HIPAA Breach News

One Third of Healthcare Websites Still Use Meta Pixel Tracking Code

Posted by Steve Alder

A recent analysis of healthcare websites by Lokker found widespread use of Meta Pixel tracking code. 33% of the analyzed healthcare websites still use Meta pixel tracking code, despite the risk of lawsuits, data breaches, and fines for non-compliance with the HIPAA Rules.

Website Tracking Technologies in Healthcare

A study conducted in 2021 that looked at the websites of 3,747 U.S. hospitals found 98.6% of the hospitals used at least one type of tracking code on their websites that transferred data to third parties, and an analysis in 2022 of the websites of the top 100 hospitals in the United States by The Markup/STAT revealed one-third of those hospitals used tracking technologies on their websites that transferred visitor data, including protected health information (PHI), to third parties.

In December 2022, the HHS’ Office for Civil Rights issued guidance to HIPAA-regulated entities on the use of website tracking technologies. The guidance made it clear that these technologies violate HIPAA unless there is a business associate agreement (BAA) in place with the provider of the code or authorizations are obtained from patients. OCR and the Federal Trade Commission wrote to almost 130 healthcare organizations in July 2023 warning them about the compliance risks of using tracking technologies, after these tools were discovered on their websites. In March 2024, OCR updated its guidance – believed to be in response to a legal challenge by the American Hospital Association –  however, OCR’s view that a BAA or authorizations are required has not changed.

Several hospitals and health systems have reported the use of these tracking technologies to OCR as data breaches, and many lawsuits have been filed against hospitals over the use of these tools, some of which have resulted in large settlements. For example, Novant Health agreed to pay $6.6 million to settle a lawsuit filed by patients who had their PHI transferred to third parties due to the use of these tracking tools. The FTC is also actively enforcing the FTC Act with respect to trackers, with BetterHelp having to pay $7.8 million to consumers as refunds for disclosing sensitive health data without consent. States have also taken action over the use of Meta pixel and other website trackers, with New York Presbyterian Hospital settling a Pixel-related HIPAA violation case with the New York Attorney General for $300,000.

Lokker’s 2024 Study of Website Tracking Technologies

Lokker, a provider of online data privacy and compliance solutions, conducted a study of 3,419 websites across four industries (healthcare, technology, financial services, and retail), that explored three critical areas of risk.

  • Unauthorized consumer data collection through third-party trackers, tags, and pixels.
  • How privacy tools are often failing to meet the requirements of emerging laws.
  • The escalating complexities of protecting consumers’ data privacy.

The study looked at the threat of data brokers sharing consumer data with foreign adversaries. Across all industries, 12% of websites had the TikTok pixel, including 4% of healthcare companies. While the privacy risks associated with this pixel are lower than other tracking technologies, the information collected by TikTok pixel may be transferred to China. 2% of websites, including 0.55% of healthcare websites, were found to use pixels and other web trackers that originated in China, Russia, or Iran. Data transfers to foreign nations are a major concern for the U.S. government. In February this year, President Biden signed an Executive Order to prevent the sharing of Americans’ data with foreign countries.

Alarmingly, given the considerable media coverage, HIPAA guidance, regulatory fines, and lawsuits associated with website tracking technologies, 33% of healthcare organizations were still using Meta pixel on their websites. Lokker found an average of 16 trackers and a maximum of 93 trackers on healthcare websites. The most common trackers used by healthcare organizations were from Google (googletagmanager.com, doubleclick.net, google-analytics.com, google.com, googleapis.com, youtube.com), Meta (facebook.com, facebook.net), ICDN (icdn.com), and Microsoft (linkedin.com). There appears to be confusion about obtaining consent from website visitors about the collection of their data through tracking technologies such as pixels and cookies. According to OCR guidance, the use of a banner on a website advising visitors about the use of tracking technologies does not constitute a valid HIPAA authorization. These consent banners were identified on the websites of 59% of healthcare organizations.

