HIPAA Breach News

Einstein Healthcare Network Facing Class Action Lawsuit over 2020 Phishing Attack

The Philadelphia-based health system, Einstein Healthcare Network, is facing a class action lawsuit over an August 2020 phishing attack that resulted in multiple employee email accounts being accessed by an unauthorized individual.

Einstein Healthcare is a non-profit health system that operates four hospitals – Einstein Medical Center Philadelphia, Elkins Park Hospital, MossRehab in Elkins Park, and Einstein Medical Center Montgomery – and multiple outpatient and primary care clinics throughout the greater Philadelphia area.

The investigation into the breach determined the email accounts were subjected to unauthorized access for 12 days between August 5 and August 17, 2020. A review of the compromised email accounts revealed they contained the protected health information of 353,616 patients, including names, dates of birth, account/medical record numbers, medical information such as diagnosis and treatment information and, for some individuals, Social Security numbers and health insurance information.

Patients affected by the breach were notified by mail starting October 9, 2020, while the incident was still being investigated. Further notifications were sent between January 21 and February 8, 2021, when it became clear that more individuals had been affected.

Following the breach, the health system implemented additional security measures to prevent further breaches and retrained the workforce on how to identify suspicious emails. Individuals whose Social Security number was exposed were offered complimentary credit monitoring and identity theft protection services for 12 months.

The lawsuit was filed by law firm Morgan & Morgan with Einstein Healthcare patient Nanette Katz of Blue Bell, PA, named as lead plaintiff. The lawsuit alleges Einstein Healthcare failed to secure and safeguard the protected health information of patients and had not implemented or followed basic security procedures. As a result of that alleged negligence, the complaint says, sensitive patient information is now in the hands of cybercriminals and patients face a substantial risk of identity theft, and have had to spend, and will continue to spend, significant time and money protecting themselves against identity theft and fraud.

The lawsuit also alleges the healthcare provider failed to provide timely notifications to patients, with the lead plaintiff first receiving notification about the breach in January 2021, more than 6 months after the breach and alleged theft of her PHI. The lawsuit says the breach response was “untimely and woefully deficient, failing to provide basic details concerning the data breach.”

The lawsuit seeks monetary damages for the patient and class members, requests the courts order the health system to fully disclose details of the nature and extent of data compromised, and requires the health system to implement reasonably sufficient safeguards to prevent further data breaches in the future.

It is now relatively common for patients affected by data breaches to take legal action when their personal and protected health information is exposed or stolen; however, for these cases to succeed, victims of the data breach generally need to provide evidence that they have suffered harm. Many lawsuits are dismissed as the claims are deemed too speculative.

The nature of the harm and injuries suffered must also be sufficient to warrant damages. A lawsuit filed by a victim of an Envision Healthcare data breach, Pruchnicki v. Envision Healthcare Corp., was recently dismissed by the U.S. Court of Appeals for the Ninth Circuit.

In that case, the alleged harm and injuries were time spent dealing with the breach; stress, nuisance, and annoyance from dealing with its aftereffects; worry, anxiety, and hesitation when applying for new credit cards; imminent and impending injury from potential fraud and identity theft; and diminution in the value of the plaintiff's personal and financial information. The allegations of harm were sufficient for the District Court for standing purposes but were insufficient for compensable damages to be awarded.

The post Einstein Healthcare Network Facing Class Action Lawsuit over 2020 Phishing Attack appeared first on HIPAA Journal.

PHI of 31,000 Individuals Potentially Compromised in River Springs Health Plans Phishing Attack

An unauthorized individual gained access to the email account of an employee of River Springs Health Plans and installed malware which potentially allowed the contents of the email account to be exfiltrated. The employee responded to the phishing email on September 14, 2020. The malware was detected and removed the following day and the email account was secured.

A leading forensics firm was retained to assist with the investigation and determine whether any sensitive information was accessed or obtained by the attackers. No evidence was found which suggested any member data had been exfiltrated, but data theft could not be ruled out. A comprehensive review of the affected account revealed on February 17, 2021 that the protected health information of 31,195 River Springs Health Plans members was stored in the email account.

The types of information in the account varied from individual to individual and may have included the following information: First and last names, dates of birth, member ID, Medicare ID, Medicaid ID, Social Security number, and references to medical information such as healthcare provider information. No financial information was compromised.

River Springs Health Plans has taken steps to improve email security and has reeducated the workforce on phishing email identification and reporting suspicious emails. Affected individuals have now been notified and complimentary credit monitoring services have been offered.

Health Center Partners of Southern California Impacted by Netgain Ransomware Attack

Health Center Partners of Southern California (HCP) has confirmed it has been affected by a ransomware attack on its IT service provider, Netgain Technology LLC.

HCP provides support to community health centers in Southern California which requires access to patient information, some of which was stored on systems that were affected by the September 2020 ransomware attack. Netgain’s investigation confirmed that between October 22, 2020 and December 3, 2020, files containing protected health information were obtained by the attacker, including files containing HCP data.

Netgain paid the ransom to prevent further disclosure of the stolen data and received assurances that the attackers had deleted the data. Such assurances cannot be verified, so the dark web is being scanned and hacking forums monitored to identify any exposure of the data. HCP said in its breach notice that there is no reason to believe any data stolen in the attack will be misused but, as a precaution, affected individuals have been offered complimentary identity protection services through IDX.

The post PHI of 31,000 Individuals Potentially Compromised in River Springs Health Plans Phishing Attack appeared first on HIPAA Journal.

Wyoming Department of Health Announces GitHub Data Breach Affecting 164,000 Individuals

The Wyoming Department of Health (WDH) has discovered that the protected health information of 164,021 individuals was accidentally exposed online due to an error by a member of its workforce.

On March 10, 2021, WDH discovered an employee had uploaded files containing medical test result data to private and public repositories on the software development platform GitHub. GitHub's own access controls protect private repositories, but the files the employee placed in public repositories were readable by anyone, so the data could potentially have been accessed by unauthorized individuals from January 8, 2021.

In total 53 files were uploaded to the platform that included COVID-19 and influenza test result data, along with one file that contained breath alcohol test results. The exposed information included patient IDs, dates of birth, addresses, dates of service, and test results. The COVID-19 test result data had been reported to WDH for Wyoming residents, although the tests themselves may have been performed anywhere in the United States between January 2020 and March 2021. The alcohol test results related to tests performed by law enforcement in Wyoming between April 19, 2012 and January 27, 2021.

“While WDH staff intended to use this software service only for code storage and maintenance rather than to maintain files containing health information, a significant and very unfortunate error was made when the test result data was also uploaded to GitHub.com,” said WDH Director Michael Ceballos. “We are taking this situation very seriously and extend a sincere apology to anyone affected. We are committed to being open about the situation and to offering our help.”

The files have been removed from GitHub and GitHub has confirmed that the files have been removed from its servers. Removal from GitHub does not retrieve any clones or copies made while the repositories were public, which is why affected individuals are being notified. WDH has taken steps to prevent similar exposures of protected health information in the future, including prohibiting the use of GitHub and other public repositories and retraining its workforce.

While no Social Security numbers, financial information, or health insurance information was involved, out of an abundance of caution, WDH has offered affected individuals complimentary identity theft protection services through IdentityForce, which includes advanced credit and dark web monitoring and an identity theft insurance policy.

This is the second GitHub-related breach to be announced in the past few weeks. Earlier this month, Med-Data confirmed that the protected health information of patients of some of its clients had been accidentally uploaded to GitHub repositories and an investigation by researcher Jelle Ursem and databreaches.net in 2020 identified many cases where healthcare data had been exposed on the platform.
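Both the WDH and Med-Data incidents involved data files committed alongside code. A technical control that catches this before a push is a scan of the files about to be committed for PHI-like content. The following is an added example, not code from WDH, Med-Data, or HIPAA Journal: the column names and the sample files are constructed for illustration, and the detection patterns are deliberately narrow (formatted SSNs and ISO dates) to keep false positives low.

```python
"""Flag PHI-like content in files before they reach a shared code repository.

Added illustration only; the column names, patterns and sample files below
are assumptions for demonstration and do not describe WDH's actual data.
"""
import re
from typing import Dict, List, Set

# Header columns typical of an exported test-result dataset (assumption).
# Two or more of these in a file's first line is treated as a PHI record layout.
PHI_COLUMNS: Set[str] = {
    "patient_id", "dob", "date_of_birth", "address",
    "date_of_service", "test_result", "ssn",
}

# Direct-identifier patterns. The SSN pattern rejects invalid area/group/serial
# ranges; the date pattern only matches ISO dates with a 19xx/20xx year.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "date": re.compile(r"\b(?:19|20)\d{2}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12]\d|3[01])\b"),
}


def header_columns(text: str) -> Set[str]:
    """Normalise the first line of a file as a set of CSV column names."""
    first = text.splitlines()[0] if text.strip() else ""
    return {c.strip().lower().replace(" ", "_") for c in first.split(",")}


def scan_text(path: str, text: str) -> List[str]:
    """Return human-readable findings for one file (empty list if clean)."""
    findings: List[str] = []
    hits = header_columns(text) & PHI_COLUMNS
    if len(hits) >= 2:
        findings.append(f"{path}: header has PHI-like columns {sorted(hits)}")
    for name, pattern in PATTERNS.items():
        count = len(pattern.findall(text))
        if count:
            findings.append(f"{path}: {count} {name}-like value(s)")
    return findings


def scan_files(files: Dict[str, str]) -> List[str]:
    """Scan a mapping of path -> contents, as a pre-commit hook would receive."""
    findings: List[str] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def should_block(files: Dict[str, str]) -> bool:
    """True when the commit should be refused pending human review."""
    return bool(scan_files(files))


# Constructed sample of a staged change: one source file, one exported
# results file that should never have been staged, and a stray note.
CONSTRUCTED_FILES: Dict[str, str] = {
    "src/loader.py": (
        "import csv\n\n"
        "def load(path):\n"
        "    with open(path) as f:\n"
        "        return list(csv.DictReader(f))\n"
    ),
    "data/results_export.csv": (
        "patient_id,dob,address,date_of_service,test_result\n"
        "P-10001,1980-04-12,12 Elm St Cheyenne WY,2021-02-03,positive\n"
        "P-10002,1975-11-30,9 Oak Ave Laramie WY,2021-02-04,negative\n"
    ),
    "notes/todo.txt": "Call payer re: claim, SSN on file 123-45-6789\n",
}


if __name__ == "__main__":
    for line in scan_files(CONSTRUCTED_FILES):
        print(line)
    print("blocked" if should_block(CONSTRUCTED_FILES) else "clean")
```

Wired into a Git pre-commit hook, the file list would come from `git diff --cached --name-only` and the hook would exit non-zero when `should_block` returns True; a block is a prompt for review, not proof of PHI, since dates of service and other legitimate values also match. The control complements, rather than replaces, the policy decision WDH made to keep data files off code-hosting platforms altogether.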

The post Wyoming Department of Health Announces GitHub Data Breach Affecting 164,000 Individuals appeared first on HIPAA Journal.

Ransom Payment Increase Driven by Accellion FTA Data Exfiltration Extortion Attacks

The increase in ransomware attacks in 2020 has continued in 2021 with healthcare one of the most targeted industries, according to the latest Coveware Quarterly Ransomware Report. Healthcare ransomware attacks accounted for 11.6% of all attacks in Q1, 2021, on a par with attacks on the public sector and second only to attacks on firms in professional services (24.9%).

While ransom demands declined in Q4, 2020, that trend abruptly stopped in Q1, 2021, with the average ransom payment increasing by 43% to $220,298 and the median ransom payment up 59% to $78,398. The increase in payments was driven not by file-encrypting ransomware attacks but by data exfiltration extortion attacks by the Clop ransomware gang.

The Clop ransomware gang exploited two zero-day vulnerabilities in the Accellion legacy File Transfer Appliance, exfiltrated customers’ data, then threatened to publish the stolen data if the ransom was not paid. When victims refused to pay, the stolen data were leaked on the Clop ransomware data leak site.

These attacks show that file encryption is not always necessary, with the threat of publication of stolen data often sufficient to ensure payment is made. Coveware notes that while exploitation of the vulnerabilities allowed data on the appliance to be exfiltrated, it did not give the attackers the foothold needed to deploy ransomware across victims' networks; had it done so, ransomware would most likely have also been used in the attacks.

The Clop ransomware gang was particularly active in Q1, 2021. The group often attacks large enterprises and demands huge ransoms and, like many other ransomware gangs, steals data prior to file encryption and threatens to expose that data if payment is not made. These double extortion tactics have become the norm and most ransomware attacks now involve data exfiltration. In Q1, 77% of ransomware attacks involved data exfiltration, up from 70% in Q4, 2020.

Ransomware victims may have no choice other than paying the ransom if they are unable to recover encrypted data from backups, but there are risks associated with paying the ransom demand, especially when paying to prevent a data leak. There is no guarantee that the data will be destroyed; it could still be traded or sold to other threat groups after payment is made. Exfiltrated data may also be stored in multiple locations, so even if the threat actor destroys its copy, third parties may still hold one. Coveware notes that while data exfiltration has increased, a growing number of ransomware victims are electing not to give in to the attackers' demands and are refusing to pay to prevent a data leak, for these and other reasons.

“Over hundreds of cases, we have yet to encounter an example where paying a cybercriminal to suppress stolen data helped the victim mitigate liability or avoid business / brand damage.” – Coveware.

Many RaaS operations have increased the number of attacks by recruiting more affiliates, but some RaaS operations have struggled to scale up their operations. The Conti gang outsourced their chat operations which made negotiations and recoveries more difficult. The Lockbit and BlackKingdom gangs experienced technical difficulties which resulted in permanent data loss for some of their victims, and even the most prolific ransomware operation – Sodinokibi – experienced problems matching encryption keys with victims resulting in permanent data loss.

These technical problems show that even ransomware operations that intend to provide the keys to decrypt data are not always able to. Coveware also observed a worrying trend where ransomware gangs deliberately disrupt recovery after the ransom is paid. The Lockbit and Conti gangs were observed attempting to steal more data during the recovery phase and even attempting to re-launch their ransomware after victims have paid. Coveware notes that this kind of disruption was rare in 2020, but it is becoming more common. Technical issues and disruption to the recovery process have contributed to an increase in downtime due to an attack, which is up 10% in Q1 to 23 days.

In Q4, email phishing became the most common method of ransomware delivery, but compromised Remote Desktop Protocol connections are once again the most common method of gaining access to victim networks. Phishing is still commonly used and is the method of attack favored by the Conti ransomware gang, the second most prevalent ransomware operation in Q1.

Exploitation of software vulnerabilities also increased, with unpatched vulnerabilities in Fortinet and Pulse Secure VPN appliances the most commonly exploited flaws. Coveware believes the majority of ransomware-as-a-service operators and affiliates do not exploit software vulnerabilities themselves; instead they pay specialist initial-access brokers for access to already compromised networks. According to Coveware, those access brokers mostly target smaller organizations, while RDP compromise remains the most common method of attack against larger organizations.

The post Ransom Payment Increase Driven by Accellion FTA Data Exfiltration Extortion Attacks appeared first on HIPAA Journal.

Phishing Attack on Home Medical Equipment Provider Affects 153,000 Individuals

The protected health information of 153,013 individuals has potentially been compromised in an email security breach at HME Specialists LLC, dba Home Medical Equipment Holdco.

HME Specialists discovered suspicious activity in its email system and immediately secured all affected accounts and engaged a specialist cybersecurity company to conduct a forensic investigation to determine the extent and nature of the breach. The cybersecurity firm confirmed on March 11, 2021 that certain compromised email accounts contained protected health information and that the accounts had been accessed by unauthorized individuals between June 24 and July 14, 2020.

The accounts contained information such as names, dates of birth, diagnosis and/or other clinical information and, for a smaller number of individuals, Social Security numbers, driver's license numbers, credit card numbers, account information, and usernames and passwords. No specific evidence was found to suggest any information in the compromised accounts was acquired by the attackers or has been misused.

Affected individuals for whom a current address was held have been notified by mail and advised to monitor their financial accounts and explanation of benefits statements for signs of fraudulent activity. Complimentary credit monitoring services have been offered to all individuals whose Social Security numbers were exposed.

Additional technical safeguards have now been implemented for employee email accounts including multifactor authentication, and further training has been provided to the workforce to raise awareness of the risks of malicious emails.

Sapphire Community Health Suffers Ransomware Attack

Sapphire Community Health in Hamilton, MT has experienced a ransomware attack in which the protected health information of 4,000 patients was potentially compromised. The attack was discovered on February 18, 2021 when staff were prevented from accessing files. Information systems were shut down to limit the damage caused and appropriate scanning and restoration steps were taken.

The medical record system was unaffected, but some of the encrypted files contained patient data such as names, addresses, and dates of birth and, for a limited number of individuals, financial account information and/or Social Security numbers.

An investigation into the attack found no evidence to suggest any patient information was exfiltrated by the attackers prior to the use of ransomware. All affected individuals have now been notified and additional security safeguards have been implemented to prevent further attacks.

The post Phishing Attack on Home Medical Equipment Provider Affects 153,000 Individuals appeared first on HIPAA Journal.

Several Healthcare Providers Postpone Radiation Treatments Due to Cyberattack on Software Vendor

The Swedish radiation oncology systems provider Elekta is recovering from a cyberattack that forced it to take its first-generation cloud-based storage systems offline on April 20, 2021. While the company has confirmed it suffered a security breach, details about the exact nature of the attack have yet to be released. It is unclear what type of malware was used in the attack, but ransomware is suspected. The cloud-based system was taken offline to contain the threat.

Elekta said only a subset of customers in the United States that use its software have been affected and are experiencing a service outage as a result of the cloud-based systems being taken offline. Elekta is in the process of migrating those customers to its new Microsoft Azure cloud and the company is working around the clock to complete that process. All affected customers have been notified; however, few details about the incident have been made public so as not to compromise the internal and law enforcement investigations, but Elekta reports that the threat has now been fully contained.

Connecticut-based Yale New Haven Health is one of the U.S. healthcare providers affected by the incident. The cyberattack on Elekta forced Yale New Haven Health to take its radiation therapy equipment offline until the issues are resolved, as the equipment cannot operate without the cloud-based software. Systems have been offline for more than a week and some cancer patients have been transferred to other healthcare providers to continue their treatments.

Other healthcare providers known to have been affected include Southcoast Health in Massachusetts, Lifespan Cancer Institute in Rhode Island, and Rhode Island Hospital. Those healthcare providers have postponed radiation treatments for cancer patients until the issues are resolved.

Elekta issued a statement saying no evidence has been found to indicate any data were extracted or copied. Elekta said around 170 customers in the United States that use its first-generation cloud system have experienced service disruptions to one or more of their products.

The post Several Healthcare Providers Postpone Radiation Treatments Due to Cyberattack on Software Vendor appeared first on HIPAA Journal.

Manquen Vance Email Breach Impacts 7,018 Patients

The Michigan-based group health plan broker and consultancy firm Manquen Vance – formerly Cornerstone Municipal Advisory Group – is alerting 7,018 individuals about a potential breach of their personal and health information.

An investigation was launched on November 16, 2020, when the firm identified suspicious activity in the email account of an employee. Manquen Vance determined that the account was accessed by unauthorized individuals between November 1 and November 16, 2020. No other email accounts were compromised.

While it is possible that emails and attachments containing sensitive information were viewed or copied, no specific evidence was found to suggest that was the case. The delay in issuing notifications was due to the time-consuming process of checking every email in the account for sensitive information. That process was completed on February 2, 2021 and confirmed that members’ names, health insurance information, and Social Security numbers had potentially been compromised. Manquen Vance has since taken steps to improve email security to prevent similar breaches in the future.

DNF Medical Centers Fires Employee for Diverting Blood Samples to Unauthorized Laboratory

DNF Medical Centers in Florida is notifying 846 individuals about a breach of their protected health information. On February 18, 2021 it was discovered that an employee was diverting patients’ blood samples to an unauthorized laboratory for testing, instead of LabCorp or Quest.

Patient data sheets were sent with the blood samples which included patient names, addresses, dates of birth, phone numbers, healthcare provider name, and the last 4 digits of Social Security numbers. DNF Medical Centers reports that the laboratory conducted medical tests as requested and returned the results; however, since this was an unauthorized lab, DNF Medical Centers is concerned about the reliability of the results. As such, affected patients have been notified and have been asked to re-do their blood tests at no cost.

An investigation was launched into the incident and the employee was interviewed and subsequently terminated. DNF Medical Centers does not believe any personal information has been misused or further disclosed, and believes the samples were sent to the lab so that the requested medical tests could be performed and the laboratory could bill patients' health insurers for them.

PHI Compromised in Peak Vista Community Health Break In

On March 7, 2021, thieves broke into one of Peak Vista Community Health's facilities in Colorado Springs and stole computer equipment. On March 31, 2021, Peak Vista determined that two of the stolen computers contained patient information including names, dates of birth, phone numbers, medical record numbers, medication lists, and diagnosis information.

The break-in has been reported to law enforcement, but the equipment has not been recovered. While it is possible that the thieves accessed information on the devices, no evidence of actual or attempted misuse of patient information has been identified. Peak Vista Community Health said only a very small portion of its patients were affected and all have now been notified by mail.

The post Manquen Vance Email Breach Impacts 7,018 Patients appeared first on HIPAA Journal.

Data Breaches Reported by VEP Healthcare and the American College of Emergency Physicians

The American College of Emergency Physicians (ACEP) has started alerting certain members that some of their personal information was stored on a server that was accessed by unauthorized individuals.

In addition to providing professional organizational services to its members, management services are provided by ACEP to organizations such as the Emergency Medicine Foundation (EMF), Society for Emergency Medicine Physician Assistants (SEMPA), and the Emergency Medicine Residents’ Association (EMRA). The breach concerns data related to those organizations. Affected individuals had made a purchase from or donated to EMF, SEMPA, or EMRA.

The breach was detected on September 7, 2020, when unusual activity was identified in ACEP's systems. A server had been compromised that held the login credentials for its SQL database servers, and those databases contained members' information. While no evidence was found to indicate the credentials were used to access the databases, unauthorized access could not be ruled out. The exposed information related to the period April 8, 2020 to September 21, 2020.

The exposed data varied from individual to individual. In addition to names, sensitive information such as Social Security numbers and financial information may have also been compromised.

The impacted server has been rebuilt, passwords have been changed, and additional technical safeguards have now been implemented. Affected individuals have been offered 12 months of credit monitoring services.

VEP Healthcare Discovers Multiple Email Accounts Were Accessed by Unauthorized Individuals

Portland, OR-based VEP Healthcare has discovered multiple employee email accounts have been accessed by unauthorized individuals after employees responded to phishing emails and disclosed their login credentials. The email security incident was detected on March 11, 2021 and the investigation confirmed the affected email accounts had been subjected to unauthorized access between November 15, 2019 and January 20, 2020. It is unclear exactly what information was contained in the compromised accounts.

While the email accounts were accessed, no evidence was found to indicate any protected health information in those accounts was viewed or obtained. However, out of an abundance of caution, affected individuals have been offered a free 12-month membership to the IDX identity theft protection service, which includes a $1 million identity theft insurance policy.

VEP Healthcare has since improved email security, implemented two-factor authentication on email accounts, modified its policies and procedures, and provided additional security awareness training to the workforce.

Epilepsy Florida Impacted by Blackbaud Data Breach

Epilepsy Florida has recently confirmed that it was affected by the data breach at Blackbaud Inc., its cloud computing vendor. The breach occurred in May 2020 and Blackbaud sent notifications to affected clients in July 2020.

In a March 30, 2021 substitute breach notice, Epilepsy Florida explained that it launched an investigation into the breach to determine what information had been compromised and, after demanding further information from Blackbaud, determined the breach was limited to the full names of 1,832 individuals. No other information appears to have been compromised.

The post Data Breaches Reported by VEP Healthcare and the American College of Emergency Physicians appeared first on HIPAA Journal.

March 2021 Healthcare Data Breach Report

There was a 38.8% increase in reported healthcare data breaches in March, with 62 breaches of 500 or more records reported to the HHS' Office for Civil Rights, and hacking incidents dominating the breach reports. The high number of reported breaches is largely due to an increase in data breaches at business associates.

[Figure: Healthcare data breaches in the past 12 months]

The number of breached records also increased sharply with 2,913,084 healthcare records exposed or impermissibly disclosed across those 62 incidents; an increase of 135.89% from February.

[Figure: Breached healthcare records in the past 12 months]

Largest Healthcare Data Breaches Reported in March 2021

The table below shows the 25 largest healthcare data breaches to be reported in March, all of which were hacking/IT incidents. 76% involved compromised network servers with the remaining 24% involving breaches of email accounts. 60% of these breaches involved business associates.

| Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached Information |
|---|---|---|---|---|
| Health Net Community Solutions | Health Plan | 686,556 | Hacking/IT Incident | Network Server |
| Health Net of California | Health Plan | 523,709 | Hacking/IT Incident | Network Server |
| Woodcreek Provider Services LLC | Business Associate | 207,000 | Hacking/IT Incident | Network Server |
| Trusted Health Plans, Inc. | Health Plan | 200,665 | Hacking/IT Incident | Network Server |
| Apple Valley Clinic | Healthcare Provider | 157,939 | Hacking/IT Incident | Network Server |
| Saint Alphonsus Health System | Healthcare Provider | 134,906 | Hacking/IT Incident | Email |
| The Centers for Advanced Orthopaedics | Healthcare Provider | 125,291 | Hacking/IT Incident | Email |
| Cancer Treatment Centers of America at Midwestern Regional Medical Center | Healthcare Provider | 104,808 | Hacking/IT Incident | Email |
| SalusCare | Healthcare Provider | 85,000 | Hacking/IT Incident | Email |
| California Health & Wellness | Health Plan | 80,138 | Hacking/IT Incident | Network Server |
| Mobile Anesthesiologists | Healthcare Provider | 65,403 | Hacking/IT Incident | Network Server |
| Trillium Community Health Plan | Health Plan | 50,000 | Hacking/IT Incident | Network Server |
| PeakTPA | Business Associate | 50,000 | Hacking/IT Incident | Network Server |
| Sandhills Medical Foundation, Inc. | Healthcare Provider | 39,602 | Hacking/IT Incident | Network Server |
| ProPath Services, LLC | Healthcare Provider | 39,213 | Hacking/IT Incident | Email |
| BioTel Heart | Healthcare Provider | 38,575 | Hacking/IT Incident | Network Server |
| Healthgrades Operating Company, Inc. | Business Associate | 35,485 | Hacking/IT Incident | Network Server |
| The New London Hospital Association, Inc. | Healthcare Provider | 34,878 | Hacking/IT Incident | Network Server |
| La Clinica de La Raza, Inc. (La Clinica) | Healthcare Provider | 31,132 | Hacking/IT Incident | Network Server |
| Arizona Complete Health | Health Plan | 27,390 | Hacking/IT Incident | Network Server |
| Health Net Life Insurance Company | Health Plan | 26,637 | Hacking/IT Incident | Network Server |
| Colorado Retina Associates, P.C. | Healthcare Provider | 26,609 | Hacking/IT Incident | Email |
| Haven Behavioral Healthcare | Business Associate | 21,714 | Hacking/IT Incident | Network Server |
| Health Prime International | Business Associate | 17,562 | Hacking/IT Incident | Network Server |
| CalViva Health | Health Plan | 15,287 | Hacking/IT Incident | Network Server |


Causes of March 2021 Healthcare Data Breaches

43 breaches – 69.35% of the month's total – were the result of hacking/IT incidents such as compromised network servers and email accounts. Hacking incidents accounted for 98.43% of all records breached in March – 2,867,472 records. The average breach size was 66,685 records and the median breach size was 26,609 records. 17 unauthorized access/disclosure incidents were reported in March (27.42% of breaches) and 44,395 records were breached in those incidents – 1.52% of the month's total. The average breach size was 2,611 records and the median breach size was 1,594 records. There was one theft incident involving 500 healthcare records and one loss incident that affected 717 individuals.

[Figure: Causes of March 2021 healthcare data breaches]

Many of the reported breaches occurred at business associates of HIPAA covered entities, with those breaches impacting multiple healthcare clients. Notable business associate data breaches include a cyberattack on Accellion that affected its file transfer appliance. Hackers exploited vulnerabilities in the appliance and stole client files. A ransom was demanded by the attackers and threats were issued to publish the stolen data if payment was not made. The two largest data breaches of the month were due to this incident.

Several healthcare organizations were affected by a ransomware attack on business associate Netgain Technology LLC, including the third and fifth largest breaches reported in March. Med-Data suffered a breach that affected at least 5 covered entities. This incident involved an employee uploading files containing healthcare data to publicly accessible GitHub repositories.


The most common location of breached protected health information was network servers, many of which were due to ransomware attacks or other malware infections. Email accounts were the second most common location of breached PHI, which were mostly accessed following responses to phishing emails.

[Figure: March 2021 healthcare data breaches by location of breached PHI]

Covered Entities Reporting Data Breaches in March 2021

Healthcare providers were the worst affected covered entity type with 40 reported breaches, and 15 breaches were reported by health plans, a 200% increase from the previous month. While only 5 data breaches were reported by business associates themselves, 30 of the month's breaches – 48.39% – involved a business associate, with the remainder of those reported by the affected covered entity. That represents a 200% increase from February.

[Figure: March 2021 healthcare data breaches by breached entity type]

Distribution of March 2021 Healthcare Data Breaches

There was a large geographical spread of data breaches, with covered entities and business associates in 30 states affected. California was the worst affected state with 11 data breaches reported. There were 5 breaches reported in Texas, 4 in Florida and Massachusetts, 3 in Illinois and Maryland, 2 in each of Arkansas, Arizona, Michigan, Minnesota, Missouri, Ohio, and Pennsylvania, and one breach was reported in each of Alabama, Colorado, Connecticut, Georgia, Idaho, Kansas, Louisiana, Montana, New Hampshire, Nevada, Oregon, South Carolina, Tennessee, Utah, Washington, Wisconsin, and West Virginia.

HIPAA Enforcement Activity in March 2021

The HHS’ Office for Civil Rights announced two further settlements to resolve HIPAA violations in March, both of which involved violations of the HIPAA Right of Access. These two settlements bring the total number of financial penalties under OCR’s HIPAA Right of Access enforcement initiative to 18.

Arbour Hospital settled its case with OCR and paid a $65,000 financial penalty and Village Plastic Surgery settled its case and paid OCR $30,000. Both cases arose from complaints from patients who had not been provided with timely access to their medical records.

The post March 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.