HIPAA Breach News

HIPAA Right of Access Failure Results in $65,000 Fine for University of Cincinnati Medical Center

The HHS’ Office for Civil Rights has announced its 18th HIPAA financial penalty of the year with the 12th fine under its HIPAA Right of Access enforcement initiative.

In 2019, OCR announced a new drive to ensure individuals are given timely access to their health records, at a reasonable cost, as mandated by the HIPAA Privacy Rule. It had become clear to OCR that healthcare providers were not always fully complying with this important HIPAA Privacy Rule provision and some patients were having trouble obtaining a copy of their medical records.

The latest financial penalty of $65,000 was imposed on the University of Cincinnati Medical Center, LLC (UCMC) and stemmed from a complaint received by OCR on May 30, 2019 from a patient who had sent a request to UCMC on February 22, 2019 asking for an electronic copy of the medical records maintained in UCMC’s electronic health record system to be sent to her lawyer.

The HIPAA Right of Access requires copies of medical records to be provided, on request, no later than 30 days after receipt of the request. 45 C.F.R. § 164.524 also states that an individual is permitted to have the requested records sent to a nominated third party, should they so wish.

The complaint was filed with OCR more than 13 weeks after the patient’s request. OCR intervened and UCMC finally provided the lawyer with the requested records on August 7, 2019, more than 5 months after the initial request was received.

After investigating the complaint, OCR determined UCMC had failed to respond to the patient’s request for a copy of her medical records in a timely manner and a financial penalty was deemed appropriate.

In addition to the financial penalty, UCMC is required to adopt a corrective action plan that includes developing, maintaining, and revising, as necessary, written policies and procedures to ensure compliance with 45 C.F.R. Part 160 and Subparts A and E of Part 164 of the HIPAA Privacy Rule. Those policies must be reviewed by OCR and implemented within 30 days of OCR’s approval.

The policies must be distributed to all members of the workforce and appropriate business associates and the policies must be reviewed and updated, as necessary, at least annually. Training materials must also be created and supplied to OCR for approval, and training provided to appropriate members of the workforce on the new policies.

UCMC is required to provide OCR with details of all business associates and/or vendors that receive, provide, bill for, or deny access to copies or inspection of records along with copies of business associate agreements, and UCMC must report all instances where requests for records have been denied. OCR will monitor UCMC closely for compliance for 2 years from the date of the resolution agreement.

“OCR is committed to enforcing patients’ right to access their medical records, including the right to direct electronic copies to a third party of their choice. HIPAA covered entities should review their policies and training programs to ensure they know and can fulfill all their HIPAA obligations whenever a patient seeks access to his or her records,” said Roger Severino, OCR Director, in a statement.

The post HIPAA Right of Access Failure Results in $65,000 Fine for University of Cincinnati Medical Center appeared first on HIPAA Journal.

PHI Potentially Compromised in Security Incidents at People Incorporated and My Choice HouseCalls

People Incorporated Mental Health Services, a provider of integrated behavioral and mental health services in Minnesota, is notifying 27,500 patients that some of their protected health information was exposed in an email account breach between April 28, 2020 and May 4, 2020.

Prompt action was taken to block further access to the email accounts and an investigation was launched to determine the nature and scope of the breach. Assisted by third-party cybersecurity experts, and after conducting a manual document review, People Incorporated discovered on September 8, 2020 that the email accounts contained patients’ personal and protected health information. While third party access to the email accounts had occurred, no evidence was found to indicate any information was stolen or has been misused.

The PHI in the compromised accounts included names, dates of birth, addresses, treatment information, insurance information, and medical record numbers and, for a limited number of individuals, Social Security numbers, financial account information, health insurance information, and driver’s license or state identification numbers. Credit monitoring services have been offered to individuals whose Social Security number was potentially compromised.

People Incorporated has taken steps to ensure threats are identified and remediated more rapidly in the future, additional technical security measures have been implemented, and further training has been provided to employees on the identification and handling of malicious messages.

PHI Potentially Compromised in My Choice Housecalls Burglary

My Choice HouseCalls, an in-home primary care provider in Jacksonville, Florida, experienced a break-in at its administrative offices on or around September 3, 2020 and several computers were stolen. The theft was reported to law enforcement, but the stolen equipment has not been recovered.