These consent banners often do not function as intended, as 98.5% of websites load cookies on page load, with Lokker reporting that, on average, 33 cookies are loaded before consent banners appear, and these banners often misclassify or overlook cookies and trackers. Lokker also found that technologies such as browser fingerprinting are often excluded from consent tools, and the rapidly evolving web means tracker changes may go unnoticed by consent tools, resulting in users unwittingly consenting to undesired data collection.

In addition to compliance risks related to HIPAA, there is also a risk of Video Privacy Protection Act (VPPA) violations. 3% of healthcare companies had Meta pixel or other social media trackers on pages containing video players, putting them at risk of VPPA lawsuits. In 2023, more than 80 lawsuits were filed alleging VPPA violations due Meta pixel being used to gather and disseminate video viewing data from websites without user consent, some of which have led to multi-million-dollar settlements.

“LOKKER’s research sheds light on critical issues that businesses often underestimate. Unauthorized data collection through third-party trackers and related technologies is far more pervasive than most people realize. We all build websites with third-party tools, and they use other third-party tools, and so on. Many of these are essential and necessary. However, this web of interconnected technologies produces dozens to hundreds of URLs collecting data on a single webpage and is the engine that powers the data broker market,” said Ian Cohen, founder and CEO of LOKKER. “Moreover, data collection on websites and ad tech happens in real time; existing privacy tools are not real-time, and therefore not getting the job done. As a result, we’re seeing a dramatic increase in privacy violations, lawsuits, and fines.” The findings are published in Lokker’s Online Data Privacy Report March 2024.

The post One Third of Healthcare Websites Still Use Meta Pixel Tracking Code appeared first on HIPAA Journal.

Otolaryngology Associates Data Breach Affects Almost 317,000 Patients

Posted by Steve Alder

A cyber threat actor has tried to extort money from the Indiana ENT specialists, Otolaryngology Associates, after gaining access to its network and exfiltrating patient and employee data. Otolaryngology Associates said its security system generated alerts about a potential intrusion on February 17, 2024, a few hours after the threat actor gained access to the network. Immediate action was taken to secure the network and block the attack, and at no point was access to the network prevented.

Three days later on February 20, and again on February 21, a threat actor made contact and claimed to have stolen data in the attack and threatened to publish the stolen data if the ransom was not paid. Third-party forensic experts were engaged to investigate the breach and they determined that the threat actor had not manually accessed files on the network but had run programs that exfiltrated data from internal systems.

The forensic investigation was able to narrow down the data that may have been exfiltrated, but it was not possible to determine exactly what types of data had been taken. The review of the files on the compromised parts of the network revealed they contained the protected health information of 316,802 individuals. For the majority of the affected individuals, the information potentially stolen in the attack was limited to information contained in billing records, which do not include Social Security numbers or driver’s license numbers. The exposed information was limited to names, OA medical record numbers, service codes, date(s) of service, treating physician names, appointment locations, insurance company names, and the dollar amount of charges.

A subset of the affected individuals may have had one or more of the following exposed: Social Security number, driver’s license number, address, email address, telephone number, date of birth, appointment schedule, referral forms, and/or insurance plan numbers. Affected employees may have had their bank account information and payroll information exposed. The individual notification letters state the types of information that have been exposed. OA Facial Plastics patients were not affected as OA Facial Plastics systems were not accessed by the attacker.

Otolaryngology Associates said it has implemented additional security measures to prevent further attacks and has instructed a cybersecurity firm to monitor the dark web for any release of patient data. At the time of issuing the notifications, no patient data has been publicly released.

The post Otolaryngology Associates Data Breach Affects Almost 317,000 Patients appeared first on HIPAA Journal.

Email Accounts Compromised at Aveanna Healthcare and UNC Hospitals & School of Medicine

Posted by Steve Alder

Email accounts have been compromised at the Georgia home health provider Aveanna Healthcare and UNC Hospitals and School of Medicine in North Carolina. Patient data has been exposed and potentially stolen in the attacks.

