HIPAA Breach News

Luxottica Data Breach Impacts 829,454 Individuals in the United States

Luxottica, the world’s largest eyewear company, experienced a cyberattack that affected some of the websites operated by the company.

Luxottica is the owner of eyewear brands such as Ray-Ban, Oakley, and Persol and produces designer eyewear for many well-known fashion brands. It also operates the EyeMed vision benefits company and partners with LensCrafters, Target Optical, EyeMed, Pearle Vision, and other eye care providers.

Luxottica partners are provided with web-based appointment scheduling software that allows patients to book appointments with eye care providers online and by phone. According to a recent breach notification, the appointment scheduling application was hacked by unknown individuals on August 5, 2020 and the attackers potentially gained access to the personal and protected health information of patients of its eye care partners.

Luxottica discovered the cyberattack on August 9, 2020 and immediately took steps to contain the breach. The subsequent investigation confirmed that personal and protected health information was potentially accessed and acquired by the attackers. The types of data exposed included names, contact information, appointment dates and times, health insurance policy numbers, appointment notes, doctors’ notes, and information related to eye care treatment, including health conditions, procedures, and prescriptions. A limited number of patients also had their credit card number and/or Social Security number exposed.

Luxottica is unaware of any cases of misuse of personal or protected health information but, as a precaution, individuals whose financial information or Social Security number was potentially compromised have been offered a 2-year complimentary membership to Kroll’s identity theft protection service. Notifications started to be sent to the 829,454 individuals affected by the breach on October 27, 2020.

This is not the only security breach to have affected Luxottica this year. On September 18, 2020, the eyewear company suffered a Nefilim ransomware attack that caused significant outages and disruption to services in Italy and China. Sensitive information was also stolen in the attack prior to the deployment of ransomware.

The post Luxottica Data Breach Impacts 829,454 Individuals in the United States appeared first on HIPAA Journal.

Ransomware Attack on Medicaid Billing Service Provider Impacts 116,000 Individuals

Timberline Billing Service, LLC, a Des Moines, IA-based Medicaid billing company, has suffered a ransomware attack that resulted in the encryption and theft of data.

An investigation into the attack revealed an unknown individual gained access to its systems between February 12, 2020 and March 4, 2020 and deployed ransomware. Prior to the encryption of files, some information was exfiltrated from its systems.

Timberline’s clients include around 190 schools in Iowa. School districts in the state that have been impacted by the breach have now been notified. It is currently unclear exactly how many schools were affected and if the breach was limited to schools in Iowa. Timberline also has offices in Kansas and Illinois.

The types of data potentially obtained by the attacker included names, dates of birth, Medicaid ID numbers, and billing information. A limited number of Social Security numbers were also potentially compromised. While data theft occurred, no reports have been received to indicate any data have been misused.

The breach has been reported to the Department of Health and Human Services’ Office for Civil Rights as affecting up to 116,131 individuals.

University of California San Francisco Suffers PHI Breach

University of California San Francisco (UCSF) has suffered a cyberattack in which personal and health information held by the UCSF School of Medicine was potentially compromised. The cyberattack was detected on June 1, 2020 and involved a limited part of the School of Medicine’s IT systems. No further information on the exact nature of the attack has been released.

A leading cybersecurity consultant was retained to assist with the investigation and determined records relating to current and former UCSF employees, students, collaborators, and research participants may have been compromised. Those records contained names, government ID numbers, Social Security numbers, medical information, health insurance information, and some financial information. UCSF says it is unaware of any misuse of personal information.

UCSF has been working with third party cybersecurity consultants to reinforce its IT security defenses to prevent further breaches in the future.


PHI Incidents Recently Reported by Healthcare Providers and Business Associates

A roundup of privacy and security incidents recently reported by HIPAA-covered entities and business associates that involved the exposure or disclosure of protected health information.

