It is becoming increasingly common for threat actors to use ransomware to encrypt files to prevent data access, but also to steal data and threaten to publish or sell on the stolen data if the ransom is not paid. This new tactic is intended to increase the likelihood of victims paying the ransom.

The Center for Facial Restoration in Miramar, FL, is one of the latest healthcare providers to experience such an attack. Richard E. Davis MD FACS of The Center for Facial Restoration received a ransom demand on November 8, 2019 informing him that his clinic’s server had been breached and data had been stolen. The attacker said the data could be publicly exposed or traded with third parties if the ransom was not paid.

Dr. Davis filed a complaint with the FBI’s Cyber Crimes Center and met with the FBI agents investigating the attack. After the attack occurred, Dr. Davis was contacted by around 15-20 patients who had also been contacted by the attacker and issued with a ransom demand. The patients were told that their photographs and personal data would be published if the ransom demand was not paid.

According to Dr. Davis’s substitute breach notice, the compromised server contained the data of approximately 3,600 patients. While it is possible the attackers stole the files of all patients, there are reasons to suspect only a very small number of patient photographs and personal data may have been stolen.

It has taken some time to determine which patients have been affected as much of the information held on patients was stored as scanned patient intake forms rather than a database. Each file had to be opened and checked manually and that was a painstakingly slow and labor intensive process.

The types of data exposed was limited to photocopies of driver’s licenses or passports, home addresses, email addresses, telephone numbers, insurance policy numbers, and credit card numbers, most of which only showed the last 4 digits.

All patients potentially affected by the attack have now been notified and steps have been taken to improve security, including replacing all hard drives and implementing new firewalls and anti-malware software. The ransom demand was not paid.

Children’s Choice Pediatrics Ransomware Attack Impacts 12,689 Patients

Children’s Choice Pediatrics in McKinney, TX, is notifying 12,689 patents that some of their protected health information may have been accessed by unauthorized individuals who used ransomware to try to extort money from the practice.

The attack occurred on or around October 27, 2019 and resulted in the encryption of data on its network. Children’s Choice had backed up all data and attempts were made to recover all files encrypted by the ransomware. That process has been completed, but it was not possible to restore all patient data. Some patient records could not be recovered.

Affected patients have been advised to be alert to the possibility of data misuse and to monitor their account statements for signs of fraudulent activity. No reports have been received to suggest any patient data was stolen or has been misused.  Children’s Choice has now strengthened security to prevent similar attacks from occurring in the future.

The post Ransomware Attacks Reported by Florida and Texas Healthcare Providers appeared first on HIPAA Journal.

Alomere Health in Alexandria, MN is notifying almost 50,000 patients that some of their protected health information was potentially accessed by unauthorized individuals as a result of a phishing attack.

Alomere Health learned about the phishing attack on November 6, 2019 and launched an internal investigation which confirmed the account was accessed by an unauthorized individual between October 31 and November 1, 2019.

A computer forensics company was engaged to assist with the investigation and discovered on November 10, 2019 that a second email account had been breached on November 6.

A comprehensive review of the compromised accounts revealed some emails and email attachments contained protected health information. The types of information potentially compromised in the attack varied from patient to patient and may have included the following data elements: Names, addresses, dates of birth, medical record numbers, health insurance information, treatment information, and/or diagnosis information. A limited number of Social Security numbers and driver’s license numbers were also found in the accounts.

Alomere Health was unable to confirm whether any emails or email attachments containing protected health information were accessed or copied by the attackers, but unauthorized PHI access and data theft could not be ruled out. On January 3, 2020, Alomere Health sent notifications to all 49,351 patients whose information was present in the email accounts.

Individuals whose Social Security number or driver’s license number were exposed have been offered complimentary credit monitoring and identity theft protection services for 12 months. No reports of misuse of patient information have been received to date.

Alomere Health has now added more layers to its cyber defenses and further security awareness training has been given to employees to help them identify phishing emails and other email-based threats.

The post Alomere Health Phishing Attack Impacts 49,351 Patients appeared first on HIPAA Journal.

Portland, OR-based Native American Rehabilitation Association of the Northwest, Inc., (NARA), a provider of education, physical and mental health services and substance abuse treatment services to native Americans, is alerting certain individuals about a malware infection that has potentially allowed unauthorized individuals to gain access to their protected health information.

NARA reports that the attack occurred on November 4, 2019. The malware initially bypassed security systems but was detected later that afternoon. The threat was contained by November 5, 2019 and all passwords on email accounts were reset by November 6.

The malware was determined to be the Emotet Trojan: A credential stealer that can also exfiltrate emails and email attachments. It is therefore possible that the attackers obtained emails and attachments in the compromised accounts, some of which included protected health information.

