HIPAA Breach News

U.S. Fertility Proposes $5.75 Million Settlement to Resolve Class Action Data Breach Lawsuit

US Fertility LLC, the operator of more than 100 fertility clinics across the United States, has proposed a $5.75 million settlement to resolve a class action lawsuit that was filed in response to a data breach that exposed the data of around 900,000 patients.

U.S. Fertility announced in November 2020 that hackers had gained access to its network and installed malware (ransomware) that rendered certain systems inaccessible. The breach was detected on September 14, 2020; however, the hackers first gained access to the network on August 12, 2020. Before encrypting files, the hackers exfiltrated sensitive patient data including names, addresses, dates of birth, MPI numbers, Social Security numbers, medical information, and financial information.

A class action lawsuit was filed that alleged U.S. Fertility was negligent by failing to implement reasonable and appropriate cybersecurity measures to protect highly sensitive patient data from unauthorized access. Had those measures been implemented, the breach could have been prevented or its severity would have been severely reduced. U.S. Fertility maintains there was no wrongdoing but decided to settle the lawsuit.

Under the settlement terms, all class members are entitled to a $50 cash payment. Class members whose data was stolen from a California clinic will be entitled to claim an additional cash payment of $200. Claims may also be submitted for up to 4 hours of lost time at $25 per hour, and unreimbursed out-of-pocket losses can be claimed and will be paid up to a maximum of $15,000 per claimant. Claims for reimbursement of losses must be supported by receipts, account statements, IRS documents, police reports, FTC reports, professional invoices, and other documentation. The cash payments may be reduced and paid pro-rata depending on the number of claims submitted.

Individuals who wish to object to the settlement or exclude themselves have until February 20, 2024, to do so. All claims must be submitted by March 19, 2024. The final settlement hearing has been scheduled for April 18, 2024.

The post U.S. Fertility Proposes $5.75 Million Settlement to Resolve Class Action Data Breach Lawsuit appeared first on HIPAA Journal.

Malicious Insider Incident at Montefiore Medical Center Results in $4.75 Million HIPAA Penalty

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced its first financial penalty of the year to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). Montefiore Medical Center has agreed to settle the investigation and has paid a $4.75 million penalty to resolve the alleged HIPAA violations. With this one penalty, OCR has already exceeded its total collections from its HIPAA enforcement actions in 2023 and this is the largest financial penalty to be imposed by OCR since January 2021’s $5.1 million penalty for Excellus Health Plan.

Like the Excellus investigation, OCR uncovered multiple failures to comply with the HIPAA Security Rule; however, the Excellus investigation was in response to a breach of the PHI of 9.35 million individuals. Montefiore Medical Center’s penalty stemmed from a report of a breach of the PHI of 12,517 patients. The scale of a data breach is taken into consideration by OCR when determining an appropriate penalty, but it is the nature of the underlying HIPAA violations that has the biggest impact on the size of a penalty, and Montefiore Medical Center’s HIPAA violations were deemed to be severe.

Montefiore Medical Center, a non-profit hospital system based in New York City, was notified by the New York Police Department in May 2015 that evidence had been uncovered of criminal HIPAA violations at the medical center. A patient’s protected health information had been stolen by an employee. An investigation was launched which revealed the employee had unlawfully accessed the medical records of 12,517 patients, copied their information, and sold the information to identity thieves. The former employee had been accessing the records without authorization for 6 months between January 1, 2013, through June 30, 2013.

Montefiore Medical Center notified OCR about the breach on July 22, 2015, and OCR informed Montefiore Medical Center on November 23, 2015, that it had initiated an investigation to assess whether the medical center was compliant with the HIPAA Rules. OCR determined that Montefiore Medical Center had failed to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI; failed to implement procedures to review records of activity in information systems, and failed to implement hardware, software, or procedural mechanisms to record and examine activity in information systems.

The insider incident investigated by OCR was not the last time that the medical center has had to deal with malicious insiders. There was an incident involving an employee accessing patient records without authorization between January 2018 and July 2020. The employee had accessed the records of 4,000 patients in connection with a vendor as part of a billing scam. In 2021, the medical center confirmed that another employee had accessed the medical records of patients without authorization over a period of 5 months in 2020. The Medical Center has since implemented a system to monitor patient records for unauthorized access by employees.

Montefiore Medical Center chose to settle the allegations with no admission of wrongdoing and agreed to implement a corrective action plan which includes the following requirements:

  • Conduct an accurate and thorough assessment of the potential security risks and vulnerabilities to the confidentiality, integrity, and availability of all of its ePHI.
  • Develop a written risk management plan or plans sufficient to address and mitigate any security risks and vulnerabilities identified in the risk analysis.
  • Develop and implement a plan to implement hardware, software, and/or procedural mechanisms that record and examine activity in all information systems that contain or use ePHI.
  • Distribute the revised policies and procedures to the workforce and provide training to the workforce on those revised policies and procedures.
  • Review and revise current Privacy and Security Rules policies and procedures based on the findings of the risk analysis.

OCR will monitor Montefiore Medical Center for compliance with the HIPAA Rules for 2 years. “Unfortunately, we are living in a time where cyber-attacks from malicious insiders are not uncommon. Now more than ever, the risks to patient protected health information cannot be overlooked and must be addressed swiftly and diligently,” said OCR Director Melanie Fontes Rainer. “This investigation and settlement with Montefiore are an example of how the health care sector can be severely targeted by cyber criminals and thieves—even within their own walls. Cyber-attacks do not discriminate based on organization size or stature, and it’s incumbent that our health care system follow the law to protect patient records.”

In the announcement about the settlement, OCR reminded HIPAA-regulated entities of their obligations under HIPAA to implement safeguards to mitigate or prevent cyber threats, including threats that originate inside as well as outside the organization. This settlement makes clear the consequences of failing to implement those safeguards.

The post Malicious Insider Incident at Montefiore Medical Center Results in $4.75 Million HIPAA Penalty appeared first on HIPAA Journal.

Des Moines Orthopaedic Surgeons Notifies Patients About February 2023 Data Breach

Des Moines Orthopaedic Surgeons (DMOS) in Iowa has recently notified 307,864 current and former patients that some of their protected health information (PHI) was exposed in a cyberattack almost a year ago. DMOS explained that the incident occurred on or around February 17, 2023, and allowed an unauthorized third party to access and/or remove files containing the PHI of DMOS patients. DMOS said the breach was due to the failure of one of its vendors.

