HIPAA Breach News

Tennessee Orthopaedic Alliance Phishing Attack Impacts Over 81,000 Patients

Phishing attacks have recently been reported by Tennessee Orthopaedic Alliance, Jefferson Dental Care Healthcare Management, and Munson Healthcare.

81,146 Patients Affected by Tennessee Orthopaedic Alliance Phishing Attack

Tennessee Orthopaedic Alliance (TOA) has discovered unauthorized individuals have gained access to the email accounts of two employees. TOA became aware of the breach on October 18, 2019 when unusual activity was detected in an employee’s email account. The account was immediately secured, and third-party computer forensics experts were engaged to investigate the breach. The investigation revealed a second email account had also been compromised and the accounts were accessed by unauthorized individuals between August 16, 2019 and October 14, 2019.

TOA determined on January 3, 2019 that the compromised email accounts contained names, addresses, phone numbers, dates of birth, Social Security numbers, health insurance information, diagnostic information, treatment information, and treatment costs.

Patients were notified about the breach on February 14, 2019. Individuals whose Social Security number was potentially compromised have been offered complimentary credit monitoring and identity theft protection services. While PHI in the accounts could have been accessed by the attackers, TOA found no evidence to indicate patient information has been misused.

The HHS’ Office for Civil Rights breach portal indicates 81,146 patients were affected by the breach.

Jefferson Dental Care Healthcare Management Notifies 45,748 Patients About PHI Exposure

Jefferson Dental Care Healthcare Management in Dallas, TX, has discovered an unauthorized individual accessed the email account of an employee between July 21, 2019 and Aug. 26, 2019.

Suspicious email account activity was detected on or around October 19, 2019 and the account was immediately secured. JDH Healthcare Management determined on December 10, 2019 that the account contained the PHI of 45,748 patients. While no evidence was found to indicate patient information was accessed by the attacker, it is possible that names, addresses, dates of birth, medical treatment information, medical histories, health insurance information, payment information, patient numbers, and medical record numbers may have been compromised. Complimentary credit monitoring and identity protection services have been offered to affected patients.

JDH Healthcare Management is reviewing its policies and procedures and additional safeguards will be implemented to improve email security.

Patients Notified of Munson Healthcare Phishing Attack

Munson Healthcare in Traverse City, MI, has discovered unauthorized individuals have gained access to the email accounts of some of its employees. Assisted by third-party computer forensic experts, Munson Healthcare determined that the email accounts were subjected to unauthorized access between July 31, 2019 and October 22, 2019.

A review of the affected email accounts was completed on January 16, 2020. The accounts were found to contain patient names, dates of birth, insurance information, and treatment and diagnostic information. The accounts also contained a limited number of financial account numbers, driver’s license numbers, and Social Security numbers.

Complimentary credit monitoring services have been offered to individuals whose Social Security numbers were potentially compromised. Munson Healthcare will be implementing additional technical safeguards to prevent similar breaches in the future.

The post Tennessee Orthopaedic Alliance Phishing Attack Impacts Over 81,000 Patients appeared first on HIPAA Journal.

Data Breaches Reported by Rady Children’s Hospital, Aveanna Healthcare and Endeavor Energy Resources

Rady Children’s Hospital-San Diego, the largest children’s hospital in California, discovered a security breach on January 3, 2020 in which the protected health information of certain patients was potentially accessed by an unauthorized individual.

A computer used by the radiology department had been remotely accessed by an unauthorized individual via an open internet port. A digital forensics firm was engaged to investigate the breach and determined that the computer was compromised on June 20, 2019 and access remained possible until the port was closed on January 3, 2020.

An analysis of the compromised device revealed on February 5, 2020 that names and genders of patients were potentially compromised along with the type and date of imaging studies and, for some patients, their date of birth, medical record number, referring physician’s name, and/or a description of the imaging study. No financial information, Social Security numbers, diagnoses, or medical images were compromised. Complimentary credit monitoring services have been offered to affected patients.

Rady Children’s Hospital is working closely with the digital forensics firm to determine what additional security measures are required to prevent further cyberattacks in the future.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal so it is currently unclear how many patients have been affected.

Multiple Email Accounts Breached in Aveanna Healthcare Phishing Attack

Atlanta, GA-based Aveanna Healthcare, the largest provider of pediatric home care in the United States, has discovered the email accounts of several employees were compromised over the summer of 2019.

Aveanna Healthcare first identified suspicious activity in the email accounts of some of its employees on August 24, 2019. Third-party computer forensics specialists were engaged to assist with the investigation and determine the nature and extent of the attack. The investigation revealed several email accounts were compromised between July 9, 2019 and August 24, 2019. It was not possible to determine if any patient information was accessed or stolen by the attackers. The review of the compromised email accounts was completed on December 19, 2019.

The breach report submitted to the California Attorney General shows 5,004 California residents were affected. It is currently unclear how many patients in other states have also been affected. Californian patients were notified about the breach on February 14, 2020 and were offered complimentary credit monitoring and identity theft protection services for 12 months through TransUnion. Aveanna Healthcare determined that the following information of California residents was contained in the accounts: Names, Social Security numbers, driver’s license numbers, bank and financial information, State ID numbers, medical information, and health insurance information.

Endeavor Energy Resources Phishing Attack Impacts 5,100 Individuals

The oil and gas exploration firm, Endeavor Energy Resources, has announced it has experienced a phishing attack that potentially saw unauthorized individuals gain access to the personal and health information of 5,103 current and former employees.

The attack was detected on January 14, 2020 when unusual activity was detected in the Office 365 email account of one of its employees. On February 7, 2020, Endeavor determined the compromised email account contained the names and health plan ID numbers of current and former Endeavor employees, employees of Endeavor affiliates, and dependents who also participate in the health plan.

Steps have now been taken to improve email security to prevent similar attacks in the future. At this stage of the investigation, Endeavor has found no evidence to suggest any information in the account has been misused.

The post Data Breaches Reported by Rady Children’s Hospital, Aveanna Healthcare and Endeavor Energy Resources appeared first on HIPAA Journal.

Medical Records of 156,400 Personal Touch Home Care Patients Compromised in Ransomware Attack on EHR Hosting Company

The Lake Success, NY-based home health company, Personal Touch Home Care (PTHC), has started notifying patients that a recent ransomware attack on its Wyomissing, PA-based IT vendor, Crossroads Technologies Inc., has potentially seen some of their protected health information compromised.

Crossroads informed PTHC on December 1, 2019 that the ransomware attack affected its Pennsylvania data center where PTHC’s electronic medical records were hosted. The ransomware attack prevented patient records from being accessed for a few days. While the EHR system was down, staff at PTHC switched to emergency protocols and used pen and paper to record patient information.

The encrypted data has now been recovered. It is unclear whether Crossroads restored the data from backups or if the ransom was paid and if any other healthcare clients were affected.

The compromised medical records contained patient names, addresses, telephone numbers, dates of birth, medical record numbers, health insurance card numbers, plan benefit numbers, Social Security numbers, and treatment information.

PTHC is currently unaware of the extent to which PHI was compromised and whether the attackers obtained PHI prior to the encryption of data. At this stage of the investigation, no evidence has been found to suggest patient information was exfiltrated prior to the deployment of the ransomware. Crossroads is still investigating the attack.

The incident was reported to the Department of Health and Human Services’ Office for Civil Rights as 17 separate breach reports, one for each of the offices affected. The data breaches were reported separately as each office is a separate legal entity. In total, the PHI of 156,409 patients and caregivers across 6 states has been compromised. Affected individuals have been offered complimentary credit monitoring and identity theft protection services.

The following offices were affected by the attack:

| Breached Entity | State | Individuals Affected |
| --- | --- | --- |
| Personal Touch Home Care of VA, Inc. | VA | 33,324 |
| Personal Touch Home Care of W. VA, Inc. | WV | 1,169 |
| Personal Touch Hospice of VA, Inc. | VA | 1,657 |
| Personal Touch Home Care of Mass., Inc. | NY | 2,015 |
| PT Home Services of San Antonio, Inc. | TX | 5,930 |
| Personal Touch Home-Aides, Inc. | NY | 2,633 |
| Personal Touch Home Services of Dallas, Inc. | TX | 1,700 |
| Personal Touch Home Care of S.E. Mass., Inc. | NY | 2,863 |
| Personal Touch Home Aides Inc. | NY | 1,890 |
| Personal Touch Home Care of PA, Inc. | NY | 9,302 |
| Personal Touch Home Care of Ohio, Inc. | NY | 15,808 |
| Personal Touch Home Care of Greater Portsmouth, Inc. | NY | 1,957 |
| Personal Touch Home Aides of Baltimore, Inc. | NY | 804 |
| Personal Touch Home Care of Baltimore, Inc. | NY | 9,058 |
| Personal Touch Home Care of KY, Inc. | KY | 24,013 |
| Personal Touch Home Care of Indiana, Inc. | IN | 3,593 |
| Personal Touch Home Aides of New York, Inc. | NY | 38,693 |

This is the third major business associate ransomware attack to be reported in the past few days. A ransomware attack on the Albany, NY-based accounting and tax firm BST & Co. CPAs LLC affected patients of the Community Care Physicians medical group, and NRC Health, a provider of patient survey services and software, experienced an attack that impacted some of its healthcare clients.

The post Medical Records of 156,400 Personal Touch Home Care Patients Compromised in Ransomware Attack on EHR Hosting Company appeared first on HIPAA Journal.

Maze Ransomware Attack on Accounting Firm Impacts Patients of New York Medical Group

The Albany, NY-based accounting, tax, and advisory firm, BST & Co. CPAs LLC, has experienced a Maze ransomware attack that has affected patients of the New York medical group, Community Care Physicians P.C.

The Maze ransomware gang is one of a handful of threat groups that steal data from victims prior to deploying their ransomware payload. A threat is then issued to publish the stolen data if the ransom is not paid. Some of the data stolen in the attack has since been published by the gang, including names, dates of birth, addresses, contact telephone numbers, and Social Security numbers of BST employees.

BST has issued a statement saying a computer virus was detected on December 7, 2019 which prevented access to its files. In addition to internal data, some information related to local clients was also potentially compromised, including Community Care Physicians.

A leading computer forensics firm was engaged to assist with the investigation and determine the nature and scope of the attack. The forensics experts determined the virus was active on the network from December 4, 2019 to December 7, 2019 and that the attackers had gained access to parts of the network where client data was stored. BST managed to recover the encrypted data from backups.

BST confirmed the individuals affected by the breach by February 5, 2020 and notification letters were sent by BST on February 14, 2020. The compromised client data included names, dates of birth, medical record numbers, medical billing codes, and insurance descriptions.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal so it is currently unclear how many individuals have been affected.

United Regional Phishing Attack Affects up to 2,000 Patients

Wichita Falls, TX-based United Regional Health Care System has announced it has suffered a phishing attack that has seen the email account of one of its employees accessed by an unauthorized individual. The attack occurred in July 2019, but it took until December 2019 to complete the investigation and review the email account to determine whether patient information was compromised.

It was not possible to determine whether emails were accessed or copied by the attacker, but unauthorized access and data theft could not be ruled out. The email account contained patient names, dates of birth, patient account and/or medical record numbers, and clinical information such as provider name and location, lab test results, diagnostic data, prescription information, procedures, and/or treatment information. A limited number of individuals also had their Social Security numbers, driver’s license numbers, health insurance information, and/or passport information exposed.

Patients were notified about the breach on February 18, 2020. Individuals whose Social Security number or driver’s license number was included in the account have been offered complimentary credit monitoring and identity theft protection services.

The post Maze Ransomware Attack on Accounting Firm Impacts Patients of New York Medical Group appeared first on HIPAA Journal.

NRC Health Recovering from Ransomware Attack

NRC Health, a provider of patient survey services and software to more than 9,000 healthcare organizations, including 75% of the largest hospital systems in the United States and Canada, experienced a ransomware attack on February 11, 2020 that affected some of its computer systems.

NRC Health immediately took steps to limit the harm caused and shut down its entire environment, including its client-facing portals. A leading computer forensic investigation firm was engaged to determine the nature and extent of the attack and the incident has been reported to the Federal Bureau of Investigation.

According to the NRC Health website, the data of more than 25 million healthcare consumers in the United States and Canada is collected by NRC Health every year. Patient surveys conducted by NRC Health on behalf of its clients allow them to prove that patients are satisfied with the services they have received. That information is important for helping to improve patient care and also for determining how much Medicare reimbursement healthcare providers receive under the Affordable Care Act. Healthcare clients also use patient satisfaction scores to determine how much executives and physicians get paid.

NRC Health said significant progress has been made restoring its systems and services to customers and a full recovery is expected in the next few days. Notifications have been sent to its healthcare clients informing them about the attack and updates are being provided to clients on a daily basis until the incident is fully resolved.

In the notifications NRC Health said the initial findings of the investigation suggest no patient data or sensitive client information has been compromised.

Ransomware attacks on healthcare organizations have increased over the past year, after a fall in attacks in 2018. Several threat groups have taken to stealing patient data prior to the deployment of ransomware to encourage victims to pay the ransom demands. According to a recent analysis by Comparitech, there have been 172 healthcare ransomware attacks since 2016. Those attacks have cost the healthcare industry at least $157 million.

The post NRC Health Recovering from Ransomware Attack appeared first on HIPAA Journal.

Communication Errors Result in Impermissible Disclosure of 5,300 Patients’ PHI

Two communication errors have been reported by HIPAA-covered entities in the past few days, which have resulted in the impermissible disclosure of 5,339 patients’ personal and protected health information (PHI).

Mercy Health Physician Partners Southwest Discovers Impermissible Disclosure of PHI

Mercy Health Physician Partners Southwest in Byron Center, MI, started sending breach notification letters to patients on February 10, 2019 informing them that a third-party vendor contracted to Mercy Health made an error with a recent mailing.

Mercy Health had provided the mailing vendor with a list of 3,164 names and addresses to send letters to patients informing them about the recent departure of a physician. An error in the mailing resulted in names being mismatched with addresses and 2,487 patients were sent a letter addressed to a different patient. No other sensitive information was disclosed.

During the breach investigation it was discovered that there was no business associate agreement (BAA) in place with the vendor. The provision of the patient list was therefore an impermissible disclosure of PHI under HIPAA. Mercy Health has received satisfactory assurances that the mailing vendor is aware of its responsibilities under HIPAA and a BAA is now in place.

Hawaii Hospital Notifies Patients of Email Error

On February 3, 2019, an employee of Queen’s Health Systems in Hawaii sent an email with an attachment containing the PHI of 2,852 patients to an incorrect recipient. The attached file contained the PHI of 2,852 patients of The Queen’s Medical Center and Queen’s North Hawaii Community Hospital. The email error was detected the following day.

Efforts were made to contact the person who had been sent the email in error to ensure the patient list is deleted, but no response has been received. The email attachment included patient names, admission dates, discharge dates, health plan ID numbers, and limited information about the care received. The file also contained the diagnoses of 300 patients. The breach affected patients who received medical services after June 1, 2019.

No reports have been received to suggest patient information has been misused. Patients have been advised to monitor their explanation of benefits statements and to report any services that are listed but have not been received.

The post Communication Errors Result in Impermissible Disclosure of 5,300 Patients’ PHI appeared first on HIPAA Journal.

January 2020 Healthcare Data Breach Report

In January, healthcare data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights at a rate of more than one a day.

As our 2019 Healthcare Data Breach Report showed, 2019 was a particularly bad year for healthcare data breaches with 510 data breaches reported by HIPAA-covered entities and their business associates. That equates to a rate of 42.5 data breaches per month. January’s figures are an improvement, with a reporting rate of 1.03 breaches per day. There was also a 15.78% decrease in reported breaches compared to December 2019.

[Figure: Healthcare data breaches, February 2019 to January 2020]

[Figure: Healthcare data breaches in January]

While the number of breaches was down, the number of breached records increased by 17.71% month-over-month. 462,856 healthcare records were exposed, stolen, or impermissibly disclosed across 32 reported data breaches. As the graph below shows, the severity of data breaches has increased in recent years.

Largest Healthcare Data Breaches in January 2020

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached Information |
| --- | --- | --- | --- | --- | --- |
| PIH Health | CA | Healthcare Provider | 199,548 | Hacking/IT Incident | Email |
| Douglas County Hospital d/b/a Alomere Health | MN | Healthcare Provider | 49,351 | Hacking/IT Incident | Email |
| InterMed, PA | ME | Healthcare Provider | 33,000 | Hacking/IT Incident | Email |
| Fondren Orthopedic Group L.L.P. | TX | Healthcare Provider | 30,049 | Hacking/IT Incident | Network Server |
| Native American Rehabilitation Association of the Northwest, Inc. | OR | Healthcare Provider | 25,187 | Hacking/IT Incident | Email |
| Central Kansas Orthopedic Group, LLC | KS | Healthcare Provider | 17,214 | Hacking/IT Incident | Network Server |
| Hospital Sisters Health System | IL | Healthcare Provider | 16,167 | Hacking/IT Incident | Email |
| Spectrum Healthcare Partners | ME | Healthcare Provider | 11,308 | Hacking/IT Incident | Email |
| Original Medicare | MD | Health Plan | 9,965 | Unauthorized Access/Disclosure | Other |
| Lawrenceville Internal Medicine Assoc, LLC | NJ | Healthcare Provider | 8,031 | Unauthorized Access/Disclosure | Email |

Causes of January 2020 Healthcare Data Breaches

2019 saw a major increase in healthcare data breaches caused by hacking/IT incidents. In 2019, more than 59% of data breaches reported to the HHS’ Office for Civil Rights were the result of hacking, malware, ransomware, phishing attacks, and other IT security breaches.

[Figure: Causes of January 2020 healthcare data breaches]

Hacking/IT incidents continued to dominate the breach reports in January and accounted for 59.38% of all breaches reported (19 incidents). 28.13% of reported breaches were classified as unauthorized access/disclosure data breaches (9 incidents), there were two reported theft incidents, both involving physical records, and two cases of improper disposal of physical records. Ransomware attacks continue to plague the healthcare industry, but phishing attacks are by far the biggest cause of healthcare data breaches. As the above table shows, these attacks can see the PHI of tens of thousands or even hundreds of thousands of patients exposed or stolen.


Hacking/IT incidents tend to be the most damaging type of breach and involve more healthcare records than other breach types. In January, 416,275 records were breached in hacking/IT incidents. The average breach size was 21,909 records and the median breach size was 6,524 records. 26,450 records were breached as a result of unauthorized access/disclosure incidents. The average breach size was 26,450 records and the median breach size was 2,939 records.

11,284 records were stolen in theft incidents with an average breach size of 5,642 records. The two improper disposal incidents saw 2,812 records discarded without first rendering documents unreadable and undecipherable. The average breach size was 1,406 records.

[Figure: Location of breached protected health information]

Regular security awareness training for employees has been shown to reduce susceptibility to phishing attacks, but threat actors are conducting increasingly sophisticated attacks. It is often hard to distinguish a phishing email from a genuine message, especially in the case of business email compromise scams.

What is needed to block these attacks is a defense in depth approach and no one technical solution will be effective at blocking all phishing attacks. Defenses should include an advanced spam filter to block phishing messages at source, a web filter to block access to websites hosting phishing kits, DMARC to identify email impersonation attacks, and multi-factor authentication to prevent compromised credentials from being used to access email accounts.

Healthcare Data Breaches by Covered Entity

Healthcare providers were the worst affected by data breaches in January with 25 reported breaches of 500 or more healthcare records. Five breaches were reported by health plans, and two breaches were reported by business associates of HIPAA-covered entities. There were a further three data breaches reported by covered entities that had some business associate involvement.

[Figure: January 2020 healthcare data breaches by covered entity]

[Figure: January 2020 healthcare data breaches, records exposed by covered entity]

Healthcare Data Breaches by State

HIPAA covered entities and business associates in 23 states reported data breaches in January. California and Texas were the worst affected with three reported breaches in each state. There were two breaches reported in each of Florida, Illinois, Maine, Minnesota, and New York, and one breach was reported in each of Alabama, Arizona, Colorado, Connecticut, Georgia, Iowa, Indiana, Kansas, Maryland, Michigan, North Carolina, New Jersey, Oregon, Pennsylvania, South Carolina, and Virginia.

HIPAA Enforcement in January 2020

There were no financial penalties imposed on HIPAA covered entities or business associates by the HHS’ Office for Civil Rights or state attorneys general in January.

There was a notable increase in the number of lawsuits filed against healthcare organizations that have experienced data breaches related to phishing and ransomware attacks.

January saw a lawsuit filed against Health Quest over a July 2018 phishing attack, Tidelands Health is being sued over a December 2019 ransomware attack, and a second lawsuit was filed against DCH Health System over a malware attack involving the Emotet and TrickBot Trojans that occurred in October 2019. These lawsuits follow legal action against Kalispell Regional Healthcare and Solara Medical Supplies in December.

The trend has continued in February with several law firms racing to be the first to file lawsuits against PIH Health in California over a 2019 phishing attack that exposed the data of more than 200,000 individuals.

These lawsuits may cite HIPAA violations, but since there is no private cause of action under HIPAA, legal action is taken over violations of state laws.

The post January 2020 Healthcare Data Breach Report appeared first on HIPAA Journal.

Criminal HIPAA Violation Case Sees Healthcare Worker Charged on 415 Counts

A former employee of ACM Global Laboratories, part of Rochester Regional Health, has been accused of accessing the medical records of a patient, without authorization, on hundreds of occasions in an attempt to find information that could be used in a child custody battle.

A criminal investigation was launched into the alleged HIPAA violations by Jessica Meier, 41, of Hamlin, NY, when it was suspected that she had been abusing her access rights to patient information for malicious purposes.

Kristina Ciaccia was previously in a relationship with Meier’s half brother and has been in a lengthy child custody battle. In court, Ciaccia heard about a historic visit by her own brother to the emergency room at Rochester Regional Health, when she herself was unaware of the visit. Suspecting snooping on her family’s medical records, Ciaccia reported the matter to Rochester Regional Health.

According to court documents, the Rochester Regional Health audit revealed Meier had accessed the private medical records of Ciaccia on more than 200 occasions between March 2017 and August 2019, without any legitimate work purpose for doing so. It was also confirmed that Meier had accessed the medical records of members of Ciaccia’s family.

Ciaccia reported the criminal HIPAA violations to the police and an investigation was launched. Meier was arraigned in Gates Town Court on Tuesday, February 11, 2019 on 215 felony counts of computer trespass and 215 counts of misdemeanor unauthorized use of a computer. Meier pleaded not guilty to all counts and the case is expected to go before a grand jury.

“If you go in somebody’s medical records, you deserve to be charged. You deserve to be held accountable,” Ciaccia told News 10 NBC. Ciaccia also believes Rochester Regional Health should be held accountable, not for the breach itself, but for the failure to identify an ongoing privacy violation that spanned more than two years.

The unauthorized medical record access was only discovered after Ciaccia reported the potential privacy violation to Rochester Regional Health. “I feel like Rochester Regional pay her all year to go in my medical records,” said Ciaccia. Upon discovery of unauthorized access, Rochester Regional Health took disciplinary action against Meier.

HIPAA requires healthcare organizations to implement safeguards to ensure the confidentiality, integrity, and availability of patient information. Even if access controls and other measures are implemented, it is not possible to prevent all cases of improper accessing of medical records by employees. However, when instances occur, they should be identified quickly.

HIPAA requires audit logs to be maintained to track access to protected health information. Those logs allow audits to take place, as was the case when the matter was brought to the attention of Rochester Regional Health by Ciaccia.

HIPAA also requires audit logs to be regularly checked to identify unauthorized access to PHI. Had the audit logs been monitored more closely, the privacy violation could have been identified and sanctions could have been applied against Meier sooner.
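The kind of audit-log review the two paragraphs above call for, as an added example that is not code from HIPAA Journal or Rochester Regional Health: it scans a constructed EHR access log for users who repeatedly open the same patient's chart without being on that patient's care team, then lists every other patient those users touched outside a treatment relationship. The log format, care-team mapping, user names, patient IDs and thresholds are all assumptions made for the example.

```python
"""Audit-log review: repeated chart access outside a treatment relationship.

Added example; log format, names, IDs, care-team data and thresholds are
constructed assumptions, not any vendor's or covered entity's format.
"""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample EHR access log: one row per chart access.
SAMPLE_LOG = """\
timestamp,user,patient_id,action
2017-03-02T09:14:00,jmeier,P1001,view_chart
2017-03-02T09:20:00,jmeier,P1001,view_results
2017-06-15T13:02:00,jmeier,P1001,view_chart
2017-11-20T08:45:00,jmeier,P1001,view_chart
2018-04-03T16:30:00,jmeier,P1001,view_notes
2019-01-09T10:05:00,jmeier,P1001,view_chart
2019-08-12T11:11:00,jmeier,P1001,view_chart
2019-08-12T11:15:00,jmeier,P1002,view_chart
2018-04-03T09:00:00,dr_smith,P1001,view_chart
2018-04-03T09:05:00,dr_smith,P1001,add_note
2019-02-01T14:00:00,rn_lopez,P1003,view_chart
2019-05-05T14:00:00,jmeier,P2000,view_chart
"""

# Constructed treatment relationships: users on each patient's care team.
# In production this would be derived from encounter/scheduling data.
CARE_TEAM = {
    "P1001": {"dr_smith", "rn_lopez"},
    "P1002": {"dr_smith"},
    "P1003": {"dr_patel"},
    "P2000": {"jmeier"},
}

MIN_DISTINCT_DAYS = 5  # access on this many separate days flags the pair
MIN_SPAN_DAYS = 30     # or repeat access spread over at least this many days


def parse_log(text):
    """Parse CSV audit rows into dicts with a datetime timestamp."""
    return [
        {
            "ts": datetime.fromisoformat(r["timestamp"]),
            "user": r["user"],
            "patient": r["patient_id"],
            "action": r["action"],
        }
        for r in csv.DictReader(StringIO(text))
    ]


def out_of_relationship(rows, care_team):
    """Group access timestamps by (user, patient) where the user is not on the care team."""
    by_pair = defaultdict(list)
    for r in rows:
        if r["user"] in care_team.get(r["patient"], set()):
            continue  # legitimate treatment relationship; not reviewed here
        by_pair[(r["user"], r["patient"])].append(r["ts"])
    return by_pair


def find_suspicious_access(rows, care_team,
                           min_days=MIN_DISTINCT_DAYS, span_days=MIN_SPAN_DAYS):
    """Flag (user, patient) pairs showing sustained access with no relationship.

    A single out-of-relationship access (e.g. a break-the-glass lookup) is not
    flagged by default; access on many days, or spread over a long period, is.
    """
    findings = []
    for (user, patient), stamps in out_of_relationship(rows, care_team).items():
        stamps.sort()
        days = {t.date() for t in stamps}
        span = (stamps[-1].date() - stamps[0].date()).days
        if len(days) >= min_days or (len(days) > 1 and span >= span_days):
            findings.append({
                "user": user,
                "patient": patient,
                "accesses": len(stamps),
                "days": len(days),
                "first": stamps[0].date().isoformat(),
                "last": stamps[-1].date().isoformat(),
                "span_days": span,
            })
    return sorted(findings, key=lambda f: (-f["accesses"], f["user"]))


def users_to_review(findings, rows, care_team):
    """For each flagged user, every patient they touched outside a relationship.

    This is the follow-up audit step: once one pattern is found, review the
    user's other out-of-relationship accesses (e.g. a patient's relatives).
    """
    flagged = {f["user"] for f in findings}
    touched = defaultdict(set)
    for user, patient in out_of_relationship(rows, care_team):
        if user in flagged:
            touched[user].add(patient)
    return dict(touched)
```

On the constructed log, only the jmeier/P1001 pair is flagged (7 accesses on 6 days across 893 days), and the follow-up step also surfaces the single access to P1002.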

The post Criminal HIPAA Violation Case Sees Healthcare Worker Charged on 415 Counts appeared first on HIPAA Journal.

2020 Protenus Breach Barometer Report Reveals 49% Increase in Healthcare Hacking Incidents

According to the 2020 Protenus Breach Barometer report, there were 572 healthcare data breaches of 500 or more records in 2019 and at least 41.4 million patient records were breached. That represents a 13.7% increase in the number of reported breaches and a 174.5% increase in the number of breached records.

The final total for 2019 is likely to be considerably higher, as the number of individuals affected by 91 of those breaches is not known, including two major breaches that have yet to be reported that affected more than 500 dental offices throughout the United States.

The 2020 Protenus Breach Barometer report, produced in conjunction with databreaches.net, was compiled from breaches reported to the HHS’ Office for Civil Rights, the media, and other sources. The report shows a dramatic rise in the number of hacking incidents in 2019, which were up 49% from 2018. 58% of all reported breaches in 2019 were hacking/IT incidents and at least 36,911,960 records were exposed or stolen in those breaches.

“It appears hacking incidents, particularly ransomware incidents, are on the rise; hackers are getting more creative in how they exploit healthcare organizations and patients alike,” explained Protenus in the report.

There has been a significant increase in healthcare ransomware attacks in 2019 and worrisome new trends are emerging. Prior to file encryption, some ransomware gangs have started exfiltrating patient data and threats are being issued to publish that data if the ransom is not paid. There have been several cases where data has been published to encourage victims to pay. One threat group even sent ransom demands to patients demanding payment to prevent the publication of their data, in addition to a ransom demand sent to the covered entity.

The largest data breach of the year was the hacking of American Medical Collection Agency. That single breach impacted multiple healthcare providers and resulted in the theft of more than 20 million patients’ PHI. The 7-month breach was only discovered when patient data was found listed for sale on a dark web marketplace.

Insider data breaches, due to human error and insider wrongdoing, fell by 20% in 2019. Protenus has attributed the reduction to increased adoption of healthcare compliance analytics to detect anomalous behavior as well as improvements to employee education on how to prevent privacy violations.

While this is encouraging, the severity of insider incidents increased in 2019 with 3,800,312 records exposed in insider breaches compared to 2,793,607 records in 2018. 72 of the incidents were confirmed as the result of insider error and 35 incidents were due to insider wrongdoing. 3,659,962 records were breached as a result of human error and 136,566 records were breached in insider wrongdoing incidents.

Healthcare organizations are getting better at detecting breaches. The average time to discover a breach was 255 days in 2018. In 2019, it took an average of 225 days. The median detection time was 44 days. Several insider breaches took more than 4 years to discover, highlighting the need for AI-based solutions that can detect abnormal user activity.

The HIPAA Breach Notification Rule requires data breaches to be reported within 60 days of discovery, yet in 2019 it took an average of 80 days for breaches to be reported, up from 73 days in 2018.

The post 2020 Protenus Breach Barometer Report Reveals 49% Increase in Healthcare Hacking Incidents appeared first on HIPAA Journal.