HIPAA Breach News

Protected Health Information of 129K Individuals Potentially Compromised in Behavioral Health Network Malware Attack

Behavioral Health Network (BHN), the largest behavioral health service provider in Western Massachusetts, has announced that malware was downloaded onto its computer systems that prevented files from being accessed.

The security breach was discovered on May 28, 2020 when staff were prevented from accessing files. An investigation was immediately launched to determine the extent of the attack and whether any data had been exfiltrated by the attacker. Around July 17, 2020, BHN determined that an unauthorized individual had gained access to its systems on May 26, two days before the malware was introduced.

While it was not possible to determine whether any data had been stolen by the attacker prior to the deployment of the malware, the possibility of data theft could not be totally ruled out. No reports have been received to date indicating patient data has been misused.

An analysis of the affected systems revealed the protected health information of 129,571 current and former patients was potentially compromised. The systems that were accessible to the attacker contained names, addresses, dates of birth, Social Security numbers, medical/diagnosis/treatment information, and/or health insurance claim information.

Out of an abundance of caution, individuals affected by the incident have been offered complimentary credit monitoring and identity theft protection services. To help prevent further data breaches, policies and procedures are being reviewed, staff are being provided with further training on data privacy and security, and additional safeguards are being put in place to prevent further unauthorized data access.

9,200 Rite Aid Customers Notified PHI was Potentially Compromised During Period of Civil Unrest

Rite Aid Corporation has confirmed that the protected health information of 9,200 customers was potentially compromised during the period of civil unrest in late May. Several break-ins occurred at Rite Aid pharmacies on and after May 27, and thieves stole prescription orders awaiting collection, along with hard copies of prescription records that contained customer information. The types of data exposed or stolen included names, addresses, and details of prescribed medications.

Rite Aid is far from the only pharmacy chain to have suffered break-ins and looting. Walgreens, Walmart, CVS, Cub, and Kroger pharmacies all suffered similar incidents, as did many independent pharmacies.

The post Protected Health Information of 129K Individuals Potentially Compromised in Behavioral Health Network Malware Attack appeared first on HIPAA Journal.

Data Breaches Reported by University of Maryland Faculty Physicians and Highpoint Foot & Ankle Center

The University of Maryland Faculty Physicians, Inc. (FPI) has suffered a phishing attack in which the protected health information of patients of University of Maryland Medical Center (UMMC) may have been accessed by unauthorized individuals.

FPI is the faculty practice plan for University of Maryland School of Medicine affiliated physician practice groups and provides support to physicians and staff who provide services at UMMC locations.

Following the discovery of the unauthorized accessing of an FPI email account, the account was secured and a comprehensive investigation was conducted to determine the nature and scope of the breach. On May 26, 2020, FPI determined the email account was accessed by an unauthorized individual between February 6, 2020 and February 11, 2020. The email account contained the protected health information of 33,896 individuals.

The types of information in the account varied from patient to patient and may have included the following data types in addition to patient names: date of birth, medical record number, and clinical information related to the care received at a UMMC location or from an FPI-affiliated physician. A small number of Social Security numbers were also found in emails and email attachments. No evidence was uncovered suggesting patient data was viewed or obtained by the attacker.

FPI and UMMC have conducted a review of policies and procedures and steps have been taken to improve email security to prevent further breaches in the future.

Records of 25,554 Patients of Highpoint Foot & Ankle Center Potentially Compromised

Highpoint Foot & Ankle Center in Chalfont, PA has discovered an unauthorized individual conducted a remote access attack and gained access to systems containing 25,554 patient records. The security breach was detected on May 20, 2020 and prompt action was taken to prevent further unauthorized system access.

An internal investigation was immediately launched which revealed the hacker had access to patient records that contained patient names, addresses, dates of birth, phone numbers, Social Security numbers, and diagnosis and treatment information. While unauthorized access was confirmed, no evidence was found that indicated patient information was viewed or copied and no reports have been received suggesting patient data has been misused.

Highpoint Foot & Ankle Center has implemented additional safeguards to prevent further security breaches and has offered affected patients complimentary membership to credit monitoring and identity theft protection services through MyIDCare.


Ashley County Medical Center Nurse Terminated for Improper Medical Record Access

A former employee of Ashley County Medical Center has been discovered to have accessed the medical records of 722 patients without authorization.

Ashley County Medical Center launched an investigation into the HIPAA violation and determined the nurse had viewed limited patient data for reasons unrelated to the provision of care or treatment. Ashley County Medical Center does not believe any patient information was shared with a third party or accessed with a view to misusing the data. Patient information is believed to have been accessed out of curiosity.

