HIPAA Breach News

Healthcare Data Breach Round-Up: November 16, 2023

Medical Eye Services (CA), Prospect Medical Services (CA), McAlester Regional Health Center (OK), PeakMed (CO), Catholic Charities of Long Island (NY), & The Endocrine and Psychiatry Center (TX) have recently notified patients that their personal and health information has been exposed.

Medical Eye Services Says PHI of 370,000 Patients Stolen in MOVEit Transfer Hack

California-based Medical Eye Services, Inc. has recently confirmed that the protected health information of 346,828 individuals was stolen from the MOVEit Transfer server used by the vision benefits management provider, MESVision, between May 28, 2023, and May 31, 2023. A zero-day vulnerability was exploited by the Clop cyber threat group as part of a series of attacks on more than 2,300 organizations globally.

MESVision discovered it had been affected on August 23, 2023, and has since rebuilt its MOVEit server and implemented additional technical safeguards to prevent further breaches. The stolen data included names, dates of birth, Social Security numbers, subscriber/member IDs, policy numbers, group numbers, and claim numbers. Affected individuals have been offered complimentary credit monitoring and identity theft protection services through Kroll.

109,728 Connecticut Residents Impacted by Ransomware Attack on Prospect Medical Services

Between July 31, 2023, and August 1, 2023, the Rhysida ransomware group gained access to the network of Los Angeles, CA-based Prospect Medical Holdings. Prospect Medical detected the breach on August 1, 2023, and reported it to the HHS’ Office for Civil Rights on September 29, 2023, as affecting 342,376 individuals; individual notification letters were mailed the same day.

On November 13, 2023, additional notification letters were sent to 109,728 patients of the Eastern Connecticut Health Network (ECHN) Medical Group. The affected individuals had received healthcare services at Manchester Memorial Hospital, Rockville General Hospital, or Waterbury Hospital. Prospect Medical said the compromised information included names, addresses, dates of birth, diagnosis, lab results, medications, and other treatment information, and for some individuals, Social Security numbers and/or driver’s license numbers. Individuals who had their Social Security numbers or driver’s license numbers exposed have been offered 2 years of complimentary credit monitoring and identity theft protection services.

McAlester Regional Health Center Cyberattack Affects 38,000 Patients

McAlester Regional Health Center in Oklahoma has recently notified 37,731 patients about a security incident that was detected on May 8, 2023. Immediate action was taken to secure its network and a third-party cybersecurity firm was engaged to investigate to determine the nature and scope of the incident, which confirmed that files containing patient data had been exposed. A third-party vendor was engaged to review the affected files and the process was completed on October 23, 2023. Notification letters were mailed to the affected individuals on November 15, 2023. The exposed information included names, addresses, dates of birth, Social Security numbers, driver’s license numbers, and other government ID numbers.

McAlester Regional Health Center has tightened firewall restrictions, rewritten and strengthened its password policy, implemented password changes for every account across the organization, and increased restrictions on file sharing. Affected individuals have been provided with complimentary single-bureau credit monitoring services.

Compromised Credentials Used to Access PeakMed Network

PeakMed, a Colorado primary care provider, has started notifying 27,800 patients about a security breach that was detected on August 30, 2023. An investigation of suspicious network activity confirmed that an unauthorized individual had obtained an employee’s credentials and used them to access its network between July 24, 2023, and August 30, 2023.

The documents that were accessed, and potentially acquired, were found to contain patient names along with one or more of the following: address, Social Security number, driver’s license number, date of birth, medical record number, financial account information, payment card information, electronic signature, billing/claims information, medical provider’s name, Medicare/Medicaid identification, medication information, treatment information, and health insurance information. PeakMed said all system passwords were reset when the breach was discovered, and 2-factor authentication has been implemented for all employee accounts.

Catholic Charities of Long Island Cyberattack Affects 13,000 Patients

Catholic Charities of the Diocese of Rockville Centre, doing business as Catholic Charities of Long Island in New York, has notified 13,000 patients that some of their personal information was exposed and potentially acquired by unauthorized individuals. Access appears to have been gained to its network via the Cisco AnyConnect VPN.

Unusual network activity was detected on September 3, 2023, and access to the network was immediately disconnected. A third-party cybersecurity firm was engaged to investigate the incident and determined that an unauthorized third party had accessed files that contained patient data, including names, addresses, dates of birth, Social Security numbers, driver’s license numbers, passports, and medical information.

The list of affected individuals was finalized on October 24, 2023, and notification letters were mailed on November 2, 2023. Catholic Charities has taken several steps to improve security, including installing threat hunting and endpoint detection and response solutions.

Endocrine and Psychiatry Center Discovers Theft of Historic Data

The Endocrine and Psychiatry Center in Texas has recently sent notifications to patients advising that some of their protected health information has been removed from its systems by an unauthorized individual. The theft occurred at some point prior to March 20, 2023, and involved data generated prior to 2017. A comprehensive review of the affected files was conducted and concluded on October 15, 2023, that the following information had potentially been compromised: full name, Social Security number, driver’s license number or other government identification number, date of birth, financial account information, credit or debit card information, treatment/diagnosis information, and/or health insurance information.

According to the notification sent to the Maine Attorney General, 28,531 individuals were affected. The Endocrine and Psychiatry Center has offered those individuals a complimentary membership to the Equifax Credit Watch Gold service.

Bladen County, North Carolina Suffers Cyberattack

Bladen County in North Carolina is dealing with a cyberattack in which sensitive data was compromised. County officials said the attack impacted multiple server and internet-based systems, and the incident is being investigated by the North Carolina Joint Cybersecurity Task Force, which has helped to secure its servers. Rodney Hester, chairman of the Bladen County Board of Commissioners, confirmed that the county had emergency preparedness plans in place to deal with this kind of incident and confirmed that all emergency services remained operational throughout, although the county has been operating in a limited capacity since the attack.