Server Breach Impacts Patients of Northwest Eye Surgeons and Sight Partners

Northwest Eye Surgeons LLC and Sight Partners LLC have started notifying 20,838 patients that some of their protected health information was stored on a server that was accessed by an unauthorized third party.

The breach was detected on May 1, 2020 and an investigation was immediately launched to determine the extent and scope of the breach. A third-party cybersecurity firm was engaged to assist with the investigation, and the review of the affected server was completed on July 31, 2020. A different IT firm was then engaged on August 7, 2020 to identify all protected health information stored on the server to determine which patients were affected.

The review revealed the server contained information such as patients’ names, dates of birth, Social Security numbers, driver’s license numbers, ID numbers, financial account and credit card information, medical information and insurance information.

No evidence was found to indicate patient information was removed from the server or has been misused, but out of an abundance of caution, affected patients have been offered complimentary membership to Equifax Credit Watch Gold credit monitoring, identity theft protection, and dark web monitoring services for two years.

Email Breach at Distributor Affects 3,429 Users of DJO Mobility Products

DJO, LLC, a Lewisville, TX-based provider of medical technologies to improve patient mobility, is alerting 3,429 patients that some of their protected health information has potentially been accessed by an unauthorized individual in an email breach at a former independent distributor.

An email account used by an employee of All Pro Sports was compromised in a phishing attack. The email account was accessed and used to send phishing emails to individuals in the employee’s contact list. An analysis of the email account revealed it contained limited information relating to users of DJO products in central Florida. The exposed information was limited to names, addresses, email addresses, dates of birth, physician names, product information, information related to the product prescription, and, for a limited number of individuals, Medicare numbers.

The email breach was discovered by All Pro Sports on August 17, 2020 and steps were immediately taken to secure the account. DJO conducted a thorough investigation of the incident, engaged a leading IT forensics company to assist with the investigation, and confirmed that no other systems or information were involved. Affected patients were notified about the breach in October.

Lawrence General Hospital Reports Data Security Incident

Lawrence General Hospital in Massachusetts has reported a data security incident in which unauthorized individuals potentially accessed a limited amount of patient information. A security breach was identified on September 19, 2020 which disrupted its IT systems. The investigation revealed an unauthorized individual gained access to its systems on September 9, 2020. Access was possible until September 19 when the network was secured.

The compromised systems contained patient names, internal patient ID numbers, insurance type, internal visit ID numbers and, for a very limited number of patients, some clinical information. The Social Security numbers of 5 patients were also potentially compromised.

Notifications were sent to affected individuals on November 5, 2020. Lawrence General Hospital said enhancements have been made to its intrusion detection systems in response to the breach.

Spreadsheet Error Exposed Limited PHI of Mary Rutan Hospital Patients

Mary Rutan Hospital in Bellefontaine, OH has discovered a limited amount of patient information has been exposed due to a spreadsheet error. A link was added to the hospital’s website to provide information on Diagnosis Related Groups (DRGs), a patient classification system that standardizes prospective payment to hospitals. DRG payments cover charges associated with an inpatient stay at the hospital.

The link directed individuals to a spreadsheet which was discovered to have multiple tabs, on which limited patient information was visible. Two of the tabs contained patient names, patient account numbers, birth dates, dates of service, reasons for visit, DRG codes, visit costs, insurance payment amounts, adjusted amounts, and any balances due for 1,677 patients. High risk data were not included on the spreadsheet.

No evidence was found to indicate the information was viewed by unauthorized individuals. The link was deactivated the same day the error was discovered.

Tri-State Specialists Notifies 17,500 Patients About Email Error

Tri-State Specialists, a network of orthopedic surgery clinics serving residents in Iowa, South Dakota, and Nebraska, is notifying 17,050 patients about an incident that resulted in the impermissible disclosure of their names and email addresses to a small number of current and former patients.

