A large-scale phishing attack on Charleston, SC-based Roper St. Francis Healthcare has seen attackers gain access to the email accounts of 13 employees.

The phishing attack was detected on November 30, 2018 and action was taken to block access to a corporate email account. The investigation into the breach revealed further email accounts had been compromised. The affected accounts were accessed by the attacker between November 15 and December 1, 2018.

A third-party computer forensics firm was hired to investigate the breach, which revealed some of the compromised accounts contained patient information including names, medical record numbers, health insurance information, details about services received from Roper St. Francis Healthcare, and for a limited number of patients, Social Security numbers and financial information.

All affected patients were notified by mail on January 25, 2019 and have been offered complimentary credit monitoring services. While PHI was potentially accessed, no reports have been received to suggest any PHI has been misused.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal. It is currently unclear exactly how many patients have been affected.

Minnesota Department of Human Services Phishing Attack Impacts 3,000 Minnesotans

Minnesota Department of Human Services Commissioner Tony Lourey has announced that the email account of a county worker has been compromised as a result of a response to a phishing email.

The account was accessed by the attacker in September 2018. The account was used to send further phishing emails to the employee’s contacts.

An analysis of the compromised account revealed it included information such as names, phone numbers, email addresses, dates of birth, and information about child protection services. In total, the personal information of approximately 3,000 individuals was potentially compromised. 30 individuals also had their Social Security number, driver’s license number and/or financial information exposed.

The phishing attack was detected the following day and remote access to the account was blocked. The delay in issuing notifications was due to the time taken to analyze the emails in the account.

Since the attack occurred, a new tool has been deployed to block phishing emails and employees have received additional training.

The post 13 Accounts Compromised in Roper St. Francis Healthcare Phishing Attack appeared first on HIPAA Journal.

Jacksonville, FL-based FABEN Obstetrics and Gynecology has experienced a ransomware attack which saw files encrypted on a server that housed patients’ protected health information (PHI).

The ransomware was detected on November 21, 2018 and resulted in widespread file encryption. An investigation was launched to determine the extent of the attack and whether any patients’ PHI was accessed or stolen by the attackers.

An analysis of the files on the server confirmed that files containing patients’ PHI had been encrypted. FABEN determined that the attackers had not accessed the files and that no data had been exfiltrated from the server.

The ransomware variant used in the attack was GandCrab. While free decryptors have been made available for some GandCrab ransomware variants, they do not work on the latest versions of the ransomware. A ransom demand was received by FABEN although the decision was taken not to pay the attackers for the key to decrypt the files.

The files that had been encrypted were created between January 2007 and April 10, 2017, and included clinical electronic medical records containing names, diagnosis information, treatment information, and other information related to medical services provided to patients, including visit dates, labor and delivery information.

FABEN reports that it was only possible to restore files that had been created between 2007 and April 2014. There was a problem recovering records from between September 11, 2014 and April 10, 2017. Those files have been permanently lost.

They included information such as names, blood sugar logs, blood pressure logs, medical records provided to FABEN by patients in paper form during the above time period, and documentation related to the Family and Medical Leave Act.

“Since the infected files were encrypted but not exfiltrated, there is no increased risk of identity theft, nor is there an increased risk that a third party may view your protected health information at this time as a result of the ransomware attack,” wrote FABEN in substitute breach notice uploaded to the FABEN website. Only patients whose information was unrecoverable are receiving breach notification letters.

The ransomware attack has been reported to law enforcement and the HHS’ Office for Civil Rights. The investigation into the attack is ongoing. FABEN is attempting to determine exactly how the ransomware was installed, the source of the attack, and its ultimate extent.

Private security consultants have been hired to assess security and additional security procedures have already been implemented. FABEN is also using additional backup servers to prevent further data loss, should another attack occur in the future.

The post FABEN Obstetrics and Gynecology Informs 6,092 Patients of Ransomware-Related Data Loss appeared first on HIPAA Journal.

A burglary at the offices of the addiction treatment services provider Integrity House has resulted in the exposure of patients’ protected health information.

Several electronic devices were stolen in the burglary, including desktop computers, laptop computers and tablets. An investigation by the Integrity House IT team confirmed that some patients’ protected health information was stored on the devices.

The burglary was discovered by staff on November 25, 2018. Law enforcement was notified but the stolen devices have not been recovered. The IT department determined that one of the stolen devices contained information such as names, birth dates, Social Security numbers, health insurance information, and a limited amount of treatment information.

While it is probable that the devices were stolen for their resale value rather than any sensitive information they contained, it is possible that patient information could be accessed and may be misused. Consequently, as a precaution, Integrity House has offered all affected individuals free identity theft protection and credit monitoring services.

The burglary has prompted Integrity House to implement additional safeguards to prevent further incidents of this nature from occurring and has taken steps to improve privacy protections for patients. These include augmenting physical security in all facilities, strengthening passwords, implementing additional policies concerning the handling of personal information, and the use of encryption on all hard drives.

“The privacy and protection of personal information is a top priority for Integrity House and we sincerely apologize for any concern or inconvenience that this may cause,” wrote Integrity House in its substitute breach notice.

All individuals affected by the breach have now been notified by mail and the incident has been reported to the Department of Health and Human Services’ Office for Civil Rights.

The breach summary on the OCR website indicates the PHI of 7,206 individuals was stored on the stolen devices.

The post Thieves Stole Devices Containing PHI of 7,200 Patients of Integrity House appeared first on HIPAA Journal.

Verity Health System, a Redwood City-based network of 6 hospitals in California, has announced that the protected health information of certain patients has potentially been compromised as a result of a November 27, 2018 phishing attack.

