HIPAA Breach News

Accidental Disclosures of PHI at LA Fire Department and Standard Modern Company

The Los Angeles Fire Department has discovered that the COVID-19 vaccination statuses of 4,900 employees have been accidentally exposed online.

A list that included the full names of employees, dates of birth, employee numbers, and COVID-19 vaccination information (vaccination dates, doses, or declined vaccine) had been published on a website accessible to the public. During the time that the website was active, it was possible to visit the site and conduct searches of the database for names and employee numbers. The database was not password protected and no information had to be entered to authenticate users. If a wildcard search was conducted, a table was generated that listed the data of all 4,900 employees.

The website – covid.lacofdems.com – had been privately registered and was linked to the Fire Department’s Emergency Medical Service’s bureau. The website, which had not been authorized, was created on April 29, 2021 and was deactivated on July 15, 2021. The website had reportedly been created to allow Department employees to retrieve lost vaccination information.

Prior to the deactivation, a reporter at the LA Times downloaded the data from the database. An investigation into the owner of the site showed it was hosted by a department employee and had not been secured using government software or infrastructure.

After learning about the breach and exposure of vaccine status information, several firefighters took to social media to complain about the privacy violation. The firefighters’ union, Local 1014, has called for a full investigation to be conducted into the breach.

Error at Mailing Vendor Sees Letters Sent to Incorrect MassHealth Members

New Bedford, MA-based Standard Modern Company, Inc. has notified 2,707 patients about an accidental disclosure of some of their personal information.

Standard Modern Company provides mailing services to the Massachusetts Executive Office of Health and Human Services. On May 24, 2021, Standard Modern Company was notified that certain MassHealth members had received letters that contained the information of other MassHealth members. All mailings were ceased while the incident was investigated, with the investigation confirming an internal program error had occurred that affected mailings between May 10, 2021 and May 18, 2021. The error caused incorrect labels to be generated on a limited number of mailed notices.

In each case, a letter containing a member’s name, identification number, last four digits of their Social Security Number, and their date of birth was sent to a different MassHealth member.

Standard Modern Company has stopped using the internal program that caused the error, and additional safeguards have now been implemented to strengthen its mailing procedures and prevent further errors.

Each of the 2,707 affected individuals only had limited information disclosed to one other member, and there have been no reported cases of misuse of any of the disclosed information. A phone line has been established for affected individuals to find out more about the breach and have their questions answered, and complimentary access to Triple Bureau Credit Monitoring and cyber monitoring services has been offered at no charge for 24 months.

Standard Modern Company was assisted by the Buffalo, NY-based privacy and security law firm Beckage PLLC when investigating and responding to the breach.

The post Accidental Disclosures of PHI at LA Fire Department and Standard Modern Company appeared first on HIPAA Journal.

The Average Cost of a Healthcare Data Breach is Now $9.42 Million

IBM Security has published its 2021 Cost of a Data Breach Report, which shows data breach costs have risen once again and are now at the highest level since IBM started publishing the reports 17 years ago. There was a 10% year-over-year increase in data breach costs, with the average cost rising to $4.24 million per incident. Healthcare data breaches are the costliest, with the average cost increasing by $2 million to $9.42 million per incident. Ransomware attacks cost an average of $4.62 million per incident.

Source: IBM Security

The large year-over-year increase in data breach costs has been attributed to the drastic operational shifts due to the pandemic. With employees forced to work remotely during the pandemic, organizations had to rapidly adapt their technology. The pandemic forced 60% of organizations to move further into the cloud. Such a rapid change resulted in vulnerabilities being introduced and security often lagged behind the rapid IT changes. Remote working also hindered organizations’ ability to quickly respond to security incidents and data breaches.

According to IBM, data breach costs were more than $1 million higher when remote work was indicated as a factor in the data breach. When remote work was a factor, the average data breach cost was $4.96 million compared to $3.89 million when remote work was not a factor. Almost 20% of organizations that reported data breaches in 2020 cited remote work as a factor, with the cost of a data breach around 15% higher when remote work was a factor.

