HIPAA Breach News

Roper St. Francis Healthcare Faces Class Action Lawsuit Over Data Breach

Roper St. Francis Healthcare is facing a class action lawsuit over an October 2020 data breach in which patient data was allegedly stolen. The lawsuit alleges negligence for the failure to protect the private data of its patients.

Between October 14 and 29, 2020, unauthorized individuals gained access to the email accounts of three of its employees. Those accounts contained the protected health information of around 190,000 patients. PHI in the compromised email accounts included financial and medical information.

This was far from the only data breach to have affected Roper St. Francis Healthcare in the past 18 months. Prior to the October 2020 phishing attack, Roper St. Francis reported two data breaches in September: one was a phishing attack that affected 6,000 individuals, and the other was a ransomware attack on its vendor Blackbaud, which affected around 92,963 Roper St. Francis patients. Prior to those breaches, a breach was reported on January 29, 2010 as affecting 35,253 individuals.

According to the lawsuit, “At all relevant times, Roper knew the data it stored was vulnerable to cyberattack based upon these repeated and ongoing data breaches.”

The lawsuit, which was filed by The Richter Firm, The Solomon Law Group, Slotchiver & Slotchiver, LLC and Brent Souther Halversen, LLC, seeks economic and non-economic damages for the plaintiff and class members, compensatory, consequential, and actual damages, statutory and injunctive relief, punitive damages, and reimbursement for interest, costs, and reasonable attorneys’ fees.

“We merely seek to hold Roper accountable for its continued negligent actions in allowing these preventable data breaches from happening and to compensate current and former patients for the harm inflicted,” said Attorney Brent Halversen. “We seek to provide all patients whose private data was compromised credit monitoring services as partial compensation for the harm each has suffered, not just the handful that Roper thinks are the worst cases.”

The post Roper St. Francis Healthcare Faces Class Action Lawsuit Over Data Breach appeared first on HIPAA Journal.

PHI from Multiple Covered Entities Published on GitHub

Med-Data Inc. has confirmed that the protected health information of patients of several of its clients has been uploaded to the open-source software development hosting website GitHub, where it could have been accessed by unauthorized individuals.

The Spring, TX-based revenue cycle management services vendor assists healthcare providers and health plans by processing Medicaid eligibility, third party liability, workers’ compensation and patient billing. On December 10, 2020, Med-Data was notified by security researcher Jelle Ursem that some of its data had been discovered on GitHub. Dissent Doe of Databreaches.net provided a link to the uploaded data on December 14, 2020, according to the Med-Data breach notice.

An investigation was immediately launched, and it was determined that one of its employees had saved files containing protected health information to personal folders on GitHub Arctic Code Vault between December 2018 and September 2019. Med-Data said the files were removed from GitHub on December 17, 2020.

The files contained names, addresses, dates of birth, Social Security numbers, diagnoses, medical conditions, claims information, dates of service, subscriber IDs, medical procedure codes, provider names, and health insurance policy numbers. Med-Data notified all covered entities on February 8, 2020 and affected individuals were notified on March 31, 2021. All individuals affected have been offered complimentary credit monitoring and identity protection services through IDX.

To prevent similar breaches in the future, Med-Data has blocked the use of all file sharing websites, updated its internal data policies and procedures, implemented a security operations center, and deployed a managed detection and response solution.

The Department of Health and Human Services was notified about the breach on February 8, 2021; however, the breach has not yet been listed on the OCR breach portal, so it is unclear how many individuals have been affected. Covered entities that have confirmed they were affected include OSF HealthCare, UChicago Medicine, Aspirus, King’s Daughters’ Health System, SCL Health, and Memorial Hermann Health System.

While Med-Data has confirmed that the files have been deleted from GitHub, that does not necessarily mean that the information is now secured. The files were uploaded to the GitHub Arctic Code Vault, which is a public data repository used for long term archiving of files. The storage facility was developed to securely store data for up to 1,000 years. The storage facility involved saving data to physical storage media – hardened film – which was shipped to the GitHub Arctic Code Vault, located in a coal mine in Svalbard, Norway.

The films contain a huge volume of data which was current up until February 2nd, 2020, when the archive was finalized. Since Med-Data had the files removed from GitHub on December 17, 2020, it is probable that some of the data has also been stored on film and sent to the archive. Med-Data contacted GitHub and asked for the logs of the vault to determine if any of its data had been saved to the films and to arrange its removal, but it is unclear what happened after the request was made. “We do not know what transpired after that, although there had been some muttering that MedData might sue GitHub to get the logs,” explained Ursem and Doe in an April 1, 2020 report.

This is not the only GitHub data breach to be discovered by Jelle Ursem and Dissent Doe. They reported in August 2020 that the medical records of between 150,000 and 200,000 individuals had also been uploaded to GitHub and could have been accessed by anyone.


