HIPAA Breach News

PHI Potentially Compromised in Cybersecurity Breach at North Florida OB-GYN

Posted by HIPAA Journal

Jacksonville, FL-based North Florida OB-GYN has discovered hackers gained access to certain parts of its computer system containing patients’ personal and health information and deployed a virus that encrypted files.

Upon discovery of the breach on July 27, 2019, networked computer systems were shut down and breach response and recovery procedures were initiated. Third party IT consultants assisted with the investigation and confirmed that parts of its networked computer systems had been subjected to unauthorized access and a virus had been used to encrypted certain files. The investigation revealed its systems had most likely been compromised on or before April 29, 2019.

While system access was confirmed, no evidence of unauthorized data access or theft of personal or medical information was found; however, unauthorized data access and data exfiltration could not be ruled out.

Protected health information potentially compromised in the attack varied from patient to patient and may have include name, demographic information, birth date, driver’s license number, ID card number, Social Security number, health insurance information, employment information, diagnoses, treatment information, and medical images.

Affected individuals have been advised to remain vigilant and review their account statements to check for unauthorized use of their information. It does not appear that affected individuals are being offered credit monitoring and identity theft protection services.

North Florida OB-GYN has been able to recover virtually all files encrypted in the attack. It is unclear whether a ransom demand was issued and paid, or if the files were recovered from backups. North Florida OB-GYN has already taken steps to strengthen security to prevent similar incidents from occurring in the future.

The breach has been reported to the HHS’ Office for Civil Rights and appropriate state authorities. The breach has yet to appear on the OCR breach portal, so it is currently unclear how many patients have ben affected. This post will be updated as and when further information becomes available.

Tomo Drug Testing Discovers Sensitive Information on Drug Testing Subjects Has Been Compromised

Springfield, MO-based Tomo Drug Testing, a provider of drug screening services, has discovered an unauthorized individual has gained access to a database containing the sensitive information of drug screening subjects, including names, Social Security numbers, driver’s license numbers, state identification numbers, and drug test results.

According to a statement released by the company, the database was accessed on April 23, 2019 and May 9, 2019 by an unidentified individual who claimed to have downloaded and removed certain information from the database.

Tomo Drug Testing learned of the breach on April 23, 2019 and launched an investigation into the breach. Forensics experts were called in to determine whether information had been removed or deleted from the database. While it was not possible to determine whether the database had been copied and stolen, certain items were found to have been removed or deleted from the database.

The database appeared to have been accessed using compromised credentials. Upon discovery of the breach, the password and privileges on the account used to access the database were changed. All data has now been migrated to a more secure system and the previous system has now been decommissioned. Tomo Drug Testing is continuing to implement additional security controls to prevent further incidents from occurring in the future.

Determining who was affected and the types of information in the database was a lengthy process. It took until July 1, 2019 to discover all individuals impacted by the breach and obtained up-to-date contact information. A substitute breach notice has been issued to media outlets as it was not possible find contact information for all individuals affected.

Notification letters have now been sent and affected individuals have been offered complimentary credit monitoring and identity theft protection services as a precaution. It is currently unclear how many individuals have been impacted.

The post PHI Potentially Compromised in Cybersecurity Breach at North Florida OB-GYN appeared first on HIPAA Journal.

Wood Ranch Medical Announces Permanent Closure Due to Ransomware Attack

Posted by HIPAA Journal

Another healthcare provider has announced it will be permanently closing its doors as a direct result of a ransomware attack. The devastating attack occurred at Wood Ranch Medical in Simi Valley, CA, which recently announced that the practice will permanently close on December 17, 2019.

The attack occurred on August 10, 2019 and resulted in its servers being infected with ransomware. The attack caused widespread file encryption and prevented medical records from being accessed. The extent of the attack was such that computer systems were permanently damaged making file recovery impossible. The practice had created backups of patient records, but those backups were also encrypted and could not be used to restore patient data.

Ransomware attacks are usually conducted with the sole purpose of extorting money. Files are encrypted and a ransom demand is issued. If the ransom is not paid, files remain permanently encrypted. Payment of the ransom comes with no guarantee that file recovery will be possible and encourages further attacks. For these reasons the FBI recommends ransom payments are never made.

