HIPAA Breach News

Ransomware Attack on Texas Mental Health Service Provider Impacts 172K Patients

Deer Oaks Behavioral Health, a mental health service in San Antonio, TX, fell victim to a ransomware attack on September 1, 2023. According to its breach notice, its antivirus software immediately detected and contained the threat, and encryption was limited to a single segment of its network.

A third-party cybersecurity firm was engaged to investigate the security breach, determine the root cause of the attack, and identify the extent to which its network had been breached. The forensic investigation confirmed that files stored on the compromised network server included patients’ protected health information. The review of the files was completed on September 29, 2023, and confirmed they contained information such as names, addresses, dates of birth, Social Security numbers, diagnosis codes, insurance information, and treatment service types. Deer Oaks then verified contact information, and notification letters started to be mailed to the affected individuals on October 31, 2023.

The breach has been reported to the Maine Attorney General as affecting up to 171,871 individuals, including 460 Maine residents. The affected individuals have been offered identity theft protection and credit monitoring services through IDX. Deer Oaks said data privacy and security are among its highest priorities, and it moved quickly to secure its systems, investigate the breach, notify the affected individuals, and implement additional measures to further improve security. The investigation into the attack is ongoing, but notifying the affected individuals was a priority.

Healthcare organizations continue to be targeted by ransomware groups. While there are growing numbers of attacks involving data theft and extortion without file encryption, around three-quarters of attacks on healthcare organizations see data encrypted, according to Sophos. NCC Group recently reported an 86% month-over-month increase in healthcare ransomware attacks in September. While some of the large ransomware groups have a policy of not attacking healthcare providers, there has been an alarming increase in active ransomware groups. NCC Group tracked 86% more active ransomware groups in September 2023 than the same time last year, and several of these groups have conducted large numbers of attacks and have no issue with attacking healthcare organizations.

The post Ransomware Attack on Texas Mental Health Service Provider Impacts 172K Patients appeared first on HIPAA Journal.

Western Washington Medical Group Reports 350,000-Record Data Breach

Western Washington Medical Group, a team of more than 100 providers serving patients in Snohomish, Skagit, Island, and Whatcom counties in Washington state, has recently reported a data breach to the HHS’ Office for Civil Rights (OCR) that has affected up to 350,863 patients.

At this stage, little is known about the Western Washington Medical Group data breach. The breach was reported to OCR on October 26, 2023, but there is no notice on the medical group’s website or the Washington Attorney General’s website at this stage. All that is currently known is this was a hacking/IT incident involving one or more network servers. Based on the HHS breach summary, the breach occurred at Western Washington Medical Group and did not involve any business associates.

This post will be updated when further information becomes available.

Dakota Eye Institute Reports Hacking/IT Incident Impacting 107,143 Patients

Bismarck, ND-based Dakota Eye Institute (DEI) has recently reported a data breach to OCR that involved the protected health information of up to 107,143 patients. DEI explained in its website substitute data breach notification that it experienced a cybersecurity incident and engaged third-party cybersecurity experts to assess, contain, and remediate the incident.

No information was provided about the nature of the breach, when it was detected, how long its systems were accessed or data was exposed, or the types of information involved. The OCR breach report indicates no business associate involvement. Affected individuals are being notified by mail and have been offered complimentary credit monitoring services. DEI said it has reviewed and enhanced its data security policies and procedures to help reduce the likelihood of a similar event in the future.

Dallas County Investigating Attempted Ransomware Attack

Dallas County officials have confirmed that they detected a cybersecurity incident on October 19, 2023, which appears to have been an attempted ransomware attack. The cybersecurity experts engaged to assist with containing the incident were able to prevent any files from being encrypted. Access is thought to have been gained via a phishing email. The investigation into the breach is ongoing and little information has been released at this stage, such as whether sensitive data was exfiltrated in the attack. Further information will be released as the forensic investigation advances.