DMOS said it immediately contained the threat and engaged third-party cybersecurity experts to investigate the incident to determine the extent of compromise. According to the notification letters, “DMOS devoted considerable time and effort to assessing the extent and scope of the incident and to determine what information may have been accessible to the unauthorized users.” It took 10 months to determine that patient data was present in the documents and records involved, with PHI exposure not confirmed until December 6, 2023.

The types of data involved included names along with one or more of the following: Social Security number, date of birth, driver’s license numbers, state identification numbers, passports, direct deposit bank information, medical information, and health insurance information. Notification letters were mailed on January 22, 2024, and individuals whose Social Security numbers were exposed have been offered complimentary credit monitoring and identity theft protection services.

Michigan Orthopaedic Surgeons Email Account Breach Affects 67,000 Patients

Michigan Orthopaedic Surgeons has recently notified 67,477 patients that some of their PHI was present in an email account that was accessed by unauthorized individuals. Suspicious activity was detected in the email account on or around June 29, 2023. A third-party forensic security company was engaged to investigate the incident and confirmed the email account had been accessed by an unauthorized individual between May 5, 2023, and June 21, 2023.

A comprehensive review of the account was initiated, and it was determined on October 20, 2023, that protected health information was present in the account. The types of information varied from individual to individual and may have included names in combination with one or more of the following: date of birth, Social Security number, financial account number, username and password, health insurance information, and medical information, such as diagnosis, lab results, and prescription information. Individual notifications were mailed on December 19, 2023, and complimentary credit monitoring services have been provided to the individuals who had their Social Security numbers exposed.

Prestige Care Suffers Ransomware Attack

Prestige Care, Inc., a Vancouver, WA-based senior care organization, has recently notified 38,087 individuals that some of their personal and protected health information was potentially accessed or acquired in a September 2023 ransomware attack. The attack was detected on September 7, 2023, with the investigation determining that malware had been installed that prevented access to certain files on its system. The investigation confirmed that the threat actor had access to files containing personal and health information on September 7.

The file review confirmed on December 18, 2023, that those files included names and Social Security numbers. Notification letters started to be sent to the affected individuals on January 31, 2024. Complimentary credit monitoring services have been offered for 12 months.

Bay Area Heart Center Impacted by Phishing Attack on Business Associate

Bay Area Heart Center in St. Petersburg, FL has confirmed that patient data was exposed in a cyberattack at the law firm Bowden Barlow Law, P.A., which Bay Area Heart Center uses for collections. An employee at the law firm responded to a phishing email, which provided the attacker with access to one of the law firm’s servers between November 17, 2023, and December 1, 2023. Bay Area Heart Center was notified about the breach on December 27, 2023.

The investigation found no evidence to suggest data had been downloaded, but data theft could not be ruled out. The exposed data included names, addresses, full and partial Social Security Numbers, dates of service, limited claims data, and insurance policy numbers. “Bay Area Heart Center takes this matter extremely seriously and is equally frustrated that its patient files were compromised by a third-party vendor,” explained the healthcare provider in its breach notice. “Given the potential impact this breach could have on patients, and in furtherance of its commitment to safety and security, the medical practice is currently reevaluating its partnership with Bowden Barlow Law.” Bay Area Heart Center said it has offered the affected individuals a one-year membership to a credit monitoring service.

Northern Light Health Says Patient Data Not Compromised in Cyberattack

On February 4, 2024, Northern Light Health in Brewer, ME, announced that it was forced to take its patient records system offline on February 3, 2024, after discovering certain computers had been compromised in a cyberattack.  Northern Light Health explained that none of the affected computers stored any patient data, and that the patient record system was taken offline while the incident was investigated. Northern Light Health said no third party has made contact demanding a ransom and the decision to take patient records offline was taken out of an abundance of caution. Downtime procedures were initiated immediately, and patient care was not disrupted.

Daily updates were provided on its website and on February 5, 2024, Northern Light Health said its medical record system was back online. The incident is still being investigated and there are still no indications that patient data was exposed.

The post Des Moines Orthopaedic Surgeons Notifies Patients About February 2023 Data Breach appeared first on HIPAA Journal.

ITRC: Data Compromises Reach All Time High in 2023

There was a huge increase in data compromises in 2023 but a fall in the number of individuals affected by those incidents, according to the Identity Theft Resource Center’s (ITRC) 2023 Data Breach Report. There was a 78% increase in publicly reported data compromises in 2023 with 3,205 incidents reported which is a 72% increase from the previous high-water mark of 1,860 data compromises that was set in 2021. The increase in incidents is staggering, as ITRC CEO Eva Velasquez explained. “Just the increase from the past record high to 2023’s number is larger than the annual number of events from 2005 until 2020 (except for 2017).”

Even with such a high percentage increase, the estimated number of individuals affected by data compromises fell by 16% year-over-year to 353,027,892 individuals. ITRC reports that there is a general downward trend in the number of individuals affected by data breaches as criminals are focusing on quality rather than quantity and are searching for specific information that can be used for identity-related fraud and scams rather than conducting mass attacks.

Healthcare Tops List for Most Data Compromises

The ITRC data show that healthcare leads all industries in terms of the number of reported compromises, as the industry has done for the past 5 years. In 2023 ITRC tracked 809 healthcare data compromises with around 56 million victims, up from 343 compromises the previous year and around 28 million victims. Financial services and transportation round out the top three and all three of those sectors reported more than twice the number of compromises as the previous year. Utilities topped the list in terms of victim count with 73 million victims, yet reported just 44 reported incidents. The companies worst affected by data compromises in 2023 were T-Mobile, which had a breach that affected an estimated 37 million customers, followed by Xfinity (36M) and PeopleConnect (20M).

It is not possible to provide a simple answer as to why data breach numbers fluctuate. “We must acknowledge the significant impact of supply chain attacks and the effect they have on all organizations,” said Velasquez. “A single supply chain attack can directly or indirectly impact hundreds or thousands of businesses that rely on the same vendor.” Since 2018, the number of organizations impacted by supply chain attacks has increased by a staggering 2,600% and the number of victims has increased to more than 54 million – 15% of the overall number of victims in 2023.

