The Baton Rouge Clinic in Louisiana experienced a cyberattack in early July that took its email and phone system out of action and limited its lab and radiology services. The cyberattack, which involved ransomware, took certain systems out of action for several weeks. It is now two months after the attack and the external email system is still not working.

The clinic’s medical record system was not breached, so the data potentially viewed and/or obtained were limited. The attack was performed by an overseas adversary, according to a statement issued by the clinic. It is unclear whether the ransom was paid. The clinic said, “We followed the recommendations our cybersecurity firm made to us in consultation with the FBI.”

The investigation into the breach confirmed that the attackers potentially accessed the protected health information of 85 patients, all of whom have now been notified. The types of information involved were EMR data downloaded in order to send claims to insurance companies.

Separate breach notification letters were also sent to 308,000 patients. Those individuals are not believed to be at risk but have been advised to be vigilant and to look out for suspicious emails.

NorthShore University Health System, UK HealthCare, & Main Line Health Victims of Blackbaud Ransomware Attack

NorthShore University Health System, University of Kentucky (UK) HealthCare, and Main Line Health have recently announced that they have been affected by the ransomware attack on their business associate, Blackbaud.

The attacker gained access to Blackbaud’s systems between February 7 and May 20, 2020 and backups of databases were stolen by the attackers prior to the deployment of ransomware. Blackbaud paid the ransom and obtained the keys to decrypt files and received assurances that all information stolen in the attack has been securely and permanently deleted.

NorthShore University Health System, based in Evanston, IL, confirmed the data of 348,000 patients were compromised in the attack. The compromised data were limited to names, dates of birth, and limited clinical information. The risk to affected individuals is believed to be low.

UK HealthCare said the data of approximately 163,000 donors who had previously been patients were compromised in the attack. The breached information was limited to names, addresses, dates of birth, medical record numbers, admission dates, area of service and attending doctors.

The attack also involved the donor database of Main Line Health. The database contained patient donors’ or prospective donors’ names, ages, genders, dates of birth, medical record numbers, date(s) of treatment, department(s) of service and treating physicians. 60,595 individuals are known to have been affected.

The post Up to 308,000 Patients Potentially Affected by Baton Rouge Clinic Ransomware Attack appeared first on HIPAA Journal.

Imperium Health Management, a Louisville, KY-based provider of development services to Accountable Care Organizations (ACOs), is notifying 139,114 individuals that some of their protected health information was potentially compromised in a recent phishing attack.

Imperium Health learned of the attack on April 23, 2020. The investigation revealed one email account was breached on April 21, 2020 and a second email account was breached on April 24, 2020 due to the employees responding to phishing emails. The emails contained links that appeared to be legitimate but directed the employees to a website where their email credentials were harvested.

A review of the compromised email accounts revealed they contained protected health information such as patient names, addresses, dates of birth, medical record numbers, account numbers, health insurance information, Medicare numbers, Medicare Health Insurance Claim Numbers (which can include Social Security numbers), and limited clinical and treatment information. Imperium Health was notified that the accounts contained PHI on June 18, 2020.

A third-party computer forensic firm assisted with the investigation and confirmed the breach only involved the two email accounts. Access was not gained to any other Imperium Health systems. While it is possible that patient information was viewed or obtained, to date no evidence has been uncovered to indicate patient information was viewed, obtained, or misused in any way.

Imperium Health has implemented additional security measures to protect its systems from further cyberattacks, which include the use of two-factor authentication on email accounts for remote access and new protocols for the secure transfer of sensitive information. The workforce has also been re-educated on email security and how to identify phishing emails.

Atrium Health and Saint Luke’s Foundation Impacted by Blackbaud Ransomware Attack

Saint Luke’s Health Foundation has confirmed the personal and demographic information of 360,212 individuals was compromised in the recent Blackbaud ransomware attack.

The attackers obtained a copy of a backup of a database which was used as leverage to extort funds from Blackbaud. The data is understood to have been obtained at some point between February 7, 2020 and May 20, 2020. Blackbaud chose to pay the ransom demand to obtain the keys to unlock the files encrypted by the ransomware and prevent any further disclosures of data stolen in the attack. Blackbaud does not believe any data were disclosed by the attacker or otherwise made available to the public and believes all data stolen in the attack have now been permanently deleted.

Data compromised in the attack included names, mailing addresses, email addresses, telephone numbers, and/or date of birth. A limited number of patients may have had guarantors’ names compromised, along with some patient medical information such as dates of service and departments where care was provided.