On October 28, 2023, the Play hacking group claimed responsibility for the attack and added Dallas County to its data leak site. Currently, no stolen data has been leaked on the dark web site; however, the threat group has given county officials until Friday, November 3, 2023, to make contact and pay the ransom, otherwise the stolen data will be published. The group does not state how much data was stolen, only that the data obtained includes private documents of Dallas County departments.

The Play hacking group is known to target government entities and was behind an earlier attack on the City of Oakland in California. The group published stolen data when the ransom was not paid. In that attack, they stole the personal data of city employees, including financial information, IDs, passports, and human rights violation information.


Doctors’ Management Services Settles OCR HIPAA Probe for $100,000

The HHS’ Office for Civil Rights (OCR) has agreed to a $100,000 settlement with Doctors’ Management Services to resolve an investigation of a ransomware attack and data breach that uncovered multiple potential violations of the HIPAA Security Rule.

Doctors’ Management Services (DMS) is a Massachusetts-based medical management company whose services include medical billing and payor credentialing. DMS identified an intrusion on December 24, 2018, when GandCrab ransomware was used to encrypt files on its network. The forensic investigation confirmed the attackers first gained access to its network on April 1, 2017.

According to DMS, the threat actor gained access to its network via Remote Desktop Protocol (RDP) on one of its workstations and potentially obtained names, addresses, dates of birth, Social Security numbers, insurance information, Medicare/Medicaid ID numbers, driver’s license numbers, and diagnostic information. The breach was reported to OCR on April 22, 2019, as affecting up to 206,695 individuals.

OCR opened an investigation of the breach to determine whether DMS had complied with the HIPAA Rules and uncovered multiple potential violations of the HIPAA Rules. In addition to the impermissible disclosure of the protected health information of 206,695 individuals, OCR determined that DMS had failed to conduct an accurate and thorough risk analysis to assess technical, physical, and environmental risks and vulnerabilities associated with the handling of ePHI.

DMS was also found to have failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. OCR also determined that DMS had not implemented reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of the Security Rule.

DMS agreed to settle the investigation with no admission of liability. Under the terms of the settlement, DMS has agreed to pay a $100,000 financial penalty and implement a corrective action plan (CAP) to resolve the potential HIPAA violations identified by OCR. The CAP includes requirements to update its risk analysis, risk management program, HIPAA Privacy and Security Rule policies and procedures, and workforce HIPAA training. In its settlement announcement, OCR also recommended several cybersecurity best practices that all HIPAA-regulated entities should implement to prevent and mitigate cyber threats.

OCR said this is the first HIPAA settlement agreement it has reached in response to a ransomware attack. Given the number of ransomware attacks in the past five years, which have increased by 278% since 2018, it is likely to be the first of many. “Our settlement highlights how ransomware attacks are increasingly common and targeting the health care system. This leaves hospitals and their patients vulnerable to data and security breaches,” said OCR Director, Melanie Fontes Rainer. “In this ever-evolving space, it is critical that our health care system take steps to identify and address cybersecurity vulnerabilities along with proactively and regularly review risks, records, and update policies. These practices should happen regularly across an enterprise to prevent future attacks.”

October is Cybersecurity Awareness Month, and in recognition, OCR released a cybersecurity video that explains how HIPAA Security Rule compliance can help healthcare organizations improve their defenses against cyberattacks and block the most common attack vectors. CISA and the HHS have also recently released a cybersecurity toolkit, which includes key cybersecurity tools, training material, and other resources for strengthening security posture and keeping up to date on the latest threats. This month, CISA released a log management tool to help under-resourced organizations reduce their log management burden and search for signs of compromise, and CISA, the NSA, FBI, and MS-ISAC have issued joint guidance on blocking phishing.

It has never been more important to ensure appropriate cybersecurity measures are in place, given the 239% increase in data breaches due to hacking in the past 4 years and the extent to which healthcare records are now being breached. Breached records are up 60% on last year and, at the time of writing, 88 million healthcare records are known to have been breached so far in 2023.


