HIPAA Breach News

Nebraska Medicine Notifies 219,000 Patients About September 2020 Malware Attack

Nebraska Medicine has started notifying approximately 219,000 patients about a malware attack that allowed an unauthorized individual to view and obtain patient information.

Nebraska Medicine identified unusual activity in some of its systems on September 20, 2020. All affected devices were isolated to contain the breach and impacted systems were shut down to prevent any further unauthorized access. Independent computer forensics experts were engaged to conduct an investigation and determine the nature and scope of the security breach.

The investigation confirmed that an unauthorized individual first gained access to the network on August 27, 2020 and deployed malware. Between August 27 and September 20, that individual copied certain files, some of which contained patient information.

The files contained information about patients who received medical services at The Nebraska Medical Center or University of Nebraska Medical Center, as well as a limited number of patients who visited Faith Regional Health Services, Great Plains Health, or Mary Lanning Healthcare.

The protected health information obtained in the attack included one or more of the following data elements: Name, address, date of birth, medical record number, health insurance information, physician notes, laboratory results, imaging, diagnosis information, treatment information, and/or prescription information, and a limited number of Social Security numbers and driver’s license numbers.

Affected individuals were notified about the breach on February 5, 2021. Individuals whose Social Security or driver’s license number was compromised have been offered complimentary credit monitoring and identity theft protection services. Nebraska Medicine continues to monitor its IT environment for potential breaches and network monitoring tools have been enhanced.

Phishing Attack Affects 2,500 Hackley Community Care Patients

Hackley Community Care in Muskegon, MI is alerting approximately 2,500 patients that some of their protected health information has been exposed and may have been viewed by unauthorized individuals.

In September 2020, a phishing email was sent to several staff members that contained a link to a malicious website. One employee clicked the link and entered their login credentials which were captured and used by the attacker to remotely access the employee’s email account between September 7 and September 24, 2020.

The investigation into the incident confirmed only one email account had been compromised and no evidence was found to indicate any emails in the account were opened. A review of the compromised email account was completed on December 18, 2020 and all individuals are now being notified if they have been affected.

For most of the affected individuals, the breach was limited to names and addresses. Individuals who had more sensitive data exposed have been offered complimentary credit monitoring services through TransUnion. Hackley Community Care is implementing additional security measures to prevent similar incidents in the future.

The post Nebraska Medicine Notifies 219,000 Patients About September 2020 Malware Attack appeared first on HIPAA Journal.

Class Action Lawsuit Filed Against US Fertility Over September 2020 Ransomware Attack

US Fertility is facing a class action lawsuit over a September 2020 ransomware attack and data breach that affected 878,550 individuals.

US Fertility provides IT platforms and administrative, clinical, and business information services, and is one of the largest providers of support services to infertility clinics in the United States. On September 14, 2020, US Fertility discovered ransomware had been used to encrypt files on its network. The investigation revealed the threat actors behind the attack exfiltrated files between August 12 and September 14, 2020, some of which contained protected health information.

The types of data obtained by the hackers included names, addresses, dates of birth, driver’s license and state ID numbers, passport numbers, medical treatment/diagnosis information, medical record information, health insurance and claims information, credit and debit card information, and financial account information.

The class action lawsuit, brought by Plaintiffs Alec Vinsant and Marla Vinsant, alleges US Fertility failed to implement adequate data security measures which caused them to suffer irreparable harm and placed them at an increased risk of identity theft and fraud.

The harm suffered by the breach victims that the lawsuit seeks to address includes the theft of personal data and its exposure to cybercriminals, unauthorized charges on credit/debit card accounts, costs associated with the detection and prevention of identity theft and unauthorized use of financial accounts, damages due to accounts being suspended or rendered unusable, inability to withdraw funds, costs and time associated with mitigating the breach and preventing future negative consequences, and imminent and impending injury from potential fraud and identity theft as a result of personal information being sold on the dark web.

