HIPAA Breach News

Orrick, Herrington & Sutcliffe Data Breach Affected 637,000 Individuals

Posted by Steve Alder

The Californian law firm Orrick, Herrington & Sutcliffe has recently confirmed that a cyberattack that was detected in March 2023 has affected more than 637,000 individuals. The Orrick, Herrington & Sutcliffe data breach was reported to the HHS’ Office for Civil Rights on June 30, 2023, as affecting 40,823 individuals, then on July 20, 2023, the law firm notified the Maine Attorney General that the breach had affected 152,818 individuals. An updated notification was sent to the Maine Attorney General on August 18, 2023, with an increased total of 461,100 affected individuals. Another update was issued on December 29, 2023, with an increased total of 637,620 individuals. This appears to be the final total, as the law firm said it does not anticipate providing notifications on behalf of any further affected businesses.

The services provided by Orrick, Herrington & Sutcliffe include legal counsel for companies that have suffered security incidents and data breaches, including handling regulatory requirements such as notifications to state authorities and the individuals whose sensitive data was exposed. The law firm’s experience in issuing notifications has grown considerably in 2023 with its own consumer notifications, which were sent in July, August, September, and November.

The nature of the services provided by the law firm means many of the individuals affected by the data breach had been affected by data breaches at other companies who availed of Orrick, Herrington & Sutcliffe’s services for their own breach responses. For instance, individuals who had vision plans from EyeMed Vision Care, dental plans from Delta Dental, and health insurance from MultiPlan and Beacon Health Options (Carelon). Another client affected was the U.S. Small Business Administration.

Settlement Proposed to Resolve Class Action Data Breach Lawsuits

Several lawsuits were filed in response to the data breach that Orrick, Herrington & Sutcliffe has chosen to settle quickly. Four of those lawsuits made similar claims and were consolidated into a single class action lawsuit in California Federal Court – In Re: Orrick, Herrington & Sutcliffe LLP Data Breach Litigation. The lawsuits alleged the law firm should have been well aware of the risk of ransomware attacks and data breaches due to extensive media reports, warnings from the Federal Bureau of Investigation, and the attacks suffered by the law firm’s clients. They claimed the cyberattack and data breach could have and should have been prevented had the law firm implemented necessary and appropriate cybersecurity measures and followed industry best practices for cybersecurity.

In a court filing on December 21, 2023, Orrick, Herrington & Sutcliffe said a settlement is being finalized and an agreement in principle has been reached. The law firm said it expects to present the settlement to U.S. District Judge Susan Illston for approval in early January. Orrick, Herrington & Sutcliffe issued a statement saying it regretted the “inconvenience and distraction that this malicious incident caused,” and that the law firm is happy to have reached a settlement within a year to bring the matter to a close. Details of the settlement have yet to be made public; however, attorney William Federman, who is representing the plaintiffs, confirmed that the settlement is reasonable and fair and will resolve all pending litigation.

The post Orrick, Herrington & Sutcliffe Data Breach Affected 637,000 Individuals appeared first on HIPAA Journal.

Email Accounts Compromised at The Foleck Center, Mountain Dermatology Specialists

Posted by Steve Alder

The Foleck Center in Virginia and Mountain Dermatology Specialists in Colorado have discovered unauthorized access to employee email accounts and the exposure of patient data.

The Foleck Center Discovers Forwarding Rule on Employee Email Account

The Foleck Center, a provider of cosmetic, implant, and general dentistry services in Norfolk, Hampton, and Virginia Beach, has recently notified 6,965 patients that some of their protected health information has been acquired by an unauthorized individual.

On October 26, 2023, The Foleck Center was made aware that one of its employees had a forwarding rule on their email account that sent emails to a Gmail account. The Foleck Center contacted its managed IT service provider, which performed a forensic investigation. Rather than this being a HIPAA violation by the employee, the forensic investigation revealed that an unauthorized third party had gained access to the email account and set up the forwarding rule on September 4, 2023.

Copies of all emails sent to the employee’s account between September 4, 2023, and October 31, 2023, were forwarded to the Gmail account. The Gmail account had not been sent up by the employee or anyone else at The Foleck Center. The IT company secured the account and implemented additional safeguards to prevent mailbox rules from being set up for external forwarding.