To compile the report, IBM conducted an in-depth analysis of data breaches involving fewer than 100,000 records at 500 organizations between May 2020 and March 2021, with the survey conducted by the Ponemon Institute.

The most common root cause of data breaches in the past year was compromised credentials, which accounted for 20% of data breaches. These breaches took longer to detect and contain, with an average of 250 days compared to an overall average of 212 days.

The most common types of data exposed in data breaches were customers’ personal data such as names, email addresses, passwords, and healthcare data. 44% of all data breaches included those types of data. A data breach involving email addresses, usernames, and passwords can easily have a spiral effect, as hackers can use the compromised data in further attacks. According to the Ponemon Institute survey, 82% of individuals reuse passwords across multiple accounts.

Breaches involving customers’ personally identifiable information (PII) were more expensive than breaches involving other types of data, with a cost per record of $180 when PII was involved compared to $161 per record for other types of data.

Data breach costs were lower at companies that had implemented encryption, security analytics, and artificial intelligence-based security solutions, with these three mitigating factors resulting in data breach cost savings of between $1.25 million and $1.49 million per data breach.

Adopting a zero-trust approach to security makes it easier for organizations to deal with data breaches. Organizations with a mature zero trust strategy had an average data breach cost of $3.28 million, which was $1.76 million lower than those who had not deployed this approach at all.

“Higher data breach costs are yet another added expense for businesses in the wake of rapid technology shifts during the pandemic,” said Chris McCurdy, Vice President and General Manager, IBM Security. “While data breach costs reached a record high over the past year, the report also showed positive signs about the impact of modern security tactics, such as AI, automation and the adoption of a zero-trust approach – which may pay off in reducing the cost of these incidents further down the line.”

Security automation greatly reduces data breach costs. Organizations with a “fully deployed” security automation strategy had average breach costs of $2.90 million per incident, compared to $6.71 million at organizations that had no security automation.

Companies with an incident response team that had tested their incident response plan had 54.9% lower breach costs than those that had neither. The average data breach cost was $3.25 million compared to $5.71 million when neither were in place.

The cost of a data breach was $750,000 (16.6%) higher for companies that had not undergone any digital transformation due to COVID-19. Cloud-based data breach costs were lower for organizations that had adopted a hybrid cloud approach, with an average cost of $3.61 million at organizations with hybrid cloud infrastructure compared to $4.80 million for organizations with a primarily public cloud and $4.55 million for those that had adopted a private cloud approach. Data breach costs were 18.8% higher when a breach was experienced during a cloud migration project.

Organizations that were further into their cloud migration plan were able to detect and respond to data breaches far more quickly – on average 77 days more quickly for organizations that were at a mature state of their cloud modernization plan than those in the early stages.

Mega data breaches – those involving between 50 million and 65 million records – cost an average of $401 million per incident, which is more than 100 times the cost of breaches involving between 1,000 and 100,000 records.

The post The Average Cost of a Healthcare Data Breach is Now $9.42 Million appeared first on HIPAA Journal.

McLaren Health Care and Greenwood Leflore Hospital Impacted by Elekta Ransomware Attack

McLaren Health Care Corporation (MHCC), the operator of 15 hospitals and over 100 primary care locations in Michigan and Ohio, has announced the protected health information of 64,600 of its cancer patients may have been compromised in a ransomware attack on vendor Elekta Inc.

Elekta provides software and technology services to MHCC facilities in Macomb, Northern Michigan, Gaylord, Cheboygan, West Branch, Lapeer, Central and Bay City, which includes data storage.

Between April 2 and April 20, 2021, hackers had access to Elekta’s systems, exfiltrated data, then deployed ransomware to encrypt files. A ransom demand was issued, payment of which was required to decrypt data and prevent the exposure of data stolen in the attack. Elekta notified MHCC about the breach on May 17, 2021.

