HIPAA Breach News

Email Data Breaches Reported by UofL Health and Jawonio

UofL Health has started notifying 42,465 patients that some of their protected health information (PHI) was sent to an incorrect external email address.

The Louisville, KY healthcare system sent notification letters to affected patients on June 7, 2021 advising them about the exposure of some of their PHI. UofL Health was contacted the following day by the owner of the external domain and was provided with technical evidence that showed the emails had not been viewed by anyone and had been permanently deleted.

Some patients whose PHI was exposed were offered complimentary identity theft protection services. While it has now been confirmed that PHI had not been viewed and is no longer accessible, UofL Health said any patient who was offered identity theft protection services will still be able to sign up for them free of charge.

“We are relieved that our patients’ information is not at risk as a result of this incident, though we wish that information would have come to us sooner,” said UofL Health in a website notice to its patients. UofL Health did not state in its breach notice what information was in the emails.

Jawonio Notifies 13,313 Patients About Email Account Breach

Jawonio, a provider of lifespan services for individuals with developmental disabilities, behavioral health challenges, and chronic medical conditions in the Mid-Hudson Region of New York, has discovered its email environment has been accessed by an unauthorized individual.

Suspicious activity was detected in its email environment on April 20, 2020. Steps were immediately taken to prevent further unauthorized access and an investigation was launched to determine the nature and scope of the security breach. Assisted by third-party cybersecurity experts, Jawonio learned on November 24, 2020 that the personal and protected health information of 13,313 individuals had potentially been compromised.

The affected email accounts were reviewed and discovered to include names, dates of birth, medical record numbers, Social Security numbers, medical condition information, treatment information, government issued identification numbers, health insurance information, and financial account information.

While PHI was potentially viewed, no evidence was found to indicate that information has been misused. Individuals affected by the security breach have been provided with complimentary credit monitoring and identity protection services. The delay in issuing breach notification letters was due to the lengthy process of identifying current mailing addresses for affected individuals.

The post Email Data Breaches Reported by UofL Health and Jawonio appeared first on HIPAA Journal.

Ohio Hospital Worker Snooped on 7,300 Patient Records over 12 Years

A former employee of Aultman Health Foundation accessed 7,300 patient records without authorization for almost 12 years before the HIPAA violation was discovered.

The employee was provided with access to patient records to fulfil duties related to coordinating patient care but was discovered to have accessed patient records when there was no legitimate work reason for doing so. The types of information accessed included patient names, addresses, dates of birth, health insurance information, diagnosis and treatment information, and Social Security numbers.

Aultman said it suspended the employee’s access to patient records as soon as the privacy violation was uncovered, and an investigation was immediately launched to determine the nature and scope of the HIPAA violation. The investigation revealed the employee accessed patient records without authorization from September 14, 2009 until April 26, 2021. The employee was terminated for violating HIPAA and hospital policies.

Aultman has started notifying patients whose records were viewed. Patients whose Social Security number was potentially compromised have been offered complimentary credit monitoring and identity theft protection services. Aultman said its employees were aware that they were only permitted to access patient records for work purposes. “To help prevent something like this from happening again, Aultman has provided additional training to its system users and is implementing additional measures to protect the information of its patients,” said an Aultman spokesperson.

The incident appears to be a case of snooping. The former employee is not facing criminal charges and, so far, there is no indication that patient information has been or will be misused.

The Canton, OH-based health system operates Aultman Hospital, Aultman Orrville Hospital, Aultman Alliance Community Hospital, and several urgent care community health centers and physical therapy facilities in Stark County.


Former Cedar Rapids Hospital Employee Who Weaponized Ex-Boyfriend’s PHI Sentenced to Probation

A former Cedar Rapids Hospital employee has been sentenced to 5 years’ probation for wrongfully accessing and distributing the protected health information of her ex-boyfriend.

Jennifer Lynne Bacor, 41, of Las Vegas, NV, was employed as a patient care technician at a Cedar Rapids hospital. The position gave her access to systems containing the individually identifiable information of patients. While she was authorized to access that information, she was only permitted to view the information of patients in order to complete her work duties.

Bacor’s ex-boyfriend had visited the hospital on multiple occasions in 2017 to receive treatment. On multiple occasions between April and October 2017, Bacor used her login credentials to access his medical records, which dated from October 2013 to September 2017, when there was no legitimate work reason for doing so.

Accessing the protected health information of an individual when there is no legitimate work purpose for doing so is a violation of the Health Insurance Portability and Accountability Act (HIPAA), for which criminal charges can be filed.

Bacor took a photograph of a medical image that showed injuries sustained by her ex-boyfriend and sent the photo to a third party. The third party subsequently sent the image to other individuals via Facebook Messenger, including taunting language and emojis with the image. Bacor was also found to have stated in social media chats with another person that she was attempting to get primary custody of the two children she had with her ex-boyfriend.

After learning about the privacy breach, the ex-boyfriend filed a complaint with the hospital on October 4, 2017 alleging Bacor had accessed his medical records without authorization and provided the photo to the hospital. The hospital conducted an investigation into the privacy breach and confirmed Bacor had accessed his medical records on 10 occasions. Bacor was initially suspended, then fired for the HIPAA violation.

In August 2020, Bacor admitted to law enforcement officers that she had violated federal privacy laws in an attempt to protect her children. Bacor entered into a plea arrangement and pleaded guilty to one count of wrongfully obtaining individually identifiable health information under false pretenses.

U.S. District Judge C.J. Williams said Bacor had “weaponized” her ex-boyfriend’s private medical information by sending it to others and sentenced her to 5 years’ probation and a $1,000 fine. Bacor has also been prohibited from working in any job that requires her to have access to the private medical records of others.
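Both the Aultman case and the Bacor case above turn on the same gap: a user who was authorized to use the EHR opened charts she had no treatment relationship with, and nothing flagged it (for almost 12 years at Aultman, ten separate views at the Cedar Rapids hospital). The following added example is not code from HIPAA Journal or from either hospital; it shows one way to surface that pattern from an EHR audit log by checking each chart access against the patient’s encounters and the staff assigned to them. The log layout, the encounter table, the 30-day grace window, and every user and patient identifier in it are constructed assumptions for the demonstration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Access:
    """One EHR audit-log entry: which user opened which patient's chart, and when."""
    user: str
    patient: str
    when: datetime


@dataclass(frozen=True)
class Encounter:
    """A patient visit and the staff assigned to it (the care team)."""
    patient: str
    care_team: frozenset
    start: datetime
    end: datetime


# Chart access shortly before admission (pre-registration) or after discharge
# (coding, follow-up calls) is still legitimate; 30 days is an assumed tuning value.
GRACE = timedelta(days=30)


def has_treatment_relationship(access, encounters, grace=GRACE):
    """True if the user was on the care team of an encounter for that patient
    whose date range, widened by the grace window, covers the access time."""
    for enc in encounters:
        if enc.patient != access.patient or access.user not in enc.care_team:
            continue
        if enc.start - grace <= access.when <= enc.end + grace:
            return True
    return False


def flag_unjustified_accesses(accesses, encounters, grace=GRACE):
    """Return every access that cannot be tied to a treatment relationship."""
    return [a for a in accesses if not has_treatment_relationship(a, encounters, grace)]


def repeat_offenders(flagged, min_hits=2):
    """Count unjustified accesses per (user, patient). The same user returning to
    the same chart without a care relationship is the pattern in both cases above."""
    counts = Counter((a.user, a.patient) for a in flagged)
    return {key: n for key, n in counts.items() if n >= min_hits}


def _d(s):
    return datetime.strptime(s, "%Y-%m-%d")


# Constructed sample data; none of these users, patients or dates come from the page.
ENCOUNTERS = [
    Encounter("P-100", frozenset({"rn_k"}), _d("2017-03-01"), _d("2017-03-03")),
    Encounter("P-200", frozenset({"pct_b", "rn_k"}), _d("2017-06-10"), _d("2017-06-12")),
]

AUDIT_LOG = [
    Access("rn_k",  "P-100", _d("2017-03-02")),  # nurse on the care team: justified
    Access("pct_b", "P-200", _d("2017-06-11")),  # tech on the care team: justified
    Access("pct_b", "P-100", _d("2017-04-15")),  # no relationship: flagged
    Access("pct_b", "P-100", _d("2017-07-20")),  # no relationship: flagged
    Access("pct_b", "P-100", _d("2017-10-02")),  # no relationship: flagged
    Access("rn_k",  "P-300", _d("2017-03-02")),  # patient with no encounter at all: flagged
    Access("rn_k",  "P-100", _d("2017-03-20")),  # inside the post-discharge grace window: justified
]


def run_sample():
    """Run the check over the constructed log; returns (flagged accesses, repeat offenders)."""
    flagged = flag_unjustified_accesses(AUDIT_LOG, ENCOUNTERS)
    return flagged, repeat_offenders(flagged)


if __name__ == "__main__":
    flagged, repeats = run_sample()
    for a in flagged:
        print(f"UNJUSTIFIED {a.when:%Y-%m-%d} user={a.user} patient={a.patient}")
    for (user, patient), n in repeats.items():
        print(f"REPEAT user={user} patient={patient} hits={n}")
```

On the sample log the check flags four accesses and reports one repeat offender (pct_b opening P-100 three times with no encounter). In a real deployment the hard part is the encounter and care-team data, not the comparison: roles that legitimately touch charts outside an encounter (coders, billing, quality review) need explicit exemptions rather than a wider grace window, break-the-glass accesses should be surfaced separately with their stated reason, and the check has to run continuously, since a query run once at termination would not have shortened the 12-year window in the Aultman case.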


Maximus Reports Breach Affecting 334,000 Medicaid Healthcare Providers

Ohio Medicaid has announced that its data manager, Maximus Corp, has experienced a data breach in which the personal information of Medicaid healthcare providers has been compromised.

Maximus is a global provider of government health data services. Through the provision of those services the company had been provided with the personal information of Medicaid healthcare providers. On May 19, 2021, Maximus discovered a server that contained personal information provided to the Ohio Department of Medicaid (ODM) or to a Managed Care Plan had been accessed by unauthorized individuals between May 17 and May 19, 2021.

Upon discovery of the breach, Maximus took the server offline to prevent any further unauthorized access and a leading third-party cybersecurity firm was engaged to assist with the investigation. The cybersecurity firm confirmed that the breach was confined to an application on the server and no other servers, applications, or systems were affected.

No evidence was found to indicate any information within the application has been misused, although data theft could not be ruled out. The application was used for the purposes of credentialing or tax identification related to the role of each individual as a healthcare provider.

The sensitive data contained within the application were limited to names, dates of birth, Social Security numbers, and Drug Enforcement Administration (DEA) numbers. Maximus said individuals covered by Medicaid were not affected by the breach.

Maximus said the rapid detection of the breach limited potentially adverse impacts; however, since there is a possibility of data theft, all individuals affected were notified on June 18, 2021, and have been offered complimentary credit monitoring services for 24 months.

The breach has been reported to the Maine Attorney General as affecting 334,690 individuals. Those individuals are located in multiple U.S. states.


PHI of Up to 500,000 Individuals Potentially Stolen in Wolfe Eye Clinic Ransomware Attack

Wolfe Eye Clinic, the operator of a network of eye health clinics throughout Iowa, has announced it was the victim of a ransomware attack on February 8, 2021. Hackers gained access to its systems and used ransomware to encrypt files. A ransom demand was issued for the keys to decrypt files, but the clinic refused to pay and opted to recover files from backups. As is now common in ransomware attacks, prior to file encryption the attackers exfiltrated data from Wolfe Eye Clinic systems.

Wolfe Eye Clinic explained in its substitute breach notification letter that immediate action was taken to secure its network environment and independent IT security and forensic investigators were engaged to determine the scope and extent of the security breach. Due to the scale and complexity of the attack, it took until May 28, 2021 for the full scope of the security breach to be determined and to identify the information compromised in the attack.

The forensic investigation concluded on June 8, 2021, when it was confirmed the attackers accessed and exfiltrated the data of current and former patients. The stolen protected health information included names, addresses, birth dates, Social Security numbers and, for some individuals, medical and health information.

Notification letters have started to be mailed to affected individuals and complimentary identity theft protection and credit monitoring services are being offered for 12 months through IDX. Wolfe Eye Clinic said it is implementing additional safeguards to prevent further attacks.

The attackers appear to have exfiltrated a large amount of data. KCCI Des Moines has reported the incident as affecting approximately 500,000 individuals, making this one of the most extensive ransomware attacks on a single healthcare provider to have been reported this year.


PHI of 38,000 Patients Stolen in Ransomware Attack on Reproductive Biology Associates

The Georgia fertility clinic Reproductive Biology Associates has announced it suffered a ransomware attack in April in which files containing the personal and protected health information of approximately 38,000 patients were exfiltrated by the attackers.

The attackers gained access to a file server containing embryology data on April 7, 2021, and ransomware was used to encrypt files on April 16, 2021. The files contained the PHI of patients of Reproductive Biology Associates and its affiliate My Egg Bank North America, which included full names, addresses, Social Security numbers, laboratory test results, and information related to the handling of human tissue.

The investigation into the attack concluded on June 7, 2021. While it has not been officially confirmed whether the ransom was paid, Reproductive Biology Associates said the attackers have deleted all data stolen in the attack and all encrypted data have now been recovered.

Reproductive Biology Associates has been monitoring online and dark web sites for signs of misuse or misappropriation of the stolen data and will continue to do so. Affected individuals have been offered complimentary credit monitoring and identity theft protection services, and a third-party cybersecurity firm has been engaged to help secure its systems and prevent further attacks.

Georgia Hospital System Suffers Ransomware Attack

St. Joseph’s/Candler (SJ/C) hospital system in Savannah, GA has announced it was the victim of a ransomware attack which occurred around 4 a.m. on Thursday June 17, 2021. The attack prevented access to computer systems and emergency protocols were implemented, with staff reverting to pen and paper to record patient data.

The attack was detected promptly and steps were taken to isolate systems to limit the damage caused; however, it is too early to tell what, if any, patient information has been affected and if the attackers exfiltrated patient data prior to using ransomware to encrypt files.

“Patient care operations continue at our facilities using established back-up processes and other downtime procedures,” explained SJ/C in a statement. “Our physicians, nurses and staff are trained to provide care in these types of situations and are committed to doing everything they can to mitigate disruption and provide uninterrupted care to our patients.”

UF Health Ransomware Attack Having Impact on Patient Care

On May 31, 2021, UF Health Central Florida suffered a ransomware attack that affected The Villages Regional Hospital and Leesburg Hospital. Following the attack, emergency downtime procedures were implemented and care has continued to be provided to patients, with staff recording patient information using pen and paper.

It has now been more than 2 weeks since the attack and EHR downtime procedures are still in effect while UF Health attempts to restore its systems and affected data, and the attack is now having a negative impact on patient care.

According to a recent report on WESH 2 News, employees at the affected hospitals said they are still unable to check the EHR, cannot obtain medication lists, and are unable to confirm if patients have allergies. Staff are also experiencing delays receiving lab reports. Staff at the hospital spoke to reporters and said some patients were receiving one medication when a different one was ordered, and medications that are due are missing. “God forbid that we administer something that we thought was ordered or wasn’t ordered and something happens and there is a bad outcome,” said one employee to WESH 2 News.

It is currently unclear whether UF Health intends to pay the ransom and whether patient data have been stolen. A spokesperson for UF Health was unable to confirm when systems would be restored.


Prominence Health Plan Data Breach Impacts up to 45,000 Individuals

The Nevada health insurer Prominence Health Plan has announced it suffered a security breach on November 30, 2020 in which hackers potentially obtained the protected health information of some of its plan members. The data breach was discovered on April 22, 2021 and steps were immediately taken to prevent further unauthorized access, including changing the credentials used by the attacker to gain access to its network.

While Prominence Health Plan has not confirmed whether this was a ransomware attack, all affected plan member data has been restored from backups. The incident involved audio recordings of phone calls to the Prominence call center along with PDF files that included provider claim forms and letters to patients advising them about claim approvals and denials.

The audio files typically included full names, dates of birth, and member ID numbers, while the PDF files contained a member’s name, date of birth, sex, member ID number, mailing address, and claim code. The files included PHI of individuals who had been members between 2010 and 2020. Approximately 45,000 individuals have been affected.

There have been no reported cases of misuse of PHI and, according to Prominence, the information in the files was not in a readily usable format, which limits the potential for misuse. Prominence is conducting online monitoring for any signs of attempted misuse of the stolen data, and affected individuals have been notified and offered complimentary credit monitoring and identity theft protection services. Additional security measures are being implemented to prevent any further data breaches.

Ohio Medicaid

Ohio Medicaid has announced that its data manager, Maximus, has suffered a data breach in which the personal data of Ohio Medicaid providers has been exposed.

An application used by Maximus was discovered to have been accessed by an unauthorized third party between May 17 and May 19, 2021. Upon discovery of the breach, Maximus took the application offline to prevent any further unauthorized access and a leading third-party cybersecurity firm was engaged to assist with the investigation.

The cybersecurity firm confirmed that the breach was confined to the application and no other servers, applications, or systems were affected. No evidence was found to indicate any information within the application – Ohio credentialing and licensing data – has been misused. Maximus said people covered by Medicaid were not affected.

Maximus said the rapid detection of the breach limited potentially adverse impacts; however, since there is a possibility of data theft, all individuals affected were notified on June 18, 2021 and have been offered complimentary credit monitoring services for 24 months.


San Juan Regional Medical Center Data Breach Affects 68,792 Patients

San Juan Regional Medical Center has recently notified tens of thousands of its patients about a security breach that occurred in the fall of 2020. The Farmington, NM medical center discovered its network had been accessed by an unauthorized individual on September 8, 2020. Prompt action was taken to prevent further unauthorized access and an investigation was launched to determine the nature and extent of the breach.

The forensic investigation revealed the attacker exfiltrated files between September 7 and 8, with a manual review of those files confirming they contained the protected health information of 68,792 patients. The types of information in the files varied from patient to patient and included names in combination with one or more of the following data elements: dates of birth, Social Security numbers, driver’s license numbers, passport information, financial account numbers, health insurance information, diagnoses, treatment information, medical record numbers, and patient account numbers.

While data theft was confirmed, no evidence has been found to indicate any of the stolen PHI has been misused. Complimentary credit monitoring services have been offered to individuals whose Social Security number was compromised. The medical center has also taken steps to secure its network and improve internal processes to prevent further security breaches.

Coastal Medical Group Reports Hacking and Data Theft Incident

Old Bridge, NJ-based Coastal Medical Group, a gastroenterology and internal medicine specialist, has suffered a security breach in which patient data has potentially been compromised. The practice, which is listed as permanently closed, discovered the breach on April 21, 2021.

The investigation into the breach indicates systems were first compromised on March 25, 2021. According to a statement released by the practice, incident response and recovery procedures were immediately implemented, and the practice worked quickly to assess the security of its systems and prevent further unauthorized access.

The investigation confirmed that files containing protected health information were acquired by the attacker, which included full names, home addresses, dates of birth, other demographic and contact information, Social Security numbers, insurance information, diagnoses, and treatment information.

The practice has notified all affected patients by mail and has offered complimentary credit monitoring and identity theft protection services. Steps have also been taken to secure its systems to prevent any further breaches.

It is currently unclear how many individuals have been affected.

Springfield Psychological Reports Email Error

Pennsylvania-based Springfield Psychological has notified certain current, former, and prospective patients about an email error that exposed email addresses. A routine marketing email was sent on June 9, 2020; however, rather than having the recipients’ email addresses hidden, the email was sent in a way that made recipients’ email addresses visible to all recipients.

Aside from identifying individuals as having received or considered receiving healthcare services from Springfield Psychological, the only information exposed was email addresses.

Springfield Psychological contacted the HHS’ Office for Civil Rights about the incident in the fall of 2020 and on May 25, 2021, OCR informed Springfield Psychological that the incident was a reportable breach under HIPAA. Affected individuals were then promptly notified.


South Texas Health System and Atricure Report Email Incidents

South Texas Health System has notified 6,761 patients about an accidental disclosure of some of their protected health information. South Texas Health System provides discharge instructions after patients receive medical care in its hospitals. Part of that process involves an employee generating and emailing a monthly report that identifies patients who have been discharged from its hospital emergency departments.

South Texas Health System discovered on April 8, 2021 that an email with an attached November 2020 report was sent to an incorrect email address on April 7. Steps were taken to try to identify the recipient and get the email deleted, but that individual remains unknown and it is unclear whether the email has been opened, viewed, or deleted.

The email attachment contained a list of patients discharged from its hospital emergency departments in November 2020, which included names, internal hospital visit numbers, date and time of discharge, whether discharge instructions were provided, and information about where the patients were discharged.

The nature of the data in the report makes it unlikely that patients will suffer harm; however, out of an abundance of caution, those individuals have been offered 12 months of complimentary membership of an internet surveillance and identity theft restoration service.

Email Data Breach Affects Atricure Group Health Plan Members

Ohio-based Atricure has discovered an email account of one of its employees was accessed by an unauthorized individual for a short period on March 8, 2021. Upon discovery, the account was immediately secured and a third-party cybersecurity firm was engaged to assist with the investigation. The breach was confirmed as affecting a single email account, but it was not possible to tell if any emails or attachments were viewed.

An analysis of all emails and attachments in the account was completed on April 7, 2021 and revealed they contained some sensitive information of employees, beneficiaries and dependents relating to the Atricure Group Health Plan. In total, 2,487 individuals have been affected by the breach.

The types of information potentially compromised included names, addresses, dates of birth, Social Security numbers, financial account information, clinical information, and health insurance claims information. Affected individuals have been provided with complimentary credit monitoring, fraud consultation, and identity theft restoration services. Atricure has also enhanced its security protocols and has re-educated employees on email security.