Class action lawsuits often allege harm, although in many cases the lawsuits fail as the plaintiffs are unable to provide evidence of injuries or losses sustained as a direct result of the data breach. That was the case with the proposed class action lawsuit against Brandywine Urology, which was recently dismissed by the Delaware Superior Court. Whether the lawsuit succeeds is likely to depend to a large extent on whether the plaintiffs can provide sufficient evidence that they have suffered actual harm due to the ransomware attack and data breach.

Plaintiff Alec Vinsant alleges someone used his Social Security number to fraudulently apply for unemployment benefits in Nevada one month after the data breach occurred and plaintiff Marla Vinsant said her credit score had unexpectedly fallen by 50 points following the attack.

The lawsuit alleges US Fertility was on notice that the healthcare industry was being targeted by ransomware gangs and was aware of the need to encrypt data, yet failed to do so, and US Fertility failed to comply with Federal Trade Commission requirements for data security. The lawsuit alleges negligence, breach of implied contract, unjust enrichment, and violations of the Nevada Deceptive Trade Practices Act.

The lawsuit seeks class action status, a jury trial, damages for plaintiffs and class members, reimbursement of out-of-pocket expenses and legal costs, and other relief. The lawsuit also seeks to require US Fertility to implement proper data security policies and practices, including encryption of sensitive data, deletion or destruction of class members' PII, proper network segmentation, penetration tests, further security awareness training for the entire workforce, and third-party security audits, database scanning, and firewall tests.


Email Account Breach at Law Firm Affects More Than 36,000 UPMC Patients

University of Pittsburgh Medical Center (UPMC) has announced the protected health information of more than 36,000 patients has potentially been accessed by unauthorized individuals following a cyberattack on a company that provides billing-related legal services to UPMC.

In June 2020, Charles J. Hilton & Associates P.C. (CJH) discovered suspicious activity in its employee email system and launched an investigation. On July 21, 2020, CJH determined that hackers had gained access to the email accounts of several of its employees between April 1, 2020 and June 25, 2020.

Computer forensics specialists conducted an extensive investigation into the incident to determine which information was accessed or obtained by the hackers. UPMC said it received a notification about the breach in December 2020 confirming patient information may have been accessed by the hackers. Notification letters are now being sent by CJH to all patients potentially affected by the breach. UPMC said none of its systems, including its electronic medical record system, were affected, and the only information involved was patient information that had been provided to CJH so that it could perform its contracted billing-related legal services.

CJH said the compromised accounts contained names, dates of birth, Social Security numbers, bank or financial account numbers, driver’s license numbers, state identification card numbers, electronic signatures, medical record numbers, patient account numbers, patient control numbers, visit numbers, trip numbers, Medicare or Medicaid identification numbers, individual health insurance or subscriber numbers, group health insurance or subscriber numbers, medical benefits and entitlement information, disability access and accommodation, and information related to occupational-health, diagnosis, symptoms, treatment, prescription or medications, drug tests, billing or claims, and/or disability.

CJH is offering complimentary membership to credit monitoring and identity theft protection services to affected individuals.

UPMC Health Plan Phishing Incident Impacts 19,000 Members

19,000 members of UPMC Health Plan are being notified that some of their protected health information has potentially been compromised. An email account of a UPMC Health Plan employee was accessed by an unauthorized individual on December 8, 2020. UPMC Health Plan was notified about the breach the following day.

The information stored in the compromised email account only included names, dates of birth, parent/guardian names, and limited clinical information, including dental provider and procedure information. No evidence was found to indicate any plan member information has been misused.

This phishing attack does not appear to be in any way connected to the phishing attack at Charles J. Hilton & Associates P.C.

Nevada Health Centers Alerts Patients About Email Account Breach

Nevada Health Centers has announced that the protected health information of some of its patients has potentially been compromised. Between November 20 and December 7, 2020, an unauthorized individual remotely logged into an employee’s email account that contained patient information.

The person who logged into the account appeared to be based overseas, with one of the login attempts made using a South African IP address. The attack appears to have been conducted to obtain financial information about Nevada Health Centers rather than patient health data, although it is possible that patient information was viewed or obtained in the attack. Nevada Health Centers said no evidence of PHI access or theft has been found.