Hospital Sisters Health System Starts Notifying Individuals About August Cyberattack

Hospital Sisters Health System (HSHS) in Springfield, IL, and Prevea Health in Green Bay, WI, were affected by a cyberattack in late August which caused an outage on August 27, 2023, that affected its computer systems, phone lines, and websites. The outage lasted for several days, during which time HSHS and Prevea operated under downtime procedures. The attack took its websites and certain applications offline, including the MyChart and MyPrevea applications. HSHS was also unable to process online payments as its computer system was offline, but care continued to be provided to patients.

HSHS decided to suspend collecting payments for outstanding bills while it was recovering from the attack, although some of its partners in Illinois and Wisconsin continued to send bills to patients. In early September, HSHS published an open letter to patients warning them about the potential misuse of their information, as reports had been received from some patients who had been contacted by email, SMS, and phone by an unidentified third party that claimed to be an HSHS representative and was attempting to obtain payment for services. In the letter, HSHS advised patients not to respond to suspicious requests for payment received via email, SMS, or phone, and to carefully check bills before making any payment. HSHS asked patients who receive such a message or SMS to save it and email it to questions@hshs.org so that HSHS and Prevea Health could investigate and determine whether the request was legitimate or fraudulent.

HSHS has now confirmed that an unauthorized third party had accessed its systems that contained the personal and protected health information of patients and HSHS employees and said it has been investigating the breach and reviewing the data potentially compromised in the incident. While the open letter suggests that there was attempted misuse of stolen data, HSHS said it is unaware of any cases of fraud or identity theft. On October 26, 2023, notification letters started to be sent to the affected individuals, who have been offered complimentary credit monitoring and identity theft protection services. HSHS said it takes time to fully investigate incidents and notify the affected individuals, and more time is required for the data review process; however, notifications are being issued on a rolling basis.

HSHS said the appropriate authorities have been informed about the breach; however, the incident has yet to appear on the HHS’ Office for Civil Rights breach portal, and neither HSHS nor Prevea has publicly confirmed how many individuals have potentially been affected.


Data Breaches Reported by Peerstar, La Red Health Center, Fredericksburg Foot & Ankle Center

Peerstar LLC, a Pennsylvania-based provider of mental health support services, said 11,438 patients have been notified about the exposure and potential theft of their protected health information. Suspicious activity was detected on its network on March 7, 2023, and third-party security experts were engaged to investigate the incident and assess the security of its systems. On May 17, 2023, it was confirmed that an unauthorized third party had access to its systems between February 22, 2023, and March 3, 2023, and protected health information had been exposed. Peerstar said it is unaware of any actual or attempted misuse of patient data.

The types of information exposed varied from individual to individual and may have included the following: first and last name, address, phone number, email address, Social Security number, date of birth, admission date, discharge date, physical or mental health condition, treatment and diagnosis information, driver’s license number or government-issued identification number, financial account number, credit or debit card number, digital signature, birth or marriage certificate, healthcare payment information, and/or health insurance information, including application and claims history, and policy number or subscriber identification number.

Peerstar has confirmed that additional cybersecurity safeguards are being implemented, employee cybersecurity training has been enhanced, and cybersecurity policies, procedures, and protocols are being improved.

Fredericksburg Foot & Ankle Center Reports April 2023 Data Breach

Fredericksburg Foot & Ankle Center in Fredericksburg, VA, has reported a data breach to the Maine Attorney General that has affected up to 14,912 individuals. In the October 25, 2023, breach notice, the healthcare provider did not disclose when it was first alerted to a potential breach, but said it learned on September 5, 2023, that files were accessed by an unauthorized third party on or around April 21, 2023.

The files included patients’ protected health information, including names, other personal identifiers, and Social Security numbers. The healthcare provider has provided affected individuals with complimentary single-bureau credit monitoring services and said it will continue to evaluate and modify its practices and internal controls to enhance the security and privacy of personal information.