The Office 365 credentials of a Verity Health employee were obtained by a hacker as a result of a response to a phishing email. For a period of approximately one and a half hours, an unauthorized individual gained access to the employee’s email account and sent further phishing emails to Verity Health employees and other individuals in the employee’s contact list. The emails contained a hyperlink that directed the recipients to a malicious website. An investigation into the breach confirmed that none of the recipients of the phishing emails had disclosed their login credentials.

The aim of the attacker appeared to be to gain access to further account credentials rather than to obtain sensitive data contained in the compromised account; however, it is possible that some patients’ personal information was viewed or possibly obtained while account access was possible. Fortunately, fast detection and remediation of the security breach reduced the potential for information theft.

An analysis of the emails and email attachments in the account confirmed that they contained some protected health information, but it was not possible to determine whether any of the emails had been opened or copied. No messages in the account were forwarded to other email addresses and no reports have been received to suggest any patient information has been obtained and misused.

Patients whose protected health information has potentially been compromised have now been informed of the breach by mail. The breach notification letters state that the types of information contained in the account included names, phone numbers, addresses, dates of birth, Social Security numbers, dates of service, treatment information, medical conditions, billing codes, lab test results, health plan names and health insurance policy numbers, patient ID numbers, subscriber numbers, claims information, and information relating to payment for medical care.

Upon discovery of the breach, the email account was disabled and the user’s computer was disconnected from the network. All unauthorized emails sent through the compromised account were deleted from the email system and email recipients who had clicked the link in the email also had their email accounts disabled as a precaution.

All users who clicked the link in the phishing emails have received further training and a new training module has been developed for all employees to raise awareness of the threat from phishing. A project has also been created and launched to enhance email security, which includes disabling all unknown URLs sent via email.

While the risk of identity theft and fraud is believed to be low, all individuals affected by the breach have been offered one year of identity theft and credit monitoring services without charge.

The breach has been reported to the California Attorney General’s Office and other relevant authorities. The incident has yet to appear on the HHS’ Office for Civil Rights breach portal so it is currently unclear exactly how many individuals have been affected by the breach.

The post PHI Exposed in Verity Health System Phishing Attack appeared first on HIPAA Journal.

Critical Care, Pulmonary & Sleep Associates (CCPSA) in Colorado has experienced a data breach that has impacted more than 23,300 patients.

An email account breach was detected by CCPSA on November 23, 2018 when suspicious activity was detected related to an employee’s email account. The account appeared to have been used to send phishing emails to individuals in the employee’s contact list. Those emails attempted to convince the recipients to make fraudulent payments.

Action was promptly taken to lock the hacker out of the account and the entire email environment was secured. All users were required to set new, complex passwords. A third-party computer forensics firm was hired to investigate the attack and determine the scale of the breach. That investigation was concluded on December 14, 2018.

The investigation revealed the attacker had gained access to multiple email accounts between August 14 and November 23, 2018. The breach was determined to be limited to the email system. Its medical record system was unaffected.

An analysis of the compromised email accounts revealed they contained the electronic protected health information of more than 23,300 patients. In addition to patients’ names, the following information was also potentially compromised: Addresses, email addresses, phone numbers, dates of birth, dates of service, diagnoses, medical conditions, lab test results, information related to diagnostic studies, treatment information, insurance information, and for certain patients, costs of medical services, Social Security numbers, and driver’s license numbers.

Prior to the attack, CCPSA had implemented protections to prevent successful phishing attacks. Those protections have now been enhanced. Additionally, changes have been made to how authorized individuals can access the network and changes have also been made by the IT department to certain rules within its computer environment. Additional, mandatory security awareness training has also been provided to the entire workforce.

According to the breach summary posted on the Department of Health and Human Services’ Office for Civil Rights breach portal, the ePHI of 23,377 has been exposed.

The post 23,300 Patients Affected by Critical Care, Pulmonary & Sleep Associates Email Hack appeared first on HIPAA Journal.

All-Star Orthopaedics is alerting patients of Irving, TX-based Las Colinas Orthopedic Surgery & Sports Medicine, PA, that some of their protected health information (PHI) was stored on a hard drive that has been stolen.

The hard drive contained X-ray and other diagnostic images of 76,000 patients, along with patients’ names and dates of birth. While the hard drive was not encrypted, special software is required to access the images. The image files would need to be opened in order to see patients’ names and dates of birth.

The hard drive was stolen on November 20, 2018. The theft was reported to the Department of Health and Human Services’ Office for Civil Rights on January 18, 2019 and breach notification letters have now been sent to all affected patients.

The theft has prompted All-Star Orthopaedics to implement new security protocols to prevent any further breaches of patients PHI and all portable hard drives will now be encrypted prior to transport.

Dermacare Brickell Data Breach Impacts 1,800 Patients

On November 20, 2018, the Miami medical practice Dermacare Brickell discovered paperwork containing the PHI of around 1,800 patients was missing.

The paperwork had been removed from a locked storage unit at The Vue Condominium, close to its office. The files related to patients who had received medical services at the practice between 2010 and 2013.

The medical practice determined that boxes of files had been mistakenly removed and disposed of a condominium association dumpster along with regular trash. The person responsible assured the practice that he did not read any of the files in the boxes and was unaware that the boxes contained patient files.

The improper disposal has been reported to the Miami Police Department and patients have been notified as a precaution, although no evidence has been uncovered to suggest any information has been viewed by unauthorized individuals or misused.

The files did not contain financial information or Social Security numbers, only names, birth dates, previous medical histories as provided by patients, and practice treatment notes.

All patient files will now be stored within its offices. The practice is in the process of transitioning to electronic medical records and all paper copies of records will be shredded once that process has been completed.

The post Stolen Hard Drive Contained PHI of 76,000 Texas Patients appeared first on HIPAA Journal.