HIPAA Breach News

Department of Veteran Affairs Reports Breach of Payment System and Potential Theft of Veterans’ SSNs

The U.S. Department of Veteran Affairs (VA) has experienced a data breach involving the personal information of around 46,000 veterans.

Hackers gained access to an online application used by the VA Financial Services Center (FSC) and attempted to divert payments sent by the VA to community care providers to pay for veterans’ medical care. Social engineering tactics were used, and authentication protocols were exploited to gain access to the application and change bank account information.

Upon discovery of the breach, the FSC took the payment processing application offline to prevent any further payments from being sent. It is unclear how many payments were sent before the cyberattack was discovered and whether the attack was detected in time to block fraudulent transfers. The FSC said the breached payment processing application will remain offline until the Office of Information Technology has performed a comprehensive security review.

The main purpose of the cyberattack appears to have been to divert payments; however, the personally identifiable information and Social Security numbers of around 46,000 veterans were stolen in the attack and could potentially be used for fraudulent purposes.

All veterans whose information was potentially compromised in the attack have now been notified by mail and have been offered complimentary credit monitoring services. They have also been provided with information on the steps they can take to protect against fraudulent use of their information.

The VA is currently undergoing a major update of its financial services system; however, there have been several delays and the project is not expected to be completed until 2030. The FTC recently issued a request for information seeking cybersecurity audit services. The cybersecurity audit is intended to address compliance, strategy, and sustainment, and as part of the audit, the contractor is required to “provide a gap analysis on which cybersecurity tools, processes, and controls the government should employ and provide recommendations of methods to improve visibility as well as incident response time following VA best practices.”

The post Department of Veteran Affairs Reports Breach of Payment System and Potential Theft of Veterans’ SSNs appeared first on HIPAA Journal.

Starling Physicians Email Breach Impacts 7,777 Patients

Rocky Hill, CT-based Starling Physicians has started notifying 7,777 patients that some of their protected health information was stored in email accounts that were found to have been accessed by an unauthorized individual.

A breach of its email environment was detected on or around July 7, 2020. A comprehensive review was conducted to determine the extent of the breach and whether any patient data had been accessed. While evidence of PHI access was not found, it was not possible to rule out unauthorized data access.

Emails and email attachments were found to include names along with some of the following data elements: dates of birth, medical record numbers, patient account numbers, diagnostic information, healthcare provider information, prescription information, and treatment information. A small number of affected individuals also had their address, Social Security number, and/or Medicare/Medicaid ID number exposed.

Starling Physicians is strengthening its cybersecurity defenses to prevent similar data security events in the future.

Advocate Aurora Health Notifies 2,979 Patients About PHI Exposure

Advocate Aurora Health has discovered paper and other hard copy files were exposed at Aurora Medical Center – Bay Area in Wisconsin during preparations to sell the facility and may have been accessed by unauthorized individuals.

A review of the files revealed they contained the personal and protected health information of 2,979 patients. The facility had not been used as a hospital since August 2018, but there were limited public uses of the building after that date, during which information may have been viewed.

The exposed files contained patients’ first and/or last names, date of birth, phone number, address, emergency contact information, Social Security number, medical record number, gender, height and weight, dates of service, exam or lab results, diagnoses, medications, employer information, and/or health insurance information.

The files have now been secured and affected individuals have been notified and offered a 12-month complimentary membership to Experian’s IdentityWorksSM service.

Moffitt Cancer Center Patients Notified about Theft of Unencrypted Storage Devices

Lee Moffitt Cancer Center and Research Institute in Tampa is notifying 4,056 patients that two unencrypted storage devices and paperwork containing protected health information have been stolen.

The USB devices and paperwork were in a briefcase which was stolen from the vehicle of a physician on July 2, 2020. A review of the devices and paperwork confirmed they contained limited protected health information such as patient names, dates of birth, medical record numbers and/or information about the services received at Moffitt.

