Marlton, NJ-based Continuum Health Alliance has recently confirmed that it has experienced a security incident that exposed the data of 377,119 patients of its client, Consensus Medical Group, a physician-owned medical group in Evesham, NJ. Continuum identified unauthorized activity within its network on October 19, 2023, and after taking steps to secure its systems, third-party cybersecurity specialists were engaged to identify the suspicious activity. The forensic investigation confirmed that an unauthorized third party had gained access to some of its systems between October 18 and October 19, and acquired certain files.

On February 16, 2024, Continuum announced on its website that it was investigating the incident while the investigation was ongoing. The file review was completed on March 8, 2024, when it was confirmed that the exposed data included patients’ names and Social Security numbers. Continuum then worked to verify the information and obtain up-to-date address information, and notification letters were mailed on April 29, 2024.

Continuum has implemented additional safeguards to prevent further security incidents and has provided additional training to its workforce. The affected individuals have been offered complimentary credit monitoring and identity theft protection services for 12 months.

Guardant Health Discovers Online Exposure of Patient Data

Guardant Health, a medical laboratory in Redwood City, CA, that performs cancer screening tests on samples provided by physicians and hospitals, has recently notified patients of some of its clients that their protected health information has been exposed online. Guardant Health did not state in its notification letters when it discovered the data exposure, only that an employee inadvertently uploaded a file containing patient data to an online platform in October 2020. Guardant Health immediately removed the file when the error was discovered, and on March 4, 2024, it was confirmed that unidentified third parties downloaded the file between September 8, 2023, and February 28, 2024.

The protected health information in the file varied from patient to patient and included some or all of the following: name, age, medical record and identification numbers, and medical information such as treatment information, dates of treatment, and test results. No financial information or Social Security numbers were present in the file. Guardant Health said it has enhanced its technical controls and has provided further employee training to prevent similar incidents in the future. The breach has been reported to regulators but is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

The post Continuum Health Alliance Data Breach Affects 377,000 Consensus Medical Group Patients appeared first on HIPAA Journal.

The Cypress, CA-based revenue cycle management company, Designed Receivable Solutions (DRS), has recently confirmed the details of a data breach that was reported to the HHS’ Office for Civil Rights on March 23, 2024, as involving the protected health information of 129,584 individuals, and the Maine Attorney General as affecting 498,686 individuals.

On January 22, 2024, DRS identified suspicious activity within its network. Third-party cybersecurity specialists were engaged to investigate the incident and determine the cause of the activity. The investigation confirmed that an unauthorized actor accessed its systems and viewed and exfiltrated files from its systems. On March 8, 2024, after a time-consuming and detailed review of the files, DRS confirmed that they contained the personal and protected health information of current and former patients of its healthcare clients.

Following that determination, DRS has been working with the affected clients to review and verify the affected information and obtain up-to-date contact information to allow notification letters to be issued.  DRS said the types of data involved varied from individual to individual and may have included names, addresses, dates of birth, health insurance information, dates of service, and Social Security numbers. DRS has reviewed its policies and procedures related to data privacy and is taking steps to reduce the risk of a similar incident in the future and has offered the affected individuals complimentary credit monitoring services.

As OCR recently confirmed in a website Q&A regarding breach notification letters, HIPAA-covered entities are ultimately responsible for ensuring notification letters are sent to the affected individuals when there is a data breach at a business associate, but the covered entity may delegate the responsibility of providing individual notices to the business associate.

DRS is issuing notification letters on behalf of the following covered entity clients:

• Air Methods
• AMG Healthcare Management Services
• CAN Emergency Physicians
• Cedars-Sinai Medical Center
• CHA Hollywood Presbyterian Medical Center, L.P.
• Core Orthopaedics Medical Center
• GEM Physicians Group
• Marshall Medical Center
• OptumCare Management, LLC
• Redlands Community Hospital
• Ridgecrest Regional Hospital
• South Coast ER Medical Group
• Southland Medical Corporation
• Springhill Emergency Physicians
• Sycamore Physicians, LLC
• USC Arcadia Hospital (formerly Methodist Hospital of Southern California)
• Valkyrie Clinical Trials, Inc.

