HIPAA Breach News

Phishing Attack on Home Medical Equipment Provider Affects 153,000 Individuals

The protected health information of 153,013 individuals has potentially been compromised in an email security breach at HME Specialists LLC, dba Home Medical Equipment Holdco.

HME Specialists discovered suspicious activity in its email system and immediately secured all affected accounts and engaged a specialist cybersecurity company to conduct a forensic investigation to determine the extent and nature of the breach. The cybersecurity firm confirmed on March 11, 2021 that certain compromised email accounts contained protected health information and that the accounts had been accessed by unauthorized individuals between June 24 and July 14, 2020.

The accounts contained information such as names, dates of birth, diagnosis and/or other clinical information, along with limited Social Security numbers, driver’s license numbers, credit card numbers, account information and usernames and passwords. No specific evidence was found to suggest any information in the compromised accounts was acquired by the attackers or has been misused.

Affected individuals for whom a current address was held have been notified by mail and advised to monitor their financial accounts and explanation of benefits statements for signs of fraudulent activity. Complimentary credit monitoring services have been offered to all individuals whose Social Security numbers were exposed.

Additional technical safeguards have now been implemented for employee email accounts including multifactor authentication, and further training has been provided to the workforce to raise awareness of the risks of malicious emails.

Sapphire Community Health Suffers Ransomware Attack

Sapphire Community Health in Hamilton, MT has experienced a ransomware attack in which the protected health information of 4,000 patients was potentially compromised. The attack was discovered on February 18, 2021 when staff were prevented from accessing files. Information systems were shut down to limit the damage caused and appropriate scanning and restoration steps were taken.

The medical record system was unaffected, but some of the encrypted files contained patient data such as names, addresses, and dates of birth and, for a limited number of individuals, financial account information and/or Social Security numbers.

An investigation into the attack found no evidence to suggest any patient information was exfiltrated by the attackers prior to the use of ransomware. All affected individuals have now been notified and additional security safeguards have been implemented to prevent further attacks.

The post Phishing Attack on Home Medical Equipment Provider Affects 153,000 Individuals appeared first on HIPAA Journal.

Several Healthcare Providers Postpone Radiation Treatments Due to Cyberattack on Software Vendor

The Swedish oncology and radiology system provider Elekta is recovering from a cyberattack that forced it to take its first-generation cloud-based storage systems offline on April 20, 2021. While the company has confirmed it has suffered a security breach, details about the exact nature of the attack have yet to be released. It is unclear what type of malware was used in the attack, but ransomware is suspected. The cloud-based system was taken offline to contain the threat.

Elekta said only a subset of customers in the United States that use its software have been affected and are experiencing a service outage as a result of the cloud-based systems being taken offline. Elekta is in the process of migrating those customers to its new Microsoft Azure cloud and the company is working around the clock to complete that process. All affected customers have been notified. Few details about the incident have been made public so as not to compromise the internal and law enforcement investigations, but Elekta reports that the threat has now been fully contained.

Connecticut-based Yale New Haven Health is one of the U.S. healthcare providers to be affected by the incident. The cyberattack on Elekta forced Yale New Haven Health to take its radiation equipment offline until the issues are resolved, as the radiology equipment cannot operate without the cloud-based software. Systems have been offline for more than a week and some cancer patients have been transferred to other healthcare providers to continue their treatments.

Other healthcare providers known to have been affected include Southcoast Health in Massachusetts, Lifespan Cancer Institute in Rhode Island, and Rhode Island Hospital. Those healthcare providers have postponed radiation treatments for cancer patients until the issues are resolved.

Elekta issued a statement saying no evidence has been found to indicate any data were extracted or copied. Elekta said around 170 customers in the United States that use its first-generation cloud system have experienced service disruptions to one or more of their products.

Manquen Vance Email Breach Impacts 7,018 Patients

The Michigan-based group health plan broker and consultancy firm Manquen Vance – formerly Cornerstone Municipal Advisory Group – is alerting 7,018 individuals about a potential breach of their personal and health information.

An investigation was launched on November 16, 2020 when the firm identified suspicious activity in the email account of an employee. Manquen Vance determined that the account was accessed by unauthorized individuals between November 1 and 16. No other email accounts were compromised.

While it is possible that emails and attachments containing sensitive information were viewed or copied, no specific evidence was found to suggest that was the case. The delay in issuing notifications was due to the time-consuming process of checking every email in the account for sensitive information. That process was completed on February 2, 2021 and confirmed that members’ names, health insurance information, and Social Security numbers had potentially been compromised. Manquen Vance has since taken steps to improve email security to prevent similar breaches in the future.

