HIPAA Breach News

TX: Denton County Discovers COVID-19 Application Leaked Data of 346,000 Individuals

Denton County in Texas has discovered that a vulnerability in a third-party provider application used in connection with individuals’ personal health information has potentially been exploited by unauthorized individuals. The application was used at COVID-19 vaccination clinics in the County, and contained information such as names, dates of birth, email addresses, phone numbers, and COVID-19 vaccination information.

The vulnerability, discovered by Denton County officials on July 7, 2021, meant the information in the application database was accessible by anonymous users. When the flaw was discovered, the application was immediately shut down and an investigation was launched to determine the extent of the issue and whether any unauthorized individuals had exploited the flaw to gain access to sensitive data.

Denton County confirmed that an error had been made configuring the application which exposed data to unauthorized individuals. While no evidence was found to indicate any actual or attempted misuse of individuals’ protected health information, it was not possible to rule out unauthorized access to the underlying database.

A time-consuming, comprehensive review was conducted to determine which individuals had been affected. Only the above information had been exposed. Sensitive data such as Social Security numbers, driver license numbers, and financial account information were not used in connection with the application.

Denton County, assisted by the third-party application provider, has now implemented additional safeguards to ensure the security of the application and the personal and protected health information of County residents.

The nature of the exposed data does not put individuals at a high risk of identity theft or fraud; however, the County has advised all affected individuals to remain vigilant and to review their account statements and credit reports for suspicious activity.

Initially, it appeared that around 1.2 million individuals had been affected, but a review confirmed many exposed files were duplicates. The breach has now been reported to the Department of Health and Human Services’ Office for Civil Rights as affecting 326,417 individuals.

The post TX: Denton County Discovers COVID-19 Application Leaked Data of 346,000 Individuals appeared first on HIPAA Journal.

CareATC Email Accounts Accessed by Unauthorized Individuals

CareATC, a Tulsa, OK-based population health management company, has discovered the email accounts of two employees have been accessed by unauthorized individuals, who potentially gained access to the personal information of patients and employees.

CareATC launched an investigation on June 29, 2021 when suspicious activity was detected in the email account of an employee. Third-party forensics specialists were engaged to assist with the investigation and determine the extent and scope of the security breach. That investigation revealed a second email account had also been compromised, with the two email accounts subject to unauthorized access between June 18 and June 29, 2021.

Upon discovery of the compromised email accounts, steps were taken to block any further unauthorized access, and a comprehensive review was conducted to determine which patient data had been exposed. The review was completed around August 11, 2021.

For the majority of affected individuals – which include patients, employees, and dependents of patients and employees – the information in the compromised email accounts was limited to names and dates of birth. Other individuals also had one or more of the following data elements exposed in addition to their name: Social Security number, driver’s license number, date of birth, financial account information, medical history and treatment information, health insurance information, passport number, US Alien Registration number, electronic/digital signature, and username and password.

Notifications have now been sent to affected individuals for whom valid mailing addresses were maintained. CareATC has been working with third-party cybersecurity specialists to improve email security, and steps have already been taken to strengthen the security of its email system. CareATC also said employees have been provided with additional email security training.

The breach summary on the Department of Health and Human Services’ Office for Civil Rights breach portal indicates 98,774 patients were affected by the breach.


Outpatient Facilities Targeted by Cyber Actors More Frequently Than Hospitals

A new analysis of breach reports submitted to the Department of Health and Human Services’ Office for Civil Rights has revealed outpatient facilities and specialty clinics have been targeted by cyber threat actors more frequently than hospital systems in the first 6 months of 2021.

Researchers at Critical Insight explained in their 2021 Healthcare Data Breach Report that cybercriminals have changed their targets within the healthcare ecosystem and are now focusing on outpatient facilities and business associates more often than hospitals and health insurers.