On September 16, 2020, Tri-State Specialists discovered an email had been sent by an employee that included patients’ names and email addresses in an attached file. No other patient information was included in the file. Patients have been advised to be vigilant for spam messages as a result of the disclosure of their email addresses.

In response to the breach, Tri-State Specialists has revised policies and procedures related to the sending of emails to prevent similar breaches in the future. The importance of data privacy has been re-emphasized with the workforce.


$350,000 Settlement Reached to Resolve Saint Francis Healthcare Data Breach Lawsuit

A $350,000 settlement has been reached between Saint Francis Healthcare System and patients impacted by a September 2019 ransomware attack on Ferguson Medical Group (FMG).

FMG was acquired by Saint Francis after a cyberattack that rendered data, including electronic medical records, on FMG systems inaccessible. The decision was taken to restore the encrypted data from backups rather than pay the ransom, and while patient data and other files were recovered, it was not possible to recover all data encrypted in the attack. FMG was unable to restore a batch of data related to medical services provided to patients between September 20, 2018 and December 31, 2018 which has been permanently lost. FMG announced the incident impacted around 107,000 patients, and those individuals were offered complimentary membership to credit monitoring services.

A class action lawsuit was filed against Saint Francis Healthcare in January 2020 in the U.S. District Court of Eastern Missouri which alleged negligence per se, breach of express and implied contracts, invasion of privacy, and violations of the Missouri Merchandise Practices Act. Almost 90,000 of the affected patients added their name to the lawsuit.

While credit monitoring services had been offered to affected individuals, the plaintiffs sought compensation for costs incurred as a result of the data breach and attorneys’ fees. The lawsuit also demanded Saint Francis Healthcare implement additional safeguards to improve data security.

A motion to dismiss the lawsuit was filed by Saint Francis Healthcare in March 2020 as it was claimed the plaintiffs failed to state a plausible cause for relief. The plaintiffs maintained the motion to dismiss lacked merit; however, if the case were to go to trial, the outcome would be unpredictable. Both parties agreed to attempt to settle the case out of court.

The proposed settlement will see all plaintiffs provided with a maximum of $280 to cover out-of-pocket expenses incurred as a result of the breach, additional credit monitoring services, and compensation for time spent protecting their identities.

Saint Francis Healthcare has also agreed to make improvements to security, including reviewing firewall rules, automatically updating its firewall to the latest version and applying patches promptly, restricting remote access to legacy systems, developing and implementing new password management policies, adding multi-factor authentication to its VPN access points, removing RDP from its vendor access solution, implementing geo-blocking for traffic to certain IP addresses, implementing a vulnerability scanning program, and providing more comprehensive cybersecurity training to the workforce.

The settlement now awaits approval from a judge. A conference with District Judge Stephen R. Clark of the District Court of Eastern Missouri is scheduled for November 17, 2020.


Healthcare Providers Affected by Email Account Breach at Payment Processing Vendor

Lafayette, LA-based Provider Health Services, Paragould-based Arkansas Methodist Medical Center, and Miami, FL-based IntelliRad Imaging have announced they have been affected by an email security breach at one of their business associates.

All three entities have a lockbox service with IBERIABANK to collect and process payments. IBERIABANK uses Technology Management Resources, Inc. (TMR) as a third-party lockbox service provider for capturing and processing payment data for the lockbox. TMR discovered on July 3, 2020 that the email account of one of its employees had been accessed by an unauthorized individual, and that individual may have accessed or exfiltrated images containing protected health information.

TMR notified affected customers on August 21, 2020 and confirmed that the threat actor potentially viewed images of checks and other images that contained protected health information within TMR’s iRemit application. The unauthorized access occurred between August 5, 2018 and May 31, 2020, with most of the activity occurring between February 2020 and May 2020.

Provider Health Services said in its substitute breach notice that the PHI potentially viewed was limited to names, addresses, Social Security numbers, and some medical information.

Arkansas Methodist Medical Center said that, in addition to the above information, checking account numbers and routing numbers found on personal checks and information submitted with payments, such as AMMC account numbers, were also potentially compromised.