Ransomware Attack on Home Healthcare Service Provider Affects 753,000 Individuals

Personal Touch Holding Corp, a Lake Success, NY-based provider of home health services, is alerting 753,107 patients about a breach of their protected health information.

Personal Touch Holding Corp operates around 30 Personal Touch Home Care subsidiaries in more than half a dozen U.S. states. On January 27, 2021, Personal Touch discovered it was the victim of a cyberattack involving its private cloud hosted by its managed service providers. The attackers encrypted the cloud-stored business records of Personal Touch and 29 of its direct and indirect subsidiaries.

The investigation into the ransomware attack is ongoing. At this stage it is unclear to what extent individuals’ protected health information was compromised; however, it is possible that the attackers obtained data stored in its private cloud prior to the use of ransomware.

An analysis of its cloud environment revealed the following types of patient information may have been compromised in the attack: names, addresses, telephone numbers, dates of birth, Social Security numbers, financial information, including check copies, credit card numbers, bank account information, medical treatment information, health insurance card, health plan benefit numbers, and medical record numbers.

Employee information was also compromised, including names, contact information, dates of birth, Social Security numbers (including dependent and spouse Social Security numbers), driver’s license numbers, passport numbers, birth certificates, background and credit reports, demographic information, usernames and passwords used at the Company, personal email addresses, fingerprints, insurance cards, health and welfare plan benefit numbers, retirement benefits information, medical treatment information, check copies, and other financial information necessary for payroll.

Following the discovery of the breach, outside counsel was retained and independent forensics experts were engaged to assist with the investigation. The FBI has been alerted, along with state attorneys general and the HHS’ Office for Civil Rights. Personal Touch said it has now implemented advanced monitoring and alerting software.

This is the second ransomware attack to affect Personal Touch subsidiaries in a little over a year. In January 2020, Personal Touch announced that the protected health information of patients of 16 of its subsidiaries had been compromised in a ransomware attack on its cloud vendor, Crossroads Technologies. Crossroads Technologies hosted the Personal Touch cloud-based electronic health records. 156,400 medical records were compromised in that ransomware attack.


Lexington Medical Center and CalViva Health Affected by Third-Party Data Breaches

Wake Forest Baptist Health has announced an unauthorized individual gained access to the systems of one of its technology vendors between October 16 and October 28, 2020 and potentially viewed or acquired files containing the protected health information of certain patients of Lexington Medical Center in North Carolina.

The breach occurred at Healthgrades Operating Co. Inc., which provided the hospital with patient and community education on health matters and medical services. The exact nature of the breach was not disclosed.

No reports have been received to date to indicate any information was stolen and misused. The types of PHI potentially accessed include names, addresses, dates of birth, contact information, demographic information, medical treatment information, and Social Security numbers. The files contained PHI dated from mid-2010 to mid-2011.

All individuals whose PHI was potentially compromised in the attack were notified by mail on March 26, 2021 and have been offered complimentary credit monitoring and identity theft protection services.

It is currently unclear how many individuals have been affected by the breach. This post will be updated when further information is known.

CalViva Health Members Affected by Accellion Ransomware Attack

The protected health information of certain members of Fresno, CA-based CalViva Health has been compromised in a cyberattack at a third-party vendor. The individuals behind the attack may have accessed or downloaded sensitive files, although there are no indications at this stage that any sensitive information has been misused.

The vendor was Health Net Community Solutions, and its file transfer solution was provided by Accellion, which suffered a ransomware attack in which customers’ files were stolen. The attackers had access to data in the solution from January 7 to January 25, 2021.

As is common in manual ransomware attacks, the attackers released a sample of the stolen data on their leak site to encourage payment of the ransom. It is unclear if any of that information relates to CalViva Health members.

Health Net has since removed all files relating to CalViva members from the Accellion file transfer system and has now stopped using Accellion’s file transfer services.

CalViva Health has advised all affected members to monitor their statements and explanation of benefits statements for signs of fraudulent activity. As a precaution against identity theft and fraud, all affected individuals have been offered a membership to credit monitoring and identity theft services for one year at no cost.


University of Miami Health and Mott Community College Data Compromised in Ransomware Attacks

The protected health information of patients of University of Miami Health has been obtained by unauthorized individuals in a ransomware attack on the file transfer service provider Accellion.

University of Miami Health used Accellion’s file transfer technology for sharing files that were too large to send via email. The University of Miami said the Accellion solution was only used by a small number of individuals at the university and prompt action was taken to contain the incident. The university has since stopped using Accellion’s file transfer services.

The investigation into the attack is ongoing and the analysis of the files that were obtained or potentially compromised in the attack has not yet been completed, so it is not yet known exactly how many individuals have been affected.

The University of Miami does not believe any of its systems were compromised in the attack with the breach believed to be limited to files sent or received through Accellion’s file transfer solution.

