HIPAA Breach News

Dental Care Alliance Data Breach Impacts More Than 1 Million Patients

Posted by HIPAA Journal

Sarasota, FL-based Dental Care Alliance, LLC, a dental support organization with more than 320 affiliated dental practices across 20 states, has been hacked and the protected health information of more than a million individuals has potentially been compromised. The breach occurred on September 18, 2020, was detected on October 11, and was contained on October 13.

The breach investigation did not uncover any specific evidence to suggest patient information has been obtained by the attackers or misused. A review of the systems accessible to the attackers revealed they contained names addresses, diagnoses, treatment information, patient account numbers, billing information, dentists’ names, health insurance information, and for around 10% of affected individuals, bank account numbers.

Notification letters were sent to the 1,004,304 affected individuals by Dental Care Alliance in November.

Legacy Community Health Services Email Breach Impacts 3,076 Patients

Legacy Community Health Services (LCHS) in Texas is notifying 3,076 individuals that some of their protected health information was contained in an email account that was accessed by an unauthorized individual.  LCHS identified an unauthorized login to an employee’s email account on July 24, 2020 and a password reset was performed the same day.

A third-party cybersecurity firm was engaged to investigate the breach and the review of the compromised account was completed on September 22, 2020. The review revealed the account contained patient names and limited clinical information related to care received and one patient’s driver’s license number. Misuse of patient information is not suspected. Notifications were sent to the 3,076 patients on November 20, 2020.

This is the third email breach to be reported by LCHS in 2020. An email account breach was reported to the HHS’ Office for Civil Rights in September as affecting 228,000 individuals, and a breach was reported as affecting 19,000 individuals in June 2020.

Hillcrest Nursing Center Discovers Unauthorized Medical Record Access by Former Employee

Hillcrest Nursing Center in Round Lake Beach, IL has discovered the protected health information of certain residents may have been viewed by an unauthorized individual.

On or around August 4, 2020, Hillcrest Nursing Center terminated one of its staff physicians. On August 23, 2020, Hillcrest was informed by some family members of residents that they had received a phone call from the terminated physician who had discussed care and treatment. An investigation was launched which revealed the physician still had access to the Hillcrest medical record system.

The physician’s login was immediately revoked, and a review was conducted to determine which records could potentially have been accessed. The review was completed on October 9, 2020 and confirmed the terminated physician had access to 1,030 records which included names, Social Security numbers, insurance information, medical histories, and treatment information.

All affected individuals have now been notified and complimentary identity theft restoration and credit monitoring services are being provided. A new policy has now been implemented that requires access to the electronic medical record system to be immediately revoked when staff members are terminated or otherwise leave employment.

The post Dental Care Alliance Data Breach Impacts More Than 1 Million Patients appeared first on HIPAA Journal.

Six More Healthcare Providers Impacted by Ransomware Attacks

Posted by HIPAA Journal

GBMC HealthCare in Maryland, Golden Gate Regional Center in California, and Dyras Dental in Michigan have recently suffered ransomware attacks and Allegheny Health Network, AMITA Health, and Bayhealth have announced they have been affected by the ransomware attack on Blackbaud Inc.

GBMC HealthCare

Towson, MD-based GBMC HealthCare has announced it suffered a ransomware attack on December 6, 2020 that forced its computer systems offline and the healthcare provider is now operating under EHR downtime procedures while the attack is mitigated.  GBMC HealthCare had planned for such an attack and had processes in place to ensure care could continue to be provided to patients while keeping disruption to a minimum.

Safe and effective care continues to be provided to patients and its emergency department did not stop receiving patients; however, some elective procedures scheduled for Monday 7, December were postponed. Efforts are underway to bring systems back online and restore the encrypted data and law enforcement has been notified and is investigating the attack. The Egregor ransomware gang has claimed responsibility for the attack.

