HIPAA Breach News

PHI of up to 50,000 Patients of Arizona Asthma and Allergy Institute Exposed Online

Posted by HIPAA Journal

Arizona Asthma and Allergy Institute in Peoria, AZ has discovered the protected health information of up to 50,000 patients has been temporarily exposed online and could potentially have been accessed by an unauthorized individual.

The affected patient data had been exposed for a brief period in September 2020 under the name of a different organization. Upon discovery of the security incident, a third-party computer forensics firm was engaged to investigate and determine the scope of the security breach and the extent to which patient data had been affected.

The investigation confirmed on March 8, 2021 that the types of data exposed included first and last names, patient identification numbers, provider names, health insurance information, and treatment cost information. Affected patients had received medical services from the Arizona Asthma and Allergy Institute between October 1, 215 and June 15, 2020.

While the exposure of data was confirmed, no evidence was found to indicate any patient data has been misused; however, affected patients have been advised to monitor their explanation of benefits statements for any signs of fraudulent activity.

Arizona Asthma and Allergy Institute has since taken steps to enhance security to prevent any similar incidents in the future.

Package of Documents Containing PHI of 4,571 Patients of Lost in Transit

Irvine, CA-based Exceltox Laboratories has notified 4,571 individuals about the potential exposure of some of their protected health information.

Exceltox is a CLIA-certified laboratory that provides clinical and toxicology testing services, including COVID-19 tests. On February 15, 2021, Exceltox sent a package containing documents related to COVID-19 tests performed for patients via UPS to its document scanning vendor.

Exceltox believed that the package had been safely delivered, but later discovered the package had not arrived at its intended destination. Exceltox worked with UPS to try to locate the missing package but it has not yet been found. According to UPS documentation, an attempt was made to deliver the package, but the offices of the document scanning company were closed. The package was returned to the depot for redelivery, but the package was never redelivered. Efforts are continuing to try to locate the missing package.

The documents in the package included full names, addresses, phone numbers, Social Security numbers, dates of birth, genders, medical provider names, patient IDs, test types, collection dates, insurance provider names, insurance plan names, and policy numbers and/or group numbers.

The post PHI of up to 50,000 Patients of Arizona Asthma and Allergy Institute Exposed Online appeared first on HIPAA Journal.

UHS Data Breach Lawsuit Allowed to Proceed but only for Patient Whose Surgery was Cancelled

Posted by HIPAA Journal

A lawsuit filed against Universal Health Services (UHS) following a 2020 data breach has been allowed to proceed; however, only for one of the patients named on the lawsuit.

UHS operates around 400 hospitals and care centers in the United States and the United Kingdom. In September 2020, UHS suffered a ransomware attack in which sensitive data was exfiltrated. The Ryuk ransomware gang threatened to release the stolen data on a leak site if the ransom was not paid, although the UHS investigation found no evidence of any data misuse.

The attack affected all 400 UHS care sites and caused significant disruption, with IT systems finally being brought back online a month after the attack. UHS was forced to postpone some scheduled appointments as a result of the attack.

A lawsuit was filed in the U.S. District Court, Eastern District of Pennsylvania by the law firm Morgan & Morgan naming three patients as plaintiffs – Graham v. Universal Health Service Inc. The lawsuit alleged negligence, breach of implied contract, breach of fiduciary duty, and breach of confidence. Two of the plaintiffs sought damages for the exposure of sensitive data, which they claimed placed them at an increased risk of identity theft and fraud.

As is often the case in data breach lawsuits, the claims of two of the plaintiffs – Barry Graham and Angela Morgan – were deemed to be too speculative and that an increased risk of identity theft and fraud was not sufficient for standing as it did not constitute harm. The plaintiffs were unable to provide evidence to support their claim, with U.S. District Judge Gerald McHugh noting that in cases of data theft in ransomware attacks, the theft of data is “generally the means to an end: extorting payment,” and that the courts could only speculate as to whether the stolen data was in a form that would allow the attackers to make unauthorized transactions in the names of the plaintiffs and whether they would actually be intended targets in future criminal acts by the hackers.