Ashley County Medical Center has a sanctions policy in place covering unauthorized medical record access, and in line with that policy the nurse was terminated for the HIPAA violation.

“Patient privacy is an extremely serious matter and any failure to protect patient information will subject employees to disciplinary actions,” said Phillip Gilmore, Chief Executive Officer, ACMC. “We are continuing to take steps to report the actions of this employee, notify any additional patients whose information was viewed, continuing to diligently monitor and protect patient information, and provide additional education to our staff.”

San Antonio Hospital Exposed Patient Data Online

The protected health information of 1,237 patients of Foundation Surgical Hospital of San Antonio in Texas has been accidentally exposed over the internet.

On January 29, 2020, the hospital posted a link on its website to a file that was supposed to show average hospital charges; however, the file linked via the website contained patients’ names, diagnosis codes, patient account numbers, procedure dates, charges and amount paid, and whether the charges had been paid, were due, or had been written off. The incorrect document was reported to the hospital and the link was removed on May 27, 2020.


Almost 20,000 Patients Affected by Owens Ear Center Ransomware Attack

Owens Ear Center in Fort Worth, TX, suffered a ransomware attack on May 28, 2020 in which patient information was encrypted. The computer systems that were encrypted contained patients’ medical records, which included information such as names, addresses, dates of birth, health insurance information, health information, and Social Security numbers.

Many ransomware attacks on healthcare organizations see healthcare data stolen before it is encrypted. These double extortion attacks require a ransom to be paid in order to decrypt files and prevent the sale or publication of the stolen data. Owens Ear Center investigated the attack and found no evidence to indicate patient information was accessed or copied prior to file encryption and believes this was solely an attempt to extort money from the practice and that the attackers were not interested in patient data.

However, since unauthorized data access could not be ruled out, all affected patients have been notified and, out of an abundance of caution, have been offered complimentary identity theft protection services. Steps have since been taken to improve defenses against ransomware attacks.

According to the breach summary on the HHS’ Office for Civil Rights breach portal, the PHI of 19,908 patients was encrypted in the attack.

Children’s Hospital of Pittsburgh Foundation Affected by Blackbaud Inc. Ransomware Attack

Children’s Hospital of Pittsburgh Foundation has been notified by one of its business associates that the protected health information of some of its patients has potentially been accessed by unauthorized individuals.

Blackbaud Inc., a provider of customer relationship management systems for non-profit organizations, suffered a ransomware attack and a file containing limited patient data was accessed by the attacker. The incident occurred between February 7, 2020 and May 20, 2020.

The file contained information such as patients’ names, addresses, birth dates and other general demographic data. Blackbaud paid the ransom and was able to recover its data. Blackbaud does not believe any data was shared with any third party or was made public.

Blackbaud was able to quickly identify and correct the vulnerability that was exploited, and security of its IT systems has been hardened, including making improvements to access management, network segmentation, and the deployment of additional endpoint and network-based platforms.

Email Account Breach Identified by Premier Healthcare Partners

Premier Healthcare Partners in Dayton, OH has discovered an unauthorized individual has gained access to the email accounts of some of its employees and potentially viewed or obtained the protected health information of certain patients of the Clinical Neuroscience Institute, Help Me Grow Brighter Futures, Samaritan Behavioral Health Inc. (SBHI), and CompuNet Clinical Laboratories.

Upon discovery of the breach the accounts were immediately secured, and an investigation was launched to determine the nature and scope of the breach. The breach was detected on June 8, 2020 and it was confirmed on July 17 that email accounts had been accessed by an individual with no connection to Premier Healthcare Partners.

A comprehensive review of the breached email accounts is currently underway and affected patients will be notified if their PHI has been exposed when the review has been completed. At this stage, no evidence has been found to indicate PHI has been accessed, copied, or misused.


Four Healthcare Providers and a Ventilator Manufacturer Attacked with Ransomware

Long Island City, NY-based Boyce Technologies Inc, which makes transport communication systems and recently switched its production facilities to produce ventilators for hospitals during the pandemic, has been attacked with DoppelPaymer ransomware. Data was stolen prior to file encryption and a sample of the stolen data has been published on the threat actor’s blog. The stolen data includes purchase orders, assignment forms, and other sensitive data.

Boyce Technologies Inc. was approved by the FDA to manufacture ventilators and was producing around 300 machines a day. Those ventilators have been used in hospitals in New York and the company is now making ventilators for other areas. The ransomware attack has threatened the production of those ventilators and has potentially put lives at risk.

