HIPAA Breach News

Four Healthcare Providers and a Ventilator Manufacturer Attacked with Ransomware

Long Island City, NY-based Boyce Technologies Inc, which makes transport communication systems and recently switched its production facilities to produce ventilators for hospitals during the pandemic, has been attacked with DoppelPaymer ransomware. Data was stolen prior to file encryption and a sample of the stolen data has been published on the threat actor’s blog. The stolen data includes purchase orders, assignment forms, and other sensitive data.

Boyce Technologies Inc. was approved by the FDA to manufacture ventilators and was producing around 300 machines a day. Those ventilators have been used in hospitals in New York and the company is now making ventilators for other areas. The ransomware attack has threatened the production of those ventilators and has potentially put lives at risk.

Piedmont Orthopedics/OrthoAtlanta, a network of orthopedic and sports medicine centers in the greater Atlanta area, has been attacked by threat actors using Pysa (Mespinosa) ransomware. As with the attack on Boyce Technologies, the threat actors exfiltrated sensitive data prior to encrypting files. According to databreaches.net, around 3.5 GB of data have been published online, including files that contain patients’ protected health information. Olympia House Rehab in Petaluma, CA and the Center for Fertility and Gynecology in Los Angeles, CA have both been attacked with Netwalker ransomware and have had data stolen and published online, including patients’ protected health information.

Muskingum Valley Health Centers in Zanesville, OH has recently notified 7,447 patients that some of their protected health information was potentially obtained by threat actors prior to the deployment of ransomware on the medical record system used by OB GYN Specialists of Southeastern Ohio Inc.

The EHR contained the records of patients who received care between 2012 and 2017. The attack occurred on May 31, 2020 and was identified on June 2. The investigation found no evidence suggesting patient information was stolen prior to the use of ransomware, although the possibility of data theft could not be ruled out. The attackers potentially had access to names, dates of birth, addresses, Social Security numbers, diagnoses, medical conditions, lab test results, treatment information, insurance claim information, and financial information. Affected individuals have been offered 24 months of complimentary credit monitoring and identity theft recovery services. Security policies, procedures and password requirements have been updated to prevent further attacks.

41 healthcare providers reported ransomware attacks in the first half of 2020 according to Emsisoft. The double-extortion attacks involving threats to publish or sell data if the ransom is not paid are growing, with many threat groups now adopting this tactic. According to Emsisoft, around 1 in 10 ransomware attacks now involve data theft.

The post Four Healthcare Providers and a Ventilator Manufacturer Attacked with Ransomware appeared first on HIPAA Journal.

Children’s Hospital Colorado Suffers Phishing Attack

Children’s Hospital Colorado is notifying 2,553 patients that some of their protected health information was stored in an email account that was accessed by an unauthorized individual between April 6 and April 12, 2020.

Credentials to access the account were obtained when an employee responded to a phishing email. The phishing attack was identified by the hospital on June 22, 2020 and the account was immediately secured. A review of the emails and email attachments in the account revealed they contained patient names, zip codes, dates of service, medical record numbers, and clinical diagnosis information.

Steps have since been taken to harden email security defenses, platforms are being evaluated for educating staff on cybersecurity, and technical controls related to email are also being reviewed.

Stolen Hoag Clinic Laptop Contained Unencrypted PHI

On June 5, 2020, a laptop computer issued to an employee of the Hoag Clinic in Costa Mesa, CA was stolen from a vehicle parked in the worksite parking lot in Newport Beach. The theft was discovered the same day and law enforcement was notified, but the laptop computer has not been recovered.

The IT security team determined the laptop contained the protected health information of 738 individuals, including first and last names, middle initial, address, phone number, date of birth, age, medical record number, e-mail address, physician name, whether the patient is being followed by case management, if a COVID-19 test has been conducted, if the individual had been transferred to case management, if a telehealth visit had been scheduled, communication status notes, and if the individual was interested in home health.

