HIPAA Breach News

Massachusetts Mental Health Clinic Settles HIPAA Right of Access Case for $65,000

Arbour Hospital, a mental health clinic in Boston, MA, has settled a HIPAA Right of Access investigation with the HHS’ Office for Civil Rights (OCR) and has agreed to pay a $65,000 penalty.

OCR was informed about a potential violation of the HIPAA Right of Access on July 5, 2019. A patient of Arbour Hospital alleged he had requested a copy of his medical records from the hospital on May 7, 2019 but had not been provided with those records within two months.

When a healthcare provider receives a request from a patient who wishes to exercise their HIPAA Privacy Rule right to obtain a copy of their healthcare records, a copy of those records must be provided as soon as possible and no later than 30 days after the request is received. A 30-day extension is possible in cases where records are stored offsite or are otherwise not easily accessible. In such cases, the patient requesting the records must be informed about the extension in writing within 30 days and be provided with the reason for the delay.

OCR contacted Arbour Hospital and provided technical assistance on the HIPAA Right of Access on July 22, 2019 and the complaint was closed. The patient then submitted a second complaint to OCR on July 28, 2019 when his medical records had still not been provided. The records were eventually provided to the patient on November 1, 2019, almost 6 months after the written request was submitted and more than 3 months after OCR provided technical assistance on the HIPAA Right of Access.

OCR determined the failure to respond to a written, signed medical record request from a patient in a timely manner was in violation of the HIPAA Right of Access – 45 C.F.R. § 164.524(b). In addition to the financial penalty, Arbour Hospital is required to adopt a corrective action plan that involves implementing policies and procedures for patient record access and providing training to the workforce. Arbour Hospital will also be monitored by OCR for compliance for 1 year.

“Health care providers have a duty to provide their patients with timely access to their own health records, and OCR will hold providers accountable to this obligation so that patients can exercise their rights and get needed health information to be active participants in their health care,” said Acting OCR Director Robinsue Frohboese.

The HIPAA Right of Access enforcement initiative was launched in late 2019 to ensure patients are provided with timely access to their medical records at a reasonable cost. This is the sixteenth financial penalty to be paid to OCR to resolve HIPAA Right of Access violations under this enforcement initiative and the 4th HIPAA Right of Access settlement to be announced in 2021.

The post Massachusetts Mental Health Clinic Settles HIPAA Right of Access Case for $65,000 appeared first on HIPAA Journal.

Hospice CEO Pleads Guilty to Falsifying Healthcare Claims and Inappropriate Medical Record Access

The former CEO of Novus and Optimum Health Services, which operates two hospices in Texas, has pleaded guilty in a fraud case that saw Medicare and Medicaid defrauded out of tens of millions of dollars through the submission of falsified health care claims.

Prerak Shah, Acting U.S. Attorney for the Northern District of Texas, recently announced that Bradley Harris, 39, pleaded guilty to conspiracy to commit healthcare fraud and healthcare fraud and is now awaiting sentencing.

In addition to defrauding federal healthcare programs out of tens of millions of dollars, the actions of Harris resulted in vulnerable patients being denied the medical oversight they deserved, saw prescriptions for pain medication written without physician input for his financial benefit, and allowed terminally ill patients to go unexamined.

Harris admitted billing Medicare and Medicaid for hospice services between 2012 and 2016 that were not provided, were not directed by a medical professional, or were provided to individuals who were not eligible for hospice services. Harris also admitted to using blank, pre-signed prescriptions for controlled substances and providing the drugs without any involvement from physicians.

Two coconspirators – Dr. Mark Gibbs and Dr. Laila Hirjee – were paid $150 for each false order they signed and would regularly certify that hospice patients had terminal illnesses with a life expectancy of 6 months or less, without having conducted any examinations. Dr. Gibbs, Dr. Hirjee, and a third physician, Dr. Charles Leach, provided blank prescriptions for controlled substances which allowed Harris to prescribe Schedule II controlled substances to Medicare and Medicaid beneficiaries in the hospice without guidance from a medical professional.

Harris also violated the Health Insurance Portability and Accountability Act (HIPAA) Rules when he accessed the medical records of patients to identify individuals who could be contacted and offered Novus hospice services. In the summer of 2014, Harris negotiated an agreement with Express Medical which allowed him to access the medical records of potential patients in return for using the company for lab services and home health visits. Previous patients of Express Medical were then contacted by Harris’s wife and other hospice staff to recruit them, regardless of whether they were actually eligible for hospice services. This allowed Harris to recruit new hospice patients to avoid exceeding Medicare’s aggregate hospice cap.

