HIPAA Breach News

Campbell County Health Ransomware Attack Causing Major Disruption to Patient Services

Campbell County Health in Gillette, WY, has experienced a ransomware attack that has disabled hospital systems and is preventing access to patient information. The attack started in the early hours of Friday, September 20, 2019, according to the Department of Health.

An investigation into the attack has been launched and efforts are continuing to remove the ransomware, restore encrypted files, and bring systems back online; however, at the time of writing, Campbell County Health is continuing to experience major disruption to medical services.

Campbell County Health reports that all of its systems have been affected. At this stage, no evidence has been uncovered to suggest patient information has been subjected to unauthorized access or misused.

The Emergency Department, Maternal Child (OB) department, and the Walk-In Clinic remain open and staff are on hand to triage and treat patients. Transfers to alternate facilities will be arranged, if appropriate, and the County’s Emergency Medical Services (EMS) has additional ambulances to meet demand. Patients already receiving care are being looked after, and individuals who require a higher level of care will be transferred to other facilities.

The cyberattack has been reported to all appropriate authorities, including the Wyoming Office of Homeland Security. At this stage it is unclear how the ransomware was installed, whether file recovery is possible, or if the ransom demand will be paid.

Campbell County Health is not able to provide an ETA for when all services will return to normal. The telephone system has now been brought back online, and regular updates on the attack and the status of patient services are being posted on the Campbell County Health website.

The attack is the latest in a string of ransomware attacks on healthcare facilities, cities, municipalities and government agencies.

The post Campbell County Health Ransomware Attack Causing Major Disruption to Patient Services appeared first on HIPAA Journal.

Magellan Health Discovers Two Unrelated Phishing Attacks Exposed the Data of 56,226 Presbyterian Health Plan Members

The Scottsdale, AZ-based managed care company, Magellan Health, has discovered that two of its subsidiaries have experienced phishing attacks that exposed the protected health information of members of Albuquerque, NM-based Presbyterian Health Plan.

The phishing attacks were experienced by National Imaging Associates and Magellan Healthcare, which both provide services to Presbyterian Health Plan. Both incidents were reported to the Department of Health and Human Services’ Office for Civil Rights on September 17, 2019.

The National Imaging Associates incident was discovered on July 5 and affected 589 individuals; the Magellan Healthcare breach was discovered on July 12 and affected 55,637 individuals. Both incidents occurred within a few days of each other, but they are not believed to be related.

The email accounts of two employees were breached on May 28 and June 6, 2019. Both of those individuals handled data related to members of the health plan. The investigation determined that the aim of the attack was to compromise email accounts in order to use them to distribute spam email. No evidence was uncovered to suggest emails in the accounts were accessed by the attackers, nor have any reports been received to suggest there has been any misuse of plan members’ data.

Affected individuals had some or all of the following information exposed: member’s name, date of birth, member ID number, provider name, health benefit authorization information, date(s) of service, and billing codes. A limited number of plan members also had their Social Security number exposed. Complimentary credit monitoring and identity theft protection services have been offered to individuals whose Social Security number was exposed.

As a result of the attacks, Magellan Health’s information security team has implemented additional authentication measures and email security has been bolstered. The employee security awareness training program has also been enhanced.

It has been a bad few months for Presbyterian Health Plan members. The health plan was also affected by another targeted phishing attack which affected 183,400 plan members. That incident was reported to OCR in August. The investigation of that attack suggests the attackers were trying to obtain sensitive information.


Ramsey County Expands 2018 Phishing Attack Victim Count from 599 to 117,905

Ramsey County has discovered an August 2018 phishing attack has impacted far more individuals than initially thought. The victim count has been increased from 599 to 117,905.

The initial breach report stated the email accounts of 26 employees were compromised in a phishing attack on or around August 9. The attack was identified promptly and the affected accounts were secured. The individuals responsible conducted the attack in order to re-route employees’ paychecks.

The initial investigation, conducted with assistance from a data security firm, concluded on October 12, 2018 that the attackers would have been able to access sensitive information contained in the compromised accounts. The accounts were discovered to contain clients’ names, addresses, dates of birth, Social Security numbers, and limited medical information.

Ramsey County reported the breach to the HHS’ Office for Civil Rights on December 11, 2018 and notified affected clients. The initial breach report indicated 599 clients had been affected. Nine months on, Ramsey County has announced that 117,905 individuals have had their personal and health data exposed.

On or around May 21, 2019, County officials learned that the email accounts of two of the 26 employees contained ‘limited amounts’ of health information related to services provided to the Minnesota Department of Human Services under the Child & Teen Checkups program and the support provided to the St. Paul-Ramsey County Public Health Department.

