HIPAA Breach News

Kentucky Community Health Center Pays $70,000 Ransom to Recover PHI

On June 7, 2019, Louisville, KY-based Park DuValle Community Health Center suffered a ransomware attack. Hackers succeeded in gaining access to its network and installed ransomware which rendered its medical record system and appointment scheduling platform inaccessible.

The not-for-profit health center provides medical services to the uninsured and low-income patients in the western Louisville area. For seven weeks, employees at the health center have been recording patient information on pen and paper and have had to rely on patients’ accounts of past treatments and medications. With its systems out of action, no patient data could be viewed, and appointments could not be scheduled. The clinic had to operate on a walk-in basis.

The medical record system contained the records of around 20,000 current and former patients who had previously received treatment at one of its medical centers in Louisville, Russell, Newburg, or Taylorsville.

This is not the first ransomware attack suffered by the health center this year. A prior attack occurred on April 2, 2019, which similarly took its computer systems out of action. In that case, backups were used to restore data and its systems were rebuilt from scratch. The health center was able to recover data without paying a ransom, although its systems were offline for around three weeks while the attack was remediated.

The health center consulted with third-party IT specialists and the FBI after the latest attack and the decision was taken to pay the ransom for the keys to decrypt files. Park DuValle CEO Elizabeth Ann Hagan-Grigsby explained to WDRB reporters that it was not possible to rebuild its systems and recover data from backups after the latest attack.

The ransom was paid in two installments, the first was made two weeks ago and the final payment was made last week. The latest payment was for 6 Bitcoin. Approximately $70,000 was paid in total. The health center expects to have fully restored its systems by August 1, 2019.

The ransom payment is only a small part of the cost of a ransomware attack. Hagan-Grigsby said the attack has so far cost around $1 million.

While the ransomware prevented files from being accessed, Hagan-Grigsby does not believe there has been a data breach. She said the Department of Health and Human Services has been notified, although it was told there was no data breach. No evidence was found to suggest unencrypted patient information was viewed, and its firewall logs show no data was exfiltrated from its systems.

The Park DuValle ransomware attack is one of several healthcare ransomware attacks to be reported in the past few days. Ransomware attacks have also recently been reported by Springhill Medical Center in Alabama, Harbor Community Hospital in Washington, and Dr. Carl Bilancione’s dental office in Maitland, Florida.

An attack was also reported by Bayamón Medical Center in Puerto Rico, which also affected its affiliated Puerto Rico Women and Children’s Hospital. The attack impacted more than 520,000 patients.

The post Kentucky Community Health Center Pays $70,000 Ransom to Recover PHI appeared first on HIPAA Journal.

2019 Cost of A Data Breach Study Reveals Increase in U.S. Healthcare Data Breach Costs

The Ponemon Institute/IBM Security has published its 2019 Cost of a Data Breach Report – a comprehensive analysis of data breaches reported in 2018.

The report shows data breach costs have continued to rise and the costliest breaches are experienced by healthcare organizations, as has been the case for the past 9 years.

Average Data Breach Costs $3.92 Million

Over the past five years, the average cost of a data breach has increased by 12%. The global average cost of a data breach has increased to $3.92 million. The average breach size is 25,575 records and the cost per breached record is now $150; up from $148 last year.

Globally, the healthcare industry has the highest breach costs with an average mitigation cost of $6.45 million. Healthcare data breaches typically cost 65% more than data breaches experienced in other industry sectors.

Data breach costs are the highest in the United States, where the average cost of a data breach is $8.19 million – or $242 per record. The average cost of a healthcare data breach in the United States is $15 million.

Healthcare Data Breaches Cost $429 per Record

In healthcare, the average cost of a breach has increased to $429 per record from $408 last year – an increase of 5.15%. The financial sector has the second highest breach costs. Financial industry breaches cost an average of $210 per record – less than half the per record cost of a healthcare data breach.

Fortunately, mega data breaches are relatively rare, but when they do occur the costs can soar. Mega data breaches are classed as breaches of more than 1 million records. IBM projected losses due to a data breach of 1 million records would be $42 million, whereas a breach of 50 million records would cost $388 million to resolve. The recent data breach at American Medical Collection Agency, which is known to have affected 18 healthcare providers and 25 million individuals, would fit halfway along that cost scale.

“Cybercrime represents big money for cybercriminals, and unfortunately that equates to significant losses for businesses,” said Wendi Whitmore, Global Lead for IBM X-Force Incident Response and Intelligence Services. “With organizations facing the loss or theft of over 11.7 billion records in the past 3 years alone, companies need to be aware of the full financial impact that a data breach can have on their bottom line – and focus on how they can reduce these costs.”

The survey was conducted by the Ponemon Institute on 507 companies that have experienced a data breach in the past year and involved 3,211 interviews with individuals with knowledge of the breach. Breach costs were determined using an activity-based costing (ABC) method, which identifies activities and assigns a cost to each based on actual use.

The Effects of A Data Breach Are Felt For Years

In this year’s study, IBM analyzed the financial impact of a data breach including the longtail financial costs. The analysis revealed the financial repercussions of a data breach are felt for years. The majority of the breach costs are realized in the first year after the breach when 67% of the cost is accrued. 22% of the cost is accrued in the second year, and 11% of the cost comes 2 or more years after the breach. In highly regulated industries such as healthcare, the longtail costs are higher.

For the majority of businesses, the biggest cost is loss of business after a data breach. Across all industry sectors, loss of business has been the biggest breach cost for the past 5 years, which now costs businesses an average of $1.42 million or 36% of their total breach cost. The average loss of customers following a data breach is 3.9%, although the figure is higher for healthcare organizations who often struggle to retain patients after a breach.

Breach costs are affected by several factors, including the nature of the breach and the organization’s size. The average cost of a data breach at an SMB with fewer than 500 employees is $2.5 million or 5% of annual revenue. With such crippling costs, it is easy to see why so many SMBs fail within 6 months of experiencing a data breach.

Malicious attacks were most common (51%) and were also the costliest breaches to resolve. Malicious attacks cost 25% more to resolve than breaches caused by system glitches or human error. Malicious attacks are now occurring much more frequently. There was a 21% increase in malicious attacks between 2014 and 2019.

The study identified several factors which reduce the cost of a data breach. The most important step to take to reduce breach costs is to form an incident response (IR) team. Companies that had formed an IR team, developed an IR plan, and extensively tested that plan, reduced their breach costs by an average of $1.23 million.

A rapid breach response greatly reduces breach costs. The average time from breach to discovery is 279 days. Companies that identified and remediated the breach inside 200 days saved an average of $1.2 million.

The post 2019 Cost of A Data Breach Study Reveals Increase in U.S. Healthcare Data Breach Costs appeared first on HIPAA Journal.

June 2019 Healthcare Data Breach Report

For the past two months, healthcare data breaches have been reported at a rate of 1.5 per day – well above the typical rate of one per day. In June, data breaches returned to more normal levels, with 30 breaches of more than 500 healthcare records reported – 31.8% fewer than in May 2019.

While the number of reported data breaches fell,  June saw a 73.6% increase in the number of health records exposed in data breaches. 3,452,442 healthcare records were exposed in the 30 healthcare data breaches reported in June.

Largest Healthcare Data Breaches in June 2019

The increase in exposed records is due to a major breach at the dental health plan provider Dominion Dental Services (Dominion National Insurance Company). Dominion discovered an unauthorized individual had access to its systems and patient data for 9 years. During that time, the protected health information of 2,964,778 individuals may have been stolen. That makes it the largest healthcare data breach to be reported to the Office for Civil Rights so far in 2019 – at least for a month, until entities affected by the breach at American Medical Collection Agency report the breach.

Nine of the ten largest healthcare data breaches in June were hacking/IT incidents, and the top six breaches involved network servers. Three email security breaches and one improper disposal incident round out the top ten.

| Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached Information |
|---|---|---|---|---|
| Dominion Dental Services, Inc., Dominion National Insurance Company, and Dominion Dental Services USA, Inc. | Health Plan | 2,964,778 | Hacking/IT Incident | Network Server |
| Inform Diagnostics, Inc. | Healthcare Provider | 173,617 | Hacking/IT Incident | Network Server |
| EyeCare Partners, LLC [on behalf of affiliated covered entities] | Healthcare Provider | 141,165 | Hacking/IT Incident | Network Server |
| TenX Systems, LLC d/b/a ResiDex Software | Business Associate | 90,000 | Hacking/IT Incident | Network Server |
| Shingle Springs Health and Wellness Center | Healthcare Provider | 21,513 | Hacking/IT Incident | Network Server |
| Desert Healthcare Services, LLC | Healthcare Provider | 8,000 | Hacking/IT Incident | Network Server |
| Summa Health | Healthcare Provider | 7,989 | Hacking/IT Incident | Email |
| Community Physicians Group | Healthcare Provider | 5,400 | Hacking/IT Incident | Email |
| Community Healthlink | Healthcare Provider | 4,598 | Hacking/IT Incident | Email |
| Adventist Health Physician Services | Healthcare Provider | 3,797 | Improper Disposal | Paper/Films |

The Year So Far

As you can see in the graph below, 2019 is shaping up to be a bad year for healthcare data breaches. In the first 6 months of 2019, the records of 9,652,575 Americans were exposed, impermissibly disclosed, or stolen. That is already almost double the records exposed in 2017 and last year’s total will soon be exceeded. The data breach at American Medical Collection Agency has yet to appear in the figures below. That breach alone will raise the 2019 total to almost 35 million healthcare records. That’s more healthcare records than were breached in 2016, 2017, and 2018 combined.

Causes of June 2019 Healthcare Data Breaches

There was a fairly even split between hacking/IT incidents and unauthorized access/disclosure incidents in June, which accounted for 83% of all breaches reported. There were 12 unauthorized access/disclosure incidents reported in June, but they typically involved small numbers of records. Unauthorized access/disclosure incidents impacted 18,165 patients. The mean breach size was 1,813 records and the median breach size was 1,502 records.

There were 13 hacking/IT incidents reported in June. While these breaches only accounted for 43% of all incidents reported in June, 3,424,422 healthcare records were compromised in those breaches – 99.19% of all records breached in June. The mean breach size was 263,417 records and the median breach size was 7,995 records.

There were three theft incidents reported involving 3,424 records. The mean breach size was 1,141 records and the median breach size was 1,282 records. One loss incident was reported that impacted 2,634 patients and one improper disposal incident exposed the PHI of 3,797 patients.

Location of Breached Protected Health Information

Phishing attacks are continuing to cause problems for healthcare providers, but so too is ransomware. There was a sharp increase in ransomware attacks in Q1 and the trend continued in Q2. Ransomware may have fallen out of favor with cybercriminals in 2018, but it appears to be back in vogue in 2019. Email is usually the most common location of breached PHI, but there was a fairly even split between network server and email incidents in June. The rise in ransomware and malware attacks in June accounts for the increase in network server incidents.

June 2019 Healthcare Data Breaches by Covered Entity Type

Healthcare providers reported 24 data breaches in June; one breach was reported by a health plan and one by a healthcare clearinghouse. While only one data breach was reported by a business associate, a further 7 data breaches had some business associate involvement.

June 2019 Healthcare Data Breaches by State

June’s 30 healthcare data breaches affected covered entities in 20 states. Arizona and California were the worst affected with three reported breaches. Florida, Massachusetts, Maryland, Minnesota, Missouri, and Ohio each experienced two breaches, and one breach was reported in each of Arkansas, Iowa, Illinois, Indiana, Kentucky, Michigan, Nevada, Pennsylvania, Texas, Virginia, Vermont, and Wyoming.

HIPAA Enforcement Actions in June 2019

One HIPAA enforcement action came to a conclusion in June. Premera Blue Cross agreed to settle a multi-state lawsuit over its 10.4-million-record data breach in 2017.

Premera Blue Cross is one of the nation’s largest health insurers. In early 2018, Premera discovered hackers had gained access to its network by exploiting an unpatched software vulnerability. The investigation into the breach revealed there had been basic security failures. The case, led by Washington State Attorney General Bob Ferguson, was settled for $10,000,000.

Alabama, Alaska, Arizona, Arkansas, California, Connecticut, Florida, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, Nevada, New Jersey, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Rhode Island, Utah, Vermont and Washington all participated in the lawsuit.

The Department of Health and Human Services’ Office for Civil Rights did not issue any financial penalties for HIPAA violations in June.

The post June 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.

15,000 Patient Records Exposed in Phishing Attack on HIPAA Business Associate

Northwood Inc., a Madison Heights, MI-based HIPAA business associate, has announced that a hacker has gained access to the email account of one of its employees and potentially viewed or obtained sensitive patient information.

The breach was discovered on May 6, 2019 while investigating suspicious activity related to an employee’s email account. When a breach was confirmed, a leading computer forensics expert was hired to assist with the investigation and determine the nature and full extent of the attack.

The forensic investigation revealed the employee’s email account was accessed by an unauthorized individual(s) from May 3 to May 6. No evidence was found to suggest any emails had been viewed or copied, but data access and data theft could not be ruled out.

All emails and email attachments in the account had to be checked to determine whether they contained any patient information. On June 19, Northwood determined patients’ protected health information had been exposed and may have included a patient’s name along with one or more of the following data elements: Address, date of birth, provider name, dates of service, medical record number, patient ID number, diagnosis and diagnosis codes, medical device description, treatment information, and health plan membership number. A small subset of patients also had their Social Security number, driver’s license number, and health insurance provider name exposed.

Affected patients had received durable medical devices from Northwood or had their devices managed by the company. The compromised email account also contained information relating to healthcare providers and their exclusion status with the CMS.

When the breach was discovered, Northwood disabled the compromised account and, as a precaution, performed a password reset on all employee email accounts. Further training has been provided to employees to help them identify email threats and email security has been strengthened. All patients affected by the breach have now been notified by mail and offered complimentary credit monitoring services.

Northwood has reported the breach to the Department of Health and Human Services’ Office for Civil Rights. The breach has been reported as four separate incidents, affecting 583, 3,881, 5,563, and 5,000 patients – 15,027 patients in total.

Palisades Eye Surgery Center Breach Impacts Almost 2,700 Patients

Rockville Eye Surgery Center LLC dba Palisades Eye Surgery Center has experienced a cyberattack in which the protected health information of 2,696 patients was exposed.

The patient information was stored in an email account that was accessed by a hacker. The breach was reported to OCR on July 17, 2019. No further information about the breach has been released so it is currently unclear what types of information were exposed and the nature of the attack.

This is the second cyberattack to be experienced by the eye surgery center in the past 18 months. On January 23, 2018, the PHI of 10 prospective patients was subjected to unauthorized access.

The post 15,000 Patient Records Exposed in Phishing Attack on HIPAA Business Associate appeared first on HIPAA Journal.

AMCA Victim Count Swells to 15 Healthcare Providers and Nearly 24 Million Records

The number of healthcare providers confirmed to have been affected by the data breach at American Medical Collection Agency (AMCA) has grown considerably over the past few days. The victim count is fast approaching 24 million records and 15 healthcare providers are now known to have been affected.

The AMCA breach was discovered by its parent company, Retrieval Masters Credit Bureau (RMCB), on March 21, 2019. An investigation was launched to determine the extent of the attack, which revealed the hacker had access to the AMCA payment web page for around 8 months. During that time, the hacker had access to vast quantities of sensitive patient information, including financial information and Social Security numbers.

AMCA notified all entities that had been affected by the breach in May 2019; however, only limited information was released. Most of the covered entities affected by the breach were not given sufficient information to allow the affected patients to be identified. Quest Diagnostics was the first to announce that it had been impacted by the breach, closely followed by LabCorp and BioReference Laboratories. Many more healthcare providers have made announcements in the past week.

AMCA has been issuing breach notification letters to affected individuals whose financial information was exposed, but other individuals have not yet been notified. For example, Austin Pathology recently confirmed it has been affected by the breach. Austin Pathology was told around 1,800 breach notification letters had been sent to Austin Pathology patients whose financial information was exposed.

Austin Pathology has confirmed that 46,500 patients have been impacted. The 44,700 patients who have yet to be notified had their name, address, telephone number, date of birth, dates of service, provider details, and account balances exposed. It could well be weeks before all affected patients are notified.

AMCA Data Breach Victims

| Affected Entity | Records Exposed |
|---|---|
| Quest Diagnostics/Optum360 | 12,900,000 |
| LabCorp | 7,700,000 |
| BioReference Laboratories/Opko Health | 422,600 |
| Penobscot Community Health Center | 13,000 |
| Clinical Pathology Associates | 2,200,000 |
| Carecentrix | 500,000 |
| Austin Pathology Associates | 46,500 |
| Seacoast Pathology, Inc | 10,000 |
| Arizona Dermatopathology | 7,000 |
| American Esoteric Laboratories | Unconfirmed |
| CBLPath Inc. | Unconfirmed |
| Sunrise Laboratories | Unconfirmed |
| Natera | Unconfirmed |
| South Texas Dermatopathology PLLC | Unconfirmed |
| Laboratory of Dermatology ADX, LLC | Unconfirmed |

So far, the protected health information of 23,799,100 individuals is known to have been exposed, and as more providers confirm numbers, that total will continue to swell.

As it stands, the AMCA data breach is the second largest healthcare data breach ever reported, behind Anthem’s 78.8 million-record breach that was discovered in 2015.

The cost of AMCA’s breach response has been considerable. AMCA has sent more than 7 million breach notification letters, IT consultants have been hired to assist with the investigation, and as of June 19, 2019, $3.8 million had been spent on the breach response. $2.5 million of that came from RMCB CEO Russell Fuchs, who lent the company the money to cover the cost of the breach notifications. RMCB has since filed for Chapter 11 protection.

AMCA will also be investigated by state attorneys general and the HHS’ Office for Civil Rights to determine whether the breach could be attributed to poor security and noncompliance with HIPAA. OCR has previously fined defunct companies for historic HIPAA violations. Bankruptcy does not offer protection against regulatory fines.

The post AMCA Victim Count Swells to 15 Healthcare Providers and Nearly 24 Million Records appeared first on HIPAA Journal.

Thousands of Patients Impacted by Breaches at Cancer Treatment Centers of America and Edgepark Medical Supplies

Edgepark Medical Supplies (EMS) has discovered that an unauthorized individual gained access to certain customer accounts, changed the shipping addresses on those accounts, and had their orders redirected to other addresses. On May 13, 2019, EMS discovered the potential breach and disabled the affected online accounts.

The investigation revealed an unauthorized individual gained access to the accounts by using brute force tactics, often referred to as a password spraying attack. This is an automated, sustained attempt to gain access to accounts by using commonly used passwords and dictionary words until the correct password is guessed.

Once account passwords had been guessed, shipping addresses were changed to redirect orders. It is possible that orders have been placed by the attacker unbeknown to Edgepark.com account holders. EMS is still investigating the breach and will be issuing refunds to any customers who have been charged for fraudulent orders.
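The account takeover described above is the kind that per-account lockout thresholds miss, because the attacker makes only one or two guesses per account across many accounts. The detector below is an added example, not Edgepark’s code or data; it runs over a constructed authentication log in a hypothetical "timestamp user source result" format and flags sources that touch many accounts with few attempts each, listing the accounts that were successfully entered so they can be disabled and reset.

```python
"""Detect password-spraying patterns in authentication logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class AuthEvent(NamedTuple):
    ts: datetime
    user: str
    src: str
    ok: bool


# Constructed sample log (hypothetical format, not real Edgepark data).
# 203.0.113.7 makes one guess against each of seven accounts and gets into one;
# 198.51.100.9 is a single user who mistypes a password twice, then succeeds.
SAMPLE_LOG = """\
2019-05-12T02:00:01 alice 203.0.113.7 FAIL
2019-05-12T02:00:03 bob 203.0.113.7 FAIL
2019-05-12T02:00:05 carol 203.0.113.7 FAIL
2019-05-12T02:00:07 dave 203.0.113.7 FAIL
2019-05-12T02:00:09 erin 203.0.113.7 FAIL
2019-05-12T02:00:11 frank 203.0.113.7 SUCCESS
2019-05-12T02:00:13 grace 203.0.113.7 FAIL
2019-05-12T02:01:00 heidi 198.51.100.9 FAIL
2019-05-12T02:01:20 heidi 198.51.100.9 FAIL
2019-05-12T02:01:40 heidi 198.51.100.9 SUCCESS
"""


def parse_log(text: str) -> List[AuthEvent]:
    """Parse whitespace-separated 'ts user src result' lines into events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = line.split()
        events.append(AuthEvent(datetime.fromisoformat(ts), user, src, result == "SUCCESS"))
    return events


def detect_spraying(
    events: List[AuthEvent],
    window: timedelta = timedelta(minutes=10),
    min_accounts: int = 5,
    max_per_account: int = 2,
) -> Dict[str, Dict[str, object]]:
    """Return sources showing a spraying signature: within `window`, at least
    `min_accounts` distinct accounts attempted, none more than `max_per_account`
    times. A classic brute force against one account fails the second test and
    is left to per-account lockout logic; spraying is the pattern that test
    catches. Each finding lists accounts the source successfully logged into."""
    by_src: Dict[str, List[AuthEvent]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_src[ev.src].append(ev)

    findings: Dict[str, Dict[str, object]] = {}
    for src, evs in by_src.items():
        start = 0
        for end, ev in enumerate(evs):
            # Slide the window start forward so evs[start:end+1] spans <= window.
            while evs[start].ts < ev.ts - window:
                start += 1
            recent = evs[start:end + 1]
            per_user: Dict[str, int] = defaultdict(int)
            for e in recent:
                per_user[e.user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                findings[src] = {
                    "accounts": len(per_user),
                    "compromised": sorted({e.user for e in recent if e.ok}),
                }
    return findings


if __name__ == "__main__":
    for src, info in detect_spraying(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {info['accounts']} accounts tried, entered: {info['compromised']}")
```

Tune `window`, `min_accounts` and `max_per_account` to the login volume of the site being monitored; a low-and-slow spray spread over hours needs a wider window than the ten minutes used here.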

In addition to fraudulent use of their accounts, the following information may have been viewed/obtained by the hacker: Customer name, address, date of birth, products ordered through the website, and health insurance information.

The HHS’ Office for Civil Rights breach portal shows 6,572 Edgepark.com customers were affected by the breach. EMS is reevaluating its security controls and will be implementing additional measures to prevent similar breaches in the future.

This is the third large data breach to be reported by EMS in the past 5 years. Malware was installed on its network in 2014 for 9 months before it was detected. The breach affected 4,230 patients. In January 2018, 4,586 patients had a limited amount of PHI impermissibly disclosed due to a mailing error.

Cancer Treatment Centers of America Reports 3,904-Record Data Breach

An email account breach has occurred at Cancer Treatment Centers of America’s Eastern Regional Medical Center. The breach was detected on June 6, 2019 when unusual activity was detected in an employee’s email account. The password for the account was immediately changed to prevent further access and an internal investigation was launched. Unauthorized access to the account first occurred on May 4, 2019 and continued until May 15.

It is unclear whether the attacker viewed emails in the account or copied any patient information. No evidence of data theft or fraudulent use of patient information has been found.

An analysis of the compromised account revealed it contained the protected health information of 3,904 patients. The types of information exposed varied from patient to patient and may have included the patient’s name along with one or more of the following data elements: Address, phone number, date of birth, medical record number, other patient identifiers, medical information and health insurance information.

Eastern Regional Medical Center has provided further training to employees to raise awareness of common security threats and technical controls are being evaluated and will be augmented to improve email security.

The post Thousands of Patients Impacted by Breaches at Cancer Treatment Centers of America and Edgepark Medical Supplies appeared first on HIPAA Journal.

21,400 Patients Impacted by St. Croix Hospice Phishing Attack

St. Croix Hospice, a provider of hospice care throughout the Midwest, has discovered an unauthorized individual gained access to the email account of an employee and potentially viewed patient information.

The breach was detected on May 10, 2019 when suspicious email activity was detected in the account. A third-party computer forensics firm was hired to assist with the investigation and discovered several employees’ email accounts were compromised between April 23, 2019 and May 11, 2019.

It was not possible to determine whether any patient information had been accessed or copied, but the forensics firm did confirm that the accounts had been subjected to unauthorized access.

An extensive systematic review of the compromised email accounts was conducted to identify which patients had had their protected health information exposed. On June 21, 2019, it was confirmed that protected health information had been exposed. The review has now been completed and patients are being notified that their name, address, financial information, Social Security number, health insurance information, medical history, and treatment information may have been compromised.

All affected patients have been offered complimentary credit monitoring and identity theft protection services.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights shows 21,407 patients were impacted by the breach.

Hunt Regional Healthcare Victim of Cyberattack

Greenville, TX-based Hunt Regional Healthcare has announced it experienced a cyberattack on May 14, 2019 in which hackers gained access to its computer network and the protected health information of certain patients.

The attackers potentially accessed files containing patient names, telephone numbers, dates of birth, Social Security numbers, race, and religious preferences. The incident has been reported to the FBI and Hunt Regional Healthcare is assisting in the investigation.

Hunt Regional Healthcare has said no evidence of unauthorized data access or data theft has been discovered, but patients are being notified as a precaution and are being offered free access to IDExperts credit monitoring and identity theft protection services.

It is currently unclear how many patients have been affected by the breach.

The post 21,400 Patients Impacted by St. Croix Hospice Phishing Attack appeared first on HIPAA Journal.

Wise Health System Phishing Attack impacts 35,899 Patients

Wise Health System in Decatur, TX, has started sending notifications to patients to inform them that some of their protected health information (PHI) has been exposed as a result of a phishing attack. 35,899 patients have potentially been affected.

The attack occurred on March 14, 2019. Several employees received phishing emails and some responded and disclosed their account credentials. The credentials were then used to gain access to the Employee Kiosk, where the attacker(s) attempted to reroute payroll direct deposits. Attempts were made to redirect approximately 100 direct deposit payments.

Wise Health had policies in place that require a paper check to be printed for two successive payrolls following a change to direct deposit information. The checks were printed in the payroll on April 5 and the unusually high number of checks raised the alarm. Thanks to the two-check policy, the fraud was prevented and no payments were redirected. A system-wide password change was immediately performed to lock out the attackers and two third-party forensic firms were hired to investigate the breach. The breach was also reported to the FBI.

The sole purpose of the attack appears to have been to reroute direct deposits, although the stolen credentials would have allowed access to be gained to employee email accounts. Those accounts contained patients’ names, medical record numbers, diagnostic information, treatment information, and health insurance information.

Wise Health System does not believe PHI was accessed by the attackers and no reports have been received which suggest any patient information has been misused. Both forensics firms and the FBI share that point of view. The investigators all agreed they have never seen a direct deposit attack such as this where the attackers have stolen patient data. These gangs specialize in direct deposit fraud. The attackers in this case were traced to Africa by the FBI, which has now closed its investigation.

Since unauthorized PHI access and data theft could not be ruled out, to ensure patients are protected, notification letters were sent on July 12, 2019 and affected patients have been offered a 12-month complimentary membership to the ID Experts MyIDCare service (credit monitoring, identity theft recovery, and insurance coverage).

Wise Health System is reviewing its security policies and procedures and will be taking steps to reinforce security.

The post Wise Health System Phishing Attack impacts 35,899 Patients appeared first on HIPAA Journal.

2.2 Million Clinical Pathology Laboratories Patients Affected by AMCA Breach

Clinical Pathology Laboratories in Texas has recently discovered the protected health information (PHI) of approximately 2.2 million of its patients has potentially been compromised in the data breach at American Medical Collection Agency (AMCA).

AMCA provides debt collection services to many healthcare companies, which requires access to the PHI of patients with outstanding bills. A cyberattack on the AMCA payment website allowed hackers to gain access to the site and, through it, the PHI of patients. Hackers had access to the payment website for 8 months before the breach was detected.

As of today, July 18, 2019, five AMCA clients have confirmed they have been affected by the breach. First came Quest Diagnostics, which announced through an SEC filing that 11.9 million of its patients had been affected. That was closely followed by LabCorp’s announcement that 7.7 million records had been exposed. BioReference Laboratories also confirmed that around 422,000 of its patients had been affected, and recently 13,000 patients of Penobscot Community Health Center in Maine have been confirmed to have been affected. To date, more than 22.2 million patients are known to have been affected by the breach.

All of the above healthcare providers were notified in May, two months after AMCA became aware of the breach. However, only limited information about the breach was provided initially as AMCA continued to investigate.

Clinical Pathology Laboratories was notified in May but was not provided with sufficient information about who had been affected, so its breach announcement had to be delayed. AMCA has now confirmed that names, addresses, birth dates, dates of service, account balances, and credit/debit card or banking information were potentially compromised.

AMCA has started sending notification letters to all affected Clinical Pathology Laboratories patients. So far, around 34,500 letters have been sent. Those individuals had their personal and financial information exposed. AMCA has since discovered a further 2.2 million patients had their data exposed, although credit/debit card and banking information was not held for those customers.

As has been the case with all other affected entities, Clinical Pathology Laboratories has stopped doing business with AMCA. AMCA’s parent company has filed for Chapter 11 protection, several lawsuits have been filed, and several state Senators have written to AMCA demanding answers. OCR will also be keen to discover how such a major breach could have occurred and fail to be detected for 8 months. Questions will also be asked about the breach response. Despite discovering the breach in March 2019 or earlier, it took until June 4 for notification letters to start being issued.

The post 2.2 Million Clinical Pathology Laboratories Patients Affected by AMCA Breach appeared first on HIPAA Journal.