HIPAA Breach News

Phishing Attacks Reported by Choice Cancer Care Treatment Center and CAH Holdings

Choice Cancer Care Treatment Center (CCCT), a network of cancer care centers in Texas, has discovered that the protected health information of some of its patients was potentially accessed by unauthorized individuals as a result of a phishing attack in May 2019.

Suspicious activity in the email account of an employee was detected on May 21, 2019. The subsequent investigation confirmed that the account had been accessed by an unauthorized individual between May 1st and May 21st, 2019. The email account was immediately secured, and a third-party digital forensic firm was engaged to conduct a thorough investigation.

An analysis of CCCT systems confirmed that the breach was confined to the email system and only one email account had been subjected to unauthorized access. A programmatic and manual review of all emails and email attachments in the account revealed the protected health information of certain patients had been exposed. The review was completed on September 18, 2019. CCCT then reviewed all affected records and confirmed the contact information for all individuals affected. Breach notifications were sent to affected individuals in November. Individuals affected by the breach have been offered complimentary credit monitoring and identity theft protection services.

The breach was mostly limited to names, medical information and health insurance information. A very small number of patients also had their Social Security number, driver’s license number, passport number, and/or credit card number exposed.

It was not possible to determine whether the attacker viewed or acquired any patient health information. No reports have been received to suggest there has been any actual or attempted misuse of patient information.

CCCT has reviewed its data security policies and procedures and further training has been provided to employees on data privacy and security.

CAH Holdings Reports Phishing Attack Impacting Several Employee Email Accounts

CAH Holdings Inc., an independent insurance agency that provides regional insurance and risk management services, has discovered the email accounts of several employees have been accessed by unauthorized individuals.

CAH Holdings has not publicly disclosed when the breach occurred or when it was detected, only stating that a review of the affected employee email accounts was completed on September 16, 2019. That review confirmed that billing-related information had potentially been compromised, including names and Social Security numbers and some or all of the following data elements: date of birth, address, health insurance number, driver’s license number, diagnosis, and treatment plan. That information had been provided to CAH Holdings by insurance companies and employers.

A third-party computer forensics firm assisted with the review of the compromised accounts, but it was not possible to determine whether any emails or email attachments had been opened or copied by the attackers.

The breach has prompted CAH Holdings to implement multi-factor authentication on its Office 365 email accounts, and anti-spam controls have also been augmented. CAH Holdings has also hired a Chief Information Security Officer (CISO) who will be performing a thorough review of its security protocols. Additional security measures will be implemented, as appropriate, based on the findings of that review.

No evidence of misuse of sensitive information has been uncovered but, as a precaution, all affected individuals have been offered complimentary credit monitoring and identity theft protection services. Affected individuals are also covered by a $1 million insurance reimbursement policy.

The post Phishing Attacks Reported by Choice Cancer Care Treatment Center and CAH Holdings appeared first on HIPAA Journal.

Former Aegis Medical Group Employee Potentially Accessed 9,800 Records Without Authorization

The Florida physician network, Aegis Medical Group, has started notifying 9,800 patients that their protected health information may have been accessed by a former employee. That individual is understood to have attempted to sell patient records to third parties suspected of being involved in identity theft and fraud.

Aegis Medical Group was informed by law enforcement on September 11, 2019 about the employee. The law enforcement investigation determined that the employee attempted to sell the data of just two patients. Working with law enforcement, the physician network determined that the records of up to 9,800 patients were potentially accessed by the employee between July 24, 2019 and September 9, 2019.

The information contained in the records was limited to first and last names, dates of birth, account numbers, postal addresses, diagnosis information, and Social Security numbers. Approximately 75% of the records that may have been accessed were physical records rather than electronic copies.

Following notification by law enforcement, Aegis Medical Group immediately terminated the employee. It is unclear at this point in time whether the former employee has been charged.

Due to the nature of data exposed, all affected patients have been advised to monitor their accounts, explanation of benefits statements, and credit card statements for signs of misuse of their information and have been told about other steps they can take to prevent identity theft and fraud. Complimentary credit monitoring and identity theft protection services are also being provided.

Aegis Medical Group has confirmed that all physical records were stored properly although, to improve security, physical records are now being converted to digital formats as digital records are easier to secure and monitor for unauthorized access. Employees have been notified about the incident, told about the consequences of improper PHI access, and the importance of maintaining the confidentiality and security of patient records.

Solara Medical Supplies and Select Health Network Report Phishing Attacks

Solara Medical Supplies, LLC, a Chula Vista, CA-based provider of medical devices and disposable medical products, has announced that the protected health information of many of its customers has potentially been compromised as a result of a phishing attack.

On June 28, 2019, Solara Medical identified suspicious activity in the email account of an employee and launched an investigation to determine the nature and scope of the breach. Assisted by third-party computer forensics experts, Solara Medical learned that the breach was more extensive than a single account: several Office 365 email accounts had been compromised between April 2, 2019 and June 20, 2019.

A programmatic and manual review of all compromised accounts was conducted to determine which patients’ protected health information had potentially been accessed. The information in the email accounts varied from patient to patient and included patients’ first and last names in combination with one or more of the following data elements: Address, birth date, employee ID number, Social Security number, health insurance information, financial information, credit card/debit card number, passport details, state ID number, driver’s license number, password/PIN or account login information, claims data, billing information, and Medicare/Medicaid ID.

Upon discovery of the breach, Solara Medical immediately secured the compromised accounts and has since implemented additional security measures to improve email security. Individuals affected by the breach have been notified and offered complimentary credit monitoring and identity theft protection services for 12 months out of an abundance of caution.

The breach has been reported to the Department of Health and Human Services’ Office for Civil Rights, but it has yet to be displayed on the OCR breach portal, so it is currently unknown how many individuals have been affected.

Select Health Network Phishing Attack Reported

The Mishawaka, IN-based physician hospital organization, Select Health Network, has also announced that the protected health information of certain individuals has potentially been compromised as a result of a phishing attack.

Suspicious activity was detected in the email accounts of certain employees and a team of computer forensics experts was engaged to investigate a potential breach. The investigation revealed several email accounts were compromised between May 22, 2019 and June 13, 2019.

The results of an audit of the compromised email accounts were provided to Select Health Network on October 1, 2019, confirming that a wide range of protected health information was contained in the compromised accounts.

The types of information exposed varied from individual to individual and may have included first and last names in addition to one or more of the following data elements: address, date of birth, member ID number, health insurance information, medical history, treating/referring physician’s name, treatment information, treatment cost, health insurance policy number, and medical record number. A limited number of individuals also had their Social Security number exposed.

Select Health Network is unaware of any misuse of patient information as a result of the breach. Individuals whose Social Security numbers have been exposed have been offered complimentary credit monitoring and identity theft protection services for 12 months.

Select Health Network has conducted a review of its policies and procedures and additional safeguards are being implemented to improve email security and prevent further attacks of this nature.

Update Issued on Unsecured PACS as Exposed Medical Image Total Rises to 1.19 Billion

It has been 60 days since Greenbone Networks uncovered the extent to which medical images in Picture Archiving and Communication Systems (PACS) servers are being exposed online. In an updated report, the German vulnerability analysis and management platform provider has revealed the problem is getting worse, not better.

Picture Archiving and Communication Systems (PACS) servers are extensively used by healthcare providers for archiving medical images and sharing those images with physicians for review, yet many healthcare providers have not secured their PACS servers appropriately. Consequently, medical images (X-ray, MRI, CT scans), along with personally identifiable patient information, are being exposed over the Internet. Anyone who knows where to look and how to search for the files can find them, view them and, in many cases, download the images without any authentication. The images are not exposed because of software vulnerabilities; access is possible because the infrastructure and the PACS servers themselves are misconfigured, reachable from the Internet without access controls.

Between July and September 2019, Greenbone Networks conducted an analysis to identify unsecured PACS servers around the globe. The study shed light on the scale of the problem. In the United States, 13.7 million data sets were found on unsecured PACS servers, which included 303.1 million medical images of which 45.8 million were accessible. The discovery was widely reported in the media at the time, and now further information on the scale of the problem has been released.

On Monday, November 18, Greenbone Networks issued an updated report that shows globally, 1.19 billion medical images have now been identified, increasing the previous total of 737 million by 60%. The results of 35 million medical examinations are online, up from 24 million.

In the United States, the researchers found 21.8 million medical examinations and 786 million medical images. 114.5 million of those images were accessible, and 15 systems allow unprotected Web/FTP access and directory listing. In one PACS alone, the researchers found 1.2 million examinations and 61 million medical images. The researchers had full access to the data, which included the images and associated personally identifiable information. Greenbone Networks has confirmed that in the 24 hours prior to publication of its latest report, data access was still possible. “For most of the systems we scrutinized, we had – and still have – continued access to the personal health information,” explained Greenbone Networks’ Dirk Schrader.

Exposed Medical Images on PACS Servers. Source: Greenbone Networks

Earlier in November, Sen. Mark R. Warner wrote to HHS’ Office for Civil Rights Director, Roger Severino, expressing concern over the apparent lack of action from OCR over the exposed files. Far from the situation improving following the announcement about the exposed data, it appears that very little is being done to secure the PACS servers and stop further data exposure.

The types of information in the images, which are classed as Protected Health Information (PHI) under HIPAA, include names, dates of birth, examination dates, scope of the investigations, imaging procedures performed, attending physicians’ names, location of scan, number of images and, for 75% of the images, Social Security numbers.

The exposure of this data places patients at risk of identity theft and fraud, but there are other risks. Security researchers have previously shown that the DICOM image format allows malicious code to be inserted into a file: the format begins with a 128-byte preamble that viewers ignore, so it can hold an executable header while the file still opens as a valid image. Images could therefore be downloaded, have malicious code inserted, and be uploaded back to the PACS, all without the knowledge of the data owner. For the purpose of the study, Greenbone Networks only investigated read access, not image manipulation and upload.

Images were accessed and viewed using the RadiAnt DICOM Viewer. Instructions on configuration to view images using the RadiAnt DICOM Viewer are freely available online, as is the viewer and the list of IPs where the images are stored.
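As an added illustration, not part of the HIPAA Journal report or of Greenbone’s study, the following Python inspector shows what an unauthenticated download from an exposed PACS hands an attacker and checks for the preamble manipulation described above. It reads a DICOM Part 10 file, confirms the DICM marker at offset 128, pulls the identifying header elements of the kind listed above (patient name, ID, birth date, study date, referring physician), and flags a preamble that carries a PE/ELF/Mach-O header instead of zeros. The sample file is constructed inline for the example (made-up values, no pixel data, no file meta group length) and does not come from any exposed server; the tag names and the executable signatures are standard, everything else is this example’s own.

```python
import struct

PREAMBLE_LEN = 128
MAGIC = b"DICM"

# Executable headers an attacker might place in the preamble, which DICOM
# readers ignore but an operating system will execute.
EXECUTABLE_MAGIC = {
    b"MZ": "PE/DOS",
    b"\x7fELF": "ELF",
    b"\xcf\xfa\xed\xfe": "Mach-O",
    b"\xfe\xed\xfa\xcf": "Mach-O",
}

# (group, element) -> name for identifying data of the kind found on open PACS.
PHI_TAGS = {
    (0x0008, 0x0020): "StudyDate",
    (0x0008, 0x0090): "ReferringPhysicianName",
    (0x0010, 0x0010): "PatientName",
    (0x0010, 0x0020): "PatientID",
    (0x0010, 0x0030): "PatientBirthDate",
}

LONG_VRS = (b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN")


def parse_elements(body):
    """Walk explicit VR little-endian elements, yielding (group, elem, vr, value).
    Stops at the first element it cannot parse; enough for header triage."""
    pos = 0
    while pos + 8 <= len(body):
        group, elem = struct.unpack_from("<HH", body, pos)
        vr = body[pos + 4:pos + 6]
        if vr in LONG_VRS:          # 2 reserved bytes, then a 4-byte length
            if pos + 12 > len(body):
                break
            length = struct.unpack_from("<I", body, pos + 8)[0]
            header = 12
        else:                       # 2-byte length follows the VR
            length = struct.unpack_from("<H", body, pos + 6)[0]
            header = 8
        if length == 0xFFFFFFFF:    # undefined length (sequences, pixel data)
            break
        value = body[pos + header:pos + header + length]
        if len(value) < length:
            break
        yield group, elem, vr.decode("ascii", "replace"), value
        pos += header + length


def inspect_dicom(data):
    """Return preamble findings and the identifying header elements."""
    if len(data) < PREAMBLE_LEN + 4:
        raise ValueError("too short to be a DICOM Part 10 file")
    preamble = data[:PREAMBLE_LEN]
    if data[PREAMBLE_LEN:PREAMBLE_LEN + 4] != MAGIC:
        raise ValueError("DICM magic missing at offset 128")
    executable = next((name for sig, name in EXECUTABLE_MAGIC.items()
                       if preamble.startswith(sig)), None)
    phi = {}
    for group, elem, _vr, value in parse_elements(data[PREAMBLE_LEN + 4:]):
        name = PHI_TAGS.get((group, elem))
        if name:
            phi[name] = value.decode("ascii", "replace").strip("\x00 ")
    return {
        "preamble_all_zero": not any(preamble),
        "executable_in_preamble": executable,
        "phi": phi,
    }


def _element(group, elem, vr, value):
    """Encode one explicit VR little-endian element (values padded to even length)."""
    if len(value) % 2:
        value += b"\x00" if vr == b"UI" else b" "
    return struct.pack("<HH", group, elem) + vr + struct.pack("<H", len(value)) + value


def build_sample(preamble=b"\x00" * PREAMBLE_LEN):
    """Constructed minimal file for this example: preamble, DICM, the transfer
    syntax element and a few identifying elements. Made-up values, no pixel data."""
    return preamble + MAGIC + (
        _element(0x0002, 0x0010, b"UI", b"1.2.840.10008.1.2.1")   # explicit VR LE
        + _element(0x0008, 0x0020, b"DA", b"20190715")
        + _element(0x0008, 0x0090, b"PN", b"DOE^JOHN")
        + _element(0x0010, 0x0010, b"PN", b"SAMPLE^PATIENT")
        + _element(0x0010, 0x0020, b"LO", b"MRN0001")
        + _element(0x0010, 0x0030, b"DA", b"19700101")
    )


# Preamble carrying a DOS/PE stub header instead of zeros (constructed).
MALICIOUS_PREAMBLE = b"MZ" + b"\x90" * (PREAMBLE_LEN - 2)

if __name__ == "__main__":
    for label, sample in (("clean", build_sample()),
                          ("polyglot", build_sample(MALICIOUS_PREAMBLE))):
        print(label, inspect_dicom(sample))
```

A non-zero preamble is not proof of tampering (some vendors write their own marker there), but an executable signature in it has no legitimate reason to exist in an archived study and is worth quarantining before the file reaches a workstation.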

Greenbone Networks estimates that the exposed medical images and PHI have a value in excess of $1 billion. The data could be used for a variety of nefarious purposes including identity theft, social engineering and phishing, and blackmail.

The exposure of the data is in violation of the Health Insurance Portability and Accountability Act (HIPAA), the EU’s General Data Protection Regulation (GDPR), and many other data privacy and security laws. The data relates to individuals in more than 52 countries.

93,000 Files Belonging to California Addiction Treatment Center Exposed Online

An AWS S3 storage bucket belonging to Sunshine Behavioral Health, LLC, a San Juan Capistrano, CA-based network of drug and alcohol addiction rehabilitation centers, has been misconfigured, resulting in the exposure of sensitive patient information.

The misconfigured AWS S3 bucket was initially reported to databreaches.net in August 2019. Sunshine Behavioral Health was contacted and the bucket was secured; however, the data exposure does not appear to have been reported to the HHS’ Office for Civil Rights, there is no breach report on the California Attorney General’s website, and no mention of the breach on the Sunshine Behavioral Health website, even though it has been more than 60 days since Sunshine Behavioral Health was made aware of the breach.

Dissent of databreaches.net followed up on the breach in November and discovered that files were still exposed. The URLs of the PDF files in the bucket were still accessible and could be viewed without the need for a password. If the URLs had been obtained while the bucket was exposed, the PDF files could have been accessed and downloaded. In total, 93,000 patient files were stored in the S3 bucket.

According to Dissent, the files did not correspond to 93,000 patients. Some patients had multiple files and some of the files appeared to contain test data or were templates. Further contact was made with Sunshine Behavioral Health, but no reply was received, although the email was evidently read, as the URLs are no longer accessible.

It is unclear how many patients have been affected, how long the files were exposed online, and whether they were accessed by unauthorized individuals during that time. The files were mostly billing records, some of which contained full names, birth dates, email addresses, postal addresses, telephone numbers, full credit card numbers, partial expiry dates, full CVV codes, and health insurance information.
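The pattern reported above, a bucket that was “secured” yet whose object URLs still served PDFs without a password, is what happens when only one of the several S3 access paths is closed. A bucket can be readable through a bucket policy, through the bucket ACL, or through per-object ACLs, and a fix that removes the policy or the listing permission leaves individually public-read objects reachable by anyone who already has the key. As an added example, not taken from the HIPAA Journal post, databreaches.net or Sunshine Behavioral Health, the following Python evaluates those three paths together with the bucket’s Block Public Access settings and lists what is actually reachable. The bucket name, keys, policy and ACL documents are constructed for the example; their shape matches what the boto3 calls get_bucket_policy (after json.loads of the Policy string), get_bucket_acl, get_object_acl and get_public_access_block return.

```python
import json

# S3 canned group URIs that mean "everyone" or "any AWS account".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy):
    """Allow statements in a bucket policy that any internet user can satisfy."""
    found = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not _is_public_principal(st.get("Principal")):
            continue
        found.append({
            "actions": [a.lower() for a in _as_list(st.get("Action", []))],
            "resources": _as_list(st.get("Resource", [])),
            "conditional": "Condition" in st,   # needs a human look, not auto-public
        })
    return found


def public_acl_grants(acl):
    """(group, permission) pairs granted to AllUsers/AuthenticatedUsers in an ACL."""
    grants = []
    for g in acl.get("Grants", []):
        grantee = g.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            grants.append((PUBLIC_GROUPS[grantee["URI"]], g.get("Permission")))
    return grants


def assess_bucket(bucket, policy, bucket_acl, object_acls, public_access_block):
    """Combine policy, bucket ACL and per-object ACLs with the Block Public Access
    settings to list what is reachable from the internet right now."""
    findings = []
    restrict_policy = public_access_block.get("RestrictPublicBuckets", False)
    ignore_acls = public_access_block.get("IgnorePublicAcls", False)

    for st in public_policy_statements(policy):
        if restrict_policy:
            continue                       # public on paper, neutralised by BPA
        kind = "conditional public allow (review)" if st["conditional"] else "anyone may"
        findings.append(f"policy: {kind} {st['actions']} on {st['resources']}")

    if not ignore_acls:
        for who, perm in public_acl_grants(bucket_acl):
            findings.append(f"bucket ACL: {who} has {perm} on s3://{bucket}")
        for key, acl in object_acls.items():
            for who, perm in public_acl_grants(acl):
                findings.append(f"object ACL: s3://{bucket}/{key} {perm} for {who}")
    return findings


# ---- constructed inputs (hypothetical bucket name and keys) ----
BUCKET = "example-rehab-billing"

OPEN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject",
                 "Resource": "arn:aws:s3:::example-rehab-billing/*"}]
}""")
EMPTY_POLICY = {"Version": "2012-10-17", "Statement": []}

OWNER_ONLY_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"},
                              "Permission": "FULL_CONTROL"}]}
# One object was uploaded with the public-read canned ACL and never fixed.
OBJECT_ACLS = {
    "intake/patient-0001.pdf": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"}]},
    "intake/template.pdf": OWNER_ONLY_ACL,
}
BPA_OFF = {k: False for k in ("BlockPublicAcls", "IgnorePublicAcls",
                              "BlockPublicPolicy", "RestrictPublicBuckets")}
BPA_ON = {k: True for k in BPA_OFF}

if __name__ == "__main__":
    print("as found:      ", assess_bucket(BUCKET, OPEN_POLICY, OWNER_ONLY_ACL, OBJECT_ACLS, BPA_OFF))
    print("policy removed:", assess_bucket(BUCKET, EMPTY_POLICY, OWNER_ONLY_ACL, OBJECT_ACLS, BPA_OFF))
    print("BPA enabled:   ", assess_bucket(BUCKET, OPEN_POLICY, OWNER_ONLY_ACL, OBJECT_ACLS, BPA_ON))
```

The middle case is the one that matters for this story: with the bucket policy gone, the object with a public-read ACL is still served to anyone holding its URL. Turning on all four Block Public Access settings closes every path at once, which is why it is the first control to check when a data-exposure report comes in.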

Phishing Attacks Reported by UNC Chapel Hill School of Medicine and Starling Physicians

University of North Carolina Chapel Hill School of Medicine has experienced a phishing attack in which the protected health information of 3,716 patients has potentially been accessed by unauthorized individuals.

An investigation by third-party forensics experts confirmed that several employee email accounts were compromised between May 17, 2018 and June 18, 2018. It is unclear when the security breach was first detected.

The types of information in emails and email attachments in the compromised accounts varied from patient to patient and may have included names, birth dates, demographic information, Social Security numbers, health insurance details, financial account information, and credit card numbers.

Affected individuals were notified about the breach on November 12, 2019. Patients whose Social Security numbers were potentially compromised have been offered complimentary credit monitoring and identity theft protection services.

Multi-factor authentication has now been implemented and employees have been provided with further cybersecurity and phishing awareness training.

Three Email Accounts Compromised in Phishing Attack on Starling Physicians

The Connecticut physician group, Starling Physicians P.C. has announced that the personal and health information of certain patients has potentially been compromised in a phishing attack.

The attack occurred on February 8, 2019 and a third-party forensics firm was engaged to investigate the breach and assess the nature and scope of the attack. Three employee email accounts were discovered to have been compromised.

Starling Physicians learned on September 12 that the compromised email accounts contained names, addresses, dates of birth, Social Security numbers, passport numbers, health insurance information, billing information, and medical information of certain patients. It is unclear when the phishing attack was discovered.

Notification letters were sent to affected patients on November 12, 2019. Patients whose Social Security number was potentially compromised have been offered complimentary credit monitoring and identity theft protection services.

It is currently unclear exactly how many patients have been affected. A spokesperson for the group said the incident impacted fewer than 0.01 percent of active patients.

PHI Theft Incidents Reported by Loyola Medicine and Main Street Clinical Associates

Main Street Clinical Associates, PA., in Durham, NC has informed certain patients that some of their protected health information was stored on devices that were stolen from its offices.

The theft occurred when the Main Street offices had been evacuated due to a severe gas explosion. Staff at the office were ordered to evacuate the building on April 10, 2019 following an explosion in an adjacent building. Files and equipment were left on desks due to the urgent evacuation, and the room containing patient records was left unlocked. The damage to the building was extensive. Staff were not permitted to re-enter the building until September 9, 2019. When the staff returned, it was discovered the offices had been looted and equipment had been stolen. Two laptop computers had been taken, along with the cell phone of a clinician, and a printer containing some patient information.

Main Street explained in a recent press release that the laptop computers and cell phone were password-protected, as were the files that contained patient information. Since the devices were not encrypted, a login password does not protect the data at rest (the storage can be read directly or the password bypassed), so it is possible that patient information could have been accessed. The devices contained information such as names, driver’s license numbers, Social Security numbers, health insurance information, and diagnosis and treatment information.

Main Street has changed passwords to prevent patient information from being accessed and is monitoring for any attempted misuse of the devices. Patients known to have had their information exposed, for whom up to date contact information is held, are being notified by mail. Since it was not possible to determine exactly which patients have been affected, several media outlets have also been notified about the breach.

Loyola Medicine Notifies Patients of Theft of Autopsy Photos

Loyola Medicine in Maywood, IL has announced a camera containing autopsy photographs has been stolen from Loyola University Medical Center. The camera contained images of 18 deceased patients. Photographs of nine of those individuals had not been uploaded to the patients’ medical record files and have been permanently lost.

According to a CBS 2 report, the photographs had not been uploaded to the hospital system as a new camera had been purchased and it was not supplied with a cable to allow the photographs to be uploaded, so they remained on the memory card.

According to a spokesperson for Loyola Medicine, steps have been taken to prevent further breaches of this nature from occurring, including providing further training for staff and improving physical security.

The families of the deceased patients have now been notified of the loss of photographs and the privacy breach has been reported to the Department of Health and Human Services’ Office for Civil Rights.

Tens of Thousands of TennCare and Florida Blue Members Impacted by Phishing Attack on Business Associate

Further healthcare organizations have confirmed they have been affected by a data breach at Magellan Health National Imaging Associates, a business associate of several HIPAA-covered entities that provides managed pharmacy and radiology benefits services.

Danville, PA-based Geisinger Health Plan announced last month that 5,848 of its members had been affected by the breach. In the past few days, health insurance company Florida Blue and the Tennessee state Medicaid program, TennCare, have made similar announcements.

Albuquerque, NM-based Presbyterian Health Plan has also confirmed that 56,226 of its members were affected.

The phishing attack occurred on May 28, 2019. Magellan Health NIA learned of the breach on July 5, 2019 and took action to secure the affected email account. The breach was detected when the compromised account was used to send out large quantities of spam email.

The internal investigation confirmed that the mailbox had been accessed on several occasions by an individual based outside the United States. The purpose of the attack appears to have been solely to use the email account to send out spam. No evidence was found to indicate protected health information had been accessed or stolen, but the possibility could not be discounted.
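The two indicators in the Magellan Health NIA account are the ones most mailbox compromises leave behind: successful sign-ins from a country the user never works from, and a burst of outbound mail far above the user’s normal volume. As an added example, not part of the HIPAA Journal post and not Magellan’s own tooling, the following Python runs both checks over constructed sign-in and send records and correlates them per user. The log format is a simplified one invented for this example (not the Microsoft 365 unified audit log schema), the user names and addresses are made up, and the home-country allowlist and the 500-recipients-per-hour threshold are assumptions to tune to the tenant.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified sign-in/send records (not the Microsoft 365 audit schema).
LOG = """\
{"ts": "2019-05-28T02:11:09Z", "user": "j.smith", "event": "signin", "result": "success", "ip": "203.0.113.7", "country": "NG"}
{"ts": "2019-05-28T08:02:41Z", "user": "j.smith", "event": "signin", "result": "success", "ip": "198.51.100.4", "country": "US"}
{"ts": "2019-06-30T13:15:00Z", "user": "a.lee", "event": "signin", "result": "failure", "ip": "203.0.113.9", "country": "RU"}
{"ts": "2019-07-04T23:40:00Z", "user": "j.smith", "event": "signin", "result": "success", "ip": "203.0.113.7", "country": "NG"}
{"ts": "2019-07-05T00:05:00Z", "user": "j.smith", "event": "send", "recipients": 480}
{"ts": "2019-07-05T00:20:00Z", "user": "j.smith", "event": "send", "recipients": 500}
{"ts": "2019-07-05T00:35:00Z", "user": "j.smith", "event": "send", "recipients": 520}
{"ts": "2019-07-05T01:10:00Z", "user": "a.lee", "event": "send", "recipients": 3}
{"ts": "2019-07-05T09:00:00Z", "user": "a.lee", "event": "signin", "result": "success", "ip": "198.51.100.9", "country": "US"}
"""

HOME_COUNTRIES = {"US"}   # assumption: where this tenant's staff normally sign in


def parse_log(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def foreign_signins(events, allowed=HOME_COUNTRIES):
    """Successful sign-ins from outside the allowed countries. Failed attempts
    are background noise; a successful one is the indicator that matters."""
    return [(e["user"], e["ts"], e["country"]) for e in events
            if e["event"] == "signin" and e.get("result") == "success"
            and e.get("country") not in allowed]


def send_spikes(events, window=timedelta(hours=1), max_recipients=500):
    """Per user, sum recipients over a sliding window and report the peak of any
    window above max_recipients. Catches a mailbox turned into a spam source."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "send":
            by_user[e["user"]].append((_ts(e["ts"]), e["recipients"]))
    peaks = {}
    for user, sends in by_user.items():
        sends.sort()
        start, total = 0, 0
        for ts, n in sends:
            total += n
            while ts - sends[start][0] > window:   # drop sends that fell out of the window
                total -= sends[start][1]
                start += 1
            if total > max_recipients:
                peaks[user] = max(peaks.get(user, 0), total)
    return peaks


def compromised_candidates(events):
    """Users showing both indicators: a foreign successful sign-in and a send spike."""
    foreign = {user for user, _when, _country in foreign_signins(events)}
    return sorted(foreign & set(send_spikes(events)))


if __name__ == "__main__":
    ev = parse_log(LOG)
    print("foreign sign-ins:", foreign_signins(ev))
    print("send spikes:", send_spikes(ev))
    print("candidates:", compromised_candidates(ev))
```

Either indicator alone is enough to open a ticket; the first foreign sign-in here is dated weeks before the spam burst, which is the window in which an earlier alert would have shortened the exposure. The correlation is what turns two noisy signals into a confident call to reset the credential and revoke sessions.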

TennCare was advised it had been affected on September 11, a day after Magellan Health discovered it had been impacted. Magellan Health NIA notified Geisinger Health Plan about the breach on September 24, and Florida Blue was alerted on September 25.

Florida Blue has not yet disclosed exactly how many of its members have been affected, only stating that fewer than 1% of its 5 million members had their protected health information exposed. The information compromised in the attack was limited to name, date of birth, member ID number, health plan name, provider name, drug name, name of imaging procedures performed, benefit authorization outcome, and authorization number. Florida Blue is providing complimentary credit monitoring services to affected members.

TennCare has confirmed that 43,847 individuals were impacted by the breach and listed the following information as potentially compromised: names, member ID numbers, health plan information, provider names, names of prescribed medications, and Social Security numbers. TennCare has confirmed that members affected by the breach are being offered credit monitoring services as a precaution against misuse of their information.

Salem Health Hospitals & Clinics and Delta Dental of Arizona Notify Patients About Phishing Attacks

Salem Health Hospitals & Clinics in Oregon experienced a phishing attack on July 31, 2019 that resulted in an unauthorized individual gaining access to the email accounts of several employees. The breach was detected within a day of the accounts being accessed and the compromised accounts were secured.

Patients were notified about the breach on September 27 and were told that a review of the affected accounts was underway. The compromised email accounts were expected to contain a limited amount of patient information such as names, dates of birth, and information related to the medical services patients had received. At the time of issuing the notice, the investigation into the breach was ongoing.

On Thursday, November 7, 2019, Salem Health spokesperson, Elijah Penner, said “The incident was reviewed thoroughly, and Salem Health has no indication that any patient information has been misused.” No evidence was uncovered to suggest patient information in emails and email attachments was accessed.

Salem Health has advised affected patients to exercise caution and monitor their accounts and explanation of benefits statements for signs of fraudulent activity. Email security is being enhanced and Salem Health will be reinforcing education of employees to help them identify and avoid malicious emails in the future.

The breach has not yet appeared on the HHS’ Office for Civil Rights breach portal so it is currently unclear how many patients have been impacted by the security breach.

Delta Dental of Arizona Notifies Members About July Phishing Attack

The Glendale, AZ-based dental insurance company, Delta Dental of Arizona, has announced it has experienced an email security breach in which the information of plan members has been exposed. The security breach came to light on July 8, 2019 following the detection of suspicious activity in an employee’s email account.

The attacker used the employee’s credentials to access the email account on July 8. According to the substitute breach notice on the Delta Dental website, determining which members had information exposed was “a lengthy and labor-intensive process.”

Delta Dental of Arizona issued a statement on November 8, 2019 confirming the investigation found no evidence of unauthorized data access, although it was not possible to rule out unauthorized data access. Consequently, affected members have been notified as a precaution.

The types of information in the email account included names, addresses, dates of birth, member ID numbers, Social Security numbers, driver’s license numbers, passport numbers, financial account information, credit/debit card numbers, dental insurance information, usernames/passwords, and digital signatures.

The incident has yet to be listed on the HHS’ Office for Civil Rights breach portal so it is unclear how many members have been affected.
