HIPAA Breach News

IBM Notifies Janssen CarePath Patients About Unauthorized Database Access

IBM has recently announced that the sensitive data of patients of the Johnson & Johnson Health Care Systems subsidiary, Janssen CarePath, has been exposed. IBM is a business associate of Johnson & Johnson and manages the application and database that supports the Janssen CarePath platform. Janssen recently became aware of a method that could be used by unauthorized individuals to gain access to the database and notified IBM, which worked with the database provider and remediated the problem. IBM also conducted an investigation to determine if the database had been accessed by unauthorized individuals and confirmed unauthorized access had occurred on August 2, 2023; however, it was not possible to determine the nature of the access and if patient data had been exfiltrated.

Since patient data may have been accessed, IBM has issued notification letters to the affected Janssen CarePath customers. The data exposed included names in combination with one or more of the following data types: contact information, date of birth, health insurance information, medications, and healthcare conditions. IBM has offered the affected individuals 12 months of complimentary credit monitoring services.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected. The data breach could be substantial as 1.16 million patients used the CarePath platform in 2022.

Hospital Sisters Health System Dealing with Cyberattack

Hospital Sisters Health System (HSHS) is currently dealing with a cybersecurity incident that forced it to take some of its IT systems offline. The phone system was taken out of action, but hospital and clinic phone lines have now mostly been restored. The hshs.org website was affected and is now redirecting to the domain hshsupdates.org, where regular updates are being posted for patients.

Hospital Sisters Health System is headquartered in Springfield, IL, and operates 15 hospitals in Illinois and Wisconsin, which have been working under downtime procedures until IT systems can be safely brought back online. All hospitals and emergency departments remain open, and patients are being received and treated; however, patient billing services are still suspended. At this stage of the investigation, it is too early to tell to what extent, if any, patient data has been compromised.

The University of Massachusetts Chan Medical School Confirms PHI was Stolen in MOVEit Transfer Hack

The University of Massachusetts Chan Medical School has recently confirmed that the protected health information of 134,394 individuals was compromised by the Clop hacking group, which exploited a zero-day vulnerability in the MOVEit Transfer file transfer solution.

The affected individuals had enrolled in a state program through the Worcester, MA-based medical school, such as the State Supplement Program, MassHealth Premium Assistance, MassHealth Community Case Management, or the Executive Office of Elder Affairs and Aging Services Access Points home care programs. The compromised information includes names, dates of birth, addresses, Social Security numbers, financial account numbers, and healthcare information (diagnosis, treatment information, prescription information, provider names, dates of service, claims information, and health insurance information). Complimentary credit monitoring and identity theft protection services have been offered to the affected individuals.

The post IBM Notifies Janssen CarePath Patients About Unauthorized Database Access appeared first on HIPAA Journal.

CentroMed Facing 2 Class Action Lawsuits Over 350,000-Record Data Breach

El Centro Del Barrio, dba CentroMed in San Antonio, TX, is facing at least two class action lawsuits over a June 2023 cyberattack in which hackers gained access to the personal and protected health information (PHI) of 350,000 patients.

The attack was detected on June 12, 2023, and the forensic investigation confirmed unauthorized access to IT systems first occurred on June 9, 2023. The information accessed in the attack included names, addresses, dates of birth, Social Security numbers, financial account information, medical record numbers, health insurance plan member IDs, and claims data. The affected individuals were notified by mail on August 11, 2023.

CentroMed patients Jasmine Grace and Dawn Leal have each taken legal action against CentroMed over the impermissible disclosure of their personal information and allege CentroMed was negligent for failing to properly secure and safeguard their personally identifiable information, which is now in the hands of cybercriminals.

They both claim they face an imminent, ongoing, and substantial risk of identity theft and fraud and have had to invest considerable time and money into protecting themselves against the misuse of their personal information. The lawsuits also take issue with the length of time it took CentroMed to issue notification letters to patients. CentroMed took two months to issue notifications, although this was within the time allowed under the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule.