IntelliRad Imaging reports that patient names, addresses, Social Security numbers, bank account and routing numbers, diagnosis and treatment information, test results, health insurance information, and other information related to patient medical care were also potentially compromised.

TMR has since taken several steps to prevent further breaches, including implementing additional firewall rules to carefully control access to the iRemit website and restricting access from other countries.

Arkansas Methodist Medical Center reported the breach as affecting 4,916 of its patients, 1,700 patients of Provider Health Services were affected, and IntelliRad Imaging said 1,862 patients were affected.


Blackbaud SEC Filing Provides Further Information on Data Breach and Mitigation Costs

The number of victims reporting being impacted by the Blackbaud ransomware attack and data breach has continued to grow over the past few weeks, with the Department of Health and Human Services’ Office for Civil Rights breach portal continuing to list healthcare victims. Recent additions include Moffitt Cancer Center, OSF HealthCare System, and Geisinger, with those three entities reporting the incident as affecting a total of 276,600 individuals.

While the total number of victims has not been disclosed by Blackbaud, at least 250 healthcare organizations, non-profits, and educational institutions are known to have been impacted, with healthcare organizations reporting the breach as affecting more than 10 million individuals.

Unsurprisingly given the breach costs incurred by organizations and the number of individuals whose personal information has been exposed, Blackbaud is facing many class action lawsuits. At least 23 proposed class action lawsuits have been filed so far in the United States and Canada, according to its 2020 Q3 Quarterly Report filed with the U.S. Securities and Exchange Commission (SEC). 17 of those lawsuits were filed in federal court in the United States, 4 in state courts, and 2 in Canadian courts.

The lawsuits allege victims have suffered harm as a result of the breach and allege violations of several laws, with the plaintiffs seeking damages, injunctive relief, and attorneys’ fees. Around 160 claims have also been received from Blackbaud’s customers in the U.S., Canada, and the United Kingdom.

In addition to the lawsuits, Blackbaud is being investigated by regulators over violations of data privacy laws, including the Department of Health and Human Services, the Federal Trade Commission, and internationally by the UK’s Information Commissioner’s Office and the Office of the Privacy Commissioner of Canada. A joint investigation has also been launched by 43 state attorneys general and the District of Columbia.

According to the SEC filing, Blackbaud has already incurred costs in excess of $3.2 million dealing with the cyberattack between July and September 2020, and $3.6 million in costs over the previous 9 months. That figure is offset by $2.9 million accrued in insurance recoveries between July and September.

Costs will continue to be accrued in the response to the breach and while those costs are likely to be considerable, Blackbaud expects its cyber insurance policies to cover the bulk of the costs of the breach.

“We have good insurance in place – our insurers are working with us very closely. The key there is coordinating with them and make sure we’re clear on what they’re covering or not going to cover,” said Blackbaud’s chief financial officer Anthony Boor in an October 30, 2020 call with financial analysts.

While the cyber insurance policies have already covered some of the costs, there is no guarantee that all costs will be covered by those policies. “Lawsuits that are putative class actions require a plaintiff to satisfy a number of procedural requirements before proceeding to trial,” explained Boor. “As a result of these uncertainties, we may be unable to determine the probability of loss until, or after, a court has finally determined that a plaintiff has satisfied the applicable class action procedural requirements.”

In the call with financial analysts, Blackbaud explained that the forensic investigation revealed exactly how the hackers succeeded in gaining access to its systems. The flaw exploited in the attack was present in one of its early generation products which has since been fixed and steps have already been taken to harden security. Blackbaud also explained that millions of dollars had been invested in cybersecurity and personnel prior to the breach in preparation for such an attack.

Blackbaud managed to contain the attack but was not able to prevent the exfiltration of some customer data. The ransom was paid to prevent publication of the data and Blackbaud believes the payment has prevented any further disclosures of data.