The compromised email account was discovered to contain patient names in combination with one or more of the following types of information: Address, phone number, date of birth, gender, ethnicity, race, insurance information, appointment information, medical record number, provider name, service location(s). It is currently unclear how many patients have been affected by the breach.


Ramsey County and Crisp Regional Health Services Affected by Ransomware Attacks

The County Manager’s Office of Ramsey County, MN has started notifying 8,700 clients of its Family Health Division that some of their personal information has potentially been accessed by unauthorized individuals in a ransomware attack on one of its vendors.

St. Cloud-based Netgain Technology LLC provides technology services to Ramsey County, including an application used by the Family Health Division for documenting home visits. Data within that application was potentially accessed and exfiltrated by threat actors prior to the deployment of ransomware. The application contained information such as names, addresses, dates of birth, dates of service, telephone numbers, account numbers, health insurance information, medical information and, for a small number of individuals, Social Security numbers.

The attack appears to have been conducted with the sole purpose of extorting money from Netgain rather than to gain access to personal information; however, it was not possible to rule out unauthorized access or data theft.

Ramsey County was notified about the attack on December 2, 2020 and immediately stopped using Netgain’s services and applications and switched to backup processes. The attack has been reported to law enforcement and steps are being taken to harden security to prevent further attacks.

Crisp Regional Health Services Hit with Ransomware Attack

Cordele, GA-based Crisp Regional Health Services suffered a ransomware attack on January 27, 2020 that forced certain systems offline. The attack disabled the hospital’s telephone system and staff had to resort to radios for internal communication. Patients and their family members were advised to make contact via social media while the phone system was down.

Steps were immediately taken to secure information and contain the attack and third-party cybersecurity professionals have been engaged to assist with the investigation and determine the extent and scope of the breach, and whether the attackers accessed or exfiltrated patient data.

Crisp Regional Health Services’ community relations and foundation director, Brooke Marshall, said “Workflow was never compromised, patient care was never compromised.”

The investigation is ongoing and further information will be released as and when it becomes available.

Vulnerability in Vaccine Scheduling Tool Allowed Individuals to Cut in Line and Book Vaccination Appointments

Beaumont Health in Michigan experienced a breach of its Epic COVID-19 vaccine scheduling application over the weekend of January 30/31. An unauthorized individual exploited a vulnerability in the platform and publicly shared an unauthorized scheduling pathway. That pathway was subsequently used by 2,700 individuals to book COVID-19 vaccination appointments.

Beaumont Health notified Epic about the incident on January 31, 2020 and both worked together to address the issue. All 2,700 individuals who cut in line have had their vaccination appointment cancelled. Individuals who met the eligibility criteria and booked legitimate appointments for a COVID-19 vaccination have not been affected.

Epic issued a statement confirming that the incident did not result in any unauthorized individuals gaining access to patients’ medical or hospital records.


5 Healthcare Providers Have Started Notifying Patients About Recent Phishing Attacks

A round-up of healthcare phishing attacks that have been publicly disclosed in the past few days.

2,254 Patients Affected by Leonard J. Chabert Medical Center Email Account Breach

Leonard J. Chabert Medical Center has been notified that the protected health information of some of its patients has been compromised in a phishing attack on LSU Health New Orleans Health Care Services Division (LSU HCSD).

LSU HCSD announced the breach publicly on November 20, 2020 but discovered on November 24, 2020 that some patient data from Leonard J. Chabert Medical Center, its partner hospital, had also potentially been compromised.

Leonard J. Chabert Medical Center was provided with information related to the breach on December 3, 2020, the analysis of which revealed the protected health information of 2,254 patients had been exposed between September 15, 2020 and September 18, 2020.

For most patients, the exposed data was limited to names, phone numbers, addresses, medical record numbers, dates of birth, account numbers, dates of service, types of services received, and health insurance identification numbers. A small subset of patients also had their bank account number and/or limited health information such as diagnoses exposed.

LSU HCSD is reviewing its email security measures, which will be enhanced to prevent similar breaches in the future and additional security awareness training is being provided to employees.

