HIPAA Breach News

233,000 Patients Notified About PHI Breach at Genetic Testing Lab

Ambry Genetics, an Aliso Viejo, CA-based genetic testing laboratory, is notifying 232,772 individuals that some of their protected health information was exposed as a result of a recent email security breach. At almost 233,000 records, this is the second largest healthcare data breach to be reported in 2020.

Ambry Genetics discovered an unauthorized individual gained access to an employee’s email account between January 22 and January 24, 2020 and potentially viewed and obtained the protected health information of its customers. The security team and third-party computer forensics experts were unable to determine if any information in the compromised accounts was accessed or stolen, but no reports have been received to suggest any personal information has been misused.

The email accounts were reviewed and found to contain information such as names, medical information, and other information related to the services provided by Ambry Genetics. A small number of individuals also had their Social Security number exposed.

Ambry Genetics has taken steps to enhance security and further training on email security is being provided to its employees.

Former Arizona Endocrinology Center Physician Takes PHI of 74,000 Patients to New Employer

Arizona Endocrinology Center is alerting 74,122 patients that some of their protected health information has been impermissibly disclosed to another medical group by a physician after he left the practice.

Before Dr. Dwivedi left Arizona Endocrinology Center, he downloaded patient data and disclosed the information to his new employer, More MD. Patient names, telephone numbers, addresses, medical record numbers, and the names of patients’ primary doctor were downloaded from the EHR. No Social Security numbers, health insurance information, or financial data was obtained by Dr. Dwivedi.

Arizona Endocrinology Center learned of the incident on February 17, 2020 when patients started reporting they had received text messages from More MD advising them that Dr. Dwivedi had moved to the medical group. More MD also advertised its services in the text messages. The breach investigation revealed the data was downloaded on January 12, 2020.

Arizona Endocrinology Center has told its patients that it has no business relationship with More MD and Dr. Dwivedi no longer works for the practice, so it has been difficult to obtain solid assurances that patient data has now been deleted and will not be used. The practice explained on its website that “our patients and their families are free to contact Dr. Dwivedi and More MD directly to ask them about their personal information.”

The post 233,000 Patients Notified About PHI Breach at Genetic Testing Lab appeared first on HIPAA Journal.

March 2020 Healthcare Data Breach Report

March 2020 saw a 7.69% month-over-month decrease in the number of reported healthcare data breaches and a 45.88% reduction in the number of breached records.

In March, 36 healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights (OCR), which is more than 16% fewer than the average number of monthly breaches over the past 12 months. 828,921 healthcare records were breached in March, which is 194% higher than the monthly average number of breached records.

Largest Healthcare Data Breaches in March 2020

The largest healthcare data breach of the month was reported by the genetic testing company, Ambry Genetics Corporation. An unauthorized individual gained access to an employee’s email account that contained the data of 232,772 patients.

A major phishing attack was reported by the medical device manufacturer Tandem Diabetes Care. Several employees’ email accounts were compromised and the protected health information of 140,781 patients was exposed.

The third largest data breach of the month was reported by Brandywine Urology Consultants, which experienced a ransomware attack in which the data of 131,825 patients was potentially compromised. Affordacare Urgent Care Clinics and the Randleman Eye Center were also attacked with ransomware.

The data breaches reported by Golden Valley Health Centers, the Otis R. Bowen Center for Human Services, and Washington University School of Medicine were due to phishing attacks, the Stephan C Dean breach was an email hacking incident not believed to be a phishing attack, and the OneDigital Health and Benefits breach involved the theft of a laptop computer.

Name of Covered Entity                       Covered Entity Type   Individuals Affected   Type of Breach
Ambry Genetics Corporation                   Healthcare Provider   232,772                Hacking/IT Incident
Tandem Diabetes Care, Inc.                   Healthcare Provider   140,781                Hacking/IT Incident
Brandywine Urology Consultants, PA           Healthcare Provider   131,825                Hacking/IT Incident
Stephan C Dean                               Business Associate    70,000                 Hacking/IT Incident
Affordacare Urgent Care Clinics              Healthcare Provider   57,411                 Hacking/IT Incident
Golden Valley Health Centers                 Healthcare Provider   39,700                 Hacking/IT Incident
Otis R. Bowen Center for Human Services      Healthcare Provider   35,804                 Hacking/IT Incident
OneDigital Health and Benefits               Business Associate    22,894                 Theft
Randleman Eye Center                         Healthcare Provider   19,556                 Hacking/IT Incident
Washington University School of Medicine     Healthcare Provider   14,795                 Hacking/IT Incident

Causes of March 2020 Healthcare Data Breaches

Hacking/IT incidents dominated the breach reports once again, accounting for 52.78% of the month’s breaches (19 incidents) and 94.38% of all records breached in March (782,407 records). The average breach size was 41,179 records and the median breach size was 10,700 records.

