HIPAA Breach News

PHI of More Than 420,000 Individuals Potentially Compromised in Ransomware Attack on Ohio Law Firm

Bricker & Eckler, one of the leading law firms in Ohio, suffered a ransomware attack in January in which client information was potentially compromised. The ransomware infection was detected by the law firm on January 31, 2021 and a third-party cybersecurity firm was engaged to assist with the investigation.

The investigation revealed the attackers first gained access to its systems on January 14, 2021, and access remained possible until January 31, 2021. During that time the attackers gained access to files containing client information and exfiltrated some data from the law firm’s systems.

A notice about the security incident on the law firm’s website confirms that the attackers were contacted, and information stolen in the attack was retrieved, suggesting the ransom was paid. Bricker & Eckler said the attackers confirmed they took steps to delete the stolen data and reassurances were provided that there had been no further disclosures of the stolen information and that no copies of the data had been retained.

As a full-service law firm serving clients in the healthcare industry, it was necessary for clients to provide the law firm with certain protected health information as part of the client engagement. That information was used as part of the legal services provided. It is possible that some of that information may have been viewed or obtained in the attack.

Bricker & Eckler said the protected health information potentially compromised included names and addresses and, for certain individuals, medical information and/or education-related information, driver’s license numbers and/or Social Security numbers.

The law firm started sending notification letters to all affected individuals on April 6, 2021. The law firm has taken steps to enhance the security of its network, internal systems, and applications to prevent similar attacks in the future.

The breach has been reported to the HHS’ Office for Civil Rights as affecting up to 420,532 individuals.

The post PHI of More Than 420,000 Individuals Potentially Compromised in Ransomware Attack on Ohio Law Firm appeared first on HIPAA Journal.

Malware Discovered on Networks of Squirrel Hill Health Center and La Clinica de la Raza

La Clinica de la Raza in Oakland, CA is alerting certain patients about a potential breach of their protected health information. Malware was detected on systems containing patient data on January 28, 2021.

A third-party forensics company was engaged to assist with the investigation into the malware attack and determined on February 26, 2021 that the malware would have allowed files containing patient data to be accessed. The breach was short-lived: the malware was installed and active only on January 12, 2021.

During the short period of time that the malware was active it is possible that documents were viewed by unauthorized individuals, but the clinic believes relatively few documents were viewed. Those documents included full names, dates of birth, phone numbers, home addresses, health insurance information, and certain health information such as dates of service, diagnosis, test results, and treatment information related to medical services provided at the clinic.

Steps have been taken to improve data security, including enhancing its intrusion detection and prevention system, securing login credentials, providing additional workforce training, and implementing other risk prevention measures.

Malware Potentially Gave Cybercriminals Access to the PHI of Squirrel Hill Health Center Patients

Squirrel Hill Health Center in Pittsburgh, PA has discovered malware on its computer network which may have provided cybercriminals with access to files containing patients’ protected health information. A security breach was identified on February 4, 2021 when suspicious activity was detected on its computer network that prevented files from being accessed.

Third-party computer forensic specialists were engaged to investigate the breach and determined unauthorized individuals gained access to its systems on January 28, 2021 and access remained possible until February 4, 2021. While it is common in attacks such as this for sensitive data to be exfiltrated, Squirrel Hill Health Center found no evidence to suggest personal information was subjected to actual or attempted misuse.

A review of the files that were potentially accessed revealed they contained names, addresses, dates of birth, diagnostic codes, limited appointment scheduling details, and, for a subset of individuals, Social Security numbers.

Policies, procedures, and processes related to the storage of and access to patient information are being reviewed and will be updated, as necessary, to improve security.

California Department of State Hospitals Discovers Insider Breach Worse Than Previously Thought

In March 2021, the California Department of State Hospitals announced that an employee in an IT role had accessed the data of 1,415 current and former patients and 617 employees without authorization over a 10-month period. The breach was discovered on February 25, 2021 as part of a routine review of employee access to data folders.

At the time of the announcement the review into the insider breach was ongoing. It has now been confirmed that the breach was worse than previously thought. The data of 1,735 current and former Atascadero State Hospital employees and 1,217 DSH job applicants who had not been employed was also accessed. The data included phone numbers, email addresses, Social Security numbers, dates of birth, and health information. While the sensitive data was accessed, there is no indication that any information has been misused.