La Red Health Center Investigating Cyberattack

La Red Health Center in Georgetown, DE, has recently reported a data breach to the HHS’ Office for Civil Rights that has affected at least 501 individuals. 501 is frequently used as a placeholder to meet breach reporting requirements when the total number of affected individuals has yet to be determined.

La Red Health Center said suspicious activity was detected within its network on April 11, 2023. Assisted by third-party security experts, the healthcare provider determined that there had been unauthorized access to its network between March 27, 2023, and April 6, 2023. On August 21, 2023, the affected files were confirmed, and a review was initiated to determine the individuals affected and to obtain up-to-date contact information. The website breach notice does not state what information was compromised in the attack.


PHI of University of Michigan Health Service and School of Dentistry Patients Exposed

The University of Michigan (UM) has recently announced it fell victim to a cyberattack in the summer that resulted in unauthorized access to the sensitive data of students, applicants, alumni, donors, employees, contractors, University Health Service and School of Dentistry patients, and research study participants.

UM detected suspicious activity within its computer network on August 23, 2023, and took immediate action to contain the incident and prevent further unauthorized access. Third-party cybersecurity experts were engaged to assist with the investigation and confirmed that an unauthorized third party had access to its network between August 23, 2023, and August 27, 2023.

A review was conducted to identify files that may have been accessed and the types of data involved. The exposed data varied from individual to individual and may have included the following:

  • Students, applicants, alumni, donors, employees, and contractors: Name, Social Security number, driver’s license or other government-issued ID number, financial account or payment card number, and/or health information.
  • Research study participants and University Health Service and School of Dentistry patients: Name, Social Security number, driver’s license or government-issued ID number, financial account/payment card number, or health insurance information, University Health Service and School of Dentistry clinical information such as medical record number or diagnosis or treatment or medication history, and/or information related to participation in certain research studies.

UM said it is working with third-party cybersecurity experts to harden its systems and better protect sensitive data. Notification letters were mailed to the affected individuals on October 23, 2023, who have been offered complimentary credit monitoring services. The incident has yet to appear on the HHS’ Office for Civil Rights website so it is currently unclear how many individuals have been affected.

Westat & Radius Global Solutions Confirm Scale of MOVEit Hacks

The Rockville, MD-based professional services provider, Westat, Inc., has recently reported a MOVEit Transfer data breach to the HHS’ Office for Civil Rights. The notification covers 50,065 individuals who had their PHI exposed, such as names, dates of birth, and Social Security numbers. The Clop hacking group exploited a zero-day vulnerability between May 28 and May 29, 2023, and exfiltrated human resources files. Westat mailed notification letters to affected individuals on July 21, 2023. Credit monitoring services have been offered to the affected individuals. Meadville Medical Center in Pennsylvania and Cape Fear Valley Health in Fayetteville, NC, were among the affected clients.

The Edina, MN-based accounts receivable, customer relations, and revenue cycle management solution provider, Radius Global Solutions, has notified the HHS that the PHI of 135,742 individuals was compromised when the Clop hackers exploited the MOVEit Transfer zero-day flaw. Radius learned that it was affected on June 1, 2023, and said the hackers stole files that contained names, dates of birth, Social Security numbers, treatment codes, treatment locations, and treatment payment histories. Complimentary identity monitoring and protection services have been offered to the affected individuals.

Radius filed two notices with the Maine Attorney General about the breach: the first, filed on September 1, 2023, stated that 632,204 individuals had been affected; a second, filed on September 15, 2023, stated that 9,979 individuals had been affected.


Cyberattacks Reported by Brooklyn Premier Orthopedics & Atlas Healthcare

Brooklyn Premier Orthopedics (BPO) in New York has confirmed the protected health information of 48,459 patients may have been viewed or obtained in a recent cyberattack. According to BPO’s October 5, 2023, breach notice, unauthorized individuals gained access to parts of its network where patient data was stored, including names, addresses, dates of birth, Social Security numbers, and medical treatment information.

