HIPAA Breach News

147,000 Patients Affected by Scripps Health Ransomware Attack

Scripps Health, the second largest healthcare provider in San Diego, has started sending breach notification letters to 147,267 patients to inform them that some of their personal and health information was stolen in a May 1, 2021 ransomware attack.

The attack forced Scripps Health to adopt its EHR downtime procedures with its systems offline. Staff at its medical offices and hospitals were forced to work with paper charts while systems were restored and data was recovered. That process has taken almost a month, during which time access to important patient information such as test results was prevented. Scripps Health only regained the ability to create new records last week when the MyScripps patient portal was brought back online.

The attack affected many of the healthcare provider’s care sites and caused disruption to operations at two of its four hospitals. Scripps Health took the decision to divert some critical patients to other facilities, with all four of its main hospitals placed on emergency care diversion for stroke, heart attack, and trauma patients. Some non-urgent appointments also had to be delayed in the days following the attack.

Scripps Health said its main Epic medical record system was not compromised, but prior to the deployment of ransomware the attackers acquired documents that contained patient data such as names, addresses, dates of birth, health insurance information, medical record numbers, patient account numbers, and some clinical information such as physicians’ names, dates of service, and treatment information. The Social Security numbers and/or driver’s license numbers of around 3,700 individuals were obtained by the hackers. Complimentary credit monitoring and identity protection support services are being offered to those individuals.

Scripps Health has commenced a manual review of the documents compromised in the attack and explained that it is a time-intensive process that will likely take several months. “We do not yet know the content of the remainder of documents we believe are involved,” said Scripps Health in a statement about the attack, adding that notification letters are being sent to affected individuals as quickly as possible.

“It is unfortunate that many health care organizations are confronting the impacts of an evolving cyber threat landscape,” said Scripps Health. “For our part, Scripps is continuing to implement enhancements to our information security, systems, and monitoring capabilities. We also continue to work closely with federal law enforcement to assist their ongoing investigation.”

The post 147,000 Patients Affected by Scripps Health Ransomware Attack appeared first on HIPAA Journal.

Diabetes, Endocrinology & Lipidology Center Pays $5,000 to Resolve HIPAA Right of Access Case

The HHS’ Office for Civil Rights (OCR) has announced that a settlement has been reached with The Diabetes, Endocrinology & Lipidology Center, Inc. (DELC) that resolves a potential HIPAA Right of Access violation. This is the eighth financial penalty to be announced in 2021 to resolve violations of the HIPAA Rules, and the 19th settlement under OCR’s HIPAA Right of Access enforcement initiative, which was launched in the fall of 2019.

DELC is a West Virginia-based healthcare provider specializing in treating endocrine disorders. In August 2019, OCR received a complaint that alleged DELC had failed to respond to a request for a copy of protected health information in a timely manner. The HIPAA Privacy Rule requires a copy of an individual’s protected health information contained in a designated record set to be provided within 30 days of a request being received.

In this case, the complainant wanted a copy of her minor child’s protected health information and DELC had failed to provide those records within the allowed 30 days. OCR notified DELC on October 30, 2019 about the investigation into potential noncompliance with the HIPAA Right of Access (45 C.F.R. § 164.524) over the alleged refusal to provide the patient’s mother with the records she requested.

OCR determined the failure to provide the requested records was in violation of the HIPAA Right of Access. As a result of OCR’s investigation, DELC finally provided the child’s mother with a copy of the requested records in May 2021, almost two years after the initial request had been made.

In addition to the financial penalty of $5,000, DELC has agreed to a corrective action plan that includes reviewing and updating policies and procedures for providing individuals with access to PHI and privacy training for the workforce on individual access to PHI. DELC will be monitored by OCR for 2 years to ensure compliance with the Right of Access provisions of the HIPAA Privacy Rule.

“It should not take a federal investigation before a HIPAA covered entity provides a parent with access to their child’s medical records,” said Acting OCR Director Robinsue Frohboese. “Covered entities owe it to their patients to provide timely access to medical records.”

More than 3.2 Million Individuals Affected by 20/20 Hearing Care Network Data Breach

The 20/20 Hearing Care Network has started notifying millions of current and former members that some of their protected health information (PHI) has potentially been compromised and/or deleted.

On January 11, 2021, suspicious activity was detected in the company’s AWS cloud storage environment. Steps were immediately taken to prevent further unauthorized access and an investigation was launched to determine the nature and scope of the security breach. Third-party forensics experts assisted with the investigation and confirmed that S3 buckets hosted in AWS had been accessed, data in those buckets had been downloaded, and then all data in the S3 buckets had been deleted.