The nature of the attack, including whether ransomware was involved, has not been disclosed. If ransomware was used, the ransom will not be paid, as North Carolina prohibits ransom payments to ransomware gangs. It is currently unclear how many individuals have had their information stolen in the attack.

The post Healthcare Data Breach Round-Up: November 16, 2023 appeared first on HIPAA Journal.

Sutter Health Confirms 84K Individuals Affected by Cyberattack on Business Associate

Sutter Health, a healthcare provider serving Northern California, has recently confirmed that patient data was compromised in a hacking incident at one of its business associates, Virgin Pulse. Virgin Pulse was contracted to provide important notices and communications to patients and was provided with patient data to fulfill that role.

Virgin Pulse used Progress Software’s MOVEit Transfer file transfer tool, which had a vulnerability that was exploited by the Clop Group. Progress Software released a patch to fix the vulnerability on May 31, and Virgin Pulse said it moved quickly to apply the patch and recommended mitigation steps; however, the vulnerability had already been exploited. The vulnerability was exploited in attacks on more than 2,300 organizations and the data of more than 60 million individuals was stolen, including the data of 845,441 Sutter Health patients.

Sutter Health was informed by Virgin Pulse on September 22, 2023, that it had been affected by the hack, almost 4 months after the cyberattack occurred, but did not get the final report until October 24, 2023. The compromised data included names, dates of birth, health insurance information, provider names, treatment cost information, and diagnoses/treatment information. Sutter Health said the affected individuals have been offered a complimentary 1-year membership to a credit monitoring and identity theft protection service.

Northern Iowa Therapy Confirms Extent of March 2023 Security Incident

Waverly, IA-based Northern Iowa Therapy (NIT) has recently confirmed that the records of 5,100 patients have been exposed. The privacy breach was first identified on March 10, 2023, when NIT discovered a limited number of patient records in an account unaffiliated with NIT. An investigation was launched, and third-party forensic experts were engaged to investigate. NIT first announced the security incident on June 21, 2023, and conducted a review of the documents involved. On October 4, 2023, it was determined that patient data had been exposed. Contact information was then verified, and notification letters were sent on October 27, 2023.

The exposed information varied from individual to individual and may have included names, addresses, dates of birth, email addresses, phone numbers, medical information, mental/physical condition, Medicare IDs, Social Security numbers, driver’s license numbers, diagnoses, treatment information, dates of service, billing & claims information, health insurance information, and patient account numbers.

NIT said it continuously evaluates and modifies its security practices to enhance the privacy and security of the personal information it stores and will continue to do so.

West Central District Health Department Notifies Patients About May 2023 Cyberattack

The West Central District Health Department (WCDHD) in Nebraska has recently confirmed that there has been unauthorized access to its network and that patient data has been exposed. The forensic investigation confirmed that certain portions of its network were accessed between May 18, 2023, and May 23, 2023, and the review of the affected files was completed on September 18, 2023.

In its November 13, 2023, breach notice, WCDHD confirmed that the exposed information included names in combination with one or more of the following: Social Security number, driver’s license number, state ID number, and/or financial account number. Complimentary credit monitoring and identity theft protection services have been offered to the affected individuals.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

NoEscape Ransomware Group Claims Responsibility for Attacks on 2 Healthcare Organizations

The NoEscape ransomware group has claimed responsibility for attacks on two healthcare organizations, Southeastern Orthopaedic Specialists in Greensboro, NC, and Carespring in Loveland, OH. NoEscape claims to have exfiltrated 3 GB of data from Southeastern Orthopaedic Specialists and 364 GB of data from Carespring and has issued threats on its data leak site to release the stolen data if the ransom demands are not met. In addition to data encryption and data theft/leaks, the NoEscape group often conducts DDoS attacks on victims who do not attempt to negotiate, and the group claims to have conducted such an attack on Southeastern Orthopaedic Specialists. At present no data has been released, and neither organization has publicly confirmed a cyberattack or data breach.


Concentra Confirms Almost 4 Million Patients Affected by PJ&A Data Breach

Concentra, a Texas-based physical and occupational health provider, has confirmed it was affected by a cyberattack at its transcription service provider, PJ&A. PJ&A has already reported the breach to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) as affecting almost 9 million patients; however, some PJ&A clients have chosen to report the breach to OCR themselves, including Concentra.

On January 9, 2024, Concentra confirmed that the protected health information of 3,998,162 patients was compromised in the PJ&A cyberattack, bringing the total number of affected individuals up to at least 14 million. That makes it the largest healthcare data breach of 2023. That total is likely to grow further, although by how much is not currently clear as PJ&A has not publicly disclosed which clients have been affected nor the total number of records that were compromised in the attack.

The Nevada-based medical transcription company and many of the affected clients are being sued over the data breach. At least 40 lawsuits have already been filed against PJ&A alleging negligence for failing to implement reasonable and appropriate cybersecurity measures to safeguard the sensitive health data it is provided by its clients. Some of the lawsuits name the affected healthcare companies as co-defendants.

Concentra said the information compromised includes full names and one or more of the following data elements: date of birth, address, medical record number, hospital account number, admission diagnosis, and date(s) and time(s) of service. Some individuals may also have had their Social Security number compromised, as well as insurance information and clinical information from medical transcription files, such as laboratory and diagnostic testing results, medications, the name of the treatment facility, and the name of healthcare providers. There is no mention of credit monitoring and identity theft protection services being made available. Concentra has advised the affected individuals to monitor their accounts closely for signs of misuse of their information and to consider placing a fraud alert on their credit files.

