HIPAA Breach News

Breaches Reported by Hanger Clinic, Gateway Health, and Sunrise Treatment Center

Sunrise Treatment Center in Cincinnati, OH is alerting 3,660 patients that some of their protected health information may have been accessed by an unauthorized individual who gained access to the email account of an employee. The breach occurred on February 26, 2020 and was detected the following day.

A forensic investigation of the breach was completed on April 15, 2020 and confirmed that the email account contained patient information such as first and last names, birth dates, descriptions of the treatment provided, medications, health plan numbers, account balances, treatment dates, and some Social Security numbers.

While patient information may have been accessed, the purpose of the attack was to try to convince Sunrise employees to wire money to a foreign bank account. A fraudulent wire transfer was detected and blocked before any money left Sunrise accounts.

Sunrise found no evidence to suggest patient information was accessed or obtained in the attack but, as a precaution, Sunrise has offered affected patients complimentary membership to credit monitoring services for 12 months. Following the breach, a third-party specialist was engaged to conduct a comprehensive security assessment and additional safeguards have now been implemented to prevent further attacks.

PHI of Gateway Health Members Exposed in Business Associate Phishing Attack

Gateway Health, a managed care organization serving members in Pennsylvania, has discovered the protected health information of some of its members has potentially been compromised.

Gateway Health uses National Imaging Associates (NIA) to review orders for imaging services. On April 11, 2020, NIA discovered its systems had been breached and an unauthorized individual had gained access to its email system. The investigation confirmed that access to emails was gained following a response to a phishing email.

The compromised emails included Gateway Health members’ names, dates of birth, Gateway ID numbers, treatment information, payment and health plan information.

The compromised email account was used to conduct further phishing attacks. No evidence was found to suggest Gateway Health members’ information was accessed or stolen and no reports have been received about misuse of members’ personal and protected health information.

NIA has taken steps to improve security and has offered all affected Gateway Health members complimentary membership to credit monitoring services for 12 months.

Hanger Clinic Reports Improper Disposal Incident

Hanger Prosthetics & Orthotics, Inc., doing business as Hanger Clinic, has discovered a storage facility used by its Kirksville location in Missouri was accessed by storage facility staff who disposed of boxes of files containing patient records.

When Hanger Clinic learned about the incident, staff members were sent to the storage facility to secure the remaining records. Those records have now been recovered and the storage facility is no longer being used.

The files contained the records of 6,033 patients. Information in the files included names, addresses, dates of birth, dates of service, medical record numbers, treatment histories, copies of driver’s licenses, prescription information, insurance information, and Social Security numbers.

As a precaution against identity theft and fraud, affected patients have been offered complimentary identity theft protection and credit monitoring services.

The post Breaches Reported by Hanger Clinic, Gateway Health, and Sunrise Treatment Center appeared first on HIPAA Journal.

Ransomware Attacks Reported by Rangely District Hospital and Electronic Waveform Lab

Rangely District Hospital in Colorado has started notifying patients that some of their protected health information was stored on parts of its network that were affected by an April 2020 ransomware attack.

The ransomware attack was discovered on April 9, 2020 and steps were taken to contain the attack, but it was not possible to prevent the encryption of certain files, some of which contained patient information.

Rangely District Hospital said the initial attack on its systems occurred on April 2, 2020, but ransomware was not deployed until April 9, 2020. The hospital reports that the encryption process was automated, and no evidence was found to suggest data was accessed or exfiltrated. The investigation indicates a foreign threat actor conducted the attack, but it was not possible to determine who was responsible.

While patient data is not believed to have been obtained, it was not possible to rule out unauthorized access. Files encrypted by the ransomware that could potentially have been viewed included the following types of personal and protected health information: names, dates of birth, Social Security numbers, addresses, telephone numbers, driver’s license copies, dates of service or hospital admissions, diagnoses and conditions, treatment or procedure notes and orders, imaging studies, medications, and health insurance, claims, and billing information.

While it was possible to recover many files from backups without paying the ransom, some patient data remains inaccessible. In addition to the files containing patient information, files essential to a legacy software system were also encrypted and could not be recovered. Rangely District Hospital used a ‘Meditech’ database for storing patient records between August 2012 and August 2017 and the legacy software is required to view patient records in the database. The database itself was not affected by the attack, but without the software, patient records from that 5-year period cannot be accessed. The records of certain patients who received home health services between June 2019 and April 2020 are also still inaccessible. Rangely District Hospital is currently exploring other options for accessing the database.