According to a NARA press release issued on January 3, 2020, the forensic investigation confirmed that the protected health information of 344 individuals was either accessed by the attackers or there was a high risk of the information being accessed. Another group of patients was also potentially affected. For this group, no evidence of unauthorized access was found.

The types of information contained in the email accounts varied from person to person and may have included names, home addresses, Social Security numbers, birth dates, and medical record or patient ID numbers. A limited number of individuals also had clinical information exposed, including diagnoses, services received, treatment information, and treatment dates.

In total, up to 25,187 individuals may have been affected, according to the HHS’ Office for Civil Rights’ Breach portal.

“It is sad that there are people in the world whose intent is to cause harm and distress to vulnerable populations such as our clients,” said Jacqueline Mercer, CEO of NARA NW. “Words cannot express how truly sorry we are that our clients and NARA NW have been subjected to this malware attack.”

A new endpoint protection solution has now been implemented on all computers which monitors for suspicious activity. Policies and procedures are being reviewed and will be updated as necessary and staff have been provided with further security awareness training.

Mercy Health Lorain Hospital Laboratory Patients Affected by Mailing Error

RCM Enterprise Services, Inc., a provider of patient billing services to Mercy Health Lorain Hospital Laboratory in Ohio, is alerting certain patients about an impermissible disclosure of some of their individually identifiable personal information.

An error was accidentally introduced in the invoice mailing process which allowed Social Security numbers to be viewable through the windows of envelopes used for a medical invoice mailing sent by RCM’s contracted mailing vendor on or around November 7, 2019.

The invoices should only have had name, street address, city, state, and zip code visible. The error resulted in an individual’s name and street address being visible along with that individual’s Social Security number instead of the city and zip code.

“We take this incident, as well as information privacy and security, very seriously, and have enhanced our procedures in order to prevent the occurrence of a similar incident,” said Barbara Shaub, Director, Revenue Cycle Management of RCM.

No reports have been received to suggest there has been any misuse of patient information. As a precaution, all affected individuals have been offered complimentary credit monitoring and identity theft protection services. It is currently unclear how many individuals have been affected.

The post Up to 25K Patients of the Native American Rehabilitation Association of the Northwest Affected by Malware Attack appeared first on HIPAA Journal.

North Ottawa Community Health System (NOCH) has discovered an employee at North Ottawa Community Hospital in Grand Haven, MI, accessed the medical records of patients without authorization over a period of 3 years.

The matter was brought to the attention of the health system on October 15 by another employee. An investigation into the alleged inappropriate access was launched on October 17 and the employee was suspended pending the outcome of the investigation.

NOCH confirmed on November 25, 2019 that the employee had accessed the medical records of 4,013 patients without any legitimate work reason for doing so between May 2016 and October 2019. There appeared to be no discernible pattern to the unauthorized access. Patient records appeared to have been accessed at random.

No evidence was found to suggest that any patient information was stolen. NOCH believes the employee was accessing patient information out of curiosity.

The types of information potentially accessed included names, dates of birth, Social Security numbers, Medicare and Medicaid numbers, health insurance information, and some health information. Any patient whose Social Security number was viewable has been offered complimentary credit monitoring and identity theft protection services for 12 months.

Further training on NOCH policies covering medical record access have been provided to all staff members and employee access to patient records has been tightened.

The breach has been reported to the Department of Health and Human Services’ Office for Civil Rights. It is up to OCR to decide if any further action is taken against the employee over the HIPAA violation.

Cyberattack Forces Shutdown of Center for Health Care Services’ Computer Systems

The Center for Health Care Services (CHCS) in San Antonio, TX, experienced a cyberattack over the holiday period which forced it to shut down its computer systems.

CHCS provides healthcare services for individuals with mental health disorders, developmental disabilities, and substance abuse disorder and operates several walk-in clinics and outreach centers in San Antonio.

The CHCS IT team determined that a single server had been compromised after being alerted about the cyberattack by federal officials. The decision was taken to shut down its entire computer system as a precaution. The IT department has started restoring its computer systems and bringing them back online one by one, starting with the systems at its largest clinics. The process is expected to take several days.

The cyberattack was part of a larger attack that started before the holiday period. It is currently unclear how many other organizations have been affected.

The post North Ottawa Community Health System Discovers 3-Year Insider Breach appeared first on HIPAA Journal.

Ann & Robert H. Lurie Children’s Hospital of Chicago, a pediatric specialty hospital in Chicago, IL, has discovered a former employee accessed the medical records of certain patients without a legitimate work reason for doing so. The unauthorized access occurred between September 10, 2018 and September 22, 2019.