Aveanna Healthcare

Aveanna Healthcare, an Atlanta, GA, provider of home health and hospice care, has announced a security breach of its email environment and the exposure of the data of 65,482 patients. Anomalous activity was identified in an employee email account on September 22, 2023. The account was immediately secured, and an investigation was launched to determine the nature of the activity, and whether patient data had been exposed or stolen.

The investigation confirmed that an unauthorized third party had gained access to its email environment and potentially obtained files that contained patient information. Third-party specialists were engaged to review the affected files to determine the individuals affected and the types of data that may have been compromised. That process was completed on March 12, 2024, and notification letters started to be mailed to the affected individuals on March 15, 2024. The affected individuals have been offered complimentary identity theft protection services.

The types of data involved varied from individual to individual and may have included names in combination with one or more of the following: Social Security number, driver’s license or state identification number, date of birth, medical information, diagnosis, treatment information, MRN/patient identification number, incidental health reference, provider name, health insurance information, prescription information, Medicare/Medicaid number, and treatment cost information. Aveanna Healthcare said it has not found any evidence to indicate patient data has been misused.

UNC Hospitals & School of Medicine

UNC Hospitals & School of Medicine has reported a breach of its email environment. A School of Medicine employee received a phishing email from a known and trusted contact and followed the link in the email, believing the message to be a genuine communication. The employee’s email account was protected with multi-factor authentication (MFA); however, the threat actor tricked the employee into sharing the MFA code, allowing the email account to be accessed.

The email account was compromised on February 1, 2024, and the incident was discovered the following day. The account was immediately secured; however, patient information in the account may have been viewed or acquired. While there have been no reports of misuse of patient information, UNC Hospitals is offering complimentary credit monitoring services to individuals who had their driver’s license numbers, Social Security numbers, financial account information, and/or health insurance information exposed. At this stage, it is unclear how many individuals have been affected.

The post Email Accounts Compromised at Aveanna Healthcare and UNC Hospitals & School of Medicine appeared first on HIPAA Journal.

Malicious Actor Steals Patient Data from Multiple Ernest Health Hospitals

Posted by Steve Alder

Ernest Health, the operator of rehabilitation and long-term acute care hospitals in Arizona, California, Colorado, Idaho, Indiana, Montana, New Mexico, Ohio, South Carolina, Texas, Utah, Wisconsin, and Wyoming, has started notifying patients about a recent data security incident involving their personal and protected health information.

Ernest Health identified unauthorized activity in its computer systems on February 1, 2024, and the forensic investigation confirmed there had been unauthorized access to systems containing patient data between January 16, 2024, and February 4, 2024, and files were acquired in the attack that included patient information. For the majority of the affected individuals, the compromised data was limited to names, addresses, dates of birth, medical record numbers, health insurance plan member IDs, claims data, diagnosis, and prescription information. Some patients also had their Social Security and/or driver’s license numbers compromised.

The security incident affected patients at multiple hospitals in the network, including:

  • Advanced Care Hospital of Southern New Mexico
  • Denver Regional Rehabilitation Hospital
  • Greenwood Regional Rehabilitation Hospital
  • Lafayette Regional Rehabilitation Hospital
  • Mountain Valley Regional Rehabilitation Hospital
  • Northern Colorado Rehabilitation Hospital
  • Northern Idaho Rehabilitation Hospital
  • Northern Utah Rehabilitation Hospital
  • Rehabilitation Hospital of Southern New Mexico
  • Rehabilitation Hospital of the Northwest
  • Summa Rehabilitation Hospital
  • Trustpoint Rehabilitation Hospital of Lubbock

Notification letters started to be mailed to the affected individuals on March 29, 2024, and complimentary credit monitoring and identity theft protection services have been offered for two years. The data breach has been reported to regulators, but it is currently unclear how many patients have been affected.

The post Malicious Actor Steals Patient Data from Multiple Ernest Health Hospitals appeared first on HIPAA Journal.

