HIPAA Breach News

Mille Lacs Health System Phishing Attack Impacts 10,600 Patients

Posted by HIPAA Journal

Onamia, Mn-based Mille Lacs Health System has experienced a phishing attack that potentially resulted in the exposure of more than 10,000 patients’ protected health information.

Phishing emails were sent to some of its employees containing links that directed them to a website that requested their email credentials. A small number of employees were fooled by the scam.

Mille Lacs Health System learned about the phishing attack on November 14, 2020 and launched an investigation to determine the extent of the breach. On February 24, 2020, it was confirmed that the stolen email credentials were used by the attacker to access email accounts between August 26, 2019 and January 7, 2020. A review of the compromised email accounts was completed on April 22, 2020 and confirmed that patient information may have been accessed.

Information potentially compromised includes first and last names, addresses, dates of birth, provider names, dates of service, clinical information, treatment information, procedure types, and for certain individuals, Social Security numbers.  No evidence was found to suggest patient information was obtained or misused by the attackers.

All accounts have been secured, a full password reset was performed for all email accounts, and additional measures have been implemented to strengthen email security. Affected individuals were notified about the breach by mail on May 11, 2020 and have been offered complimentary credit monitoring services.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 10,630 patients were affected by the breach.

North Shore Pain Management Experiences Ransomware Attack

North Shore Pain Management in Massachusetts has experienced a manual AKO ransomware attack and the data of some of its patients was stolen.

The incident has not yet appeared on the HHS’ Office for Civil Rights breach portal and, at the time of writing, there is no substitute breach notice on the company’s website. The breach was covered on databreaches.net, which reports that approximately 4GB of data relating to the company has been published on the Tor site used by the attackers. More than 4,000 files containing patient and employee information has been dumped online.

The files contained a range of sensitive protected health information including Social Security numbers, health information, and insurance information.

PsyGenics Employee Emailed Client Information to Personal Email Account

The Detroit-based occupational therapy, speech therapy, and family therapy provider, PsyGenics, Inc., has discovered one of its employees forwarded a spreadsheet containing customer information to a personal email account. The breach was detected on March 25, 2020 as part of a regular security review. The email was sent on March 24, 2020.

The spreadsheet contained information such as customers’ names, diagnosis codes, provider names, and appointment times. No other information such as treatment notes were detailed in the spreadsheet. No reason was given as to why the employee sent the spreadsheet to their personal email account. PsyGenics says it found no evidence of attempted or actual misuse of client information.

The post Mille Lacs Health System Phishing Attack Impacts 10,600 Patients appeared first on HIPAA Journal.

Management and Network Services Notifies 30,132 Patients About PHI Breach

Posted by HIPAA Journal

Management and Network Services (MNS), LLC, a Dublin, OH-based provider of administrative support services to post-acute healthcare providers, has discovered the email accounts of some of its employees have been compromised.

In a May 4, 2020 breach notification letter, MNS explained that it learned on or around August 21, 2019 that several employee email accounts had been subjected to unauthorized access between April and July of 2019. The analysis of the email accounts recently revealed five accounts contained the protected health information of patients of its clients.

The information in emails and email attachments varied from individual to individual and may have included the following data elements: name, medical treatment information, diagnosis information/codes, medication information, dates of service, insurance provider, health insurance number, date of birth, and Social Security number. A limited number of individuals also had their driver’s license number, State ID card number, and/or financial account information exposed.

MNS has taken steps to improve email security such as enhancing password policies across the entire organization and implementing multi-factor authentication for all employee email accounts.

The HHS’ Office for Civil Rights breach portal shows 30,132 patients had some of their PHI exposed.

Santa Rosa & Rohnert Park Oral Surgery Suffers Email Security Breach

Santa Rosa & Rohnert Park Oral Surgery on Portland, OR has discovered the email account of one of its employees was accessed by an unauthorized individual. The breach was detected on March 11, 2020 when suspicious activity was detected in the email account. The forensic investigation revealed the email account was breached on December 20, 2019 and access remained possible until March 11, 2020 when the account was secured. The compromised account was found to contain a range of protected health information which may have been viewed or acquired by the attacker.