The investigation did not uncover any evidence to indicate any of that information has been misused; however, the affected patients have been advised to be vigilant and monitor their accounts carefully. Complimentary credit monitoring and identity theft protection services have been offered. BPO has reviewed and enhanced its security policies and practices to reduce the likelihood of similar incidents occurring in the future.

Almost 11,000 Atlas Healthcare Residents and Patients Affected by Cyberattack

The Connecticut senior living and care provider, Atlas Healthcare, has warned 10,831 of its assisted living residents and rehabilitation patients that some of their protected health information was exposed in a January 2023 cyberattack. The exposed information includes names, addresses, dates of birth, Social Security numbers, medical and health insurance information, driver’s license numbers, and financial information. The affected individuals had received care at Arbors of Hop Brook or Manchester Rehabilitation and Healthcare Center in Manchester, CT, or Vernon Rehabilitation and Healthcare Center in Vernon, CT.

Atlas Healthcare did not disclose details of the nature of the attack, such as if this was a data theft and extortion incident. As a precaution against identity theft and fraud, affected individuals have been offered complimentary memberships to a credit monitoring service.

Humana Members Affected by Breach at Subcontractor of Business Associate

Humana Inc. has recently confirmed there has been a data breach at a subcontractor of a business associate. Humana was notified about the incident on October 3, 2023, by its business associate PNC Bank. PNC handles funding for payments to its participating providers.

On August 9, 2023, PNC was informed by its payment processing subcontractor, Echo Health, about suspicious activity that was detected on its website. The investigation confirmed that an unauthorized individual accessed its website using valid payment information that had been obtained from a third-party billing company. That individual was able to access Explanation of Provider Payment documents, which included the PHI of 2,844 Humana members. The documents contained first and last names, Humana ID numbers, provider names, and dates of service.

Humana says Echo Health has implemented additional technical safeguards and controls on its applications to prevent similar incidents and has put additional alerts and fraud monitoring in place.


Wright & Filippis Proposes $2.9 Million Class Action Data Breach Settlement

Wright & Filippis, a Michigan-based provider of prosthetics, orthopedics, and accessibility solutions, has proposed a $2.9 million settlement to resolve claims it failed to protect the personal information of 877,584 individuals.

In January 2022, Wright & Filippis fell victim to a ransomware attack. Its security software detected the attack but was unable to prevent file encryption. The forensic investigation confirmed the attackers had access to parts of its network containing the protected health information of more than 877,500 individuals, including names, dates of birth, Social Security numbers, financial account numbers, and health insurance information.

Wright & Filippis discovered on or around May 2, 2023, that protected health information had been exposed, and issued notifications to the affected individuals. In the days and weeks following notification, 8 putative class action lawsuits were filed, which were later consolidated into a single lawsuit – In Re Wright & Filippis, LLC Data Security Breach Litigation – that was heard in the U.S. District Court for the Eastern District of Michigan, Southern Division.

The plaintiffs alleged that Wright & Filippis was negligent due to the failure to implement reasonable and appropriate security measures to protect patients’ sensitive data, and then unnecessarily delayed issuing breach notifications. Wright & Filippis denied the allegations. The plaintiffs alleged they had suffered an injury as a result of Wright & Filippis’s negligent acts, including theft of their information, identity theft, imminent injury from fraud, damages from delayed notifications, out-of-pocket expenses, lost time mitigating the effects of the data breach, and increased costs related to reductions in their credit scores, including higher costs for borrowing and insurance.

