HIPAA Breach News

IBM X-Force: Healthcare Cyberattacks Doubled in 2020

A new report from IBM X-Force shows healthcare cyberattacks doubled in 2020 with 28% of attacks involving ransomware. The massive increase in healthcare industry cyberattacks saw the sector rise from last place to 7th, with the finance and insurance industry the most heavily targeted, followed by manufacturing, energy, retail, professional services, and government. Healthcare accounted for 6.6% of cyberattacks across all industry sectors in 2020.

The 2021 X-Force Threat Intelligence Index report was compiled from monitoring data from over 130 countries and included data from more than 150 billion security events a day, with the data gathered from multiple sources including IBM Security X-Force Threat Intelligence and Incident Response, X-Force Red, IBM Managed Security Services, and external sources such as Intezer and Quad9.

The most common way networks were breached was the exploitation of vulnerabilities in operating systems, software, and hardware, which accounted for 35% of all attacks up from 30% in 2019. This was closely followed by phishing attacks, which were the initial entry point in 33% of attacks, up from 31% in 2019.

2020 was the first year since IBM X-Force started publishing its annual threat index reports that the exploitation of vulnerabilities was more common than phishing as the initial attack vector, which was largely due to the global shift to a distributed workforce in response to the pandemic.

Around 1 in 5 cyberattacks in 2020 involved the exploitation of vulnerabilities in Citrix servers, which were used to support remote workforces. Out of all attacks involving the exploitation of Citrix vulnerabilities, healthcare placed third with 17% of all attacks. Credential theft-related attacks secured third place in the initial attack vector list and accounted for 18% of attacks, down from 29% in 2019.

In healthcare especially, ransomware attacks increased sharply. Overall, 23% of security events in 2020 involved ransomware, up from 20% in 2019. 28% of all cyberattacks on the healthcare industry involved ransomware. These attacks often involved data theft prior to file encryption to pressure victims into paying the ransom to prevent the exposure or sale of stolen data. 59% of ransomware attacks in 2020 involved the use of this double-extortion tactic.

Sodinokibi was used in 22% of all ransomware attacks. The researchers estimate that the Sodinokibi gang generated $123 million in ransom payments in 2020. Other highly active ransomware operations included RagnarLocker, Netwalker, Maze, and Ryuk, which each had a share of 7% of the attacks.

Ransomware was the leading attack type, followed by data theft, and server access. Data theft increased 160% year-over-year, with a large proportion of the attacks due to the Emotet Trojan. Server access increased 233% in the past 12 months, mostly involving the exploitation of vulnerabilities and the use of stolen credentials. Remote Access Trojan (RAT) attacks had a notable increase from 2% of attacks in 2019 to 6% in 2020. Business email compromise attacks decreased in 2020, falling from 14% of attacks in 2019 to 9% in 2020. Insider breaches fell from 6% to 5% of attacks, with misconfigurations unchanged, accounting for 5% of attacks.

The second and third most common types of healthcare cyberattacks were server access and BEC attacks, each accounting for 18% of attacks in 2020. Data theft, insider incidents, and misconfigurations accounted for 9% of attacks each.

The increase in healthcare industry cyberattacks was largely due to the industry being heavily targeted by ransomware gangs and threat actors targeting COVID-19-related research organizations. It could have been far worse for the healthcare industry. Security researchers became aware that the Ryuk ransomware gang was planning a targeted campaign in October that would have seen 400 hospitals attacked. Fortunately, efforts by cybersecurity companies and law enforcement limited the attacks to just 9 out of the 400 hospitals.

The post IBM X-Force: Healthcare Cyberattacks Doubled in 2020 appeared first on HIPAA Journal.

Roundup of Recent Healthcare Phishing and Malware Incidents

A roundup of healthcare privacy breaches recently reported to the HHS' Office for Civil Rights and state Attorneys General.

Twelve Oaks Recovery Discovers Malware Infection and Data Theft

Twelve Oaks Recovery, a Navarre, FL-based addiction and mental health treatment center, has discovered an unauthorized individual gained access to its network, installed malware, and stole documents from its systems. The attack was discovered on December 13, 2020 when unusual network activity was detected. A forensic investigation confirmed malware had been deployed on December 13 and that data had been exfiltrated the following day.

A review of the documents obtained by the attacker revealed they contained the protected health information of 9,023 patients, and included names, addresses, dates of birth, medical record numbers, and Social Security numbers.

Twelve Oaks Recovery has enhanced its network monitoring tools and taken steps to prevent similar breaches from occurring in the future.

Rainbow Rehabilitation Centers Discovers Email Account Breach

Rainbow Rehabilitation Centers, a Livonia, MI-based provider of therapeutic rehabilitation services for individuals with brain and spinal cord injuries, has discovered an unauthorized individual gained access to an employee’s email account that contained the protected health information of 1,749 patients and information about its employee group health plans.

Third-party forensic experts were engaged to investigate the breach and confirmed that a single email account was breached. A review of the account revealed it contained PHI such as names, Social Security numbers, driver's license numbers, appointment scheduling notes, and medical plan and benefits enrollment information. It was not possible to determine if any of that information was accessed by the attacker, but no reports have been received that suggest any patient information has been misused.

Affected individuals have been notified and offered a complimentary 12-month membership to credit monitoring and identity theft protection services.

Summit Behavioral Healthcare Email Accounts Compromised

Summit Behavioral Healthcare, a Brentwood, TN-based provider of behavioral health services and operator of 18 addiction treatment centers throughout the United States, has discovered two employee email accounts were compromised, starting in late May 2020.

A third-party digital forensics firm was engaged to investigate the breach and on January 21, 2021 it was confirmed that protected health information was contained in the compromised accounts and may have been accessed or obtained by unauthorized individuals.

The information in the accounts varied from individual to individual and may have included names in combination with one or more of the following types of data: Social Security number, diagnosis or symptom information, treatment information, prescription information, health insurance numbers, medical history, financial account information, Medicaid / Medicare identification numbers, and health care provider information.

Affected individuals have been notified and offered a complimentary 12-month membership to credit monitoring and identity theft protection services.

Email Account Breach Discovered at Jacobson Memorial Hospital and Care Center

Jacobson Memorial Hospital and Care Center in Elgin, ND has discovered an email account containing the protected health information of 1,547 patients has been accessed by an unauthorized individual.

The breach was detected on or around August 5, 2020 and a third-party cybersecurity firm was hired to investigate the breach and determine if any information had been accessed. It appears that the attack was conducted in order to send spam emails from the account; however, it is possible that patient information was viewed.

The account contained names, addresses, dates of birth, email addresses, Social Security numbers, phone numbers, insurance policy numbers, credit card numbers, bank account numbers, and some health information.

A new facility-wide security system has now been implemented, policies and procedures have been updated, and additional training has been provided to staff and vendors on data protection. Affected individuals have been offered complimentary credit monitoring and identity theft restoration services.

Kaiser Permanente Fires Employee for Inappropriate PHI Access

Kaiser Permanente has fired an employee for accessing members’ medical records without authorization. The privacy breach was detected on December 28, 2020 and the investigation confirmed the records were accessed for reasons unrelated to individuals’ healthcare service needs. The types of information in the records included names, addresses, telephone numbers, email addresses, dates of birth, and photographs, but no other sensitive information.

Kaiser Permanente is reviewing its policies and procedures and will be implementing additional safeguards, as appropriate, to prevent similar privacy breaches in the future.

Universal Health Services Ransomware Attack Cost $67 Million in 2020

2020 was a particularly bad year for healthcare industry ransomware attacks, with one of the worst suffered by the King of Prussia, PA-based Fortune 500 healthcare system, Universal Health Services (UHS).

UHS, which operates 400 hospitals and behavioral health facilities in the United States and United Kingdom, suffered a cyberattack in September 2020 that took all of its IT systems offline, affecting its hospitals and other healthcare facilities across the country.

The phone system was taken out of action, and without access to computers and electronic health records, employees had to resort to pen and paper to record patient information. In the early hours after the attack occurred, the health system diverted ambulances to alternative facilities and some elective procedures were either postponed or diverted to competitors. Patients reported delays receiving test results while UHS recovered from the attack.

UHS worked fast to restore its information technology infrastructure following the attack and worked around the clock to return to normal business operations; however, the recovery process took around 3 weeks. The disruption naturally had a major financial impact, with the UHS earnings report for Q4, 2020 showing $42.1 million in losses attributable to the attack in that quarter, equivalent to 49 cents per diluted share. Despite this, UHS ended the quarter with profits of $308.7 million, up 6.6% from Q4, 2019.

Restoring its IT infrastructure resulted in a significant increase in labor costs, both internally and externally. Cash flows were also affected, as certain administrative functions such as coding and billing had to be delayed until December 2020.

UHS has reported total pre-tax losses of an estimated $67 million in 2020 due to the ransomware attack, mostly as a result of the loss of operating income, reduced patient activity, and increased revenue reserves resulting from the billing delays. UHS believes it is entitled to recover the majority of the $67 million through its insurance coverage.

Gore Medical Management Alerted to 2017 Breach of 79,100 Patients' PHI

Gore Medical Management, a medical practice company based in Griffin, GA, has discovered a historical data breach involving the protected health information (PHI) of 79,100 individuals. The breach occurred in 2017 and affects patients of Family Medical Center in Thomaston, which is now part of Upson Regional Medical Center.

In November 2020, Gore Medical Management was informed by the Federal Bureau of Investigation that a third-party computer had been recovered as part of an investigation which was found to contain the PHI of Family Medical Center patients.

The breach investigation confirmed that the vulnerability exploited by the hacker to gain access to the Family Medical Center network had been identified and corrected a few months after the breach, although the breach itself was not detected at the time. The medical record system was not compromised, but files containing names, addresses, dates of birth, and Social Security numbers were exfiltrated. No financial information or healthcare records were involved.

There does not appear to have been any further access to its systems or any other transfers of data since 2017. Gore Medical Management has now notified all affected patients and has offered them a 12-month membership to an identity theft protection and credit monitoring service.

Pennsylvania Adult & Teen Challenge Discovers Compromised Email Accounts Containing PHI of 7,771 Individuals

Pennsylvania Adult & Teen Challenge, a Rehrersburg, PA-based provider of addiction treatment programs for adults and young people, has discovered an unauthorized individual gained access to employee email accounts that contained the protected health information of 7,771 individuals.

Suspicious activity was detected in an email account on July 29, 2020 and steps were taken to prevent further access and investigate the breach. The investigation confirmed that certain email accounts had been accessed by an unauthorized individual between July 27, 2020 and July 30, 2020.

A forensic investigation was conducted, and the compromised accounts were reviewed to determine the information potentially obtained by the attacker. That process was completed on December 29, 2020.

The types of information in the accounts varied from individual to individual and may have included names along with one or more of the following data elements: Social Security number, driver's license number, financial account information, payment card information, date of birth, prescription information, diagnosis information, treatment information, treatment provider, health insurance information, medical information, Medicare/Medicaid ID number, employer identification number, electronic signature, username and password.

It was not possible to determine if information in the email accounts was accessed or exfiltrated, but no reports have been received to date to indicate any patient information has been misused. Notification letters have recently been sent to affected individuals and complimentary identity theft protection services have been offered.

Email Security Breach Impacts 45,000 Covenant Healthcare Patients

Covenant Healthcare in Saginaw, MI has discovered an unauthorized individual gained access to two employee email accounts that contained the protected health information of approximately 45,000 patients. The security breach was identified on December 21, 2020, with the investigation revealing the first email account was compromised on May 4, 2020.

A review of the compromised email accounts revealed they contained the following types of protected health information: Names, addresses, dates of birth, Social Security numbers, driver’s license numbers, medical diagnosis and clinical information, medical treatment information, prescription information, doctors’ names, medical record numbers, patient account numbers, and medical insurance information.

Affected individuals have been advised to place a fraud alert on their accounts and to monitor their account statements for signs of unauthorized activity. Affected individuals do not appear to have been offered complimentary credit monitoring.

“We are committed to keeping your personal information safe and pledge to continually evaluate and modify our practices and internal controls to enhance security and privacy,” explained Covenant Healthcare in its website breach notice.

Fisher-Titus Medical Center – Norwalk, Ohio

An unauthorized individual has gained access to the email account of an employee of Fisher-Titus Medical Center in Norwalk, OH. The email account was first accessed in August 2020 and access remained possible until October 2020 when the breach was discovered and the email account was secured.

The delay in issuing notifications to affected individuals was due to the time taken to investigate the breach. Third-party cybersecurity experts completed their investigation on January 13, 2021 and breach notification letters were sent on February 18, 2021.

The medical center determined the breach included patient names, medical information such as diagnoses, clinical information, health insurance information, Social Security numbers, and credit/debit card numbers. Affected individuals whose Social Security number was potentially compromised have been offered complimentary membership to credit monitoring services for 12 months.

Additional safeguards have now been implemented, including changes to the password policy, enhanced antivirus software, upgrades to external firewalls, and email retention policies have been revised and monitoring enhanced. A new anti-phishing platform has also been implemented.

University Hospital – Newark, New Jersey

University Hospital in Newark, NJ, has discovered an unauthorized individual gained access to its computer network and potentially viewed and exfiltrated patient information. The incident was detected on September 14, 2020, with the system found to have been breached four days previously.

A forensic investigation revealed the attacker potentially gained access to names, addresses, dates of birth, driver’s license numbers, Social Security numbers, state ID numbers, passport numbers, insurance information, financial information, medical record numbers, and some clinical information.

Affected individuals have been offered complimentary membership to identity theft protection and credit monitoring services for 12 months. University Hospital has since taken steps to improve its security protocols to prevent further breaches.

Cyberattack Forces St. Margaret's Health – Spring Valley to Shut Down Computer Systems

St. Margaret's Health – Spring Valley in Illinois is investigating a cyberattack that occurred over the weekend of February 20/21, 2021. The security breach was detected by the hospital's IT team on February 21, and the hospital's computer network and all web-based applications including email and its patient portal were shut down.

The hospital had security systems in place to protect against intrusions and data breaches. It is currently unclear how those systems were bypassed. Third-party cybersecurity experts have been engaged to assist with the investigation and remediation efforts.

St. Margaret's Health had developed and practiced computer downtime emergency operations, which have now been put into effect. The hospital has temporarily reverted to paper records for recording patient information and is relying on telephone and fax for communication while the email system is out of action. It is currently unclear how long the systems will remain offline.

The cyberattack did not affect the computer systems of St. Margaret's Peru, as those computer systems have not yet been merged with St. Margaret's Spring Valley. Care continues to be provided to patients; however, diagnostic imaging procedures have been temporarily transferred to St. Margaret's Peru while the security breach is remediated.

The breach investigation is still in the early stages, but no evidence has been found so far to suggest any patient information has been compromised.

COVID-19 Contact Tracing Data of Pitkin County, CO Residents Exposed Online

The personal information of 1,454 residents of Pitkin County in Colorado has been exposed online and could potentially have been accessed by unauthorized individuals. The exposure of the data was due to an error that occurred when configuring the county’s COVID-19 contact tracing system.

The types of information exposed included names, dates of birth, employer information, date of onset of COVID-19 symptoms, date and type of COVID-19 test taken, the results of those tests, whether individuals had received a flu shot, information on school and childcare used by individuals, and whether individuals had any underlying health conditions. The information was exposed online between October 1, 2020 and December 14, 2020.

An error occurred when configuring the software used to upload the information to the website, which failed to restrict access to certain fields that should have been hidden from public view. While it is not possible to determine whether any information was accessed by unauthorized individuals during the time it was exposed, the county suspects some people may have downloaded the information.

Pitkin County is offering 12 free months of credit monitoring and identity restoration services to affected individuals.

Documents Containing PHI of HarborChase Nursing Home Residents Found Scattered in Florida Streets

Documents containing the protected health information of residents of the HarborChase senior living facility in Mandarin in Jacksonville, FL have been found scattered in streets in St. Johns County. First Coast News was alerted to the privacy breach by residents who discovered the paperwork, some of which contained sensitive information such as names, addresses, Social Security numbers, and prescription information.

Some of the information related to patients of Guardian Pharmacy, which was alerted to the breach and subsequently notified HarborChase. According to a report on First Coast News, HarborChase is investigating a document shredding company it contracted to securely dispose of documents containing patient information. HarborChase said all of the documents had been sent for secure disposal.

March 1, 2021: Deadline for Reporting 2020 Small Healthcare Data Breaches

The deadline for reporting healthcare data breaches of fewer than 500 records that were discovered in 2020 is fast approaching. HIPAA covered entities and business associates have until March 1, 2021 to submit reports to the Department of Health and Human Services' Office for Civil Rights (OCR) for breaches discovered between January 1, 2020 and December 31, 2020.

HIPAA defines a breach as "an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised." A risk assessment should be conducted to determine the probability that PHI has been compromised. It must consider the nature and extent of the PHI involved, including the probability that individuals could be identified; the person who used or received the PHI; whether the PHI was actually viewed or acquired by an unauthorized individual; and the extent to which the risk has been mitigated.

The HIPAA Breach Notification Rule requires notifications to be issued to affected individuals within 60 days of the discovery of a breach. All breaches must be reported to OCR, including security incidents and privacy breaches affecting a single patient. If the breach affects 500 or more individuals, OCR must also be notified within 60 days of discovery. For smaller breaches, patients must still be notified within 60 days, but OCR does not need to be notified until 60 days after the end of the calendar year in which the breach was discovered.

Breach reports should be submitted to OCR electronically via the OCR breach reporting portal. While smaller breaches can be reported together ahead of the deadline via the portal, each incident must be submitted individually. Since details of each breach must be provided, including contact information, the nature of the incident, and the actions taken following the breach, entering these reports can take some time. The best practice is to report breaches throughout the year once sufficient information about their nature, scope, and cause is known, rather than waiting until the last minute.

The failure to report small healthcare data breaches before the deadline could result in sanctions and penalties against the covered entity or business associate.

Exploitation of Vulnerabilities in Accellion File Transfer Appliance Gave Hackers Access to Data of Kroger Customers

Kroger has announced it has suffered a data security incident involving the exploitation of SQL injection vulnerabilities in its Accellion File Transfer Appliance (FTA). The Accellion FTA is a legacy appliance that was released around 20 years ago as a secure file transfer solution for sharing files too large to send via email.

A zero-day vulnerability in the product was first identified by Accellion in mid-December 2020, with a further three vulnerabilities subsequently identified. Some of those vulnerabilities were exploited by a threat actor to gain access to the vulnerable devices. The hacker then installed a web shell which was used to exfiltrate sensitive data.
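The chain described above starts with SQL injection in a web front-end and ends with a web shell pulling data out of the appliance's database. The block below is an added illustration, not Accellion's code or anything taken from the UNC2546 investigation: it builds a constructed in-memory SQLite table standing in for a file-transfer appliance's share database (the `shares` table and its columns are assumptions) and writes the same token lookup two ways. The first splices the request parameter into the statement text, so a crafted token collapses the WHERE clause to dump every row, or UNIONs in `sqlite_master` to enumerate the schema, which is the reconnaissance step before targeted exfiltration. The second binds the parameter, so the same inputs return nothing.

```python
"""Added example: SQL injection in a share-token lookup, vulnerable and hardened.

Constructed data; the `shares` table and its columns are assumptions, not the
real Accellion FTA schema.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory stand-in for a file-transfer appliance's share table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE shares (id INTEGER PRIMARY KEY, owner TEXT, filename TEXT, token TEXT)"
    )
    conn.executemany(
        "INSERT INTO shares (owner, filename, token) VALUES (?, ?, ?)",
        [
            ("alice", "q4-claims.csv", "tok-a1"),
            ("bob", "payroll.xlsx", "tok-b2"),
            ("carol", "patient-list.pdf", "tok-c3"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, token: str) -> list:
    """Request parameter spliced into the statement text: the caller controls SQL syntax."""
    sql = "SELECT owner, filename FROM shares WHERE token = '" + token + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, token: str) -> list:
    """Same query with a bound parameter: the value never becomes part of the SQL grammar."""
    return conn.execute(
        "SELECT owner, filename FROM shares WHERE token = ?", (token,)
    ).fetchall()


# Two constructed payloads a tester would send in the token parameter.
DUMP_ALL = "' OR '1'='1"                                       # makes the WHERE clause always true
ENUM_SCHEMA = "' UNION SELECT name, sql FROM sqlite_master --"  # appends the table definitions


if __name__ == "__main__":
    db = make_db()
    print("legit token      :", lookup_vulnerable(db, "tok-a1"))
    print("dump-all payload :", lookup_vulnerable(db, DUMP_ALL))
    print("schema payload   :", lookup_vulnerable(db, ENUM_SCHEMA))
    print("safe, same input :", lookup_safe(db, DUMP_ALL))
```

Parameter binding is the fix at the code level; for a packaged appliance like the FTA the operator cannot apply it and can only patch or, as Kroger did, retire the product. The `--` in the second payload comments out the closing quote the application appends, which is why injection payloads so often end that way.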

Accellion explained in a February 22, 2021 press release that Mandiant had investigated the security incident and attributed the attacks to a criminal hacker tracked as UNC2546. UNC2546 has been linked to the FIN11 hacking group and CL0P ransomware operation.

In January, several Accellion FTA customers reported receiving ransom demands for the return of stolen data. Threats were made to publish stolen data on the CL0P ransomware data leak site if the ransom was not paid. Accellion says around 300 customers use the Accellion FTA, fewer than 100 were victims of the attack, and fewer than 25 suffered significant data theft. Ransomware was not used in the attacks.

Kroger was alerted to the breach on January 23, 2021 and discontinued use of the Accellion FTA. An internal investigation was conducted to determine which information had potentially been stolen. Kroger said fewer than 1% of its customers were affected, most of whom were customers of Kroger Health and Money Services, along with some associates and employees.

Some Social Security numbers were compromised but the breach did not include financial information or customer account passwords, and there have been no reports of the misuse of any customer data. Kroger has offered complimentary credit monitoring services to all affected customers.

The incident has yet to be reported to the HHS’ Office for Civil Rights so it is currently unclear how many patients have been affected.

Ransom Paid to Recover Healthcare Data Stolen in Cyberattack on Online Storage Vendor

The protected health information of 29,982 patients of a Laguna Hills, CA-based provider of medical and surgical eye care services has potentially been stolen in a cyberattack on its online storage vendor.

On January 15, 2021, Harvard Eye Associates was informed by its storage vendor that hackers had gained access to the vendor’s computer system and exfiltrated data. It is not clear whether files were encrypted to prevent access; however, a ransom demand was issued for the return of the stolen data. The storage vendor consulted with cybersecurity experts and the Federal Bureau of Investigation and took the decision to pay the ransom demand.

The hackers returned the stolen data and provided assurances that no copies of the data had been made and that there had been no further disclosures of the stolen information. The cybersecurity experts engaged by the storage vendor have been monitoring the Internet and darknet and have not found any evidence to suggest the stolen data has been sold or leaked online. An investigation into the breach revealed the hackers first gained access to the vendor's computer systems on October 24, 2020.

The types of patient information potentially obtained by the hackers included patients’ names, addresses, phone numbers, email addresses, dates of birth, medical histories, health insurance information, medications, and information about treatment provided at Harvard Eye Associates.

Harvard Eye Associates provides billing and other administrative services to Alicia Surgery Center in Laguna Hills, which requires access to the types of data previously mentioned. Alicia Surgery Center patients were also affected by the security incident. It is currently unclear how many patients of Alicia Surgery Center have been affected.

Harvard Eye Associates and Alicia Surgery Center explained in their website breach notices that affected individuals are being notified and offered complimentary credit monitoring and identity theft protection services.