HIPAA Breach News

Ransomware Groups Attack 3 Healthcare Providers

Liberty Hospital in Kansas City is recovering from a cyberattack that has disrupted its IT systems. The cyberattack was detected on the morning of December 19, 2023, and the decision was taken to divert ambulances to other facilities until access to IT systems was restored. Some appointments have been canceled and will be rescheduled. Liberty Hospital has only released limited information about the attack; however, KMBC News obtained a copy of a ransom note. The hackers claim to have downloaded all confidential data stored on its systems and gave the hospital 72 hours to make contact. The threat actor behind the attack is currently unknown.

The Qilin ransomware group has recently added the Neurology Center of Nevada to its data leak site and claims to have exfiltrated at least 198 GB of sensitive data. Neurology Center of Nevada has not publicly confirmed whether the claims of Qilin are genuine. There is no mention of a cyberattack or data breach on its website. If Qilin’s claims are genuine, this will be the second ransomware attack in a year for the Neurology Center of Nevada.

The DragonForce threat group, which was responsible for a recent attack on the Heart of Texas Behavioral Health Network, has claimed responsibility for an attack on Greater Cincinnati Behavioral Health Services and has added it to its data leak site. DragonForce claims to have exfiltrated 72.4 GB of data in the attack although the stolen data has not been uploaded to the group’s data leak site. Greater Cincinnati Behavioral Health Services has not made any announcement about a cyberattack.

4 Over, LLC Notifies Group Health Plan Members About November 2022 Cyberattack

The Glendale, CA-based printing company, 4 Over, LLC, has experienced a cyberattack in which hackers gained access to parts of its network that contained the protected health information of 6,491 members of its group health plan. Suspicious activity was detected within its network on November 19, 2022, and the forensic investigation confirmed there had been unauthorized network access between November 16, 2022, and November 19, 2022. Notification letters started to be sent to the affected individuals on December 5, 2023, more than a year after the breach was detected. 4 Over said the delay was due to undertaking “a time-intensive and thorough review” of the impacted documents.

The information potentially removed from its systems included full names, Social Security numbers, driver’s license or state-issued identification numbers, financial account numbers or credit or debit card numbers, Passport numbers, medical information, treatment information, diagnosis information, health insurance information, and dates of birth. 4 Over said it is reviewing its existing policies and procedures regarding cybersecurity and is evaluating additional measures and safeguards to protect against this type of incident in the future.

Email Accounts Compromised at VNS Health

VNS Health Home Care, VNS Health Hospice Care, and VNS Health Personal Care in New York recently notified patients that an unauthorized third party gained access to the email accounts of some of its employees and potentially viewed or obtained some of their protected health information. Unauthorized access was detected on August 14, 2023, and the investigation revealed several employee email accounts had been accessed by an unauthorized third party between August 10, 2023, and August 14, 2023.

On September 14, 2023, VNS Health determined that emails and associated files in the accounts contained information such as names, dates of birth, addresses, phone numbers, diagnosis and treatment information, and health insurance information. VNS Health said the email accounts appeared to have been compromised to defraud individual VNS personnel rather than to obtain patient information.

VNS Health has implemented additional safeguards and measures to further protect and monitor its systems, including technical systems enhancements, updated security policies and protocols, and staff education. The breach has been reported to the HHS’ Office for Civil Rights as affecting 5,175 VNS Health Personal Care patients and 13,584 members of VNS Health’s Health Plans.

Lake County Health Department Reports Email Account Breach

Lake County Health Department in Illinois is investigating a security incident involving unauthorized access to an employee’s email account. The account breach was detected on November 1, 2023, and the investigation confirmed that the account contained partially de-identified information relating to Lake County residents who may have been part of a disease cluster or outbreak investigated by the health department between July 2014 and October 2023.

No evidence was found that indicated any information in the email account was exfiltrated, but data theft could not be ruled out. The information in the account only included names, addresses, ZIP codes, dates of birth, phone numbers, email addresses, and diagnoses/conditions. The incident is not yet showing on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

PHI Potentially Obtained in Fresno Surgical Hospital Cyberattack

Fresno Surgical Hospital in California experienced a cyberattack that was detected and blocked on November 4, 2023. Third-party cybersecurity experts were engaged to investigate the nature and extent of the incident and confirmed that some data had been removed from its network on November 4, 2023. All files on the compromised parts of the network were reviewed, and on December 11, 2023, Fresno Surgical Hospital confirmed that personal information may have been involved.

The types of information involved varied from patient to patient and may have included names in combination with one or more of the following: demographic/contact information such as address and date of birth, medical and/or treatment information such as provider and facility names, medical record number or other patient identifiers, diagnosis information, procedure information, and other clinical information. Fresno Surgical Hospital said security and monitoring capabilities are being enhanced and systems are being hardened to minimize the risk of similar incidents in the future.

The post Ransomware Groups Attack 3 Healthcare Providers appeared first on HIPAA Journal.

Heart of Texas Behavioral Health Network Cyberattack Affects 63,776 Individuals

The Heart of Texas Behavioral Health Network (HOTBHN), formerly the Heart of Texas Region MHMR Center, a provider of services to individuals and families with developmental and intellectual disabilities, has recently announced that an unauthorized individual may have accessed the sensitive information of 63,776 individuals in a recent cyberattack.

The attack was detected on October 22, 2023, access to the network was immediately shut down, and a third-party forensic incident response firm was engaged to investigate the breach and determine the extent of the unauthorized activity. HOTBHN said it “found no evidence that patient information had been specifically misused,” but confirmed that patient information had been exposed to a third party. The types of information exposed varied from individual to individual and may have included one or more of the following: first and last name, address, Social Security number, date of birth, medical record number, health insurance policy number, and medical and treatment information.

HOTBHN said it has reviewed and enhanced its technical safeguards to prevent a similar incident in the future and has notified the affected individuals and offered them complimentary credit monitoring services and identity theft protection services for 12 months. A threat group known as DragonForce has claimed responsibility for the attack and claims to have exfiltrated almost 56 GB of data. HOTBHN has been added to the group’s data leak site, but the data is not currently accessible.

United Healthcare Services, Inc. Notifies 4,264 Individuals About Email Account Breach

United Healthcare Services, Inc. Single Affiliated Covered Entity (UHS) has recently reported a data breach to the HHS’ Office for Civil Rights that has affected 4,264 individuals. An unauthorized individual gained access to the email account of an employee of Equality Health, an Accountable Care Organization that serves some UHC members. The account was accessed between April 11, 2023, and April 12, 2023. Equality Health notified UHS about the breach on October 16, 2023. The review of the account confirmed that the following information was contained in the email account: names, dates of birth, genders, addresses, Social Security numbers, UHC member ID numbers, Medicare ID numbers, Medicare plan information, and primary care provider information.

According to UHS, the breach was the result of an employee error and a previous inappropriate disclosure of patient information. In September 2020, a UHC employee sent member information to an Equality Health employee when attempting to confirm whether their primary care provider was in Equality Health’s network. The UHC employee should not have included the information in the email when doing so. Neither UHS nor Equality Health was aware of the impermissible disclosure until recently. Equality Health’s investigation uncovered no evidence of misuse of any of the exposed data.

The affected individuals have been notified and Equality Health has offered them complimentary credit monitoring services. The employee responsible for the initial impermissible disclosure has received further training.

14,040 Individuals Impacted by Coos Health and Wellness Cyberattack

The Coos, OR, Public Health Department, Coos Health & Wellness, has recently notified 14,040 individuals that some of their protected health information was exposed and potentially obtained by unauthorized individuals in an April 2023 cyberattack.

Unauthorized activity was detected within its network on November 28, 2023. The forensic investigation confirmed that an unauthorized individual gained access to the network on or around April 28, 2023, and potentially acquired certain files. The file review confirmed on November 20, 2023, that the exposed information included names, Social Security numbers, driver’s license numbers, state identification numbers, medical information, and health insurance information. Notification letters have now been issued and the affected individuals have been offered 12 months of complimentary services through IDX. Coos Health & Wellness said it has implemented additional security features to prevent similar incidents in the future.

City of Homer Reports Lost Device Containing PHI of 1,412 Individuals

The City of Homer in Alaska has recently confirmed that the protected health information of 1,412 individuals was stored on a portable storage device that has gone missing. The device was used to assist the City with its data migration efforts, and it appears to have been misplaced. A thorough search was conducted but the device could not be located. The device contained a backup of medical information collected by the City in the course of responding to emergency medical service and transportation calls, which may have included Social Security numbers and/or dates of birth. City officials are unaware of any attempted or actual misuse of the exposed data.


November 2023 Healthcare Data Breach Report

After two months of declining healthcare data breaches, there was a 45% increase in reported breaches of 500 or more healthcare records. In November, 61 large data breaches were reported to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) – three more than the monthly average for 2023. From January 1, 2023, through November 30, 2023, 640 large data breaches have been reported.

In addition to an increase in data breaches, there was a massive increase in the number of breached records. 22,077,489 healthcare records were exposed or compromised across those 61 incidents – a 508% increase from October. November was the second-worst month of the year in terms of breached records behind July, when 24 million healthcare records were reported as breached. There is still a month of reporting left but 2023 is already the worst-ever year for breached healthcare records. From January 1, 2023, through November 30, 2023, 115,705,433 healthcare records have been exposed or compromised – more than the combined total for 2021 and 2022.

Largest Healthcare Data Breaches in November 2023

November was a particularly bad month for large data breaches, with 28 breaches of 10,000 or more records, including two breaches of more than 8 million records. Two of the breaches reported in November rank in the top ten breaches of all time, and both occurred at business associates of HIPAA-covered entities. The largest breach occurred at Perry Johnson & Associates, Inc. (PJ&A), a provider of medical transcription services. The PJ&A data breach was reported to OCR as affecting 8,952,212 individuals, although the total is higher, as some of its clients have chosen to report the breach themselves. Hackers had access to the PJ&A network for more than a month between March and May 2023.

The second-largest breach was reported by Welltok, Inc. as affecting 8,493,379 individuals. Welltok works with health plans and manages communications with their subscribers. The Welltok data breach is one of many 2023 data breaches involving the exploitation of a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution by the Clop hacking group. Globally, more than 2,615 organizations had the vulnerability exploited and data stolen.

A further three data breaches were reported that involved the protected health information of more than 500,000 individuals. Sutter Health was also one of the victims of the mass hacking of the MOVEit vulnerability and had the data of 845,441 individuals stolen, as did Blue Shield of California (636,848 records). In both cases, the MOVEit tool was used by business associates of those entities. East River Medical Imaging in New York experienced a cyberattack in which its network was breached for three weeks between September and October 2023, during which time the hackers exfiltrated files containing the PHI of 605,809 individuals. All 28 of these large data breaches were hacking incidents that saw unauthorized access to network servers.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
|---|---|---|---|---|
| Perry Johnson & Associates, Inc., which does business as PJ&A | NV | Business Associate | 8,952,212 | Hacking and data theft incident |
| Welltok, Inc. | CO | Business Associate | 8,493,379 | Hacking incident (MOVEit Transfer) |
| Sutter Health | CA | Healthcare Provider | 845,441 | Hacking incident at business associate (MOVEit Transfer) |
| California Physicians’ Service d/b/a Blue Shield of California | CA | Health Plan | 636,848 | Hacking incident at business associate (MOVEit Transfer) |
| East River Medical Imaging, PC | NY | Healthcare Provider | 605,809 | Hacking and data theft incident |
| State of Maine | ME | Health Plan | 453,894 | Hacking incident (MOVEit Transfer) |
| Proliance Surgeons | WA | Healthcare Provider | 437,392 | Ransomware attack |
| Medical Eye Services, Inc. | NY | Business Associate | 377,931 | Hacking incident (MOVEit Transfer) |
| Medical College of Wisconsin | WI | Healthcare Provider | 240,667 | Hacking incident (MOVEit Transfer) |
| Warren General Hospital | PA | Healthcare Provider | 168,921 | Hacking and data theft incident |
| Financial Asset Management Systems (“FAMS”) | GA | Business Associate | 164,796 | Ransomware attack |
| Morrison Community Hospital District | IL | Healthcare Provider | 122,488 | Ransomware attack (BlackCat) |
| South Austin Health Imaging LLC dba Longhorn Imaging Center | TX | Healthcare Provider | 100,643 | Hacking and data theft incident (SiegedSec threat group) |
| Mulkay Cardiology Consultants at Holy Name Medical Center, P.C. | NJ | Healthcare Provider | 79,582 | Ransomware attack (NoEscape) |
| International Paper Company Group Health and Welfare Plan (the “IP Plan”) | TN | Health Plan | 78,692 | Hacking incident at business associate (MOVEit Transfer) |
| CBIZ KA Consulting Services, LLC | NJ | Business Associate | 30,806 | Hacking incident (MOVEit Transfer) |
| Endocrine and Psychiatry Center | TX | Healthcare Provider | 28,531 | Hacking and data theft incident |
| Blue Shield of California OR Blue Shield of California Promise Health Plan | CA | Business Associate | 26,523 | Hacking incident at business associate (MOVEit Transfer) |
| Wyoming County Community Health System | NY | Healthcare Provider | 26,000 | Hacking and data theft incident |
| Westat, Inc. | MD | Business Associate | 20,045 | Hacking incident (MOVEit Transfer) |
| Psychiatry Associates of Kansas City | KS | Healthcare Provider | 18,255 | Hacking and data theft incident |
| Southwest Behavioral Health Center | UT | Healthcare Provider | 17,147 | Hacking and data theft incident |
| TGI Direct, Inc. | MI | Business Associate | 16,113 | Hacking incident (MOVEit Transfer) |
| Pharmacy Group of Mississippi, LLC | MS | Healthcare Provider | 13,129 | Hacking and data theft incident |
| U.S. Drug Mart, Inc. | TX | Healthcare Provider | 13,016 | Hacking and data theft incident at business associate |
| Catholic Charities of the Diocese of Rockville Centre d/b/a Catholic Charities of Long Island | NY | Healthcare Provider | 13,000 | Hacking and data theft incident |
| Foursquare Healthcare, Ltd. | TX | Healthcare Provider | 10,890 | Ransomware attack |
| Saisystems International, Inc. | CT | Business Associate | 10,063 | Hacking and data theft incident |

November 2023 Data Breach Causes and Data Locations

Many of the month’s breaches involved the mass hacking of a vulnerability in the MOVEit Transfer solution by the Clop threat group. MOVEit data breaches continue to be reported, despite the attacks occurring in late May. According to the cybersecurity firm Emsisoft, at least 2,620 organizations were affected by these breaches, and 77.2 million records were stolen. 78.1% of the affected organizations are based in the United States. Progress Software is currently being investigated by the U.S. Securities and Exchange Commission over the breach. Hacking/ransomware attacks accounted for 88.52% of the month’s data breaches (54 incidents) and 99.94% of the breached records (22,064,623 records). The average data breach size was 408,604 records and the median breach size was 10,477 records.

Ransomware gangs continue to target the healthcare industry, and in November several ransomware groups, including NoEscape and BlackCat, listed stolen healthcare data on their leak sites. Many hacking groups, such as Hunters International and SiegedSec, choose not to use ransomware and instead just steal data and threaten to sell or publish it if the ransom is not paid. Since there is little risk of ransomware actors being apprehended and brought to justice, the attacks are likely to continue. OCR is planning to make it harder for cyber actors to succeed by introducing new cybersecurity requirements for healthcare organizations. These new cybersecurity requirements will be voluntary initially but will later be enforced. New York has also announced that stricter cybersecurity requirements for hospitals will be introduced in the state, and financial assistance will be offered.

There were 6 data breaches classified as unauthorized access/disclosure incidents, across which 10,371 records were impermissibly accessed by or disclosed to unauthorized individuals. The average data breach size was 1,481 records and the median breach size was 1,481 records. There was one reported incident involving the theft of paperwork that contained the protected health information of 2,495 individuals. For the second consecutive month, there were no reported loss or improper disposal incidents. The most common location of breached PHI was network servers, which accounted for 77% of all incidents. 10 incidents involved PHI stored in email accounts.

Where did the Data Breaches Occur?

The OCR data breach portal shows healthcare providers were the worst affected HIPAA-regulated entity type in November, with 42 reported data breaches. There were 13 data breaches reported by business associates and 6 data breaches reported by health plans. The problem with these figures is that they do not accurately reflect where the data breaches occurred. When a business associate experiences a data breach, it may report the breach to OCR, the affected covered entities may report it, or some combination of the two may occur. As such, the raw data often does not accurately reflect the number of data breaches occurring at business associates of HIPAA-covered entities. The data used to compile the charts below has been adjusted to show where the data breach occurred rather than the entity that reported the breach.

Geographical Distribution of Healthcare Data Breaches

Data breaches were reported by HIPAA-regulated entities in 28 states. California was the worst affected state with 8 reported breaches, followed by New York with 6.

| State | Number of Breaches |
|---|---|
| California | 8 |
| New York | 6 |
| Illinois & Texas | 5 |
| Connecticut, Florida, Georgia, Indiana, Iowa, Kansas, Maine, Michigan, Minnesota, New Jersey, Oregon, South Carolina & Washington | 2 |
| Arizona, Colorado, Maryland, Massachusetts, Mississippi, Nevada, Ohio, Pennsylvania, Tennessee, Utah & Wisconsin | 1 |

HIPAA Enforcement Activity in November 2023

OCR announced one enforcement action in November. A settlement was agreed with St. Joseph’s Medical Center to resolve allegations of an impermissible disclosure of patient information to a reporter. OCR launched an investigation following the publication of an article by an Associated Press reporter who had been allowed to observe three patients who were being treated for COVID-19. The article included photographs and information about the patients and was circulated nationally. OCR determined that the patients had not provided their consent through HIPAA authorizations; therefore, the disclosures violated the HIPAA Privacy Rule. St. Joseph’s Medical Center settled the alleged violations and paid an $80,000 financial penalty.

HIPAA is primarily enforced by OCR, although State Attorneys General may also investigate HIPAA-regulated entities and have the authority to issue fines for HIPAA violations. In November, one settlement was announced by the New York Attorney General to resolve alleged violations of HIPAA and state laws. U.S. Radiology Specialists Inc. was investigated over a breach of the personal and protected health information of 198,260 individuals, including 95,540 New York residents. The New York Attorney General’s investigation determined that U.S. Radiology Specialists was aware that vulnerabilities existed but failed to address those vulnerabilities in a timely manner. Some of those vulnerabilities were exploited by cyber actors in a ransomware attack. U.S. Radiology Specialists agreed to pay a $450,000 financial penalty and ensure full compliance with HIPAA and state laws.


Class Action Lawsuits Filed Against ESO Solutions Over Data Breach

Class action lawsuits have started to be filed against ESO Solutions over its recently disclosed cyberattack and data breach that affected almost 2.7 million individuals. The data breach involved sensitive information such as names, contact information, and Social Security numbers and affected many of the company’s healthcare clients.

Two lawsuits – Claybo v. ESO Solutions Inc. and Essie Jones f/k/a Essie McVay v. ESO Solutions Inc. – were filed in the U.S. District Court for the Western District of Texas, Austin Division. They allege that ESO Solutions failed to implement reasonable and appropriate industry-standard security measures to ensure the privacy and confidentiality of patient data, did not properly train staff members on data security protocols, failed to detect the breach of its systems and the theft of data in a timely manner, and then failed to issue timely notifications to the affected individuals. The lawsuits further allege that these data security failures violate the Health Insurance Portability and Accountability Act (HIPAA).

As a direct result of those failures, the lawsuits allege, hackers gained access to the plaintiffs’ and class members’ sensitive data. The plaintiffs and class members now face an imminent and ongoing risk of identity theft and fraud, have suffered other injuries as a result of the breach, and have incurred out-of-pocket expenses. The lawsuits seek a jury trial, class action certification, an award of damages, injunctive relief, and attorneys’ fees. The plaintiffs and class members are represented by Joe Kendall of Kendall Law Group PLLC; Bryan L. Bleichner and Philip J. Krzeski of Chestnut Cambronne PA; and Alexandra M. Honeycutt of Milberg Coleman Bryson Phillips Grossman LLC.

December 21, 2023: ESO Solutions Data Breach: 2.7 Million Individuals Affected

ESO Solutions, a provider of software solutions for hospitals, health systems, EMS agencies, and fire departments, has confirmed that it fell victim to a ransomware attack in September 2023 that resulted in file encryption. ESO Solutions identified suspicious activity within its network on September 28, 2023, and took immediate action to isolate its systems and prevent further unauthorized access to its network.

Third-party digital forensics experts were engaged to investigate the attack and determine the extent of the unauthorized activity. The forensics team confirmed on October 23, 2023, that the attackers had access to parts of its network containing the personal and protected health information of 2.7 million individuals. The information compromised in the incident included names, dates of birth, injury type, injury date, treatment date, treatment type, and, in some cases, Social Security numbers. The attack was reported to the Federal Bureau of Investigation, and ESO Solutions has worked cooperatively with the FBI during its investigation. A ransom demand was issued by the attackers; however, ESO Solutions was able to recover the encrypted files from backups.

ESO Solutions notified its affected customers, has been in frequent contact with them to assist with their response efforts, and offered to issue notifications to patients of its customers. ESO Solutions started mailing notification letters on December 12, 2023. Affected individuals have been offered complimentary credit monitoring and identity theft protection services through Kroll.

The following healthcare organizations are known to have been affected:

  • Ascension – Ascension Providence Hospital in Waco
  • Baptist Memorial Health Care System – Mississippi Baptist Medical Center
  • CaroMont Health
  • Community Health Systems – Merit Health Biloxi & Merit Health River Oaks
  • ESO EMS Agency
  • Forrest Health – Forrest General Hospital
  • HCA Healthcare – Alaska Regional Hospital
  • Memorial Hospital at Gulfport Health System – Memorial Hospital at Gulfport
  • Providence St Joseph Health (AKA Providence) – Providence Kodiak Island Medical Center & Providence Alaska Medical Center
  • Tallahassee Memorial HealthCare – Tallahassee Memorial
  • Universal Health Services (UHS) – Manatee Memorial Hospital & Desert View Hospital
  • Valley Health System – Centennial Hills Hospital, Desert Springs Hospital, Spring Valley Hospital, Summerlin Hospital, and Valley Hospital

“Given that patient safety and personal information is at risk, organizations cannot afford to put off strengthening their cybersecurity postures. On an average day, more than 55,000 physical and virtual assets are connected to organizational networks; yet an astounding 40% of these assets are left unmonitored – leaving critical, exploitable gaps. Attackers are taking advantage of these gaps; this attack proves that improper access to one machine can mean chaos for an organization,” said Mohammad Waqas, CTO, Healthcare, of the asset intelligence cybersecurity company, Armis. “This attack also highlights the importance of educating organizations that assets incorporate more than simply hardware or medical devices. Other assets that can come under attack include virtual assets, data artifacts, personal health information, user access, among others. It’s critical for healthcare organizations to not only look at cyber risk from a vulnerability perspective, but also factor in assets supporting clinical workflows or storing patient information. By having a comprehensive view of assets, organizations can prioritize compensating controls and risk reduction tactics to help contain and mitigate cyber-attacks. Being able to monitor all assets for anomalous behaviors, connection attempts, and analyze other aspects of attempted access provides the level of visibility needed to help establish preventative policies.”

The HIPAA Journal asked Waqas about the other steps that hospitals can take to improve their defenses against ransomware attacks. “Healthcare organizations of all types must prioritize cyber exposure management to mitigate all cyber asset risks, remediate vulnerabilities, block threats and protect the entire attack surface. Security and IT pros must also consider incorporating critical strategies into their cybersecurity programs, like network segmentation, to increase healthcare cybersecurity. Segmenting a network is a massive project that can span many years, however, it is the project that will accomplish the greatest risk reduction in a healthcare environment,” explained Waqas.

“What’s key for these projects is the proper planning and understanding that a segmentation project will have multiple phases – discovery and inventory, behavioral and communication mapping, policy creation, prioritization, testing, implementation and automation. One growing trend is a risk-based prioritization approach wherein instead of a traditional method of segment lists created by manufacturer or type, organizations can achieve a much faster ROI by identifying and prioritizing the segmentation of critical vulnerable devices first to achieve maximum risk reduction upfront. Cybersecurity pros at healthcare organizations should incorporate these types of solutions and methods right away to help in preventing these types of attacks from impacting their organizations directly, and for protecting them and their patients in the wake of an attack against one of their third-party suppliers.”


Cardiovascular Consultants Data Breach Affects 484,000 Individuals

Cardiovascular Consultants Ltd., an Arizona-based healthcare provider with offices in Phoenix, Scottsdale, and Glendale, has recently reported a data breach to the HHS’ Office for Civil Rights that involved the protected health information of 484,000 individuals.

On September 29, 2023, Cardiovascular Consultants identified suspicious activity within its computer systems and initiated its incident response and recovery procedures. An investigation was launched and a third-party cybersecurity company was engaged to assist with the investigation, which revealed that unauthorized individuals had access to its systems on or before September 27, 2023.

Cardiovascular Consultants has now confirmed that the hackers exfiltrated files containing sensitive data and used ransomware to encrypt files on the network. Those files were reviewed and found to contain patient data such as names, mailing addresses, birth dates, emergency contact information, Social Security numbers, driver’s license numbers, state ID numbers, insurance policy and guarantor information, diagnosis and treatment information, and other information from medical or billing records.

The data of account guarantors was also stored on the compromised parts of the network, including names, mailing addresses, telephone numbers, dates of birth, and email addresses, and also information about insurance policy holder/subscribers such as names, mailing addresses, telephone numbers, dates of birth, insurance policy information, and, in some cases, Social Security numbers.

Affected individuals were notified about the breach on December 2, 2023, and 24 months of complimentary credit monitoring, identity theft protection, and fraud resolution services have been offered to the affected individuals. Cardiovascular Consultants has confirmed that additional security measures have been implemented to improve its defenses against cyberattacks in the future.

MedStar Mobile Health Data Breach Settlement Proposed

A settlement has been proposed by the Metropolitan Area EMS Authority to resolve a class action lawsuit that was filed by individuals affected by a 2022 cyberattack and data breach. Metropolitan Area EMS Authority is a Fort Worth, TX-based operator of an emergency and non-emergency ambulance service and does business as MedStar Mobile Healthcare. On October 20, 2022, unauthorized network activity was discovered, and the forensic investigation revealed unauthorized individuals had accessed parts of its network where patient data was stored. The hackers were able to access the protected health information of 612,000 individuals, including names, contact information, dates of birth, and limited medical information. The affected individuals were notified on December 19, 2022.

A class action lawsuit – Kaether v. Metropolitan Area EMS Authority d/b/a MedStar Mobile Healthcare – was filed in Texas district court in response to the breach. The lawsuit alleged negligence for failing to secure sensitive patient data, as well as breach of implied contract, negligence per se, breach of fiduciary duty, public disclosure of private facts, and unjust enrichment. Metropolitan Area EMS Authority chose to settle the lawsuit with no admission of liability or wrongdoing and will make an unspecified sum available to cover claims from individuals affected by the data breach, including a subclass of individuals who had HIPAA-covered protected health information exposed.

Under the terms of the settlement, individuals who were notified about the breach and have experienced unreimbursed out-of-pocket losses that are reasonably traceable to the data breach may submit claims for up to $3,000 to cover the losses, including travel expenses, long-distance phone calls, bank fees, credit costs, and any unreimbursed expenses and monetary losses from identity theft or fraud. Members of the HIPAA subclass may also claim up to four hours of lost time at $20 per hour. Claims must be accompanied by documented evidence that losses have been experienced. All class members will be entitled to a complimentary 12-month membership to a single-bureau credit monitoring service which includes a $1 million identity theft insurance policy. Metropolitan Area EMS Authority has also agreed to implement additional cybersecurity measures to better protect the sensitive data it stores and is providing its workforce with additional security awareness training. Measures that will be implemented by the end of the year include multifactor authentication and disabling Outlook Anywhere, the legacy RPC-over-HTTP method of remote access to Exchange mailboxes.

Individuals wishing to object to the settlement, or exclude themselves, must do so by January 24, 2024, and claims must be submitted no later than February 23, 2024. The final fairness hearing has been scheduled for April 3, 2024. The plaintiff and class members were represented by Joe Kendall of the Kendall Law Group PLLC and Gary M Klinger and Alexander Wolf of Milberg Coleman Bryson Phillips Grossman PLLC.

Horizon Actuarial Services Proposes $8.73M Settlement to Resolve Class Action Data Breach Lawsuit

Horizon Actuarial Services has proposed an $8.73 million settlement to resolve all claims related to a hacking incident and data breach disclosed in 2022 that affected 227,953 individuals. Horizon Actuarial Services was contacted by a cyber actor in November 2021 who claimed to have stolen sensitive data in a cyberattack. The investigation confirmed there had been unauthorized access to two servers between November 10 and 11, 2021. The data stolen in the attack included names, dates of birth, Social Security numbers, and health plan information. Horizon Actuarial Services negotiated with the cyber actor and made a payment to prevent the stolen data from being sold, published, or misused.

A lawsuit – Sherwood, et al. v. Horizon Actuarial Services LLC – was filed in the U.S. District Court for the Northern District of Georgia on behalf of individuals affected by the data breach. It alleged that Horizon Actuarial Services had failed to implement reasonable and appropriate measures to protect the sensitive data stored on its servers. Horizon Actuarial Services has not admitted to any wrongdoing but chose to settle the lawsuit to avoid further legal costs and the uncertainty of trial. Under the terms of the settlement, an $8,733,446.36 fund will be established to cover claims from individuals who have experienced unreimbursed losses as a result of the data breach.

Class members may submit claims for reimbursement for up to $5,000 to cover out-of-pocket expenses reasonably traceable to the data breach and up to 5 hours of lost time at $25 per hour. All claimants can submit a claim for a $50 payment, and individuals who were California residents at the time of the data breach will be able to claim an additional $50 ($100 in total). The payments may be lower depending on the number of claims and will be paid pro rata.

Individuals wishing to object to or exclude themselves from the settlement must do so by January 22, 2024. Individuals wishing to submit a claim must do so by February 21, 2024. A final approval hearing has been scheduled for March 25, 2024. The plaintiffs and class members were represented by Terence R Coates of Markovits Stock & Demarco LLC, Gary M Klinger of Milberg Coleman Bryson Phillips Grossman PLLC, and Kenya J Ready of Morgan & Morgan.

Delta Dental of California Data Breach: 7 Million Individuals Affected

Delta Dental of California Says 6,928,932 Individuals Affected by MOVEit Hack

Delta Dental of California has recently confirmed that it was one of the victims of the Clop hacking group’s mass exploitation of a zero-day vulnerability in Progress Software’s MOVEit Transfer solution. Delta Dental of California, part of the Delta Dental Plans Association, provides dental insurance to 45 million people. According to the breach notification sent to the Maine Attorney General, the information of almost 7 million individuals was stolen in the attack, including members of Delta Dental of California plans and those of its affiliates.

Delta Dental discovered on June 1, 2023, that the SQL injection vulnerability – CVE-2023-34362 – in the MOVEit Transfer solution had been exploited. Progress Software had released an emergency patch to fix the flaw on May 31, 2023; however, the Russia-linked Clop group exploited the flaw between May 27 and May 30, 2023, before a patch was available, and exfiltrated data from Delta Dental’s MOVEit server.

On July 6, 2023, Delta Dental confirmed that plan members’ data had been accessed and acquired without authorization, and third-party computer forensics experts were engaged to help with analytics and data mining to determine exactly what data had been stolen. Due to the extent of the data involved, the analysis has only just been completed, with the final list of the affected individuals and types of data involved finalized on November 27, 2023. Notification letters started to be sent to those individuals on December 14, 2023.

Delta Dental said the stolen data includes names in combination with one or more of the following: address, Social Security number, driver’s license number, other state identification number, passport number, financial account information, tax identification number, individual health insurance policy number, and/or health information. The affected individuals have been offered 24 months of complimentary credit monitoring and identity theft protection services.

Delta Dental stressed in its notification letters that this was a mass exploitation incident that affected thousands of companies; however, the Delta Dental of California data breach stands out due to the number of individuals affected. With 6,928,932 dental plan members affected, this is the third largest healthcare MOVEit-related breach to have been reported, behind Maximus Inc. (11 million) and Welltok (8.5 million).

The HIPAA Breach Notification Rule requires notification letters to be issued within 60 days of the discovery of a breach. The Delta Dental of California data breach was reported to the HHS’ Office for Civil Rights on September 6, 2023, within 60 days of discovering that PHI was involved. It was unclear at the time how many individuals were affected so an interim figure of 501 was used. “The delay between detecting the incident, responding to it, and identifying what data has been accessed and by whom, along with which individuals are impacted is not surprising. To determine this typically relies on specialist digital forensic and incident response providers who need to forensically comb through logs and individual data objects using a combination of forensic tools and deep cybersecurity expertise to piece together what happened down to the individual data objects,” Claude Mandy, Chief Evangelist, Data Security at Symmetry Systems, told The HIPAA Journal. “Modern data security tools can speed up the identification of what data is impacted, particularly at scale, so hopefully we will see these timeframes reduce as these tools get adopted. However, it will still take time to map those data objects to the individuals impacted at scale with forensic quality that can stand up in court.”
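The timeline above, with exploitation on May 27-30 and a patch on May 31, is the pattern every MOVEit Transfer operator had to check their own servers against. The following is an added example of that check, not Delta Dental's, Progress Software's, or any incident response firm's tooling. It parses IIS W3C logs from a MOVEit host and flags two indicators that Progress Software and CISA (advisory AA23-158A) published in June 2023: requests to the `human2.aspx` webshell (named LEMURLOOT by Mandiant) and requests to `moveitisapi.dll` with `action=m2`, which featured in the published exploit chain. The log lines are constructed, not real traffic, and the exploitation window and patch date are taken from the article. Note that IIS does not log request headers by default, so header-based indicators such as the `X-siLock-*` headers are not covered here.

```python
"""Triage of IIS logs from a MOVEit Transfer host for CVE-2023-34362 indicators.

Added example, not code from the article or from any vendor. Sample log lines
are constructed. Dates are those given in the article.
"""
from datetime import datetime

EXPLOIT_WINDOW = (datetime(2023, 5, 27), datetime(2023, 5, 30, 23, 59, 59))
PATCH_DATE = datetime(2023, 5, 31)

# Constructed IIS W3C extended log excerpt (not real traffic). human.aspx is the
# legitimate MOVEit web UI; human2.aspx next to it is the published webshell name.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-bytes
2023-05-26 09:12:01 10.0.0.5 GET /human.aspx - 443 jdoe 203.0.113.20 Mozilla/5.0 200 4120
2023-05-27 18:44:10 10.0.0.5 POST /moveitisapi/moveitisapi.dll action=m2 443 - 198.51.100.7 Mozilla/5.0 200 512
2023-05-27 18:44:11 10.0.0.5 POST /guestaccess.aspx - 443 - 198.51.100.7 Mozilla/5.0 200 2048
2023-05-27 18:44:13 10.0.0.5 POST /human2.aspx - 443 - 198.51.100.7 Mozilla/5.0 200 1330
2023-05-28 02:10:55 10.0.0.5 GET /human2.aspx - 443 - 198.51.100.7 Mozilla/5.0 200 7340032
2023-06-02 11:00:00 10.0.0.5 GET /human.aspx - 443 asmith 203.0.113.21 Mozilla/5.0 200 4120
"""


def parse_iis(text):
    """Yield one dict per log entry, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line; skip rather than misalign columns
        yield dict(zip(fields, values))


def classify(entry):
    """Return the indicator an entry matches, or None."""
    stem = entry["cs-uri-stem"].lower()
    query = entry.get("cs-uri-query", "-").lower()
    if stem.endswith("/human2.aspx"):
        return "webshell"          # any hit on the webshell path, whatever the status code
    if stem.endswith("/moveitisapi/moveitisapi.dll") and "action=m2" in query:
        return "exploit-request"   # request used in the published exploit chain
    return None


def triage(text):
    """Collect matching entries with timestamp, source IP, bytes served, and
    whether they fall before the patch and inside the known exploitation window."""
    hits = []
    for e in parse_iis(text):
        kind = classify(e)
        if kind is None:
            continue
        ts = datetime.strptime(f"{e['date']} {e['time']}", "%Y-%m-%d %H:%M:%S")
        raw_bytes = e.get("sc-bytes", "0")
        hits.append({
            "time": ts,
            "src": e["c-ip"],
            "kind": kind,
            "bytes": int(raw_bytes) if raw_bytes.isdigit() else 0,
            "pre_patch": ts < PATCH_DATE,
            "in_known_window": EXPLOIT_WINDOW[0] <= ts <= EXPLOIT_WINDOW[1],
        })
    return hits


def summarize(hits):
    """Per-source summary: first seen, hit count, and total bytes served. A
    multi-megabyte response from the webshell path is a candidate exfiltration
    event and a starting point for scoping which files left the server."""
    by_src = {}
    for h in hits:
        s = by_src.setdefault(h["src"], {"first": h["time"], "count": 0, "bytes": 0})
        s["first"] = min(s["first"], h["time"])
        s["count"] += 1
        s["bytes"] += h["bytes"]
    return by_src


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print(h)
    print(summarize(hits))
```

On the constructed log the script reports three hits from one source address, all inside the May 27-30 window and all before the patch date, with about 7 MB served from the webshell path on May 28. A clean result from this check is not proof of non-exploitation: the webshell can be removed after use, so the IIS logs, the file system under the MOVEit web root, and the MOVEit database (for unexpected user accounts) should each be examined.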

November 14, 2023, Healthcare Data Breach Round Up

A round-up of healthcare data breaches that have recently been reported to the HHS’ Office for Civil Rights and State Attorneys General.

PHI Compromised in Cyberattack on Regional Family Medicine

Regional Family Medicine in Mountain Home, AR, has recently notified the Maine Attorney General about a data breach that involved the personal and protected health information of 80,166 individuals. An IT outage was experienced on June 26, 2023, which prevented access to certain local systems. Third-party cybersecurity experts were engaged to investigate the incident and confirmed there had been unauthorized access to its network between June 8 and June 26, 2023.

The parts of the network that were compromised contained files that included information such as names, Social Security numbers, driver’s license or state identification numbers, dates of birth, biometric data, medical information, health insurance information, account numbers, and workplace evaluations. Following the attack, Regional Family Medicine enhanced its security measures to prevent similar breaches from occurring in the future. Complimentary credit monitoring and identity theft protection services have been offered to the affected individuals.

Florida Community Care Affected by MOVEit Hack at ILS

Florida Community Care, LLC, a Miami-Dade County, FL-based health plan, has recently confirmed that the information of 30,891 of its members was compromised when a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution was exploited. Progress Software released a patch for the flaw on May 31, 2023; however, the flaw had already been exploited.

The MOVEit Transfer tool was used by its business associate, Independent Living Systems. No Florida Community Care systems were compromised. The compromised information included names, subscriber numbers, and policy numbers. Independent Living Systems is notifying the affected individuals and is offering complimentary credit monitoring and remediation services.

Email Account Breach Reported by Neuromusculoskeletal Center of the Cascades

The protected health information of 22,328 patients of the Neuromusculoskeletal Center of the Cascades and the Cascade Surgicenter in Oregon has been exposed and potentially obtained by unauthorized individuals. Suspicious activity was identified in an employee’s email account on October 3, 2023. The investigation revealed multiple email accounts had been compromised between October 2, 2023, and October 3, 2023.

The review of the email accounts was completed on November 21, 2023, and confirmed they contained patient names along with one or more of the following: address, phone number, email address, date of birth, Social Security number, driver’s license/state ID number, financial account number, routing number, financial institution name, credit/debit card information, treatment/diagnosis information, prescription information, provider name, medical record number, Medicare/Medicaid ID number, health insurance information, treatment cost, and/or digital signature. Email security policies and procedures have been reviewed and updated and credit monitoring and identity theft protection services have been offered to the affected patients.

PHI Exposed in Phishing Attack on The Amani Center

Columbia County Child Abuse Assessment Center, which does business as The Amani Center in Oregon, identified suspicious activity in an employee email account on August 18, 2023. The investigation revealed several email accounts had been compromised in the attack, which affected several businesses and organizations in its community and resulted in unauthorized access to accounts between August 7, 2023, and August 18, 2023.

The review of the accounts was completed on October 19, 2023, and confirmed the following information had been exposed: names, medical information, medical record/patient ID numbers, health insurance information, Social Security numbers, driver’s license numbers, financial account information, treatment/diagnosis information, prescription information, treatment cost information, or other information provided to The Amani Center.

No evidence of misuse of patient data has been found, and while the risk of data misuse is believed to be low, complimentary credit monitoring and identity protection services have been offered to the affected individuals. The breach was reported to the Office for Civil Rights as affecting 2,374 individuals.

The Children’s Home of Wyoming Conference Email Breach

The Children’s Home of Wyoming Conference in Binghamton, NY, a provider of community services to children and families, identified suspicious activity in two employee email accounts on June 13, 2023. After securing the accounts, the affected mailboxes were reviewed, and on September 12, 2023, it was confirmed that one of those accounts contained protected health information.

The affected individuals had previously received medical treatment from the Children’s Home of Wyoming Conference. The exposed information included names, dates of birth, Social Security numbers, addresses, medical record numbers, patient account numbers, health insurance information, diagnosis and treatment information, clinical and prescription information, and/or provider information. Notification letters were sent on November 10, 2023, along with information to help those people prevent any misuse of their data. The breach was reported to the Office for Civil Rights as affecting 1,111 individuals.