HIPAA Breach News

Multistate Settlement Resolves 2019 American Medical Collection Agency Data Breach Investigation

A coalition of 41 state Attorneys General has agreed to settle an investigation into Retrieval-Masters Creditors Bureau dba American Medical Collection Agency (AMCA) over a 2019 data breach that resulted in the exposure/theft of the protected health information of 21 million Americans.

Retrieval-Masters Creditors Bureau is a debt collection agency, with its AMCA arm providing small debt collection services to healthcare clients such as laboratories and medical testing facilities.

From August 1, 2018 until March 30, 2019, an unauthorized individual had access to AMCA’s systems and exfiltrated sensitive data such as names, personal information, Social Security numbers, payment card information and, for some individuals, medical test information and diagnostic codes. The AMCA data breach was the largest healthcare data breach reported in 2019.

AMCA started notifying states about the breach on June 3, 2019, and individuals affected by the breach were offered two years of complimentary credit monitoring services. The high cost of remediating the breach led AMCA to file for bankruptcy protection in June 2019.

The multistate investigation into the breach was led by the Indiana, Texas, Connecticut, and New York Attorneys General, with the Indiana and Texas AGs also participating in the bankruptcy proceedings to ensure that the investigation continued and that the personal and protected health information of breach victims was protected. AMCA received permission from the bankruptcy court to settle the multistate action and filed for dismissal of the bankruptcy on December 9, 2020.

The multistate investigation confirmed that information security deficiencies contributed to the breach, and that AMCA failed to detect the intrusion despite receiving warnings from the banks that processed its payments about fraudulent use of payment cards.

Under the terms of the settlement, AMCA is required to create and implement an information security program, develop an incident response plan, employ a qualified chief information security officer (CISO), hire a third-party assessor to perform an information security assessment, and continue to assist state attorneys general with investigations into the data breach.

A financial penalty of $21 million has been imposed on AMCA, which will be distributed pro rata between the affected states; however, due to the financial position of the company, the $21 million financial penalty has been suspended. The payment will only need to be made if AMCA defaults on the terms of the settlement agreement.

“AMCA is a cautionary tale: When a company does not adequately invest in information security, the costs associated with a data breach can lead to bankruptcy – destroying the business and leaving affected individuals in harm’s way,” said Connecticut Attorney General Tong. “My office will continue to work to protect personal information even where the business that had the responsibility to do so cannot.”

“AMCA’s security failures resulted in 21 million Americans having their data illegally accessed. I am committed to protecting New Yorkers’ personal data and will not hesitate to hold companies accountable when they fail to safeguard that information,” said New York Attorney General Letitia James. “Today’s agreement ensures that the company has the appropriate security and incident response plan in place so that a failure like this does not take place again.”

Indiana, Texas, Connecticut, and New York led the investigation and were assisted by Florida, Illinois, Maryland, Massachusetts, Michigan, North Carolina, and Tennessee. The Attorneys General of Arizona, Arkansas, Colorado, the District of Columbia, Georgia, Hawaii, Idaho, Iowa, Kansas, Kentucky, Louisiana, Maine, Minnesota, Missouri, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Utah, Vermont, Virginia, Washington, and West Virginia also joined the settlement.

The post Multistate Settlement Resolves 2019 American Medical Collection Agency Data Breach Investigation appeared first on HIPAA Journal.

Unsecured Amazon S3 Buckets Contained ID Card Scans of 52,000 Individuals

Premier Diagnostics, a Utah-based COVID-19 testing service, has inadvertently exposed the protected health information of tens of thousands of individuals.

Two exposed Amazon S3 buckets were discovered by Bob Diachenko of Comparitech on February 22, 2021. It was not initially clear who owned the data, which related to patients from Utah, Nevada, and Colorado. The S3 buckets were eventually traced to Premier Diagnostics.

The S3 buckets contained two databases, one of which included around 200,000 images of scans of ID cards such as driver’s licenses, passports, state ID cards, medical insurance cards, and other ID documents. The databases had been indexed by search engines and could be accessed over the Internet without a password.

Premier Diagnostics was determined to be the probable owner of the data on February 25, 2020 and attempts were made to contact the company. Contact was finally made on March 1, 2021 and the databases were secured the same day.

It is unclear whether the databases were found and downloaded by any individuals other than Diachenko in the week or more that the databases were accessible over the Internet. Premier Diagnostics confirmed to Comparitech that each individual had four scans: two scans of a health insurance card and two scans of an ID document, so the IDs and insurance information of approximately 52,000 individuals were exposed. The ID cards included an individual’s name, age, address, gender, ID number, and their photo.

The second exposed Amazon S3 bucket contained a database that included the names, dates of birth, and test sample IDs from individuals who underwent a COVID-19 test, although the database did not include the test result. “Each of the 3,645 items in the bucket is a scanned table with dozens of patients,” explained Comparitech.
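The exposure described above came from bucket settings rather than from any software flaw, so the check a practitioner wants is an audit of the three places an S3 bucket can be opened to the world: the ACL, the bucket policy, and the account's Block Public Access switches. The script below is an added example and is not code from HIPAA Journal, Comparitech or Premier Diagnostics. It evaluates constructed JSON in the shape the AWS API returns for GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock, with a weak configuration beside a hardened one; the bucket name, ARNs and account id are placeholders, and fetching live settings with boto3 is deliberately left out so it runs with no credentials.

```python
"""Offline audit of Amazon S3 bucket settings for public exposure (added example)."""
import json

# Grantee URIs that make an ACL grant world-readable (real AWS group URIs).
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# The four Block Public Access switches, in the key names GetPublicAccessBlock returns.
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _principal_is_public(principal):
    """True when a policy statement's Principal is the anonymous wildcard."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def policy_findings(policy_json):
    """Statements that grant anonymous access without any Condition (policy_json: str or None)."""
    findings = []
    if not policy_json:
        return findings
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") == "Allow" and _principal_is_public(stmt.get("Principal")) \
                and "Condition" not in stmt:
            actions = stmt.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            findings.append("policy allows Principal '*' for %s" % ", ".join(actions))
    return findings


def acl_findings(grants):
    """ACL grants to the AllUsers or AuthenticatedUsers groups."""
    findings = []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append("ACL grants %s to %s" % (grant.get("Permission"), group))
    return findings


def public_access_block_findings(config):
    """Any of the four Block Public Access switches that is not enabled."""
    config = config or {}
    return ["%s is not enabled" % key for key in PAB_KEYS if not config.get(key, False)]


def audit_bucket(name, acl_grants, policy_json, public_access_block):
    """Combine the checks. A public ACL is neutralised by IgnorePublicAcls and a public
    policy by RestrictPublicBuckets, so reachability is judged against those switches."""
    pab = public_access_block or {}
    acl, pol = acl_findings(acl_grants), policy_findings(policy_json)
    reachable = (bool(acl) and not pab.get("IgnorePublicAcls", False)) or \
                (bool(pol) and not pab.get("RestrictPublicBuckets", False))
    return {"bucket": name, "publicly_reachable": reachable,
            "findings": acl + pol + public_access_block_findings(pab)}


# Constructed sample settings: the weak state (world-readable ACL, anonymous
# GetObject in the policy, Block Public Access off) beside a hardened state.
WEAK_ACL = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-id-scans-bucket/*"}]})
WEAK_PAB = {key: False for key in PAB_KEYS}

HARDENED_ACL = [WEAK_ACL[0]]
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app-role"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-id-scans-bucket/*"}]})
HARDENED_PAB = {key: True for key in PAB_KEYS}

if __name__ == "__main__":
    for label, args in (("weak", (WEAK_ACL, WEAK_POLICY, WEAK_PAB)),
                        ("hardened", (HARDENED_ACL, HARDENED_POLICY, HARDENED_PAB))):
        print(label, json.dumps(audit_bucket("example-id-scans-bucket", *args), indent=2))
```

The weak configuration produces two exposure findings plus four disabled switches, and is reported as publicly reachable; the hardened one produces none. A bucket with a public ACL but all four switches on is reported with the ACL finding yet not reachable, which is the case a cleanup job should still fix.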

Nefilim Ransomware Gang Publishes Data Stolen from Atlanta Allergy & Asthma

Databreaches.net has reported that Atlanta Allergy & Asthma in Georgia is one of the latest victims of the Nefilim ransomware gang, which recently published on its dark web leak site sensitive data that was stolen prior to the encryption of files. A 1.3 GB compressed archive was uploaded to the leak site that contained 597 files holding 2.5 GB of data.

The dumped data is a sample of an alleged 19 GB of data stolen in the attack, with the Nefilim actors threatening to publish the remaining data if the ransom is not paid. The published data includes billing documents and patient audits that contain highly sensitive personal, medical, and insurance information.

The incident has yet to appear on the HHS’ Office for Civil Rights website, and the breach does not appear to have been announced by Atlanta Allergy & Asthma, so it is currently unclear how many individuals have been affected.

Ransomware Gang Demanded $1.75 Million Payment from Allergy Partners of Western North Carolina

The Federal Bureau of Investigation (FBI) is investigating a February 23, 2021 ransomware attack on Allergy Partners of Western North Carolina that took its IT systems out of action for several days. As a result of the attack, the allergy center was unable to provide allergy shots to patients at its offices in Asheville and Arden. Normal services for patients resumed on March 1 at most of its locations.

According to a report filed with the police department, the attackers demanded a ransom payment of $1.75 million for the keys to decrypt files. Its IT department has been working round the clock to restore files and systems, and third-party cybersecurity firms have been engaged to investigate the breach and determine if patient information was accessed or obtained by the attackers.

New London Hospital Data Breach Affects Almost 35,000 Patients

New London Hospital in central New Hampshire has discovered an unauthorized individual gained access to a file on its network in July 2020 and may have obtained the protected health information of 34,878 patients. A third-party cybersecurity firm was engaged to assist with the investigation and determined on February 16, 2021 that the file was accessed for a short period and may have been copied.

The file contained patient names, limited demographic information, and Social Security numbers; however, no diagnosis, treatment, or hospitalization information was compromised. New London Hospital is unaware of any misuse of information contained in the file. The network system on which the file was stored is no longer used by the hospital.

Additional safeguards have now been implemented to prevent similar breaches in the future. All patients have been notified and offered complimentary credit monitoring and identity theft protection services.

Child Focus Reports Malware Infection and 2,700-Record Data Breach

Child Focus, a Cincinnati, OH-based nonprofit that provides support to children and their families through early learning, behavioral health and foster care programs, has announced its systems have been hacked and malware deployed, which may have allowed the hackers to access sensitive patient information.

After a potential breach of its core IT systems was discovered, third-party cybersecurity specialists were engaged to investigate the incident and determine the nature and scope of the breach. The electronic health record system and application database were not affected; however, Child Focus was informed on January 5, 2021 that the attackers may have been able to view the protected health information of 2,716 individuals, including names, dates of birth, Social Security numbers, health and treatment-related information, and state Medicaid numbers.

Affected individuals have been notified and offered complimentary credit monitoring and identity theft protection services. Child Focus has also taken steps to improve system security, including implementing enhanced controls for remote access to its systems and advanced endpoint detection and response software on all endpoints and workstations.

Orlando Health South Lake Hospital Loses Logbooks Containing PHI of 1,623 Patients

Orlando Health South Lake Hospital has discovered logbooks used for recording patients’ hospital visits have been lost or stolen. The logbooks were discovered to be missing between December 24 and December 28, 2020. An extensive search was conducted, but the logbooks could not be located.

Hospital staff used the logbooks for recording information about obstetrics patients which included information such as patient names, dates of birth, medical record numbers, hospital account numbers, dates of service, attending physician, chief complaint, and/or internal hospital service codes. The data related to 1,673 patients who received care between April 20, 2019 and December 23, 2020.

The logbooks were kept in an area of the hospital that was not open to the public, so the hospital does not believe the logbooks have left the facility. Internal policies and procedures are being reviewed and will be revised, as necessary, to improve information security and the hospital is considering other more secure methods of recording patient data.

Cost of 2020 US Healthcare Ransomware Attacks Estimated at $21 Billion

Ransomware attacks on the healthcare industry skyrocketed in 2020, when at least 91 US healthcare organizations suffered ransomware attacks, up from 50 the previous year. 2020 also saw a major ransomware attack on the cloud software provider Blackbaud, with that attack known to have affected at least 100 US healthcare organizations.

The first known ransomware attack occurred in 1989, but early forms of ransomware were not particularly sophisticated and attacks were easy to mitigate. The landscape changed in 2016 when a new breed of ransomware started to be used in attacks.

These new ransomware variants use powerful encryption and delete or encrypt backup files to ensure data cannot be easily recovered without paying the ransom. Over the past 5 years ransomware has been a constant threat to the healthcare industry, with healthcare providers being increasingly targeted in recent years. Attacks now see sensitive data stolen prior to file encryption, so even if files can be recovered from backups, payment is still required to prevent the exposure or sale of stolen data.

Healthcare ransomware attacks cripple IT systems, prevent patient medical records from being accessed, cause disruption to patient care, and put patient safety at risk. Recovering data and restoring systems can take weeks or months and mitigating the attacks is expensive, with considerable loss of revenue due to downtime. In 2020, the ransomware attack on the University of Vermont Health Network was costing $1.5 million a day in recovery costs and lost revenue.

The True Cost of Healthcare Ransomware Attacks

Researchers at Comparitech recently conducted a study to identify the true cost of ransomware attacks on US healthcare organizations. The researchers gathered information on all ransomware attacks reported to the US Department of Health and Human Services’ Office for Civil Rights since 2016, as well as attacks that were reported through media outlets but not made public by OCR because they affected fewer than 500 individuals.

Calculating the true cost of healthcare ransomware attacks is difficult, as only limited data is made public. Ransoms may be paid, but the amounts are often not disclosed and attacks that affect fewer than 500 individuals are often not made public.

The researchers identified 92 healthcare ransomware attacks in 2020, including the attack on Blackbaud. More than 600 separate hospitals, clinics, and other healthcare facilities were affected by those attacks, with a further 100 affected by the attack on Blackbaud. Those attacks involved the theft or exposure of the protected health information of at least 18,069,012 patients.

Ransom demands were issued ranging from $300,000 to $1.14 million, with data from Coveware indicating an average ransom demand of $169,446 in 2020. $15.6 million in ransoms were demanded from healthcare organizations in the United States in 2020, and $2,112,744 is known to have been paid to ransomware gangs in 2020. The true figure is substantially higher as many ransoms were paid but the amounts were not publicly disclosed.

In addition to the ransom payment there is the cost of downtime, which in some cases can be weeks or months following the attack. Coveware research indicates the average downtime ranged from 15 days in Q1, 2020 to 21 days in Q4, 2020. The Comparitech researchers determined the total downtime from the attacks in 2020 was likely to be 1,669 days. Using a 2017 estimate of the cost of downtime of $8,662 per minute, the researchers determined the attacks cost at least $20.8 billion in 2020, which is more than double the estimated cost of ransomware attacks in 2019 ($8.46 billion).

The researchers identified 270 healthcare ransomware attacks in the United States between January 2016 and December 2020, which affected around 2,100 hospitals, clinics, and other healthcare facilities. The attacks resulted in the theft or encryption of the records of more than 25 million individuals, with the overall cost to the healthcare industry estimated to be $31 billion.

Figure: Healthcare ransomware attacks 2016-2020. Source: Comparitech.

The full findings are published in the Comparitech healthcare ransomware study.

210K MultiCare Health System and Woodcreek Healthcare Patients Affected by Ransomware Attack

The number of individuals affected by a ransomware attack on St. Cloud-based Netgain Technology LLC has increased, with a further 210,000 individuals now known to have been affected. Netgain Technology provides IT and technology services to several entities in the healthcare industry, including the medical practice management company Woodcreek Provider Service in Washington. Ramsey County in Minnesota was previously confirmed to have been affected by the ransomware attack.

Woodcreek Provider Service provides support to pediatric clinics and urgent care centers owned and operated by MultiCare Health System. Woodcreek Provider Service was notified by Netgain on December 2, 2020 that the protected health information of patients and the personal information of employees and contractors were stored on servers affected by the ransomware attack.

The Woodcreek Provider Service IT network and computer system is hosted by Netgain, and a considerable amount of data has potentially been accessed or obtained in the extortion attack. Potentially compromised information includes: names, addresses, medical record numbers, dates of birth, Social Security numbers, health insurance information, insurance claims, explanation of benefits statements, clinical notes, referral requests, lab test reports, decision not to vaccinate forms, authorization requests for services, treatment approvals, records requests, immunization information, vaccine records, prescription requests, release of information forms, subpoena records requests, medical record disclosure logs, incident reports, invoices, correspondence with patients, student identification numbers, bank account numbers, employment related documents, court documents, DEA certificates, payroll withholding and insurance deduction authorizations, benefit and tax forms, employee health information and some medical records.

Netgain provided reassurances that steps have been taken to improve security to prevent any further cyberattacks. Woodcreek Provider Service has also taken steps to protect information under its control and has reviewed and revised its cybersecurity policies and procedures.

Affected MultiCare Health System and Woodcreek Healthcare patients have been offered identity theft protection services and/or complimentary credit monitoring services.

Phishing Attack Impacts Saint Alphonsus Health System and Saint Agnes Medical Center Patients

A phishing attack on Saint Alphonsus Health System in Boise, ID has resulted in the exposure of patient information and has also impacted patients of Saint Agnes Medical Center in Fresno, CA.

Saint Alphonsus identified unusual activity in an employee’s email account on January 6, 2021. The account was immediately secured, and an investigation was conducted to determine the source and nature of the activity. Saint Alphonsus determined that the account had been accessed by an unauthorized individual on January 4, 2021, giving the individual access to the account and information contained therein for 2 days. The account was used to send phishing emails to other individuals in an attempt to obtain usernames and passwords.

The employee whose credentials were compromised assisted with certain business functions that required access to protected health information, including performing billing functions for the West Region of Trinity Health, which includes Fresno.

A review of all emails and attachments revealed the account contained the protected health information of certain patients. The PHI in the account varied from patient to patient and included full names in combination with one or more of the following data elements: address, telephone number, date of birth, email address, medical record number, treatment information, and/or billing information. The account also contained a limited number of Social Security numbers and credit card numbers.

While unauthorized account access was confirmed, it was not possible to determine which emails, if any, had been accessed. At the time of issuing notifications, no evidence was found to indicate any patient information has been misused. Credit monitoring services are being offered to affected individuals and employees have received further training on email and cybersecurity to prevent similar breaches in the future.

It is not currently known how many patients have been affected by the breach. This post will be updated when further information becomes available.
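The Saint Alphonsus incident above follows the usual course of a compromised mailbox: the account is taken over and then used to send phishing to further recipients, and the "unusual activity" that triggers detection is typically a burst of outbound mail far above what that account normally sends. The script below is an added example, not code from HIPAA Journal, Saint Alphonsus or Trinity Health, showing one way to surface that pattern from message-trace records. It runs over constructed trace lines (timestamp, sender, recipient, direction) for made-up accounts in the hospital.example and partner domains, computes each sender's own hourly baseline over the prior seven days, and alerts when an hour's distinct-recipient count exceeds both a floor and a multiple of that baseline; the thresholds are assumptions to be tuned per environment.

```python
"""Flag mailboxes that suddenly bulk-send outbound mail (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Split one trace line: timestamp,sender,recipient,direction (constructed format)."""
    ts, sender, recipient, direction = line.strip().split(",")
    return datetime.strptime(ts, TS_FMT), sender.lower(), recipient.lower(), direction


def hourly_outbound_counts(lines):
    """Map (sender, hour bucket) -> number of distinct recipients of outbound mail."""
    buckets = defaultdict(set)
    for line in lines:
        ts, sender, recipient, direction = parse_line(line)
        if direction != "Outbound":
            continue
        hour = ts.replace(minute=0, second=0, microsecond=0)
        buckets[(sender, hour)].add(recipient)
    return {key: len(recipients) for key, recipients in buckets.items()}


def find_send_spikes(lines, baseline_days=7, min_recipients=20, multiplier=5):
    """Alert on any sender-hour whose recipient count is above min_recipients and
    above multiplier times that sender's busiest hour in the preceding baseline_days."""
    counts = hourly_outbound_counts(lines)
    alerts = []
    for (sender, hour), n in sorted(counts.items()):
        window_start = hour - timedelta(days=baseline_days)
        prior = [c for (s, h), c in counts.items() if s == sender and window_start <= h < hour]
        baseline = max(prior) if prior else 0
        if n > max(min_recipients, multiplier * baseline):
            alerts.append({"sender": sender, "hour": hour.strftime(TS_FMT),
                           "recipients": n, "baseline_max": baseline})
    return alerts


def build_sample_trace():
    """Constructed trace: a week of routine mail for two accounts (two recipients per
    active hour), then one account sending to 45 distinct external addresses in an hour."""
    lines = []
    first_day = datetime(2020, 12, 28)
    for day in range(7):
        for hour in (9, 11, 14, 16):
            start = first_day + timedelta(days=day, hours=hour)
            for i in range(2):
                stamp = (start + timedelta(minutes=5 * i)).strftime(TS_FMT)
                lines.append(f"{stamp},jdoe@hospital.example,contact{i}@partner{day}.example,Outbound")
                lines.append(f"{stamp},asmith@hospital.example,ap{i}@vendor{day}.example,Outbound")
    spike = datetime(2021, 1, 4, 14, 0, 0)
    for i in range(45):
        stamp = (spike + timedelta(seconds=40 * i)).strftime(TS_FMT)
        lines.append(f"{stamp},jdoe@hospital.example,user{i}@external{i % 9}.example,Outbound")
    # Inbound mail is ignored by the detector; one line included to show that.
    lines.append(f"{spike.strftime(TS_FMT)},billing@partner0.example,jdoe@hospital.example,Inbound")
    return lines


if __name__ == "__main__":
    for alert in find_send_spikes(build_sample_trace()):
        print(alert)
```

On the constructed trace only jdoe's 14:00 hour on 2021-01-04 is reported, with a baseline of two recipients per hour; asmith's routine volume never reaches the floor. Keying the baseline to each sender rather than to a global threshold matters because a billing mailbox legitimately sends far more than a clinician's, and the same per-sender history is what an investigation later uses to bound the window of unauthorized use.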

4,122 Individuals Affected by Southeastern Minnesota Center for Independent Living Phishing Attack

Southeastern Minnesota Center for Independent Living (SEMCIL), a provider of disability and support services in Rochester and Winona, has discovered an unauthorized individual gained access to an employee’s email account that contained the protected health information of 4,122 individuals.

An investigation into the security incident revealed the account was compromised on August 6, 2020 and access to the account remained possible until September 1, 2020. The investigation confirmed on December 22, 2020 that protected health information had been exposed, including names, addresses, dates of birth, Social Security numbers, driver’s license numbers, and some medical treatment information. Notification letters started to be sent to affected individuals on February 19, 2021.

The investigation did not uncover evidence to suggest any protected health information was viewed or obtained, and no reports have been received to indicate any PHI has been misused. As a precaution against identity theft and fraud, individuals whose Social Security number or driver’s license number were exposed have been offered complimentary identity theft protection services.

PHI of More Than 100,000 Elara Caring Patients Potentially Compromised in Phishing Attack

Elara Caring, one of the largest providers of home-based healthcare services in the United States, has suffered a phishing attack that has impacted more than 100,000 patients.

In mid-December, suspicious activity was identified in some employee email accounts. Prompt action was taken to secure the accounts to prevent further unauthorized access and a third-party security firm was engaged to investigate the breach.

The investigation confirmed that multiple employee email accounts had been accessed by an unauthorized individual, although no evidence was found to suggest any patient information in those accounts was viewed or obtained by the attackers. It was, however, not possible to rule out data theft.

A review of the compromised email accounts revealed they contained the PHI of 100,487 patients, including names, addresses, Social Security numbers, driver’s license numbers, Employer ID numbers, financial/bank account information, dates of birth, email addresses and passwords, insurance information and insurance account numbers, and passport numbers. Individuals affected by the breach have been offered complimentary credit monitoring and identity protection services.

Elara Caring has since taken steps to improve data security and has provided additional cybersecurity training to employees.

ProPath Email Accounts Accessed by an Unauthorized Individual

ProPath, the largest nationwide, fully physician-owned pathology practice in the United States, has discovered that an unauthorized individual accessed two email accounts containing patient information.

The email accounts were discovered to have been accessed by an unauthorized individual between May 4, 2020 and September 14, 2020. ProPath learned on January 28, 2021 that the email accounts contained protected health information including names, dates of birth, test orders, diagnosis and/or clinical treatment information, medical procedure information, and physician name. A limited number of individuals also had their Social Security number, financial account information, driver’s license number, health insurance information, and/or passport number exposed.

Individuals whose Social Security number was compromised have been offered complimentary credit monitoring services. Employees have received further training to help them detect malicious emails and additional technical safeguards have now been implemented.

It has yet to be confirmed exactly how many individuals have been affected. ProPath said the majority of individuals who received testing from the company have not been affected by the breach.

Cornerstone Care Email Account Breach Impacts 11,487 Patients

An email account containing the PHI of 11,487 patients of Cornerstone Care community health centers in Southwestern Pennsylvania and Northern West Virginia has been accessed by an unauthorized individual.

The email account breach was detected on June 1, 2020, and third-party security experts were engaged to assist with the investigation; they confirmed the breach was limited to a single corporate email account. A review of the PHI in that account was completed on January 13, 2021.

The account contained names and addresses and, for certain individuals, date of birth, Social Security number, medical history, condition, treatment, diagnosis, and/or health insurance information. Individuals whose Social Security number was compromised have been offered complimentary credit monitoring and identity theft protection services.

Affected individuals were notified by mail on February 25, 2021. Cornerstone Care has since implemented multi-factor authentication on email accounts.

Up to 100,000 Individuals Affected by Cochise Eye and Laser Ransomware Attack

The Sierra Vista, AZ-based ophthalmology and optometry provider Cochise Eye and Laser experienced a ransomware attack on January 13, 2021 that resulted in the encryption of its patient scheduling and billing software.

The attack prevented Cochise Eye and Laser from accessing any data in its scheduling system. Eye care services continued to be provided to patients, with the practice reverting to using paper charts. According to a February 17, 2021 breach notice on its website, paper charts were still in use as the scheduling system remained out of action.

The investigation into the ransomware attack found no evidence to indicate any patient data were exfiltrated prior to the encryption of files; however, data theft could not be ruled out. The types of information potentially accessed by the attackers included names, dates of birth, addresses, phone numbers and, for some individuals, Social Security numbers.

Since the attack, Cochise Eye and Laser has been working on improving the security of its systems and is implementing a new offsite backup system. Efforts to recover the encrypted data are ongoing and patient charts will be used to rebuild its schedules.

The ransomware attack has been reported to the HHS’ Office for Civil Rights as affecting up to 100,000 patients.

Petersburg Medical Center Discovers Insider Privacy Breach

Petersburg Medical Center in Alaska has discovered an employee accessed the medical records of certain patients without authorization, when there was no legitimate work reason for doing so.

An internal investigation was launched as soon as the unauthorized access was discovered, and the medical center was satisfied that there have been no further disclosures by the employee and no patient information was removed from the medical center.

Following the breach, the medical center took steps to prevent the employee “from accessing any patient records now or in the future.” It is unclear whether the sanctions included termination. Steps have since been taken to prevent any further privacy violations at the medical center and affected individuals have been notified by mail.

Tens of Thousands of Individuals Affected by AllyAlign Health Ransomware Attack

AllyAlign Health, a Glen Allen, VA-based Medicare Advantage health plan administrator, has started notifying members and providers about an attempted ransomware attack that occurred on November 13, 2020.

According to the breach notification letters sent to affected individuals, AllyAlign Health first became aware of the attack on November 14, 2020. An investigation of the incident found the systems accessed by the attackers contained members’ first and last names, addresses, dates of birth, Social Security numbers, Medicare health insurance claim numbers, Medicare beneficiary identifiers, medical claims histories, health insurance policy numbers, and other medical information.

Providers affected by the breach have been notified that names, addresses, dates of birth, Social Security numbers, and Council for Affordable Quality Healthcare (CAQH) credentialing information may have been compromised.

It is unclear exactly how many individuals have been affected by the incident. According to the breach notification sent to the Maine Attorney General, the protected health information of 76,348 individuals was potentially compromised in the breach. The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 33,932 individuals have been affected. The 33,932 individuals could be members and the rest providers.

The Attorney General notification indicates the breach was discovered on February 2, 2021. This could be the date when the breach investigation was completed, and the number of individuals affected became known.

AllyAlign Health said it acted quickly to respond to the breach and engaged IT specialists to ensure the security of its network environment. Since the breach occurred, policies and procedures have been updated relating to the security of its systems and servers and information life cycle management. Notification letters were sent to affected individuals on February 26, 2021 and credit monitoring and identity theft protection services have been offered. At the time of issuing notifications, no reports had been received related to the misuse of member or provider data.