HIPAA Breach News

210K MultiCare Health System and Woodcreek Healthcare Patients Affected by Ransomware Attack

The number of individuals affected by a ransomware attack on St. Cloud-based Netgain Technology LLC has increased, with a further 210,000 individuals now known to have been affected. Netgain Technology provides IT and technology services to several entities in the healthcare industry, including the medical practice management company Woodcreek Provider Service in Washington. Ramsey County in Minnesota was previously confirmed to have been affected by the ransomware attack.

Woodcreek Provider Service provides support to pediatric clinics and urgent care centers owned and operated by MultiCare Health System. Woodcreek Provider Service was notified by Netgain on December 2, 2020 that the protected health information of patients and the personal information of employees and contractors were stored on servers affected by the ransomware attack.

The Woodcreek Provider Service IT network and computer system is hosted by Netgain and a considerable amount of data has potentially been accessed or obtained in the extortion attack. Potentially compromised information includes: Names, addresses, medical record numbers, dates of birth, Social Security numbers, health insurance information, insurance claims, explanation of benefits statements, clinical notes, referral requests, lab test reports, decision not to vaccinate forms, authorization requests for services, treatment approvals, records requests, immunization information, vaccine records, prescription requests, release of information forms, subpoena records requests, medical record disclosure logs, incident reports, invoices, correspondence with patients, student identification numbers, bank account numbers, employment related documents, court documents, DEA certificates, payroll withholding and insurance deduction authorizations, benefit and tax forms, employee health information and some medical records.

Netgain provided reassurances that steps have been taken to improve security to prevent any further cyberattacks. Woodcreek Provider Service has also taken steps to protect information under its control and has reviewed and revised its cybersecurity policies and procedures.

Affected MultiCare Health System and Woodcreek Healthcare patients have been offered identity theft protection services and/or complimentary credit monitoring services.

The post 210K MultiCare Health System and Woodcreek Healthcare Patients Affected by Ransomware Attack appeared first on HIPAA Journal.

Phishing Attack Impacts Saint Alphonsus Health System and Saint Agnes Medical Center Patients

A phishing attack on Saint Alphonsus Health System in Boise, ID has resulted in the exposure of patient information and has also impacted patients of Saint Agnes Medical Center in Fresno, CA.

Saint Alphonsus identified unusual activity in an employee’s email account on January 6, 2021. The account was immediately secured, and an investigation was conducted to determine the source and nature of the activity. Saint Alphonsus determined that the account had been accessed by an unauthorized individual on January 4, 2021, giving the individual access to the account and information contained therein for 2 days. The account was used to send phishing emails to other individuals in an attempt to obtain usernames and passwords.

The employee whose credentials were compromised assisted with certain business functions that required access to protected health information, including performing billing functions for the West Region of Trinity Health, which includes Fresno.

A review of all emails and attachments revealed the account contained the protected health information of certain patients. The PHI in the account varied from patient to patient and included full names in combination with one or more of the following data elements: Address, telephone, date of birth, email, medical record number, treatment information, and/or billing information. The account also contained a limited number of Social Security numbers and credit card numbers.

While unauthorized account access was confirmed, it was not possible to determine which emails, if any, had been accessed. At the time of issuing notifications, no evidence was found to indicate any patient information has been misused. Credit monitoring services are being offered to affected individuals and employees have received further training on email and cybersecurity to prevent similar breaches in the future.

It is not currently known how many patients have been affected by the breach. This post will be updated when further information becomes available.

4,122 Individuals Affected by Southeastern Minnesota Center for Independent Living Phishing Attack

Southeastern Minnesota Center for Independent Living (SEMCIL), a provider of disability and support services in Rochester and Winona, has discovered an unauthorized individual gained access to an employee’s email account that contained the protected health information of 4,122 individuals.

An investigation into the security incident revealed the account was compromised on August 6, 2020 and access to the account remained possible until September 1, 2020. The investigation confirmed on December 22, 2020 that protected health information had been exposed, including names, addresses, dates of birth, Social Security numbers, driver’s license numbers, and some medical treatment information. Notification letters started to be sent to affected individuals on February 19, 2021.

The investigation did not uncover evidence to suggest any protected health information was viewed or obtained, and no reports have been received to indicate any PHI has been misused. As a precaution against identity theft and fraud, individuals whose Social Security number or driver’s license number were exposed have been offered complimentary identity theft protection services.