Affected individuals have been offered complimentary membership to the MyIDCare credit monitoring and identity theft protection service from ID Experts. Santa Rosa & Rohnert Park Oral Surgery is reviewing and enhancing its policies and procedures and will take further steps to improve information security.

PHI of 3,683 Ashtabula County Medical Center Patients Exposed Online

Ashtabula County Medical Center (ACMC), an affiliate of Cleveland Clinic, is notifying 3,683 patients that some of their protected health information has been exposed online. On or around January 6, 2020, ACMC posted an Excel spreadsheet on a website to comply with government requirements about medical cost disclosures. On March 12, 2020, ACMC learned that a limited amount of protected health information had been accidentally included in the spreadsheet.

The exposed information was limited to patients’ names, diagnoses, and health and treatment histories. No Social Security numbers or financial data were exposed. Out of an abundance of caution, affected individuals have been offered a 12-month complimentary membership to identity theft recovery services through IDExperts.

ACMC has now updated its policies and procedures and has implemented additional safeguards to prevent similar breaches in the future.

Phishing Attack Exposed PHI at Orchard Medical Consulting

Orchard Medical Consulting, a provider of nurse case management services for workers’ compensation claims, has announced that an unauthorized individual gained access to the email account of one of its employees and potentially accessed protected health information stored in the account.

The attack was detected on January 30, 2020 and immediate action was taken to secure the account. The investigation revealed the account contained names, dates of birth, and for a very small number of individuals, Social Security number, and medical information such as diagnosis, treatment plan, and/or health history.

No evidence of data access, data theft, or misuse of PHI has been discovered. Affected individuals have been offered complimentary membership to TransUnion Interactive’s myTrueIdentity credit monitoring service out of an abundance of caution. To prevent further breaches, email security has been strengthened, policies and procedures updated, and multi-factor authentication has been implemented.

The post Management and Network Services Notifies 30,132 Patients About PHI Breach appeared first on HIPAA Journal.

Magellan Health Suffers Ransomware Attack

Posted by HIPAA Journal

The Fortune 500 company Magellan Health has announced it experienced a ransomware attack in April that resulted in the encryption of files and theft of some employee information.

The ransomware attack was detected by Magellan Health on April 11, 2020 when files were encrypted on its systems. The investigation into the attack revealed the attacker had gained access to its systems following a response to a spear phishing email sent on April 6. The attacker had fooled the employee by impersonating a client of Magellan Health.

Magellan Health engaged the cybersecurity firm Mandiant to assist with the investigation into the breach, which revealed the attacker had gained access to a corporate server that contained employee information and exfiltrated a subset of that data prior to the encryption of files. The attacker also downloaded malware that was used to steal login credentials.

The data stolen by the hacker related to current employees and included names, addresses, employee ID numbers, and W-2 and 1099 information, which included taxpayer IDs and Social Security numbers. A limited number of usernames and passwords were also stolen in the attack.

Magellan Health is unaware of any attempts to use that data but has advised affected individuals to be alert to the possibility of identity theft and misuse of their data. Affected individuals have been offered a complimentary 3-year membership to Experian’s IdentityWorks identity theft detection and resolution service.

Magellan Health is working closely with law enforcement and is aggressively investigating the breach and steps have already been taken to improve security to prevent similar breaches in the future.

It is currently unclear how many individuals have been affected by the breach.

The ransomware attack comes just a few months after the company discovered some of its subsidiaries suffered phishing attacks. Magellan Rx Management, Magellan Healthcare, and National Imaging Associates were all affected. Announcements about the breaches were made in September and November 2019, with the phishing attacks allowing unauthorized individuals to gain access to employee email accounts in July 2019.  The emails in the compromised accounts contained the protected health information of 55,637 members.

The post Magellan Health Suffers Ransomware Attack appeared first on HIPAA Journal.

Email Breach Impacts 35,529 Patients of Saint Francis Healthcare Partners

Posted by HIPAA Journal

Saint Francis Healthcare Partners in Connecticut is notifying 38,529 patients that some of their protected health information has potentially been obtained by hackers as a result of a “sophisticated cybersecurity incident” that allowed an unauthorized individual to gain access to its email system.