Business associates of HIPAA-covered entities are prime targets for hackers as they typically store large volumes of sensitive data, and it is clear from recent breach reports that hackers are targeting business associates. A breach of this scale naturally raises questions about the security measures that were implemented at PJ&A and how it was possible for hackers to gain access to so much data. Given the high risk of cyberattacks, network segmentation should have been implemented to ensure that if its defenses were breached, hackers would only be able to gain access to limited data.

January 5, 2024: PJ&A Data Breach Total Grows as Kansas City Hospital Confirms 502K-Record Breach

North Kansas City Hospital and its subsidiary Meritas Health Corporation have recently announced that they were affected by the massive data breach at Perry, Johnson, and Associates (PJ&A).

PJ&A, a provider of medical transcription services, discovered the cyberattack on July 21, 2023, and in November, reported the breach to the HHS’ Office for Civil Rights as affecting 8,952,212 individuals; however, some of its affected clients have chosen to report the breach themselves, including North Kansas City Hospital. The Missouri hospital said the protected health information of 502,438 individuals was compromised between March 27, 2023, and May 2, 2023, when hackers had access to PJ&A’s systems. At least 9,454,650 individuals are now known to have had their data compromised in the PJ&A data breach.

North Kansas City Hospital and Meritas worked with PJ&A to determine which individuals had been affected and the types of data involved, and that process was completed on November 7, 2023. During the analysis, North Kansas City Hospital also identified data belonging to the Clay County Public Health Center. The types of data involved were limited to demographic information such as name, date of birth, gender, phone number and address; health insurance information; and some clinical information. No Social Security numbers were compromised.

After learning of the breach, North Kansas City Hospital and Meritas implemented additional safeguards, reviewed their policies and procedures for data privacy and security, and discontinued sharing data with PJ&A. North Kansas City Hospital and Meritas have now severed all ties with PJ&A. North Kansas City Hospital has advised all affected individuals to be vigilant against incidents of identity theft and fraud by reviewing their accounts, explanations of benefits, and credit reports for suspicious activity, and to report any suspicious activity to the affiliated institutions immediately.

December 29, 2023: Class Action Lawsuits Filed Over PJ&A Data Breach

After such a large data breach, it was inevitable that class action lawsuits would be filed by individuals who had their sensitive protected health information stolen. Many law firms have opened investigations into the PJ&A data breach and class action lawsuits have started to be filed against PJ&A and the healthcare providers that used the company for medical transcription services.

Class Action Lawsuit Filed Against Northwell Health and PJ&A

At least one class action lawsuit has been filed against PJ&A and Northwell Health, New York’s largest health system. Almost 4 million patients of Northwell Health had their protected health information compromised in the PJ&A data breach.

The lawsuit was filed on behalf of plaintiffs David Mayo and Madeleine E. Schwartz and similarly situated Northwell Health patients whose PHI was compromised in the data breach. The lawsuit alleges the defendants failed to implement reasonable and adequate security measures which left their sensitive data vulnerable to cyberattacks. The information compromised in the data breach included names, birthdates, Social Security numbers, addresses, medical record numbers, hospital account numbers, admission diagnoses, and times and dates of service. The lawsuit also takes issue with the length of time taken to issue notification letters. They were sent on November 3, 2023, more than 6 months after the data breach was detected.

The lawsuit alleges negligence, negligence per se, breach of contract, breach of third-party beneficiary contract, breach of fiduciary duty, unjust enrichment, and a violation of the New York Deceptive Trade Practices Act and seeks declaratory and other equitable relief, injunctive relief, restitution, damages, attorneys’ fees, and a jury trial.

The lawsuit – David Mayo, et al. v. Northwell Health Inc., et al. – was filed in the US District Court for the Eastern District of New York. The plaintiffs are represented by Jason P. Sultzer and Philip J. Furia of The Sultzer Law Group PC; Jeffrey K. Brown and Andrew Costello of Leeds Brown Law PC; Charles E. Schaffer and Nicholas J. Elia of Levin Sedran & Berman LLP; and Jeffrey S. Goldenberg and Todd B. Naylor of Goldenberg Schneider LPA.

Lawsuit Filed Against Salem Community Hospital and PJ&A

A lawsuit was filed on December 20, 2023, by Michael Stone and Leeanne Varner against Salem Community Hospital and PJ&A over the data breach, which exposed sensitive data such as names, Social Security numbers, birth dates, medical record numbers, hospital account numbers and date(s) of service.

The lawsuit alleges the PJ&A data breach was the result of the defendants failing to follow cybersecurity best practices and not adequately training their staff, despite an increased risk of cyberattacks in the healthcare sector. The lawsuit also claims the defendants unnecessarily delayed issuing notification letters, which were not sent until November 10, 2023, which left the plaintiffs and class members at risk of identity theft and fraud, when early notification would have allowed them to take steps to secure their accounts.

The lawsuit alleges negligence, negligence per se, breach of contract, breach of third-party beneficiary contract, breach of fiduciary duty, and unjust enrichment, and seeks a jury trial, injunctive relief, damages and restitution, and attorneys’ fees.

The lawsuit – Stone et al. v. Salem Community Hospital et al. – was filed in the U.S. District Court for the Northern District of Ohio. The plaintiffs are represented by Jeffrey S. Goldenberg and Todd B. Naylor of Goldenberg Schneider, LPA; Jason P. Sultzer and Philip J. Furia of The Sultzer Law Group P.C.; Jeffrey K. Brown and Andrew Costello of Leeds Brown Law, P.C.; and Charles E. Schaffer and Nicholas J. Elia of Levin Sedran & Berman LLP.

November 19, 2023: PJ&A Data Breach Announced: Almost 9 Million Patients Affected

Almost 9 million patients have been affected by a cyberattack on the transcription service provider, Perry Johnson & Associates. The PJ&A data breach is the second-largest healthcare data breach this year and the 6th largest healthcare data breach ever reported.