City of Hope Cyberattack Affects 827,000 Individuals

Posted by Steve Alder

City of Hope, a non-profit clinical research and cancer treatment center in Duarte, California, has confirmed that the personal and protected health information of 827,149 individuals was compromised in a 2023 cyberattack. Suspicious activity was detected within some of its systems on October 13, 2023, and after securing the systems and implementing mitigation measures, a forensic investigation was launched to determine the nature and scope of the incident. A third-party cybersecurity firm assisted with the investigation and confirmed there had been unauthorized access to some of its systems between September 19, 2023, and October 12, 2023. During that time, copies of certain files were exfiltrated from its systems.

The delay in issuing notifications was due to the time required to conduct a detailed review of all files on the compromised systems to determine the extent of the data breach. The investigation is ongoing, but City of Hope has confirmed that the files contained personal and protected health information. The types of data involved varied from individual to individual and included names in combination with one or more of the following data elements: contact information such as phone numbers and email addresses, dates of birth, Social Security numbers, driver’s license numbers, other government identification numbers, financial information such as bank account numbers and credit card details, health insurance information, medical records, medical histories, diagnoses/conditions, health insurance information, and unique internal patient identifiers.

City of Hope said additional and enhanced safeguards were implemented promptly and a leading cybersecurity firm was engaged to review the security of its network, systems, and data. The affected individuals are now being notified by mail. City of Hope is offering two years of complimentary credit monitoring and identity theft protection services to the individuals who had their data exposed in the attack.

The post City of Hope Cyberattack Affects 827,000 Individuals appeared first on HIPAA Journal.

Lamoille Health Partners Settles Class Action Data Breach Lawsuit for $540,000

Posted by Steve Alder

Lamoille Health Partners, a Vermont health system serving patients in Lamoille County, has agreed to settle a lawsuit that was filed in response to a June 2022 ransomware attack in which the protected health information of 59,381 patients was exposed and potentially stolen. Hackers gained access to the Lamoille Health Partners network between June 12, 2022, and June 13, 2022, and used ransomware to encrypt files. The attack exposed names, addresses, dates of birth, Social Security numbers, health insurance information, and medical treatment information. The affected individuals were notified about the breach in August 2022 and individuals who had their Social Security numbers exposed were offered complimentary identity protection and credit monitoring services.

A lawsuit – Marshall v Lamoille Health Partners Inc. – was filed in the U.S. District Court for the District of Vermont on September 1, 2022, in response to the breach that alleged Lamoille Health Partners was negligent by failing to implement reasonable and appropriate cybersecurity measures and follow security best practices. The lawsuit also alleged there was an unnecessary delay in notifying the affected individuals and that Lamoille Health Partners was not compliant with the HIPAA Rules. The lawsuit claimed the plaintiff, Patricia Marshall, and the class faced an imminent and ongoing risk of identity theft and fraud due to their sensitive information being in the hands of cybercriminals.

Lamoille Health Partners has not admitted to any wrongdoing and disagrees with the claims; however, a settlement was proposed to bring the legal action to an end. Under the terms of the proposed settlement, a $540,000 fund will be created to cover claims from individuals who were affected by the breach. Class members can submit claims of up to $5,000 to cover unreimbursed, documented out-of-pocket expenses incurred as a result of the breach, including bank fees, credit expenses, travel expenses, costs of credit monitoring services, and unauthorized charges. In addition, all class members will be entitled to a pro-rata payment which will be distributed after attorneys’ fees and legal costs have been deducted and claims have been paid. The payment is anticipated to be around $50 per class member.

Important Dates:

  • Deadline for exclusion/objection: May 30, 2024
  • Deadline for submitting claims: June 20, 2024
  • Final approval hearing: September 30, 2024

The post Lamoille Health Partners Settles Class Action Data Breach Lawsuit for $540,000 appeared first on HIPAA Journal.

New Jersey Nursing Facility to Pay $100,000 CMP to Resolve HIPAA Right of Access Violation

Posted by Steve Alder

The HHS’ Office for Civil Rights has announced another financial penalty has been imposed for a violation of the HIPAA Right of Access. Essex Residential Care, LLC, which does business as Hackensack Meridian Health, West Caldwell Care Center in New Jersey, has been ordered to pay a civil monetary penalty of $100,000 to resolve the alleged violation.