Atrium Health, one of the nation’s leading healthcare systems with over 900 care locations, has also confirmed it was affected by the Blackbaud ransomware attack. Data compromised in the attack include patients’ first and last names, contact information, demographic information (including date of birth, guarantor information, decedent status (if applicable) and internally generated patient ID numbers), treatment dates, locations of service, and treating physicians’ names. Minors affected by the breach also had the name and relationship of their guarantor exposed. Patients who made a donation to Atrium Health had the date of the donation and amount included in the stolen data.

The post PHI of Almost 140,000 Individuals Potentially Compromised in Imperium Health Phishing Attack appeared first on HIPAA Journal.

The number of healthcare providers confirmed to have been affected by the Blackbaud ransomware attack and data breach is growing, with a further four healthcare providers issuing breach notifications in the past few days.

Yesterday we reported Northwestern Memorial HealthCare had been affected and the personal information of 55,983 individuals was compromised. Now the Department of Health and Human Services’ Office for Civil Rights breach portal shows 179,189 MultiCare Health System donors and potential donors have been affected, as have 52,500 donors to Spectrum Health Lakeland Foundation, and 22,718 donors to the Richard J. Caron Foundation.

Earlier this month, Northern Light Health Foundation confirmed that the information of 657,392 donors was compromised in the breach. Catholic Health and its foundations, the University of Detroit Mercy, and Children’s Hospital of Pittsburgh Foundation are also known to have been affected by the Blackbaud data breach.

The total number of healthcare organizations affected by the breach is still not known, nor the total number of individuals impacted by the breach, but the total is rapidly approaching 1 million.

Blackbaud is one of the largest providers of fundraising database and support services for health care organizations, educational institutions, and other non-profits worldwide. The company maintains records for more than 25,000 non-profit organizations.

The ransomware attack occurred on or around May 14, 2020; however, the attackers had initially gained access to its systems several months previously in February 2020. Blackbaud took action to limit the extent of the file encryption and contained the attack by May 20, 2020. Prior to the deployment of ransomware, the attackers were able to exfiltrate a subset of data from Blackbaud’s self-hosted environment, including the platform used by many healthcare organizations for engagement and fundraising.

Blackbaud’s cloud services are extensively used by healthcare organizations the world over, including 30 of the top 32 largest nonprofit hospitals, but the company said its public cloud environment was not affected and neither was the majority of its self-hosted environment.

In the most part the breach was limited to the names of donors, individuals who had attended fundraising events in the past, and community members with relationships with the affected healthcare organizations.

In addition to names, demographic information such as addresses, dates of birth, telephone numbers, and email addresses were compromised, and in some cases, donation dates, donation amounts and other donor profile information. For the majority of affected healthcare organizations, highly sensitive information such as bank account information, credit card information, and Social Security numbers were not affected.

Blackbaud issued a statement about the breach confirming the ransom demand was paid in order to obtain the keys to decrypt data and to prevent any malicious use of the data stolen in the attack.

“Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly… We apologize that this happened and will continue to do our very best to supply help and support as we and our customers jointly navigate this cybercrime incident,” explained Blackbaud in its ransomware and data breach notification.

The post Blackbaud Data Breach Healthcare Victim Count Rises to Almost 1 Million appeared first on HIPAA Journal.

Tucson, AZ-based Assured Imaging, a subsidiary of Rezolut Medical Imaging and provider of Health Screening and Diagnostic Services, has announced it has suffered a ransomware attack that resulted in the encryption of its medical record system.

Assured Imaging discovered the attack on May 19, 2020 and worked quickly to stop any further unauthorized access and restore the encrypted data. Assisted by a third-party computer forensics firm, Assured Imaging investigated the ransomware attack to determine the scope of the breach. The investigation revealed an unauthorized individual gained access to its systems between May 15, 2020 and May 17, 2020 and exfiltrated “limited data” prior to the deployment of ransomware.

The forensic investigation confirmed data had been stolen but it was not possible to determine exactly what information was exfiltrated by the attackers. A review was conducted to identify all types of information that could potentially have been accessed. The compromised system was found to contain full names, addresses, dates of birth, patient IDs, facility used, treating clinicians’ names, medical histories, services performed, assessments of the service performed, and recommendations on future testing.

Assured Imaging is unaware of any misuse of patient data but does encourage all affected individuals to monitor their accounts and credit reports for any sign or fraudulent activity.

The incident has been reported to law enforcement and the Department of Health and Human Services’ Office for Civil Rights. The OCR breach portal indicates up to 244,813 individuals were affected by the attack.