Piedmont Orthopedics/OrthoAtlanta, a network of orthopedic and sports medicine centers in the greater Atlanta area, has been attacked by threat actors using Pysa (Mespinoza) ransomware. As with the attack on Boyce Technologies, prior to the encryption of files the threat actors exfiltrated sensitive data. According to databreaches.net, around 3.5 GB of data have been published online, including files that contain patients’ protected health information. Olympia House Rehab in Petaluma, CA and the Center for Fertility and Gynecology in Los Angeles, CA have both been attacked with Netwalker ransomware and have had data stolen and published online, including patients’ protected health information.

Muskingum Valley Health Centers in Zanesville, OH has recently notified 7,447 patients that some of their protected health information was potentially obtained by threat actors prior to the use of ransomware on the medical record system used by OB GYN Specialists of Southeastern Ohio Inc.

The EHR contained the records of patients who received care between 2012 and 2017. The attack occurred on May 31, 2020 and was identified on June 2. The investigation found no evidence suggesting patient information was stolen prior to the use of ransomware, although the possibility of data theft could not be ruled out. The attackers potentially had access to names, dates of birth, addresses, Social Security numbers, diagnoses, medical conditions, lab test results, treatment information, insurance claim information, and financial information. Affected individuals have been offered 24 months of complimentary credit monitoring and identity theft recovery services. Security policies, procedures and password requirements have been updated to prevent further attacks.

41 healthcare providers reported ransomware attacks in the first half of 2020 according to Emsisoft. The double-extortion attacks involving threats to publish or sell data if the ransom is not paid are growing, with many threat groups now adopting this tactic. According to Emsisoft, around 1 in 10 ransomware attacks now involve data theft.


Children’s Hospital Colorado Suffers Phishing Attack

Children’s Hospital Colorado is notifying 2,553 patients that some of their protected health information was stored in an email account that was accessed by an unauthorized individual between April 6 and April 12, 2020.

Credentials to access the account were obtained when an employee responded to a phishing email. The phishing attack was identified by the hospital on June 22, 2020 and the account was immediately secured. A review of the emails and email attachments in the account revealed they contained patient names, zip codes, dates of service, medical record numbers, and clinical diagnosis information.

Steps have since been taken to harden email security defenses, platforms are being evaluated for educating staff on cybersecurity, and technical controls related to email are also being reviewed.

Stolen Hoag Clinic Laptop Contained Unencrypted PHI

On June 5, 2020, a laptop computer issued to an employee of the Hoag Clinic in Costa Mesa, CA was stolen from a vehicle parked in the worksite parking lot in Newport Beach. The theft was discovered the same day and law enforcement was notified, but the laptop computer has not been recovered.

The IT security team determined the laptop contained the protected health information of 738 individuals, including first and last names, middle initial, address, phone number, date of birth, age, medical record number, e-mail address, physician name, whether the patient is being followed by case management, if a COVID-19 test has been conducted, if the individual had been transferred to case management, if a telehealth visit had been scheduled, communication status notes, and if the individual was interested in home health.

The Hoag Clinic has re-educated the workforce on security safeguards and enhanced policies covering the transportation of laptop computers between worksites, and a thorough security assessment has been conducted to ensure all appropriate cybersecurity safeguards are in place. Affected individuals have been offered complimentary membership to the Experian IdentityWorks identity theft detection and resolution service for 12 months.


PHI Exposed in Phishing Attacks on FHN and Elkins Rehabilitation & Care Center

The Freeport, IL-based healthcare system FHN is notifying certain patients that some of their protected health information has potentially been obtained by an unauthorized individual who gained access to the email accounts of several employees between February 12 and February 13, 2020.

FHN announced on April 20, 2020 that the investigation had confirmed that a breach occurred, but it took time to determine the information that may have been viewed or obtained. It was not possible to determine whether patient information contained in the accounts was viewed or obtained, but data access could not be ruled out. Affected individuals were notified on July 31, 2020.

The compromised accounts contained names, dates of birth, health insurance information, medical record numbers, patient account numbers, and limited treatment and/or clinical information, such as provider names, diagnoses, and medication information. A limited number of Social Security numbers and driver’s license numbers were also potentially compromised.

Complimentary credit monitoring and identity protection services have been offered to individuals whose Social Security numbers and/or drivers’ license numbers were exposed.

FHN has provided further training to its employees to help them identify and avoid suspicious emails and steps have been taken to strengthen email security, including the use of 2-factor authentication.