Hoag Clinic has re-educated its workforce on security safeguards, enhanced its policies covering the transportation of laptop computers between worksites, and conducted a thorough security assessment to ensure all appropriate cybersecurity safeguards are in place. Affected individuals have been offered complimentary membership to the Experian IdentityWorks identity theft detection and resolution service for 12 months.


PHI Exposed in Phishing Attacks on FHN and Elkins Rehabilitation & Care Center

The Freeport, IL-based healthcare system FHN is notifying certain patients that some of their protected health information has potentially been obtained by an unauthorized individual who gained access to the email accounts of several employees between February 12 and February 13, 2020.

FHN announced on April 20, 2020 that the investigation had confirmed that a breach occurred, but it took time to determine the information that may have been viewed or obtained. It was not possible to determine whether patient information contained in the accounts was viewed or obtained, but data access could not be ruled out. Affected individuals were notified on July 31, 2020.

The compromised accounts contained names, dates of birth, health insurance information, medical record numbers, patient account numbers, and limited treatment and/or clinical information, such as provider names, diagnoses, and medication information. A limited number of Social Security numbers and driver’s license numbers were also potentially compromised.

Complimentary credit monitoring and identity protection services have been offered to individuals whose Social Security numbers and/or driver’s license numbers were exposed.

FHN has provided further training to its employees to help them identify and avoid suspicious emails and steps have been taken to strengthen email security, including the use of 2-factor authentication.

3,127 Patients Impacted by Email Security Incident at Elkins Rehabilitation & Care Center

In February 2019, Elkins Rehabilitation & Care Center (ERCC) in West Virginia discovered unauthorized individuals had gained access to the email accounts of some of its employees. An internal investigation by the IT security team revealed several computer systems had been infected with malware between February 4, 2019 and February 7, 2019. The IT security team worked quickly to identify and remove the malware, and a full password reset was performed on all email accounts. When ERCC learned that the malware was capable of exfiltrating emails, an e-discovery expert was engaged to review all emails in the affected accounts to determine the information that was potentially stolen in the attack.

The review of the accounts was completed on July 1, 2020 and notification letters have now been sent to all affected individuals. The breached accounts contained personal and protected health information of current and former residents and employees such as first and last names, limited protected health information, Social Security numbers, and/or driver’s license numbers. Complimentary identity theft restoration and credit monitoring services have been offered to affected individuals.

Steps have been taken to prevent further breaches in the future, including the replacement of hard drives on computers infected with the malware and the installation of new antivirus and antimalware solutions on all computers. Additional security awareness training has also been provided to its employees.


69,777 Patients Impacted by Allergy and Asthma Clinic of Fort Worth Hacking Incident

Allergy and Asthma Clinic of Fort Worth has discovered an unauthorized individual gained access to its computer systems and potentially obtained patients’ billing information. The breach was detected on June 4, 2020 and steps were immediately taken to prevent further unauthorized access. The breach investigation revealed the hacker gained access to the network on May 20, 2020.

A review of the compromised computer systems revealed the hacker potentially accessed files containing patients’ names, addresses, telephone numbers, dates of birth, Social Security numbers, insurance information, and information regarding the reason for visits.

Cybersecurity professionals were retained to conduct a review of Allergy and Asthma Clinic of Fort Worth’s security measures, and additional protections will be implemented, as appropriate, to strengthen network security and prevent further data breaches.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 69,777 individuals were affected by the breach.

Chinese Hackers Targeted Biotech Firm Working on COVID-19 Vaccine

The Massachusetts-based biotech firm Moderna has been targeted by hackers looking for COVID-19 research data. Moderna has been working on a vaccine for COVID-19 and announced its vaccine candidate in January. According to Reuters, the firm identified “information reconnaissance activities” in January and has been in contact with the FBI over the suspected attack.

