HIPAA Breach News

Hunt Regional Healthcare Revises May 2018 Data Breach Total

Texas-based Hunt Regional Healthcare has discovered a May 2018 cyberattack was much more extensive than previously thought. On May 14, 2019, Hunt Regional was informed by the FBI that its systems had been the subject of a sophisticated, targeted cyberattack in May 2018 and that a small subset of its patients had had their protected health information (PHI) exposed. Those individuals had previously received medical services at Hunt Regional Medical Center.

The PHI was stored in a limited area of the network to which the hackers had gained access and those individuals were notified about the breach in July 2019. A more detailed investigation was then conducted with assistance provided by third-party computer forensics experts, who discovered the hackers had gained access to other parts of the network that were not initially thought to have been compromised.

These additional parts of the network contained the PHI of patients of other facilities in the network: Hunt Regional Medical Center in Greenville, Hunt Regional Emergency Medical Center – Commerce, Hunt Regional Emergency Medical Center – Quinlan, Hunt Regional Home Care, Hunt Regional Lab Solutions, Hunt Regional Open Imaging – Greenville, Hunt Regional Open Imaging – Rockwall, Hunt Regional Outpatient Behavioral Health, Hunt Regional Infusion Center, and Texas Oncology Greenville.

Medical records were potentially compromised which included personal information such as names, contact telephone numbers, dates of birth, race, religious preferences, and Social Security numbers.

It was not possible to determine exactly which records were accessed or copied by the attackers, so the decision was taken to send notification letters to the entire database of patients to make sure all individuals were made aware of the possibility that their information had been compromised. All individuals have been offered credit monitoring and identity theft protection services through IDCare, which include a $1 million identity theft insurance policy.

Hunt Regional had implemented appropriate safeguards prior to the attack to prevent the unauthorized accessing of patient information. Assisted by third party cybersecurity professionals, Hunt Regional has implemented further safeguards to strengthen data security.

The initial breach report submitted to the HHS’ Office for Civil Rights in July 2019 indicated 3,700 patients had been affected. The breach summary has yet to be updated with the new total.

The post Hunt Regional Healthcare Revises May 2018 Data Breach Total appeared first on HIPAA Journal.

Philadelphia Department of Public Health Data Breach Exposed PHI of Hepatitis Patients

The Philadelphia Department of Public Health (PDPH) has discovered sensitive information of patients with hepatitis B and hepatitis C has been exposed over the internet and could be accessed by anyone without the need for authentication. The breach came to light on Friday October 12, 2019 following notification from a reporter from The Philadelphia Inquirer.

The issue was corrected within minutes of the hospital being notified of the breach. An investigation has now been launched to determine the nature, cause, and extent of the breach.

New cases of hepatitis B and hepatitis C must be reported to PDPH by medical providers to enable tracking and monitoring of the disease. Both diseases can be transmitted through contact with bodily fluids of an infected person. New cases are often the result of sharing of needles by intravenous drug users. New cases of both forms of hepatitis are monitored as part of the PDPH opioids initiative.

The data supplied by healthcare providers had been uploaded to a website tool that allows aggregated data to be visualized through charts using Tableau software. Tableau dashboards are created to allow data to be aggregated and easily displayed in an understandable format. The creators of Tableau dashboards must ensure security controls are implemented to prevent backend data from being accessed. If those controls are not applied, raw data can be viewed and downloaded.

According to The Philadelphia Inquirer, the breach could have affected tens of thousands of patients. The newspaper found data on around 23,000 patients who had contracted hepatitis C.

The exposed data included a patient’s name, along with their gender, address, test results, and in some cases, Social Security number. The data covered new cases of Hepatitis B and Hepatitis C reported to PDPH between 2013 and 2018. It is currently unclear for how long the data was accessible via the PDPH website, how many patients have been affected, and how many unauthorized individuals accessed the information during the time it was exposed.


68,000 Patients of Methodist Hospitals Impacted by Phishing Attack

In June 2019, Gary, Indiana-based Methodist Hospitals discovered an unauthorized individual had gained access to the email account of one of its employees following the detection of suspicious activity in the employee’s email account.

