HIPAA Breach News

Breaches Reported by St. Luke’s Health-Memorial Lufkin, RiverPointe Post Acute, and Iowa Total Care

CHI St. Luke’s Health-Memorial Lufkin in Texas has started notifying patients that some of their protected health information may have been accessed by an unauthorized individual.

St. Luke’s threat management team investigated a security breach involving a network server on March 25, 2020. Third-party vendors conducted a forensic investigation and determined on April 23, 2020 that the email accounts of two employees may have been accessed by an unauthorized outside party.

The investigation did not uncover evidence confirming unauthorized PHI access or data theft, but the possibility could not be ruled out. The email accounts contained names, diagnosis information, dates of services, and facility account numbers. Based on the investigation, St. Luke’s does not believe patient data has been used inappropriately but has offered certain patients complimentary credit monitoring services through Experian as a precaution.

The security breach was thoroughly investigated, data access logs were checked, and a threat intelligence analysis was performed. All passwords were reset across the facility, hardware has been replaced and upgraded, changes have been made to software to improve security, and processes for accessing the network have been changed.

The breach has yet to appear on the HHS’ Office for Civil Rights breach portal so it is currently unclear how many patients have been affected.

RiverPointe Post Acute Reports Loss of 633 Patients’ PHI

RiverPointe Post Acute in Carmichael, CA has notified 633 nursing home residents that some of their protected health information has been exposed. A USB storage device containing names, insurance ID numbers, and some Social Security numbers was sent in the mail but was lost in transit. When the device was not received, the loss was reported to the postal service and a search was performed, but the storage device could not be located.

While no specific evidence was uncovered to indicate the device was obtained by an unauthorized individual, affected residents have been offered complimentary identity theft protection services as a precaution. Further training has now been provided to employees on data security.

Email Error Exposed PHI of 11,500 Iowa Total Care Members

Iowa Total Care has discovered the protected health information of thousands of patients has been impermissibly disclosed by an employee. On April 29, 2020, an employee sent an Excel spreadsheet containing claims data to a large provider organization. The file contained the protected health information of patients that had not received medical care at the organization.

The spreadsheet contained names, Medicaid ID numbers, dates of birth, and procedure and diagnosis codes of 11,581 patients. The provider is a HIPAA-covered entity and is therefore aware of the need to safeguard protected health information; it has confirmed that the spreadsheet was deleted and had not been shared or copied.

Iowa Total Care has re-educated the employee concerned and has implemented additional safeguards to prevent similar errors in the future.

The post Breaches Reported by St. Luke’s Health-Memorial Lufkin, RiverPointe Post Acute, and Iowa Total Care appeared first on HIPAA Journal.

Georgia Hospital Accused of Falsification of COVID-19 Test Results Suspends Employees Over Suspected HIPAA Breach

Landmark Hospital of Athens in Georgia has suspended three employees who are suspected of accessing, copying or disclosing patient records. The potential HIPAA breach may be linked to a lawsuit that was filed against the 42-bed hospital on June 22, 2020 by four nurses who allege the hospital has been falsifying COVID-19 test results in what they describe as a “COVID-19 coverup”.

The nurses allege that five of their patients tested positive for COVID-19 after displaying symptoms, and that after the positive result the hospital administrator reordered COVID-19 tests for those patients. The nurses allege that for the retests, samples were intentionally collected without following proper sampling protocols. They claim this was done deliberately to reduce the chance of a positive test result.

The nurses, who are named as Jane Doe and John Doe in the lawsuit, are seeking immediate court intervention “to stop the hospital concealing and mishandling a COVID-19 outbreak in the facility.” The nurses also want the hospital to temporarily stop receiving and discharging patients. The nurses also seek damages as they claim they have been unnecessarily exposed to COVID-19.

The nurses allege the falsification of COVID-19 test results allowed patients to be discharged, freeing up beds for other patients so the hospital could continue to bill Medicare for services and maintain patient volume.

