Harrisburg Medical Center, which is part of the Southern Illinois Healthcare network, has recently started notifying 147,826 individuals that some of their personal and protected health information has been compromised. Notification letters about the Harrisburg Medical Center data breach started to be sent to the affected individuals on December 12, 2023; however, the cyberattack was detected a year previously on December 23, 2022.

According to the notification letter sent to the Maine Attorney General, Harrisburg Medical Center discovered and blocked the attack on December 23, 2022, and a third-party cybersecurity firm was engaged to conduct a forensic investigation to determine the nature and extent of the attack. The investigation confirmed that protected health information had been exposed between December 19, 2022, and December 23, 2023, and during that time, files were removed from its systems.

Harrisburg Medical Center said it conducted a review of the documents involved and confirmed on August 24, 2023 – 8 months after the attack was detected – that the files contained names and Social Security numbers, along with some or all of the following information: date of birth, diagnosis/conditions, lab results, and prescription information. Some individuals may also have had their health insurance information, driver’s license/state ID number, digital/electronic signature, and/or financial account number exposed or stolen. No explanation was given about why it took a further four months to issue individual notifications to the affected individuals.

Despite the data breach occurring in December 2022 and PHI being confirmed as involved on August 24, 2023, the incident is still not showing on the HHS’ Office for Civil Rights breach portal. The HIPAA Breach Notification Rule states that breaches must be reported within 60 months of discovery of the breach.

Unsurprisingly, given the length of time taken to notify the affected individuals and the lack of transparency, patients have been looking to take legal action over the breach and theft of their data. Several law firms have opened investigations with a view to filing class action lawsuits.

The post Harrisburg Medical Center Data Breach: PHI of 148,000 Individuals Compromised in 2022 appeared first on HIPAA Journal.

Pan-American Life Insurance Group MoveIT Data Breach

The Pan-American Life Insurance Group in Louisiana has confirmed that it was one of the victims of the mass hacking of a zero-day vulnerability in Progress Software’s MOVEit Transfer solution in late May 2023 by the Clop hacking group. Progress Software released a patch to fix the previously unknown vulnerability on May 31, 2023; however, by that time the Clop hacking group had already mass exploited the flaw to gain access MOVEit servers. More than 2,600 organizations worldwide are now known to have been affected and between 78 and 83 million individuals have had their data stolen in the attacks.

The Pan-American Life Insurance Group said it immediately stopped using the MOVEit Transfer tool for file transfers when it was notified about the vulnerability and hired a cybersecurity firm to determine if the flaw had been exploited. The investigation confirmed that files had indeed been stolen. A review of those files was initiated, and on October 5, 2023, it was confirmed that they contained personal and protected health information, including names, addresses, Social Security numbers, dates of birth, driver’s license numbers, contact information, medical and medical benefits information, subscriber numbers, certain biometric data, and financial account and credit card information.

The Pan-American Life Insurance Group has arranged for the affected individuals to be provided with 24 months of complimentary credit monitoring and identity theft protection services. The breach was reported to the HHS’ Office for Civil Rights in two separate breach reports that affected 105,387 and 94,807 individuals.

Dameron Hospital Investigating Cyberattack

Dameron Hospital in Stockton, CA, has confirmed that it recently suffered a cyberattack that has affected some of its network systems. The lack of critical systems has caused disruption and some procedures have been rescheduled until all systems are brought back online; however, a spokesperson for the hospital confirmed that its patient care operations and emergency department are continuing to function as normal. An investigation has been launched to determine the nature and scope of the incident and to whether any patient data has been exposed or stolen. Further information will be released as the investigation progresses.

Hunters International Claim Responsibility for Cyberattack on Covenant Care

Covenant Care, a provider of skilled nursing, residential care, and home healthcare in California and Nevada, appears to have experienced a cyberattack involving data theft. The Hunters International hacking group has added Covenant Care to its data leak site has been adding patient data to that site, indicating Covenant Care has refused to pay the ransom. Covenant Care has not confirmed whether the hacking group’s claims are genuine.

Covenant Care is no stranger to data breaches, having fallen victim to multiple phishing attacks in the past 5 years, including one in 2019 that affected 7,858 patients and another in 2022 that involved the PHI of 23,093 patients. In response to the 2019 attack, the HHS’ Office for Civil Rights issued technical assistance to help Covenant Care with its security management process.

The post Pan-American Life Insurance Group Data Breach Affects 200,000 Individuals appeared first on HIPAA Journal.

Second Class Action Lawsuit Filed Over North Healthcare Data Breach

A second class action lawsuit has been filed against Norton Healthcare in response to its May 2023 ransomware attack in which the protected health information of up to 2.5 million patients was exposed and potentially stolen.