The information contained in those accounts includes names, addresses, dates of birth, patient identifiers, appointment dates, appointment types, patient master index numbers, household identification numbers, and the names of patients’ representatives. Social Security numbers, diagnoses, treatment and prescription information were not exposed. No evidence of data theft was uncovered, and no reports have been received indicating there has been any misuse of patient information.

Ramsey County had issued an update about the breach on July 1, 2019 stating a further 4,638 individuals had been affected and 3,272 additional notifications were sent. Ramsey County has said that in total, 116,255 breach notification letters have now been sent.

Under HIPAA, covered entities are required to notify OCR of a breach within 60 days of discovery. If the number of affected individuals is not known at the time, a provisional total can be provided. The breach report can then be updated when further information becomes available.

Breach investigations can take several months to complete, as the full extent of a cyberattack may not initially be apparent. In this case, the investigation was complicated because several of the employees whose email accounts were compromised provided services to multiple departments within the County. Ramsey County said that made it difficult to fully evaluate all the information in the compromised accounts.


Shore Specialty Consultants Pulmonology Group Breach Impacts 9,700 Patients

New Jersey-based Shore Specialty Consultants Pulmonology Group (SSCPG) is notifying 9,700 patients that some of their protected health information (PHI) has potentially been subjected to unauthorized access as a result of a recent security breach.

On July 8, 2019, SSCPG discovered that a hacker had gained access to a network server containing patient information. The breach was detected within a day and the server was secured. A forensic investigation of the breach did not uncover any evidence to suggest patient information was accessed or stolen, but the possibility could not be ruled out.

The compromised server contained the PHI of patients who had previously participated in sleep studies at SSCPG. Highly sensitive information such as Social Security numbers, health insurance information, and financial information was not exposed. The breach was limited to patients’ names, dates of birth, details of the care received at SSCPG, and some information relating to the sleep study.

The breach prompted SSCPG to conduct a review of its policies and procedures and additional security measures are being implemented. Employees have also been provided with further training.

Little Rock Plastic Surgery Notifies Patients of Internal HIPAA Breach

Little Rock Plastic Surgery (LRPS) in Arkansas has discovered a former nurse downloaded and stole the PHI of several patients.

LRPS discovered the HIPAA breach on July 15, 2019. The investigation revealed the former employee accessed the clinic’s vendor accounts without authorization in order to obtain patient information related to treatments and appointment dates. Reports, photos, and other files containing PHI were downloaded and removed from LRPS by the nurse.

LRPS has taken steps to ensure the stolen information is returned or permanently destroyed. The incident has also been reported to the Department of Health and Human Services’ Office for Civil Rights, the Arkansas Attorney General’s office, and the Arkansas Board of Nursing. Affected patients have been notified by mail.

Fedcap Breach Impacts 2,158 Patients

Fedcap Rehabilitation, a New York-based provider of vocational training and employment resources, is alerting 2,158 current and former clients about a recent security breach.

Fedcap officials launched an investigation following the discovery of a fraudulent wire transfer. On May 28, 2019, Fedcap officials confirmed that an unauthorized individual gained access to the email accounts of seven employees.

The breach investigation revealed the accounts were compromised between September 20, 2018 and January 27, 2019. While the aim of the attack was to steal money from Fedcap, it is possible that the attacker gained access to sensitive client information in the compromised email accounts.

An analysis of the compromised accounts has now been completed. Affected patients were notified on August 29, 2019 that the following types of information were potentially accessed/stolen: Names, birth dates, Social Security numbers, passport numbers, driver’s license numbers, account/routing numbers, payment card information, diagnoses, medications, treatment information, medical histories, healthcare provider names, service dates, health insurance information, and group numbers.

To date, Fedcap has not received any reports to suggest any client information has been misused. The breach prompted Fedcap to implement multi-factor authentication on all email accounts and additional procedures have been implemented to strengthen its security processes.

Affected clients have been advised to review their financial accounts, insurance, and explanation of benefits statements for fraudulent activity.


Phishing Incidents Reported by Fraser and East Central Indiana School Trust

East Central Indiana School Trust (ECIST) has started notifying more than 3,200 individuals that some of their protected health information (PHI) has been exposed as a result of a recent phishing attack.

On May 19, 2019, an employee was fooled into disclosing email account credentials which were used by the attacker to gain access to that individual’s email account. The breach was detected on May 22, 2019 and the account was secured.

