East River Medical Imaging in New York has started notifying 605,809 patients that some of their protected health information has been exposed or stolen in a cyberattack that was detected on September 20, 2023. The network was immediately taken offline, and a forensic investigation was launched to determine the nature and scope of the incident. The investigation determined there had been unauthorized access to its network between August 31, 2023, and September 20, 2023, and during that time, files containing patient data had been accessed and copied from its network.

The compromised information varied from individual to individual and may have included names, contact information, insurance information, exam and/or procedure information, referring physician names, imaging results, and/or Social Security numbers. Employee data was also compromised, including names, contact information, financial account information, Social Security numbers, and/or driver’s license numbers.

East River Medical Imaging said it has enhanced its network monitoring capabilities and will continue to assess and supplement its security controls. Notification letters started to be mailed to the affected individuals on November 22, 2023. Individuals whose Social Security numbers and/or driver’s license numbers were compromised have been offered complimentary credit monitoring services.

The Fred Hutchinson Cancer Center Suffers Thanksgiving Cyberattack

The Fred Hutchinson Cancer Center in Seattle, WA, has confirmed that it detected unauthorized network activity on its clinical network during Thanksgiving week. An investigation into the unauthorized activity is ongoing and it is not yet clear if any patient data has been compromised. The network was taken offline within 72 hours of the security incident being identified and the clinical network is currently still offline. The MyChart online patient portal and its research network were unaffected. Care continued to be provided to patients and staff are working round the clock to resolve the issue and bring systems back online. No time frame could be provided on how long that process will take.

The Fred Hutchinson Cancer Center was one of several healthcare providers to be attacked at Thanksgiving. Several hospitals operated by Ardent Health Services were affected by a ransomware attack and were forced to cancel appointments and divert ambulances.

1st Source Bank Confirms MOVEit Transfer Hack

1st Source Bank has confirmed that the protected health information of 1,477 individuals was stolen in May 2023 when hackers exploited a zero day vulnerability in Progress Software’s MOVEit Transfer solution. The breach was discovered on June 1, 2023, and the review of the affected files and the collection of information required to issue notifications was completed on or around October 27, 2023. The compromised information includes names and Social Security numbers. Complimentary identity monitoring services have been provided to the affected individuals for 12 months.

The post East River Medical Imaging Cyberattack Affects 606,000 Patients appeared first on HIPAA Journal.

Proliance Surgeons, a Seattle, WA-based surgical group that has around 100 locations in Washington state, has notified 437,392 individuals that some of their protected health information may have been stolen in a ransomware attack earlier this year. The breach notice on the website of Proliance Surgeons states that a forensic investigation was conducted by third party cybersecurity experts which confirmed that some files had been removed from its network before files were encrypted.

On May 24, 2023, it was confirmed that files containing patients’ protected health information may have been accessed or acquired on February 11, 2023. At the time it was unclear exactly how many individuals had been affected. A comprehensive review was conducted of all files potentially accessed or acquired in the attack, which confirmed they contained names in combination with one or more of the following: date of birth, Social Security number, medical treatment information, health insurance information, phone number, email address, financial account number, driver license or other identification information, and usernames and passwords.

Proliance Surgeons said immediate action was taken to protect patients’ private information and cybersecurity protocols have since been enhanced. There is no mention of credit monitoring or identity theft protection services. At least one lawsuit has already been filed against Proliance Surgeons in response to the breach.

Medical College of Wisconsin Says 240,000 Individuals Affected by MOVEIt Transfer Hack

The Medical College of Wisconsin (MCW) has confirmed that the protected health information of 240,667 individuals was stolen by the Clop hacking group, which exploited a zero day vulnerability in Progress Software’s MOVEit Transfer solution.  MCW was contacted on May 31 by Progress Software and implemented the patch and recommended mitigation measures but discovered the vulnerability had already been exploited on or around May 27, 2023.

The forensic investigation and document review was completed on or around September 21, 2023, and confirmed that the stolen data included full names, dates of birth, Social Security numbers, driver’s license/government identification numbers, financial account information, medical record/patient account number(s), medical diagnosis/treatment information, medical provider name(s), lab results, prescription information, and health insurance information.

Notification letters started to be mailed to the affected individuals on November 14, 2023. Individuals who had their Social Security numbers stolen have been offered complimentary credit monitoring and identity theft protection services.

