HIPAA Breach News

Verity Health System Suffers Third Phishing Breach in 3 Months

Verity Health System patients’ PHI was exposed in a phishing attack in 2016, in two further phishing attacks in November 2018, and the 6-hospital health system has now announced yet another attack occurred in January 2019. The latest phishing incident has impacted 14,894 patients. Across the three incidents, three employees’ email accounts were compromised.

Verity Health System explained in its breach notification letters that no evidence was found to suggest any patients’ protected health information had been accessed by unauthorized individuals. The compromised accounts are believed to have been used to send further phishing emails to other individuals in the organization, although PHI access could not be ruled out.

The types of information exposed in the latest attack include names, addresses, contact telephone numbers, dates of birth, diagnoses, treatment information, health insurance policy numbers, subscriber numbers, patient ID numbers, and billing codes. Some of the files attached to emails also included Social Security numbers and driver’s license numbers. Some Verity Health employees also had personal information exposed.

Patients affected by the breach had previously received medical services at Verity Health’s O’Connor Hospital, St. Louise Regional Hospital, St. Francis Medical Center, St. Vincent Medical Center, and Seton Medical Center, including the Seton Coastside campus. Some Verity Medical Foundation patients were also affected.

All patients affected by the breach have now been notified by mail and individuals whose Social Security number or driver’s license number was exposed have been offered complimentary credit monitoring services for 12 months.

In all of the phishing attacks, Verity Health identified the breach quickly and promptly terminated unauthorized access to the compromised accounts. The accounts were then disabled, affected computers were disconnected from the network, and all emails that the attackers had sent from the compromised accounts were deleted from the email system.

The attacks have prompted Verity Health to deploy a new phishing training module and all employees will be required to complete the training. A new project has also been launched to improve email security, which includes compulsory password resets and disabling unknown URLs.

The post Verity Health System Suffers Third Phishing Breach in 3 Months appeared first on HIPAA Journal.

Medical Device Manufacturer Notifies 277,319 Patients About PHI Exposure

The Pennsylvania medical device manufacturer and software developer, ZOLL Medical Corporation, has started notifying 277,319 patients about the exposure of some of their personal and medical information.

The information was contained in emails that had been archived using a third-party email archiving solution. During a server migration, archived emails were exposed and could potentially have been accessed by unauthorized individuals.

Upon discovery of the breach, ZOLL initiated an investigation and hired a third-party computer forensics company to determine whether any unauthorized individuals had accessed emails and viewed or downloaded patient information.

The investigation revealed protections had been removed on November 8, 2018 and emails remained accessible until December 28, 2018. No evidence was uncovered to suggest any sensitive information was accessed by unauthorized individuals, but it was not possible to rule out the possibility that personal and medical information had been compromised.

An analysis of the archived emails revealed they contained patient names, addresses, dates of birth and a limited amount of medical information. A small percentage of affected patients also had their Social Security number exposed.

As a precaution against identity theft and fraud, all patients affected by the breach have been offered complimentary credit monitoring and identity theft protection services for 12 months.

ZOLL has confirmed that the email archiving company has secured all exposed emails and has implemented measures to prevent further data breaches. ZOLL has said it has conducted a review of its own processes for managing third-party vendors and has updated policies and procedures to prevent any further data breaches.


Northwestern Medicine Sued Over Medical Information Disclosure on Twitter

Northwestern Medicine Regional Medical Group is being sued by a patient whose sensitive medical information was disclosed on Twitter and Facebook.

Gina Graziano discovered some of her sensitive medical information had been disclosed on social media websites and contacted Northwestern Medicine to complain about the privacy violation.

Northwestern Medicine investigated the complaint and determined that Graziano’s medical records had been accessed on two separate occasions by a hospital employee who had no treatment relationship with Graziano. The records were accessed on March 5 and 6, 2019, using an employee’s login credentials.

Graziano’s medical file contained a range of sensitive information, including her personal details, the reason for a recent visit to the emergency department, lab test results, medications, medical history, imaging results, and other information.

Sensitive information which Graziano did not want to be placed in the public domain was disseminated on social media sites causing her to be publicly humiliated. While Northwestern Medicine did not disclose the name of the employee in the letter sent in response to her complaint, Graziano learned that the individual was Jessica Wagner, the current girlfriend of her ex-boyfriend David Wirth. Both individuals have also been named in the legal action.

Graziano’s lawsuit alleges that Wagner accessed her medical records for a period of 37 minutes and then impermissibly disclosed some of that medical information, which was posted on social media sites with the intent of causing Graziano harm.

Northwestern Medicine has confirmed that appropriate disciplinary action has been taken against the employee over the HIPAA violation and the Department of Health and Human Services has been notified of the HIPAA breach. It is unclear whether criminal charges have been filed against Wagner. CBS Chicago reports that Wagner was fired over the HIPAA violation.

Northwestern Medicine has issued an apology and has offered Graziano 12 months of credit monitoring services as a precaution against identity theft and fraud.


Database of New Jersey Healthcare Provider Found to be Leaking Patient Data

Another unsecured healthcare database has been discovered which contains an estimated 37,000 records.

The discovery was made on March 1, 2019 by security researcher Jeremiah Fowler. A brief analysis of the database appeared to show the records belonged to the New Jersey healthcare provider, Home Health Radiology Services LLC. The database contained highly sensitive patient information such as names, addresses, phone numbers, and dates of birth along with medical notes, diagnoses, treatment information, insurance information, and in some cases, Social Security numbers.

In a recent blog post on securitydiscovery.com, Fowler explained that 37,000 case files were found along with 1,540 doctor’s information records, chat logs, emails, support tickets, and many other sensitive files.

The records were mostly contained in an Elasticsearch database which could be accessed over the internet by anyone without any authentication.

The unsecured database was reported to Home Health Radiology Services, which promptly secured the database to prevent any further unauthorized access. It is currently unclear how long the database was accessible over the internet and whether anyone other than Fowler viewed the data.

The incident is one of many similar breaches that have occurred as a result of protections being removed from servers and databases. Also this week, a fax server used by Sacramento, CA-based medical software provider Meditab Software Inc., was discovered to have had protections removed which allowed healthcare faxes to be viewed in real time over the internet. More than 6 million records were reportedly housed on the server.

In February, almost 1 million records of UW Medicine were discovered to have been exposed over the internet due to a database misconfiguration.

These incidents highlight the importance of putting policies and procedures in place to ensure that all servers and databases used to store patient health information are checked to confirm they have protections in place to prevent unauthorized data access, especially after any software upgrades have been performed or patches have been applied.

These are not isolated incidents. In late 2018, a study by the enterprise threat management platform provider IntSights suggested as many as 30% of healthcare databases have been exposed online.
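The post-patch check recommended above can be automated for the Elasticsearch case that both the Home Health Radiology and Meditab incidents involved. The script below is an added example, not code from HIPAA Journal or from any of the organizations named; it probes an endpoint the way a defender auditing their own inventory would and classifies it as open, auth-required, or unreachable. Because a live cluster is not available here, it includes a constructed stand-in node (an assumption: the field names mirror the real banner that Elasticsearch serves on GET /, the values are made up) so it runs offline.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample of the JSON banner an Elasticsearch node returns on GET /.
# Field names follow the real response; values are made up for this example.
SAMPLE_ROOT_RESPONSE = {
    "name": "node-1",
    "cluster_name": "radiology-archive",
    "version": {"number": "6.5.4"},
    "tagline": "You Know, for Search",
}


def audit_elasticsearch(base_url, timeout=5):
    """Classify an Elasticsearch endpoint from a defender's point of view.

    Returns one of:
      "open"          - the cluster banner is served with no credentials at all
      "auth_required" - the node answered 401/403, so anonymous access is refused
      "unreachable"   - no HTTP answer (closed port, firewall, DNS failure)
      "other"         - something answered, but not an Elasticsearch banner
    """
    req = urllib.request.Request(base_url.rstrip("/") + "/", method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as err:
        return "auth_required" if err.code in (401, 403) else "other"
    except (urllib.error.URLError, OSError):
        return "unreachable"
    try:
        doc = json.loads(body)
    except ValueError:
        return "other"
    # An anonymous 200 with the cluster banner is exactly the exposure described
    # in the article: anyone on the internet can read the cluster without a login.
    if isinstance(doc, dict) and "cluster_name" in doc \
            and doc.get("tagline") == "You Know, for Search":
        return "open"
    return "other"


class _FakeNode(BaseHTTPRequestHandler):
    """Minimal constructed stand-in for an Elasticsearch node (assumption: a real
    node serves the banner on GET / and, with security enabled, returns 401)."""
    require_auth = False

    def do_GET(self):
        if self.require_auth and not self.headers.get("Authorization"):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="security"')
            self.end_headers()
            return
        payload = json.dumps(SAMPLE_ROOT_RESPONSE).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_fake_node(require_auth):
    """Start a fake node on an ephemeral localhost port and return its base URL."""
    handler = type("Node", (_FakeNode,), {"require_auth": require_auth})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % server.server_address[1]


def demo():
    """Audit one open node and one node that insists on credentials."""
    return {label: audit_elasticsearch(start_fake_node(auth))
            for label, auth in (("open-node", False), ("secured-node", True))}


if __name__ == "__main__":
    for label, verdict in demo().items():
        print("%-13s %s" % (label, verdict))
```

Pointing audit_elasticsearch at each database host in an asset inventory after every upgrade or migration turns the article's recommendation into a repeatable check; any "open" verdict is a finding to fix before data is indexed.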


Potentially Massive Breach of Protected Health Information Discovered

Sacramento, CA-based medical software provider Meditab Software Inc., and its San Juan, PR-based affiliate, MedPharm Services, have suffered a massive breach of protected health information.

Meditab provides electronic medical record (EMR) and practice management software to hospitals, physician’s offices, and pharmacies. According to the company website, its software is used by more than 2,200 healthcare clients.

Meditab also provides a fax processing service and one of the servers used for processing faxes has been discovered to be leaking data and could be accessed over the internet without the need for any authentication.

The unprotected fax server was discovered by the Dubai-based cybersecurity firm SpiderSilk. The fax server was hosted on a subdomain of MedPharm Services and housed an Elasticsearch database containing fax communications. Those faxes could be accessed in real time. The database was created in March 2018 and housed more than 6 million records. It is currently unclear how many of those records contained protected health information.

According to a recent report on TechCrunch, a brief review of the faxes in the database revealed they contained highly sensitive information such as names, addresses, dates of birth, insurance information, payment information, Social Security numbers, doctor’s notes, prescription details, diagnoses, lab test results, and medical histories. None of the information was encrypted.

Meditab Software and MedPharm Services were both founded by Kalpesh Patel, who TechCrunch contacted about the breach. After being alerted to the breach, the fax server was taken offline, and an investigation was launched to identify the cause of the breach.

Database logs are currently being assessed to determine the extent of the breach, which patients have been affected, and whether the database was accessed by unauthorized individuals or downloaded.

It is unclear for how long the server was left unprotected and how many patients have been affected by the breach. Considering the number of records in the database, this breach has potential to be one of the largest ever healthcare data breaches in the United States.

Further information will be posted as and when it becomes available.


February 2019 Healthcare Data Breach Report

Healthcare data breaches continued to be reported at a rate of more than one a day in February. February saw 32 healthcare data breaches reported, one fewer than January.

[Chart: Healthcare data breaches by month]

The number of reported breaches may have fallen by 3%, but February’s breaches were far more severe. More than 2.11 million healthcare records were compromised in February breaches, a 330% increase from the previous month.

[Chart: Records exposed in healthcare data breaches by month]

Causes of Healthcare Data Breaches in February 2019

Commonly there is a fairly even split between hacking/IT incidents and unauthorized access/disclosure incidents; however, in February, hacking and IT incidents such as malware infections and ransomware attacks dominated the healthcare data breach reports.

75% of all reported breaches in February (24 incidents) were hacking/IT incidents and those incidents resulted in the theft/exposure of 96.25% of all records that were breached. All but one of the top ten healthcare data breaches in February were due to hacks and IT incidents.

There were four unauthorized access/disclosure incidents and four cases of theft of physical or electronic PHI. The unauthorized access/disclosure incidents accounted for 3.1% of all compromised records, and 0.65% of records were compromised in the theft incidents.

[Chart: Causes of healthcare data breaches in February 2019]

Largest Healthcare Data Breaches in February 2019

The largest healthcare data breach reported in February involved the accidental removal of safeguards on a network server, which allowed the protected health information of more than 973,000 patients of UW Medicine to be exposed on the internet. Files were indexed by the search engines and could be found with simple Google searches. Files stored on the network server were accessible for a period of more than 3 weeks.

The second largest data breach was due to a ransomware attack on Columbia Surgical Specialist of Spokane. While patient information may have been accessed, no evidence was found to suggest any ePHI was stolen by the attackers.

The 326,629-record breach at UConn Health was due to a phishing attack in which multiple employees’ email accounts were compromised, and a phishing attack on Rutland Regional Medical Center compromised one email account that contained the ePHI of more than 72,000 patients.

| Rank | Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach |
|---|---|---|---|---|
| 1 | UW Medicine | Healthcare Provider | 973,024 | Hacking/IT Incident |
| 2 | Columbia Surgical Specialist of Spokane | Healthcare Provider | 400,000 | Hacking/IT Incident |
| 3 | UConn Health | Healthcare Provider | 326,629 | Hacking/IT Incident |
| 4 | Rutland Regional Medical Center | Healthcare Provider | 72,224 | Hacking/IT Incident |
| 5 | Delaware Guidance Services for Children and Youth, Inc. | Healthcare Provider | 50,000 | Hacking/IT Incident |
| 6 | Rush University Medical Center | Healthcare Provider | 44,924 | Unauthorized Access/Disclosure |
| 7 | AdventHealth Medical Group | Healthcare Provider | 42,161 | Hacking/IT Incident |
| 8 | Reproductive Medicine and Infertility Associates, P.A. | Healthcare Provider | 40,000 | Hacking/IT Incident |
| 9 | Memorial Hospital at Gulfport | Healthcare Provider | 30,642 | Hacking/IT Incident |
| 10 | Pasquotank-Camden Emergency Medical Service | Healthcare Provider | 20,420 | Hacking/IT Incident |

Location of Breached Protected Health Information

Email is usually the most common location of compromised PHI, although in February there was a major rise in data breaches due to compromised network servers. 46.88% of all breaches reported in February involved ePHI stored on network servers, 25% involved ePHI stored in email, and 12.5% involved ePHI in electronic medical records.

[Chart: Location of breached PHI]

Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected by data breaches in February 2019 with 24 incidents reported. There were five breaches reported by health plans, and three breaches reported by business associates of HIPAA-covered entities. A further seven breaches had some business associate involvement.

[Chart: February 2019 healthcare data breaches by covered entity]

Healthcare Data Breaches by State

The healthcare data breaches reported in February were spread across 22 states. California and Florida were the worst affected states with three breaches apiece. Two breaches were reported in each of Illinois, Kentucky, Maryland, Minnesota, Texas, and Washington, and one breach was reported in each of Arizona, Colorado, Connecticut, Delaware, Georgia, Kansas, Massachusetts, Mississippi, Montana, North Carolina, Virginia, Wisconsin, and West Virginia.

HIPAA Enforcement Actions in February 2019

2018 was a record year for HIPAA enforcement actions, although 2019 has started slowly. The HHS’ Office for Civil Rights has not issued any fines or agreed to any HIPAA settlements so far in 2019.

There were no enforcement actions by state attorneys general over HIPAA violations in February. The only 2019 penalty to date is January’s $935,000 settlement between California and Aetna.


Three Healthcare Ransomware Attacks Reported: 70,000 Individuals Affected

Three ransomware attacks have been reported by healthcare organizations and vendors in the past few days. The PHI of almost 70,000 patients has potentially been compromised.

50,000 Individuals Affected by Ransomware Attack on Delaware Guidance Services for Children and Youth

Delaware Guidance Services for Children and Youth (DGS) was forced to pay a ransom to recover files that had been encrypted in a Christmas Day ransomware attack. DGS has not publicly disclosed how much was paid for the decryption keys to unlock the files on its data servers.

After recovering files, DGS engaged an IT firm to conduct a forensic analysis to determine whether the attackers had gained access to sensitive information prior to encrypting files. The firm found no evidence to suggest that any protected health information had been compromised or stolen. The attack appeared to have been conducted solely for the purpose of extorting money from DGS.

DGS started sending notification letters to the parents and guardians on February 26, 2019 alerting them that sensitive information had been exposed. The types of data in the files that were encrypted by the ransomware included names, addresses, birth dates, medical information, and Social Security numbers.

All affected individuals have been offered 12 months of complimentary credit monitoring services through MyIDCare.

The ransomware attack was reported to law enforcement and the Department of Health and Human Services’ Office for Civil Rights (OCR). The OCR breach summary indicates the PHI of up to 50,000 individuals was potentially compromised in the attack.

Maffi Clinics Ransomware Attack Impacts 10,465 Patients

Maffi Clinics, a network of 5 plastic surgery and skin care clinics in Arizona, is alerting 10,465 patients that some of their protected health information was potentially compromised as a result of a September 11, 2018 ransomware attack.

The attack was promptly detected and remediated, limiting the potential for unauthorized data access. In its breach notification letter to patients, Maffi Clinics explained that the unauthorized access point was quickly detected and terminated, and systems were shut down to limit the harm caused. Access to Maffi Clinics’ systems was possible for just 5 hours.

An independent IT consulting firm was able to remove the ransomware and recover files from backups without data loss. No evidence was uncovered to suggest that the attackers had viewed or downloaded any patient information. Maffi Clinics also said no ransom demand was received.

While unauthorized PHI access is not suspected, if the attackers did access or download files, they would only have been able to view names, addresses, phone numbers, and pre- and post-operative records.

Maffi Clinics has taken steps to improve security and additional safeguards have now been implemented to prevent further ransomware and malware attacks. OCR was notified about the attack on March 6, 2019.

Direct Scripts Ransomware Attack Impacts 9,319 Individuals

Direct Scripts, an Ohio provider of pharmacy benefits management services, suffered a ransomware attack on January 30, 2019 which resulted in the encryption of files containing patients’ protected health information.

The affected server was found to contain customer names, addresses and prescription information. All other information stored by Direct Scripts was located on servers and computers that were not accessible to the attackers. No evidence has been uncovered to suggest any patient information has been misused.

Direct Scripts has sent notification letters to affected individuals and the incident has been reported to OCR. The OCR breach report indicates 9,319 individuals were potentially affected by the attack.


More Than 600,000 Michigan Residents Affected by Wolverine Solutions Breach, Warns AG Nessel

Michigan Attorney General Dana Nessel has issued a warning to Michigan residents about the ransomware attack on Detroit-based Wolverine Solutions Group, which she says may have affected more than 600,000 Michigan residents.

Nessel has advised all individuals who receive a breach notification letter to sign up for credit monitoring services, to monitor their accounts and explanation of benefits (EOB) statements for signs of fraudulent use of their data, to place a fraud alert on their credit file, and to consider freezing their credit file as a protection against fraud and identity theft.

The cyberattack on Wolverine Solutions Group occurred on or around September 23, 2018. Critical systems were mostly restored within a month, but it has taken considerably longer to determine which clients had been affected. Some clients were only notified about the extent of the attack in March.

While the types of information differ from company to company and individual to individual, the exposed information may include data elements such as names, addresses, dates of birth, social security numbers, insurance contract information and numbers, phone numbers, and medical information.

Healthcare organizations known to be affected include:

  • Blue Cross Blue Shield of Michigan
  • Mary Free Bed Rehabilitation Hospital
  • Sparrow Health System
  • McLaren Health Care
  • Covenant Health Care
  • Health Alliance Plan
  • North Ottawa Community Health System
  • Three Rivers Health
  • Warren General Hospital
  • University of Pittsburgh Medical Center Kane

The attack is believed to have started with the download of the Emotet Trojan, which in turn downloaded the ransomware that encrypted files containing protected health information. The Emotet Trojan has been used in several recent attacks in combination with Ryuk ransomware. Wolverine Solutions’ president Darryl English told the Daily Swig that the ransom demand was paid.

“Data breaches can be devastating to the affected individuals,” said Nessel on Monday. “It’s important this office provide affected customers with any and all available resources to help limit the effects of this – or any – breach. And today, we’re doing just that.”

Under state laws, Wolverine was not obliged to notify the attorney general of the breach. Nessel discovered the breach from media reports and has written to Wolverine requesting further information about the incident. Most other states require notifications of data breaches to be sent to the state attorney general. This breach could well trigger an update to data breach notification laws in Michigan.

While AG Nessel has put the number of affected individuals at 600,000 or more, the final total is not yet confirmed and, according to Wolverine, could be in the high six figures.

Wolverine Solutions is issuing notifications to affected individuals and is offering them free access to credit monitoring and identity theft protection services.


Business Associate Starts Issuing Notifications About August 2018 Laptop Theft

A Massachusetts business associate has discovered the electronic protected health information (ePHI) of 2,088 individuals has potentially been viewed by unauthorized individuals. The ePHI was stored on an employee’s laptop computer that was stolen on August 23, 2018.

RSC Insurance Brokerage, dba Re-Solutions, started notifying affected healthcare providers about the breach of their patients’ PHI on January 22, 2019, 5 months after the discovery of the theft of the laptop.

According to the breach notice submitted to the California Attorney General, a third-party cyber security firm was called in to help determine what files had been stored on the laptop, the types of information that was accessible, and how many individuals had potentially been impacted.

The theft was reported to law enforcement at the time and the employee’s credentials were changed to ensure that the laptop could not be used to access RSC systems. However, files were stored locally on the laptop and could potentially be accessed, because while the device was password-protected, it was not encrypted.

No evidence of unauthorized data access was discovered, and RSC said no reports have been received to suggest there has been any misuse of the data.

To protect affected individuals from identity theft and fraud, complimentary membership to Experian’s IdentityWorks identity theft protection service has been offered for 12 months. Affected individuals have also been advised to check their explanation of benefits statements from their health insurer for services that are listed but have not been received.

RSC said that security measures are being enhanced to prevent any information stored on portable electronic devices from being exposed in the future.

The Department of Health and Human Services’ Office for Civil Rights (OCR) was notified about the breach on March 1, 2019. The HIPAA Breach Notification Rule requires notification letters to be issued within 60 days of the discovery of a breach. It is unclear why it took so long to determine that PHI had been exposed.

Arizona Medicaid Agency Mailing Error Impacts 3,146 Individuals

Arizona’s Medicaid agency, the Arizona Health Care Cost Containment System (AHCCCS), has announced that it has experienced a privacy breach as a result of an error mailing IRS 1095-B forms to Arizona Medicaid recipients. IRS 1095-B forms are reports that an individual has been enrolled in a qualified health plan.

AHCCCS sent a mailing to 1.87 million members earlier in 2019 but discovered that 3,146 of the forms had been delivered to incorrect addresses. No Social Security numbers were detailed on the forms, only names and dates of birth.

In all cases, the mailing error resulted in that information being disclosed to one other individual. AHCCCS has started mailing individuals affected by the breach to notify them of the privacy breach, which has been attributed to a programming error.
