UNM Health has discovered an unauthorized third party gained access to its network and potentially viewed and exfiltrated files from its systems that contained patients’ protected health information. The security breach was discovered on June 4, 2021 and an investigation was immediately launched to determine the extent and scope of the breach.

UNM Health determined its systems were accessed by the unauthorized third-party on May 2, 2021 and files containing the protected health information of its patients, including those of UNM Hospital, UNM Medical Group, Inc., and UNM Sandoval Regional Medical Center Inc. were potentially compromised.

A comprehensive review of all files on the compromised parts of its network was conducted and it was confirmed they contained information such as names, addresses, dates of birth, medical record numbers, patient identification numbers, health insurance information, and some clinical information related to the healthcare services provided by UNM Health. The Social Security numbers of a limited number of patients were also potentially compromised in the breach. UNM Health said its medical record systems was not affected.

UNM Health started sending breach notification letters to all individuals potentially affected by the breach on August 3, 2021. Complimentary credit monitoring and identity theft protection services have been offered to all individuals whose Social Security number was exposed.

UNM Health has not disclosed the exact nature of the security incident but said it has implemented additional measures to improve the security of its systems to prevent similar attacks in the future and has also provided additional education to its workforce on information security.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates up to 637,252 patients have been affected by the breach, making this the 19^th largest healthcare data breach to be reported so far this year, and the largest ever breach to be reported by a New Mexico healthcare organization.

The post UNM Health Data Breach Affects More than 637,000 Patients appeared first on HIPAA Journal.

USA Waste-Management Resources, LLC has started notifying certain employees, former employees, and dependents covered by its self-administered health plan that some of their personal and protected health information was compromised in a January 2021 cyberattack.

Waste-Management Resources said suspicious activity was detected in its IT systems on January 21, 2021. An investigation was launched and, assisted by third party computer forensics specialists, Waste-Management Resources confirmed that an unauthorized individual had accessed its systems between January 21 and January 23, 2021 and that certain files were accessed and stolen in the attack.

An extensive review was conducted to determine if any files stored on the compromised parts of its network contained any sensitive information. That process was completed on June 21, 2021.

The review confirmed the following types of information had been exposed and have potentially been compromised: Names, Social Security numbers, taxpayer identification numbers, government ID numbers, state ID numbers, driver’s license numbers, dates of birth, financial/bank account numbers, debit/credit card numbers, medical history/treatment information, health insurance information, passport numbers, and username/email address and passwords for financial electronic accounts. Waste-Management Resources said it was not possible to tell which files were actually exfiltrated in the attack.

Notification letters started to be sent to affected individuals on August 11, 2021. Waste-Management Resources said, “While the investigation remains ongoing, we are taking steps now to implement additional safeguards and review policies and procedures relating to data privacy and security.”

Affected individuals have been advised to monitor their financial accounts for any sign of misuse of their personal data, and to obtain a free credit report from one of the three major credit monitoring bureaus and to consider placing a free fraud alert or a credit freeze on their files.  It does not appear that credit monitoring and identity theft protection services are being offered, despite the extensive and highly sensitive nature of data potentially compromised in the attack.

The post PHI of Employees Compromised in Cyberattack on Waste Management Firm appeared first on HIPAA Journal.

University Medical Center of Southern Nevada (UMC) has issued an update on a cyberattack it experienced in June 2021 and has now confirmed that some patient information was compromised in the attack.

The cyberattack occurred on June 14, 2021 and was conducted by a “by a well-known group of cybercriminals that seek to use the information for commercial gain,” according to a July 29, 201 UMC press release. UMC explained that suspicious activity was detected within its IT environment and prompt action was taken to remove the attackers from its network. UMC said the breach was contained the on June 15, with the initial investigation suggesting the attackers had gained access to certain file servers; however, the prompt action taken by its IT Division meant there was no disruption to patient care or its clinical systems.

Initially, UMC said it had no reason to believe any clinical systems were accessed by the attackers, although the investigation into the cyberattack was ongoing to establish the nature and scope of the cyberattack. The forensic investigation has now confirmed that certain files containing patients’ protected health information were compromised in the attack.

Those files contained information such as names, addresses, dates of birth, Social Security numbers, health insurance information, financial information, and some clinical information, including medical histories, diagnoses, and test results. UMC said no evidence has been found to indicate any specific misuse of patient information.

Notification letters are now being sent to all individual potentially affected by the attack and complimentary identity theft protection services are being provided.

UMC said it notified the FBI and Las Vegas Metropolitan Police Department about the attack and has been working closely with third-party cybersecurity consultants and will be implementing additional internal and external technology solutions to better protect patient data and prevent further cyberattacks.