While it was possible to tell which emails had been forwarded between September 4, 2023, and October 31, 2023, it was not possible to determine if any other emails in the account had been read or copied. All emails were reviewed to check which patient data had been exposed or stolen, and all individuals whose PHI was present in the account were notified. The information exposed varied from individual to individual and may have included names, addresses, dates of birth, employer name and address, dates and office locations of treatment/appointments, employer name and address, our patient and system ID numbers, and insurance information. A limited number of patients also had their Social Security numbers and/or driver’s licenses exposed.

The Foleck Center said it already provides HIPAA and security awareness training for employees several times a year, and additional training is now being provided to improve password and network security further.

Email Account Breach Reported by Mountain Dermatology Specialists

Mountain Dermatology Specialists in Edwards and Dillion, CO, has also recently reported an email account breach that was detected on October 26, 2023. An unauthorized individual gained access to the email account of one of its employees and used the account to send phishing emails to contacts within the mailbox.

The forensic investigation confirmed there had been unauthorized access to the email account between October 24, 2023, and October 26, 2023. A review of the emails in the account confirmed that the protected health information of 2,705 patients was exposed, including full names, addresses, dates of birth, phone numbers, email addresses, dates of treatment, types of treatment, conditions/diagnoses, medications, health insurance information, and cost/billing information/amount paid. A limited number of individuals also had their Social Security numbers and/or compensation/benefits information exposed.

Mountain Dermatology Specialists said it has implemented additional technical safeguards, performed password resets, and reinforced security awareness training for the workforce.

The post Email Accounts Compromised at The Foleck Center, Mountain Dermatology Specialists appeared first on HIPAA Journal.

Parathon by JDA eHealth Systems Confirms July 2023 Cyberattack

Posted by Steve Alder

Parathon by JDA eHealth Systems, a revenue cycle management company in Naperville, Illinois, has recently notified state attorneys general that it suffered a cyberattack on July 27, 2023. In its December 22, 2023, notification to the Montana Attorney General, Parathon explained that unauthorized individuals were able to access the protected health information of patients of its clients. The types of information involved varied from individual to individual and may have included names in combination with one or more of the following: address, date of birth, and/or protected health information, including but not limited to diagnosis, claims information, and health insurance information.

The notification does not state whether files were encrypted in the attack, but Parathon said data was stolen and a ransom payment was demanded. Parathon said, “We have taken all efforts possible to mitigate any further exposure of your personal information and related identity theft.” The Akira threat group claimed responsibility for the attack and added Parathan to its data leak site but has since removed the listing which suggests the ransom was paid. Akira claimed to have stolen 560GB of data.

In its breach notification letters, Parathon said, “We are committed to doing everything we can to protect the privacy and security of the personal information in our care.” Additional safeguards have been implemented, security measures have been enhanced to better protect the data in its systems, and Parathon has reviewed its policies and procedures relating to data security. Parathon said it has found no evidence to indicate any misuse of the stolen data, but as a precaution, has offered three complimentary services to the affected individuals: single bureau credit monitoring, single bureau credit report, and single bureau credit score, which are being provided by Cyberscout.

It is unclear how many clients were affected. The HIPAA Journal has been able to confirm that one of the affected clients is NorthShore University Health System. While state attorneys general have been notified, the incident has not yet appeared on the HHS’ Office for Civil Rights website, so it is unclear how many individuals have been affected.

31,000 Individuals Affected by Cyberattack on Eye Physicians of Central Florida

Eye Physicians of Central Florida, PLLC, has recently announced that the protected health information of 31,189 patients has been exposed and potentially stolen in a recent cyberattack. Eye Physicians of Central Florida, a division of Florida Pediatric Associates, identified suspicious network activity on November 5, 2023. Steps were immediately taken to prevent further unauthorized access to its systems and a forensic investigation was launched to determine the nature and scope of the incident.

The investigation confirmed there had been unauthorized access to parts of its network where patient information was stored. At the time of issuing notification letters to the affected individuals on December 6, 2023, no evidence had been found to indicate any actual or attempted misuse of patient data; however, out of an abundance of caution, affected individuals have been offered complimentary credit monitoring and identity theft protection services.