In this case, the practice believes that the sole aim of the attack was to obtain payment and no patient records are believed to have been accessed by the attackers or downloaded from its servers. Nonetheless, affected patients have been advised to exercise caution and monitor their credit reports and explanation of benefits statements for any sign of fraudulent activity. The types of information potentially compromised included names, addresses, dates of birth, health information, and health insurance information.

Wood Ranch Medical’s website now only displays the substitute breach notice, as operations are wound down. “WRM takes the protection of its patients’ information seriously and sincerely apologizes for any inconvenience this incident may cause.” The incident affects 5,835 patients, all of whom have been sent notification letters by mail. Over the next two months, the practice will be working with patients to help them find alternative medical practitioners in the area who will be able to serve their healthcare needs.

This incident highlights the catastrophic consequences of ransomware attacks. In this case the attack has not only forced a practice to close and made staff unemployed, it has also caused considerable disruption for patients and the permanent loss of their health records.

This is not the first practice that has been forced to shut down as a result of a ransomware attack and it is unlikely to be the last. Earlier this year, Brookside ENT and Hearing Center in Battle Creek, MI similarly experienced a ransomware attack that permanently encrypted patient records. Its owners took the decision to close the business and take early retirement rather than rebuild the practice from scratch.

The post Wood Ranch Medical Announces Permanent Closure Due to Ransomware Attack appeared first on HIPAA Journal.

Senator Demands Answers Over Exposure of Medical Images in Unsecured PACS

Posted by HIPAA Journal

Sen. Mark Warner (D-Virginia) has written to TridentUSA demanding answers about a breach of sensitive medical images at one of its affiliates, MobileXUSA.

Sen. Warner is the co-founder of the Senate Cybersecurity Caucus, which was set up as bipartisan educational resource to help the Senate engage more effectively on cybersecurity policy issues. As part of the SCC’s efforts to improve cybersecurity in healthcare, in June Sen. Warner asked NIST to develop a secure file sharing framework and wrote to healthcare stakeholder groups in February requesting they share best practices and the methods they used to reduce cybersecurity risk and improve healthcare data security.

The latest letter was sent a few days after ProPublica published a report of an investigation into unsecured Picture Archiving and Communications Systems (PACS). PACS are used by hospitals and other healthcare organizations for viewing, storing, processing, and transmitting medical images such as MRIs, CT scans, and X-Rays. The report revealed more than 303 medical images of approximately 5 million Americans had been left exposed on the Internet due to PACS security failures. Those medical images were stored on 187 U.S. servers, including those used by MobileXUSA.

In the letter, Sen. Warner said “It appears that the information held by MobileXUSA was made accessible due to sloppy cybersecurity practices – no software vulnerabilities were involved, and no explicit hacking was required [to access the images].”

Sen. Warner said HIPAA requires security controls to be applied to keep sensitive data protected, including medial images stored in PACS, and that both TridentUSA and MobileXUSA have a duty under HIPAA to ensure their PACS are not publicly accessible and that proper controls are applied to prevent unauthorized access and data theft.

By October 9, 2019, Sen. Warner requires answers to questions about the cybersecurity practices at both companies to determine how medical images in the PACS were exposed and why the lack of security protections was not detected internally.

Specifically, Sen Warner wants to know about the audit and monitoring tools employed to analyze its HIPAA-mandated audit trails, whether systems that access the PACS and DICOM images comply with current standards and use access management controls, what identify and access management controls are applied for IP-addresses and port filters, if a VPN or SSL is required to communicate with the PACS, the frequency of vulnerability scans and internal HIPAA compliance audits, what server encryption processes are in use, and whether the companies have an internal security team or if security is outsourced.

PACS and the DICOM image format have been designed to facilitate the sharing of medical images within an organization and with authorized third parties, but it is the responsibility of each organization to ensure that those systems are secured to protect patient privacy.

Healthcare organizations can face many challenges securing their PACS without negatively impacting workflows. To help healthcare organizations secure their systems, NCCoE has recently released new NIST guidance for healthcare providers to help them secure the PACS ecosystem.