The post University Medical Center of Southern Nevada Confirms PHI Compromised in June Cyberattack appeared first on HIPAA Journal.

The New Jersey specialist diagnostic testing laboratory A2Z Diagnostics has started notifying patients that some of their protected health information was contained in employee email accounts that were accessed by unauthorized individuals.

Upon discovery of the breach, email accounts were immediately secured and third-party cybersecurity consultants were engaged to investigate the breach and determine whether any emails or attachments had been accessed or obtained in the attack. A2Z Diagnostics learned on June 28, 2021 that the compromised accounts were breached between February 2, 2021 and April 2, 2021, and some of the accounts contained the personal and protected health information of individuals who had tests performed at its laboratory; however, no evidence was found that suggested any emails had actually been viewed or stolen in the attack.

The types of information in the accounts varied from individual to individual and may have included full names in combination with one or more of the following types of information:  Social Security number, date of birth, driver’s license or state identification number, medical diagnosis or clinical information, treatment type or location, doctor name, health insurance information and/or medical procedure information. A2Z said only a limited number of individuals who received testing services were affected.

Notification letters started to be sent to affected individuals on July 28. Credit monitoring services have been offered to the small number of individuals whose Social Security number was exposed.

A2Z said it has undertaken significant measures to improve its technical safeguards to minimize the risk of a similar incident in the future, including enhancing its multi-factor authentication software.

Vison for Hope Discovers Breach of Employee Email Account

The animal-assisted therapy charity Vision for Hope has discovered an unauthorized individual has gained access to the email account of one of its employees and potentially viewed or obtained the protected health information of some of its patients.

Upon discovery of the breach, an investigation was launched to determine the nature and scope of the cyberattack, which revealed the email account was compromised between February 14 and April 2, 2021. A comprehensive review of all emails in the account was completed on June 2, 2021, when it was confirmed that the following types of protected health information were potentially accessed: Name, date of birth, Social Security number, driver’s license number, financial account number, medical treatment or diagnosis information, and/or medical insurance information. The types of information exposed varied from individual to individual.

Vision for Hope said it has no reason to believe any information in the account has been misused for the purpose of committing fraud or identity theft. On August 3, 2021, Vision for Hope started sending notification letters to affected individuals and has offered complimentary credit monitoring and identity theft protection services to all individuals whose Social Security number and/or driver’s license number were potentially accessed.

Information security procedures are now being reinforced with its employees and changes are being made to reduce the likelihood of further breaches occurring.

The post Email Account Breaches Reported by A2Z Diagnostics and Vision for Hope appeared first on HIPAA Journal.

Long Island Jewish Forest Hills Hospital (LIJFH) has started notifying certain patients about an insider data breach involving their medical records.

LIJFH explained in its breach notification letters that an unauthorized medical record access incident came to light around January 24, 2020. LIJFH had been issued with a subpoena for documents in connection with a law enforcement investigation into a “No Fault” motor vehicle accident insurance scheme that referenced an LIJFH employee.

A review was conducted of access logs relating to its medical record system and it was determined that the now former employee had improperly accessed the medical records of patients. While no evidence was found to indicate any patient information had been misused, or that the former employee was in any way involved in the insurance scheme, the decision was taken to issue notification letters.

Notification letters were sent to all patients whose medical records had been accessed by the former employee during the period that the individual had access to patients’ medical records, irrespective of whether the patients had been involved in a motor vehicle accident. That period spanned from August 23, 2016 to October 31, 2017.

LIJFH said it has been fully cooperating with the law enforcement investigation and explained that notification letters to all patients had been delayed at the request of law enforcement so as not to interfere with the investigation. Notification letters started to be sent on August 5, 2021.

No credit card numbers or financial information were accessed by the employee, only the following types of information: name, date of birth, address, phone number, insurance information, internal medical record number, treatment location, treatment provider, date(s) of service, reason for visit, brief summary of the patient’s medical history, medications, test results, diagnoses, and/or other treatment-related information. The Social Security numbers of a limited number of patients were also potentially viewed.

LIJFH is offering complimentary credit monitoring and identity protection services to all individuals potentially affected by the incident for 12 months or longer if required by state law.

LIJFH has confirmed that the individual is no longer employed by LIJFH. Steps have been taken to prevent and identify any further breach of this nature, including enhancing security tools that monitor access to medical record applications. Audits of medical record access are also being conducted by its compliance department. LIJFH said all employees already receive ongoing training on HIPAA and patient privacy. Following the discovery of the breach, the front-line staff was re-trained.

The post Long Island Jewish Forest Hills Hospital Notifies Patients About Insider Breach appeared first on HIPAA Journal.

Patients and staff members at several nursing and rehabilitation facilities in Illinois are being notified that some of their protected health information has potentially been compromised in a cyberattack on Dynamic Health Care, Inc.

