The Central California Alliance for Health has discovered an unauthorized individual gained access to the email accounts of several employees and potentially viewed or copied information in emails and email attachments. The breach was detected on May 7, 2020 and prompt action was taken to secure the affected accounts. In each case, the accounts were accessed for a period of about one hour.

A review of the compromised accounts revealed they contained a limited amount of protected health information of Central California Alliance for Health members such as Alliance Care management program records, dates of birth, claims information, demographic information, Medi-Cal ID numbers, referral information, and medical information. No financial information or Social Security numbers were compromised.

Following the breach, a full password reset was performed for all email accounts, including those that were not compromised. Further training on email security has also been provided to employees.

The breach has been reported to the Department of Health and Human Services’ Office for Civil Rights as affecting 35,883 members.

Hutton & Hale, D.D.S., Inc. Hack Impacts 8,394 Patients

Dr. Ann Hale of Hutton & Hale, D.D.S., Inc. has started notifying 8,394 patients that some of their protected health information may have been obtained by a hacker who gained access to the practice’s databases and computer systems on May 25, 2020.

Those systems contained patients’ medical records and protected health information such as names, addresses, contact telephone numbers, Social Security numbers, and X-ray data information.

All affected patients have been offered complimentary membership to identity theft protection and credit monitoring services for 12 months and will be protected by a $1,000,000 identity theft insurance policy. No reports have been received to date to suggest any patient information has been misused.

The practice is adding additional safeguards to its web server infrastructure to prevent further security breaches.

Wisconsin Department of Corrections Breach Impacts 1,853 Individuals

The Wisconsin Department of Corrections has discovered information on individuals in its treatment facilities was exposed on the websites of three vendors contracted to manage canteen orders. The data was discovered by an employee on May 15, 2020. Affected individuals were notified on June 15, 2020.

The exposed information was limited to names along with information about the treatment facility where they are located. That information should have been masked on the websites. The error has now been corrected and the information is no longer accessible via the internet.

The post 36,000 Members Affected by Central California Alliance for Health Email Breach appeared first on HIPAA Journal.

The Houston, TX-based billing and collection company, Benefit Recovery Specialists, Inc., (BRSI) has announced it has discovered malware on its systems that may have allowed unauthorized individuals to view or obtain protected health information.

The personal and protected health information (PHI) on BRSI systems had been provided to the company in its capacity as a business associate and included the PHI of current and former members and patients of its health plan and healthcare provider customers.

The malware was discovered on April 30, 2020 and an internal investigation was immediately launched. Third-party computer forensics specialists were engaged to help investigate the breach and determine the extent and scope of the attack. The investigation revealed an unauthorized individual had gained access to BRSI systems using stolen employee credentials. Once a foothold had been established in the network, the attacker downloaded malware.

The forensic investigators concluded that the attacker first gained access to BRSI systems on April 20, 2020 and had access to the systems until April 30, 2020. During that time, PHI was accessible and may have been exfiltrated. The substitute breach notice on the BRSI website makes no mention of the type of malware involved.

The types of sensitive data on the compromised parts of its systems included names, dates of birth, dates of service, provider names, policy identification numbers, procedure codes, and/or diagnosis codes. The Social Security numbers of some individuals were also potentially compromised.

The investigation into the breach concluded on May 29, 2020 and patients started to be notified on June 2, 2020. No evidence of misuse of individuals’ PHI was identified, but affected individuals have been told to be alert to the risk of identity theft and fraud and have been advised to carefully monitor their account and explanation of benefits statements for signs of misuse of their information. Based on the substitute breach notice, it does not appear that credit monitoring services are being offered to breach victims.

The incident has been reported to the Department of Health and Human Services’ Office for Civil Rights. The breach summary indicates 274,837 individuals have been affected, making this one of the largest healthcare data breaches to be reported in 2020.

The post Benefit Recovery Specialists Hacked and PHI of 274,837 Individuals Exposed appeared first on HIPAA Journal.

The Houston, TX-based billing and collection company, Benefit Recovery Specialists, Inc., (BRSI) has announced it has discovered malware on its systems that may have allowed unauthorized individuals to view or obtain protected health information.

The personal and protected health information (PHI) on BRSI systems had been provided to the company in its capacity as a business associate and included the PHI of current and former members and patients of its health plan and healthcare provider customers.