Hackensack Meridian Health operates skilled nursing facilities in New Jersey, including the West Caldwell Care Center. In May 2020, OCR received a complaint from the son of a mother who had received care at West Caldwell Care Center who alleged he had not been provided with a copy of her medical records within the 30 days allowed by the HIPAA Privacy Rule.

Son Not Provided with His Mother’s Records within 30 Days

The complainant was the personal representative of his mother and therefore should have been provided with a copy of his mother’s medical records. The complainant first asked for a copy of the records on April 19, 2020, via email, and on April 23, 2020, an administrator at West Caldwell Care Center advised him that the records could not be provided without a copy of a power of attorney, medical proxy or similar document executed by the mother, confirming that he was her personal representative.

The appropriate documentation was provided but West Caldwell Care Center still did not provide the requested records, which led to him filing a complaint with OCR. On October 15, 2020, OCR notified West Caldwell Care Center that an investigation had been opened as a result of the complaint and the correspondence included a data request pursuant to the investigation.

West Caldwell Care Center responded and acknowledged that the records had not been provided within the allowed 30 days and, in response to OCR’s investigation, sent the requested records in late November, which were received by the complainant on December 1, 2020, 161 days after the initial request was made.

West Caldwell Care Center Disagreed with OCR’s Determination

Most HIPAA Right of Access investigations are informally settled with OCR, a financial penalty is paid, and the covered entity agrees to adopt a corrective action plan which includes updates to its policies and procedures and training on HIPAA policies for staff members. In this case, West Caldwell Care Center’s attorney disagreed with OCR’s proposed resolution of the investigation. OCR then notified West Caldwell Care Center that the investigation had uncovered preliminary indications of non-compliance with the HIPAA Right of Access, and OCR provided West Caldwell Care Center with the opportunity to submit evidence of mitigating factors.

West Caldwell Care Center acknowledged that the complainant was not provided with the requested records, but the records were provided to another facility to which his mother had been transferred. West Caldwell Care Center also said that at the time of the initial request, there was ongoing litigation due to the non-payment of care costs. As another mitigating factor, West Caldwell Care Center said it was dealing with the COVID-19 pandemic, and that the complainant filed a complaint with OCR exactly 30 days after the request was made before West Caldwell Care Center’s response to the initial request was due. West Caldwell Care Center accepted that the matter should have been handled differently.

$100,000 Civil Monetary Penalty Imposed

OCR determined that West Caldwell Care Center failed to provide the requested records within the 30 days allowed by the HIPAA Privacy Rule and that the delay from June 23, 2020, to December 1, 2020, was a violation of the HIPAA Right of Access. The maximum civil monetary penalty was $206,080 based on the reasonable cause penalty tier (see: What are the penalties for HIPAA violations); however, per OCR’s reinterpretation of the language of the HITECH Act and its subsequent Notice of Enforcement Discretion, the penalty was capped at $100,000.

West Caldwell Care Center argued that a civil monetary penalty was not permitted because the violation was not due to wilful neglect and was timely corrected and that imposing a civil monetary penalty would be arbitrary and capricious and would violate the Administrative Procedure Act (APA). OCR disagreed that the violation was timely corrected and said the affirmative defense requirements were not met, and that the penalty was appropriate and reasonable given that the violation did not violate the APA and that the civil penalty amount was reasonable given the substantial delay providing the requested records.

West Caldwell Care Center said its staff believed they had responded in the allowed time frame by transferring the records to another facility; however, OCR’s view was that the records were not provided to the personal representative as required by HIPAA. West Caldwell Care Center was advised of its right to request a hearing with an administrative law judge; but on advice from its legal counsel, chose to waive that right.

“A patient’s timely access to health records is paramount for medical care. The Office for Civil Rights continues to receive complaints from individuals and personal representatives on behalf of individuals who do not receive timely access to their health records,” commented OCR Director Melanie Fontes Rainer. “OCR will continue to vigorously enforce this essential right to ensure compliance by health care facilities across the country.”