Staff have been re-educated on securing patient data, the use of USB devices is being reviewed, and auto-encryption processes are being refined to ensure all patient information is secured. Moffitt Cancer Center is unaware of any attempted misuse of patient data.

Lost Hard Drive Contained the PHI of INTEGRIS Baptist Medical Center Patients

INTEGRIS is notifying certain patients that some of their protected health information was stored on a portable hard drive that was lost during an on-campus office move. The hard drive was discovered to be missing on October 17, 2029. A thorough search was conducted but the hard drive could not be located.

A backup copy of the data on the hard drive was located and analyzed and was found to contain the information of certain patients who had previously received medical services at INTEGRIS Baptist Medical Center Portland Avenue in Oklahoma City, formerly known as Deaconess Hospital. The data on the drive was limited to patients’ names, Social Security numbers, and limited clinical information.

Affected individuals have been offered a complimentary one-year membership of Experian’s IdentityWorksSM Credit 3B service.


Inova Health System Says 1.05 Million Individuals Impacted by Blackbaud Ransomware Attack

Falls Church, VA-based Inova Health System is one of the latest healthcare providers to confirm that it has been affected by the ransomware attack on Blackbaud. A backup of its donor database contained the information of 1,045,270 donors, patients, and prospective donors, which takes the total number of healthcare victims in the United States past 2.99 million. That total is also likely to grow as the deadline for reporting the breach to the HHS has not yet been reached.

On July 16, 2020, Blackbaud issued notifications to its clients that it had suffered a ransomware attack. Unauthorized individuals gained access to its systems on February 7, 2020, and access remained possible until May 20, 2020, when the attack was detected after ransomware was deployed. Prior to the deployment of ransomware, certain data were exfiltrated from Blackbaud’s servers. While not all clients were affected, the attackers were able to obtain backups of the fundraising databases of many of the firm’s clients.

For most organizations, the breached data were limited to donor names, addresses, dates of birth, contact information, and giving history and, for patients, also provider names, dates of service, and hospital departments where treatment was provided. Blackbaud said credit card information, bank account information, and Social Security numbers were not compromised.

Blackbaud agreed to pay the ransom demand and was provided with the keys to decrypt the files encrypted in the attack. Arrangements were also made with the attackers to have the stolen data permanently deleted. Blackbaud is satisfied that all data stolen in the attack have been permanently deleted and were not further disclosed by the attackers. Blackbaud also confirmed that the vulnerability exploited by the attackers to gain access to its systems has now been fixed.

No evidence has been found to suggest there have been further disclosures of the data stolen in the attack. Blackbaud has seen evidence indicating the data were deleted, and the firm is using a third party to monitor the dark web to ensure that no copies are offered for sale or publicly disclosed.

U.S. Healthcare Organizations Affected by the Blackbaud Ransomware Attack

The HIPAA Breach Notification Rule allows a maximum of 60 days from the discovery of a data breach to issue notifications. Since notifications were issued to affected clients on July 16, 2020, there may still be some healthcare providers affected by the breach that have yet to report.

The list below is not comprehensive but includes entities that are known to have been affected by the breach, together with the number of individuals potentially affected, where known.

Breached Entity                                 Individuals Affected
----------------------------------------------  --------------------
Inova Health System                             1,045,270
Northern Light Health                           657,392
Saint Luke’s Foundation                         360,212
MultiCare Health System                         179,189
University of Kentucky HealthCare               163,000
University of Florida Health                    135,959
The Guthrie Clinic                              92,064
Main Line Health                                60,595
Aveanna Healthcare                              166,000
Northwestern Memorial HealthCare                55,593
Spectrum Health                                 52,711
Richard J. Caron Foundation                     22,718
SCL Health                                      Unconfirmed
University of Detroit Mercy                     Unconfirmed
Children’s Hospital of Pittsburgh Foundation    Unconfirmed
Atrium Health                                   Unconfirmed
NorthShore University Health System             Unconfirmed
Cancer Research Institute (NYC)                 Unconfirmed
Prostate Cancer Foundation                      Unconfirmed
----------------------------------------------  --------------------
Total                                           2,990,703