Unauthorized access/disclosure incidents accounted for 25% of the month’s breaches (9 incidents) and 1.81% of breached records (15,071 records). The average breach size was 1,674 records and the median breach size was 910 records.

16.66% of the month’s breaches were due to the theft of paperwork/electronic devices (6 incidents). 30,107 patient records were stolen in those incidents, which account for 3.63% of the breached records in March. The average breach size was 5,017 records and the median breach size was 1,595 records. There were two loss incidents reported in March involving 1,336 records.

The bar chart below shows the location of the breached protected health information and clearly indicates the biggest problem area for healthcare providers: securing email accounts and preventing phishing attacks. 50% of the breaches in March involved email accounts, the vast majority of which were the result of responses to phishing emails.

March 2020 Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity type with 26 reported breaches. There were 3 breaches reported by health plans and a rare breach at a healthcare clearinghouse.

Business associates of HIPAA covered entities reported 6 breaches and a further two breaches were reported by the covered entity but had some business associate involvement.

States Affected by March 2020 Data Breaches

March’s 36 data breaches were spread across 22 states. California was the worst affected with 7 reported breaches. There were three breaches in Georgia and Minnesota, two in each of Hawaii, North Carolina, Pennsylvania, and Texas, and one breach in each of Arizona, Colorado, Delaware, Florida, Illinois, Indiana, Massachusetts, Maryland, Missouri, Montana, New Jersey, Nevada, Ohio, Utah, and Virginia.

HIPAA Enforcement in March 2020

There were no reported enforcement actions by the HHS’ Office for Civil Rights or state attorneys general in March 2020 but there was some major news on the HIPAA enforcement front.

In response to the SARS-CoV-2 Novel Coronavirus pandemic, OCR announced it is exercising enforcement discretion and will not be imposing financial penalties on covered entities and business associates for noncompliance with certain aspects of HIPAA Rules.

Three Notices of Enforcement Discretion were announced by OCR in March related to the good faith provision of telehealth services, uses and disclosures of PHI by business associates to public health authorities, and good faith participation in the operation of COVID-19 testing centers.

Further information on the Notices of Enforcement Discretion, HIPAA, and COVID-19 can be found on this link.

PHI of 41,000 Patients Exposed in Aurora Medical Center and UPMC Altoona Phishing Attacks

Aurora Medical Center-Bay Area in Marinette, WI is notifying 27,137 patients that some of their protected health information has been exposed as a result of a January 1, 2020 phishing attack.

Several employees responded to the messages and disclosed their email account credentials, which gave the attackers access to their email accounts. The breach was discovered by the medical center on January 9, 2020. A password reset was immediately performed to prevent any further account access and the security breach was reported to law enforcement.

An internal investigation was launched to determine what information was accessed by the attackers, which revealed emails and attachments in the accounts contained the protected health information of patients. Aurora Medical Center has not received any reports indicating there has been any misuse of patient information, but it was not possible to rule out data theft.

A review of the emails in the accounts revealed they contained a range of PHI. The information varied from patient to patient and may have included first and last names, maiden name, marital status, date of birth, address, email address, telephone number, Social Security number, medical record number, driver’s license number, medical device number, passport number, bank account number, health insurance account number, full face photograph, admission date, discharge date, and treatment date.

Steps have been taken to improve email security and employees have been provided with further security awareness training to help them identify phishing emails.

University of Pittsburgh Medical Center Altoona Phishing Attack Reported

UPMC Altoona has discovered an unauthorized individual has gained access to the email account of one of its physicians and potentially viewed or obtained the PHI of some of its patients. The phishing attack was detected on February 13, 2020, shortly after the email account was compromised.