Patient Information Potentially Compromised in Electronic Waveform Lab Ransomware Attack

Electronic Waveform Lab, a Huntington Beach, CA-based manufacturer of medical, surgical, ophthalmic, and veterinary instruments, has announced it has suffered a ransomware attack that resulted in the encryption of data on some of its servers.

The affected servers only contained a limited amount of personal and health information of patients such as names, addresses, diagnosis codes, and some treatment information. The forensic experts investigating the ransomware attack were unable to determine whether patient data was accessed or obtained by the attackers prior to data encryption, but the possibility could not be ruled out.

Electronic Waveform Lab had implemented security measures before the attack to protect patient information but, in this instance, they were not sufficient to block the attack. Security measures have now been reviewed and are being enhanced to prevent similar breaches in the future.

Electronic Waveform Lab was able to restore its servers and data. No patient information was lost as a result of the attack.

Cano Health Discovers 2-Year Email Account Breach

The Florida-based population health management company and healthcare provider Cano Health has discovered the email accounts of three employees were accessed by an unauthorized individual who set up a mail forwarding rule on the accounts that forwarded emails to external addresses.

The breach was detected on April 13, 2020, but the investigation revealed the accounts were compromised two years previously, on or around May 18, 2018. All emails sent to and from the accounts between May 18, 2018 and April 13, 2020 are believed to have been obtained and have potentially been accessed.

A review of the emails confirmed they contained personal and protected health information such as names, contact information, dates of birth, healthcare information, insurance information, social security numbers, government identification numbers and/or financial account numbers.

Cano Health is in the process of notifying affected individuals and has advised them to regularly review their accounts and benefits statements for signs of fraudulent activity. Cano Health will be providing affected patients with complimentary credit monitoring services.

Cano Health is taking steps to improve email security. “We are committed to continuously updating our information security to guard against new and emerging threats,” said Cano Health Chief Executive Officer, Dr. Marlow Hernandez-Cano.

The breach has yet to appear on the Department of Health and Human Services’ Office for Civil Rights website, so it is currently unclear how many patients have been affected.

City of Philadelphia Phishing Attack Impacts 33,376 Patients

The City of Philadelphia’s Department of Behavioral Health and Intellectual disAbility Services (DBHIDS) has announced it has experienced a cyberattack that has resulted in the exposure of the protected health information of 33,376 individuals.

On March 31, 2020, suspicious activity was detected in the email account of an employee, although the breach investigation confirmed on April 2, 2020 that two email accounts had been compromised. The investigation into the phishing attack is ongoing and forensics experts are currently reviewing the email accounts, but no evidence has been found indicating patient data was accessed or exfiltrated by the attackers.

The breach affects patients with intellectual disabilities who had previously received services from the Division of Intellectual disAbility Services (IDS). The types of information compromised varied from patient to patient and may have included the following data elements: Names, dates of birth, addresses, Social Security numbers, health insurance information, account and/or medical record numbers, diagnoses, dates of service, provider names, and brief descriptions of the services the individual had applied for or were receiving from IDS. A limited number of scans of birth certificates and Social Security cards were also included in the compromised accounts.

Breach notification letters will be sent to affected individuals by mail in the coming weeks and complimentary credit monitoring services will be provided.

Several steps have been taken to prevent similar breaches from occurring in the future. Staff will be provided with further education to help them recognize phishing emails and monitoring of network activity has been increased.

Email Security Breach Experienced by MU Health Care

Columbia, MO-based MU Health Care has started notifying patients about an email security breach that was detected on September 21, 2019.

The attacker gained access to the email accounts of certain University of Missouri students affiliated with MU Health Care. The affected students had created email accounts with a third party that suffered a data breach in which email credentials were stolen. Those credentials were then used to access the students’ university email accounts between September 21 and September 26, 2019.

The breach only affected the students whose accounts were accessed. Their email accounts contained information such as names, dates of birth, Social Security numbers, and limited treatment and clinical information.

The breach highlights how important it is to use a unique password for each account.