Golden Gate Regional Center

Golden Gate Regional Center, a provider of services for individuals with developmental disabilities in Marin, San Francisco, and San Mateo counties in California, identified suspicious activity on its computer systems on September 23, 2020. The investigation revealed the protected health information of 11,315 had been exfiltrated from its computer systems prior to the deployment of ransomware.

Data stolen in the attack was limited to names, GGRC client identification numbers, service codes/descriptions, vendor/service provider names/numbers, month or year of service, and cost information related to the services provided. The investigation did not uncover evidence to suggest any stolen data has been misused. Affected individuals were notified by mail in November and complimentary identity theft protection services have been provided to breach victims.

Dyras Dental

Dyras Dental in Lansing, MI has experienced a ransomware attack involving Egregor ransomware, although this has not been confirmed by the dental service provider. A dump of data stolen in the attack was identified by databreaches.net on September 24, 2020. Attempts were made to contact Dyras Dental, but no response was received. Databreaches.net has referred the breach to the Department of Health and Human Services’ Office for Civil Rights as it would appear that the breach has not been reported and patients have not received notification that their PHI has been stolen.

According to Databreaches.net, the dumped data included over 100 files that included insurance billing information, employee W-2 statements, and voicemail recordings containing PHI.

Allegheny Health Network, AMITA Health, and Bayhealth Impacted by Blackbaud Ransomware Attack

Pennsylvania-based Allegheny Health Network, Illinois-based AMITA Health, and Delaware-based Bayhealth have recently announced they have been impacted by the ransomware attack on the software and cloud computing services provider Blackbaud. The healthcare providers used Blackbaud to maintain their fund-raising records and donor databases.

Blackbaud assured the three healthcare providers that no credit card information, bank account information, or social security numbers were compromised in the attack, but some protected health information was stolen by the attackers prior to the deployment of ransomware. Blackbaud paid the ransom demand and received assurances that all stolen data was subsequently destroyed and has not been, and will not be, sold on, published, or misused.

Allegheny Health Network was one of the worst affected clients with the records of 299,507 individuals stolen in the attack. AMITA Health has reported the breach as affecting 261,054 individuals and Bayhealth says 78,006 individuals were affected.

University of Vermont Medical Center Ransomware Attack Cost Could Exceed $63 Million

Ransomware attacks can prove extremely costly. The October 2020 ransomware attack on the University of Vermont Medical Center has reportedly cost more than $1.5 million per day in lost revenue and increased expenses, according to hospital president Stephen Leffler, not including the cost of getting its systems back up and running. The attack occurred on October 28, 2020 and 42 days later losses continue to be experienced. Lost revenue and expenses could exceed $63 million.

The hospital has restored many systems and is operational; however, around 30% of the 600 applications used by the hospital remain out of action and disruption is still being experienced in some areas. Most of the radiology systems have now been restored, although that process has taken around six weeks, cancer treatment capabilities are still not fully restored, sleep studies have not been restarted, and the process of addressing the backlog of postponed appointments and entering handwritten records into its systems is expected to take several more weeks.

The post Six More Healthcare Providers Impacted by Ransomware Attacks appeared first on HIPAA Journal.

Insider Data Breaches Reported by Montefiore Medical Center and Mercy Health

Posted by HIPAA Journal

Two insider data breaches have been reported in the past few days by Montefiore Medical Center and Mercy Health. Both incidents involved an employee accessing patient information when there was no legitimate work-related reason for doing so.

Former Montefiore Medical Center Employee Accessed Patient Data for Billing Scam

Montefiore Medical Center in New York City has discovered a former employee accessed patient information as part of a billing scam. Patient names, medical record numbers, and surgery dates were viewed and used to create invoices for unused surgical products, in connection with a vendor.

Montefiore Medical Center discovered the fraud after the invoices had been paid and launched an investigation that revealed the former employee had accessed the information of approximately 4,000 patients without authorization between January 2018 and July 2020.