While large health systems are naturally attractive targets for cybercriminals, smaller healthcare organizations tend to have weaker security defenses, can be attacked more easily, and are low-hanging fruit for hackers. The potential profits from the attacks may be lower, but so too is the effort to gain access to their networks and sensitive data.

“It is no secret as to why hackers are showing interest. Electronic protected health information (ePHI) is worth more than a credit card number or social security number. Scammers can monetize it in a myriad of ways, from selling it on the dark web to filing fraudulent insurance claims,” explained the researchers in the report. “It does not help that many health organizations use devices that run on operating systems that are out-of-date, and many devices were not designed with cybersecurity in mind.”

The researchers confirmed healthcare data breaches are now occurring at almost twice the level of 2018, with data breaches attributed to hacking and IT incidents occurring at almost three times the level of the first half of 2018. In the first half of 2021, 70% of all healthcare data breaches of 500 or more records that were reported to the HHS’ Office for Civil Rights were hacking/IT incidents.

There has been a slight decline in the number of reported data breaches from the last 6 months of 2020, but that does not indicate cyberattacks are falling, as in the last half of 2020 the breach reports submitted to the HHS’ Office for Civil Rights included many breach notices submitted by organizations affected by the data breach at business associate Blackbaud. The number of reported breaches in the first half of 2021 is higher than the first 6 months of last year, and the trend for increasing numbers of data breaches being reported every year looks set to continue.

There has been a major increase in the number of cyberattacks on business associates of HIPAA covered entities, which now account for 43% of all reported healthcare data breaches. In the first 6 months of 2021, there were 141 data breaches reported by business associates of HIPAA-covered entities. By comparison, there were only 66 data breaches reported by business associates in the last 6 months of 2019. “As these and other third-party breaches continue to make the news, it demonstrates that attackers are paying more attention to this ecosystem of vendors as a vulnerable link in the cybersecurity chain,” explained the researchers.

Cybercriminals are unlikely to stop attacking healthcare organizations as the attacks are profitable. It is up to healthcare organizations and their business associates to improve their defenses against cyber actors. The Critical Insight researchers have made several recommendations, including assessing third-party risk more accurately, regularly reviewing business associate agreements and ensuring they clearly define roles and responsibilities, implementing more comprehensive protections against ransomware and phishing attacks, strengthening access controls, and practicing basic security hygiene.


600,000 DuPage Medical Group Patients Notified About PHI Breach

DuPage Medical Group, the largest independent physician group in the state of Illinois, has started notifying approximately 600,000 patients about a security breach in which their personal and protected health information may have been compromised.

DuPage Medical Group identified suspicious activity in its computer network on July 13, 2021 and engaged cyber forensic specialists to conduct an investigation to determine the full nature and scope of the breach. They determined unauthorized actors had gained access to its IT systems on July 12 and access remained possible until the breach was detected on July 13 and its network was secured.

A comprehensive review was conducted of all files on the systems that were accessible to the hackers and, on August 17, 2021, DuPage Medical Group confirmed that files containing patient information had potentially been impacted.

The types of information potentially compromised in the security breach varied from patient to patient and may have included the following data elements: Names, addresses, dates of birth, diagnosis codes, Current Procedural Terminology (CPT) codes, and treatment dates. The Social Security numbers of a small subset of patients were affected, but no financial information was exposed.

DuPage Medical Group said the forensic investigation uncovered no evidence to suggest any information stored on the affected systems has been subject to actual or attempted misuse as a result of the security incident; however, as a precaution against identity theft and fraud, complimentary credit monitoring and identity theft protection services are being offered to all individuals affected by the breach.

The exact nature of the cyberattack was not disclosed so it is unclear if the attackers attempted to deploy ransomware. DuPage Medical Group said the security breach “caused a disruption to network systems” and resulted in a “network outage.”

DuPage Medical Group said it has reviewed its existing security measures and has already implemented additional cybersecurity protections to reduce the risk of further cyberattacks, and will “improve every aspect of our technology roadmap to better serve patients.”