The claim of the third plaintiff, Stephen Motkowicz, was determined to be sufficient to survive the motion to dismiss. Motkowicz had an appointment for a surgical procedure postponed as a result of the attack. Motkowicz required surgery to treat a medical condition and, as a result of the delay, was forced to take further time off work and ultimately lost his health insurance through his employer and was forced to purchase an insurance policy at a higher price.

“Plaintiff’s injury is not speculative, as his financial expenditures allegedly occurred in response to the data breach and the corresponding cancellation of his surgery,” said Judge McHugh. While his claim was sufficient to survive the motion to dismiss, Judge McHugh said the theory of causation provided a significant challenge, which would have to be evaluated through further discovery to determine if it was sufficient to have standing.

The post UHS Data Breach Lawsuit Allowed to Proceed but only for Patient Whose Surgery was Cancelled appeared first on HIPAA Journal.

April 2021 Healthcare Data Breach Report

Posted by HIPAA Journal

April was another particularly bad month for healthcare data breaches with 62 reported breaches of 500 or – the same number as March 2021. That is more than 2 reported healthcare data breaches every day, and well over the 12-month average of 51 breaches per month.

Healthcare data breaches in the past 12 months

High numbers of healthcare records continue to be exposed each month. Across the 62 breaches, 2,583,117 healthcare records were exposed or compromised; however, it is below the 12-month average of 2,867,243 breached records per month. 34.4 million healthcare records have now been breached in the past 12 months, 11.2 million of which were breached in 2021.

Healthcare records breached in the past 12 months

Largest Healthcare Data Breaches Reported in April 2021

There were 19 reported data breaches in April that involved more than 10,000 records, including 7 that involved more than 100,000 records with all but one of the top 10 data breaches due to hacking incidents.

Ransomware attacks continue to occur at high levels, with many of the reported attacks affecting business associates of HPAA-covered entities. These incidents, which include attacks on Netgain Technologies, Accellion, and CaptureRX, have affected multiple healthcare provider clients.

The majority of ransomware attacks now involve data theft prior to file encryption, with the stolen data used as leverage to get breach victims to pay. Large quantities of data are stolen in the attacks. The top three data breaches of the month all involved the use of ransomware and involved 1.3 million healthcare records.

There has been some positive news this month. In the wake of the ransomware attack on Colonial Pipeline, multiple ransomware gangs appear to have ceased operations and at least two have now taken the decision not to attack healthcare organizations. This news should naturally be taken with a large pinch of salt, as similar promises were made by certain ransomware gangs at the start of the pandemic and attacks continued at high levels.

Name of Covered Entity Covered Entity Type Business Associate Involvement Individuals Affected Type of Breach Reported Cause of Breach
Trinity Health Business Associate Yes 586,869 Hacking/IT Incident Ransomware (Accellion)
Bricker & Eckler LLP Business Associate Yes 420,532 Hacking/IT Incident Ransomware
Health Center Partners of Southern California Business Associate Yes 293,516 Hacking/IT Incident Ransomware (Netgain Technologies)
Total Health Care Inc. Health Plan No 221,454 Hacking/IT Incident Phishing
Wyoming Department of Health Health Plan No 164,010 Unauthorized Access/Disclosure Exposure of PHI over Internet
Home Medical Equipment Holdco, LLC Healthcare Provider No 153,013 Hacking/IT Incident Phishing
Health Aid of Ohio, Inc. Healthcare Provider No 141,149 Hacking/IT Incident Unspecified hacking and data exfiltration attack
Woodholme Gastroenterology Healthcare Provider No 50,000 Hacking/IT Incident Unspecified hacking and data exfiltration attack
Neighborhood Healthcare Healthcare Provider Yes 45,200 Hacking/IT Incident Ransomware (Netgain Technologies)
Crystal Lake Clinic PC Healthcare Provider No 37,331 Hacking/IT Incident Not confirmed
RiverSpring Health Plans Health Plan No 31,195 Hacking/IT Incident Phishing
Middletown Medical Imaging Healthcare Provider No 29,945 Hacking/IT Incident Exposure of PHI over Internet
St. John’s Well Child and Family Center, Inc. Healthcare Provider No 29,030 Hacking/IT Incident Unspecified hacking and data exfiltration attack
MailMyPrescriptions.com Pharmacy Corporation Healthcare Provider No 24,037 Hacking/IT Incident Phishing
Squirrel Hill Health Center Healthcare Provider No 23,869 Hacking/IT Incident Malware
Eastern Shore Rural Health System Inc. Healthcare Provider Yes 23,282 Unauthorized Access/Disclosure Not confirmed
Faxton St. Luke’s Healthcare Healthcare Provider Yes 17,656 Hacking/IT Incident Ransomware (CaptureRX)
Midwest Transplant Network, Inc. Healthcare Provider No 17,580 Hacking/IT Incident Ransomware
Baptist Health Arkansas Healthcare Provider Yes 16,765 Hacking/IT Incident Hacking of business associate (Foley & Lardner, LLP)