Medical records, Social Security numbers, and financial information were not accessed, and the investigation has not uncovered any evidence to suggest patients or their insurance companies were defrauded. The fraud has been reported to law enforcement and the investigation is ongoing.

Montefiore Medical Center said the former employee died during the investigation and the vendor has been banned from all Montefiore campuses.

Montefiore Medical Center has taken steps to prevent similar incidents in the future. The paper forms involved in the scam are no longer used and procedures for processing invoices for surgical supplies are being reviewed.

Criminal background checks are already conducted prior to appointment and all employees receive training on privacy policies and are made aware that the medical center has a zero-tolerance policy concerning accessing medical records unless there is a work-related reason for doing so.

Mercy Health Discovers Unauthorized PHI Access by Former Employee

Cincinnati, OH-based Mercy Health has started notifying certain patients that some of their protected health information has been accessed by a member of staff for reasons other than providing care.

The insider breach was discovered by Mercy Health on October 7, 2020. The investigation revealed the employee had accessed patient information on multiple occasions when the information was not required for providing care to patients. The reason for the unauthorized access has not been made public.

Affected patients have been advised to monitor their credit reports and billing/accounts statements and to report any unauthorized activity. As a precaution against identity theft and fraud, affected patients have been offered a complimentary 1-year membership to IDX identity theft protection services.

For the majority of affected patients, the information accessed was limited to name, address, demographic information, date of birth, medical record number, treatment information, clinical information, and/or radiological images.  The former employee also viewed the health insurance ID numbers of a limited number of patients.

Mercy Health has since enhanced procedures to prevent similar incidents in the future and the staff has been re-educated on compliance with Mercy Health’s policies and procedures.

At the time of writing, the incident has not appeared on the HHS’ Office for Civil Rights breach portal so it is unclear how many patents have been affected.

The post Insider Data Breaches Reported by Montefiore Medical Center and Mercy Health appeared first on HIPAA Journal.

Email Account Breaches Reported by University of Minnesota Physicians and McLeod Health

Posted by HIPAA Journal

University of Minnesota Physicians has suffered a phishing attack that allowed unauthorized individuals to gain access to the email accounts of two employees. One email account was accessible between January 30 and January 31, 2020 and the other on February 4, 2020 for a short period of time.

Upon discovery of the breach, the accounts were immediately secured, and third-party forensic investigators were engaged to assess the nature and scope of the breach. The review did not uncover any evidence to suggest emails in the accounts had been viewed or patient data obtained, but it was not possible to rule out data access with a sufficiently high degree of certainty.

A review of the compromised accounts revealed they contained the protected health information of certain patients. The types of information in the accounts varied from patient to patient and may have included name, address, date of birth, date of death, date of service, telephone number, medical record number, account number, payment card number, health insurance information, and medical information. A limited number of individuals also had their Social Security number exposed.

Notification letters started to be sent to affected individuals on March 30, 2020, even though the investigation was still ongoing. That investigation has now been completed. The delay was due to the painstaking and lengthy process involved in identifying the relevant data.

University of Minnesota Physicians said that at the time of the breach, multiple email security controls were in place including multi-factor authentication, regular training was being provided to employees on privacy and security, and phishing simulations were being conducted.

Additional technology has now been implemented to further improve security and refresher security training has been provided to employees. Affected individuals have been offered 12 months of complimentary credit monitoring and identity theft protection services through Kroll.

The March 30, 2020 entry on the Office for Civil Rights breach portal indicates 683 individuals have been affected at the time of writing.

McLeod Health Discovers Email Account Breach

South Carolina-based Mcleod Health has discovered the email account of an employee has been accessed by unauthorized individual. Suspicious email account activity was detected on June 23, 2020 and the email account was immediately secured.

A comprehensive forensic review was conducted to determine the nature and scope of the breach, which revealed the email account was breached between April 13, 2020 and April 16, 2020. On August 19, 2020, McLeod Health determined the content of the email account had been downloaded by the attacker in April.