Everett & Hurite Ophthalmic Association Email Breach Impacts 34,000 Patients

The Everett & Hurite Ophthalmic Association (EHOA), a team of ophthalmology specialists serving Pittsburgh, PA & Warrendale, PA, has discovered an unauthorized individual gained access to the email account of one of its employees and potentially viewed patient information.

EHOA became aware of a breach on March 23, 2020 when suspicious activity was detected in the employee’s email account. After securing the account, third party forensic specialists were engaged to investigate the incident. The investigation confirmed that the breach was limited to a single email account, which was breached between February 25, 2020 and March 25, 2020.

A comprehensive review of emails and attachments in the account revealed they contained the protected health information of 34,113 patients. The majority of patients had their names included in an internal report that was used for reporting to the HHS’ Centers for Medicare and Medicaid Services (CMS). For certain individuals, their Social Security number, financial data, health insurance details, date of birth, and health and treatment information were also exposed. No evidence was uncovered to suggest patient information was viewed or downloaded by the person who accessed the account.

EHOA has notified all affected patients, has provided further training to its employees, and is enhancing its policies and procedures to prevent similar breaches in the future.

Castro Valley Health, Inc. Discovers PHI was Exposed on Docker Hub

Castro Valley Health, Inc. has discovered patient information was accidentally transferred to a third-party website, Docker Hub, and could potentially have been accessed by unauthorized individuals.

The transfer of patient data occurred between 2016 and 2017 and was discovered on April 21, 2020. Docker Hub is used for creating, managing, and delivering container applications and for image sharing between teams. Files were uploaded to the website that contained patient information such as names, dates of birth, medical record numbers, care start dates, admission visit dates, names of nurses who provided treatment, and physical/speech therapist names. No Social Security numbers, financial information, or clinical/diagnostic data were exposed.

Castro Valley Health said that while data could potentially have been accessed, the data was heavily coded and could not be read without first decoding the data. No evidence was found to suggest any patient data was viewed or downloaded by unauthorized individuals during the time it was exposed. The only person known to have accessed the data was the person who discovered the data and reported the breach to the HHS’ Office for Civil Rights.

Castro Valley Health has now notified all individuals whose data was exposed, and steps have been taken to prevent similar breaches in the future, including updating policies and procedures, conducting additional security audits and risk assessments, and re-educating employees.

University of Utah Health Suffers Further Phishing Attack

University of Utah Health has suffered another phishing attack, with the latest incident resulting in the exposure of the protected health information (PHI) of 2,700 patients.

This is the third phishing incident to be reported to the HHS’ Office for Civil Rights by the University of Utah this year. The previous incidents were reported on March 21 and April 3 and affected 3,670 and 5,000 patients respectively.

In the latest attack, an unauthorized individual gained access to employee email accounts between April 6 and May 22, 2020 as a result of responses to phishing emails. The email accounts were promptly secured, and an investigation was launched to determine whether the attackers gained access to patients’ PHI.

It was not possible to tell whether PHI was accessed or exfiltrated, but the accounts did contain a limited amount of PHI which was potentially accessed. An analysis of emails and attachments in the compromised accounts revealed they contained names, medical record numbers, dates of birth, and some clinical information related to the medical services received at University of Utah Healthcare facilities.

The investigation into the phishing attacks is ongoing, but so far, no evidence has been found to indicate any PHI was stolen by the attackers and no reports have been received to suggest there has been misuse of PHI. Notification letters started to be sent to affected patients on June 5, 2020.

University of Utah Health explained in its substitute breach notice that its information security protocols are being reviewed and security procedures will be reinforced with its employees to improve resilience to phishing attacks in the future. Security enhancements will be implemented across the entire enterprise and multi-factor authentication will be used to prevent email account access if credentials are compromised in the future.

$107,000 Stolen from Kentucky Employees’ Health Plan Members in Two Recent Cyberattacks

The Commonwealth of Kentucky Personnel Cabinet has announced that two data breaches occurred between late April and early May. The attacks resulted in the exposure of the protected health information of around 1,000 members of the Kentucky Employees’ Health Plan.

The first attack occurred between April 21 and April 27 and a second occurred in mid-May. In both cases, the attackers used stolen credentials to gain access to accounts.

In the first attack, legitimate credentials were used to gain access to StayWell systems. StayWell is a third-party vendor that manages a well-being and incentive portal for health plan members.

Through the portal, plan members are empowered to take care of their health and lead healthier lifestyles. Plan members who meet their health goals by completing certain actions and challenges are rewarded with points that can be exchanged for gift cards.