The post Senator Demands Answers Over Exposure of Medical Images in Unsecured PACS appeared first on HIPAA Journal.

Ransomware Attacks Reported by People’s Injury Network Northwest and Berry Family Services

Posted by HIPAA Journal

Kent, WA-based People’s Injury Network Northwest (PINN), a physical rehabilitation company for industrial rehabilitation patients, has experienced a ransomware attack in which patient information may have been accessed by the attackers.

The attack occurred on April 22, 2019 and saw three servers infected with ransomware. The attack was discovered the following day and the servers were taken offline. The decision was taken not to pay the ransom demand and encrypted files were restored from backups. PINN reports that it was possible to recover most of the data on the servers.

A computer forensics firm was retained to conduct an investigation to determine whether the attackers gained access to or stole information on the servers. No evidence of unauthorized data access or data theft were discovered; however, it was not possible to rule out to possibility of unauthorized data access or exfiltration. Consequently, the decision was taken to notify patients whose personal and protected health information was potentially compromised.

Affected individuals had received services from PINN up to and including April 22, 2019. The types of information potentially compromised included names, addresses, dates of birth, driver’s license numbers, and diagnosis information.

Affected individuals have been offered one year’s complimentary subscription to credit monitoring and identity theft protection services through ID Experts. According to PINN’s substitute breach notification letter, 12,502 Washington residents were potentially affected by the attack. Notification letters were sent on September 12, 2019.

Berry Family Services Ransomware Attack

Rowlett, TX-based Berry Family Services, a provider of services to the disabled and their families, experienced a ransomware attack on July 10, 2019 that locked its computer systems and encrypted customer information.

The decision was taken to pay the ransom to recover customer information in order to continue to support the Dallas and Rockwell Counties’ Home and Community-Based Services and Texas Home Living programs. The amount of the ransom has not been publicly disclosed.

The purpose of the attack is believed to have been to extort money rather than steal sensitive information, but the possibility of unauthorized data access and exfiltration could not be ruled out. The information potentially accessed was limited to customers’ names, addresses, dates of birth, Social Security numbers, medical insurance information, and related health information.

The breach report submitted to the HHS’ Office for Civil Rights indicates 1,751 patients have potentially been affected by the ransomware attack. Out of an abundance of caution, affected individuals have been offered one year of credit monitoring and identity theft protection services through Kroll at no cost.  Steps have already been taken to improve defenses against ransomware attacks to prevent similar breaches from occurring in the future.

The post Ransomware Attacks Reported by People’s Injury Network Northwest and Berry Family Services appeared first on HIPAA Journal.

Study Reveals Types of Protected Health Information Most Commonly Exposed in Healthcare Data Breaches

Posted by HIPAA Journal

Researchers from Michigan State University and Johns Hopkins University have conducted a study of healthcare data breaches over the past 10 years to examine what types of information are most commonly exposed in healthcare data breaches.

The study, published in the journal Annals of Internal Medicine on Monday September 23, 2019, confirms that the health information of approximately 169 million Americans was exposed, compromised, or impermissibly disclosed in 1,461 data breaches at 1,388 entities between October 2009 and July 2019. Those breaches each impacted 500 or more individuals and were reportable incidents under HIPAA and the HITECH Act.

The researchers explain that information about the types of information exposed in data breaches is not widely available to the public, since it is not a requirement to share the types of data that have been compromised in the breaches. It is therefore difficult for researchers to classify the amount and types of healthcare information exposed and gain an accurate picture of the consequences of the breaches.

“When the media reports data breaches that occurred to healthcare providers, the headline is always the number of patients affected,” explained John (Xuefeng) Jiang, MSU professor of accounting and information systems at MSU and lead author of the study. “We felt both the regulators and the public didn’t pay enough attention to the type of information compromised in the healthcare data breach.”

Types of Data Exposed in Healthcare Data Breaches

For the study, the researchers categorized healthcare data into three main groups: Demographic information (Names, email addresses, personal identifiers etc.); service and financial information (Payments, payment dates, billing amounts etc.); and Medical information (Diagnosis, treatments, medications etc.)