Email Breach Affects 6,000 Roper St. Francis Healthcare Patients

Charleston, SC-based Roper St. Francis Healthcare has data breach involving a single email account. The breach was detected on July 8, 2020, with the investigation revealing the email account was compromised between June 13, 2020 and June 17, 2020.

The forensic investigation confirmed the email account contained patients’ names, dates of birth, medical record or patient account numbers, and limited clinical and/or treatment information, including providers’ names, diagnoses, and/or procedure information. The health insurance information and/or Social Security numbers of a limited number of individuals were also stored in the email account. Approximately 6,000 patients have been affected by the breach.

Individuals whose Social Security number was compromised have been offered complimentary credit monitoring and identity theft protection services. Roper St. Francis Healthcare has reinforced training on email security and has augmented its email security measures.

This is not the first phishing attack to be reported by Roper St. Francis this year. In February, the healthcare provider announced the email accounts of 13 employees had been compromised as a result of a phishing attack between November 15 2018 and December 1, 2018.  The PHI of 35,253 patients was compromised in the breach.

Hamilton Health Center Reports Impermissible Disclosure of 10,000 Patients’ PHI

Harrisburg, PA-based Hamilton Health Center, Inc. has announced the protected health information of 10,393 individuals was impermissibly disclosed as a result of a recent phishing attack.

Hamilton Health Center learned on June 19, 2020 that a spreadsheet containing patient information had been sent to an unauthorized individual in response to a phishing email. The spreadsheet contained patients’ full names, member IDs, and dates of birth, along with one or more of the following data elements: Diagnosis, treatment, physical condition medications, dates of laboratory tests and/or examinations, and/or the name of the patient’s provider.

While the above data were impermissibly disclosed, no reports have been received to indicate any information has been misused. Affected individuals are being encouraged to monitor their explanation of benefits statements for any sign of misuse of their information.

The post Assured Imaging Ransomware Attack Affects Almost 245,000 Patients appeared first on HIPAA Journal.

Northwestern Memorial HealthCare has discovered the personal information of individuals who had previously made donations to Northwestern Memorial HealthCare was potentially compromised in the recent Blackbaud ransomware attack. An unauthorized individual first gained access to Blackbaud systems on February 7, 2020, with the access possible until May 20,2020 when ransomware was deployed.

Prior to the use of ransomware, the attacker may have accessed a backup of a database that contained names, age, gender, dates of birth, medical record number, dates of service, departments of service, treating physicians, and/or limited clinical information. The database also contained the Social Security numbers and/or financial/payment card information of 5 individuals. In total, the information of 55,983 Northwestern Memorial HealthCare donors was potentially compromised in the attack.

Northwestern Memorial HealthCare is conducting a review of its third-party database storage vendors and its relationship with Blackbaud in order to prevent similar data breaches in the future.

Names and Health Insurance Information of 15,000 Lafayette Fire Department Ambulance Users Compromised

On July 27, 2020, the City of Lafayette, CO experienced a ransomware attack that disrupted the phone, email, online payment, and reservation systems and prevented the city from accessing essential data. After assessing the cost/benefits of all options, the decision was taken to pay the $45,000 ransom rather than risk extensive disruption and damage to its online operations.

Prior to the deployment of ransomware, the attackers may have gained access to personal information stored on Lafayette’s computer network. In addition to the personal information, including Social Security numbers, of city employees, and usernames and passwords of individuals who used certain online services, the attackers potentially gained access to the names and health insurance identification numbers of 15,000 individuals who had been transported by the Lafayette Fire Department ambulance prior to January 1, 2018.

The city has cleaned and rebuilt its system servers and computers, crypto-safe backup systems have been deployed, and additional cybersecurity measures are being implemented to prevent further ransomware attacks.

Cook Children’s Medical Center Breach Impacts 1,768 Individuals

Fort Worth, TX-based Cook Children’s Medical Center has discovered a box of radiology images to be missing from a locked storage room. A search was conducted for the missing storage discs, but they could not be located. The protected health information contained on the discs was limited to names, dates of birth, medical record numbers, service dates, physician names, and scan types.

The images required specialist software to view, but some of the protected health information could have been viewed without specialist software. The images related to 1,768 individuals who had undergone hip and spine imaging between 2005 and 2014.  No reports have been received to suggest any information on the discs has been misused. All affected individuals have now been notified.

PHI of 2,102 Individuals Potentially Compromised in D&S Residential Holdings Phishing Attack

Austin, TX-based D&S Residential Holdings has discovered an unauthorized individual gained access to some employee email accounts between April 20, 2020 and June 15, 2020 as a result of responses to phishing emails.