Laptop Stolen from Woolfson Eye Institute Contained Patient Data

Woolfson Eye Institute in Atlanta, GA has announced a laptop computer connected to medical testing equipment was stolen on September 21, 2020. A review of the contents of the laptop confirmed it contained a patient database that included patient names and dates of birth. No other information was exposed. The theft was reported to law enforcement, but the laptop has not been recovered.

Due to the limited nature of data on the laptop, patients are not believed to be at risk of identity theft and fraud but have been advised to remain vigilant.


Orthopedics Practice Discovers Year-Long Email Breach Affecting 125,000 Patients

The Centers for Advanced Orthopaedics has discovered multiple employee email accounts have been accessed by unauthorized individuals. The orthopedics practice, which serves patients in Virginia, Maryland, and Washington DC, identified suspicious activity in its email system on September 17, 2020. Third party cybersecurity experts were engaged to assist with the investigation and determined several email accounts had been accessed by unauthorized individuals between October 2019 and September 2020.

A review of the affected email accounts was conducted to determine the types of information that had been exposed and it was confirmed on January 25, 2021 that protected health information may have been viewed or acquired by cybercriminals.

The email accounts contained information of patients, employees, and their dependents. Patient information was mostly restricted to names, dates of birth, diagnoses, and treatment information. A subset of patients also had one or more of the following data types stored in the account: Social Security number, driver’s license number, passport number, financial account information, payment card information, or email/username and password.

Employee and dependent information was mostly limited to dates of birth, medical diagnoses, treatment information, Social Security numbers, and driver’s license numbers. A subset included one or more of the following: passport number, financial account information, payment card information, or email/username and password.

Notifications were sent to affected individuals starting March 25, 2021. Complimentary credit monitoring and identity restoration services have been offered to affected individuals.

Policies and procedures and security infrastructure are being reviewed and will be updated to improve protections from these types of breaches.

Vendor Email Breach Impacts Patients of Remedy Medical Group

Administrative Advantage, a vendor that provides billing support to the Californian pain management specialty practice Remedy Medical Group, has discovered the email account of an employee was accessed by an unauthorized individual. Suspicious activity was detected in the email account in July 2020 and an investigation was launched to determine the nature and scope of the breach. Third-party security experts assisted with the investigation and determined on August 18, 2020 that the email account had been accessed by unauthorized individuals between June 23, 2020 and July 9, 2020.

At the time of the breach the email account contained the protected health information of Remedy Medical Group patients, which included names, financial account information, Social Security numbers, driver’s license and/or state identification numbers, credit and/or debit card information, dates of birth, passport numbers, electronic signature information, username and password information, medical record numbers, Medicare numbers, Medicaid numbers, treatment locations, diagnoses, health insurance information, and lab test results. The types of information potentially compromised varied from patient to patient.

Further to the breach, security measures have been reviewed and additional training has been provided to the workforce on email security. Individuals potentially at risk of identity theft have been offered access to identity theft protection services at no cost.

Email Error Discovered Affecting Dallas County Jail Inmates

Parkland Health and Hospital System has discovered an email error that resulted in the protected health information of individuals incarcerated in the Dallas County jail system being sent to an individual not authorized to view the information.

The email, which contained lab test invoices that included inmates’ first and last names, dates of birth, and the name of the diagnostic test provided, was sent in error to a Dallas County employee.

The breach occurred in February 2020. Parkland Health and Hospital System officials were informed by the recipient of the email that the message had not been read and was permanently deleted the day it was received. The 1,594 individuals affected have been notified.


Third Party Data Breaches Reported by Apple Valley Clinic & BioTel Heart

Apple Valley Clinic in Minnesota has started notifying 157,939 patients that some of their protected health information was compromised in a ransomware attack on one of its information technology vendors.

Apple Valley Clinic, which is part of Allina Health, used Netgain Technology LLC to host its information technology network and computer systems. In November 2020, Netgain was attacked with ransomware which took its data centers offline. Netgain notified Apple Valley Clinic on December 2, 2020 that patient data may have been compromised in the ransomware attack. Allina Health received confirmation on January 29, 2021 that patient information had been involved.

