HIPAA Breach News

Beaumont Health Notifies 112,000 Patients About May 2019 Data Breach

Michigan’s largest healthcare system, Beaumont Health, has announced that unauthorized individuals have gained access to the email accounts of some of its employees and potentially viewed or obtained patient information stored in emails and email attachments.

On March 29, 2020, Beaumont Health learned that the email account breach, which occurred almost 10 months ago, resulted in the exposure and potential theft of patient information. The investigation of the breach revealed the email accounts were accessed by unauthorized individuals between May 23, 2019 and June 3, 2019. A forensic investigation was performed to determine the extent and scope of the breach, along with a manual review of all emails in the compromised accounts. That review has taken some time to complete, hence the delay in issuing breach notification letters.

The breached email accounts were discovered to contain the protected health information of around 5% of its 2.3 million patients, which is around 112,000 individuals. The types of information exposed and potentially stolen varied from patient to patient and may have included names in combination with one or more of the following data elements: Dates of birth, diagnoses, diagnosis codes, treatment locations, treatment types, procedures, prescription information, internal patient account numbers and medical record numbers. A “limited” number of Social Security numbers and other data was also potentially compromised. While email account access was confirmed, it was not possible to tell if the attackers accessed or stole patient information.

The breach has prompted Beaumont Health to provide further training to the workforce to help employees recognize phishing and other malicious emails. Internal procedures have also been revised and additional technical safeguards have been implemented to prevent further breaches in the future.

This is the second data breach to be announced by Beaumont Health this year. In January, the health system notified 1,182 patients that a former employee had been accessing the records of patients who had received treatment after an automobile accident. The former employee is understood to have disclosed the data to a personal injury lawyer.

The post Beaumont Health Notifies 112,000 Patients About May 2019 Data Breach appeared first on HIPAA Journal.

Washington University School of Medicine Breach Impacts 14,795 Oncology Patients

Washington University School of Medicine is notifying 14,795 oncology patients that some of their protected health information was stored in an email account that was breached in January 2020.

An unauthorized individual gained access to the email account of a research supervisor in the Division of Oncology between January 12, 2020 and January 13, 2020 after the supervisor responded to a phishing email. Upon discovery of the breach, immediate action was taken to secure the account and prevent further unauthorized access, and a third-party computer forensics firm was engaged to assist with the investigation.

A painstaking review of emails and email attachments in the account revealed they contained the following patient information: Names, dates of birth, medical record numbers, patient account numbers, limited treatment and/or clinical information, including diagnoses, provider names, and lab test results. Certain patients also had their health insurance information and/or Social Security numbers exposed.

Affected individuals are now being notified about the breach and individuals whose Social Security numbers were potentially compromised have been offered complimentary membership to credit monitoring and identity protection services.

Washington University School of Medicine has taken steps to improve email security and has reinforced education with its employees to help them identify suspicious emails.

Phishing Attack Reported by Doctors Community Medical Center

Doctors Community Medical Center in Maryland is alerting certain patients to a breach of their protected health information.

The data breach was identified in January 2020 when suspicious activity was detected in its payroll system. An investigation into the breach revealed a small number of employees had been duped by phishing emails and had disclosed their account credentials to the attackers. In addition to gaining access to the employees’ email accounts, the attackers also had access to the employees’ payroll information.

The investigation confirmed that the first accounts were breached on November 6, 2019, with access possible until January 30, 2020. Around February 13, 2020, Doctors Community Medical Center determined that some of the compromised email accounts contained data sheets that included patient information.

A forensic investigation conducted by third-party investigators was unable to confirm if patient data had been accessed, copied, or disclosed, although no reports have been received to suggest patient information has been misused. Since unauthorized data access could not be ruled out, patients have been notified and offered complimentary credit monitoring and identity restoration services.

The types of information that were potentially compromised included names, addresses, dates of birth, Social Security numbers, driver’s license numbers, military identification numbers, financial account information, diagnoses, treatment information, prescription information, provider names, medical record numbers, patient IDs, Medicare/Medicaid numbers, health insurance information, treatment cost information, and access credentials.

The health system is reviewing and updating its policies and procedures and additional safeguards will be implemented to prevent further attacks.