While patient data was affected, Elekta said it has no reason to believe that any of the stolen information will be further disclosed or published online. However, as a precaution against identity theft and fraud, complimentary identity theft protection and credit monitoring services are being offered to affected individuals.

The types of data potentially compromised in the attack included full names, Social Security numbers, addresses, dates of birth, height & weight measurements, medical diagnoses, medical treatment details, appointment confirmations, and other information MHCC collected to provide health care services.

Patients of The Cancer Center at Greenwood Leflore Hospital (CCGLH) in Mississippi have also been notified about the ransomware attack as a precautionary measure to prevent identity theft and fraud.

CCGLH was also notified by Elekta on May 17 about the ransomware attack and was told that patient data had been encrypted; however, Elekta’s forensic investigation determined there was no interactive access to the PHI and the PHI of CCGLH patients was not downloaded or transferred from the database. However, it was not possible to totally rule out the possibility of unauthorized data access and PHI theft.

The same types of information were impacted as MHCC and complimentary access to identity monitoring, fraud consultation, and identity theft restoration services is also being provided to CCGLH patients. It is currently unclear exactly how many CCGLH patients have been affected.

The post McLaren Health Care and Greenwood Leflore Hospital Impacted by Elekta Ransomware Attack appeared first on HIPAA Journal.

Phishing Attacks Reported by UC San Diego Health and UnitedHealthcare

UC San Diego Health has discovered unauthorized individuals gained access to the email accounts of some of its employees and may have accessed or exfiltrated emails containing patient data. The email accounts were compromised as a result of employees responding to phishing emails and disclosing their email credentials.

The email environment has now been secured and additional measures have been implemented to improve security. The investigation into the breach revealed the first email account was compromised on December 2, 2020, and others were compromised up until April 8, 2020.

At this stage, no evidence has been found to indicate any emails or email attachments were subjected to unauthorized access between December 2020 and April 2021, and no reports have been received that suggest the protected health information (PHI) of patients has been misused; however, it was not possible to rule out unauthorized PHI access and data exfiltration.

The investigation into the breach is ongoing to identify exactly what happened and the information that has been affected. Notification letters will be sent to all affected individuals once the forensic investigation is completed. The full review of affected email accounts is expected to take until September. Individual notifications will be issued no later than September 30, 2021. Affected individuals will be offered a complimentary membership to credit monitoring services for 12 months.

UC San Diego Health explained in its substitute breach notice that the following types of information were contained in the compromised email accounts: full name, address, date of birth, email, fax number, claims information (date and cost of health care services and claims identifiers), laboratory results, medical diagnosis and conditions, Medical Record Number and other medical identifiers, prescription information, treatment information, medical information, Social Security number, government identification number, payment card number or financial account number and security code, student ID number, and username and password.

Community members have been warned to be vigilant and to monitor their financial accounts and explanation of benefits statements for signs of identity theft or other fraudulent activity.

UnitedHealthcare Reports Breach Affecting 2,330 Plan Members

The health plan provider UnitedHealthcare has announced the protected health information of 2,330 plan members has been exposed in a phishing attack on one of its insurance brokers – Academic HealthPlans, Inc. (AHP).

AHP identified suspicious activity in its email system on June 21, 2021. Steps were immediately taken to block further unauthorized access and an investigation was launched to determine the nature and extent of the breach. AHP determined that two employee email accounts had been compromised after the employees responded to phishing emails and that email accounts were subject to unauthorized access between August 6, 2020 and August 24, 2020 and on October 2, 2020. The security breach was limited to the Microsoft 365 cloud-based email system.

A review of the email accounts revealed they contained names, member identification numbers, Social Security Numbers, credit/debit card information, dates of birth, addresses, plan information, and claim information. Notification letters were sent to affected individuals on July 20, 2021 and a complimentary 2-year membership to identity theft protection services has been offered to affected individuals. AHP found no evidence suggesting emails in the account had been viewed or acquired.