The Consumer Breach Reporting Framework is Broken

Velasquez believes that stronger reporting requirements are necessary to help warn other vulnerable businesses of the risk associated with a similar attack as well as increased due diligence when it comes to vendors and data protection. Another issue highlighted by Velasquez is the legislative framework that was implemented more than two decades ago to warn consumers about data breaches is simply not working. “A Supply Chain Attack victim from 2020 confirmed in 2023 what was suspected for years: Businesses under or non-report breaches,” said Velasquez.

Velasquez was referring to Blackbaud, which suffered a cyberattack in 2020 that affected millions of individuals. Blackbaud was investigated and settled the multistate action and paid a penalty of $49.5 million. The settlement agreement confirmed that Blackbaud notified around 13,000 customers that they had been affected, yet only 604 organizations filed public notices tracked by the ITRC. “We need to bring a level of uniformity to the breach notice process to help protect both consumers and business,” said Velasquez.

Cyberattacks topped the list of the most common attack vectors with 2,365 reported compromises, although across all industry sectors, ITRC reports that phishing attacks were down (438 incidents) as were ransomware attacks (246 incidents), although reports from cybersecurity companies suggest that ransomware attacks increased. Guidepoint Security’s recent ransomware report showed an 80% year-over-year increase in ransomware activity.

Over the past few years, there has been a trend of increasing opaqueness with data breach disclosures. ITRC said more than 1,400 public data breach notices did not contain information about the attack vector, and that number has almost doubled since 2022. It is not only the root cause of data breaches that is being withheld. The ITRC reports a growing trend in withholding other information such as victim counts. “Actionable notices, those containing victim counts and attack vector details, declined from 60% in 2022 to 54% in 2023,” explained the ITRC in the report.

Problems and Solutions

The increase in data compromises by financially motivated and Nation/State threat actors in 2023 is likely to drive new levels of identity theft and fraud in 2024, with the ITRC particularly concerned about impersonation and synthetic identity fraud. Criminals are likely to combine stolen data with generative AI which will lead to increasingly sophisticated phishing attacks and other forms of identity fraud and scams, although the biggest threat from generative AI will continue to be misinformation and disinformation.

The ITRC is calling for a uniform breach notice law, rather than the current patchwork of federal and state laws to bring uniformity to data breach notices and ensure that consumers are given the information they need to make an informed decision about the risk they face.  To better protect consumers from identity theft and fraud, the ITRC believes there is a clear need for the expansion of facial verification along with digital credentials. This would also help lower the overall value of compromised personally identifiable information to bad actors.

Given the increase in supply chain attacks, organizations need to conduct due diligence on vendors, and knowing the breach history of a company is an important aspect of assessing risk. The ITRC will soon be launching a due diligence and alert tool for businesses – Breach Alert for Business (BA4B) – that will help them comply with state and federal requirements for cyber risk assessments on vendors and better understand the risks within their supply chains.

The post ITRC: Data Compromises Reach All Time High in 2023 appeared first on HIPAA Journal.

Ann & Robert H. Lurie Children’s Hospital Responding to Cyberattack

On February 1, 2024, Ann & Robert H. Lurie Children’s Hospital in Chicago announced on its website and social media channels that it is responding to a cybersecurity incident and has been forced to take its network systems offline. The cyberattack has been reported to law enforcement agencies and Lurie Children’s is working collaboratively with those agencies and third-party cybersecurity experts to investigate the attack and bring network systems back online as soon as it is safe to do so.

The 360-bed acute care hospital is a leading provider of pediatric care in Illinois and one of the biggest children’s healthcare providers in the Midwest, serving 239,000 children each year. The cyberattack has disrupted normal operations and caused delays to medical care for certain patients, with ultrasound and CT scan results temporarily unavailable. Some appointments and elective procedures have been canceled to ensure patient safety. The hospital has confirmed that its emergency services are unaffected, and it is operating under a first-come, first-served approach and is prioritizing emergency patients.

The system-wide network outage has affected computers, Internet access, email, and phone lines at the main hospital, outpatient centers, and primary care offices. Lurie Children’s Hospital apologized for the inconvenience caused and said it is actively working to resolve the issue as soon as possible and is trying to minimize the disruption to patients as far as possible. Lurie Children’s has been working on establishing an emergency helpline to address patient families’ and community providers’ needs but it was not possible to provide a timeline for when normal operations will resume.

Little information has been disclosed so far about the nature of the attack. No ransomware groups appear to have claimed responsibility at this stage. Naturally, at such an early stage of the incident response, it is not possible to tell if any patient data has been stolen. Lurie Children’s will provide updates as the investigation progresses. Just a few days ago, another Chicago hospital confirmed that it had suffered a cyberattack. Saint Anthony Hospital fell victim to a LockBit ransomware attack in December. The LockBit group recently added the hospital to its data leak site as it sought payment of a $900,000 ransom and gave the hospital just 2 days to make payment to prevent the release of the stolen data.

The post Ann & Robert H. Lurie Children’s Hospital Responding to Cyberattack appeared first on HIPAA Journal.

LockBit Ransomware Gang Claims Responsibility for Attack on Saint Anthony Hospital

The LockBit ransomware gang has added Chicago’s Saint Anthony Hospital to its data leak site and is demanding a ransom payment of almost $900,000 from the nonprofit hospital to prevent the release of the stolen data. Earlier this week, Saint Anthony Hospital confirmed that it was still investigating the attack, which was detected on December 18, 2023. Saint Anthony Hospital took immediate action to secure its network to prevent further unauthorized access and an investigation was launched to determine the nature and scope of the unauthorized activity. The prompt action taken by the hospital in response to the attack allowed care to continue to be provided to patients without disruption.

The investigation confirmed on January 7, 2024, that an unknown, unauthorized third party had copied files from its network on December 18, 2023, which contained patient information. Those files are being reviewed to determine the number of patients affected and the types of information involved, and that process is ongoing. At this stage, Saint Anthony Hospital is unable to say how many individuals have been affected and the specific types of data involved. Individual notification letters will be mailed to the affected individuals when that process is completed.