The lawsuits allege the defendant violated HIPAA by failing to adequately protect their data and allege negligence, breach of fiduciary duty, and unjust enrichment. Jasmine Grace’s lawsuit was filed in District Court in San Antonio, and she is represented by attorney Samantha Holbrook. The lawsuit seeks $1 million in damages. Dawn Leal’s lawsuit was filed in San Antonio federal court by attorney Joe Kendall and seeks $5 million in damages.


Employee Health Plan Data Exposed in Forever 21 Data Breach

Fashion retailer Forever 21 has notified the Maine Attorney General of a data breach in which the health plan data of 539,207 current and former employees was exposed. Breach notification letters are being sent to everyone potentially affected by the breach. However, the letters reveal little about the nature of the attack or what specific data was exposed.

According to the notification published on the Maine Attorney General website, Forever 21 experienced an “external system breach” between January 5 and March 21, 2023. The nature of the information breached is “name or other personal identifier in combination with Social Security number”, and identity theft services are being offered to those potentially affected.

The notification also includes a link to the company’s breach notification letter to potentially affected individuals. The letter provides limited information about the nature of the attack or what specific data was exposed, stating that an unauthorized third party “accessed certain Forever 21 systems” and “obtained select files from certain Forever 21 systems”.

With regards to what these select files might have contained, the letter states “the files involved contained some of your personal information, such as your name, Social Security number, date of birth, bank account number (without access code or pin), and information regarding your Forever21 health plan, including enrollment and premiums paid.”

Letter Raises More Questions than Answers

Forever 21 notes in the breach notification letter that the company has taken steps to “help assure” that the unauthorized third party no longer has access to the data and has not copied, retained, or further disclosed it. This has led to speculation that Forever 21 paid a ransom to the unauthorized third party – which, historically, doesn’t “help assure” the data will not be further disclosed.

Additionally, although the notification letter includes details of the credit monitoring and identity theft services available to potentially affected individuals, there is no advice about obtaining a copy of PHI from individuals’ healthcare providers to ensure stolen data is not used to obtain healthcare or other health services (e.g., prescription drugs) in the individuals’ names.

This could mean that no Protected Health Information was exposed in the data breach, or that Forever 21 has omitted this important piece of advice for affected individuals. The latter is more likely if the data exposed in the external system breach included details of how the premiums were calculated or what payments had been made by the health plan for individuals’ treatments.

At the time of publication, Forever 21 has not reported the data breach to HHS’ Office for Civil Rights. However, as the date the breach was discovered on the Maine Attorney General website is entered as August 4, 2023, the company has until October 3, 2023, to notify the agency – if Protected Health Information was exposed and the external system breach qualifies as a HIPAA data breach.


Orrick, Herrington & Sutcliffe Sued Over Ransomware Attack and Data Breach

The San Francisco, CA-based law firm, Orrick, Herrington & Sutcliffe LLP, is facing a class action lawsuit over a ransomware attack and data breach that was detected on March 13, 2023. The law firm determined that part of its network had been compromised by an unauthorized third party, which gained access to a file share that was used to store client files. The unauthorized access was immediately blocked; however, the forensic investigation confirmed that files containing personal information had been exfiltrated from its servers between February 28 and March 13, 2023. The compromised information included names, addresses, dates of birth, and Social Security numbers. The law firm offered the affected individuals complimentary credit monitoring and identity theft protection services.

On August 11, 2023, a lawsuit was filed in the U.S. District Court for the Northern District of California on behalf of plaintiff Dennis R Werley, and more than 152,818 similarly situated individuals who had their personal information compromised in the attack. The lawsuit alleges the law firm failed to implement adequate and reasonable measures to protect its computer systems, failed to take adequate steps to prevent and stop the breach, did not detect the breach in a timely manner, failed to disclose material facts that adequate system security measures were not in place to prevent data breaches, failed to honor repeated promises and representations to protect the information of the breach victims, and then failed to provide timely notifications. According to the lawsuit, “Thanks to Defendant’s failure to protect the Breach Victims’ Personal Information, cyber criminals were able to steal everything they could possibly need to commit nearly every conceivable form of identity theft and wreak havoc on the financial and personal lives of potentially millions of individuals.”