This is the fourth financial penalty imposed by OCR in 2024 to resolve alleged HIPAA violations and its 145th financial penalty to date. OCR has now fined 48 HIPAA-regulated entities for failing to provide patients or their personal representatives with timely access to the requested medical records that they are legally entitled to obtain.

The post New Jersey Nursing Facility to Pay $100,000 CMP to Resolve HIPAA Right of Access Violation appeared first on HIPAA Journal.

OCR Settles HIPAA Right of Access Investigation with Phoenix Healthcare for $35,000

Posted by Steve Alder

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced that a $35,000 settlement has been reached with Phoenix Healthcare to resolve a HIPAA Right of Access violation. This is the 47th investigation of a HIPAA Right of Access case to result in a financial penalty. The HIPAA Right of Access provision of the HIPAA Privacy Rule requires patients or their personal representatives to have timely access to their health information. Access/copies of the requested information must be provided within 30 days of the request being received.

OCR received a complaint from a daughter whose mother was a patient of Phoenix Healthcare, an Oklahoma multi-facility organization in nursing care. The daughter was the personal representative of her mother and had not been provided with timely access to her mother’s medical records. The daughter requested the records on multiple occasions and had to wait almost a year to receive the requested data. The requested records were provided 323 days after the initial request was made.

The daughter reported the matter to OCR as a potential HIPAA investigation and OCR launched an investigation. OCR determined that there had been a violation of the HIPAA Right of Access and informed Phoenix Healthcare by letter on March 30, 2021, of its intention to impose a financial penalty of $250,000 for the failure to comply with the HIPAA Right of Access provision of the HIPAA Privacy Rule. Phoenix Healthcare contested the proposed fine and requested a hearing before an Administrative Law Judge (ALJ). The ALJ upheld the violations cited by OCR and that there had been wilful neglect of the HIPAA Privacy Rule. The ALJ ordered Phoenix Healthcare to pay a civil monetary penalty of $75,000.

Phoenix Healthcare appealed the $75,000 penalty, contesting both the penalty amount and the wilful neglect determination. The Departmental Appeals Board affirmed the ALJ’s decision that there had been wilful neglect of the HIPAA Rules and order to pay $75,000; however, OCR chose to settle with Phoenix Healthcare and reduced the financial penalty to $35,000 on the condition that the Departmental Appeals Board’s decision is not challenged, that Phoenix Healthcare revises its HIPAA policies and procedures, and provides HIPAA training on the revised policies and procedures to its workforce.

“Patients need to make the best decisions possible for their health and well-being, so timely access to their medical records is imperative,” said OCR Director Melanie Fontes Rainer. “Without this access, patients are at risk for incorrect treatments, inaccurate health records, and lack of understanding of their health conditions. It is unacceptable for a health care provider to delay or deny requests to release medical records for months, and we are calling on providers everywhere to be compliant to help empower patients.”

This is the third OCR HIPAA investigation of 2024 to result in a financial penalty, the others being a $4,750,000 settlement with Montefiore Medical Center, and a $40,000 settlement with Green Ridge Behavioral Health.

The post OCR Settles HIPAA Right of Access Investigation with Phoenix Healthcare for $35,000 appeared first on HIPAA Journal.

MFA Bypassed in Cyberattack on L.A. County Department of Mental Health

Posted by Steve Alder

Cyberattacks and data breaches have been reported by the L.A. County Department of Mental Health, Healthfirst, Wyndemere Senior Care, Risas Dental & Braces, and Baylor College of Medicine.

Los Angeles County Department of Mental Health

The Los Angeles County Department of Mental Health has recently notified the California Attorney General about a breach of an employee’s email account. The email account had multi-factor authentication (MFA) in place; however, MFA was bypassed. The cyber threat actors bypassed MFA using a technique known as push notification spamming, where a user is sent multiple MFA push notifications to their mobile device in the hope that they will eventually respond. The employee did respond, resulting in their email account being compromised.