Causes of April 2021 Healthcare Data Breaches

Hacking/IT incidents, which include malware and ransomware attacks, dominated the breach reports in April 2021 and accounted for 67.74% of all reported breaches (42 incidents). These incidents involved 85.93% of all breached records in April. The mean breach size was 52,851 records and the median breach size was 6,563 records.

There were 17 incidents classed as unauthorized access/disclosures involving 358,870 records – 13.89% of all records breached in April. The mean breach size was 21,110 records and the median breach size was 2,704 records.

Loss and theft incidents continue but only at very low levels. There were just two reported cases of theft of devices containing PHI and one loss incident reported. 4,500 records were breached in these 3 incidents.

April 2021 Healthcare Data Breach causes

Network server incidents, most of which involved ransomware or malware, have overtaken phishing as the main cause of healthcare data breaches, although it should be noted that phishing emails are often the root cause of many ransomware attacks. There were 19 reported incidents involving PHI in email accounts, the majority of which were due to phishing or other forms of credential theft. One of the largest reported breaches in April was due to phishing and resulted in the exposure and potential theft of the PHI of 221,454 individuals.

April 2021 Healthcare Data Breaches - location of PHI

According to the Verizon 2021 Data Breach Investigations Report, phishing attacks increased globally by 11% in 2020 and ransomware attacks increased by 6%. The report shows insider breaches in healthcare have continued to fall and are now not even in the top three breach causes. In 2020, 61% of healthcare data breaches were due to external threat actors and 39% were caused by insiders.

April 2021 Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity with 30 data breaches of 500 or more records reported by the provider and a further 13 reported by a vendor. Business associate data breaches continue to be reported at high levels. There were 24 breaches involving business associates, with 10 of those breaches reported by the covered entity. 9 branches were reported by health plans in April, with one breach affecting a health plan reported by its business associate.

States Affected by Healthcare Data Breaches

HIPAA-covered entities and business associates based in 28 states reported breaches of protected health information in April. California was the worst affected state with 7 breaches reported followed by Michigan and Texas with 5 breaches. Florida, New York, and Wisconsin had 4 breaches, and there were 3 reported breaches in Massachusetts and Ohio.

Wyoming, the least populated U.S. state, only had one reported breach, but it affected a quarter of state residents.

State No. Reported Data Breaches
California 7
Michigan and Texas 5
Florida, New York, & Wisconsin 4
Massachusetts & Ohio 3
Georgia, Illinois, Minnesota, Missouri, New Mexico, Pennsylvania, and Vermont 2
Alabama, Arkansas, Colorado, Kansas, Maryland, Montana, North Carolina, New Hampshire, New Jersey, Oregon, Tennessee, Virginia, & Wyoming 1

HIPAA Enforcement Activity in April 2021

It has been a busy year of HIPAA enforcement by the HHS’ Office for Civil Rights with 6 financial penalties imposed to resolve violations of the HIPAA Rules; however, there were no new settlements or civil monetary penalties announced in April, nor any enforcement actions by state Attorneys General.

