HIPAA Breach News

47,754 Individuals Impacted by Lorien Health Services Ransomware Attack

Ellicott City, MD-based Lorien Health Services, which runs 9 assisted living facilities in Maryland, has announced it was the victim of a ransomware attack on June 6, 2020.

Third-party cybersecurity experts were retained to assist with the investigation and determine whether patient information had been accessed by the attackers. On June 10, 2020, it was confirmed that the attackers had accessed files containing residents’ names, addresses, dates of birth, diagnoses, treatment information, and Social Security numbers, as well as some employee information. Some of that data was stolen in the attack.

The attack was conducted by the operators of Netwalker ransomware. When Lorien Health Services refused to pay the ransom, a sample of the stolen data was published online.

Lorien Health reported the breach to the FBI and the ransomware attack is being investigated. The breach report submitted to the Department of Health and Human Services indicates the compromised systems contained the protected health information of 47,754 individuals. Those individuals have been offered complimentary credit monitoring and identity theft protection services. Notification letters were sent to all impacted individuals on June 16, 2020, just 10 days after the attack.

Accu Copy of Greenville Security Breach Impacts 21,800 Patients

Accu Copy of Greenville, Incorporated, an NC-based company that provides printing and billing statement mailing services to businesses, has discovered that unauthorized individuals gained access to one of its servers and may have accessed documents containing the protected health information of patients of Physicians East, a healthcare provider serving eastern North Carolina.

Accu Copy detected the breach on April 10, 2020 and promptly took steps to prevent any further unauthorized access. The investigation into the breach concluded the unauthorized individual first accessed the server on April 1, 2020. On May 15, 2020, Accu Copy confirmed patient data may have been accessed and a review of the files on the server was completed on June 26, 2020.

The server was discovered to contain billing statements for 21,800 patients. The statements related to a Physicians East office visit and contained names, addresses, diagnosis information, treatment information, provider name, and the cost of treatment.

Following the breach, all passwords were changed, and assistance was sought from a cybersecurity company to help improve security.

Coalinga Valley Health Clinics Discovers Improper PHI Access by Former Employee

A former employee of Coalinga Valley Health Clinics, Inc. is alleged to have removed documents from its offices that contained the protected health information of some of its patients.

The Coalinga, CA-based healthcare provider was notified about the alleged data theft by the Coalinga Police Department on April 17, 2020. The employee’s access to health records was immediately terminated and an investigation was launched to determine the extent of the unauthorized access. The Police Department recovered all documents that had been removed from the office and returned them to Coalinga Valley Health Clinics.

Coalinga Valley Health Clinics found no evidence to suggest the documents were taken by the employee in order to misuse patient data, but affected individuals have nonetheless been advised to be alert to the possibility of data misuse and have been offered a complimentary 12-month membership to the myTrueIdentity identity theft prevention service.

Coalinga Valley Health Clinics has taken steps to prevent similar breaches in the future and the employee has been terminated.

Email Security Breach Reported by National Cardiovascular Partners

National Cardiovascular Partners, a division of Fresenius Medical Care North America, is alerting patients to a possible breach of their personal and protected health information.

On May 19, 2020, National Cardiovascular Partners discovered an unauthorized individual had gained access to the email account of an employee. The account was immediately secured and an investigation was launched. The investigation revealed the email account was breached on April 27, 2020. A review of the compromised account was completed on June 18, 2020 and confirmed the account contained patients’ protected health information.

National Cardiovascular Partners believes the attack was conducted with the aim of defrauding the company, rather than to obtain patient data. No evidence was found to suggest patient data was accessed or acquired by the attacker.

National Cardiovascular Partners has taken steps to improve email security and further email security training has been provided to its employees. Affected patients have been offered a 12-month complimentary membership to Experian’s IdentityWorks identity theft protection service.

The post 47,754 Individuals Impacted by Lorien Health Services Ransomware Attack appeared first on HIPAA Journal.

Quantum Imaging and Therapeutic Associates Investigating Possible Facebook HIPAA Breach

The Pennsylvania physician-owned radiology practice, Quantum Imaging and Therapeutic Associates, has announced that reports have been received about a non-physician employee who allegedly shared an x-ray of a male patient’s genitalia with members of a Facebook group.