The attacker used the account to send further phishing emails. The investigation did not uncover evidence of data theft, but unauthorized PHI access could not be ruled out.

A forensic investigation revealed the email account contained patient information such as demographic information and limited clinical information. No Social Security numbers, financial information, or health insurance details were exposed.

Notification letters were sent to affected individuals on April 10, 2020. The Office for Civil Rights breach portal indicates up to 13,911 patients have been affected by the phishing attack.

Beaumont Health Notifies 112,000 Patients About May 2019 Data Breach

Michigan’s largest healthcare system, Beaumont Health, has announced that unauthorized individuals have gained access to the email accounts of some of its employees and potentially viewed or obtained patient information stored in emails and email attachments.

On March 29, 2020, Beaumont Health learned that the email account breach, which occurred almost 10 months ago, resulted in the exposure and potential theft of patient information. The investigation of the breach revealed the email accounts were accessed by unauthorized individuals between May 23, 2019 and June 3, 2019. A forensic investigation was performed to determine the extent and scope of the breach, along with a manual review of all emails in the compromised accounts. That review has taken some time to complete, hence the delay in issuing breach notification letters.

The breached email accounts were discovered to contain the protected health information of around 5% of its 2.3 million patients, which is around 112,000 individuals. The types of information exposed and potentially stolen varied from patient to patient and may have included names in combination with one or more of the following data elements: Dates of birth, diagnoses, diagnosis codes, treatment locations, treatment types, procedures, prescription information, internal patient account numbers and medical record numbers. A “limited” number of Social Security numbers and other data was also potentially compromised. While email account access was confirmed, it was not possible to tell if the attackers accessed or stole patient information.

The breach has prompted Beaumont Health to provide further training to the workforce to help employees recognize phishing and other malicious emails. Internal procedures have also been revised and additional technical safeguards have been implemented to prevent further breaches in the future.

This is the second data breach to be announced by Beaumont Health this year. In January, the health system notified 1,182 patients that a former employee had been accessing the records of patients who had received treatment after an automobile accident. The former employee is understood to have disclosed the data to a personal injury lawyer.

Washington University School of Medicine Breach Impacts 14,795 Oncology Patients

Washington University School of Medicine is notifying 14,795 oncology patients that some of their protected health information was stored in an email account that was breached in January 2020.

An unauthorized individual gained access to the email account of a research supervisor in the Division of Oncology between January 12, 2020 and January 13, 2020 as a result of a response to a phishing email. Upon discovery of the breach, immediate action was taken to secure the account and prevent further unauthorized access and a third-party computer forensics firm was engaged to assist with the investigation.

A painstaking review of emails and email attachments in the account revealed they contained the following patient information: Names, dates of birth, medical record numbers, patient account numbers, limited treatment and/or clinical information, including diagnoses, provider names, and lab test results. Certain patients also had their health insurance information and/or Social Security numbers exposed.

Affected individuals are now being notified about the breach and individuals whose Social Security numbers were potentially compromised have been offered complimentary membership to credit monitoring and identity protection services.

Washington University School of Medicine has taken steps to improve email security and has reinforced education with its employees to help them identify suspicious emails.

Phishing Attack Reported by Doctors Community Medical Center

Doctors Community Medical Center in Maryland is alerting certain patients to a breach of their protected health information.

The data breach was identified in January 2020 when suspicious activity was detected in its payroll system. An investigation into the breach revealed a small number of employees had been duped by phishing emails and had disclosed their account credentials to the attackers. In addition to gaining access to the employees’ email accounts, the attackers also had access to the employees’ payroll information.

The investigation confirmed that the first accounts were breached on November 6, 2019, with access possible until January 30, 2020. Around February 13, 2020, Doctors Community Medical Center determined that some of the compromised email accounts contained data sheets that included patient information.

A forensic investigation conducted by third-party investigators was unable to confirm if patient data had been accessed, copied, or disclosed, although no reports have been received to suggest patient information has been misused. Since unauthorized data access could not be ruled out, patients have been notified and offered complimentary credit monitoring and identity restoration services.