 

The post April 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.

140,000 SEIU 775 Benefits Group Members’ PHI Potentially Compromised

Posted by HIPAA Journal

SEIU 775 Benefits Group in Washington has notified approximately 140,000 of its members that some of their protected health information has been exposed. Around April 4, 2020, SEIU 775 Benefits Group’s IT team detected anomalous activity within the group’s data systems, including the apparent deletion of certain data files.

Third party digital forensics experts were engaged to assist with the investigation and confirmed that systems had been accessed by an unauthorized individual who deleted certain files that contained personally identifiable and protected health information. The forensics experts found no evidence to indicate any protected health information was downloaded or viewed and no reports have been received that suggest there has been any misuse of PHI.

The types of information potentially accessed was limited to names, addresses, and Social Security numbers, with health plan eligibility or enrollment information also potentially compromised. Affected individuals have been offered complimentary credit monitoring and identity theft protection services through Kroll for 12 months.

Woodholme Gastroenterology Associates Breach Impacts 50,000 Patients

Woodholme Gastroenterology Associates in Baltimore, MD has discovered an unauthorized individual gained access to its systems and exfiltrated files that included patients’ protected health information on February 25, 2021.

The security breach was detected on March 1, 2021 and steps were immediately taken to prevent any further unauthorized access. A comprehensive review of the files that were exfiltrated or potentially accessed revealed they contained patients’ names, addresses, email addresses, dates of birth, patient ID numbers, diagnoses and/or treatment information. A limited number of Social Security numbers, driver’s license numbers, and health insurance information was also potentially compromised.

Complimentary credit monitoring and identity protection services have been offered to individuals whose Social Security number or driver’s license number was exposed. The HHS’ Office for Civil Rights breach portal indicates up to 50,000 patients have been affected.

Employee of Vitality Senior Living Charged with Identity Theft

A certified nursing assistant formerly employed by Vitality Senior Living in Arlington, VA has been charged with stealing the identities of 6 residents under her care.

In April, the woman allegedly admitted to the executive director that she had fraudulently cashed a $1,200 check from one of the residents. The woman was terminated and law enforcement was notified. The victim reported the matter to the police and said 6 blank checks had been stolen from his checkbook and two had been cashed. The victim also said several fraudulent charges had been made against his debit card.

The suspect’s name had been written on one of the cashed checks and the other had her brother’s name, who was also employed at Vitality Senior Living but was not charged in relation to the incident. The police found photographs of the victim’s driver’s license and debit cards on the suspect’s phone along with evidence that a further 5 residents had been targeted, three of whom had been defrauded. The police also found evidence that the woman had tried to file fraudulent unemployment claims and tax returns for individuals whose identities could not be verified.

The woman is due to appear in court on May 25, 2021 on more than dozen identity theft charges.

The post 140,000 SEIU 775 Benefits Group Members’ PHI Potentially Compromised appeared first on HIPAA Journal.

Verizon: Healthcare Phishing and Ransomware Attacks Increase while Insider Breaches Fall

Posted by HIPAA Journal

2020 was certainly not a typical year. The pandemic placed huge pressures on IT security teams and businesses were forced to rapidly accelerate their digital transformation plans and massively expand their remote working capabilities. Cyber actors seized the opportunities created by the pandemic and exploited vulnerabilities in security defenses to gain access to business networks and sensitive data.

In 2020, phishing and ransomware attacks increased, as did web application attacks, according to the recently published Verizon 2021 Data Breach Investigations Report. The report provides insights into the tactics, techniques and procedures used by nation state actors and cybercriminal groups and how these changed during the pandemic.

To compile the Verizon 2021 Data Breach Investigations Report, the researchers analyzed 79,635 incidents, of which 29,207 met the required quality standards and included 5,258 confirmed data breaches in 88 countries – one third more data breaches than the previous year’s DBIR.

2020 saw an 11% increase in phishing attacks, with cases of misrepresentation such as email impersonation attacks at 15 times the level of 2019. There was a 6% increase in ransomware attacks, with 10% of all data breaches in 2020 involving the use of ransomware – Twice the level of the previous year.