The gang behind the attack demanded a $10 million ransom for the keys to decrypt data and avoid having data published online or sold on dark web marketplaces. Some of the data stolen in the attack has already been posted on the gang’s leak site, including some data relating to patients of University of Miami Health.

The University of Miami was one of several Accellion customers to be affected by the breach, including the University of Colorado, Kroger, Centene, Arizona Complete Health, and Shell Oil.

1,612 Dental Plan Members Affected by Mott Community College Ransomware Attack

Mott Community College has notified 1,612 individuals that files containing their protected health information were obtained by unauthorized individuals prior to the use of ransomware on its systems.

When the attack was discovered, a third-party cybersecurity firm was engaged to assist with the investigation to determine the extent of the security breach. The analysis revealed attackers gained access to its network on November 27, 2020 and access remained possible until January 9, 2021.

On January 23, 2021 Mott Community College discovered that sensitive data had been exfiltrated by the attackers prior to the use of ransomware, and that some of the files related to individuals covered under its self-insured dental plan. A review of those files confirmed they included names, dates of birth, and dental plan enrollment and claims information for individuals covered by the dental plan in 2014-2015, and 2019.

Notification letters were sent to all individuals affected starting on March 24, 2021. While data exfiltration was confirmed, it does not mean the contents of the files were viewed, misused, or further disclosed. Mott Community College has now implemented additional safeguards and technical security measures to prevent any further attacks, including multifactor authentication for all network and email access and additional password requirements.


New Jersey Plastic Surgery Practice Pays $30K to OCR to Settle HIPAA Right of Access Case

The HHS’ Office for Civil Rights has announced a settlement has been reached with Ridgewood, NJ-based Village Plastic Surgery to resolve potential violations of the HIPAA Right of Access. Under the terms of the settlement, Village Plastic Surgery will pay a $30,000 penalty and will adopt a corrective action plan that requires policies and procedures to be implemented related to access to protected health information (PHI). OCR will also monitor Village Plastic Surgery for compliance for 2 years.

OCR launched an investigation into Village Plastic Surgery following receipt of a complaint from a patient of the practice on September 7, 2019. The patient had requested a copy of the medical records held by the plastic surgery practice but had not been provided with those records within the maximum time allowed by the HIPAA Privacy Rule. OCR intervened and, during the course of its investigation, Village Plastic Surgery did not provide the patient with the requested records.

OCR investigators determined that the delay in providing the records, which exceeded the 30 allowed days for acting on patient requests for their medical records, was in violation of the HIPAA Right of Access, as detailed in 45 C.F.R. § 164.524. As a result of OCR’s intervention, the patient did receive a copy of the requested records. The case was settled by Village Plastic Surgery with no admission of liability.

“OCR’s Right of Access Initiative continues to support and enforce individuals’ vital right to receive copies of their medical records in a timely manner,” said Acting OCR Director Robinsue Frohboese. “Covered entities must comply with their HIPAA obligations and OCR will take appropriate remedial actions if they do not.”

This is the 18th financial penalty to be imposed by OCR to resolve violations of the HIPAA Right of Access under its Right of Access enforcement initiative that was launched in late 2019. This is the 6th HIPAA penalty to be imposed in 2021, and the 5th to resolve a HIPAA Right of Access violation.


SalusCare Takes Legal Action Against Amazon to Obtain AWS Audit Logs to Investigate Data Breach

SalusCare, a provider of behavioral healthcare services in Southwest Florida, experienced a cyberattack in March that saw patient and employee data exfiltrated from its systems. The exact method used to gain access to its servers has not been confirmed, although the cyberattack is believed to have started with a phishing email that was used to deliver malware. The malware was used to exfiltrate its entire database to an Amazon AWS storage account.

The attack occurred on March 16, 2021 and the investigation into the breach established that the attacker, an individual who appeared to be based in Ukraine, gained access to its Microsoft 365 environment, downloaded sensitive data, and uploaded the stolen data to two Amazon S3 storage buckets.

Amazon was notified about the illegal activity and it suspended access to the S3 buckets to stop the attacker accessing the stolen data. SalusCare requested access to the audit logs, which it requires to continue to investigate the breach and determine exactly what data was stolen. SalusCare also wants to make sure that the suspension is permanent and will not be lifted by Amazon.

The S3 buckets may have been used to store SalusCare data, but Amazon will not voluntarily provide copies of audit logs or a copy of the data stored in the S3 buckets as they do not belong to SalusCare. The two S3 buckets are understood to include almost 86,000 files that were stolen in the attack.