The post Almost 500,000 Individuals Affected by Designed Receivable Solutions Data Breach appeared first on HIPAA Journal.

The medical device manufacturer Livanova, the Massachusetts community behavioral health center Aspire Health Alliance, and Santa Rosa Behavioral Healthcare Hospital in California have experienced ransomware attacks that exposed patient data.

Livanova, London, UK

Livanova, a UK-headquartered medical device manufacturer specializing in cardiac surgery and neuromodulation devices, has suffered a ransomware attack that disrupted portions of its IT systems. The ransomware attack was discovered on November 19, 2023, and the forensic investigation confirmed that hackers gained access to its network on October 26, 2023. The LockBit ransomware group claimed responsibility for the attack.

Livanova announced in a SEC filing in November that it was dealing with a cyberattack; however, it was initially unclear to what extent patient data was involved. On April 10, 2024, Livanova confirmed that the personal and protected health information of U.S. patients had been exfiltrated from its systems in the attack. In an April 25, 2024, announcement, Livanova said the investigation is ongoing however it has been determined that information such as names, contact information, dates of birth, Social Security numbers, health insurance information, and medical information such as diagnoses, conditions, treatment information, prescription information, medical record number, device serial numbers, and physician names were involved.

The affected individuals have been advised to monitor their credit reports and account statements and to be alert to unsolicited communications involving personal information. Livnova has arranged for complimentary identity protection and credit monitoring services to be provided to the affected U.S. patients. It is currently unclear how many individuals have been affected. In a February 2024 earnings call, the company confirmed that the company had incurred costs of around $2.6 million in Q4, 2023, as a result of the attack.

Aspire Health Alliance, Massachusetts

Aspire Health Alliance, a state-designated community behavioral health center with facilities in Quincy, Braintree, and Marshfield in Massachusetts, has notified 17,490 individuals about a cyberattack that was detected on September 13, 2023. Suspicious activity was identified within its computer network and a third-party forensic investigation confirmed that its systems had been accessed by an unauthorized third party that acquired certain files and data stored on its network.

A comprehensive review was conducted to determine the types of data involved, and that process was completed on February 26, 2024, when it was confirmed that personal and protected health information was involved. The types of data varied from individual to individual and may have included names, other personal identifiers, and Social Security numbers. While data was exposed or acquired, no reports have been received to indicate any patient data has been misused. Complimentary credit monitoring and identity protection services have been offered to individuals whose Social Security numbers were impacted, and additional security measures have been implemented to reduce the risk of a similar incident occurring in the future.

Santa Rosa Behavioral Healthcare Hospital, California

Santa Rosa Behavioral Healthcare Hospital, part of the Northern California Behavioral Health System (NCBHS), has fallen victim to a cyberattack that disrupted some of its IT systems. The attack was detected on January 28, 2024, and a third-party forensic investigation confirmed that an unauthorized third party accessed its network between January 27, 2024, and January 28, 2024. During that time, files containing patient data were accessed or acquired.

The file review confirmed that the following types of information had been exposed or stolen: names, dates of birth, medical record numbers, services received, dates of services, treating physician, and for some patients, Social Security numbers and/or driver’s license numbers. Affected patients have been advised to monitor the statements they receive from their healthcare providers and health insurers and report any services they haven’t received. Individuals whose Social Security or driver’s license numbers were involved have been offered complimentary identity theft protection services. The incident has been reported to regulators but is not yet shown on the Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

The post Patient Data Stolen from Livanova in October 2023 Ransomware Attack appeared first on HIPAA Journal.

A Portland, ME-based accounting and consulting firm has recently reported a data breach to the Maine Attorney General that involved the personal information of 1,107,354 individuals. Berry, Dunn, McNeil & Parker, LLC (BerryDunn) provides health data analytics services to healthcare providers, health insurers, and government regulatory and healthcare policy agencies and its clients provide BerryDunn with personal and health data to allow the firm to perform its contracted services.

BerryDunn’s Health Analytics Practice Group (HAPG) contracted with a managed service provider (MSP) called Reliable Networks of Maine, LLC (RMN), which manages systems on behalf of HAPG. On September 14, 2023, RMN notified HAPG that it had identified suspicious activity on its network, including in the systems it manages for HAPG. BerryDunn immediately initiated its incident response protocols and brought in third-party cybersecurity experts to investigate to determine the extent to which client data was involved.