While the theft of patient data has been confirmed, the forensic investigation did not find any evidence that its electronic medical record database or financial systems as a whole were compromised. Saint Anthony Hospital said that as part of its commitment to data privacy, existing data security policies and procedures are being reviewed and will be updated as appropriate to better protect patient data in the future.  The incident has been reported to the Federal Bureau of Investigation, Department of Health and Human Services, and other regulators. Since some patient data has been stolen, patients have been advised to remain vigilant against incidents of identity theft and should review their account and explanations of benefits statements for unusual activity, and report any suspicious activity to their insurance company, health care provider, or financial institution.

Since the notification was issued, the LockBit ransomware group added Saint Anthony Hospital to its data leak site. The LockBit group has previously claimed that it prohibits affiliates from attacking hospitals. Last year, an affiliate conducted an attack on Toronto’s Hospital for Sick Children (SickKids), which was promptly followed by an apology from the group, and a free decryptor was issued to allow the hospital to recover files for free, and the group claimed that the affiliate behind the attack had been kicked out of its program for violating its operating rules. The latest attack suggests its policy of not attacking hospitals has been canceled. In the listing on its data leak site, the LockBit group claimed that “Always US hospitals put their greedy interest over those of their patients and clients,” apparently oblivious to the fact that Saint Anthony Hospital is a nonprofit healthcare provider.

Saint Anthony Hospital has indicated the ransom will not be paid. “As a vital safety-net hospital to the people in the communities we serve, we are dedicated to using our resources to care for our community’s most vulnerable and not to rewarding the illegal actions of bad actors,” said CIO Jeff Eilers.

The post LockBit Ransomware Gang Claims Responsibility for Attack on Saint Anthony Hospital appeared first on HIPAA Journal.

Security Breaches in Healthcare in 2023

An unwanted record was set in 2023 with 725 large security breaches in healthcare reported to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), beating the record of 720 healthcare security breaches set the previous year. Aside from 2015, the number of reported security breaches in healthcare has increased every year although the rate of increase is slowing and 2024 could see the healthcare industry start to turn the corner.

As the chart shows, healthcare security breaches are occurring twice as often as in 2017/2018, with two large healthcare data breaches reported each day on average in 2023. Just a few years ago it was alarming that large healthcare data security breaches were being reported at a rate of one a day. Little did we know how bad the situation would get in such a short space of time.

The healthcare industry is struggling to deal with increasingly sophisticated cyberattacks, although in many incidents cyber threat actors have exploited vulnerabilities that should have been identified and addressed long before they were found and exploited by hackers. Many healthcare organizations are failing at basic security measures and are not consistently adhering to cybersecurity best practices due to budgetary pressures, difficulty recruiting and retaining skilled IT security professionals, and confusion about the most effective steps to take to improve resilience to cyber threats.

With healthcare data breaches increasing year-over-year, something needs to be done to help healthcare organizations improve resilience to cyber threats and action is now being taken at the state and federal levels. In December 2023, the HHS published a concept paper outlining plans to improve resilience to cyber threats across the sector and limit the severity of attacks when defenses are breached. In the paper, the HHS indicated it will be adopting a carrot-and-stick approach by developing voluntary Healthcare and Public Health (HPH) Sector Cybersecurity Goals (CPGs) that consist of cybersecurity measures that will have the greatest impact on security along with an update to the HIPAA Security Rule to add new cybersecurity requirements.

In January 2024, the CPGs were unveiled. They consist of Essential CPGs, which are high-impact, low-cost steps that healthcare organizations can take to improve cybersecurity, and a set of Enhanced CPGs to help healthcare organizations mature their cybersecurity programs. The HHS also hopes to obtain the necessary funding to help low-resourced healthcare delivery organizations cover the initial cost of the cybersecurity improvements in the Essential CPGs and to create an incentive scheme to encourage the adoption of the Enhanced CPGs.

In response to an alarming increase in cyberattacks on New York hospitals, New York Governor Kathy Hochul announced new cybersecurity measures had been proposed for New York hospitals, which are expected to be finalized in the first half of 2024. Hospitals in the state will be given a 1-year grace period to comply with the new requirements and funding has been set aside to help them cover the cost of making the necessary improvements.

It is not just the increasing number of data breaches that is a cause of concern it is the scale of these data breaches. 2023 was the worst-ever year for breached healthcare records with breached records increasing by 156% from 2022 to 133,068,542 breached records, beating the previous record of 113 million records set in 2015. In 2023, an average of 373,788 healthcare records were breached every day.

healthcare security breaches 2009-2023- records compromised

The total of 133 million records is also likely to significantly increase. To meet the breach reporting requirements of the HIPAA Breach Notification Rule, OCR must be notified within 60 days of the discovery of a data breach. When that deadline is near and breached organizations have not yet completed their document reviews to find out how many individuals have had their protected health information (PHI) exposed, breaches are reported to OCR using a placeholder of 500 or 501 records. The breached entity can then amend its OCR breach report when the number of affected individuals has been confirmed. Currently, 54 data breaches in 2023 are listed on the OCR breach portal as affecting 500 or 501 individuals. Some of these incidents have been reported by large healthcare providers, health plans, and business associates, so some of those breaches could involve hundreds of thousands or even millions of records.

Biggest Healthcare Security Breaches in 2023

Since several large healthcare organizations and major vendors have yet to confirm how many individuals have been affected by data breaches, the list of the biggest healthcare data breaches in 2023 is subject to change. Based on current figures, 114 data breaches of 100,000 or more records were reported in 2023, including 26 data breaches of more than 1 million records, 5 data breaches of more than 5 million records, and one breach of 11.27 million records. The average data breach size in 2023 was 183,543 records and the median data breach size was 5,175 records.

