HIPAA Breach News

December 2019 Healthcare Data Breach Report

There were 38 healthcare data breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights in December 2019, an increase of 8.57% from November 2019.

While the number of breaches increased, there was a major reduction in the number of exposed healthcare records, falling from 607,728 records in November 2019 to 393,189 records in December 2019, a drop of 35.30%. In December the mean breach size was 10,347 records and the median breach size was 3,650 records.

It has been a particularly bad year for healthcare data breaches. 2019 was the second worst ever year for healthcare data breaches in terms of the number of patients impacted by breaches. 41,232,527 healthcare records were exposed, stolen, or impermissibly disclosed in 2019. That’s 195.61% more than 2018. More healthcare records were breached in 2019 than in the previous three years combined.

[Chart: Healthcare records exposed by year]

The number of reported data breaches also increased 36.12% year-over-year, from 371 breaches in 2018 to 505 breaches in 2019. That makes 2019 the worst ever year in terms of the number of reported healthcare data breaches.

[Chart: Healthcare data breaches in 2019]

Largest Healthcare Data Breaches in December 2019

The largest healthcare data breach reported in December affected Truman Medical Center in Kansas City, MO and involved the protected health information of 114,466 patients. The records were stored on a company-owned laptop computer that was stolen from the vehicle of an employee. The laptop was password-protected but was not encrypted.

8 of the top 10 breaches in December were hacking/IT incidents. The Adventist Health Simi Valley, Healthcare Administrative Partners, Cheyenne Regional Medical Center, SEES Group, and Sinai Health System breaches were due to phishing attacks. Roosevelt General Hospital discovered malware on an imaging server and Children’s Choice Pediatrics experienced a ransomware attack.

The Colorado Department of Human Services breach was due to a coding error on a mailing and Texas Family Psychology Associates discovered an unauthorized individual had accessed its electronic medical record system.

Name of Covered Entity | Covered Entity Type | Type of Breach | Individuals Affected
Truman Medical Center, Incorporated | Healthcare Provider | Theft | 114,466
Adventist Health Simi Valley | Healthcare Provider | Hacking/IT Incident | 62,000
Roosevelt General Hospital | Healthcare Provider | Hacking/IT Incident | 28,847
Healthcare Administrative Partners | Business Associate | Hacking/IT Incident | 17,693
Cheyenne Regional Medical Center | Healthcare Provider | Hacking/IT Incident | 17,549
SEES Group, LLC | Healthcare Provider | Hacking/IT Incident | 13,000
PediHealth, PLLC, dba Children’s Choice Pediatrics | Healthcare Provider | Hacking/IT Incident | 12,689
Sinai Health System | Healthcare Provider | Hacking/IT Incident | 12,578
Colorado Department of Human Services | Healthcare Provider | Hacking/IT Incident | 12,230
Texas Family Psychology Associates, P.C. | Healthcare Provider | Unauthorized Access/Disclosure | 12,000


Entities Affected by December 2019 Healthcare Data Breaches

28 healthcare providers reported breaches of 500 or more healthcare records in December. Four health plans were affected by data breaches and 6 business associates of covered entities reported a breach. One additional breach had some business associate involvement, but the breach was reported by the covered entity.

[Chart: December 2019 healthcare data breaches by covered entity type]

Causes of December 2019 Healthcare Data Breaches

There were 21 hacking/IT incidents reported by HIPAA-covered entities and business associates in December. 226,774 healthcare records were exposed or stolen in those incidents. The mean breach size was 10,798 records and the median breach size was 5,991 records. The incidents mostly consisted of phishing attacks, ransomware and malware infections, and coding errors.

There were 11 cases of unauthorized accessing of healthcare data and impermissible disclosures of protected health information due to a mix of insider errors and malicious actions by employees. These incidents involved 46,364 healthcare records. The mean breach size was 4,214 records and the median breach size was 3,500 records.

There were two theft incidents reported and three incidents involving lost electronic devices and paperwork containing protected health information. 118,877 records were lost or stolen in those incidents. The mean breach size was 23,775 records and the median breach size was 1,100 records. There was also one case of incorrect disposal of paperwork involving documents containing the PHI of 1,174 patients.

[Chart: Causes of December 2019 healthcare data breaches]

Location of Breached Protected Health Information

The chart below clearly indicates the difficulty healthcare organizations have securing their email systems and protecting them against unauthorized access. The majority of the email incidents in December 2019 were phishing attacks in which unauthorized individuals obtained the login credentials of employees and used them to remotely access their email accounts.

Email security solutions can block the majority of phishing and malware-laced emails, but some phishing emails will slip through the net. It is therefore important, and a requirement of HIPAA, to provide regular security awareness training to employees to help them identify malicious emails. Multi-factor authentication should also be implemented: if email credentials are obtained by unauthorized individuals, in the vast majority of cases MFA will prevent those credentials from being used to remotely access email accounts.
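The compromise pattern described above, a phished credential used to sign in to a mailbox from somewhere the employee never works, usually without MFA, leaves a trace in sign-in logs long before the account review finds PHI in the inbox. As an added illustration (example code, not from HIPAA Journal or any of the organizations named on this page), the Python below scans constructed sign-in events for two such signals: a successful sign-in without MFA from a country outside the user's baseline, and two successful sign-ins from different countries too close together to be the same person. The JSON field names (ts, user, ip, country, result, mfa) are an assumed simplified schema, not the real Office 365 or Azure AD sign-in log format, and the events and addresses are made up.

```python
"""Flag mailbox sign-ins that look like a phished credential being used remotely.

Added example; not code from HIPAA Journal or any entity it reports on.

Two rules are applied to successful sign-ins only:
  * new-country-no-mfa: sign-in without MFA from a country not yet in the
    user's baseline of previously seen countries;
  * impossible-travel: two successes for one user from different countries
    within TRAVEL_WINDOW of each other.
The event schema (ts, user, ip, country, result, mfa) is an assumption made
for illustration; real Office 365 / Azure AD sign-in logs use other names.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data), one JSON object per line.
SAMPLE_EVENTS = """
{"ts": "2019-11-05T08:02:11Z", "user": "jdoe@example-hospital.org", "ip": "203.0.113.10", "country": "US", "result": "success", "mfa": true}
{"ts": "2019-11-05T08:40:00Z", "user": "jdoe@example-hospital.org", "ip": "203.0.113.10", "country": "US", "result": "success", "mfa": true}
{"ts": "2019-11-05T09:15:42Z", "user": "jdoe@example-hospital.org", "ip": "198.51.100.77", "country": "NG", "result": "success", "mfa": false}
{"ts": "2019-11-05T09:20:00Z", "user": "asmith@example-hospital.org", "ip": "203.0.113.22", "country": "US", "result": "failure", "mfa": false}
{"ts": "2019-11-05T09:21:00Z", "user": "asmith@example-hospital.org", "ip": "203.0.113.22", "country": "US", "result": "success", "mfa": true}
"""

# Two countries within this window cannot plausibly be one traveller.
TRAVEL_WINDOW = timedelta(hours=2)


def parse_events(text):
    """Parse JSON-lines sign-in events and return them sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_suspicious_signins(events, known_countries=None):
    """Return a list of (user, reason, event) for sign-ins that warrant review.

    known_countries maps user -> set of countries seen in an earlier baseline
    period. It is copied and then extended as events are processed, so a
    user's first-ever sign-in in the data never triggers the new-country rule
    (there is no baseline to compare against yet).
    """
    known = defaultdict(set)
    for user, countries in (known_countries or {}).items():
        known[user].update(countries)
    last_success = {}
    alerts = []
    for ev in events:
        if ev["result"] != "success":
            continue  # failed attempts are noise for these two rules
        user, country = ev["user"], ev["country"]
        if known[user] and country not in known[user] and not ev["mfa"]:
            alerts.append((user, "new-country-no-mfa", ev))
        prev = last_success.get(user)
        if prev and prev["country"] != country and ev["ts"] - prev["ts"] <= TRAVEL_WINDOW:
            alerts.append((user, "impossible-travel", ev))
        known[user].add(country)
        last_success[user] = ev
    return alerts


if __name__ == "__main__":
    for user, reason, ev in detect_suspicious_signins(parse_events(SAMPLE_EVENTS)):
        print(f"{ev['ts'].isoformat()} {user} {reason} ip={ev['ip']} country={ev['country']}")
```

Run as a script, the block prints the two alerts raised by the third event. Pre-seeding known_countries from an earlier period of logs suppresses the new-country rule for locations a user has legitimately worked from, while the impossible-travel rule still fires on the same pair of sign-ins; in practice the baseline should come from weeks of prior logs rather than the window being analysed.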

[Chart: Location of breached PHI, December 2019]

December 2019 Healthcare Data Breaches by State

December data breaches were reported by HIPAA-covered entities and business associates in 22 states and the District of Columbia. Texas was the worst affected with 4 breaches; 4 breaches were also reported by entities based in California and Illinois, Florida experienced 3 breaches, and two breaches were reported by entities based in Colorado, Georgia, and Tennessee.

A single breach was reported by entities based in Alaska, Connecticut, Louisiana, Maryland, Michigan, Missouri, New Mexico, New York, Ohio, Oklahoma, Pennsylvania, North Carolina, South Carolina, Washington, Wyoming, and the District of Columbia.

HIPAA Enforcement Activity in December 2019

The Department of Health and Human Services’ Office for Civil Rights closed December with two further enforcement actions against covered entities that were discovered to have violated the HIPAA Rules.

The first financial penalty of the month to be announced was a settlement with Korunda Medical LLC. This was the second financial penalty imposed on a HIPAA-covered entity under OCR’s HIPAA Right of Access Initiative. OCR investigated Korunda Medical following receipt of a complaint from a patient who had not been provided with a copy of her medical records. OCR issued technical assistance, but a further patient submitted a similar complaint a few days later and a financial penalty was determined to be appropriate. Korunda Medical settled the case for $85,000.

The second penalty was imposed on West Georgia Ambulance for multiple violations of HIPAA Rules. OCR launched an investigation following receipt of a breach notification about the loss of an unencrypted laptop computer. OCR discovered longstanding noncompliance with several aspects of the HIPAA Rules. A risk analysis had not been conducted, there was no security awareness training program for employees, and West Georgia Ambulance had failed to implement HIPAA Security Rule policies and procedures. West Georgia Ambulance settled the case for $65,000.

2019 HIPAA Enforcement Actions

In total, 10 financial penalties were imposed on covered entities and business associates in 2019, comprising 2 Civil Monetary Penalties and 8 settlements totaling $12,274,000.

Entity | Penalty | Penalty Type
West Georgia Ambulance | $65,000 | Settlement
Korunda Medical, LLC | $85,000 | Settlement
Sentara Hospitals | $2,175,000 | Settlement
Texas Department of Aging and Disability Services | $1,600,000 | Civil Monetary Penalty
University of Rochester Medical Center | $3,000,000 | Settlement
Jackson Health System | $2,154,000 | Civil Monetary Penalty
Elite Dental Associates | $10,000 | Settlement
Bayfront Health St Petersburg | $85,000 | Settlement
Medical Informatics Engineering | $100,000 | Settlement
Touchstone Medical Imaging | $3,000,000 | Settlement

Figures for this report were calculated from the U.S. Department of Health and Human Services’ Office for Civil Rights Research Report on January 21, 2020.

The post December 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.

Phishing Attack Reported by Adventist Health Sonora

Adventist Health Sonora in California has discovered that an unauthorized individual gained access to the email account of a hospital associate and potentially viewed patient information.

The email account breach was detected by Adventist Health Sonora’s information security team on September 30, 2019. Immediate action was taken to secure the compromised Office 365 account and an investigation was launched to determine the extent of the breach.

The investigation confirmed that access to the Office 365 account was gained following a response to a phishing email and that it was an isolated incident. No other email accounts or systems were affected.

The purpose of the attack appears to have been to redirect invoice payments and defraud the hospital and its vendors, rather than to obtain sensitive patient information.

According to Adventist Health Sonora, a comprehensive review of the affected account revealed on October 14, 2019 that the account contained the protected health information of 2,653 patients. The types of information exposed included names, dates of birth, medical record numbers, health insurance information, hospital account numbers, and medical information related to the care provided at the hospital.

No evidence was uncovered to suggest any patient information was acquired by the attacker but, out of an abundance of caution, affected patients have been notified and offered complimentary identity theft protection services for 12 months.

Great Plains Health Has Recovered 80% of Systems Impacted by November 2019 Ransomware Attack

Great Plains Health in North Platte, NE, experienced a ransomware attack in November 2019 which saw its network encrypted. The decision was taken not to pay the ransom and instead to restore systems from backups. It has been a time-consuming and painstaking process, but hospital officials have announced that the process is now 80% completed.

Restoration of systems was prioritized with the most important patient systems restored first. It took two weeks for critical patient systems to be recovered. Members of staff worked round the clock to ensure systems were restored in the shortest possible time frame. Throughout the attack and recovery process patients continued to receive medical services and no patients were turned away or redirected to other healthcare facilities.

Hospital officials have now announced that all major IT systems have now been brought back online and the ransomware attack is no longer having any impact on any kind of patient care. Only archives now need to be restored, which contain information rarely used by the hospital.

Health Quest Discovers Additional Patients Impacted by 2018 Phishing Attack

Health Quest, now part of Nuvance Health, has discovered the phishing attack it experienced in July 2018 was more extensive than previously thought.

Several employees were tricked into disclosing their email credentials by phishing emails, which allowed unauthorized individuals to access their accounts. A leading cybersecurity firm was engaged to assist with the investigation and determine whether any patient information had been compromised.

In May 2019, Health Quest learned that the protected health information of 28,910 patients was contained in emails and attachments in the affected accounts, and notification letters were sent to those individuals. The compromised accounts contained patient names, contact information, claims information, and some health data.

A secondary investigation of the breach revealed on October 25, 2019 that another employee’s email account containing protected health information had been compromised. According to the substitute breach notification on the Health Quest website, the compromised information varied from patient to patient, but may have included one or more of the following data elements in addition to names:

Dates of birth, Social Security numbers, driver’s license numbers, Medicare Health Insurance Claim Numbers (HICNs), provider name(s), dates of treatment, treatment and diagnosis information, health insurance plan member and group numbers, health insurance claims information, financial account information with PIN/security code, and payment card information.

No evidence of unauthorized viewing of patient data was uncovered and no reports have been received to indicate any patient information was misused. Out of an abundance of caution additional letters were mailed to patients on January 10, 2020.

Health Quest is now using multi-factor authentication on its email accounts, has strengthened security processes, and has provided additional training to its employees on phishing and other cybersecurity issues.

It is currently unclear how many additional patients have been affected. At the time of posting, the breach report on the HHS’ Office for Civil Rights breach portal still states that 28,910 individuals were impacted.

44,000 Patients Impacted by Phishing Attacks on InterMed and Spectrum Healthcare Partners

The Portland, ME-based healthcare provider InterMed is notifying 33,000 patients that some of their protected health information has potentially been compromised as a result of a phishing attack.

The attack was detected on September 6, 2019. An internal investigation confirmed that the account was compromised on September 4 and the attackers had access to the account until September 6, 2019.

A leading national computer forensic firm was engaged to investigate the breach and discovered a further three email accounts had also been compromised between September 7 and September 10, 2019.

A comprehensive review of the affected email accounts was conducted but it was not possible to determine what emails or attachments, if any, had been viewed by the attackers.

The types of information in the compromised accounts varied from patient to patient and may have included patients’ names, dates of birth, health insurance information, and some clinical information. A “very limited” number of patients also had their Social Security number exposed.

InterMed started mailing breach notification letters to affected patients on November 5, 2019. Complimentary credit monitoring and identity protection services have been offered to patients whose Social Security number was exposed.

Steps have now been taken to improve email security and training has been reinforced to ensure employees adhere to email security best practices.

Phishing Attack Impacts 11,308 Patients of Central Maine Orthopaedics

11,308 patients of Central Maine Orthopaedics, part of Spectrum Healthcare Partners, are being notified that some of their protected health information has potentially been viewed by an unauthorized individual who gained access to the email account of one of its employees.

Spectrum Healthcare Partners discovered the unauthorized access on November 14, 2019 and immediately secured the affected account. The investigation revealed the account had been breached on November 5, 2019. A review of the emails and attachments in the account revealed they contained patients’ names, dates of birth, addresses, health insurance information, clinical and treatment information, and amounts owed to Central Maine Orthopaedics.

While it was confirmed that the attacker remotely accessed the account, no evidence was uncovered to suggest patient information was obtained or misused.

Affected patients were notified out of an abundance of caution on January 13, 2020 and have been advised to monitor their explanation of benefits and account statements for any sign of fraudulent use of their information.

Spectrum Healthcare Partners has strengthened its technical controls and is providing more stringent security training to employees.

4,564-Record Breach Reported by Children’s Hope Alliance

The Barium Springs, NC-based child welfare agency, Children’s Hope Alliance, has announced that a laptop computer containing sensitive information has been stolen.

According to the substitute breach notice on the Children’s Hope Alliance website, the laptop was stolen on October 7, 2019. A digital forensic firm was engaged to determine whether the laptop contained any sensitive information. The investigation is ongoing, but the initial findings show that documents on the device contained information such as names, addresses, Social Security numbers, tax identification numbers, dates of birth, usernames and passwords, and medication and dosage information.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 4,564 individuals have been impacted. The breach summary states that this was a hacking/IT incident involving email. It is unclear at this stage whether this is an error, a separate breach, or if the laptop was used to hack into the employee’s email account.

Phishing Attack on SouthEast Eye Specialist Group Impacts 13,000 Patients

SouthEast Eye Specialist (SEES) Group in Franklin, TN, is notifying 13,000 patients that some of their protected health information has been exposed as a result of a recent phishing attack.

It is unclear from the SEES Group’s substitute breach notice when the phishing attack occurred, but on November 1, 2019, SEES Group determined patient information was contained in email accounts that were accessed by unknown individuals.

The breach was discovered when the IT department identified suspicious activity in some employee email accounts. A third-party computer forensics company was retained to assist with the investigation and determine whether any emails or email attachments containing patient information had been viewed or copied by the attackers.

The investigation uncovered no evidence to suggest that patient information was viewed or obtained by unauthorized individuals, but it was not possible to rule out the possibility that patient information had been compromised.

A painstaking analysis of all emails in the affected accounts revealed they contained information on patients including names, treatment information, and Social Security numbers.

SEES Group is now reviewing its information security policies and procedures and email security will be augmented to prevent similar incidents from occurring in the future.

2,008 Patients Notified About btyDental Ransomware Attack

btyDental, a network of dental practices in Anchorage, AK, is notifying 2,008 patients about a ransomware attack that involved some of their protected health information.

Ransomware was installed on some of its servers on or around November 17, 2019. The servers contained patients’ X-ray images along with their names. The servers contained no other protected health information, which was stored in systems unaffected by the attack.

Steps were immediately taken to restore the affected servers and third-party IT consultants were retained to assist with the investigation. No evidence was found to suggest any patient images were accessed or obtained by the attackers.

btyDental has reviewed its security policies and procedures and has taken steps to prevent similar attacks from occurring in the future and will continue to evaluate the security of its systems and implement the most up-to-date security measures.

Enloe Medical Center Continues to Experience EMR Downtime Due to Ransomware Attack

A California healthcare provider was attacked with ransomware and, two weeks on, its medical record system is still out of action.

Enloe Medical Center in Chico, CA, discovered the attack on January 2, 2020. Its entire network was encrypted, including its electronic medical record (EMR) system, which prevented staff from accessing patient information. Emergency protocols were immediately implemented to ensure care could still be provided to patients and only a limited number of elective medical procedures had to be rescheduled.

The attack also affected the telephone system which was taken out of action on the day of the attack. The telephone system was restored the following day but its EMR system is still out of action and employees are continuing to rely on pen and paper for recording patient data.

While there were some cancelled appointments in the first week after the attack, Enloe Medical Center says care is being provided to patients without delay while work continues to restore its systems. No information has been released on the type of ransomware involved, but the initial findings of the investigation suggest patient data has not been compromised.

“Upon learning of this incident, we immediately took steps to restore critical operating systems and ensure the security of our network. At this point in time, we have no indication or evidence that suggests patient medical data has been compromised,” said Kevin Woodward, Enloe’s chief financial officer. The ransomware attack has been reported to local and federal law enforcement agencies and the investigation is continuing.

Ransomware attacks have been increasing throughout 2019 and there are no signs of the attacks abating. In addition to file encryption, several ransomware gangs have adopted a new tactic to increase the probability of the ransom being paid. Prior to the deployment of ransomware, sensitive data is being stolen.

Recent attacks involving the MegaCortex, LockerGoga, Maze, and Sodinokibi ransomware variants have seen data stolen prior to the deployment of ransomware. The threat actors using Maze and Sodinokibi ransomware have issued threats to expose the stolen data if the ransom is not paid. Both have followed through on those threats and have published sensitive data when the decision was taken not to pay the ransom.

Ransomware Attacks Reported by Florida and Texas Healthcare Providers

It is becoming increasingly common for threat actors to use ransomware to encrypt files to prevent data access, but also to steal data and threaten to publish or sell on the stolen data if the ransom is not paid. This new tactic is intended to increase the likelihood of victims paying the ransom.

The Center for Facial Restoration in Miramar, FL, is one of the latest healthcare providers to experience such an attack. Richard E. Davis MD FACS of The Center for Facial Restoration received a ransom demand on November 8, 2019 informing him that his clinic’s server had been breached and data had been stolen. The attacker said the data could be publicly exposed or traded with third parties if the ransom was not paid.

Dr. Davis filed a complaint with the FBI’s Cyber Crimes Center and met with the FBI agents investigating the attack. After the attack occurred, Dr. Davis was contacted by around 15-20 patients who had also been contacted by the attacker and issued with a ransom demand. The patients were told that their photographs and personal data would be published if the ransom demand was not paid.

According to Dr. Davis’s substitute breach notice, the compromised server contained the data of approximately 3,600 patients. While it is possible the attackers stole the files of all patients, there are reasons to suspect only a very small number of patient photographs and personal data may have been stolen.

It has taken some time to determine which patients have been affected as much of the information held on patients was stored as scanned patient intake forms rather than a database. Each file had to be opened and checked manually and that was a painstakingly slow and labor intensive process.

The types of data exposed were limited to photocopies of driver’s licenses or passports, home addresses, email addresses, telephone numbers, insurance policy numbers, and credit card numbers, most of which only showed the last 4 digits.

All patients potentially affected by the attack have now been notified and steps have been taken to improve security, including replacing all hard drives and implementing new firewalls and anti-malware software. The ransom demand was not paid.

Children’s Choice Pediatrics Ransomware Attack Impacts 12,689 Patients

Children’s Choice Pediatrics in McKinney, TX, is notifying 12,689 patients that some of their protected health information may have been accessed by unauthorized individuals who used ransomware to try to extort money from the practice.

The attack occurred on or around October 27, 2019 and resulted in the encryption of data on its network. Children’s Choice had backed up all data and attempts were made to recover all files encrypted by the ransomware. That process has been completed, but it was not possible to restore all patient data. Some patient records could not be recovered.

Affected patients have been advised to be alert to the possibility of data misuse and to monitor their account statements for signs of fraudulent activity. No reports have been received to suggest any patient data was stolen or has been misused. Children’s Choice has now strengthened security to prevent similar attacks from occurring in the future.

Alomere Health Phishing Attack Impacts 49,351 Patients

Alomere Health in Alexandria, MN is notifying almost 50,000 patients that some of their protected health information was potentially accessed by unauthorized individuals as a result of a phishing attack.

Alomere Health learned about the phishing attack on November 6, 2019 and launched an internal investigation which confirmed the account was accessed by an unauthorized individual between October 31 and November 1, 2019.

A computer forensics company was engaged to assist with the investigation and discovered on November 10, 2019 that a second email account had been breached on November 6.

A comprehensive review of the compromised accounts revealed some emails and email attachments contained protected health information. The types of information potentially compromised in the attack varied from patient to patient and may have included the following data elements: Names, addresses, dates of birth, medical record numbers, health insurance information, treatment information, and/or diagnosis information. A limited number of Social Security numbers and driver’s license numbers were also found in the accounts.

Alomere Health was unable to confirm whether any emails or email attachments containing protected health information were accessed or copied by the attackers, but unauthorized PHI access and data theft could not be ruled out. On January 3, 2020, Alomere Health sent notifications to all 49,351 patients whose information was present in the email accounts.

Individuals whose Social Security number or driver’s license number were exposed have been offered complimentary credit monitoring and identity theft protection services for 12 months. No reports of misuse of patient information have been received to date.

Alomere Health has now added more layers to its cyber defenses and further security awareness training has been given to employees to help them identify phishing emails and other email-based threats.

Up to 25K Patients of the Native American Rehabilitation Association of the Northwest Affected by Malware Attack

Portland, OR-based Native American Rehabilitation Association of the Northwest, Inc. (NARA), a provider of education, physical and mental health services, and substance abuse treatment services to Native Americans, is alerting certain individuals about a malware infection that potentially allowed unauthorized individuals to gain access to their protected health information.

NARA reports that the attack occurred on November 4, 2019. The malware initially bypassed security systems but was detected later that afternoon. The threat was contained by November 5, 2019 and all passwords on email accounts were reset by November 6.

The malware was determined to be the Emotet Trojan, a credential stealer that can also exfiltrate emails and email attachments. It is therefore possible that the attackers obtained emails and attachments in the compromised accounts, some of which included protected health information.

According to a NARA press release issued on January 3, 2020, the forensic investigation confirmed that the protected health information of 344 individuals was either accessed by the attackers or there was a high risk of the information being accessed. Another group of patients was also potentially affected. For this group, no evidence of unauthorized access was found.

The types of information contained in the email accounts varied from person to person and may have included names, home addresses, Social Security numbers, birth dates, and medical record or patient ID numbers. A limited number of individuals also had clinical information exposed, including diagnoses, services received, treatment information, and treatment dates.

In total, up to 25,187 individuals may have been affected, according to the HHS’ Office for Civil Rights’ Breach portal.

“It is sad that there are people in the world whose intent is to cause harm and distress to vulnerable populations such as our clients,” said Jacqueline Mercer, CEO of NARA NW. “Words cannot express how truly sorry we are that our clients and NARA NW have been subjected to this malware attack.”

A new endpoint protection solution has now been implemented on all computers which monitors for suspicious activity. Policies and procedures are being reviewed and will be updated as necessary and staff have been provided with further security awareness training.

Mercy Health Lorain Hospital Laboratory Patients Affected by Mailing Error

RCM Enterprise Services, Inc., a provider of patient billing services to Mercy Health Lorain Hospital Laboratory in Ohio, is alerting certain patients about an impermissible disclosure of some of their individually identifiable personal information.

An error was accidentally introduced in the invoice mailing process which allowed Social Security numbers to be viewable through the windows of envelopes used for a medical invoice mailing sent by RCM’s contracted mailing vendor on or around November 7, 2019.

The invoices should only have had name, street address, city, state, and zip code visible. The error resulted in an individual’s name and street address being visible along with that individual’s Social Security number instead of the city and zip code.

“We take this incident, as well as information privacy and security, very seriously, and have enhanced our procedures in order to prevent the occurrence of a similar incident,” said Barbara Shaub, Director, Revenue Cycle Management of RCM.

No reports have been received to suggest there has been any misuse of patient information. As a precaution, all affected individuals have been offered complimentary credit monitoring and identity theft protection services. It is currently unclear how many individuals have been affected.