HIPAA Breach News

Dickinson County Health Suffers Ransomware Attack

Michigan-based Dickinson County Health has suffered a malware attack that has taken its EHR system offline. The attack has forced the health system to adopt EHR downtime procedures and record patient data using pen and paper. The attack commenced on October 17, 2020 and disrupted computer systems at all its clinics and hospitals in Michigan and Wisconsin.

Systems were shut down to contain the malware and third-party security experts have been retained to investigate the breach and restore its systems and data. While the attack caused considerable disruption, virtually all patient services remained fully operational. It is currently unclear whether patient data were accessed or stolen by the attackers.

“We are treating this matter with the highest priority and are responding by using industry best practices while implementing aggressive protection measures,” said Chuck Nelson, DCHS CEO. “While we investigate, our top priority is maintaining our high standards for patient care throughout our system.”

25,000 Individuals Potentially Impacted by Passavant Memorial Homes Security Breach

Passavant Memorial Homes Family of Services (PMHFOS), a Pennsylvania-based provider of support services for individuals with intellectual disabilities, autism, and behavioral health needs, has experienced a security breach in which the protected health information of its clients may have been compromised.

The incident occurred on August 15, 2020. An unauthorized individual used the contact form on its website to send a message to an authorized user stating that a username and password giving access to its systems had been obtained. The message alerted PMHFOS to the vulnerability, and the individual claimed no malicious actions were taken.

The breach was investigated by third-party computer forensics experts who determined that malware had not been installed and no files had been encrypted; however, it was not possible to determine whether any individually identifiable information had been accessed or exfiltrated. Scans were conducted on the dark web to determine whether any client information had been released, but no information was found. A review of the systems that were accessible revealed they contained the PHI of 25,000 individuals.

In response to the breach, PMHFOS disabled the compromised account, performed a system-wide password reset, provided further security awareness training to employees, and updated its network security measures. Two-factor authentication has also been implemented. The breach was reported to law enforcement and PMHFOS’ cyber insurance carrier.

Email Error Exposed Email Addresses of Michigan Medicine Patients

Ann Arbor, MI-based Michigan Medicine has started notifying 1,062 patients that their names, email addresses, and limited health information may have been accessed by unauthorized individuals.

Michigan Medicine sent an email communication in late September to patients advising them about an inflammatory bowel disease event; however, the email addresses of patients were not added to the blind carbon copy (BCC) field and could therefore be viewed by all other individuals on the mailing list.

The email did not contain highly sensitive information, although it may have been possible to determine the names of patients from their email addresses and the email identified individuals as suffering from inflammatory bowel disease.

When the error was discovered, separate emails were sent to all individuals on the mailing list informing them about the error and instructing them to delete the first email. Letters were also sent to affected patients on October 16. Michigan Medicine has now changed its procedures for emailing patients to prevent similar errors in the future.

The post Dickinson County Health Suffers Ransomware Attack appeared first on HIPAA Journal.

Piedmont Cancer Institute Phishing Attack Impacts 5,000 Patients

Piedmont Cancer Institute (PCI) in Atlanta, GA is notifying 5,226 patients that some of their protected health information may have been viewed or obtained by an unauthorized individual who gained access to the email account of one of its employees.

Assisted by a third-party cybersecurity firm, PCI determined the email account was compromised for more than a month, with the unauthorized individual first accessing the account on April 5, 2020. The account was secured on May 8, 2020.

A review of the compromised account concluded on August 8, 2020 and revealed it contained a variety of protected health information. In addition to names, affected patients had one or more of the following data elements exposed: date of birth, medical information such as diagnosis and treatment information, financial account information, and/or credit/debit card number.

To prevent further breaches, PCI has implemented multi-factor authentication on its email accounts and has provided further training to the workforce on email security.

Potential Data Breach Discovered by McLaren Oakland Hospital

McLaren Oakland Hospital in Pontiac, MI has discovered the protected health information of 2,219 patients has been exposed and may have been accessed by unauthorized individuals.

On July 10, 2020, McLaren Oakland became aware that a computer desktop file contained an unauthorized and unsecure link to a file containing the protected health information of current and former patients.