The forensic investigation confirmed in late February that some of the data downloaded and deleted from the storage environment included PHI for some or all health plan members for whom records were held. While data theft was confirmed, it was not possible to tell exactly which information had been accessed or removed from the S3 buckets. The types of data potentially obtained in the attack included names, Social Security numbers, dates of birth, member ID numbers, and health insurance information.

Starting on or around May 28, 2021, notification letters were sent to all individuals potentially affected. As a precaution against misuse of member information, certain affected individuals have been offered complimentary credit monitoring and identity theft protection services.

20/20 said in its breach notice that while data theft was confirmed, it does not believe there has been any misuse of member data. The report filed with the Maine Attorney General classes this incident as ‘insider wrongdoing’.

Following the breach, 20/20 conducted a robust review of policies and procedures and has taken steps to improve security to prevent similar breaches in the future.

The breach has been reported to the Maine Attorney General as affecting up to 3,253,822 individuals, making this one of the largest healthcare data breaches to be discovered this year.

Ransomware Attacks Affect Community Access Unlimited and CareSouth Carolina Patients

Hartsville, SC-based CareSouth Carolina has notified 76,035 patients that some of their protected health information has potentially been compromised in a ransomware attack on its IT vendor, Netgain Technologies.

CareSouth Carolina was informed by Netgain on January 14, 2021 that the company had experienced a ransomware attack in December 2020, and the attackers had access to servers containing patient data from late November, some of which was exfiltrated prior to the use of ransomware.

On April 13, 2021, Netgain provided CareSouth Carolina with a copy of the data that was potentially compromised. CareSouth Carolina conducted a review of the data and on April 27, 2021 confirmed the dataset included patient names, dates of birth, addresses, diagnoses/conditions, lab results, medications, and other clinical information. For a small number of patients, Social Security numbers were involved.

The attackers issued a ransom demand to Netgain and threatened to sell the stolen data if payment was not made. Netgain took the decision to pay the ransom and received assurances that the stolen data had been deleted and had not been further disclosed.

Netgain and CareSouth have since implemented additional security measures to prevent any repeat attacks, and CareSouth is offering affected patients complimentary identity theft protection services.

Community Access Unlimited Ransomware Attack Impacts 13,813 Individuals

Elizabeth, NJ-based Community Access Unlimited has started notifying 13,813 individuals that their protected health information was stored on systems that were accessed by unauthorized individuals.

Community Access Unlimited identified suspicious activity within its internal systems on November 10, 2020. The systems were immediately taken offline, and third-party forensics specialists were engaged to determine the nature and scope of the breach.

The investigation revealed its systems were accessed by unauthorized individuals between June 29, 2020 and November 12, 2020, but it was not possible to determine whether any patient data was accessed or exfiltrated by the attackers.

A review of the compromised systems revealed the following data could potentially have been accessed or obtained: names, dates of birth, driver’s license numbers, state identification card numbers, non-resident identification numbers, health information, health insurance beneficiary numbers, and usernames and passwords.

Policies and procedures have since been reviewed and enhanced to reduce the potential for a further attack. Affected individuals have now been notified and complimentary credit monitoring and identity restoration services have been offered to potentially impacted individuals.

4 More Healthcare Organizations Announce Patients Affected by Recent Ransomware Attacks

In the wake of the ransomware attack on Colonial Pipeline, some ransomware gangs such as REvil and Avaddon claimed that they have implemented new rules that require their affiliates to obtain authorization prior to attacking a target, and that attacks on healthcare organizations had been banned. However, many ransomware-as-a-service operations have not implemented such restrictions and healthcare providers are still being targeted. Recently, four more healthcare organizations have been confirmed as falling victim to attacks.

San Diego Family Care

San Diego Family Care (SDFC) in California has confirmed it was affected by a ransomware attack in December 2020. SDFC and its business associate Health Center Partners of Southern California (HCP) were impacted by a ransomware attack on their information technology hosting provider, Netgain Technologies. Netgain Technologies reportedly paid a $2.3 million ransom to obtain the keys to unlock the encrypted files and notified SDFC and HCP on January 20, 2021 that the protected health information of their patients had been compromised.

SDFC and HCP were provided with a copy of the affected data and conducted a review to determine which individuals had been affected and the types of data involved. The review was completed on April 11, 2021 and 125,500 patients are now known to have been affected.

SDFC explained in its substitute breach notice that the following types of data were compromised: names, Social Security numbers, government identification numbers, financial account numbers, dates of birth, medical diagnosis or treatment information, health insurance information, and/or client identification numbers. Affected individuals were notified by mail on May 7, 2021.