Dynamic Health Care provides consulting, administrative, and back office services to nursing and rehabilitation facilities in Illinois that require access to certain staff and patient data. On November 8, 2020, Dynamic Health Care discovered malware had been installed on certain computers within its network. An investigation was launched into the malware incident to determine the full nature and scope of the incident.

Dynamic Health Care confirmed an unauthorized individual had accessed its network on or around November 8, 2020 and on January 7, 2021, it was determined that during the time that access to the network was possible, the attacker potentially viewed or acquired information about staff and nursing home residents at facilities including Woodbridge Nursing Pavilion, Waterfront Terrace, Bridgeview Health Care Center, Willow Crest Nursing Pavilion, Ottawa Pavilion, and River North of Bradley Health & Rehabilitation Center.

A comprehensive review was conducted of all data on the affected computers, which confirmed that sensitive data had been exposed. The types of information potentially compromised in the attack varied from individual to individual and may have included name, date of birth, Social Security number, treating nursing care facility name, resident identification number, and dates of admission and/or discharge.

Dynamic Health Care has mailed notification letters to all individual affected by the incident. Dynamic Health Care said strict security measures had been implemented to protect all information in its possession, but these measures have now been strengthened following the breach. Additional training and education have also been provided to the workforce to help prevent further breaches in the future.

The post Dynamic Health Care Malware Attack Affects Multiple Nursing and Rehabilitation Facilities in Illinois appeared first on HIPAA Journal.

Irving, TX-based NCH Corporation, an international marketer of maintenance products, has reported a suspected ransomware attack. Suspicious network activity was detected within its systems on March 5, 2021, “that caused certain systems in its network to become unavailable.”

Steps were taken to block further unauthorized access and restore its systems. The investigation revealed the attackers had access to certain parts of its network between March 2 and March 5, 2021 and during that time there was unauthorized access to certain files stored on its file servers. It was not possible to tell which files had been accessed, so notifications have been sent to all individuals whose information was potentially compromised. The review of the files was completed on June 29, 2021. The files contained the names of certain current and former employees and their dependents, along with Social Security numbers and driver’s license numbers.

Notification letters were sent on July 29, 2021 and affected individuals have been offered complimentary credit monitoring and identity theft protection services.

The breach report submitted to the HHS’ Office for Civil Rights indicates up to 11,427 individuals were affected.

Renaissance Life & Health Insurance Co. Members Affected by Business Associate Ransomware Attack

A vendor used by Renaissance Life & Health Insurance Co. has suffered a ransomware attack in which the protected health information of some of its members was potentially compromised.

Renaissance Life & Health Insurance used Secure Administrative Solutions (SAS) for claims processing services. SAS detected unusual activity within its IT system on April 15, 2021 and immediately launched an investigation. On May 25, 2021, SAS learned that a limited amount of data may have been exfiltrated from its IT systems, including names, addresses, Social Security numbers, and agent license numbers.

The attackers had access to its IT systems between March 15 and April 15, 2021.While SAS did not specify the nature of the attack in its breach notifications, Renaissance Life & Health said ransomware was involved and SAS had received assurances that data exfiltrated in the attack had been destroyed by the attacker, suggesting the ransom may have been paid. SAS said in its notification letter that data were restored from clean backups.

SAS also said it “enforced a system-wide global password reset, implemented more strict password complexity requirements, and provided all users with new personal computers and training on updated network security protocols and procedures.”

Affected individuals have been offered credit monitoring and identity theft protection services for 12 months.

Insider Incident Affects Patients of TGH Urgent Care powered by Fast Track

Synergic Healthcare Solutions has notified 558 individuals about the potential theft of their protected health information by a former employee of Tampa General Urgent Care.

The breach occurred on September 9, 2020 when a former employee of Tampa General Urgent Care is alleged to have photographed patient information at TGH Urgent Care’s facility in Seminole, FL, which is partnered with Tampa General Hospital. The breach was discovered on November 6, 2020.

The former employee has been accused of taking photographs of patients’ driver’s licenses and credit card details. While the former employee is only believed to have taken photographs of the information of 3 patients, the decision was taken to notify all 558 patients whose charts had been accessed by the employee.

All individuals potentially affected have been offered complimentary credit monitoring services. TGH has since re-educated employees about privacy and security and the reporting of potential privacy violations.

Southwest Nebraska Public Health Department Discovers Exposure of COVID-19 Vaccination Information

Southwest Nebraska Public Health Department (SNPHD) has notified 13,500 individuals about the exposure of COVID-19 vaccine information over the Internet.

On May 18, 2021, SNPHD was made aware that data have been exposed on the SNPHD website. The information accessible on the website was limited to name, address, county, date of birth, date of vaccination, vaccination type, race and gender.