PHI of More Than 100,000 Elara Caring Patients Potentially Compromised in Phishing Attack

Elara Caring, one of the largest providers of home-based healthcare services in the United States, has suffered a phishing attack that has impacted more than 100,000 patients.

In mid-December, suspicious activity was identified in some employee email accounts. Prompt action was taken to secure the accounts to prevent further unauthorized access and a third-party security firm was engaged to investigate the breach.

The investigation confirmed that multiple employee email accounts had been accessed by an unauthorized individual, although no evidence was found to suggest any patient information in those accounts was viewed or obtained by the attackers. It was, however, not possible to rule out data theft.

A review of the compromised email accounts revealed they contained the PHI of 100,487 patients, including names, addresses, Social Security numbers, driver’s license numbers, Employer ID numbers, financial/bank account information, dates of birth, email addresses and passwords, insurance information and insurance account numbers, and passport numbers. Individuals affected by the breach have been offered complimentary credit monitoring and identity protection services.

Elara Caring has since taken steps to improve data security and has provided additional cybersecurity training to employees.

ProPath Email Accounts Accessed by an Unauthorized Individual

ProPath, the largest, nationwide, fully physician-owned pathology practice in the United States, has discovered an unauthorized individual has accessed two email accounts containing patient information.

The email accounts were discovered to have been accessed by an unauthorized individual between May 4, 2020 and September 14, 2020. ProPath learned on January 28, 2021 that the email accounts contained protected health information including names, dates of birth, test orders, diagnosis and/or clinical treatment information, medical procedure information, and physician name. A limited number of individuals also had their Social Security number, financial account information, driver’s license number, health insurance information, and/or passport number exposed.

Individuals whose Social Security number was compromised have been offered complimentary credit monitoring services. Employees have received further training to help them detect malicious emails and additional technical safeguards have now been implemented.

It has yet to be confirmed exactly how many individuals have been affected. ProPath said the majority of individuals who received testing from the company have not been affected by the breach.

Cornerstone Care Email Account Breach Impacts 11,487 Patients

An email account containing the PHI of 11,487 patients of Cornerstone Care community health centers in Southwestern Pennsylvania and Northern West Virginia has been accessed by an unauthorized individual.

The email account breach was detected on June 1, 2020 and third-party security experts were engaged to assist with the investigation. They confirmed the breach was limited to a single corporate email account. A review of the PHI in that account was completed on January 13, 2021.

The account contained names and addresses and, for certain individuals, date of birth, Social Security number, medical history, condition, treatment, diagnosis, and/or health insurance information. Individuals whose Social Security number was compromised have been offered complimentary credit monitoring and identity theft protection services.

Affected individuals were notified by mail on February 25, 2021. Cornerstone Care has since implemented multi-factor authentication on email accounts.

Up to 100,000 Individuals Affected by Cochise Eye and Laser Ransomware Attack

The Sierra Vista, AZ-based ophthalmology and optometry provider Cochise Eye and Laser experienced a ransomware attack on January 13, 2021 that resulted in the encryption of its patient scheduling and billing software.

The attack prevented Cochise Eye and Laser from accessing any data in its scheduling system. Eye care services continued to be provided to patients, with the practice reverting to using paper charts. According to a February 17, 2021 breach notice on its website, paper charts were still in use as the scheduling system remained out of action.

The investigation into the ransomware attack found no evidence to indicate any patient data were exfiltrated prior to the encryption of files; however, data theft could not be ruled out. The types of information potentially accessed by the attackers included names, dates of birth, addresses, phone numbers and, for some individuals, Social Security numbers.

Since the attack, Cochise Eye and Laser has been working on improving the security of its systems and is implementing a new offsite backup system. Efforts to recover the encrypted data are ongoing and patient charts will be used to rebuild its schedules.

The ransomware attack has been reported to the HHS’ Office for Civil Rights as affecting up to 100,000 patients.

Petersburg Medical Center Discovers Insider Privacy Breach

Petersburg Medical Center in Alaska has discovered an employee accessed the medical records of certain patients without authorization, when there was no legitimate work reason for doing so.

An internal investigation was launched as soon as the unauthorized access was discovered, and the medical center was satisfied that there have been no further disclosures by the employee and no patient information was removed from the medical center.