The attack occurred on December 30, 2019 but it took until March 20, 2020 for the forensic investigation to determine that patients’ protected health information was potentially compromised.  The types of information stored in the email system that could have been accessed included names, medical histories, medical record numbers, clinical and treatment information, dates of service, diagnoses, health insurance provider names, account numbers, prescription information and/or types of procedures performed. No financial information or Social Security numbers were compromised.

The investigation uncovered no evidence to suggest patient information was accessed, stolen, or misused. Steps have now been taken to improve data security practices and all affected patients have been notified by mail.

Florida Internal Medicine Practice Suffers Ransomware Attack

Daniel Bendetowicz, MD, PA is notifying 3,314 patients that their protected health information has been exposed as a result of a ransomware attack. The attack occurred on March 25, 2020 resulting in the encryption of its computer systems, including patient records. Backup files were not affected so files could be recovered without paying the ransom.

In these types of ransomware attacks, files are not typically accessed by the attackers prior to file encryption; however, data access could not be ruled out so notification letters have been sent to affected patients. Dr. Bendetowicz explained in the breach notification letters that names, addresses, dates of birth, Social Security numbers, health insurance information, and medical information were potentially compromised.

Out of an abundance of caution, identity theft protection services have been offered to all affected patients. Steps have also been taken to improve security to prevent further attacks in the future.

Houston Methodist Hospital Notifies 2,000 Patients of PHI Theft

Houston Methodist Hospital is notifying 1,987 heart patients that some of their protected health information was stored on portable storage devices that were stolen from the vehicle of a vendor representative in mid-February.

The individual was employed by the medical device manufacturer and operated the 3D imaging technology in the hospital’s cardiac catheterization lab.

The hard drives were left in a vehicle from where they were stolen. The hospital reports that the room where the hard drives were stored was locked, and removal of the devices was against hospital protocol and violated established technical safeguards and contractual obligations. The representative believed the room was only locked due to the late hour of the day.

The hard drives contained medical images that included a patient’s name, gender, date of birth, and a code number. The images could only be viewed with specialist software. The clinic reported the theft to law enforcement and hired a private investigator, but the hard drives could not be located.

Email Error Leads to Breach at Ascension Eastwood Clinic

An employee of Ascension Eastwood Clinic in Southfield, MI sent an email to patients on April 15, 2020 explaining the practice was transitioning to telehealth services due to COVID-19 to help prevent the spread of the disease.

An error was made sending the email and patients’ email addresses were not added to the BCC field of the email and could therefore be viewed by other patients. As a result of the error, email addresses and, in some cases, patients’ full names were disclosed to other patients. Apart from allowing a patient to be identified as a patient of the clinic, no other information was exposed.

The HHS’ Office for Civil Rights breach portal shows 999 patients were affected.

The post Email Breach Impacts 35,529 Patients of Saint Francis Healthcare Partners appeared first on HIPAA Journal.

Healthcare Workers in Michigan and Illinois Fired for HIPAA Violations

Posted by HIPAA Journal

Ann & Robert H. Lurie Children’s Hospital of Chicago has terminated an employee for improperly accessing the medical records of patients without authorization over a period of 15 months.

The privacy violations were identified by the hospital on March 5, 2020. The employee’s access to hospital systems was immediately terminated while the investigation was conducted. After reviewing access logs, the hospital found that the employee had accessed the medical records of 4,824 patients without authorization between November 2018 and February 2020.

The types of information accessed by the employee included names, addresses, dates of birth, diagnoses, medications, appointments, and medical procedures. No health insurance information, financial information, or Social Security numbers were accessed.

No reason as been given as to why the medical records were accessed, but the hospital says it does not believe the employee obtained, misused, or disclosed the information to anyone else. The hospital said the employee no longer works at the hospital.

This is not the first incident of its type to occur at Lurie Children’s Hospital. A similar incident was discovered in November 2019, when the hospital learned that a former employee accessed the medical records of patients without authorization between September 2018 and September 2019.