PHI of 16,600 Patients Potentially Compromised in Ransomware Attack on Andrews Braces

The Sparks, NV orthodontics practice, Andrews Braces, has experienced a ransomware attack that resulted in the encryption of patient data. The attack was discovered on February 14, 2020, with the subsequent investigation determining the ransomware was downloaded the previous day.

The practice hired a third-party forensic investigator to assess the scope and extent of the attack and determine whether patient information had been accessed or exfiltrated prior to encryption. While it is not uncommon for ransomware attacks to involve data theft, the investigation did not uncover any evidence to suggest data had been obtained by the attackers. This appeared to be an automated attack with the sole aim of encrypting data to extort money from the practice.

The practice regularly backed up patient data and stored its backups securely, so it was possible to restore the encrypted files without paying the ransom. Data theft is not suspected but the possibility could not be ruled out, so notification letters have been sent to all affected patients. The types of data which could potentially have been accessed by the attacker included names, addresses, dates of birth, Social Security numbers, email addresses, and health information.

Andrews Braces has now implemented additional security solutions and has taken other steps to harden security to prevent further attacks in the future.

EVERSANA Sends Notification Letters to Patients About 2019 Data Breach

EVERSANA, an independent provider of global services to the life sciences industry, has discovered an unauthorized individual gained access to the email accounts of some of its employees in 2019.

EVERSANA was notified about unusual activity in its employees’ accounts and determined that the accounts had been accessed by an unauthorized individual through a legacy technology environment. The investigation revealed the accounts were compromised between April 1 and July 3, 2019.

The accounts contained information from a limited number of patient services programs. No evidence of unauthorized data access was found, but it is possible that the attacker(s) accessed the sensitive information of certain patients. A comprehensive review of the affected accounts concluded in February and confirmed the following data elements were potentially compromised: Names, addresses, Social Security numbers, driver’s license numbers, state identification numbers, passport numbers, tax identification numbers, debit/credit card information, financial account information, usernames and passwords, health information, treatment information, diagnoses, provider names, MRN/patient ID numbers, Medicare/Medicaid numbers, health insurance information, treatment cost information, and/or prescription information.

EVERSANA has updated its legacy technology environment and has implemented further safeguards to strengthen security. Affected individuals have now been notified and offered 12 months’ complimentary membership to credit monitoring and identity restoration services.

The incident has yet to appear on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected by the breach.

Phishing Attacks Reported by Hartford Healthcare and Saint Francis Ministries

The Saint Francis Ministries health system has announced that the email account of one of its employees was accessed by an unauthorized individual, who may have obtained patient information.

The breach was identified on December 19, 2019 when suspicious activity was detected in an employee’s email account. A third-party computer forensics firm was engaged to investigate the breach and determined on February 12, 2020 that the account was subjected to unauthorized access between December 13, 2019 and December 20, 2019. It was not possible to tell if the attacker accessed emails containing patient information or downloaded any email data, but no reports have been received to suggest any patient information has been misused.

A review of the affected accounts was completed on March 24, 2020 which revealed that the following information was potentially compromised: Name, date of birth, Social Security number, driver’s license number, state ID number, bank/financial account number, credit or debit card number, diagnosis, treatment information, prescription information, provider name, medical record number, Medicare/Medicaid number, health insurance information, treatment cost information, and username and password.

Saint Francis Ministries started mailing notification letters to affected individuals on April 12. Complimentary credit monitoring and identity theft protection services have been offered to affected patients and steps are being taken to improve email security to prevent similar breaches in the future.

2,651 Patients of Hartford Healthcare Potentially Impacted by Phishing Attack

Hartford Healthcare, a healthcare network serving patients in Connecticut and Rhode Island, announced on April 13, 2020 that it has been the victim of a phishing attack. The attack was discovered on February 13, 2020 when unusual activity was detected in the email accounts of two employees.

Assisted by a third-party computer forensics team, Hartford Healthcare determined that the attackers accessed the email accounts between February 13 and February 14, 2020.

At least one of the email accounts was discovered to include the protected health information of certain patients, such as names, medical record numbers, health insurance information, and other health-related data. The email accounts also contained the Social Security numbers of 23 patients.