No evidence was found to indicate any of the PHI in the file had been viewed by unauthorized individuals and no reports have been received indicating any misuse of patient information. Affected individuals have been advised to monitor their accounts and credit reports for any sign of misuse of their information as a precaution. Affected individuals have also been offered complimentary membership to identity theft protection and monitoring services.

Upon discovery of the PHI exposure, the link was disabled. The investigation revealed the link had been inadvertently rendered insecure by an employee. McLaren Oakland has reviewed its policies and procedures with staff and additional training on patient privacy and data security has been provided to employees.

Patient Records Stolen from Edmonds, WA Health and Wellness Clinic

The Health and Wellness Clinic in Edmonds, WA, a provider of “natural medicine and physical care solutions,” has suffered a break-in in which patient records were stolen.

A storage room located off the massage suite at the clinic had a locked external door, which was forced open by a burglar over the weekend of August 29-30. The room appeared to have been searched, papers had been removed from some of the files, and a box of files was discovered to be missing. The stolen records contained information such as names, dates of birth, Social Security numbers, health histories, and treatment information.

The break-in was reported to the police department, which conducted an investigation that has resulted in the identification of a suspect, and the box of stolen records has now been recovered. It is currently unclear how many records were taken from the clinic.


Sen. Warner Seeks Answers about Suspected Universal Health Services Ransomware Attack

Universal Health Services has confirmed that all 250 of its hospitals in the United States are back up and running after a suspected ransomware attack that knocked out its systems for 3 weeks. The attack started on or around September 27, 2020. All systems were brought back online by October 12. An update was posted on the UHS website this week saying, “With back-loading of data substantially complete at this point, hospitals are resuming normal operations.”

While systems were down, clinicians were forced to work on pen and paper in order to continue providing care for patients and, at some locations, patients had to be diverted to alternate facilities to receive treatment.

The health system reported the security breach as a malware attack which forced it to shut down its network; however, several insiders took to Reddit to voice their concerns and explain that this was a ransomware attack. Based on the data posted by those insiders, the attack appeared to have involved Ryuk ransomware. The operators of Ryuk ransomware are known to exfiltrate data prior to the deployment of ransomware; however, UHS maintains that no evidence has been found to indicate employee or patient data were accessed, copied, or misused.

Sen. Mark Warner (D-VA) has written to UHS Chairman and CEO Alan Miller seeking answers to several questions about the attack and the cybersecurity measures that had been put in place to prevent and limit the severity of a ransomware or malware attack. In the letter, Sen. Warner said he had “grave concerns about United Health Services’ digital medical records and clinical healthcare operations succumbing to an apparent ransomware attack.”

UHS serves more than 3.5 million patients each year across its 250 hospitals and is one of the largest hospital operators in the United States. “With the full resources of a Fortune 500 company receiving over $11 billion in annual revenue, UHS’s patients expect and deserve that their provider’s cybersecurity posture to be sufficiently mature and robust to prevent major interruptions to health care operations,” said Sen. Warner.

Sen. Warner questioned whether UHS had segmented its network to prevent the lateral movement of hackers and stop an attack from spreading to affect all facilities. Sen. Warner also questioned whether clinical medical devices had been isolated from administrative systems and networks to ensure that in the event of a cyberattack those devices would not be interrupted.

In light of the posts made by insiders, Sen. Warner asked if UHS paid a ransom for the keys to decrypt files, whether any patient data was rendered inaccessible as a result of the attack, and if any healthcare data was exfiltrated from UHS owned or operated facilities.

Sen. Warner is seeking answers to those and other questions about UHS cybersecurity practices within 2 weeks.


228,000 Individuals Impacted by Legacy Community Health Services Phishing Attack

Legacy Community Health Services in Texas is alerting 228,009 patients about a data breach involving some of their protected health information (PHI). The PHI was stored in an email account that was accessed by an unauthorized individual.

The breach was detected on July 29, 2020, one day after an employee responded to a phishing email and disclosed login credentials to the attacker. The account was immediately secured and a computer forensics firm was engaged to assist with the investigation.

