HIPAA Breach News

$185,000 Settlement Proposed to Resolve Grays Harbor Community Hospital Ransomware Lawsuit

A proposed settlement has been agreed between Grays Harbor Community Hospital and Harbor Medical Group and the representative plaintiff in a proposed class action lawsuit over a June 2019 ransomware attack that resulted in the encryption of patient data.

The settlement was negotiated by the plaintiff and Grays Harbor to avoid the uncertainty of a trial and the costs of further litigation. The settlement was not decided in favor of either party by the Court.

The ransomware attack that prompted the lawsuit was detected in June 2019. The Washington healthcare provider powered down its systems to contain the ransomware, which had already made servers inaccessible, but not in time to prevent its computer systems from being encrypted. Grays Harbor had backed up its data for such an eventuality, but the backup files were also encrypted in the attack, so they could not be used for recovery. The attack took its electronic health record system offline for around two months.

The attackers demanded a ransom of $1 million for the keys to decrypt the data. Grays Harbor had an insurance policy that provided cover of up to $1 million, although it is unclear whether that policy paid out or whether the ransom was paid. Regardless, it was not possible to recover all of the data encrypted in the attack, and some patients’ protected health information was not recovered.

The lawsuit alleged violations of the Washington State Consumer Privacy Act, the Washington State Uniform Healthcare Information Act, and the state Constitution’s Right to Privacy; that Grays Harbor Community Hospital and Harbor Medical Group were negligent in failing to protect the privacy of patients; breach of express contract; breach of implied contract; and intrusion upon seclusion/invasion of privacy.

Grays Harbor Community Hospital and Harbor Medical Group agreed to the settlement with no admission of liability. All claims stated in the lawsuit have been denied.

Grays Harbor Community Hospital and Harbor Medical Group proposed a settlement of $185,000 to cover the claims of the 88,000 patients affected by the ransomware attack. Affected patients can submit claims up to a maximum of $210 per person to cover out-of-pocket monetary losses incurred as a result of the breach and up to three hours of documented lost time dealing with the fallout from the breach at a rate of $15 per hour.

Claims up to $2,500 will also be accepted to cover provable other losses incurred that were more likely than not due to the ransomware attack. All available credit monitoring insurance and identity theft insurance must be exhausted before Grays Harbor is responsible for any larger payouts. If the claims exceed $185,000 they will be paid pro rata to reduce costs.

Class members have until July 27, 2020 to exclude themselves from the settlement or submit an objection. A fairness hearing has been scheduled for August 31, 2020. To receive a share of the settlement fund, a claim must be submitted by December 23, 2020.

Following the ransomware attack, steps were taken to improve security and more than $300,000 has been invested in information security. A further $60,000 will be spent on security improvements over the next three years.

This is the second data breach settlement to be announced this week. A settlement was also proposed by UnityPoint Health to resolve a lawsuit filed by victims of two phishing-related data breaches discovered in 2018. That settlement will see UnityPoint Health make a minimum of $2.8 million available to cover claims and, very unusually, no cap has been placed on claims payments, so the final settlement amount could be substantial.

The post $185,000 Settlement Proposed to Resolve Grays Harbor Community Hospital Ransomware Lawsuit appeared first on HIPAA Journal.

Extent of Magellan Health Ransomware Becomes Clear: More Than 364,000 Individuals Affected

HIPAA Journal previously reported on an April 2020 ransomware attack on Magellan Health. Further information on the attack has now been released that shows the scale of the attack.

The incident has now been listed on the HHS’ Office for Civil Rights breach portal as affecting 6 Magellan entities, each of which has reported the incident separately. Several other entities have also submitted breach reports confirming their patients and subscribers have also been affected.

It is too early to tell exactly how many individuals have been affected by the ransomware attack, but the total as of July 1, 2020 exceeds 364,000, making the attack the third largest healthcare data breach to be reported in 2020. There may still be some entities that have yet to report the breach.

Entities known to have been impacted by the breach are listed in the table below.

Affected Entity | Entity Type | Individuals Affected
Magellan Healthcare, Maryland | Business Associate | 50,410
Magellan Complete Care of Florida | Health Plan | 76,236
Magellan Rx Pharmacy | Healthcare Provider | 33,040
Magellan Complete Care of Virginia | Health Plan | 3,568
Merit Health Insurance Company | Health Plan | 102,748
National Imaging Associates | Business Associate | 22,560
University of Florida Jacksonville | Healthcare Provider | 54,002
University of Florida, Health Shands | Healthcare Provider | 13,146
University of Florida | Healthcare Provider | 9,182
Total | | 364,892

In contrast to many of the healthcare ransomware attacks reported in recent weeks, in which access to networks was gained through brute force attacks on exposed remote desktop services or the exploitation of VPN vulnerabilities, this attack started with a spear phishing email that impersonated a Magellan client. The email was sent on April 6 and the ransomware was deployed less than a week later.

Magellan explained in its substitute breach notification letter sent to the California Attorney General’s Office that the attacker deployed malware designed to steal login credentials, gained access to a single Magellan corporate server, and stole employee information. The data stolen in the attack related to current employees and included the following data elements: address, employee ID number, and W-2 or 1099 details such as Social Security number or Taxpayer ID number. For a limited number of employees, usernames and passwords were also obtained.

The notice of security incident on the Magellan Health websites confirms patients of Magellan Health and its subsidiaries and affiliates were also impacted, and the following types of data were exposed: treatment information, health insurance account information, member ID, other health-related information, email addresses, phone numbers, and physical addresses. In certain instances, Social Security numbers were also affected.

No mention is made on the June 12, 2020 website notice whether protected health information was also stolen in the attack. In all cases, Magellan Health says no evidence has been uncovered to date to suggest any patient or employee information has been misused.


UnityPoint Health Proposes $2.8 Million+ Settlement to Resolve Class Action Data Breach Lawsuit

Des Moines, Iowa-based UnityPoint Health has agreed to settle a proposed class action lawsuit filed by victims of two phishing attacks in 2017 and 2018 that saw the protected health information of 1.4 million patients exposed.

The first phishing attack occurred in November 2017 and was discovered on February 15, 2018. The attackers had access to the email accounts of certain employees of its Madison campus for more than 3 months and potentially obtained the protected health information of approximately 16,429 patients. Patients were notified about the breach in April 2018.

The second phishing attack was much more extensive. The campaign saw a UnityPoint executive impersonated in March 2018, and several employees responded to the message and disclosed their login credentials. The breach was detected in May 2018 and the investigation revealed the compromised email accounts contained the protected health information of 1.4 million patients, making it the second largest healthcare data breach to be reported in 2018. The attackers had access to the email accounts for almost a month before the breach was detected and the accounts were secured. Notification letters were sent to affected individuals in August 2018.

A lawsuit was filed soon after the announcement about the breach was made. The lawsuit alleged UnityPoint Health mishandled the breach and misrepresented the nature, breadth, scope, harm, and cost of the breach. It was alleged that UnityPoint Health did not notify affected individuals within the 60-day time frame demanded by the HIPAA Breach Notification Rule and when notifications were issued, patients were not informed that their Social Security numbers had been exposed.

In the breach notification letters, UnityPoint Health explained that no evidence was found to suggest the protected health information exposed in the attack was or would be used for unintended purposes, suggesting affected patients were not placed at risk. UnityPoint Health also failed to offer breach victims credit monitoring or identity theft protection services, even though Social Security numbers and driver’s license numbers had been exposed.

UnityPoint Health attempted to have the lawsuit dismissed and was partially successful. In July 2019, a US District Court Judge dismissed some of the claims in the lawsuit, although other claims were allowed to proceed. The judge ruled that the plaintiffs had alleged facts sufficient to establish an objectively reasonable likelihood of future identity theft.

A settlement was proposed on June 26, 2020 to resolve the lawsuit and will provide victims with monetary and injunctive relief. Under the terms of the proposed settlement, UnityPoint Health has agreed to make a minimum of $2.8 million available to class members to cover claims. Each affected individual can submit a claim of up to $1,000 to cover documented ordinary out-of-pocket expenses such as credit monitoring and identity theft protection services, and up to 3 hours in lost time charged at $15 per hour.

A claim of up to $6,000 can be made per person to cover extraordinary expenses, which includes documented out-of-pocket expenses and up to 10 hours per person at $15 per hour for time lost arranging credit monitoring services, credit freezes, and other actions taken as a result of the breach. In contrast to most data breach settlements, UnityPoint Health has not placed a cap on extraordinary expenses claims, so UnityPoint Health will cover actual losses if breach victims submit a valid claim. All victims will also be entitled to a year’s membership to credit monitoring and identity theft protection services and will be protected by a $1 million insurance policy against identity theft. The credit monitoring services and insurance policy are estimated to cost around $200 per class member.

The four breach victims named in the lawsuit will also be entitled to claim an additional $2,500 per person. The full costs of notice and claims administration and attorney fees will be paid by UnityPoint Health up to a maximum value of $1.58 million.

UnityPoint Health has also agreed to make improvements to network and data security and will undergo an annual audit by a third-party security firm to ensure that security measures are adequate, and the healthcare provider is complying with its security policies.

Given the lack of a cap on claims, this could turn out to be one of the largest ever healthcare data breach settlements. The settlement will now need to be approved by a judge and could be finalized by the end of the year.


Breaches Reported by St. Luke’s Health-Memorial Lufkin, RiverPointe Post Acute, and Iowa Total Care

CHI St. Luke’s Health-Memorial Lufkin in Texas has started notifying patients that some of their protected health information may have been accessed by an unauthorized individual.

St. Luke’s threat management team investigated a security breach involving a network server on March 25, 2020. Third-party vendors conducted a forensic investigation and determined on April 23, 2020 that the email accounts of two employees may have been accessed by an unauthorized outside party.

The investigation did not uncover evidence confirming unauthorized PHI access or data theft, but the possibility could not be ruled out. The email accounts contained names, diagnosis information, dates of services, and facility account numbers. Based on the investigation, St. Luke’s does not believe patient data has been used inappropriately but has offered certain patients complimentary credit monitoring services through Experian as a precaution.

The security breach was thoroughly investigated, data access logs were checked, and a threat intelligence analysis was performed. All passwords were reset across the facility, hardware has been replaced and upgraded, changes have been made to software to improve security, and processes for accessing the network have been changed.

The breach has yet to appear on the HHS’ Office for Civil Rights breach portal so it is currently unclear how many patients have been affected.

RiverPointe Post Acute Reports Loss of 633 Patients’ PHI

RiverPointe Post Acute in Carmichael, CA has notified 633 nursing home residents that some of their protected health information has been exposed. A USB storage device containing names, insurance ID numbers, and some Social Security numbers was sent in the mail but was lost in transit. When the device was not received, the loss was reported to the postal service and a search was performed, but the storage device could not be located.

While no specific evidence was uncovered to indicate the device was obtained by an unauthorized individual, affected residents have been offered complimentary identity theft protection services as a precaution. Further training has now been provided to employees on data security.

Email Error Exposed PHI of 11,500 Iowa Total Care Members

Iowa Total Care has discovered the protected health information of thousands of patients has been impermissibly disclosed by an employee. On April 29, 2020, an employee sent an Excel spreadsheet containing claims data to a large provider organization. The file contained the protected health information of patients that had not received medical care at the organization.

The spreadsheet contained names, Medicaid ID numbers, dates of birth, and procedure and diagnosis codes of 11,581 patients. The provider is a HIPAA covered entity so is aware of the need to safeguard protected health information and has confirmed that the spreadsheet was deleted and had not been shared or copied.

Iowa Total Care has re-educated the employee concerned and has implemented additional safeguards to prevent similar errors in the future.


Georgia Hospital Accused of Falsification of COVID-19 Test Results Suspends Employees Over Suspected HIPAA Breach

Landmark Hospital of Athens in Georgia has suspended three employees who are suspected of accessing, copying or disclosing patient records. The potential HIPAA breach may be linked to a lawsuit that was filed against the 42-bed hospital on June 22, 2020 by four nurses who allege the hospital has been falsifying COVID-19 test results in what they describe as a “COVID-19 coverup”.

The nurses allege that five of their patients had tested positive for COVID-19 after displaying symptoms and after the positive result, the hospital administrator reordered COVID-19 tests for those patients. The nurses allege that for the retests, samples were intentionally collected without following proper sampling protocols. They claim that this was done deliberately to reduce the chance of a positive test result.

The nurses, who are named as Jane Doe and John Doe in the lawsuit, are seeking immediate court intervention “to stop the hospital concealing and mishandling a COVID-19 outbreak in the facility.” The nurses also want the hospital to temporarily stop receiving and discharging patients. The nurses also seek damages as they claim they have been unnecessarily exposed to COVID-19.

The nurses allege the falsification of COVID-19 test results allowed patients to be discharged, freeing up beds for other patients so the hospital could continue to bill Medicare for services and maintain patient volume.

The lawsuit alleges the patients who had tested positive were not isolated from other patients and no PPE was provided to nurses treating those patients. They also claim that the air conditioning system was not working for the period of time the patients were in the facility. Mobile air conditioners are used which take air from patient rooms and blow it into corridors, which they claim increased the risk of other patients and staff members contracting COVID-19. The air conditioning system uses dry hydrogen peroxide to reduce the risk of contaminants being circulated.

The nurses claim they voiced their concerns to Landmark’s administration, but no action was taken, hence the legal action. They allege the actions of the hospital have created a public health risk and placed patients, hospital employees, and their families at risk.

Marie Saylor, CEO of Landmark Hospital of Athens, issued a statement saying the hospital will “vigorously investigate allegations and defend our hospital and its staff against misleading and false claims… we have always made the safety and well-being of our patients and staff our top priority, and continue to do so as we manage the local impact of the COVID-19 pandemic.”


Ransomware Attacks Reported by North Shore Pain Management & Florida Orthopaedic Institute

North Shore Pain Management (NSPM) in Massachusetts has started notifying 12,472 patients that some of their protected health information has been stolen by hackers. The breach was detected on April 21, 2020 and the investigation confirmed that the attackers first gained access to its systems on April 16, 2020.

The substitute breach notice on the NSPM website does not provide details about the nature of the attack, but it has been independently confirmed by Emsisoft and databreaches.net as a ransomware attack involving AKO ransomware. The gang responsible for the attack dumped 4GB of data stolen in the attack on their Tor site when the ransom demand was not paid.

The dumped files contain a range of sensitive data on employees and patients. The NSPM breach notice confirms the files stolen in the attack contained patient names, dates of birth, health insurance information, account balances, financial information, diagnosis and treatment information, and, for certain patients, ultrasound and MRI images. Social Security numbers were also obtained for patients whose SSN is used as their health insurance/member number.

Since the stolen data has been exposed online and is in the hands of cybercriminals, affected patients have been advised to monitor their financial statements and explanation of benefits statements closely for any sign of misuse of their data. Patients whose Social Security number was compromised have been offered complimentary credit monitoring and identity theft protection services. NSPM has now retained a new IT management vendor and is taking steps to enhance cybersecurity.

The AKO ransomware operators, like many groups that manually deploy ransomware, steal data prior to file encryption to increase the chance of a ransom being paid. The AKO gang often requires two ransom payments to be paid. One covers the cost of the decryptor and a second payment is often required to ensure any data stolen in the attack is deleted. Lawrence Abrams of Bleeping Computer has been in touch with the gang who said two ransom demands are issued to companies with large revenues. The ransom payment to delete files is variable, ranging from $100,000 to $2,000,000.

The gang said some healthcare providers have only paid the ransom to have the data deleted and did not pay for the decryptor. It is unclear whether a ransom was paid by NSPM.

Florida Orthopaedic Institute Suffers Ransomware Attack

Tampa, FL-based Florida Orthopaedic Institute has announced it was attacked with ransomware on April 9, 2020 and patient data on its servers was encrypted. An internal investigation was conducted which revealed the personal and protected health information of patients may have been stolen prior to the encryption of files. Florida Orthopaedic Institute is unaware of any misuse of patient information as a result of the attack.

Florida Orthopaedic Institute engaged a third-party computer forensic firm to assist with the investigation and steps have been taken to restore the encrypted data and secure its systems. Affected patients have now been notified and have been offered complimentary credit monitoring, fraud consultation, and identity theft restoration services.

The types of data encrypted and potentially obtained by the attackers included names, dates of birth, Social Security numbers, medical information related to appointment times, physician locations, diagnosis codes, payment amounts, insurance plan identification numbers, payer identification numbers, claims addresses, and/or FOI claims history.

Florida Orthopaedic Institute is working with third-party experts to enhance security to prevent further cyberattacks in the future.

The breach has not yet been added to the HHS’ Office for Civil Rights breach portal so it is currently unclear how many patients have been affected.


American Medical Technologies Email Breach Affects 47,767 Patients

American Medical Technologies, an Irvine, CA-based provider of wound care solutions and medical supplies, has discovered an unauthorized individual gained access to the email account of one of its employees and potentially accessed and copied the protected health information of some of its patients.

The breach was identified on or around December 17, 2019 when suspicious activity was detected in the email account. The investigation confirmed the attacker potentially had access to protected health information such as names, medical record numbers, Social Security numbers, diagnosis information, health insurance policy numbers, subscriber numbers, medical histories, HIPAA account information, driver’s license/state identification numbers, and/or taxpayer ID numbers. No evidence was found to suggest patient information was viewed or stolen in the attack, but unauthorized data access and data exfiltration could not be ruled out.

A comprehensive analysis of the email accounts was conducted which was completed on May 14, 2020. The review revealed the account contained the PHI of 47,767 patients, who have now been notified about the breach by mail. Affected patients have been offered complimentary credit monitoring services.

Following the breach, two independent security firms were engaged to conduct a review of email security and additional security measures have now been implemented based on their recommendations. Steps have also been taken to improve data security on the firm’s web server infrastructure.

3,663 Patients Notified About Kentuckiana Regional Planning & Development Agency Phishing Attack

Kentuckiana Regional Planning & Development Agency (KIPDA) in Louisville, KY has discovered a single email account has been accessed by an unauthorized individual. The breach was detected on February 18, 2020 when KIPDA discovered a large number of emails had been sent from the account. The account was immediately secured, and an investigation was launched to determine the nature and scope of the breach.

Assisted by a third-party digital forensics firm, KIPDA determined the email account was accessed between January 29, 2020 and February 14, 2020. The investigation confirmed on April 9, 2020 that protected health information may have been viewed or copied, but it was not possible to tell which, if any, emails in the account had been accessed.

The protected health information included in emails and email attachments was limited to names, addresses, dates of birth, diagnosis and treatment information, billing and procedure codes, and Medicaid ID number. Certain patients also had their Social Security number and/or driver’s license details exposed.

KIPDA explained in its substitute breach notice that several steps have been taken to improve security, which include increasing the frequency of password changes, the implementation of 2-factor authentication on email accounts, the use of secure data files for storing sensitive data, and updates to policies and procedures that now require email data to be regularly and securely deleted from email accounts.

Employees have also been provided with further training on procedures and cybersecurity, and the risks associated with sharing sensitive data via email have been highlighted. KIPDA is also considering restricting access to its network to individuals located within the United States.


May 2020 Healthcare Data Breach Report

May 2020 saw a marked fall in the number of reported healthcare data breaches compared to April, with 28 data breaches of 500 or more records reported to the HHS’ Office for Civil Rights. That is the lowest number of monthly breaches since December 2018 and the first time in 17 months that healthcare data breaches have been reported at a rate of less than one per day. The monthly total would have been even lower had one breach been reported by the business associate responsible for an improper disposal incident, rather than the 7 healthcare providers impacted by the breach.

Several cybersecurity companies have reported an increase in COVID-19-related attacks, such as phishing campaigns that use COVID-19-themed lures. While there is strong evidence that these types of attacks have increased since the start of the pandemic, the overall number of cyberattacks appears to have remained broadly the same or increased only slightly. Microsoft has reported that its data shows a slight increase in attacks, but says this only represents a blip and that the number of threats and cyberattacks has changed little during the pandemic.

Threat activity does not appear to have dropped, so the fall in reported cyberattacks and data breaches could indicate that threat actors have taken the decision not to attack healthcare providers on the front line in the fight against COVID-19. The Maze ransomware gang publicly stated that it would not target healthcare providers during the COVID-19 pandemic, but many other ransomware gangs appear to have stepped up their attacks and are making no such concessions.

It is also possible that rather than cyberattacks and data breaches falling, covered entities and business associates have not been detecting breaches or have delayed reporting. The reason for the fall in reported breaches is likely to become clearer over the coming weeks and months and we will see if this is part of a new trend or if the drop is simply a blip.

While it is certainly good news that the number of breaches has fallen, there was a significant increase in the number of exposed and compromised healthcare records. There were 10 fewer data breaches reported in May 2020 than April, but 1,064,652 healthcare records were breached in May. That is more than twice the number of records breached in April.

Largest Healthcare Data Breaches in May 2020

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach
Elkhart Emergency Physicians, Inc. | IN | Healthcare Provider | 550,000 | Improper Disposal
BJC Health System | MO | Business Associate | 287,876 | Hacking/IT Incident
Saint Francis Healthcare Partners | CT | Business Associate | 38,529 | Hacking/IT Incident
Everett & Hurite Ophthalmic Association | PA | Healthcare Provider | 34,113 | Hacking/IT Incident
Management and Network Services, LLC | OH | Business Associate | 30,132 | Hacking/IT Incident
Sanitas Dental Management | FL | Healthcare Provider | 19,000 | Loss
Mediclaim, LLC | MI | Business Associate | 14,931 | Hacking/IT Incident
Woodlawn Dental Center | OH | Healthcare Provider | 14,419 | Hacking/IT Incident
Mat-Su Surgical Associates, APC | AK | Healthcare Provider | 13,146 | Hacking/IT Incident
Mille Lacs Health System | MN | Healthcare Provider | 10,630 | Hacking/IT Incident

Causes of May 2020 Healthcare Data Breaches

The largest healthcare data breach of the month affected Elkhart Emergency Physicians, Inc. and involved the improper disposal of paper records by business associate Central Files Inc. Elkhart Emergency Physicians was one of seven Indiana healthcare providers to be affected by the breach. In total, the records of 554,876 patients were exposed as a result of that improper disposal incident. There was one other improper disposal incident reported in May, making this the joint second biggest cause of data breaches in the month. Those improper disposal incidents accounted for 52.17% of breached records in May. The mean breach size was 69,434 records and the median breach size was 938 records.

There were 8 unauthorized access/disclosure incidents reported, although those breaches accounted for only 2.35% of breached records in May. The mean breach size was 3,124 records and the median breach size was 3,220 records.

Hacking/IT incidents once again topped the list as the main cause of healthcare data breaches, accounting for 39.28% of the month’s breaches and 43.69% of breached records in May. The mean breach size was 42,290 records and the median breach size was 14,419 records.

There was one loss incident involving a network server that contained the records of 19,000 patients. There were no reports of theft of physical records or devices containing electronic protected health information.

The graph below shows the location of breached protected health information. For the past several months, email has been the most common location of breached PHI due to the high number of healthcare phishing attacks. The number of reported phishing attacks dropped in May, hence the lower than average number of email-related breaches. While the number of incidents fell, there was one major phishing attack reported. An attack on BJC Health System saw 3 email accounts compromised. Those accounts included emails and attachments containing the PHI of 287,876 patients.
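The per-cause figures quoted above (number of breaches, share of breaches, share of breached records, mean and median breach size) can be reproduced from the CSV export of the OCR breach portal. The script below is an added example written for this page; it is not code from HIPAA Journal or from HHS. The column names are an assumption about the portal's export layout (check them against a real download), the ten May rows are the breaches from the table above, and the submission dates and the trailing June row are constructed placeholders used only to show the month filter.

```python
import csv
import io
import statistics
from collections import Counter, defaultdict

# Constructed sample in the shape of the OCR breach portal CSV export.
# Column names are an assumption about the portal's export; the ten May
# breaches are those listed in the article's table, the submission dates
# are placeholders, and the last row is an invented June entry included
# only to demonstrate month filtering.
SAMPLE_CSV = """Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach
"Elkhart Emergency Physicians, Inc.",IN,Healthcare Provider,550000,05/28/2020,Improper Disposal
BJC Health System,MO,Business Associate,287876,05/05/2020,Hacking/IT Incident
Saint Francis Healthcare Partners,CT,Business Associate,38529,05/12/2020,Hacking/IT Incident
Everett & Hurite Ophthalmic Association,PA,Healthcare Provider,34113,05/15/2020,Hacking/IT Incident
"Management and Network Services, LLC",OH,Business Associate,30132,05/20/2020,Hacking/IT Incident
Sanitas Dental Management,FL,Healthcare Provider,19000,05/08/2020,Loss
"Mediclaim, LLC",MI,Business Associate,14931,05/22/2020,Hacking/IT Incident
Woodlawn Dental Center,OH,Healthcare Provider,14419,05/18/2020,Hacking/IT Incident
"Mat-Su Surgical Associates, APC",AK,Healthcare Provider,13146,05/27/2020,Hacking/IT Incident
Mille Lacs Health System,MN,Healthcare Provider,10630,05/29/2020,Hacking/IT Incident
Example Clinic (constructed),TX,Healthcare Provider,800,06/02/2020,Theft
"""


def load_breaches(csv_text):
    """Parse portal-style CSV rows into dicts with an integer record count."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "entity": row["Name of Covered Entity"],
            "state": row["State"],
            "entity_type": row["Covered Entity Type"],
            "records": int(row["Individuals Affected"].replace(",", "")),
            "submitted": row["Breach Submission Date"],  # MM/DD/YYYY
            "breach_type": row["Type of Breach"],
        })
    return rows


def for_month(rows, year, month):
    """Keep only breaches whose submission date falls in the given month."""
    selected = []
    for r in rows:
        mm, _dd, yyyy = r["submitted"].split("/")
        if int(yyyy) == year and int(mm) == month:
            selected.append(r)
    return selected


def stats_by_type(rows):
    """Per breach type: count, share of breaches, share of records, mean, median.

    These are the same figures the monthly report quotes for each cause.
    """
    groups = defaultdict(list)
    for r in rows:
        groups[r["breach_type"]].append(r["records"])
    total_breaches = len(rows)
    total_records = sum(r["records"] for r in rows)
    result = {}
    for btype, sizes in groups.items():
        result[btype] = {
            "breaches": len(sizes),
            "pct_breaches": round(100 * len(sizes) / total_breaches, 2),
            "pct_records": round(100 * sum(sizes) / total_records, 2),
            "mean": round(statistics.mean(sizes)),
            "median": statistics.median(sizes),
        }
    return result


def count_by(rows, field):
    """Breach counts keyed by a field such as 'state' or 'entity_type'."""
    return Counter(r[field] for r in rows)


def top_n(rows, n=10):
    """The n largest breaches by individuals affected, largest first."""
    return sorted(rows, key=lambda r: r["records"], reverse=True)[:n]


if __name__ == "__main__":
    may = for_month(load_breaches(SAMPLE_CSV), 2020, 5)
    print(f"{len(may)} breaches, {sum(r['records'] for r in may):,} records")
    for btype, s in sorted(stats_by_type(may).items()):
        print(f"{btype:22s} {s}")
    print(dict(count_by(may, "entity_type")))
    print(dict(count_by(may, "state")))
```

Because the sample holds only the ten largest May breaches rather than all 28, the shares it prints are not the report's figures; run it over the full export for the month to reproduce them. The same grouping also yields the by-state and by-entity-type counts discussed in the sections that follow.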

May 2020 Healthcare Data Breaches by Covered Entity Type

In line with virtually every other month since the HITECH Act mandated the HHS’ Office for Civil Rights to start publishing summaries of data breaches on its ‘Wall of Shame’, healthcare providers were hardest hit, with 21 reported data breaches. It was a good month for health plans, with only one reported breach, but a particularly bad month for business associates. 6 business associates reported data breaches in May, and a further 8 breaches involved business associates but were reported by the covered entity.

Healthcare Data Breaches by State

Data breaches were reported by covered entities and business associates in 17 states in May. Indiana was the worst affected state with 7 reported breaches of 500 or more records, all of which were due to the improper disposal of records by business associate, Central Files, Inc.

There were 3 data breaches reported in each of Michigan and Ohio, two breaches reported by healthcare providers in Pennsylvania, and one breach was reported in each of Alaska, Arizona, California, Connecticut, Florida, Georgia, Illinois, Maryland, Minnesota, Missouri, Nebraska, New York, and Texas.

HIPAA Enforcement Activity in May 2020

There were no announcements about HIPAA penalties from the HHS’ Office for Civil Rights or state attorneys general in May 2020.

The post May 2020 Healthcare Data Breach Report appeared first on HIPAA Journal.

Hacker Arrested and Charged Over 2014 UPMC Cyberattack

The United States Attorney’s Office of the Western District of Pennsylvania has announced that a suspect has been arrested and charged over the 2014 hacking of the human resources databases of University of Pennsylvania Medical Center (UPMC).

UPMC owns 40 hospitals and around 700 outpatient sites and doctors’ offices and employs over 90,000 individuals. In January 2014, UPMC discovered a hacker had gained access to an Oracle PeopleSoft database on a human resources server that contained the personally identifiable information (PII) of 65,000 UPMC employees. Data was stolen in the attack and was allegedly offered for sale on the darknet. The stolen data included names, addresses, dates of birth, salary and tax information, and Social Security numbers.

The suspect has been named as Justin Sean Johnson, a 29-year-old man from Michigan who previously worked as an IT specialist at the Federal Emergency Management Agency.

Johnson, who operated under the monikers TDS and DS, was indicted on 43 counts on May 20, 2020: one count of conspiracy, 37 counts of wire fraud, and 5 counts of aggravated identity theft. Johnson is alleged to have hacked into the database, exfiltrated PII, and sold the stolen data on darknet marketplaces such as AlphaBay Market to multiple buyers worldwide. Prosecutors also allege that, in addition to selling the PII of UPMC employees, Johnson sold other PII on darknet forums between 2014 and 2017.

The PII stolen from UPMC was subsequently used in a massive campaign to defraud UPMC employees. Hundreds of fraudulent tax returns were filed in the names of UPMC employees, which prosecutors say resulted in around $1.7 million in false refunds being issued. Those refunds were converted into Amazon gift cards that were used to obtain around $885,000 in goods, which were mostly shipped to Venezuela to be sold in online marketplaces.

Two other people were charged in connection with the hacking of UPMC. In 2017, Venezuelan national Maritza Maxima Soler Nodarse pleaded guilty to conspiracy to defraud the United States and was involved in filing the fraudulent tax returns. A Cuban national, Yoandy Perez Llanes, pleaded guilty to money laundering and aggravated identity theft in 2017. Maritza Maxima Soler Nodarse was sentenced to time served and was deported, and Yoandy Perez Llanes will be sentenced in August 2020.

The breach investigation revealed that access to the Oracle PeopleSoft database was first gained on December 1, 2023. After gaining access to the database, a test query was performed and the data of approximately 23,500 individuals was accessed. Between January 21, 2014 and February 14, 2014, the database was accessed on multiple occasions each day and the data of tens of thousands of UPMC employees was stolen.

Johnson faces a long prison term if found guilty of the crimes. The conspiracy charge carries a maximum prison term of 5 years and a fine of up to $250,000. The wire fraud charges carry a maximum prison term of 20 years and a fine of up to $250,000 for each count, and each count of aggravated identity theft carries a mandatory 2-year prison term and a fine of up to $250,000.

“The healthcare sector has become an attractive target of cyber criminals looking to update personal information for use in fraud; the Secret Service is committed to detecting and arresting those that engage in crimes against our Nation’s critical systems for their own profit,” said Timothy Burke, Special Agent in Charge, U.S. Secret Service, Pittsburgh Field Office.

“Hackers like Johnson should know that our office will pursue you relentlessly until you are in custody and held accountable for your crimes,” said U.S. Attorney Brady.

The post Hacker Arrested and Charged Over 2014 UPMC Cyberattack appeared first on HIPAA Journal.