Hartford Healthcare said 2,651 patients have been affected and are now being notified. The 23 individuals whose Social Security number was potentially compromised have been offered complimentary credit monitoring and identity theft protection services for 2 years.

Ransomware Attack Potentially Impacts More Than 113,000 Patients of Brandywine Urology Consultants

Delaware-based Brandywine Urology Consultants has announced it experienced a ransomware attack on January 25, 2020 that resulted in the encryption of files on its servers and computers. The scope of the attack was limited and the practice’s electronic medical record system was not affected. No medical records were exposed or compromised in the attack.

The practice acted quickly and took steps to isolate the attack and reduce the harm caused. After securing its systems, a complete scan was performed to ensure no malicious software or code remained and it was determined that the attack had been completely neutralized.

A third-party security company was engaged to thoroughly investigate the attack and determine whether the attackers had gained access to or stole patient information. While many ransomware gangs conduct manual attacks and steal data prior to deploying their ransomware payload, the investigation suggests this was an automated attack that was conducted with the sole purpose of encrypting files to extort money from the practice.

The investigation into the attack is ongoing but, to date, no evidence of unauthorized data access or data theft has been uncovered; however, it was not possible to rule out unauthorized data access so notification letters are now being sent to all patients whose protected health information was stored on parts of the system that were compromised in the attack.

According to the substitute breach notice on the Brandywine Urology Consultants website, the types of information that may have been compromised included names, addresses, Social Security numbers, medical file numbers, claims data, and other financial and personal information.

The IT security firm and the practice have been assessing security protections, policies, and procedures and steps have been taken to improve security to ensure the integrity of its systems and prevent future data breaches. The central server used by the practice has been replaced and any computers affected by the attack have either been reimaged or replaced. Antivirus software has been updated and penetration tests are being conducted to identify any other areas where security needs to be improved.

The breach summary on the HHS’ Office for Civil Rights breach portal indicates 131,825 patients were potentially impacted by the attack.

PHI Exposed in Phishing Attacks on Healthcare Resource Group and Confido

The pharmacy benefits consulting firm Confido has started notifying 3,600 of its clients’ employees, members, and their dependents, that some of their personal information has potentially been accessed by an unauthorized individual who gained access to an employee’s email account.

The email account breach was detected on December 12, 2019 and an investigation was launched to determine the scale and scope of the breach. Assisted by a third-party security firm, Confido determined on January 17, 2020 that an unauthorized individual had access to the email account for a period of two weeks between November 29, 2019 and December 12, 2019. It was not possible to determine if information in the email account was downloaded, but the possibility could not be ruled out.

A comprehensive review of the email account revealed it contained names, dates of birth, health insurance information, Social Security numbers, prescription information, treatment information, and clinical information such as diagnoses and provider names.

Individuals affected by the breach were notified on February 10, 2020. Complimentary credit monitoring services have been offered to individuals whose Social Security number was exposed.

The breach has prompted Confido to provide further security awareness training to its employees and additional procedures have been implemented to strengthen email security.

Healthcare Resource Group Phishing Attack Impacts Barlow Respiratory Hospital Patients

Healthcare Resource Group, a provider of billing services to Barlow Respiratory Hospital in Los Angeles, CA, discovered that an employee’s email account was accessed by an unauthorized individual. An investigation was conducted which revealed the email account was accessed between November 4, 2019 and November 30, 2019.

An analysis of the email account revealed emails and attachments contained a limited amount of protected health information of current and former Barlow Respiratory Hospital patients.

A third-party firm was engaged to review the account to determine what types of information had been compromised. The review was completed on February 27, 2020 and revealed patient names had been exposed along with one or more of the following data elements: Date of birth, Social Security number, driver’s license number, medical record number, patient account number, health insurance information, treatment information, and medical billing or claims information.

Healthcare Resource Group sent notifications to affected patients on behalf of Barlow Respiratory Hospital on April 7, 2020. One year’s membership to credit monitoring and identity theft restoration services has been offered to affected patients.

35,800 Patients of The Otis R. Bowen Center for Human Services Notified About Email Security Breach

The Otis R. Bowen Center for Human Services, an Indiana-based provider of mental health and addiction recovery healthcare services, has announced that unauthorized individuals have gained access to the email accounts of two of its employees.