PJ&A is a Henderson, Nevada-based provider of transcription services to organizations in the medical, legal, and government sectors and the largest privately owned provider of transcription services in the United States. PJ&A detected unauthorized activity within its IT systems on May 2, 2023, and immediate action was taken to isolate its systems and prevent further unauthorized access. Third-party cybersecurity experts were engaged to investigate the incident and determine the nature and scope of the attack, and whether sensitive data was exfiltrated from its systems.

The forensic investigation confirmed that there had been unauthorized access to its network for more than a month between March 27, 2023, and May 2, 2023, and during that time, there had been unauthorized access to data provided by its clients. PJ&A notified its clients about the cyberattack on July 21, 2023, and in the following days confirmed there had been unauthorized access to data; however, the investigation was ongoing and it was not possible to confirm exactly what types of information had been exposed or the number of individuals affected.

The PJ&A data breach investigation was completed on September 28, 2023, and on September 29, 2023, PJ&A started providing the results of its investigation to the affected clients. PJ&A said the information accessed by the unauthorized party varied from individual to individual and may have included name, address, date of birth, medical record number, hospital account number, admission diagnosis, date/time of service, Social Security number, insurance information, and medical and clinical information. The medical and clinical information contained in the transcription files may have included laboratory and diagnostic testing results, medications, the name of the treatment facility, and healthcare provider name. Credit card information, bank account information, and usernames/passwords were not provided to PJ&A and so were not exposed.

On November 2, 2023, the breach was reported to the HHS’ Office for Civil Rights as affecting 8,952,212 individuals. PJ&A said that after notifying the affected clients it worked with them to notify the individuals identified during its review. When data breaches occur at business associates of HIPAA-covered entities, the business associate often reports the data breach to OCR; however, depending on the terms of the business associate agreements, individual covered entities may choose to report the breach themselves. It is currently unclear whether the 8,952,212 total includes all affected individuals or if some clients are reporting the breach themselves. The total reported to OCR only includes individuals who had their protected health information exposed and will not include clients in other sectors.

PJ&A explained in its HIPAA-required breach notice that it has not detected any attempted or actual misuse of the stolen data and has already taken steps to prevent similar breaches in the future, including updating its technical security measures. PJ&A made no mention of whether credit monitoring and identity theft protection services were being offered to the affected individuals, although some affected clients have said that those services have been made available.

Clients Affected

PJ&A has not publicly disclosed how many of its clients have been affected. At this stage, the HIPAA Journal has confirmed the names of several affected clients and will update this post when further information becomes available.

Cook County Health (IL)

Cook County Health operates John H. Stroger, Jr. Hospital of Cook County and Provident Hospital of Cook County in Chicago, four pharmacies, two health services including the Cook County Department of Public Health, and 15 community health centers in Cook County, Illinois.

Individuals affected: 1.2 million

Northwell Health (NY)

Northwell Health, formerly North Shore-Long Island Jewish Health System, is the largest healthcare provider and private employer in New York State and operates 23 hospitals including its flagship North Shore University Hospital and Long Island Jewish Medical Center, as well as 700 outpatient facilities.

Individuals affected: Northwell Health issued a draft statement saying 3,891,565 individuals had been affected, but that statement was later retracted and the final total has not yet been confirmed.

Salem Regional Medical Center (OH)

Salem Regional Medical Center in Salem, OH, has confirmed it was affected by the PJ&A data breach, which the hospital said occurred between March 2 and May 2, 2023. The breached information included names, Social Security numbers, dates of birth, addresses, phone numbers, medical records, and hospital account numbers. The hospital said PJ&A is providing free identity theft protection.

Individuals affected: Unknown

Mercy Medical Center (IA)

Mercy Medical Center has confirmed that 97,132 patients have been affected by a data breach at the medical transcription firm, Perry Johnson and Associates (PJ&A). The Cedar Rapids, IA, 450-bed hospital explained that there was no breach of its own systems; however, data provided to PJ&A to allow the firm to perform its contracted duties had been exposed and potentially stolen.

PJ&A discovered on May 2, 2023, that unauthorized individuals had gained access to its network and third-party cybersecurity experts were engaged to investigate the incident. PJ&A determined that Mercy Medical Center data was involved on October 5, 2023, and informed Mercy Medical Center on October 10, 2023, that a backup of a database had been obtained by the hackers that included the data of its patients. The review of the data confirmed that names, dates of birth, addresses, admission/discharge dates, Social Security numbers, and medical examination information had been stolen.

PJ&A issued notifications on behalf of many of its clients and reported the data breach to the HHS’ Office for Civil Rights on November 3, 2023, as affecting 8.95 million individuals; however, Mercy Medical Center chose to report the breach to the HHS directly and sent individual notifications on December 8, 2023. It took Mercy Medical Center 2 months from being notified about the breach to perform the necessary steps to allow notifications to be issued. Mercy Medical Center has arranged complimentary credit monitoring services for the affected patients and has confirmed that it is no longer using PJ&A’s medical transcription services.

Individuals Affected: 97,132

Crouse Health (NY)

Syracuse, NY-based Crouse Health has confirmed that it was affected by the PJ&A data breach and that patients had the following types of information exposed: first and last name, date of birth, address, sex, phone number, medical record number, health insurance information, dates of admission and discharge, attending physician identifiers, hospital room number, and visit type. Fewer than 10% also had a transcript of care dictated by the patient’s physician, and/or the patient’s Social Security number. PJ&A has notified the affected patients.