According to the Department of Mental Health, the attack stemmed from a breach at the City of Gardena Police Department (GDP). “GPD’s email exchanges with the Department of Mental Health (DMH) allowed the malicious actor or actors to send an email to a DMH employee and get access to that employee’s Microsoft Office 365 account.” The account contained names, dates of birth, Social Security numbers, addresses, telephone numbers, and medical record numbers.

This is not the first attack of this kind to affect the Department of Mental Health. Similar attacks occurred on October 6, 2023, and October 24, 2023. The breach notices sent to the affected individuals on December 6, 2023, December 22, 2023, and March 22, 2024, all include the following statement, “We have also notified Microsoft of the vulnerability in the Microsoft Office 365 multifactor authentication that was exploited by the malicious actor or actors. We have since implemented new security controls to address this specific attack.” Only one report is currently showing on the HHS’ Office for Civil Rights breach portal – dated December 22, 2023 – indicating 1,284 individuals were affected. It is unclear how many individuals had their data exposed in the latest attack.

Healthfirst

The New York health insurance provider, Healthfirst, has recently notified 6,836 of its 2 million members about unauthorized access to its member portal. Healthfirst, which provides health plans under the names Healthfirst PHSP, Inc., Healthfirst Health Plan, Inc., and Healthfirst Insurance Company, said member names, dates of birth, Healthfirst member ID numbers, and member zip codes were used to create unauthorized accounts. The accounts have now been disabled and internal protocols for digital member account validation have been updated to prevent similar incidents in the future. An investigation is ongoing into the source of the unauthorized activity. Healthfirst said it has no reason to believe that the unauthorized activity is linked to the Change Healthcare cyberattack. The affected individuals were notified on March 19, 2024.

Wyndemere Senior Care

Wyndemere Senior Care LLC, a Wheaton, IL-based provider of independent & assisted living neighborhoods, skilled nursing, & memory care, has notified 6,846 individuals that some of their personal information has been exposed in a cyberattack. Suspicious activity was detected in its computer systems on September 8, 2023, with the forensic investigation confirming there had been unauthorized network access between September 1, 2023, and September 8, 2023. A review of the files on the compromised parts of the network confirmed on February 21, 2024, that names and financial account numbers had been exposed. Individual notifications were mailed to the affected individuals on March 28, 2024. Wyndemere said it is implementing additional cybersecurity safeguards and is providing further training to its employees.

Risas Dental & Braces

Risas Dental & Braces in Phoenix, AZ, has recently notified patients about a cyberattack detected in July 2023 in which their protected health information was exposed. Unusual activity was identified in its computer systems on July 10, 2023, and immediate action was taken to secure its network. Third-party cybersecurity specialists were engaged to investigate the incident and determine the nature and scope of the unauthorized activity. The digital forensics team determined that unauthorized individuals had gained access to the network and may have downloaded files containing patient data.

The review of those files was completed on January 26, 2024, and confirmed they contained protected health information such as names, contact information, high-level treatment information such as procedure names or notes, the initial date or dates of service, and/or insurance subscriber information.  The affected individuals were notified by mail on March 22, 2024. The incident is not yet showing on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

Baylor College of Medicine (Advarra)

Baylor College of Medicine in Houston, TX, has confirmed that the personal information of certain participants in breast cancer clinical trials has been exposed in a data breach at its vendor, Advarra. The data was present in the email account of an Advarra employee that was accessed by an unauthorized third party in October 2023. Baylor College of Medicine was first made aware of the email security incident in November 2023, with the Advarra investigation determining in February 2024 that research participants’ data had been exposed. Advarra reported the breach to the Maine Attorney General in February as affecting 4,656 individuals and involving names, other personal identifiers, and Social Security numbers. It is unclear whether that figure includes the research participants.

Baylor College of Medicine said the research participants’ data exposed in the attack related to breast cancer research and clinical trials at the Dan L Duncan Comprehensive Cancer Center between 1999 to 2013. Baylor College of Medicine said the breach names and dates of birth and that Advarra has offered affected individuals complimentary credit monitoring, fraud consultation, and identify theft restoration services.

The post MFA Bypassed in Cyberattack on L.A. County Department of Mental Health appeared first on HIPAA Journal.