HIPAA Breach News

Three Healthcare Ransomware Attacks Reported: 70,000 Individuals Affected

Three ransomware attacks have been reported by healthcare organizations and vendors in the past few days. The PHI of almost 70,000 patients has potentially been compromised.

50,000 Individuals Affected by Ransomware Attack on Delaware Guidance Services for Children and Youth

Delaware Guidance Services for Children and Youth (DGS) was forced to pay a ransom to recover files that had been encrypted in a Christmas Day ransomware attack. DGS has not publicly disclosed how much was paid for the decryption keys to unlock the files on its data servers.

After recovering files, DGS engaged an IT firm to conduct a forensic analysis to determine whether the attackers had gained access to sensitive information prior to encrypting files. The firm found no evidence to suggest that any protected health information had been compromised or stolen. The attack appeared to have been conducted solely for the purpose of extorting money from DGS.

DGS started sending notification letters to the parents and guardians on February 26, 2019 alerting them that sensitive information had been exposed. The types of data in the files that were encrypted by the ransomware included names, addresses, birth dates, medical information, and Social Security numbers.

All affected individuals have been offered 12 months of complimentary credit monitoring services through MyIDCare.

The ransomware attack was reported to law enforcement and the Department of Health and Human Services’ Office for Civil Rights (OCR). The OCR breach summary indicates the PHI of up to 50,000 individuals was potentially compromised in the attack.

Maffi Clinics Ransomware Attack Impacts 10,465 Patients

Maffi Clinics, a network of 5 plastic surgery and skin care clinics in Arizona, is alerting 10,465 patients that some of their protected health information was potentially compromised as a result of a September 11, 2018 ransomware attack.

The attack was promptly detected and remediated, limiting the potential for unauthorized data access. In its breach notification letter to patients, Maffi Clinics explained that the unauthorized access point was quickly detected and terminated, and systems were shut down to limit the harm caused. Access to Maffi Clinics’ systems was possible for just 5 hours.

An independent IT consulting firm was able to remove the ransomware and recover files from backups without data loss. No evidence was uncovered to suggest that the attackers had viewed or downloaded any patient information. Maffi Clinics also said no ransom demand was received.

While unauthorized PHI access is not suspected, if the attackers did access or download files, they would only have been able to view names, addresses, phone numbers, and pre- and post-operative records.

Maffi Clinics has taken steps to improve security and additional safeguards have now been implemented to prevent further ransomware and malware attacks. OCR was notified about the attack on March 6, 2019.

Direct Scripts Ransomware Attack Impacts 9,319 Individuals

Direct Scripts, an Ohio provider of pharmacy benefits management services, suffered a ransomware attack on January 30, 2019 which resulted in the encryption of files containing patients’ protected health information.

The affected server was found to contain customer names, addresses and prescription information. All other information stored by Direct Scripts was located on servers and computers that were not accessible to the attackers. No evidence has been uncovered to suggest any patient information has been misused.

Direct Scripts has sent notification letters to affected individuals and the incident has been reported to OCR. The OCR breach report indicates 9,319 individuals were potentially affected by the attack.

The post Three Healthcare Ransomware Attacks Reported: 70,000 Individuals Affected appeared first on HIPAA Journal.

More Than 600,000 Michigan Residents Affected by Wolverine Solutions Breach, Warns AG Nessel

Michigan Attorney General Dana Nessel has issued a warning to Michigan residents about the ransomware attack on Detroit-based Wolverine Solutions Group, which she says may have affected more than 600,000 Michigan residents.

Nessel has advised all individuals who receive a breach notification letter to sign up for credit monitoring services, to monitor their accounts and explanation of benefits (EoB) statements for signs of fraudulent use of their data, to place a fraud alert on their credit file, and to consider freezing their credit file as a protection against fraud and identity theft.

The cyberattack on Wolverine Solutions Group occurred on or around September 23, 2018. Critical systems were mostly restored within a month, but it has taken considerably longer to determine which clients had been affected. Some clients were only notified about the extent of the attack in March.

While the types of information differ from company to company and individual to individual, the exposed information may include data elements such as names, addresses, dates of birth, social security numbers, insurance contract information and numbers, phone numbers, and medical information.

Healthcare organizations known to be affected include:

  • Blue Cross Blue Shield of Michigan
  • Mary Free Bed Rehabilitation Hospital
  • Sparrow Health System
  • McLaren Health Care
  • Covenant Health Care
  • Health Alliance Plan
  • North Ottawa Community Health System
  • Three Rivers Health
  • Warren General Hospital
  • University of Pittsburgh Medical Center Kane

The attack is believed to have started with the download of the Emotet Trojan, which in turn downloaded the ransomware that encrypted files containing protected health information. The Emotet Trojan has been used in several recent attacks in combination with Ryuk ransomware. Wolverine Solutions’ president Darryl English told the Daily Swig that the ransom demand was paid.

“Data breaches can be devastating to the affected individuals,” said Nessel on Monday. “It’s important this office provide affected customers with any and all available resources to help limit the effects of this – or any – breach. And today, we’re doing just that.”

Under state laws, Wolverine was not obliged to notify the attorney general of the breach. Nessel discovered the breach from media reports and has written to Wolverine requesting further information about the incident. Most other states require notifications of data breaches to be sent to the state attorney general. This breach could well trigger an update to data breach notification laws in Michigan.

While AG Nessel has put the number of affected individuals at 600,000 or more, the final total is not yet confirmed and, according to Wolverine, could be in the high six figures.

Wolverine Solutions is issuing notifications to affected individuals and is offering them free access to credit monitoring and identity theft protection services.

Business Associate Starts Issuing Notifications About August 2018 Laptop Theft

A Massachusetts business associate has discovered the electronic protected health information (ePHI) of 2,088 individuals has potentially been viewed by unauthorized individuals. The ePHI was stored on an employee’s laptop computer that was stolen on August 23, 2018.

RSC Insurance Brokerage, dba Re-Solutions, started notifying affected healthcare providers about the breach of their patients’ PHI on January 22, 2019, 5 months after the discovery of the theft of the laptop.

According to the breach notice submitted to the California Attorney General, a third-party cyber security firm was called in to help determine what files had been stored on the laptop, the types of information that was accessible, and how many individuals had potentially been impacted.

The theft was reported to law enforcement at the time and the employee’s credentials were changed to ensure that the laptop could not be used to access RSC systems. However, files were stored locally on the laptop and could potentially be accessed: while the device was password-protected, it was not encrypted.

No evidence of unauthorized data access was discovered, and RSC said no reports have been received to suggest there has been any misuse of the data.

To protect affected individuals from identity theft and fraud, complimentary membership to Experian’s IdentityWorks identity theft protection service has been offered for 12 months. Affected individuals have also been advised to check their explanation of benefits statements from their health insurer for services that are listed but have not been received.

RSC said that security measures are being enhanced to prevent any information stored on portable electronic devices from being exposed in the future.

The Department of Health and Human Services’ Office for Civil Rights (OCR) was notified about the breach on March 1, 2019. The HIPAA Breach Notification Rule requires notification letters to be issued within 60 days of the discovery of a breach. It is unclear why it took so long to determine that PHI had been exposed.

Arizona Medicaid Agency Mailing Error Impacts 3,146 Individuals

Arizona’s Medicaid agency, the Arizona Health Care Cost Containment System (AHCCCS), has announced that it has experienced a privacy breach as a result of an error mailing IRS 1095-B forms to Arizona Medicaid recipients. IRS 1095-B forms are reports that an individual has been enrolled in a qualified health plan.

AHCCCS sent a mailing to 1.87 million members earlier in 2019 but discovered that 3,146 of the forms had been delivered to incorrect addresses. No Social Security numbers were detailed on the forms, only names and dates of birth.

In all cases, the mailing error resulted in that information being disclosed to one other individual. AHCCCS has started mailing individuals affected by the breach to notify them of the privacy breach, which has been attributed to a programming error.

20K Patients of Pasquotank-Camden Emergency Medical Services Impacted by Server Hack

Pasquotank-Camden Emergency Medical Services (PCEMS) has discovered hackers have infiltrated a server that housed its billing system, which contained the protected health information of 20,420 patients.

As a result of the intrusion, the hackers potentially gained access to the highly sensitive information of individuals who had previously received medical services from PCEMS.

The types of information stored on the server included names, birth dates, Social Security numbers, and some medical information that had been collected by PCEMS.

The breach was reported immediately to the Sheriff of Pasquotank County and federal law enforcement agencies, who determined that the hackers were based outside the United States. No evidence was found to indicate patients’ protected health information was stolen and at the time of issuing notification letters to patients, no reports had been received to suggest patient information had been misused.

Since data theft could not be ruled out, PCEMS has offered all affected patients 12 months of free credit monitoring and identity theft protection services through ID Experts. Affected patients will also be covered by a $1,000,000 insurance reimbursement policy. Enrollment in these services is not automatic. Patients have until May 26, 2019 to register for the services.

PCEMS is now reviewing its cybersecurity protections and will be taking steps to enhance cybersecurity to prevent similar breaches in the future.

Oklahoma Heart Hospital Notifies Patients of Potential ePHI Breach

Oklahoma Heart Hospital is notifying 1,221 patients that some of their protected health information was stored on desktop computers that were stolen in January.

Four desktop computers were stolen from the outpatient clinic at Mercy Hospital in Oklahoma City, OK. Oklahoma Heart Hospital was in the process of relocating those offices when the theft occurred.

The stolen computers were not encrypted so patient information could potentially be accessed by the thieves. Patient information on the computers was present in stored email messages that had been sent between hospital employees and was limited to names, addresses, phone numbers, dates of birth, and clinical information such as blood pressure logs and lab values. Medical records are stored on a secure server and were not exposed.

Oklahoma Heart Hospital has now revised its policies and procedures to prevent similar breaches in the future.

Emerson Hospital Alerts Patients to May 2018 Breach at Claims Processing Vendor

Emerson Hospital in Concord, MA, is alerting 6,300 patients that some of their protected health information has been exposed due to a security breach at a third-party vendor in May 2018.

The hospital explained that the breach occurred between May 9 and May 17, 2018 and was an unauthorized disclosure incident. A former employee of MiraMed Global Services, a company that helps the hospital collect payments, was discovered to have sent files containing protected health information to a third-party who was not authorized to receive the information.

The files contained the types of information usually sought by identity thieves, including names, addresses, Social Security numbers, and insurance policy information. Financial information and health information were not compromised.

The employee responsible was fired over the breach and the matter was reported to law enforcement. It is unclear whether the employee responsible has been charged over the theft.

A forensic investigation confirmed that ePHI had been stolen, but a spokesperson for the hospital issued a statement saying, “A detailed forensic investigation showed that the files were of such poor quality that a third-party did not find the data useful.”

Even though the information does not appear to have been misused, as a precaution, all affected patients have been offered identity theft protection services through Experian IdentityWorks for 24 months without charge.

This is the second healthcare institution to report that it has been affected by the breach. Rush System for Health also reported a similar case to OCR on February 28, 2019. Even though names, Social Security numbers, birthdates, and insurance information were also compromised, Rush reported that patients faced a low risk of fraud since no financial information was compromised. Approximately 45,000 of its patients were affected.

It is not known whether any other healthcare organizations have been affected by the MiraMed breach.

‘Dozens’ of Northwestern Memorial Hospital Employees Fired for Accessing Jussie Smollett’s Medical Records

A major case of snooping on celebrity medical records has been reported that has resulted in ‘dozens’ of healthcare workers being fired from Chicago’s Northwestern Memorial Hospital for accessing the medical records of Jussie Smollett without authorization.

Jussie Smollett attended the hospital’s emergency room for treatment for injuries sustained in an alleged racially motivated attack by two men on January 29, 2019.

Following a police investigation into the alleged attack, Chicago Police Superintendent Eddie Johnson announced that the Empire actor had been arrested on February 21 and charged with disorderly conduct and filing a false police report. The police allege that the attack was a hoax and that it had been staged by Smollett as a publicity stunt.

Curiosity got the better of some employees at Northwestern Memorial Hospital who searched for Smollett on the hospital’s system, some of whom accessed his chart and viewed his medical records.

Accessing the medical records of patients without authorization is a violation of Health Insurance Portability and Accountability Act (HIPAA) Rules and can result in disciplinary action and, in certain cases, criminal penalties for the employees concerned.

Northwestern Memorial Hospital reviewed PHI access logs and took decisive action over the privacy violations. Employees found to have snooped on Smollett’s medical records were fired.

Northwestern Memorial Hospital has neither confirmed that Smollett was a patient nor provided information about the number of employees that have been terminated, stating that HIPAA prevents such information from being disclosed.

Some employees who were terminated have spoken to the media about the incident. CBS Chicago claims dozens of hospital employees have been terminated for the HIPAA violations, while NBC Chicago has reported there have been at least 50 terminations for snooping.
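The access-log review described above is the control that catches this kind of snooping. The following is an added example, not code from HIPAA Journal or from Northwestern Memorial Hospital, showing the two checks a privacy officer typically runs over an EHR audit trail: accesses by staff with no documented treatment relationship to the patient, and a burst of distinct users opening one chart in a short window (the signature of a patient in the news). The log format, the user and patient identifiers, and the care-team table are all constructed for this example.

```python
"""Audit-log review for record snooping (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail: ISO timestamp | user id | department | patient id | action.
# Patient P-100 is the chart that draws attention; P-101 and P-102 are ordinary activity.
SAMPLE_LOG = """\
2019-01-29T23:10:02|nurse_a|ED|P-100|view_chart
2019-01-29T23:15:44|doc_b|ED|P-100|view_chart
2019-01-30T08:02:13|clerk_c|BILLING|P-100|view_demographics
2019-01-30T08:05:51|tech_d|RADIOLOGY|P-100|view_chart
2019-01-30T08:06:30|nurse_e|ORTHO|P-100|view_chart
2019-01-30T08:07:12|nurse_f|PEDS|P-100|view_chart
2019-01-30T08:09:55|admin_g|HR|P-100|view_chart
2019-01-30T08:11:20|nurse_a|ED|P-101|view_chart
2019-01-30T09:00:00|doc_b|ED|P-102|view_chart
"""

# Constructed treatment-relationship table: users legitimately on each patient's care team
# (in a real EHR this comes from encounter, order and billing assignments).
CARE_TEAM = {
    "P-100": {"nurse_a", "doc_b", "clerk_c"},
    "P-101": {"nurse_a"},
    "P-102": {"doc_b"},
}


def parse_log(text):
    """Turn the pipe-delimited audit lines into event dicts with real timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, dept, patient, action = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "dept": dept,
            "patient": patient,
            "action": action,
        })
    return events


def accesses_without_relationship(events, care_team):
    """Users who opened a record without being on that patient's care team.

    Returns {patient_id: sorted list of user ids}; patients with only
    legitimate accesses do not appear.
    """
    flagged = defaultdict(set)
    for e in events:
        if e["user"] not in care_team.get(e["patient"], set()):
            flagged[e["patient"]].add(e["user"])
    return {patient: sorted(users) for patient, users in flagged.items()}


def burst_access(events, window=timedelta(minutes=15), min_users=4):
    """Patients whose chart was opened by at least min_users distinct users
    inside any sliding window of the given length.

    Returns {patient_id: peak distinct-user count}. A routine patient rarely
    draws more than a handful of distinct viewers in a quarter of an hour.
    """
    by_patient = defaultdict(list)
    for e in events:
        by_patient[e["patient"]].append(e)

    hits = {}
    for patient, evs in by_patient.items():
        evs.sort(key=lambda e: e["ts"])
        peak = 0
        for i, start in enumerate(evs):
            # Distinct users from this event forward while still inside the window.
            users = {x["user"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            peak = max(peak, len(users))
        if peak >= min_users:
            hits[patient] = peak
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("no treatment relationship:", accesses_without_relationship(evs, CARE_TEAM))
    print("burst access:", burst_access(evs))
```

Both checks are deliberately independent: the relationship check is the HIPAA minimum-necessary test and produces the list of individuals to interview, while the burst check needs no relationship data at all and is what surfaces a chart worth looking at in the first place. Thresholds such as the 15-minute window and four distinct users are assumptions for this example and would be tuned per department.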

Covenant Care Email Account Breach Impacts 7,858 Patients

The Aliso Viejo, CA-based provider of residential care and skilled nursing facilities, Covenant Care, has discovered an unauthorized individual gained access to an employee’s email account and may have viewed or obtained the protected health information of 7,858 patients.

On January 29, 2019, suspicious activity was detected in relation to the employee’s email account. Third-party forensics investigators were called in to help determine the nature and scale of the breach. The investigation revealed the email account was compromised on January 22, 2019. Access remained possible until the account was secured on January 29.

A review of the compromised email account was completed on February 13, 2019 and confirmed that during the time that the account was accessible, emails and email attachments could have been opened. An analysis of the messages revealed they contained patient information.

The information on each patient varied from individual to individual and may have included full name, date of birth, Social Security number, health insurance claim number, medical record number, diagnoses, provider(s) name, treatment location(s), Medicare covered days, Medicare billing amounts, admission and re-admission dates, dates of service, discharge dates, and information related to medical equipment, home health services, outpatient services, and hospice services.

At the time of issuing notifications, no evidence had been uncovered to suggest any patient information was accessed, stolen, or misused; however, out of an abundance of caution, patients were notified and have been offered 12 months of credit monitoring and identity theft restoration services at no charge. Notifications started to be sent on March 6, 2019.

Covenant Care reports that strict security safeguards had been implemented prior to the breach and that further controls will be put in place to increase email security. All technical, administrative, and physical safeguards are being reviewed to identify any further areas where improvements can be made, and employees will be provided with further training on email security and security awareness in general.

Beazley Report Reveals Major Increase in Healthcare Hacking and Malware Incidents

The latest Beazley Breach Insights Report confirms healthcare is the most targeted industry sector, accounting for 41% of all breaches reported to Beazley Breach Response (BBR) Services.

Across all industry sectors, hacking and malware attacks were the most common cause of breaches and accounted for 47% of all incidents, followed by accidental disclosures of sensitive data (20%), insider breaches (8%), portable device loss/theft (6%), and the loss of physical records (5%).

Hacking/malware incidents have increased significantly since 2017, which BBR notes is largely due to a 133% increase in business email compromise (BEC) attacks. Accidental disclosure incidents fell across all industries and insider breaches remained at a similar level to 2017.

While hacking/malware incidents were the main cause of breaches in all other industry sectors, in healthcare they were on a par with accidental disclosures of protected health information, each accounting for 31% of reported breaches.

Insider data breaches were significantly higher than in other industry sectors and accounted for 17% of all reported healthcare breaches. 8% of reported healthcare data breaches involved the loss of physical records, 6% were portable device incidents, and 3% were social engineering attacks. 4% of breaches were not categorized.

Hacking/malware incidents increased by 55% in 2018 and accidental disclosures fell by almost 28%. As with other industry sectors, healthcare saw a major increase in BEC attacks.

The February report drew attention to the risk of BEC attacks: the compromise of a company email account, which is then used to conduct phishing and social engineering attacks on other employees in the organization and on business contacts. These scams are often conducted with the aim of obtaining sensitive information such as W-2 form data or of tricking employees into making fraudulent wire transfers.

Beazley also drew attention to an increase in sextortion scams. One of the most common scams involves sending emails to employees claiming malware has been installed on their work computer which has recorded footage of them while they accessed adult websites. The hacker threatens to send a video containing webcam footage spliced with screen grabs of the websites that were being viewed at the time to the victim’s contacts.

These scams are conducted to extort money but also to install malware. Zip files attached to emails claim to include a copy of the video. Opening and executing the attachment triggers the download of information stealers and GandCrab ransomware.

Beazley reports that the sextortion cases its BBR Services team has dealt with contained empty threats, although some clients experienced malware infections as a result of opening the attached files.

Ransomware Attack Impacts 400,000 Patients of Columbia Surgical Specialists of Spokane

A ransomware attack on Columbia Surgical Specialists of Spokane in Washington has potentially allowed unauthorized individuals to access the protected health information of up to 400,000 patients.

The security breach was reported to the Department of Health and Human Services’ Office for Civil Rights on February 18, 2019 and is listed as a hacking/IT incident affecting a network server.

No breach notice has been published on the healthcare provider’s website at the time of writing, so little is known about the nature and extent of the attack. However, HIPAA Journal has learned that this was a ransomware incident that occurred on January 7, 2019.

The files encrypted by the ransomware are being recovered from backups and no ransom has been paid. Notifications will be sent to patients in due course.

Further information on the Columbia Surgical Specialists of Spokane breach will be posted here as and when it becomes available.

Mary Free Bed Rehabilitation Hospital Breach Impacts 4,755 Patients

Mary Free Bed Rehabilitation Hospital in Grand Rapids, MI, has announced that 4,755 patients have had some of their protected health information exposed as a result of a ransomware attack on its billing service provider, Wolverine Solutions Group.

Wolverine Solutions Group experienced a ransomware attack on September 25, 2018, although the hospital only learned the names of the patients whose PHI may have been compromised on February 6, 2019. Some healthcare clients were notified as early as November that their patients had been impacted by the breach, but due to the ongoing process of file recovery it has taken some time to determine all of the patients that have been affected. Wolverine Solutions has been issuing notifications based on rolling discovery dates.

The attack affected Wolverine Solutions’ systems which contained names, addresses, billing numbers, and insurance providers’ names. Around one quarter of affected Mary Free Bed patients also had their Social Security number exposed.

While PHI could have potentially been viewed, Wolverine Solutions Group believes the attack was conducted with the sole purpose of obtaining a ransom payment. However, since data access/theft could not be ruled out, Wolverine Solutions Group has offered affected individuals 12 months of credit monitoring and identity repair services without charge.

All Mary Free Bed Rehabilitation Hospital patients affected by the breach were sent notification letters by Wolverine Solutions on March 4, 2019.