The lawsuit alleges the plaintiff and class members have had their privacy violated and have been victims of identity theft and fraud or have been exposed to a heightened and imminent risk of fraud and identity theft, and have and will continue to incur out-of-pocket costs for credit monitoring services, credit freezes, and other protective measures. The lawsuit includes a long list of cybersecurity measures that the law firm could and should have implemented to prevent the data breach but failed to do so.

The lawsuit alleges negligence, negligence per se, breach of fiduciary duty, breach of confidence, breach of implied contract, and invasion of privacy and seeks a jury trial, compensatory damages, adequate credit monitoring services, and injunctive relief, including an order from the court requiring the law firm to implement a swathe of security measures to prevent future data breaches.


PHI Included in Mom’s Meals Data Breach

The parent company of the Mom’s Meals home delivery meal service – PurFood LLC – has published a Notice of Data Event on its website and filed a Data Breach Notification with the Maine Attorney General following a cyberattack earlier this year in which personal information relating to 1,237,681 customers, employees, and contractors is believed to have been stolen.

PurFood LLC – trading as Mom’s Meals – delivers refrigerated ready-to-eat meals nationwide to customers with special nutritional requirements. As well as supplying private customers, the company works with more than five hundred health plans, managed care organizations, and other agencies to provide access to meals for people covered by Medicare and Medicaid.

According to a Notice of Data Event on the company’s website, Mom’s Meals experienced a cyberattack between January 16, 2023, and February 22, 2023, that resulted in customer, employee, and contractor data being encrypted. An investigation into the cyberattack revealed the presence of data exfiltration software that may have been used to transfer data from PurFood’s servers.

The investigation determined that the encrypted files included personal and protected health information related to certain individuals. However, there is no confirmation that data was exfiltrated, and the Notice of Data Event notes the company has not seen any evidence of personal information being misused or further disclosed as a result of the Mom’s Meals data breach.

Nonetheless, the company has filed a Data Breach Notification with the Maine Attorney General and is in the process of notifying potentially affected individuals via U.S. Mail. At the time of publication, the company’s name does not appear on the HIPAA Breach Report. However, according to the Data Breach Notification, the date the breach was “discovered” is recorded as July 10, 2023.

What Data is Believed Stolen in the Mom’s Meals Data Breach?

The data believed stolen in the Mom’s Meals data breach includes dates of birth, driver’s license numbers, account information, payment card information, health information, medical record numbers, Medicare and Medicaid identifiers, treatment information, diagnosis codes, meal categories and costs, health insurance information, Social Security numbers, and patient ID numbers.

In order to prevent a repeat of the incident, PurFood states in its breach notification letter that the company has taken a number of steps to strengthen its security network and is reviewing its existing policies and procedures to identify any additional measures and safeguards that may be necessary. It is also providing credit monitoring, fraud consultation, and identity theft restoration services for a year.

Individuals who receive a breach notification letter relating to the Mom’s Meals data breach are advised to register for the credit monitoring services provided by the company, examine any correspondence from Medicare, Medicaid, or an insurer to ensure the services mentioned have been received (and report any discrepancies), and monitor their credit report – placing a freeze on the credit report if they are concerned about being a victim of identity theft.


Medical Records from Prospect Ransomware Attack Appear on Dark Web

Medical records extracted during the recent Prospect Medical Holdings ransomware attack are allegedly being offered for sale on the dark web, according to social media sources. The notification of the sale has been interpreted as a signal to Prospect Medical Holdings to quickly respond to the hackers’ ransom demands.

On August 3, the Prospect Medical Holdings health system was hit by a ransomware attack that crippled operations at the health system’s 17 hospitals and 166 outpatient clinics. At the time, the perpetrators of the attack were unknown. However, last week, a notice appeared on the Rhysida dark leak site, claiming responsibility for the attack.