The first lawsuit was filed in the summer on behalf of plaintiff Lanisha Malone in U.S. District Court after her personal information was misused. She was contacted by her bank to inform her about a suspicious $1,5000 charge to her account which had been blocked. The lawsuit alleged the Louisville, KY-based health system had failed to implement appropriate security measures to safeguard the sensitive data of patients and that Norton Healthcare had failed to issue timely notification letters to allow the affected patients to take steps to protect themselves against identity theft and fraud.

Norton Healthcare announced in May 2023 that an investigation had been launched into a cyberattack; however, at the time the extent of the breach had yet to be established and it was unclear how many individuals had been affected and it was therefore not possible to issue individual notification letters. Norton Healthcare provided an update on the attack in December and confirmed that the cyberattack involved ransomware and that the ransom was not paid. Notification letters started to be mailed on December 8, 2023.

On December 14, 2023, a second class action lawsuit was filed against Norton Healthcare over the ransomware attack on behalf of Margaret Garrett of Crestwood, KY, and similarly situated individuals. The latest lawsuit alleges Norton Healthcare violated the Privacy and Security Rules of the Health Insurance Portability and Accountability Act (HIPAA) by failing to adequately protect patient information and also takes issue with the alleged lack of transparency about the ransomware attack and data breach. Norton Healthcare has now confirmed the types of data potentially compromised in the attack but has been unable to say exactly how many individuals were affected or the specific types of data that were compromised in the attack.

The lawsuit claims that the sensitive data of patients and employees is now in the hands of cybercriminals and could be used for identity theft and fraud and that now that sensitive data has been sold or posted in public forums, patients and employees could be contacted directly by the ALPHV/BlackCat ransomware group and threatened with further exposure of their sensitive data, especially patients with sexually transmitted diseases or terminal illnesses. Recently, a cyberattack on the Fred Hutchinson Cancer Center has resulted in patients being extorted directly by hackers after the decision was taken by Fred Hutchinson Cancer Center not to pay the ransom.

The lawsuit – Gerrett v. Norton Healthcare Inc. was filed in U.S. District Court for the Western District of Kentucky and seeks class action status, a jury trial, damages, and legal fees. The plaintiff and class are represented by Andrew W. Ferich and Carlynne A. Wagner of Ahdoot & Wolfson, PC, and John C Whitfield of Whitfield Coleman Montoya, PLLC.

Norton Healthcare said it takes the privacy and security of patient and employee data very seriously and plans to vigorously defend itself in any litigation over the ransomware attack and data breach.

December 11, 2023: Norton Healthcare Notifies 2.5 Million Individuals About May 2023 Ransomware Attack

The Kentucky-based health system, Norton Healthcare, has recently confirmed that the personal and protected health information of patients and employees was exposed, and potentially stolen, in a May 2023 ransomware attack. According to the breach report submitted to the Maine Attorney General, the Norton Healthcare data breach has affected up to 2.5 million individuals.

Norton Healthcare operates eight hospitals in Kentucky and Indiana. On May 9, 2023, suspicious activity was identified within its network and it was later determined that ransomware had been used. Immediate action was taken to secure its network and a forensic investigation was conducted to determine the extent of the breach. The investigation confirmed that an unauthorized third party had access to its network between May 7, 2023, and May 9, 2023, including network storage devices that contained sensitive patient and employee data. Norton Healthcare’s medical record system and Norton MyChart were not accessed and remained secure.

Throughout the investigation, Norton Healthcare provided updates on its website, with the first announcement made on May 11, 2023. Norton Healthcare previously confirmed that it was able to recover the affected files from backups, and started to do so on May 10, 2023; however, the investigation and file review have taken several months. Those processes have now concluded and notification letters started to be sent to the affected individuals on December 8, 2023.

The Norton Healthcare data breach was reported to the HHS’ Office for Civil Rights on July 7, 2023, to meet the breach reporting requirements of the HIPAA Breach Notification Rule, but an interim figure of 501 individuals was provided as it had yet to be determined how many individuals had been affected. In mid-November, Norton Healthcare determined that “based on the data available to it, and out of an abundance of caution,” the most efficient approach was to notify all current (as of May 10, 2023) and former patients, employees, employee dependents and beneficiaries about the ransomware attack. If a notification letter is received it does not necessarily mean that personal and protected health information has been stolen, only that sensitive information may have been exposed.

The types of data involved may have included names in combination with one or more of the following: contact information, Social Security Number, date of birth, health information, insurance information, and medical identification number, and for certain individuals, driver’s license number, other government ID numbers, financial account numbers, and digital signatures. Norton Healthcare said it has enhanced its security safeguards since the attack and has not found any additional indicators of compromise as its networks were restored. As a precaution against misuse of data, Norton Healthcare has arranged for the affected individuals to be provided with complimentary credit monitoring and identity theft protection services for up to 24 months.