The types of information compromised included names, dates of birth, bank account and routing numbers, Social Security numbers, patient billing information, and some medical information including symptoms and diagnoses. While several healthcare providers had PHI compromised, Apple Valley Clinic was the only Allina Health location to be affected.

Apple Valley Clinic has since taken steps to improve information security, including transitioning to the electronic health record system used by Allina Health. Netgain is continuing to investigate the attack and is monitoring for any adverse effects from the breach.

To date, Apple Valley Clinic has not received any reports to suggest any protected health information compromised in the attack has been misused; however, in order to ensure affected patients are protected, complimentary credit monitoring and identity theft protection services are being offered.

BioTel Heart Alerts 38,575 Patients to Online Exposure of PHI

The cardiac data company BioTel Heart has confirmed the protected health information of 38,575 patients has been exposed online by one of its vendors.

BioTel Heart, a trade name under which CardioNet, LLC and LifeWatch Services Inc. operate, was alerted to a breach on January 28, 2021 when a patient discovered some of their protected health information was accessible online from a Google search. An investigation was launched to determine the cause of the breach, which revealed one of its vendors had failed to secure an Amazon S3 bucket, resulting in patient information being accessible through the search engines. The investigation confirmed that patient data was accessible from October 17, 2019 to August 9, 2020.

The types of information accessible through the search engines included names, contact information, dates of birth, health insurance information, and health information related to remote cardiac monitoring services, such as diagnoses, diagnostic tests, prescribing physicians’ names, and treatment information. While Social Security numbers are not requested by BioTel Heart, some Social Security numbers were also compromised.

BioTel Heart has confirmed that the vendor fixed the issue and secured the data on August 9, 2020. The business relationship with the vendor has since been terminated.

The vendor was notified about the breach via Amazon following the discovery of the exposed data by a security researcher, as reported in August 2020 by Databreaches.net. The vendor appears not to have reported the breach to BioTel Heart.


More Than 1.2 Million Health Net Members Affected by Accellion Cyberattack

Several healthcare organizations have recently confirmed they have been affected by the December 2020 Accellion cyberattack. The attack has been linked to the Clop ransomware gang, as its leak site was used to publish samples of data stolen in the attack, although ransomware is not believed to have been used.

Accellion provided a file transfer solution that was used for transmitting files that were too large to be sent via email. In the case of Health Net, the platform was used for exchanging files with healthcare providers and others who support its operations. Health Net reports that names, addresses, dates of birth, insurance ID numbers, and health information were obtained by the attackers. Accellion notified Health Net about the breach on January 25, 2021.

Health Net has reported the breach as affecting 1,236,902 individuals across Health Net Community Solutions (686,556 individuals), Health Net of California (523,709 individuals), and Health Net Life Insurance Company (26,637 individuals).

California Health & Wellness has recently announced that it too was a victim of the Accellion cyberattack and confirmed that the names, addresses, dates of birth, insurance ID numbers, and health information of 80,138 members were stolen.

Stanford University has also recently confirmed that it was a victim of the attack and the PHI of Stanford Medicine patients was compromised, although details of the types of information stolen and the number of individuals affected have yet to be confirmed. Some of the data stolen in the attack was published on the attacker’s leak site.

Previously, University of Miami Health, Centene, Kroger, Trillium Community Health Plan, and Arizona Complete Health reported that they have been affected and had sensitive data stolen.

Multiple lawsuits have already been filed over the breach. Centene is suing Accellion over the breach and a lawsuit has been filed on behalf of affected Kroger pharmacy patients.

The vulnerabilities exploited in the cyberattack have been fixed and Accellion has confirmed that the FTA service will be discontinued from April 30, 2021, although support will continue to be provided until all contracts expire. Most victims have reported that they have discontinued using the Accellion FTA.


Roper St. Francis Healthcare Faces Class Action Lawsuit Over Data Breach

Roper St. Francis Healthcare is facing a class action lawsuit over an October 2020 data breach in which patient data was allegedly stolen. The lawsuit alleges negligence for the failure to protect the private data of its patients.

