ransomware gang emerged mid-2021 and is believed to be a spin-off of the HelloKitty ransomware operation. The gang is known to use a variety of methods to gain access to victims networks, including exploiting vulnerabilities such as the PrintNightmare bugs.

The gang is known for exfiltrating data from victims’ systems prior to the use of ransomware to encrypt files. Data are then published on its data leak site to pressure victims into paying the ransom. This attack appears to be no exception. Bleeping Computer reports it was notified on August 31, 2021 about the ransomware attack on United Health Centers by a trusted member of the cybersecurity community who said the healthcare provider’s entire network was shut down as a result of the attack.

The cyberattack has yet to appear on the HHS’ Office for Civil Rights Breach Portal or the website of the California Attorney General and United Health Centers has not published any notification on its website at the time of writing. Under HIPAA, regulated entities have up to 60 days to issue notifications about a data breach.

Bleeping Computer reports the Vice Society gang has already leaked data allegedly obtained in the attack on its data leak website, some of which contains patients’ protected health information (PHI). Databreaches.net has reviewed some of the dumped files and confirmed they contained PHI such as names, dates of birth, insurance information, dates of service, diagnostic codes, and treatment and service codes, along with a folder containing files of patients who had fallen into arrears on their accounts and were referred to debt collection agencies in 2012. Some of those files included patients’ Social Security numbers, diagnosis information, and other types of PHI.

Bleeping Computer said its source said the attack caused major disruption to its IT systems, although the healthcare provider had backups that were not impacted in the attack.  United Health Centers has reportedly started re-imaging computers and restoring data from backups. That, along with the data dump, suggests the ransom was not paid.

Both Bleeping Computer and Databreaches.net said they reached out to United Health Centers multiple times but have yet to receive a response about the attack.

While several ransomware-as-a-service operations place restrictions on industry sectors that can be attacked and avoid the healthcare industry, Vice Society certainly does not fall into that group. Around a fifth of its attacks are conducted on the healthcare sector.

The post Vice Society Ransomware Gang Attacks United Health Centers of San Joaquin Valley appeared first on HIPAA Journal.

Eastern Los Angeles Regional Center has discovered the email account of an employee has been accessed by an unauthorized individual. Suspicious activity was detected in the email account on July 15, 2021. A password reset was performed to prevent further unauthorized access and an investigation was launched to determine the nature and scope of the breach.

It was confirmed that the account was accessed for a limited period of time on July 15, 2021 and that the email account contained the protected health information of 12,921 individuals, including first and last names, Social Security numbers, ELARC-issued client identifier numbers, Tax ID numbers, medical histories, treatment or diagnosis information, and health insurance information.

Eastern Los Angeles Regional Center said it found no evidence to suggest any information in the email account was exfiltrated or subjected to actual or attempted misuse.

Additional technical safeguards have been implemented to further enhance the security of sensitive information and affected individuals have been offered 12 months of complimentary credit monitoring services through Kroll.

Mercy Grace Private Practice Notifies 4,450 Patients About Data Breach

On August 30, 2021, Mercy Grace Private Practice in Gilbert, AZ notified 4,450 patients about a business email compromise attack in December 2020 involving a fraudulent wire transfer.

A third-party computer forensics firm was engaged to perform a comprehensive analysis of its entire email environment. That investigation confirmed that two employee email accounts had been compromised.

A review of the two email accounts confirmed they contained patient data such as names, Social Security numbers, driver’s license numbers, state identification numbers, financial account information, and limited health information.  The purpose of the attack appears to have been to defraud the practice rather than obtain patient data. Mercy Grace Private Practice is unaware of any actual or attempted misuse of patient data as a result of the security breach.

In response to the breach, security protocols have been enhanced and further cybersecurity training has been provided to employees.

The post Email Breaches Reported by Eastern Los Angeles Regional Center & Mercy Grace Private Practice appeared first on HIPAA Journal.

K and B Surgical Center in Beverley Hills, CA has discovered an unauthorized individual gained access to its computer network. The security breach was detected on March 30, 2021, with the third-party forensic investigation confirming its network was compromised between March 25 and March 30.

Upon discovery of the breach, steps were taken to prevent further unauthorized access and an investigation was launched to determine the extent of the breach. The investigation concluded on April 27, 2021 that the attacker gained access to parts of the network that contained the protected health information of patients.

Data mining was performed on the affected servers to determine which types on information had been exposed and the patients that had been affected. K and B Surgical Center said in its September 3, 2021 breach notification letters that it took until July 27 to obtain a finalized list of affected patients.