Mercy Health Fires Nurse for Multiple Privacy Violations

Mercy Health has also recently taken action against an employee for alleged violations of the HIPAA Privacy Rule. A nurse at Hackley Hospital in Muskegon, MI was terminated on April 3, 2020. The termination came shortly after the nurse raised concerns in media interviews about the level of preparedness of the hospital for the COVID-19 pandemic and how the alleged lack of preparedness put safety at risk. The nurse contacted the Michigan Nurses Association Labor Union, which claimed that Mercy Health fired the nurse for speaking out. The Labor Union also filed a charge with the National Labor Relations Board.

“Howe’s termination came on the evening of April 3, days after he had publicly raised concerns about lack of appropriate PPE and the need for improved screening measures to keep nurses and healthcare workers safe during the COVID-19 pandemic,” said the Labor Union in an April 21, 2020 press release.

10 days after the nurse was fired, and one day after the press release was issued by the Labor Union, Mercy Health released a press release of its own stating the nurse was fired for multiple violations of HIPAA Rules. Mercy Health said it does not usually share details about employment matters related to its workers but was compelled to speak out due to the “misinformation campaign” led by the Labor Union.

Mercy Health claims the fired nurse, Justin Howe, was terminated for accessing the medical records of multiple patients over a period of several days. The records were for not for patients receiving treatment at the campus where the nurse worked and there was no legitimate work reason for accessing those records. Mercy Health claims that Howe was not the only nurse terminated for improper medical record access.

According to Mercy Health’s press release, “We have mechanisms in place to monitor for inappropriate access of privileged information. As part of this review process, Mr. Howe along with others were terminated for the same. This investigative effort is still in process.”

The post Healthcare Workers in Michigan and Illinois Fired for HIPAA Violations appeared first on HIPAA Journal.

Patients Notified Medical Records Exposed at Tornado Hit Secure Medical Record Facility

Posted by HIPAA Journal

Several healthcare providers have been affected by an unusual data breach at Waupaca, WI-based STAT Informatics Solutions, LLC. STAT provides secure medical records services to several healthcare providers which includes scanning paper files so they can be added to hospital medical record systems.

On March 3, 2020, a STAT facility in Lebanon, TN was hit by a tornado, which caused extensive damage to the building and some of the records stored in the facility. STAT notified all affected clients the same day, and representatives of those healthcare providers visited the site to assist with locating and securing medical records in the facility.

To limit the potential for unauthorized access, a tall fence was erected around the building while the medical records were located and secured. Two security guards were also posted on site 24/7 to prevent unauthorized individuals from accessing the building.

The majority of the medical records were found in the remnants of the building, but the records were determined to be unsalvageable and have now been securely destroyed.

While it is possible that unauthorized individuals may have viewed some paperwork relating to patients, no evidence has been uncovered to suggest that was the case and patients are not believed to be at risk of financial harm. Out of an abundance of caution, patients whose records were stored in the building are being notified by mail and will be offered complimentary credit monitoring services.

The medical records at the facility contained the following types of information: Full names, Social Security numbers, addresses, dates of birth, medical record numbers, account numbers, medical images, diagnoses, nursing and physician documentation, test results, medications, and other types of information typically found in medical records.

The following healthcare providers have confirmed they were affected by the incident.

  • Bayfront Health Port Charlotte, FL
  • Bayfront Health Punta Gorda, FL
  • Commonwealth Health Wilkes-Barre General Hospital, PA (518 records)
  • Commonwealth Health Moses Taylor Hospital, PA (1,905 records)
  • Poplar Bluff Regional Medical Center, MO (1,619 records)

The post Patients Notified Medical Records Exposed at Tornado Hit Secure Medical Record Facility appeared first on HIPAA Journal.

Phishing Attack at BJC HealthCare Impacts Patients at 19 Hospitals

Posted by HIPAA Journal

BJC Healthcare has announced that the email accounts of three of its employees have been accessed by an unauthorized individual after the employees responded to phishing emails.

Suspicious activity was detected in the email accounts on March 6, 2020 and the accounts were immediately secured. A leading computer forensics firm was engaged to conduct an investigation which revealed the three accounts had only been accessed for a limited period of time on March 6. It was not possible to tell if patient data was viewed or obtained by the attacker.