The lawsuit alleges the patients who had tested positive were not isolated from other patients and no PPE was provided to nurses treating those patients. They also claim that the air conditioning system was not working for the period of time the patients were in the facility. Mobile air conditioners are used which take air from patient rooms and blow it into corridors, which they claim increased the risk of other patients and staff members contracting COVID-19. The air conditioning system uses dry hydrogen peroxide to reduce the risk of contaminants being circulated.

The nurses claim they voiced their concerns to Landmark’s administration, but no action was taken, hence the legal action. They allege the actions of the hospital have created a public health risk and placed patients, hospital employees, and their families at risk.

Marie Saylor, CEO of Landmark Hospital of Athens, issued a statement saying the hospital will “vigorously investigate allegations and defend our hospital and its staff against misleading and false claims… we have always made the safety and well-being of our patients and staff our top priority, and continue to do so as we manage the local impact of the COVID-19 pandemic.”

Ransomware Attacks Reported by North Shore Pain Management & Florida Orthopaedic Institute

North Shore Pain Management (NSPM) in Massachusetts has started notifying 12,472 patients that some of their protected health information has been stolen by hackers. The breach was detected on April 21, 2020 and the investigation confirmed that the attackers first gained access to its systems on April 16, 2020.

The substitute breach notice on the NSPM website does not provide details about the nature of the attack, but it has been independently confirmed by Emsisoft and databreaches.net as a ransomware attack involving AKO ransomware. The gang responsible for the attack dumped 4GB of data stolen in the attack on their Tor site when the ransom demand was not paid.

The dumped files contain a range of sensitive data on employees and patients. The NSPM breach notice confirms the files stolen in the attack contained patient names, dates of birth, health insurance information, account balances, financial information, diagnosis and treatment information, and for certain patients, ultrasound and MRI images. Social Security numbers were also obtained for patients whose SSN is used as their health insurance/member number.

Since the stolen data has been exposed online and is in the hands of cybercriminals, affected patients have been advised to monitor their financial statements and explanation of benefits statements closely for any sign of misuse of their data. Patients whose Social Security number was compromised have been offered complimentary credit monitoring and identity theft protection services. NSPM has now retained a new IT management vendor and is taking steps to enhance cybersecurity.

The AKO ransomware operators, like many groups that manually deploy ransomware, steal data prior to file encryption to increase the chance of a ransom being paid. The AKO gang often requires two ransom payments. One covers the cost of the decryptor and a second payment is often required to ensure any data stolen in the attack is deleted. Lawrence Abrams of Bleeping Computer has been in touch with the gang, who said two ransom demands are issued to companies with large revenues. The ransom payment to delete files is variable, ranging from $100,000 to $2,000,000.

The gang said some healthcare providers have only paid the ransom to have the data deleted and did not pay for the decryptor. It is unclear whether a ransom was paid by NSPM.

Florida Orthopaedic Institute Suffers Ransomware Attack

Tampa, FL-based Florida Orthopaedic Institute has announced it was attacked with ransomware on April 9, 2020 and patient data on its servers was encrypted. An internal investigation was conducted which revealed the personal and protected health information of patients may have been stolen prior to the encryption of files. Florida Orthopaedic Institute is unaware of any misuse of patient information as a result of the attack.

Florida Orthopaedic Institute engaged a third-party computer forensic firm to assist with the investigation and steps have been taken to restore the encrypted data and secure its systems. Affected patients have now been notified and have been offered complimentary credit monitoring, fraud consultation, and identity theft restoration services.

The types of data encrypted and potentially obtained by the attackers included names, dates of birth, Social Security numbers, medical information related to appointment times, physician locations, diagnosis codes, payment amounts, insurance plan identification numbers, payer identification numbers, claims addresses, and/or FOI claims history.

Florida Orthopaedic Institute is working with third-party experts to enhance security to prevent further cyberattacks in the future.

The breach has not yet been added to the HHS’ Office for Civil Rights breach portal so it is currently unclear how many patients have been affected.