The types of information potentially accessed and/or exfiltrated included the following data elements: Names, addresses, phone numbers, driver’s license numbers, diagnoses, treatment and prescription information, provider names, patient IDs, Medicare/Medicaid numbers, lab test results, health insurance information, and treatment cost information. At the time of issuing notification letters, no reports had been received of any cases of actual or attempted misuse of patient data as a result of the security breach.

In total, notification letters have been sent to 14,772 individuals. K and B Surgical Center has offered 12 months of complimentary credit monitoring and identity theft restoration services to affected individuals as a precaution against identity theft and fraud.

Following the security breach, passwords were changed for all user accounts, VPN connections, and email accounts and new anti-virus security systems and threat monitoring programs were installed on all computers. The workforce has been retrained on security, its Security Rule risk analysis has been updated, and periodic security audits will be conducted to identify potential vulnerabilities.

Healthpointe Medical Group Notifies Patients About Hacking Incident

Healthpointe Medical Group in Portland, OR has notified certain patients about a hacking incident and the exposure of their protected health information.

Healthpointe discovered suspicious activity on certain servers on or around June 9, 2021. Steps were promptly taken to secure its IT systems and a leading computer forensics firm was engaged to investigate the nature and scope of the breach. On or around July 7, 2021, the investigation confirmed the attacker had gained access to files or folders that contained patient data. A review of those files and folders was completed on July 27 and confirmed they contained names, addresses, and Social Security numbers. Notification letters started to be sent to affected individuals in late August.

Healthpointe has performed a company-wide password reset, updated its firewalls, expanded the use of multi-factor authentication, and took other steps to enhance its security protocols. Affected individuals have been told they can avail of 12 months of identity theft protection services through IDX at no cost and will be protected by a $1 million identity theft insurance policy.

The post K and B Surgical Center & Healthpointe Medical Group Notify Patients About Hacking Incidents appeared first on HIPAA Journal.

Temperance, MI-based Family Medical Center of Michigan (FMC) has notified 21,988 patients about a July 2020 ransomware attack in which their protected health information was compromised.

FMC said the attack appeared to have been conducted by a cybercriminal gang operating out of Ukraine. The attackers encrypted FMC’s financial files which prevented its employees from accessing patients’ financial information. A ransom demand of $30,000 in cryptocurrency was issued for the digital key to unlock the encrypted files.

FMC said it worked with a third-party computer security firm – IDX – to investigate the breach and help secure its digital environment. IDX advised paying the ransom as part of a strategy to determine the scope of the attack. FMC CEO, Ed Larkins said it complied with the demand and paid the ransom a week after the attack occurred. The attackers took two weeks to send the key to decrypt files.

The investigation into the attack confirmed only financial information was affected and patient medical records were not compromised in the attack. Patients affected by the attack had received medical services at some point in the past 14 years.

Following the attack, steps were taken to improve security and harden defenses to prevent further attacks. IDX is continuing to manage the response to the incident and has not detected any attempted or actual misuse of patient data since the attack. FMC has offered complimentary credit monitoring services to patients whose financial information was compromised.

Ransomware Attack Reported by Buddhist Tzu Chi Medical Foundation

Buddhist Tzu Chi Medical Foundation in West Sacramento, CA is notifying 18,968 patients that some of their protected health information has potentially been compromised in a recent cyberattack.

The attack was detected on July 15, 2021 when parts of its network became inaccessible. The affected server was immediately taken offline, and emergency protocols were implemented, with the staff switching to pen and paper to record patient data. A forensic investigation was conducted to determine the nature and scope of the breach, which confirmed that parts of the network accessed by the attackers contained patient data.

It was not possible to determine whether any patient data were viewed or exfiltrated by the attackers, only that data access was possible. The files potentially compromised in the attack contained names, dates of birth, and diagnosis information, which included dental x-rays for dental patients. No other patient data was stored on the affected server and computers.

Due to the nature of data exposed, there is believed to be a very low risk of misuse of the information; however, as a precaution, affected patients have been advised to monitor their estimate of benefits and other health information for any suspicious activity.

The post Ransomware Attacks Reported by Family Medical Center of Michigan & Buddhist Tzu Chi Medical Foundation appeared first on HIPAA Journal.