DNF Medical Centers Fires Employee for Diverting Blood Samples to Unauthorized Laboratory

DNF Medical Centers in Florida is notifying 846 individuals about a breach of their protected health information. On February 18, 2021 it was discovered that an employee was diverting patients’ blood samples to an unauthorized laboratory for testing, instead of LabCorp or Quest.

Patient data sheets were sent with the blood samples which included patient names, addresses, dates of birth, phone numbers, healthcare provider name, and the last 4 digits of Social Security numbers. DNF Medical Centers reports that the laboratory conducted medical tests as requested and returned the results; however, since this was an unauthorized lab, DNF Medical Centers is concerned about the reliability of the results. As such, affected patients have been notified and have been asked to re-do their blood tests at no cost.

An investigation was launched into the incident and the employee was interviewed and subsequently terminated. DNF Medical Centers does not believe any personal information has been misused or further disclosed, and believes the samples were sent to the lab so that the requested medical tests could be performed and the laboratory could bill patients’ health insurers for the tests.

PHI Compromised in Peak Vista Community Health Break In

On March 7, 2021, thieves broke into one of Peak Vista Community Health’s facilities in Colorado Springs and stole computer equipment. On March 31, 2021, Peak Vista determined that two of the stolen computers contained patient information including names, dates of birth, phone numbers, medical record numbers, medication lists, and diagnosis information.

The break-in has been reported to law enforcement, but the equipment has not been recovered. While it is possible that the thieves accessed information on the devices, no evidence of actual or attempted misuse of patient information has been identified. Peak Vista Community Health said only a very small portion of its patients were affected and all have now been notified by mail.

Data Breaches Reported by VEP Healthcare and the American College of Emergency Physicians

The American College of Emergency Physicians (ACEP) has started alerting certain members that some of their personal information was stored on a server that was accessed by unauthorized individuals.

In addition to providing professional organizational services to its members, management services are provided by ACEP to organizations such as the Emergency Medicine Foundation (EMF), Society for Emergency Medicine Physician Assistants (SEMPA), and the Emergency Medicine Residents’ Association (EMRA). The breach concerns data related to those organizations. Affected individuals had made a purchase from or donated to EMF, SEMPA, or EMRA.

A breach was detected on September 7, 2020 when unusual activity was identified in its systems. A server had been compromised that contained the login details for its SQL database servers, and those databases contained members’ information. While no evidence was found to indicate the credentials were used to access the databases, it was not possible to rule out unauthorized access. The information exposed was for the dates April 8, 2020 to September 21, 2020.

The exposed data varied from individual to individual. In addition to names, sensitive information such as Social Security numbers and financial information may have also been compromised.

The impacted server has been rebuilt, passwords have been changed, and additional technical safeguards have now been implemented. Affected individuals have been offered 12 months of credit monitoring services.

VEP Healthcare Discovers Multiple Email Accounts Were Accessed by Unauthorized Individuals

Portland, OR-based VEP Healthcare has discovered multiple employee email accounts have been accessed by unauthorized individuals after employees responded to phishing emails and disclosed their login credentials. The email security incident was detected on March 11, 2021 and the investigation confirmed the affected email accounts had been subjected to unauthorized access between November 15, 2019 and January 20, 2020. It is unclear exactly what information was contained in the compromised accounts.

While the email accounts were accessed, no evidence was found to indicate any protected health information in those accounts was viewed or obtained. However, out of an abundance of caution, affected individuals have been offered a free 12-month membership to the IDX identity theft protection service, which includes a $1 million identity theft insurance policy.

VEP Healthcare has since improved email security, implemented 2-factor authentication on email accounts, modified its policies and procedures, and provided additional security awareness training to the workforce.

Epilepsy Florida Impacted by Blackbaud Data Breach

Epilepsy Florida has recently confirmed that it has been affected by the data breach at Blackbaud Inc., its cloud computing vendor. The breach occurred in May 2020 and notifications were sent to affected clients in July 2020.

In a March 30, 2021 substitute breach notice, Epilepsy Florida explained that it launched an investigation into the breach to determine what information had been compromised and, after demanding further information from Blackbaud, determined the breach was limited to the full names of 1,832 individuals. No other information appears to have been compromised.

March 2021 Healthcare Data Breach Report

There was a 38.8% increase in reported healthcare data breaches in March, with 62 breaches of 500 or more records reported to the HHS’ Office for Civil Rights and hacking incidents dominating the breach reports. The high number of reported breaches is largely due to an increase in data breaches at business associates.