Individuals Affected: Undisclosed

PJ&A Data Breach Investigations and Lawsuits

All data breaches affecting 500 or more individuals are investigated by the HHS’ Office for Civil Rights to determine if there have been failures to comply with the HIPAA Rules. State Attorneys General also investigate data breaches and can impose civil monetary penalties for violations of HIPAA and state laws. PJ&A has only disclosed limited information about the nature of the breach so far and, based on the information available, there are no indications that any federal or state data security regulations have been violated.

Class action lawsuits are commonly filed after healthcare data breaches, and a breach of this magnitude is likely to see many class action lawsuits filed. As of December 20, 2023, more than two dozen lawsuits have been filed against PJ&A over the data breach, all of which make similar claims – that PJ&A was negligent for failing to implement appropriate safeguards to protect patient data. A motion has been filed to consolidate the lawsuits, which is due to be heard by the U.S. Judicial Panel on Multidistrict Litigation on January 25, 2023.

While the data breach occurred at PJ&A, several lawsuits have also been filed against the healthcare providers that used PJ&A for medical transcription, including Northwell Health.

One of Many Large Data Breaches in 2023

This year is on track to be another bad year for healthcare data breaches. As of November 15, 2023, 583 data breaches of 500 or more records have been reported to the HHS’ Office for Civil Rights, but it is the size of the data breaches that is most alarming. So far this year, the protected health information of 102,407,662 individuals has been confirmed as exposed or stolen, which is almost double the 51,903,629 records that were breached in 2023. If large data breaches continue to be reported at current rates, 2023 looks set to become the worst-ever year in terms of the number of breached records.

OCR recently confirmed that hacking incidents now account for 77% of healthcare data breaches, and there has been a 239% increase in large data breaches in the past 4 years and a 278% increase in ransomware attacks. The number of data breaches being reported indicates healthcare providers are struggling with cybersecurity in the face of increasingly sophisticated and numerous attacks.

New York recently announced that it is taking steps to address the problem by introducing stricter cybersecurity regulations for hospitals after a series of cyberattacks that affected patient care. New York Governor Kathy Hochul also confirmed that $500 million has been made available to help hospitals make the necessary improvements to cybersecurity. New York is leading the way by taking steps to improve healthcare cybersecurity but given the seriousness of the problem, this should not be a matter for individual states to try to resolve. More needs to be done by Congress to combat the problem, such as updates to HIPAA and/or financial incentives and assistance for improving cybersecurity.


Postmeds & Truepill Sued Over 2.3 Million-Record Data Breach

Postmeds, Inc., a company that does business as Truepill and fulfills mail order prescriptions for pharmacies, has recently announced that it has suffered a massive data breach that has affected 2,364,359 individuals. According to the company’s breach notice, an unauthorized third party gained access to files used for pharmacy management and fulfillment services. The forensic investigation confirmed the unauthorized access occurred between August 30, 2023, and September 1, 2023, and the exposed files were found to contain information such as names, medication types, and, for certain patients, demographic information and prescribing physician names. Highly sensitive information such as Social Security numbers was not compromised, as Postmeds does not receive that information.

Postmeds said it has enhanced its security protocols and technical safeguards in response to the incident and has provided its workforce with additional cybersecurity training to raise awareness of cybersecurity threats. Affected individuals started to be notified about the breach by mail on October 30, 2023.

A breach of this magnitude was certain to result in class action lawsuits, the first of which has already been filed in the U.S. District Court for the Northern District of California. The lawsuit, Rossi, et al. v. Postmeds Inc. d/b/a Truepill, names John Rossi, Michael Thomas, and Marissa Porter as plaintiffs, who are represented by attorneys Kyle McLean, Mason Barney, and Tyler Bean of Siri and Glimstad LLP. The lawsuit alleges Truepill failed to implement appropriate systems to prevent unauthorized access to patient data. The lawsuit claims the plaintiffs and class members have been placed at significant risk of identity theft and other forms of personal, social, and financial harm, and that the elevated risks will be present for a lifetime.

Class action lawsuits are commonly filed after healthcare data breaches and seek damages for negligence, breach of contract, and invasion of privacy. It is not sufficient to allege violations of federal or state laws; the plaintiffs must show a concrete injury caused by those violations in order to have standing to sue.

The post Postmeds & Truepill Sued Over 2.3 Million-Record Data Breach appeared first on HIPAA Journal.

Ransomware Gangs Hit Debt Collection Firm and Mental Healthcare Provider

Ransomware attacks have been announced by Financial Asset Management Systems and The Harris Center for Mental Health. Munson Healthcare is investigating a cyberattack on Munson Healthcare Otsego Hospital, and St. Bernards Healthcare has confirmed that patient information was compromised in a MOVEit Transfer hack.

The Harris Center for Mental Health Recovering from a Ransomware Attack

The Harris Center for Mental Health in Texas has recently fallen victim to a ransomware attack. The incident was detected on November 7, 2023, when staff members were prevented from accessing files. The network was immediately shut down to limit the harm caused, and cybersecurity consultants were engaged to assist with the recovery and investigation.

The Harris Center for Mental Health said it is continuing to provide care to patients; however, the lack of access to electronic systems has inevitably led to delays. At this stage of the investigation, it is unclear whether patient data has been compromised.

This is the second major incident to affect The Harris Center for Mental Health this year. In May 2023, a vulnerability in the MOVEit Transfer tool used by one of its service providers was exploited to gain unauthorized access to sensitive data. The protected health information of 599,367 individuals was stolen in that attack.

Ransomware Attack on Financial Asset Management Systems Affects 165,000 Patients

Financial Asset Management Systems (FAMS), a business management consultancy and debt collection firm, has recently reported a data breach to the HHS’ Office for Civil Rights that has affected 164,796 patients. In its substitute breach notice, FAMS said it experienced a “network disruption” incident, which prevented access to certain files on its network. The forensic investigation and review of the exposed files was completed on August 31, 2023, and confirmed that the exposed information included names, billing account numbers, costs paid, balances due, and the name of the affected FAMS client. The affected individuals started to be notified on October 20, 2023, and credit monitoring and identity theft protection services have been offered to the affected individuals.