Following the breach, the medical center took steps to prevent the employee “from accessing any patient records now or in the future.” It is unclear whether the sanctions included termination. Steps have since been taken to prevent any further privacy violations at the medical center and affected individuals have been notified by mail.

Tens of Thousands of Individuals Affected by AllyAlign Health Ransomware Attack

AllyAlign Health, a Glen Allen, VA-based Medicare Advantage health plan administrator, has started notifying members and providers about an attempted ransomware attack that occurred on November 13, 2020.

According to the breach notification letters sent to affected individuals, AllyAlign Health first became aware of the attack on November 14, 2020. An investigation of the incident found the systems accessed by the attackers contained members’ first and last names, addresses, dates of birth, Social Security numbers, Medicare health insurance claim numbers, Medicare beneficiary identifiers, medical claims histories, health insurance policy numbers, and other medical information.

Providers affected by the breach have been notified that names, addresses, dates of birth, Social Security numbers, and Council for Affordable Quality Healthcare (CAQH) credentialing information may have been compromised.

It is unclear exactly how many individuals have been affected by the incident. According to the breach notification sent to the Maine Attorney General, the protected health information of 76,348 individuals was potentially compromised in the breach. The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 33,932 individuals have been affected. The 33,932 individuals could be members and the rest providers.

The Attorney General notification indicates the breach was discovered on February 2, 2021. This could be the date when the breach investigation was completed, and the number of individuals affected became known.

AllyAlign Health said it acted quickly to respond to the breach and engaged IT specialists to ensure the security of its network environment. Since the breach occurred, policies and procedures have been updated relating to the security of its systems and servers and information life cycle management. Notification letters were sent to affected individuals on February 26, 2021 and credit monitoring and identity theft protection services have been offered. At the time of issuing notifications, no reports had been received related to the misuse of member or provider data.

IBM X-Force: Healthcare Cyberattacks Doubled in 2020

A new report from IBM X-Force shows healthcare cyberattacks doubled in 2020 with 28% of attacks involving ransomware. The massive increase in healthcare industry cyberattacks saw the sector rise from last place to 7th, with the finance and insurance industry the most heavily targeted, followed by manufacturing, energy, retail, professional services, and government. Healthcare accounted for 6.6% of cyberattacks across all industry sectors in 2020.

The 2021 X-Force Threat Intelligence Index report was compiled from monitoring data from over 130 countries and included data from more than 150 billion security events a day, with the data gathered from multiple sources including IBM Security X-Force Threat Intelligence and Incident Response, X-Force Red, IBM Managed Security Services, and external sources such as Intezer and Quad9.

The most common way networks were breached was the exploitation of vulnerabilities in operating systems, software, and hardware, which accounted for 35% of all attacks, up from 30% in 2019. This was closely followed by phishing attacks, which were the initial entry point in 33% of attacks, up from 31% in 2019.

2020 was the first year since IBM X-Force started publishing its annual threat index reports that the exploitation of vulnerabilities was more common than phishing as the initial attack vector, which was largely due to the global shift to a distributed workforce in response to the pandemic.

Around 1 in 5 cyberattacks in 2020 involved the exploitation of vulnerabilities in Citrix servers, which were used to support remote workforces. Out of all attacks involving the exploitation of Citrix vulnerabilities, healthcare placed third with 17% of all attacks. Credential theft-related attacks secured third place in the initial attack vector list and accounted for 18% of attacks, down from 29% in 2019.

In healthcare especially, ransomware attacks increased sharply. Overall, 23% of security events in 2020 involved ransomware, up from 20% in 2019. 28% of all cyberattacks on the healthcare industry involved ransomware. These attacks often involved data theft prior to file encryption to pressure victims into paying the ransom to prevent the exposure or sale of stolen data. 59% of ransomware attacks in 2020 involved the use of this double-extortion tactic.

Sodinokibi was used in 22% of all ransomware attacks. The researchers estimate that the Sodinokibi gang generated $123 million in ransom payments in 2020. Other highly active ransomware operations included RagnarLocker, Netwalker, Maze, and Ryuk, which each had a share of 7% of the attacks.

Ransomware was the leading attack type, followed by data theft, and server access. Data theft increased 160% year-over-year, with a large proportion of the attacks due to the Emotet Trojan. Server access increased 233% in the past 12 months, mostly involving the exploitation of vulnerabilities and the use of stolen credentials. Remote Access Trojan (RAT) attacks had a notable increase from 2% of attacks in 2019 to 6% in 2020. Business email compromise attacks decreased in 2020, falling from 14% of attacks in 2019 to 9% in 2020. Insider breaches fell from 6% to 5% of attacks, with misconfigurations unchanged, accounting for 5% of attacks.