The hospital learned of the HIPAA violation on November 15, 2019 and immediately terminated the employee’s access to all patient information while the incident was investigated. The employee was subsequently disciplined for the violation of HIPAA and hospital policies and was terminated.

The employee was unable to view full Social Security numbers, financial information, or health insurance information. The only types of information that could have been viewed were names, addresses, dates of birth, diagnoses, appointment dates, medical procedures, and other limited medical information.

The breach notice published on the hospital’s website makes no mention of the reason why the former employee was accessing patient information, but the hospital says there is no reason to suspect that any patient information has been stolen, further disclosed, or misused.

Patients affected by the breach were notified by mail on December 26, 2019. As a precaution against misuse of their personal and health information, affected patients have been advised to monitor the statements they receive from their healthcare provider. A spokesperson for the hospital said, “Lurie Children’s deeply regrets that this incident occurred,” and confirmed that steps have been taken to prevent any further incidents of this nature from occurring in the future, including providing further training for employees on the hospital’s policies regarding unauthorized accessing of patient records.

The incident has yet to appear on the Department of Health and Human Services’ Office for Civil Rights’ breach portal, so it is currently unclear how many patients have been affected.

The post Ann & Robert H. Lurie Children’s Hospital of Chicago Fires Worker for Unauthorized Medical Record Access appeared first on HIPAA Journal.

Roosevelt General Hospital in Portales, New Mexico has discovered malware on a digital imaging server used by its radiology department. The malware potentially allowed cybercriminals to gain access to the radiological images of around 500 patients.

The malware infection was discovered on November 14, 2019 and prompt action was taken to isolate the server to prevent further unauthorized access and block communications with the attackers’ command and control server. The IT department was able to remove the malware and rebuild the server and all patient data was recovered. A scan was conducted to identify any vulnerabilities and the hospital is now satisfied that the server is secured and protected.

The investigation into the breach did not uncover any evidence to suggest protected health information and medical images were viewed or stolen by the hackers, but the possibility of unauthorized data access and PHI theft could not be ruled out.

The investigation into the security breach is continuing but the hospital’s IT department has confirmed that the breach was limited to the imaging server. Its medical record system and billing systems were unaffected. The types of information accessible through the compromised server included names, addresses, phone numbers, dates of birth, Social Security numbers, driver’s license numbers, health insurance information, medical information and the genders of patients.

All patients whose information was accessible through the server have been notified about the security breach by mail and have been advised to monitor their credit reports for any sign of fraudulent activity. No reports of misuse of patient information have been received by the hospital to date.

The incident has yet to appear on the Department of Health and Human Services’ Office for Civil Rights’ breach portal, so the exact number of patients affected by the breach is not yet available. According to RGH Marketing and Public Relations Director, Jeanette Orrantia, the breach was reported to OCR within 60 days of discovery.

The post New Mexico Hospital Discovers Malware on Imaging Server appeared first on HIPAA Journal.

The State of Colorado is notifying 12,230 individuals about an impermissible disclosure of some of their protected health information as a result of a mailing error.

The error occurred on a Colorado Department of Human Services mailing of Notices to Reapply for food and cash assistance programs.

The error came to light on November 6, 2019. The investigation revealed 10,879 Notice to Reapply forms had been sent which contained the information of incorrect individuals. The information of 12, 230 individuals had been incorrectly included on the forms.

The information included names, employers, whether the person had a vehicle, and a limited amount of other information related to household resources. No addresses, dates of birth, financial information, Social Security numbers, or other information required for identity theft and fraud were disclosed.

Affected individuals were notified about the error on November 10, 2019 and have been advised to either shred the incorrect notices or take them to their local county human services’ office for secure disposal.

The risk of misuse of PHI is low due to the nature of disclosed information but, as a precaution, affected individuals have been offered complimentary credit monitoring services for 12 months.

Sinai Health System Phishing Attack Reported

Chicago-based Sinai Health System has discovered the email accounts of two of its employees have been compromised as a result of responses to phishing emails. No information has been disclosed about the date of the attack and when it was discovered, but Sinai Health System has reported that third-party computer forensics experts determined on October 16, 2019 that the compromised accounts contained protected health information which was potentially accessed by the attackers. No evidence of data theft was uncovered during the investigation and no reports have been received to suggest any PHI has been misused.

The types of information in the compromised accounts varied from patient to patient and may have included names, addresses, dates of birth, Social Security numbers, health information, and health insurance information. Steps have already been taken to improve email security, including upgrading its email filtering controls. Staff have also received further security awareness training to help them identify malicious emails and email retention policies have been revised.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates the compromised accounts contained the protected health information of 12,578 patients.

The post Colorado Department of Human Services and Sinai Health System Alert Patients About HIPAA Breaches appeared first on HIPAA Journal.