Norton Healthcare did not confirm the name of the ransomware group behind the attack, but the BlackCat ransomware group claimed responsibility. Norton Healthcare is facing legal action over the attack, with one lawsuit alleging Norton Healthcare failed to implement appropriate safeguards to prevent attacks and did not issue timely notifications to the affected individuals.

The post Norton Healthcare Data Breach: Second Class Action Lawsuit Filed appeared first on HIPAA Journal.

Foursquare Healthcare Ltd, a Rockwall, TX-based operator of short-term rehabilitation, skilled nursing, and long-term nursing care facilities has recently confirmed it experienced a ransomware attack in September. The ransomware attack was detected on September 27, 2023, and the forensic investigation confirmed the attackers accessed its network between September 27, 2023, and September 29, 2023, and acquired certain files that contained employee and patient information. The information in the files varied from individual to individual and included names along with one or more of the following: address, billing information, Social Security number, banking information, and clinical information regarding care received at its clinics.

The attack did not cause any material disruption to Foursquare care or services and no evidence has been found to indicate that any of the stolen data has been misused for identity theft or fraud. Foursquare said it has received assurances that all of the stolen data has been deleted. That usually, but not always, means the ransom was paid. Foursquare said it believes the incident has been contained and it will continue to monitor its systems for unauthorized activity.

The breach has recently been reported to the HHS’ Office for Civil Rights as involving the protected health information of 10,890 patients. Foursquare has offered the affected individuals two years of complimentary credit monitoring and identity theft protection services and while assurances were provided that the stolen data has been deleted, Foursquare encourages the affected patients and employees to be vigilant against identity theft and fraud.

Hi-School Pharmacy Suffers Ransomware Attack

The Vancouver, WA-based drug store chain, Hi-School Pharmacy, has recently notified the Maine Attorney General about a data breach that has affected 17,676 individuals. On November 3, 2023, Hi-School Pharmacy experienced a cyberattack that caused network disruption. The forensic investigation confirmed on November 21, 2023, that the attackers had access to parts of the network that contained protected health information including names and Social Security numbers. Notification letters were sent to the affected individuals on November 5, 2023. Credit monitoring and identity theft protection services have been offered to the affected individuals.

The post Ransomware Attacks Reported by Foursquare Healthcare and Hi-School Pharmacy appeared first on HIPAA Journal.

Ontario, CA-based Prime Healthcare has been affected by a data breach at its revenue cycle management vendor, CBIZ KA. The vendor used Progress Software’s MOVEit Transfer solution, a zero-day vulnerability in which was exploited by the Clop hacking group in late May 2023. Prime Healthcare received a copy of the stolen files from CBIZ KA on September 20, 2023, and has confirmed that they contained names in combination with one or more of the following: date of birth, address, medical record number, Social Security Number, admission date, and discharge date.

Prime Healthcare operates 45 hospitals, although only 9 were affected: Saint Clare’s Hospital, Saint Michael’s Medical Center, and St. Mary’s General Hospital in New Jersey, Roxborough Memorial Hospital, Lower Bucks Hospital, and Suburban Community Hospital in Pennsylvania, Garden City Hospital and Lake Huron Medical Center in Michigan, and Landmark Medical Center in Rhode Island. Individuals whose Social Security numbers were involved have been offered complimentary credit monitoring and identity protection services.

PHI Compromised in Cyberattack on Sierra County, CA

Sierra County in California experienced a “sophisticated cyberattack” on or around February 21, 2023. Sierra County detected the breach on March 5, 2023, secured its systems to prevent further unauthorized access, and engaged third-party cybersecurity experts to investigate the breach. The investigation revealed the attackers had access to parts of the network that contained information such as names, addresses, dates of birth, email addresses, phone numbers, Social Security numbers, driver’s license or government ID numbers, medical/prescription or health insurance related information, drug or alcohol screening results, credit or debit card numbers, biometric data, or financial account/routing numbers. No evidence has been found that indicates actual or attempted misuse of the impacted data. The Department of Public Health and Department of Behavioral Health confirmed that the protected health information of 2,463 individuals was exposed and potentially stolen in the attack.

Email Account Breach Reported by Advarra, Inc.

Advarra, Inc., a Columbia, MD-based provider of integrated research compliance solutions, has discovered unauthorized access to an employee email account. The email account breach was detected on October 26, 2023, and the account was immediately disabled. The forensic investigation confirmed that the breach was limited to a single account, with the unauthorized access commencing on October 25, 2023. The attacker copied information from the account that included names and Social Security numbers. The breach was recently reported to the Maine Attorney General as affecting 1,782 individuals. No evidence of misuse of the stolen data has been identified; however, as a precaution, affected individuals have been offered complimentary credit monitoring services for 24 months and those individuals are being encouraged to take advantage of those services.

The post 9 Prime Healthcare Hospitals Affected by MOVEit Data Breach appeared first on HIPAA Journal.