The second and third most common types of healthcare cyberattacks were server access and BEC attacks, each accounting for 18% of attacks in 2020. Data theft, insider incidents, and misconfigurations accounted for 9% of attacks each.

The increase in healthcare industry cyberattacks was largely due to the industry being heavily targeted by ransomware gangs and threat actors targeting COVID-19-related research organizations. It could have been far worse for the healthcare industry. Security researchers became aware that the Ryuk ransomware gang was planning a targeted campaign in October that would have seen 400 hospitals attacked. Fortunately, efforts by cybersecurity companies and law enforcement limited the attacks to just 9 out of the 400 hospitals.

Roundup of Recent Healthcare Phishing and Malware Incidents

A roundup of healthcare privacy breaches that have recently been reported to the HHS’ Office for Civil Rights and state Attorneys General.

Twelve Oaks Recovery Discovers Malware Infection and Data Theft

Twelve Oaks Recovery, a Navarre, FL-based addiction and mental health treatment center, has discovered an unauthorized individual gained access to its network, installed malware, and stole documents from its systems. The attack was detected on December 13, 2020 when unusual network activity was detected. A forensic investigation confirmed malware had been deployed on December 13, and the following day data exfiltration was confirmed.

A review of the documents obtained by the attacker revealed they contained the protected health information of 9,023 patients, and included names, addresses, dates of birth, medical record numbers, and Social Security numbers.

Twelve Oaks Recovery has enhanced its network monitoring tools and taken steps to prevent similar breaches from occurring in the future.

Rainbow Rehabilitation Centers Discovers Email Account Breach

Rainbow Rehabilitation Centers, a Livonia, MI-based provider of therapeutic rehabilitation services for individuals with brain and spinal cord injuries, has discovered an unauthorized individual gained access to an employee’s email account that contained the protected health information of 1,749 patients and information about its employee group health plans.

Third-party forensic experts were engaged to investigate the breach and confirmed that a single email account was breached. A review of the account revealed it contained PHI such as names, Social Security numbers, driver’s license numbers, appointment scheduling notes, and medical plan and benefits enrollment information. It was not possible to determine if any of that information was accessed by the attacker, but no reports have been received that suggest any patient information has been misused.

Affected individuals have been notified and offered a complimentary 12-month membership to credit monitoring and identity theft protection services.

Summit Behavioral Healthcare Email Accounts Compromised

Summit Behavioral Healthcare, a Brentwood, TN-based provider of behavioral health services and operator of 18 addiction treatment centers throughout the United States, has discovered two employee email accounts were compromised, starting in late May 2020.

A third-party digital forensics firm was engaged to investigate the breach and on January 21, 2021 it was confirmed that protected health information was contained in the compromised accounts and may have been accessed or obtained by unauthorized individuals.

The information in the accounts varied from individual to individual and may have included names in combination with one or more of the following types of data: Social Security number, diagnosis or symptom information, treatment information, prescription information, health insurance numbers, medical history, financial account information, Medicaid / Medicare identification numbers, and health care provider information.

Affected individuals have been notified and offered a complimentary 12-month membership to credit monitoring and identity theft protection services.

Email Account Breach Discovered at Jacobson Memorial Hospital and Care Center

Jacobson Memorial Hospital and Care Center in Elgin, ND has discovered an email account containing the protected health information of 1,547 patients has been accessed by an unauthorized individual.

The breach was detected on or around August 5, 2020 and a third-party cybersecurity firm was hired to investigate the breach and determine if any information had been accessed. It appears that the attack was conducted in order to send spam emails from the account; however, it is possible that patient information was viewed.

The account contained names, addresses, dates of birth, email addresses, Social Security numbers, phone numbers, insurance policy numbers, credit card numbers, bank account numbers, and some health information.

A new facility-wide security system has now been implemented, policies and procedures have been updated, and additional training has been provided to staff and vendors on data protection. Affected individuals have been offered complimentary credit monitoring and identity theft restoration services.