A review of the accounts revealed they contained the data of patients at 19 BJC and affiliated hospitals. Protected health information in emails and attachments varied from patient to patient and may have included the following data elements:

Patients’ names, medical record numbers, patient account numbers, dates of birth, and limited treatment and/or clinical information, which included provider names, visit dates, medications, diagnoses, and testing information. The health insurance information, Social Security numbers, and driver’s license numbers of certain patients were also potentially compromised.

All patients affected by the breach will be notified by mail when the email account review is completed. Patients whose driver’s license or Social Security number has potentially been compromised will be offered complimentary credit monitoring and identity theft protection services.

BJC HealthCare said additional security measures will be implemented to prevent incidents such as this in the future and staff will be retrained to help them identify and avoid suspicious emails.

The following BJC HealthCare and affiliated hospitals were affected by the breach:

  • Alton Memorial Hospital
  • Barnes-Jewish Hospital
  • Barnes-Jewish St. Peters Hospital
  • Barnes-Jewish West County Hospital
  • BJC Behavioral Health
  • BJC Corporate Health Services
  • BJC Home Care
  • BJC Medical Group
  • Boone Hospital Center
  • Christian Hospital
  • Memorial Hospital Belleville
  • Memorial Hospital East
  • Missouri Baptist Medical Center
  • Missouri Baptist Physician Services, LLC
  • Missouri Baptist Sullivan Hospital
  • Parkland Health Center Boone Terre
  • Parkland Health Center Farmington
  • Progress West Hospital
  • Louis Children’s Hospital

The post Phishing Attack at BJC HealthCare Impacts Patients at 19 Hospitals appeared first on HIPAA Journal.

Shareholder Sues LabCorp to Recover Losses Caused by Data Breaches

Posted by HIPAA Journal

A LabCorp shareholder is taking legal action against LabCorp and its executives and directors over the loss in share value that was caused by two cyberattacks experienced by the company in the past 12 months.

LabCorp was one of the companies worst affected by the data breach at the medical debt collection company, American Medical Collection Agency (AMCA) in 2019. The records of 10,251,784 patients who used LabCorp’s services were obtained by hackers who infiltrated AMCA’s systems. At least 24 of AMCA’s clients were affected by the breach.

A second LabCorp data breach was reported by TechCrunch in January 2020 that involved around 10,000 LabCorp documents, which the lawsuit alleges was not publicly disclosed by the company nor mentioned in any SEC filings. The breach was the result of a website misconfiguration and allowed the documents to be accessed by anyone. The breach was also not reported to the HHS’ Office for Civil Rights, even though TechCrunch researchers confirmed that the documents contained patient data.

Raymond Eugenio holds shares in LabCorp which lost value as a result of the data breaches and filed the lawsuit on April 23, 2020 to recover those and other losses. The lawsuit names LabCorp as the defendant along with 12 of the company’s executives and directors, including LabCorp CIO Lance Berberian, CFO Glenn Eisenberg, and director Adam Schechter.

The lawsuit alleges that prior to the AMCA breach and subsequently, LabCorp failed to implement appropriate cybersecurity procedures and did not have sufficient oversight of cybersecurity, which directly resulted in the two data breaches.

In an SEC filing, LabCorp explained the AMCA data breach cost the company $11.5 million in 2019 in response and remediation costs, but the lawsuit points out that the figure is just a fraction of the total losses and does not cover the cost of litigation that followed. Several class action lawsuits have been filed by victims of the AMCA data breach that name LabCorp so the total losses are not known to its shareholders. The lawsuit also states that the second breach has not been acknowledged publicly or in any SEC filings. As such, Eugenio alleges LabCorp failed in its responsibility to its shareholders and breached its duties of loyalty, care, and good faith.

The lawsuit alleges LabCorp failed to implement effective internal policies, procedures, and controls to protect patient information, there was insufficient oversight of compliance with federal and state regulations and its internal policies and procedures, LabCorp did not have a sufficient data breach response plan in place, PHI was provided to AMCA without ensuring the company had sufficient cybersecurity controls in place, LabCorp did not ensure that individuals and entities affected by the breach were noticed in a timely manner, and that the company did not make adequate public disclosures about the data breaches.