An investigation was immediately launched and third-party computer forensics experts were called in to determine the extent of the breach and whether any patient information had been accessed or copied by the attacker. The investigation revealed two email accounts had been compromised as a result of employees responding to phishing emails.

It took until August 7, 2019 for the forensic investigators to determine that a breach had occurred and patient information had been compromised. One of the compromised email accounts was discovered to have been accessed by an unauthorized individual from March 13, 2019 to June 12, 2019, and the second account was subjected to unauthorized access on June 12, 2019 and from July 1 to July 8.

As is typical in forensic investigations, it was not possible to determine whether the attacker viewed or copied patient information contained in emails and email attachments, nor was it possible to rule that out. At the time of issuing breach notification letters in October, no reports had been received to suggest patient information had been misused.

The types of information potentially compromised in the phishing attacks varied from patient to patient. In addition to patient names, the following information may have been compromised: Address, date of birth, Social Security number, driver’s license number, state ID number, passport number, medical record number, CSN number, HAR number, Medicare number, Medicaid number, diagnosis information, treatment information, health insurance subscriber, group, and/or plan number, group identification number, financial account number, payment card information, electronic signature, username and password.

Methodist Hospitals is reviewing its policies and procedures and will be implementing additional safeguards to improve defenses against phishing attacks in the future.

Affected individuals have been advised to monitor their account statements and explanation of benefits statements for signs of fraudulent activity. The substitute breach notification letter on the Methodist Hospitals website makes no mention of credit monitoring and identity theft protection services for breach victims.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates up to 68,039 patients have been affected by the breach.


CHI Health Ransomware Attack Impacts 48,000 Lakeside Patients

The Omaha, NE-based 14-hospital health system, CHI Health, has experienced a ransomware attack in which the protected health information of approximately 48,000 patients has potentially been compromised.

The attack was discovered on August 1, 2019 and affected an old electronic health record system that contained the medical records of patients who had received medical services at CHI Health’s Lakeside Orthopedic Clinic prior to April 2016.

The investigation confirmed that a database used by the medical record system had been encrypted in the attack. A full investigation into the attack was launched and, while it is possible that patient information was accessed or copied by the attackers, no evidence of unauthorized data access or data exfiltration was discovered and there have been no reports of misuse of patient information. The attack appears to have been conducted solely with the aim of extorting money from CHI Health.

The types of information contained in the database included patient names, addresses, contact telephone numbers, dates of birth, Social Security numbers, diagnoses, treatment information, and other medical information.

Affected individuals have been notified about the breach by mail and the incident has been reported to the Department of Health and Human Services’ Office for Civil Rights and other appropriate authorities.

Out of an abundance of caution, all affected individuals have been offered a 12-month complimentary subscription to credit monitoring and identity theft protection services. CHI Health has also taken steps to reduce the likelihood of similar breaches occurring in the future.


Cancer Treatment Centers of America Experiences Another Phishing Attack

Cancer Treatment Centers of America (CTCA) is notifying certain patients that some of their protected health information (PHI) has been exposed as a result of a phishing-related email security breach that occurred in July 2019 at its Southeastern Regional Medical Center.

The attack was identified on July 29, 2019 when suspicious activity was detected in the email account of a CTCA staff member. The breach investigation revealed the attacker had gained access to the account for a period of around 7 days from July 22.

Upon detection of the breach, the user’s email account was secured to prevent further unauthorized access. The investigation did not uncover any evidence to suggest patient information in emails and email attachments were accessed or copied by the attacker, but the possibility could not be ruled out.

The types of information potentially accessed included names along with addresses, phone numbers, dates of birth, health insurance information, medical information, medical record numbers, and other patient identifiers.

No Social Security numbers were exposed in the breach, so credit monitoring and identity theft protection services are not being provided. Affected patients have been advised to monitor their explanation of benefits statements and report any suspected fraudulent activity to their insurers.