The HHS’ Centers for Medicare and Medicaid Services received multiple reports of potential fraud and suspended Novus; however, Harris then transferred patients from Novus to a new hospice company, which then transferred reimbursements for hospice services back to Novus. Dr. Gibbs was registered as the medical director of the new hospice company.

Harris is scheduled to be sentenced on August 3, 2021 and faces up to 14 years in jail. The trial of Dr. Gibbs, Dr. Hirjee and two other coconspirators is scheduled for April 5, 2021. Ten codefendants have already pleaded guilty and are awaiting sentencing for their roles in the scam. Dr. Charles Leach previously pleaded guilty to one count of conspiracy to commit healthcare fraud in 2018, for his role in the $60 million fraud case. According to court documents, the blank prescriptions Dr. Leach signed were used to obtain controlled substances, high doses of which were then administered to patients by nurses to hasten their deaths.

“The Justice Department cannot allow unscrupulous business people to interfere with the practice of medicine. We are determined to root out healthcare fraud,” said Acting U.S. Attorney Prerak Shah. “We will continue to work tirelessly with our state and federal partners to hold those who commit health care fraud accountable and seek justice for patients that are harmed in furtherance of fraud schemes,” said FBI Dallas Special Agent in Charge Matthew DeSarno.


California Department of State Hospitals Discovers Unauthorized Data Copying by IT Employee

The Department of State Hospitals (DSH) in California has discovered an employee accessed the protected health information (PHI) of 1,415 current/former patients and 617 employees without authorization.

The individual had an Information Technology role and had access to data servers containing sensitive patient and employee information in order to complete work duties. The improper access was discovered by DSH on February 25, 2021 during a routine annual review of access to data folders.

An investigation was immediately launched which revealed the employee had been accessing data without authorization for around 10 months. Files containing names, COVID-19 test results, and other health information necessary for tracking COVID-19 were copied directly from the server. The investigation into the privacy breach is ongoing and the employee has been placed on administrative leave pending completion of the investigation. So far, the investigation has not uncovered any evidence to suggest the copied data has been misused or disclosed to any other individual.

DSH explained that safeguards were in place to identify unauthorized PHI access, but since the actions of the employee were identical to legitimate access, the unauthorized access was not identified when it happened and was only discovered during the annual review.

“It appears that the employee used the access they were provided in order to perform their normal job duties to go directly into the server, copy files containing patient, former patient, and employee names, COVID-19 test results, and related health information without any apparent connection to their job duties, indicating a high probability of unauthorized access,” explained DSH in its data breach FAQs. It is currently unclear whether this was an intentional breach.

Steps have since been taken to prevent similar incidents in the future, including changing policies and procedures, limiting access to servers containing PHI, and improving logging and reviews of data activity. Automated detection of files containing PHI being copied to non-standard locations has also been improved.

Mendelson Kornblum Orthopedic and Spine Specialists Discovers Vulnerable Server Containing 28,658 Patients’ PHI

Mendelson Kornblum Orthopedic and Spine Specialists has recently announced that the protected health information of 28,658 patients has been exposed and may have been accessed by unauthorized individuals.

On January 5, 2021, the practice discovered one of its servers was “vulnerable to viewing by unauthorized third parties.” The server contained information such as patient names, medical record numbers, dates of birth, sex of patients, and information relating to medical images, such as the date/time the image was taken, image number, and the name of the body part that was imaged.

No medical images were accessible, nor highly sensitive information such as Social Security numbers, health insurance information, diagnosis/treatment information, or financial information.

While the server was vulnerable to third party access, the investigation did not uncover evidence of any misuse of patient data. Steps have since been taken to prevent similar incidents in the future.

Eyemart Express Alerts Patients to Email Account Breach

Farmers Branch, TX-based Eyemart Express has discovered an unauthorized individual has accessed the email accounts of certain employees and potentially viewed or obtained patients’ protected health information. The breach was discovered on December 11, 2020 and steps were immediately taken to prevent further unauthorized access.

The investigation confirmed the breach started on August 21, 2020 and was limited to email accounts. No internal systems were affected. A comprehensive review of the affected email accounts revealed they contained information such as names, e-mail addresses, and the subject lines of email communications between Eyemart Express and the affected customers. Only a small percentage of its patients have been affected and they have now been notified.