The first cyberattack was detected and investigated by StayWell, the Commonwealth Office of Technology, and the Kentucky Personnel Cabinet. It was determined that while the attackers gained access to the portal, they were not able to view highly sensitive information such as Social Security numbers, dates of birth, and addresses – the types of information commonly sought by identity thieves; however, the attackers were able to access biometric screening information and health assessment data. The attackers were also able to access and redeem points that had been accumulated by members, which were exchanged for gift cards. The hackers fraudulently redeemed approximately $100,000 of points. A total of 971 individuals were affected by the first breach.

StayWell implemented several security enhancements after the first attack; however, the hackers struck again and gained access to the government email accounts of 42 plan members in the second attack and used accumulated points to fraudulently obtain $7,700 in gift cards.

According to StayWell, the second data breach occurred as a direct result of the first and appears to have been due to password reuse. Certain plan members had used the same password for the portal as they did for their government email accounts, which allowed the hackers to access the email accounts.

The second breach serves as a reminder about the danger of reusing passwords on multiple accounts and platforms. Strong passwords should always be set to prevent passwords from easily being guessed, and unique strong passwords should be set on each platform or account. Password managers are useful for storing strong passwords, but it is essential that a very strong password is set as the password manager master password.

StayWell said it is working on further security enhancements and has requested all affected members set stronger, unique passwords. The Personnel Cabinet will make resources, tools, and training available to help state employees and other users of the StayWell platform improve security.

St Joseph Health System Discovers Medical Record Storage Facility Improperly Disposed of Patient Records

St Joseph Health System in North Central Indiana is alerting patients that some of their protected health information has been exposed and may have been viewed by unauthorized individuals. The breach did not happen at St Joseph Health, but at one of its business associates.

Central Files Inc., a secure record storage facility in South Bend, IN, was contracted to securely store patient records in compliance with federal and state regulations and to destroy certain records in accordance with HIPAA Rules. Central Files Inc. has now permanently closed but was required to continue to store patient records until an alternative secure records facility could be located.

Between April 1 and April 9, 2020, several healthcare groups affiliated with St Joseph Health System were notified that confidential records containing patient information had been dumped at a location in the South Bend area at some point prior to April 1, 2020.

The records discovered at the site were in poor condition. According to the substitute breach notification on the St Joseph Health System website, the records were “showing signs of moisture damage, mold, and rodent infestation, and damage from being mixed with trash and other debris.” Attempts were made to identify patients whose data had been exposed, but trained safety personnel determined that inspecting the majority of the records would be hazardous to health and recommended the best course of action was to arrange for the records to be securely destroyed.

The records that could safely be salvaged have been recovered and St Joseph Health System has engaged a vendor to recover the remaining records from the site. That process was completed on May 20, 2020 and arrangements have been made to have those records securely and permanently destroyed.

In many cases, the records were old and contained out of date information. Some of the documentation included paper copies of medical records and billing statements that contained information such as names, contact information, Social Security numbers, dates of services, and clinical and diagnostic information. Patients have been notified about the breach and told that no evidence was found to suggest any information has been misused, although the possibility of unauthorized access could not be ruled out.

The records related to the following entities:

  • Saint Joseph Health System (From 1999 to 2013)
  • Allied Physicians of Michiana (From 1995 to 2007)
  • New Avenues (From June 2004 to December 2015)
  • South Bend Medical Foundation (From 2009 to 2015)
  • Goshen Emergency Physicians, LLC / Elkhart Emergency Physicians, Inc. (From 2002 to 2010)
  • Michiana Hematology Oncology (From 2002 to 2004)
  • Cardiology Associates, Inc. (From March 1, 2007 to November 30, 2013)

The breach has yet to appear on the HHS’ Office for Civil Rights website so it is currently unclear how many patients have been affected.

Aveanna Healthcare Facing Class Action Lawsuit Over 2019 Phishing Attack

The Atlanta, GA-based healthcare provider Aveanna Healthcare is facing a class action lawsuit over a data breach that occurred in the summer of 2019. Affecting 166,000 patients, it is one of the largest healthcare data breaches to be reported this year.