[Chart: Healthcare data breaches in the past 12 months]

The number of breached records also increased sharply with 2,913,084 healthcare records exposed or impermissibly disclosed across those 62 incidents; an increase of 135.89% from February.

[Chart: Breached healthcare records in the past 12 months]

Largest Healthcare Data Breaches Reported in March 2021

The table below shows the 25 largest healthcare data breaches to be reported in March, all of which were hacking/IT incidents. 76% involved compromised network servers with the remaining 24% involving breaches of email accounts. 60% of these breaches involved business associates.

| Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached Information |
|---|---|---|---|---|
| Health Net Community Solutions | Health Plan | 686,556 | Hacking/IT Incident | Network Server |
| Health Net of California | Health Plan | 523,709 | Hacking/IT Incident | Network Server |
| Woodcreek Provider Services LLC | Business Associate | 207,000 | Hacking/IT Incident | Network Server |
| Trusted Health Plans, Inc. | Health Plan | 200,665 | Hacking/IT Incident | Network Server |
| Apple Valley Clinic | Healthcare Provider | 157,939 | Hacking/IT Incident | Network Server |
| Saint Alphonsus Health System | Healthcare Provider | 134,906 | Hacking/IT Incident | Email |
| The Centers for Advanced Orthopaedics | Healthcare Provider | 125,291 | Hacking/IT Incident | Email |
| Cancer Treatment Centers of America at Midwestern Regional Medical Center | Healthcare Provider | 104,808 | Hacking/IT Incident | Email |
| SalusCare | Healthcare Provider | 85,000 | Hacking/IT Incident | Email |
| California Health & Wellness | Health Plan | 80,138 | Hacking/IT Incident | Network Server |
| Mobile Anesthesiologists | Healthcare Provider | 65,403 | Hacking/IT Incident | Network Server |
| Trillium Community Health Plan | Health Plan | 50,000 | Hacking/IT Incident | Network Server |
| PeakTPA | Business Associate | 50,000 | Hacking/IT Incident | Network Server |
| Sandhills Medical Foundation, Inc. | Healthcare Provider | 39,602 | Hacking/IT Incident | Network Server |
| ProPath Services, LLC | Healthcare Provider | 39,213 | Hacking/IT Incident | Email |
| BioTel Heart | Healthcare Provider | 38,575 | Hacking/IT Incident | Network Server |
| Healthgrades Operating Company, Inc. | Business Associate | 35,485 | Hacking/IT Incident | Network Server |
| The New London Hospital Association, Inc. | Healthcare Provider | 34,878 | Hacking/IT Incident | Network Server |
| La Clinica de La Raza, Inc. (La Clinica) | Healthcare Provider | 31,132 | Hacking/IT Incident | Network Server |
| Arizona Complete Health | Health Plan | 27,390 | Hacking/IT Incident | Network Server |
| Health Net Life Insurance Company | Health Plan | 26,637 | Hacking/IT Incident | Network Server |
| Colorado Retina Associates, P.C. | Healthcare Provider | 26,609 | Hacking/IT Incident | Email |
| Haven Behavioral Healthcare | Business Associate | 21,714 | Hacking/IT Incident | Network Server |
| Health Prime International | Business Associate | 17,562 | Hacking/IT Incident | Network Server |
| CalViva Health | Health Plan | 15,287 | Hacking/IT Incident | Network Server |

Causes of March 2021 Healthcare Data Breaches

43 breaches – 69.35% of the month’s total – were the result of hacking/IT incidents such as compromised network servers and email accounts. Hacking incidents accounted for 98.43% of all records breached in March – 2,867,472 records. The average breach size was 66,685 records and the median breach size was 26,609 records. 17 unauthorized access/disclosure incidents were reported in March (27.42% of breaches) and 44,395 records were breached in those incidents – 1.52% of the month’s total. The average breach size was 2,611 records and the median breach size was 1,594 records. There was one theft incident reported involving 500 healthcare records and one loss incident that affected 717 individuals.

[Chart: Causes of March 2021 healthcare data breaches]

Many of the reported breaches occurred at business associates of HIPAA covered entities, with those breaches impacting multiple healthcare clients. Notable business associate data breaches include a cyberattack on Accellion that affected its file transfer appliance. Hackers exploited vulnerabilities in the appliance and stole client files. A ransom was demanded by the attackers and threats were issued to publish the stolen data if payment was not made. The two largest data breaches of the month were due to this incident.