February 2021 Healthcare Data Breach Report

There was a 40.63% increase in reported data breaches of 500 or more healthcare records in February 2021. 45 data breaches were reported to the Department of Health and Human Services’ Office for Civil Rights by healthcare providers, health plans and their business associates in February, the majority of which were hacking incidents.

[Chart: Healthcare Data Breaches Past 12 Months]

After two consecutive months where more than 4 million records were breached each month there was a 72.35% fall in the number of breached records. 1,234,943 records were exposed, impermissibly disclosed, or stolen across the 45 breaches.

[Chart: Healthcare Records Breached Past 12 Months]

Largest Healthcare Data Breaches Reported in February 2021

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Cause of Breach |
|---|---|---|---|---|---|
| The Kroger Co. | OH | Healthcare Provider | 368,100 | Hacking/IT Incident | Ransomware |
| BW Homecare Holdings, LLC (Elara Caring single affiliated covered entity) | TX | Healthcare Provider | 100,487 | Hacking/IT Incident | Phishing |
| RF EYE PC dba Cochise Eye and Laser | AZ | Healthcare Provider | 100,000 | Hacking/IT Incident | Ransomware |
| Gore Medical Management, LLC | GA | Healthcare Provider | 79,100 | Hacking/IT Incident | Hacking incident |
| Summit Behavioral Healthcare | TN | Healthcare Provider | 70,822 | Unauthorized Access/Disclosure | Phishing |
| Humana Inc | KY | Health Plan | 62,950 | Unauthorized Access/Disclosure | Subcontractor shared PHI without consent |
| Nevada Orthopedic & Spine Center | NV | Healthcare Provider | 50,000 | Hacking/IT Incident | Unconfirmed |
| Fisher Titus Health, Inc. | OH | Health Plan | 49,636 | Hacking/IT Incident | Phishing |
| Covenant HealthCare | MI | Healthcare Provider | 47,178 | Hacking/IT Incident | Phishing |
| UPMC | PA | Healthcare Provider | 36,086 | Hacking/IT Incident | Phishing attack on BA |
| Grand River Medical Group | IA | Healthcare Provider | 34,000 | Hacking/IT Incident | Phishing |
| AllyAlign Health, Inc. | VA | Health Plan | 33,932 | Hacking/IT Incident | Ransomware |
| Harvard Eye Associates | CA | Business Associate | 29,982 | Hacking/IT Incident | Ransomware attack on BA |
| Texas Spine Consultants, LLP | TX | Healthcare Provider | 25,728 | Unauthorized Access/Disclosure | Unconfirmed |
| UPMC Health Plan | PA | Health Plan | 19,000 | Hacking/IT Incident | Phishing attack on BA |

Causes of February 2021 Healthcare Data Breaches

Three breaches of more than 100,000 records were reported in February. The largest healthcare data breach of the month was reported by Kroger, an Ohio-based chain of supermarkets and pharmacies. The breach was due to a CLOP ransomware attack on a vendor – Accellion – that resulted in the theft of the protected health information of 368,100 of its customers. Kroger was one of several HIPAA-covered entities to be affected by the breach.

Elara Caring, one of the nation’s largest providers of home-based care, announced that several employee email accounts containing protected health information had been accessed by unauthorized individuals as a result of responses to phishing emails. Cochise Eye and Laser was also the victim of a ransomware attack in which the protected health information of 100,000 individuals was potentially stolen.

[Chart: February 2021 Healthcare Data Breaches - Causes]

Phishing attacks were the most common cause of data breaches in February, with network server incidents a close second. These mostly involved hacking and the deployment of malware or ransomware. Hacking incidents accounted for 71.1% of the month’s breaches and 85.7% of all records breached in the month. The average size of a hacking breach was 30,239 records and the median breach size was 8,849 records.

There were 10 unauthorized access/disclosure incidents reported in February involving 172,799 records. The average breach size was 17,280 records and the median breach size was 2,497 records. There were 2 theft incidents and 1 loss incident reported, involving a total of 3,773 records; all three involved paper records.

[Chart: February 2021 Healthcare Data Breaches - Location of breached PHI]

Entities Reporting Healthcare Data Breaches in February 2021

Healthcare providers were the worst affected covered entity type in February, with 35 breaches reported. There were 5 breaches reported by health plans and 5 reported by business associates of HIPAA-covered entities. A further 5 breaches were reported by the covered entity but had some business associate involvement.