McLeod Health is in the process of conducting a review of the impacted email account to determine what information has been obtained by the attacker and which patients have been affected. Notifications will be mailed to affected patients when the review is completed.

McLeod Health had previously implemented multi-factor authentication to prevent compromised credentials from being used to gain access to email accounts; however, some internal settings had prevented it from being implemented on some devices. That issue is now being addressed and additional security awareness training is being provided to employees.

The post Email Account Breaches Reported by University of Minnesota Physicians and McLeod Health appeared first on HIPAA Journal.

Healthcare Provider Discovers Patient Data Exposed Online for Over 4 Years

Posted by HIPAA Journal

A round up of healthcare data breaches recently reported by Fairchild Medical Center, Harvard Pilgrim Health Care, and Indian Health Council Inc.

Fairchild Medical Center Discovers Patient Information has been Exposed Online

Fairchild Medical Center in Yreka, CA, has started notifying certain patients that some of their protected health information may have been accessed by unauthorized individuals over the Internet.

In July 2020, Fairchild Medical Center was notified by a third-party security company that a server had been misconfigured, which allowed it to be accessed via the Internet. Assisted by third-party computer specialists, the medical center determined patient information could potentially have been accessed by unauthorized individuals.

The server contained medical images along with patient names, dates of birth, patient identification numbers, exam identification numbers, ordering provider names, and exam dates. The misconfiguration had occurred on December 16, 2015 and was not corrected until July 31, 2020. After changes were made to secure the server, they were verified by a third-party security company.

A forensic investigation could not confirm whether patient information was accessed by unauthorized individuals during the time the server was exposed, but the possibility could not be ruled out.

Harvard Pilgrim Health Care Reports Mismailing Incident

Harvard Pilgrim Health Care is notifying 8,022 individuals that a software error in its enrollment data management system caused an individual’s mailing addresses to be associated with another address associated with that individual’s health plan. As a result of the error, some mailings may have been misdirected to the address of a subscriber of the individual’s health plan or to a former address. The issue was traced back to an error that occurred in 2013.

The types of information that may have been disclosed varied from mailing to mailing and potentially included the member’s name, ID number, date of birth, telephone number, dates of service, provider names, treatment information, charges for services, deductibles, co-pay amount, and co-insurance information related to healthcare coverage.

The issue has now been corrected and the process of system updates has been reviewed and enhanced. Affected individuals have been asked to check their Activity Summaries and to report any suspicious entries to Harvard Pilgrim immediately.

Indian Health Council Inc Suffers Ransomware Attack

Valley Center, CA-based Indian Health Council Inc. was the victim of a ransomware attack in September 2020 that resulted in file encryption and may have impacted patients’ protected health information. The cyberattack was discovered on September 22, 2020 and independent computer forensic experts were engaged to assist with the investigation.

A review of the files accessible to the attacker revealed some contained patient information such as names, birth dates, health information, and health insurance information and, for a limited number of individuals, information about health conditions, treatment, or diagnosis information.

Following the attack, passwords were changed, and security has been strengthened to prevent further attacks. Additional measures implemented include further controls covering remote access and multi-factor authentication.

All patients affected by the breach have now been notified. The breach report submitted to the Office for Civil Rights indicates 5,769 individuals were potentially affected.

The post Healthcare Provider Discovers Patient Data Exposed Online for Over 4 Years appeared first on HIPAA Journal.

Healthcare Provider Discovers Patient Data Exposed Online for Over 4 Years

Posted by HIPAA Journal

A round up of healthcare data breaches recently reported by Fairchild Medical Center, Harvard Pilgrim Health Care, and Indian Health Council Inc.

Fairchild Medical Center Discovers Patient Information has been Exposed Online

Fairchild Medical Center in Yreka, CA, has started notifying certain patients that some of their protected health information may have been accessed by unauthorized individuals over the Internet.

In July 2020, Fairchild Medical Center was notified by a third-party security company that a server had been misconfigured, which allowed it to be accessed via the Internet. Assisted by third-party computer specialists, the medical center determined patient information could potentially have been accessed by unauthorized individuals.