Social Security numbers, drivers license numbers, payment card information, bank account information, insurance information, and birth dates added to a subcategory of sensitive demographic information. This information could be used by criminals for identity theft, medical identity theft, tax and financial fraud. A subcategory of medical information was also used for particularly sensitive health data such as substance abuse records, HIV status, sexually transmitted diseases, mental health information, and cancer diagnoses, due to the potential implications for patients should that information be exposed or compromised.

Key Findings of the Study

  • 71% of breaches involved either sensitive demographic information or sensitive financial information, which placed 159 million individuals at risk of identity theft or financial fraud
  • 66% of breaches involved sensitive demographic information such as Social Security numbers
  • 65% of the breaches exposed general medical or clinical information
  • 35% of breaches compromised service or financial information
  • 16% of breaches only exposed medical or clinical information without exposing sensitive demographic or financial information
  • 76% of breaches included sensitive service and financial information such as credit card numbers – Those breaches affected 49 million individuals
  • 2% of breaches compromised sensitive health information – Those breaches affected 2.4 million individuals

Jiang believes hackers are not targeting healthcare organizations to gain access to patients’ sensitive medical information, instead healthcare organizations are attacked, and hackers take whatever data they can find in the hope that the information can be monetized. Jiang suggests hospitals and research institutions should store medical information separately from demographic information. Medical information could then be shared between healthcare providers and researchers without greatly increasing risks for patients. A separate system could be used for demographic, financial and billing information, which is needed by hospital administration staff.

The researchers advocate greater focus on the types of information exposed or compromised in healthcare data breaches to help breach victims manage risk more effectively. They suggest the Department of Health and Human Services should formally collect and publish information about the types of data that have been exposed in data breaches to help the public assess the potential for harm. The researchers plan to work closely with lawmakers and the healthcare industry to provide practical guidance and advice based on the results of their academic studies.

Data Breach Notifications Under HIPAA

The HIPAA Breach Notification Rule requires all patients affected by a reportable healthcare data breach to be notified within 60 days of discovery of the breach. Affected individuals must be told what types of information have been exposed or compromised as that information allows breach victims to make a determination about the risk they face so they can make a decision about any actions they need to take to reduce the risk of harm.

OCR explains in its online guidance on breach notification requirements of HIPAA, “These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include, to the extent possible, a brief description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the covered entity (or business associate, as applicable).”

Publicly Available HIPAA Breach Information

The HHS’ Office for Civil Rights, as required by the HITECH Act, has been publishing summaries of data breaches of 500 or more healthcare records on the HHS website since October 2009. The breach portal, which can be accessed by the public, contains basic information about the breaches.

The breach portal details the name of the breached entity, state, type of covered entity, individuals affected, breach submission date, type of breach, location of breached information, and whether there was business associate involvement. This information can also be downloaded for breaches that are under investigation by OCR and for incidents that have been archived following the closure of the OCR investigation.

When a data breach is archived, further information is added to the breach summary in a “web description” field. The web summary is not available for breaches still under investigation, but the information is included for archived breaches. The web summary is only viewable in the downloaded breach reports.

In many cases, the web description includes details of the types of information that were exposed in the breach, but not in all cases. Formalizing this requirement would ensure that all breaches detailed on the portal would have that information included. The web description field also includes information on any actions taken by OCR in response to the breach that led to the resolution and closure of the investigation.

The post Study Reveals Types of Protected Health Information Most Commonly Exposed in Healthcare Data Breaches appeared first on HIPAA Journal.

August 2019 Healthcare Data Breach Report

Posted by HIPAA Journal

In August, healthcare data breaches continued to be reported at a rate of more than 1.5 per day, which is around twice the average monthly breaches in 2018 (29.5 per month). This is the second successive month when breaches have been reported at such an elevated level. While the number of breaches has not changed much since last month (49 compared to 50), there has been a substantial reduction in the number of exposed records.