The types of data exposed included names, addresses, dates of birth, medical diagnosis and treatment information, provider names, patient ID numbers, procedure codes, dates of service, treatment cost information, financial account information, state ID, health insurance information, and/or prescription information.

Eye Physicians of Central Florida said it is reviewing its current policies and procedures related to data security and will make improvements, as necessary to harden security.

The post Parathon by JDA eHealth Systems Confirms July 2023 Cyberattack appeared first on HIPAA Journal.

At Least 141 Were Hospitals Directly Affected by Ransomware Attacks in 2023

Posted by Steve Alder

Last year was a particularly bad year for ransomware attacks. According to an analysis by the cybersecurity firm Emsisoft, 46 hospital systems suffered ransomware attacks in 2023, up from 25 in 2022 and 27 in 2021. Across those 46 attacks, at least 141 hospitals were directly affected and experienced disruption due to the lack of access to IT systems and patient data.

It is difficult to accurately report on ransomware attacks in the healthcare sector, as many victims fail to disclose whether ransomware was used. Breach notification letters to the affected individuals and state Attorneys General often describe ransomware attacks as cyberattacks, unauthorized access, hacking incidents, security incidents, or encryption events, and as such, the number of attacks experienced in the sector is likely to be significantly understated. Emsisoft’s State of Ransomware in the U.S.: Report and Statistics 2023 reveals 2,207 U.S. hospitals, schools, and governments were directly impacted by ransomware in 2023 and many others were indirectly impacted via attacks on their supply chains.

Without access to patient records and essential IT systems, hospitals are often forced to put their emergency departments on redirect, with ambulances sent to neighboring healthcare facilities. Other hospitals in the region are placed under an increased strain due to the sharp increase in the number of patients, and the resource constraints caused by the increase in patients has a negative impact on time-sensitive conditions such as acute stroke.

The outages caused by these attacks mean scheduled appointments often need to be canceled and rescheduled and bottlenecks occur with lab testing and radiology, resulting in delays to diagnosis and treatment, longer patient stays, a slowing of patient throughput, and the disruption inevitably results in poorer patient outcomes. While there have been no reported deaths in the United States as a direct result of ransomware attacks, studies have shown that following a ransomware attack, there is an increase in medical complications and mortality rates. One study, conducted by McGlave, Neprash, and Nikpay of the University of Minnesota School of Public Health, found that in-hospital mortality for patients already admitted at the time of a ransomware attack increased. The attacks also caused a 17%-25% reduction in hospital volume during the initial attack week, and they estimated that between 2016 and 2021, ransomware attacks killed between 42 and 67 Medicare patients.

These attacks naturally have a significant financial impact. According to the Verizon Cost of a Data Breach Report, the average cost of a healthcare data breach increased to its highest ever level in 2023, costing an average of $11 million, a 53% increase since 2020. Emsisoft said 32 of the 46 attacks on health systems resulted in sensitive data, including protected health information, being stolen.

The average ransom payment in 2028 was $5,000, but by 2023 the average payment increased by 29,900% to around $1.5 million. The increased profits from ransomware attacks allow ransomware groups to scale their operations, pay initial access brokers, and purchase zero-days, which means even more attacks can be conducted. Fewer victims are now paying ransoms which means ransom demands need to increase to make up for the shortfall. Some ransomware groups have also started engaging in more aggressive tactics, such as contacting patients and demanding payment. Some attacks on plastic surgery centers have resulted in intimate images being publicly posted and patients being told they needed to pay to have those images removed from the Internet. One group contacted individual patients and threatened them with the release of their sensitive data and demanded $50 per patient to delete their data.

Many ransomware groups operate out of countries that turn a blind eye to the attacks, and some nation states are thought to use ransomware groups as proxies. While international law enforcement operations have successfully disrupted some ransomware groups, the individuals involved are rarely brought to justice. With so much money involved and a low risk of being caught, attacks are unlikely to reduce and may even continue to increase. The solution suggested by Emsisoft and many other experts is simple. Since ransomware attacks are conducted by financially motivated threat actors, making attacks unprofitable is the easiest way of tackling the problem. Governments should therefore ban ransom payments and cut off this very lucrative income stream.