Name of Covered Entity State Covered Entity Type Individuals Affected Cause of Data Breach
HCA Healthcare TN Business Associate 11,270,000 Hackers accessed an external storage location that was used to automatically format emails
Perry Johnson & Associates, Inc., which does business as PJ&A NV Business Associate 8,952,212 Hackers access to its network between March 27, 2023, and May 2, 2023
Managed Care of North America (MCNA) GA Business Associate 8,861,076 Ransomware attack with data leak (LockBit ransomware group)
Welltok, Inc. CO Business Associate 8,493,379 MOVEit Transfer vulnerability exploited (Clop hacking group)
PharMerica Corporation KY Healthcare Provider 5,815,591 Ransomware attack with data leak (Money Message ransomware group)
HealthEC LLC NJ Business Associate 4,452,782 Hackers had access to its network between July 14, 2023, and July 23, 2023
Reventics, LLC FL Business Associate 4,212,823 Ransomware attack with data leak (Royal ransomware group)
Colorado Department of Health Care Policy & Financing CO Health Plan 4,091,794 MOVEit Transfer vulnerability exploited at a vendor (Clop hacking group)
Regal Medical Group, Lakeside Medical Organization, ADOC Acquisition, & Greater Covina Medical Group CA Healthcare Provider 3,388,856 Ransomware attack with data leak (Unspecified, Russia-based ransomware group)
CareSource OH Business Associate 3,180,537 MOVEit Transfer vulnerability exploited (Clop hacking group)
Cerebral, Inc DE Business Associate 3,179,835 Impermissible disclosure of PHI via Pixel tracking code on its website
NationsBenefits Holdings, LLC FL Business Associate 3,037,303 Fortra GoAnywhere MFT vulnerability exploited (Clop hacking group)
Maximus, Inc. VA Business Associate 2,781,617 MOVEit Transfer vulnerability exploited (Clop hacking group)
ESO Solutions, Inc. TX Business Associate 2,700,000 Ransomware attack (ransomware group unknown)
Harvard Pilgrim Health Care MA Health Plan 2,624,191 Ransomware attack (ransomware group unknown)
Enzo Clinical Labs, Inc. NY Healthcare Provider 2,470,000 Ransomware attack (ransomware group unknown)
Florida Health Sciences Center, Inc. dba Tampa General Hospital FL Healthcare Provider 2,430,920 Ransomware attack (Snatch and Nokoyawa groups claimed credit)
Postmeds, Inc. CA Healthcare Provider 2,364,359 Hackers hack access to its network between August 30, 2023, and September 1, 2023
Centers for Medicare & Medicaid Services MD Health Plan 2,342,357 MOVEit Transfer vulnerability exploited at Maximus Inc. (Clop hacking group)
Arietis Health, LLC FL Business Associate 1,975,066 MOVEit Transfer vulnerability exploited (Clop hacking group)
Pension Benefit Information, LLC MN Business Associate 1,866,694 MOVEit Transfer vulnerability exploited (Clop hacking group)
Performance Health Technology OR Business Associate 1,752,076 MOVEit Transfer vulnerability exploited (Clop hacking group)
Prospect Medical Holdings, Inc. CA Business Associate 1,309,096 Ransomware attack and data leak (Rhysida group unknown)
PurFoods, LLC IA Healthcare Provider 1,229,333 Hackers had access to its network between January 16, 2023, and February 22, 2023
Virginia Dept. of Medical Assistance Services VA Health Plan 1,229,333 Hacking incident – details unknown
Nuance Communications, Inc. MA Business Associate 1,225,054 MOVEit Transfer vulnerability exploited (Clop hacking group)

Causes of Cybersecurity Breaches in Healthcare in 2023

There has been a leveling off of security breaches in healthcare in the last three years after a sharp increase in hacking incidents between 2018 and 2021, with only a 0.69% year-over-year increase in large data breaches. The year included two major mass hacking incidents by the Clop hacking group that affected many healthcare organizations. Clop-linked threat actors exploited zero-day vulnerabilities in two file transfer solutions – Fortra’s GoAnywhere MFT and Progress Software’s MOVEit Transfer. The first of these mass hacking incidents occurred in January with the group exploiting a remote code execution flaw – CVE-2023-0669 – in GoAnywhere MFT to attack almost 130 organizations, including healthcare organizations and business associates.

The second mass hacking incident occurred in May and was far more extensive. A zero-day vulnerability was exploited in MOVEit Transfer and more than 2,470 organizations had data stolen from their MOVEit servers. Across those incidents, the data of more than 94 million individuals was stolen. Many healthcare providers and business associates were affected, and the top three worst affected companies were HIPAA-regulated entities – Maximus, Welltok, and Delta Dental of California and Affiliates.

As the graph below shows, hacking incidents continue to dominate the breach reports with almost four times as many hacking incidents reported in 2023 than all other breach causes combined. 578 of the year’s 725 breaches were due to hacking and other IT incidents. The sharp rise in hacking incidents in 2018 is linked to the widespread use of ransomware and the proliferation of ransomware-as-a-service (RaaS) groups, which allowed attacks to be conducted at scale by recruiting affiliates to breach networks and receive a cut of any ransoms generated.

Causes of healthcare security breaches

Data from the ransomware remediation firm Coveware shows ransomware attacks are becoming much less profitable, with fewer victims choosing to pay the ransom. In Q4, 2023, 29% of ransomware victims paid the ransom compared to 85% at the start of 2019.  In these attacks, ransomware groups steal vast amounts of sensitive data. If the ransom is not paid, the data is leaked or sold to other threat actors and is used for a multitude of nefarious purposes, but it is ransom payments that are the main source of income for these groups, and with fewer ransoms being paid, ransomware actors need to conduct more attacks to maintain their incomes.

The number of healthcare records stolen in hacking incidents has increased sharply in recent years. In 2023, more than 124 million records were compromised in healthcare hacking incidents which is 93.5% of the year’s total number of breached records. On average, 215,269 healthcare records were stolen in each hacking incident (median 73,623 records). The scale of some of these hacking incidents emphasizes the need for network segmentation to limit the data that can be accessed if networks are breached, and the importance of implementing a zero trust architecture. Zero trust assumes that adversaries have already breached ‘perimeter’ defenses and requires verification and validation of every stage of a digital interaction.

healthcare security breaches - records compromised

Aside from hacking incidents, there are several other types of security breaches in healthcare. There was a 10.4% increase in unauthorized access and disclosure incidents in 2023 and a 13.6% increase in impermissibly accessed or disclosed records. 127 Unauthorized access/disclosure incidents were reported in 2023 and 8,598,916 records were accessed or disclosed across those incidents. These HIPAA breaches may be smaller than the hacking incidents, averaging 67,708 records per incident (median 1,809 records), but they can be just as harmful.

Improper disposal incidents have remained consistently low over the past 5 years (5 incidents in 2023) apart from a spike during the pandemic in 2020, and there has been a marked decline in loss/theft incidents, of which there were only 15 incidents reported in 2023 – the lowest total of any year to date. The fall in these incidents can be explained by the widespread use of encryption on portable electronic devices and the migration of data to the cloud.