American Medical Technologies Email Breach Affects 47,767 Patients

American Medical Technologies, an Irvine, CA-based provider of wound care solutions and medical supplies, has discovered an unauthorized individual gained access to the email account of one of its employees and potentially accessed and copied the protected health information of some of its patients.

The breach was identified on or around December 17, 2019 when suspicious activity was detected in the email account. The investigation confirmed the attacker potentially had access to protected health information such as names, medical record numbers, Social Security numbers, diagnosis information, health insurance policy numbers, subscriber numbers, medical histories, HIPAA account information, driver’s license/state identification numbers, and/or taxpayer ID numbers. No evidence was found to suggest patient information was viewed or stolen in the attack, but unauthorized data access and data exfiltration could not be ruled out.

A comprehensive analysis of the email account was conducted and completed on May 14, 2020. The review revealed the account contained the PHI of 47,767 patients, who have now been notified about the breach by mail. Affected patients have been offered complimentary credit monitoring services.

Following the breach, two independent security firms were engaged to conduct a review of email security and additional security measures have now been implemented based on their recommendations. Steps have also been taken to improve data security on the firm’s web server infrastructure.

3,663 Patients Notified About Kentuckiana Regional Planning & Development Agency Phishing Attack

Kentuckiana Regional Planning & Development Agency (KIPDA) in Louisville, KY has discovered a single email account has been accessed by an unauthorized individual. The breach was detected on February 18, 2020 when KIPDA discovered a large number of emails had been sent from the account. The account was immediately secured, and an investigation was launched to determine the nature and scope of the breach.

Assisted by a third-party digital forensics firm, KIPDA determined the email account was accessed between January 29, 2020 and February 14, 2020. The investigation confirmed on April 9, 2020 that protected health information may have been viewed or copied, but it was not possible to tell which, if any, emails in the account had been accessed.

The protected health information included in emails and email attachments was limited to names, addresses, dates of birth, diagnosis and treatment information, billing and procedure codes, and Medicaid ID number. Certain patients also had their Social Security number and/or driver’s license details exposed.

KIPDA explained in its substitute breach notice that several steps have been taken to improve security, which include increasing the frequency of password changes, the implementation of 2-factor authentication on email accounts, the use of secure data files for storing sensitive data, and updates to policies and procedures that now require email data to be regularly and securely deleted from email accounts.

Employees have also been provided with further training on procedures and cybersecurity, and the risks associated with sharing sensitive data via email have been highlighted. KIPDA is also considering restricting access to its network to individuals located within the United States.

May 2020 Healthcare Data Breach Report

May 2020 saw a marked fall in the number of reported healthcare data breaches compared to April, with 28 data breaches of 500 or more records reported to the HHS’ Office for Civil Rights. That is the lowest number of monthly breaches since December 2018 and the first time in 17 months that healthcare data breaches have been reported at a rate of less than one per day. The monthly total would have been even lower had one breach been reported by the business associate responsible for an improper disposal incident, rather than the 7 healthcare providers impacted by the breach.

Several cybersecurity companies have reported an increase in COVID-19-related breaches, such as phishing attacks that use COVID-19-themed lures. While there is strong evidence to suggest that these types of attacks have increased since the start of the pandemic, the number of cyberattacks appears to have broadly remained the same or increased slightly. Microsoft has reported that its data shows a slight increase in attacks, but says it only represents a blip and the number of threats and cyberattacks has changed little during the pandemic.

Threat activity does not appear to have dropped, so the fall in reported cyberattacks and data breaches could indicate that threat actors have taken the decision not to attack healthcare providers on the front line in the fight against COVID-19. The Maze ransomware gang publicly stated that it would not target healthcare providers during the COVID-19 pandemic, but many other ransomware gangs appear to have stepped up their attacks and are making no such concessions.

It is also possible that rather than cyberattacks and data breaches falling, covered entities and business associates have not been detecting breaches or have delayed reporting. The reason for the fall in reported breaches is likely to become clearer over the coming weeks and months and we will see if this is part of a new trend or if the drop is simply a blip.

