HIPAA Breach News

Okta: Third-Party Vendor Incident and Breach of Customer Support System

Okta, a San Francisco-based provider of cloud identity and access management solutions, has confirmed that the personal information of 4,961 current and former employees has been exposed in a third-party data breach at its vendor, Rightway Healthcare.

Rightway Healthcare supports Okta employees and their dependents in finding healthcare providers and comparing rates. According to the breach notice filed with the Maine Attorney General, Rightway notified Okta on October 12, 2023, that there had been unauthorized access to an eligibility census file used in connection with the services it provided to Okta. The file contained employee names, Social Security numbers, and health or medical insurance plan numbers. Rightway’s investigation determined that the unauthorized activity occurred on September 23, 2023, and that the file covered the period from April 2019 through 2020. Okta said complimentary credit monitoring, identity restoration, and fraud detection services have been offered to the affected individuals.

Customer Support System Breached

Okta has also been investigating a breach of its own customer support system, which it announced a few days after confirming the breach at Rightway Healthcare. In that incident, an unauthorized party gained access to files belonging to 134 of its customers.

Okta’s investigation concluded that the most likely cause was an employee signing into their personal Google profile in the Chrome browser on their Okta-managed laptop. The employee had saved the username and password of an Okta service account in that personal Google account.

The service account’s credentials were then used to access the customer support system, including files that contained customer session tokens. With a valid session token an attacker can replay an already-authenticated session and so bypass login screens and multi-factor authentication. Files of 134 Okta customers were accessed, but only five customer Okta sessions were hijacked. Three of the affected customers have publicly disclosed the breach: 1Password, BeyondTrust, and Cloudflare. Okta said its investigation showed the unauthorized activity occurred between September 28 and October 17, 2023.

The investigation was complicated by a logging gap: the attacker’s file downloads did not appear in the customer support system log events Okta initially queried. When a user opens a support case and views its attached files, the system generates a specific log event with a record ID tied to the file; if the user instead navigates directly to the Files tab, different log events and record IDs are generated.

The threat actor navigated directly to the Files tab, while Okta’s initial investigation looked only at access to support cases, using the case-view log event and its record ID. Only when BeyondTrust provided a suspicious IP address on October 13 did Okta pivot on that indicator, identify the additional file access events, and link them to the compromised service account.
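The logging gap above is worth seeing in code. The following is an added example, not Okta’s tooling or log schema: it runs two queries over a constructed sample of support-system audit events. The event names (`support.case.view`, `support.file.download`), the `case-`/`file-` record-ID prefixes, the field names, the service account name and the IP addresses are all assumptions made for illustration. The narrow query, keyed on the case-view event only, misses the downloads; pivoting on an externally supplied IP finds the account, and a query on the file record-ID family finds every download whatever event type produced it.

```python
import json
from datetime import datetime

# Constructed sample log (one JSON object per line), written for this example.
# Event names, record-id prefixes, field names, actor and IPs are assumptions.
SAMPLE_LOG = """\
{"ts":"2023-09-28T14:02:11Z","actor":"svc-support-tooling","ip":"203.0.113.10","event":"support.case.view","record_id":"case-10421"}
{"ts":"2023-09-28T14:03:40Z","actor":"svc-support-tooling","ip":"203.0.113.10","event":"support.file.download","record_id":"file-88fa1"}
{"ts":"2023-09-29T09:15:02Z","actor":"alice@example.com","ip":"198.51.100.7","event":"support.case.view","record_id":"case-10422"}
{"ts":"2023-09-29T09:16:30Z","actor":"alice@example.com","ip":"198.51.100.7","event":"support.file.download","record_id":"file-3c9d0"}
{"ts":"2023-10-13T17:44:09Z","actor":"svc-support-tooling","ip":"203.0.113.10","event":"support.file.download","record_id":"file-77b20"}
"""


def parse_events(text):
    """Parse one JSON object per line into dicts with a timezone-aware timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def case_views_by_actor(events, actor):
    """The narrow query: case-view events only. Going straight to the Files tab
    never emits this event, so downloads made that way are invisible here."""
    return [e for e in events
            if e["actor"] == actor and e["event"] == "support.case.view"]


def events_from_ip(events, ip):
    """Pivot on an externally supplied indicator (an IP address): every event
    from that address, regardless of event type or record-id family."""
    return [e for e in events if e["ip"] == ip]


def actors_from_ip(events, ip):
    """Which accounts acted from the indicator IP."""
    return sorted({e["actor"] for e in events_from_ip(events, ip)})


def file_access_by_actor(events, actor):
    """The widened query: anything this actor did against a file record,
    whichever event type recorded it."""
    return [e for e in events
            if e["actor"] == actor and e["record_id"].startswith("file-")]


def files_touched(events):
    """Distinct file record IDs in a set of events."""
    return sorted({e["record_id"] for e in events
                   if e["record_id"].startswith("file-")})


def activity_window(events):
    """(earliest, latest) ISO 8601 timestamps across a set of events, or None."""
    if not events:
        return None
    stamps = sorted(e["ts"] for e in events)
    return stamps[0].isoformat(), stamps[-1].isoformat()


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    acct = "svc-support-tooling"
    print("narrow query sees", len(case_views_by_actor(events, acct)), "event(s)")
    print("accounts seen from reported IP:", actors_from_ip(events, "203.0.113.10"))
    hits = file_access_by_actor(events, acct)
    print("widened query sees", len(hits), "file access events:", files_touched(hits))
    print("activity window:", activity_window(events_from_ip(events, "203.0.113.10")))
```

The practical lesson is to build the scoping query around the asset (the file record) rather than around the one UI path the investigator happens to know about, and to test any new indicator against every event type the system emits.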

The post Okta: Third-Party Vendor Incident and Breach of Customer Support System appeared first on HIPAA Journal.

Cook County Health Says Information of 1.2 Million Patients Has Potentially Been Compromised

Cook County Health in Chicago, Illinois has recently confirmed that the protected health information of up to 1.2 million patients has potentially been obtained by an unauthorized individual in a cyberattack on one of its business associates.

Cook County Health operates John H. Stroger, Jr. Hospital of Cook County and Provident Hospital of Cook County in Chicago, four pharmacies, two health services including the Cook County Department of Public Health, and 15 community health centers in Cook County, the most populous county in Illinois. Cook County Health contracted with Perry Johnson & Associates, Inc. (PJ&A), a Nevada medical transcription service provider, which was given access to patient data to complete its contracted duties.

On July 21, 2023, PJ&A notified Cook County Health that a data security incident had been detected and was under investigation. PJ&A engaged third-party cybersecurity experts to assist with the investigation and notified law enforcement, including the Federal Bureau of Investigation, and has been assisting the FBI with its investigation. According to the PJ&A substitute breach notice, a security breach was detected on May 2, 2023, and the subsequent forensic investigation confirmed its systems were accessed by an unauthorized individual between March 27, 2023, and May 2, 2023.

On July 26, 2023, PJ&A notified Cook County Health that patient data was stored in systems that had been accessed in the attack and that its forensic investigation had confirmed that the unauthorized individual accessed and exfiltrated the data of Cook County Health patients between April 7, 2023, and April 19, 2023. Cook County Health said it stopped sharing data with PJ&A when it was notified about the data breach and has since terminated its business relationship with the firm. A final list of the affected individuals was provided to Cook County Health on October 9, 2023. Cook County Health said it was one of many organizations affected by the PJ&A data breach.

Cook County Health has confirmed that the breach only involved the systems at PJ&A. Its own IT systems were not affected. The information that was exposed or stolen included names, dates of birth, addresses, medical record numbers, encounter numbers, medical information, and dates/times of service. Approximately 2,600 patients also had their Social Security numbers exposed. PJ&A explained in its breach notice that other customers had similar data stolen, which may also have included insurance information and clinical information, as well as other information found in medical transcription files, such as laboratory and diagnostic testing results, medications, the name of the treatment facility, and the names of healthcare providers.

Cook County Health said it will start mailing notification letters to the affected individuals this week and will provide them with information on the steps they can take to protect themselves against misuse of their personal and protected health information. Individuals who have had their Social Security numbers exposed will be offered complimentary credit monitoring and identity theft protection services. While data theft has been confirmed, Cook County Health said it is unaware of any attempted or actual misuse of patient data.

Cook County Health reported the breach to the Department of Health and Human Services’ Office for Civil Rights on September 24, 2023, as affecting at least 500 individuals. The HIPAA Breach Notification Rule requires breaches to be reported no later than 60 days from discovery, so 500 was used as a placeholder until PJ&A provided the final list of affected individuals.

PJ&A said it has implemented additional technical restrictions in its systems and has deployed an endpoint detection and response system to monitor for any unauthorized access. Cook County Health was not the only client to have been affected by the incident, although at this stage it is unclear how many of its clients have had data stolen and how many individuals in total have been affected.

Vendors that provide services to the healthcare industry that require access to patient data are attractive targets for cybercriminals. They often store large amounts of healthcare data and work with many different hospitals and health systems. Oftentimes, they have privileged access to the networks of their healthcare provider clients, so an attack on a business associate could provide a threat actor with access to the networks of many organizations. Cybercriminal gangs are constantly looking for ways to maximize the return on their efforts, so attacking a business associate makes perfect sense.

While there are more attacks on healthcare providers than business associates, attacks on business associates allow cybercriminals to obtain large quantities of data. An analysis of healthcare data breaches in the first half of 2023 by Critical Insight found that almost 50% of the healthcare records exposed or stolen in the first half of the year were due to cyberattacks on the third-party business associates of healthcare providers and health plans. Data breaches at business associates of healthcare providers and health plans involved an average of 304,000 healthcare records, compared to an average of 86,000 records for attacks on healthcare providers and health plans.

“Hackers are increasingly targeting the weakest links and vulnerable points in the supply chain, specifically business associates or third-party companies that offer services to healthcare organizations,” said John Delano, healthcare cybersecurity strategist at Critical Insight. “Now more than ever, healthcare organizations must remain vigilant of their security and exposures within their supply chain as attackers constantly adapt new strategies.”


Ransomware Attack on Texas Mental Health Service Provider Impacts 172K Patients

Deer Oaks Behavioral Health, a mental health service in San Antonio, TX, fell victim to a ransomware attack on September 1, 2023. According to its breach notice, its antivirus software immediately detected and contained the threat, and encryption was limited to a single segment of its network.

A third-party cybersecurity firm was engaged to investigate the security breach, determine the root cause of the attack, and identify the extent to which its network had been breached. The forensic investigation confirmed that files stored on the compromised network server included patients’ protected health information. The review of the files was completed on September 29, 2023, and confirmed they contained information such as names, addresses, dates of birth, Social Security numbers, diagnosis codes, insurance information, and treatment service types. Deer Oaks then verified contact information, and notification letters started to be mailed to the affected individuals on October 31, 2023.

The breach has been reported to the Maine Attorney General as affecting up to 171,871 individuals, including 460 Maine residents. The affected individuals have been offered identity theft protection and credit monitoring services through IDX. Deer Oaks said data privacy and security are among its highest priorities, and it moved quickly to secure its systems, investigate the breach, notify the affected individuals, and implement additional measures to further improve security. The investigation into the attack is ongoing, but notifying the affected individuals was a priority.

Healthcare organizations continue to be targeted by ransomware groups. While there are growing numbers of attacks involving data theft and extortion without file encryption, around three-quarters of attacks on healthcare organizations still see data encrypted, according to Sophos. NCC Group recently reported an 86% month-over-month increase in healthcare ransomware attacks in September. While some of the large ransomware groups have a policy of not attacking healthcare providers, there has been an alarming increase in active ransomware groups. NCC Group tracked 86% more active ransomware groups in September 2023 than at the same time last year, and several of these groups have conducted large numbers of attacks and have no qualms about attacking healthcare organizations.


Western Washington Medical Group Reports 350,000-Record Data Breach

Western Washington Medical Group, a team of more than 100 providers serving patients in Snohomish, Skagit, Island, and Whatcom counties in Washington state, has recently reported a data breach to the HHS’ Office for Civil Rights (OCR) that has affected up to 350,863 patients.

At this stage, little is known about the Western Washington Medical Group data breach. The breach was reported to OCR on October 26, 2023, but there is no notice on the medical group’s website or the Washington Attorney General’s website at this stage. All that is currently known is this was a hacking/IT incident involving one or more network servers. Based on the HHS breach summary, the breach occurred at Western Washington Medical Group and did not involve any business associates.

This post will be updated when further information becomes available.

Dakota Eye Institute Reports Hacking/IT Incident Impacting 107,143 Patients

Bismarck, ND-based Dakota Eye Institute (DEI), has recently reported a data breach to OCR that involved the protected health information of up to 107,143 patients. DEI explained in its website substitute data breach notification that it experienced a cybersecurity incident and engaged third-party cybersecurity experts to assess, contain, and remediate the incident.

No information was provided about the nature of the breach, when it was detected, for how long its systems were accessed or data was exposed, or the types of information involved. The OCR breach report indicates no business associate involvement. Affected individuals are being notified by mail and have been offered complimentary credit monitoring services. DEI said it has reviewed and enhanced its data security policies and procedures to help reduce the likelihood of a similar event in the future.

Dallas County Investigating Attempted Ransomware Attack

Dallas County officials have confirmed that they detected a cybersecurity incident on October 19, 2023, which appears to have been an attempted ransomware attack. The cybersecurity experts engaged to assist with containing the incident were able to prevent any files from being encrypted. Access is thought to have been gained via a phishing email. The investigation into the breach is ongoing and little information has been released at this stage, such as whether sensitive data was exfiltrated in the attack. Further information will be released as the forensic investigation advances.

On October 28, 2023, the Play hacking group claimed responsibility for the attack and added Dallas County to its data leak site. Currently, no stolen data has been leaked on the dark web site; however, the threat group has given county officials until Friday, November 3, 2023, to make contact and pay the ransom, otherwise the stolen data will be published. The group does not state how much data was stolen, only that the data obtained includes private documents of Dallas County departments.

The Play hacking group is known to target government entities and was behind an earlier attack on the City of Oakland in California. The group published stolen data when the ransom was not paid. In that attack, they stole the personal data of city employees, including financial information, IDs, passports, and human rights violation information.


Doctors’ Management Services Settles OCR HIPAA Probe for $100,000

The HHS’ Office for Civil Rights (OCR) has agreed to a $100,000 settlement with Doctors’ Management Services to resolve an investigation of a ransomware attack and data breach that uncovered multiple potential violations of the HIPAA Security Rule.

Doctors’ Management Services (DMS) is a Massachusetts-based medical management company whose services include medical billing and payor credentialing. DMS identified an intrusion on December 24, 2018, when GandCrab ransomware was used to encrypt files on its network. The forensic investigation confirmed the attackers first gained access to its network on April 1, 2017.

According to DMS, the threat actor gained access to its network via Remote Desktop Protocol (RDP) on one of its workstations and potentially obtained names, addresses, dates of birth, Social Security numbers, insurance information, Medicare/Medicaid ID numbers, driver’s license numbers, and diagnostic information. The breach was reported to OCR on April 22, 2019, as affecting up to 206,695 individuals.

OCR opened an investigation of the breach to determine whether DMS had complied with the HIPAA Rules and uncovered multiple potential violations of the HIPAA Rules. In addition to the impermissible disclosure of the protected health information of 206,695 individuals, OCR determined that DMS had failed to conduct an accurate and thorough risk analysis to assess technical, physical, and environmental risks and vulnerabilities associated with the handling of ePHI.

DMS was also found to have failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. OCR also determined that DMS had not implemented reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of the Security Rule.
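The two findings above go together: the intruder came in over RDP on a workstation and stayed for about 20 months, and nobody was regularly reviewing logon records. The following is an added example, not DMS’s or OCR’s material, of the kind of routine review that would surface such access. It runs over a constructed sample of Windows Security log records in a JSON export shape that is assumed for the example (the field names mirror the standard Event ID 4624/4625 fields, but the export format, host name, user names and addresses are invented). What is not assumed: Event ID 4624 is a successful logon, 4625 a failed one, and logon type 10 (RemoteInteractive) is an RDP session. The sample uses documentation-range addresses as stand-ins for routable ones, so the internal/external test is done against explicit RFC 1918, loopback and link-local ranges rather than Python’s `is_private`, which also treats documentation ranges as private.

```python
import ipaddress
import json
from datetime import datetime

# Constructed sample of Windows Security log records (JSON export shape assumed).
# Host, users and addresses are invented; the event IDs and logon type are real.
SAMPLE_SECURITY_LOG = """\
{"TimeCreated":"2017-04-01T03:12:44Z","EventID":4624,"LogonType":10,"TargetUserName":"admin","IpAddress":"198.51.100.23","Computer":"BILLING-WS07"}
{"TimeCreated":"2017-04-01T08:30:02Z","EventID":4624,"LogonType":2,"TargetUserName":"jsmith","IpAddress":"127.0.0.1","Computer":"BILLING-WS07"}
{"TimeCreated":"2017-04-02T19:05:10Z","EventID":4624,"LogonType":10,"TargetUserName":"jsmith","IpAddress":"10.20.4.15","Computer":"BILLING-WS07"}
{"TimeCreated":"2017-04-03T02:47:31Z","EventID":4625,"LogonType":10,"TargetUserName":"administrator","IpAddress":"198.51.100.23","Computer":"BILLING-WS07"}
{"TimeCreated":"2017-04-03T02:48:05Z","EventID":4624,"LogonType":10,"TargetUserName":"admin","IpAddress":"198.51.100.23","Computer":"BILLING-WS07"}
"""

LOGON_SUCCESS = 4624
LOGON_FAILURE = 4625
RDP_LOGON_TYPE = 10  # RemoteInteractive

# Explicit internal ranges (RFC 1918, loopback, link-local). ipaddress.is_private
# is deliberately not used: it also flags documentation ranges like 198.51.100.0/24.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def parse_security_log(text):
    """One JSON record per line, timestamps made timezone-aware."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["TimeCreated"] = datetime.fromisoformat(
            rec["TimeCreated"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def is_external(ip):
    """True for an address outside the internal ranges. Values that do not parse
    (Windows logs '-' for local logons) are treated as internal."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETWORKS)


def rdp_logons_from_external(events):
    """Successful RDP logons whose source address is not internal."""
    return [e for e in events
            if e["EventID"] == LOGON_SUCCESS
            and e["LogonType"] == RDP_LOGON_TYPE
            and is_external(e["IpAddress"])]


def external_rdp_summary(events):
    """Per external source IP: accounts logged in, success/failure counts and
    the first/last time seen. Failures are included so a password-guessing run
    followed by a success shows up as one story."""
    summary = {}
    for e in events:
        if e["LogonType"] != RDP_LOGON_TYPE or not is_external(e["IpAddress"]):
            continue
        s = summary.setdefault(e["IpAddress"], {
            "users": set(), "successes": 0, "failures": 0,
            "first": e["TimeCreated"], "last": e["TimeCreated"]})
        if e["EventID"] == LOGON_SUCCESS:
            s["successes"] += 1
            s["users"].add(e["TargetUserName"])
        elif e["EventID"] == LOGON_FAILURE:
            s["failures"] += 1
        s["first"] = min(s["first"], e["TimeCreated"])
        s["last"] = max(s["last"], e["TimeCreated"])
    for s in summary.values():
        s["users"] = sorted(s["users"])
        s["first"] = s["first"].isoformat()
        s["last"] = s["last"].isoformat()
    return summary


if __name__ == "__main__":
    events = parse_security_log(SAMPLE_SECURITY_LOG)
    for ip, s in external_rdp_summary(events).items():
        print(f"{ip}: users={s['users']} ok={s['successes']} "
              f"failed={s['failures']} first={s['first']} last={s['last']}")
```

Run daily against the previous day’s exported 4624/4625 events, the summary is short enough for a human to read, and any external address in it on a workstation that should not be reachable over RDP at all is the finding OCR expected this kind of review to produce.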

DMS agreed to settle the investigation with no admission of liability. Under the terms of the settlement, DMS has agreed to pay a $100,000 financial penalty and implement a corrective action plan (CAP) to resolve the potential HIPAA violations identified by OCR. The CAP includes requirements to update its risk analysis, risk management program, HIPAA Privacy and Security Rule policies and procedures, and workforce HIPAA training. In its settlement announcement, OCR also recommended several cybersecurity best practices that all HIPAA-regulated entities should implement to prevent and mitigate cyber threats.

OCR said this is the first HIPAA settlement agreement it has reached in response to a ransomware attack. Given the number of ransomware attacks in the past five years, which have increased by 278% since 2018, it is likely to be the first of many. “Our settlement highlights how ransomware attacks are increasingly common and targeting the health care system. This leaves hospitals and their patients vulnerable to data and security breaches,” said OCR Director, Melanie Fontes Rainer. “In this ever-evolving space, it is critical that our health care system take steps to identify and address cybersecurity vulnerabilities along with proactively and regularly review risks, records, and update policies. These practices should happen regularly across an enterprise to prevent future attacks.”

October is Cybersecurity Awareness Month, and in recognition, OCR released a cybersecurity video that explains how HIPAA Security Rule compliance can help healthcare organizations improve their defenses against cyberattacks and block the most common attack vectors. CISA and the HHS have also recently released a cybersecurity toolkit, which includes key cybersecurity tools, training material, and other resources for strengthening security posture and keeping up to date on the latest threats. This month, CISA released a log management tool to help under-resourced organizations reduce their log management burden and search for signs of compromise, and CISA, the NSA, FBI, and MS-ISAC have issued joint guidance on blocking phishing.

It has never been more important to ensure appropriate cybersecurity measures are in place, given the 239% increase in data breaches due to hacking in the past 4 years and the extent to which healthcare records are now being breached. Breached records are up 60% on last year and, at the time of writing, 88 million healthcare records are known to have been breached so far in 2023.


Hospital Sisters Health System Starts Notifying Individuals About August Cyberattack

Hospital Sisters Health System (HSHS) in Springfield, IL, and Prevea Health in Green Bay, WI, were affected by a cyberattack in late August which caused an outage on August 27, 2023, that affected its computer systems, phone lines, and websites. The outage lasted for several days, during which time HSHS and Prevea operated under downtime procedures. The attack took its websites and certain applications offline, including the MyChart and MyPrevea applications. HSHS was also unable to process online payments as its computer system was offline, but care continued to be provided to patients.

HSHS decided to suspend collecting payments for outstanding bills while it was recovering from the attack, although some of its partners in Illinois and Wisconsin continued to send bills to patients. In early September, HSHS published an open letter to patients warning them about the potential misuse of their information, as reports had been received from some patients who had been contacted by email, SMS, and phone by an unidentified third party that claimed to be a HSHS representative who was attempting to obtain payment for services. In the letter, HSHS advised patients not to respond to suspicious requests via email, SMS, and phone for payment and to carefully check bills before making any payment. HSHS said if a message or SMS is received, to save it and email it to questions@hshs.org to allow it to be investigated and HSHS and Prevea Health would determine if such a request was legitimate or fraudulent.

HSHS has now confirmed that an unauthorized third party had accessed its systems that contained the personal and protected health information of patients and HSHS employees and said it has been investigating the breach and reviewing the data potentially compromised in the incident. While the open letter suggests that there was attempted misuse of stolen data, HSHS said it is unaware of any cases of fraud or identity theft. On October 26, 2023, notification letters started to be sent to the affected individuals, who have been offered complimentary credit monitoring and identity theft protection services. HSHS said it takes time to fully investigate incidents and notify the affected individuals, and more time is required for the data review process; however, notifications are being issued on a rolling basis.

HSHS said the appropriate authorities have been informed about the breach; however, the incident has yet to appear on the HHS’ Office for Civil Rights breach portal, and neither HSHS nor Prevea has publicly confirmed how many individuals have potentially been affected.


Data Breaches Reported by Peerstar, La Red Health Center, Fredericksburg Foot & Ankle Center

Peerstar LLC, a Pennsylvania-based provider of mental health support services, said 11,438 patients have been notified about the exposure and potential theft of their protected health information. Suspicious activity was detected on its network on March 7, 2023, and third-party security experts were engaged to investigate the incident and assess the security of its systems. On May 17, 2023, it was confirmed that an unauthorized third party had access to its systems between February 22, 2023, and March 3, 2023, and protected health information had been exposed. Peerstar said it is unaware of any actual or attempted misuse of patient data.

The types of information exposed varied from individual to individual and may have included the following: first and last name, address, phone number, email address, Social Security number, date of birth, admission date, discharge date, physical or mental health condition, treatment and diagnosis information, driver’s license number or government-issued identification number, financial account number, credit or debit card number, digital signature, birth or marriage certificate, healthcare payment information, and/or health insurance information, including, application and claims history, and policy number or subscriber identification number.

Peerstar has confirmed that additional cybersecurity safeguards are being implemented, employee cybersecurity training has been enhanced, and cybersecurity policies, procedures, and protocols are being improved.

Fredericksburg Foot & Ankle Center Reports April 2023 Data Breach

Fredericksburg Foot & Ankle Center in Fredericksburg, VA, has reported a data breach to the Maine Attorney General that has affected up to 14,912 individuals. In the October 25, 2023, breach notice, the healthcare provider did not disclose when it was first alerted to a potential breach, but said it learned on September 5, 2023, that files were accessed by an unauthorized third party on or around April 21, 2023.

The files included patients’ protected health information, including names, other personal identifiers, and Social Security numbers. Affected individuals have been provided with complimentary single-bureau credit monitoring services, and the practice said it will continue to evaluate and modify its practices and internal controls to enhance the security and privacy of personal information.

La Red Health Center Investigating Cyberattack

La Red Health Center in Georgetown, DE, has recently reported a data breach to the HHS’ Office for Civil Rights that has affected at least 501 individuals. 501 is frequently used as a placeholder to meet breach reporting requirements when the total number of affected individuals has yet to be determined.

La Red Health Center said suspicious activity was detected within its network on April 11, 2023. Assisted by third-party security experts, the healthcare provider determined that there had been unauthorized access to its network between March 27, 2023, and April 6, 2023. On August 21, 2023, the affected files were confirmed, and a review was initiated to determine the individuals affected and to obtain up-to-date contact information. The website breach notice does not state what information was compromised in the attack.


PHI of University of Michigan Health Service and School of Dentistry Patients Exposed

The University of Michigan (UM) has recently announced it fell victim to a cyberattack in the summer that resulted in unauthorized access to the sensitive data of students, applicants, alumni, donors, employees, contractors, University Health Service and School of Dentistry patients, and research study participants.

UM detected suspicious activity within its computer network on August 23, 2023, and took immediate action to contain the incident and prevent further unauthorized access. Third-party cybersecurity experts were engaged to assist with the investigation and confirmed that an unauthorized third party had access to its network between August 23, 2023, and August 27, 2023.

A review was conducted to identify files that may have been accessed and the types of data involved. The exposed data varied from individual to individual and may have included the following:

  • Students, applicants, alumni, donors, employees, and contractors: Name, Social Security number, driver’s license or other government-issued ID number, financial account or payment card number, and/or health information.
  • Research study participants and University Health Service and School of Dentistry patients: Name, Social Security number, driver’s license or government-issued ID number, financial account/payment card number, or health insurance information, University Health Service and School of Dentistry clinical information such as medical record number or diagnosis or treatment or medication history, and/or information related to participation in certain research studies.

UM said it is working with third-party cybersecurity experts to harden its systems and better protect sensitive data. Notification letters were mailed to the affected individuals on October 23, 2023, who have been offered complimentary credit monitoring services. The incident has yet to appear on the HHS’ Office for Civil Rights website so it is currently unclear how many individuals have been affected.

Westat & Radius Global Solutions Confirm Scale of MOVEit Hacks

The Rockville, MD-based professional services provider, Westat, Inc., has recently reported a MOVEit Transfer data breach to the HHS’ Office for Civil Rights. The notification covers 50,065 individuals who had their PHI exposed, such as names, dates of birth, and Social Security numbers. The Clop hacking group exploited a zero-day vulnerability in MOVEit Transfer (CVE-2023-34362) between May 28 and May 29, 2023, and exfiltrated human resources files. Westat mailed notification letters to affected individuals on July 21, 2023. Credit monitoring services have been offered to the affected individuals. Meadville Medical Center in Pennsylvania and Cape Fear Valley Health in Fayetteville, NC, were among the affected clients.

The Edina, MN-based accounts receivable, customer relations, and revenue cycle management solution provider, Radius Global Solutions, has notified the HHS that the PHI of 135,742 individuals was compromised when the Clop hackers exploited the MOVEit Transfer zero-day flaw. Radius learned that it was affected on June 1, 2023, and said the hackers stole files that contained names, dates of birth, Social Security numbers, treatment codes, treatment locations, and treatment payment histories. Complimentary identity monitoring and protection services have been offered to the affected individuals.

Radius filed two notices with the Maine Attorney General about the breach, the first on September 1, 2023, which said 632,204 individuals had been affected and a second notice was filed on September 15, 2023, stating 9,979 individuals had been affected.


Cyberattacks Reported by Brooklyn Premier Orthopedics & Atlas Healthcare

Brooklyn Premier Orthopedics (BPO) in New York has confirmed the protected health information of 48,459 patients may have been viewed or obtained in a recent cyberattack. According to BPO’s October 5, 2023, breach notice, unauthorized individuals gained access to parts of its network where patient data was stored, including names, addresses, dates of birth, Social Security numbers, and medical treatment information.

The investigation did not uncover any evidence to indicate any of that information has been misused; however, the affected patients have been advised to be vigilant and monitor their accounts carefully. Complimentary credit monitoring and identity theft protection services have been offered. BPO has reviewed and enhanced its security policies and practices to reduce the likelihood of similar incidents occurring in the future.

Almost 11,000 Atlas Healthcare Residents and Patients Affected by Cyberattack

The Connecticut senior living and care provider, Atlas Healthcare, has warned 10,831 of its assisted living residents and rehabilitation patients that some of their protected health information was exposed in a January 2023 cyberattack. The exposed information includes names, addresses, dates of birth, Social Security numbers, medical and health insurance information, driver’s license numbers, and financial information. The affected individuals had received care at Arbors of Hop Brook or Manchester Rehabilitation and Healthcare Center in Manchester, CT, or Vernon Rehabilitation and Healthcare Center in Vernon, CT.

Atlas Healthcare did not disclose details of the nature of the attack, such as if this was a data theft and extortion incident. As a precaution against identity theft and fraud, affected individuals have been offered complimentary memberships to a credit monitoring service.

Humana Members Affected by Breach at Subcontractor of Business Associate

Humana Inc. has recently confirmed there has been a data breach at a subcontractor of a business associate. Humana was notified about the incident on October 3, 2023, by its business associate PNC Bank. PNC handles funding for payments to its participating providers.

On August 9, 2023, PNC was informed by its payment processing subcontractor, Echo Health, about suspicious activity that was detected on its website. The investigation confirmed that an unauthorized individual accessed its website using valid payment information that had been obtained from a third-party billing company. That individual was able to access Explanation of Provider Payment documents, which included the PHI of 2,844 Humana members. The documents contained first and last names, Humana ID numbers, provider names, and dates of service.

Humana says Echo Health has implemented additional technical safeguards and controls on its applications to prevent similar incidents and has put additional alerts and fraud monitoring in place.