The types of information that were potentially compromised included names, addresses, dates of birth, Social Security numbers, driver’s license numbers, military identification numbers, financial account information, diagnoses, treatment information, prescription information, provider names, medical record numbers, patient IDs, Medicare/Medicaid numbers, health insurance information, treatment cost information, and access credentials.

The health system is reviewing and updating its policies and procedures and additional safeguards will be implemented to prevent further attacks.

PHI of 16,600 Patients Potentially Compromised in Ransomware Attack on Andrews Braces

The Sparks, NV orthodontics practice, Andrews Braces, has experienced a ransomware attack that resulted in the encryption of patient data. The attack was discovered on February 14, 2020, with the subsequent investigation determining the ransomware was downloaded the previous day.

The practice hired a third-party forensic investigator to assess the scope and extent of the attack and determine whether patient information had been accessed or exfiltrated prior to encryption. While it is not uncommon for ransomware attacks to involve data theft, the investigation did not uncover any evidence to suggest data had been obtained by the attackers. This appeared to be an automated attack with the sole aim of encrypting data to extort money from the practice.

The practice regularly backed up patient data and stored its backups securely, so it was possible to restore the encrypted files without paying the ransom. Data theft is not suspected but the possibility could not be ruled out, so notification letters have been sent to all affected patients. The types of data which could potentially have been accessed by the attacker included names, addresses, dates of birth, Social Security numbers, email addresses, and health information.

Andrews Braces has now implemented additional security solutions and has taken other steps to harden security to prevent further attacks in the future.

EVERSANA Sends Notification Letters to Patients About 2019 Data Breach

EVERSANA, an independent provider of global services to the life sciences industry, has discovered an unauthorized individual gained access to the email accounts of some of its employees in 2019.

EVERSANA was notified about unusual activity in its employees’ accounts and determined that the accounts had been accessed by an unauthorized individual through a legacy technology environment. The investigation revealed the accounts were compromised between April 1 and July 3, 2019.

The accounts contained information from a limited number of patient services programs. No evidence of unauthorized data access was found, but it is possible that the attacker(s) accessed the sensitive information of certain patients. A comprehensive review of the affected accounts concluded in February and confirmed the following data elements were potentially compromised: Names, addresses, Social Security numbers, driver’s license numbers, state identification numbers, passport numbers, tax identification numbers, debit/credit card information, financial account information, usernames and passwords, health information, treatment information, diagnoses, provider names, MRN/patient ID numbers, Medicare/Medicaid numbers, health insurance information, treatment cost information, and/or prescription information.

EVERSANA has updated its legacy technology environment and has implemented further safeguards to strengthen security. Affected individuals have now been notified and offered 12 months’ complimentary membership to credit monitoring and identity restoration services.

The incident has yet to appear on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected by the breach.

Phishing Attacks Reported by Hartford Healthcare and Saint Francis Ministries

The Saint Francis Ministries health system has announced that the email account of one of its employees was accessed by an unauthorized individual, who may have obtained patient information.

The breach was identified on December 19, 2019 when suspicious activity was detected in an employee’s email account. A third-party computer forensics firm was engaged to investigate the breach and determined on February 12, 2020 that the account was subjected to unauthorized access between December 13, 2019 and December 20, 2019. It was not possible to tell if the attacker accessed emails containing patient information or downloaded any email data, but no reports have been received to suggest any patient information has been misused.

A review of the affected accounts was completed on March 24, 2020 which revealed that the following information was potentially compromised: Name, date of birth, Social Security number, driver’s license number, state ID number, bank/financial account number, credit or debit card number, diagnosis, treatment information, prescription information, provider name, medical record number, Medicare/Medicaid number, health insurance information, treatment cost information, and username and password.

Saint Francis Ministries started mailing notification letters to affected individuals on April 12. Complimentary credit monitoring and identity theft protection services have been offered to affected patients and steps are being taken to improve email security to prevent similar breaches in the future.

2,651 Patients of Hartford Healthcare Potentially Impacted by Phishing Attack

Hartford Healthcare, a healthcare network serving patients in Connecticut and Rhode Island, announced on April 13, 2020 that it has been the victim of a phishing attack. The attack was discovered on February 13, 2020 when unusual activity was detected in the email accounts of two employees.

Assisted by a third-party computer forensics team, Hartford Healthcare determined that the attackers accessed the email accounts between February 13 and February 14, 2020.