Legal counsel for the defendant sought to have the case dismissed, and following the response of the plaintiffs, all parties agreed to mediate the case to see if an early resolution could be reached. A $2.9 million settlement was negotiated to cover administrative expenses, notice, costs, and fee and service awards. Under the terms of the settlement, class members can submit a claim for up to $5,000 to cover documented losses and a claim for credit monitoring services. Alternatively, class members can choose to receive a cash payment. The cash payment will come from whatever is left of the settlement fund after class benefits, settlement administration fees, attorneys’ fees and costs, and service awards have been paid. Lead plaintiffs will receive a service award of $1,500.

The settlement is awaiting preliminary approval from the court and a date for a final fairness hearing has been requested. The plaintiffs were represented by attorneys from the Miller Law Firm, Migliaccio & Rathod LLP, Shub & Johns LLC, Milberg Coleman Bryson Phillips Grossman PLLC, Sommers Schwartz, PC, Lynch Carpenter LLP, Adam Taub Assoc. Consumer Law Group, Mason LLP, Aronowitz Law Firm PLLC, Wilshire Law Firm PLC, Zimmerman Reed LLP, and The Johnson Firm.


City of Philadelphia Says PHI Potentially Compromised in May 2023 Email Breach

The City of Philadelphia is investigating a breach of its email environment. Suspicious activity was detected in its email environment on May 24, 2023; however, according to a recent announcement, unauthorized activity continued for a further two months after the breach was first identified. The forensic investigation confirmed there was continued unauthorized access to email accounts until July 28, 2023.

Almost a month after the breach was contained, city officials confirmed that some of the compromised email accounts contained personal and protected health information. While the investigation is ongoing and a manual and programmatic review of the email accounts has not yet concluded, affected individuals are known to have had a combination of the following information exposed: names, addresses, dates of birth, other demographic and contact information, Social Security numbers, medical information such as diagnoses and treatment information, and limited financial information, such as claims information.

City officials said they will issue notifications to the affected individuals when the email account reviews have been completed. At this stage, it is unclear how many individuals have been affected and no explanation has been given as to why it took two months to contain the incident and almost 5 months from initial discovery to disclose the breach.

ALPHV Ransomware Group Claims Responsibility for Morrison Community Hospital Cyberattack

Morrison Community Hospital (MCH) in Illinois has announced it experienced a network security incident on September 24, 2023, and confirmed there has been unauthorized access to its network. A third-party cybersecurity firm has been engaged to assist with securing its network and help with the investigation to determine the extent of the unauthorized activity. The breach appears to involve only Explanation of Benefits statements.

According to an October 19, 2023, notice on its website, “MCH has no reason to believe that any individual’s information has been misused as a result of this event,” and it is providing written notice to the affected individuals. The incident has not yet appeared on the HHS’ Office for Civil Rights breach portal, so it is unclear how many people have been affected. MCH said it has reviewed and enhanced its technical safeguards to prevent similar incidents in the future.

MCH did not disclose details about the nature of the attack; however, the ALPHV ransomware group has claimed responsibility and has added MCH to its data leak site. Samples of the stolen data were uploaded to the group’s data leak site on October 19, 2023, and the group has threatened to leak 5 terabytes of stolen data if the hospital does not comply with its demands.

Data Extortion Group Steals Data from Beverly Hills Plastic Surgery Practice

The Beverly Hills, CA-based plastic surgeon, Jaime S. Schwartz, M.D., appears to have fallen victim to a cyberattack. The Hunters International ransomware and data extortion group has added the plastic surgeon to its data leak site along with samples of photographs of four named patients.

The threat group claims to have exfiltrated 1.1 terabytes of data – 248,245 files – and said it is preparing to bulk email patients. There is currently no mention of a cyberattack or data breach on the plastic surgeon’s website and a breach has yet to appear on the websites of the California Attorney General and the HHS’ Office for Civil Rights.

The Federal Bureau of Investigation (FBI) recently issued a security alert warning that plastic surgery offices were being targeted by ransomware and data extortion groups. In the first phase of these attacks, data is stolen; in the second, the stolen data is enhanced using open source information; and in the final phase, the group threatens to leak the data and attempts to extort the plastic surgeons and their patients.