Given the high percentage of hacking incidents, the most common locations of breached PHI – network servers – should come as no surprise. In 2023, 69.8% of large data breaches involved network servers (506 incidents). Email was the next most common location of compromised PHI, accounting for 18.3% of breaches (133 incidents). While multifactor authentication does not provide complete protection against email account breaches, widespread adoption of phishing-resistant multifactor authentication will see email data breaches reduce dramatically. Multifactor authentication is one of the Essential HPH CPGs and one of the most important security measures to implement in 2024.

healthcare security breaches in 2023 - location of breached data

Healthcare Security Breaches at HIPAA-Regulated Entities

The HIPAA Breach Notification Rule requires all breaches of protected health information to be reported to OCR and individual notifications to be sent to the affected individuals within 60 days of the discovery of a data breach. When a data breach occurs at a business associate of a HIPAA-covered entity, the entity that reports the breach will be dictated by the terms of the business associate agreement. Business associates often self-report their data breaches to OCR, but their covered entities may choose to report the breach themselves, or a combination of the two. For instance, Maximus Inc. disclosed in an SEC filing that the data of between 8 million and 11 million individuals was compromised in its MOVEit Transfer hacking incident, but Maximus reported the breach to OCR as affecting 2,781,617 individuals. Several clients chose to report the breach themselves.

The OCR breach data shows data breaches by the reporting entity, and as such, using that data for analyses means business associate data breaches will be underrepresented. In the table below we show data breaches by reporting entity and the charts reflect where the breach actually occurred.

Healthcare Security Breaches in 2023 – Reporting Entity

Entity Type Data Breaches Records Breached Average Breach Size
Healthcare Provider 450 39,925,448 88,723
Business Associate 170 77,347,471 454,985
Health Plan 103 15,792,548 153,326
Healthcare Clearinghouse 2 3,075 1,538

Healthcare Security Breaches in 2023 – Location of Data Breach

The adjusted data shows healthcare providers suffered the most data breaches; however, data breaches at business associates were more severe, with more than 2.5 times as many records breached at business associates than at healthcare providers. The average size of a data breach at a healthcare provider was 89,983 records (median 5,354 records) whereas the average breach at a business associate was 338,394 records (median 5,314 records). 11 of the top 15 security breaches in healthcare in 2023 occurred at business associates of HIPAA-covered entities.

Securing the supply chain is one of the biggest cybersecurity challenges in healthcare. Healthcare organizations often outsource certain functions to specialist vendors and health systems often rely on dozens, if not hundreds, of different vendors, many of which require access to protected health information and every vendor used introduces risk. Healthcare organizations need to conduct due diligence on their vendors, including assessing their security controls. Before onboarding any new vendor it must be made abundantly clear what the business associate’s responsibilities are with respect to HIPAA, data security, and breach reporting.

Strengthening the security of the supply chain is labor-intensive and costly, and many healthcare organizations lack the appropriate resources to devote to vendor risk management, but vendor risk management failures can have significant ramifications. An inventory should be maintained on all vendors, including details of the business associate agreements, and data provided to each.  A risk assessment should be conducted before onboarding any vendor including an assessment of their security posture. If a vendor fails to meet the necessary cybersecurity requirements, then they should not be used. If there is no suitable alternative, then controls should be put in place to manage risk and reduce it to a low and acceptable level. While vendors may confirm that they have implemented reasonable and appropriate safeguards and data security policies and procedures, there are no guarantees that those policies and procedures will be followed and cybersecurity standards maintained. Conducting assessments of vendor security at intake is not sufficient. There should be ongoing reviews and audits of vendors and suppliers. If an organization lacks the personnel to handle this in-house, then third-party consultants should be engaged to assist with these processes. Third-party risk management requirements are included in both the Essential and Enhanced CPGs announced by the HHS in January 2024.

HIPAA Security Breaches Reported in All 50 States

No U.S. state was able to avoid a healthcare security breach in 2023. Data breaches of 500 or more records were reported in all 50 states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands. The states that experienced the most data breaches are the most heavily populated and have the highest number of HIPAA-regulated entities.

State Number of Data Breaches
California 80
New York 63
Texas 58
Pennsylvania 40
Massachusetts 39
Illinois 36
Florida 33
Georgia & New Jersey 21
Arizona & Minnesota 17
Connecticut, Maryland, Michigan & Ohio 16
Indiana, North Carolina & Tennessee 15
Virginia 14
Iowa 13
Kansas & Oregon 12
Washington 11
Kentucky, Missouri, Mississippi & Wisconsin 10
Colorado 9
Alabama 8
Utah 7
Arkansas, Oklahoma, and South Carolina 6
Alaska 5
Idaho, Louisiana, Maine, North Dakota & West Virginia 4
Delaware & New Mexico 3
Montana, Nebraska, New Hampshire & Nevada 2
Hawaii, Rhode Island, South Dakota, Vermont, Wyoming, District of Columbia, Puerto Rico & the U.S. Virgin Islands 1

HIPAA Enforcement Activity in 2023

In 2023, OCR announced 13 settlements with HIPAA-regulated entities to resolve allegations of HIPAA violations, a 40.9% reduction from the previous year. These investigations stemmed from reviews of HIPAA compliance in response to reported data breaches and investigations of complaints from patients and health plan members about potential HIPAA violations. While the number of financial penalties fell, the funds raised from OCR enforcement actions increased from $2,124,140 in 2022 to $4,176,500 in 2023.

Since 2019, the majority of penalties imposed by OCR resolved alleged violations of the HIPAA Right of Access. The HIPAA Right of Access requires individuals to be provided with a copy of their health records, on request, within 30 days of that request being received and they should only be charged a reasonable, cost-based fee for exercising that right if they are charged at all. Since OCR launched its HIPAA Right of Access enforcement initiative in the fall of 2019, 46 penalties have been imposed for HIPAA Right of Access violations, 4 of which were in 2023. This is a significant reduction from the 17 HIPAA Right of Access fines imposed in 2022.

Penalties were imposed for other HIPAA Privacy Rule violations in 2023, including one penalty for a lack of policies and procedures relating to access to PHI by employees and one penalty for the failure to obtain authorization from patients before disclosing their PHI to a reporter. Following the overturning of the penalty imposed on the University of Texas MD Anderson Cancer Center in 2018, OCR appears to have been reluctant to pursue financial penalties for Security Rule violations in all but the most egregious cases. In 2023, OCR imposed seven penalties to resolve potential violations of the HIPAA Security Rule.