Hennepin County Medical Center Faces Possible Legal Action Over Snooping on George Floyd’s Medical Records

Hennepin County Medical Center in Minneapolis is potentially facing legal action over snooping on George Floyd’s medical records by multiple employees. Attorney Antonio Romanucci of Chicago-based law firm Romanucci & Blandin said he was informed that several employees of Hennepin County Medical Center had accessed George Floyd’s medical records on multiple occasions when there was no legitimate reason for doing so, in clear violation of hospital policies and the Health Insurance Portability and Accountability Act (HIPAA).

Attorneys representing Hennepin County Medical Center notified the family of George Floyd that certain records relating to George Floyd had been inappropriately accessed by certain employees. Details about the types of records viewed by the employees, the individuals involved, and their positions at Hennepin County Medical Center were not disclosed.

Antonio Romanucci and the family’s legal team issued a statement to the Star Tribune saying they are currently “exploring all remedies” to “make this right and make the family whole for this incredible intrusion of privacy… The security of medical records and personal information is of critical importance in Minnesota and across the country.”

George Floyd’s family have yet to decide whether to take legal action against the medical center. At this stage, no subpoenas have been issued to obtain further information from Hennepin County Medical Center about the number of individuals involved and the types of information they accessed.

Hennepin Healthcare was contacted for further information about the privacy breach and said, “Any breach of patient confidentiality is taken seriously and thoroughly investigated,” but also said they could not comment on the privacy breach due to patient confidentiality. Hennepin Healthcare did confirm that the individuals who accessed George Floyd’s protected health information are no longer employed by Hennepin County Medical Center. It is unclear if those individuals were terminated or if they voluntarily resigned from their positions.


Up to 308,000 Patients Potentially Affected by Baton Rouge Clinic Ransomware Attack

The Baton Rouge Clinic in Louisiana experienced a cyberattack in early July that took its email and phone system out of action and limited its lab and radiology services. The cyberattack, which involved ransomware, took certain systems out of action for several weeks. It is now two months after the attack and the external email system is still not working.

The clinic’s medical record system was not breached, so the data potentially viewed and/or obtained were limited. The attack was performed by an overseas adversary, according to a statement issued by the clinic. It is unclear whether the ransom was paid. The clinic said, “We followed the recommendations our cybersecurity firm made to us in consultation with the FBI.”

The investigation into the breach confirmed that the attackers potentially accessed the protected health information of 85 patients, all of whom have now been notified. The types of information involved were EMR data downloaded in order to send claims to insurance companies.

Separate breach notification letters were also sent to 308,000 patients. Those individuals are not believed to be at risk but have been advised to be vigilant and to look out for suspicious emails.

NorthShore University Health System, UK HealthCare, & Main Line Health Victims of Blackbaud Ransomware Attack

NorthShore University Health System, University of Kentucky (UK) HealthCare, and Main Line Health have recently announced that they have been affected by the ransomware attack on their business associate, Blackbaud.

The attacker gained access to Blackbaud’s systems between February 7 and May 20, 2020 and backups of databases were stolen by the attackers prior to the deployment of ransomware. Blackbaud paid the ransom and obtained the keys to decrypt files and received assurances that all information stolen in the attack has been securely and permanently deleted.

NorthShore University Health System, based in Evanston, IL, confirmed the data of 348,000 patients were compromised in the attack. The compromised data were limited to names, dates of birth, and limited clinical information. The risk to affected individuals is believed to be low.

UK HealthCare said the data of approximately 163,000 donors who had previously been patients were compromised in the attack. The breached information was limited to names, addresses, dates of birth, medical record numbers, admission dates, area of service and attending doctors.

The attack also involved the donor database of Main Line Health. The database contained patient donors’ or prospective donors’ names, ages, genders, dates of birth, medical record numbers, date(s) of treatment, department(s) of service and treating physicians. 60,595 individuals are known to have been affected.


