HIPAA Breach News

Montefiore Medical Center Fires Employee for Unauthorized Record Access

Montefiore Medical Center has discovered another employee has accessed patient information with no legitimate work reason for doing so.

The New York hospital had previously announced that one employee was discovered to have accessed medical records without authorization for 5 months in 2020, and that another employee had obtained the PHI of approximately 4,000 patients between January 2018 and July 2020.

The latest discovery involved an employee accessing patient records without authorization for more than a year. The breach was identified by Montefiore’s FairWarning software, which monitors medical record access and flags activity that appears inappropriate.

When unauthorized medical record access was discovered, the employee was suspended pending an investigation. A review of record access confirmed that the employee had accessed records with no legitimate work reason for doing so between January 2020 and February 2021.
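User-activity monitoring of the kind described above typically works by comparing each chart access against a documented treatment relationship (an encounter, care-team assignment or appointment) and escalating users who accumulate accesses with no such relationship. The following is an added example of that rule, written for this page; it is not FairWarning's logic or Montefiore's code, and the audit log lines, MRNs, user IDs, care-team table, 7-day grace window and 3-access threshold are all constructed assumptions.

```python
"""
Added example (not code from HIPAA Journal, Montefiore, or FairWarning):
a minimal "no treatment relationship" detector of the kind user-activity
monitoring tools run over EHR audit logs. Every log line, MRN, user ID and
care-team row below is constructed for the example.
"""
from collections import defaultdict
from datetime import date, datetime, time, timedelta

# Constructed EHR access audit log: timestamp, user, role, patient MRN, action.
AUDIT_LOG = """\
2021-01-04T09:12:00,u1001,nurse,MRN-40021,view_chart
2021-01-04T09:15:00,u1001,nurse,MRN-40022,view_chart
2021-01-05T22:41:00,u1001,nurse,MRN-51877,view_demographics
2021-01-06T23:02:00,u1001,nurse,MRN-51878,view_demographics
2021-01-07T22:55:00,u1001,nurse,MRN-51879,view_demographics
2021-01-08T10:05:00,u2002,physician,MRN-40021,view_chart
2021-01-08T10:07:00,u2002,physician,MRN-40021,order_lab
2021-01-09T14:30:00,u3003,registrar,MRN-60001,view_demographics
"""

# Constructed care-team table: (patient MRN, user, encounter start, encounter end).
# A real deployment derives this from ADT/encounter and scheduling feeds.
ENCOUNTERS = [
    ("MRN-40021", "u1001", "2021-01-03", "2021-01-06"),
    ("MRN-40022", "u1001", "2021-01-03", "2021-01-06"),
    ("MRN-40021", "u2002", "2021-01-03", "2021-01-10"),
    ("MRN-60001", "u3003", "2021-01-09", "2021-01-09"),
]

GRACE_DAYS = 7  # assumed: access this long after discharge still counts as related


def parse_log(text):
    """Parse the constructed CSV audit log into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "patient": patient, "action": action})
    return events


def build_relationships(encounters, grace_days=GRACE_DAYS):
    """Map (user, patient) -> list of date windows in which access is expected."""
    rel = defaultdict(list)
    for patient, user, start, end in encounters:
        s = date.fromisoformat(start)
        e = date.fromisoformat(end) + timedelta(days=grace_days)
        rel[(user, patient)].append((s, e))
    return rel


def has_relationship(rel, user, patient, when):
    d = when.date()
    return any(s <= d <= e for s, e in rel.get((user, patient), []))


def is_off_hours(when, start=time(22, 0), end=time(6, 0)):
    """Secondary signal: access between 22:00 and 06:00 (assumed window)."""
    t = when.time()
    return t >= start or t < end


def find_unrelated_access(events, encounters):
    """Return every access with no documented treatment relationship."""
    rel = build_relationships(encounters)
    findings = []
    for ev in events:
        if has_relationship(rel, ev["user"], ev["patient"], ev["ts"]):
            continue
        findings.append({**ev, "off_hours": is_off_hours(ev["ts"])})
    return findings


def flag_users(findings, threshold=3):
    """Users with at least `threshold` unrelated accesses in the period."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["user"]] += 1
    return {u: n for u, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = find_unrelated_access(parse_log(AUDIT_LOG), ENCOUNTERS)
    for h in hits:
        print(h["ts"], h["user"], h["patient"], "off-hours" if h["off_hours"] else "")
    print("users to review:", flag_users(hits))
```

In the constructed data only u1001 trips the rule (three late-night demographic look-ups on patients with no encounter), which is the pattern the page describes: demographics rather than clinical data, repeated over time. The caveat a practitioner will want is that the rule is only as good as the care-team feed; float staff, consults and coverage shifts that never reach the encounter table all surface as false positives, so real systems pair this rule with break-the-glass workflows and a review queue rather than automatic action.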

The types of information accessed varied from patient to patient and included first and last names, medical record numbers, addresses, email addresses, dates of birth, and the last four digits of Social Security numbers. Montefiore found no evidence that financial information or clinical information was accessed.

The unauthorized record access violated Montefiore’s policies and HIPAA. The employee was fired, and the matter was referred to law enforcement for possible criminal prosecution.

Belden Facing Class Action Lawsuit Over November 2020 Data Breach

Belden, a U.S. vendor of networking equipment, is facing a class action lawsuit over a November 12, 2020 data breach in which the personal information of current and former employees was compromised. Hackers gained access to a limited number of file servers and exfiltrated employee data and information about some of its business partners.

The breach has recently been reported to the HHS’ Office for Civil Rights as involving the protected health information of 6,348 individuals. Names, Social Security numbers, tax identification numbers, financial account numbers, home addresses, email addresses, dates of birth and other employment-related information were stolen. Belden announced the breach on November 24, 2020 and started notifying affected individuals on December 14, 2020.

The lawsuit, Edke v. Belden Inc., alleges the plaintiff and class members have been harmed as a result of the breach and had to wait several weeks before being notified that their personal information had been stolen. They allege the data breach has placed them at “significant risk of identity theft and various other forms of personal, social, and financial harm.” The lawsuit alleges Belden was careless and negligent, and that security failures at the company allowed the data to be stolen.

The post Montefiore Medical Center Fires Employee for Unauthorized Record Access appeared first on HIPAA Journal.

PHI of More than 200,000 Washington D.C. Health Plan Members Stolen by Hackers

CareFirst BlueCross BlueShield Community Health Plan District of Columbia (CHPDC) is alerting its members about a cyberattack in which their protected health information was stolen.

CHPDC, formerly called Trusted Health Plans, detected a breach of its computer systems on January 28, 2021. The Washington D.C.-based health plan took immediate steps to isolate the affected computers and secure its network to prevent further unauthorized access, and the cybersecurity firm CrowdStrike was hired to investigate the breach.

CrowdStrike confirmed that protected health information was exfiltrated by the attackers, who were most likely a foreign cybercriminal group. CHPDC said anyone who has been an enrollee of CHPDC has been affected, as well as current and former employees.

The types of data stolen included full names, addresses, telephone numbers, dates of birth, Social Security numbers, Medicaid numbers, medical information, claims information, and a limited amount of clinical information. The breach has been reported to the Department of Health and Human Services’ Office for Civil Rights as affecting 200,665 individuals.

CrowdStrike provided assistance in securing CHPDC systems, and a series of steps were taken to enhance security to prevent similar breaches from occurring in the future. All passwords have been changed, CHPDC stopped operations that share information with business partners, and the Internet and dark web are being monitored for any signs of misuse of member data.

Since protected health information has been obtained by cybercriminals, affected individuals are being provided with complimentary identity theft protection and credit monitoring services for two years, which includes insurance and identity theft restoration services.

221,000 Total Health Care Members Impacted by Email Account Breach

Total Health Care Inc., a Detroit, MI-based health plan, has discovered unauthorized individuals have gained access to several employee email accounts that contained sensitive personal information of health plan members and physician partners.

Upon discovery of the breach, the email accounts were immediately secured to prevent further unauthorized access and security experts were engaged to conduct a forensic investigation to determine the nature and scope of the breach. The investigation confirmed that the breach was limited to email accounts, which were accessed by unauthorized individuals between December 16, 2020 and February 5, 2021.

No evidence was found to suggest any protected health information was viewed or misused, but unauthorized access could not be ruled out. A review of the emails in the accounts revealed they contained names, addresses, dates of birth, member IDs, claims information, and Social Security numbers.

Due to the sensitive nature of data in the accounts, affected individuals have been offered free credit monitoring services for up to two years through CyberScout. Steps have since been taken to improve email security, including reviewing and updating policies and procedures and providing additional security awareness training to the workforce.

The breach has been reported to the HHS’ Office for Civil Rights as affecting 221,454 individuals.

Harrington Physician Services Reports Potential Breach of a Patient Mailing List

Southbridge, MA-based Harrington Physician Services is notifying 4,393 patients about a potential breach of some of their protected health information. It was recently discovered that a mailing list had been uploaded to a location within its information system that was not supposed to house patient data. As a result, it is possible that individuals outside of Harrington Physician Services may have been able to access the mailing list. The mailing list contained names, ages, addresses, dates of birth, primary care physician names and last office visit date only.

An investigation did not uncover any evidence to suggest the mailing list had been accessed, but it was not possible to rule out a breach. The mailing list was only exposed for a short period of time and, in order to access the list, an individual would require access to the network where the mailing list was stored. The risk to patients is therefore believed to be minimal; however, as a precaution, affected patients have been notified and provided with information about credit protection and monitoring services.

Adventist Health Physicians Network Fined $40,000 for Privacy Breach

Adventist Health Physicians Network in Simi Valley, California has been ordered to pay $40,000 in civil monetary penalties by the Ventura County District Attorney as part of a civil privacy settlement to resolve a patient privacy case that affected 3,797 patients.

The privacy breach occurred in 2018 and involved an impermissible disclosure of physical documents containing private and confidential medical data. The Simi Valley hospital had used a storage facility in Simi Valley for storing physical patient records; however, when payments to the storage facility stopped, the hospital lost access to the storage unit and its contents were put up for sale at a public auction in October 2018.

The individual who bought the contents of the storage unit at the auction discovered boxes of paperwork in the unit that contained the sensitive medical data of patients of Adventist Health. The hospital was notified, and the files were promptly collected and secured.

Adventist Health conducted an investigation into the incident and was satisfied that none of the information in the storage unit had been made public or further disclosed. To prevent similar incidents from occurring in the future, Adventist Health reviewed and updated its policies and procedures to ensure that physical patient records were properly safeguarded and were disposed of securely when the paperwork was no longer required.

The breach was investigated by the Consumer and Environmental Protection Unit of the Ventura County District Attorney’s Office, which determined Adventist Health had violated California Unfair Competition Law as the healthcare provider had failed to protect patient privacy, had not reasonably maintained and safeguarded medical data, and had failed to correctly dispose of confidential information.

PHI of More Than 420,000 Individuals Potentially Compromised in Ransomware Attack on Ohio Law Firm

Bricker & Eckler, one of the leading law firms in Ohio, suffered a ransomware attack in January in which client information was potentially compromised. The ransomware infection was detected by the law firm on January 31, 2021 and a third-party cybersecurity firm was engaged to assist with the investigation.

The investigation revealed the attackers first gained access to its systems on January 14, 2021, and access remained possible until January 31, 2021. During that time the attackers gained access to files containing client information and exfiltrated some data from the law firm’s systems.

A notice about the security incident on the law firm’s website confirms that the attackers were contacted, and information stolen in the attack was retrieved, suggesting the ransom was paid. Bricker & Eckler said the attackers confirmed they took steps to delete the stolen data and reassurances were provided that there had been no further disclosures of the stolen information and that no copies of the data had been retained.

As a full-service law firm serving clients in the healthcare industry, it was necessary for clients to provide the law firm with certain protected health information as part of the client engagement. That information was used as part of the legal services provided. It is possible that some of that information may have been viewed or obtained in the attack.

Bricker & Eckler said the protected health information potentially compromised included names and addresses and, for certain individuals, medical information and/or education-related information, driver’s license numbers and/or Social Security numbers.

The law firm started sending notification letters to all affected individuals on April 6, 2021. The law firm has taken steps to enhance the security of its network, internal systems, and applications to prevent similar attacks in the future.

The breach has been reported to the HHS’ Office for Civil Rights as affecting up to 420,532 individuals.

Malware Discovered on Networks of Squirrel Hill Health Center and La Clinica de la Raza

La Clinica de la Raza in Oakland, CA is alerting certain patients about a potential breach of their protected health information. Malware was detected on systems containing patient data on January 28, 2021.

A third-party forensics company was engaged to assist with the investigation into the malware attack and determined on February 26, 2021 that the malware would have allowed files containing patient data to be accessed. The breach was short lived: the malware was installed on January 12, 2021 and was only active on that day.

During the short period of time that the malware was active it is possible that documents were viewed by unauthorized individuals, but the clinic believes relatively few documents were viewed. Those documents included full names, dates of birth, phone numbers, home addresses, health insurance information, and certain health information such as dates of service, diagnosis, test results, and treatment information related to medical services provided at the clinic.

Steps have been taken to improve data security, including enhancing its intrusion detection and prevention system, securing login credentials, providing additional workforce training, and implementing other risk prevention measures.

Malware Potentially Gave Cybercriminals Access to the PHI of Squirrel Hill Health Center Patients

Squirrel Hill Health Center in Pittsburgh, PA has discovered malware on its computer network which may have provided cybercriminals with access to files containing patients’ protected health information. A security breach was identified on February 4, 2021 when suspicious activity was detected on its computer network that prevented files from being accessed.

Third-party computer forensic specialists were engaged to investigate the breach and determined unauthorized individuals gained access to its systems on January 28, 2021 and access remained possible until February 4, 2021. While it is common in attacks such as this for sensitive data to be exfiltrated, Squirrel Hill Health Center found no evidence to suggest personal information was subjected to actual or attempted misuse.

A review of the files that were potentially accessed revealed they contained names, addresses, dates of birth, diagnostic codes, limited appointment scheduling details, and, for a subset of individuals, Social Security numbers.

Policies, procedures, and processes related to the storage of and access to patient information are being reviewed and will be updated, as necessary, to improve security.

California Department of State Hospitals Discovers Insider Breach Worse Than Previously Thought

In March 2021, the California Department of State Hospitals announced that an employee in an IT role had accessed the data of 1,415 current and former patients and 617 employees without authorization over a 10-month period. The breach was discovered on February 25, 2021 as part of a routine review of employee access to data folders.

At the time of the announcement the review into the insider breach was ongoing. It has now been confirmed that the breach was worse than previously thought. The data of 1,735 current and former Atascadero State Hospital employees and 1,217 DSH job applicants who were never hired was also accessed. The data included phone numbers, email addresses, Social Security numbers, dates of birth, and health information. While the sensitive data was accessed, there is no indication that any information has been misused.

Laptop Stolen from Woolfson Eye Institute Contained Patient Data

Woolfson Eye Institute in Atlanta, GA has announced a laptop computer connected to medical testing equipment was stolen on September 21, 2020. A review of the contents of the laptop confirmed it contained a patient database that included patient names and dates of birth. No other information was exposed. The theft was reported to law enforcement, but the laptop has not been recovered.

Due to the limited nature of data on the laptop, patients are not believed to be at risk of identity theft and fraud but have been advised to remain vigilant.

Orthopedics Practice Discovers Year-Long Email Breach Affecting 125,000 Patients

The Centers for Advanced Orthopaedics has discovered multiple employee email accounts have been accessed by unauthorized individuals. The orthopedics practice, which serves patients in Virginia, Maryland, and Washington DC, identified suspicious activity in its email system on September 17, 2020. Third party cybersecurity experts were engaged to assist with the investigation and determined several email accounts had been accessed by unauthorized individuals between October 2019 and September 2020.

A review of the affected email accounts was conducted to determine the types of information that had been exposed and it was confirmed on January 25, 2021 that protected health information may have been viewed or acquired by cybercriminals.

The email accounts contained information of patients, employees, and their dependents. Patient information was mostly restricted to names, dates of birth, diagnoses, and treatment information. A subset of patients also had one or more of the following data types stored in the accounts: Social Security number, driver’s license number, passport number, financial account information, payment card information, or email/username and password.

Employee and dependent information was mostly limited to dates of birth, medical diagnoses, treatment information, Social Security numbers, and driver’s license numbers. A subset included one or more of the following: passport number, financial account information, payment card information, or email/username and password.

Notifications were sent to affected individuals starting March 25, 2021. Complimentary credit monitoring and identity restoration services have been offered to affected individuals.

Policies and procedures and security infrastructure are being reviewed and will be updated to improve protections from these types of breaches.

Vendor Email Breach Impacts Patients of Remedy Medical Group

Administrative Advantage, a vendor that provides billing support to the Californian pain management specialty practice Remedy Medical Group, has discovered the email account of an employee was accessed by an unauthorized individual. Suspicious activity was detected in the email account in July 2020 and an investigation was launched to determine the nature and scope of the breach. Third-party security experts assisted with the investigation and determined on August 18, 2020 that the email account had been accessed by unauthorized individuals between June 23, 2020 and July 9, 2020.

At the time of the breach the email account contained the protected health information of Remedy Medical Group patients, which included names, financial account information, Social Security numbers, driver’s license and/or state identification numbers, credit and/or debit card information, dates of birth, passport numbers, electronic signature information, username and password information, medical record numbers, Medicare numbers, Medicaid numbers, treatment locations, diagnoses, health insurance information, and lab test results. The types of information potentially compromised varied from patient to patient.

Following the breach, security measures have been reviewed and additional training has been provided to the workforce on email security. Individuals potentially at risk of identity theft have been offered access to identity theft protection services at no cost.

Email Error Discovered Affecting Dallas County Jail Inmates

Parkland Health and Hospital System has discovered an email error that resulted in the protected health information of individuals incarcerated in the Dallas County jail system being sent to an individual not authorized to view the information.

The email, which was sent in error to a Dallas County employee, contained lab test invoices that included inmates’ first and last names, dates of birth, and the name of the diagnostic test provided.

The breach occurred in February 2020. Parkland Health and Hospital System officials were informed by the recipient of the email that the message had not been read and was permanently deleted the day it was received. The 1,594 individuals affected have been notified.

Third Party Data Breaches Reported by Apple Valley Clinic & BioTel Heart

Apple Valley Clinic in Minnesota has started notifying 157,939 patients that some of their protected health information was compromised in a ransomware attack on one of its information technology vendors.

Apple Valley Clinic, which is part of Allina Health, used Netgain Technology LLC to host its information technology network and computer systems. In November 2020, Netgain was attacked with ransomware which took its data centers offline. Netgain notified Apple Valley Clinic on December 2, 2020 that patient data may have been compromised in the ransomware attack. Allina Health received confirmation on January 29, 2021 that patient information had been involved.

The types of information compromised included names, dates of birth, bank account and routing numbers, Social Security numbers, patient billing information, and some medical information including symptoms and diagnoses. While several healthcare providers had PHI compromised, Apple Valley Clinic was the only Allina Health location to be affected.

Apple Valley Clinic has since taken steps to improve information security, including transitioning to the electronic health record system used by Allina Health. Netgain is continuing to investigate the attack and is monitoring for any adverse effects from the breach.

To date, Apple Valley Clinic has not received any reports to suggest any protected health information compromised in the attack has been misused; however, in order to ensure affected patients are protected, complimentary credit monitoring and identity theft protection services are being offered.

BioTel Heart Alerts 38,575 Patients to Online Exposure of PHI

The cardiac data company BioTel Heart has confirmed the protected health information of 38,575 patients has been exposed online by one of its vendors.

BioTel Heart, a trade name under which CardioNet, LLC and LifeWatch Services Inc. operate, was alerted to a breach on January 28, 2021 when a patient discovered some of their protected health information was accessible online via a Google search. An investigation was launched to determine the cause of the breach and revealed that one of its vendors had failed to secure an Amazon S3 bucket, leaving patient information publicly readable and indexed by search engines. The investigation confirmed that patient data was accessible from October 17, 2019 to August 9, 2020.

The types of information accessible through the search engines included names, contact information, dates of birth, health insurance information, and health information related to remote cardiac monitoring services, such as diagnoses, diagnostic tests, prescribing physicians’ names, and treatment information. While Social Security numbers are not requested by BioTel Heart, some Social Security numbers were also compromised.

BioTel Heart has confirmed that the vendor fixed the issue and secured the data on August 9, 2020. The business relationship with the vendor has since been terminated.

The vendor was notified about the breach via Amazon following the discovery of the exposed data by a security researcher, as reported in August 2020 by Databreaches.net. The vendor appears not to have reported the breach to BioTel Heart.
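The exposure described above is the classic pattern of a bucket policy (or ACL) that grants anonymous read access, which search-engine crawlers then index. The following is an added example, not code from BioTel Heart, its vendor or HIPAA Journal: it shows a world-readable bucket policy beside a hardened one, and a small offline checker of the kind a practitioner runs over exported bucket policies. The bucket name, account ID, role name and the policy documents are constructed assumptions, and the `public_access_block` dict mirrors the field names of the S3 PublicAccessBlockConfiguration.

```python
"""
Added example (not code from BioTel Heart, its vendor, or HIPAA Journal):
a weak S3 bucket policy beside a corrected one, plus a simplified checker for
anonymous read grants. Bucket name, account ID and role are constructed.
"""
import fnmatch
import json

BUCKET = "example-cardiac-reports"  # constructed

# Weak setting: any principal may list and fetch every object. This is the
# misconfiguration that lets a crawler index documents stored in the bucket.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
    }],
})

# Corrected setting: only a named application role may read objects, and all
# access is denied unless it arrives over TLS.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/report-portal"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})

READ_ACTIONS = ("s3:GetObject", "s3:ListBucket")


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _principal_is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"} (possibly inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def _action_matches(pattern, action):
    # IAM action names are case-insensitive and may use "*" wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def public_grants(policy_json):
    """Sids of Allow statements granting anonymous read with no Condition.
    Simplification: any Condition is treated as non-public; a real audit has
    to evaluate the condition keys (aws:SourceVpc, aws:Referer and so on)."""
    doc = json.loads(policy_json)
    hits = []
    for st in _as_list(doc.get("Statement", [])):
        if st.get("Effect") != "Allow" or not _principal_is_anyone(st.get("Principal")):
            continue
        if st.get("Condition"):
            continue
        patterns = _as_list(st.get("Action", []))
        if any(_action_matches(p, a) for p in patterns for a in READ_ACTIONS):
            hits.append(st.get("Sid", "<no Sid>"))
    return hits


def effectively_public(policy_json, public_access_block):
    """Simplified evaluation: a public policy is neutralised only when
    RestrictPublicBuckets is enabled. Object and bucket ACLs are ignored here."""
    if public_access_block.get("RestrictPublicBuckets", False):
        return False
    return bool(public_grants(policy_json))


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, "public grants:", public_grants(pol),
              "effectively public:", effectively_public(pol, {}))
```

The checker is deliberately conservative about what it understands; the authoritative answer for a live bucket comes from `aws s3api get-bucket-policy-status`, which reports `IsPublic`, together with the bucket's ACL and the account-level public access block. The design point worth taking from the hardened policy is that it names the single principal that needs access rather than relying on obscurity of the object keys, since anything readable by `*` will eventually be found by a crawler or a researcher.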

More Than 1.2 Million Health Net Members Affected by Accellion Cyberattack

Several healthcare organizations have recently confirmed they have been affected by the December 2020 Accellion cyberattack. The attack has been linked to the Clop ransomware gang, as its leak site was used to publish samples of data stolen in the attack, although ransomware is not believed to have been used.

Accellion provided a file transfer solution that was used for transmitting files that were too large to be sent via email. In the case of Health Net, the platform was used for exchanging files with healthcare providers and others who support its operations. Health Net reports that names, addresses, dates of birth, insurance ID numbers, and health information were obtained by the attackers. Accellion notified Health Net about the breach on January 25, 2021.

Health Net has reported the breach as affecting 1,236,902 individuals across Health Net Community Solutions (686,556 individuals), Health Net of California (523,709 individuals), and Health Net Life Insurance Company (26,637 individuals).

California Health & Wellness has recently announced that it too was a victim of the Accellion cyberattack and confirmed that the names, addresses, dates of birth, insurance ID numbers, and health information of 80,138 members was stolen.

Stanford University has also recently confirmed that it was a victim of the attack and the PHI of Stanford Medicine patients was compromised, although details of the types of information stolen and the number of individuals affected has yet to be confirmed. Some of the data stolen in the attack was published on the attacker’s leak site.

Previously, University of Miami Health, Centene, Kroger, Trillium Community Health Plan, and Arizona Complete Health reported that they have been affected and had sensitive data stolen.

Multiple lawsuits have already been filed over the breach. Centene is suing Accellion over the breach and a lawsuit has been filed on behalf of affected Kroger pharmacy patients.

The vulnerabilities exploited in the cyberattack have been fixed and Accellion has confirmed that the FTA service will be discontinued from April 30, 2021, although support will continue to be provided until all contracts expire. Most victims have reported that they have discontinued using the Accellion FTA.
