HIPAA Breach News

June 2021 Healthcare Data Breach Report

For the third consecutive month, the number of reported healthcare data breaches of 500 or more records increased. June saw an 11% increase in reported breaches from the previous month with 70 data breaches of 500 or more records reported to the HHS’ Office for Civil Rights – the highest monthly total since September 2020 and well above the average of 56 breaches per month over the past year.

United States healthcare data breaches in the past 12 months

While the number of reported breaches increased, there was a substantial fall in the number of breached healthcare records, which decreased 80.24% from the previous month to 1,290,991 breached records. That equates to more than 43,000 breached records a day in June.

Records exposed in U.S. healthcare data breaches in the past 12 months

More than 40 million healthcare records have been exposed or impermissibly disclosed over the past 12 months across 674 reported breaches. Between July 2020 and June 2021, an average of 3,343,448 healthcare records were breached each month.

Largest Healthcare Data Breaches in June 2021

There were 19 healthcare data breaches of 10,000 or more records reported in June. Ransomware continues to pose problems for healthcare organizations, with 6 of the top 10 breaches confirmed as ransomware attacks. Several healthcare organizations reported ransomware attacks in June that occurred at third-party vendors, with the number of healthcare providers confirmed as being affected by the ransomware attacks on vendors Elekta, Netgain Technologies, and CaptureRx continuing to grow.

The largest healthcare data breach to be reported in June was a phishing attack on the medical payment billing service provider MultiPlan. A threat actor gained access to an email account containing the protected health information of 214,956 individuals.

Northwestern Memorial HealthCare and Renown Health were affected by the ransomware attack on the Swedish radiation therapy and radiosurgery solution provider Elekta Inc. That attack is known to have affected a total of 42 healthcare providers in the United States.

| Name of Covered Entity | Covered Entity Type | Individuals Affected | Breach Cause | Business Associate Involvement |
|---|---|---|---|---|
| MultiPlan | Business Associate | 214,956 | Phishing attack | Yes |
| Northwestern Memorial HealthCare | Healthcare Provider | 201,197 | Elekta ransomware attack | Yes |
| Scripps Health | Healthcare Provider | 147,267 | Ransomware attack | No |
| San Juan Regional Medical Center | Healthcare Provider | 68,792 | Unspecified hacking and data exfiltration incident | No |
| Renown Health | Healthcare Provider | 65,181 | Elekta ransomware attack | Yes |
| Minnesota Community Care | Healthcare Provider | 64,855 | Netgain ransomware attack | Yes |
| Francisco J. Pabalan MD, INC | Healthcare Provider | 50,000 | Hacking/IT Incident (Unknown) | No |
| Prominence Health Plan | Health Plan | 45,000 | Ransomware attack | No |
| NYC Health + Hospitals | Healthcare Provider | 43,727 | CaptureRx ransomware attack | Yes |
| UofL Health, Inc. | Healthcare Provider | 42,465 | Misdirected email | No |
| Peoples Community Health Clinic | Healthcare Provider | 40,084 | Phishing attack | No |
| Reproductive Biology Associates, LLC and its affiliate My Egg Bank, LLC | Healthcare Provider | 38,000 | Ransomware attack | No |
| Hawaii Independent Physicians Association | Business Associate | 18,770 | Phishing attack | Yes |
| UW Medicine | Healthcare Provider | 18,389 | Hacking/IT Incident (Unknown) | Yes |
| Cancer Care Center | Healthcare Provider | 18,000 | Hacking/IT Incident (Unknown) | Yes |
| Temple University Hospital, Inc. | Healthcare Provider | 16,356 | Hacking/IT Incident (Unknown) | Yes |
| Walmart Inc. | Healthcare Provider | 14,532 | Loss of paper/films | No |
| Discovery Practice Management, Inc. | Business Associate | 13,611 | Phishing attack | Yes |
| Jawonio | Healthcare Provider | 13,313 | Phishing attack | No |

Causes of June 2021 Healthcare Data Breaches

Hacking/IT incidents dominated the breach reports in June 2021, with ransomware attacks accounting for a large percentage of those breaches. There were 58 reported hacking/IT incidents, in which the protected health information of 1,190,867 individuals was exposed or compromised – 92.24% of all breached records in June. The mean breach size was 20,532 records and the median breach size was 2,938 records.

Causes of June 2021 Healthcare data breaches

There were 9 unauthorized access/disclosure incidents reported that involved the impermissible disclosure of the PHI of 81,764 individuals. The mean breach size was 9,085 records and the median breach size was 5,509 records.

There was one incident reported involving the loss of paperwork containing the PHI of 14,532 individuals, one portable electronic device theft affecting 1,166 patients, and one incident involving the improper disposal of 2,662 physical records.

42 hacking incidents involved PHI stored on network servers, most of which were data access and exfiltration incidents involving ransomware. There were 19 email security breaches involving PHI stored in email accounts, most of which were phishing incidents.

Location of breached PHI in June 2021 data breaches

Covered Entities Reporting Data Breaches in June

The breach reports show healthcare providers were the worst affected covered entity type with 53 data breaches. 9 breaches were reported by health plans, and 8 by business associates of HIPAA covered entities. HIPAA-covered entities often report breaches at third-party vendors, which can mask the extent to which business associates are being targeted by hackers. Adjusted figures taking this into account show the extent to which business associates are suffering data breaches. There were 36 data breaches reported that involved business associates, as shown in the pie chart below.

June 2021 healthcare data breaches by covered entity type

June 2021 Healthcare Data Breaches by State

There were large healthcare data breaches reported by HIPAA covered entities and business associates based in 32 states. California was the worst affected state with 8 reported breaches, followed by New York with 6.

| State | No. Data Breaches |
|---|---|
| California | 8 |
| New York | 6 |
| Illinois, Pennsylvania, Washington | 4 |
| Georgia, New Jersey, Ohio, Oregon, Texas | 3 |
| Arkansas, Kentucky, Michigan, Mississippi, Nevada, Tennessee, Wisconsin | 2 |
| Alaska, Arizona, Colorado, Connecticut, Florida, Hawaii, Iowa, Maryland, Massachusetts, Minnesota, Montana, New Mexico, Oklahoma, Rhode Island, South Carolina | 1 |

HIPAA Enforcement Activity in June 2021

The HHS’ Office for Civil Rights announced one HIPAA enforcement action in June under its HIPAA Right of Access enforcement initiative. The Diabetes, Endocrinology & Lipidology Center, Inc. in Martinsburg, West Virginia was ordered to pay a financial penalty of $5,000 to resolve its HIPAA Right of Access case and agreed to adopt a robust corrective action plan to ensure that patients will be provided with timely access to their medical records. There were no confirmed HIPAA enforcement actions by state Attorneys General in June.

The post June 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.

Email Account Breaches Reported by MultiPlan and Hawaii Independent Physicians Association

The medical payment billing service provider MultiPlan has announced a breach of its email environment. On January 27, 2021, suspicious activity was identified in the email account of one of its employees. Action was immediately taken to terminate unauthorized access and the employee’s email credentials were changed.

MultiPlan immediately launched an investigation to determine the nature and scope of the breach, with assistance provided by forensics experts. The investigation confirmed that the main purpose of the attack was to divert wire transfers from MultiPlan customers looking to pay invoices. The email account was compromised and used by the attacker to communicate with those customers regarding billing, and to attempt to divert payments to an account under their control.

While protected health information does not appear to have been targeted in the attack, the compromised email account was found to contain the protected health information of 214,956 individuals. That information could have been viewed or obtained by the attacker between December 23, 2020 and January 27, 2021.

The types of information in the account included full names, addresses, email addresses, dates of birth, healthcare provider names, medical record numbers, date/cost of healthcare services, claims identifiers, health insurance ID numbers, member IDs, group IDs, and Social Security numbers.

MultiPlan has notified all affected individuals and will be covering the cost of two years of credit monitoring. Additional protocols and processes have now been implemented to prevent further email breaches in the future.

Hawaii Independent Physicians Association Reports Email Account Breach

Hawaii Independent Physicians Association (HIPA) is notifying 18,770 patients about a security incident involving the email account of a subcontractor.

On February 4, 2021, HIPA determined an unauthorized individual had accessed the email account. External access to the account was immediately blocked and, as a precaution, all HIPA users were required to change their login credentials for their system and email accounts. Assisted by a third-party cybersecurity firm, HIPA determined the breach was limited to a single email account which contained the protected health information of patients of its physicians.

The types of information in the compromised account included full names, dates of birth, home addresses, and information about the general health condition of patients. No evidence of unauthorized data access was found, but the possibility that PHI was viewed or obtained could not be ruled out.

The cybersecurity firm investigating the breach made recommendations to improve email security and HIPA is in the process of implementing the suggested changes.

The post Email Account Breaches Reported by MultiPlan and Hawaii Independent Physicians Association appeared first on HIPAA Journal.

Advocate Aurora Health, Jefferson Health, and Intermountain Healthcare Affected by Elekta Ransomware Attack

Three more healthcare providers have announced they have been affected by the recent ransomware attack on the Swedish radiation therapy and radiosurgery solution provider Elekta Inc.

Elekta provides a cloud-based mobile application called SmartClinic, which is used by healthcare providers to access patient information for cancer treatments. Cybercriminals gained access to Elekta’s systems between April 2, 2021 and April 20, 2021 and exfiltrated the SmartClinic database prior to deploying ransomware and encrypting files. The database contained the personal and protected health information (PHI) of patients of 42 healthcare systems in the United States. Elekta notified affected customers in May 2021.

Advocate Aurora Health has recently announced that 68,000 of its patients across 7 sites in Illinois have been affected by the attack. The following types of PHI were acquired by the ransomware gang: names, addresses, dates of birth, height and weight measurements, Social Security numbers, driver’s license numbers, diagnosis information, treatment information, and appointment confirmations.

Advocate Aurora Health said no evidence has been found to suggest information obtained in the attack has been misused, but complimentary credit monitoring, fraud consultation, and identity theft restoration services have been offered to affected individuals as a precaution. Advocate Aurora Health said it has been working with Elekta to ensure steps are taken to prevent similar events in the future.

Philadelphia, PA-based Jefferson Health said the database contained the PHI of cancer patients who received treatment at its Sidney Kimmel Cancer Center. Patient names, dates of birth, medical record numbers, physician names, department, date(s) of service, treatment plans, diagnosis and/or prescription information were compromised. For some patients, a Social Security number was also included in the database. Patients are being notified by mail and have been offered complimentary credit monitoring and identity theft protection services. Jefferson Health said it is now re-evaluating its relationship with Elekta. Jefferson Health has not yet disclosed how many patients were affected.

Intermountain Healthcare in Salt Lake City, UT said patient names and scanned image files were potentially compromised. The image files included data such as medical intake forms and medical images, which may have included dates of birth, demographic information, insurance cards, other identification cards, and Social Security numbers. Intermountain Healthcare has been working with Elekta to implement additional safeguards, including migrating its data to a new-generation Elekta cloud system. The 28,628 affected patients have been offered complimentary credit monitoring services.

The post Advocate Aurora Health, Jefferson Health, and Intermountain Healthcare Affected by Elekta Ransomware Attack appeared first on HIPAA Journal.

Sierra Nevada Primary Care Physicians Alerts Patients About Theft of PHI

Sierra Nevada Primary Care Physicians in California is alerting 1,717 patients about an incident involving the theft of some of their protected health information, including names and credit card information.

On May 20, 2021, Sierra Nevada Primary Care Physicians was notified by the District Attorney’s office that two envelopes containing receipts from the practice had been found in the vehicle of a suspect.

The receipts were for payments made by patients between January 1, 2019 and March 20, 2019. For individuals who paid in person at the front desk using a debit or credit card, the receipts contained the individual’s name, name of the practice, amount charged, and the last four digits of the card number. Receipts for payments made by individuals using a debit card or credit card by mail or over the phone included that individual’s name, debit/credit card number, expiry date, CVV code, signature, practice name, and amount charged.

The District Attorney confirmed that the two envelopes and receipts were recovered and the perpetrators were arrested. Sierra Nevada Primary Care Physicians has offered affected individuals 12 months of complimentary credit monitoring services but believes misuse of information is unlikely. Steps have since been taken to improve security, including keeping receipts in a locked room that only two individuals can access, and all receipts now have the credit card information blacked out.

University of Maryland, Baltimore Impacted by Accellion Cyberattack

University of Maryland, Baltimore has announced the protected health information of 30,468 individuals was compromised in a cyberattack on its Accellion File Transfer Appliance (FTA) in December 2020.

Hackers gained access to the system, exfiltrated data, and issued a ransom demand for the safe return of the stolen data. Some of that information was subsequently published on the hacker’s data leak site.

University of Maryland said the system was used by students and faculty staff and was rigorously monitored and patches to fix security issues were promptly applied; however, in this instance, a vulnerability was exploited for which a patch had not yet been released by Accellion.

A plan had already been formed to replace the system with a newer, more secure system prior to learning about the breach. The plan was executed in February 2021 and the legacy Accellion FTA appliance has now been replaced. Complimentary credit monitoring services have been offered to affected individuals.

The post Sierra Nevada Primary Care Physicians Alerts Patients About Theft of PHI appeared first on HIPAA Journal.

Lake County Health Department Notifies 25,000 Patients About Two Data Breaches

The Lake County Health Department in Illinois has announced it has suffered two data breaches that potentially involved the personal and protected health information of around 25,000 patients.

The first breach occurred in 2019 when a Lake County Health employee sent an unencrypted email from their work email account to an internal employee’s personal email account. The email had an attached spreadsheet of medical record requests dating from December 2016 to June 2019. The requests had been made through a third-party company which handled release of information requests for the Lake County Health Department. The spreadsheet included the names of 24,241 patients along with dates relevant to the vendor.

Lake County Health discovered the breach on July 22, 2019; however, it took until July 2021 for notification letters to be sent to affected patients. The delay of almost two years was because Lake County Health officials did not believe notification letters were required, as no personal health information had been compromised; however, the Department of Health and Human Services disagreed with that assessment and required notification letters to be issued as personal health information may have been compromised.

A second data breach was discovered on May 14, 2021 which involved a Google spreadsheet containing names, dates of birth, email addresses, phone numbers, and the COVID-19 vaccination status of 705 individuals. The spreadsheet was saved in the personal Google Drive account of an employee. While Google Drive can be a HIPAA compliant solution for use in healthcare along with other G Suite services, personal accounts are not. Google can access information in personal Google accounts and uses that information to deliver tailored services and advertisements. All affected individuals were seniors who had sought information on COVID-19 vaccinations. Those individuals have now been notified.

While both privacy incidents resulted in patient data being exposed, Lake County Health said internal risk assessments were conducted and no evidence was found to indicate any of the exposed information had been acquired by unauthorized individuals or misused.

The Lake County Health Department has since implemented solutions to prevent any similar breaches in the future, including encryption of all email and enhanced monitoring.

The post Lake County Health Department Notifies 25,000 Patients About Two Data Breaches appeared first on HIPAA Journal.

30,000 Florida Blue Members Impacted by Brute Force Attack on Member Portal

The protected health information of up to 30,063 members of Florida Blue (Blue Cross and Blue Shield of Florida) may have been viewed or obtained in a brute force attack on the Florida Blue online member portal.

Starting on June 8, 2021, unknown individuals conducted a brute force campaign using a large database of user identifiers and corresponding passwords that was available from online sources in an attempt to gain access to the portal. The database appears to have been compiled from data breaches at third-party companies where username and password combinations had been compromised.

Florida Blue reports that some of those automated attempts were successful and the attacker gained access to information contained in online member accounts. This information typically included names, contact information, claims information, payment information, health insurance policy information, and other personal information.

While access to accounts was gained, Florida Blue found no evidence to suggest any information in those accounts was removed by the attacker.

Attacks such as this highlight the importance of setting strong, unique passwords for all online platforms. In the event of a breach at one platform, the password cannot then be used to access other accounts.

Florida Blue said when the brute force attack was detected, steps were taken to block the IP addresses used by the attacker. New security measures are being implemented to enhance the security of its web portal to block any further attacks such as this.
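The attack pattern described above, a leaked username/password list replayed against a portal, is distinguishable in authentication logs from an ordinary user mistyping a password: one source IP cycles through many different usernames with a high failure rate in a short window. The following detection logic is an added example written for this report; it is not code from Florida Blue or from HIPAA Journal. The log line format, the IP addresses (documentation ranges) and the usernames are all constructed, and the thresholds are assumptions a defender would tune to their own portal's traffic. It produces the list of source IPs that would feed the kind of blocking the post describes, plus the accounts that saw a successful login from a flagged source, which is the list that needs forced password resets and member notification.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of portal authentication log lines (hypothetical format,
# RFC 5737 documentation IP ranges); not real Florida Blue data.
SAMPLE_LOG = """\
2021-06-08T03:12:01Z src=203.0.113.7 user=member1041 result=FAIL
2021-06-08T03:12:02Z src=203.0.113.7 user=member2290 result=FAIL
2021-06-08T03:12:02Z src=203.0.113.7 user=jdoe88 result=FAIL
2021-06-08T03:12:03Z src=203.0.113.7 user=asmith result=SUCCESS
2021-06-08T03:12:04Z src=203.0.113.7 user=member5512 result=FAIL
2021-06-08T03:12:05Z src=203.0.113.7 user=bwong result=FAIL
2021-06-08T03:12:06Z src=203.0.113.7 user=kpatel result=FAIL
2021-06-08T03:12:07Z src=203.0.113.7 user=member7730 result=SUCCESS
2021-06-08T03:15:40Z src=198.51.100.23 user=asmith result=FAIL
2021-06-08T03:15:55Z src=198.51.100.23 user=asmith result=FAIL
2021-06-08T03:16:10Z src=198.51.100.23 user=asmith result=SUCCESS
2021-06-08T04:02:11Z src=198.51.100.99 user=rlee result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


def parse_log(text):
    """Return (timestamp, source_ip, username, succeeded) tuples; lines that
    do not match the assumed format are skipped rather than crashing the job."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"] == "SUCCESS"))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_users=5, min_fail_ratio=0.5):
    """Flag source IPs that, inside one sliding time window, attempt at least
    `min_users` distinct usernames with a failure ratio of `min_fail_ratio`
    or higher. A single user retrying their own password never trips this,
    because the distinct-user count stays at one."""
    by_src = defaultdict(list)
    for ev in sorted(events):          # sort by timestamp first
        by_src[ev[1]].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        start = 0
        triggered = False
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            distinct = {u for _, _, u, _ in win}
            fails = sum(1 for _, _, _, ok in win if not ok)
            if len(distinct) >= min_users and fails / len(win) >= min_fail_ratio:
                triggered = True
                break
        if not triggered:
            continue
        # Summarise everything that source did, so the successes are not lost.
        alerts[src] = {
            "attempts": len(evs),
            "distinct_users": len({u for _, _, u, _ in evs}),
            "failures": sum(1 for _, _, _, ok in evs if not ok),
            "compromised_accounts": sorted({u for _, _, u, ok in evs if ok}),
            "first_seen": evs[0][0].isoformat(),
            "last_seen": evs[-1][0].isoformat(),
        }
    return alerts


def analyze(text):
    """Parse a log and return the credential-stuffing alerts keyed by source IP."""
    return detect_credential_stuffing(parse_log(text))


if __name__ == "__main__":
    for src, info in analyze(SAMPLE_LOG).items():
        print(f"block candidate {src}: {info}")
```

In the constructed sample, 203.0.113.7 is flagged (eight usernames, six failures, two successes, all within seconds) while 198.51.100.23, which is one member failing twice and then logging in, is not. The two usernames that succeeded from the flagged source are the accounts to reset and notify; the ratio threshold rather than a raw failure count is what keeps a busy corporate NAT with many legitimate users from being flagged on volume alone.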

Notification letters were sent to affected Florida Blue members starting on June 30, 2021. Affected members have been advised to be vigilant and to review their accounts for any sign of malicious activity, such as unauthorized transactions.

As a precaution against identity theft and fraud, affected members have been offered a complimentary 2-year membership to identity theft protection, detection, and resolution services through Experian.

The post 30,000 Florida Blue Members Impacted by Brute Force Attack on Member Portal appeared first on HIPAA Journal.

Cyberattack on Florida Heart Associates Potentially Affects 45,000 Patients

Florida Heart Associates is notifying 45,148 patients about a recent security breach in which their personal and protected health information may have been compromised. The security breach was detected on or around May 19, 2021, when unusual activity was spotted within certain networked computers.

Steps were immediately taken to contain the breach and secure personal information and an investigation was launched to determine the nature and scope of the breach. Florida Heart Associates determined that its computer network was breached between May 9 and May 19, 2021.

Security systems had been implemented prior to the breach which limited the impact of the intrusion; however, it is possible that the attackers gained access to servers on which patient information was stored. The impacted servers contained names, member identification numbers, dates of birth, Social Security numbers, and health insurance information, all of which may have been accessed.

Florida Heart Associates said in its substitute breach notice that no indications have been received to suggest any information on the compromised servers has been misused.

Florida Heart Associates said the investigation into the breach is ongoing and steps have been and will continue to be taken to improve data privacy and security. Additional safeguards will be implemented, and policies and procedures are being reviewed and will be updated. The breach has been reported to the Maine Attorney General as a ransomware attack.

Affected individuals are being encouraged to remain vigilant and should review their account statements, credit reports, and explanation of benefits statements for signs of identity theft and fraud.

“We understand how important it is for our clients to receive uninterrupted cardiac care services and will resume our regular services and care as soon as possible,” said Florida Heart Associates. “We apologize for any inconvenience that may have arisen as a result of this incident. In the meantime, we ask for your understanding and patience.”

The post Cyberattack on Florida Heart Associates Potentially Affects 45,000 Patients appeared first on HIPAA Journal.

PHI of Over 200,000 Individuals Potentially Compromised in ClearBalance Phishing Attack

San Diego, CA-based ClearBalance, a loan provider that helps patients spread the cost of their hospital bills, was the victim of a phishing attack on March 8, 2021 and employees were tricked into disclosing their login credentials.

ClearBalance identified the email security breach on April 26, 2021 when the attacker attempted to make a fraudulent wire transfer. Steps were immediately taken to secure the email environment and prevent further unauthorized access, and the attempted wire transfer failed. No funds were transferred to the attacker’s account.

A third-party computer forensic investigator was engaged to investigate the breach and to determine whether the attacker accessed or obtained any sensitive data. The investigator confirmed that the breach was limited to the email environment and no other systems were affected and that the unauthorized individual had been ejected from email accounts the day the breach was detected.

The attacker was not able to gain access to the database that hosts the medical record systems of any healthcare providers; however, some sensitive data was present in emails and attachments which were potentially accessed. A review of the contents of the email accounts revealed they contained the following data elements:

Names, tax IDs, Social Security numbers, dates of birth, government-issued ID numbers, telephone numbers, healthcare account numbers, balance amounts, dates of service, ClearBalance loan numbers and balances, personal banking information, clinical information, health insurance information, and full-face photographic images. The types of data in the accounts varied from individual to individual.

Security safeguards have been enhanced to better protect the email environment and personal data, all user passwords have been changed, stronger access controls have been implemented on the network, and procedures for reporting suspicious activity have been updated.

The purpose of the attack appears to have been to make fraudulent wire transfers rather than to obtain sensitive data; however, as a precaution against identity theft and fraud, ClearBalance has offered affected individuals complimentary identity theft protection services, 24 months of credit monitoring services, and cover with an identity theft insurance reimbursement policy.

The breach has been reported to the HHS’ Office for Civil Rights as affecting 209,719 individuals.

The post PHI of Over 200,000 Individuals Potentially Compromised in ClearBalance Phishing Attack appeared first on HIPAA Journal.

Wisconsin Dermatology Practice Reports Data Breach Affecting 4,400 Individuals

Manitowoc, WI-based Forefront Management, LLC and Forefront Dermatology, S.C. discovered on June 4, 2021 that unauthorized individuals had gained access to its network and potentially viewed private and confidential employee and patient information.

The affected systems were immediately taken offline to prevent further unauthorized access and an investigation was launched to determine the nature and scope of the attack. On June 24, 2021, Forefront determined that certain files stored on its network had been accessed and potentially obtained which contained the personal information of a limited number of Forefront employees, including their names and Social Security numbers. The investigation revealed its network was first breached on May 28, 2021 and access remained possible until June 4, 2021.

During the course of the investigation, Forefront determined the unauthorized individual also accessed files that included the personal and protected health information of a limited number of current and former Forefront patients.

Patient information potentially compromised in the attack included names, addresses, dates of birth, patient account numbers, health insurance member ID numbers, medical record numbers, dates of service, provider names, and/or medical and clinical treatment information.

The breach summary submitted to state attorneys general indicates 4,431 individuals were affected by the breach. While there is no indication that any information in the files has been misused, Forefront is offering affected individuals a complimentary 12-month membership to TransUnion’s myTrueIdentity Credit Monitoring Service.

Forefront said it is enhancing its security protocols to help prevent a similar incident from occurring in the future.

The post Wisconsin Dermatology Practice Reports Data Breach Affecting 4,400 Individuals appeared first on HIPAA Journal.