 

August saw 729,975 healthcare records breached compared to 25,375,729 records in July, 3,452,442 records in June, and 1,988,376 records in May. The exceptionally high breach total for July was mostly due to the massive data breach at American Medical Collection Agency (See below for an update on the AMCA breach total).

Breached Healthcare Records by Year

Causes of August 2019 Healthcare Data Breaches

Hacking and other IT incidents dominated the breach reports in August. 32 breaches were attributed to hacking/IT incidents, which is almost double the number of breaches from all other causes. Hacking/IT incidents breached 602,663 healthcare records – 82.56% of all records breached in August. The average breach size was 18,833 records and the median breach size was 5,248 records.

There were 12 unauthorized access/disclosure incidents reported in August which breached 77,316 healthcare records. Those incidents breached an average of 6,443 records and the mean breach size was 1,281 records.  There were 3 loss incidents and 2 theft incidents. The theft incidents saw 17,650 records potentially compromised and 32,346 records were exposed due to the loss of paperwork or electronic devices. The mean loss breach size was 10,782 records and the mean theft breach size was 8,825 records.

Causes of August 2019 Healthcare Data Breaches

Location of Breached PHI

Phishing continues to pose serious problems for healthcare organizations. Out of the 49 reported breaches, 46.94% – 23 breaches – involved PHI stored in email accounts. The majority of those email breaches were due to phishing attacks.

There were 9 breaches reported that involved PHI stored on network servers, several of which involved ransomware. There were 7 breaches involving paper records/films, highlighting the need for enhanced physical security and administrative controls.

Four breaches involved portable electronic devices such as zip drives and laptop computers. These types of breaches have reduced considerably in recent years largely through the use of encryption, which should be implemented on all portable electronic devices used to store ePHI.

Location of Breached PHI in August 2019 Healthcare Data Breaches

Defending against phishing attacks is a major challenge, and one that can only be solved through layered defenses and staff training. Technological solutions such as spam filters, web filters, firewall rules, multi-factor authentication, and DMARC should be implemented to block phishing attempts, but the sophisticated nature of many phishing campaigns means even layered defenses may be bypassed. End user training is therefore essential. Employees must be trained how to recognize email threats and conditioned how to respond when suspicious emails land in their inboxes.

An annual training session may have been sufficient to provide protection a few years ago, but the increased number of attacks and diverse nature of email threats means a single annual training session is no longer enough. Annual classroom-based training sessions should be augmented with more regular refresher training sessions, cybersecurity bulletins, and email alerts about new threats to watch out for. Phishing simulation exercises are also very beneficial for helping identify individuals who require further training and to find out how effective training has been at reducing susceptibility to phishing attacks.

Largest Healthcare Data Breaches in August 2019

Listed below are the top ten healthcare data breaches reported in August 2019. The largest breach of the month was a phishing attack on Presbyterian Healthcare Services, which saw 183,370 healthcare records breached. The Conway Regional Health System, NorthStar Anesthesia, and Source 1 Healthcare Solutions breaches were also due to phishing attacks.

The Wisconsin Diagnostic Laboratories breach, which affected 114,985 individuals, the 33,370-record breach at Mount Sinai Hospital, and the 29,644-record breach at Integrated Regional Laboratories were all due to the hacking of business associate AMCA.

The breach at Grays Harbor Community Hospital was due to a ransomware attack and the Renown Health breach was due to the loss of a portable storage device. The cause of the breach at Timothee T. Wilkin, D.O. has not been confirmed.

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach
Presbyterian Healthcare Services Healthcare Provider 183370 Hacking/IT Incident
Wisconsin Diagnostic Laboratories Healthcare Provider 114985 Hacking/IT Incident
Grays Harbor Community Hospital Healthcare Provider 88399 Hacking/IT Incident
Conway Regional Health System Healthcare Provider 37000 Unauthorized Access/Disclosure
Mount Sinai Hospital Healthcare Provider 33730 Hacking/IT Incident
Integrated Regional Laboratories, LLC Healthcare Provider 29644 Hacking/IT Incident
Renown Health Healthcare Provider 27004 Loss
NorthStar Anesthesia, P.A. Healthcare Provider 19807 Unauthorized Access/Disclosure
Source 1 Healthcare Solutions LLC Business Associate 15450 Hacking/IT Incident
Timothee T. Wilkin, D.O. Healthcare Provider 15113 Hacking/IT Incident

 

August 2019 Healthcare Data Breaches by Covered Entity Type

42 of the month’s 49 data breaches were reported by healthcare providers and three incidents were reported by health plans. Business associates reported 4 breaches and a further 8 incidents had some business associate involvement.