“Current counter-ransomware strategies amount to little more than building speed bumps and whacking moles. The reality is that we’re not going to defend our way out of this situation, and we’re not going to police our way out of it either. For as long as ransomware payments remain lawful, cybercriminals will do whatever it takes to collect them,” said Emsisoft Threat Analyst, Brett Callow. “The only solution is to financially disincentivize attacks by completely prohibiting the payment of demands. At this point, a ban is the only approach that is likely to work.”

The post At Least 141 Were Hospitals Directly Affected by Ransomware Attacks in 2023 appeared first on HIPAA Journal.

Class Action Lawsuits Filed Over HealthEC Data Breach

Posted by Steve Alder

January 12, 2024: Class Action Lawsuits Filed Over HealthEC Data Breach

Multiple class action lawsuits have been filed against HealthEC LLC over a recently disclosed data breach that affected almost 4.5 million individuals. Hackers gained access to HealthEC’s population health management platform between July 14, and July 23, 2024, and obtained the sensitive data of patients of its healthcare provider clients, per The HIPAA Journal report below.

One of the class action lawsuits – Victoria Lempinen v. Health EC LLC – was filed in the U.S. District Court of New Jersey on behalf of Victoria Lempinen and similarly situated individuals who had their personal and protected health information compromised in the data breach.  The lawsuit alleges that HealthEC lost control of the sensitive data of almost 4.5 million individuals as a direct result of the failure to maintain reasonable and appropriate cybersecurity protocols and the lack of encryption of sensitive data on its network. The security failures are alleged to violate the FTC Act and Health Insurance Portability and Accountability Act (HIPAA). Further, the plaintiff argues that HealthEC did not have policies and procedures in place to ensure that sensitive data was deleted in a timely manner when it was no longer needed.

In addition to suffering a preventable data breach, HealthEC is alleged to have unnecessarily delayed issuing notifications, which were issued in December 2023, more than 5 months after the data breach occurred. This, it is argued, denied the opportunity for victims of the breach to take steps to protect themselves against identity theft and fraud. When notification letters were issued, the lawsuit alleges HealthEC failed to disclose important details about the breach, such as when the cyberattack and data breach were first detected, the dates of the investigation, the vulnerabilities that were exploited by the hackers, and the measures undertaken in response to the cyberattack to ensure that similar breaches are prevented in the future.

The lawsuit claims the plaintiff and class have suffered injuries including invasion of privacy, theft of private information, loss or diminished value of private information, lost time and opportunity costs, loss of benefit of the bargain, and an increase in spam calls, texts, and emails, and the plaintiff and class members now face an increased risk of identity theft and fraud. The 75-page lawsuit alleges negligence, breach of third-party beneficiary contract, breach of confidence, invasion of privacy, and unjust enrichment and seeks class action certification, a jury trial, and damages, restitution, and injunctive relief, including an order from the court to compel HealthEC to implement a raft of measures to improve data security. The plaintiffs and class are represented by Vicki J.  Maniatis and Gary M. Klinger of Millberg Coleman Bryson Phillips Grossman LLC.

A second lawsuit was filed against HealthEC LLC on behalf of plaintiff Bree Marano and similarly situated individuals that makes similar claims, including the failure to comply with FTC guidelines, industry standards, and HIPAA. Those failures include inadequate cybersecurity measures given the level or risk of a cyberattack, insufficient monitoring of its network for intrusions, and the failure to issue adequate and timely individual notifications about the data breach. The lawsuit alleges negligence, breach of implied contract, unjust enrichment, and breach of confidence, and claims the defendant has done absolutely nothing of value to provide the plaintiff and class with relief for the damages they have suffered as a result of the data breach.

January 3, 2024: HealthEC Data Breach Affects Almost 4.5 Million Individuals

HealthEC, an Edison, New Jersey-based analytics software vendor, has recently confirmed that the protected health information of 4,452,782 individuals has been exposed and potentially stolen in a recent cyberattack. HealthEC is the developer of a platform that healthcare organizations use to identify high-risk patients, close care gaps, and recognize barriers to optimal care. More than 1 million healthcare professionals in 18 U.S. states use the platform’s analytics to gain insights to improve patient outcomes.