The post Phishing Attacks Reported by UC San Diego Health and UnitedHealthcare appeared first on HIPAA Journal.

Florida Heart Associates Operating at 50% Capacity 2 Months After Ransomware Attack

A ransomware attack on Fort Myers, FL-based Florida Heart Associates that started around May 19, 2021 has caused serious and ongoing disruption to its services, with the medical practice only operating at around 50% capacity two months after the attack. Disruption is expected to continue for several more weeks, with the practice not expecting to fully recover until the end of next month or even early September.

Prior to the use of ransomware, the attackers exfiltrated files containing the protected health information of 45,148 patients, including Social Security numbers, member identification numbers, birth dates, and health insurance information. A ransom demand was issued to ensure the deletion of stolen data and to provide the keys to decrypt data, but the decision was taken by the practice not to pay the attackers. The ransomware gang was ejected from the network, but not before much of its IT infrastructure was rendered inoperable.

The investigation revealed its systems were first breached on May 9, 2021, with the hackers deploying ransomware on May 19, when staff were prevented from accessing files. The attack took its IT systems and phone lines out of action, with the phones having only just been brought back online.

Florida Heart Associates CEO Todd Rauchenberger said the practice is still providing care to patients and is now taking walk-in appointments. In addition to having to work without telephones and limited access to IT systems, the practice has lost many members of staff. With the reduction in staff, patients are feeling the effect. Fox4 News reports that patients have not been able to reach the practice by telephone to make appointments, and it has been difficult for many patients to get appointments with a doctor.

Florida Heart Associates has already notified patients about the breach and the exposure of their personal and health information and said it will be implementing additional measures to improve security moving forward, including technical safeguards and reviewing and updating policies and procedures with respect to data privacy and security.

The post Florida Heart Associates Operating at 50% Capacity 2 Months After Ransomware Attack appeared first on HIPAA Journal.

Overlake Hospital Medical Center Proposes Settlement to Resolve Data Breach Case

Overlake Hospital Medical Center in Bellevue, WA has proposed a settlement to resolve a class action lawsuit filed by victims of a December 2019 data breach that exposed patients’ demographic information, health insurance information, and health data.

The breach in question was a phishing attack that was discovered on December 9, 2019. The investigation revealed unauthorized individuals gained access to the email accounts of several employees, with one of the email accounts compromised between December 6, 2019 and December 9, 2019, and the others compromised for several hours on December 9.

The investigation did not uncover evidence of data theft or misuse of patient data, but it was not possible to rule out unauthorized access to protected health information (PHI) and the exfiltration of data. The PHI of up to 109,000 patients was contained in the compromised email accounts.

Affected individuals were notified starting on February 4, 2020 and Overlake Hospital Medical Center took several steps to improve security, including implementing multi-factor authentication, changing email retention policies, and providing further training to employees. Overlake Hospital Medical Center has spent $148,590 on improvements to bolster security since the breach and has committed to further enhancements totalling $168,000 per year for the next 3 years.

The lawsuit – Richardson v. Overlake Hospital Medical Center – was filed in the Superior Court of King County in Washington, and alleged Overlake Hospital was negligent for failing to prevent unauthorized individuals from gaining access to its systems. The lawsuit also alleged intrusion upon seclusion/invasion of privacy, breach of fiduciary duty, breach of confidence, breach of express contract, and breach of implied contract. While 109,000 individuals were notified about the breach, only 24,000 individuals are included in the class, as all other patients did not have their PHI exposed.

The lawsuit alleged the hospital failed to implement reasonable safeguards to ensure the privacy of HIPAA-covered data and failed to provide adequate notice about the data breach. Overlake Hospital Medical Center has denied all claims made in the lawsuit and all charges of wrongdoing. The decision was made to settle the lawsuit with no admission of liability.