A third-party computer forensics company was retained to investigate the breach and determine whether patient information was compromised or stolen in the attack. The forensics firm did not uncover any evidence to suggest emails in the account were opened or downloaded by the attacker, but the possibility of unauthorized data access and theft could not be ruled out.

The compromised email account contained information such as employees’ and dependents’ names, dates of birth, Social Security numbers, driver’s license numbers, prescription details, health insurance information, and some medical information.

The breach has been reported to the HHS’ Office for Civil Rights as potentially impacting up to 3,259 employees of trust members and their dependents.

PHI Exposed in Fraser Phishing Attack

Fraser, a Minnesota-based provider of autism and early childhood mental health services, experienced a phishing attack on August 6, 2019 involving a single employee’s email account.

The attack was identified promptly and the compromised email account was secured within a few hours. Fraser launched an investigation into the breach and, assisted by its IT vendors, determined that the attacker potentially accessed client information.

The compromised email account contained a Fraser waitlist spreadsheet that detailed clients’ names, internal ID numbers, home cities, ZIP codes, notes about scheduling preferences, and details of the services for which clients were being referred.

Fraser is reviewing and updating its procedures for the internal exchange of client information, and its systems will continue to be monitored closely to ensure that its security controls are working correctly.

The HHS’ Office for Civil Rights breach portal indicates 2,890 individuals have potentially been affected by the breach.


Utah Ransomware Attack Impacts 320,000 Patients

The Utah physician group, Premier Family Medicine, is notifying 320,000 patients that some of their protected health information has potentially been compromised as a result of a recent ransomware attack.

The attack occurred on July 8, 2019 and temporarily prevented access to patient data and certain systems. According to the August 30, 2019 breach notice on its website, the physician group notified law enforcement and engaged the services of technical consultants to investigate the breach and regain access to its systems and patient data. It is unclear whether the ransom demand was paid. The breach affected all ten of its Utah County locations.

“Even though our investigation has found no reason to believe patient information was accessed or taken, we are very concerned that this event even occurred and have taken steps to further enhance the security of our systems,” said Premier Family Medicine chief administrator, Robert Edwards.


OCR Settles First HIPAA Violation Case Under 2019 Right of Access Initiative

Earlier this year, the Department of Health and Human Services’ Office for Civil Rights (OCR) announced that one of the main areas of HIPAA enforcement in 2019 would be HIPAA right of access failures, including untimely responses to access requests and overcharging for copies of medical records.

The HIPAA right of access allows patients to obtain copies of their medical records on request. HIPAA-covered entities are required to honor those requests and provide patients with access to PHI or copies of health data contained in a ‘designated record set’ within 30 days of the request being received. A covered entity is permitted to charge a reasonable, cost-based fee for providing a copy of the individual’s PHI, which can include the cost of certain labor, supplies and postage.

HIPAA-covered entities that fail to provide copies of records in a reasonable time frame or charge excessive amounts for providing a copy of a patient’s PHI are in violation of the HIPAA Privacy Rule – See 45 CFR 164.501. Such violations can attract a sizable financial penalty.

This week, OCR has announced that the first settlement has been reached with a HIPAA-covered entity under the right of access initiative. Bayfront Health St. Petersburg, a 480-bed hospital in St. Petersburg, FL, has agreed to pay OCR $85,000 to settle the case.

OCR launched an investigation into a potential HIPAA violation at Bayfront Health following receipt of a complaint from a patient on August 14, 2018. The patient alleged that she had requested her fetal heart monitor records from Bayfront Health St. Petersburg in October 2017. At the time of the complaint, 9 months after the request was made, she had still not been provided with a full copy of her records.

OCR confirmed that the patient made the request on October 18, 2017 and was informed by Bayfront Health that the records could not be found. Two further requests were sent to Bayfront Health by the patient’s counsel on January 2, 2018 and February 12, 2018. In March 2018, Bayfront Health provided an incomplete set of records and a complete response was only received on August 23, 2018. The patient’s counsel shared the records with the patient, but it took the intervention of OCR for the fetal heart monitor records to be provided to the patient. Those records were provided directly to the patient on February 7, 2019.

OCR determined that the failure to provide access to the patient’s designated record set was a clear violation of 45 C.F.R. § 164.524 and that the HIPAA violation warranted a sizable financial penalty.

“Providing patients with their health information not only lowers costs and leads to better health outcomes, it’s the law,” said OCR Director Roger Severino. “We aim to hold the health care industry accountable for ignoring peoples’ rights to access their medical records and those of their kids.”