A forensic examination confirmed the computers contained the following types of patient information: Names, addresses, provider names, provider routes, facilities where patients are located, patient profile pictures, types of visits, medical histories, diagnoses, durable medical equipment supplier names, the companies providing home health services and their notes, insurance information, and patient and provider contact information.

My Choice HouseCalls is now implementing whole drive encryption to prevent the exposure of patient information in the event of another burglary. The breach report submitted to the HHS’ Office for Civil Rights shows 3,370 patients have been affected.


Ransomware Attacks Impact First Impressions Orthodontics, Kids First Dentistry & Orthodontics, and Hendrick Health Patients

First Impressions Orthodontics, a subsidiary of Professional Dental Alliance of Connecticut PLLC, experienced a ransomware attack on September 28, 2020 that potentially saw the protected health information of 23,000 patients accessed by the attackers.

Backups were regularly performed and stored securely, so patient data could be recovered without having to pay the ransom. In addition to the 23,000 First Impressions Orthodontics patients, 5,000 patients of Kids First Dentistry & Orthodontics who had x-rays performed at First Impressions Orthodontics were also impacted by the breach.

The types of data potentially compromised included names, addresses, telephone numbers, email addresses, contact telephone numbers, Social Security numbers, dental insurance numbers, dental records, dental images, service charge amounts, and payments received for services provided. Patients whose only compromised records were x-ray images had just their name, date of birth, and insurance information exposed.

Affected individuals were notified in accordance with HIPAA requirements, although no evidence of data access, theft, or misuse was found. Out of an abundance of caution, affected individuals have been offered a complimentary 2-year membership to credit monitoring and identity theft protection services.

Suspected Ransomware Attack Forces Hendrick Health into EHR Downtime Procedures

Hendrick Health in Texas has experienced a cyberattack that has forced it to take its IT network and EHR offline while the threat is remediated. The suspected ransomware attack occurred on November 9, 2020 and affected Hendrick Health’s medical center on the main campus and some of its clinics. Hendrick Medical Center Brownwood and Hendrick Medical Center South were not affected by the attack.

Hendrick Health said patient care was not affected and inpatient services were continuing; however, some patients were redirected to alternative campuses for medical care while the attack was remediated, and some outpatient services had to be rescheduled.

Hendrick Health is working around the clock to restore its systems. In the meantime, staff have switched to pen and paper to record patient information.


North Dakota and Delaware State Departments Report Breaches of PHI

The North Dakota Department of Health, Department of Human Services, Cavalier County Health District, and other state agencies were impacted by a phishing attack that saw multiple employee email accounts compromised between November 23 and December 23, 2019.

The breach investigation did not uncover any evidence to suggest protected health information was stolen or misused or that the attack was conducted in order to obtain patient information. An analysis of the compromised accounts revealed they contained names, dates of birth, addresses, medical diagnoses and treatment information, driver’s license numbers and mothers’ maiden name and, for a limited number of individuals, Social Security numbers and/or financial information.

The breach report submitted to the HHS’ Office for Civil Rights indicates 35,416 individuals were affected by the breach. All individuals affected have been notified and those who had their Social Security number exposed have been offered free membership to credit monitoring services. North Dakota has since taken steps to improve email security to prevent attacks from succeeding in the future.

Delaware Division of Public Health Alerts 10,000 About Impermissible Disclosure of COVID-19 Test Results

The Delaware Division of Public Health has experienced a breach of protected health information that has affected approximately 10,000 individuals. A temporary member of staff sent two unencrypted emails containing COVID-19 test results to an unauthorized individual on August 13, 2020 and August 20, 2020. The first email contained the results of tests conducted between July 16, 2020 and August 10, 2020, and the second included results from tests taken on August 15, 2020.

The Delaware Division of Public Health discovered the HIPAA breach on September 16, 2020. The emails were meant for internal distribution to individuals who had assisted in obtaining the test results, but they were also sent to one unauthorized individual who reported receiving the email in error. The email and data have been deleted and the Division of Public Health has no reason to think there has been any further disclosure of the information. The file attachment contained names, dates of birth, phone numbers, test dates, test locations, and test results.