Data Stolen in Ransomware Attack on Rock County, Wisconsin

Legal Counsel for Rock County in Wisconsin has issued notification letters about a cyberattack and data breach that affected 25,823 individuals. According to the notification letters, suspicious activity was detected within its computer systems on or around September 29, 2023. The forensic investigation confirmed that unauthorized individuals had access to its network between September 22, 2023, to September 30, 2023, and during that time, acquired certain files from its network.

A review of the affected files was initiated to determine the individuals affected and the types of data stolen in the attack. That review is ongoing, but it has been confirmed that the data impacted included names and Social Security numbers. Complimentary credit monitoring services have been offered to the affected individuals.

The nature of the attack was not disclosed, other than the attack involving data theft. The HIPAA Journal has confirmed that this was a ransomware attack by the Cuba ransomware group, which has listed Rock County on its data leak site. Victims are therefore strongly advised to take advantage of the credit monitoring services being offered.

The post Almost 440,000 Individuals Affected by Cyberattack on Proliance Surgeons appeared first on HIPAA Journal.

The State of Maine has confirmed that the protected health information of 453,894 individuals was stolen in the recent mass hacking of a zero-day vulnerability in Progress Software’s MoveIT Transfer solution. Progress Software released a patch to fix the vulnerability on May 31, 2023; however, the vulnerability had already been exploited. The State of Maine’s investigation confirmed that the vulnerability had been exploited between May 28, 2023, and May 29, 2023, and sensitive data had been stolen by the Clop hacking group.

The breach was limited to its MOVEit server, and no other systems were compromised. The Clop hacking group claimed they were only interested in hacking businesses and said they would delete all data stolen from governments; however, the State of Maine is urging all affected individuals to ignore those claims and take steps to protect themselves against fraud. The individuals affected may have been Maine residents, employees, or could have received services from or interacted with a state agency. Maine also participates in data sharing agreements with other organizations to enhance the services it offers to residents and the public.

The data exposed would depend on the interactions with state agencies. All affected individuals who had their Social Security numbers or taxpayer identification numbers stolen have been offered two years of complimentary credit monitoring and identity protection services.

Affinity Legacy Inc. Affected by MOVEit Hack

Affinity Legacy Inc., formerly known as Affinity Health Plan, Inc., has confirmed that it was affected by the recent MOVEit Transfer hacks. The breach occurred at one of its business associates, which provided claims processing services, and used the software solution for file transfers.

The vulnerability was exploited between May 30 and June 2, 2023, and on June 21, 2023, the vendor determined that certain files had been downloaded by the attackers that contained the protected health information of 5,538 individuals who were either Affinity Health Plan members prior to 2019, or EmblemHealth Medicare Advantage Plan members after 2019. The stolen data included names, mailing addresses, dates of birth, Social Security numbers, Medicare numbers and/or medical diagnosis codes. Complimentary personal identity and privacy protection services have been offered to the affected individuals.

The Charles Lea Center Suffers Ransomware Attack

The Charles Lea Center, a non-profit organization in Spartanburg County, SC, has recently notified 1,250 individuals that some of their personal information was compromised in a June 2023 ransomware attack. The incident was detected on June 19, 2023, when a portion of its network was encrypted. A ransom demand was issued, and the threat actor claimed to have exfiltrated a limited number of files from its systems.

While the forensic investigation could not determine the specific types of information that had been compromised, the file review confirmed on October 2, 2023, that the exposed files contained names, Social Security numbers, dates of birth, and some medical treatment information. The Charles Lea Center has offered the affected individuals complimentary credit monitoring services and has advised them to monitor their financial account statements regularly for signs of fraud. The Charles Lea Center said it had taken steps to ensure the privacy of data before the attack and will be augmenting those measures to further enhance security.

Detroit Chassis Health Plan Member Data Exposed

Detroit Chassis in Michigan, a provider of niche vehicle manufacturing solutions, was the victim of a sophisticated cyberattack that occurred on or around March 12, 2023. When the attack was detected, immediate action was taken to secure its systems and third-party cybersecurity experts were engaged to investigate. The investigation confirmed that the attackers had access to parts of its network that contained the data of 958 members of its health plan which was stored on an email server that was in the process of being decommissioned.

Detroit Chassis said, “While we believe there is a reasonable basis to conclude this information was not subject to unauthorized acquisition, we were unable to rule it out.” The server contained information such as names, addresses, dates of birth, Social Security numbers, driver’s licenses, financial account information, passport numbers, credit card numbers, state identification numbers, usernames and access information for non-financial accounts, medical information, health insurance numbers and information related to its employee prescription benefits plan.