At least one of the email accounts was discovered to include the protected health information of certain patients, such as names, medical record numbers, health insurance information, and other health-related data. The email accounts also contained the Social Security numbers of 23 patients.

Hartford Healthcare said 2,651 patients have been affected and are now being notified. The 23 individuals whose Social Security number was potentially compromised have been offered complimentary credit monitoring and identity theft protection services for 2 years.

Ransomware Attack Potentially Impacts More Than 113,000 Patients of Brandywine Urology Consultants

Delaware-based Brandywine Urology Consultants has announced it experienced a ransomware attack on January 25, 2020 that resulted in the encryption of files on its servers and computers. The scope of the attack was limited and the practice’s electronic medical record system was not affected. No medical records were exposed or compromised in the attack.

The practice acted quickly and took steps to isolate the attack and reduce the harm caused. After securing its systems, a complete scan was performed to ensure no malicious software or code remained and it was determined that the attack had been completely neutralized.

A third-party security company was engaged to thoroughly investigate the attack and determine whether the attackers had gained access to or stole patient information. While many ransomware gangs conduct manual attacks and steal data prior to deploying their ransomware payload, the investigation suggests this was an automated attack that was conducted with the sole purpose of encrypting files to extort money from the practice.

The investigation into the attack is ongoing but, to date, no evidence of unauthorized data access or data theft has been uncovered; however, it was not possible to rule out unauthorized data access so notification letters are now being sent to all patients whose protected health information was stored on parts of the system that were compromised in the attack.

According to the substitute breach notice on the Brandywine Urology Consultants website, the types of information that may have been compromised included names, addresses, Social Security numbers, medical file numbers, claims data, and other financial and personal information.

The IT security firm and the practice have been assessing security protections, policies, and procedures and steps have been taken to improve security to ensure the integrity of its systems and prevent future data breaches. The central server used by the practice has been replaced and any computers affected by the attack have either been reimaged or replaced. Antivirus software has been updated and penetration tests are being conducted to identify any other areas where security needs to be improved.

The breach summary on the HHS’ Office for Civil Rights breach portal indicates 131,825 patients were potentially impacted by the attack.

PHI Exposed in Phishing Attacks on Healthcare Resource Group and Confido

The pharmacy benefits consulting firm Confido has started notifying 3,600 of its clients’ employees, members, and their dependents, that some of their personal information has potentially been accessed by an unauthorized individual who gained access to an employee’s email account.

The email account breach was detected on December 12, 2019 and an investigation was launched to determine the scale and scope of the breach. Assisted by a third-party security firm, Confido determined on January 17, 2020 that an unauthorized individual had access to the email account for a period of two weeks between November 29, 2019 and December 12, 2019. It was not possible to determine if information in the email account was downloaded, but the possibility could not be ruled out.

A comprehensive review of the email account revealed it contained names, dates of birth, health insurance information, Social Security numbers, prescription information, treatment information, and clinical information such as diagnoses and provider names.

Individuals affected by the breach were notified on February 10, 2020. Complimentary credit monitoring services have been offered to individuals whose Social Security number was exposed.

The breach has prompted Confido to provide further security awareness training to its employees and additional procedures have been implemented to strengthen email security.

Healthcare Resource Group Phishing Attack Impacts Barlow Respiratory Hospital Patients

Healthcare Resource Group, a provider of billing services to Barlow Respiratory Hospital in Los Angeles, CA, discovered that an employee’s email account was accessed by an unauthorized individual. An investigation was conducted which revealed the email account was accessed between November 4, 2019 and November 30, 2019.

An analysis of the email account revealed emails and attachments contained a limited amount of protected health information of current and former Barlow Respiratory Hospital patients.

A third-party firm was engaged to review the account to determine what types of information had been compromised. The review was completed on February 27, 2020 and revealed patient names had been exposed along with one or more of the following data elements: Date of birth, Social Security number, driver’s license number, medical record number, patient account number, health insurance information, treatment information, and medical billing or claims information.

Healthcare Resource Group sent notifications to affected patients on behalf of Barlow Respiratory Hospital on April 7, 2020. One year’s membership to credit monitoring and identity theft restoration services has been offered to affected patients.