No evidence was found to indicate emails were viewed by the attacker or that electronic protected health information was stolen, although the possibility of data theft could not be totally discounted. The compromised email account contained patient names, dates of service, and health information related to care at Legacy, along with a limited number of Social Security numbers. Complimentary membership to a credit monitoring and identity protection service has been offered to individuals whose SSN was compromised.

Email security has been reinforced since the attack and the staff has been retrained on identifying and avoiding phishing emails.

Georgia Department of Human Services Discovers Breach of Multiple Employee Email Accounts

The email accounts of several employees of the Georgia Department of Human Services have been accessed by unauthorized individuals. The email accounts contained the personal and protected health information of parents and children who were involved in Child Protective Services (CPS) cases with the DHS Division of Family & Children Services (DFCS).

The Georgia Department of Human Services learned in August that the attackers potentially accessed emails containing personal and health information. The breach investigation revealed access to the email accounts was gained between May 3, 2020 and May 15, 2020.

The types of data exposed varied from individual to individual and may have included full names, names of household members, relationship to the child receiving services, county of residence, DFCS case number, DFCS identification numbers, date of birth, age, number of times contacted by DFCS, an identifier of whether face-to-face contact was medically appropriate, phone numbers, email addresses, Social Security number, Medicaid identification number, Medicaid medical insurance identification number, medical provider name, and appointment dates.

Psychological reports, counseling notes, medical diagnoses, and substance abuse information relating to 12 individuals were also included in the compromised email accounts, along with one individual’s bank account information.

VOXX International Suffers Ransomware Attack

VOXX International Corporation has confirmed it suffered a ransomware attack on July 7, 2020 in which the protected health information of members of its benefit plans was potentially compromised. Information stored in files on the affected servers included names, addresses, email addresses, dates of birth, Social Security numbers, financial account numbers, and/or health insurance information of current and former employees and their dependents and beneficiaries.

An investigation into the attack revealed the attackers had access to the servers between June 4, 2020 and July 7, 2020 and prior to the deployment of ransomware, some of the files on the servers were accessed by the attackers. The review of the files revealed they contained the PHI of 6,034 individuals.

VOXX has now implemented an endpoint threat detection and response tool and is taking other measures to enhance the security of its network. All affected individuals have been offered complimentary membership to Experian’s IdentityWorks identity theft resolution services.

Einstein Healthcare Network Suffers Phishing Attack

1,821 patients of Philadelphia, PA-based Einstein Healthcare Network are being notified that some of their protected health information has potentially been accessed by unauthorized individuals who gained access to certain employee email accounts. The email security breach was detected on August 10, 2020. The investigation revealed the attacker gained access to email accounts between August 5 and August 17, 2020.

A review of the compromised email accounts revealed they contained patients’ names, dates of birth, medical record or patient account numbers, and/or treatment or clinical information, such as diagnoses, medications, providers, types of treatment, or treatment locations. Certain patients also had their health insurance information and/or Social Security number exposed.

It was not possible to determine if any emails were accessed or copied by the attackers, but since data theft could not be ruled out, patients whose Social Security number was exposed have been offered a 1-year complimentary membership to credit monitoring and identity protection services.

Einstein Healthcare Network has re-trained employees on how to identify and avoid suspicious emails and steps have been taken to improve the security of its email environment.


OCR Announces 9th Financial Penalty under its HIPAA Right of Access Initiative

The HHS’ Office for Civil Rights (OCR) is continuing its crackdown on healthcare providers that are not fully complying with the HIPAA right of access. Last week, OCR announced its ninth enforcement action against a HIPAA-covered entity for the failure to provide patients with timely access to their medical records at a reasonable cost.

HIPAA gives patients the right to view or receive a copy of their medical records. When a request is made for access to medical records, HIPAA-covered entities must provide access or supply a copy of the requested medical records as soon as possible, but no later than 30 days after the request is received.

By obtaining a copy of their medical records, patients can share those records with other providers, research organizations, or individuals of their choosing. Patients can check their medical records for errors and submit requests to correct any mistakes. In the event of a ransomware attack that renders medical records inaccessible, patients who hold a copy of their records can ensure that their health histories are never lost.