Under the terms of the settlement, two types of claims can be submitted. Class members are entitled to claim up to $250 for certain out-of-pocket expenses incurred as a result of the breach, including bank fees, phone calls, postage costs, fuel for local travel, and up to three hours of documented time at $20 per hour, provided at least one full hour was spent on mitigations. It is also possible to recover the cost of credit report fees, and credit monitoring and identity theft protection services taken out between February 4, 2020 and the date of the Court’s preliminary approval of the settlement.

Claims for extraordinary expense reimbursement may be submitted for up to $2,500. These claims must include evidence of losses that were more likely than not suffered as a result of the breach between December 1, 2019 and the end of the claim period.

A fairness hearing has been scheduled for Sept. 10, 2021.

The post Overlake Hospital Medical Center Proposes Settlement to Resolve Data Breach Case appeared first on HIPAA Journal.

Paperwork Containing PHI of Oklahoma Heart Hospital Patients Accidentally Donated to Charity

Oklahoma Heart Hospital has started notifying certain patients about a privacy incident in which paperwork containing limited patient information was accidentally donated to charity.

A former employee had made handwritten notes which contained the protected health information of a limited number of patients during the course of that individual’s employment at Oklahoma Heart Hospital between 2011 and 2014.

Some of the former employee’s personal possessions were donated to charity in May 2021, with the handwritten notes accidentally included in the donated items. Oklahoma Heart Hospital was contacted by the individual who found the notes and arrangements were immediately made to collect the paperwork. The documents were then cataloged to identify the patients involved and the types of information that had been exposed.

The notes included information such as patients’ names, medical record numbers, OHH visit numbers, dates of birth, ages, admit dates, genders, and clinical information consisting of diagnosis, lab results, medications and/or treatment information. No information was exposed that would have provided unauthorized individuals with access to patient record systems.

While the protected health information of some patients was viewed by an individual not authorized to view the information, Oklahoma Heart Hospital has not uncovered any evidence to suggest any patient data has been further disclosed or misused; however, out of an abundance of caution, all affected individuals have been notified by mail and advised to monitor their account and explanation of benefits statements for signs of fraudulent activity.

The privacy breach has been reported to the Department of Health and Human Services’ Office for Civil Rights as affecting 1,038 patients.

The post Paperwork Containing PHI of Oklahoma Heart Hospital Patients Accidentally Donated to Charity appeared first on HIPAA Journal.

UNC Health and Nebraska DHHS Report Phishing Attacks

The Nebraska Department of Health and Human Services has announced a security incident involving the protected health information of clients of Aging Partners, a department of the City of Lincoln.

The breach was discovered by the Lincoln Information Services Department on May 25, 2021. Employees had responded to phishing emails and disclosed credentials to their email accounts, which contained more than 46,000 emails. Assisted by a computer forensics company, it was determined that the email account was accessed by an unauthorized individual between May 18 and May 21.

A review of the emails in the account confirmed some contained patient information such as names, addresses, dates of birth, phone numbers, Social Security numbers, dates of service, type/amount of service, and some health information such as diagnoses, care assessments, and medication lists. Emails also contained bank account numbers or other financial information of a limited number of individuals. 6,600 of the emails included the PHI of Aging Partners’ clients, although only 1,513 individuals have been affected. For the majority of affected individuals, only names were included in the email accounts.

All affected individuals are now being notified and credit monitoring and identity theft protection services are being offered to individuals whose financial information was present in the compromised email accounts.

UNC Health Reports Phishing Attack

UNC Health has announced that an email account containing the protected health information of patients of University of North Carolina at Chapel Hill School of Medicine (SOM) and the University of North Carolina Hospitals (UNC Hospitals) has been accessed by an unauthorized individual.

On May 20, 2021, UNC Health discovered the email account of a SOM faculty member had been compromised. That individual provided clinical services at UNC Hospitals. The email account was immediately secured, and an investigation was launched to determine the extent of the breach. Assisted by a third-party cybersecurity firm, UNC Health determined that the email account breach was isolated to April 20, 2021 and no other email accounts or systems were involved.

