HIPAA Breach News

Ambulances Diverted After Westchester Medical Center Health Network Cyberattack

Westchester Medical Center Health Network (WMCHealth) has experienced a cyberattack that affected its information technology systems. The attack was detected last week, and at 10 p.m. on Friday, October 20, 2023, the decision was taken to shut down all connected IT systems. The downtime was expected to last for 24 hours, and systems were brought back online on a rolling basis over the weekend. All systems were restored by Monday, October 24.

Without access to essential IT systems, the decision was taken to divert ambulances at HealthAlliance of the Hudson Valley facilities, including HealthAlliance Hospital in Kingston, Margaretville Hospital in Margaretville, and the skilled nursing facility, Mountainside Residential Care Center in Margaretville. The diversion ended on Saturday night and the hospitals resumed patient admissions, although stroke patients are still being taken to alternative facilities.

WMCHealth said the New York State Department of Health and Ulster and Delaware County officials were notified about the attack and it has been working with law enforcement, including the FBI, and has engaged a third-party cybersecurity firm to assist with the investigation. The first priority was ensuring patient safety, which is why ambulances were diverted. The hospitals remained open throughout and continued to accept walk-in patients, who were assessed, treated, and released, or transferred to alternative WMCHealth facilities.

The investigation of the attack is ongoing, and it has not yet been determined if any patient data was compromised. Should that turn out to be the case, notifications will be issued as soon as possible.

PHI Compromised in Cyberattack on Fellowship Village

Fellowship Village, a retirement community in Bernards Township, NJ, has recently announced a security breach that was detected on or around August 9, 2023. The forensic investigation confirmed that there had been unauthorized access to its network between July 27, 2023, and August 9, 2023, during which time files containing sensitive information may have been accessed and exfiltrated.

The review of the affected files is ongoing, but it has been confirmed that protected health information may have been compromised. The information involved includes a combination of names, addresses, Social Security numbers, patient identification numbers, medical record numbers, medical information, treatment information, diagnosis information, health insurance information, driver’s license/state identification numbers, financial account information, and dates of birth.

Policies and procedures are being reviewed and security will be enhanced to prevent further data breaches. To meet breach reporting requirements, the HHS’ Office for Civil Rights has been notified and told at least 501 individuals were affected. The total will be updated when the full scale of the breach is determined.

Hackers Gained Access to PHI of BHI Energy Health Plan Members

BHI Energy, a Weymouth, MA-based provider of project management and staffing support to the nuclear, fossil, wind, hydro, and government energy markets, has discovered an unauthorized third party gained access to certain systems within its network. The breach was detected on or around June 29, 2023, and the subsequent investigation confirmed on September 1, 2023, that business records had been accessed, some of which contained individuals’ personally identifiable information (PII).

In total, the PII of 91,269 individuals was potentially compromised, including the 4,049 members of its health plan. The compromised data included first, middle, and last name, address, date of birth, and Social Security number, and potentially health information. Affected individuals have been offered complimentary credit monitoring and identity theft protection services. Additional security measures have been implemented to improve data security and prevent similar breaches in the future.

MOVEit Transfer Hacking Victims

NASCO

NASCO, an Atlanta, GA-based provider of benefits administration services to health plans, has confirmed that it was affected by the mass exploitation of a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution, which was used to transfer files to its health plan clients. The vulnerability was exploited on May 30, 2023, the day before Progress Software released the patch to fix the flaw. NASCO said it learned that it had been affected on July 12, 2023. While no misuse of the stolen data has been detected, notification letters have been issued and the 2,956 affected individuals have been offered complimentary credit monitoring and identity theft protection services for up to 24 months. The breached information included names and Social Security numbers.

Meadville Medical Center

Meadville Medical Center in Pennsylvania has confirmed that it was affected by the MOVEit Transfer hacks. The file transfer solution was used by Westat Inc., which provided data collection and management services as part of the National Hospital Care Survey (NHCS). The breach was detected on May 30, 2023, and involved the protected health information of approximately 1,300 patients. Westat has offered the affected individuals 12/24 months of complimentary credit monitoring services.

Cape Fear Valley Health

Cape Fear Valley Health in Fayetteville, NC, was also affected by the MOVEit Transfer hack at Westat. Files were copied that included the protected health information of 1,943 patients, most of whom had been treated between February 2023 and May 2023. The stolen data included names, addresses, dates of birth, and diagnoses. Affected individuals have been offered 12/24 months of complimentary credit monitoring services.

The post Ambulances Diverted After Westchester Medical Center Health Network Cyberattack appeared first on HIPAA Journal.

September 2023 Healthcare Data Breach Report

September was a much better month for healthcare data privacy, with the lowest number of reported healthcare data breaches since February 2023. In September, 48 data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights (OCR), which is well below the 12-month average of 57 data breaches a month.

For the second successive month, there was a fall in the number of breached records, which dropped 36.6% month-over-month. Across the 48 reported data breaches, the protected health information of 7,556,174 individuals was exposed or impermissibly disclosed. September’s total was below the 12-month average of 7,906,890 records per month, but this year has seen two particularly bad months for data breaches. More healthcare records were exposed in May and June than were exposed in all of 2020!

The high number of breached records can partly be attributed to the mass exploitation of a zero-day vulnerability in Progress Software’s MOVEit solution, which is used by healthcare organizations and their business associates for transferring files. According to Emsisoft, which has been tracking the MOVEit data breaches, 2,553 organizations were affected by the attacks globally, and 19.2% of those were in the health sector. Most of these breaches are now believed to have been reported.

Largest Healthcare Data Breaches in September 2023

There were 16 data breaches reported in September that involved 10,000 or more records, four of which – including the largest data breach of the month – were due to the mass exploitation of the vulnerability that affected the MOVEit Transfer and MOVEit Cloud solutions (CVE-2023-34362). The healthcare industry continues to be targeted by ransomware and extortion gangs, including Clop, Rhysida, Money Message, NoEscape, Karakurt, Royal, and ALPHV (BlackCat). Three of the 10,000+ record data breaches were confirmed as ransomware attacks, although several more are likely to have involved ransomware or extortion. It is common for HIPAA-covered entities not to disclose details of hacking incidents.

While hacking incidents often dominate the headlines, the healthcare industry suffers more insider breaches than other sectors, and September saw a major insider breach at a business associate. An employee of the business associate Maximus was discovered to have emailed the protected health information of 1,229,333 health plan members to a personal email account.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Cause of Breach |
|---|---|---|---|---|---|
| Arietis Health, LLC | FL | Business Associate | 1,975,066 | Hacking/IT Incident | MOVEit Hack (Clop) |
| Virginia Dept. of Medical Assistance Services | VA | Health Plan | 1,229,333 | Hacking/IT Incident | Employee of a business associate (Maximus) emailed documents to a personal email account |
| Nuance Communications, Inc. | MA | Business Associate | 1,225,054 | Hacking/IT Incident | MOVEit Hack (Clop) |
| International Business Machines Corporation | NY | Business Associate | 630,755 | Unauthorized Access/Disclosure | MOVEit Hack (Clop) |
| Temple University Health System, Inc. | PA | Healthcare Provider | 430,381 | Hacking/IT Incident | Hacking incident at business associate (no information released) |
| Prospect Medical Holdings, Inc. | CA | Business Associate | 342,376 | Hacking/IT Incident | Rhysida ransomware attack |
| United Healthcare Services, Inc. Single Affiliated Covered Entity | CT | Health Plan | 315,915 | Unauthorized Access/Disclosure | MOVEit Hack (Clop) |
| Oak Valley Hospital District | CA | Healthcare Provider | 283,629 | Hacking/IT Incident | Hacked network server |
| Bienville Orthopaedic Specialists LLC | MS | Healthcare Provider | 242,986 | Hacking/IT Incident | Hacked network server (data theft confirmed) |
| Amerita | KS | Healthcare Provider | 219,707 | Hacking/IT Incident | Ransomware attack on parent company (PharMerica) by Money Message group |
| Community First Medical Center | IL | Healthcare Provider | 216,047 | Hacking/IT Incident | Hacked network server |
| OrthoAlaska, LLC | AK | Healthcare Provider | 176,203 | Hacking/IT Incident | Hacking incident (no information released) |
| Acadia Health, LLC d/b/a Just Kids Dental | AL | Healthcare Provider | 129,463 | Hacking/IT Incident | Ransomware attack – Threat group confirmed data deletion |
| Founder Project Rx, Inc. | TX | Healthcare Provider | 30,836 | Hacking/IT Incident | Unauthorized access to email account |
| Health First, Inc. | FL | Healthcare Provider | 14,171 | Hacking/IT Incident | Unauthorized access to email account |
| MedMinder Systems, Inc. | MA | Healthcare Provider | 12,146 | Hacking/IT Incident | Hacked network server |

Data Breach Types and Data Locations

Hacking and other IT incidents continue to dominate the breach reports. In September, hacking/IT incidents accounted for 81.25% of all reported data breaches of 500 or more records (39 incidents) and 87.23% of the exposed or stolen records (6,591,496 records). The average data breach size was 169,013 records and the median data breach size was 4,194 records.

There were 9 data breaches classified as unauthorized access/disclosure incidents, across which 964,678 records were impermissibly accessed by or disclosed to unauthorized individuals. The average data breach size was 107,186 records and the median breach size was 2,834 records.

There were no reported incidents involving the loss or theft of paper records or electronic devices containing ePHI, and no reported incidents involving the improper disposal of PHI.

Given the large number of hacking incidents, it is no surprise that network servers were the most common location of breached protected health information. 7 incidents involved unauthorized access to email accounts.

Where did the Data Breaches Occur?

The raw data from the OCR data breach portal shows healthcare providers were the worst affected entity in September, with 30 healthcare providers reporting data breaches. There were 11 data breaches reported by business associates and 7 breaches reported by health plans. These figures do not tell the full story, as the reporting entity may not be the entity that suffered a data breach. Many data breaches occur at business associates of HIPAA-covered entities but are reported to OCR by the covered entity rather than the business associate.

To better reflect this and to avoid the underrepresentation of business associates in the healthcare data breach statistics, the charts below show where the data breaches occurred rather than the entity that reported the data breach.

Business associate data breaches are often severe because, if a hacker gains access to the network of a business associate, they can access the data of all clients of that business associate. In September, the average size of a business associate data breach was 5,864,823 records (median: 2,729 records). The average size of a healthcare provider data breach was 1,372,101 records (median: 7,267 records), and the average health plan data breach involved 319,250 records (median: 2,834 records).

Geographical Distribution of Data Breaches

Healthcare data breaches of 500 or more records were reported by HIPAA-regulated entities in 24 states. California, Florida, and New York were the worst affected states with 4 breaches each.

| State | Breaches |
|---|---|
| California, Florida & New York | 4 |
| Georgia, Illinois & Texas | 3 |
| Alabama, Connecticut, Massachusetts, Minnesota, Mississippi, Missouri, New Jersey, Pennsylvania & Virginia | 2 |
| Arizona, Arkansas, Indiana, Kansas, Kentucky, Maryland, Nevada, North Carolina & Tennessee | 1 |

HIPAA Enforcement Activity in September 2023

All healthcare data breaches of 500 or more records are investigated by OCR to determine whether they were the result of non-compliance with the HIPAA Rules. OCR has a backlog of investigations due to budgetary constraints, and HIPAA violation cases can take some time to be resolved. In September, OCR announced that one investigation had concluded and a settlement had been reached. The case, against LA Care Health Plan, dates back to March 2014, when an online media source reported that members of the health plan were able to access the PHI of other members via its online member portal. The breach was reported to OCR as affecting fewer than 500 plan members, and OCR launched a compliance review in February 2016. Three years later, another breach was reported – a mailing error, this time affecting 1,498 plan members.

OCR investigated LA Care Health Plan again and found multiple violations of the HIPAA Rules: a risk analysis failure, insufficient security measures, insufficient reviews of records of information system activity, insufficient evaluations in response to environmental/operational changes, insufficient recording and examination of activity in information systems, and an impermissible disclosure of the ePHI of 1,498 individuals. The case was settled, and LA Care Health Plan agreed to adopt a corrective action plan and pay a $1,300,000 penalty.

State attorneys general are also authorized to investigate healthcare data breaches and fine organizations for HIPAA violations. From 2019 to 2022, there were relatively few financial penalties imposed for HIPAA violations or equivalent violations of state laws, but there has been a significant increase in enforcement actions in 2023. Between 2019 and 2022 there were 12 enforcement actions by state attorneys general that resulted in financial penalties. 11 penalties have been imposed so far in 2023.

In September, three settlements were announced by state attorneys general. The first, and the largest, was in California, which fined Kaiser Foundation Health Plan Foundation Inc. and Kaiser Foundation Hospitals $49 million. Kaiser was found to have violated state laws by improperly disposing of hazardous waste and violating HIPAA and state laws by disposing of protected health information in regular trash bins.

The Indiana Attorney General announced that a settlement had been reached with Schneck Medical Center following an investigation of a data breach involving the PHI of 89,707 Indiana residents. The settlement resolved alleged violations of the HIPAA Privacy, Security, and Breach Notification Rules, the Indiana Disclosure of Security Breach Act, and the Indiana Deceptive Consumer Sales Act. Schneck Medical Center paid a $250,000 penalty and agreed to improve its security practices.

The Colorado Attorney General announced that a settlement had been reached with Broomfield Skilled Nursing and Rehabilitation Center over a breach of the protected health information of 677 residents. The settlement resolved alleged violations of HIPAA data encryption requirements, state data protection laws, and deceptive trading practices. A penalty of $60,000 was paid to resolve the alleged violations, with $25,000 suspended, provided corrective measures are implemented.


236,000 Individuals Affected by Fairfax Oral and Maxillofacial Surgery Ransomware Attack

Fairfax Oral and Maxillofacial Surgery in Virginia has confirmed that the protected health information of up to 235,931 individuals was potentially compromised in a ransomware attack in May 2023. The security incident was detected on May 16, 2023, when files were encrypted on its systems. The forensic investigation determined that an unauthorized third party had access to its network between May 15 and May 16, 2023.

According to the breach notification submitted to the Maine Attorney General, the investigation did not find any evidence of data theft, although the possibility that files were stolen could not be ruled out. The review of the files on the affected parts of the network determined they contained information such as names, driver’s license numbers, health insurance information, medical history information, and for some individuals, Social Security numbers. Fairfax Oral and Maxillofacial Surgery said it has taken steps to reduce the risk of this type of incident occurring in the future, including enhancing its technical security measures. A complimentary one-year membership to the Experian IdentityWorks℠ Credit 3B service has been offered to the affected individuals.

Henwood Family Dentistry Says 7,300 Patients Affected by Cyberattack

Borgfeld Dental Center PLLC, doing business as Henwood Family Dentistry in San Antonio, TX, has recently announced that the protected health information of 7,300 patients was potentially accessed by unauthorized individuals in August. The security breach was detected on August 17, 2023, and the forensic investigation determined that access was gained to a desktop computer via a remote-access tool, and the credentials for a user account were used to access its network.

Henwood Family Dentistry said it is aware that one of its patients has been contacted directly by the attacker, and has advised patients not to engage with the attacker if they are contacted. The Federal Bureau of Investigation has been notified about the attack and is investigating. The types of data exposed varied from individual to individual and may have included one or more of the following: full name, date of birth, address, telephone number, email address, Social Security number, driver’s license number, government-issued identification number, health insurance information, and/or information regarding dental/orthodontic care.

Henwood Family Dentistry said it took several mitigation steps, including blocking the unauthorized access, changing passwords, and replacing the hard drives of the affected computers, and has reviewed its security strategies and systems to identify possible enhancements. Affected individuals have been offered complimentary credit monitoring and identity theft protection services.

Piedmont Healthcare Affected by Cyberattack on Administrative Services Provider

Piedmont Healthcare, Inc., a 23-hospital health system serving the southeast United States, was affected by a cyberattack on its claims processing and administrative services provider, Pharm-Pacc. The attack was detected on March 24, 2023, and on or around March 15, 2023, it was confirmed that protected health information stored on Pharm-Pacc’s systems was accessed. Piedmont Healthcare was notified it was affected on July 14, 2023. Pharm-Pacc has offered the affected individuals 12 months of credit monitoring, fraud consultation, and identity theft restoration services. 895 Piedmont patients are known to have been affected.

Surround Care Impacted by Navvis & Company Cyberattack

Surround Care, LLC, a wholly owned subsidiary of Navvis & Company, has confirmed that the protected health information of 917 individuals has been exposed in a cyberattack. The attack was detected on July 25, 2023, and the forensic investigation confirmed that an unauthorized third party had access to its network between July 12, 2023, and July 25, 2023. The exposed information included names, dates of birth, Medicaid/Medicare ID numbers, health plan information, medical treatment information, medical record numbers, patient account numbers, case identification numbers, provider/doctor information, health record information, and for some individuals, Social Security numbers. Surround Care said no evidence of any identity theft or fraud has been identified in connection with this incident.

MOVEit Hacking Victims

Many HIPAA-covered entities and business associates have reported being affected by the mass exploitation of a zero-day vulnerability in Progress Software’s MOVEit file transfer solution in May 2023. IBM and San Diego PACE have now confirmed that they were affected.

IBM

IBM has started notifying 630,755 individuals that some of their protected health information was stolen by the Clop group when it exploited the MOVEit vulnerability in late May. The attack on IBM also affected the Missouri Department of Social Services (DSS), which reported that names, department client numbers, dates of birth, benefit eligibility status or coverage, and medical claims information, were compromised in the attack. The Colorado Department of Health Care Policy & Financing (HCPF) was also affected and said the protected health information of 4,091,794 individuals was stolen. In total, the data of more than 10 million individuals is believed to have been stolen in the attack on IBM.

San Diego PACE

San Diego PACE, a specialized health plan for individuals over 55 years of age, has confirmed that the information of some of its members has been stolen in a cyberattack on one of its vendors. Cognisight is a business associate that provides healthcare management services to San Diego PACE and uses Progress Software’s MOVEit solution for file transfers. The MOVEit solution was compromised in late May, and on June 5, 2023, it was confirmed that some plan member data had been stolen. The delay in issuing notifications was due to the time taken to review the affected files and obtain up-to-date contact information. Affected individuals have been offered complimentary credit monitoring services.


Healthcare Clearinghouse Settles Multi-state HIPAA Investigation for $1.4 Million

Inmediata has agreed to a $1.4 million settlement to resolve a multi-state investigation of potential violations of the Health Insurance Portability and Accountability Act (HIPAA) and state breach notification laws.

On January 15, 2019, the Department of Health and Human Services’ Office for Civil Rights (OCR) notified the Puerto Rico-based healthcare clearinghouse that a server containing the protected health information that it maintained had not been properly secured, resulting in files being indexed by search engines that could be found, accessed, and downloaded by anyone with Internet access. The files on the server contained the protected health information of 1,565,338 individuals and some of those files dated as far back as May 2016.

The HIPAA Breach Notification Rule requires HIPAA-covered entities to issue notifications to individuals affected by a data breach without undue delay and no later than 60 days from the discovery of a data breach. Despite being notified about the breach by OCR, the primary HIPAA regulator, Inmediata waited three months to mail notification letters, and when notification letters were mailed, a mailing error occurred, resulting in letters being sent to incorrect addresses.

Many Americans are unaware of the services provided by healthcare clearinghouses as they do not have any direct contact with them. Healthcare clearinghouses such as Inmediata facilitate transactions between healthcare providers and insurers and are classed as HIPAA-covered entities, which means they must ensure they are fully compliant with the HIPAA Privacy, Security, and Breach Notification Rules. The multi-state investigation found the content of the letters to lack clarity, which resulted in confusion for some consumers as to why Inmediata had their data and caused some individuals to dismiss the notification letters as illegitimate.

The multi-state investigation was led by the Indiana Attorney General, assisted by an Executive Committee consisting of the attorneys general in Connecticut, Michigan, and Tennessee. Alabama, Arizona, Arkansas, Colorado, Connecticut, Delaware, Georgia, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Montana, Nebraska, New Hampshire, North Carolina, Oklahoma, Oregon, Pennsylvania, Puerto Rico, Rhode Island, South Carolina, Tennessee, Utah, Washington, West Virginia and Wisconsin also participated.

The attorneys general alleged violations of the HIPAA Security Rule for failing to implement reasonable and appropriate data security safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information, a failure to conduct a secure code review at any point prior to the data breach, and violations of the HIPAA Breach Notification Rule and state data breach notification laws for failing to provide the affected individuals with timely and complete information about the data breach.

The $1.4 million settlement will be divided among the participating states and Inmediata has also agreed to strengthen its data security and breach notification practices. The requirements include the implementation and maintenance of a comprehensive information security program, which must include secure code reviews and search engine crawling controls. An incident response plan must also be developed that includes specific policies and procedures regarding consumer notification letters, and Inmediata must undergo annual third-party security assessments for the next five years. Last year, Inmediata settled a class action lawsuit over the data breach for $1.125 million.

“Inmediata maintained some of our most sensitive and private health information and they had an obligation to keep it secure. Their coding error left sensitive patient information exposed on public online searches for months, with no notification to impacted patients. Their failures violated numerous state consumer protection laws, breach notification laws, and HIPAA requirements. Our multistate settlement forces Inmediata to pay a significant fine and requires strong security practices going forward to ensure these types of inexcusable security lapses never occur again,” said Connecticut Attorney General, William Tong.


60,000 Individuals Affected by Texas Medical Liability Trust Data Breach

The Texas Medical Liability Trust (TMLT) has reported a data breach to the Maine Attorney General on behalf of itself and its affiliates, Texas Medical Insurance Company, Physicians Insurance Company, and Lone Star Alliance, Inc., a risk retention group. The breach has affected 59,901 individuals.

Suspicious activity was detected within its IT environment on October 12, 2022. Steps were taken to secure its systems and third-party forensics specialists were engaged to investigate. They determined that an unauthorized actor had access to its environment between October 2, 2022, and October 13, 2022, and during that time, files containing protected health information may have been accessed that included names, Social Security numbers, EIN/Tax Identification numbers, state identification/driver’s license information, and financial account information. It took until August 18, 2023, to complete the review of the affected files.

Complimentary credit monitoring services have been offered to the affected individuals and a review of policies, procedures, and processes related to the storage and access of sensitive information has been conducted.

Email Account Breach Affects Patients of Bloom Health Centers

On July 5, 2023, Bloom Health Centers in Timonium, MD, identified suspicious activity in its Microsoft 365 email environment. Steps were immediately taken to prevent further unauthorized access and an investigation was launched to identify the activity. Assisted by a third-party cybersecurity firm, Bloom Health Centers determined that the email account of one of its clinicians was accessed without authorization on or around June 23, 2023.

The review of the account was completed on August 7, 2023, and confirmed the account contained the protected health information of 1,545 patients including names, addresses, email addresses, telephone numbers, dates of birth, and medical information such as medications and diagnoses. That information may have been accessed or acquired during the incident; however, no instances of misuse of patient data have been identified.

The affected individuals have now been notified by mail, and credit monitoring and identity theft protection services have been offered. Email security measures have been enhanced, and further training on data protection best practices has been provided to all members of the workforce.

Prime Therapeutics/Magellan Rx Management Report Email Account Breach

Prime Therapeutics, a Minnesota-based pharmacy benefit management company serving health plans, employers, and government programs, and the next-generation pharmacy organization, Magellan Rx Management, a Prime Therapeutics company, have experienced a data breach involving the protected health information of 6,050 individuals.

The compromised data was stored in an employee’s mobile email account, which was discovered on July 11, 2023, to have been accessed by an unauthorized individual. The compromised credentials were disabled, the unauthorized individual’s IP address was blacklisted, and a review was conducted to determine what information had been exposed. While evidence of unauthorized data access was not found, the attacker may have been able to view names, addresses, dates of birth, member ID numbers, and medication(s).

Prime Therapeutics said it will continue to review internal procedures for potential improvements to strengthen account security and is evaluating additional safeguards to help prevent similar incidents from reoccurring in the future.

Carthage Area Hospital and Claxton Hepburn Medical Center Dealing with Cyberattack

Carthage Area Hospital and Claxton Hepburn Medical Center in Northern New York experienced a cyberattack on August 31, 2023. The hospitals put their emergency rooms on diversion and appointments were cancelled as a precaution due to IT systems being taken offline.

The FBI, New York State Department of Health, and the Department of Homeland Security were notified about the attack and the government is aware of the threat actor behind the attack but has not disclosed which group was responsible. The incident has been contained but the investigation is ongoing. At this stage of the investigation, it appears that patient data has not been compromised.


Schneck Medical Center Settles HIPAA Lawsuit with Indiana AG

Seymour, IN-based Schneck Medical Center has settled a lawsuit with the Indiana attorney general, Todd Rokita, over a 2021 ransomware attack and data breach that affected 89,707 Indiana residents. Schneck Medical Center has agreed to pay a penalty of $250,000 to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) and state laws and will implement additional safeguards to prevent further data breaches.

According to the lawsuit, Schneck Medical Center conducted a risk analysis in December 2020 which revealed many critical security issues, but Schneck Medical Center failed to address them. Nine months later, on or around September 29, 2021, security flaws were exploited by a malicious actor who gained access to the network, exfiltrated sensitive patient data, and then deployed ransomware to encrypt files. The information stolen in the attack included names, addresses, dates of birth, Social Security numbers, driver’s license numbers, financial account information, payment card information, diagnoses, and health insurance information.

Schneck Medical Center was quick to alert patients to the cyberattack through a statement on its website on September 29, 2021; however, the Indiana AG alleged that Schneck Medical Center failed to disclose the risk patients faced and did not encourage them to take steps to protect themselves against identity theft and fraud, even though Schneck Medical Center was aware at the time that a large quantity of sensitive data had been stolen.

Another statement was released two months later on November 26, 2021, confirming that files had been stolen in the attack; however, Schneck Medical Center failed to disclose that protected health information had been exposed, despite being aware that PHI had been stolen. Schneck Medical Center also failed to issue timely individual notifications, which were not mailed until May 13, 2022 – 226 days after the discovery of the data breach. Schneck Medical Center also claimed in a May 13, 2022, substitute breach notice that data theft was discovered on March 17, 2022, when Schneck Medical Center had been aware since September 29, 2021, that data had been stolen.

The Indiana attorney general alleged multiple violations of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule and violations of the Indiana Disclosure of Security Breach Act and the Indiana Deceptive Consumer Sales Act.

Schneck Medical Center Compensates Patients for Losses

Schneck Medical Center has also recently settled a consolidated class action lawsuit for $1.3 million. Two lawsuits seeking compensation for the ransomware attack and data breach were filed by patients Jalen Nierman, Bryce Sheaffer, Jennifer Renoll, Patricia White, and Nigel Myers. The plaintiffs alleged Schneck Medical Center failed to implement reasonable and appropriate safeguards to ensure the confidentiality of patient data. Schneck Medical Center agreed to a settlement with no admission of wrongdoing.

Under the terms of the settlement, class members are entitled to claim up to $500 in ordinary expenses, including up to 4 hours of lost time at $15 per hour. Individuals who incurred extraordinary expenses due to the data breach can claim up to $6,000. Claims may be paid pro rata, depending on the number of claims received. The settlement also includes 27 months of free credit monitoring and identity theft protection services and coverage through a $1 million identity theft insurance policy.

The post Schneck Medical Center Settles HIPAA Lawsuit with Indiana AG appeared first on HIPAA Journal.

L.A. Care Health Plan Settles Multiple HIPAA Violations for $1.3 Million

The Local Initiative Health Authority for Los Angeles County, operating as L.A. Care Health Plan, has settled multiple violations of the HIPAA Privacy and Security Rules with the HHS’ Office for Civil Rights (OCR) and will pay a $1,300,000 penalty and adopt a robust corrective action plan.

L.A. Care Health Plan is the largest publicly operated health plan in the United States and has more than 2.7 million members. OCR said it launched two separate investigations of L.A. Care Health Plan to assess the state of HIPAA compliance, the first of which was in response to a media report about impermissible disclosures of protected health information (PHI) via its member portal and the second was in response to a breach that was reported to OCR involving the PHI of 1,498 members.

In 2016, a media outlet reported that members of the health plan were able to access the protected health information (PHI) of other members via the online member portal over a 2-day period in 2014 due to a manual processing error. OCR informed L.A. Care Health Plan it had initiated a compliance review and in February 2016, L.A. Care Health Plan reported the breach to OCR as affecting fewer than 500 individuals. In March 2019, L.A. Care Health Plan notified OCR about a 1,498-record data breach caused by a mailing error that saw members receive the ID cards of other health plan members.

OCR determined that there had been several failures to fully comply with the requirements of the HIPAA Privacy and Security Rules. The resolution agreement lists 6 potential HIPAA violations identified by its investigators.

  1. A failure to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI – 45 C.F.R. § 164.308(a)(1)(ii)(A).
  2. A failure to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level – 45 C.F.R. § 164.308(a)(1)(ii)(B).
  3. A failure to implement sufficient procedures to regularly review records of information system activity – 45 C.F.R. § 164.308(a)(1)(ii)(D).
  4. A failure to perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of ePHI – 45 C.F.R. § 164.308(a)(8).
  5. A failure to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI – 45 C.F.R. § 164.312(b).
  6. The impermissible disclosure of the ePHI of 1,498 individuals – 45 C.F.R. § 164.502(a).

L.A. Care Health Plan chose to settle the investigations with no admission of liability and agreed to pay a $1,300,000 financial penalty and adopt a corrective action plan to correct the alleged HIPAA violations. The corrective action plan includes the requirement to conduct a comprehensive, organization-wide risk analysis, develop a risk management plan, develop, implement, and distribute policies and procedures for a risk analysis and risk management plan, report to OCR when evaluations of environmental and operational changes are conducted, and to report HIPAA violations by employees to OCR within 30 days.

“Breaches of protected health information by a HIPAA-regulated entity often reveal systemic noncompliance with the HIPAA Rules,” said OCR Director Melanie Fontes Rainer. “HIPAA-regulated entities need to be proactive in ensuring their compliance with the HIPAA Rules, and not wait for OCR to reveal long-standing HIPAA deficiencies. Entities such as LA Care must protect the health information of its insureds while providing health care for the most vulnerable residents of Los Angeles County through its coverage, which includes Medicaid, Medicare, and Affordable Care Act health plans.”

The post L.A. Care Health Plan Settles Multiple HIPAA Violations for $1.3 Million appeared first on HIPAA Journal.

Kaiser Pays $49 Million to Settle Improper Disposal Investigation

California Attorney General Rob Bonta has announced that a $49 million settlement has been reached with Kaiser Foundation Health Plan, Inc. and Kaiser Foundation Hospitals to resolve allegations of improper disposal of hazardous waste, medical waste, and protected health information.

Oakland, CA-based Kaiser is the largest healthcare provider in California with more than 700 healthcare facilities in the state, serving more than 8.8 million patients. An investigation was launched by 6 district attorneys from Alameda, San Bernardino, San Francisco, San Joaquin, San Mateo, and Yolo counties into the unlawful dumping of dangerous items. Undercover staff from the district attorneys’ offices inspected dumpsters at 16 different Kaiser facilities. The dumpsters were not secured and the contents were destined for disposal in landfill sites.

The inspectors found hundreds of items of hazardous and medical waste, including aerosols, cleansers, sanitizers, batteries, syringes, medical tubing containing body fluids, pharmaceuticals, and electronic wastes. The dumpsters also contained more than 10,000 paper records that contained the protected health information of 7,700 patients. The California Department of Justice later joined the investigation and expanded it statewide at other Kaiser facilities. Kaiser was alleged to have violated the Health Insurance Portability and Accountability Act (HIPAA), and California’s Hazardous Waste Control Law, Medical Waste Management Act, Confidentiality of Medical Information Act, Customer Records Law, and Unfair Competition Law.

In response to the investigation, Kaiser engaged a third-party consultant to conduct more than 1,100 trash audits at its facilities and its operating procedures have been updated to ensure proper waste disposal across its facilities in California. The $49 million settlement comprises $37,513,000 in civil penalties, $4,832,000 in attorneys’ fees and costs, $4,905,000 for supplemental environmental projects, and a further $1.75 million in civil penalties that becomes payable if Kaiser has not invested an additional $3.5 million in its Californian facilities to provide enhanced environmental compliance measures.

Kaiser is also required to retain an independent third-party auditor to conduct more than 520 trash compactor audits at its California facilities to make sure hazardous items and protected health information are not being disposed of in regular trash, and at least 40 programmatic field audits must be conducted each year for the next 5 years to evaluate compliance with its policies covering hazardous waste, medical waste, and protected health information.

“The illegal disposal of hazardous and medical waste puts the environment, workers, and the public at risk. It also violates numerous federal and state laws,” said Attorney General Bonta. “As a healthcare provider, Kaiser should know that it has specific legal obligations to properly dispose of medical waste and safeguard patients’ medical information. I am pleased that Kaiser has been cooperative with my office and the district attorneys’ offices, and that it took immediate action to address the alleged violations.”

The post Kaiser Pays $49 Million to Settle Improper Disposal Investigation appeared first on HIPAA Journal.

Lifeline Systems Company Notifies Patients About August 2022 Cyberattack

Lifeline Systems Company, a Marlborough, MA-based provider of patient alarm systems has recently notified 74,849 individuals about a data breach that occurred more than a year ago. According to the notification letters, unusual network activity was detected on August 6, 2022. Incident response protocols were immediately initiated, and a third-party computer forensic investigation was launched to investigate the nature of the incident.

The investigation confirmed that an unauthorized individual had access to its systems from July 27, 2022, to August 6, 2022, and accessed certain documents on its systems during that period. On August 18, 2022, Lifeline determined the documents included information for subscribers, employees, and individuals eligible to receive Lifeline services. The exposed information included names, driver’s license numbers, and Social Security numbers.

Due to the length of time taken to perform the document review, notification letters were not sent until September 7, 2023, roughly 13 months after the intrusion was detected; for comparison, the HIPAA Breach Notification Rule sets 60 days from discovery as the outer limit for individual notifications. Complimentary credit monitoring services have been offered to individuals who had their Social Security number or driver’s license number exposed. Lifeline said it has enhanced its network monitoring capabilities and will continue to conduct audits of its systems to look for unauthorized activity.

Milan Eye Center Reports Breach at EHR Vendor

Milan Eye Center, an Atlanta, GA-based network of eye surgery centers, has started notifying 67,336 patients that some of their protected health information was compromised in an incident at its third-party vendor, iMedicWare Inc.  Milan Eye Center said it was informed about a data compromise incident on December 9, 202, and launched an investigation which concluded on July 24, 2023, that an unauthorized individual was able to access at least some historical patient archives maintained by iMedicWare between May 18, 2020, and July 23, 2020.

The records included information such as names, birth dates, telephone numbers, insurance coverage information, Social Security numbers, service locations, dates of service, and health statuses. It was not possible to determine exactly which patient records were accessed, so notification letters were sent to all individuals who received services on or before July 23, 2020. Complimentary credit monitoring services have been offered to the affected individuals.

Milan Eye Center confirmed it no longer uses iMedicWare as its electronic health record vendor and said additional technical safeguards and policies have been implemented to enhance information system security.

NOW Health Group Suffers Phishing Attack

Bloomingdale, IL-based NOW Health Group, Inc. has recently determined that the protected health information of 4,661 individuals was compromised in a phishing attack. The attack was detected on or around March 17, 2023, when suspicious activity was identified in its email environment. The forensic investigation determined that unauthorized individuals gained access to certain employee email accounts between March 17 and March 20. A review of the emails and documents in the accounts was completed on July 6, 2023. The information potentially compromised included names and Social Security numbers.

Additional safeguards have been implemented to improve email security and further training has been provided to employees to help them identify phishing attempts. Complimentary credit monitoring services have been offered to the affected individuals.
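Both the Prime Therapeutics incident above (a single mailbox accessed from an outside IP address, credentials disabled and the address blocked) and the NOW Health Group phishing case (several accounts accessed between March 17 and March 20, with a forensic review to fix the window) come down to the same review of mailbox sign-in records. The following is an added example, not code from HIPAA Journal or from any organization named on this page. It reads constructed newline-delimited JSON sign-in records (the format, user names, timestamps and IP addresses are invented for the example; the 203.0.113.0/24 and 198.51.100.0/24 ranges are RFC 5737 documentation addresses), treats one hypothetical corporate egress network as the baseline, flags successful sign-ins from anywhere else, computes the exposure window for each flagged source, and lists containment steps in the order that actually ends the access rather than just blocking the address.

```python
"""
Added example: review mailbox sign-in records for access from unknown
sources, the pattern behind the Prime Therapeutics and NOW Health Group
email account breaches. Not the code of any organization named on the page.
All records and networks below are constructed for the example.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample export: one JSON record per sign-in attempt.
SAMPLE_LOG = """
{"ts": "2023-03-10T08:02:11Z", "user": "j.doe", "ip": "203.0.113.10", "result": "success"}
{"ts": "2023-03-14T09:15:40Z", "user": "j.doe", "ip": "203.0.113.12", "result": "success"}
{"ts": "2023-03-17T02:41:05Z", "user": "j.doe", "ip": "198.51.100.77", "result": "failure"}
{"ts": "2023-03-17T02:41:52Z", "user": "j.doe", "ip": "198.51.100.77", "result": "success"}
{"ts": "2023-03-18T22:10:19Z", "user": "j.doe", "ip": "198.51.100.77", "result": "success"}
{"ts": "2023-03-20T06:33:00Z", "user": "j.doe", "ip": "198.51.100.77", "result": "success"}
{"ts": "2023-03-20T08:00:12Z", "user": "j.doe", "ip": "203.0.113.10", "result": "success"}
{"ts": "2023-03-18T11:00:00Z", "user": "a.smith", "ip": "203.0.113.15", "result": "success"}
"""

# Hypothetical corporate egress range (assumption for the example). Sign-ins
# from any other network are treated as unknown sources.
KNOWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def parse_log(text):
    """Parse newline-delimited JSON into dicts with datetime and ip objects, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        rec["ip"] = ipaddress.ip_address(rec["ip"])
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def is_known_source(ip):
    """True if the address (string or ip_address object) falls in a baseline network."""
    addr = ipaddress.ip_address(str(ip))
    return any(addr in net for net in KNOWN_NETWORKS)


def find_unknown_source_signins(events):
    """Map user -> ip -> list of successful sign-ins from outside the baseline.
    A successful sign-in is the trigger; failed attempts are left for the
    window calculation, where they mark the first contact with the account."""
    hits = defaultdict(lambda: defaultdict(list))
    for rec in events:
        if rec["result"] == "success" and not is_known_source(rec["ip"]):
            hits[rec["user"]][rec["ip"]].append(rec)
    return hits


def exposure_window(events, user, ip):
    """(first, last) timestamp at which `ip` touched `user`'s account, any result."""
    touched = [r["ts"] for r in events if r["user"] == user and r["ip"] == ip]
    return (min(touched), max(touched)) if touched else None


def containment_actions(user, ip):
    """Steps in the order a responder would take them. Blocking the IP alone is
    weak because the intruder simply moves; revoking sessions and credentials
    is what ends the access, and the logs must be preserved for the review."""
    return [
        f"revoke all active sessions and refresh tokens for {user}",
        f"reset credentials for {user} and require MFA re-registration",
        f"block {ip} at the identity provider and mail gateway",
        f"preserve mailbox audit and message-trace logs for {user}",
    ]


def review(text):
    """Run the full review and return one finding per (user, unknown source)."""
    events = parse_log(text)
    findings = []
    for user, by_ip in find_unknown_source_signins(events).items():
        for ip, hits in by_ip.items():
            start, end = exposure_window(events, user, ip)
            findings.append({
                "user": user,
                "ip": str(ip),
                "successful_signins": len(hits),
                "window": (start.isoformat(), end.isoformat()),
                "actions": containment_actions(user, str(ip)),
            })
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(json.dumps(finding, indent=2))
```

On the sample data the review yields a single finding for `j.doe` from 198.51.100.77 with three successful sign-ins and a window running from the failed attempt at 02:41:05 on March 17 to the last success at 06:33 on March 20; that window, not the date of detection, is what bounds the set of messages that must be reviewed for PHI. The baseline here is a static list of networks; a real deployment would derive it per user from historical sign-ins and would also consider ASN, device and client application, since a corporate egress address can itself be abused by a phished session.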

Mountain View Family Practice Reports June 2023 Cyberattack

Mountain View Family Practice in Baldwinville, MA, has alerted 5,139 individuals about a June 11, 2023, cyberattack on its systems. The forensic investigation determined that an unauthorized individual had access to its systems between June 10 and June 11, 2023, and viewed and potentially obtained certain data stored on its systems, including names and Social Security numbers. Notifications were sent to the affected individuals on August 31, 2023, and credit monitoring and identity theft protection services have been offered.

The post Lifeline Systems Company Notifies Patients About August 2022 Cyberattack appeared first on HIPAA Journal.