“We have no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly,” explained Blackbaud in the SEC filing.


Ascend Clinical and Alamance Skin Center Suffer Ransomware Attacks

Redwood City, CA-based Ascend Clinical, a provider of ESRD laboratory testing for independent dialysis providers, has announced it suffered a phishing attack that led to a ransomware attack in May 2020.

Unusual system activity and file encryption were detected on or around May 31, 2020. Prompt action was taken to isolate the affected systems and an investigation was launched to determine the nature and scope of the incident. Assisted by a third-party security firm, Ascend Clinical determined access to its systems was gained when an employee responded to a phishing email.

Prior to the use of ransomware, the attackers accessed files that contained names, dates of birth, mailing addresses, and Social Security numbers. Steps have since been taken to strengthen its email security defenses to prevent similar attacks in the future.

The breach report submitted to the HHS’ Office for Civil Rights indicates 77,443 individuals were affected by the incident.

Alamance Skin Center Suffers Ransomware Attack

The Greensboro-based health system, Cone Health, has suffered a ransomware attack that affected the Alamance Skin Center in Burlington, NC.

The ransomware attack was limited to the single practice and occurred in late July 2020 and is believed to have started with a phishing attack or brute force attempt to obtain credentials. Prompt action was taken to isolate the impacted systems and third-party computer forensics experts were retained to assess the scope of the breach. The investigation did not find any evidence to suggest patient information was stolen prior to the encryption of files and no reports have been received that indicate patient information has been misused.

However, some patient information was encrypted in the attack and is unrecoverable. Cone Health reports the protected health information affected was limited to patient names, medical record numbers, dates of birth, diagnosis information, addresses, and date(s) of service.

The attack affected the appointments system, which is not accessible. Patients with appointments have been advised to contact the practice to confirm their appointment. Since it was not possible to determine with 100% certainty that patient information was not accessed by the attackers, all affected patients have been advised to be vigilant against incidents of identity theft and fraud.

Alamance Skin Center is reviewing existing policies and procedures and will be implementing additional safeguards to prevent similar incidents in the future.

Perry County Memorial Hospital Discovers Email Security Breach

Perry County Memorial Hospital in Tell City, IN has discovered the email accounts of two employees have been accessed by unauthorized individuals.

An investigation was launched which revealed the accounts were accessed on August 23, 2020. A review of the compromised accounts confirmed they contained private patient data which could have been viewed or obtained by the attackers, although no evidence of data theft was identified.

The information potentially compromised was limited to names, dates of birth, diagnoses/diagnostic codes, internal patient account numbers, provider names, and other health information, along with a limited number of Social Security numbers, Medicare/Medicaid numbers, and health insurance information.

Perry County Memorial Hospital is taking steps to enhance email security to prevent similar breaches in the future. Individuals whose Social Security number was potentially compromised have been offered complimentary membership to identity theft monitoring services.

BryLin Behavioral Health Notifies Patients About Potential PHI Breach

BryLin Behavioral Health System, a provider of mental health and addiction treatment services in Buffalo, NY, is alerting certain patients that some of their protected health information was potentially compromised as a result of a cybersecurity incident that occurred in August 2020.

Unusual network activity was detected by BryLin on August 19, 2020. Immediate action was taken to secure the network and an investigation was launched which revealed its systems had been compromised on August 14, 2020. Unauthorized individuals potentially accessed documents on the compromised systems that contained patient names, dates of birth, addresses, treatment information and/or clinical information and, in some instances, patients’ Social Security numbers and/or health insurance information. The breach only affected data of patients who received medical services at BryLin hospital. Patient information from its outpatient clinic, outpatient substance use, and outpatient mental health care services was not affected.

All patients affected by the breach have now been notified and the 75 patients who had their Social Security number exposed have been offered complimentary credit monitoring services.

It is currently unclear how many individuals have been affected by the breach.