Under the OCR HIPAA Right of Access Initiative, complaints from individuals who have been denied access to their medical records or have faced delays in receiving a copy of their records are investigated. When violations of the HIPAA right of access are uncovered, financial penalties are issued. The aim of penalties is to encourage compliance by making noncompliance very costly.

The latest financial penalty was imposed on NY Spine, a private medical practice with offices in New York and Miami that specializes in neurology and pain management. OCR received a complaint from a patient in July 2019 who claimed to have sent multiple requests to NY Spine in June 2019 requesting a copy of her protected health information.

NY Spine responded to the requests and provided some of her records but failed to provide the diagnostic films that she had specifically requested. It took intervention from OCR for NY Spine to provide those records. The patient was finally provided with a complete copy of all the requested records in October 2020, 16 months after the first request was submitted.

NY Spine and OCR agreed to settle the case for $100,000. NY Spine is also required to adopt a corrective action plan and will be monitored by OCR for compliance for 2 years.

“No one should have to wait over a year to get copies of their medical records. HIPAA entitles patients to timely access to their records and we will continue our stepped up enforcement of the right of access until covered entities get the message,” said Roger Severino, OCR Director.


Community Health Systems Pays $5 Million to Settle Multi-State Breach Investigation

Franklin, TN-based Community Health Systems and its subsidiary CHSPCS LLC have settled a multi-state action with 28 state attorneys general for $5 million.

A joint investigation, led by Tennessee Attorney General Herbert H. Slatery III, was launched following a breach of the protected health information (PHI) of 6.1 million individuals in 2014. At the time of the breach, Community Health Systems owned, leased, or operated 206 affiliated hospitals. According to a 2014 8-K filing with the U.S. Securities and Exchange Commission, the health system was hacked by a Chinese advanced persistent threat group which installed malware on its systems that was used to steal data. PHI stolen by the hackers included names, phone numbers, addresses, dates of birth, sex, ethnicity, Social Security numbers, and emergency contact information.

The same breach was investigated by the HHS’ Office for Civil Rights, which announced late last month that a settlement had been reached with CHSPCS over the breach and a $2.3 million penalty had been paid to resolve potential HIPAA violations discovered during the breach investigation. In addition to the financial penalty, CHSPCS agreed to adopt a robust corrective action plan to address privacy and security failures discovered by OCR’s investigators.

Victims of the breach took legal action against CHS over the theft of their PHI and CHS settled the class action lawsuit in 2019 for $3.1 million. The latest settlement means CHS and its affiliates have paid $10.4 million in settlements over the breach.

“A patient’s personal information—especially health information—deserves the highest level of protection,” said Attorney General Slatery. “This settlement will require CHS to provide that moving forward.”

CHS and its affiliates were found to have failed to implement reasonable and appropriate security measures to ensure the confidentiality, integrity, and availability of protected health information on its systems. “The terms of this settlement will help ensure that patient information will be protected from unlawful use or disclosure,” said Iowa Attorney General Tom Miller.

The states participating in the action were Alaska, Arkansas, Connecticut, Florida, Illinois, Indiana, Iowa, Kentucky, Louisiana, Massachusetts, Michigan, Mississippi, Missouri, Nebraska, Nevada, New Jersey, North Carolina, Ohio, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont, Washington, and West Virginia.

In addition to paying the financial penalty, CHS and its affiliates have agreed to adopt a corrective action plan and implement additional security measures to ensure the security of its systems. Those measures include developing a written incident response plan, providing security awareness and privacy training to all personnel with access to PHI, limiting unnecessary or inappropriate access to systems containing PHI, implementing policies and procedures for its business associates, and conducting regular audits of all business associates.

CHS must also conduct an annual risk assessment, implement and maintain a risk-based penetration testing program, implement and maintain intrusion detection systems, data loss protection measures, and email filtering and anti-phishing solutions. All system activity must be logged, and those logs must be regularly reviewed for suspicious activity.