[Chart: Entities affected by February 2021 healthcare data breaches]

Healthcare Data Breaches by State

Healthcare data breaches of 500 or more records were reported in 20 states in February 2021. The worst affected states were California and Texas with six breaches reported in each state. 5 entities in Pennsylvania reported breaches, there were 4 breaches reported in Florida and Michigan, 2 in each of North Carolina, Nevada, Ohio, Tennessee, and Virginia, and 1 in each of Arizona, Colorado, Georgia, Iowa, Kentucky, Louisiana, Minnesota, North Dakota, Utah, and Wyoming.

HIPAA Enforcement Activity in February 2021

In February, the HHS’ Office for Civil Rights announced two settlements had been reached with HIPAA-covered entities to resolve potential violations of the HIPAA Rules. Both enforcement actions were in response to complaints from patients who had not been provided with timely access to their medical records.

OCR launched a new enforcement initiative in late 2019 targeting healthcare providers who were not complying with the HIPAA Right of Access provision of the HIPAA Privacy Rule. Three Right of Access enforcement actions have resulted in settlements so far in 2021, with the latest two bringing the total number of settlements under this enforcement initiative to 16.

Sharp HealthCare settled its case with OCR and paid a $70,000 penalty, and Renown Health settled its case for $75,000.


More Health Insurers Confirmed as Victims of Accellion Ransomware Attack and Multiple Lawsuits Filed

The number of healthcare organizations to announce that they have been affected by the ransomware attack on Accellion has been increasing, with two of the latest victims being Trillium Community Health Plan and Arizona Complete Health.

In late December, unauthorized individuals exploited zero-day vulnerabilities in Accellion’s legacy File Transfer Appliance platform and stole data of its customers before deploying CLOP ransomware.

Trillium Community Health Plan recently notified 50,000 of its members that protected health information such as names, addresses, dates of birth, health insurance ID numbers, and diagnosis and treatment information was obtained by the individuals behind the attack, and that the data was posted online between January 7 and January 25, 2021.

Trillium said it has now stopped using Accellion, has removed all data files from its systems, and has taken steps to reduce the risk of future attacks, including reviewing its data sharing processes. Trillium is offering affected members complimentary credit monitoring and identity theft protection services for 12 months.

Arizona Complete Health has notified 27,390 of its plan members that they were affected by the attack and the same types of data have been compromised. The health plan has also stopped using Accellion and removed its data from its systems and offered plan members complimentary credit monitoring and identity theft protection services for 12 months.

Previously, the Ohio-based supermarket and pharmacy chain Kroger announced that it had been affected by the attack and the protected health information of 368,000 customers had been compromised. The University of Colorado and Southern Illinois University School of Medicine have also said they have been affected.

Lawsuits Filed Against Accellion and its Customers

Multiple lawsuits have now been filed against Accellion and its customers over the breach. Centene Corp. has filed a lawsuit against Accellion alleging it refused to comply with several provisions of its business associate agreement (BAA). The cyberattack resulted in the theft of the protected health information of “a significant number” of its health plan members. Centene believes it will suffer significant costs as a result of the breach and has requested that the courts order Accellion to comply with the terms of its BAA and cover all breach-related expenses. Centene said in the lawsuit that 9 gigabytes of its data was obtained by the attackers.

A federal lawsuit has also been filed against Kroger over the breach. The lawsuit, which seeks class action status, alleges Kroger was negligent and was fully aware of the potential security issues with the legacy file transfer solution, yet failed to upgrade to a more secure solution even after being encouraged to do so by Accellion. Kroger offered its customers two years of credit monitoring and identity theft protection services; however, since names, addresses, dates of birth, medical information and Social Security numbers were compromised, two years is not viewed as anywhere close to sufficient to protect Kroger customers from identity theft and fraud.


PHI of 26,600 Individuals Potentially Copied in Colorado Retina Associates Phishing Attack

On January 12, 2021, Denver-based Colorado Retina Associates discovered the email account of one of its employees had been accessed by an unauthorized individual who used it to send phishing emails to individuals in the employee’s contact list. The email account was immediately secured and a cybersecurity firm was engaged to investigate the incident to determine the extent of the breach.

That investigation concluded on February 24, 2021 and revealed other email accounts had also been compromised, two of which contained patients’ protected health information. The nature of the attack meant that between January 6, 2021 and January 17, 2021, mailbox syncing may have occurred, meaning the contents of the email accounts may have been copied to the attacker’s device.

A comprehensive review of the email accounts was performed which revealed the protected health information of 26,609 individuals was stored in the accounts. The types of PHI varied from individual to individual and may have included full names, dates of birth, home addresses, phone numbers, email addresses, dates of service, diagnoses and conditions, labs and diagnostic studies, medications, other treatment or procedure information, and certain health insurance, claims, billing, and payment information.