While it is certainly good news that the number of breaches has fallen, there was a significant increase in the number of exposed and compromised healthcare records. There were 10 fewer data breaches reported in May 2020 than April, but 1,064,652 healthcare records were breached in May. That is more than twice the number of records breached in April.

Largest Healthcare Data Breaches in May 2020

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach
Elkhart Emergency Physicians, Inc. | IN | Healthcare Provider | 550,000 | Improper Disposal
BJC Health System | MO | Business Associate | 287,876 | Hacking/IT Incident
Saint Francis Healthcare Partners | CT | Business Associate | 38,529 | Hacking/IT Incident
Everett & Hurite Ophthalmic Association | PA | Healthcare Provider | 34,113 | Hacking/IT Incident
Management and Network Services, LLC | OH | Business Associate | 30,132 | Hacking/IT Incident
Sanitas Dental Management | FL | Healthcare Provider | 19,000 | Loss
Mediclaim, LLC | MI | Business Associate | 14,931 | Hacking/IT Incident
Woodlawn Dental Center | OH | Healthcare Provider | 14,419 | Hacking/IT Incident
Mat-Su Surgical Associates, APC | AK | Healthcare Provider | 13,146 | Hacking/IT Incident
Mille Lacs Health System | MN | Healthcare Provider | 10,630 | Hacking/IT Incident

Causes of May 2020 Healthcare Data Breaches

The largest healthcare data breach of the month affected Elkhart Emergency Physicians, Inc. and involved the improper disposal of paper records by business associate Central Files Inc. Elkhart Emergency Physicians was one of seven Indiana healthcare providers to be affected by the breach. In total, the records of 554,876 patients were exposed as a result of that improper disposal incident. There was one other improper disposal incident reported in May, making this the joint second biggest cause of data breaches in the month. Those improper disposal incidents accounted for 52.17% of breached records in May. The mean breach size was 69,434 records and the median breach size was 938 records.

There were 8 unauthorized access/disclosure incidents reported, although those breaches only accounted for 2.35% of breached records in May. The mean breach size was 3,124 records and the median breach size was 3,220 records.

Hacking/IT incidents once again topped the list as the main cause of healthcare data breaches, accounting for 39.28% of the month’s breaches and 43.69% of breached records in May. The mean breach size was 42,290 records and the median breach size was 14,419 records.

There was one loss incident involving a network server that contained the records of 19,000 patients. There were no reports of theft of physical records or devices containing electronic protected health information.

The graph below shows the location of breached protected health information. For the past several months, email has been the most common location of breached PHI due to the high number of healthcare phishing attacks. The number of reported phishing attacks dropped in May, hence the lower than average number of email-related breaches. While the number of incidents fell, there was one major phishing attack reported. An attack on BJC Health System saw 3 email accounts compromised. Those accounts included emails and attachments containing the PHI of 287,876 patients.

May 2020 Healthcare Data Breaches by Covered Entity Type

In line with virtually every other month since the HITECH Act mandated the HHS’ Office for Civil Rights to start publishing summaries of data breaches on its ‘Wall of Shame’, healthcare providers were hardest hit, with 21 reported data breaches. It was a good month for health plans, with only one reported breach, but a particularly bad month for business associates. 6 business associates reported data breaches in May, and a further 8 breaches involved business associates but were reported by the covered entity.

Healthcare Data Breaches by State

Data breaches were reported by covered entities and business associates in 17 states in May. Indiana was the worst affected state with 7 reported breaches of 500 or more records, all of which were due to the improper disposal of records by business associate Central Files, Inc.

There were 3 data breaches reported in each of Michigan and Ohio, two breaches reported by healthcare providers in Pennsylvania, and one breach was reported in each of Alaska, Arizona, California, Connecticut, Florida, Georgia, Illinois, Maryland, Minnesota, Missouri, Nebraska, New York, and Texas.