The investigation confirmed that a threat actor gained access to the RMN network and used the vendor’s privileged access to steal data from the HAPG systems the MSP managed. A vendor was engaged to conduct a review of the affected files, and that process was completed on April 2, 2024. The information exposed or stolen in the incident included names, addresses, dates of birth, Social Security numbers, health insurance policy numbers, Medicare or Medicaid numbers, state or governmental ID numbers, passport numbers, and medical information. Notification letters were mailed to the affected individuals on April 25, 2024, and complimentary credit monitoring and identity theft protection services have been offered to the affected individuals. Those services include a $1 million identity theft reimbursement policy.

It is unclear how many of BerryDunn clients have been affected. BerryDunn has confirmed that it has decommissioned all systems under the control of RMN, migrated all HAPG data to secure internal BerryDunn servers, and said those servers are continuously monitored for unauthorized access under its cybersecurity program.

The post Health Data Analytics Firm Reports 1.1-Million Record MSP Data Breach appeared first on HIPAA Journal.

A bipartisan coalition of 22 state attorneys general sent a letter to UnitedHealth Group CEO Andrew Witty to express their concern about the response to the February 21, 2024, ransomware attack on Change Healthcare and the continuing problems faced by providers, pharmacies, and patients.

Providers and pharmacies in their various jurisdictions have reported catastrophic disruptions due to the extended outage and limited restoration of Change Healthcare’s services, and wholly inadequate responses from Change Healthcare and its payor partners. Many providers and pharmacies have said they are in jeopardy of collapse, with patients experiencing disruption to care due to delays in receiving vital prescription medications. In some cases, patients have been denied access to medications due to providers’ inability to conduct eligibility checks.

In the weeks following the attack, the Attorneys General have received increasingly dire messages from healthcare facilities, care providers, and patients due to the prolonged disruption to Change Healthcare’s services. The outage has caused problems with prescription drug access, there are catastrophic billing and payment backlogs, and other problems stemming from the continued lack of access to Change Healthcare’s services.

“Facilities that use Change Healthcare as their backbone to track services and claims have been unable to timely complete prior authorizations, confirm benefits, document and submit claims, and in some instances have even lost access to basic care IT infrastructure,” wrote the Attorneys General. “You must do more than you are currently to avoid imposing further harm to our states’ health care infrastructure and the patients who rely upon it.”

In addition to the lack of access to Change Healthcare’s systems, it has now been confirmed that there was a considerable data breach. UnitedHealth Group issued a statement confirming that personally identifiable and protected health information was compromised and that the data breach could affect “a substantial proportion of the U.S. population.” Further, “Given the ongoing nature and complexity of the data review, it is likely to take several months of continued analysis before enough information will be available to identify and notify impacted customers and individuals.”

The Attorneys General have been contacted by care providers and non-HG facilities who said they are unable to reach Change Healthcare staff who can provide timely information about the data that has been breached, how they can get financial support that does not impose unreasonable conditions such as waiver of liability, and how they can document and submit claims during the outage. While financial assistance has been provided, for many providers that have experienced financial difficulties due to the attack, the support offered has been “paltry”. Some independent providers have been quoted relief of as little as $10 per week.

In the letter, the Attorneys General outlined some of the specific actions that they believe need to be taken to help alleviate the harm caused by the outage. Those measures include the enhancement and expansion of financial assistance to all affected providers, ensuring providers and practices owned by UHG or its subsidiaries are not being offered more advantageous financial assistance than others, providing a dedicated helpline to allow providers to resolve unanswered questions, ensuring that the claims backlog is expeditiously resolved, to issuing timely notifications to the practices and patients whose data has been compromised. The Attorneys General also asked to be provided with an independent analysis confirming that UHG’s and Change Healthcare’s systems have been secured and the vulnerabilities that contributed to the cyberattack have been addressed.

The post Bipartisan Coalition of Attorneys General Call for UHG to Take Decisive Action to Help Providers and Patients appeared first on HIPAA Journal.