SAC Health Systems

San Bernardino, CA-based SAC Health Systems was also a victim of the ransomware attack on its now former IT service provider, Netgain Technologies. SAC Health Systems was notified by Netgain Technologies on January 15, 2021 that the ransomware gang had access to servers containing patient data between November 15, 2020 and November 22, 2020.

SAC Health Systems confirmed on April 20, 2021 that 28,128 individuals had been affected. The types of data compromised included names, addresses, dates of birth, Social Security numbers, driver’s license numbers, state identification numbers, tax identification numbers, financial account information, medical histories, electronic signatures, health insurance information, medical record numbers, doctor names, prescription information, and reason for absence. All affected individuals are now being notified.

Harper County Community Hospital

Harper County Community Hospital in Oklahoma has announced it suffered a ransomware attack on March 24, 2021 in which the protected health information of 5,725 patients was potentially compromised.

The hospital said patient medical records were not affected, but workstations and common drives were compromised, and they contained files that included first and last names, dates of birth, home addresses, patient account numbers, diagnoses, Social Security numbers, and health insurance information.

Harper County Community Hospital took immediate corrective actions and has implemented extensive IT security protocols, back-up processes, and updated its HIPAA policies and procedures. All affected individuals are now being notified about the attack.

Prestige Medical Group

Georgia-based Internal Medicine Associates of Jasper, PC, dba Prestige Medical Group, has been affected by a ransomware attack that has been reported to the HHS’ Office for Civil Rights as affecting 34,203 patients.

The attack was conducted by the Avaddon ransomware gang, one of the gangs that has since claimed it is stopping attacks by its affiliates on the healthcare sector. The attackers claimed they had exfiltrated patient and employee data prior to file encryption and leaked a sample of the data stolen in the attack on their leak site, stating that the medical practice was not interested in cooperating. The attackers claimed, “We have data on the diseases of your clients, confidential cards of your clients, various information on your clients, a lot of opinions and reports from doctors, agreements and contracts, financial information, information about employees, personal data of employees.”

ZocDoc Says Programming Error Resulted in Exposure of Patient Data

ZocDoc, a New York-based provider of a platform that allows prospective patients to book appointments with doctors and dentists, has discovered a bug in its software that allowed patient data to be accessed by medical and dental practices when access should have been restricted.

The investigation revealed that programming errors meant that, from August 2020 until the errors were discovered and corrected, certain past and current practice staff members had access to the provider portal when their accounts should have been decommissioned, deleted, or limited. In all cases, the individuals who could have accessed patient data improperly were healthcare providers and are therefore bound to maintain the privacy and security of patient data. ZocDoc said there is no evidence to suggest there have been any further disclosures of patient data.

Patient data potentially accessed included names, email addresses, phone numbers, appointment histories with the practice, insurance information, Social Security numbers, and medical information provided by individuals in connection with appointments booked through the service.

ZocDoc said it performed a review of its software and code and the programming errors have been corrected. Security practices have now been strengthened, regular security audits will continue to be conducted, and steps have been taken to enhance those audits.

ZocDoc said approximately 7,600 individuals across the United States have been affected. As a precaution against identity theft and fraud, affected individuals have been offered a complimentary 12-month membership to the Experian IdentityWorks identity theft protection service.

Email Account Breaches Reported by Cincinnati Parenting Center

Beech Acres Parenting Center in Cincinnati has discovered email accounts containing client data have been accessed by an unauthorized individual. A digital forensics firm was engaged to assist with the investigation and determine the nature and full scope of the breach. The investigation revealed email accounts were accessed by an unauthorized individual between December 29, 2020 and March 18, 2021.

A review of the emails and attachments in the compromised accounts revealed they contained sensitive client information including names, dates of birth, client account numbers, dates of service, provider names, treatment, and clinical information and, for a subset of individuals, health insurance information, Social Security numbers, and/or driver’s license numbers.

Upon discovery of the breach, all email accounts were secured. Devices and systems are being reviewed and steps will be taken to improve security. The workforce will also be re-educated on identifying and avoiding suspicious emails.

Once the review has concluded, affected individuals will be notified by mail. Individuals whose Social Security or driver’s license number was potentially compromised will be offered complimentary credit monitoring and identity protection services.

Rehoboth McKinley Christian Health Care Services Notifies Patients about February 2021 Ransomware Attack

Gallup, NM-based Rehoboth McKinley Christian Health Care Services (RMCHCS) has announced it was the victim of a ransomware attack in February 2021 in which patient data was exfiltrated.