August 2019 Healthcare Data Breaches by Covered Entity Type

August 2019 Healthcare Data Breaches by State

August’s healthcare data breaches affected entities based in 26 states. Texas was the worst affected with 5 reported breaches. 4 breaches were reported by entities based in Washington state, and three breaches were suffered by entities based in Arkansas, New York, and Pennsylvania.

California, Georgia, Illinois, Massachusetts, Minnesota, Missouri, New Mexico, Ohio, Oregon, and Wisconsin each experienced 2 breaches and one breach was reported by an entity based in each of Connecticut, Florida, Iowa, Kansas, Michigan, Nevada, New Jersey, Oklahoma, Rhode Island, Tennessee, and Virginia.

HIPAA Enforcement Activity in August 2019

There were no civil monetary penalties or settlements between the HHS and HIPAA-covered entities/business associates in August, and also no HIPAA-related enforcement activities by state attorneys general.

AMCA Data Breach Update

The AMCA data breach affected at least 24 healthcare organizations, 23 of which have now submitted breach reports to the Department of Health and Human Service’ Office for Civil Rights. The confirmed breach total currently stands at 26,043,743 records with a further 16,100 records expected to be added to that total.  These breaches were mostly reported to OCR in July and August.

Healthcare Organization Confirmed Victim Count
1 Quest Diagnostics/Optum360 11,500,000
2 LabCorp 10,251,784
3 Clinical Pathology Associates 1,733,836
4 Carecentrix 467,621
5      Laboratories/Opko Health 425,749
6 American Esoteric Laboratories 409,789
7 Sunrise Medical Laboratories 401,901
8 Inform Diagnostics 173,617
9 CBLPath Inc. 141,956
10 Laboratory Medicine Consultants 140,590
11 Wisconsin Diagnostic Laboratories 114,985
12 CompuNet Clinical Laboratories 111,555
13 Austin Pathology Associates 43,676
14 Mount Sinai Hospital 33,730
15 Integrated Regional Laboratories 29,644
16 Penobscot Community Health Center 13,299
17 Pathology Solutions 13,270
18 West Hills Hospital and Medical Center / United WestLabs 10,650
19 Seacoast Pathology, Inc 8,992
20 Arizona Dermatopathology 5,903
21 Laboratory of Dermatology ADX, LLC 4,082
22 Western Pathology Consultants 4,079
23 Natera 3,035
24 South Texas Dermatopathology LLC TBC (Est. 16,100)
Total Records Breached 26,043,743

The post August 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.

Campbell County Health Ransomware Attack Causing Major Disruption to Patient Services

Posted by HIPAA Journal

Campbell County Health in Gillette, WY, has experienced a ransomware attack that has disabled hospital systems and is preventing access to patient information. The attack started in the early hours of Friday September 20, 2019 according to the Department of Health.

An investigation into the attack has been launched and efforts are continuing to remove the ransomware, restore encrypted files, and bring systems back online; however, at the time of writing, Campbell County Health is continuing to experience major disruption to medical services.

Campbell County Health reports that all of its systems have been affected. At this stage, no evidence has been uncovered to suggest patient information has been subjected to unauthorized access or misused.

The Emergency Department, Maternal Child (OB) department, and the Walk-In Clinic remain open and staff are on hand to triage and treat patients. Transfers to alternate facilities will be arranged, if appropriate, and the County’s Emergency Medical Services (EMS) has additional ambulances to meet demand. Patients already receiving care are being looked after and individuals who receive a higher level of care will be transferred to other facilities.

The cyberattack has been reported all appropriate authorities, including the Wyoming Office of Homeland Security. At this stage it is unclear how the ransomware was installed, whether file recovery is possible, or if the ransom demand will be paid.