Aveanna Healthcare provides healthcare services to adults and children in 23 states and is the largest provider of pediatric home care in the United States. In the summer of 2019, several email accounts were compromised in a phishing attack. Aveanna Healthcare discovered the attack on August 24, 2019 and immediately secured its email accounts. The investigation revealed the first email account was breached on July 9, 2019, giving the attackers access to protected health information for more than 6 weeks.

Emails in the compromised accounts contained patient information such as names, health information, financial information, passport numbers, driver’s license numbers, Social Security numbers, and other sensitive data. It was not possible to determine whether emails and files were viewed by the attackers. No evidence was found to suggest patient information was stolen in the attack, but it was not possible to rule out the possibility that the attackers exfiltrated email data before they were shut out of the email accounts.

The Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule requires patients affected by data breaches to be notified about the exposure of their PHI without unnecessary delay and no later than 60 days after the discovery of a breach. The Department of Health and Human Services’ Office for Civil Rights must also be notified about a breach within 60 days.

Aveanna Healthcare delayed issuing breach notifications to patients until this year and reported the breach to the HHS’ Office for Civil Rights on February 14, 2020, more than 5 months after the breach was discovered.

More than 100 patients affected by the breach have so far been included in the lawsuit. They allege that Aveanna Healthcare failed to issue timely notifications, and when those notifications were eventually sent, they failed to explain what types of information had been compromised. Aveanna Healthcare is alleged to have maintained the private personal and healthcare data of patients “in a reckless manner” and information stored in its systems was vulnerable to attack as a result.

The lawsuit states that Aveanna Healthcare was aware that patient data was at risk yet failed to take adequate steps to secure patient data. The plaintiffs also allege Aveanna Healthcare was not properly monitoring computer systems that contained patient data. If those systems were being monitored, it would not have taken 6 weeks for the data breach to be identified.

The plaintiffs claim they now face an elevated risk of identity theft and fraud as their sensitive data is now in the hands of data thieves. The lawsuit seeks nominal and compensatory damages for patients affected by the breach, reimbursement of out-of-pocket expenses, and injunctive relief.

Kaiser Permanente Discovers 8-Year Employee HIPAA Breach

The Oakland, CA-based healthcare provider, Kaiser Permanente, has discovered a former employee accessed the radiology records of thousands of patients without authorization over a period of 8 years.

The privacy breach was discovered in late March and the employee was placed on administrative leave while an internal investigation was conducted. Kaiser Permanente was unable to find any legitimate work reason for the employee accessing the records and determined that the access fell outside of the scope of the employee’s job functions. The first instance of unauthorized access occurred in 2012 and the employee continued to access radiology records until her actions were discovered in March 2020.

The employee worked as an imaging technician in the radiology department and has now been fired over the HIPAA violation. While unauthorized access to protected health information was confirmed, Kaiser Permanente found no evidence to suggest that patient information was copied or was used to commit fraud or any criminal activities.

The breach was reported to the Department of Health and Human Services’ Office for Civil Rights on May 22, 2020 by Kaiser Foundation Health Plan of the Mid-Atlantic States. The breach report shows that over an 8-year period the imaging technician impermissibly accessed the records of 2,756 patients.

All affected individuals are now being notified about the privacy breach by mail.

Ridgeview Institute – Monroe Employee Terminated Over Unauthorized PHI Access and Impermissible Disclosure

Ridgeview Institute – Monroe in Georgia, a provider of mental health and addiction treatment services, has discovered a former employee accessed the records of certain patients without authorization and sent copies of patient information to a personal email account.

The privacy breach was discovered on January 14, 2020, prompting an internal investigation to determine the nature and scope of the breach. It took some time to determine exactly what information had been copied and which patients were affected, hence the delay in notifying affected individuals.

The information in the stolen documents was determined to include patients’ full names, birth dates, Social Security numbers, patient ID numbers, health insurance provider names, diagnoses, treatment information, prescriptions, medical procedures, lab test and other test results.

The employee admitted accessing and copying patient information without authorization and said the data had been subsequently disclosed to her attorney and one other individual.

No reason was provided as to why the information was copied and impermissibly disclosed. According to the Ridgeview Institute, assurances have been obtained from the unauthorized individual to whom the information was disclosed that the documents will not be shared with any other parties, and the employee, who no longer works at Ridgeview, has confirmed that all other copies of the documents have been destroyed.

All affected patients are in the process of being notified and complimentary identity theft protection services are being offered.