To get access to the audit logs and data, SalusCare filed a lawsuit in federal court seeking injunctive relief under Florida’s Computer Abuse and Recovery Act. SalusCare seeks a ruling that will compel Amazon to provide the audit logs and a copy of the content of the two S3 buckets. SalusCare also wants the courts to order Amazon to make the suspension of access permanent to prevent the attacker from accessing the data or copying the stolen information to another online storage service. SalusCare has also sued the individual behind the attacks – John Doe.

The lawsuit argued that the data stolen in the attack and hosted by Amazon is extremely sensitive and could be used to commit identity theft, could be sold by the hacker on darknet marketplaces, or leaked to the public.

“The files contain extremely personal and sensitive records of patients’ psychiatric and addiction counseling and treatment,” explained SalusCare in its petition to the U.S. District Court in Fort Myers. “The files also contain sensitive financial information such as social security numbers and credit card numbers of SalusCare patients and employees.”

The lawsuit requests that after Amazon provides a copy of the data and audit logs to SalusCare the S3 buckets should be purged to prevent any further unauthorized access.

Amazon did not oppose any injunctive relief sought by SalusCare and The News-Press reports that a District Court federal judge granted the requests on March 25, 2021.


Cancer Treatment Centers of America Announces 105,000-Record Data Breach

Cancer Treatment Centers of America is alerting 104,808 patients of its Midwestern Regional Medical Center that some of their protected health information was contained in an email account that was accessed by an unauthorized individual.

Suspicious activity was identified in a CTCA account holder’s account on January 18, 2021. The account was immediately secured to prevent further unauthorized access and a third-party forensics firm was engaged to assist with the investigation and determine the nature and scope of the breach.

The investigation revealed the email account was accessed on January 12, 2021 and access remained possible until January 18 when a password reset was performed. It was not possible to confirm which emails, if any, were accessed, nor was it possible to rule out data theft.

A review of the compromised account revealed it contained patient names, health insurance information, medical record numbers, CTCA account numbers, and limited medical information. No financial information or Social Security numbers were compromised.

CTCA has implemented additional security measures to prevent further breaches and additional security enhancements are being evaluated. Notifications were sent to affected individuals on March 18, 2021.

Vendor Breach Affects More than 9,000 Insulet Patients

The Acton, MA-based medical device company Insulet Corporation is alerting 9,050 patients about a data breach at an online customer training vendor – Cornerstone On-Demand.

Insulet was notified around January 19, 2020 that an unauthorized individual had gained access to Cornerstone’s systems on January 13, 2021 and potentially downloaded data that included the protected health information of Insulet patients.

Data stored on the compromised system included names, email addresses, Insulet customer training records, and online course information. When Cornerstone identified the breach, its systems were immediately secured to prevent further unauthorized access. Additional security measures have since been implemented to prevent further attacks. Insulet said it has begun transitioning to a new online training vendor and will order Cornerstone to delete all its data once the transition has been completed.


Misconfiguration Resulted in Exposure of the PHI of 65,000 Mobile Anesthesiologists Patients

Mobile Anesthesiologists has recently discovered a limited amount of patients’ protected health information (PHI) has been exposed due to a technical misconfiguration. The error was determined to have occurred prior to December 14, 2020, and made PHI such as names, health insurance information, date of service, medical procedure, and dates of birth publicly accessible.

An investigation into the error was concluded on January 28, 2021 and confirmed that the PHI of 65,403 individuals had been exposed. While the PHI could potentially have been accessed by unauthorized individuals, no evidence of unauthorized data access or PHI misuse was discovered. Affected individuals were notified by mail starting March 10, 2021.

Haven Behavioral Healthcare Announces Breach of Systems Containing Patient Data

Nashville, TN-based Haven Behavioral Healthcare has announced that unauthorized individuals gained access to parts of its network that contained the protected health information of patients. The breach was detected on or around September 27, 2020. An investigation was immediately launched, and third-party cybersecurity experts were engaged to determine the nature and scope of the breach.

The investigation revealed its systems were subjected to unauthorized access between September 24 and September 27, 2020 and, on January 27, 2021, it was determined files on those systems contained patient information. A review of the files was completed on March 11, 2021 and notification letters started to be sent on March 23, 2021.

While the files were accessible, the investigation was unable to determine if the files were accessed. It is currently unclear which hospitals and how many patients have been affected.

Email Error Results in Unauthorized Disclosure of Heart of Texas Community Health Center Patients

Heart of Texas Community Health Center has discovered the protected health information of a limited number of patients has been exposed.

An email containing patient data was sent to individuals authorized to view the information, but it was sent to an account outside the protection of the firewall, so it could potentially have been intercepted, as the email was not encrypted.

The email only included an email address and indicated the email account holder was overdue a pap smear. No names or other information were included in the email. The email only related to female patients aged 21 to 65 who were seen at a Heart of Texas Community Health Center site between September and December 2020.

No reports have been received to indicate the email was intercepted or otherwise accessed by unauthorized individuals.
