HIPAA Breach News

HealthEquity Notifies 190,000 Individuals of Phishing-Related PHI Breach

HealthEquity is notifying 190,000 individuals that some of their protected health information has been exposed as a result of a phishing attack.

HealthEquity is a Utah-based company that provides services to help individuals gain tax advantages to offset the cost of healthcare, either through employers or health plans. These services include health savings accounts (HSAs), health flexible spending arrangements (FSAs), limited purpose FSAs, and dependent care reimbursement accounts (DCRAs).

In order to provide those services, HealthEquity has access to protected health information, some of which is communicated via email for business purposes. On October 5, 2018, HealthEquity’s security team discovered two Office 365 email accounts had been accessed by an unauthorized individual.

On October 20, 2018, following an analysis of the attack, HealthEquity confirmed that two employee email accounts had been breached and that those accounts contained sensitive personal information of employees and of individuals who received its services through their health plan or employer.

The investigation determined that one of the email accounts was accessed by an unauthorized third party on October 5, 2018. The second email account was first breached on September 4, 2018 and was subsequently accessed by an unauthorized individual on multiple occasions up to October 3, 2018.

While the investigation confirmed that the accounts had been accessed, it is currently unclear whether any emails in the accounts were opened, viewed, or copied; that question usually cannot be answered unless mailbox-level audit logging of message access was enabled before the intrusion. No reports of misuse of information have been received.

The types of information that were potentially accessed include names, account types, Social Security numbers, employer names, and health plan names.

Many breached entities that discover highly sensitive protected health information has been compromised offer credit monitoring and identity theft protection services to breach victims, usually for 12 months or, less often, 24 months, without charge. HealthEquity chose to offer breach victims those services for five years without charge, together with a $1,000,000 insurance reimbursement policy. The services are provided through MyIDCare.

In addition to providing extended protection to breach victims, HealthEquity has taken steps to improve email security and has updated its security protocols. Measures taken so far include further training for its workforce, additional technical security controls, and enhanced monitoring of email accounts for suspicious activity.

The post HealthEquity Notifies 190,000 Individuals of Phishing-Related PHI Breach appeared first on HIPAA Journal.

2,393 Patients of Southwest Washington Regional Surgery Center Impacted by Phishing Attack

Southwest Washington Regional Surgery Center in Vancouver, WA, has suffered a phishing attack that has resulted in the exposure of 2,393 patients’ protected health information.

The breach was confined to a single email account and no evidence was uncovered to suggest any emails have been accessed or downloaded by the attacker. An extensive investigation was conducted with assistance provided by a third-party cybersecurity firm. The investigation concluded on September 25.

The investigation included a manual review of all emails in the compromised account to identify patients affected and the types of information that may have been compromised.
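A manual review is how the affected patient count and the data elements are finally established, but the first pass over thousands of messages is usually automated. The following is an added example, not the surgery center's or its forensics firm's tooling: it scans each message for Social Security numbers that could actually have been issued, payment card numbers that pass the Luhn check, and an assumed list of clinical keywords that mark a message for human review, and reports masked values per message. The mailbox contents are constructed.

```python
"""Scan a mailbox export for PHI identifiers to scope a breach.

Added example for this article; it is not the surgery center's or its
forensics firm's tooling. The messages are constructed; the SSN and payment
card patterns are the common ones, and CLINICAL_TERMS is an assumed starting
point for human review, not an exhaustive rule.
"""
import re

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens between digits
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
CLINICAL_TERMS = ("diagnosis", "procedure", "prescribed", "lab result", "surgery")


def ssn_plausible(area, group, serial):
    """Reject SSNs that can never be issued: area 000, 666 or 900-999,
    group 00, serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_message(text):
    """Return {category: [masked values]} for identifiers found in one message."""
    findings = {}
    ssns = ["***-**-" + m.group(3) for m in SSN_RE.finditer(text)
            if ssn_plausible(*m.groups())]
    if ssns:
        findings["ssn"] = ssns
    cards = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            cards.append("*" * (len(digits) - 4) + digits[-4:])
    if cards:
        findings["payment_card"] = cards
    lowered = text.lower()
    terms = [t for t in CLINICAL_TERMS if t in lowered]
    if terms:
        findings["clinical_terms"] = terms
    return findings


def scan_mailbox(messages):
    """messages: iterable of (message_id, body). Returns only messages with findings."""
    report = {}
    for msg_id, body in messages:
        found = scan_message(body)
        if found:
            report[msg_id] = found
    return report


# Constructed sample mailbox (no real people or numbers).
SAMPLE_MAILBOX = [
    ("msg-001", "Pre-op paperwork for J. Doe attached. SSN 123-45-6789, card on file "
                "4111 1111 1111 1111. Procedure scheduled Thursday."),
    ("msg-002", "Vendor invoice #000-12-3456 ref 4111-1111-1111-1112. "
                "Call 555-123-4567 with questions."),
    ("msg-003", "Reminder: staff meeting moved to 3pm."),
]

if __name__ == "__main__":
    for msg_id, found in scan_mailbox(SAMPLE_MAILBOX).items():
        print(msg_id, found)
```

Only the masked tail of each identifier is kept in the report, so the scoping spreadsheet does not itself become a second copy of the PHI. The invoice number and the card with a bad check digit in the second message show why the structural checks matter: a bare regex would count both and inflate the breach.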

Southwest Washington Regional Surgery Center explained in its breach notice that the breach was limited to the following PHI elements: names, driver’s license numbers, Social Security numbers, medical information, and for a limited number of patients, credit card numbers.

The investigation revealed the email account was compromised on May 27, 2018 and access remained possible until August 13, 2018.

Patients impacted by the breach were sent breach notification letters on November 6, 2018 and have been offered 12 months of complimentary credit monitoring and identity theft restoration services. They have also been given information on the steps they should take to reduce the risk of identity theft and fraud.

In response, Southwest Washington Regional Surgery Center has enhanced its email access protocols to prevent further successful phishing attacks, reset passwords, and updated its password policy.

The post 2,393 Patients of Southwest Washington Regional Surgery Center Impacted by Phishing Attack appeared first on HIPAA Journal.

HealthCare.gov Data Breach Exposed Personal Information of 94,000 Individuals

Last month, the Centers for Medicare & Medicaid Services (CMS) announced that the HealthCare.gov website had been hacked and the sensitive data of approximately 75,000 individuals had potentially been compromised.

This week, the CMS issued an update confirming that more people were affected than initially thought: the revised count is 93,689.

The initial breach announcement was light on details about the exact nature of the breach and the types of information that had potentially been compromised. In the initial announcement the CMS explained that suspicious activity was detected on the site on October 13 and on October 16 a breach was confirmed. Steps were immediately taken to secure the site and prevent any further data access or data theft.

The CMS started sending out breach notification letters on November 7 which explain the breach in more detail, including the types of information that were potentially accessed.

CMS explained that the ‘suspicious activity’ it detected was certain agent and broker accounts conducting an unnatural number of searches for consumer information. Those searches returned results containing the personal information of people listed on Marketplace applications.
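The signal CMS describes, a handful of accounts running far more lookups than their peers, is a volume anomaly that can be checked directly against search logs. The following is an added example, not CMS's monitoring: it computes each account's peak number of searches within any 60-minute window and flags accounts whose peak exceeds both an absolute floor and a multiple of the median peak across all accounts, so one busy broker does not raise the bar for everyone. Account IDs, timestamps, the window, and the thresholds are all assumptions.

```python
"""Flag accounts whose search volume is far above their peers.

Added example for this article; it is not CMS's monitoring. The account IDs
and timestamps are constructed; the 60-minute window, the 5x-median
multiplier and the floor of 20 searches are assumed tuning values.
"""
from datetime import datetime, timedelta
from statistics import median


def peak_window_count(times, window):
    """Largest number of events from one account inside any span shorter than
    `window` (two-pointer sweep over the sorted timestamps)."""
    times = sorted(times)
    best = left = 0
    for right, t in enumerate(times):
        while t - times[left] >= window:
            left += 1
        best = max(best, right - left + 1)
    return best


def flag_high_volume_accounts(events, window=timedelta(minutes=60),
                              multiplier=5, floor=20):
    """events: iterable of (account_id, datetime) search records.
    Returns {account: peak} for accounts whose peak in-window count exceeds
    max(floor, multiplier * median peak over all accounts)."""
    by_account = {}
    for account, t in events:
        by_account.setdefault(account, []).append(t)
    peaks = {a: peak_window_count(ts, window) for a, ts in by_account.items()}
    if not peaks:
        return {}
    threshold = max(floor, multiplier * median(peaks.values()))
    return {a: p for a, p in peaks.items() if p > threshold}


def constructed_search_log():
    """Constructed log: four brokers doing one lookup every 12 minutes, plus one
    account (hypothetical id broker-0042) running a lookup every 30 seconds for
    half an hour."""
    start = datetime(2018, 10, 13, 9, 0)
    events = []
    for n in range(4):
        account = "broker-%04d" % (n + 1)
        for k in range(10):
            events.append((account, start + timedelta(minutes=12 * k + n)))
    for k in range(60):
        events.append(("broker-0042", start + timedelta(hours=1, seconds=30 * k)))
    return events


if __name__ == "__main__":
    for account, peak in flag_high_volume_accounts(constructed_search_log()).items():
        print("%s: %d searches in one hour" % (account, peak))
```

Using the median rather than the mean as the baseline keeps the compromised accounts themselves from dragging the threshold up; the absolute floor stops a quiet day, when every account's peak is one or two, from flagging ordinary use.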

The compromised agent and broker accounts were rapidly deactivated and the Direct Enrollment pathway for agents and brokers was temporarily deactivated while the system was secured. The Direct Enrollment pathway was brought back online on October 26.

The CMS has now confirmed that an extensive range of sensitive information has potentially been accessed and stolen by the hackers, which may have included the following data elements:

  • Name
  • Date of birth
  • Address
  • Sex
  • Last four digits of Social Security number (SSN) – if provided on applications
  • Expected income
  • Tax filing status
  • Family relationships
  • Citizen or immigrant status
  • Immigration document types and numbers
  • Employer name(s)
  • Pregnancy status
  • Whether the individual has health insurance
  • Information provided by other federal agencies and data sources to confirm application information
  • Whether the Marketplace asked the applicant for documents or explanations
  • Application result
  • Tax credit amounts
  • If an applicant enrolled, the name of the insurance plan, premium, and coverage dates

The CMS has not been able to confirm whether any personal information was stolen by the hackers, although as a precaution, individuals whose personal information has been exposed have been offered free identity theft protection services.

The investigation is continuing, and additional security measures are being implemented to prevent any further breaches.

The HealthCare.gov website has had a tough time since its launch. Malware was uploaded to a test server in July 2014, just a few months after the site was launched. Audits by government watchdog agencies, including the Government Accountability Office (GAO) identified a slew of vulnerabilities and confirmed that there had been 316 security incidents involving the website and its supporting systems between October 2013 and March 2015.

While none of those incidents resulted in sensitive data being compromised, GAO identified security weaknesses in the technical controls used to protect data, including patching frequency, encryption, auditing and monitoring, boundary protections, and identification and authentication, which placed data at risk.

It is unclear how the hackers gained access to login credentials and whether any of the GAO-identified weaknesses were exploited.

The post HealthCare.gov Data Breach Exposed Personal Information of 94,000 Individuals appeared first on HIPAA Journal.

30,000 Patients Impacted by May Eye Care Center Ransomware Attack

A July 2018 ransomware attack on May Eye Care Center in Hanover, PA saw a range of sensitive patient information encrypted, including data in its electronic medical record system.

May Eye Care discovered the ransomware attack on July 29, 2018. The ransomware had been installed on a server that contained patients’ names, addresses, dates of birth, insurance information, diagnoses, treatment information, clinical information, and a limited number of Social Security numbers.

May Eye Care Center called in a leading computer forensics company to investigate the breach, and an IT firm that specializes in data security was engaged to conduct a full review of security systems and protocols. Security has since been improved to prevent further attacks.

A ransom demand was received, but no payment was made. May Eye Care Center was able to recover all of the files encrypted by the ransomware from backups without any loss of data.

All patients impacted by the incident have been notified and the breach was reported to the Department of Health and Human Services’ Office for Civil Rights on October 11. The breach summary on the OCR Breach Portal indicates 30,000 patients were impacted by the incident.

May Eye Care Center believes the sole purpose of the attack was to obtain a ransom payment. No evidence has been uncovered to suggest any patients’ protected health information was accessed by the attackers and no reports of misuse of PHI have been received. However, since data theft cannot be ruled out, all patients have been advised to check their credit reports, accounts, and explanation of benefits statements for any sign of fraudulent activity.

The post 30,000 Patients Impacted by May Eye Care Center Ransomware Attack appeared first on HIPAA Journal.

1,800 Patients’ PHI Compromised in Metrocare Services Phishing Attack

Metrocare Services, the largest provider of mental health services in North Texas, has suffered a phishing attack that has resulted in the exposure of 1,804 patients’ protected health information.

Several employee email accounts were compromised in the attack, with the first account breach occurring on August 2, 2018. Metrocare did not discover the phishing attacks until September 4.

As soon as the breach was discovered, steps were taken to secure the accounts. Metrocare has also given its employees additional training on information security, additional measures are being introduced to improve the security of its information technology infrastructure, and email security has been strengthened.

The investigation into the breach could not determine whether any emails containing patients’ protected health information were accessed by the attackers, but data access could not be ruled out. No reports have been received that suggest any PHI has been misused.

The types of information that were exposed differed from patient to patient and included data such as names, dates of birth, driver’s license numbers, health insurance information, information relating to services received from Metrocare, and in some cases, Social Security numbers.

Metrocare started notifying affected patients by mail on November 1. Patients whose Social Security numbers were potentially compromised have been offered 12 months of complimentary credit monitoring and identity protection services. All patients impacted by the breach have been advised to check their Explanation of Benefits statements for healthcare services that have not been received or authorized.

Summit Medical Group Notifies Patients of Potential PHI Exposure

Summit Medical Group is notifying certain patients that some of their protected health information has potentially been compromised.

The information was recorded in a notebook that was maintained by a medical assistant in its Berkeley Heights dermatology office. On September 5, 2018, Summit Medical Group’s management and privacy office was informed that the notebook was missing.

The New Jersey physician-owned multispecialty medical practice conducted a search for the missing notebook but it couldn’t be located. Employees were interviewed and footage from security cameras was checked. According to Summit Medical Group, the notebook was only ever used in the dermatology office and no evidence of theft was discovered.

The notebook contained written notes on patients seen by the medical assistant since January 12, 2018. The types of information recorded in the notebook varied for each patient and included names, addresses, dates of birth, telephone numbers, health insurance numbers, Medicare IDs, and treatment information.

Since the notebook may have been stolen, patients have been advised to monitor their account statements and explanation of benefits statements and to remain vigilant for signs of identity theft and fraud.

The post 1,800 Patients’ PHI Compromised in Metrocare Services Phishing Attack appeared first on HIPAA Journal.

Former Chilton Medical Center IT Worker Gets 5 Years’ Probation for Theft of Equipment Containing ePHI

A former IT worker at Chilton Medical Center in New Jersey has been sentenced to 5 years’ probation for the theft of IT equipment that contained the protected health information of some of its patients.

Sergiu Jitcu, of Saddle Brook, NJ, had previously been employed by Chilton Medical Center. On October 31, 2017, Chilton Medical Center learned that one of its hard drives had been sold on eBay. The purchaser discovered databases on the hard drive that appeared to include the protected health information (PHI) of some of the hospital’s patients.

The subsequent investigation revealed the hard drive contained the PHI of 4,600 patients who had received medical services at Chilton Medical Center between May 1, 2008 and October 15, 2017. The types of information on the hard drive included names, addresses, dates of birth, allergy information, medical record numbers, and medications.

The theft was reported to the Morris County Prosecutor’s Office and was linked to Jitcu. The Morris County Prosecutor’s Office Specialized Crime Division obtained a search warrant for Jitcu’s home and vehicle and recovered computer equipment and additional items that had been stolen from Chilton Medical Center.

Jitcu was charged and pleaded guilty to one count of computer criminal activity and one count of theft of computer equipment. The offenses occurred between January 1, 2015 and November 8, 2017.

A non-custodial sentence of five years’ probation was given to Jitcu on the condition that ongoing restitution payments be made to Chilton Medical Center totaling $64,250.

The post Former Chilton Medical Center IT Worker Gets 5 Years’ Probation for Theft of Equipment Containing ePHI appeared first on HIPAA Journal.

1,216 Patient Records Impermissibly Accessed by Former Upstate University Hospital Employee

Upstate University Hospital in Syracuse, NY, is notifying 1,216 patients that some of their protected health information (PHI) has been impermissibly accessed by a former employee.

Upstate University Hospital discovered the breach on September 12, 2018, which prompted a full investigation to determine which patients had had their privacy violated. The investigation revealed that the former employee first accessed patient health records without any legitimate work reason for doing so on November 3, 2016. Patient records continued to be accessed until October 23, 2017.

The investigation did not uncover any evidence to suggest any information had been printed, copied, or forwarded outside the organization.

It is unclear why the former employee accessed the records. No information on the motives behind the privacy violations has been made public.

Highly sensitive information such as Social Security numbers, financial information, health insurance information and other information typically sought by identity thieves were not compromised and remained secure at all times.

The breach was limited to names, ages, addresses, medical record numbers, dates of service, types of services received, diagnoses, treatment information, and details of prescriptions.

All staff members at the hospital with access to PHI already receive in-depth training on maintaining the privacy and security of patient information and are aware of their responsibilities with respect to HIPAA.

The privacy breach has prompted Upstate University Hospital to conduct a review of safeguards to keep patient health information private and confidential and those safeguards have now been strengthened.

The post 1,216 Patient Records Impermissibly Accessed by Former Upstate University Hospital Employee appeared first on HIPAA Journal.

Billing Records of 12,331 Patients of Inova Health System Have Been Compromised

Falls Church, VA-based Inova Health System has started notifying 12,331 patients that some of their protected health information has been accessed by an unauthorized individual.

Inova Health System was contacted by law enforcement on September 5, 2018 over a suspected breach of patients’ billing information. A leading computer forensics firm was engaged to conduct an investigation into the breach to determine the nature of the attack and the extent of the breach.

The investigation revealed its billing system was first accessed by an unauthorized individual in January 2017, and again between July and October 2017. Access was gained using the login credentials of an Inova employee.

Inova also reported that the same individual gained access to paper billing records of a small number of patients in December 2016, which suggests an insider: a former employee, a business associate, or another individual with physical access to Inova facilities. Inova has not made public any information about the individual responsible.

The types of information that were accessed included patient names, addresses, birth dates, medical record numbers, and Social Security numbers. Treatment information of a limited number of patients was also potentially accessed.

The data breach has prompted Inova to enhance its security processes. Additional monitoring tools have been deployed to identify unauthorized access, password policies have been updated with respect to password complexity, and new limitations on the transmission of information have been implemented. Employees have been retrained on securing sensitive information before leaving their workstations unattended and on password security. A review of security policies and procedures has also been conducted.

Inova started mailing breach notification letters to affected patients on November 2 and is assisting law enforcement with its investigation.

All patients affected by the breach have been offered one year of credit monitoring and identity theft protection services without charge.

The post Billing Records of 12,331 Patients of Inova Health System Have Been Compromised appeared first on HIPAA Journal.

Altus Hospital Baytown Suffers Dharma Ransomware Attack

Altus Hospital in Baytown, TX, has experienced a ransomware attack that resulted in the encryption of many hospital records.

The electronic medical record system was not affected, although some of the encrypted files contained patients’ protected health information including names, home addresses, contact telephone numbers, birth dates, Social Security numbers, credit card information, driver’s license numbers, and medical information.

The attack was discovered on September 3, 2018. Altus Hospital received a ransom demand; however, assisted by a third-party security consultant, Altus Hospital was able to restore all affected files from backups.

Investigators determined that the attacker gained access to the hospital’s servers before deploying a Dharma ransomware variant. Altus Hospital believes the aim of the attack was solely to extort money from the hospital. Data access and theft of patient information is not believed to have occurred.

While the attack was limited to Baytown hospital servers, some of the information stored on those servers came from the following affiliated entities: Altus Women’s Center of Baytown, LP, Clarus Imaging (Baytown), Oprex Surgery (Baytown), LP, Clarus Imaging (Beaumont), LP, Altus Radiation Oncology Baytown, LP, and Zerenity Baytown, LP.

Altus Hospital has retained external risk and security consultants who are helping to make improvements to the hospital’s cybersecurity defenses.

PHI of 2,393 Patients of Southwest Washington Regional Surgery Center Compromised

Southwest Washington Regional Surgery Center has discovered an unauthorized individual has gained access to the email account of one of its employees as a result of a phishing attack.

The email account was breached on May 27, 2018 and access continued until August 13, 2018. Following an extensive forensic investigation of the breach and a manual review of all emails in the compromised account, Southwest Washington Regional Surgery Center determined on September 25 that the email account contained the protected health information of 2,393 of its patients.

The types of information that may have been accessed differed from patient to patient and may have included names, driver’s license numbers, Social Security numbers, diagnoses, treatment information, details of surgical procedures performed, prescribed medications, lab test results, and health insurance information. Some patients’ credit card numbers have also potentially been compromised.

Credit monitoring and identity theft restoration services are being offered to all patients whose Social Security number or driver’s license number were potentially accessed by the attacker.

Southwest Washington Regional Surgery Center has updated passwords and improved email access protocols to prevent further phishing attacks.

The post Altus Hospital Baytown Suffers Dharma Ransomware Attack appeared first on HIPAA Journal.