Across all industry sectors, phishing was the main cause of data breaches and was involved in 36% of incidents. The researchers attributed the increase in phishing attacks to the pandemic, with COVID-19 and other related pandemic lures extensively used in targeted attacks on at-home workers. While phishing attacks and the use of stolen credentials are linked, the researchers found attacks involving stolen credentials were similar to the level of the previous year and were involved in 25% of breaches. Exploitation of vulnerabilities was also common, but in most cases it was not new vulnerabilities being exploited but vulnerabilities for which patches have been available for several months or years.

The increase in remote working forced businesses to move many of their business functions to the cloud and securing those cloud resources proved to be a challenge. Attacks on web applications accounted for 39% of all data breaches, far higher than the previous year. Attacks on external cloud assets were much more common than attacks on on-premises assets.

61% of data breaches involved credential theft, which is consistent with previous data breach investigation reports and 85% of data breaches involved a human element. In the majority of cases (80%), data breaches were discovered by a third party rather than the breached entity.

There were considerable variations in attacks and data breaches across the 12 different industry verticals represented in the report. In healthcare, human error continued to be the main cause of data breaches, as has been the case for the past several years. The most common cause of data breaches in misdelivery of paper and electronic documents (36%), but this was far higher in the financial sector (55%). In public administration, the main cause of data breaches was social engineering, such as phishing attacks to obtain credentials.

Healthcare Data Breaches in 2020. Source: Verizon 2021 Data Breach Investigations Report

Verizon analyzed 655 healthcare security incidents, which included 472 data breaches. 221 incidents involved malware, 178 hacking, 137 human error, and 106 social attacks. For the second consecutive year, incidents involving malicious insiders have fallen out of the top three attack types. While it is certainly good news that the number of malicious insider incidents is falling, that does not mean that these incidents are no longer occurring. It could indicate malicious insiders are able to cover their tracks much better. Attacks by external threat actors significantly increased, with healthcare industry cyberattacks commonly involving the use of ransomware. 61% of incidents were the work of external threat actors and 39% were internal data breaches.

Interestingly, considering the value of medical data on the black market, medical data was not the most commonly breached data type. Medical data was breached in 55% of data breaches, with personal data breached in 66% of incidents.  32% of breached involved the theft of credentials. Verizon suggests that could be due to the opportunistic nature of attacks by external threat actors. “With the increase of External actor breaches, it may simply be that the data taken is more opportunistic in nature. If controls, for instance, are more stringent on Medical data, an attacker may only be able to access Personal data, which is still useful for financial fraud. Simply put, they may take what they can get and run.

Breach detection has been steadily improving since 2016, when the majority of data breaches took months or more to identify. The majority of data breaches are now being discovered in days or less, although most commonly not by the breached entity.  80% of data breaches were identified by a third party.

The cost of a data breach is now estimated to be $21,659 on average, with 95% of data breaches having a financial impact of between $826 and $653,587.

The post Verizon: Healthcare Phishing and Ransomware Attacks Increase while Insider Breaches Fall appeared first on HIPAA Journal.

Records of 200,000 Military Veterans Exposed Online

Posted by HIPAA Journal

A database containing the personal and protected health information of almost 200,000 U.S. military veterans has been discovered to be accessible online by security researcher Jeremiah Fowler.

The database was identified on April 18, 2021 and a review identified references to a company called United Valor Solutions. Jacksonville, NC-based United Valor Solutions is a contractor of the Department of Veterans Affairs (VA) that provides disability evaluation services for the VA and other government agencies. The database – which contained veterans’ names, dates of birth, contact information, medical information, appointment information, unencrypted passwords, and billing information – could be accessed without a password. The database could have been viewed and downloaded by anyone and information in the database altered or deleted.

Fowler notified United Valor Solutions about the exposed data breach. The company replied the following day confirming the exposed database had been reported to its contractors and public access had been shut down. It is unclear for how long the database was exposed; however, United Valor Solutions said the database only appeared to have been accessed by internal IP addresses and Fowler’s.