SNPHD contacted its web hosting company which confirmed that only one individual had accessed the data. SNPHD confirmed that the individual has worked closely with SNPHD and believes there is no cause for concern related to the file being accessed; however, individuals affected have been notified out of an abundance of caution.

The incident prompted SNPHD to provide its staff with additional training related to HIPAA, privacy, and confidentiality to ensure that an event like this does not occur again.

The post NCH Corporation and Others Announce Data Breaches appeared first on HIPAA Journal.

On January 10, 2021, Gastroenterology Consultants, PA suffered a ransomware attack that resulted in the encryption of sensitive data.  Yesterday, notifications were sent to patients potentially affected by the attack to inform them that their protected health information may have been accessed or compromised in the attack.

Gastroenterology Consultants, the largest partnership GI practice in Houston, TX, launched an investigation into the attack and took steps to remove the attackers from its network and restore affected data. A substitute breach notice was uploaded to the company website on March 19, 2021 advising patients about the attack. No evidence was found to indicate any patient data were accessed by the attacker or exfiltrated in the attack.

Attacks such as this typically warrant breach notification letters, as while evidence of data theft may not be found, it is usually not possible to rule out unauthorized access to PHI with a high degree of certainty. In this case, Rather than identify the individual patients affected by the attack, the decision was taken to notify all patients whose PHI was potentially compromised. The breach report submitted to the Maine Attorney General indicates 162,163 breach notifications have been sent.

“After undertaking an extensive data mining process to determine specifically whether any patient or employee had any sensitive Personal Information or Personal Health Information exposed, we, unfortunately, learned that the time and effort to manually review thousands of documents was not cost-effective,” explained Gastroenterology Consultants in its breach notification. “Therefore, although there is no evidence of any unauthorized use of patient or employee data, we have determined it best to issue mail notifications to all employees and patients detailing the specific type of information potentially exposed.”

The files potentially compromised had been prepared by employees to facilitate patient processing. The documents contained some personal health information, with fewer than 50 having their Social Security numbers compromised. Those individuals have been offered free credit monitoring services, as have employees whose sensitive data were potentially accessed.

The post Gastroenterology Consultants Notifies Patients About January 2021 Ransomware Attack appeared first on HIPAA Journal.

On May 31, 2021, UF Health Central Florida experienced a cyberattack that affected Leesburg Hospital and The Villages Hospital. The security breach was announced by UF Health within a few hours of the attack being detected, although at the time it was unclear whether any patient data had been compromised in the incident.

An investigation into the breach was conducted which determined the attackers had access to its computer network between May 29 and May 31, 2021, and while unauthorized access to patient data was not confirmed, UF Health has now reported that some patient data may have been accessible. The exposed data included names, addresses, dates of birth, Social Security numbers, health insurance information, medical record numbers and patient account numbers, and limited treatment information.

UF Health said its electronic medical records were not involved or accessed, and the breach did not affect its Gainesville or Jacksonville campuses. UF Health said it has no reason to believe any exposed data has been misused or disclosed; however, as a precaution against identity theft and fraud, affected individuals are being offered complimentary credit monitoring and identity theft protection services. UF Health said it is taking steps to prevent further attacks, including enhancing the security of its electronic systems and improving protections for sensitive data.

UF Health has not publicly disclosed whether the cyberattack involved ransomware, although some local media outlets have reported ransomware was involved and the attackers demanded a $5 million ransom.

Eskenazi Health Reports Attempted Ransomware Attack

Indianapolis, IN-based Eskenazi Health is dealing with an attempted ransomware attack. The attack occurred in the early hours of August 4, 2021 but Eskenazi Health said its monitoring systems functioned as they should and proactively shut down its network to contain the attack.

Eskenazi Health switched to emergency procedures and the decision was taken to divert ambulances to other facilities to ensure patient safety. Eskenazi Health is currently working to bring its systems back online. At this stage its monitoring systems suggest patient and employee data were not compromised in the attack.

Sandford Health Victim of Cyberattack

Sioux Falls, SD-based Sandford Health says it was the victim of an August 3, 2021 cyberattack which it is working to resolve.  Sanford President and CEO Bill Gassen confirmed its IT Team took aggressive measures in response to the attempted cyberattack and everything is being done to minimize disruption and providing exceptional care to patients remains its number one priority.

No further details have been released about the exact nature of the incident, but at this stage it does not appear that the information of patients, residents, or employees has been compromised. Leading IT security experts have been engaged and are assisting with the breach response and investigation and further information will be released as and when it becomes available.

The post UF Health Says PHI Potentially Compromised in May 2021 Cyberattack appeared first on HIPAA Journal.