D&S Residential Holdings conducted a comprehensive investigation, assisted by a leading computer security firm, but was unable to determine whether any information in the email accounts was accessed or stolen by the attackers.

A review of the email accounts revealed they contained protected health information. Individuals whose Social Security number was compromised in the attack have been offered 12 months of complimentary credit monitoring and identity theft protection services.  The breach report submitted to the HHS’ Office for Civil Rights indicates 2,102 individuals were affected by the breach.

The post 56,000 Northwestern Memorial HealthCare Donors Impacted by Blackbaud Ransomware Attack appeared first on HIPAA Journal.

Utah Pathology Services has announced an unauthorized individual has gained access to the email account of an employee and attempted to redirect funds from Utah Pathology. The breach was detected promptly, the compromised email account was secured, and the attempted fraud was unsuccessful and did not involve any patient information.

Independent IT and forensic investigators were engaged to assist with the investigation and help determine the extent of the breach. The investigation is ongoing, but it has now been confirmed that the compromised email account contained the personal and protected health information of around 112,000 patients.

The purpose of the attack appears to have been to redirect funds to an account under the control of the attacker, rather than to steal patient data; however, the possibility of data theft could not be ruled out and affected individuals are now being notified about the breach.

The compromised email account contained the following types of information in addition to patient names: Gender, date of birth, mailing address, phone number, email address, health insurance information, internal record numbers, and diagnostic information related to pathology services. A small number of affected individuals had their Social Security number exposed.

No evidence of misuse of patient information has been found to date but, out of an abundance of caution, affected individuals have been offered 12 months complimentary membership to Cyberscout’s identity monitoring service.

Utah Pathology Services is reviewing its privacy and security measures and additional safeguards will be implemented, as appropriate, to prevent further breaches in the future.

Valley Health Systems Suffers Ransomware Attack

Valley Health Systems, a healthcare provider serving around 75,000 patients in southern West Virginia, southeastern Ohio and eastern Kentucky, was attacked with ransomware on or around August 22, 2020.

As is common in manual ransomware attacks, prior to the encryption of data, files were exfiltrated by the attackers and were used to pressure the healthcare provider into paying the ransom. Some of the data stolen in the attack has been published on a leak site.

Valley Health Systems continued to provide medical services to patients while recovering from the attack and patient care was unaffected. Several systems are still affected and are being slowly restored and brought back online. Third-party cybersecurity experts have been assisting with the investigation and recovery.

According to a statement VHS provided to databreaches.net, “Unfortunately, the threat actor has released some of our information. We are doing everything we can to understand what information is at risk and to protect patient information.” Databreaches.net confirmed that the attack involved Sodinikibi (REvil) ransomware.

VHS said, “We are committed to completing a full forensic review following the resolution of this outage, and we will take all appropriate action, which may include notifying affected patients, in response to our findings. We have also taken steps to notify the FBI and intend to fully cooperate with any investigation into this incident.”

The breach has yet to appear on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.

The post Utah Pathology Services Email Breach Potentially Affects 112,000 Patients appeared first on HIPAA Journal.

A former nursing home employee has been accused of stealing the identities of dozens of nursing home residents and using their accounts to pay her bills.

The woman, Anna Zur, 39, of Franklin Park, IL, previously worked in the corporate office of a care facility and abused her access rights to residents’ information to obtain documents and financial information, which she sent to a personal email account. She has been accused of stealing the identities of residents and using their accounts to purchase goods and services and pay her bills.

The Palos Heights Police Department conducted a year-long investigation into cases of identity theft and fraud and issued a warrant for the woman’s arrest. She was taken into custody on August 26, 2020 and has been charged with felony counts of wire fraud and continuing a financial crimes enterprise. The woman has been linked to 35 cases of identity theft and is alleged to have defrauded individuals out of $25,000.

Patient Data Stolen in Ventura Orthopedics Ransomware Attack

The Californian healthcare provider Ventura Orthopedics has experienced a manual ransomware attack and has had patient information stolen and published online. The stolen data was identified by Databreaches.net when checking the new data leak site used by the operators of Conti-Ryuk ransomware. Data from the attack was also found on the leak site used by the Maze ransomware operators.

The dumped data was found to contain patient information such as names, dates of birth, medications, and lab test results. In total, more than 1,800 files have been leaked online.

There has been no announcement made by Ventura Orthopedics about the ransomware attack at the time of writing and no information is detailed on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected by the attack.