The breach report submitted to the HHS’ Office for Civil Rights indicates up to 3,290 patients have been affected by the latest breach.

In total, five breaches have been reported to OCR by CTCA since late November 2018. The first, reported to OCR on November 6, 2018, affected 41,948 patients of Western Regional Medical Center in Arizona. 3,904 patients of Eastern Regional Medical Center in Pennsylvania and 3,904 patients of Southeastern Regional Medical Center were affected by phishing attacks reported to OCR on July 12. A further 16,819 patients of Southeastern Regional Medical Center were affected by a phishing attack reported to OCR on May 10, 2019.

Humana Notifies Lafayette Customers of Employee-Related Data Breach

A former Humana employee who was terminated in December 2018 for emailing a customer list to a personal email account is believed to have disclosed that information to another individual.

The list contained the details of approximately 500 customers in the Lafayette, LA area. This list contained member names, addresses, email addresses, telephone numbers, dates of birth, Humana ID numbers, and plan numbers.

The breach was investigated internally and as part of that investigation, the former employee’s wife confirmed that she and her husband used the list to contact Humana customers between April and May 2019 in an attempt to try to solicit business for their own insurance brokerage firm. Humana has been assured that the list was not disclosed to anyone else.

Affected individuals have now been notified and have been told to contact Humana if they believe there has been any fraudulent use of their information.


UAB Medicine Phishing Attack Impacts 19,000 Patients

UAB Medicine is alerting patients about an August 7, 2019 phishing attack that resulted in the email accounts of several employees of UAB Medical Center in Birmingham, AL being accessed by the attackers.

Upon discovery of the breach, the passwords on affected email accounts were changed to prevent further unauthorized access and UAB Medicine engaged a leading cybersecurity firm to investigate the breach.

An analysis of the compromised email accounts revealed they contained the protected health information (PHI) of 19,557 patients, including names and one or more of the following data elements: Medical record number, date of birth, dates of service, location of service, diagnoses, and treatment information. A limited number of patients also had their Social Security number exposed.

UAB Medicine provides security awareness training to its workforce and has taught employees how to identify phishing emails. In this instance, despite that training, several employees responded to the emails and disclosed their email account credentials. Those credentials were used to gain access to email accounts and the payroll system. The health system said the email used in the attack was a fake business survey that appeared to have been sent internally from an executive’s email account.

The aim of the attack appears to have been to gain access to the payroll system to divert employees’ payroll deposits. The attack was detected and blocked before any payroll deposits were redirected. While it is possible that the attackers viewed/copied patient information, no evidence of unauthorized PHI access or data exfiltration was identified and there have been no reports of misuse of patients’ PHI.

Affected individuals have been advised to monitor their accounts and explanation of benefits statements for signs of fraudulent activity and have been offered 12 months’ subscription to credit monitoring and identity theft protection services at no cost. Steps are being taken to improve email security to prevent similar breaches from occurring in the future.


Goshen Health Notifies 9,160 Patients of Historic PHI Breach

Goshen Health in Indiana has started notifying 9,160 patients that some of their protected health information (PHI) may have been compromised in a phishing-related email breach in August 2018.

Upon discovery of the breach the compromised email accounts were secured and the breach was investigated. At the time, the security breach was determined not to require notifications to patients as PHI did not appear to have been compromised. However, on August 1, 2019, Goshen Health became aware that the compromised email accounts did contain the PHI of certain patients and notification letters were necessary.

The breach occurred between August 2, 2018 and August 13, 2018. An unidentified, unauthorized individual gained access to the email accounts of two Goshen colleagues. Following the breach, Goshen Health enhanced its email security protections and as part of that process used additional forensic tools and technology to re-evaluate the breach.

Third-party forensics experts were retained in November 2018 to reassess the incident, but no evidence of unauthorized PHI access or PHI theft was uncovered. Part of the evaluation involved a detailed search of the compromised email accounts to determine whether they contained any sensitive patient information. Almost a year to the day after the first account compromise, the accounts were confirmed to contain the PHI of certain patients.