“Community Health Systems is pleased to have resolved this six-year old matter,” said a spokesperson for CHS in a statement about the settlement. “The company had robust risk controls in place at the time of the attack and worked closely with the FBI and consistently with its recommendations after becoming aware of the attack.”


Former Mayo Clinic Employee Accessed Medical Records of 1,600 Patients Without Authorization

Mayo Clinic has started notifying more than 1,600 patients that some of their protected health information has been viewed by a former employee without authorization.

Mayo Clinic confirmed on August 5, 2020 that a licensed health care professional had accessed the records of patients when there was no legitimate reason for doing so. The employee was ending their employment with Mayo Clinic when the privacy breach was discovered and the individual no longer works at Mayo Clinic.

The reason for accessing the medical records is not known and Mayo Clinic has not disclosed when the privacy breach occurred. Mayo Clinic explained that the access was limited in duration and no evidence was found to suggest any information was printed or retained by the employee.

The types of information accessed included names, dates of birth, demographic information, medical record numbers, medical images, and clinical notes. No financial information or Social Security numbers were viewed. Mayo Clinic has reported the unauthorized access to the Rochester Police Department and the FBI, and the privacy breach is being investigated.

Mayo Clinic said there was a delay in issuing notifications as the investigation into the privacy breach took time to complete. Affected individuals have now been notified, but the nature of data accessed means they do not need to take any action in relation to the breach.

UMMA Community Clinic Discovers Insider Breach

University Muslim Medical Association (UMMA) Community Clinic in Los Angeles has discovered a former employee sent a secured file containing patients’ protected health information to a personal email account. The incident was discovered on July 1, 2020, two days after the file was emailed.

UMMA has received written confirmation from the former employee that the file has been securely deleted and UMMA is unaware of any further disclosures or misuse of the information in the file.

UMMA has implemented additional policies and procedures to prevent similar privacy breaches in the future. It is currently unclear how many individuals have been affected or what types of protected health information were contained in the secured file.

AAA Ambulance Service Notifies Patients About Attempted Ransomware Attack

AAA Ambulance Service in Mississippi is notifying patients about an attempted ransomware attack that occurred on or about July 1, 2020. Prompt action was taken to prevent the encryption of data on its systems and an internal investigation was launched to determine the extent of the security breach. Assisted by third-party computer forensics experts, AAA Ambulance Service determined on August 26, 2020 that patient data may have been accessed or exfiltrated by the attackers prior to the deployment of ransomware.

The types of data potentially compromised include patients’ names in combination with one or more of the following data elements: Social Security number, driver’s license number, date of birth, financial account number, diagnosis information, treatment information, patient account number, prescription information, medical record number and/or health insurance information.

No evidence has been found to suggest any patient data has been misused, but out of an abundance of caution, affected individuals have been offered complimentary credit monitoring services. AAA Ambulance Service is implementing additional safeguards to prevent similar breaches in the future.

Seven Counties Services Suffers 13,375-Record Data Breach

Seven Counties Services in Kentucky is alerting 13,375 patients about a breach of their protected health information. Seven Counties Services was targeted in a phishing attack that saw the email accounts of 13 employees accessed by an unauthorized individual. The breach was detected by the Seven Counties’ IT department on July 28, 2020 and the compromised email accounts were immediately secured. The attack began on July 27, 2020 and continued until July 30, 2020.

A review of the compromised email accounts revealed they contained reports that included protected health information such as names, dates of birth, Social Security numbers, addresses, phone numbers, email addresses, diagnoses, and dates of service. It was not possible to determine if any emails in the accounts were opened, viewed, or downloaded by the attackers.

The Seven Counties Services IT department has improved access controls and implemented location-based multi-factor authentication, and the workforce has been re-educated on phishing and email spoofing attacks.


OCR Imposes $160,000 Penalty on Healthcare Provider for HIPAA Right of Access Failure

The Department of Health and Human Services’ Office for Civil Rights has announced its 12th HIPAA penalty of 2020 and its 8th under the HIPAA Right of Access enforcement initiative that was launched in 2019. The $160,000 settlement is the largest HIPAA penalty to date for a failure to provide an individual with timely access to their requested medical records.