PHI of 1,800 Patients Potentially Compromised in Lynn Community Health Center Phishing Attack

Lynn Community Health Center (LCHC) in Massachusetts discovered an employee’s email account was accessed by an unauthorized individual following a response to a phishing email. The phishing attack was discovered on November 25, 2020 and the email account was immediately secured. Assisted by a digital forensics company, LCHC determined that a maximum of 4 email accounts may have been compromised in the attack.

A review of the potentially breached accounts revealed they contained patient names in combination with one or more of the following data elements: Date of birth, mailing address, phone number, insurance information, medical record number, diagnoses, and other clinical information. A subset of patients also had their Social Security number exposed.

The investigation, which is ongoing, has not uncovered any evidence to suggest patient data was stolen or misused but as a precautionary measure, individuals whose Social Security number was potentially compromised have been offered complimentary credit monitoring and identity theft protection services.

Additional safeguards and security measures are being implemented to prevent further email security breaches, information protocols are being revised, and employee security awareness training has been reinforced.

1,440 Individuals Affected by Montgomery Hospice Phishing Attack

Montgomery Hospice, Inc. in Rockville, MD has learned that an unauthorized individual gained access to the email account of an employee on August 20, 2020. The breach was detected on November 16, 2020 and the email account was immediately secured.

A third-party cybersecurity firm was engaged to assist with the investigation, but it was not possible to determine which, if any, of the emails in the account were viewed or copied. A review of the email account confirmed the protected health information of 1,440 patients had been exposed, including names, medical record numbers, dates of birth, Social Security numbers, health insurance information, and limited medical information.

Affected individuals started to be notified about the breach on January 15, 2021. Only a limited number of patients had their Social Security numbers exposed and those individuals have been offered complimentary credit monitoring and identity protection services.

The hospice has since taken steps to improve email security and enhance its security infrastructure. Further training has also been provided to the workforce on how to identify and avoid phishing emails.

Auris Health Notifies Patient About March 2020 Email Account Breach

Redwood City, CA-based Auris Health has started notifying certain patients that some of their protected health information has potentially been accessed by an unauthorized individual who gained access to the email account of an employee in March 2020.

Upon discovery of the breach, access to the account was terminated and an investigation was conducted to determine the nature and scope of the breach. The investigation into the attack is ongoing, but Auris Health has determined that the compromised email account included patient names in combination with one or more of the following data elements: Social Security Number, tax identification number, passport number, health insurance number, health information, payment card information, and financial account number(s).

Auris Health is implementing additional security measures to prevent further breaches in the future, including enhancing its email authentication measures. Affected individuals have been offered a 2-year complimentary membership to credit and identity theft monitoring services.


Montefiore Medical Center and Bethesda Hospital Fire Employees for HIPAA Breaches

Baptist Health’s Bethesda Hospital in Boynton Beach, FL has fired an employee for impermissibly accessing a patient’s protected health information and altering a home health order which was used to provide a patient with home care services.

The HIPAA breach was identified on December 1, 2020, prompting an internal investigation. The employee has now been terminated and the incident reported to law enforcement.

The investigation revealed other patient records may also have been accessed by the former employee between June 1, 2019 and December 2, 2020. The types of information potentially viewed included names, dates of birth, addresses, health insurance information, Social Security numbers, and clinical documentation.

All affected individuals have been notified and offered complimentary identity theft protection and credit monitoring services and Baptist Health is exploring ways to further safeguard patients’ protected health information and prevent similar breaches in the future.

The incident has yet to be listed on the HHS’ Office for Civil Rights’ website so it is currently unclear how many patients have been affected.

Montefiore Medical Center Fires Employee for Unauthorized Medical Record Access

Montefiore Medical Center in New York has discovered an employee accessed the protected health information of patients without authorization over a period of 5 months in 2020. Upon discovery of the unauthorized access, Montefiore immediately deactivated the employee’s access to the electronic medical record system and an investigation was launched to determine the extent of the HIPAA violations.

After a thorough investigation, the employee was terminated and the matter was reported to law enforcement for possible criminal prosecution. The types of information viewed by the former employee varied from patient to patient and may have included first and last names, addresses, dates of birth, medical record numbers, clinical information such as test results, diagnoses, and visit histories and the last four digits of Social Security numbers.