The notice also announced an auction of data hacked in the attack – the data consisting of more than 500,000 Social Security Numbers, passports of clients and employees, drivers’ licenses, patient files (profiles and medical histories), financial and legal documents. In all, it is claimed, the sale consists of 1TB of unique files and a 1.3TB SQL database.

The notice was accompanied by several snapshots of the stolen data – some of which has been independently verified as genuine by comparing the snapshots to publicly available records – and a price tag of 50 Bitcoin ($1,298,340). The addition of the price tag has led some sources to comment that the notice is intended to accelerate a ransom payment.

It is not known at this time whether the sale will proceed or whether Prospect Medical Holdings will give in to the ransom demands. As of this past weekend, some services continue to be suspended and staff in some medical units are still having to rely on paper records. A spokesperson for Prospect Medical Holdings also issued the following statement:

“We have become aware that Prospect Medical data was taken by unauthorized actors, the nature of which is being actively examined. If the investigation determines that any protected health or personal information is involved, we will provide the appropriate notifications in accordance with applicable laws. Because our investigation is ongoing, we do not have additional information to share at this time. We are taking all appropriate measures to address this incident.”


Ransomware Attack Key Factor in H1 Operating Losses of $102.6 Million for Point32 Health

Point32Health has reported operating losses of $102.7 million for the first 6 months of 2023 on $4.8 billion in revenue, compared to losses of $25.8 million in the first 6 months of 2022 on $4.9 billion in revenue. The $76.9 million difference has largely been attributed to the ransomware attack it detected on April 17, 2023, although details of the actual cost of the attack have not been released.

The attack saw sensitive data exfiltrated from the systems of Harvard Pilgrim Health Care between March 28, 2023, and April 17, 2023, including the protected health information of current and former subscribers, their dependents, and current contracted providers. The compromised information included names, Social Security numbers, and taxpayer identification numbers. The breach was reported to the HHS’ Office for Civil Rights as affecting 2,550,922 individuals.

The attack resulted in systems being taken offline for several weeks, including the systems that support the Harvard Pilgrim Health Care Commercial and Medicare Advantage Stride℠ plans (HMO)/(HMO-POS). The recovery process was slow as systems had to be restored in a specific order. It took until late July – three months after the attack was detected – to fully resume normal operations, although it took until August to clear a backlog of 1 million claims that had been delayed due to the cyberattack.

Point32Health’s Chief Financial Officer, Scott Walker, said the company is still on a solid financial footing and that the losses due to the cyberattack were transient and one-time in nature; however, Point32Health is likely to continue to face costs from the data breach. Multiple class action lawsuits have been filed over the data breach.


Mississippi Health System Investigating Cyberattack

Singing River Health System in Mississippi, which operates Pascagoula Hospital, Ocean Springs Hospital, and Gulfport Hospital, detected unusual activity within its IT systems last week and is investigating a potential cyberattack. On Monday, the health system took its IT systems offline to preserve system integrity and downtime procedures remain in place.

Shannon Wall, SRHS Chief Marketing Officer, said “We are working diligently with third-party specialists to investigate the source of this disruption and to confirm its impact on our systems as soon as possible. We have also engaged with the appropriate law enforcement authorities.” She also confirmed that the IT security team is working around the clock to investigate the incident, ensure systems are secured, and will start bringing systems back online when it is safe to do so. A timeline has not been provided on when systems will be restored. Further details on the nature of the attack, such as if this is a ransomware incident, have not been released.

The health system is continuing to see patients, but there are delays due to the lack of access to IT systems. Radiology services at its clinics have been halted, although they continue at its hospitals. At this stage of the investigation, it is unclear to what extent, if any, patient data has been compromised.

MOVEit Hacking Victims

More healthcare organizations have confirmed they have been affected by the mass exploitation of a zero-day vulnerability in the MOVEit Transfer file transfer solution by the Clop hacking group. The vulnerability was identified on May 31, 2023, and a patch was released that day by Progress Software; however, the vulnerability had already been exploited and data exfiltrated by the Clop threat actors.