Kaiser Permanente Fires Employee for Inappropriate PHI Access

Kaiser Permanente has fired an employee for accessing members’ medical records without authorization. The privacy breach was detected on December 28, 2020 and the investigation confirmed the records were accessed for reasons unrelated to individuals’ healthcare service needs. The types of information in the records included names, addresses, telephone numbers, email addresses, dates of birth, and photographs, but no other sensitive information.

Kaiser Permanente is reviewing its policies and procedures and will be implementing additional safeguards, as appropriate, to prevent similar privacy breaches in the future.

Universal Health Services Ransomware Attack Cost $67 Million in 2020

2020 was a particularly bad year for healthcare industry ransomware attacks, with one of the worst suffered by the King of Prussia, PA-based Fortune 500 healthcare system, Universal Health Services (UHS).

UHS, which operates 400 hospitals and behavioral health facilities in the United States and United Kingdom, suffered a cyberattack in September 2020 that wiped out all of its IT systems, affecting its hospitals and other healthcare facilities across the country.

The phone system was taken out of action, and without access to computers and electronic health records, employees had to resort to pen and paper to record patient information. In the early hours after the attack occurred, the health system diverted ambulances to alternative facilities and some elective procedures were either postponed or diverted to competitors. Patients reported delays receiving test results while UHS recovered from the attack.

UHS worked fast to restore its information technology infrastructure following the attack and worked around the clock to return to normal business operations; however, the recovery process took around 3 weeks. The disruption naturally had a major impact financially, with the UHS quarterly earnings report for Q4, 2020 showing $42.1 million in losses, which equated to 49 cents per diluted share. UHS ended the quarter with profits of $308.7 million, up 6.6% from Q4, 2019.

Restoring its IT infrastructure resulted in a significant increase in labor costs, both internally and externally. Cash flows were also affected as certain administrative functions such as coding and billing had to be delayed until December 2020.

UHS has reported total pre-tax losses of an estimated $67 million in 2020 due to the ransomware attack, mostly as a result of the loss of operating income, reduction in patient activity, and increased revenue reserves as a result of the billing delays. UHS believes it is entitled to recover the majority of the $67 million in insurance payouts.

Gore Medical Management Alerted to 2017 Breach of 79,100 Patients’ PHI

Gore Medical Management, a medical practice company based in Griffin, GA, has discovered a historic data breach involving the protected health information (PHI) of 79,100 individuals. The breach occurred in 2017 and affects patients of Family Medical Center in Thomaston, which is now part of Upson Regional Medical Center.

In November 2020, Gore Medical Management was informed by the Federal Bureau of Investigation that a third-party computer recovered as part of an investigation had been found to contain the PHI of Family Medical Center patients.

The breach investigation confirmed that the vulnerability exploited by the hacker to gain access to the Family Medical Center network had been identified and corrected a few months after the breach, although the breach itself was not detected at the time. The medical record system was not compromised, but files containing names, addresses, dates of birth, and Social Security numbers were exfiltrated. No financial information or healthcare records were involved.

There does not appear to have been further access of its systems or any other transfers of data since 2017. Gore Medical Management has now notified all affected patients and has offered them a 12-month membership to an identity theft protection and credit monitoring service.

Pennsylvania Adult & Teen Challenge Discovers Compromised Email Accounts Containing PHI of 7,771 Individuals

Pennsylvania Adult & Teen Challenge, a Rehrersburg, PA-based provider of addiction treatment programs for adults and young people, has discovered an unauthorized individual gained access to employee email accounts that contained the protected health information of 7,771 individuals.

Suspicious activity was detected in an email account on July 29, 2020 and steps were taken to prevent further access and investigate the breach. The investigation confirmed that certain email accounts had been accessed by an unauthorized individual between July 27, 2020 and July 30, 2020.

A forensic investigation was conducted, and the compromised accounts were reviewed to determine the information potentially obtained by the attacker. That process was completed on December 29, 2020.

The types of information in the accounts varied from individual to individual and may have included names along with one or more of the following data elements: Social Security number, driver’s license number, financial account information, payment card information, date of birth, prescription information, diagnosis information, treatment information, treatment provider, health insurance information, medical information, Medicare/Medicaid ID number, employer identification number, electronic signature, username and password.

It was not possible to determine if information in the email accounts was accessed or exfiltrated, but no reports have been received to date to indicate any patient information has been misused. Notification letters have recently been sent to affected individuals and complimentary identity theft protection services have been offered.