The U.S. Vision Inc. subsidiary, USV Optical Inc. has announced unauthorized individuals have gained access to certain servers and systems that contained patients’ protected health information.  The unauthorized access was detected on May 12, 2021, with the subsequent forensic investigation confirming the hackers had access to its systems for almost a month from April 20, 2021 to May 17, 2021, when its systems were secured.

Third-party computer forensics specialists are continuing to investigate the breach to determine the full extent and scope of the intrusion but have concluded that unauthorized individuals potentially viewed and exfiltrated patient data in the attack.

It has been confirmed that the following types of employee and patient data have been exposed: Names, eyecare insurance information, and eyecare insurance application and/or claims information. A subset of individuals may also have had the following data exposed: Address, date of birth, and/or other individual identifiers. No reports have been received to date of any cases of attempted or actual misuse of personal and protected health information as a result of the security breach.

The data breach has been reported to the Department of Health and Human Services’ Office for Civil Rights as affecting 180,000 individuals. Notifications are being sent to those individuals along with advice on steps that can be taken by breach victims to protect their identities, should they deem those steps to be appropriate.

USV Optical said it worked diligently to investigate and respond to the incident is currently working to identify and notify potentially impacted individuals. A review is being conducted of policies related to data protection and these will be enhanced to better protect patient data.

This is the second major data breach to be reported by an eye care provider in the past few days. Simon Eye Management recently reported an email security breach in which the protected health information of 144,000 individuals was exposed.

The post U.S. Vision Subsidiary Reports Hacking Incident Affecting 180,000 Individuals appeared first on HIPAA Journal.

Barlow Respiratory Hospital in Los Angeles, CA has announced it has suffered a ransomware attack on August 27, 2021. The attack was conducted by the Vice Society ransomware gang, which gained access to its network and electronic medical record system. Prior to using ransomware to encrypt files, the gang exfiltrated patient data, some of which has been posted on the gang’s dark web data leak site.

Barlow Respiratory Hospital said while the attack affected several IT systems, the hospital was able to continue to operate under its emergency procedures and patient care was not interrupted.

Upon detection of the security breach, law enforcement agencies were notified and a third-party cybersecurity firm was engaged to assist with the investigation and determine the scope of the data breach. The investigation into the attack is ongoing.

While some ransomware operations have said they will not target healthcare providers, Vice Society does not fall into that category. The ransomware operation appeared in June 2021 and has already attacked multiple healthcare providers, including Eskenazi Health in Indianapolis. The ransomware gang is known to exploit new security vulnerabilities, including the Windows PrintNightmare flaws.

“We will continue to work with law enforcement to assist in their investigation, and we are working diligently, with the assistance of a cybersecurity firm, to assess what information may have been involved in the incident,” said a spokesperson for Barlow Respiratory Hospital. “If necessary, we will notify the individuals whose information may have been involved, in accordance with applicable laws and regulations, in due course.”

Missouri Delta Medical Center Suffers Hive Ransomware Attack

The protected health information of patients of Missouri Delta Medical Center in Sikeston, MO has been stolen in a ransomware attack conducted by the Hive ransomware gang. Earlier this month, a sample of the stolen data was uploaded to the ransomware gang’s data leak site in an effort to pressure the medical center into paying the ransom. The Hive ransomware gang has attacked multiple healthcare providers in the past few weeks, including Memorial Health System.

Missouri Delta Medical Center engaged the services of a leading forensic security firm to investigate the attack and determine the nature and scope of the breach. The medical center was later notified by a third party that some patient data had been stolen and published online. According to the post on the Hive gang’s data leak site, the names, addresses, phone numbers, dates of birth, Social Security numbers, sex/race, next of kin details, diagnoses, and financial information of 95,000 individuals was stolen in the attack. That information was contained in 400 GB of files that were exfiltrated prior to file encryption.

Missouri Delta Medical Center said the attack has not affected its ability to provide care for patients. The investigation into the cyberattack is ongoing but at this stage it appears that its electronic medical record system was not affected.

“We apologize for any inconvenience this incident may have caused, and are taking steps to increase our security and reduce the risk of a similar incident occurring in the future. We remain focused on continuing to serve our community,” said Missouri Delta Medical Center.

The post Ransomware Gangs Attack Missouri Delta Medical Center and Barlow Respiratory Hospital appeared first on HIPAA Journal.

The Alaska Department of Health and Social Services (DHSS) is about to start mailing notification letters to all individuals in the state telling them their personal and health information may have been compromised in a highly sophisticated cyberattack conducted by a nation state threat actor.