The Division of Public Health has reviewed its HIPAA-related policies and procedures, provided further HIPAA training to staff members, and has implemented additional training for temporary staff. The individual who made the error is no longer employed within the Division of Public Health.


Luxottica Data Breach Impacts 829,454 Individuals in the United States

Luxottica, the world’s largest eyewear company, experienced a cyberattack that affected some of the websites operated by the company.

Luxottica is the owner of eyewear brands such as Ray-Ban, Oakley, and Persol and produces designer eyewear for many well-known fashion brands. It also operates the EyeMed vision benefits company and partners with LensCrafters, Target Optical, EyeMed, Pearle Vision, and other eye care providers.

Luxottica partners are provided with web-based appointment scheduling software that allows patients to book appointments with eye care providers online and by phone. According to a recent breach notification, the appointment scheduling application was hacked by unknown individuals on August 5, 2020 and the attackers potentially gained access to the personal and protected health information of patients of its eye care partners.

Luxottica discovered the cyberattack on August 9, 2020 and immediately took steps to contain the breach. The subsequent investigation confirmed personal and protected health information were potentially accessed and acquired by the attackers. The types of data exposed included names, contact information, appointment dates and times, health insurance policy numbers, appointment notes, doctors’ notes, and information related to eye care treatment, including health conditions, procedures, and prescriptions. A limited number of patients also had their credit card number and/or Social Security number exposed.

Luxottica is unaware of any cases of misuse of personal or protected health information but, as a precaution, individuals whose financial information or Social Security number was potentially compromised have been offered a 2-year complimentary membership to Kroll’s identity theft protection service. Notifications started to be sent to the 829,454 individuals affected by the breach on October 27, 2020.

This is not the only security breach to have affected Luxottica this year. On September 18, 2020, the eyewear company suffered a Nefilim ransomware attack that caused significant outages and disruption to services in Italy and China. Sensitive information was also stolen in the attack prior to the deployment of ransomware.


Ransomware Attack on Medicaid Billing Service Provider Impacts 116,000 Individuals

Timberline Billing Service, LLC, a Des Moines, IA-based Medicaid billing company, has suffered a ransomware attack that resulted in the encryption and theft of data.

An investigation into the attack revealed an unknown individual gained access to its systems between February 12, 2020 and March 4, 2020 and deployed ransomware. Prior to the encryption of files, some information was exfiltrated from its systems.

Timberline’s clients include around 190 schools in Iowa. School districts in the state that have been impacted by the breach have now been notified. It is currently unclear exactly how many schools were affected and if the breach was limited to schools in Iowa. Timberline also has offices in Kansas and Illinois.

The types of data potentially obtained by the attacker included names, dates of birth, Medicaid ID numbers, and billing information. A limited number of Social Security numbers were also potentially compromised. While data theft occurred, no reports have been received to indicate any data have been misused.

The breach has been reported to the Department of Health and Human Services’ Office for Civil Rights as affecting up to 116,131 individuals.

University of California San Francisco Suffers PHI Breach

University of California San Francisco (UCSF) has suffered a cyberattack in which personal and health information held by the UCSF School of Medicine was potentially compromised. The cyberattack was detected on June 1, 2020 and involved a limited part of the School of Medicine’s IT systems. No further information on the exact nature of the attack has been released.

A leading cybersecurity consultant was retained to assist with the investigation and determined records relating to current and former UCSF employees, students, collaborators, and research participants may have been compromised. Those records contained names, government ID numbers, Social Security numbers, medical information, health insurance information, and some financial information. UCSF says it is unaware of any misuse of personal information.

UCSF has been working with third party cybersecurity consultants to reinforce its IT security defenses to prevent further breaches in the future.


PHI Incidents Recently Reported by Healthcare Providers and Business Associates

A roundup of privacy and security incidents recently reported by HIPAA-covered entities and business associates that involved the exposure or disclosure of protected health information.

Server Breach Impacts Patients of Northwest Eye Surgeons and Sight Partners

Northwest Eye Surgeons LLC and Sight Partners LLC have started notifying 20,838 patients that some of their protected health information was stored on a server that was accessed by an unauthorized third party.