Several healthcare organizations were affected by a ransomware attack on business associate Netgain Technology LLC, including the 3rd and 5th largest breaches reported in March. Med-Data suffered a breach that affected at least 5 covered entities. This incident involved an employee uploading files containing healthcare data to a public-facing website (GitHub).

Network servers were the most common location of breached protected health information, and many of those breaches were due to ransomware attacks or other malware infections. Email accounts were the second most common location of breached PHI; most of those accounts were accessed after employees responded to phishing emails.

[Chart: March 2021 healthcare data breaches – location of PHI]

Covered Entities Reporting Data Breaches in March 2021

Healthcare providers were the worst affected covered entity type with 40 reported breaches. Health plans reported 15 breaches, a 200% increase from the previous month. While only 5 data breaches were reported by business associates of covered entities themselves, 30 of the month’s breaches – 48.39% – involved business associates but were reported by the covered entity. That represents a 200% increase from February.

[Chart: March 2021 healthcare data breaches – breached entity type]

Distribution of March 2021 Healthcare Data Breaches

There was a large geographical spread of data breaches, with covered entities and business associates in 30 states affected. California was the worst affected state with 11 data breaches reported. There were 5 breaches reported in Texas, 4 in Florida and Massachusetts, 3 in Illinois and Maryland, 2 in each of Arkansas, Arizona, Michigan, Minnesota, Missouri, Ohio, and Pennsylvania, and one breach was reported in each of Alabama, Colorado, Connecticut, Georgia, Idaho, Kansas, Louisiana, Montana, New Hampshire, Nevada, Oregon, South Carolina, Tennessee, Utah, Washington, Wisconsin, and West Virginia.

HIPAA Enforcement Activity in March 2021

The HHS’ Office for Civil Rights announced two further settlements to resolve HIPAA violations in March, both of which involved violations of the HIPAA Right of Access. These two settlements bring the total number of financial penalties under OCR’s HIPAA Right of Access enforcement initiative to 18.

Arbour Hospital settled its case with OCR and paid a $65,000 financial penalty and Village Plastic Surgery settled its case and paid OCR $30,000. Both cases arose from complaints from patients who had not been provided with timely access to their medical records.

Montefiore Medical Center Fires Employee for Unauthorized Record Access

Montefiore Medical Center has discovered another employee has accessed patient information with no legitimate work reason for doing so.

The New York hospital announced in February 2020 that an employee had been discovered to have accessed medical records without authorization for 5 months in 2020, and another employee was found to have obtained the PHI of approximately 4,000 patients between January 2018 and July 2020.

The latest discovery involved an employee accessing the records of patients without authorization for more than a year. The breach was identified by Montefiore’s FairWarning software, which monitors records for inappropriate access.

When unauthorized medical record access was discovered, the employee was suspended pending an investigation. A review of record access confirmed that the employee had accessed records with no legitimate work reason for doing so between January 2020 and February 2021.

The types of information accessed varied from patient to patient and included first and last names, medical record numbers, addresses, emails, dates of birth, and the last 4 digits of Social Security numbers. Montefiore found no evidence that financial information or clinical information was accessed.

The unauthorized record access violated Montefiore’s policies and HIPAA. The employee was fired, and the matter was referred to law enforcement for possible criminal prosecution.

Belden Facing Class Action Lawsuit Over November 2020 Data Breach

Belden, a U.S. vendor of networking equipment, is facing a class action lawsuit over a November 12, 2020 data breach in which the personal information of current and former employees was compromised. Hackers gained access to a limited number of file servers and exfiltrated employee data and information about some of its business partners.

The breach has recently been reported to the HHS’ Office for Civil Rights as involving the protected health information of 6,348 individuals. Names, Social Security numbers, tax identification numbers, financial account numbers, home addresses, email addresses, dates of birth and other employment-related information were stolen. Belden announced the breach on November 24, 2020 and started notifying affected individuals on December 14, 2020.

The lawsuit, Edke v. Belden Inc., alleges the plaintiff and class members have been harmed as a result of the breach and had to wait several weeks before being notified that their personal information had been stolen. They allege the data breach has placed them at “significant risk of identity theft and various other forms of personal, social, and financial harm.” The lawsuit alleges Belden was careless and negligent, and security failures at the company allowed patient data to be stolen.

PHI of More than 200,000 Washington D.C. Health Plan Members Stolen by Hackers

CareFirst BlueCross BlueShield Community Health Plan District of Columbia (CHPDC) is alerting its members about a cyberattack in which their protected health information was stolen.