Fowler said he found evidence of a ransomware attack. Within the dataset was a message titled “Read_me” which claimed that records had been downloaded and would be exposed if a 0.15 Bitcoin ransom was not paid.”

According to Threatpost, which first reported the story, the VA has been investigating the incident and that it appears to have been related to penetration testing. Reginald Humphries, director of IT strategic communication at the Office of Information and Technology at the VA provided a statement: “It appears that a researcher was attempting to find security deficiencies and flaws in United Valor Solutions systems. At this time, we do not believe there was a data breach but rather this was done for research purposes, at the request of the contractor, United Valor Solutions.” The VA investigation into the incident is ongoing.

Additional Individuals Impacted by Insider Atascadero State Hospital Breach

A breach previously reported by the California Department of State Hospitals (DSH) has affected more individuals than previously thought. The breach, which was identified on February 25, 2021, involved improper medical record access by a former employee.

The breach was initially thought to have involved the records of 1,415 patients and former patients, 617 employee names, the personal and protected health information of 1,735 employees, and information about 1,217 job applicants who had not been successful in gaining employment.

Further investigations into the improper access revealed the personal information of a further 80 individuals was accessed, including addresses, phone numbers, email addresses, social security numbers, dates of birth, and driver’s license numbers. The immigration information of 38 individuals, employment-related health information of 81 individuals who had with applied for work, had been employed, or were former employees, and 20 individuals’ dates of birth and the last four digits of their Social Security numbers were also accessed.

The employee concerned has been placed on administrative leave while the case is investigated. The California Highway Patrol is assisting the DSH with the investigation.

The post Records of 200,000 Military Veterans Exposed Online appeared first on HIPAA Journal.

University of Florida Health Shands Employee Accessed PHI Without Authorization for 2 Years

Posted by HIPAA Journal

University of Florida Health Shands has discovered a former employee has accessed the medical records of 1,562 patients without authorization.

The HIPAA violations were discovered on April 7, 2021 and the employee’s access to medical records was immediately terminated pending an investigation. The investigation confirmed the employee had been accessing patient medical records without a work reason for doing so from March 30, 2019 to April 6, 2021.

The types of information that could have been viewed included names, addresses, phone numbers, birth dates, and lab test results, but no Social Security numbers, financial information, or health insurance information was compromised.

University of Florida Health Shands does not believe any PHI has been stolen or further disclosed; however, out of an abundance of caution, affected individuals have been offered one year of complimentary credit monitoring services.

Third Party Breach Affects St. Paul’s PACE Patients

Community Eldercare of San Diego, dba St. Paul’s PACE, has been affected by a breach at one of its vendors. PeakTPA is a health plan management company that provides billing and other administrative services to St. Paul’s PACE. PeakTPA suffered a cyberattack on December 31, 2020 in which the records of certain St. Paul’s PACE patients were compromised.

While the cybercriminal organization behind the attack was not disclosed in its breach notice, PeakTPA said the gang was broken up by the FBI on January 27, 2021 and was informed that all documents stolen in the attack were recovered. The timing suggests the attack may have been conducted by the Netwalker ransomware gang.

PeakTPA said information accessed by the attackers included names, addresses, dates of birth, medication information and Social Security numbers. Affected individuals have been offered complimentary credit monitoring, fraud consultation, and identity theft restoration services through Kroll for 3 years. PeakTPA said additional security measures have now been implemented to prevent similar breaches in the future.

Cyberattack Impacts 29,000 St. John’s Well Child and Family Center Patients

St. John’s Well Child and Family Center, Inc. in West Sacramento, CA is notifying 29,030 individuals that some of their protected health information was potentially viewed or acquired in a cyberattack on February 3, 2021.

Upon discovery of the attack, steps were immediately taken to secure its systems and third-party cybersecurity experts were engaged to assist with the investigation. The investigation confirmed that the attackers potentially viewed or acquired protected health information such as names, Social Security numbers, and other personal or health information.

Individuals whose Social Security number was potentially compromised have been offered complimentary credit monitoring and identity theft protection services for 12 months.