The lawsuit seeks reimbursement for damages sustained as a result of the breaches and public acknowledgement of the January 2020 data breach. the lawsuit also calls for a reform of corporate governance and internal procedures and requires a board-level committee to be set up and an executive officer position appointed to ensure adequate oversight of data security.

The post Shareholder Sues LabCorp to Recover Losses Caused by Data Breaches appeared first on HIPAA Journal.

Ransomware Attacks Claim Three More Healthcare Victims

Posted by HIPAA Journal

Parkview Medical Center in Pueblo, Colorado is recovering from a ransomware attack that started on April 21, 2020. The attack resulted in several IT systems being taken out of action, including its Meditech electronic medical record system, which has been rendered inoperable. The attack is currently being investigated and assistance is being provided by a third-party computer forensics firm.

Parkview Medical Center is currently working around the clock to bring its systems back online and recover the encrypted data. In the meantime, medical services continue to be offered to patients, who remain the number one priority. Staff have switched to pen and paper to record patient information until systems can be brought back online. Despite not having access to important systems, the medical center says the level and quality of care provided to patients has not changed.

A spokesperson for the medical center said, “While our medical staff continue to work around the clock in response to the ongoing global pandemic, we are doing everything in our power to bring our systems back online as quickly and securely as possible.” The hospital’s website still says systems remain out of action on Wednesday, April 29.

It is not known if this was a manual or automated ransomware attack and if any sensitive data was exfiltrated by the attackers prior to the deployment of ransomware.

ExecuPharm Attacked with Maze Ransomware

On March 13, 2020, the King of Prussia, PA-based pharmaceutical company ExecuPharm experienced a Maze ransomware attack in which sensitive data was stolen. The Maze ransomware operators conduct manual ransomware attacks and steal data from victims before encrypting data. They also threaten to publish the data if the ransom payment is not made, as was the case with this attack.

The attackers have previously stated in a press release that they would be halting ransomware attacks on medical organizations during the COVID-19 pandemic, but that clearly does not appear to apply to pharma firms. In this case the data uploaded to the Maze website includes financial information, documents, database backups, and other sensitive data.

According to a statement issued by ExecuPharm, aa leading cybersecurity company has been retained to assist with the investigation and determine the nature and scope of the breach. The incident has been reported to law enforcement and all affected parties have been notified.

In addition to company information, the personal data of employees has also been accessed and exfiltrated by the attackers. That information includes Social Security numbers, financial information, driver licenses, passport numbers, bank account information, IBAN/SWIFT numbers, credit card numbers, national insurance numbers, beneficiary information and other sensitive data. Some data relating to its parent company, Parexel, was also stolen in the attack. Affected individuals have been offered identity theft monitoring services for 12 months free of charge.

The company has rebuilt its servers from backups and once systems have been restored, all data will be recovered from backups. Measures are also being implemented to harden security against these types of attacks, which include multi-factor authentication for remote connections, endpoint protection, and detection and response forensics tools on all systems. Email security measures have also been improved to block ransomware emails.

Brandywine Counselling and Community Services Suffers Ransomware Attack

Brandywine Counselling and Community Services in Delaware has also recently been attacked with ransomware.

The attack was detected on February 10, 2020 and a computer forensic firm was hired to assist with the investigation. The investigation determined servers impacted by the attack contained some client information which was acquired by the attackers.

The attack has been reported to the HHS’ Office for Civil Rights as affecting 4,262 individuals. The data stolen in the attack includes clients’ names, addresses, dates of birth, and/or limited clinical information, such as provider name(s), diagnosis, prescription(s), and/or treatment information, and a limited number of Social Security numbers and driver’s license numbers.

Individuals whose Social Security number or driver’s license number was compromised have been offered complimentary credit monitoring and identity theft protection services. Additional security measures are being implemented to prevent further ransomware attacks in the future.

The post Ransomware Attacks Claim Three More Healthcare Victims appeared first on HIPAA Journal.