The sharing of medical images on social media networks without patient consent is a violation of patient privacy and HIPAA. Quantum issued a statement on Facebook confirming reports had been received about a privacy breach and said “Quantum is committed to respecting the privacy of its patients and is deeply disheartened by these reports.” No further information has been released about the breach pending the results of the investigation. The matter has been reported to Fairview Township police and an investigation has been launched, but no arrests have been made at this stage. Several individuals have commented on the Facebook post claiming the image could be viewed by ‘thousands’ of people.

US HealthCenter Discovered Email Account Breach

The health risk management corporation US HealthCenter has discovered an email account was accessed by an unauthorized individual, who may have viewed or obtained the personal and protected health information of members of the Cost Plus World Market’s (Cost Plus) Wellness Program.

The breached email inbox was used to receive completed Annual Preventive Screening affidavits from participants. Questions from Wellness Program participants about the program were also sent to the email account. US HealthCenter discovered the unauthorized access on April 13, 2020 when the account was used to send phishing emails to Cost Plus wellness plan participants. During the time that the account was accessible, the unauthorized individual was able to view and forward emails.

The review of emails in the account showed they contained participants’ names, employee numbers, dates of birth, physician signatures, dates of exams, and limited health information.

The account was immediately secured, and the email account is now hosted on a new Microsoft Office 365 platform, which has better security protections. Multi-factor authentication has been added to all email accounts. US HealthCenter did not find any evidence to suggest personal information has been misused.

Delaware Department of Health and Social Services Discovered Impermissible PHI Disclosure

The Delaware Department of Health and Social Services has discovered a spreadsheet containing protected health information was accidentally shared with four students.

Four seniors at the University of Delaware had requested information for a project to help them identify service gaps in the community and were sent a spreadsheet. The students required information such as the age range of individuals and their disability status, but identifying information had not been removed prior to the spreadsheet being shared. The students were able to view full names, birth dates, diagnoses, and county information related to 350 individuals.

The students gave a presentation of their report via Zoom on May 8, in which data was presented that included patients’ PHI. The Delaware Department of Health and Social Services immediately ended the presentation when it was discovered protected health information had been included. The students were ordered to delete the data and the employee who sent the spreadsheet has been disciplined.

36,000 Members Affected by Central California Alliance for Health Email Breach

The Central California Alliance for Health has discovered an unauthorized individual gained access to the email accounts of several employees and potentially viewed or copied information in emails and email attachments. The breach was detected on May 7, 2020 and prompt action was taken to secure the affected accounts. In each case, the accounts were accessed for a period of about one hour.

A review of the compromised accounts revealed they contained a limited amount of protected health information of Central California Alliance for Health members such as Alliance Care management program records, dates of birth, claims information, demographic information, Medi-Cal ID numbers, referral information, and medical information. No financial information or Social Security numbers were compromised.

Following the breach, a full password reset was performed for all email accounts, including those that were not compromised. Further training on email security has also been provided to employees.

The breach has been reported to the Department of Health and Human Services’ Office for Civil Rights as affecting 35,883 members.

Hutton & Hale, D.D.S., Inc. Hack Impacts 8,394 Patients

Dr. Ann Hale of Hutton & Hale, D.D.S., Inc. has started notifying 8,394 patients that some of their protected health information may have been obtained by a hacker who gained access to the practice’s databases and computer systems on May 25, 2020.

Those systems contained patients’ medical records and protected health information such as names, addresses, contact telephone numbers, Social Security numbers, and X-ray data.

All affected patients have been offered complimentary membership to identity theft protection and credit monitoring services for 12 months and will be protected by a $1,000,000 identity theft insurance policy. No reports have been received to date to suggest any patient information has been misused.

The practice is adding additional safeguards to its web server infrastructure to prevent further security breaches.

Wisconsin Department of Corrections Breach Impacts 1,853 Individuals

The Wisconsin Department of Corrections has discovered information on individuals in its treatment facilities was exposed on the websites of three vendors contracted to manage canteen orders. The data was discovered by an employee on May 15, 2020. Affected individuals were notified on June 15, 2020.