Comanche County Hospital Authority Impacted by Magellan Health Ransomware Attack

Comanche County Hospital has announced that the protected health information of 1,112 individuals was compromised in the ransomware attack on the pharmacy benefits vendor, Magellan Health in April 2020.

Magellan Health’s investigation revealed limited health information of benefit plan members was compromised in the attack such as names, addresses, payment, health insurance account information, and treatment information. No Social Security numbers or financial information were compromised.

The post Former Nursing Home Employee Accused of Defrauding Residents Out of $25,000 appeared first on HIPAA Journal.

Severna Park, MD-based Dynasplint Systems, a manufacturer of proprietary stretching devices to improve joint motion, has experienced a cyberattack in which personal and protected health information may have been accessed or stolen.

The security breach occurred on May 16, 2020. Assisted by a digital forensics firm, Dynasplint Systems determined on June 4, 2020 that information such as names, addresses, dates of birth, Social Security numbers, and medical information was accessed by the attackers. The cyberattack was reported to the FBI and Dynasplint Systems is cooperating with the investigation to hold the individuals responsible accountable.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 102,800 individuals were potentially affected by the attack. Those individuals were notified on August 8, 2020 and have been offered complimentary identity monitoring and recovery services for 12 months through Kroll.

Texas Medical Clinical Research Organization Suffers Phishing Attack

Pinnacle Clinical Research, a San Antonio, TX-based medical clinical research organization that runs hepatological and gastroenterological clinical trials in San Antonio and Austin, TX has announced it has suffered a phishing attack.

The email account breach was detected in April 2020. Assisted by independent IT security and forensic investigators, Pinnacle Clinical Research determined on or around May 8, 2020 that the compromised email account contained the sensitive information of clinical trial participants.

The breach was limited to a single email account which was found to contain information such as names, mailing addresses, telephone numbers, medical histories, and treatment information. A subset of affected individuals may also have had one or more of the following data elements exposed: Date of birth, Social Security number, driver’s license number, state ID number, taxpayer ID number, passport number, credit card/financial account number, associated PIN or password, email address, and/or health insurance individual policy number.

The compromised email account was immediately secured when the breach was discovered and steps have since been taken to improve the privacy and security of information stored in its systems. Affected individuals have been offered complimentary identity theft protection and credit monitoring services for 12 months.

Phishing Attack Reported by the Institute for Integrative Nutrition

The Institute for Integrative Nutrition in New York City has discovered personal information has potentially been compromised in a March 2020 phishing attack. The email account breach was detected on June 22, 2020. The investigation revealed a single email account was accessed by an unauthorized individual between March 3-4, 2020.

Third party cybersecurity professionals assisted with an extensive forensic investigation and the manual document review confirmed that names and personal information, including Social Security numbers, had potentially been accessed, although no evidence was found suggesting data were stolen in the attack.

Out of an abundance of caution, affected individuals have been offered complimentary identity theft protection services and “significant measures” have been implemented to prevent further breaches in the future.

PHI Potentially Compromised in Phishing Attack on Colorado Mental Health Center

Lafayette, CO-based Mental Health Center of Boulder County Inc., aka Mental Health Partners, experienced a phishing attack in late March in which employee information and the protected health information of some of its clients were potentially compromised.

Assisted by forensic investigators, Mental Health Partners determined on July 22, 2020 that the following information may have been subjected to unauthorized access or could have been stolen in the attack: names; dates of birth; Social Security numbers; driver’s license or state identification card numbers; passport numbers; financial account information; medical record numbers; medical treatment information, including symptom, diagnosis, treatment, medication, and doctor information; and/or health insurance information.

Affected individuals have been offered complimentary credit monitoring services. No evidence was found to indicate data were stolen or misused. Mental Health Partners has reviewed its internal policies and procedures following the attack and additional safeguards are being implemented to enhance digital security.

Boxes of Medical Records Found at Texas Recycling Center

More than 2 dozen boxes of old medical records have been found at an Odessa, TX recycling center. The records appear to have come from West Texas Orthopedics, which is part of Midland Health. It is not known how the records came to be at the recycling center and why they were not disposed of securely in accordance with HIPAA Rules.

“We have a team on-site at Odessa Recycling Center. They have looked through all records and determined that they do not belong to us. The name West Texas Orthopedics has been used by other entities in the past, but these records predate our ownership,” said Midland Health in a statement issued about the breach.

The post Dynasplint Systems Data Breach Impacts Almost 103,000 Individuals appeared first on HIPAA Journal.