The malware was discovered on April 30, 2020 and an internal investigation was immediately launched. Third-party computer forensics specialists were engaged to help investigate the breach and determine the extent and scope of the attack. The investigation revealed an unauthorized individual had gained access to BRSI systems using stolen employee credentials. Once a foothold had been established in the network, the attacker downloaded malware.

The forensic investigators concluded that the attacker first gained access to BRSI systems on April 20, 2020 and had access to the systems until April 30, 2020. During that time, PHI was accessible and may have been exfiltrated. The substitute breach notice on the BRSI website makes no mention of the type of malware involved.

The types of sensitive data on the compromised parts of its systems included names, dates of birth, dates of service, provider names, policy identification numbers, procedure codes, and/or diagnosis codes. The Social Security numbers of some individuals were also potentially compromised.

The investigation into the breach concluded on May 29, 2020 and patients started to be notified on June 2, 2020. No evidence of misuse of individuals’ PHI was identified, but affected individuals have been told to be alert to the risk of identity theft and fraud and have been advised to carefully monitor their account and explanation of benefits statements for signs of misuse of their information. Based on the substitute breach notice, it does not appear that credit monitoring services are being offered to breach victims.

The incident has been reported to the Department of Health and Human Services’ Office for Civil Rights. The breach summary indicates 274,837 individuals have been affected, making this one of the largest healthcare data breaches to be reported in 2020.

The post Benefit Recovery Specialists Hacked and PHI of 274,837 Individuals Exposed appeared first on HIPAA Journal.

The Philadelphia-based health plan, Independence Blue Cross, and AmeriHealth HMO, Inc. and AmeriHealth Insurance Company of New Jersey have discovered unauthorized individuals gained access to pages in their member portals between March 17, 2020 and April 30, 2020 and potentially viewed the personal and protected health information of some of their members.

The types of information exposed included names, member identification numbers, plan type, spending account balances, user reward summaries, and claims information.

An investigation into the breach revealed valid credentials had been used to access the portal. In all cases, the passwords used to access to the member portals had been obtained as a result of breaches of third-party websites and applications, such as the breach of MyFitnessPal in 2018. The passwords for those third-party websites had been reused on member portals.

The health plans were informed of the breach on May 8, 2020 and immediately took steps to secure the accounts and prevent further unauthorized access. All affected members have now been notified and have been offered 24 months of free credit monitoring and identity theft protection services.

49,500 Providence Health Plan Members Affected by Business Associate Data Breach

49,511 members of the Oregon-based Providence Health Plan have been affected by a data breach at one of its business associates.

On April 17, 2020, Brooklyn-based Zipari alerted Providence Health Plan about a coding error that allowed documents related to employer-sponsored health plans to be exposed online. The coding error was detected by Zipari on April 9, 2020. The investigation revealed the documents had been accessed by unauthorized individuals in May, September, and November 2019. The documents contained member names, employer names, and dates of birth. No other information was compromised.

The breach prompted Providence Health Plan to arrange a third-party audit of Zipari’s data security practices. Affected plan members have been offered complimentary credit monitoring services.

Central California Alliance for Health Discovers ‘Many’ Email Accounts Breached

On May 7, 2020, Central California Alliance for Health (CCAH) discovered an unauthorized individual gained access to the email accounts of some of its employees and potentially viewed and obtained the protected health information of some of its members. According to the breach notice submitted to the California Attorney General’s office, many CCAH email accounts were subjected to unauthorized access for about one hour.

A review of the compromised email accounts revealed they contained names, dates of birth, demographic information, Medi-Cal ID numbers, Alliance Care Management Program records, claims information, medical information, and referral information.

A full password reset was performed on all CCAH email accounts and further training has been provided to the workforce on email security. CCAH is unaware of any misuse of members information.

The post Health Plan Member Portals Accessed Using Stolen Credentials appeared first on HIPAA Journal.

Healthcare Fiscal Management Inc. (HFMI), a Wilmington, NC-based provider of self-pay conversion and insurance eligibility services to hospitals, clinics and physician groups, has experienced a ransomware attack in which the personal and protected health information of patients of St. Mary’s Health Care System in Athens, GA may have been accessed or obtained by the attackers.

An unauthorized individual gained access to HFMI systems on April 12, 2020 and deployed a ransomware payload the following day which encrypted data on its systems. The systems accessed by the attacker were found to contain the personal and protected health information of patients who received healthcare services at St. Mary’s between November 2019 and April 2020.