Wakefern Food Corporation Settles HIPAA Breach Case with NJ Attorney General for $235,000

Wakefern Food Corporation has agreed to pay $235,000 in civil financial penalties to resolve allegations of violations of federal and state laws related to a data breach involving the protected health information of 9,700 customers of two ShopRite supermarkets in Millville, Cumberland County and Kingston, New York. In addition to the financial penalties, the settlement requires improvements to be made to data security practices.

Wakefern Food Corporation is the parent company of Union Lake Supermarket, LLC, which owns the ShopRite store in Millville, and ShopRite Supermarkets, Inc., which owns the ShopRite store in Kingston, NY.

In 2016, Wakefern replaced electronic devices that were used to collect customer signatures and purchase information at the two locations. The old devices were disposed of in regular dumpsters without first destroying the devices or purging/clearing the stored data to ensure sensitive information could not be recovered. The devices contained the protected health information of 9,700 customers of the two stores including names, contact information, zip codes, driver’s license numbers, dates of birth, prescription numbers, prescription types, pickup and delivery dates.

After receiving reports about the improper disposal of ePHI, the New Jersey Division of Consumer Affairs launched an investigation and determined the disposal of the devices was in violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and there had been multiple violations of the state’s fraud act. Staff at the stores had also not been provided with appropriate training on the handling and disposal of sensitive information.

“Pharmacies have a legal obligation to protect the privacy and security of the patient information they collect, and to properly dispose of that information when the time comes,” said New Jersey Attorney General Gurbir S. Grewal. “Those who compromise consumers’ private health information face serious consequences.”

Wakefern has agreed to pay $209,856.50 in civil penalties and $25,143.50 for reimbursement of attorneys’ fees and investigative costs, and will implement protective measures to ensure future data breaches are prevented. Those measures include appointing a chief privacy officer, executing a business associate agreement with ShopRite Supermarkets, Union Lake, and each of the members that operate pharmacies within the supermarkets, and ensuring appropriate measures are implemented to safeguard protected health information. Each of the ShopRite stores that has a pharmacy is required to appoint a HIPAA privacy officer and HIPAA security officer to oversee compliance, and online training must be provided for those officers on their privacy and security roles.

“New Jersey consumers have a right to know that when they purchase a prescription medication at the neighborhood supermarket, their most private information will be fully protected under the law and not carelessly left to fall into the wrong hands,” said Paul R. Rodríguez, Acting Director of the Division of Consumer Affairs. “This settlement ensures that ShopRite supermarket pharmacies will be trained and monitored for HIPAA compliance to avoid future conduct that places consumers at risk for privacy invasion and identity theft.”


Email Incidents Result in the Potential Disclosure of the PHI of More Than 41,000 Patients

Four email-related data breaches have recently been reported by U.S. healthcare providers, along with an unspecified cyberattack on a mental health and addiction treatment provider.

12,000 Patients Impacted by Email Breach at Arkansas Otolaryngology Center

Little Rock, AR-based Arkansas Otolaryngology Center is alerting 12,000 patients about an email security breach discovered on July 17, 2020. An unauthorized individual was discovered to have gained access to the email account of an employee and was using the account to send unauthorized messages.

Assisted by a third-party computer forensics company, Arkansas Otolaryngology Center determined that four email accounts had been compromised between July 17, 2020 and July 27, 2020. It was not possible to determine whether any emails in the accounts had been subjected to unauthorized access during the time the accounts were accessible.

A review of emails and email attachments in the compromised accounts revealed they contained the following types of protected health information: names, dates of birth, medical record numbers, Social Security numbers, diagnoses, doctors’ names, driver’s license numbers, state identification card numbers, insurance group numbers, treatment locations, and treatment or procedure types or codes. A limited number of individuals also had financial account information exposed.

Upon discovery of the breach a full password reset was performed, and additional technical safeguards have since been implemented to prevent further email breaches. Individuals affected by the breach have been offered complimentary credit monitoring services.