The firm is believed to have been targeted by the Chinese hackers indicted by the Department of Justice in July for conducting an 11-year campaign of cyber espionage attacks on U.S. businesses and government agencies.

The reconnaissance is believed to have been part of an attempt to steal data related to Moderna’s mRNA COVID-19 vaccine, which has recently entered a phase III clinical trial.

“Moderna remains highly vigilant to potential cybersecurity threats, maintaining an internal team, external support services and good working relationships with outside authorities to continuously assess threats and protect our valuable information,” said Moderna spokesperson Ray Jordan.


PHI of Customers Stolen in Looting Incidents at Cub Pharmacies

Another pharmacy chain has announced that the protected health information of some of its customers has been stolen by looters in late May during the period of civil unrest.

Between May 27 and May 30, 2020, eight Cub pharmacies in the Minneapolis area were broken into and items were stolen, including paperwork containing the protected health information of its customers. Items taken from the pharmacies included locked safes that contained credit card authorization forms and prescriptions that had been processed and were awaiting collection. Binders containing printed records of past prescriptions and orders that were in the process of being prepared were taken from six of the pharmacies in Minneapolis and St. Paul.

The information on the credit card forms included the cardholder name, credit card number, expiry date, and the amount of the transaction, but did not include the CVV code, which is required to make purchases over the telephone. These forms related only to individuals who had arranged to have prescriptions delivered or mailed, not to customers who paid by credit card in person in a pharmacy.

Cub discovered the theft of items immediately upon entering the stores between May 28 and May 30. A review of CCTV footage revealed further customer information had been taken when the stores were looted. Where possible, customers affected by the breach were notified directly, although it was not possible to identify all affected customers in that manner, as it could not be determined which customers’ PHI was included in the stolen binders.

The customer information obtained by the looters was limited and did not include the types of information sought by identity thieves. Cub does not believe that affected individuals are at risk of identity theft; however, as a precaution, all affected individuals are being encouraged to review their financial and explanation of benefits statements for any signs of misuse of their information. No cases of misuse of customer information have been received to date.

Cub is the fourth pharmacy chain to announce that customer information was compromised in recent break-ins. Breaches have also been reported by Walgreens (72,143 individuals), CVS Pharmacy (21,289 individuals) and Kroger (10,974 individuals). According to the DEA, more than a third of the 476 retail pharmacies in Philadelphia were looted, and many pharmacies in other areas across the United States have also suffered destructive attacks and have had prescription drugs and other items stolen.


6,000 Patients Notified About Email Security Breach at Beaumont Health

Beaumont Health, the largest healthcare provider in Michigan, has started notifying approximately 6,000 patients that some of their protected health information has potentially been accessed by unauthorized individuals.

On June 5, 2020, Beaumont Health learned that email accounts accessed by unauthorized individuals between January 3, 2020 and January 29, 2020 contained protected health information, including names, dates of birth, diagnoses, diagnosis codes, procedure and treatment information, type of treatment provided, prescription information, patient account numbers, and medical record numbers.

While the email accounts were accessed by unauthorized individuals, no evidence was found to suggest emails or email attachments in the accounts were viewed or copied by the attackers and no reports have been received that suggest patient data has been misused.

This is the second phishing-related breach to be announced by Beaumont Health this year. In April, Beaumont Health started notifying 112,211 individuals that some of their PHI was contained in email accounts that were breached in late 2019.

Beaumont Health has taken steps to improve its internal procedures to allow it to identify and remediate threats more rapidly in the future and additional safeguards have been implemented to improve email security, including the use of multi-factor authentication. Further training has also been provided to employees on the identification and handling of malicious emails.

Improper Disposal of Medical Files at Southcare Minute Clinic

Southcare Minute Clinic in Wilmington, NC, is being investigated by the North Carolina Department of Health and Human Services over the improper disposal of medical files. The Wilmington Police Department responded to a call advising them that sensitive documents and hazardous waste had been disposed of in a regular dumpster behind the former Southcare Minute Clinic at 1506 Market St.