In addition to the financial penalty, Bayfront Health has agreed to implement a corrective action plan and will be monitored by OCR for the following 12 months.


Community Psychiatric Clinic and Metro Mobility Data Breaches Impact 30,000 Patients

Community Psychiatric Clinic, a provider of mental health services in Seattle, WA, has experienced three email security breaches that have affected a total of 15,537 patients.

Sound, a Washington provider of mental health and addiction treatment services, has recently announced it is combining its services with those of Community Psychiatric Clinic. The merger is expected to be completed in the fall of 2019.

Currently, limited information is available on the breaches. No press releases appear to have been issued and there is no mention of the breaches on the Sound website. The Department of Health and Human Services’ Office for Civil Rights’ breach portal lists three separate incidents, all reported on August 15, 2019. Those incidents affected 3,030, 6,641, and 5,866 patients.

HIPAA Journal contacted Sound requesting further information on the incident(s), but no response has been received to date.

Further information on the Community Psychiatric Clinic breach will be posted here as and when further information becomes available.

Metro Mobility Email Account Breach Impacts 15,000 Individuals

Metro Mobility, a transport service for people with disabilities in the Twin Cities region, has discovered that the email account of an employee has been subjected to unauthorized access.

The email account breach was discovered on August 14, 2019 and the compromised account was immediately secured. The forensic investigation of the breach revealed the email account was compromised on June 13, 2019.

The compromised email account was discovered to contain the protected health information of approximately 15,000 patients. The breach involved patient names, collection/drop-off addresses, dates and times of rides, and any special instructions provided to Metro Mobility drivers regarding the collections and drop-offs.

The forensic investigation did not uncover any evidence to suggest emails in the account were accessed or copied, but the possibility could not be ruled out. The breach has been reported to the St. Paul Police Department and an investigation into the breach is continuing.

Alive Hospice Breach Notification Breaches Further Patient Information

Tennessee-based Alive Hospice experienced a data breach earlier this year which warranted notifications to affected patients. Those notifications were sent on July 3, 2019; however, a mail merge error caused letters to be sent to incorrect recipients.

The letters did not contain any patient information other than the name of the intended recipient. However, anyone receiving a letter would know that the intended recipient was a patient of Alive Hospice.

Alive Hospice has notified all affected individuals by mail and steps have been taken to prevent similar mailing errors in the future. It is currently unclear how many patients have been affected.


Study Confirms Why Prompt Data Breach Notifications Are So Important

When healthcare organizations experience a data breach, it is understandable that breach victims will be upset and angry. Information is provided to healthcare organizations on the understanding that safeguards have been implemented to keep that information private and confidential.

When patients and health plan members learn that their sensitive, private information has been exposed or stolen, many choose to take their business elsewhere.

According to a new study* by the credit reporting agency Experian, if the breach response is properly managed and the breached entity is transparent and issues notifications promptly, the customer churn rate can be kept to a minimum.

The Health Insurance Portability and Accountability Act’s (HIPAA) Breach Notification Rule requires notifications to be issued to breach victims ‘without unreasonable delay’ and no later than 60 days from the discovery of the breach. However, a majority of patients expect to be notified much more quickly. The study showed 73% of patients/plan members expect to be notified about a breach within 24 hours of the breach being discovered.

Prompt data breach notifications can make a big difference. Patients and plan members are likely to be much more forgiving if they are informed about a data breach promptly. 90% of respondents said they would be somewhat forgiving if they knew that the breached organization had a plan in place for communicating with patients in the event of a data breach, but many organizations are not prepared for the worst.

Previous research conducted by Experian suggests 34% of breach response plans do not include customer notification and only 52% of companies have a data breach crisis or communications plan in place. If the communications team is made aware in advance of notification requirements, the people responsible for the communications are mapped out, and approval processes are planned in advance, it will allow notifications to be issued much more quickly.

While very fast breach notifications are expected, in practice it is often not possible to issue notifications in such a short time frame. A phishing attack that results in an email account being subjected to unauthorized access requires every email in that account to be checked for PHI. It is not always possible to automate that search effectively, and manual checks are often required. It is therefore important to start investigations promptly, yet 84% of businesses did not include forensic analysis in their breach response plans, which can lead to delays in issuing notifications.

Slow and ineffective communication is likely to add insult to injury following a data breach. 66% of respondents said slow breach notification and poor communication would likely see them stop doing business with the breached entity, and 45% of respondents would not only seek an alternative service provider, they would also instruct their friends and family members to do the same.

*Data for the report came from an Experian survey of 1,000 adults in the United States by consultancy firm KRC Research in July 2019.