Centerstone of Indiana Email Breach Impacts 11,638 Patients

Centerstone of Indiana, a provider of mental health and substance use disorder treatment services in Indiana, Illinois, Tennessee, and Florida, has discovered an employee’s email account has been accessed by an unauthorized individual.

Unusual activity was detected in the email account and it was immediately secured. The investigation revealed the email account had been accessed between December 12, 2019 and December 16, 2019; however, it took until August 25, 2020 for the investigation to confirm that protected health information was contained within the account.

The protected health information of 11,638 patients was exposed in the incident, including names, dates of birth, Social Security numbers, driver’s license numbers, state identification card numbers, medical diagnoses, treatment information, Medicaid and Medicare information, and health insurance information. The types of exposed data varied from patient to patient. Some employee information was also potentially compromised.

Notification letters were sent to affected patients on Thursday, October 22, 2020 and information has been provided on the steps that should be taken to reduce the risk of misuse of their data.

Centerstone reports that $800,000 has been invested in IT security infrastructure following the breach, including new software applications and security appliances. A security audit and gap assessment are being conducted by third-party security experts to identify any other areas where security can be improved. Policies and procedures are also being reassessed, and further IT security training has been provided to the workforce.

Perry County Memorial Hospital Discovers Email Security Breach

Perry County Memorial Hospital in Tell City, IN has discovered that the email accounts of two employees were accessed by unauthorized individuals.

An investigation was launched which revealed the accounts were accessed on August 23, 2020. A review of the compromised accounts confirmed they contained private patient data which could have been viewed or obtained by the attackers, although no evidence of data theft was identified.

The information potentially compromised was limited to names, dates of birth, diagnoses/diagnostic codes, internal patient account numbers, provider names, and other health information, along with a limited number of Social Security numbers, Medicare/Medicaid numbers, and health insurance information.

Perry County Memorial Hospital is taking steps to enhance email security to prevent similar breaches in the future. Individuals whose Social Security number was potentially compromised have been offered complimentary membership to identity theft monitoring services.

Tri-State Specialists Alerts 17,500 Patients About Email Error

Tri-State Specialists, a network of orthopedic surgery clinics serving residents in Iowa, South Dakota, and Nebraska, is alerting 17,050 patients about an incident that resulted in the impermissible disclosure of names and email addresses to a small number of current and former patients.

On September 16, 2020, Tri-State Specialists discovered an email had been sent by an employee that included patients’ names and email addresses in an attached file. No other patient information was included in the file. Patients have been advised to be vigilant for spam messages as a result of the disclosure of their email addresses.

In response to the breach, Tri-State Specialists has revised its policies and procedures for sending emails to prevent similar breaches in the future, and the importance of data privacy has been re-emphasized with the workforce.

BryLin Behavioral Health Notifies Patients About Potential PHI Breach

BryLin Behavioral Health System, a provider of mental health and addiction treatment services in Buffalo, NY, is alerting certain patients that some of their protected health information was potentially compromised as a result of a cybersecurity incident that occurred in August 2020.

Unusual network activity was detected by BryLin on August 19, 2020. Immediate action was taken to secure the network and an investigation was launched which revealed its systems had been compromised on August 14, 2020. Unauthorized individuals potentially accessed documents on the compromised systems that contained patient names, dates of birth, addresses, treatment information and/or clinical information and, in some instances, patients’ Social Security numbers and/or health insurance information. The breach only affected data of patients who received medical services at BryLin hospital. Patient information from its outpatient clinic, outpatient substance use, and outpatient mental health care services was not affected.

All patients affected by the breach have now been notified and the 75 patients who had their Social Security number exposed have been offered complimentary credit monitoring services.

It is currently unclear how many individuals have been affected by the breach.

The post Email Incidents Result in the Potential Disclosure of the PHI of More Than 41,000 Patients appeared first on HIPAA Journal.