The dumpster was found to contain paperwork that included patient information, used needles, and other hazardous waste. The police confirmed that HIPAA Rules had been violated but determined no crime had been committed. The dumpster has since been removed and there is no longer any threat to public safety. The North Carolina Department of Health and Human Services will determine whether a financial penalty is appropriate.

Samaritan Medical Center Investigating Potential Security Breach

Samaritan Medical Center in Watertown, NY has announced it has experienced a security incident that has forced it to take its computer systems offline. Staff have switched to pen and paper while the attack is remediated and while care is still being provided to patients. No patients have been transferred to other facilities, but the decision was taken to cancel some non-urgent appointments. No further information on the exact nature of the security breach has been released at this stage.


PHI Compromised in CVS Pharmacy and Walgreens Break-ins

CVS Pharmacy is alerting certain patients that some of their personal and protected health information has been lost following several incidents at its pharmacies between May 27, 2020 and June 8, 2020. During that time frame, several of its pharmacies were affected by looting and vandalism incidents. Unauthorized individuals gained access to several of its stores and stole filled prescriptions from pharmacy waiting bins. Vaccine consent forms and paper prescriptions were also lost and potentially stolen in the incidents.

The types of information compromised include names, addresses, dates of birth, medication names, prescriber information, and primary care provider information. No reports have been received to date to indicate there has been any misuse of customer information.

CVS Pharmacy has reported the incidents to the HHS’ Office for Civil Rights collectively as affecting 21,289 individuals.

Walgreens Reports Series of Break-ins and Theft of PHI

Walgreens Pharmacy has reported similar incidents at its pharmacies over the same period. According to the breach notification sent to the California Attorney General’s office, various groups of individuals broke into Walgreens stores in several locations between May 26, 2020 and June 5, 2020. The individuals stole many items from the stores, some of which contained the personal and protected health information of its customers.

These included a limited number of hard drives that were connected to cash registers, an automation device used for printing prescription labels, filled prescriptions that were awaiting collection, and some paper records. Social Security numbers and financial information were not compromised.

The information obtained by unauthorized individuals varied from customer to customer and may have included the following types of information: first and last name, address, phone number, date of birth/age, prescription number, prescriber name, health plan name and group number, vaccination information (including eligibility information), medication name (including strength, quantity, and description), email address, Balance Rewards number, photo ID number, driver’s license information, state ID number, military ID number, and passport information (e.g., for customers purchasing drugs such as pseudoephedrine).

Following the break-ins, Walgreens immediately took steps to prevent fraud, such as closing out and re-entering impacted prescriptions and reversing insurance claims for filled prescriptions. It is currently unclear how many individuals have been affected.


OCR Imposes $1 Million HIPAA Penalty on Lifespan for Lack of Encryption and Other HIPAA Failures

The HHS’ Office for Civil Rights has imposed a $1,040,000 HIPAA penalty on Lifespan Health System Affiliated Covered Entity (Lifespan ACE) following the discovery of systemic noncompliance with the HIPAA Rules.

Lifespan is a not-for-profit health system based in Rhode Island that has many healthcare provider affiliates in the state. On April 21, 2017, a breach report was filed with OCR by Lifespan Corporation, the parent company and business associate of Lifespan ACE, about the theft of an unencrypted laptop computer on February 25, 2017.

An employee’s vehicle, parked in a public parking lot, was broken into and the laptop left inside was stolen. The laptop contained information such as patient names, medical record numbers, medication information, and demographic data of 20,431 patients of Lifespan’s healthcare provider affiliates.

OCR investigated the breach and discovered systemic noncompliance with the HIPAA Rules. Lifespan ACE uses a variety of mobile devices and had conducted a risk analysis to identify potential risks to the confidentiality, integrity, and availability of ePHI. Through the risk analysis, Lifespan ACE determined that the use of encryption on mobile devices such as laptops was reasonable and appropriate given the level of risk, but failed to implement encryption. The lack of encryption was a violation of 45 C.F.R. § 164.312(a)(2)(iv).