The Conti ransomware gang struck in February and stole a range of sensitive data, including job application data, background check information, staff reports, and the protected health information of patients. A sample of the stolen files was uploaded to the Conti data leak site to pressure the healthcare provider into paying the ransom. The data is no longer listed on the leak site, but it is unclear whether the ransom was paid.

RMCHCS discovered on February 16, 2021 that patient data had been stolen by the ransomware group. RMCHCS engaged a third-party computer forensics firm to investigate the attack and determined the attackers exfiltrated data between January 21 and February 5, 2021. A review of the files potentially accessed by the hackers was completed on April 30, 2021 and notification letters were sent to the affected individuals.

RMCHCS said the data potentially accessed included names, addresses, telephone numbers, email addresses, dates of birth, dates of service, Social Security numbers, driver’s license numbers, passport numbers, tribal ID numbers, health insurance information, medical record numbers, provider names, diagnoses, treatment information, prescription information, financial account information, and billing and claims data. The types of data potentially compromised varied from individual to individual.

Free identity monitoring and restoration services have been offered to individuals affected by the breach and RMCHCS said it has hardened its systems against attacks by hackers and has increased security and monitoring.

The breach is believed to have affected 209,280 individuals.

Health Plan of San Joaquin Email Security Breach Affects 420,433 Individuals

Health Plan of San Joaquin (HPSJ), a non-profit Medi-Cal managed care provider based in French Camp, CA, has discovered an unauthorized individual has gained access to its email system and potentially accessed or obtained sensitive data.

A potential email breach was suspected on or around October 12, 2020 when anomalous activity was identified in the email system. HPSJ determined on October 23, 2020 that multiple employee email accounts had been remotely accessed by an unauthorized individual. A password reset was performed on all affected email accounts to prevent further access, and the investigation confirmed that unauthorized access to email accounts occurred between September 26, 2020 and October 12, 2020.

Following any email system breach, all emails in the compromised accounts must be checked to determine whether they contain any sensitive data. That can be a labor-intensive and time-consuming process. In this case, the process involved a programmatic and painstaking manual review, which revealed that the compromised email accounts contained the protected health information of 420,433 individuals.

The delay in issuing breach notification letters was due to the length of time it took to identify PHI in the email accounts, and the subsequent review of internal records to identify up-to-date contact information for those individuals to allow notification letters to be sent. That process has only recently been completed and breach notification letters started to be sent to affected individuals on May 18, 2021.

The types of PHI in the compromised accounts included names, addresses, and Social Security numbers. While unauthorized email account access was confirmed, no reports have been received to indicate there has been any misuse of PHI. As a precaution against identity theft and fraud, affected individuals who had their Social Security number exposed have been offered a complimentary 12-month membership to credit monitoring services through Equifax.

New England Dermatology Discovers Specimen Bottles Disposed of Incorrectly for 10 Years

New England Dermatology has started notifying 58,106 patients about the exposure of some of their protected health information. In an April 30, 2021 breach notice, New England Dermatology explained the privacy breach was due to the improper disposal of specimen bottles by its in-house pathology laboratory.

The lab should have been sending the specimen bottles for shredding or incineration, since the specimen bottles had printed labels that included patient data covered by the HIPAA Rules; however, they were discarded as regular trash. The information on the bottles included patients’ first and last names, birth dates, dates of specimen collection, the name of the provider who took the specimen, and the body part from which the specimen was taken. No other information was included on the labels. The regular trash, including the specimen bottles, was collected by a waste contractor that serviced the building and was sent to landfill.

The improper disposal dated back to February 4, 2011 and continued until the HIPAA violation was discovered on March 31, 2021. Any individual whose specimens were analyzed by its pathology lab during that time will have had the above information exposed. New England Dermatology is unaware of any cases of attempted or actual misuse of patient data.

In response to the discovery, policies and procedures were immediately changed and further training has been provided to staff members.

Alaska Department of Health and Social Services Reports Malware Attack

On May 18, 2021, the Alaska Department of Health and Social Services (DHSS) announced that its website, dhss.alaska.gov, was affected by a malware attack. The website was taken offline on May 17, 2021 to prevent harm to its servers, systems, and databases, and it will remain offline until the attack is remediated and fully investigated.

In addition to the main DHSS website, some other systems have been taken offline including its background check system, behavioral health and substance abuse management system, the Alaska vital records system, Case Management System for TANF work activities, and the system used by schools to report vaccine data for public health purposes.

The DHSS does not know how long the investigation will take nor how long the above systems will remain offline. It is unclear who launched the attack or what their motives were. Further information will be made available to the public as details about the attack are confirmed, including whether protected health information has been compromised.