The PHI in the accounts included names, addresses, dates of birth, health insurance information, physicians’ names, Social Security numbers, driver’s license numbers, and limited clinical information.

The breach was reported to the HHS’ Office for Civil Rights on September 30, 2019 and notification letters were sent to affected patients the same day. Individuals whose Social Security number or driver’s license number were exposed have been offered 12 months of complimentary credit monitoring and identity theft protection services.

Further training has now been provided to staff members related to email security and phishing awareness.


DCH Health System Ransomware Attack Temporarily Cripples 3 Alabama Hospitals

DCH Health System has been forced to close all three of its Alabama hospitals for all but critical new patients following a ransomware attack.

The attack prevented staff at DCH Regional Medical Center in Tuscaloosa, Northport Medical Center, and Fayette Medical Center from accessing computer systems, which were taken out of action as a result of the attack that commenced in the early hours of Tuesday, October 1, 2019.

Access to its systems is being prevented by an unknown individual who is seeking an undisclosed sum for the keys to unlock the encryption. It is currently unclear whether the hospital or its insurer will pay the ransom or if systems will be restored from backups. Certain systems have been brought back online although access remains limited.

Emergency procedures have been implemented at all three hospitals to ensure day-to-day healthcare operations can continue. Care is being provided to patients currently at the hospitals, and critical patients are being accepted, but individuals scheduled for outpatient procedures or tests have been advised to call before attending. Ambulance services have been advised to take patients to alternate facilities if possible.

Kaiser Permanente Alerts Certain Members to Email Security Breach

Kaiser Permanente is alerting certain members about an August 12, 2019 security breach that resulted in the email account of an employee of a provider being compromised by an unknown individual. Kaiser Permanente was alerted to the breach on August 19. The investigation revealed the account was compromised for a period of 13 hours.

The investigation did not uncover any evidence to suggest sensitive information had been viewed by the attacker or exfiltrated from the email system, and no reports have been received to suggest any PHI has been misused.

The compromised email account did not include any Social Security numbers, only the following types of PHI: name, age, date of birth, gender, date(s) of service, provider name, provider comments, payor name, diagnoses, medical history, benefit information, insurance coverage status, treatment information, procedure information, and service provided.

Affected individuals have been advised to monitor their explanation of benefits statements for signs of suspicious activity. It is currently unclear how many members have been affected by the breach.


391,472 Patients Impacted by Sarrell Dental Ransomware Attack

Sarrell Dental, an Alabama-based not-for-profit provider of children’s dental and optical services, has experienced a ransomware attack in which the protected health information of its patients may have been compromised.

Sarrell Dental is the largest provider of dental services in the state of Alabama and operates 17 clinics in the state. In July 2019, ransomware was deployed on its network which resulted in widespread file encryption. Upon discovery of the attack, the network was deactivated, and an investigation was launched. Affected clinics were closed for two weeks while the breach was investigated and systems were restored. A ransom demand was received but it was not paid. Patient information was restored from backups.

A third-party computer forensics team was engaged to assist with the investigation to determine the extent of the breach. That investigation revealed that the attackers may have first gained access to Sarrell Dental systems as early as January 2019. No evidence was found to suggest patient information was accessed or copied by the attackers, but the possibility could not be ruled out. To date, no reports have been received to suggest any patient information has been misused.

The parts of the system that were potentially accessed by the attackers were discovered to contain protected health information including names, addresses, birth dates, Social Security numbers, health insurance information, treatment information, dates of service, diagnosis codes, procedure codes, and the name of the treating dentist.

The incident was reported to law enforcement and the Department of Health and Human Services’ Office for Civil Rights (OCR) has been notified. The OCR breach report indicates 391,472 patients potentially had their PHI exposed.

Sarrell Dental has since implemented additional security controls to prevent future attacks and network and system monitoring capabilities have been enhanced.

Notification letters were sent to affected patients on September 12, 2019. Affected individuals have been offered credit monitoring and identity theft protection services for 12 months at no cost.