CHPDC, formerly called Trusted Health Plans, detected a breach of its computer systems on January 28, 2021. The Washington D.C.-based health plan took immediate steps to isolate the affected computers and secure its network to prevent further unauthorized access, and the cybersecurity firm CrowdStrike was hired to investigate the breach.

CrowdStrike confirmed that protected health information was exfiltrated by the attackers, who were most likely a foreign cybercriminal group. CHPDC said anyone who has been an enrollee of CHPDC has been affected, as well as current and former employees.

The types of data stolen included full names, addresses, telephone numbers, dates of birth, Social Security numbers, Medicaid numbers, medical information, claims information, and a limited amount of clinical information. The breach has been reported to the Department of Health and Human Services’ Office for Civil Rights as affecting 200,665 individuals.

CrowdStrike provided assistance in securing CHPDC systems and a series of steps were taken to enhance security to prevent similar breaches from occurring in the future. All passwords have been changed, CHPDC stopped operations that share information with business partners, and the Internet and dark web are being monitored for any signs of misuse of member data.

Since protected health information has been obtained by cybercriminals, affected individuals are being provided with complimentary identity theft protection and credit monitoring services for two years, which includes insurance and identity theft restoration services.

221,000 Total Health Care Members Impacted by Email Account Breach

Total Health Care Inc., a Detroit, MI-based health plan, has discovered unauthorized individuals have gained access to several employee email accounts that contained sensitive personal information of health plan members and physician partners.

Upon discovery of the breach, the email accounts were immediately secured to prevent further unauthorized access and security experts were engaged to conduct a forensic investigation to determine the nature and scope of the breach. The investigation confirmed that the breach was limited to email accounts, which were accessed by unauthorized individuals between December 16, 2020 and February 5, 2021.

No evidence was found to suggest any protected health information was viewed or misused, but unauthorized access could not be ruled out. A review of the emails in the accounts revealed they contained names, addresses, dates of birth, member IDs, claims information, and Social Security numbers.

Due to the sensitive nature of data in the accounts, affected individuals have been offered free credit monitoring services for up to two years through CyberScout. Steps have since been taken to improve email security, including reviewing and updating policies and procedures and providing additional security awareness training to the workforce.

The breach has been reported to the HHS’ Office for Civil Rights as affecting 221,454 individuals.

Harrington Physician Services Reports Potential Breach of a Patient Mailing List

Southbridge, MA-based Harrington Physician Services is notifying 4,393 patients about a potential breach of some of their protected health information. It was recently discovered that a mailing list had been uploaded to a location within its information system that was not supposed to house patient data. As a result, it is possible that individuals outside of Harrington Physician Services may have been able to access the mailing list. The mailing list contained names, ages, addresses, dates of birth, primary care physician names and last office visit date only.

An investigation did not uncover any evidence to suggest the mailing list had been accessed, but it was not possible to rule out a breach. The mailing list was only exposed for a short period of time and, in order to access the list, an individual would require access to the network where the mailing list was stored. The risk to patients is therefore believed to be minimal; however, as a precaution, affected patients have been notified and provided with information about credit protection and monitoring services.

Adventist Health Physicians Network Fined $40,000 for Privacy Breach

Adventist Health Physicians Network in Simi Valley, California has been ordered to pay $40,000 in civil monetary penalties by the Ventura County District Attorney as part of a civil privacy settlement to resolve a patient privacy case that affected 3,797 patients.

The privacy breach occurred in 2018 and involved an impermissible disclosure of physical documents containing private and confidential medical data. The Simi Valley hospital had used a storage facility in Simi Valley for storing physical patient records; however, when payments to the storage facility stopped being made, the hospital lost access to the storage unit and the contents were put up for sale at a public auction in October 2018.

The individual who bought the contents of the storage unit at the auction discovered boxes of paperwork in the unit that contained the sensitive medical data of patients of Adventist Health. The hospital was notified, and the files were promptly collected and secured.

Adventist Health conducted an investigation into the incident and was satisfied that none of the information in the storage unit had been made public or further disclosed. To prevent similar incidents from occurring in the future, Adventist Health reviewed and updated its policies and procedures to ensure that physical patient records were properly safeguarded and were disposed of securely when the paperwork was no longer required.

The breach was investigated by the Consumer and Environmental Protection Unit of the Ventura County District Attorney’s Office, which determined Adventist Health had violated California Unfair Competition Law as the healthcare provider had failed to protect patient privacy, had not reasonably maintained and safeguarded medical data, and had failed to correctly dispose of confidential information.