The cyberattack was detected on May 2, 2021 and the DHSS was notified about the attack on May 5, and was advised to shut down its systems immediately to prevent further unauthorized access. Details of when the hackers first gained access to DHSS systems has not been released, but it is known that Advanced Persistent Threat (APT) actors had access to DHSS systems for at least 3 days.

The DHSS has previously reported the security incident and issued an update about the breach in August. The latest update, on September 16, explains the potential impact the attack will have on Alaskans. In the latest update, the DHSS said notifications were delayed so as not to interfere with the criminal investigation into the attack.

The cyberattack was extensive and caused major disruption. Some IT systems affected remain offline, including the websites of many divisions. Temporary web pages have been used to host critical information until the websites can be restored. It is not yet known when all systems will be brought back online. The department’s IT infrastructure is complex, so the recovery process is taking a long time.

The cybersecurity firm Mandiant was engaged to conduct a forensic investigation into the cyberattack. In an August update, the DHSS said hackers had exploited a website vulnerability which allowed them to gain access to DHSS data. “This was not a ‘one-and-done’ situation, but rather a sophisticated attack intended to be carried out undetected over a prolonged period. The attackers took steps to maintain that long-term access even after they were detected,” said DHSS Technology Officer Scott McCutcheon.

All data stored on DHSS infrastructure at the time of the attack is presumed to have been compromised and could potentially be misused, which means the personal and health data of more than 700,000 individuals has likely been breached.

DHSS is currently unaware which information has been accessed or stolen, but it likely includes names, dates of birth, Social Security numbers, phone numbers, addresses, driver’s license numbers, internal identifying numbers (including case reports, protected service reports, Medicaid etc.), health information, financial information and historical information concerning any interactions with the DHSS.

“DHSS urges all Alaskans who have provided data to DHSS, or who may have data stored online with DHSS, to take actions to protect themselves from identity theft,” explained the DHSS in its breach notice.  The DHSS says it is providing free credit monitoring services to “any concerned Alaskan” as a result of the cyberattack, and a code for signing up for those services is being provided in the breach notification letters, which will be mailed between September 27, 2021 and October 1, 2021.

This is a breach of both the Health Insurance Portability and Accountability Act (HIPAA) and the Alaska Personal Information Protection Act (APIPA).

“DHSS is continuing work to further strengthen its processes, tools and staff to be more resilient to future cyberattacks,” said DHSS Chief Information Security Officer Thor Ryan. “Recommendations for future security enhancements are being identified and provided to state leadership.”

It is not the first time that a data breach has affected all state residents. In January 2019, around 700,000 Alaskans were notified by DHSS about a hacking incident that exposed their personal data. In that incident, the Zeus Trojan had been installed on its network in June 2018.

The post Alaska DHSS Says May 2021 Cyberattack Impacts All Alaskans appeared first on HIPAA Journal.

Wilmington, DE-based Simon Eye Management has suffered a breach of its email environment and hackers potentially gained access to the protected health information of 144,373 patients.

Simon Eye identified suspicious activity in certain employee email accounts on or around June 8, 2021. Action was immediately taken to secure the accounts and prevent further unauthorized access, and an investigation was launched to determine the nature and scope of the breach. Assisted by third -party security experts, Simon Eye determined that unauthorized individuals gained access to employee email accounts between May 12 and May 18, 2021.

The incident was an attempted business email compromise (BEC) attack, where employee email accounts are compromised and used in a scam to trick employees into making fraudulent wire transfers, in this case through the manipulation of invoices. Simon Eye said none of the attackers’ attempts were successful.

While gaining access to patient data did not appear to be the goal of the attackers, the email accounts they were able to access did contain patients’ protected health information and it is possible PHI was viewed or obtained in the attack. Simon Eye found no evidence indicating any patient information was viewed or stolen, and there have been no reported cases of actual or attempted misuse of patient data as a result of the cyberattack.

A comprehensive review was conducted to identify patients whose PHI was contained in emails and email attachments. The review confirmed the following types of patient data were present in the accounts: name, medical history, treatment/diagnosis information, health information, health insurance information, and insurance application and/or claims information. A subset of individuals also had their Social Security number, date of birth, and/or financial account information exposed.

Simon Eye has implemented additional data security protocols to enhance email security and is in the process of verifying the contact information of all affected patients. Notification letters will be mailed to those individuals in due course.

The post Hacked Simon Eye Management Email Accounts Contained PHI of More than 144,000 Patients appeared first on HIPAA Journal.