No reason was provided as to why the information was accessed, but no evidence was found to indicate patient information has been used for identity theft or fraud. All affected patients have now been notified and offered complimentary identity theft protection services.

This is the second incident involving improper medical record access to be announced by Montefiore Medical Center in the past 5 months. In September 2020, the medical center announced a former employee had stolen the PHI of approximately 4,000 patients between January 2018 and July 2020.


Failure to Patch Results in 7-Year Breach of Florida Medicaid Applicants’ PHI

The Tallahassee, FL-based Medicaid health plan, Florida Healthy Kids Corporation, has discovered that its web hosting provider failed to patch vulnerabilities for the past 7 years, and that cybercriminals exploited those vulnerabilities to gain access to its website and the protected health information of applicants for benefits.

Florida Healthy Kids used Jelly Bean Communications Design, LLC to host its website. The website included an online application that recorded information about individuals when they applied for Florida KidCare benefits or renewed their health or dental coverage online.

On December 9, 2020, Jelly Bean Communications notified Florida Healthy Kids that unauthorized individuals had gained access to the website and tampered with the addresses of several thousand applicants. Florida Healthy Kids engaged cybersecurity experts to conduct an investigation to determine the scope and severity of the breach.

Florida Healthy Kids temporarily shut down the website while the breach was investigated to prevent any further unauthorized access. The review of the hosted website platform and databases that supported the Florida KidCare application revealed several vulnerabilities were present from November 2013 to December 2020, and that the vulnerabilities had been exploited to gain access to the website.

While evidence was found showing applicant addresses had been tampered with, it is also possible that the attackers exfiltrated patient data, although evidence of data theft was not found.

The types of information exposed to the hackers included full names, birth dates, email addresses, telephone numbers, physical and mailing addresses, Social Security numbers, financial information, family relationships of individuals included in the application, and secondary insurance information.

The Florida KidCare online application remains offline while a new web hosting vendor is found. Affected individuals started to be notified on January 27, 2020 and have been advised to take steps to protect their identities, including setting up fraud alerts and security freezes. It is currently unclear exactly how many individuals have been affected.


Almost 190,000 Patients Affected by Roper St. Francis Healthcare Phishing Attack

Roper St. Francis Healthcare has notified 189,761 patients that some of their protected health information was contained in employee email accounts that were accessed by an unauthorized individual. The email security breach was detected in late October 2020, and the subsequent investigation revealed three email accounts were compromised between October 14 and October 29, 2020.

A review of the email accounts was conducted to determine the information that was potentially accessed. It was not possible to tell if patient information was viewed or exfiltrated, although the attacker would have been able to access names, medical record numbers, patient account numbers, dates of birth, and limited treatment and clinical information, such as dates of service, locations of service, providers’ names, and billing information. The email accounts also contained the health insurance information and Social Security numbers of a limited number of patients.

Roper St. Francis Healthcare has offered complimentary credit monitoring and identity theft protection services to individuals whose Social Security number was potentially compromised. Steps have been taken to improve email security and employees have been provided with further training on email protection.

Einstein Healthcare Network Sends Additional Notifications About August 2020 Email Security Incident

Einstein Healthcare Network is notifying patients about a phishing attack that was discovered in the summer of 2020. The Pennsylvania-based healthcare provider, which operates medical centers in Philadelphia, Elkins Park, and East Norriton, identified unusual email account activity on August 10, 2020. The incident was investigated and it was determined that multiple employee email accounts had been accessed by an unauthorized individual between August 5, 2020 and August 17, 2020.

A review of the compromised email accounts was conducted to determine whether they contained any patient information. The review revealed emails and attachments contained the following types of patient data: Names, dates of birth, medical record numbers, patient account numbers, diagnoses, medications, provider names, types of treatment, and treatment locations. The types of information in the accounts varied from patient to patient, and for some patients also included Social Security numbers and health insurance information.

It was not possible to determine whether the unauthorized individual viewed or exfiltrated patient data while access to the email accounts was possible. Einstein Healthcare Network sent out a batch of breach notification letters to individuals potentially affected by the incident starting on October 9, 2020. The breach was reported to the HHS’ Office for Civil Rights the same day. The OCR breach portal lists the incident as affecting 1,821 patients.