PHI of Almost 140,000 Individuals Potentially Compromised in Imperium Health Phishing Attack

Imperium Health Management, a Louisville, KY-based provider of development services to Accountable Care Organizations (ACOs), is notifying 139,114 individuals that some of their protected health information was potentially compromised in a recent phishing attack.

Imperium Health learned of the attack on April 23, 2020. The investigation revealed one email account was breached on April 21, 2020 and a second email account was breached on April 24, 2020 due to the employees responding to phishing emails. The emails contained links that appeared to be legitimate but directed the employees to a website where their email credentials were harvested.

A review of the compromised email accounts revealed they contained protected health information such as patient names, addresses, dates of birth, medical record numbers, account numbers, health insurance information, Medicare numbers, Medicare Health Insurance Claim Numbers (which can include Social Security numbers), and limited clinical and treatment information. Imperium Health was notified that the accounts contained PHI on June 18, 2020.

A third-party computer forensic firm assisted with the investigation and confirmed the breach only involved the two email accounts. Access was not gained to any other Imperium Health systems. While it is possible that patient information was viewed or obtained, to date no evidence has been uncovered to indicate patient information was viewed, obtained, or misused in any way.

Imperium Health has implemented additional security measures to protect its systems from further cyberattacks, which include the use of two-factor authentication on email accounts for remote access and new protocols for the secure transfer of sensitive information. The workforce has also been re-educated on email security and how to identify phishing emails.

Atrium Health and Saint Luke’s Foundation Impacted by Blackbaud Ransomware Attack

Saint Luke’s Health Foundation has confirmed the personal and demographic information of 360,212 individuals was compromised in the recent Blackbaud ransomware attack.

The attackers obtained a copy of a backup of a database which was used as leverage to extort funds from Blackbaud. The data is understood to have been obtained at some point between February 7, 2020 and May 20, 2020. Blackbaud chose to pay the ransom demand to obtain the keys to unlock the files encrypted by the ransomware and prevent any further disclosures of data stolen in the attack. Blackbaud does not believe any data were disclosed by the attacker or otherwise made available to the public and believes all data stolen in the attack have now been permanently deleted.

Data compromised in the attack included names, mailing addresses, email addresses, telephone numbers, and/or date of birth. A limited number of patients may have had guarantors’ names compromised, along with some patient medical information such as dates of service and departments where care was provided.

Atrium Health, one of the nation’s leading healthcare systems with over 900 care locations, has also confirmed it was affected by the Blackbaud ransomware attack. Data compromised in the attack include patients’ first and last names, contact information, demographic information (including date of birth, guarantor information, decedent status (if applicable) and internally generated patient ID numbers), treatment dates, locations of service, and treating physicians’ names. Minors affected by the breach also had the name and relationship of their guarantor exposed. Patients who made a donation to Atrium Health had the date of the donation and amount included in the stolen data.


Blackbaud Data Breach Healthcare Victim Count Rises to Almost 1 Million

The number of healthcare providers confirmed to have been affected by the Blackbaud ransomware attack and data breach is growing, with a further four healthcare providers issuing breach notifications in the past few days.

Yesterday we reported Northwestern Memorial HealthCare had been affected and the personal information of 55,983 individuals was compromised. Now the Department of Health and Human Services’ Office for Civil Rights breach portal shows 179,189 MultiCare Health System donors and potential donors have been affected, as have 52,500 donors to Spectrum Health Lakeland Foundation, and 22,718 donors to the Richard J. Caron Foundation.

Earlier this month, Northern Light Health Foundation confirmed that the information of 657,392 donors was compromised in the breach. Catholic Health and its foundations, the University of Detroit Mercy, and Children’s Hospital of Pittsburgh Foundation are also known to have been affected by the Blackbaud data breach.

The total number of healthcare organizations affected by the breach is still not known, nor the total number of individuals impacted by the breach, but the total is rapidly approaching 1 million.