The breach was detected on May 1, 2020 and an investigation was immediately launched to determine the extent and scope of the breach. A third-party cybersecurity firm was engaged to assist with the investigation, and the review of the affected server was completed on July 31, 2020. A different IT firm was then engaged on August 7, 2020 to identify all protected health information stored on the server to determine which patients were affected.

The review revealed the server contained information such as patients’ names, dates of birth, Social Security numbers, driver’s license numbers, ID numbers, financial account and credit card information, medical information and insurance information.

No evidence was found to indicate patient information was removed from the server or has been misused, but out of an abundance of caution, affected patients have been offered complimentary membership to Equifax Credit Watch Gold credit monitoring, identity theft protection, and dark web monitoring services for two years.

Email Breach at Distributor Affects 3,429 Users of DJO Mobility Products

DJO, LLC, a Lewisville, TX-based provider of medical technologies to improve patient mobility, is alerting 3,429 patients that some of their protected health information has potentially been accessed by an unauthorized individual in an email breach at a former independent distributor.

An email account used by an employee of All Pro Sports was compromised in a phishing attack. The email account was accessed and used to send phishing emails to individuals in the employee’s contact list. An analysis of the email account revealed it contained limited information relating to users of DJO products in central Florida. The exposed information was limited to names, addresses, email addresses, dates of birth, physician names, product information, information related to the product prescription, and, for a limited number of individuals, Medicare numbers.

The email breach was discovered by All Pro Sports on August 17, 2020 and steps were immediately taken to secure the account. DJO conducted a thorough investigation of the incident, engaged a leading IT forensics company to assist with the investigation, and confirmed that no other systems or information were involved. Affected patients were notified about the breach in October.

Lawrence General Hospital Reports Data Security Incident

Lawrence General Hospital in Massachusetts has reported a data security incident in which unauthorized individuals potentially accessed a limited amount of patient information. A security breach was identified on September 19, 2020 which disrupted its IT systems. The investigation revealed an unauthorized individual gained access to its systems on September 9, 2020. Access was possible until September 19 when the network was secured.

The compromised systems contained patient names, internal patient ID numbers, insurance type, internal visit ID numbers and, for a very limited number of patients, some clinical information. The Social Security numbers of 5 patients were also potentially compromised.

Notifications were sent to affected individuals on November 5, 2020. Lawrence General Hospital said enhancements have been made to its intrusion detection systems in response to the breach.

Spreadsheet Error Exposed Limited PHI of Mary Rutan Hospital Patients

Mary Rutan Hospital in Bellefontaine, OH has discovered a limited amount of patient information has been exposed due to a spreadsheet error. A link was added to the hospital’s website to provide information on Diagnosis Related Groups (DRGs), a patient classification system that standardizes prospective payment to hospitals. DRG payments cover charges associated with an inpatient stay at the hospital.

The link directed individuals to a spreadsheet which was discovered to have multiple tabs, on which limited patient information was visible. Two of the tabs contained patient names, patient account numbers, birth dates, dates of service, reasons for visit, DRG codes, visit costs, insurance payment amounts, adjusted amounts, and any balances due for 1,677 patients. High risk data were not included on the spreadsheet.

No evidence was found to indicate the information was viewed by unauthorized individuals. The link was deactivated the same day the error was discovered.

Tri-State Specialists Notifies 17,500 Patients About Email Error

Tri-State Specialists, a network of orthopedic surgery clinics serving residents in Iowa, South Dakota, and Nebraska, is notifying 17,050 patients about an incident that resulted in the impermissible disclosure of their names and email addresses to a small number of current and former patients.

On September 16, 2020, Tri-State Specialists discovered an email had been sent by an employee that included patients’ names and email addresses in an attached file. No other patient information was included in the file. Patients have been advised to be vigilant for spam messages as a result of the disclosure of their email addresses.

In response to the breach, Tri-State Specialists has revised its policies and procedures related to the sending of emails to prevent similar breaches in the future. The importance of data privacy has been re-emphasized with the workforce.