The Harris Center for Mental Health and IDD

The Harris Center for Mental Health and IDD in Houston, TX, has recently confirmed that the protected health information of 599,367 individuals was compromised in the attack. The Harris Center does not use the MOVEit Transfer solution; however, one of its service providers did and had data stolen. The internal investigation confirmed on August 9, 2023, that the compromised protected health information included names, addresses, dates of birth, Social Security numbers, and health insurance information. The Harris Center started sending written notifications to the affected individuals on August 17, 2023.

UofL Health

UofL Health in Louisville, KY, said its internal investigation confirmed on June 21, 2023, that the hackers gained access to files that contained patient names, addresses, dates of birth, patient account numbers, dates of service, member ID numbers, and Social Security numbers. The affected individuals have been notified by mail and have been offered complimentary credit monitoring and identity theft protection services. UofL Health has reported the breach to the appropriate authorities, but it is currently unclear how many patients have been affected.

Baesman Group, Inc.

The Baesman Group, Inc., a Hilliard, OH-based provider of CRM, customer loyalty, and marketing services, confirmed it had been affected by the MOVEit hacks, and had data stolen on May 29, 2023. Notification letters are being sent to the 4,000 individuals that were affected. The substitute breach notification on its website does not state what types of data were stolen in the attack.


Morris Hospital & Healthcare Centers Notifies Almost 249,000 Patients About April Cyberattack

Morris Hospital & Healthcare Centers in Illinois has started notifying 248,943 individuals about a cyberattack that was detected on April 4, 2023. When the breach was detected, third-party cybersecurity experts were engaged to investigate and determine the nature and scope of the incident and confirmed that files containing protected health information had been exfiltrated from its systems by unauthorized individuals.

The stolen files included the protected health information of current and former patients, employees, and their dependents and beneficiaries, including names, addresses, dates of birth, Social Security numbers, medical record numbers, account numbers, and diagnostic/treatment codes. While there has been no detected misuse of the stolen data, affected individuals have been advised to be cautious and take advantage of the complimentary identity theft resolution services that have been offered.

Morris Hospital & Healthcare Centers did not state the identity of the attackers in the notification letters, nor mention the nature of the attack. The HIPAA Journal can confirm that the Royal Ransomware group has claimed responsibility for the attack and added Morris Hospital to its dark web data leak site on May 22, 2023, along with some of the data that was compromised in the attack.

Jefferson Health DEXA Scan Backup Drive Lost or Stolen

Jefferson Health has recently started notifying patients of its Cherry Hill Hospital in New Jersey that some of their protected health information may have been compromised. Data was stored on a backup drive that was connected to its DEXA scan device. During routine maintenance, its vendor discovered the backup drive to be missing. An investigation was launched; however, it was not possible to determine what happened to the drive and it has been presumed lost or stolen.

The backup drive contained names, dates of birth, medical record numbers, study dates, and, for some individuals, mailing addresses. The drive also held other information, but it could not be accessed without valid credentials and the appropriate software and technology. That information included diagnoses, phone numbers, Social Security numbers, insurance information, driver’s license numbers, and scans. Jefferson Health said it is reviewing and enhancing its security protocols to prevent similar incidents in the future.

The incident is not yet showing on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Pathways to Wellness Medication Clinics Reports Ransomware Attack

Patients of Pathways to Wellness Medication Clinics in Oakland, Union City, and Pleasanton in California have been notified that some of their protected health information was exposed in a cyberattack that was detected on March 28, 2023. An unauthorized individual gained access to and disabled its network. Third-party cybersecurity experts were engaged to investigate the breach and secure its systems and technical safeguards have been reviewed and are being updated to better protect patient data.

While no reports of misuse of patient data had been received up to July 5, 2023, data theft may have occurred. The exposed information included: first name, last name, address, health insurance information, provider name, Social Security number, date of birth, and gender. Affected individuals have been offered complimentary single bureau credit monitoring services. The incident has not yet been added to the Office for Civil Rights breach portal so it is currently unclear how many individuals have been affected.
