HIPAA Breach News

NRC Health Recovering from Ransomware Attack

NRC Health, a provider of patient survey services and software to more than 9,000 healthcare organizations, including 75% of the largest hospital systems in the United States and Canada, experienced a ransomware attack on February 11, 2020 that affected some of its computer systems.

NRC Health immediately took steps to limit the harm caused and shut down its entire environment, including its client-facing portals. A leading computer forensic investigation firm was engaged to determine the nature and extent of the attack and the incident has been reported to the Federal Bureau of Investigation.

According to the NRC Health website, NRC Health collects data from more than 25 million healthcare consumers in the United States and Canada every year. The patient surveys NRC Health conducts on behalf of its clients allow those clients to demonstrate that patients are satisfied with the services they have received. That information is important for improving patient care and also for determining how much Medicare reimbursement healthcare providers receive under the Affordable Care Act. Healthcare clients also use patient satisfaction scores to determine how much executives and physicians are paid.

NRC Health said significant progress has been made restoring its systems and services to customers and a full recovery is expected in the next few days. Notifications have been sent to its healthcare clients informing them about the attack and updates are being provided to clients on a daily basis until the incident is fully resolved.

In the notifications NRC Health said the initial findings of the investigation suggest no patient data or sensitive client information has been compromised.

Ransomware attacks on healthcare organizations have increased over the past year, after a fall in attacks in 2018. Several threat groups have taken to stealing patient data prior to the deployment of ransomware to encourage victims to pay the ransom demands. According to a recent analysis by Comparitech, there have been 172 healthcare ransomware attacks since 2016. Those attacks have cost the healthcare industry at least $157 million.

The post NRC Health Recovering from Ransomware Attack appeared first on HIPAA Journal.

Communication Errors Result in Impermissible Disclosure of 5,300 Patients’ PHI

Two communication errors have been reported by HIPAA-covered entities in the past few days, which have resulted in the impermissible disclosure of 5,339 patients’ personal and protected health information (PHI).

Mercy Health Physician Partners Southwest Discovers Impermissible Disclosure of PHI

Mercy Health Physician Partners Southwest in Byron Center, MI, started sending breach notification letters to patients on February 10, 2020, informing them that a third-party vendor contracted by Mercy Health made an error in a recent mailing.

Mercy Health had provided the mailing vendor with a list of 3,164 names and addresses to send letters to patients informing them about the recent departure of a physician. An error in the mailing resulted in names being mismatched with addresses and 2,487 patients were sent a letter addressed to a different patient. No other sensitive information was disclosed.

During the breach investigation it was discovered that there was no business associate agreement (BAA) in place with the vendor. The provision of the patient list was therefore an impermissible disclosure of PHI under HIPAA. Mercy Health has received satisfactory assurances that the mailing vendor is aware of its responsibilities under HIPAA and a BAA is now in place.

Hawaii Hospital Notifies Patients of Email Error

On February 3, 2020, an employee of Queen’s Health Systems in Hawaii sent an email with an attachment to an incorrect recipient. The attached file contained the PHI of 2,852 patients of The Queen’s Medical Center and Queen’s North Hawaii Community Hospital. The error was detected the following day.

Efforts were made to contact the person who received the email in error to ensure the patient list was deleted, but no response has been received. The email attachment included patient names, admission dates, discharge dates, health plan ID numbers, and limited information about the care received. The file also contained the diagnoses of 300 patients. The breach affected patients who received medical services after June 1, 2019.

No reports have been received to suggest patient information has been misused. Patients have been advised to monitor their explanation of benefits statements and to report any services that are listed but have not been received.

January 2020 Healthcare Data Breach Report

In January, healthcare data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights at a rate of more than one a day.

As our 2019 Healthcare Data Breach Report showed, 2019 was a particularly bad year for healthcare data breaches with 510 data breaches reported by HIPAA-covered entities and their business associates. That equates to a rate of 42.5 data breaches per month. January’s figures are an improvement, with a reporting rate of 1.03 breaches per day. There was also a 15.78% decrease in reported breaches compared to December 2019.

[Chart: healthcare data breaches, February 2019 to January 2020]

[Chart: healthcare data breaches in January]

While the number of breaches was down, the number of breached records increased by 17.71% month-over-month. 462,856 healthcare records were exposed, stolen, or impermissibly disclosed across 32 reported data breaches. As the graph below shows, the severity of data breaches has increased in recent years.

Largest Healthcare Data Breaches in January 2020

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached Information
------------------------------------------------------------------------------------------------------------------------------
PIH Health | CA | Healthcare Provider | 199,548 | Hacking/IT Incident | Email
Douglas County Hospital d/b/a Alomere Health | MN | Healthcare Provider | 49,351 | Hacking/IT Incident | Email
InterMed, PA | ME | Healthcare Provider | 33,000 | Hacking/IT Incident | Email
Fondren Orthopedic Group L.L.P. | TX | Healthcare Provider | 30,049 | Hacking/IT Incident | Network Server
Native American Rehabilitation Association of the Northwest, Inc. | OR | Healthcare Provider | 25,187 | Hacking/IT Incident | Email
Central Kansas Orthopedic Group, LLC | KS | Healthcare Provider | 17,214 | Hacking/IT Incident | Network Server
Hospital Sisters Health System | IL | Healthcare Provider | 16,167 | Hacking/IT Incident | Email
Spectrum Healthcare Partners | ME | Healthcare Provider | 11,308 | Hacking/IT Incident | Email
Original Medicare | MD | Health Plan | 9,965 | Unauthorized Access/Disclosure | Other
Lawrenceville Internal Medicine Assoc, LLC | NJ | Healthcare Provider | 8,031 | Unauthorized Access/Disclosure | Email

Causes of January 2020 Healthcare Data Breaches

2019 saw a major increase in healthcare data breaches caused by hacking/IT incidents. In 2019, more than 59% of data breaches reported to the HHS’ Office for Civil Rights were the result of hacking, malware, ransomware, phishing attacks, and other IT security breaches.

[Chart: causes of January 2020 healthcare data breaches]

Hacking/IT incidents continued to dominate the breach reports in January, accounting for 59.38% of all reported breaches (19 incidents). 28.13% of reported breaches were classified as unauthorized access/disclosure incidents (9 incidents), two were theft incidents, both involving physical records, and two were cases of improper disposal of physical records. Ransomware attacks continue to plague the healthcare industry, but phishing attacks are by far the biggest cause of healthcare data breaches. As the table above shows, these attacks can expose the PHI of tens of thousands or even hundreds of thousands of patients.

Hacking/IT incidents tend to be the most damaging type of breach and involve more healthcare records than other breach types. In January, 416,275 records were breached in hacking/IT incidents. The average breach size was 21,909 records and the median breach size was 6,524 records. 26,450 records were breached in the nine unauthorized access/disclosure incidents, an average of 2,939 records per incident.

11,284 records were stolen in the two theft incidents, an average breach size of 5,642 records. The two improper disposal incidents saw 2,812 records discarded without first being rendered unreadable and undecipherable, an average of 1,406 records per incident.

[Chart: location of breached protected health information]

Regular security awareness training for employees has been shown to reduce susceptibility to phishing attacks, but threat actors are conducting increasingly sophisticated attacks. It is often hard to distinguish a phishing email from a genuine message, especially in the case of business email compromise scams.

What is needed to block these attacks is a defense in depth approach and no one technical solution will be effective at blocking all phishing attacks. Defenses should include an advanced spam filter to block phishing messages at source, a web filter to block access to websites hosting phishing kits, DMARC to identify email impersonation attacks, and multi-factor authentication to prevent compromised credentials from being used to access email accounts.

Healthcare Data Breaches by Covered Entity

Healthcare providers were the worst affected by data breaches in January with 25 reported breaches of 500 or more healthcare records. Five breaches were reported by health plans, and two breaches were reported by business associates of HIPAA-covered entities. There were a further three data breaches reported by covered entities that had some business associate involvement.

[Chart: January 2020 healthcare data breaches by covered entity]

[Chart: January 2020 healthcare data breaches, records exposed by covered entity]

Healthcare Data Breaches by State

HIPAA covered entities and business associates in 23 states reported data breaches in January. California and Texas were the worst affected with three reported breaches in each state. There were two breaches reported in each of Florida, Illinois, Maine, Minnesota, and New York, and one breach was reported in each of Alabama, Arizona, Colorado, Connecticut, Georgia, Iowa, Indiana, Kansas, Maryland, Michigan, North Carolina, New Jersey, Oregon, Pennsylvania, South Carolina, and Virginia.

HIPAA Enforcement in January 2020

There were no financial penalties imposed on HIPAA covered entities or business associates by the HHS’ Office for Civil Rights or state attorneys general in January.

There was a notable increase in the number of lawsuits filed against healthcare organizations that have experienced data breaches related to phishing and ransomware attacks.

January saw a lawsuit filed against Health Quest over a July 2018 phishing attack, Tidelands Health is being sued over a December 2019 ransomware attack, and a second lawsuit was filed against DCH Health System over a malware attack involving the Emotet and TrickBot Trojans that occurred in October 2019. These lawsuits follow legal action against Kalispell Regional Healthcare and Solara Medical Supplies in December.

The trend has continued in February with several law firms racing to be the first to file lawsuits against PIH Health in California over a 2019 phishing attack that exposed the data of more than 200,000 individuals.

These lawsuits may cite HIPAA violations, but since there is no private cause of action under HIPAA, legal action is taken over violations of state laws.

Criminal HIPAA Violation Case Sees Healthcare Worker Charged on 415 Counts

A former employee of ACM Global Laboratories, part of Rochester Regional Health, has been accused of accessing the medical records of a patient, without authorization, on hundreds of occasions in an attempt to find information that could be used in a child custody battle.

A criminal investigation was launched into the alleged HIPAA violations by Jessica Meier, 41, of Hamlin, NY, when it was suspected that she had been abusing her access rights to patient information for malicious purposes.

Kristina Ciaccia was previously in a relationship with Meier’s half brother and has been involved in a lengthy child custody battle. In court, Ciaccia heard about a past visit by her own brother to the emergency room at Rochester Regional Health, a visit she herself had been unaware of. Suspecting snooping on her family’s medical records, Ciaccia reported the matter to Rochester Regional Health.

According to court documents, the Rochester Regional Health audit revealed Meier had accessed the private medical records of Ciaccia on more than 200 occasions between March 2017 and August 2019, without any legitimate work purpose for doing so. It was also confirmed that Meier had accessed the medical records of members of Ciaccia’s family.

Ciaccia reported the criminal HIPAA violations to the police and an investigation was launched. Meier was arraigned in Gates Town Court on Tuesday, February 11, 2020, on 215 felony counts of computer trespass and 215 counts of misdemeanor unauthorized use of a computer. Meier pleaded not guilty to all counts and the case is expected to go before a grand jury.

“If you go in somebody’s medical records, you deserve to be charged. You deserve to be held accountable,” Ciaccia told News 10 NBC. Ciaccia also believes Rochester Regional Health should be held accountable, not for the breach itself, but for the failure to identify an ongoing privacy violation that spanned more than two years.

The unauthorized medical record access was only discovered after Ciaccia reported the potential privacy violation to Rochester Regional Health. “I feel like Rochester Regional pay her all year to go in my medical records,” said Ciaccia. Upon discovery of the unauthorized access, Rochester Regional Health took disciplinary action against Meier.

HIPAA requires healthcare organizations to implement safeguards to ensure the confidentiality, integrity, and availability of patient information. Even when access controls and other measures are implemented, it is not possible to prevent every case of an employee improperly accessing medical records. However, when such instances occur, they should be identified quickly.

HIPAA requires audit logs to be maintained to track access to protected health information. Those logs allow audits to take place, as was the case when the matter was brought to the attention of Rochester Regional Health by Ciaccia.

HIPAA also requires audit logs to be regularly reviewed to identify unauthorized access to PHI. Had the audit logs been monitored more closely, the privacy violation could have been identified, and sanctions applied against Meier, much sooner.
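Regular log review of the kind described above can be automated. The following is an added example (not code from HIPAA Journal and not Rochester Regional Health’s tooling) that reads EHR access audit records, discards accesses by users with a documented care relationship to the patient, and flags user/patient pairs with repeated access or access sustained over a long period. The log lines, the care-relationship table, the field layout (timestamp, user, patient, action) and the thresholds are all constructed assumptions; the pattern they reproduce is the one in the case above, a single user opening one patient’s record many times across more than two years.

```python
"""Flag repeated record access with no documented care relationship.

Added example, not part of the article and not Rochester Regional Health's
tooling. Log lines and the care-relationship table are constructed; the field
layout (ts, user, patient, action) is an assumption about an EHR audit export.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime

# Constructed audit log: timestamp user patient action
AUDIT_LOG = """\
2017-03-02T09:14:00 nurse01 P-1001 view
2017-03-02T09:20:00 nurse01 P-1002 view
2017-03-03T12:01:00 lab07 P-2200 view
2017-03-03T12:03:00 lab07 P-2200 view
2017-06-10T22:45:00 lab07 P-2200 view
2018-01-15T08:10:00 lab07 P-2200 view
2019-08-20T17:30:00 lab07 P-2200 view
2019-08-20T17:32:00 lab07 P-2201 view
2019-08-21T10:00:00 lab07 P-3300 view
"""

# Constructed care relationships: users with a legitimate reason (an order, an
# encounter, a care-team assignment) to open each patient's record.
CARE_TEAM: dict[str, set[str]] = {
    "P-1001": {"nurse01"},
    "P-1002": {"nurse01"},
    "P-3300": {"lab07"},   # lab07 processed a lab order for this patient
}

# Thresholds are assumptions; tune them to the organization's baseline.
MIN_ACCESSES = 3       # repeated access to one record without a relationship
MAX_SPAN_DAYS = 30     # sustained interest in one record over a long period


def parse_log(text: str) -> list[tuple[datetime, str, str, str]]:
    """Parse whitespace-separated audit lines into (timestamp, user, patient, action)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split()
        rows.append((datetime.fromisoformat(ts), user, patient, action))
    return rows


def find_snooping(log_text: str, care_team: dict[str, set[str]]) -> list[dict]:
    """Return one finding per (user, patient) pair whose access pattern looks like snooping."""
    accesses: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for ts, user, patient, _action in parse_log(log_text):
        if user in care_team.get(patient, set()):
            continue   # documented relationship: not suspicious on its own
        accesses[(user, patient)].append(ts)

    findings = []
    for (user, patient), times in accesses.items():
        times.sort()
        span_days = (times[-1] - times[0]).days
        reasons = []
        if len(times) >= MIN_ACCESSES:
            reasons.append(f"{len(times)} accesses with no care relationship")
        if span_days > MAX_SPAN_DAYS:
            reasons.append(f"accesses span {span_days} days")
        if reasons:
            findings.append({"user": user, "patient": patient,
                             "count": len(times), "span_days": span_days,
                             "reasons": reasons})
    return sorted(findings, key=lambda f: (-f["count"], f["user"]))
```

A single access without a relationship (lab07 opening P-2201 once) is deliberately not flagged on its own, since legitimate one-off lookups are common; it is the repetition and the time span that separate snooping from noise. A production version would source the care relationships from encounter and order tables rather than a hand-built dictionary.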

2020 Protenus Breach Barometer Report Reveals 49% Increase in Healthcare Hacking Incidents

According to the 2020 Protenus Breach Barometer report, there were 572 healthcare data breaches of 500 or more records in 2019 and at least 41.4 million patient records were breached. That represents a 13.7% increase in the number of reported breaches and a 174.5% increase in the number of breached records.

The final total for 2019 is likely to be considerably higher, as the number of individuals affected is not known for 91 of those breaches, including two major breaches affecting more than 500 dental offices throughout the United States that have yet to be reported.

The 2020 Protenus Breach Barometer report, produced in conjunction with databreaches.net, was compiled from breaches reported to the HHS’ Office for Civil Rights, the media, and other sources. The report shows a dramatic rise in the number of hacking incidents in 2019, which were up 49% from 2018. 58% of all reported breaches in 2019 were hacking/IT incidents and at least 36,911,960 records were exposed or stolen in those breaches.

“It appears hacking incidents, particularly ransomware incidents, are on the rise; hackers are getting more creative in how they exploit healthcare organizations and patients alike,” explained Protenus in the report.

There has been a significant increase in healthcare ransomware attacks in 2019 and worrisome new trends are emerging. Prior to file encryption, some ransomware gangs have started exfiltrating patient data and threats are being issued to publish that data if the ransom is not paid. There have been several cases where data has been published to encourage victims to pay. One threat group even sent ransom demands to patients demanding payment to prevent the publication of their data, in addition to a ransom demand sent to the covered entity.

The largest data breach of the year was the hacking of American Medical Collection Agency. That single breach impacted multiple healthcare providers and resulted in the theft of more than 20 million patients’ PHI. The 7-month breach was only discovered when patient data was found listed for sale on a dark web marketplace.

Insider data breaches, due to human error and insider wrongdoing, fell by 20% in 2019. Protenus has attributed the reduction to increased adoption of healthcare compliance analytics to detect anomalous behavior as well as improvements to employee education on how to prevent privacy violations.

While this is encouraging, the severity of insider incidents increased in 2019 with 3,800,312 records exposed in insider breaches compared to 2,793,607 records in 2018. 72 of the incidents were confirmed as the result of insider error and 35 incidents were due to insider wrongdoing. 3,659,962 records were breached as a result of human error and 136,566 records were breached in insider wrongdoing incidents.

Healthcare organizations are getting better at detecting breaches. The average time to discover a breach was 255 days in 2018; in 2019 it was 225 days. The median detection time was 44 days. Several insider breaches took more than 4 years to discover, highlighting the need for solutions that can detect abnormal user activity.

The HIPAA Breach Notification Rule requires data breaches to be reported within 60 days of discovery, yet in 2019 it took an average of 80 days for breaches to be reported, up from 73 days in 2018.

PHI of 109,000 Patients Potentially Compromised in Washington Phishing Attack

Bellevue, WA-based Overlake Medical Center & Clinics is notifying 109,000 patients that some of their personal and protected health information has potentially been compromised as a result of a December 2019 phishing attack.

The phishing attack was detected on December 9, 2019 and a password reset was performed to prevent further unauthorized access. Overlake determined that one email account was compromised on December 6, 2019 and access remained possible until December 9 when the account was secured. Further email accounts were compromised on December 9, but access was only possible for a few hours.

A review of the affected accounts revealed they contained patient names, addresses, telephone numbers, dates of birth, health insurance provider names, health insurance ID numbers, and diagnosis and treatment information related to the care provided at Overlake. No Social Security numbers or financial information was compromised. The investigation uncovered no evidence of data theft and no reports have been received to suggest patient data has been misused.

Steps have now been taken to prevent similar breaches in the future including enhancing email security measures to block phishing emails, implementing multi-factor authentication for email accounts, enhancing security awareness training for employees, and implementing new email retention policies.

Overlake started mailing notification letters to affected patients on February 4, 2020. The data breach was reported to the Department of Health and Human Services’ Office for Civil Rights on February 7, 2020.

VibrantCare Rehabilitation Phishing Attack Impacts 1,655 Patients

The California physical therapy provider VibrantCare Rehabilitation has discovered that an employee email account was compromised after the employee responded to a phishing email.

Unusual activity was detected in the email account and third-party computer specialists were called in to investigate a potential breach. The investigation revealed the email account was accessed by an unauthorized individual between August 20, 2019 and August 27, 2019. A painstaking analysis of the email account revealed it contained the protected health information of 1,655 patients.

The exposed information varied from patient to patient. In addition to first and last names, the exposed information included demographic information, financial account information, credit or debit card information, Social Security numbers, driver’s license numbers, government or state identification numbers, military identification numbers, passport numbers, alien registration numbers, student identification numbers, medical and treatment information, health insurance information, Medicare or Medicaid numbers, patient numbers, medical record numbers, and prescription information.

No evidence of data access or data theft was found and no reports have been received to suggest patient information has been misused; however, as a precaution, affected patients have been advised to monitor their accounts, explanations of benefits, and credit reports for suspicious activity.

VibrantCare Rehabilitation is now reviewing and enhancing its existing policies to prevent further phishing attacks in the future.

MyEyeDr. Patients Notified of Ransomware Attack and Improper Disposal Incident

MyEyeDr. Optometry of Colorado P.C, a network of vision care offices, is notifying 1,475 Colorado residents that some of their protected health information was potentially compromised prior to a recent ransomware attack.

Certain MyEyeDr. systems were accessed by the attacker on December 11, 2019 and ransomware was downloaded and deployed. Steps were immediately taken by MyEyeDr. to prevent further unauthorized access and restore all affected records. The ransom was not paid.

While it was possible to restore the majority of encrypted data, some files could not be recovered and remain encrypted. A third-party computer forensics firm was engaged to investigate the attack and determine whether any data had been stolen prior to file encryption. The forensics firm found no evidence to suggest data had been exfiltrated and the attack is believed to have only involved file encryption with a view to extorting money from MyEyeDr.

A review of the affected systems revealed they contained patient information such as names, dates of birth, diagnoses, clinical information, and treatment information. Affected patients had received services at MyEyeDr. locations in Colorado between December 1 and December 10, 2019 inclusive.

Improper Disposal Incident Affects 7,983 Patients of Today’s Vision Willowbrook

MyEyeDr. has also announced a separate incident that resulted in the exposure of the protected health information of 7,983 patients of Today’s Vision Willowbrook, which was acquired by Capital Vision Services d/b/a MyEyeDr. in February 2019.

On or around May 21, 2019, MyEyeDr. discovered historic records of Today’s Vision Willowbrook patients had been disposed of in an improper manner. The records had been discarded in a dumpster near Tomball, Texas, instead of being securely destroyed.

The records contained information such as names, addresses, dates of birth, Social Security numbers, clinical information, and billing information and related to patients who visited Today’s Vision Willowbrook between 1997 and 2003.

The improper disposal was reported by the media. Local law enforcement officers visited the site and collected the records. MyEyeDr. said “Based on the prompt action of the Tomball police in securing the records, there is no indication that any unauthorized third parties had or will have an opportunity to misuse any of the patient information contained in the records at issue.”

MyEyeDr. has confirmed that the records were never in the possession of any MyEyeDr. employees and the records do not appear to have been dumped by employees of Today’s Vision Willowbrook.

Monroe County Hospital & Clinics Email Breach Impacts 7,500 Patients

Albia, IA-based Monroe County Hospital & Clinics has discovered an unauthorized individual has gained access to its email system and potentially viewed or obtained the protected health information of approximately 7,500 patients.

The attack was discovered on December 19, 2019 and a computer forensic expert was engaged to investigate the breach and determine the size and scope of the attack. The investigation revealed several employee email accounts had been accessed by unknown individuals between October 28, 2019 and January 20, 2020.

The compromised accounts were discovered to contain protected health information. The exposed information varied from patient to patient and may have included name, address, date of birth, medical record number, date(s) of service, insurance status, payor type, diagnosis codes, reason for visits, and other treatment related information. Some patients also had their Social Security number exposed. Complimentary membership to credit monitoring services has been offered to affected individuals.

Upon discovery of the breach, passwords were reset to prevent further unauthorized account access and employees have been provided with further security awareness training. Additional security measures are also being considered to prevent attacks in the future.

Wise Health System Notifies 66,934 Patients of Phishing Attack

Wise Health System in Decatur, TX, is notifying 66,934 patients that some of their protected health information was potentially compromised in a phishing attack that occurred on March 14, 2019.

Wise Health System previously reported the phishing attack to the Department of Health and Human Services’ Office for Civil Rights on July 13, 2019 as having affected 35,899 individuals. That total has now been updated following the completion of a data audit. The data audit commenced in June 2019 and has only just been completed. New notifications started to be sent to affected patients on February 13, 2020.

In March 2019, several employees responded to phishing emails and disclosed their account credentials. The attackers used those credentials to access the Employee Kiosk and attempted to reroute payroll direct deposits. Wise Health System reports that attempts were made to reroute approximately 100 direct deposit payments.

Security protocols required two checks to be issued to employees following a change to direct deposit information. This security measure was key to identifying the scam and preventing the misdirection of direct deposit payments. The large number of checks printed on April 5, 2019 raised a red flag and suggested unauthorized individuals had gained access to its systems.
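The red flag described above, an unusual volume of direct deposit changes within a short window, can be checked automatically against the HR system’s change log. The following is an added example (not code from HIPAA Journal and not Wise Health System’s control) that flags a day whose change volume is far above the baseline and, as a second heuristic that the article does not describe but that is standard in payroll-diversion triage, groups employees whose new details share a destination routing number or were submitted from the same source address. The events, the field layout (date, employee, routing number, source IP) and the thresholds are constructed assumptions.

```python
"""Detect a burst of payroll direct-deposit changes, as seen in payroll diversion.

Added example, not part of the article and not Wise Health System's control.
The events below are constructed; the field layout (date, employee, routing
number, source IP) is an assumption about an HR system's change log.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from statistics import median

# Constructed direct-deposit change events: date employee routing source_ip
CHANGE_LOG = """\
2019-03-18 e1001 011000015 10.0.4.21
2019-03-20 e1042 021000021 10.0.4.33
2019-03-25 e1190 011000015 10.0.5.10
2019-03-29 e1222 053000196 10.0.4.21
2019-04-02 e1301 021000021 10.0.6.8
2019-04-04 e1007 124000054 198.51.100.7
2019-04-04 e1019 124000054 198.51.100.7
2019-04-04 e1055 124000054 198.51.100.7
2019-04-04 e1077 124000054 198.51.100.9
2019-04-04 e1088 124000054 198.51.100.7
2019-04-04 e1102 063100277 198.51.100.9
2019-04-04 e1133 124000054 198.51.100.7
"""

SPIKE_MULTIPLIER = 3   # assumption: a day with more than 3x the median daily volume is a spike
MIN_SPIKE_COUNT = 5    # assumption: ignore tiny absolute counts
MIN_CLUSTER = 3        # assumption: 3+ distinct employees sharing a bank or source address


def parse_changes(text: str) -> list[dict]:
    """Parse whitespace-separated change events into dicts."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            date, employee, routing, ip = line.split()
            rows.append({"date": date, "employee": employee, "routing": routing, "ip": ip})
    return rows


def daily_spikes(rows: list[dict]) -> dict[str, dict]:
    """Days whose change volume is far above the median of all other days."""
    per_day = Counter(r["date"] for r in rows)
    spikes = {}
    for day, count in per_day.items():
        others = [c for d, c in per_day.items() if d != day] or [0]
        baseline = median(others)
        if count >= MIN_SPIKE_COUNT and count > SPIKE_MULTIPLIER * baseline:
            spikes[day] = {"count": count, "baseline": baseline}
    return spikes


def shared_destination_clusters(rows: list[dict]) -> dict[tuple[str, str], list[str]]:
    """Groups of distinct employees whose new details share a routing number or source IP."""
    by_key: dict[tuple[str, str], set[str]] = defaultdict(set)
    for r in rows:
        by_key[("routing", r["routing"])].add(r["employee"])
        by_key[("ip", r["ip"])].add(r["employee"])
    return {k: sorted(v) for k, v in by_key.items() if len(v) >= MIN_CLUSTER}


def review(text: str) -> dict:
    """Run both checks over a change log and return the findings."""
    rows = parse_changes(text)
    return {"spikes": daily_spikes(rows), "clusters": shared_destination_clusters(rows)}
```

Either finding on its own is a reason to hold the affected payroll changes for out-of-band confirmation with the employees; the paper-check control described above buys the time to do that, and this check is how the spike gets noticed before the checks are printed.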

A system-wide password reset was performed to lock the attackers out of the system and two independent computer forensics firms were engaged to investigate the breach. The cyberattack was also reported to the FBI. The FBI investigation revealed the attackers were based in Africa and the case has now been closed.

Wise Health System, the two computer forensics firms, and the FBI share the belief that patient information was not accessed by the attackers. The criminal gangs behind these campaigns are solely concerned with rerouting payroll direct deposits and there have previously been no confirmed reports of data theft by these gangs. However, the email credentials obtained by the attackers would have allowed them to access email accounts that contained protected health information such as names, medical record numbers, diagnostic information, health insurance information, and treatment information.

Out of an abundance of caution, affected patients have been offered credit monitoring, identity theft recovery, and identity theft insurance coverage through the ID Experts MyIDCare service for 12 to 24 months. Following the breach, Wise Health System implemented measures to improve its cybersecurity posture.

PSL Services Discovered Employee Email Account Breach

Peregrine Corporation, dba PSL Services, has discovered that unauthorized individuals gained access to the email accounts of several employees between December 16 and December 19, 2019.

A breach was suspected when suspicious activity was detected in the email account of an employee. A third-party computer forensics firm was engaged to investigate the breach and discovered several email accounts had been compromised.

The types of information contained in the compromised email accounts varied from patient to patient and included names, dates of birth, Social Security numbers, driver’s license numbers, medical information, and Medicare numbers.

The compromised accounts are being reviewed to determine which patients have been affected. The incident is still being investigated and the final number of individuals affected has not yet been determined. Affected individuals are being offered free identity theft protection services and written notices will be sent to affected individuals as soon as possible.

PSL Services is reviewing its security measures and will implement additional safeguards to prevent similar breaches from occurring in the future.

Malware Attack Disables Servers at Physician Network Affiliated with Boston Children’s Hospital

On Monday, February 10, 2020, Pediatric Physicians’ Organization at Children’s (PPOC), a physician group affiliated with Boston Children’s Hospital, experienced a malware attack that caused a system outage which prevented its 500+ pediatricians, nurse practitioners, and physician assistants from accessing patient data and scheduling calendars.

PPOC has approximately 200 servers, 11 of which were impacted by the attack. IT teams at PPOC and Boston Children’s Hospital worked swiftly to contain the malware and the affected servers have now been quarantined. Servers unaffected by the attack were shut down as a precautionary measure. Boston Children’s Hospital issued a statement confirming its systems were unaffected by the attack.

Patients were advised to reschedule non-urgent appointments as health records cannot be accessed until the malware is removed and the servers are brought back online. Children’s Hospital issued a statement on Wednesday saying progress was being made restoring the servers, but it was still unclear how long the recovery process would take.

PPOC has over 100 practices across the state of Massachusetts and serves more than 350,000 patients. It is currently unclear what type of malware was involved and whether it allowed hackers to gain access to patient data.

Central Kansas Orthopedic Group Suffers Ransomware Attack

Central Kansas Orthopedic Group (CKOG) in Great Bend, KS suffered a ransomware attack in November 2019 that resulted in the encryption of patient records.

The attack was discovered on November 11, 2019. The attackers sent a ransom demand which CKOG refused to pay. All encrypted files, including patient medical records, were successfully restored from backups.

A third-party forensic investigator was retained to assist with the investigation and determine whether patient data had been accessed or copied by the attackers prior to the deployment of ransomware. The investigation uncovered no evidence to suggest the attackers accessed or stole patient data and no reports of data misuse have been received.

The types of information that could potentially have been accessed included names, addresses, email addresses, dates of birth, state-issued ID numbers, driver’s license numbers, health information related to treatment provided by CKOG, Social Security numbers, and health insurance information. All affected patients have been notified by mail and offered identity theft protection services through ID Experts.

CKOG is now reviewing its security platform and has started implementing additional security protocols to harden its security posture.

The HHS’ Office for Civil Rights breach portal shows 17,214 patients were potentially affected by the attack.