The exposed information was limited to names along with information about the treatment facility where they are located. That information should have been masked on the websites. The error has now been corrected and the information is no longer accessible via the internet.

Benefit Recovery Specialists Hacked and PHI of 274,837 Individuals Exposed

The Houston, TX-based billing and collection company Benefit Recovery Specialists, Inc. (BRSI) has announced it has discovered malware on its systems that may have allowed unauthorized individuals to view or obtain protected health information.

The personal and protected health information (PHI) on BRSI systems had been provided to the company in its capacity as a business associate and included the PHI of current and former members and patients of its health plan and healthcare provider customers.

The malware was discovered on April 30, 2020 and an internal investigation was immediately launched. Third-party computer forensics specialists were engaged to help investigate the breach and determine the extent and scope of the attack. The investigation revealed an unauthorized individual had gained access to BRSI systems using stolen employee credentials. Once a foothold had been established in the network, the attacker downloaded malware.

The forensic investigators concluded that the attacker first gained access to BRSI systems on April 20, 2020 and had access to the systems until April 30, 2020. During that time, PHI was accessible and may have been exfiltrated. The substitute breach notice on the BRSI website makes no mention of the type of malware involved.

The types of sensitive data on the compromised parts of its systems included names, dates of birth, dates of service, provider names, policy identification numbers, procedure codes, and/or diagnosis codes. The Social Security numbers of some individuals were also potentially compromised.

The investigation into the breach concluded on May 29, 2020 and patients started to be notified on June 2, 2020. No evidence of misuse of individuals’ PHI was identified, but affected individuals have been told to be alert to the risk of identity theft and fraud and have been advised to carefully monitor their account and explanation of benefits statements for signs of misuse of their information. Based on the substitute breach notice, it does not appear that credit monitoring services are being offered to breach victims.

The incident has been reported to the Department of Health and Human Services’ Office for Civil Rights. The breach summary indicates 274,837 individuals have been affected, making this one of the largest healthcare data breaches to be reported in 2020.

Health Plan Member Portals Accessed Using Stolen Credentials

The Philadelphia-based health plan, Independence Blue Cross, and AmeriHealth HMO, Inc. and AmeriHealth Insurance Company of New Jersey have discovered unauthorized individuals gained access to pages in their member portals between March 17, 2020 and April 30, 2020 and potentially viewed the personal and protected health information of some of their members.

The types of information exposed included names, member identification numbers, plan type, spending account balances, user reward summaries, and claims information.

An investigation into the breach revealed valid credentials had been used to access the portal. In all cases, the passwords used to access the member portals had been obtained as a result of breaches of third-party websites and applications, such as the breach of MyFitnessPal in 2018. The passwords for those third-party websites had been reused on the member portals.

The health plans were informed of the breach on May 8, 2020 and immediately took steps to secure the accounts and prevent further unauthorized access. All affected members have now been notified and have been offered 24 months of free credit monitoring and identity theft protection services.

49,500 Providence Health Plan Members Affected by Business Associate Data Breach

49,511 members of the Oregon-based Providence Health Plan have been affected by a data breach at one of its business associates.

On April 17, 2020, Brooklyn-based Zipari alerted Providence Health Plan about a coding error that allowed documents related to employer-sponsored health plans to be exposed online. The coding error was detected by Zipari on April 9, 2020. The investigation revealed the documents had been accessed by unauthorized individuals in May, September, and November 2019. The documents contained member names, employer names, and dates of birth. No other information was compromised.

The breach prompted Providence Health Plan to arrange a third-party audit of Zipari’s data security practices. Affected plan members have been offered complimentary credit monitoring services.

Central California Alliance for Health Discovers ‘Many’ Email Accounts Breached

On May 7, 2020, Central California Alliance for Health (CCAH) discovered an unauthorized individual gained access to the email accounts of some of its employees and potentially viewed and obtained the protected health information of some of its members. According to the breach notice submitted to the California Attorney General’s office, many CCAH email accounts were subjected to unauthorized access for about one hour.