It is unclear when the email account breaches occurred and for how long unauthorized individuals had access to the email accounts. In its website substitute breach notification, The Otis R. Bowen Center said an independent digital forensic investigation revealed on January 28, 2020 that PHI had potentially been accessed as a result of the attack. The review of the accounts has now been completed to determine which patients have been affected, and those individuals have been individually notified by mail. No mention was made about the types of information that were potentially compromised.

The Otis R. Bowen Center said the investigation did not uncover any evidence to suggest that any PHI had been misused as a result of the breach but, out of an abundance of caution, affected individuals have been offered complimentary membership to credit monitoring and identity theft protection services through Kroll.

In response to the breach, The Otis R. Bowen Center has taken steps to improve email and network security and is working closely with leading cybersecurity experts to improve the security of its digital environment.

The Department of Health and Human Services’ breach portal indicates the compromised email accounts contained the protected health information of 35,804 patients.

Phishing Attack Reported by University of Minnesota Physicians

University of Minnesota Physicians has discovered two employee email accounts have been compromised as a result of responses to phishing emails. In each case, the phishing attacks were detected shortly after the email accounts were compromised and action was taken on January 31, 2020 and February 4, 2020 to secure the accounts.

An unauthorized individual had access to one account for less than two days, and the second account was accessible only for a few hours.

A comprehensive investigation was conducted by third-party computer forensics experts, but it was not possible to determine if any emails in the accounts were viewed or copied by the attackers. A review of the email accounts was conducted by third-party specialists who determined the email accounts contained patient names, telephone numbers, addresses, dates of birth, demographic information (race, gender, ethnicity), Social Security numbers, insurance ID numbers, location of treatment, provider names, limited medical history information, and case numbers.

UMPhysicians started sending notification letters to affected individuals on March 30, 2020 and is offering complimentary membership to credit monitoring and identity theft protection services through Kroll for 12 months.

UMPhysicians said multiple email security controls were in place at the time the email accounts were attacked, including multi-factor authentication. Employees had also been provided with security awareness training and phishing simulation exercises are regularly conducted.

Refresher training has now been provided to employees and UMPhysicians is looking into measures that can be implemented to further improve email security.

The OCR breach portal indicates 683 patients were affected by the breach.

Ransomware Attacks Reported by Stockdale Radiology and Affordacare Urgent Care Clinics

Stockdale Radiology in California has announced that patient data has been compromised as a result of a ransomware attack on January 17, 2020.

An internal investigation confirmed that the attackers gained access to patients’ first and last names, addresses, refund logs, and personal health information, including doctor’s notes. Stockdale Radiology said a limited number of patient files were publicly exposed by the attackers. Stockdale Radiology also discovered on January 29, 2020, that further patient information may have been accessed, but has not been publicly disclosed.

Systems were immediately shut down to prevent any further unauthorized data access and a third-party computer forensics firm was engaged to investigate the breach and determine how access was gained and who was affected. The FBI was immediately notified about the attack and arrived at Stockdale Radiology within 30 minutes. The FBI investigation into the breach is ongoing.

In response to the attack, Stockdale Radiology has conducted a review of internal data management and its security protocols and has taken steps to enhance cybersecurity to prevent further attacks in the future.

According to the breach report on the HHS’ Office for Civil Rights website, 10,700 patients were affected by the breach.

Affordacare Urgent Care Clinics Suffer Ransomware Attack

Abilene, TX-based Affordacare Urgent Care Clinics has started notifying patients that some of their protected health information may have been compromised as a result of a ransomware attack. The attack was discovered on February 4, 2020 and is believed to have started on or around February 1, 2020.

An analysis of the breach revealed the attackers gained access to its servers and deployed Maze ransomware. Prior to deploying the ransomware, the attackers downloaded patient information. Some of that data has been publicly exposed.

The types of data on the compromised servers included names, addresses, telephone numbers, ages, dates of birth, visit dates, visit locations, reasons for visits, health insurance provider names, health insurance policy numbers, insurance group numbers, treatment codes and descriptions, and healthcare provider comments. No financial information, electronic health records, or Social Security numbers were compromised.

Affected individuals have been offered complimentary credit monitoring, identity theft protection, and identity recovery services.