Munson Healthcare Otsego Hospital Investigating Cyberattack

Munson Healthcare has confirmed that it is investigating a cyberattack on Munson Healthcare Otsego Hospital in Gaylord, MI. Munson Healthcare said computer systems were shut down in response to the security incident and a third-party cybersecurity company has been engaged to conduct a forensic investigation to determine the nature and scope of the attack.

Details about the nature of the attack, such as if this was a ransomware/extortion incident, have not been publicly disclosed, and it has yet to be determined if patient data has been exposed or obtained.

Business Associate Data Breach Affects 89,500 St. Bernards Healthcare Patients

Jonesboro, AR-based St. Bernards Healthcare, Inc., a health system serving northeast Arkansas and southeast Missouri, has recently announced that the protected health information of 89,556 patients has been exposed in a data breach at one of its third-party vendors.

St. Bernards Healthcare contracted with Welltok Inc. to provide an online contact management platform, which was used to send important notices and communications through Welltok’s subsidiary, Tea Leaves Health LLC. Welltok used Progress Software’s MOVEit Transfer product. Progress Software patched a zero-day vulnerability in the product on May 31, 2023; however, the vulnerability had already been exploited on May 30. Welltok discovered on July 26, 2023, that it had been affected by the mass exploitation of the vulnerability, and its investigation confirmed on August 11, 2023, that sensitive data had been exfiltrated in the attack.

St. Bernards Healthcare was notified about the breach by Welltok on September 14, 2023, and was told about the full scope of the breach on October 18, 2023. The information stolen in the attack included names, addresses, dates of birth, email addresses, phone numbers, Social Security numbers, patient identification numbers, health insurance information, providers’ names, and medical treatment/diagnosis information. Welltok started to notify the affected individuals on November 13, 2023.

The post Ransomware Gangs Hit Debt Collection Firm and Mental Healthcare Provider appeared first on HIPAA Journal.

New York’s Largest Health System Affected by PJ&A Data Breach

Another client of the medical transcription firm Perry Johnson & Associates (PJ&A) has confirmed that it was affected by the recent PJ&A data breach. New Hyde Park, NY-based Northwell Health, the largest health system in New York, has confirmed that it was notified on July 21, 2023, by PJ&A about the cyberattack that occurred between April 7 and April 19, 2023.

On September 28, 2023, PJ&A completed its initial investigation and was able to confirm the extent of the breach. According to News12 Long Island, Northwell Health initially released a draft statement indicating 3,891,565 individuals had been affected, although the statement was later recalled and Northwell Health said it was unable to confirm exactly how many individuals had been affected.

Northwell Health said the breach involved names, addresses, dates of birth, and medical information, including diagnoses, test results, and physician and healthcare provider names. Some patients also had their Social Security numbers exposed. Northwell Health said the breach occurred at PJ&A and no Northwell Health systems were affected. Affected individuals will be offered complimentary credit monitoring services, although no evidence has been uncovered to indicate any patient data has been misused.

This is the second major vendor data breach to affect Northwell Health patients this year. Northwell Health was also affected by a hacking incident at vendor Nuance Communications. The Clop ransomware group exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution in late May 2023. Nuance Communications reported the breach to the HHS as affecting 1,225,054 individuals, although it is unclear how many, if any, Northwell Health patients are included in that total.

Northwell Health is the second PJ&A client to confirm it has been affected by the cyberattack and data breach. Last week, Cook County Health in Chicago said 1.2 million patients had their PHI exposed and that it was one of several PJ&A clients to be affected. Cook County Health said it terminated its relationship with PJ&A when it was informed about the data breach and had difficulty confirming exactly how many individuals had been affected. It did not receive the final list of affected patients until October 9, 2023.

The latest confirmation suggests almost 5 million patients may have been affected by the breach and had their protected health information exposed or stolen in the attack. That number could well rise over the coming days and weeks as further clients confirm they have been affected. At present there is no breach notice on the HHS’ Office for Civil Rights website from PJ&A, although the breach is now shown on the website of the California Attorney General. Since the California Attorney General only posts breach notification letters, which do not usually state how many individuals have been affected, the scale of the breach cannot yet be determined.

The post New York’s Largest Health System Affected by PJ&A Data Breach appeared first on HIPAA Journal.

State of Maine Says 1.3 Million Individuals Affected by MOVEit Hack

The state of Maine has confirmed that it was affected by the mass hacking of a zero-day vulnerability in Progress Software’s MOVEit file transfer tool. The state learned of the vulnerability on May 31, 2023, when a patch was released by Progress Software to fix the flaw; however, the vulnerability had already been exploited by the Clop hacking group and files containing sensitive data were downloaded between May 28, 2023, and May 29, 2023.

The files contained the sensitive data of state residents, employees, and individuals who received services from state agencies. More than half of the affected individuals had data held by the state Department of Health and Human Services, and between 10% and 30% had data held by the Department of Education. The breached information included names, dates of birth, driver’s license numbers, Social Security numbers, and health and medical information.

According to the notice filed with the Maine Attorney General, the data of 1,324,118 individuals was impacted, 534,194 of whom were Maine residents. Notification letters are now being issued and complimentary credit monitoring services have been offered to individuals who had their Social Security numbers exposed or stolen.

Greater Rochester Independent Practice Association Affected by MOVEit Hacks

Greater Rochester Independent Practice Association (GRIPA) in New York was also affected by the MOVEit hacks. GRIPA said it learned of the breach on May 31, 2023, when the patch was provided by Progress Software. Its forensic investigation confirmed on June 5, 2023, that files had been removed from its MOVEit server that included patients’ protected health information. A third-party vendor was engaged to review the files and the review was completed on September 1, 2023.