Medical Records Stolen in Lakeview Healthcare System Break-in

Lakeview Healthcare System, a central Florida health system, had a break-in at its Fern Drive location in Leesburg on September 29, 2023.  The break-in occurred around 5 a.m. and the intruder stole three password-protected mobile devices and medical records that contained the protected health information of patients. The paper records included information such as names, addresses, diagnosis and treatment information, and billing information.

Lakeview Healthcare System said it has engaged in extensive remediation efforts to minimize the risk of similar incidents in the future, has reviewed its security policies and procedures, and has re-educated the workforce on data security and secure document storage. Physical security measures are being assessed at each location, including using more shred bins, upgrading physical locks, and implementing additional access controls to allow for faster and more precise termination of access.

The breach has been reported to the HHS’ Office for Civil Rights as affecting 2,495 individuals.

The post State of Maine Reports 450,000-Record Data Breach appeared first on HIPAA Journal.

California Physicians’ Service, which does business as Blue Shield of California, has confirmed that it has been affected by the mass exploitation of a vulnerability in Progress Software’s MOVEit Transfer file transfer solution. The breach has been reported to the HHS’ Office for Civil Rights in two separate breach reports, one involving the data of 636,848 Blue Shield of California plan members and another that has affected 26,523 Blue Shield of California or Blue Shield of California Promise Health Plan members.

The breach occurred at an unnamed vendor of Blue Shield of California that managed vision benefits. The vendor used the MOVEit Transfer solution to transfer large files as part of its contracted duties. A zero-day vulnerability in the MOVEIt Transfer solution was exploited between May 28, and May 31, 2023, and files were exfiltrated that included members’ names, birthdates, addresses, subscriber ID numbers, subscribers’ names, birthdates, Social Security numbers, group ID numbers, vision providers’ names, patient ID numbers, vision claims numbers, vision-related treatment and diagnosis information, and vision-related treatment cost information. The Clop hacking group claimed responsibility for the hacks.

Blue Shield of California said its own systems were not compromised. The breach was limited to the MOVEit Transfer server. Credit monitoring and identity restoration services have been offered to the affected individuals.

Wyoming County Community Health System Confirms March 2023 Cyberattack

Wyoming County Community Health System in Warsaw, NY, has experienced a cybersecurity incident that has caused network disruption. The security breach was detected on March 28, 2023, and the subsequent forensic investigation determined that files had been exposed on that date and may have been accessed or acquired by unauthorized individuals. A review was then conducted of the files to determine the individuals and types of data involved, and that process was completed on November 8, 2023. The review confirmed up to 26,000 individuals had been affected and had some or all of the following information exposed: name, Social Security number, driver’s license/state identification number, date of birth, biometric data, medical information, health insurance information, and account number.

Notification letters were sent to the affected individuals on November 16, 2023. Wyoming County Community Health System said it has implemented additional measures to enhance network security and minimize the risk of a similar incident occurring in the future.

Westside Community Services Confirms Cyberattack and Data Theft

The San Francisco, CA-based social services organization, Westside Community Services, has notified 2,484 individuals about a security breach involving unauthorized access to its network between April 25, 2023, and May 1, 2023. Third-party cybersecurity professionals were engaged to conduct a forensic investigation and confirmed that files had been exfiltrated from its network. The document review was completed on October 16, 2023.

The stolen files included full names along with one or more of the following: Social Security numbers, dates of birth, driver’s license numbers or state identification numbers, passport numbers, other government identification numbers, financial account information, credit or debit card information, usernames and passwords associated with one or more online accounts, medical information (date of service, provider name, medical record number, patient number, medical history, surgical information, medication, and/or treatment information), and/or health insurance policy information. Westside Community Services said it continually evaluates and modifies its practices and internal controls to enhance the security and privacy of personal information and will continue to do so.

Unauthorized Email Access Reported by Molina Healthcare of Iowa

Molina Healthcare of Iowa, Inc. says it discovered on November 22, 2023, that there had been unauthorized access to an employee email account between September 25 and 26, 2023. It was not possible to determine if any information in the email account was copied, but the review of the emails confirmed that they contained the protected health information of 1,647 Medicaid recipients. Those individuals have been notified about the breach by mail. Molina Healthcare of Iowa said the breach did not affect any members covered by other managed care organizations.

