HIPAA Breach News

Tufts Health Plan Members’ PHI Exposed in EyeMed Phishing Attack

60,545 members of Tufts Health Plan have had their protected health information exposed in a phishing attack on the vision benefits management company EyeMed.

The phishing attack occurred in June 2020 and was discovered by EyeMed on July 1, 2020. Access to the breached account was terminated the same day. EyeMed notified Tufts Health Plan about the breach in September 2020.

The compromised email account contained the following types of protected health information: Names, addresses, dates of birth, phone numbers, email addresses, vision insurance account/identification numbers, health insurance account/identification numbers, Medicaid or Medicare numbers, driver’s license or other government identification numbers, and birth or marriage certificates. Partial or full social security numbers and/or financial information, medical diagnoses and conditions, treatment information, and/or passport numbers were implicated for some individuals.

Affected individuals have been offered a 2-year complimentary membership to credit monitoring and identity protection services.

Security Incident Affects Tennessee Proton Radiation Therapy Centers

Two proton radiation therapy centers in Tennessee have been impacted by a security incident. The attack occurred in the early hours of October 28, 2020 and affected The Proton Therapy Center, LLC in Knoxville and MTPC, LLC in Nashville.

The attack has caused continued disruption to some clinical and financial operations, although care continues to be delivered safely and effectively. Efforts are underway to mitigate the attack and established back-up processes including offline documentation methods have been adopted.

The investigation into the breach has not uncovered evidence so far to indicate patient or employee information was copied, accessed, or misused.

Liv-On Family Care Center Patients Notified of PHI Theft

St. Paul, MN-based Liv-On Family Care Center is notifying 1,580 patients that computer equipment containing their protected health information was stolen in a break-in on October 25, 2020.

The thieves stole computers, laptops, and tablets that contained information such as patients’ names, dates of birth, addresses, Social Security numbers, medical records, and other information. The devices were password protected but not encrypted, so it is possible that the PHI could be accessed. The break-in has been reported to law enforcement, but the stolen computer equipment has not been recovered.

Presbyterian Health Plan Mailing Error Affects More Than 3,500 Members

Albuquerque, NM-based Presbyterian Health Plan is notifying 3,557 plan members about a mailing error that saw letters misdirected to other health plan members. On October 1, 2020, letters were sent to plan members advising them about recommended health screenings for managing their healthcare treatment and provided contact information for care coordination. Those letters were addressed to patients by name but were sent to other members’ addresses. The mailing did not include any Social Security numbers, financial or credit card information, or any information contained in medical systems or any other health information.

The post Tufts Health Plan Members’ PHI Exposed in EyeMed Phishing Attack appeared first on HIPAA Journal.

Dental Care Alliance Data Breach Impacts More Than 1 Million Patients

Sarasota, FL-based Dental Care Alliance, LLC, a dental support organization with more than 320 affiliated dental practices across 20 states, has been hacked and the protected health information of more than a million individuals has potentially been compromised. The breach occurred on September 18, 2020, was detected on October 11, and was contained on October 13.

The breach investigation did not uncover any specific evidence to suggest patient information has been obtained by the attackers or misused. A review of the systems accessible to the attackers revealed they contained names, addresses, diagnoses, treatment information, patient account numbers, billing information, dentists’ names, health insurance information, and, for around 10% of affected individuals, bank account numbers.

Notification letters were sent to the 1,004,304 affected individuals by Dental Care Alliance in November.

Legacy Community Health Services Email Breach Impacts 3,076 Patients

Legacy Community Health Services (LCHS) in Texas is notifying 3,076 individuals that some of their protected health information was contained in an email account that was accessed by an unauthorized individual. LCHS identified an unauthorized login to an employee’s email account on July 24, 2020 and a password reset was performed the same day.

A third-party cybersecurity firm was engaged to investigate the breach and the review of the compromised account was completed on September 22, 2020. The review revealed the account contained patient names and limited clinical information related to care received and one patient’s driver’s license number. Misuse of patient information is not suspected. Notifications were sent to the 3,076 patients on November 20, 2020.

This is the third email breach to be reported by LCHS in 2020. An email account breach was reported to the HHS’ Office for Civil Rights in September as affecting 228,000 individuals, and a breach was reported as affecting 19,000 individuals in June 2020.

Hillcrest Nursing Center Discovers Unauthorized Medical Record Access by Former Employee

Hillcrest Nursing Center in Round Lake Beach, IL has discovered the protected health information of certain residents may have been viewed by an unauthorized individual.

On or around August 4, 2020, Hillcrest Nursing Center terminated one of its staff physicians. On August 23, 2020, Hillcrest was informed by some family members of residents that they had received a phone call from the terminated physician who had discussed care and treatment. An investigation was launched which revealed the physician still had access to the Hillcrest medical record system.

The physician’s login was immediately revoked, and a review was conducted to determine which records could potentially have been accessed. The review was completed on October 9, 2020 and confirmed the terminated physician had access to 1,030 records which included names, Social Security numbers, insurance information, medical histories, and treatment information.

All affected individuals have now been notified and complimentary identity theft restoration and credit monitoring services are being provided. A new policy has now been implemented that requires access to the electronic medical record system to be immediately revoked when staff members are terminated or otherwise leave employment.
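The Hillcrest incident is the textbook failure that an offboarding reconciliation catches: a termination recorded in HR that never reached the EMR’s identity store. The following is an added example, not Hillcrest’s or any EMR vendor’s code, of such a reconciliation. It assumes two exports that most organizations can produce (an HR feed of termination dates and an identity export of enabled accounts with last-login dates); the records below are constructed sample data, and the user names are hypothetical.

```python
"""Access-revocation audit: flag EMR accounts still enabled after the
holder's HR termination date, and note whether a login occurred after exit.
Added example with constructed data; not the code of any organization named
in the article."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    username: str
    terminated_on: date
    days_open: int          # days the account stayed enabled past termination
    used_after_exit: bool   # True if the last login is later than the termination date


# Constructed HR feed: username -> termination date (None = still employed).
HR_TERMINATIONS: Dict[str, Optional[date]] = {
    "jdoe":   date(2020, 8, 4),
    "asmith": None,
    "rlee":   date(2020, 7, 15),
    "mchen":  date(2020, 9, 30),   # future-dated exit at the time of the review
}

# Constructed EMR identity export: username -> (enabled?, last login date).
EMR_ACCOUNTS: Dict[str, Tuple[bool, Optional[date]]] = {
    "jdoe":    (True,  date(2020, 8, 20)),   # still enabled 16 days after exit, and used
    "asmith":  (True,  date(2020, 8, 22)),
    "rlee":    (False, date(2020, 7, 14)),   # correctly disabled
    "mchen":   (True,  date(2020, 8, 1)),
    "svc_hl7": (True,  None),                # no HR record: a service account
}


def find_lingering_access(hr, emr, as_of, grace_days=0) -> List[Finding]:
    """Return enabled accounts whose holder was terminated more than
    `grace_days` before `as_of`, worst (longest open) first."""
    findings = []
    for user, (enabled, last_login) in emr.items():
        if user not in hr:
            continue  # orphan/service accounts are reported by orphan_accounts()
        term = hr[user]
        if term is None or not enabled:
            continue
        if as_of - term > timedelta(days=grace_days):
            used = bool(last_login and last_login > term)
            findings.append(Finding(user, term, (as_of - term).days, used))
    return sorted(findings, key=lambda f: f.days_open, reverse=True)


def orphan_accounts(hr, emr) -> List[str]:
    """Enabled EMR accounts with no matching HR identity; each needs an owner."""
    return sorted(u for u, (enabled, _) in emr.items() if enabled and u not in hr)


if __name__ == "__main__":
    for f in find_lingering_access(HR_TERMINATIONS, EMR_ACCOUNTS, date(2020, 8, 23)):
        print(f"{f.username}: enabled {f.days_open} days after exit, "
              f"login after exit: {f.used_after_exit}")
    print("orphans:", orphan_accounts(HR_TERMINATIONS, EMR_ACCOUNTS))
```

Run daily against fresh exports, the `used_after_exit` flag separates a housekeeping lapse from an incident that needs a record-access review, which is the second step Hillcrest had to perform.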


Six More Healthcare Providers Impacted by Ransomware Attacks

GBMC HealthCare in Maryland, Golden Gate Regional Center in California, and Dyras Dental in Michigan have recently suffered ransomware attacks and Allegheny Health Network, AMITA Health, and Bayhealth have announced they have been affected by the ransomware attack on Blackbaud Inc.

GBMC HealthCare

Towson, MD-based GBMC HealthCare has announced it suffered a ransomware attack on December 6, 2020 that forced its computer systems offline and the healthcare provider is now operating under EHR downtime procedures while the attack is mitigated. GBMC HealthCare had planned for such an attack and had processes in place to ensure care could continue to be provided to patients while keeping disruption to a minimum.

Safe and effective care continues to be provided to patients and its emergency department did not stop receiving patients; however, some elective procedures scheduled for Monday, December 7 were postponed. Efforts are underway to bring systems back online and restore the encrypted data, and law enforcement has been notified and is investigating the attack. The Egregor ransomware gang has claimed responsibility for the attack.

Golden Gate Regional Center

Golden Gate Regional Center, a provider of services for individuals with developmental disabilities in Marin, San Francisco, and San Mateo counties in California, identified suspicious activity on its computer systems on September 23, 2020. The investigation revealed the protected health information of 11,315 individuals had been exfiltrated from its computer systems prior to the deployment of ransomware.

Data stolen in the attack was limited to names, GGRC client identification numbers, service codes/descriptions, vendor/service provider names/numbers, month or year of service, and cost information related to the services provided. The investigation did not uncover evidence to suggest any stolen data has been misused. Affected individuals were notified by mail in November and complimentary identity theft protection services have been provided to breach victims.

Dyras Dental

Dyras Dental in Lansing, MI appears to have experienced a ransomware attack involving Egregor ransomware, although this has not been confirmed by the dental service provider. A dump of data stolen in the attack was identified by databreaches.net on September 24, 2020. Attempts were made to contact Dyras Dental, but no response was received. Databreaches.net has referred the breach to the Department of Health and Human Services’ Office for Civil Rights as it would appear that the breach has not been reported and patients have not received notification that their PHI has been stolen.

According to Databreaches.net, the dumped data included over 100 files that included insurance billing information, employee W-2 statements, and voicemail recordings containing PHI.

Allegheny Health Network, AMITA Health, and Bayhealth Impacted by Blackbaud Ransomware Attack

Pennsylvania-based Allegheny Health Network, Illinois-based AMITA Health, and Delaware-based Bayhealth have recently announced they have been impacted by the ransomware attack on the software and cloud computing services provider Blackbaud. The healthcare providers used Blackbaud to maintain their fund-raising records and donor databases.

Blackbaud assured the three healthcare providers that no credit card information, bank account information, or social security numbers were compromised in the attack, but some protected health information was stolen by the attackers prior to the deployment of ransomware. Blackbaud paid the ransom demand and received assurances that all stolen data was subsequently destroyed and has not been, and will not be, sold on, published, or misused.

Allegheny Health Network was one of the worst affected clients with the records of 299,507 individuals stolen in the attack. AMITA Health has reported the breach as affecting 261,054 individuals and Bayhealth says 78,006 individuals were affected.

University of Vermont Medical Center Ransomware Attack Cost Could Exceed $63 Million

Ransomware attacks can prove extremely costly. The October 2020 ransomware attack on the University of Vermont Medical Center has reportedly cost more than $1.5 million per day in lost revenue and increased expenses, according to hospital president Stephen Leffler, not including the cost of getting its systems back up and running. The attack occurred on October 28, 2020 and 42 days later losses continue to be experienced. Lost revenue and expenses could exceed $63 million.

The hospital has restored many systems and is operational; however, around 30% of the 600 applications used by the hospital remain out of action and disruption is still being experienced in some areas. Most of the radiology systems have now been restored, although that process has taken around six weeks, cancer treatment capabilities are still not fully restored, sleep studies have not been restarted, and the process of addressing the backlog of postponed appointments and entering handwritten records into its systems is expected to take several more weeks.


Insider Data Breaches Reported by Montefiore Medical Center and Mercy Health

Two insider data breaches have been reported in the past few days by Montefiore Medical Center and Mercy Health. Both incidents involved an employee accessing patient information when there was no legitimate work-related reason for doing so.

Former Montefiore Medical Center Employee Accessed Patient Data for Billing Scam

Montefiore Medical Center in New York City has discovered a former employee accessed patient information as part of a billing scam. Patient names, medical record numbers, and surgery dates were viewed and used to create invoices for unused surgical products, in connection with a vendor.

Montefiore Medical Center discovered the fraud after the invoices had been paid and launched an investigation that revealed the former employee had accessed the information of approximately 4,000 patients without authorization between January 2018 and July 2020.

Medical records, Social Security numbers, and financial information were not accessed, and the investigation has not uncovered any evidence to suggest patients or their insurance companies were defrauded. The fraud has been reported to law enforcement and the investigation is ongoing.

Montefiore Medical Center said the former employee died during the investigation and the vendor has been banned from all Montefiore campuses.

Montefiore Medical Center has taken steps to prevent similar incidents in the future. The paper forms involved in the scam are no longer used and procedures for processing invoices for surgical supplies are being reviewed.

Criminal background checks are already conducted prior to appointment and all employees receive training on privacy policies and are made aware that the medical center has a zero-tolerance policy concerning accessing medical records unless there is a work-related reason for doing so.

Mercy Health Discovers Unauthorized PHI Access by Former Employee

Cincinnati, OH-based Mercy Health has started notifying certain patients that some of their protected health information has been accessed by a member of staff for reasons other than providing care.

The insider breach was discovered by Mercy Health on October 7, 2020. The investigation revealed the employee had accessed patient information on multiple occasions when the information was not required for providing care to patients. The reason for the unauthorized access has not been made public.

Affected patients have been advised to monitor their credit reports and billing/accounts statements and to report any unauthorized activity. As a precaution against identity theft and fraud, affected patients have been offered a complimentary 1-year membership to IDX identity theft protection services.

For the majority of affected patients, the information accessed was limited to name, address, demographic information, date of birth, medical record number, treatment information, clinical information, and/or radiological images. The former employee also viewed the health insurance ID numbers of a limited number of patients.

Mercy Health has since enhanced procedures to prevent similar incidents in the future and the staff has been re-educated on compliance with Mercy Health’s policies and procedures.

At the time of writing, the incident has not appeared on the HHS’ Office for Civil Rights breach portal, so it is unclear how many patients have been affected.
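Both the Montefiore and Mercy Health incidents involved staff viewing records with no care relationship to the patient, over a long period in Montefiore’s case. The screening below is an added example, not the code or audit tooling of either organization, of the three checks that surface this pattern from an EHR access audit log: access to a patient the user has no recorded care relationship with, access outside normal hours, and a burst of distinct patient records opened in a short window. The audit lines, the care-relationship table, the user names and the MRNs are all constructed sample data; the after-hours window and burst threshold are assumptions to be tuned per site.

```python
"""Insider-access screening over EHR audit events. Added example with
constructed data; not the audit tooling of any organization in the article."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

# Constructed audit log: timestamp, user, patient MRN, action.
AUDIT_LOG = """\
2020-10-01T09:02:11 nurse01 MRN1001 VIEW
2020-10-01T09:05:40 nurse01 MRN1002 VIEW
2020-10-01T11:14:03 clerk07 MRN1001 VIEW
2020-10-01T11:14:55 clerk07 MRN1003 VIEW
2020-10-01T11:15:20 clerk07 MRN1004 VIEW
2020-10-01T23:48:02 clerk07 MRN1005 VIEW
2020-10-02T08:30:00 nurse01 MRN1001 VIEW
"""

# Constructed care-relationship table: (user, MRN) pairs with an active
# encounter or treatment-team assignment during the review window.
CARE_TEAM: Set[Tuple[str, str]] = {
    ("nurse01", "MRN1001"), ("nurse01", "MRN1002"), ("clerk07", "MRN1001"),
}


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    mrn: str
    action: str


@dataclass(frozen=True)
class Alert:
    user: str
    mrn: Optional[str]   # None for per-user (burst) alerts
    reason: str


def parse_log(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, mrn, action = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, mrn, action))
    return events


def screen(events, care_team, burst_window=timedelta(minutes=5),
           burst_threshold=3, day_start=6, day_end=20) -> List[Alert]:
    """Return alerts for accesses with no care relationship, accesses outside
    [day_start, day_end) hours, and users opening >= burst_threshold distinct
    patient records within burst_window."""
    alerts: List[Alert] = []
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev.user].append(ev)
        if (ev.user, ev.mrn) not in care_team:
            alerts.append(Alert(ev.user, ev.mrn, "no care relationship on record"))
        if ev.ts.hour < day_start or ev.ts.hour >= day_end:
            alerts.append(Alert(ev.user, ev.mrn,
                                f"access outside {day_start:02d}:00-{day_end:02d}:00"))
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        peak = 0
        for i, start in enumerate(evs):   # sliding window anchored at each event
            seen = {e.mrn for e in evs[i:] if e.ts - start.ts <= burst_window}
            peak = max(peak, len(seen))
        if peak >= burst_threshold:
            minutes = int(burst_window.total_seconds() // 60)
            alerts.append(Alert(user, None, f"{peak} distinct patients within {minutes} min"))
    return alerts


def flagged_users(alerts: List[Alert]) -> List[str]:
    return sorted({a.user for a in alerts})


if __name__ == "__main__":
    for a in screen(parse_log(AUDIT_LOG), CARE_TEAM):
        print(a.user, a.mrn or "-", a.reason)
```

The care-relationship check is the one that matters most for the Montefiore pattern, where each individual access looked routine; the burst and after-hours checks are cheap corroboration that help a privacy officer prioritize which flagged users to review first.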


Email Account Breaches Reported by University of Minnesota Physicians and McLeod Health

University of Minnesota Physicians has suffered a phishing attack that allowed unauthorized individuals to gain access to the email accounts of two employees. One email account was accessible between January 30 and January 31, 2020 and the other on February 4, 2020 for a short period of time.

Upon discovery of the breach, the accounts were immediately secured, and third-party forensic investigators were engaged to assess the nature and scope of the breach. The review did not uncover any evidence to suggest emails in the accounts had been viewed or patient data obtained, but it was not possible to rule out data access with a sufficiently high degree of certainty.

A review of the compromised accounts revealed they contained the protected health information of certain patients. The types of information in the accounts varied from patient to patient and may have included name, address, date of birth, date of death, date of service, telephone number, medical record number, account number, payment card number, health insurance information, and medical information. A limited number of individuals also had their Social Security number exposed.

Notification letters started to be sent to affected individuals on March 30, 2020, even though the investigation was still ongoing. That investigation has now been completed. The delay was due to the painstaking and lengthy process involved in identifying the relevant data.

University of Minnesota Physicians said that at the time of the breach, multiple email security controls were in place including multi-factor authentication, regular training was being provided to employees on privacy and security, and phishing simulations were being conducted.

Additional technology has now been implemented to further improve security and refresher security training has been provided to employees. Affected individuals have been offered 12 months of complimentary credit monitoring and identity theft protection services through Kroll.

The March 30, 2020 entry on the Office for Civil Rights breach portal indicates 683 individuals have been affected at the time of writing.

McLeod Health Discovers Email Account Breach

South Carolina-based McLeod Health has discovered the email account of an employee has been accessed by an unauthorized individual. Suspicious email account activity was detected on June 23, 2020 and the email account was immediately secured.

A comprehensive forensic review was conducted to determine the nature and scope of the breach, which revealed the email account was breached between April 13, 2020 and April 16, 2020. On August 19, 2020, McLeod Health determined the content of the email account had been downloaded by the attacker in April.

McLeod Health is in the process of conducting a review of the impacted email account to determine what information has been obtained by the attacker and which patients have been affected. Notifications will be mailed to affected patients when the review is completed.

McLeod Health had previously implemented multi-factor authentication to prevent compromised credentials from being used to gain access to email accounts; however, some internal settings had prevented it from being implemented on some devices. That issue is now being addressed and additional security awareness training is being provided to employees.
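The McLeod Health gap, MFA deployed but not enforced on some devices, is only visible if sign-in telemetry is checked for successful authentications that never satisfied MFA. The example below is added here and is not McLeod Health’s tooling or any mail platform’s API; it assumes a sign-in export with the user, client, protocol, MFA outcome and result on each line. The records, user names, client names and protocol labels are constructed sample data, and which protocols can bypass MFA depends on the platform in use.

```python
"""MFA-coverage check over mail sign-in records: which users, clients and
protocols are authenticating successfully without MFA. Added example with
constructed data; not the tooling of any organization in the article."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sign-in export; protocol and client names are illustrative.
SIGN_INS = """\
2020-04-13T07:12:44 user=mbrown client=OutlookDesktop proto=ModernAuth mfa=yes result=success
2020-04-13T07:20:01 user=mbrown client=iOSMail proto=IMAP4 mfa=no result=success
2020-04-13T08:02:19 user=tgreen client=OWA proto=ModernAuth mfa=yes result=success
2020-04-13T08:05:33 user=tgreen client=OWA proto=ModernAuth mfa=no result=failure
2020-04-13T09:41:08 user=ksmith client=AndroidMail proto=ActiveSync mfa=no result=success
2020-04-13T10:15:57 user=ksmith client=OWA proto=ModernAuth mfa=yes result=success
"""


@dataclass(frozen=True)
class SignIn:
    ts: str
    user: str
    client: str
    proto: str
    mfa: bool
    success: bool


def parse_sign_ins(text: str) -> List[SignIn]:
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *kv = line.split()
        f = dict(item.split("=", 1) for item in kv)
        records.append(SignIn(ts, f["user"], f["client"], f["proto"],
                              f["mfa"] == "yes", f["result"] == "success"))
    return records


def mfa_gaps(records) -> Dict[Tuple[str, str, str], int]:
    """Successful sign-ins that did not satisfy MFA, keyed by (user, client, protocol).
    Failed attempts are excluded: a rejected password is not an MFA gap."""
    gaps = Counter()
    for r in records:
        if r.success and not r.mfa:
            gaps[(r.user, r.client, r.proto)] += 1
    return dict(gaps)


def mfa_coverage(records) -> float:
    """Fraction of successful sign-ins that satisfied MFA (1.0 if none)."""
    ok = [r for r in records if r.success]
    return sum(r.mfa for r in ok) / len(ok) if ok else 1.0


def unprotected_protocols(records) -> List[str]:
    """Protocols with at least one successful sign-in and never an MFA outcome:
    the enforcement setting is not reaching them at all."""
    by_proto = defaultdict(lambda: [0, 0])   # proto -> [successes, with_mfa]
    for r in records:
        if r.success:
            by_proto[r.proto][0] += 1
            by_proto[r.proto][1] += int(r.mfa)
    return sorted(p for p, (n, m) in by_proto.items() if n and m == 0)


if __name__ == "__main__":
    recs = parse_sign_ins(SIGN_INS)
    print(f"MFA coverage of successful sign-ins: {mfa_coverage(recs):.0%}")
    print("protocols never satisfying MFA:", unprotected_protocols(recs))
    for key, n in mfa_gaps(recs).items():
        print("gap:", key, n)
```

A coverage figure below 100% on successful sign-ins is the number to track: it says directly how much of the mailbox population a stolen password alone still unlocks, which is the exposure McLeod Health describes.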


Healthcare Provider Discovers Patient Data Exposed Online for Over 4 Years

A round-up of healthcare data breaches recently reported by Fairchild Medical Center, Harvard Pilgrim Health Care, and Indian Health Council Inc.

Fairchild Medical Center Discovers Patient Information has been Exposed Online

Fairchild Medical Center in Yreka, CA, has started notifying certain patients that some of their protected health information may have been accessed by unauthorized individuals over the Internet.

In July 2020, Fairchild Medical Center was notified by a third-party security company that a server had been misconfigured, which allowed it to be accessed via the Internet. Assisted by third-party computer specialists, the medical center determined patient information could potentially have been accessed by unauthorized individuals.

The server contained medical images along with patient names, dates of birth, patient identification numbers, exam identification numbers, ordering provider names, and exam dates. The misconfiguration had occurred on December 16, 2015 and was not corrected until July 31, 2020. After changes were made to secure the server, they were verified by a third-party security company.

A forensic investigation could not confirm whether patient information was accessed by unauthorized individuals during the time the server was exposed, but the possibility could not be ruled out.

Harvard Pilgrim Health Care Reports Mismailing Incident

Harvard Pilgrim Health Care is notifying 8,022 individuals that a software error in its enrollment data management system caused an individual’s mailing address to be replaced by another address associated with that individual’s health plan. As a result of the error, some mailings may have been misdirected to the address of the subscriber of the individual’s health plan or to a former address. The issue was traced back to an error that occurred in 2013.

The types of information that may have been disclosed varied from mailing to mailing and potentially included the member’s name, ID number, date of birth, telephone number, dates of service, provider names, treatment information, charges for services, deductibles, co-pay amount, and co-insurance information related to healthcare coverage.

The issue has now been corrected and the process of system updates has been reviewed and enhanced. Affected individuals have been asked to check their Activity Summaries and to report any suspicious entries to Harvard Pilgrim immediately.

Indian Health Council Inc Suffers Ransomware Attack

Valley Center, CA-based Indian Health Council Inc. was the victim of a ransomware attack in September 2020 that resulted in file encryption and may have impacted patients’ protected health information. The cyberattack was discovered on September 22, 2020 and independent computer forensic experts were engaged to assist with the investigation.

A review of the files accessible to the attacker revealed some contained patient information such as names, birth dates, health information, and health insurance information and, for a limited number of individuals, information about health conditions, treatment, or diagnosis information.

Following the attack, passwords were changed, and security has been strengthened to prevent further attacks. Additional measures implemented include further controls covering remote access and multi-factor authentication.

All patients affected by the breach have now been notified. The breach report submitted to the Office for Civil Rights indicates 5,769 individuals were potentially affected.


More Than 295K Patients Impacted by Cyberattack on AspenPointe

The Colorado Springs-based mental health and behavioral health services provider AspenPointe has announced it was the victim of a cyberattack in September 2020 in which patient information may have been compromised. The attack forced the healthcare provider to take its systems offline and most of its operations were affected for several days while the attack was mitigated.

Third-party cybersecurity professionals were engaged to assist with the investigation and recovery efforts and determine the extent to which patient information may have been compromised. A review of the documents potentially accessible to the attackers revealed on November 10, 2020 that patient information had potentially been accessed or acquired.

The documents on the breached systems contained patient names along with one or more of the following data elements: date of birth, driver’s license number, bank account information, Medicaid ID number, admission/discharge dates, diagnosis code, date of last visit, and/or Social Security number.

Following the discovery of the breach, a password reset was performed. Cybersecurity has since been strengthened with additional endpoint protection technology, changes to the firewall, and other measures and network monitoring has been enhanced.

Notification letters are now being sent to all individuals potentially affected by the breach and a 1-year complimentary membership to IDX credit monitoring services is being provided to breach victims. Breach victims are also protected by a $1 million identity theft insurance policy and will have access to identity theft recovery services should they be required.

AspenPointe explained in its substitute breach notice that there have been no reported cases of identity theft, fraud, or improper use of patient information and no evidence was found to indicate any patient data was actually stolen by the attackers.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates the protected health information of 295,617 patients was potentially compromised in the attack.


Mayo Clinic Faces Multiple Lawsuits over Insider Privacy Breach

Mayo Clinic is facing multiple class action lawsuits over an insider data breach reported in October 2020. Mayo Clinic discovered a former employee had accessed the medical records of 1,600 patients without authorization and viewed information such as patient names, demographic information, dates of birth, medical record numbers, medical images, and clinical notes.

The Health Insurance Portability and Accountability Act (HIPAA) requires all HIPAA-covered entities to implement safeguards to ensure the privacy, confidentiality, and integrity of protected health information and limits the disclosures and uses of that information when patient consent is not obtained.

Healthcare employees are permitted to access PHI in the course of their work duties, but in this case the former employee had no legitimate work reason for viewing the records. The unauthorized access is in violation of the HIPAA Rules; however, there is no private cause of action in HIPAA, so individuals affected by such a breach cannot take legal action for any HIPAA violation that results in their medical records being exposed or compromised.

Two lawsuits have recently been filed in Minnesota state courts alleging violations of the Minnesota Health Records Act (MHRA), which introduced stricter regulations covering the privacy of healthcare data in Minnesota. MHRA applies to all Minnesota-licensed physicians and, unlike HIPAA, the legislation does have a private cause of action, so providers that violate MHRA can be sued by their patients.

The lawsuit alleges Mayo Clinic did not implement systems or procedures to ensure plaintiffs’ and similarly situated individuals’ health records would be protected and not subject to unauthorized access, and that the former employee accessed the plaintiffs’ medical records without first obtaining their consent.

Under MHRA, healthcare providers must obtain a signed and dated consent form from a patient or the patient’s legal representative authorizing the release of their medical records, unless there is a specific authorization in law, or when there is a representation from a provider holding a signed and dated consent form from the patient in question authorizing the release of their medical records.

The lawsuit also brings common law tort claims for invasion of privacy, negligent infliction of emotional distress, and vicarious liability. A major contributory factor to the emotional distress was that some of the accessible medical images included nude photographs of patients taken in connection with their cancer treatments. The plaintiffs seek monetary damages and other relief deemed appropriate by the courts.