San Andreas Regional Center Victim of Ransomware Attack

San Andreas Regional Center in San Jose, CA has started notifying patients that their PHI may have been compromised in a July 2021 ransomware attack.

On July 5, its networks and servers were taken out of action as a result of the attack. Steps were rapidly taken to remediate the attack and third-party computer forensics experts were engaged to investigate the breach, determine how access to its systems was gained, and to discover the extent to which patient data had been affected.

The initial investigation into the ransomware attack was concluded on August 2, 2021, when it was confirmed that the attackers had gained access to parts of the network where patients’ protected health information was stored and certain files stored on its servers that contained patient data had been exfiltrated by the attackers prior to the use of ransomware. It was not possible to determine any specific patient information that was stolen by the attackers.

At the time of issuing notification letters to affected patients, San Andreas Regional Center had not identified any instances of attempted or actual misuse of patient data. A review of all files accessible to the attackers confirmed the following types of patient data were potentially compromised in the attack: First and last names, addresses, dates of birth, telephone numbers, Social Security numbers, email addresses, health plan beneficiary numbers, health insurance information, full-face photos and/or comparable images, UCI (unique identifying number or code generated by SARC for patients), medical information, diagnoses, disability codes, and other certificate/license numbers.

Policies and procedures are being updated, employees have received further cybersecurity training, and additional cybersecurity safeguards are being implemented to strengthen security. Complimentary credit monitoring and identity theft protection services are being offered to affected individuals.

The breach has been reported to the HHS’ Office for Civil Rights but the incident is not yet showing on the OCR breach portal, so it is currently unclear how many patients have been affected.


48,000 Individuals Affected by Ransomware Attack on CarePointe ENT

The Merrillville, IN-based ear, nose, and throat specialist, CarePointe ENT, has announced it suffered a ransomware attack on June 25, 2021 which resulted in the encryption of files on its network. Some of the files encrypted in the attack are known to include the personal and protected health information of its patients.

It is common in ransomware attacks for sensitive data to be exfiltrated prior to the use of ransomware to encrypt files. The main purpose of data exfiltration is to pressure victims into paying the ransom. CarePointe said it believes the attack was conducted with the sole purpose of extorting money from the practice, not to steal patient data. No reports have been received which suggest any patient data have been misused as a result of the cyberattack, although after thoroughly investigating the attack it was not possible to rule out the possibility that patient data had been viewed by the attackers.

CarePointe said it has taken steps to reduce the likelihood of further cyberattacks, with the additional measures implemented including enhancing its threat detection capabilities and restricting remote access to its systems. Affected patients have been advised to obtain a free credit report and to check the report for signs of misuse of their personal and protected health information, and also to consider placing a fraud alert on their credit reports.

A review of the systems accessible to the attackers confirmed the following types of patient data may have been compromised: Name, address, date of birth, Social Security number (if provided to CarePointe), medical insurance information, and related health information.

The ransomware attack has been reported to the Department of Health and Human Services’ Office for Civil Rights as affecting up to 48,742 individuals.


PHI of 9,800 Patients of Atlanta Allergy & Asthma Exposed in Cyberattack

Atlanta Allergy & Asthma has started notifying 9,851 patients about a January 2021 cyberattack in which their protected health information was exposed and potentially compromised. Atlanta Allergy & Asthma said its investigation into the breach determined hackers had access to its network between January 5 and January 13, 2021. Upon discovery of the breach, steps were immediately taken to kick the unauthorized individuals out of its network and mitigate against any potential harm.

Atlanta Allergy & Asthma engaged third party cybersecurity professionals to determine the nature and scope of the breach, with the investigation confirming the attackers had access to parts of the network where documentation was stored that included protected health information.