3,127 Patients Impacted by Email Security Incident at Elkins Rehabilitation & Care Center

In February 2019, Elkins Rehabilitation & Care Center (ERCC) in West Virginia discovered unauthorized individuals had gained access to the email accounts of some of its employees. An internal investigation by the IT security team revealed several computer systems had been infected with malware between February 4, 2019 and February 7, 2019. The IT security team worked fast to identify and remove the malware, and a full password reset was performed on all email accounts. When ERCC learned that the malware was capable of exfiltrating emails, an e-discovery expert was engaged to review all emails in the account to determine the information that was potentially stolen in the attack.

The review of the accounts was completed on July 1, 2020 and notification letters have now been sent to all affected individuals. The breached accounts contained personal and protected health information of current and former residents and employees such as first and last names, limited protected health information, Social Security numbers, and/or driver’s license numbers. Complimentary identity theft restoration and credit monitoring services have been offered to affected individuals.

Steps have been taken to prevent further breaches in the future, including the replacement of hard drives on computers infected with the malware and the installation of new antivirus and antimalware solutions on all computers. Additional security awareness training has also been provided to its employees.


69,777 Patients Impacted by Allergy and Asthma Clinic of Fort Worth Hacking Incident

Allergy and Asthma Clinic of Fort Worth has discovered an unauthorized individual gained access to its computer systems and potentially obtained patients’ billing information. The breach was detected on June 4, 2020 and steps were immediately taken to prevent further unauthorized access. The breach investigation revealed the hacker gained access to the network on May 20, 2020.

A review of the compromised computer systems revealed the hacker potentially accessed files containing patients’ names, addresses, telephone numbers, dates of birth, Social Security numbers, insurance information, and information regarding the reason for visits.

Cybersecurity professionals were retained to conduct a review of Allergy and Asthma Clinic of Fort Worth’s security measures, and additional protections will be implemented, as appropriate, to strengthen network security to prevent further data breaches.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 69,777 individuals were affected by the breach.

Chinese Hackers Targeted Biotech Firm Working on COVID-19 Vaccine

The Massachusetts-based biotech firm Moderna has been targeted by hackers looking for COVID-19 research data. Moderna has been working on a vaccine for COVID-19 and announced its vaccine candidate in January. According to Reuters, the firm identified “information reconnaissance activities” in January and has been in contact with the FBI over the suspected attack.

The firm is believed to have been targeted by the Chinese hackers indicted by the Department of Justice in July for conducting an 11-year campaign of cyber espionage attacks on U.S. businesses and government agencies.

The reconnaissance is believed to have been part of an attempt to steal data related to Moderna’s mRNA COVID-19 vaccine, which has recently entered a phase III clinical trial.

“Moderna remains highly vigilant to potential cybersecurity threats, maintaining an internal team, external support services and good working relationships with outside authorities to continuously assess threats and protect our valuable information,” said Moderna spokesperson Ray Jordan.


PHI of Customers Stolen in Looting Incidents at Cub Pharmacies

Another pharmacy chain has announced that the protected health information of some of its customers has been stolen by looters in late May during the period of civil unrest.

Between May 27 and May 30, 2020, 8 Cub pharmacies in the Minneapolis area were broken into and items were stolen, including paperwork containing the protected health information of its customers. Items taken from the pharmacies included locked safes that contained credit card authorization forms and prescriptions that had been processed and were awaiting collection. Binders containing printed records of past prescriptions and orders that were in the process of being prepared were taken from 6 of the pharmacies in Minneapolis and St. Paul.

The information on the credit card forms included the cardholder name, credit card number, expiry date, and the amount of the transaction, but did not include the CVV code which is required to make purchases over the telephone. These forms only related to individuals who had arranged to have prescriptions delivered or mailed, not for customers who paid by credit card in person in a pharmacy.

Cub discovered the theft of items immediately upon entering the stores between May 28 and May 30. A review of CCTV footage revealed further customer information had been taken when the stores were looted. Where possible, customers affected by the breach were notified directly, although it was not possible to identify all affected customers in that manner, as it was not possible to determine which customers’ PHI was included in the stolen binders.

The customer information obtained by the looters was limited and did not include the types of information sought by identity thieves. Cub does not believe that affected individuals are at risk of identity theft; however, as a precaution, all affected individuals are being encouraged to review their financial and explanation of benefits statements for any signs of misuse of their information. No cases of misuse of customer information have been received to date.

Cub is the fourth pharmacy chain to announce that customer information was compromised in recent break-ins. Breaches have also been reported by Walgreens (72,143 individuals), CVS Pharmacy (21,289 individuals) and Kroger (10,974 individuals). According to the DEA, more than a third of the 476 retail pharmacies in Philadelphia were looted and many pharmacies in other areas across the United States have also suffered destructive attacks and have had prescription drugs and other items stolen.