Blackbaud is one of the largest providers of fundraising database and support services for health care organizations, educational institutions, and other non-profits worldwide. The company maintains records for more than 25,000 non-profit organizations.

The ransomware attack occurred on or around May 14, 2020; however, the attackers had initially gained access to its systems several months previously in February 2020. Blackbaud took action to limit the extent of the file encryption and contained the attack by May 20, 2020. Prior to the deployment of ransomware, the attackers were able to exfiltrate a subset of data from Blackbaud’s self-hosted environment, including the platform used by many healthcare organizations for engagement and fundraising.

Blackbaud’s cloud services are extensively used by healthcare organizations the world over, including 30 of the top 32 largest nonprofit hospitals, but the company said its public cloud environment was not affected and neither was the majority of its self-hosted environment.

For the most part, the breach was limited to the names of donors, individuals who had attended fundraising events in the past, and community members with relationships with the affected healthcare organizations.

In addition to names, demographic information such as addresses, dates of birth, telephone numbers, and email addresses were compromised, and in some cases, donation dates, donation amounts and other donor profile information. For the majority of affected healthcare organizations, highly sensitive information such as bank account information, credit card information, and Social Security numbers were not affected.

Blackbaud issued a statement about the breach confirming the ransom demand was paid in order to obtain the keys to decrypt data and to prevent any malicious use of the data stolen in the attack.

“Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly… We apologize that this happened and will continue to do our very best to supply help and support as we and our customers jointly navigate this cybercrime incident,” explained Blackbaud in its ransomware and data breach notification.


Assured Imaging Ransomware Attack Affects Almost 245,000 Patients

Tucson, AZ-based Assured Imaging, a subsidiary of Rezolut Medical Imaging and provider of Health Screening and Diagnostic Services, has announced it has suffered a ransomware attack that resulted in the encryption of its medical record system.

Assured Imaging discovered the attack on May 19, 2020 and worked quickly to stop any further unauthorized access and restore the encrypted data. Assisted by a third-party computer forensics firm, Assured Imaging investigated the ransomware attack to determine the scope of the breach. The investigation revealed an unauthorized individual gained access to its systems between May 15, 2020 and May 17, 2020 and exfiltrated “limited data” prior to the deployment of ransomware.

The forensic investigation confirmed data had been stolen but it was not possible to determine exactly what information was exfiltrated by the attackers. A review was conducted to identify all types of information that could potentially have been accessed. The compromised system was found to contain full names, addresses, dates of birth, patient IDs, facility used, treating clinicians’ names, medical histories, services performed, assessments of the service performed, and recommendations on future testing.

Assured Imaging is unaware of any misuse of patient data but encourages all affected individuals to monitor their accounts and credit reports for any sign of fraudulent activity.

The incident has been reported to law enforcement and the Department of Health and Human Services’ Office for Civil Rights. The OCR breach portal indicates up to 244,813 individuals were affected by the attack.

Email Breach Affects 6,000 Roper St. Francis Healthcare Patients

Charleston, SC-based Roper St. Francis Healthcare has reported a data breach involving a single email account. The breach was detected on July 8, 2020, and the investigation revealed the email account was compromised between June 13, 2020 and June 17, 2020.

The forensic investigation confirmed the email account contained patients’ names, dates of birth, medical record or patient account numbers, and limited clinical and/or treatment information, including providers’ names, diagnoses, and/or procedure information. The health insurance information and/or Social Security numbers of a limited number of individuals were also stored in the email account. Approximately 6,000 patients have been affected by the breach.

Individuals whose Social Security number was compromised have been offered complimentary credit monitoring and identity theft protection services. Roper St. Francis Healthcare has reinforced training on email security and has augmented its email security measures.

This is not the first phishing attack to be reported by Roper St. Francis this year. In February, the healthcare provider announced the email accounts of 13 employees had been compromised as a result of a phishing attack between November 15, 2018 and December 1, 2018. The PHI of 35,253 patients was compromised in that breach.