Between October 14 and 29, 2020, unauthorized individuals gained access to the email accounts of three of its employees. Those accounts contained the protected health information of around 190,000 patients. PHI in the compromised email accounts included financial and medical information.

This was far from the only data breach to have affected Roper St. Francis Healthcare in the past 18 months. Prior to the October 2020 phishing attack, Roper St. Francis reported two data breaches in September, one of which was a phishing attack that affected 6,000 individuals and the other was a ransomware attack on its vendor Blackbaud, which affected around 92,963 Roper St. Francis patients. Prior to those breaches, a breach was reported on January 29, 2010 as affecting 35,253 individuals.

According to the lawsuit, “At all relevant times, Roper knew the data it stored was vulnerable to cyberattack based upon these repeated and ongoing data breaches.”

The lawsuit, which was filed by The Richter Firm, The Solomon Law Group, Slotchiver & Slotchiver, LLC and Brent Souther Halversen, LLC, seeks economic and non-economic damages for the plaintiff and class members, compensatory, consequential, and actual damages, statutory and injunctive relief, punitive damages, and reimbursement for interest, costs, and reasonable attorneys’ fees.

“We merely seek to hold Roper accountable for its continued negligent actions in allowing these preventable data breaches from happening and to compensate current and former patients for the harm inflicted,” said Attorney Brent Halversen. “We seek to provide all patients whose private data was compromised credit monitoring services as partial compensation for the harm each has suffered, not just the handful that Roper thinks are the worst cases.”


PHI from Multiple Covered Entities Published on GitHub

Med-Data Inc. has confirmed that the protected health information of patients of several of its clients has been uploaded to the open-source software development hosting website GitHub, where it could have been accessed by unauthorized individuals.

The Spring, TX-based revenue cycle management services vendor assists healthcare providers and health plans by processing Medicaid eligibility, third party liability, workers’ compensation and patient billing. On December 10, 2020, Med-Data was notified by security researcher Jelle Ursem that some of its data had been discovered on GitHub. Dissent Doe of Databreaches.net provided a link to the uploaded data on December 14, 2020, according to the Med-Data breach notice.

An investigation was immediately launched, and it was determined that one of its employees had saved files containing protected health information to personal folders on GitHub Arctic Code Vault between December 2018 and September 2019. Med-Data said the files were removed from GitHub on December 17, 2020.

The files contained names, addresses, dates of birth, Social Security numbers, diagnoses, medical conditions, claims information, dates of service, subscriber IDs, medical procedure codes, provider names, and health insurance policy numbers. Med-Data notified all covered entities on February 8, 2020 and affected individuals were notified on March 31, 2021. All individuals affected have been offered complimentary credit monitoring and identity protection services through IDX.

To prevent similar breaches in the future, Med-Data has blocked the use of all file sharing websites, updated its internal data policies and procedures, implemented a security operations center, and deployed a managed detection and response solution.

The Department of Health and Human Services was notified about the breach on February 8, 2021; however, the breach has not yet been listed on the OCR breach portal, so it is unclear how many individuals have been affected. Covered entities that have confirmed they were affected include OSF HealthCare, UChicago Medicine, Aspirus, King’s Daughters’ Health System, SCL Health, and Memorial Hermann Health System.

While Med-Data has confirmed that the files have been deleted from GitHub, that does not necessarily mean that the information is now secured. The files were uploaded to the GitHub Arctic Code Vault, which is a public data repository used for long term archiving of files. The storage facility was developed to securely store data for up to 1,000 years. The storage facility involved saving data to physical storage media – hardened film – which was shipped to the GitHub Arctic Code Vault, located in a coal mine in Svalbard, Norway.

The films contain a huge volume of data which was current up until February 2nd, 2020 when the archive was finalized. Since Med-Data had the files removed from GitHub on December 17, 2020, it is probable that some of the data has also been stored on film and sent to the archive. Med-Data contacted GitHub and asked for the logs of the vault to determine if any of its data had been saved to the films and to arrange its removal, but it is unclear what happened after the request was made. “We do not know what transpired after that, although there had been some muttering that MedData might sue GitHub to get the logs,” explained Ursem and Doe in an April 1, 2020 report.