The server contained medical images along with patient names, dates of birth, patient identification numbers, exam identification numbers, ordering provider names, and exam dates. The misconfiguration had occurred on December 16, 2015 and was not corrected until July 31, 2020. After changes were made to secure the server, they were verified by a third-party security company.

A forensic investigation could not confirm whether patient information was accessed by unauthorized individuals during the time the server was exposed, but the possibility could not be ruled out.

Harvard Pilgrim Health Care Reports Mismailing Incident

Harvard Pilgrim Health Care is notifying 8,022 individuals that a software error in its enrollment data management system caused an individual’s mailing addresses to be associated with another address associated with that individual’s health plan. As a result of the error, some mailings may have been misdirected to the address of a subscriber of the individual’s health plan or to a former address. The issue was traced back to an error that occurred in 2013.

The types of information that may have been disclosed varied from mailing to mailing and potentially included the member’s name, ID number, date of birth, telephone number, dates of service, provider names, treatment information, charges for services, deductibles, co-pay amount, and co-insurance information related to healthcare coverage.

The issue has now been corrected and the process of system updates has been reviewed and enhanced. Affected individuals have been asked to check their Activity Summaries and to report any suspicious entries to Harvard Pilgrim immediately.

Indian Health Council Inc Suffers Ransomware Attack

Valley Center, CA-based Indian Health Council Inc. was the victim of a ransomware attack in September 2020 that resulted in file encryption and may have impacted patients’ protected health information. The cyberattack was discovered on September 22, 2020 and independent computer forensic experts were engaged to assist with the investigation.

A review of the files accessible to the attacker revealed some contained patient information such as names, birth dates, health information, and health insurance information and, for a limited number of individuals, information about health conditions, treatment, or diagnosis information.

Following the attack, passwords were changed, and security has been strengthened to prevent further attacks. Additional measures implemented include further controls covering remote access and multi-factor authentication.

All patients affected by the breach have now been notified. The breach report submitted to the Office for Civil Rights indicates 5,769 individuals were potentially affected.

The post Healthcare Provider Discovers Patient Data Exposed Online for Over 4 Years appeared first on HIPAA Journal.

More Than 295K Patients Impacted by Cyberattack on AspenPointe

Posted by HIPAA Journal

The Colorado Springs-based mental health and behavioral health services provider AspenPointe has announced it was the victim of a cyberattack in September 2020 in which patient information may have been compromised. The attack forced the healthcare provider to take its systems offline and most of its operations were affected for several days while the attack was mitigated.

Third-party cybersecurity professionals were engaged to assist with the investigation and recovery efforts and determine the extent to which patient information may have been compromised. A review of the documents potentially accessible to the attackers revealed on November 10, 2020 that patient information had potentially been accessed or acquired.

The documents on the breached systems contained patient names along with one or more of the following data elements: date of birth, driver’s license number, bank account information, Medicaid ID number, admission/discharge dates, diagnosis code, date of last visit, and/or Social Security number.

Following the discovery of the breach, a password reset was performed. Cybersecurity has since been strengthened with additional endpoint protection technology, changes to the firewall, and other measures and network monitoring has been enhanced.

Notification letters are now being sent to all individuals potentially affected by the breach and a 1-year complimentary membership to IDX credit monitoring services is being provided to breach victims. Breach victims are also protected by a $1 million identity theft insurance policy and will have access to identity theft recovery services should they be required.

AspenPointe explained in its substitute breach notice that there have been no reported cases of identity theft, fraud, or improper use of patient information and no evidence was found to indicate any patient data was actually stolen by the attackers.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates the protected health information of 295,617 patients was potentially compromised in the attack.

The post More Than 295K Patients Impacted by Cyberattack on AspenPointe appeared first on HIPAA Journal.