According to Einstein Healthcare Network’s substitute breach notice, “We continued our investigation, which concluded on November 16, 2020, and additional letters are mailing between January 21, 2021 and February 8, 2021.”

Email Incident Report by New York Center for Alternative Sentencing and Employment Services

The Center for Alternative Sentencing and Employment Services (CASES) in New York has discovered the email accounts of certain employees have been compromised. Hackers had access to the email accounts between July 6 and October 4, 2020.

An investigation of the breach revealed the hackers exfiltrated emails from the accounts that included patient data. For most patients, the stolen information was limited to name, date of birth, medical record/client ID number, and some clinical information related to the care provided by CASES. Some clients also had their Social Security number, driver’s license number, and/or health insurance information stolen. Those individuals have been offered complimentary credit monitoring and identity theft protection services.

Steps have since been taken to improve email security and the workforce has received further security awareness training.


Rady Children’s Hospital Facing Class Action Lawsuit over Blackbaud Ransomware Attack

In May 2020, the cloud software company Blackbaud suffered a ransomware attack. As is common in human operated ransomware attacks, data was exfiltrated prior to file encryption. Some of the stolen data included the fundraising databases of its healthcare clients.

One of the affected healthcare providers was Rady Children’s Hospital-San Diego, the largest children’s hospital in California in terms of admissions. A class action lawsuit has been proposed that alleges Rady was negligent for failing to protect the sensitive information of 19,788 individuals which was obtained by the hackers through Blackbaud’s donor management software solution.

The lawsuit alleges Rady failed to implement adequate security measures and failed to ensure Blackbaud had adequate security measures in place to protect ePHI and ensure it remained private and confidential. The lawsuit alleges individuals affected by the breach now face “imminent, immediate, substantial and continuing increased risk” of identity theft and fraud as a result of the breach and Rady’s negligence.

Blackbaud discovered the ransomware attack in May 2020. The company’s investigation revealed the hackers had access to the fundraising databases of its healthcare clients between February 7 and June 4, 2020. Blackbaud said the hackers were expelled from the network as soon as the breach was discovered, but it discovered that a subset of client data had been obtained by the attackers.

Blackbaud took the decision to pay the ransom to ensure the stolen data was deleted. Assurances were received from the attackers that the data had been permanently destroyed. In its breach notification letters, Rady explained that the types of information potentially obtained by the hackers included patients’ names, addresses, dates of birth, physicians’ names, and the department where medical services were provided.

The lawsuit alleges Rady cannot reasonably maintain that the hackers destroyed the plaintiffs’ personal information. According to the complaint, “On information and belief, Blackbaud has not provided verification or further details regarding the disposition of the data to confirm that the stolen data has been destroyed.” The lawsuit also alleges neither Rady nor Blackbaud are aware how the hackers exfiltrated data, and whether it was transmitted in a secure manner and could not have been intercepted by other individuals.

According to the lawsuit, Rady had the necessary resources to protect patient data but neglected to implement appropriate security. The plaintiffs seek compensation, long-term protection against identity theft and fraud, and a court order to enforce changes to Rady’s security policies to ensure breaches such as this, and several others cited in the complaint, do not happen again.

Blackbaud is also facing multiple class action lawsuits over the breach. At least 23 putative class action lawsuits have been filed against Blackbaud, according to its 2020 Q3 Quarterly Filing with the U.S. Securities and Exchange Commission. The lawsuits have been filed in 17 federal courts, 4 state courts, and 2 Canadian courts. Each alleges victims of the breach have suffered harm as a result of the theft of their personal data.

Blackbaud also said more than 160 claims have been received from its customers and their attorneys in the U.S., U.K., and Canada. Blackbaud is also being investigated by government agencies and regulators, including 43 state Attorneys General and the District of Columbia, the Department of Health and Human Services, the Federal Trade Commission, the Office of the Privacy Commissioner of Canada, and the U.K. GDPR data protection authority, the Information Commissioner’s Office.