Fewer than 3% of affected individuals had their Social Security number exposed, and fewer than 0.2% of individuals had their driver’s license, financial account, or payment card information exposed.

A password reset was performed across the entire email system and changes have been made to how authorized individuals access email accounts. Security awareness has also been reinforced across the entire workforce.

Affected individuals have now been notified and have been offered 12 months of identity theft protection services.

Walmart Discovers PHI of 2,067 Customers Potentially Compromised in Vendor Breach

On February 16, 2021, Walmart was notified by one of its suppliers about a security incident that may have involved the protected health information of Walmart customers.

The supplier used a data hosting service which was compromised on January 20, 2021. The attackers stole records related to 2,067 Walmart pharmacy customers which included information such as names, dates of birth, addresses, telephone numbers, medication information, prescription numbers, prescriber information, prescription dates, and a very small number of health insurance subscriber ID numbers.

The supplier said it immediately stopped using the data hosting service once it became aware of the breach. Walmart said it is reviewing the security practices of its supplier and will be monitoring the circumstances surrounding the data security event.


2020 Saw Major Increase in Healthcare Hacking Incidents and Insider Breaches

2020 was a challenging year for healthcare organizations. Not only was the industry on the frontline in the fight against COVID-19, but hackers also took advantage of overrun hospitals to steal data and conduct ransomware attacks.

The 2021 Breach Barometer Report from Protenus shows the extent to which the healthcare industry suffered from cyberattacks and other breaches in 2020. The report is based on 758 healthcare data breaches that were reported to the HHS’ Office for Civil Rights or announced via the media and other sources in 2020, with the data for the report provided by databreaches.net.

The number of data breaches has continued to rise every year since 2016 when Protenus started publishing its annual healthcare breach report. 2020 saw the largest annual increase in breaches with 30% more breaches occurring than 2019. Data was obtained on 609 of those incidents, across which 40,735,428 patient and health plan members were affected. 2020 was the second consecutive year that saw more than 40 million healthcare records exposed or compromised.

Healthcare Hacking Incidents Increased by 42% in 2020

Healthcare hacking incidents increased by 42% in 2020, continuing a 5-year trend that has seen hacking incidents increase each year. 470 incidents were classed as hacking-related breaches, which accounted for 62% of all breaches in the year. 31,080,823 healthcare records were compromised in the 277 incidents where the number of affected individuals is known. Many of the 2020 hacking incidents involved the use of ransomware. Ransomware attacks increased considerably in 2020, with more than double the number of ransomware attacks on healthcare organizations than in 2019.

Surge in Insider Data Breaches in 2020

There had been a four-year decline in insider breaches, but the Protenus report shows insider data breaches increased in 2020. More than 8.5 million records were exposed or compromised in those incidents – more than double the number of records breached by insiders in 2019. In fact, more records were breached by insiders in 2020 than in 2017, 2018, and 2019 combined. In 2020, 1 in 5 data breaches was an insider incident.

Insider breaches include insider errors and insider wrongdoing. 96 breaches involved insider error in 2020, of which data was obtained for 74 of the incidents. There were 45 cases of insider wrongdoing, with data obtained for 30 of the incidents. Errors by employees resulted in the exposure of the protected health information of at least 7,673,363 individuals and insider wrongdoing incidents resulted in the exposure/theft of at least 241,128 records.

Business Associates Often Involved

The number of data breaches involving business associates increased in 2020, with 12% of all breaches having at least some business associate involvement. Business associate breaches resulted in the exposure or theft of more than 24 million patient records, with 55% of all hacking incidents having some business associate involvement along with 25% of insider error incidents. The number of breaches involving business associates could be considerably higher as the researchers were unable to accurately determine if business associates were involved in many of the breaches.

Data Breaches Discovered Faster but Breach Reporting Slower

In 2020 it took an average of 187 days from the breach occurring to discovery by the breached entity, which is a considerable improvement on the 224-day average discovery time in 2019. In 2020, the median discovery time was just 15 days. However, there was considerable variation in discovery times, from almost immediately in some cases to several years after the breach in others.

Reporting on data breaches was slower than in 2019, with the average time for reporting a breach increasing from 80 days in 2019 to 85 days in 2020, with a median time of 60 days – the maximum time allowed for reporting a breach by the HIPAA Breach Notification Rule. The figures were based on just 339 out of the 758 breaches due to a lack of data.