Violations of several HIPAA Security Rule provisions were cited in these enforcement actions, with t6 of the 7 enforcement actions involving risk analysis failures. Another common violation was the failure to maintain and review logs of activity in information systems containing ePHI to identify unauthorized access. One of the penalties stemmed from a report of snooping on medical records by security guards, with OCR determining there was a failure to implement policies and procedures relating to HIPAA Security Rule compliance and a lack of HIPAA Privacy Rule training.

OCR Enforcement Actions in 2023 Resulting in Financial Penalties

HIPAA-Regulated Entity Penalty Amount Penalty Type Individuals Affected Reason for Penalty
LA Care Health Plan $1,300,000 Settlement 1,498 Risk analysis failure, insufficient security measures, insufficient reviews of records of information system activity, insufficient evaluations in response to environmental/operational changes, insufficient recording and examination of activity in information systems, and impermissible disclosure of PHI
Banner Health $1,250,000 Settlement 2.81 million Risk analysis failure, lack of reviews of information system activity, lack of verification of identity for access to PHI, and a lack of technical safeguards
Lafourche Medical Group $480,000 Settlement 34,862 No risk analysis prior to the 2021 phishing incident, and no procedures to regularly review logs of system activity prior to the incident
MedEvolve Inc. $350,000 Settlement 230,572 Risk analysis failure, lack of a business associate agreement, and an impermissible disclosure of PHI
Yakima Valley Memorial Hospital $240,000 Settlement 419 Lack of HIPAA Security Rule policies and procedures
Optum Medical Care $160,000 Settlement 6 Failure to provide individuals with timely access to their medical records
Doctors’ Management Services $100,000 Settlement 206,695 Risk analysis failure, lack of reviews of records of system activity, lack of policies/procedures to comply with the HIPAA Security Rule, and impermissible disclosure of PHI
UnitedHealthcare $80,000 Settlement 1 Failure to provide an individual with timely access to their medical records
St. Joseph’s Medical Center $80,000

 

Settlement 3 Disclosure of the PHI of patients to a reporter and a lack of HIPAA Privacy Rule training
iHealth Solutions (Advantum Health) $75,000

 

Settlement 267 Risk analysis failure and an impermissible disclosure of PHI
Manasa Health Center, LLC $30,000

 

Settlement 4 Impermissible PHI disclosure in response to online review
Life Hope Labs, LLC $16,500 Settlement 1 Failure to provide an individual with timely access to their medical records
David Mente, MA, LPC $15,000 Settlement 1 Failure to provide an individual with timely access to their medical records

Attorney General Penalties for HIPAA Violations in 2023

The was a major increase in enforcement actions by state attorneys general in 2023 in response to security breaches in healthcare, with 15 settlements reached with HIPAA-regulated entities to resolve violations of HIPAA and state consumer protection laws. In 2022 there were only three settlements with attorneys general to resolve HIPAA violations, four in 2021, and three in 2019. The majority of the penalties imposed in 2023 by state attorneys general resolved violations of the HIPAA Security Rule that were uncovered during data breach investigations. The majority of these cases involved a lack of reasonable and appropriate security measures such as multifactor authentication, access controls, encryption, security testing, data logging and monitoring, data retention, and up-to-date asset inventories.

Four settlements in 2023 came from multi-state actions. Since the entities concerned operated in multiple states, attorneys general pooled their resources and conducted joint investigations. The largest penalty of the year was imposed on Blackbaud and resolved multiple violations of the HIPAA Security Rule that contributed to a breach of the personal and protected health information of 5.5 million individuals. State attorneys general in Oregon, New Jersey, Florida & Pennsylvania joined forces in an investigation of a 2.1 million-record data breach at EyeMed Vision Care, and Pennsylvania & Ohio conducted a joint investigation of DNA Diagnostics Center over a 45,600-record data breach, both of which uncovered multiple HIPAA Security Rule failures.

32 states and Puerto Rico participated in an investigation of the Puerto Rican healthcare clearinghouse, practice management software, and electronic medical record provider Inmediata. HIPAA Security Rule failures were identified that led to a breach of the protected health information of more than 1.5 million individuals, followed by violations of the HIPAA Breach Notification Rule. California imposed a massive penalty on Kaiser Foundation Health Plan Foundation Inc. and Kaiser Foundation Hospitals. The case was resolved for $49 million and related to the improper disposal of PHI and hazardous waste, with the bulk of the settlement amount concerned with the latter.

State Attorney General HIPAA-Regulated Entity Penalty Amount Penalty Type Individuals Affected Reason for Penalty
49 States and the District of Columbia Blackbaud $49,500,000 Settlement 5,500,000 Failure to implement appropriate safeguards to ensure data security and breach response failures, which violated the HIPAA Security Rule, Breach Notification Rule, and state consumer protection laws
California Kaiser Foundation Health Plan Foundation Inc. and Kaiser Foundation Hospitals $49,000,000 Settlement 7,700 Violations of HIPAA for the improper disposal of PHI and violations of several state laws for the improper disposal of hazardous waste
Oregon, New Jersey, Florida & Pennsylvania EyeMed Vision Care $2,500,000 Settlement 2.1 million Lack of administrative, technical, and physical safeguards, and access control failures – use of the same password by several employees.
32 States and Puerto Rico Inmediata $1,400,000 Settlement 1,565,338 Failure to implement appropriate safeguards to ensure data security, failure to conduct a secure code review, and data breach notification failures
New York Practicefirst $550,000 Settlement 1.2 million Patch management failure, lack of encryption, and a lack of security testing.
New York U.S. Radiology Specialists Inc. $450,000 Settlement 198,260, including 92,540 New York residents Failure to upgrade hardware to address a known vulnerability
California Kaiser Permanente $450,000 Settlement Up to 167,095 individuals Mailing error that resulted in an impermissible disclosure of PHI, failure to promptly halt mailings when there was a known error and negligent maintenance or disposal of medical information
New York Healthplex $400,000 Settlement 89,955 (62,922 New York residents) Violation of New York’s data security and consumer protection laws (data retention/logging, MFA, data security assessments)
New York Personal Touch Holding Corp dba Personal Touch Home Care $350,000 Settlement 753,107 (316,845 New York residents) Only had an informal information security program, insufficient access controls, no continuous monitoring system, lack of encryption, and inadequate staff training
New York New York Presbyterian Hospital $300,000 Settlement 54,396 Violations of the HIPAA Privacy Rule and New York Executive Law due to the use of pixels on its website that transmitted PHI to third parties
Indiana Schneck Medical Center $250,000 Settlement 89,707 Failure to address known vulnerabilities in a timely manner and breach notification failures.
New York Heidell, Pittoni, Murphy & Bach LLP $200,000 Settlement 61,438 New York residents Widespread non-compliance with the HIPAA Security Rule – 17 HIPAA violations
Pennsylvania & Ohio DNA Diagnostics Center $400,000 Settlement 45,600 Lack of safeguards to detect and prevent unauthorized access, failure to update asset inventory, and disable/remove assets that were not used for business purposes.
Indiana CarePointe ENT $125,000 Settlement 48,742 Failure to correct known security issues in a reasonable time frame, lack of business associate agreement
Colorado Broomfield Skilled Nursing and Rehabilitation Center $60,000 ($25,000 suspended) Settlement 677 Violations of HIPAA data encryption requirements, violation of state data protection laws, and deceptive trading practices.

