HIPAA Breach News

Concentra Confirms Almost 4 Million Patients Affected by PJ&A Data Breach

Concentra, a Texas-based physical and occupational health provider, has confirmed it was affected by a cyberattack at its transcription service provider, PJ&A. PJ&A has already reported the breach to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) as affecting almost 9 million patients; however, some PJ&A clients have chosen to report the breach to OCR themselves, including Concentra.

On January 9, 2024, Concentra confirmed that the protected health information of 3,998,162 patients was compromised in the PJ&A cyberattack, bringing the total number of affected individuals up to at least 14 million. That makes it the largest healthcare data breach of 2023. That total is likely to grow further, although by how much is not currently clear as PJ&A has not publicly disclosed which clients have been affected nor the total number of records that were compromised in the attack.

The Nevada-based medical transcription company and many of the affected clients are being sued over the data breach. At least 40 lawsuits have already been filed against PJ&A alleging negligence for failing to implement reasonable and appropriate cybersecurity measures to safeguard the sensitive health data it is provided by its clients. Some of the lawsuits name the affected healthcare companies as co-defendants.

Concentra said the information compromised includes full names and one or more of the following data elements: date of birth, address, medical record number, hospital account number, admission diagnosis, and date(s) and time(s) of service. Some individuals may also have had their Social Security number compromised, as well as insurance information and clinical information from medical transcription files, such as laboratory and diagnostic testing results, medications, the name of the treatment facility, and the name of healthcare providers. There is no mention of credit monitoring and identity theft protection services being made available. Concentra has advised the affected individuals to monitor their accounts closely for signs of misuse of their information and to consider placing a fraud alert on their credit files.

Business associates of HIPAA-covered entities are prime targets for hackers because they typically store large volumes of sensitive data on behalf of many clients, and recent breach reports confirm that they are being targeted. A breach of this scale naturally raises questions about the security measures that were implemented at PJ&A and how it was possible for hackers to gain access to so much data. Given the high risk of cyberattacks, network segmentation should have been implemented to ensure that if its defenses were breached, hackers would only be able to gain access to limited data.

January 5, 2024: PJ&A Data Breach Total Grows as Kansas City Hospital Confirms 502K-Record Breach

North Kansas City Hospital and its subsidiary Meritas Health Corporation have recently announced that they were affected by the massive data breach at Perry, Johnson, and Associates (PJ&A).

PJ&A, a provider of medical transcription services, discovered the cyberattack on July 21, 2023, and in November, reported the breach to the HHS’ Office for Civil Rights as affecting 8,952,212 individuals; however, some of its affected clients have chosen to report the breach themselves, including North Kansas City Hospital. The Missouri hospital said the protected health information of 502,438 individuals was compromised between March 27, 2023, and May 2, 2023, when hackers had access to PJ&A’s systems. At least 9,454,650 individuals are now known to have had their data compromised in the PJ&A data breach.

North Kansas City Hospital and Meritas worked with PJ&A to determine which individuals had been affected and the types of data involved, and that process was completed on November 7, 2023. During the analysis, North Kansas City Hospital also identified data belonging to the Clay County Public Health Center. The types of data involved were limited to demographic information such as name, date of birth, gender, phone number and address; health insurance information; and some clinical information. No Social Security numbers were compromised.

After learning of the breach, North Kansas City Hospital and Meritas implemented additional safeguards, reviewed their policies and procedures for data privacy and security, and discontinued sharing data with PJ&A. North Kansas City Hospital and Meritas have now severed all ties with PJ&A. North Kansas City Hospital has advised all affected individuals to be vigilant against incidents of identity theft and fraud by reviewing their accounts, explanations of benefits, and credit reports for suspicious activity, and to report any suspicious activity to the affiliated institutions immediately.

December 29, 2023: Class Action Lawsuits Filed Over PJ&A Data Breach

After such a large data breach, it was inevitable that class action lawsuits would be filed by individuals who had their sensitive protected health information stolen. Many law firms have opened investigations into the PJ&A data breach and class action lawsuits have started to be filed against PJ&A and the healthcare providers that used the company for medical transcription services.

Class Action Lawsuit Filed Against Northwell Health and PJ&A

At least one class action lawsuit has been filed against PJ&A and Northwell Health, New York’s largest health system. Almost 4 million patients of Northwell Health had their protected health information compromised in the PJ&A data breach.

The lawsuit was filed on behalf of plaintiffs David Mayo and Madeleine E. Schwartz and similarly situated Northwell Health patients whose PHI was compromised in the data breach. The lawsuit alleges the defendants failed to implement reasonable and adequate security measures which left their sensitive data vulnerable to cyberattacks. The information compromised in the data breach included names, birthdates, Social Security numbers, addresses, medical record numbers, hospital account numbers, admission diagnoses, and times and dates of service. The lawsuit also takes issue with the length of time taken to issue notification letters. They were sent on November 3, 2023, more than 6 months after the data breach was detected.

The lawsuit alleges negligence, negligence per se, breach of contract, breach of third-party beneficiary contract, breach of fiduciary duty, unjust enrichment, and a violation of the New York Deceptive Trade Practices Act and seeks declaratory and other equitable relief, injunctive relief, restitution, damages, attorneys’ fees, and a jury trial.

The lawsuit – David Mayo, et al. v. Northwell Health Inc., et al. – was filed in the US District Court for the Eastern District of New York. The plaintiffs are represented by Jason P. Sultzer and Philip J. Furia of The Sultzer Law Group PC; Jeffrey K. Brown and Andrew Costello of Leeds Brown Law PC; Charles E. Schaffer and Nicholas J. Elia of Levin Sedran & Berman LLP; and Jeffrey S. Goldenberg and Todd B. Naylor of Goldenberg Schneider LPA.

Lawsuit Filed Against Salem Community Hospital and PJ&A

A lawsuit was filed on December 20, 2023, by Michael Stone and Leeanne Varner against Salem Community Hospital and PJ&A over the data breach, which exposed sensitive data such as names, Social Security numbers, birth dates, medical record numbers, hospital account numbers and date(s) of service.

The lawsuit alleges the PJ&A data breach was the result of the defendants failing to follow cybersecurity best practices and not adequately training their staff, despite an increased risk of cyberattacks in the healthcare sector. The lawsuit also claims the defendants unnecessarily delayed issuing notification letters, which were not sent until November 10, 2023. That delay left the plaintiffs and class members at risk of identity theft and fraud, when early notification would have allowed them to take steps to secure their accounts.

The lawsuit alleges negligence, negligence per se, breach of contract, breach of third-party beneficiary contract, breach of fiduciary duty, and unjust enrichment, and seeks a jury trial, injunctive relief, damages and restitution, and attorneys’ fees.

The lawsuit – Stone et al. v. Salem Community Hospital et al. – was filed in the U.S. District Court for the Northern District of Ohio. The plaintiffs are represented by Jeffrey S. Goldenberg and Todd B. Naylor of Goldenberg Schneider, LPA; Jason P. Sultzer & Philip J. Furia of The Sultzer Law Group P.C.; Jeffrey K. Brown & Andrew Costello of Leeds Brown Law, P.C.; and Charles E. Schaffer & Nicholas J. Elia of Levin Sedran & Berman LLP.

November 19, 2023: PJ&A Data Breach Announced: Almost 9 Million Patients Affected

Almost 9 million patients have been affected by a cyberattack on the transcription service provider, Perry Johnson & Associates. The PJ&A data breach is the second-largest healthcare data breach this year and the sixth-largest healthcare data breach ever reported.

PJ&A is a Henderson, Nevada-based provider of transcription services to organizations in the medical, legal, and government sectors and the largest privately owned provider of transcription services in the United States. PJ&A detected unauthorized activity within its IT systems on May 2, 2023, and immediate action was taken to isolate its systems and prevent further unauthorized access. Third-party cybersecurity experts were engaged to investigate the incident and determine the nature and scope of the attack, and whether sensitive data was exfiltrated from its systems.

The forensic investigation confirmed that there had been unauthorized access to its network for more than a month between March 27, 2023, and May 2, 2023, and during that time, there had been unauthorized access to data provided by its clients. PJ&A notified its clients about the cyberattack on July 21, 2023, and in the following days confirmed there had been unauthorized access to data; however, the investigation was ongoing and it was not possible to confirm exactly what types of information had been exposed or the number of individuals affected.

The PJ&A data breach investigation was completed on September 28, 2023, and on September 29, 2023, PJ&A started providing the results of its investigation to the affected clients. PJ&A said the information accessed by the unauthorized party varied from individual to individual and may have included name, address, date of birth, medical record number, hospital account number, admission diagnosis, date/time of service, Social Security number, insurance information, and medical and clinical information. The medical and clinical information contained in the transcription files may have included laboratory and diagnostic testing results, medications, the name of the treatment facility, and healthcare provider name. Credit card information, bank account information, and usernames/passwords were not provided to PJ&A so were not exposed.

On November 2, 2023, the breach was reported to the HHS’ Office for Civil Rights as affecting 8,952,212 individuals. PJ&A said that after notifying the affected clients it worked with them to notify the individuals identified during its review. When data breaches occur at business associates of HIPAA-covered entities, the business associate often reports the data breach to OCR; however, depending on the terms of the business associate agreements, individual covered entities may choose to report the breach themselves. It is currently unclear whether the 8,952,212 total includes all affected individuals or if some clients are reporting the breach themselves. The total reported to OCR only includes individuals who had their protected health information exposed and will not include clients in other sectors.

PJ&A explained in its HIPAA-required breach notice that it has not detected any attempted or actual misuse of the stolen data and has already taken steps to prevent similar breaches in the future, including updating its technical security measures. PJ&A made no mention of whether credit monitoring and identity theft protection services were being offered to the affected individuals, although some affected clients have said that those services have been made available.

Clients Affected

PJ&A has not publicly disclosed how many of its clients have been affected. At this stage, the HIPAA Journal has confirmed the names of several affected clients and will update this post when further information becomes available.

Cook County Health (IL)

Cook County Health operates John H. Stroger, Jr. Hospital of Cook County and Provident Hospital of Cook County in Chicago, four pharmacies, two health services including the Cook County Department of Public Health, and 15 community health centers in Cook County, Illinois.

Individuals affected: 1.2 million

Northwell Health (NY)

Northwell Health, formerly North Shore-Long Island Jewish Health System, is the largest healthcare provider and private employer in New York State and operates 23 hospitals including its flagship North Shore University Hospital and Long Island Jewish Medical Center, as well as 700 outpatient facilities.

Individuals affected: Northwell Health issued a draft statement saying 3,891,565 individuals had been affected, but that statement was later retracted and the final total has not yet been confirmed.

Salem Regional Medical Center (OH)

Salem Regional Medical Center in Salem, OH, has confirmed it was affected by the PJ&A data breach, which the hospital said occurred between March 2 and May 2, 2023. The breached information included names, Social Security numbers, dates of birth, addresses, phone numbers, medical records, and hospital account numbers. The hospital said PJ&A is providing free identity theft protection.

Individuals affected: Unknown

Mercy Medical Center (IA)

Mercy Medical Center has confirmed that 97,132 patients have been affected by a data breach at the medical transcription firm, Perry Johnson and Associates (PJ&A). The Cedar Rapids, IA, 450-bed hospital explained that there was no breach of its own systems; however, data provided to PJ&A to allow the firm to perform its contracted duties had been exposed and potentially stolen.

PJ&A discovered on May 2, 2023, that unauthorized individuals had gained access to its network and third-party cybersecurity experts were engaged to investigate the incident. PJ&A determined that Mercy Medical Center data was involved on October 5, 2023, and informed Mercy Medical Center on October 10, 2023, that a backup of a database had been obtained by the hackers that included the data of its patients. The review of the data confirmed that names, dates of birth, addresses, admission/discharge dates, Social Security numbers, and medical examination information had been stolen.

PJ&A issued notifications on behalf of many of its clients and reported the data breach to the HHS’ Office for Civil Rights on November 3, 2023, as affecting 8.95 million individuals; however, Mercy Medical Center chose to report the breach to the HHS directly and sent individual notifications on December 8, 2023. It took Mercy Medical Center 2 months from being notified about the breach to perform the necessary steps to allow notifications to be issued. Mercy Medical Center has arranged complimentary credit monitoring services for the affected patients and has confirmed that it is no longer using PJ&A’s medical transcription services.

Individuals Affected: 97,132

Crouse Health (NY)

Syracuse, NY-based Crouse Health has confirmed that it was affected by the PJ&A data breach and that patients had the following types of information exposed: first and last name, date of birth, address, sex, phone number, medical record number, health insurance information, dates of admission and discharge, attending physician identifiers, hospital room number, and visit type. Fewer than 10% also had a transcript of care dictated by the patient’s physician, and/or the patient’s Social Security number. PJ&A has notified the affected patients.

Individuals Affected: Undisclosed

PJ&A Data Breach Investigations and Lawsuits

All data breaches affecting 500 or more individuals are investigated by the HHS’ Office for Civil Rights to determine if there have been failures to comply with the HIPAA Rules. State Attorneys General also investigate data breaches and can impose civil monetary penalties for violations of HIPAA and state laws. PJ&A has only disclosed limited information about the nature of the breach so far and, based on the information available, there are no indications that any federal or state data security regulations have been violated.

Class action lawsuits are commonly filed after healthcare data breaches, and a breach of this magnitude is likely to see many class action lawsuits filed. As of December 20, 2023, more than two dozen lawsuits have been filed against PJ&A over the data breach, all of which make similar claims – that PJ&A was negligent for failing to implement appropriate safeguards to protect patient data. A motion has been filed to consolidate the lawsuits, which is due to be heard by the U.S. Judicial Panel on Multidistrict Litigation on January 25, 2023.

While the data breach occurred at PJ&A, several lawsuits have also been filed against the healthcare providers that used PJ&A for medical transcription, including Northwell Health.

One of Many Large Data Breaches in 2023

This year is on track to be another bad year for healthcare data breaches. As of November 15, 2023, 583 data breaches of 500 or more records have been reported to the HHS’ Office for Civil Rights, but it is the size of the data breaches that is most alarming. So far this year, the protected health information of 102,407,662 individuals has been confirmed as exposed or stolen, which is almost double the 51,903,629 records that were breached in 2023. If large data breaches continue to be reported at current rates, 2023 looks set to become the worst-ever year in terms of the number of breached records.

OCR recently confirmed that hacking incidents now account for 77% of healthcare data breaches, and there has been a 239% increase in large data breaches in the past 4 years and a 278% increase in ransomware attacks. The number of data breaches being reported indicates healthcare providers are struggling with cybersecurity in the face of increasingly sophisticated and numerous attacks.

New York recently announced that it is taking steps to address the problem by introducing stricter cybersecurity regulations for hospitals after a series of cyberattacks that affected patient care. New York Governor Kathy Hochul also confirmed that $500 million has been made available to help hospitals make the necessary improvements to cybersecurity. New York is leading the way by taking steps to improve healthcare cybersecurity but given the seriousness of the problem, this should not be a matter for individual states to try to resolve. More needs to be done by Congress to combat the problem, such as updates to HIPAA and/or financial incentives and assistance for improving cybersecurity.

The post Concentra Confirms Almost 4 Million Patients Affected by PJ&A Data Breach appeared first on HIPAA Journal.

Postmeds & Truepill Sued Over 2.3 Million-Record Data Breach

Postmeds, Inc., a company that does business as Truepill and fulfills mail order prescriptions for pharmacies, has recently announced that it has suffered a massive data breach that has affected 2,364,359 individuals. According to the company’s breach notice, an unauthorized third party gained access to files used for pharmacy management and fulfillment services. The forensic investigation confirmed the unauthorized access occurred between August 30, 2023, and September 1, 2023, and the exposed files were found to contain information such as names, medication types, and, for certain patients, demographic information and prescribing physician names. Highly sensitive information such as Social Security numbers was not compromised, as Postmeds does not receive that information.

Postmeds said it has enhanced its security protocols and technical safeguards in response to the incident and has provided its workforce with additional cybersecurity training to raise awareness of cybersecurity threats. Affected individuals started to be notified about the breach by mail on October 30, 2023.

A breach of this magnitude was certain to result in class action lawsuits, the first of which has already been filed in the U.S. District Court for the Northern District of California. The lawsuit, Rossi, et al. v. Postmeds Inc. d/b/a Truepill, names John Rossi, Michael Thomas, and Marissa Porter as plaintiffs, who are represented by attorneys Kyle McLean, Mason Barney, and Tyler Bean of Siri and Glimstad LLP. The lawsuit alleges Truepill failed to implement appropriate systems to prevent unauthorized access to patient data. The lawsuit claims the plaintiffs and class members have been placed at significant risk of identity theft and other forms of personal, social, and financial harm, and that the elevated risks will be present for a lifetime.

Class action lawsuits are commonly filed after healthcare data breaches and seek damages due to negligence, breach of contract, and invasion of privacy. It is not sufficient to allege violations of federal or state laws, as a concrete injury must have been caused as a result of those violations for the lawsuit to be granted standing.


Ransomware Gangs Hit Debt Collection Firm and Mental Healthcare Provider

Ransomware attacks have been announced by Financial Asset Management Systems and The Harris Center for Mental Health. Munson Healthcare is investigating a cyberattack on Munson Healthcare Otsego Hospital, and St. Bernards Healthcare has confirmed that patient information was compromised in a MOVEit Transfer hack.

The Harris Center for Mental Health Recovering from a Ransomware Attack

The Harris Center for Mental Health in Texas has recently fallen victim to a ransomware attack. The incident was detected on November 7, 2023, when staff members were prevented from accessing files. The network was immediately shut down to limit the harm caused, and cybersecurity consultants were engaged to assist with the recovery and investigation.

The Harris Center for Mental Health said it is continuing to provide care to patients; however, the lack of access to electronic systems has inevitably led to delays. At this stage of the investigation, it is unclear whether patient data has been compromised.

This is the second major incident to affect The Harris Center for Mental Health this year. In May 2023, a vulnerability in the MOVEit Transfer tool used by one of its service providers was exploited to gain unauthorized access to sensitive data. The protected health information of 599,367 individuals was stolen in that attack.

Ransomware Attack on Financial Asset Management Systems Affects 165,000 Patients

Financial Asset Management Systems (FAMS), a business management consultancy and debt collection firm, has recently reported a data breach to the HHS’ Office for Civil Rights that has affected 164,796 patients. In its substitute breach notice, FAMS said it experienced a “network disruption” incident, which prevented access to certain files on its network. The forensic investigation and review of the exposed files was completed on August 31, 2023, and confirmed that the exposed information included names, billing account numbers, costs paid, balances due, and the name of the affected FAMS client. The affected individuals started to be notified on October 20, 2023, and credit monitoring and identity theft protection services have been offered to the affected individuals.

Munson Healthcare Otsego Hospital Investigating Cyberattack

Munson Healthcare has confirmed that it is investigating a cyberattack on Munson Healthcare Otsego Hospital in Gaylord, MI. Munson Healthcare said computer systems were shut down in response to the security incident and a third-party cybersecurity company has been engaged to conduct a forensic investigation to determine the nature and scope of the attack.

Details about the nature of the attack, such as if this was a ransomware/extortion incident, have not been publicly disclosed, and it has yet to be determined if patient data has been exposed or obtained.

Business Associate Data Breach Affects 89,500 St. Bernards Healthcare Patients

Jonesboro, AR-based St. Bernards Healthcare, Inc., a health system serving northeast Arkansas and southeast Missouri, has recently announced that the protected health information of 89,556 patients has been exposed in a data breach at one of its third-party vendors.

St. Bernards Healthcare contracted with Welltok Inc. to provide an online contact management platform, which was used to send important notices to patients through Welltok’s subsidiary, Tea Leaves Health LLC. Welltok used Progress Software’s MOVEit Transfer product. A zero-day vulnerability in MOVEit Transfer was patched on May 31, 2023; however, the vulnerability had already been exploited on May 30. Welltok discovered it had been affected by the mass exploitation of the vulnerability on July 26, 2023, and its investigation revealed on August 11, 2023, that sensitive data was exfiltrated in the attack.

St. Bernards Healthcare was notified about the breach by Welltok on September 14, 2023, and was told about the full scope of the breach on October 18, 2023. The information stolen in the attack included names, addresses, dates of birth, email addresses, phone numbers, Social Security numbers, patient identification numbers, health insurance information, providers’ names, and medical treatment/diagnosis information. Welltok started to notify the affected individuals on November 13, 2023.


New York’s Largest Health System Affected by PJ&A Data Breach

Another client of the medical transcription firm Perry Johnson & Associates (PJ&A) has confirmed it has also been affected by the recent PJ&A data breach. New Hyde Park, NY-based Northwell Health, the largest health system in New York, has confirmed that it was notified on July 21, 2023, by PJ&A about the cyberattack that occurred between April 7 and April 19, 2023.

On September 28, 2023, PJ&A completed its initial investigation and was able to confirm the extent of the breach. According to News12 Long Island, Northwell Health initially released a draft statement indicating 3,891,565 individuals had been affected, although the statement was later recalled and Northwell Health said it was unable to confirm exactly how many individuals had been affected.

Northwell Health said the breach involved names, addresses, dates of birth, and medical information, including diagnoses, test results, and physician and healthcare provider names. Some patients also had their Social Security numbers exposed. Northwell Health said the breach occurred at PJ&A and no Northwell Health systems were affected. Affected individuals will be offered complimentary credit monitoring services, although no evidence has been uncovered to indicate any patient data has been misused.

This is the second major vendor data breach to affect Northwell Health patients this year. Northwell Health was also affected by a hacking incident at vendor Nuance Communications. The Clop ransomware group exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution in late May 2023. Nuance Communications reported the breach to the HHS as affecting 1,225,054 individuals, although it is unclear how many, if any, Northwell Health patients are included in that total.

Northwell Health is the second PJ&A client to confirm it has been affected by the cyberattack and data breach. Last week, Cook County Health in Chicago said 1.2 million patients had their PHI exposed and that it was one of several PJ&A clients to be affected. Cook County Health said it terminated its relationship with PJ&A when it was informed about the data breach and had difficulty confirming exactly how many individuals had been affected. It did not receive the final list of affected patients until October 9, 2023.

The latest confirmation suggests almost 5 million patients may have been affected by the breach and had their protected health information exposed or stolen in the attack. That number could well rise over the coming days and weeks as further clients confirm they have been affected. At present there is no breach notice on the HHS’ Office for Civil Rights website from PJ&A, although the breach is now shown on the website of the California Attorney General. Since the California Attorney General only posts breach notification letters, which do not usually state how many individuals have been affected, the scale of the breach cannot yet be determined.


State of Maine Says 1.3 Million Individuals Affected by MOVEit Hack

The state of Maine has confirmed that it was affected by the mass hacking of a zero-day vulnerability in Progress Software’s MOVEit file transfer tool. The state learned of the vulnerability on May 31, 2023, when a patch was released by Progress Software to fix the flaw; however, the vulnerability had already been exploited by the Clop hacking group and files containing sensitive data were downloaded between May 28, 2023, and May 29, 2023.

The files contained the sensitive data of state residents, employees, and individuals who received services from state agencies. More than half of the employees affected worked at the state Department of Health and Human Services, and between 10% and 30% worked at the Department of Education. The breached information included names, dates of birth, driver’s license numbers, Social Security numbers, and health and medical information.

According to the notice filed with the Maine Attorney General, the data of 1,324,118 individuals was impacted, 534,194 of whom were Maine residents. Notification letters are now being issued and complimentary credit monitoring services have been offered to individuals who had their Social Security numbers exposed or stolen.

Greater Rochester Independent Practice Association Affected by MOVEit Hacks

Greater Rochester Independent Practice Association (GRIPA) in New York was also affected by the MOVEit hacks. GRIPA said it learned of the breach on May 31, 2023, when the patch was provided by Progress Software. Its forensic investigation confirmed on June 5, 2023, that files had been removed from its MOVEit server that included patients’ protected health information. A third-party vendor was engaged to review the files and the review was completed on September 1, 2023.

GRIPA said medical records were not compromised and the impacted data was very limited in nature. Affected individuals are being told what information was affected in their individual notifications. The compromised information included the name of their doctor, date of last visit, and prescription information. If Social Security numbers were compromised, affected individuals can sign up for complimentary credit monitoring services.

The breach was reported to the HHS’ Office for Civil Rights as affecting up to 279,156 individuals.

Tri-City Medical Center Diverts Ambulances Following Cyberattack

Tri-City Medical Center in Oceanside, CA, is currently dealing with a cyberattack that has forced it to take certain systems offline. On November 9, 2023, the hospital was diverting ambulances to other hospitals as a precaution, although the medical center said it is prepared to manage emergency cases that may arrive in private vehicles and that it is working with other healthcare providers in the community to ensure that healthcare services are provided.

A forensic investigation has been launched to determine the nature and scope of the incident and whether sensitive data was stolen. Further information will be released in the coming days and weeks as the investigation progresses.

Optum Medical Group’s Crystal Run Healthcare Investigating Potential Cyberattack

Crystal Run Healthcare in Middletown, NY, which has been acquired by Optum Medical Group, says it is experiencing system issues that are impacting some of its services, resulting in longer than usual wait times. The disruption started on or around November 3, 2023, and as of November 10, 2023, the healthcare provider had still not recovered. The cause of the outage was not stated in the notification, but it is fair to assume that it was a cyberattack.

Butler County Confirms October Cyberattack

Butler County in Pennsylvania has confirmed that it has experienced a data security incident. The attack was detected in early October, and by the end of the month, it had been confirmed that the individual responsible had gained access to personally identifiable information, mostly relating to criminal court proceedings. The review of the affected data is ongoing and, at this stage of the investigation, the county has not yet confirmed exactly what data was stolen and how many individuals were affected.

Notification letters will be mailed to the affected individuals when the review has been completed and county officials said credit monitoring services will be offered. This is the second security breach to affect the county in as many months. In September, a jail employee’s account was accessed and personally identifiable information was compromised.

The post State of Maine Says 1.3 Million Individuals Affected by MOVEit Hack appeared first on HIPAA Journal.

November 8, 2023, Healthcare Data Breach Round-Up

Mulkay Cardiology Consultants at Holy Name Medical Center has recently confirmed that it fell victim to a ransomware attack. The attack was detected on September 5, 2023, when files on its network were encrypted. According to the breach notice, Mulkay was able to rebuild its systems and recover the encrypted files from backups.

Third-party forensics experts were engaged to investigate the breach and determined that its systems were compromised between September 1, 2023, and September 5, 2023, and during that time, files were exfiltrated that contained personal and protected health information. The compromised information included names, addresses, dates of birth, Social Security numbers, driver’s license numbers or state IDs, medical treatment information, and health insurance information. Mulkay said it has enhanced its technical safeguards to prevent similar incidents in the future. Affected individuals have been notified and offered complimentary credit monitoring services.

The breach was reported to the Maine Attorney General as affecting 79,582 individuals, although since the breach is not yet showing on the HHS’ Office for Civil Rights breach portal, it is unclear how many patients were affected. While Mulkay has indicated this was a ransomware attack, the group responsible was not mentioned; however, this appears to have been an attack by the NoEscape group, which was the subject of a recent analyst note from the Health Sector Cybersecurity Coordination Center (HC3). While NoEscape claimed on its data leak site to have stolen around 60GB of data, including the personal information of 30,000 patients, the listing has since been removed, which usually means a ransom has been paid, although this has not been confirmed by the HIPAA Journal.

BHS Physicians Network Reports Email Account Breach

BHS Physicians Network has recently confirmed a breach of a Microsoft Office 365-hosted business email account that was used by a medical assistant. The email account breach was detected on August 11, 2023, and the investigation confirmed that access to the account was possible between July 28, 2023, and August 15, 2023. The email account contained files that included the protected health information of patients of First California Physician Partners, Georgia Northside Ear, Nose, and Throat, and Greater Dallas Healthcare Enterprises.

BHS Physicians Network has confirmed that the email account was separate from its internal network and systems, which were not affected. On August 30, 2023, it was determined that the account contained demographic information such as full name, date of birth, and address, medical and/or treatment information such as dates of service, provider and facility names, procedure codes, and billing and claims information, such as account and/or claim status, transaction and charge identification numbers, patient account identifiers, and payor information.

BHS Physicians Network said security and monitoring capabilities have been enhanced and systems are being hardened to prevent similar breaches in the future. The breach was reported to the HHS’ Office for Civil Rights as affecting 1,857 individuals.

Life Generations Healthcare Email Accounts Compromised

Life Generations Healthcare (LGH), a Santa Ana, CA-based medical group, has recently announced that an unauthorized third party gained access to multiple employee email accounts between May 24 and June 13, 2023. While the breach notice does not state when the breach was detected, LGH has confirmed that the breach investigation revealed on October 4, 2023, that some of the accounts contained the protected health information of patients. The information exposed in the breach varied from patient to patient and may have included names, addresses, dates of birth, medical information, health insurance information, Social Security numbers, driver’s license numbers/state IDs, and financial account information.

Notification letters have been sent to the affected individuals and patients who had their Social Security numbers and/or driver’s license numbers exposed have been offered complimentary credit monitoring and identity theft protection services. The incident is not yet showing on the HHS’ Office for Civil Rights breach portal so it is unclear how many individuals have been affected.

MOVEit Transfer Hacking Victims

Cadence Bank

Cadence Bank has confirmed that it was affected by the recent mass hacking of the zero-day vulnerability in Progress Software’s MOVEit Transfer solution. The bank said the vulnerability was patched immediately when Progress Software released the patch; however, the vulnerability had already been exploited and data was stolen. Cadence Bank provides lockbox services to North Mississippi Health Services and its affiliates, and on June 18, 2023, the bank confirmed that the data of patients was involved. The compromised data included names, addresses, dates of birth, Social Security numbers, driver’s license numbers, health insurance information, medical and/or treatment information, and billing and claims information.

Cadence Bank said it has enhanced security and monitoring practices and strengthened system security. Complimentary credit monitoring services have been offered to individuals whose Social Security numbers, driver’s license numbers, and/or financial account information were involved. The breach was reported to the HHS’ Office for Civil Rights as affecting 13,862 individuals.

AlohaCare

AlohaCare, a Honolulu, HI-based community-led, non-profit health plan, has confirmed that the data of 12,982 members was compromised in the recent mass exploitation of a zero-day vulnerability in the MOVEit Transfer solution. The vulnerability was patched as soon as the patch was released by Progress Software; however, the vulnerability had already been exploited. The data stolen included names, addresses, dates of birth, and Social Security numbers. Affected individuals have been offered complimentary credit monitoring services.

Ransomware Gangs Claim Responsibility for Attacks on Healthcare Providers

The following healthcare providers have recently been added to the data leak sites of ransomware groups. On the date of this post, ransomware attacks have not been confirmed by the victims and no data has actually been leaked.

Summit Health (LockBit 3.0)

Summit Health, a Berkeley Heights, NJ-based multi-specialty medical practice with more than 340 locations, has recently been added to the LockBit 3.0 data leak site. The ransomware group gave Summit Health a deadline of November 8, 2023, to pay the ransom or the stolen data would be published. Summit Health has not confirmed the attack and has yet to report a data breach. The LockBit 3.0 data leak site does not state what data was obtained in the attack.

Cardiovascular Consultants (Qilin)

Cardiovascular Consultants in Arizona appears to have fallen victim to a ransomware attack by the Qilin group. The group has recently uploaded a 205.93 GB compressed file to its data leak site and claims the file contains all data stolen in the attack; however, as of November 8, 2023, the link is not working and the data cannot be downloaded. Cardiovascular Consultants has yet to confirm the validity of the group’s claim.

The post November 8, 2023, Healthcare Data Breach Round-Up appeared first on HIPAA Journal.

BlackCat Ransomware Group Claims Responsibility for Attack on Henry Schein

The BlackCat (ALPHV) ransomware group has claimed responsibility for an attack on Henry Schein, a Fortune 500 distributor of dental and medical supplies and provider of practice management software and solutions for healthcare providers.

Henry Schein confirmed on October 15, 2023, that it had experienced a cybersecurity incident, which was detected on October 14, 2023. The incident affected a portion of its manufacturing and distribution business, which caused temporary disruption to its business operations. More than three weeks on and the company is still experiencing technical difficulties with its website and webshop. Third-party cybersecurity consultants have been engaged to investigate the breach and the data impact, and law enforcement has been notified. The incident is still being investigated; however, it has been determined that users of its client management software were unaffected.

According to the BlackCat group’s dark web data leak site, 35 terabytes of data were stolen in the attack, including payroll and shareholder data. The group claimed to have encrypted files and was negotiating with the company, and just when the company had almost completed restoring its systems, they were encrypted again as negotiations failed. BlackCat also threatened to publish some of the company’s payroll and shareholder data. The listing has since been removed, indicating negotiations have resumed.

Ventura Orthopedics Notifies Patients About 2020 Ransomware Attack

Ventura Orthopedics in California has recently started notifying patients that some of their protected health information was compromised in a July 20, 2020, ransomware attack. According to the company’s substitute breach notice, the security breach was discovered in September 2020 when files on its network were encrypted. A ransom demand was received, but Ventura Orthopedics was able to recover the encrypted files from data backups so the ransom was not paid. At the time, the investigation indicated the attackers gained access to the information of a single patient, who was notified at the time.

Further investigation into the incident has revealed additional patients were also affected. The hackers gained access to the files of a single physician and his physician assistant. Those files included names, dates of birth, and drug and laboratory testing results from 2016, 2017, and 2018. Notification letters are now being sent to those individuals.

According to DataBreaches, the Maze ransomware group added the company to its leak site and the Conti group later leaked the data of 1,850 individuals on its data leak site. The site tried to make contact with Ventura on several occasions and also filed a complaint with OCR about the incident, which OCR investigated. On September 13, 2023, the company said it had discovered additional data was involved, following a conference call with the site’s operator.

At present, the incident is not yet showing on the HHS’ Office for Civil Rights breach portal, and Ventura Orthopedics has not yet publicly disclosed how many individuals were affected.

PHI Exposed in Cyberattack on Edward C. Taylor, PhD

Edward C. Taylor, Ph.D., a provider of counseling and psychoeducational assessment services in Jacksonville, FL, has recently completed an investigation of a cyberattack. A security breach was detected on August 19, 2023, and third-party digital forensics specialists were engaged to investigate and determine the nature and scope of the incident. On or around October 5, 2023, it was confirmed that an unauthorized individual had gained access to its network for one day and exfiltrated files containing company information.

It was not possible to determine whether the stolen files contained any patient information; however, files were present on the compromised part of the network that included the protected health information of 6,684 patients. The exposed information included names, contact information, dates of birth, insurance information, information relating to mental health including clinical information, and diagnoses. Internal settings and controls have been updated and passwords changed to prevent similar breaches in the future.

The post BlackCat Ransomware Group Claims Responsibility for Attack on Henry Schein appeared first on HIPAA Journal.

Okta: Third-Party Vendor Incident and Breach of Customer Support System

Okta, a San Francisco-based provider of cloud identity and access management solutions, has confirmed that the personal information of 4,961 current and former employees has been exposed in a third-party data breach at its vendor, Rightway Healthcare.

Rightway Healthcare provides support to Okta employees and their dependents and helps them find healthcare providers and rates. According to the breach notice provided to the Maine Attorney General, Okta was notified by Rightway on October 12, 2023, that there had been unauthorized access to an eligibility census file, which was used in connection with the services provided to Okta. The file contained employee names, Social Security numbers, and health or medical insurance plan numbers. Rightway’s investigation revealed the unauthorized activity occurred on September 23, 2023. The stolen files were from April 2019 through 2020. Okta said complimentary credit monitoring, identity restoration, and fraud detection services have been offered to the affected individuals.

Customer Support System Breached

Okta has also been investigating a breach of its own customer support system and announced the breach a few days after confirming the breach at Rightway Healthcare. In this incident, an unauthorized individual gained access to the files of 134 of its customers.

Okta’s investigation into this breach revealed it was most likely caused by an employee signing into their personal Google profile using the Chrome web browser on their Okta-managed laptop. The employee had saved the credentials of their Okta service account in their personal Google account.

The employee’s Okta credentials were used to access client session cookies, which allowed the attacker to bypass login screens and multi-factor authentication. A total of 134 Okta customers were affected, but only 5 Okta sessions were accessed. Three of the Okta customers affected have publicly disclosed the breach – 1Password, BeyondTrust, and Cloudflare. Okta said its investigation revealed the unauthorized activity occurred between September 28 and October 17, 2023.

The investigation of the breach was complicated due to the failure to identify file downloads in customer support vendor logs. When a user opens and views support files, a specific log event is generated along with a record ID that is tied to the file; however, if the user navigates away directly to the Files tab in the customer support system, different log events and record IDs are generated.

The threat actor navigated directly to the Files tab, and Okta’s initial investigation focused only on access to support cases using the initial log event and record ID. It was only when BeyondTrust identified a suspicious IP address on October 13, 2023, that Okta identified the additional file access events and linked them to the compromised employee account.
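As an added example (not Okta’s code, and not its real log schema; the event names, field names, account names and log lines are constructed), the following shows the detection gap described above: a search keyed only on the case-view event misses files reached through a different path that writes a different event and record ID, while pivoting on an IP address surfaces them.

```python
"""
Correlating support-system file access across two event types.

Constructed example: the schema and data below are illustrative and are not
Okta's actual logs. "case.view" stands for the event written when a user opens
a support case and views its attachments; "file.direct_access" stands for the
different event written when the user goes straight to the Files tab. The two
paths produce different record IDs even for the same file.
"""
import json
from collections import defaultdict

CASE_VIEW = "case.view"
DIRECT_ACCESS = "file.direct_access"

# Constructed sample log (newline-delimited JSON). IPs are documentation ranges.
SAMPLE_LOG = """
{"ts": "2023-10-01T10:00:00Z", "event": "case.view", "actor": "svc-support-01", "ip": "203.0.113.10", "record_id": "case-1001", "file": "har-1.har"}
{"ts": "2023-10-01T10:05:00Z", "event": "file.direct_access", "actor": "svc-support-01", "ip": "198.51.100.7", "record_id": "file-5551", "file": "har-2.har"}
{"ts": "2023-10-02T11:00:00Z", "event": "file.direct_access", "actor": "svc-support-01", "ip": "198.51.100.7", "record_id": "file-5552", "file": "har-3.har"}
{"ts": "2023-10-02T12:00:00Z", "event": "case.view", "actor": "analyst-bob", "ip": "203.0.113.22", "record_id": "case-1002", "file": "har-4.har"}
{"ts": "2023-10-03T09:30:00Z", "event": "file.direct_access", "actor": "analyst-bob", "ip": "203.0.113.22", "record_id": "file-5553", "file": "har-4.har"}
"""


def parse_log(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def file_access_by_actor(events, event_types=(CASE_VIEW, DIRECT_ACCESS)):
    """Map each actor to the set of files they touched via the listed event types.

    Calling this with event_types=(CASE_VIEW,) reproduces the narrow search
    that only looks at case views and therefore under-counts file access.
    """
    touched = defaultdict(set)
    for e in events:
        if e["event"] in event_types:
            touched[e["actor"]].add(e["file"])
    return dict(touched)


def files_missed_by_case_view_only(events):
    """(actor, file) pairs reached only via the direct path.

    These are exactly the downloads a case-view-only search would not find.
    """
    via_case = {(e["actor"], e["file"]) for e in events if e["event"] == CASE_VIEW}
    via_direct = {(e["actor"], e["file"]) for e in events if e["event"] == DIRECT_ACCESS}
    return sorted(via_direct - via_case)


def pivot_on_ip(events, ip):
    """Return (actors, events) seen from a given IP across all event types.

    This is the pivot that links a suspicious IP reported by a customer back
    to an account, regardless of which UI path wrote the event.
    """
    hits = [e for e in events if e["ip"] == ip]
    return sorted({e["actor"] for e in hits}), hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("case-view-only view:", file_access_by_actor(evs, (CASE_VIEW,)))
    print("all-paths view:     ", file_access_by_actor(evs))
    print("missed by narrow search:", files_missed_by_case_view_only(evs))
    actors, hits = pivot_on_ip(evs, "198.51.100.7")
    print("pivot on 198.51.100.7 ->", actors, [h["record_id"] for h in hits])
```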

The post Okta: Third-Party Vendor Incident and Breach of Customer Support System appeared first on HIPAA Journal.

Cook County Health Says Information of 1.2 Million Patients Has Potentially Been Compromised

Cook County Health in Chicago, Illinois has recently confirmed that the protected health information of up to 1.2 million patients has potentially been obtained by an unauthorized individual in a cyberattack on one of its business associates.

Cook County Health operates John H. Stroger, Jr. Hospital of Cook County and Provident Hospital of Cook County in Chicago, four pharmacies, two health services including the Cook County Department of Public Health, and 15 community health centers in Cook County, the most populous county in Illinois. Cook County Health contracted with Perry Johnson & Associates, Inc. (PJ&A), a Nevada medical transcription service provider, which was provided access to patient data to complete its contracted duties.

On July 21, 2023, PJ&A notified Cook County Health that a data security incident had been detected and was under investigation. PJ&A engaged third-party cybersecurity experts to assist with the investigation and notified law enforcement, including the Federal Bureau of Investigation, and has been assisting the FBI with its investigation. According to the PJ&A substitute breach notice, a security breach was detected on May 2, 2023, and the subsequent forensic investigation confirmed its systems were accessed by an unauthorized individual between March 27, 2023, and May 2, 2023.

On July 26, 2023, PJ&A notified Cook County Health that patient data was stored in systems that had been accessed in the attack and that its forensic investigation had confirmed that the unauthorized individual accessed and exfiltrated the data of Cook County Health patients between April 7, 2023, and April 19, 2023. Cook County Health said it stopped sharing data with PJ&A when it was notified about the data breach and has since terminated its business relationship with the firm. A final list of the affected individuals was provided to Cook County Health on October 9, 2023. Cook County Health said it was one of many organizations affected by the PJ&A data breach.

Cook County Health has confirmed that the breach only involved the systems at PJ&A. Its own IT systems were not affected. The information that was exposed or stolen included names, dates of birth, addresses, medical record numbers, encounter numbers, medical information, and dates/times of service. Approximately 2,600 patients also had their Social Security numbers exposed. PJ&A explained in its breach notice that other customers had similar data stolen, which may also have included insurance information and clinical information, as well as other information found in medical transcription files, such as laboratory and diagnostic testing results, medications, the name of the treatment facility, and the names of healthcare providers.

Cook County Health said it will start mailing notification letters to the affected individuals this week and will provide them with information on the steps they can take to protect themselves against misuse of their personal and protected health information. Individuals who have had their Social Security numbers exposed will be offered complimentary credit monitoring and identity theft protection services. While data theft has been confirmed, Cook County Health said it is unaware of any attempted or actual misuse of patient data.

Cook County Health reported the breach to the Department of Health and Human Services’ Office for Civil Rights on September 24, 2023, as affecting at least 500 individuals. The HIPAA Breach Notification Rule requires data breaches to be reported no later than 60 days from the discovery of the breach, so 500 was used as a placeholder until PJ&A provided the final list of affected individuals.

PJ&A said it has implemented additional technical restrictions in its systems and has deployed an endpoint detection and response system to monitor for any unauthorized access. Cook County Health was not the only client to have been affected by the incident, although at this stage it is unclear how many of its clients have had data stolen and how many individuals in total have been affected.

Vendors that provide services to the healthcare industry that require access to patient data are attractive targets for cybercriminals. They often store large amounts of healthcare data and work with many different hospitals and health systems. Oftentimes, they have privileged access to the networks of their healthcare provider clients, so an attack on a business associate could provide a threat actor with access to the networks of many organizations. Cybercriminal gangs are constantly looking for ways to maximize the return on their efforts, so attacking a business associate makes perfect sense.

While there are more attacks on healthcare providers than business associates, attacks on business associates allow cybercriminals to obtain large quantities of data. An analysis of healthcare data breaches in the first half of 2023 by Critical Insight found that almost 50% of the healthcare records exposed or stolen in the first half of the year were due to cyberattacks on the third-party business associates of healthcare providers and health plans. Data breaches at business associates of healthcare providers and health plans involved an average of 304,000 healthcare records, compared to an average of 86,000 records for attacks on healthcare providers and health plans.

“Hackers are increasingly targeting the weakest links and vulnerable points in the supply chain, specifically business associates or third-party companies that offer services to healthcare organizations,” said John Delano, healthcare cybersecurity strategist at Critical Insight. “Now more than ever, healthcare organizations must remain vigilant of their security and exposures within their supply chain as attackers constantly adapt new strategies.”

The post Cook County Health Says Information of 1.2 Million Patients Has Potentially Been Compromised appeared first on HIPAA Journal.