On January 24, 2018, Dignity Health, doing business as St. Joseph’s Hospital and Medical Center (SJHMC), received a request from the mother of a patient who wanted a copy of her son’s medical records. The mother was acting as the personal representative of her son. After not receiving all of the requested records by April 25, 2018, the mother lodged a complaint with the Office for Civil Rights.

OCR investigated the potential HIPAA violation and determined the complainant had requested four specific sets of medical records from SJHMC. The first request was sent on January 24, 2018, and the same records were requested on March 22, April 3, and May 2, 2018.

SJHMC did respond to the requests and provided some, but not all, of the requested records. The mother made contact with SJHMC again on May 2, May 10 and May 15, 2018 to request the records that had not been provided. SJHMC responded and sent additional records, but not the specific records that had been requested. It took until December 19, 2019 for SJHMC to provide all the records she had requested – 22 months after the initial request had been sent.

SJHMC agreed to pay the $160,000 financial penalty to settle the case with no admission of liability. SJHMC will also adopt a corrective action plan to address all areas of noncompliance and will be monitored for compliance by OCR for two years.

“It shouldn’t take a federal investigation to secure access to patient medical records, but too often that’s what it takes when health care providers don’t take their HIPAA obligations seriously. OCR has many right of access investigations open across the country, and will continue to vigorously enforce this right to better empower patients,” said Roger Severino, OCR Director.


Magnolia Pediatrics and Accents on Health Suffer Ransomware Attacks

Prairieville, LA-based Magnolia Pediatrics is notifying 12,861 patients that some of their protected health information has potentially been compromised in a ransomware attack that occurred on or around March 26, 2020.

The ransomware attack was investigated by its IT vendor, LaCompuTech, which determined only its master boot record had been affected and patient information had not been accessed, encrypted or exported by the attackers. The IT vendor determined a HIPAA breach had not occurred and the incident therefore did not need to be reported to the HHS’ Office for Civil Rights and notification letters to patients were not warranted.

However, OCR informed Magnolia Pediatrics on September 11, 2020 that the incident was a reportable data breach and patient notification letters were required. OCR explained that any hacker who was able to access the master boot record must have had full control of the server and therefore had access to any protected health information stored on that server.

Protected health information stored on the server included patients’ names, addresses, telephone numbers, dates of birth, Social Security numbers, health insurance information, medical record numbers, and clinical information, including diagnoses, lab test results, treating physicians’ names, medications, medical histories, and dates of service.

Magnolia Pediatrics said the investigation uncovered no evidence to suggest any patient data was exfiltrated and no patient information was encrypted in the attack. Magnolia Pediatrics is taking several steps to improve security, including the use of multi-factor authentication on its servers and systems, improved filtering for email and traffic, multiple intrusion prevention and detection systems, and a systematic risk analysis and remediation process for its computer systems. Further cybersecurity awareness training has been provided to the workforce, and the dark web is being monitored for any email addresses associated with Magnolia Pediatrics.

Magnolia Pediatrics has terminated its relationship with LaCompuTech and has engaged a leading information technology and security provider to oversee the security of its computer systems.

This is the second ransomware attack to have affected Magnolia Pediatrics in the past 14 months. The earlier attack occurred on August 23, 2019 and impacted 11,100 patients.

Accents on Health Suffers Ransomware Attack

The Lone Tree, CO-based chiropractor, Accents on Health, suffered a ransomware attack on August 5, 2020 which encrypted data on its computer systems. Cybersecurity forensics specialists were engaged to investigate the breach and determine whether patient data had been accessed or exfiltrated by the attackers.

No evidence was found to suggest patient information was exfiltrated prior to the attack, but data theft could not be ruled out. The affected computer systems contained the protected health information of 2,000 patients, including full names, addresses, dates of birth, account numbers, Social Security numbers, medical information, diagnosis codes, and insurance information.

No reports have been received to suggest protected health information has been misused. Accents on Health is now reviewing its software, systems, policies, and procedures and will implement additional safeguards to prevent further cyberattacks.