GRIPA said medical records were not compromised and the impacted data was very limited in nature. Affected individuals are being told what information was affected in their individual notifications. The compromised information included information such as the name of their doctor, date of last visit, and prescription information. If Social Security numbers were compromised, affected individuals can sign up for complimentary credit monitoring services.

The breach was reported to the HHS’ Office for Civil Rights as affecting up to 279,156 individuals.

Tri-City Medical Center Diverts Ambulances Following Cyberattack

Tri-City Medical Center in Oceanside, CA, is currently dealing with a cyberattack that has forced it to take certain systems offline. On November 9, 2023, the hospital was diverting ambulances to other hospitals as a precaution, although the medical center said it is prepared to manage emergency cases that may arrive in private vehicles and that it is working with other healthcare providers in the community to ensure that healthcare services are provided.

A forensic investigation has been launched to determine the nature and scope of the incident and whether sensitive data was stolen. Further information will be released in the coming days and weeks as the investigation progresses.

Optum Medical Group’s Crystal Run Healthcare Investigating Potential Cyberattack

Crystal Run Healthcare in Middletown, NY, which has been acquired by Optum Medical Group, says it is experiencing system issues that are impacting some of its services, resulting in longer than usual wait times. The disruption started on or around November 3, 2023, and as of November 10, 2023, the healthcare provider had still not recovered. The cause of the outage was not stated in the notification, but it is fair to assume that it was a cyberattack.

Butler County Confirms October Cyberattack

Butler County in Pennsylvania has confirmed that it has experienced a data security incident. The attack was detected in early October, and by the end of the month, it had been confirmed that the individual responsible had gained access to personally identifiable information, mostly relating to criminal court proceedings. The review of the affected data is ongoing and, at this stage of the investigation, the county has not yet confirmed exactly what data was stolen and how many individuals were affected.

Notification letters will be mailed to the affected individuals when the review has been completed and county officials said credit monitoring services will be offered. This is the second security breach to affect the county in as many months. In September, a jail employee’s account was accessed and personally identifiable information was compromised.

The post State of Maine Says 1.3 Million Individuals Affected by MOVEit Hack appeared first on HIPAA Journal.

November 8, 2023, Healthcare Data Breach Round-Up

Mulkay Cardiology Consultants at Holy Name Medical Center has recently confirmed that it fell victim to a ransomware attack. The attack was detected on September 5, 2023, when files on its network were encrypted. According to the breach notice, Mulkay was able to rebuild its systems and recover the encrypted files from backups.

Third-party forensics experts were engaged to investigate the breach and determined that its systems were compromised between September 1, 2023, and September 5, 2023, and during that time, files were exfiltrated that contained personal and protected health information. The compromised information included names, addresses, dates of birth, Social Security numbers, driver’s license numbers or state IDs, medical treatment information, and health insurance information. Mulkay said it has enhanced its technical safeguards to prevent similar incidents in the future. Affected individuals have been notified and offered complimentary credit monitoring services.

The breach was reported to the Maine Attorney General as affecting 79,582 individuals, although since the breach is not yet showing on the HHS’ Office for Civil Rights breach portal, it is unclear how many patients were affected. While Mulkay has indicated this was a ransomware attack, the group responsible was not mentioned; however, this appears to have been an attack by the NoEscape group, which was the subject of a recent analyst note from the Health Sector Cybersecurity Coordination Center (HC3). NoEscape claimed on its data leak site to have stolen around 60GB of data, including the personal information of 30,000 patients, but the listing has since been removed. Removal of a listing is often taken to mean that a ransom has been paid or that negotiations are in progress, although HIPAA Journal has not confirmed this.

BHS Physicians Network Reports Email Account Breach

BHS Physicians Network has recently confirmed a breach of a Microsoft Office 365-hosted business email account that was used by a medical assistant. The email account breach was detected on August 11, 2023, and the investigation confirmed that the account was accessible to the unauthorized party between July 28, 2023, and August 15, 2023. The email account contained files that included the protected health information of patients of First California Physician Partners, Georgia Northside Ear, Nose, and Throat, and Greater Dallas Healthcare Enterprises.

BHS Physicians Network has confirmed that the email account was separate from its internal network and systems, which were not affected. On August 30, 2023, it was determined that the account contained demographic information such as full name, date of birth, and address, medical and/or treatment information such as dates of service, provider and facility names, procedure codes, and billing and claims information, such as account and/or claim status, transaction and charge identification numbers, patient account identifiers, and payor information.

BHS Physicians Network said security and monitoring capabilities have been enhanced and systems are being hardened to prevent similar breaches in the future. The breach was reported to the HHS’ Office for Civil Rights as affecting 1,857 individuals.

Life Generations Healthcare Email Accounts Compromised

Life Generations Healthcare (LGH), a Santa Ana, CA-based medical group, has recently announced that an unauthorized third party gained access to multiple employee email accounts between May 24 and June 13, 2023. While the breach notice does not state when the breach was detected, LGH has confirmed that the breach investigation revealed on October 4, 2023, that some of the accounts contained the protected health information of patients. The information exposed in the breach varied from patient to patient and may have included names, addresses, dates of birth, medical information, health insurance information, Social Security numbers, driver’s license numbers/state IDs, and financial account information.

Notification letters have been sent to the affected individuals and patients who had their Social Security numbers and/or driver’s license numbers exposed have been offered complimentary credit monitoring and identity theft protection services. The incident is not yet showing on the HHS’ Office for Civil Rights breach portal so it is unclear how many individuals have been affected.