A comprehensive review was conducted of those documents. Atlanta Allergy & Asthma said it was confirmed on July 8, 2021 that the following types of information had potentially been compromised: Names, dates of birth, Social Security numbers, financial account numbers and/or routing numbers, diagnoses, treatment information and costs, procedure types, provider names, treatment location, dates of service, patient account numbers and/or health insurance information.

Atlanta Allergy & Asthma said it is not aware of any attempted or actual misuse of patient data as a result of the breach. Starting on August 20, 2021, letters were sent to affected individuals to alert them to the exposure of their patient data to allow them to take steps to protect against identity theft and fraud, including availing of the credit monitoring and identity protection services that are being offered free of charge to affected patients.

Atlanta Allergy & Asthma said it continuously evaluates its cybersecurity practices and internal controls and will be taking steps to enhance the security and privacy of patient data.

Atlanta Allergy & Asthma did not disclose the exact nature of the cyberattack in its breach notification letter; however, DataBreaches.net obtained evidence that this was a ransomware attack by the Nefilim ransomware threat group, and that sensitive data were stolen in the attack. Some of the stolen files contained patient information and 2GB of stolen data were dumped on the Nefilim data leak site in March 2021.


Metro Infectious Disease Consultants Reports 172,000-Record Data Breach

Metro Infectious Disease Consultants is notifying 171,740 patients about an email security incident discovered on June 24, 2021. An unauthorized individual was found to have gained access to certain employees’ email accounts which contained the protected health information of patients.

Upon discovery of the security breach, steps were immediately taken to secure the accounts to prevent further access and Metro Infectious Disease Consultants engaged a computer forensics firm to determine the extent and scope of the breach. The investigation confirmed the breach was confined to its email environment and that the compromised email accounts contained patient data such as names, addresses, dates of birth, account numbers, insurance information, prescription information, limited clinical information, Social Security numbers, and driver’s license numbers. The types of data in the account varied from individual to individual.

Metro Infectious Disease Consultants has sent notification letters to all individuals affected by the breach and complimentary credit monitoring and identity theft protection services have been offered to all individuals whose Social Security number or driver’s license number was exposed in the incident.

Metro Infectious Disease Consultants said it has no reason to believe that anyone’s personal information has been misused, or that the unauthorized party that accessed the account viewed or acquired patient data; however, as a precaution, affected individuals have been advised to regularly monitor their credit reports, account statements and explanation of benefit statements for suspicious activity.

The computer forensics firm analyzed the cybersecurity defenses of Metro Infectious Disease Consultants and made recommendations to enhance security, which are being implemented to prevent further data breaches.


South Florida Community Care Plan Notifies Patients About Insider Email Breach

South Florida Community Care Plan has discovered a former employee sent internal documents containing the protected health information of plan members to a personal email account. The breach was discovered on June 21, 2021 during a review of the former employee’s email account.

An investigation was launched into the unauthorized activity which determined on June 21, 2021 that the documents contained the following types of plan member information: Names, addresses, dates of birth, member identification numbers, primary care physician names, diagnoses, procedure billing codes, approved services, and/or procedure types.

The sending of plan members’ information to personal email accounts is a violation of South Florida Community Care Plan policies; however, no evidence was found to indicate the information was sent outside the scope of the former employee’s employment.

South Florida Community Care Plan said data security is one of its top priorities and steps were taken to prevent unauthorized data access and exfiltration. The employee’s email and login credentials were revoked at the time employment came to an end, a full audit was conducted into the activities of the employee within the IT system, and all company-issued equipment was recovered. A further audit was then conducted into the employee’s actions while employed at CCP to ensure there were no other instances of unauthorized activity.

All individuals affected by the incident have now been notified and, as a precaution against identity theft and fraud, have been provided with complimentary credit monitoring services. Affected individuals have been advised to monitor their accounts and credit reports over the next 12-24 months for any signs of suspicious activity.

The data breach has been reported to the Department of Health and Human Services’ Office for Civil Rights. The report is not yet showing on the breach portal, so it is currently unclear how many individuals have been affected.