OCR also discovered Lifespan ACE had not implemented policies and procedures that required the tracking of portable devices with access to a network containing ePHI, nor was there a comprehensive inventory of those devices, in violation of 45 C.F.R. § 164.310(d)(1).

Lifespan Corporation was a business associate of Lifespan ACE, but both entities had failed to enter into a business associate agreement with each other. Lifespan ACE had also not obtained a signed business associate agreement from its healthcare provider affiliates, in violation of 45 C.F.R. § 164.502(e).

As a result of the compliance failures, Lifespan ACE was responsible for the impermissible disclosure of the ePHI of 20,431 individuals when the laptop was stolen (see 45 C.F.R. § 164.502(a)).

Lifespan ACE agreed to settle the case, pay the financial penalty, and adopt a comprehensive corrective action plan (CAP). The CAP requires Lifespan ACE to enter into business associate agreements with its affiliates and parent company, create an inventory of all electronic devices, implement encryption and configure access controls, and review and revise its policies and procedures with respect to device and media controls. Those policies and procedures must be distributed to the workforce and training must be provided on the new policies. Lifespan ACE’s compliance efforts will be scrutinized by OCR for the duration of the two-year CAP.

“Laptops, cellphones, and other mobile devices are stolen every day, that’s the hard reality. Covered entities can best protect their patients’ data by encrypting mobile devices to thwart identity thieves,” said Roger Severino, OCR Director.

This is the second HIPAA penalty to be announced by OCR in the past week. On July 23, 2020, OCR announced Metropolitan Community Health Services dba Agape Health Services had been fined $25,000 for longstanding, systemic noncompliance with the HIPAA Security Rule.


University of Utah Reports Phishing Attack Involving the PHI of Up to 10,000 Patients

The University of Utah has experienced a phishing attack that has potentially involved the protected health information of up to 10,000 patients. This is the fourth data breach to be reported to the Department of Health and Human Services by the University of Utah in 2020. All four incidents are listed as hacking/IT incidents involving email. The previous breach reports were submitted on June 8, 2020 (1,909 individuals), April 3, 2020 (5,000 individuals), and March 21, 2020 (3,670 individuals).

Unauthorized individuals gained access to employee email accounts between January 22, 2020 and May 22, 2020, according to the substitute breach notice on the University of Utah Health website. It is unclear at this stage if the latest breach report also involved access to employee email accounts in the same time frame.

Kathy Wilets, Director of Public Relations at University of Utah Health, provided a statement to databreaches.net in which she explained that the phishing incidents were being treated as separate incidents but may have been part of a coordinated campaign. She said the latest incident potentially involved access to a limited amount of patient information and that the number of individuals affected (10,000) is an estimate; the investigation may reveal fewer individuals were affected. Steps have since been taken to improve email security, including the implementation of 2-factor authentication.

Highpoint Foot and Ankle Center Ransomware Attack Impacts 25,554 Patients

Highpoint Foot and Ankle Center in New Britain Township, PA suffered a ransomware attack in May 2020 in which patient information was encrypted and potentially accessed or exfiltrated by the attackers. Highpoint Foot and Ankle discovered the attack on May 20, 2020 when staff were prevented from accessing certain files on the network.

An investigation was launched which revealed an unauthorized individual had remotely installed ransomware on its computer systems. No evidence was found to suggest patient data was accessed by the attacker prior to file encryption nor have any reports been received that indicate patient information has been misused.

A third-party computer forensics firm was hired to assist with the investigation and determined files containing the protected health information of 25,554 patients were potentially compromised. The files contained names, addresses, dates of birth, Social Security numbers, diagnoses, treatment information, and release states.

Additional safeguards have now been implemented to protect patient records and all patients affected by the breach have been notified by mail.