HIPAA Enforcement Activity in May 2020

There were no announcements about HIPAA penalties from the HHS’ Office for Civil Rights or state attorneys general in May 2020.

Hacker Arrested and Charged Over 2014 UPMC Cyberattack

The United States Attorney’s Office of the Western District of Pennsylvania has announced that a suspect has been arrested and charged over the 2014 hacking of the human resources databases of University of Pennsylvania Medical Center (UPMC).

UPMC owns 40 hospitals and around 700 outpatient sites and doctors’ offices, and employs over 90,000 individuals. In January 2014, UPMC discovered a hacker had gained access to an Oracle PeopleSoft database on a human resources server that contained the personally identifiable information (PII) of 65,000 UPMC employees. Data was stolen in the attack and was allegedly offered for sale on the darknet. The stolen data included names, addresses, dates of birth, salary and tax information, and Social Security numbers.

The suspect has been named as Justin Sean Johnson, a 29-year-old man from Michigan who previously worked as an IT specialist at the Federal Emergency Management Agency.

Johnson, who operated under the monikers TDS and DS, was indicted on 43 counts on May 20, 2020: one count of conspiracy, 37 counts of wire fraud, and 5 counts of aggravated identity theft. Johnson is alleged to have hacked into the database, exfiltrated PII, and sold the stolen data on darknet marketplaces such as AlphaBay Market to multiple worldwide buyers. Prosecutors also allege that in addition to selling the PII of UPMC employees, between 2014 and 2017 Johnson sold other PII on darknet forums.

The PII stolen from UPMC was subsequently used in a massive campaign to defraud UPMC employees. Hundreds of fraudulent tax returns were filed in the names of UPMC employees, which prosecutors say resulted in around $1.7 million in false refunds being issued. Those refunds were converted into Amazon gift cards that were used to obtain around $885,000 in goods, which were mostly shipped to Venezuela to be sold in online marketplaces.

Two other people were charged in connection with the hacking of UPMC. In 2017, Venezuelan national Maritza Maxima Soler Nodarse pleaded guilty to conspiracy to defraud the United States and was involved in filing fraudulent tax returns. A Cuban national, Yoandy Perez Llanes, pleaded guilty to money laundering and aggravated identity theft in 2017. Maritza Maxima Soler Nodarse was sentenced to time served and was deported, and Yoandy Perez Llanes will be sentenced in August 2020.

The breach investigation revealed access to the Oracle PeopleSoft database was first gained on December 1, 2023. After gaining access to the database, a test query was performed and the data of approximately 23,500 individuals was accessed. Between January 21, 2014 and February 14, 2014, the database was accessed on multiple occasions each day and the data of tens of thousands of UPMC employees was stolen.

Johnson faces a long prison term if found guilty of the crimes. The conspiracy charge carries a maximum prison term of 5 years and a fine of up to $250,000. The wire fraud charges carry a maximum prison term of 20 years and a fine of up to $250,000 for each count, and there is a mandatory 2-year prison term for aggravated identity theft and a fine of up to $250,000 for each count.

“The healthcare sector has become an attractive target of cyber criminals looking to update personal information for use in fraud; the Secret Service is committed to detecting and arresting those that engage in crimes against our Nation’s critical systems for their own profit,” said Timothy Burke, Special Agent in Charge, U.S. Secret Service, Pittsburgh Field Office.

“Hackers like Johnson should know that our office will pursue you relentlessly until you are in custody and held accountable for your crimes,” said U.S. Attorney Brady.

Breaches Reported by Hanger Clinic, Gateway Health, and Sunrise Treatment Center

Sunrise Treatment Center in Cincinnati, OH is alerting 3,660 patients that some of their protected health information may have been accessed by an unauthorized individual who gained access to the email account of an employee. The breach occurred on February 26, 2020 and was detected the following day.

A forensic investigation of the breach was completed on April 15, 2020 and confirmed that the email account contained patient information such as first and last names, birth dates, descriptions of the treatment provided, medications, health plan numbers, account balances, treatment dates, and some Social Security numbers.