$350,000 Settlement Reached to Resolve Saint Francis Healthcare Data Breach Lawsuit

A $350,000 settlement has been reached between Saint Francis Healthcare System and patients impacted by a September 2019 ransomware attack on Ferguson Medical Group (FMG).

FMG was acquired by Saint Francis after a cyberattack that rendered data, including electronic medical records, on FMG systems inaccessible. The decision was taken to restore the encrypted data from backups rather than pay the ransom, and while patient data and other files were recovered, it was not possible to recover all data encrypted in the attack. FMG was unable to restore a batch of data related to medical services provided to patients between September 20, 2018 and December 31, 2018 which has been permanently lost. FMG announced the incident impacted around 107,000 patients, and those individuals were offered complimentary membership to credit monitoring services.

A class action lawsuit was filed against Saint Francis Healthcare in January 2020 in the U.S. District Court of Eastern Missouri which alleged negligence per se, breach of express and implied contracts, invasion of privacy, and violations of the Missouri Merchandise Practices Act. Almost 90,000 of the affected patients added their name to the lawsuit.

While credit monitoring services had been offered to affected individuals, the plaintiffs sought compensation for costs incurred as a result of the data breach and attorneys’ fees. The lawsuit also demanded Saint Francis Healthcare implement additional safeguards to improve data security.

A motion to dismiss the lawsuit was filed by Saint Francis Healthcare in March 2020 as it was claimed the plaintiffs failed to state a plausible cause for relief. The plaintiffs maintained the motion to dismiss lacked merit; however, if the case were to go to trial, the outcome would be unpredictable. Both parties agreed to attempt to settle the case out of court.

The proposed settlement will see all plaintiffs provided with a maximum of $280 to cover out-of-pocket expenses incurred as a result of the breach, additional credit monitoring services, and compensation for time spent protecting their identities.

Saint Francis Healthcare has also agreed to make improvements to security, including reviewing firewall rules, automatically updating its firewall to the latest version and applying patches promptly, restricting remote access to legacy systems, developing and implementing new password management policies, adding multi-factor authentication to its VPN access points, removing RDP from its vendor access solution, implementing geo-blocking for traffic to certain IP addresses, implementing a vulnerability scanning program, and providing more comprehensive cybersecurity training to the workforce.

The settlement now awaits approval from a judge. A conference with District Judge Stephen R. Clark of the District Court of Eastern Missouri is scheduled for November 17, 2020.


Healthcare Providers Affected by Email Account Breach at Payment Processing Vendor

Lafayette, LA-based Provider Health Services, Paragould-based Arkansas Methodist Medical Center, and Miami, FL-based IntelliRad Imaging have announced they have been affected by an email security breach at one of their business associates.

All three entities have a lockbox service with IBERIABANK to collect and process payments. IBERIABANK uses Technology Management Resources, Inc. (TMR) as a third-party lockbox service provider for capturing and processing payment data for the lockbox. TMR discovered on July 3, 2020 that one of its employee’s email accounts had been accessed by an unauthorized individual, and that individual may have accessed or exfiltrated images containing protected health information.

TMR notified affected customers on August 21, 2020 and confirmed that the threat actor potentially viewed images of checks and other images that contained protected health information within TMR’s iRemit application. The unauthorized access occurred between August 5, 2018 and May 31, 2020, with most of the activity occurring between February 2020 and May 2020.

Provider Health Services said in its substitute breach notice that the PHI potentially viewed was limited to names, addresses, Social Security numbers, and some medical information.

Arkansas Methodist Medical Center said that, in addition to the above information, checking account numbers and routing numbers found on personal checks and information submitted with payments, such as AMMC account numbers, were also potentially compromised.

IntelliRad Imaging reports that patient names, addresses, Social Security numbers, bank account and routing numbers, diagnosis and treatment information, test results, health insurance information, and other information related to patient medical care were also potentially compromised.

TMR has since taken several steps to prevent further breaches, including implementing additional firewall rules to carefully control access to the iRemit website, such as restricting access from other countries.

Arkansas Methodist Medical Center reported the breach as affecting 4,916 of its patients, 1,700 patients of Provider Health Services were affected, and IntelliRad Imaging said 1,862 patients were affected.