A review of the compromised email accounts revealed they contained names, dates of birth, demographic information, Medi-Cal ID numbers, Alliance Care Management Program records, claims information, medical information, and referral information.

A full password reset was performed on all CCAH email accounts and further training has been provided to the workforce on email security. CCAH is unaware of any misuse of members’ information.

Up to 58,000 Individuals Impacted by Healthcare Fiscal Management Ransomware Attack

Healthcare Fiscal Management Inc. (HFMI), a Wilmington, NC-based provider of self-pay conversion and insurance eligibility services to hospitals, clinics and physician groups, has experienced a ransomware attack in which the personal and protected health information of patients of St. Mary’s Health Care System in Athens, GA may have been accessed or obtained by the attackers.

An unauthorized individual gained access to HFMI systems on April 12, 2020 and deployed a ransomware payload the following day which encrypted data on its systems. The systems accessed by the attacker were found to contain the personal and protected health information of patients who received healthcare services at St. Mary’s between November 2019 and April 2020.

In total, the data of approximately 58,000 patients may have been accessed and obtained by the attackers, although data access/theft could not be confirmed. The PHI stored on the compromised systems was limited to names, dates of birth, Social Security numbers, account numbers, medical record numbers, and dates of service.

HFMI had prepared for such an event and had viable backups, which were used to restore data the same day to a different hosting provider. A forensic investigation firm was engaged to investigate the breach. The forensic investigators confirmed the data is not in the possession of the attackers and is not accessible over the internet.

Security experts have been reviewing security controls and, based on their recommendations, steps will be taken to strengthen security. HFMI has offered all affected individuals complimentary credit monitoring and identity theft protection services as a precaution against identity theft and fraud.

Friendship Community Care Phishing Attack Impacts 9,745 Patients

Russellville, AR-based Friendship Community Care (FCC), a nonprofit provider of care for adults and children with disabilities, fell victim to a phishing attack in January 2020.

The breach was discovered on February 4, 2020 when suspicious activity was detected in an employee’s email account. Forensic investigators assisted with the investigation and determined on February 5, 2020 that an unauthorized individual had gained access to the email account, but further investigation revealed several Office 365 email accounts had been compromised using credentials obtained in the phishing attack.

FCC learned on February 7, 2020 that the email accounts contained protected health information. A comprehensive review of the email accounts confirmed that the PHI of 9,745 individuals may have been accessed, although no evidence was found to suggest emails were viewed or obtained by the attacker.

The compromised accounts contained names, addresses, dates of birth, Social Security numbers, client ID numbers, Medicare IDs/Medicaid IDs, employer ID numbers, patient numbers, medical information, driver’s license numbers, state ID card numbers, student ID numbers, financial account information, mother’s maiden names, birth certificates, marriage certificates, disability codes, and facial photographs.

Affected individuals have been offered complimentary credit monitoring and identity protection services. A review of email security was conducted, and steps are being taken to enhance security to prevent similar breaches in the future.

30,000 Patients’ PHI Exposed in NC and TX Phishing Attacks

Claremont, NC-based Choice Health Management Services, a provider of rehabilitation services and operator of several nursing homes in North and South Carolina, has experienced an email security breach affecting employees, and current and former patients.

The security breach was detected in late 2019 when suspicious activity was detected in the email accounts of some of its employees. An internal investigation was launched which determined on January 17, 2020 that the email accounts of 17 employees had been subjected to unauthorized access. Since it was not possible to determine which emails and/or email attachments had been opened by the attackers, a third-party firm was engaged to assist with the investigation. While the review concluded on March 27, 2020 that the compromised accounts contained sensitive information, it was unclear which facilities affected individuals had visited for treatment. It took until May 12, 2020 to tie those individuals to a particular facility.

The compromised accounts contained a wide range of sensitive information including names, dates of birth, Social Security numbers, driver’s license numbers, passport numbers, credit card information, financial account information, employer identification number, username with password or associated security questions, email address with password or associated security questions, date of service, provider name, medical record number, patient number, medical information, diagnostic or treatment information, surgical information, medications, and/or health insurance information.