MOVEit Transfer Hacking Victims

Cadence Bank

Cadence Bank has confirmed that it was affected by the recent mass hacking of the zero-day vulnerability in Progress Software’s MOVEit Transfer solution. The bank said the vulnerability was patched immediately when Progress Software released the patch; however, the vulnerability had already been exploited and data was stolen. Cadence Bank provides lockbox services to North Mississippi Health Services and its affiliates, and on June 18, 2023, the bank confirmed that the data of patients was involved. The compromised data included names, addresses, dates of birth, Social Security numbers, driver’s license numbers, health insurance information, medical and/or treatment information, and billing and claims information.

Cadence Bank said it has enhanced security and monitoring practices and strengthened system security. Complimentary credit monitoring services have been offered to individuals whose Social Security numbers, driver’s license numbers, and/or financial account information were involved. The breach was reported to the HHS’ Office for Civil Rights as affecting 13,862 individuals.

AlohaCare

AlohaCare, a Honolulu, HI-based community-led, non-profit health plan, has confirmed that the data of 12,982 members was compromised in the recent mass exploitation of a zero-day vulnerability in the MOVEit Transfer solution. The vulnerability was patched as soon as the patch was released by Progress Software, however, the vulnerability had already been exploited. The data stolen included names, addresses, dates of birth, and Social Security numbers. Affected individuals have been offered complimentary credit monitoring services.

Ransomware Gangs Claim Responsibility for Attacks on Healthcare Providers

The following healthcare providers have recently been added to the data leak sites of ransomware groups. On the date of this post, ransomware attacks have not been confirmed by the victims and no data has actually been leaked.

Summit Health (LockBit 3.0)

Summit Health, a Berkeley Heights, NJ-based multi-specialty medical practice with more than 340 locations, has recently been added to the LockBit 3.0 data leak site. The ransomware group gave Summit Health a deadline of November 8, 2023, to pay the ransom or the stolen data would be published. Summit Health has not confirmed the attack and has yet to report a data breach. The LockBit 3.0 data leak site does not state what data was obtained in the attack.

Cardiovascular Consultants (Qilin)

Cardiovascular Consultants in Arizona appears to have fallen victim to a ransomware attack by the Qilin group, which has recently uploaded a 205.93 GB compressed file to its data leak site that the group claims contains all of the data stolen in the attack; however, as of November 8, 2023, the link is not working and the data cannot be downloaded. Cardiovascular Consultants has yet to confirm the validity of the group’s claim.

The post November 8, 2023, Healthcare Data Breach Round-Up appeared first on HIPAA Journal.

BlackCat Ransomware Group Claims Responsibility for Attack on Henry Schein

The BlackCat (ALPHV) ransomware group has claimed responsibility for an attack on Henry Schein, a Fortune 500 distributor of dental and medical supplies and provider of practice management software and solutions for healthcare providers.

Henry Schein confirmed on October 15, 2023, that it had experienced a cybersecurity incident, which was detected on October 14, 2023. The incident affected a portion of its manufacturing and distribution business, which caused temporary disruption to its business operations. More than three weeks on, the company is still experiencing technical difficulties with its website and webshop. Third-party cybersecurity consultants have been engaged to investigate the breach and the data impact, and law enforcement has been notified. The incident is still being investigated; however, it has been determined that users of its client management software were unaffected.

According to the BlackCat group’s dark web data leak site, 35 terabytes of data were stolen in the attack, including payroll and shareholder data. The group claimed to have encrypted files and was negotiating with the company, and just when the company had almost completed restoring its systems, they were encrypted again as negotiations failed. BlackCat also threatened to publish some of the company’s payroll and shareholder data. The listing has since been removed, indicating negotiations have resumed.

Ventura Orthopedics Notifies Patients About 2020 Ransomware Attack

Ventura Orthopedics in California has recently started notifying patients that some of their protected health information was compromised in a July 20, 2020, ransomware attack. According to the company’s substitute breach notice, the security breach was discovered in September 2020 when files on its network were encrypted. A ransom demand was received, but Ventura Orthopedics was able to recover the encrypted files from data backups so the ransom was not paid. At the time, the investigation indicated the attackers gained access to the information of a single patient, who was notified at the time.

Further investigation into the incident has revealed additional patients were also affected. The hackers gained access to the files of a single physician and his physician assistant. Those files included names, dates of birth, and drug and laboratory testing results from 2016, 2017, and 2018. Notification letters are now being sent to those individuals.

According to DataBreaches, the Maze ransomware group added the company to its leak site and the Conti group later leaked the data of 1,850 individuals on its data leak site. The site tried to make contact with Ventura on several occasions and also filed a complaint with OCR about the incident, which OCR investigated. On September 13, 2023, the company said it had discovered additional data was involved, following a conference call with the site’s operator.

At present, the incident is not yet showing on the HHS’ Office for Civil Rights breach portal, and Ventura Orthopedics has not yet publicly disclosed how many individuals were affected.

PHI Exposed in Cyberattack on Edward C. Taylor, PhD

Edward C. Taylor, Ph.D., a provider of counseling and psychoeducational assessment services in Jacksonville, FL, has recently completed an investigation of a cyberattack. A security breach was detected on August 19, 2023, and third-party digital forensics specialists were engaged to investigate and determine the nature and scope of the incident. On or around October 5, 2023, it was confirmed that an unauthorized individual had gained access to its network for one day and exfiltrated files containing company information.

It was not possible to determine whether the stolen files contained any patient information; however, files were present on the compromised part of the network that included the protected health information of 6,684 patients. The exposed information included names, contact information, dates of birth, insurance information, information relating to mental health including clinical information, and diagnoses. Internal settings and controls have been updated and passwords changed to prevent similar breaches in the future.

The post BlackCat Ransomware Group Claims Responsibility for Attack on Henry Schein appeared first on HIPAA Journal.