HealthEC started mailing data breach notification letters to the affected individuals on December 22, 2023; however, the data breach occurred several months earlier. According to the notification letters, unauthorized individuals had access to HealthEC’s systems between July 14, 2023, and July 23, 2023. The forensic investigation revealed that during that time, files were removed.

HealthEC conducted a review of the affected files and determined that they contained the protected health information of its clients’ patients. HealthEC started notifying the affected clients on October 26, 2023, which included MD Valuecare in Virginia (112,005 records)  and Corewell Health in Michigan (1 million+ records). On December 21, 2023, the breach was reported to the Department of Health and Human Services’ Office for Civil Rights as affecting 4.52 million individuals.

The information compromised in the attack varied from patient to patient and may have included names along with one or more of the following: address, date of birth, Social Security number, medical record number, diagnosis and diagnosis codes, mental/physical condition, prescription information, provider name, beneficiary number, subscriber number, Medicaid/Medicare identification number, patient account number, patient identification number, and treatment cost information. HealthEC is offering the affected individuals complimentary credit monitoring services and has taken steps to improve security to prevent further data breaches in the future.

HealthEC is the second vendor to experience a data breach that has affected more than 1 million Corewell Health patients this year. Michigan Attorney General, Dana Nassel, has called for new legislation to be introduced in the state mandating prompt notifications in the event of a data breach, as in each case, Michiganians had to wait several months to discover that their sensitive health data had been stolen.

Entities Impacted by HealthEC Data Breach

The entities known to have been affected by the HealthEC data breach, as disclosed by HEalthEC on December 22, 2023 are:

  • Alliance for Integrated Care of New York, LLC
  • Advantage Care Diagnostic & Treatment Center, Inc.
  • Beaumont ACO
  • Community Health Care Systems
  • Compassion Health Care
  • Corewell Health
  • East Georgia Healthcare Center
  • HonorHealth
  • Hudson Valley Regional Community Health Centers
  • Illinois Health Practice Alliance, LLC
  • KidneyLink
  • Long Island Select Healthcare
  • Metro Community Health Centers
  • Mid Florida Hematology & Oncology Centers, P.A, d/b/a Mid-Florida Cancer Centers
  • TennCare
  • State of Tennessee
  • University Medical Center of Princeton Physicians’ Organization
  • Upstate Family Health Center, Inc.

The post Class Action Lawsuits Filed Over HealthEC Data Breach appeared first on HIPAA Journal.

Michigan Attorney General Calls for New Data Breach Notification Law

Posted by Steve Alder

Michigan Attorney General Dana Nessel has called for legislative changes to hold companies in the state more accountable for data breaches after Corewell Health failed to disclose a data breach promptly. Corewell Health has been affected by two massive data breaches this year, both of which occurred at vendors and affected more than a million Corewell Health patients. The first breach occurred at Corewell Health vendor Welltok, which had data stolen in May when the Clop hacking group exploited a vulnerability in Progress Software’s MOVEit Transfer solution. Corewell Health patients were notified about the breach on December 1, 2023, more than 6 months after the breach occurred.

Michigan Attorney General, Dana Nessel

AG Nessel’s comments came in response to a second such breach, which occurred at HealthEC, a vendor used by Corewell Health for analyzing patient data. HealthEC discovered the breach in July 2023 and notified Corewell Health in October that the data of its patients had been compromised. AG Nessel explained that the department in the state that is responsible for consumer protection did not hear about the breach until December 27, 2023, more than 5 months after the breach was detected.

It often takes several months for individual data breach notification letters to be issued, but when sensitive data is stolen it can be misused immediately. Individuals need to know that their data has been stolen quickly so they can take steps to protect themselves against identity theft and fraud. In both cases, complimentary credit monitoring and identity theft protection services have been offered but some of the affected individuals have already fallen victim to identity theft and fraud. Had those individuals been made aware of the breaches sooner, losses could have been prevented. Nessel is advocating for legislation that requires companies to notify the state immediately when a data breach is discovered.

Currently, 34 U.S. states have laws that require the state Attorney General or state agencies to be issued with timely notifications about data breaches that exceed certain thresholds, but there are no such requirements in Michigan. Without mandatory data breach reporting to improve transparency, there is little the state can do regarding enforcement.

