Washington-based NorthWest Congenital Heart Care is alerting 1,166 patients that some of their protected health information has been acquired by an unauthorized individual. On May 7, 2021, an unauthorized third party entered the office of a single NWCHC physician and stole an external hard drive that was used for data backups. The theft was reported to law enforcement, but the hard drive has not been recovered.

A review of the data backups revealed they contained patient information such as names, dates of birth, ages, medical and treatment information, dates of service, location of service, physician names, services requested, procedures performed, diagnosis codes, diagnosis and treatment descriptions, medical record numbers and, for one individual, health insurance information.

To reduce the risk of future data breaches, NorthWest Congenital Heart Care will be eliminating the use of external hard drives for data backups.

Superior HealthPlan Members Affected by Accellion Data Breach

2,781 members of Superior HealthPlan in Texas have been notified that some of their protected health information was compromised in the cyberattack on Accellion. The attack affected the Accellion file transfer appliance, which was used for sending files too large to be sent via email.

The attackers had access to the platform between January 7 and January 20, 2021. On April 2, 2021, Superior HealthPlan discovered the attackers were able to access and download files containing names, addresses, dates of birth, insurance ID numbers, and health information such as medical condition and treatment information.

All affected individuals have been offered complimentary credit monitoring and identity theft protection services for 12 months. Accellion’s services are no longer being used, all data has been removed from Accellion’s systems, and file transfer processes and tools have been reviewed and are being updated to prevent similar breaches in the future.

The post NorthWest Congenital Heart Care Reports Theft of Device Containing PHI of 1,166 Patients appeared first on HIPAA Journal.

Arizona Asthma and Allergy Institute has issued breach notification letters to 70,372 patients who received services between October 1, 2015 and June 15, 2020.

According to the breach notice, a range of their personal and protected health information including names, patient ID numbers, provider names, health insurance information, and treatment cost information was exposed online under the name of a different organization for a brief period in September 2020.

After being alerted about the exposed data, a third-party forensics company was engaged to investigate the breach. The investigation concluded on March 8, 2021 and confirmed that protected health information had been exposed.

According to databreaches.net, which contacted Arizona Asthma and Allergy Institute to alert them about the breach, this was a ransomware attack by the Maze ransomware operation. Sensitive data obtained in the breach had been posted to the Maze Group’s data leak site for a short period in September under the name Medical Management Inc.

Stillwater Medical Center Investigation Security Breach

Stillwater Medical Center in Oklahoma has launched an investigation into a security breach affecting certain information systems. In a June 14, 2021, Facebook post, Stillwater Medical Center explained that a breach occurred on June 13, 2021 and systems were immediately shut down while the incident was investigated. A third-party computer forensics firm is assisting with the investigation and systems will be brought back online as soon as possible.

The investigation is still in the early stages but, so far, no evidence has been found to indicate any patient data has been compromised. Further information about the incident will be released as and when it becomes available.

Nebraska Department of Health and Human Services Alerts Individuals About Privacy Breach

The Nebraska Department of Health and Human Services has identified a software error that resulted in individuals’ phone numbers and partial Social Security numbers being sent to a third party in April 2021.

The HHS discovered the privacy incident on April 9, 2021 and has now issued notification letters to approximately 500 individuals. According to the HHS, the nature of data and the individual to whom it was sent – an individual in the State of Nebraska – makes the risk of identity theft or fraud low.

Temporary measures have been taken to fix the software error while the HHS works on a more permanent solution.

The post Arizona Asthma and Allergy Institute Notifies 70,372 Patients About Data Breach appeared first on HIPAA Journal.

A benefits administrator for home healthcare and nursing home workers, Service Employees International Union 775 (SEIU 775) Benefits Group, has experienced a cyberattack that resulted in the deletion of sensitive data.

IT staff detected anomalies within SEIU 775’s data systems on or around April 4, 2021, which included the deletion of certain data. An investigation was launched into the malicious activity, led by third-party cybersecurity experts and forensic consultants.

The investigation confirmed that its systems had been hacked and the data of unknown individuals had been deleted, including personally identifiable and protected health information. While information was deleted, no evidence was found to indicate any PII or PHI was viewed or acquired by the attackers and there have been no reported cases of misuse of data.

Data potentially compromised included names, addresses, and demographic data along with Social Security numbers and potentially health plan eligibility information. Upon discovery of the malicious activity, steps were immediately taken to prevent further unauthorized access and to contain the breach. Third -party cybersecurity experts have been assessing system security and SEIU 775 is working closely with its consultants to further strengthen its cybersecurity defenses.

The breach has been reported to the HHS’ Office for Civil Rights as affecting up to 140,000 individuals. Victims of the breach have been offered complimentary credit monitoring and identity theft protection/restoration services through Kroll for 12 months.