While patient information may have been accessed, the purpose of the attack was to try to convince Sunrise employees to wire money to a foreign bank account. A fraudulent wire transfer was detected and blocked before any money left Sunrise accounts.

Sunrise found no evidence to suggest patient information was accessed or obtained in the attack but, as a precaution, Sunrise has offered affected patients complimentary membership to credit monitoring services for 12 months. Following the breach, a third-party specialist was engaged to conduct a comprehensive security assessment and additional safeguards have now been implemented to prevent further attacks.

PHI of Gateway Health Members Exposed in Business Associate Phishing Attack

Gateway Health, a managed care organization serving members in Pennsylvania, has discovered the protected health information of some of its members has potentially been compromised.

Gateway Health uses National Imaging Associates (NIA) to review orders for imaging services. On April 11, 2020, NIA discovered its systems had been breached and an unauthorized individual had gained access to its email system. The investigation confirmed that access to emails was gained following a response to a phishing email.

The compromised emails included Gateway Health members’ names, dates of birth, Gateway ID numbers, treatment information, payment and health plan information.

The compromised email account was used to conduct further phishing attacks. No evidence was found to suggest Gateway Health members’ information was accessed or stolen and no reports have been received about misuse of members’ personal and protected health information.

NIA has taken steps to improve security and has offered all affected Gateway Health members complimentary membership to credit monitoring services for 12 months.

Hanger Clinic Reports Improper Disposal Incident

Hanger Prosthetics & Orthotics, Inc., doing business as Hanger Clinic, has discovered a storage facility used by its Kirksville location in Missouri was accessed by storage facility staff who disposed of boxes of files containing patient records.

When Hanger Clinic learned about the incident, staff members were sent to the storage facility to secure the remaining records. Those records have now been recovered and the storage facility is no longer being used.

The files contained the records of 6,033 patients. Information in the files included names, addresses, dates of birth, dates of service, medical record numbers, treatment histories, copies of driver’s licenses, prescription information, insurance information, and Social Security numbers.

As a precaution against identity theft and fraud, affected patients have been offered complimentary identity theft protection and credit monitoring services.

Ransomware Attacks Reported by Rangely District Hospital and Electronic Waveform Lab

Rangely District Hospital in Colorado has started notifying patients that some of their protected health information was stored on parts of its network that were affected by an April 2020 ransomware attack.

The ransomware attack was discovered on April 9, 2020 and steps were taken to contain the attack, but it was not possible to prevent the encryption of certain files, some of which contained patient information.

Rangely District Hospital said the initial attack on its systems occurred on April 2, 2020, but ransomware was not deployed until April 9, 2020. The hospital reports that the encryption process was automated, and no evidence was found to suggest data was accessed or exfiltrated. The investigation indicates a foreign threat actor conducted the attack, but it was not possible to determine who was responsible.

While patient data is not believed to have been obtained, it was not possible to rule out unauthorized access. Files encrypted by the ransomware that could potentially have been viewed included the following types of personal and protected health information: names, dates of birth, Social Security numbers, addresses, telephone numbers, driver’s license copies, dates of service or hospital admissions, diagnoses and conditions, treatment or procedure notes and orders, imaging studies, medications, and health insurance, claims, and billing information.

While it was possible to recover many files from backups without paying the ransom, some patient data remains inaccessible. In addition to the files containing patient information, files essential to a legacy software system were also encrypted and could not be recovered. Rangely District Hospital used a ‘Meditech’ database for storing patient records between August 2012 and August 2017 and the legacy software is required to view patient records in the database. The database itself was not affected by the attack, but without the software, patient records from that 5-year period cannot be accessed. The records of certain patients who received home health services between June 2019 and April 2020 are also still inaccessible. Rangely District Hospital is currently exploring other options for accessing the database.

Patient Information Potentially Compromised in Electronic Waveform Lab Ransomware Attack

Electronic Waveform Lab, a Huntington Beach, CA-based manufacturer of medical, surgical, ophthalmic, and veterinary instruments, has announced it has suffered a ransomware attack that resulted in the encryption of data on some of its servers.