Outlook for 2024

It has been a particularly bad year for security breaches in healthcare with hacking incidents continuing to increase in number as well as severity. Cyber actors will continue to target the healthcare industry and with fewer victims paying ransoms, these attacks may even increase as ransomware actors attempt to maintain their incomes. In 2023 we saw increasingly aggressive tactics by ransomware groups including swatting attacks on patients when their healthcare provider refused to pay the ransom and these aggressive tactics look set to continue.

To reduce security breaches in healthcare, more must be done than achieving the minimum cybersecurity standards of the HIPAA Security Rule. If all healthcare organizations implemented the recently announced HHS Essential Cybersecurity Goals, there would be a marked reduction in healthcare cybersecurity breaches in 2024. In practice that will be difficult for many healthcare organizations due to limited budgets and a chronic shortage of skilled cybersecurity professionals; however, the HHS plans to make funding available to help cover the initial cost of security improvements and establish an incentive program for adopting the Enhanced Security Goals. These measures will go a long way toward raising the baseline level of cybersecurity in the healthcare industry and improving resilience to cyber threats.

Steve Alder, Editor-in-Chief, HIPAA Journal

The post Security Breaches in Healthcare in 2023 appeared first on HIPAA Journal.

Keenan & Associates Data Breach Affects More Than 1.5 Million Individuals

The Torrance, CA-based insurance broker Keenan & Associates has recently reported a cybersecurity incident to the Maine Attorney General that has affected 1,509,616 individuals. Keenan & Associates is part of AssuredPartners NL, one of the largest brokerage firms in the United States. The company has clients across a variety of industries, including healthcare, education, and the public sector.

The cybersecurity incident was detected on Sunday, August 27, 2023, when some of its network servers were disrupted. Action was immediately taken to contain the attack and isolate the affected network servers and third-party cybersecurity experts were engaged to investigate to determine the nature and scope of the unauthorized activity. The forensic investigation confirmed that there had been unauthorized access to its internal systems at various points between August 21, 2023, and August 27, 2023, and during that time, certain files were exfiltrated from its systems. Some of those files contained personal data provided by its clients along with some employee data. The review of those files confirmed they contained names in combination with one or more of the following: date of birth, Social Security number, passport number, driver’s license number, health insurance information, and general health information.

Keenan & Associates said additional security protocols have been implemented to enhance network, data, and system security, and its security measures will continue to be evaluated to determine if further steps need to be taken to harden cybersecurity defenses. The incident has also been reported to the Federal Bureau of Investigation (FBI) and Keenan & Associates has been assisting the FBI with its investigation.

While data theft was confirmed, Keenan & Associates is unaware of any actual or attempted misuse of the stolen data. As a precaution, affected individuals have been offered complimentary credit monitoring, identity theft protection, and identity theft resolution services. Keenan & Associates did not publicly disclose the names of the affected clients, so it is unclear at this stage whether the breach is reportable under the Health Insurance Portability and Accountability Act.

The post Keenan & Associates Data Breach Affects More Than 1.5 Million Individuals appeared first on HIPAA Journal.

314,000 Patients Affected by Cyberattack on CompleteCare Health Network

CompleteCare Health Network, a health system serving patients in southern New Jersey, has recently confirmed that the protected health information of 313,973 patients has potentially been compromised in an October 2023 ransomware attack.

An unauthorized third party gained access to certain CompleteCare Health Network computer systems and attempted to use ransomware to encrypt files. CompleteCare Health Network said this was a sophisticated ransomware attack that was detected and stopped on or around October 12, 2023. Third-party cybersecurity experts were engaged to investigate the attack and determine the nature of any unauthorized activity, and whether any patient data was involved. The substitute breach notice on the CompleteCare Health Network states, “Please know that we have taken steps to ensure your data will not be further published or distributed,” which appears to confirm that there was data exfiltration, the threat group behind the attack threatened to publish the data, and payment was made to prevent that outcome.

CompleteCare Health Network conducted a review of all files on the affected systems and confirmed they contained protected health information. The types of information involved varied from patient to patient and may have included names, phone numbers, addresses, and some sensitive personal information and/or personal health information. Notification letters started to be mailed to the affected individuals on December 15, 2023. Each individual notification letter states the exact types of data involved. CompleteCare Health Network said no reports have been received to indicate any actual or attempted misuse of patient data, but as a precaution, complimentary credit monitoring and identity theft protection services have been offered to the affected individuals.

“Data security is one of our highest priorities. Upon discovering the incident, we immediately took the affected systems offline and began the process of securing and confirming the fortification of our systems,” said a spokesperson for CompleteCare Health Network. Measures taken in response to the breach include revising policies and procedures and network security software, and reviewing how patient data are stored and managed. Since the attack, the network has been monitored 24/7 by third-party cybersecurity experts and CompleteCare Health Network has engaged leading cybersecurity firms to assist with monitoring its network for the long term.

The post 314,000 Patients Affected by Cyberattack on CompleteCare Health Network appeared first on HIPAA Journal.