This is not the only breach to be reported in recent weeks by a benefits administrator. In May, the Florida vision and hearing benefits administrator 20/20 Hearing Care Network experienced a data deletion incident. In that incident, the breach affected up to 3.3 million individuals. The attacker gained access to and deleting data stored in an unprotected Amazon Web Services cloud storage bucket, with the data downloaded from the S3 bucket prior to deletion.

The post SEIU 775 Benefits Group Data Breach Impacts 140,000 Individuals appeared first on HIPAA Journal.

Ohio-based Five Rivers Health Centers has notified 155,748 patients that some of their protected health information was stored in email accounts that have been accessed by an unauthorized individual following a phishing attack.

It is unclear when the breach was discovered, but Five Rivers Health Centers reports that following an extensive forensic investigation into the cyberattack and a manual document review, it discovered on March 31, 2021, that the breached email accounts contained patients’ personal and health information.

The forensic investigation confirmed that the email accounts had been breached between April 1, 2020, and June 2, 2020. Notification letters were sent to affected patients on May 28, 2021 – More than a year after the first email accounts were breached.

The types of protected health information in emails and attachments varied from patient to patient and may have included one or more of the following data elements:  Name, address, date of birth, medical record number, patient account number, diagnoses, treatment and/or clinical information, test results, lab test reports, provider name, dates of service, treatment cost information, prescription information, health insurance information, and Medicaid or Medicare numbers.

A limited number of individuals also had their financial account number, payment card numbers, driver’s license number, state identification number, and/or Social Security number exposed. A 12-month complimentary membership to a credit monitoring service has been offered to individuals whose Social Security number was exposed.

Following the attack, policies and procedures have been reviewed and updated, 2-factor authentication has been implemented, and employees have been provided with further cybersecurity training.

Cancer Centers of Southwest Oklahoma Breach Affects 8,000 Patients

Cancer Centers of Southwest Oklahoma (CCSO) has discovered the protected health information of 8,000 patients was potentially compromised in a cyberattack on one of its business associates. CCSO used a 1^st generation cloud-based storage system provided by Elekta Inc., which was breached earlier this year.

Elekta hired third-party cybersecurity experts to investigate the security breach and confirmed on April 28, 2021, that the breached systems included the protected health information of CCSO patients. While it was not possible to determine what information was accessed or exfiltrated by the attackers, Elekta concluded that all information in the system had been exposed and must be considered compromised. The cloud-based storage system remains offline while the forensic investigation continues.

CCSO said in its substitute breach notification letter that the following types of information were stored in the system and may have been accessed or stolen: Name, Social Security number, address, date of birth, height, weight, medical diagnosis, medical treatment details and appointment confirmations.

Elekta is offering complimentary access to identity monitoring, fraud consultation, and identity theft restoration services to affected individuals.

The post Five Rivers Health Centers Phishing Attack Affects Almost 156,000 Patients appeared first on HIPAA Journal.

Lafourche Medical Group, a Louisiana-based urgent care center operator, has notified 34,862 patients about a security breach that potentially involved some of their protected health information.

On March 30, 2021, Lafourche Medical Group learned that an external accountant had responded to a phishing email that spoofed one of the owners of Lafourche Medical Group and disclosed login credentials to the attacker. The compromised credentials were used to gain access to the group’s Microsoft 365 environment.

A third-party IT company was engaged to assist with the investigation, but found no evidence to suggest its on-premise systems or cloud-based electronic medical record system were compromised; however, the credentials could have been used to view or download data from its Microsoft 365 environment, which contained some patient information. “Due to the size of the email system, we are unable to identify all potential patient information that may have been contained in the system,” explained Lafourche Medical Group in its substitute breach notice.

Clinical information was not compromised; however, emails were used to communicate certain patient information for billing and other clinic purposes. The types of information often sent via email includes names, addresses, dates of birth, dates of service, e-mail addresses, telephone numbers, medical record numbers, insurance and health plan beneficiary numbers, guarantor names, diagnoses, treating practitioner names, and lab test results.

A more robust vetting process has been implemented for business associates and a third-party IT consultancy was engaged to reassess its computer system and security measures and to recommend best practices for improving information security.  Several measures have now been implemented to improve security, including strengthening the firewall and spam and malware filters, implementing stricter password policies, adding multi-factor authentication for mobile access, and retraining the staff on cybersecurity, social engineering, and phishing.

The post Third-Party Phishing Attack Affects Up to 34,862 Lafourche Medical Group Patients appeared first on HIPAA Journal.

The risk and compliance firm LogicGate has identified a security incident in which the protected health information of 47,035 individuals has potentially been compromised.

LogicGate explained in breach notification letters that an unauthorized individual gained access to credentials for its Amazon Web Services cloud storage servers which are used to store backup files of customers that use its Risk Cloud platform.

The Risk Cloud Platform is used by companies to identify and manage compliance risks and meet data protection and security standards. All backup files stored in AWS S3 buckets are encrypted, but the attacker was able to use the credentials to decrypt data. The backup files contained customer data that had been uploaded to their Risk Cloud environment prior to February 23, 2021. LogicGate said it did not identify any decrypt events associated with customers’ stored attachments.