The affected servers only contained a limited amount of personal and health information of patients such as names, addresses, diagnosis codes, and some treatment information. The forensic experts investigating the ransomware attack were unable to determine whether patient data was accessed or obtained by the attackers prior to data encryption, but the possibility could not be ruled out.

Electronic Waveform Lab had implemented security measures before the attack to protect patient information but, in this instance, they were not sufficient to block the attack. Security measures have now been reviewed and are being enhanced to prevent similar breaches in the future.

Electronic Waveform Lab was able to restore its servers and data. No patient information was lost as a result of the attack.

Cano Health Discovers 2-Year Email Account Breach

The Florida-based population health management company and healthcare provider Cano Health has discovered the email accounts of three employees have been accessed by an unauthorized individual who set up a mail forwarder on the email accounts that sent emails to external addresses.

The breach was detected on April 13, 2020, but the investigation revealed the accounts were compromised two years previously, on or around May 18, 2018. All emails sent to and from the accounts between May 18, 2018 and April 13, 2020 are believed to have been obtained and have potentially been accessed.

A review of the emails confirmed they contained personal and protected health information such as names, contact information, dates of birth, healthcare information, insurance information, Social Security numbers, government identification numbers, and/or financial account numbers.

Cano Health is in the process of notifying affected individuals and has advised them to regularly review their accounts and benefits statements for signs of fraudulent activity. Cano Health will be providing affected patients with complimentary credit monitoring services.

Cano Health is taking steps to improve email security. “We are committed to continuously updating our information security to guard against new and emerging threats,” said Cano Health Chief Executive Officer, Dr. Marlow Hernandez-Cano.

The breach has yet to appear on the Department of Health and Human Services’ Office for Civil Rights website, so it is currently unclear how many patients have been affected.

City of Philadelphia Phishing Attack Impacts 33,376 Patients

The City of Philadelphia’s Department of Behavioral Health and Intellectual disAbility Services (DBHIDS) has announced it has experienced a cyberattack that has resulted in the exposure of the protected health information of 33,376 individuals.

On March 31, 2020, suspicious activity was detected in the email account of an employee, and the breach investigation confirmed on April 2, 2020 that two email accounts had been compromised. The investigation into the phishing attack is ongoing and forensics experts are currently reviewing the email accounts, but no evidence has been found indicating patient data was accessed or exfiltrated by the attackers.

The breach affects patients with intellectual disabilities who had previously received services from the Division of Intellectual disAbility Services (IDS). The types of information compromised varied from patient to patient and may have included the following data elements: names, dates of birth, addresses, Social Security numbers, health insurance information, account and/or medical record numbers, diagnoses, dates of service, provider names, and brief descriptions of the services the individual had applied for or was receiving from IDS. A limited number of scans of birth certificates and Social Security cards were also included in the compromised accounts.

Breach notification letters will be sent to affected individuals by mail in the coming weeks and complimentary credit monitoring services will be provided.

Several steps have been taken to prevent similar breaches from occurring in the future. Staff will be provided with further education to help them recognize phishing emails and monitoring of network activity has been increased.

Email Security Breach Experienced by MU Health Care

Columbia, MO-based MU Health Care has started notifying patients about an email security breach that was detected on September 21, 2019.

The attacker gained access to the email accounts of certain University of Missouri students affiliated with MU Health Care. The affected students had created email accounts with a third party that suffered a data breach in which email credentials were stolen. Those credentials were then used to access the students’ university email accounts between September 21 and September 26, 2019.

The breach only affected the students whose accounts were accessed. Their email accounts contained information such as names, dates of birth, Social Security numbers, and limited treatment and clinical information.

The breach highlights how important it is to use a unique password for every account, since credentials stolen from one service were reused to access another.

The post Cano Health Discovers 2-Year Email Account Breach appeared first on HIPAA Journal.