Hamilton Health Center Reports Impermissible Disclosure of 10,000 Patients’ PHI

Harrisburg, PA-based Hamilton Health Center, Inc. has announced the protected health information of 10,393 individuals was impermissibly disclosed as a result of a recent phishing attack.

Hamilton Health Center learned on June 19, 2020 that a spreadsheet containing patient information had been sent to an unauthorized individual in response to a phishing email. The spreadsheet contained patients’ full names, member IDs, and dates of birth, along with one or more of the following data elements: diagnosis, treatment, physical condition, medications, dates of laboratory tests and/or examinations, and/or the name of the patient’s provider.

While the above data were impermissibly disclosed, no reports have been received to indicate any information has been misused. Affected individuals are being encouraged to monitor their explanation of benefits statements for any sign of misuse of their information.


56,000 Northwestern Memorial HealthCare Donors Impacted by Blackbaud Ransomware Attack

Northwestern Memorial HealthCare has discovered the personal information of individuals who had previously made donations to Northwestern Memorial HealthCare was potentially compromised in the recent Blackbaud ransomware attack. An unauthorized individual first gained access to Blackbaud systems on February 7, 2020, with access possible until May 20, 2020, when ransomware was deployed.

Prior to the use of ransomware, the attacker may have accessed a backup of a database that contained names, age, gender, dates of birth, medical record number, dates of service, departments of service, treating physicians, and/or limited clinical information. The database also contained the Social Security numbers and/or financial/payment card information of 5 individuals. In total, the information of 55,983 Northwestern Memorial HealthCare donors was potentially compromised in the attack.

Northwestern Memorial HealthCare is conducting a review of its third-party database storage vendors and its relationship with Blackbaud in order to prevent similar data breaches in the future.

Names and Health Insurance Information of 15,000 Lafayette Fire Department Ambulance Users Compromised

On July 27, 2020, the City of Lafayette, CO experienced a ransomware attack that disrupted its phone, email, online payment, and reservation systems and prevented the city from accessing essential data. After weighing the costs and benefits of all options, the decision was taken to pay the $45,000 ransom rather than risk extensive disruption and damage to its online operations.

Prior to the deployment of ransomware, the attackers may have gained access to personal information stored on Lafayette’s computer network. In addition to the personal information, including Social Security numbers, of city employees, and usernames and passwords of individuals who used certain online services, the attackers potentially gained access to the names and health insurance identification numbers of 15,000 individuals who had been transported by the Lafayette Fire Department ambulance prior to January 1, 2018.

The city has cleaned and rebuilt its system servers and computers, crypto-safe backup systems have been deployed, and additional cybersecurity measures are being implemented to prevent further ransomware attacks.

Cook Children’s Medical Center Breach Impacts 1,768 Individuals

Fort Worth, TX-based Cook Children’s Medical Center has discovered that a box of radiology images was missing from a locked storage room. A search was conducted for the missing storage discs, but they could not be located. The protected health information contained on the discs was limited to names, dates of birth, medical record numbers, service dates, physician names, and scan types.

The images required specialist software to view, but some of the protected health information could have been viewed without specialist software. The images related to 1,768 individuals who had undergone hip and spine imaging between 2005 and 2014. No reports have been received to suggest any information on the discs has been misused. All affected individuals have now been notified.

PHI of 2,102 Individuals Potentially Compromised in D&S Residential Holdings Phishing Attack

Austin, TX-based D&S Residential Holdings has discovered an unauthorized individual gained access to some employee email accounts between April 20, 2020 and June 15, 2020 as a result of responses to phishing emails.

D&S Residential Holdings conducted a comprehensive investigation, assisted by a leading computer security firm, but was unable to determine whether any information in the email accounts was accessed or stolen by the attackers.

A review of the email accounts revealed they contained protected health information. Individuals whose Social Security number was compromised in the attack have been offered 12 months of complimentary credit monitoring and identity theft protection services. The breach report submitted to the HHS’ Office for Civil Rights indicates 2,102 individuals were affected by the breach.