“What we would like to be able to do is to say, ‘You know, look, if you don’t properly secure and store data, or if you don’t report a data breach, you’re going to be subjected to significant fines.’ That’s what they do in other states, but not here in Michigan,” said Nessel. “Michigan residents have been subjected to a surge of healthcare-related data breaches and deserve robust protection.”

Regarding data security failures that result in data breaches, Michigan could take action and fine companies that are discovered to have violated the Health Insurance Portability and Accountability Act. Several state Attorneys General have imposed financial penalties for HIPAA violations, including Connecticut, Indiana, Massachusetts, Minnesota, New York, and New Jersey.

The post Michigan Attorney General Calls for New Data Breach Notification Law appeared first on HIPAA Journal.

Transformative Healthcare Sued Over Fallon Ambulances Service Data Breach

Posted by Steve Alder

Transformative Healthcare is facing legal action over a recently disclosed data breach that affected 911,757 patients of the Fallon Ambulance Service. The lawsuit also names Coastal Medical Transportation Systems, LLC, as a defendant. Coastal Medical Transportation Systems acquired Fallon Ambulance Services in September 2022, although the data breached was an archive copy of data from before the acquisition.

The lawsuit – Daniel Durgin v. Transformative Healthcare, LLC, and Coastal Medical Transportation Systems, LLC – was filed in the U.S. District Court for the District of Massachusetts on January 18, 2023, on behalf of Daniel Durgin, who received emergency medical transportation from the Fallon Ambulance Service before it ceased operations in December 2022. The lawsuit alleges the defendants should have known how to keep sensitive data protected, yet failed to implement reasonable and appropriate cybersecurity measures and comply with industry security standards, which allowed hackers to gain access to the plaintiff’s and class members’ sensitive data.

The lawsuit claims the plaintiff and class have incurred costs and expenses associated with the time spent mitigating the consequences of the data breach, including checking credit reports for signs of misuse of their data, purchasing credit monitoring services, and having to deal with withdrawal and purchase limits on their accounts, as well as the loss of property value of their personal information, and stress, nuisance, and aggravation of having to deal with the issues caused by the data breach.

The plaintiff and class asset claims of negligence, breach of implied contract, unjust enrichment/quasi-contract, and breach of fiduciary duty. The lawsuit seeks class-action status, a jury trial, monetary and statutory damages, and injunctive relief.

The plaintiff and class are represented by David Pastor of Pastor Law Office, PC, and Nicholas A. Migliaccio and Jason Rathod of Migliaccio & Rathod LLP.

January 2, 2024: More Than 911,000 Individuals Affected by Fallon Ambulance Service Data Breach

Legal counsel for Transformative Healthcare, a Newton MA-based medical, transportation & logistics company, has notified the HHS’ Office for Civil Rights about a data breach that has affected 911,757 individuals. The data breach affected individuals who had previously received services from the Fallon Ambulance Service, the Massachusetts medical transportation arm of Transformative Healthcare. Fallon responded to patient emergencies in the greater Boston area and provided administrative services for affiliated medical transportation companies.

In September 2022, Fallon Ambulance Service was acquired by Coastal Medical Transportation Systems and ceased business operations in December 2022. In order to comply with legal data retention requirements, Transformative Healthcare retained an archived copy of data that was previously stored on Fallon’s computer systems. On or around April 21, 2023, Transformative Healthcare detected unauthorized activity in its archive environment. Prompt action was taken to prevent further unauthorized access and an investigation was launched to determine the extent of the breach. The forensic investigation confirmed that an unauthorized third party gained access to the archive on February 17, 2023, and retained access to the archive environment until April 22, 2023. During that time, files were copied from the archive.2

The affected files were reviewed and that process was completed on December 27, 2023, when it was confirmed that the files contained names, addresses, Social Security numbers, medical information including COVID-19 testing/ vaccination information, and information provided to Fallon in connection with employment or application for employment.

While data was removed from the archive, neither Fallon nor Transformative Healthcare have found any evidence to indicate misuse of the data. Affected patients were notified by mail on December 27, 2023, and credit monitoring and identity theft protection services are being offered to the affected individuals.