This is the third incident to affect Molina Healthcare of Iowa members this year. On May 31, 2023, Amerigroup inadvertently disclosed personal health information for 833 Iowa Medicaid members to 20 providers in explanation of payment notices; and on May 26, 2023, a Medicaid contractor confirmed there had been unauthorized access to its systems on March 6, 2023, which affected 233,000 Medicaid members.

Robeson Health Care Corporation Updates Data Breach Notice

Robeson Health Care Corporation has provided an update on a breach that was previously reported to the Maine Attorney General as affecting 15,045 individuals. The investigation has confirmed that a further 62,627 individuals have been affected. The incident has been previously covered by The HIPAA Journal in this post.

The post Hundreds of Thousands of Blue Shield of California Members Affected by MOVEit Hack appeared first on HIPAA Journal.

Capital Health has launched an investigation into a cybersecurity incident that caused it to experience a network outage earlier in the week. Law enforcement has been notified and third-party cybersecurity experts have been engaged to determine the extent and scope of the incident.

Capital Health operates two hospitals in New Jersey, Capital Health Medical Center – Hopewell and Capital Health Regional Medical Center in Trenton, as well as an outpatient facility in Hamilton Township. Capital Health’s IT team took immediate action to contain the incident and prevent further unauthorized access to its network and it is currently working around the clock to bring systems and data back online.

Capital Health is operating under established downtime protocols while access to electronic systems is not possible, with patient information recorded on paper charts. Capital Health said care continues to be provided to patients and its emergency rooms have remained open, although it was necessary to make some changes to elective surgical and procedure schedules, with some patients’ surgeries delayed, although the impact on surgical schedules is now minimal. Capital Health said outpatient radiology is still unavailable and neurophysiology and non-invasive cardiology testing is being rescheduled. All surgeries are being prioritized based on urgency and the critical nature of the patient’s condition.

Capital Health was unable to provide a timescale for the recovery process but anticipates operating on limited systems for at least the next week. The nature of the attack has not been disclosed and, at this stage of the investigation, it is too early to tell to what extent, if any, patient data has been affected. Capital Health said no evidence of unauthorized data access or data theft has been identified at this time. Further information on the incident will be released as the investigation progresses.

This is the second major cyberattack to affect New Jersey hospitals in the past week. On Thanksgiving Day, Hackensack Meridian Health confirmed that it was experiencing a network outage that affected two of its hospitals – Hackensack Meridian Mountainside Medical Center in Montclair and Hackensack Meridian Pascack Valley Medical Center in Westwood. Both hospitals are operated under a joint venture with Ardent Health Services. which experienced a ransomware attack last week that affected several of its hospitals.

The post Capital Health’s New Jersey Hospitals Affected by Cyberattack appeared first on HIPAA Journal.

At least 4 million New Yorkers in New York City and Syracuse had their sensitive information stolen in a data breach at the Nevada medical transcription service provider Perry Johnson & Associates (PJ&A). The PJ&A data breach was announced earlier this month and has affected almost 9 million individuals across the United States. While the breach has recently been announced, hackers first gained access to PJ&A’s systems in May 2023. Hackers had access to data such as names, addresses, dates of birth, medical record numbers, hospital account numbers, admission diagnosis, dates/times of service, Social Security numbers, insurance information, and medical and clinical information.

This week, New York Attorney General Letitia James issued a warning to all New Yorkers who have received a data breach notification from PJ&A to take steps to protect themselves against identity theft and fraud. New York healthcare providers affected include Northwell Health, the largest healthcare provider in New York, and Crouse Health in Syracuse.

When a data breach occurs at a business associate and the business associate issues notifications, there is potential for confusion. Individuals receiving notification letters are unlikely to be aware that the business associate had their data and may even dismiss the letter as a scam and take no action. After receiving notification letters from PJ&A, several individuals took to Reddit to seek answers as they were unsure whether the letters were genuine.

Attorney General James warned New Yorkers who receive a notification letter to be on alert as the stolen data may be misused. “I urge all New Yorkers affected by this data breach to stay alert and take these important steps to protect themselves,” said Attorney General James. “Bad actors can use the stolen information to impersonate individuals or cause financial harm. Identity theft is a serious issue, and my office will continue to take action to keep New Yorkers safe.” The same advice applies to all Americans who receive a notification letter.