“The current climate has increased risk for health systems as a new trend emerged of at least two data breaches per day, a troubling sign of the continuing vulnerability of patient information, heightened by the pandemic,” explained Protenus in the report. “Healthcare organizations need to leverage technology that allows organizations to maintain compliance priorities in a resource-constrained environment. Hospitals can’t afford the costs often associated with these incidents, as more than three dozen hospitals have filed bankruptcy over the last several months. Non-compliance is not an option.”


Reinvestigation of 2019 Metro Presort Ransomware Attack Reveals PHI May Have Been Compromised

The Portland, OR-based technology and communication solution provider Metro Presort suffered a ransomware attack on May 6, 2019 which resulted in the encryption of files and locked staff out of its systems. The ransomware attack was promptly identified and was contained by May 15, 2019 and the company was able to recover from the attack relatively quickly. An investigation into the attack found no evidence to suggest files were removed from its system, and since the company already encrypted customer data, the attackers would not have been able to access any sensitive information.

In October 2020, Metro Presort reinvestigated the attack, and the secondary investigation was unable to confirm that files containing customer data were definitely encrypted before the attack. The invoices, statements, and spreadsheets that Metro Presort processed for clients, including healthcare organizations, could potentially have been accessed. An analysis of those files confirmed they contained patient names, addresses, dates of birth, patient and health plan IDs or account numbers, appointment dates, treatment dates, and diagnosis and treatment codes, according to a substitute breach notice published on the Metro Presort website on November 24, 2020.

The incident has recently appeared on the HHS’ Office for Civil Rights website stating the PHI of up to 38,387 individuals may have been compromised. Metro Presort explained in its breach notice that the Department of Health and Human Services’ Office for Civil Rights investigated the breach, Metro Presort’s response, and its policies and procedures, and closed the case on December 31, 2020 after confirming no HIPAA violations had occurred.

“Both before and since this incident, MPI has devoted considerable resources to maintaining and enhancing its data security, including implementation of the latest technical safeguards to prevent similar incidents, additional protections (encryption) of customer files, and security audits,” explained Metro Presort in its breach notice.


Ransomware Gangs Claim Three More Healthcare Victims

PeakTPA, a St. Louis, MO-based provider of health plan management and back-office services, has announced it suffered a cyberattack on or around December 28, 2020 in which protected health information was stolen.

The security incident was detected on December 31 and involved two cloud servers used by the company to manage Program of All-Inclusive Care for the Elderly (PACE) claims. According to the breach report submitted to the HHS’ Office for Civil Rights, the PHI of up to 50,000 individuals was stolen or exposed.

An investigation into the attack confirmed the attackers obtained full names, home addresses, dates of birth, Social Security numbers, PACE program IDs, and diagnosis and treatment information.

Affected individuals have been notified and offered complimentary membership to credit monitoring, fraud consultation, and identity theft restoration services via Kroll.

St. Bernard’s Total Life Healthcare, Inc., which provides PACE in Northeast Arkansas, and Rocky Mountain Health Care Services in Colorado Springs have confirmed that their patients have been impacted by the attack.

92,000 Individuals Affected by Preferred Home Care of New York Ransomware Attack

Preferred Home Care of New York, a Brooklyn, NY-based provider of in-home care services, experienced a ransomware attack on January 8, 2020 in which patient data was stolen. The attack was detected the following day. According to databreaches.net, samples of data stolen in the attack were uploaded to the Sodinokibi (REvil) data leak site in January.

External counsel for Preferred Home Care of New York explained in a data breach notification that the types of data obtained by the gang varied from individual to individual and may have included names, addresses, email addresses, phone numbers, dates of birth, financial information such as bank account numbers, Social Security numbers and medical information related to health assessments, physicals, drug screens, vaccinations, and TB tests, as well as FMLA and worker’s compensation claims.

92,283 individuals have been notified and complimentary credit monitoring and identity theft protection services have been offered to breach victims.

Newberry County Memorial Hospital Suffers Ransomware Attack

Newberry County Memorial Hospital in South Carolina has announced it suffered a ransomware attack in February that took certain servers out of action, forcing the hospital to switch to manual procedures while the attack was mitigated. The hospital had a full backup of its data and systems and was able to restore all encrypted data without paying the ransom.

The investigation into the attack is ongoing and no evidence has been found of unauthorized data access or data exfiltration to date. The hospital has since taken steps to improve security to prevent similar attacks in the future.