Campbell County Health is not able to provide an ETA when all services will return to normal. The telephone system has now been brought back online and regular updates on the attack and the status of patient services are being posted on the Campbell County Health website.

The attack is the latest in a string of ransomware attacks on healthcare facilities, cities, municipalities and government agencies.

The post Campbell County Health Ransomware Attack Causing Major Disruption to Patient Services appeared first on HIPAA Journal.

Campbell County Health Ransomware Attack Causing Major Disruption to Patient Services

Posted by HIPAA Journal

Campbell County Health in Gillette, WY, has experienced a ransomware attack that has disabled hospital systems and is preventing access to patient information. The attack started in the early hours of Friday September 20, 2019 according to the Department of Health.

An investigation into the attack has been launched and efforts are continuing to remove the ransomware, restore encrypted files, and bring systems back online; however, at the time of writing, Campbell County Health is continuing to experience major disruption to medical services.

Campbell County Health reports that all of its systems have been affected. At this stage, no evidence has been uncovered to suggest patient information has been subjected to unauthorized access or misused.

The Emergency Department, Maternal Child (OB) department, and the Walk-In Clinic remain open and staff are on hand to triage and treat patients. Transfers to alternate facilities will be arranged, if appropriate, and the County’s Emergency Medical Services (EMS) has additional ambulances to meet demand. Patients already receiving care are being looked after and individuals who receive a higher level of care will be transferred to other facilities.

The cyberattack has been reported all appropriate authorities, including the Wyoming Office of Homeland Security. At this stage it is unclear how the ransomware was installed, whether file recovery is possible, or if the ransom demand will be paid.

Campbell County Health is not able to provide an ETA when all services will return to normal. The telephone system has now been brought back online and regular updates on the attack and the status of patient services are being posted on the Campbell County Health website.

The attack is the latest in a string of ransomware attacks on healthcare facilities, cities, municipalities and government agencies.

The post Campbell County Health Ransomware Attack Causing Major Disruption to Patient Services appeared first on HIPAA Journal.

Magellan Health Discovers Two Unrelated Phishing Attacks Exposed the Data of 56,226 Presbyterian Health Plan Members

Posted by HIPAA Journal

The Scottsville, AZ-based managed care company, Magellan Health, has discovered two of its subsidiaries have experienced phishing attacks that exposed the protected health information of members of Albuquerque, NM-based Presbyterian Health Plan.

The phishing attacks were experienced by National Imaging Associates and Magellan Healthcare, which both provide services to Presbyterian Health Plan. Both incidents were reported to the Department of Health and Human Services’ Office for Civil Rights on September 17, 2019.

The National Imaging Associates incident was discovered on July 5 and affected 589 individuals and the Magellan Healthcare breach was discovered on July 12 and affected 55,637 individuals. Both incidents occurred within a few days but they are not believed to be related.

The email accounts of two employees were breached on May 28 and June 6, 2019. Both of those individuals handled data related to members of the health plan. The investigation determined the aim of the attack was to compromise email accounts to use them to distribute spam email. No evidence was uncovered to suggest emails in the accounts were accessed by the attackers and neither have any reports been received to suggest there has been any misuse of plan members’ data.

Affected individuals had some or all of the following information exposed: Member’s name, date of birth, member ID number, provider name, health benefit authorization information, date(s) of service, and billing codes. A limited number of plan members also have their Social Security number exposed. Complimentary credit monitoring and identity theft protection services have been offered to individuals whose Social Security number was exposed.

As a result of the attacks, Magellan Health’s information security team has implemented additional authentication measures and email security has been bolstered. The employee security awareness training program has also been enhanced.

It has been a bad few months for Presbyterian Health Plan members. The health plan was also affected by another targeted phishing attack which affected 183,400 plan members. That incident was reported to OCR in August. The investigation of that attack suggests the attackers were trying to obtain sensitive information.

The post Magellan Health Discovers Two Unrelated Phishing Attacks Exposed the Data of 56,226 Presbyterian Health Plan Members appeared first on HIPAA Journal.