It is currently unclear whether any customer data was exfiltrated by the attacker and no details have been released about how the credentials were obtained.

Hoboken Radiology Alerts Patients to Potential Breach of Medical Images and PHI

Hoboken Radiology has started notifying patients about a security breach that occurred between June 2, 2019 and December 1, 2020. In a recent press release, Hoboken Radiology said it received a notification on November 3, 2020 about suspicious activity on its medical imaging server.

Third-party cybersecurity specialists were engaged to investigate the incident and determine if any patient data had been accessed by unauthorized individuals. The investigation is still ongoing, but it was confirmed that there were suspicious connections from an external source between the above dates. The affected server contained patient data which could have potentially been viewed or obtained by unauthorized individuals.

A review of files on the server found they contained a range of patient data including names, genders, dates of birth, treatment dates, referring physician names, patient ID numbers, accession numbers, medical images, and a description of those images. Social Security numbers, payment card details, financial information, and medical insurance information were not compromised.

While unauthorized access to the server was confirmed, no evidence was found to indicate any actual or attempted misuse of patient data. Policies, procedures, and processes related to storage of and access to personal information are being reviewed and will be updated to better protect patient data in the future.

The breach has been reported to appropriate authorities but it has yet to appear on the HHS’ Office for Civil rights website, so it is unclear exactly how many individuals have been affected.

Glacier Medical Associates Alerting Patients About April 2021 Data Breach

Glacier Medical Associates in Whitefish, MT has announced it suffered a security breach on April 7 in which patient data was potentially accessed. Third-party digital forensics experts were engaged to investigate the breach and determine the nature and scope of the incident. The investigation concluded on May 10. No evidence of data theft was found and there have been no reported cases of misuse of patient data. No information has been released about the nature of the breach.

Practice Administrator Kelli Meuchel was advised by the practice’s legal counsel not to disclose the number of individuals affected and the incident has yet to appear on the HHS’ Office for Civil Rights breach portal. Meuchel said all affected individuals will be notified by mail and will be advised about the types of information that were compromised.

The post Risk and Compliance Firm Reports Breach of 47,035 Records appeared first on HIPAA Journal.

Sturdy Memorial Hospital in Attleboro, MA is notifying 57,379 patients about a computer security incident that occurred on February 9, 2021 in which patient data was stolen. According to the hospital’s breach notice, an unauthorized individual gained access to its systems but the hospital secured those systems later that day.

The individual demanded a ransom payment to prevent the exposure/sale of data stolen in the attack. The hospital took the decision to pay the ransom and received assurances all stolen data would be permanently destroyed and would not be further disclosed. It is unclear whether this was simply a data theft incident or whether ransomware had been used in the attack.

Third party computer forensics experts were engaged to investigate the breach, and a review was conducted to determine what patient data was compromised. The review was completed on April 21, 2021 and all affected individuals started to be notified on May 28, 2021.

Sturdy Memorial Hospital said that in addition to its own patients, some patient data from other healthcare provider partners – Harbor Medical Associates, South Shore Medical Center, and providers affiliated with South Shore Physician Hospital Organization – was also compromised.

The types of patient information compromised varied from patient to patient and may have included one or more of the following data elements: Name, address, phone number, date of birth, Social Security number, driver’s license number, other government ID number, financial account number, routing number, bank name, credit card number and security code, Medicare Health Insurance Claim numbers, medical history information, treatment or diagnosis information, procedure or diagnosis codes, prescription information, provider name, medical record number, Medicare/Medicaid number, health insurance information, and treatment cost information. Sturdy Memorial Hospital said its electronic health record system was not affected.

Complimentary credit monitoring and identity protection services are being offered to individuals whose Social Security number or driver’s license number was compromised in the attack. Additional safeguards and technical security measures have now been implemented at Sturdy Memorial Hospital to better protect and monitor its IT systems.

UF Health Ransomware Attack Affects The Villages and Leesburg Hospitals

University of Florida Health (UF Health) has been forced to adopt downtime procedures following a ransomware attack on May 31, 2021. Staff switched to pen and paper to record patient information with access to computer systems and email not possible due to the attack.

The attack affected UF Health The Villages Hospital and UF Health Leesburg, and was identified by UF Health Central Florida on the evening of May 31 when unusual activity was detected on its computer servers. The attack does not appear to have affected the Gainesville and Jacksonville campuses.

The attack is being investigated and efforts are underway to ensure systems and data are secured. Medical services at all UF Health locations continue to be provided and patient safety has not been affected. It is currently unclear whether the attackers stole patient data prior to the use of ransomware to encrypt files.

The post Ransomware Attacks Affect Sturdy Memorial Hospital and UF Health appeared first on HIPAA Journal.