Mayo Clinic Faces Multiple Lawsuits over Insider Privacy Breach

Posted by HIPAA Journal

Mayo Clinic is facing multiple class action lawsuits over an insider data breach reported in October 2020. Mayo Clinic discovered a former employee had accessed the medical records of 1,600 patients without authorization and viewed information such as patient names, demographic information, dates of birth, medical record numbers, medical images, and clinical notes.

The Health Insurance Portability and Accountability Act (HIPAA) requires all HIPAA-covered entities to implement safeguards to ensure the privacy, confidentiality, and integrity of protected health information and limits the disclosures and uses of that information when patient consent is not obtained.

Healthcare employees are permitted to access PHI in the course of their work duties, but in this case the former employee had no legitimate work reason for viewing the records. The unauthorized access is in violation of the HIPAA Rules; however, there is no private cause of action in HIPAA, so individuals affected by such a breach cannot take legal action for any HIPAA violation that results in their medical records being exposed or compromised.

Two lawsuits have recently been filed in Minnesota state courts alleging violations of the Minnesota Health Records Act (MHRA), which introduced stricter regulations covering the privacy of healthcare data in Minnesota. MHRA applies to all applies to all Minnesota-licensed physicians and the legislation does have a private cause of action, so patients whose providers violate MHRA can be sued.

The lawsuit alleges Mayo Clinic did not implement systems or procedures to ensure plaintiffs’ and similarly situated individuals’ health records would be protected and not subject to unauthorized access, and that the former employee accessed the plaintiffs’ medical records without first obtaining their consent.

Under MHRA, healthcare providers must obtain a signed and dated consent form from a patient or the patient’s legal representative authorizing the release of their medical records, unless there is a specific authorization in law, or when there is a representation from a provider holding a signed and dated consent form from the patient in question authorizing the release of their medical records.

The lawsuit also brings common law tort claims for the invasion of privacy, negligent infliction of emotional distress, and vicarious liability. A major contributory factor to the emotional distress was some of the medical images that were accessible included nude photographs of patients taken in connection with their cancer treatments. The plaintiffs seek monetary damages and other relief deemed appropriate by the courts.

The post Mayo Clinic Faces Multiple Lawsuits over Insider Privacy Breach appeared first on HIPAA Journal.

US Fertility Reports Ransomware Attack Involving Data Theft

Posted by HIPAA Journal

US Fertility has announced it suffered a ransomware attack on September 14, 2020 that affected some of its computer systems, including systems that contained sensitive protected health information. US Fertility is the largest operator of fertility clinics in the United States, running clinics at 55 locations in 10 states. Almost half of its locations are known to have been affected by the attack.

US Fertility responded immediately to the attack and determined that data had been encrypted on a number of its servers and workstations connected to its domain. Those devices were immediately taken offline while the attack was investigated. Third-party security and forensic experts were retained to assist with the investigation and the recovery of data on the affected workstations and servers. USF said it successfully restored all affected devices and reconnected them to the network on September 20, 2020. The attack has been reported to federal law enforcement and USF is assisting in the ongoing investigation.

USF said the forensic investigation has now been completed and data theft has been confirmed. The attackers first gained access to its network on August 12, 2020 and access remained possible until the attack was discovered on September 14, 2020. A review was conducted of all files accessible to the attackers, that that review was completed on November 13.

USF said unknown actors may have had access to files containing names, addresses, dates of birth, MPI numbers, and Social Security numbers. The types of data exposed varied from individual to individual and most patients did not have their Social Security number compromised.

While data theft was confirmed, there have been no reports received to indicate protected health information has been misused, but affected individuals have been advised to monitor their accounts and report any cases of suspected misuse of their protected health information.

USF has taken several steps to improve security since the attack, including fortification of its firewall, enhanced monitoring of networking activity, and further training has been provided to employees on data protection, computer security, and recognizing phishing emails.

The post US Fertility Reports Ransomware Attack Involving Data Theft appeared first on HIPAA Journal.