Improper Disposal Incident Reported by Georgia Department of Human Services

The Georgia Department of Human Services has announced that staff in Augusta, GA improperly disposed of boxes of confidential case files containing the records of individuals who received services from the Division of Family & Children Services (DFCS) before June 12, 2017 and individuals who received services from the Division of Aging Services (DAS) before 2017.

After being alerted to the incident, immediate action was taken to recover the boxes to prevent them from being accessed by unauthorized individuals. The Georgia Department of Human Services does not believe the files were accessed by unauthorized individuals during the time the files were left unprotected. All affected patients are being notified about the breach and policies and procedures are being reviewed to prevent similar incidents in the future.

According to the breach summary on the HHS’ Office for Civil Rights breach portal, the files contained the records of up to 500 individuals.

Email Error at NeoGenomics Impacts 911 Patients

NeoGenomics is alerting 911 patients that some of their PHI has been accidentally disclosed to an unauthorized individual.

On January 28, an employee was communicating with a patient about completing and returning a form to NeoGenomics and accidentally attached and sent the wrong Excel spreadsheet. The spreadsheet sent to the patient included data of patients who had laboratory tests performed between January 2018 and October 2019.

The spreadsheet contained patients’ first and last names, dates of birth, and the name of the tests performed by NeoGenomics. The results of the tests were not included in the spreadsheet and no other information was impermissibly disclosed. The error was reported to NeoGenomics by the patient, who confirmed in writing that the spreadsheet has been deleted.

Out of an abundance of caution, NeoGenomics has offered affected individuals complimentary credit monitoring services. NeoGenomics reports that the individual who made the error has been retrained and the workforce has been instructed to check documents and spreadsheets to ensure they are correct before being sent via email.

California Business Associate Reports Potential Breach of Upwards of 70,000 Records

Stephan C Dean, the co-owner of the California record storage firm Surefile, reported a hacking/IT incident to the HHS’ Office for Civil Rights (OCR) on March 4, 2020 as impacting upwards of 70,000 individuals.

Stephan Dean and his wife have been engaged in a long-running legal dispute with Kaiser Permanente over the return and deletion of electronic files containing patient information. Kaiser Permanente has been trying to get the files permanently deleted; however, Stephan Dean insists that Kaiser Permanente owes him money for services rendered. The on-and-off legal action was eventually dropped, but the emails were never returned or deleted.

Surefile worked with Kaiser Permanente and was provided with paper copies of medical records in 2008. When the agreement between Surefile and Kaiser Permanente ended, Stephan Dean returned the paper copies of the medical records to Kaiser Permanente; however, emails containing patient information that were sent to Stephan Dean by Kaiser Permanente remained on his computer. Stephan Dean filed a complaint with OCR over alleged HIPAA violations relating to the emails and lack of a business associate agreement, and while a case was opened and the matter was investigated by OCR, it was eventually closed with no penalty issued.

On August 20, 2019, Stephan Dean was informed by Microsoft that an unauthorized individual may have compromised his MSN email account. The account in question contained files such as spreadsheets that had been sent to Stephan Dean by Kaiser Permanente.

Stephan Dean recently spoke with Dissent of databreaches.net and explained that the 70,000 records only represent a sample of the data and the actual number, which could only be determined with forensic accounting, could well be close to 1 million records.

Databreaches.net reported on the initial breach in 2012 and continued to cover the story. A detailed write-up of the legal dispute and the latest breach can be found at the following link: https://www.databreaches.net/an-old-hipaa-incident-rears-its-very-ugly-head-again/

Golden Valley Health Centers Alerts Patients to Email Security Breach

Golden Valley Health Centers, a network of healthcare centers in the Merced, Modesto, and Central Valley regions of California, is alerting patients that some of their protected health information has been exposed. Patient information was stored in emails and email attachments in an account that was accessed by an unauthorized individual. The breach was discovered on March 3, 2020 and forensic investigators were called in to investigate.

An analysis of the accounts revealed they contained names, billing information, health insurance information, appointment records, and patient referral information. While the investigation confirmed that the email account had been accessed by an unauthorized individual, no evidence of data theft or data misuse was uncovered.

In response to the breach, Golden Valley Health Centers is reviewing and revising its information security policies and privacy practices and further training has been provided to the workforce.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.