This is not the only GitHub data breach to be discovered by Jelle Ursem and Dissent Doe. They reported in August 2020 that the medical records of between 150,000 and 200,000 individuals had also been uploaded to GitHub and could have been accessed by anyone.


Ransomware Attack on Home Healthcare Service Provider Affects 753,000 Individuals

Personal Touch Holding Corp, a Lake Success, NY-based provider of home health services, is alerting 753,107 patients about a breach of their protected health information.

Personal Touch Holding Corp operates around 30 Personal Touch Home Care subsidiaries in more than half a dozen U.S. states. On January 27, 2021, Personal Touch discovered it was the victim of a cyberattack involving its private cloud hosted by its managed service providers. The attackers encrypted the cloud-stored business records of Personal Touch and 29 of its direct and indirect subsidiaries.

The investigation into the ransomware attack is ongoing. At this stage it is unclear to what extent individuals’ protected health information was compromised; however, it is possible that the attackers obtained data stored in its private cloud prior to the use of ransomware.

An analysis of its cloud environment revealed the following types of patient information may have been compromised in the attack: names, addresses, telephone numbers, dates of birth, Social Security numbers, financial information, including check copies, credit card numbers, bank account information, medical treatment information, health insurance card, health plan benefit numbers, and medical record numbers.

Employee information was also compromised, including names, contact information, dates of birth, Social Security numbers (including dependent and spouse Social Security numbers), driver’s license numbers, passport numbers, birth certificates, background and credit reports, demographic information, usernames and passwords used at the Company, personal email addresses, fingerprints, insurance cards, health and welfare plan benefit numbers, retirement benefits information, medical treatment information, check copies, and other financial information necessary for payroll.

Following the discovery of the breach, outside counsel was retained and independent forensics experts were engaged to assist with the investigation. The FBI has been alerted, along with state attorneys general and the HHS’ Office for Civil Rights. Personal Touch said it has now implemented advanced monitoring and alerting software.

This is the second ransomware attack to affect Personal Touch subsidiaries in a little over a year. In January 2020, Personal Touch announced that the protected health information of patients of 16 of its subsidiaries had been compromised in a ransomware attack on its cloud vendor, Crossroads Technologies. Crossroads Technologies hosted the Personal Touch cloud-based electronic health records. 156,400 medical records were compromised in that ransomware attack.


Lexington Medical Center and CalViva Health Affected by Third-Party Data Breaches

Wake Forest Baptist Health has announced an unauthorized individual gained access to the systems of one of its technology vendors between October 16 and October 28, 2020 and potentially viewed or acquired files containing the protected health information of certain patients of Lexington Medical Center in North Carolina.

The breach occurred at Healthgrades Operating Co. Inc., which provided the hospital with patient and community education on health matters and medical services. The exact nature of the breach was not disclosed.

No reports have been received to date to indicate any information was stolen and misused. The types of PHI potentially accessed include names, addresses, dates of birth, contact information, demographic information, medical treatment information, and Social Security numbers. The files contained PHI dated from mid-2010 to mid-2011.

All individuals whose PHI was potentially compromised in the attack were notified by mail on March 26, 2021 and have been offered complimentary credit monitoring and identity theft protection services.

It is currently unclear how many individuals have been affected by the breach. This post will be updated when further information is known.

CalViva Health Members Affected by Accellion Ransomware Attack

The protected health information of certain members of Fresno, CA-based CalViva Health has been compromised in a cyberattack at a third-party vendor. The individuals behind the attack may have accessed or downloaded sensitive files, although there are no indications at this stage that any sensitive information has been misused.

The vendor was Health Net Community Solutions, and its file transfer solution was provided by Accellion, which suffered a ransomware attack in which customers’ files were stolen. The attackers had access to data in the solution from January 7 to January 25, 2021.

As is common in manual ransomware attacks, the attackers released a sample of the stolen data on their leak site to encourage payment of the ransom. It is unclear if any of that information relates to CalViva Health members.

Health Net has since removed all files relating to CalViva members from the Accellion file transfer system and has now stopped using Accellion’s file transfer services.

CalViva Health has advised all affected members to monitor their statements and explanation of benefits statements for signs of fraudulent activity. As a precaution against identity theft and fraud, all affected individuals have been offered a membership to credit monitoring and identity theft services for one year at no cost.