A review of the account revealed the following types of information could potentially have been compromised: Patients’ names, dates of birth, diagnosis and treatment information, and/or information about a research study patients may have been involved in or have been eligible for at UNC Hospitals/SOM. The email account contained the health insurance information of fewer than 30 patients and the Social Security numbers of fewer than 10 patients. There have been no reported cases of misuse of patient data.

Additional email security measures are being implemented and employees are being provided with further training to help them identify phishing emails.

The post UNC Health and Nebraska DHHS Report Phishing Attacks appeared first on HIPAA Journal.

Former Scripps Health Worker Charged Over HIPAA Violation in COVID-19 Unemployment Benefit Fraud Case

The Department of Justice has announced nine San Diego residents have been charged in two separate indictments in connection with the theft of patients’ protected information and the submission of fraudulent pandemic unemployment insurance claims.

Under the Coronavirus Aid, Relief, and Economic Security (CARES) Act of 2020, new unemployment benefits were offered to individuals affected by the COVID-19 pandemic, who would not, under normal circumstances, qualify for payments.

In one of the cases, Matthew Lombardo, a former Scripps Health employee, was charged with felony HIPAA violations for obtaining and disclosing the protected health information of patients to his alleged co-conspirators. Lombardo was also charged with conspiracy to commit wire fraud, along with three alleged co-conspirators – Konrad Piekos, Ryan Genetti, and Dobrila Milosavljevic. Piekos, Genetti, and Milosavljevic were also charged with aggravated identity theft and are alleged to have used the stolen information to submit fraudulent pandemic unemployment insurance claims.

The San Diego Sheriff’s Department had initiated a traffic stop on Konrad Piekos for driving without a license plate. When police officers approached the vehicle, they saw an assault rifle in plain sight in his vehicle. Piekos admitted possessing an unregistered assault rifle, and the subsequent vehicle search revealed several loaded firearms and ammunition. A warrant was obtained to search Piekos’ properties and police officers found several other firearms and ammunition, quantities of heroin and fentanyl, and mobile phones. After obtaining warrants to search the phones, detectives identified text messages between Piekos, Genetti, and Lombardo discussing the illicit distribution of narcotics, firearms, and a scheme to obtain unemployment benefits using other persons’ personal identifying information (PII).

Piekos and Genetti had conspired together to fraudulently obtain PUA benefits in July 2020, with Lombardo joining the scheme in August 2020. Lombardo is alleged to have used his position as a patient financial service representative to access patients’ PII, which he then distributed to Piekos, Genetti, and Milosavljevic starting on August 15, 2020, according to the indictment. Scripps Health terminated Lombardo on April 14, 2021.

In a separate case, Genetti and three other defendants – Lindsay Renee Henning, Garrett Carl Tuggle, and Salvatore Compilati – were charged with conspiracy to commit wire fraud. Henning and Tuggle were also charged with aggravated identity theft, and Henning, Tuggle, and a fourth defendant, Juan Landon, were charged with possession of methamphetamine, cocaine, and heroin with intent to distribute. The defendants had submitted more than 108 separate claims for PUA benefits, totaling $1,615,000.

Lombardo faces a maximum of 10 years in prison for the HIPAA violation along with a fine and penalty assessment. The conspiracy to commit wire fraud charges carry a maximum of 20 years in prison with a fine and penalty assessment, and there is a mandatory minimum 2-year prison term for the aggravated identity theft charges, to be served consecutively to any other sentences.

“Pandemic unemployment insurance programs are a critical part of our safety net designed to support hardworking citizens who are suffering during an unprecedented economic downturn,” said Acting U.S. Attorney Randy Grossman. “Our office and our law enforcement partners will investigate and prosecute individuals who attempt to steal from these programs designed to assist deserving recipients.”

The post Former Scripps Health Worker Charged Over HIPAA Violation in COVID-19 Unemployment Benefit Fraud Case appeared first on HIPAA Journal.