HIPAA Breach News

June 2019 Healthcare Data Breach Report

For the past two months, healthcare data breaches have been reported at a rate of 1.5 per day, well above the typical rate of one per day. In June, breaches returned to more normal levels, with 30 breaches of more than 500 healthcare records reported in June, 31.8% fewer than in May 2019.


While the number of reported data breaches fell, June saw a 73.6% increase in the number of health records exposed in data breaches. 3,452,442 healthcare records were exposed in the 30 healthcare data breaches reported in June.

Largest Healthcare Data Breaches in June 2019

The increase in exposed records is due to a major breach at the dental health plan provider Dominion Dental Services (Dominion National Insurance Company). Dominion discovered an unauthorized individual had access to its systems and patient data for 9 years. During that time, the protected health information of 2,964,778 individuals may have been stolen. That makes it the largest healthcare data breach to be reported to the Office for Civil Rights so far in 2019 – at least for a month, until the entities affected by the breach at American Medical Collection Agency report the breach.

Nine of the ten largest healthcare data breaches in June were hacking/IT incidents, and the top six breaches involved network servers. Three email security breaches and one improper disposal incident round out the top ten.

| Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached Information |
|---|---|---|---|---|
| Dominion Dental Services, Inc., Dominion National Insurance Company, and Dominion Dental Services USA, Inc. | Health Plan | 2,964,778 | Hacking/IT Incident | Network Server |
| Inform Diagnostics, Inc. | Healthcare Provider | 173,617 | Hacking/IT Incident | Network Server |
| EyeCare Partners, LLC [on behalf of affiliated covered entities] | Healthcare Provider | 141,165 | Hacking/IT Incident | Network Server |
| TenX Systems, LLC d/b/a ResiDex Software | Business Associate | 90,000 | Hacking/IT Incident | Network Server |
| Shingle Springs Health and Wellness Center | Healthcare Provider | 21,513 | Hacking/IT Incident | Network Server |
| Desert Healthcare Services, LLC | Healthcare Provider | 8,000 | Hacking/IT Incident | Network Server |
| Summa Health | Healthcare Provider | 7,989 | Hacking/IT Incident | Email |
| Community Physicians Group | Healthcare Provider | 5,400 | Hacking/IT Incident | Email |
| Community Healthlink | Healthcare Provider | 4,598 | Hacking/IT Incident | Email |
| Adventist Health Physician Services | Healthcare Provider | 3,797 | Improper Disposal | Paper/Films |

The Year So Far

As you can see in the graph below, 2019 is shaping up to be a bad year for healthcare data breaches. In the first 6 months of 2019, the records of 9,652,575 Americans were exposed, impermissibly disclosed, or stolen. That is already almost double the records exposed in 2017 and last year’s total will soon be exceeded. The data breach at American Medical Collection Agency has yet to appear in the figures below. That breach alone will raise the 2019 total to almost 35 million healthcare records. That’s more healthcare records than were breached in 2016, 2017, and 2018 combined.

Causes of June 2019 Healthcare Data Breaches

There was a fairly even split between hacking/IT incidents and unauthorized access/disclosure incidents in June, which accounted for 83% of all breaches reported. There were 12 unauthorized access/disclosure incidents reported in June, but they typically involved small numbers of records. Unauthorized access/disclosure incidents impacted 18,165 patients. The mean breach size was 1,813 records and the median breach size was 1,502 records.

There were 13 hacking/IT incidents reported in June. While these breaches only accounted for 43% of all incidents reported in June, 3,424,422 healthcare records were compromised in those breaches – 99.19% of all records breached in June. The mean breach size was 263,417 records and the median breach size was 7,995 records.

There were three theft incidents reported involving 3,424 records. The mean breach size was 1,141 records and the median breach size was 1,282 records. One loss incident was reported that impacted 2,634 patients and one improper disposal incident exposed the PHI of 3,797 patients.

Location of Breached Protected Health Information

Phishing attacks are continuing to cause problems for healthcare providers, but so too is ransomware. There was a sharp increase in ransomware attacks in Q1 and the trend continued in Q2. Ransomware may have fallen out of favor with cybercriminals in 2018, but it appears to be back in vogue in 2019. Email is usually the most common location of breached PHI, but there was a fairly even split between network server and email incidents in June. The rise in ransomware and malware attacks in June accounts for the increase in network server incidents.


June 2019 Healthcare Data Breaches by Covered Entity Type

Healthcare providers reported 24 data breaches in June; one breach was reported by a health plan and one by a healthcare clearinghouse. While only one data breach was reported by a business associate, a further 7 data breaches had some business associate involvement.


June 2019 Healthcare Data Breaches by State

June’s 30 healthcare data breaches affected covered entities in 20 states. Arizona and California were the worst affected with three reported breaches. Florida, Massachusetts, Maryland, Minnesota, Missouri, and Ohio each experienced two breaches, and one breach was reported in each of Arkansas, Iowa, Illinois, Indiana, Kentucky, Michigan, Nevada, Pennsylvania, Texas, Virginia, Vermont, and Wyoming.

HIPAA Enforcement Actions in June 2019

One HIPAA enforcement action came to a conclusion in June. Premera Blue Cross agreed to settle a multi-state lawsuit over its 10.4-million-record data breach in 2017.

Premera Blue Cross is one of the nation's largest health insurers. In early 2018, Premera discovered hackers had gained access to its network by exploiting an unpatched software vulnerability. The investigation into the breach revealed there had been basic security failures. The case, led by Washington State Attorney General Bob Ferguson, was settled for $10,000,000.

Alabama, Alaska, Arizona, Arkansas, California, Connecticut, Florida, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, Nevada, New Jersey, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Rhode Island, Utah, Vermont and Washington all participated in the lawsuit.

The Department of Health and Human Services’ Office for Civil Rights did not issue any financial penalties for HIPAA violations in June.

The post June 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.

15,000 Patient Records Exposed in Phishing Attack on HIPAA Business Associate

Northwood Inc., a Madison Heights, MI-based HIPAA business associate, has announced that a hacker has gained access to the email account of one of its employees and potentially viewed or obtained sensitive patient information.

The breach was discovered on May 6, 2019 while investigating suspicious activity related to an employee’s email account. When a breach was confirmed, a leading computer forensics expert was hired to assist with the investigation and determine the nature and full extent of the attack.

The forensic investigation revealed the employee’s email account was accessed by an unauthorized individual(s) from May 3 to May 6. No evidence was found to suggest any emails had been viewed or copied, but data access and data theft could not be ruled out.

All emails and email attachments in the account had to be checked to determine whether they contained any patient information. On June 19, Northwood determined patients’ protected health information had been exposed and may have included a patient’s name along with one or more of the following data elements: Address, date of birth, provider name, dates of service, medical record number, patient ID number, diagnosis and diagnosis codes, medical device description, treatment information, and health plan membership number. A small subset of patients also had their Social Security number, driver’s license number, and health insurance provider name exposed.

Affected patients had received durable medical devices from Northwood or had their devices managed by the company. The compromised email account also contained information relating to healthcare providers and their exclusion status with the CMS.

When the breach was discovered, Northwood disabled the compromised account and, as a precaution, performed a password reset on all employee email accounts. Further training has been provided to employees to help them identify email threats and email security has been strengthened. All patients affected by the breach have now been notified by mail and offered complimentary credit monitoring services.

Northwood has reported the breach to the Department of Health and Human Services’ Office for Civil Rights. The breach has been reported as four separate incidents, affecting 583, 3,881, 5,563, and 5,000 patients – 15,027 patients in total.

Palisades Eye Surgery Center Breach Impacts Almost 2,700 Patients

Rockville Eye Surgery Center LLC dba Palisades Eye Surgery Center has experienced a cyberattack in which the protected health information of 2,696 patients was exposed.

The patient information was stored in an email account that was accessed by a hacker. The breach was reported to OCR on July 17, 2019. No further information about the breach has been released so it is currently unclear what types of information were exposed and the nature of the attack.

This is the second cyberattack to be experienced by the eye surgery center in the past 18 months. On January 23, 2018, the PHI of 10 prospective patients was subjected to unauthorized access.


AMCA Victim Count Swells to 15 Healthcare Providers and Nearly 24 Million Records

The number of healthcare providers confirmed to have been affected by the data breach at American Medical Collection Agency (AMCA) has grown considerably over the past few days. The victim count is fast approaching 24 million records and 15 healthcare providers are now known to have been affected.

The AMCA breach was discovered by its parent company, Retrieval Masters Credit Bureau (RMCB), on March 21, 2019. An investigation was launched to determine the extent of the attack, which revealed the hacker had access to the AMCA payment web page for around 8 months. During that time, the hacker had access to vast quantities of sensitive patient information, including financial information and Social Security numbers.

AMCA notified all entities that had been affected by the breach in May 2019; however, only limited information was released. Most of the covered entities affected by the breach were not given sufficient information to allow the affected patients to be identified. Quest Diagnostics was the first to announce that it had been impacted by the breach, closely followed by LabCorp and BioReference Laboratories. Many more healthcare providers have made announcements in the past week.

AMCA has been issuing breach notification letters to affected individuals whose financial information was exposed, but other individuals have not yet been notified. For example, Austin Pathology recently confirmed it has been affected by the breach. Austin Pathology was told around 1,800 breach notification letters had been sent to Austin Pathology patients whose financial information was exposed.

Austin Pathology has confirmed that 46,500 patients have been impacted. The 44,700 patients who have yet to be notified had their name, address, telephone number, date of birth, dates of service, provider details, and account balances exposed. It could well be weeks before all affected patients are notified.

AMCA Data Breach Victims

| Affected Entity | Records Exposed |
|---|---|
| Quest Diagnostics/Optum360 | 12,900,000 |
| LabCorp | 7,700,000 |
| BioReference Laboratories/Opko Health | 422,600 |
| Penobscot Community Health Center | 13,000 |
| Clinical Pathology Associates | 2,200,000 |
| Carecentrix | 500,000 |
| Austin Pathology Associates | 46,500 |
| Seacoast Pathology, Inc | 10,000 |
| Arizona Dermatopathology | 7,000 |
| American Esoteric Laboratories | Unconfirmed |
| CBLPath Inc. | Unconfirmed |
| Sunrise Laboratories | Unconfirmed |
| Natera | Unconfirmed |
| South Texas Dermatopathology PLLC | Unconfirmed |
| Laboratory of Dermatology ADX, LLC | Unconfirmed |


So far, the protected health information of 23,799,100 individuals is known to have been exposed, and as more providers confirm numbers, that total will continue to swell.

As it stands, the AMCA data breach is the second largest healthcare data breach ever reported, behind Anthem’s 78.8 million-record breach that was discovered in 2015.

The cost of AMCA’s breach response has been considerable. AMCA has sent more than 7 million breach notification letters, IT consultants have been hired to assist with the investigation, and as of June 19, 2019, $3.8 million had been spent on the breach response. $2.5 million of that came from RMCB CEO Russell Fuchs, who lent the company the money to cover the cost of the breach notifications. RMCB has since filed for Chapter 11 protection.

AMCA will also be investigated by state attorneys general and the HHS’ Office for Civil Rights to determine whether the breach could be attributed to poor security and noncompliance with HIPAA. OCR has previously fined defunct companies for historic HIPAA violations. Bankruptcy does not offer protection against regulatory fines.


Thousands of Patients Impacted by Breaches at Cancer Treatment Centers of America and Edgepark Medical Supplies

Edgepark Medical Supplies (EMS) has discovered that an unauthorized individual gained access to certain customer accounts, changed the addresses on file, and had orders redirected to other addresses. On May 13, 2019, EMS discovered the potential breach and disabled the affected online accounts.

The investigation revealed the unauthorized individual gained access to the accounts using brute force tactics, often referred to as a password spraying attack: an automated, sustained attempt to gain access to accounts by trying commonly used passwords and dictionary words until the correct password is guessed.

Once account passwords had been guessed, shipping addresses were changed to redirect orders. It is possible that orders have been placed by the attacker unbeknown to Edgepark.com account holders. EMS is still investigating the breach and will be issuing refunds to any customers who have been charged for fraudulent orders.
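The account takeover described above leaves a distinctive trace in authentication logs: one source fails against many different accounts with only a few attempts each, which per-account lockout never catches, and then succeeds on one of them. The following detector, an added example rather than anything from Edgepark or the original post, runs over constructed sample log lines in a hypothetical `src=... user=... result=...` format and separates spraying from classic single-account brute force, then lists the accounts whose shipping addresses and orders should be reviewed.

```python
"""Detect password-spraying patterns in authentication logs (added example).

Password spraying tries a few common passwords against many accounts, so the
per-account failure count stays low. The usable signal is instead a single
source touching many distinct accounts inside a short window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical format; not from any real system.
SAMPLE_LOG = """\
2019-05-12T03:14:07Z src=203.0.113.7 user=alice result=FAIL
2019-05-12T03:14:09Z src=203.0.113.7 user=bob result=FAIL
2019-05-12T03:14:11Z src=203.0.113.7 user=carol result=FAIL
2019-05-12T03:14:13Z src=203.0.113.7 user=dave result=FAIL
2019-05-12T03:14:15Z src=203.0.113.7 user=erin result=FAIL
2019-05-12T03:14:17Z src=203.0.113.7 user=frank result=SUCCESS
2019-05-12T03:20:01Z src=198.51.100.9 user=alice result=FAIL
2019-05-12T03:20:02Z src=198.51.100.9 user=alice result=FAIL
2019-05-12T03:20:03Z src=198.51.100.9 user=alice result=FAIL
2019-05-12T03:20:04Z src=198.51.100.9 user=alice result=FAIL
2019-05-12T03:20:05Z src=198.51.100.9 user=alice result=FAIL
2019-05-12T03:20:06Z src=198.51.100.9 user=alice result=FAIL
2019-05-12T09:00:00Z src=192.0.2.44 user=gina result=FAIL
2019-05-12T09:00:30Z src=192.0.2.44 user=gina result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Return (timestamp, src, user, result) tuples sorted by time; bad lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"]))
    return sorted(events)


def classify_sources(events, window=timedelta(minutes=10),
                     min_accounts=5, max_per_account=3, brute_threshold=5):
    """Label each source as 'spray', 'brute_force' or 'normal'.

    spray: within `window` the source fails against >= min_accounts distinct
           users with <= max_per_account failures each (low per user, wide).
    brute_force: the source fails >= brute_threshold times against one user.
    Thresholds are illustrative; tune them to the service's real traffic.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    verdicts = {}
    for src, evs in by_src.items():
        verdict = "normal"
        fails = [e for e in evs if e[3] == "FAIL"]
        # Slide a window starting at each failure and count failures per user.
        for i, (start, _, _, _) in enumerate(fails):
            per_user = defaultdict(int)
            for ts, _, user, _ in fails[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if max(per_user.values()) >= brute_threshold:
                verdict = "brute_force"
                break
            if (len(per_user) >= min_accounts
                    and max(per_user.values()) <= max_per_account):
                verdict = "spray"
                break
        verdicts[src] = verdict
    return verdicts


def compromised_candidates(events, verdicts):
    """Accounts that logged in successfully from a source judged to be spraying.

    These are the accounts whose stored addresses and recent orders need review,
    and whose passwords should be reset.
    """
    return sorted({user for _, src, user, result in events
                   if result == "SUCCESS" and verdicts.get(src) == "spray"})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    verdicts = classify_sources(evs)
    print(verdicts)
    print("review these accounts:", compromised_candidates(evs, verdicts))
```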

In addition to fraudulent use of their accounts, the following information may have been viewed/obtained by the hacker: Customer name, address, date of birth, products ordered through the website, and health insurance information.

The HHS’ Office for Civil Rights breach portal shows 6,572 Edgepark.com customers were affected by the breach. EMS is reevaluating its security controls and will be implementing additional measures to prevent similar breaches in the future.

This is the third large data breach to be reported by EMS in the past 5 years. Malware was installed on its network in 2014 for 9 months before it was detected. The breach affected 4,230 patients. In January 2018, 4,586 patients had a limited amount of PHI impermissibly disclosed due to a mailing error.

Cancer Treatment Centers of America Reports 3,904-Record Data Breach

An email account breach has occurred at Cancer Treatment Centers of America’s Eastern Regional Medical Center. The breach was detected on June 6, 2019 when unusual activity was detected in an employee’s email account. The password for the account was immediately changed to prevent further access and an internal investigation was launched. Unauthorized access to the account first occurred on May 4, 2019 and continued until May 15.

It is unclear whether the attacker viewed emails in the account or copied any patient information. No evidence of data theft or fraudulent use of patient information has been found.

An analysis of the compromised account revealed it contained the protected health information of 3,904 patients. The types of information exposed varied from patient to patient and may have included the patient’s name along with one or more of the following data elements: Address, phone number, date of birth, medical record number, other patient identifiers, medical information and health insurance information.

Eastern Regional Medical Center has provided further training to employees to raise awareness of common security threats and technical controls are being evaluated and will be augmented to improve email security.


21,400 Patients Impacted by St. Croix Hospice Phishing Attack

St. Croix Hospice, a provider of hospice care throughout the Midwest, has discovered an unauthorized individual gained access to the email account of an employee and potentially viewed patient information.

The breach was detected on May 10, 2019 when suspicious email activity was detected in the account. A third-party computer forensics firm was hired to assist with the investigation and discovered several employees’ email accounts were compromised between April 23, 2019 and May 11, 2019.

It was not possible to determine whether any patient information had been accessed or copied, but the forensics firm did confirm that the accounts had been subjected to unauthorized access.

An extensive systematic review of the compromised email accounts was conducted to identify which patients had had their protected health information exposed. On June 21, 2019, it was confirmed that protected health information had been exposed. The review has now been completed and patients are being notified that their name, address, financial information, Social Security number, health insurance information, medical history, and treatment information may have been compromised.

All affected patients have been offered complimentary credit monitoring and identity theft protection services.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights shows 21,407 patients were impacted by the breach.

Hunt Regional Healthcare Victim of Cyberattack

Greenville, TX-based Hunt Regional Healthcare has announced it experienced a cyberattack on May 14, 2019 in which hackers gained access to its computer network and the protected health information of certain patients.

The attackers potentially accessed files containing patient names, telephone numbers, dates of birth, Social Security numbers, race, and religious preferences. The incident has been reported to the FBI and Hunt Regional Healthcare is assisting in the investigation.

Hunt Regional Healthcare has said no evidence of unauthorized data access or data theft has been discovered, but patients are being notified as a precaution and are being offered free access to IDExperts credit monitoring and identity theft protection services.

It is currently unclear how many patients have been affected by the breach.


Wise Health System Phishing Attack impacts 35,899 Patients

Wise Health System in Decatur, TX, has started sending notifications to patients to inform them that some of their protected health information (PHI) has been exposed as a result of a phishing attack. 35,899 patients have potentially been affected.

The attack occurred on March 14, 2019. Several employees received phishing emails and some responded and disclosed their account credentials. The credentials were then used to gain access to the Employee Kiosk, where the attacker(s) attempted to reroute payroll direct deposits. Attempts were made to redirect approximately 100 direct deposit payments.

Wise Health had policies in place that require a paper check to be printed for two successive payrolls following a change to direct deposit information. The checks were printed in the payroll on April 5 and the unusually high number of checks raised the alarm. Thanks to the two-check policy, the fraud was prevented and no payments were redirected. A system-wide password change was immediately performed to lock out the attackers and two third-party forensic firms were hired to investigate the breach. The breach was also reported to the FBI.

The sole purpose of the attack appears to have been to reroute direct deposits, although the stolen credentials would have allowed access to be gained to employee email accounts. Those accounts contained patients’ names, medical record numbers, diagnostic information, treatment information, and health insurance information.

Wise Health System does not believe PHI was accessed by the attackers and no reports have been received which suggest any patient information has been misused. Both forensics firms and the FBI share that point of view. The investigators all agreed they have never seen a direct deposit attack such as this where the attackers have stolen patient data. These gangs specialize in direct deposit fraud. The attackers in this case were traced to Africa by the FBI, which has now closed its investigation.

Since unauthorized PHI access and data theft could not be ruled out, to ensure patients are protected, notification letters were sent on July 12, 2019 and affected patients have been offered a 12-month complimentary membership to the ID Experts MyIDCare service (credit monitoring, identity theft recovery, and insurance coverage).

Wise Health System is reviewing its security policies and procedures and will be taking steps to reinforce security.


2.2 Million Clinical Pathology Laboratories Patients Affected by AMCA Breach

Clinical Pathology Laboratories in Texas has recently discovered the protected health information (PHI) of approximately 2.2 million of its patients has potentially been compromised in the data breach at American Medical Collection Agency (AMCA).

AMCA provides debt collection services to many healthcare companies, which requires access to the PHI of patients with outstanding bills. A cyberattack on the AMCA payment website allowed hackers to gain access to the site and, through it, the PHI of patients. Hackers had access to the payment website for 8 months before the breach was detected.

As of today, July 18, 2019, five AMCA clients have confirmed they have been affected by the breach. First came Quest Diagnostics, which announced through an SEC filing that 11.9 million of its patients had been affected. That was closely followed by LabCorp’s announcement that 7.7 million records had been exposed. BioReference Laboratories also confirmed that around 422,000 of its patients had been affected, and recently 13,000 patients of Penobscot Community Health Center in Maine have been confirmed to have been affected. To date, more than 22.2 million patients are known to have been affected by the breach.

All of the above healthcare providers were notified in May, two months after AMCA became aware of the breach. However, only limited information about the breach was provided initially as AMCA continued to investigate.

Clinical Pathology Laboratories was notified in May but was not provided with sufficient information about who had been affected, so its breach announcement had to be delayed. AMCA has now confirmed that names, addresses, birth dates, dates of service, account balances, and credit/debit card or banking information were potentially compromised.

AMCA has started sending notification letters to all affected Clinical Pathology Laboratories patients. So far, around 34,500 letters have been sent. Those individuals had their personal and financial information exposed. AMCA has since discovered a further 2.2 million patients had their data exposed, although credit/debit card and banking information was not held for those customers.

As has been the case with all other affected entities, Clinical Pathology Laboratories has stopped doing business with AMCA. AMCA’s parent company has filed for Chapter 11 protection, several lawsuits have been filed, and several state Senators have written to AMCA demanding answers. OCR will also be keen to discover how such a major breach could have occurred and fail to be detected for 8 months. Questions will also be asked about the breach response. Despite discovering the breach in March 2019 or earlier, it took until June 4 for notification letters to start being issued.


Penobscot Community Health Center Victim of AMCA Breach

Another healthcare provider has discovered it has been affected by the security breach at American Medical Collection Agency (AMCA).

AMCA recently discovered an unauthorized individual had gained access to systems containing protected health information (PHI) provided by its clients. Its systems were first subjected to unauthorized access on August 1, 2018 and the breach persisted until March 30, 2019.

Penobscot Community Health Center (PCHC), a not for profit health center in Bangor, ME, contracted with AMCA for billing collection services. AMCA notified PCHC on May 15, 2019 that the PHI of approximately 13,000 of its patients had potentially been compromised.

In order to provide billing collection services, AMCA was provided with a limited amount of PHI. The only PHI provided to AMCA was for patients whose accounts had been sent to AMCA for debt collection and in each case the information disclosed was limited to the minimum necessary amount.

During the 8 months that AMCA systems were subjected to unauthorized access, the following types of information were potentially viewed or copied: names, dates of birth, referring medical provider names, and other medical information related to the services received at PCHC. For a limited number of patients, credit card information may also have been compromised.

PCHC has terminated its business relationship with AMCA and is currently attempting to retrieve and secure all patient data provided to the firm.

PCHC joins Quest Diagnostics, BioReference Laboratories, and LabCorp as confirmed victims of the breach. Other healthcare organizations may also have been affected. To date, more than 20 million individuals are known to have been affected by the AMCA breach.

AMCA’s parent company has filed for bankruptcy and is attempting to liquidate assets to cover the cost of the breach response.


Email Account Hack Affects 25,000 Adirondack Health Patients

Vermont-based Adirondack Health is notifying approximately 25,000 patients that some of their protected health information has potentially been obtained by a hacker.

The information may have included patients’ names, dates of birth, Medicare ID numbers or health insurance member numbers, and limited treatment and/or clinical information. A subset of patients also had their Social Security number exposed.

Adirondack Health is part of the Adirondacks Accountable Care Organization (ACO), which includes various healthcare providers. For monitoring purposes and to help improve the quality of services provided to patients, the ACO receives and analyzes certain patient information.

ACO recently discovered an unauthorized individual had gained access to the email account of an employee. The breach was detected on March 4, 2019 and the account was immediately secured. The hacker had access to the account for a period of two days.

ACO checked every email and attachment in the compromised account to determine whether any PHI had been exposed. There was only one item in the compromised account that included private information: an email discussion about patients in the North Country who missed a baby health screening appointment.

The conversation related to an ACO population health analysis. Attached to the email was a ‘gap-in-care’ spreadsheet that contained PHI. No evidence was uncovered which suggested the email was opened, but the possibility could not be ruled out.

Breach notification letters were sent to affected patients in early July, but it has taken some time to verify some patients’ current addresses. Approximately 25,000 letters have now been sent and only a few remain.

Patients whose Social Security number was exposed have been offered complimentary credit monitoring and identity theft protection services. All patients have been advised to monitor their financial accounts and explanation of benefits statements and to be alert to the risk of fraudulent use of their information.

A spokesperson for Adirondack Health said the email account was accessed remotely by an individual outside the United States. The account breach was not due to a phishing attack.

Adirondack Health has since updated its policies and procedures regarding the use of email for communicating files containing PHI.