The post Transformative Healthcare Sued Over Fallon Ambulances Service Data Breach appeared first on HIPAA Journal.

Anna Jaques Hospital Suffers Christmas Day Cyberattack

Posted by Steve Alder

Anna Jaques Hospital in Newburyport, MA, experienced a cyberattack on Christmas Day that resulted in an outage of its medical record system. The decision was taken to divert ambulances to other hospitals in the area until systems could be restored. On December 26, 2023, the emergency department started accepting patients. Few details have been released at this stage about the exact nature of the cyberattack and it is too early to tell if the attackers gained access to patient information. Third-party cybersecurity experts have been engaged and are investigating the attack and further information will be released as the investigation progresses.

Volunteer at NYC Health + Hospitals Impermissibly Accessed Patient Data

NYC Health + Hospitals has recently announced there has been an unauthorized disclosure of patients’ protected health information. NYC Health + Hospitals said it discovered on October 23, 2023, that an employee of NYC Health + Hospitals/Kings County allowed a Kings County volunteer to assist with processing laboratory test specimens for Kings County patients; however, the volunteer was not authorized to work in the laboratory and was not permitted to access patients’ protected health information.

While assisting in the laboratory, the volunteer accessed patients’ names, dates of birth, medical record numbers, locations within the hospital, and the laboratory tests ordered. Affected individuals had laboratory tests performed between October 2, 2021, and August 14, 2023. While PHI was impermissibly accessed, there are no indications that any of that information has been misused.

NYC Health + Hospitals said it has taken steps to prevent similar incidents from occurring in the future, including notifying all laboratory personnel that they are not permitted to provide non-employees with access to any NYC Health + Hospitals laboratories. NYC Health + Hospitals has also confirmed that the employee no longer works for NYC Health + Hospitals and has been barred from future employment at NYC Health + Hospitals, and the volunteer is no longer volunteering at NYC Health + Hospitals and has been barred from future volunteer work at NYC Health + Hospitals.

The incident has not yet appeared on the HHS’ Office for Civil Rights breach portal so it is currently unclear how many individuals have been affected.

The post Anna Jaques Hospital Suffers Christmas Day Cyberattack appeared first on HIPAA Journal.

ProSmile Holdings Notifies Patients About July 2022 Data Breach

Posted by Steve Alder

ProSmile Holdings, LLC, a New Jersey dental service organization, started notifying patients on December 22, 2023, about a breach of its email environment. Suspicious activity was detected in July 2022, and a third-party cybersecurity company was engaged to investigate the unauthorized activity and determine if any sensitive data had been exposed or compromised. ProSmile Holdings was notified on December 1, 2022, that numerous email accounts had been compromised and accessed without authorization, and personal and protected health information may have been accessed or acquired.

On January 27, 2023, ProSmile Holdings engaged a vendor to conduct a review of the affected files, and the review was completed on November 29, 2023. The compromised information included names, dates of birth, Social Security numbers, driver’s license or other state identification card numbers, financial account numbers, payment card numbers, medical treatment information, diagnosis or clinical information, provider information, prescription information, and health insurance information.

ProSmile Holdings made an announcement about the data breach on March 28, 2023, but was unable to confirm at that time how many individuals had been affected or what data had been exposed. The incident is not yet showing on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

It is also unclear why it took 5 months to discover that patient data was involved, a further two months to initiate a document review, and 10 months to complete that review. The first announcement about the breach was not made for 7 months, and it has taken 17 months for individual notifications to be issued.

Valley Health System Affected by Data Breach at ESO Solutions

Valley Health System in Las Vegas has confirmed that it was affected by a ransomware attack and data breach at its software vendor, ESO Solutions, in late September. ESO notified Valley Health System about the breach in late October and confirmed that patient names, phone numbers, addresses, and some personal or health information were compromised. The breach has affected 5 Valley Health System hospitals: Centennial Hills Hospital, Desert Springs Hospital, Spring Valley Hospital, Summerlin Hospital, and Valley Hospital. The affected individuals were notified about the breach on December 12, 2023.

The post ProSmile Holdings Notifies Patients About July 2022 Data Breach appeared first on HIPAA Journal.