In total, the data of approximately 58,000 patients may have been accessed and obtained by the attackers, although data access/theft could not be confirmed. The PHI stored on the compromised systems was limited to names, dates of birth, Social Security numbers, account numbers, medical record numbers, and dates of service.

HFMI had prepared for such an event and had viable backups that were used to restore data the same day to a different hosting provider and a forensic investigation firm was engaged to investigate the breach. The forensic investigators confirmed the data is not in the possession of the attackers and is not accessible over the internet.

Security experts have been reviewing security controls and, based on their recommendations, steps will be taken to strengthen security. HFMI has offered all affected individuals complimentary credit monitoring and identity theft protection services as a precaution against identity theft and fraud.

Friendship Community Care Phishing Attack Impacts 9,745 Patients

Russellville, AR-based Friendship Community Care (FCC), a nonprofit provider of care for adults and children with disabilities, fell victim to a phishing attack in January 2020.

The breach was discovered on February 4, 2020 when suspicious activity was detected in an employee’s email account. Forensic investigators assisted with the investigation and determined on February 5, 2020 that an unauthorized individual had gained access to the email account, but further investigation revealed several Office 365 email accounts had been compromised using credentials obtained in the phishing attack.

FCC learned on February 7, 2020 that the email accounts contained protected health information. A comprehensive review of the email accounts confirmed that the PHI of 9,745 individuals may have been accessed, although no evidence was found to suggest emails were viewed or obtained by the attacker.

The compromised accounts contained  names, addresses, dates of birth, Social Security numbers, client ID numbers, Medicare IDs/Medicaid IDs, employer ID numbers, patient numbers, medical information, driver’s license numbers, state ID card numbers, student ID numbers, financial account information, mother’s maiden names, birth certificates, marriage certificates, disability codes, and facial photographs.

Affected individuals have been offered complimentary credit monitoring and identity protection services. A review of email security was conducted, and steps are being taken to enhance security to prevent similar breaches in the future.

The post Up to 58,000 Individuals Impacted by Healthcare Fiscal Management Ransomware Attack appeared first on HIPAA Journal.

Claremont, NC-based Choice Health Management Services, a provider of rehabilitation services and operator of several nursing homes in North and South Carolina, has experienced an email security breach affecting employees, and current and former patients.

The security breach was detected in late 2019 when suspicious activity was detected in the email accounts of some of its employees. An internal investigation was launched which determined on January 17, 2020 that the email accounts of 17 employees had been subjected to unauthorized access. Since it was not possible to determine which emails and/or email attachments had been opened by the attackers, a third-party firm was engaged to assist with the investigation. While the review concluded on March 27, 2020 that the compromised accounts contained sensitive information, it was unclear which facilities affected individuals had visited for treatment. It took until May 12, 2020 to tie those individuals to a particular facility.

The compromised accounts contained a wide range of sensitive information including names, dates of birth, Social Security numbers, driver’s license numbers, passport numbers, credit card information, financial account information, employer identification number, username with password or associated security questions, email address with password or associated security questions, date of service, provider name, medical record number, patient number, medical information, diagnostic or treatment information, surgical information, medications, and/or health insurance information.

Notifications have been sent to affected patients and steps have been taken to improve security to prevent future data breaches. The HHS’ Office for Civil Rights breach portal indicates 11,650 individuals were affected.

19,000 Patients Affected by Phishing Attack on Houston Health Clinic

The Houston, TX federally qualified health center, Legacy Community Health, is notifying approximately 19,000 patients that some of their protected health information may have been accessed by an unauthorized individual who gained access to the email account of one of its employees.

On April 10, 2020, an employee responded to an email believing it to be a legitimate request and disclosed credentials that allowed their email account to be accessed. The breach was discovered on April 16, 2020 and the email account was immediately secured.

Assisted by a third-party computer forensics firm, Legacy Community Health confirmed the breach was limited to one email account which was found to contain patient names, dates of service, and health information related to the care provided at its clinics.

The investigation into the breach is ongoing and notifications will soon be sent to all individuals whose information has been exposed. At this stage, no evidence has been found to suggest any patient information was obtained or misused.

Legacy Community Health is taking steps to improve email security and has enabled multi-factor authentication on its email accounts. Further training has also been provided to staff to help them identify and avoid phishing emails.

The post 30,000 Patients’ PHI Exposed in NC and TX Phishing Attacks appeared first on HIPAA Journal.