The post University of Florida Health Shands Employee Accessed PHI Without Authorization for 2 Years appeared first on HIPAA Journal.

Ransomware Attack on New York Medical Group Impacts 330K Patients

Posted by HIPAA Journal

The New York medical group practice, Orthopedic Associates of Dutchess County, has announced the protected health information of certain patients was potentially stolen in a recent cyberattack.

The security incident was detected on March 5, 2021 when suspicious activity was identified in its systems. An investigation into the incident confirmed its systems had been accessed by unauthorized individuals on or around March 1, 2021. The attackers gained access to certain systems and encrypted files and issued a ransom demand for the keys to unlock the encrypted files.

The attackers claimed they had stolen sensitive data prior to the encryption of files, although it was not possible to determine which files had been stolen. A review of the systems accessed by the attackers revealed they contained files that included protected health information such as names, addresses, contact telephone numbers, email addresses, emergency contact information, diagnoses, treatment information, medical record numbers, health insurance information, payment details, dates of birth, and Social Security numbers.

Individuals potentially affected by the breach have been notified by mail and have been offered a 12- month complimentary membership to credit monitoring and identity theft protection services. To date, there have been no reports of attempted or actual misuse of any patient data.

The protected health information of 331,376 individuals was potentially compromised in the attack.

PHI of 5,426 Individuals Compromised in Entrust Medical Billing Ransomware Attack

Entrust Medical Billing, a Canton, OH-based medical billing company, has suffered a ransomware attack in which the protected health information of 5,426 individuals may have been compromised.

Third-party cybersecurity professionals were engaged to assist with the investigation and determine the extent of the breach. On or around March 1, 2021, the investigation confirmed some of the files exfiltrated by the attackers contained protected health information such as names, addresses, dates of birth, medical diagnosis/clinical information/treatment type or location, medical procedure information, patient account number, and health insurance information.

While data theft was confirmed, no evidence has been found to indicate actual or attempted misuse of any of the stolen data. Affected individuals have now been notified and those whose Social Security number has been compromised have been offered complimentary credit monitoring services. New technical safeguards have now been implemented and monitoring across its network environment has been increased.

The post Ransomware Attack on New York Medical Group Impacts 330K Patients appeared first on HIPAA Journal.

CaptureRx Ransomware Attack Affects Multiple Healthcare Provider Clients

Posted by HIPAA Journal

CaptureRx, a San Antonio, TX-based provider of 340B administrative services to healthcare providers, has suffered a ransomware attack in which files containing the protected health information of customers’ patients were stolen.

The security breach was detected on February 19, 2021, with the investigation confirming unauthorized individuals had accessed and acquired files containing sensitive data on February 6, 2021. A review of those files was completed on March 19, 2021 and affected healthcare provider clients were notified between March 30 and April 7, 2021.

CaptureRx has since been working with the affected healthcare providers to notify all individuals affected. The types of data exposed and acquired by the attackers was limited to names, dates of birth, prescription information and, for a limited number of patients, medical record numbers.

CaptureRx had security systems in place to ensure the privacy and security of healthcare data, but the attackers had managed to bypass those protections. Following the attack, policies and procedures were reviewed and enhanced and additional training has been provided to the workforce to reduce the risk of any further security breaches.

It is currently unclear how many of its healthcare provider clients have been affected nor the total number of individuals impacted by the breach. Breach victims include:

  • The Mohawk Valley Health System affiliate, Faxton St. Luke’s Healthcare in New York – 17,655 patients.
  • Randolph, VT-based Gifford Health Care – 6,777 patients.
  • Thrifty Drug Stores (Thrifty White) – Currently unknown number of patients.

CaptureRx said the investigation into the breach has not uncovered evidence to suggest any actual or attempted misuse of data stolen in the attack; however, affected individuals have been advised to monitor their account and explanation of benefits statements for signs of fraudulent activity.

The post CaptureRx Ransomware Attack Affects Multiple Healthcare Provider Clients appeared first on HIPAA Journal.