The suggested actions include using credit monitoring services to track credit reports and generate alerts when a change is made to a credit file, placing a credit freeze on credit reports to ensure that new credit accounts cannot be opened, placing fraud alerts on credit reports to inform lenders and creditors to take extra steps to confirm identity before issuing credit, and obtaining copies of medical records from healthcare providers, pharmacies, and health insurers and checking for anything that seems incorrect, as it could indicate medical identity theft.

Records should also be kept of any time spent protecting against identity theft and fraud and any expenses that are incurred. It may be possible to recover costs by participating in a class action lawsuit and if there is a settlement, proof of losses will likely need to be provided when submitting a claim.

The post NY Attorney General Warns New Yorkers About Identity Theft Risk from PJ&A Data Breach appeared first on HIPAA Journal.

Brentwood, Tennessee-based Ardent Health Services, which operates 30 hospitals and has more than 200 sites of care across the country, has suffered a ransomware attack that has impacted hospitals in 6 states – Texas, Idaho, Kansas, New Jersey, New Mexico, and Oklahoma. The attack has resulted in emergency rooms being placed on divert, with new emergency patients redirected to alternate healthcare facilities. Without access to IT systems, some non-urgent elective surgeries have been canceled and will be rescheduled when access is restored to IT systems.

Several Ardent Health Services facilities had already announced over the Thanksgiving weekend that they were investigating network outages that started on Thanksgiving Day. Emergency downtime protocols had been implemented and patient information was being recorded using pen and paper due to the lack of access to IT systems and patient data. Ardent Health Services issued a statement on Monday confirming that the disruption had been caused by a ransomware attack.

Unauthorized activity was first detected on the morning of November 23, 2023, and it was subsequently determined to have been caused by a ransomware attack. At the time of writing, no ransomware group has claimed responsibility for the attack. Ardent said it immediately took its network offline, suspended user access to its technology applications, corporate servers, Epic EMR system, and its Internet and clinical programs, and implemented its downtime protocols.

The health system is working to restore access to its IT systems as quickly as possible and, in the meantime, ambulances are likely to remain on divert until its IT operations have been restored. There is also likely to be ongoing disruption to its clinical and financial operations; however, patient care continues to be provided safely and effectively in all of its hospitals. Third-party cybersecurity experts have been engaged to assist with the investigation and determine the scope of the attack and the extent to which patient data was compromised, and the incident has been reported to law enforcement. A time frame could not be provided for how long it will take to restore its IT systems and determine the extent, if any, that that patient data has been compromised.

The HIPAA Journal first reported outages at several hospitals early on Monday. Details of the affected hospitals can be found in this post.

The post Ardent Health Services Ransomware Attack Affects Hospitals in 6 States appeared first on HIPAA Journal.

The BlackCat ransomware group conducted a ransomware attack on the Fortune 500 firm Henry Schein and claimed to have stolen 35 TB of sensitive data. The healthcare giant was engaged in ongoing discussions with the group but negotiations had stalled. According to a spokesperson for the BlackCat group, “We have not received any indication of their willingness to prioritize the security of their clients, partners, and employees, let alone protect their own network.” Just as Henry Schein was about to finish restoring its systems, the BlackCat hackers struck again and re-encrypted its data.

Henry Schein confirmed in an October 15, 2023, announcement that it had been forced to take some of its systems offline to contain a cyberattack that had affected its manufacturing and distribution businesses. According to the announcement, the attack occurred the previous day. The company had been working around the clock to resolve the situation and bring its systems online, and as its investigation progressed it became clear that the ransomware group had gained access to sensitive customer and supplier information. That information included personal information, bank account information, and payment card numbers. Around two weeks after Henry Schein announced the attack, the BlackCat ransomware group claimed responsibility and added Henry Schein to its data leak site.

Henry Schein has now confirmed that the second attack resulted in applications such as its e-commerce platform being made unavailable; however, Henry Schein anticipated a quick recovery from the attack and only expected it to cause short-term disruption. Following the attack, the BlackCat group threatened to publish internal payroll data on its data leak site within a few hours if Henry Schein refused to negotiate, and claimed additional data would be released on a daily basis thereafter. Instead of posting data, BlackCat removed the listing. That could mean Henry Schein has started negotiating again or that a ransom payment has been made. Entries on the data leak sites of ransomware groups are typically only removed if a ransom has been paid.

The post BlackCat Ransomware Group Re-encrypts Henry Schein Data appeared first on HIPAA Journal.