Notifications have been sent to affected patients and steps have been taken to improve security to prevent future data breaches. The HHS’ Office for Civil Rights breach portal indicates 11,650 individuals were affected.

19,000 Patients Affected by Phishing Attack on Houston Health Clinic

The Houston, TX federally qualified health center, Legacy Community Health, is notifying approximately 19,000 patients that some of their protected health information may have been accessed by an unauthorized individual who gained access to the email account of one of its employees.

On April 10, 2020, an employee responded to an email believing it to be a legitimate request and disclosed credentials that allowed their email account to be accessed. The breach was discovered on April 16, 2020 and the email account was immediately secured.

Assisted by a third-party computer forensics firm, Legacy Community Health confirmed the breach was limited to one email account which was found to contain patient names, dates of service, and health information related to the care provided at its clinics.

The investigation into the breach is ongoing and notifications will soon be sent to all individuals whose information has been exposed. At this stage, no evidence has been found to suggest any patient information was obtained or misused.

Legacy Community Health is taking steps to improve email security and has enabled multi-factor authentication on its email accounts. Further training has also been provided to staff to help them identify and avoid phishing emails.

$185,000 Settlement Proposed to Resolve Grays Harbor Community Hospital Ransomware Lawsuit

A proposed settlement has been agreed between Grays Harbor Community Hospital and Harbor Medical Group and the representative plaintiff in a proposed class action lawsuit over a June 2019 ransomware attack that resulted in the encryption of patient data.

The settlement was negotiated by the plaintiff and Grays Harbor to avoid the uncertainty of a trial and the costs of further litigation. The settlement was not decided in favor of either party by the Court.

The ransomware attack that prompted the lawsuit was detected in June 2019. The Washington healthcare provider powered down its systems to contain the virus that had prevented servers from being accessed, but not in time to prevent its computer systems from being encrypted. Grays Harbor had backed up its data for such an eventuality, but the backup files were also encrypted in the attack. The attack took its electronic health record system offline for around two months.

A ransom of $1 million was demanded by the attackers for the keys to decrypt the data. Grays Harbor had an insurance policy that provided cover of up to $1 million, although it is unclear whether that insurance policy paid out and whether the ransom was paid. Regardless, it was not possible to recover all data encrypted in the attack, and some patients’ protected health information was not recovered.

The lawsuit alleged violations of the Washington State Consumer Privacy Act, the Washington State Uniform Healthcare Information Act, and the state Constitution’s Right to Privacy; that Grays Harbor Community Hospital and Harbor Medical Group were negligent for failing to protect the privacy of patients; breach of express contract; breach of implied contract; and intrusion upon seclusion/invasion of privacy.

Grays Harbor Community Hospital and Harbor Medical Group agreed to the settlement with no admission of liability. All claims stated in the lawsuit have been denied.

Grays Harbor Community Hospital and Harbor Medical Group proposed a settlement of $185,000 to cover the claims of the 88,000 patients affected by the ransomware attack. Affected patients can submit claims up to a maximum of $210 per person to cover out-of-pocket monetary losses incurred as a result of the breach and up to three hours of documented lost time dealing with the fallout from the breach at a rate of $15 per hour.

Claims up to $2,500 will also be accepted to cover other provable losses that were more likely than not due to the ransomware attack. All available credit monitoring insurance and identity theft insurance must be exhausted before Grays Harbor is responsible for any larger payouts. If the claims exceed $185,000, they will be paid pro rata to reduce costs.

Class members have until July 27, 2020 to exclude themselves from the settlement or submit an objection. A fairness hearing has been scheduled for August 31, 2020. To receive a share of the settlement fund, a claim must be submitted by December 23, 2020.

Following the ransomware attack, steps were taken to improve security and more than $300,000 has been invested in information security. A further $60,000 will be spent on security improvements over the next three years.

This is the second data breach settlement to be announced this week. A settlement was also proposed by UnityPoint Health to resolve a lawsuit filed by victims of two 2018 phishing-related data breaches. That settlement will see UnityPoint Health make a minimum of $2.8 million available to cover claims and, very unusually, no cap has been placed on claims payments, so the final settlement amount could be substantial.