Singing River Health System in Mississippi, which operates Pascagoula Hospital, Ocean Springs Hospital, and Gulfport Hospital, detected unusual activity within its IT systems last week and is investigating a potential cyberattack. On Monday, the health system took its IT systems offline to preserve system integrity and downtime procedures remain in place.

Shannon Wall, SRHS Chief Marketing Officer, said “We are working diligently with third-party specialists to investigate the source of this disruption and to confirm its impact on our systems as soon as possible. We have also engaged with the appropriate law enforcement authorities.” She also confirmed that the IT security team is working around the clock to investigate the incident, ensure systems are secured, and will start bringing systems back online when it is safe to do so. A timeline has not been provided on when systems will be restored. Further details on the nature of the attack, such as if this is a ransomware incident, have not been released.

The health system is continuing to see patients but there are delays due to the lack of access to IT systems. Radiology services at its clinics have been halted, although will continue at its hospitals. At this stage of the investigation, it is unclear to what extent, if any, patient data has been compromised.

MOVEit Hacking Victims

More healthcare organizations have confirmed they have been affected by the mass exploitation of a zero day vulnerability in the MOVEit Transfer file transfer solution by the Clop hacking group. The vulnerability was identified on May 31, 2023, and a patch was released that day by Progress Software; however, the vulnerability had already been exploited and data exfiltrated by the Clop threat actors.

The Harris Center for Mental Health and IDD

The Harris Center for Mental Health and IDD in Houston, TX, has recently confirmed that the protected health information of 599,367 individuals was compromised in the attack. The Harris Center does not use the MOVEit Transfer solution; however, one of its service providers did and had data stolen. The internal investigation confirmed on August 9, 2023, that the compromised protected health information included names, addresses, dates of birth, Social Security numbers, and health insurance information. The Harris Center started sending written notifications to the affected individuals on August 17, 2023.

UofL Health

UofL Health in Louisville, KY, said its internal investigation confirmed on June 21, 2023, that the hackers gained access to files that contained patient names, addresses, dates of birth, patient account numbers, dates of service, member ID numbers, and Social Security numbers. The affected individuals have been notified by mail and have been offered complimentary credit monitoring and identity theft protection services. UofL Health has reported the breach to the appropriate authorities, but it is currently unclear how many patients have been affected.

Baesman Group, Inc.

The Baesman Group, Inc., a Hilliard, OH-based provider of CRM, customer loyalty, and marketing services, confirmed it had been affected by the MOVEit hacks, and had data stolen on May 29, 2023. Notification letters are being sent to the 4,000 individuals that were affected. The substitute breach notification on its website does not state what types of data were stolen in the attack.

The post Mississippi Health System Investigating Cyberattack appeared first on HIPAA Journal.

Morris Hospital & Healthcare Centers in Illinois has started notifying 248,943 individuals about a cyberattack that was detected on April 4, 2023. When the breach was detected, third-party cybersecurity experts were engaged to investigate and determine the nature and scope of the incident and confirmed that files containing protected health information had been exfiltrated from its systems by unauthorized individuals.

The stolen files included the protected health information of current and former patients, employees, and their dependents and beneficiaries, including names, addresses, dates of birth, Social Security numbers, medical record numbers, account numbers, and diagnostic/treatment codes. While there has been no detected misuse of the stolen data, affected individuals have been advised to be cautious and take advantage of the complimentary identity theft resolution services that have been offered.

Morris Hospital & Healthcare Centers did not state the identity of the attackers in the notification letters, nor mention the nature of the attack. The HIPAA Journal can confirm that the Royal Ransomware group has claimed responsibility for the attack and added Morris Hospital to its dark web data leak site on May 22, 2023, along with some of the data that was compromised in the attack.

Jefferson Health DEXA Scan Backup Drive Lost or Stolen

Jefferson Health has recently started notifying patients of its Cherry Hill Hospital in New Jersey that some of their protected health information may have been compromised. Data was stored on a backup drive that was connected to its DEXA scan device. During routine maintenance, its vendor discovered the backup drive to be missing. An investigation was launched; however, it was not possible to determine what happened to the drive and it has been presumed lost or stolen.

The backup drive contained names, dates of birth, medical record numbers, study dates, and, for some individuals, mailing addresses. The device also included other information, but it could not be accessed without valid credentials and the appropriate software and technology. That information included diagnoses, phone numbers, Social Security numbers, insurance information, driver’s license numbers, and scans. Jefferson Health said it is reviewing and enhancing its security protocols to prevent similar incidents in the future.

The incident is not yet showing on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Pathways to Wellness Medication Clinics Reports Ransomware Attack

Patients of Pathways to Wellness Medication Clinics in Oakland, Union City, and Pleasanton in California have been notified that some of their protected health information was exposed in a cyberattack that was detected on March 28, 2023. An unauthorized individual gained access to and disabled its network. Third-party cybersecurity experts were engaged to investigate the breach and secure its systems and technical safeguards have been reviewed and are being updated to better protect patient data.

While no reports of misuse of patient data had been received up to July 5, 2023, data theft may have occurred. The exposed information included: first name, last name, address, health insurance information, provider name, Social Security number, date of birth, and gender. Affected individuals have been offered complimentary single bureau credit monitoring services. The incident has not yet been added to the Office for Civil Rights breach portal so it is currently unclear how many individuals have been affected.

The post Morris Hospital & Healthcare Centers Notifies Almost 249,000 Patients About April Cyberattack appeared first on HIPAA Journal.

El Centro Del Barrio, doing business as CentroMed in San Antonio, TX, has alerted 350,000 patients that some of their protected health information was potentially compromised in a hacking incident that was detected on June 12, 2023. The forensic investigation confirmed that some of its IT systems were accessed by unauthorized individuals on June 9, 2023, and access to files containing protected health information was confirmed and data theft could not be ruled out. The affected files contained the information of current and former patients, employees, and employee and provider spouses, partners, and dependents.

The affected patient data included names, addresses, dates of birth, Social Security numbers, financial account information, medical records numbers, health insurance plan member IDs, and claims data (including any diagnoses listed on claims). Employee and spouse/partner/dependent information data included names, Social Security numbers, financial account information, health insurance plan member IDs, and claims data. The affected individuals started to be notified by mail on August 11, 2023. CentroMed said additional safeguards and technical security measures have been implemented to prevent similar breaches in the future.

MOVEit Transfer Hacking Victims

Several more organizations have confirmed that they had data stolen by the Clop hacking group, which exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution.

Unum Group

Unum Group has confirmed that the protected health information of 531,732 individuals was compromised. Suspicious activity was detected within its environment on June 1, 2023, and it was confirmed on July 22, 2023, that the following data types had been compromised: name, date of birth, address, Social Security number or individual tax identification number, medical, health insurance claim, and policy information. A limited number of individuals also had financial information and/or other government-issued identification numbers compromised. Credit monitoring and identity protection services have been offered.

UMass Chan Medical School

UMass Chan Medical School said the protected health information of 134,000 individuals was compromised in the attack. The breach was discovered on June 1, 2023, and it determined the individuals and compromised data types on July 27, 2023. The information involved varied from individual to individual and may have included the following data types: name, date of birth, mailing address, diagnosis/treatment information, prescription information, provider name, date(s) of service, claim information, health insurance member ID number, other health insurance-related information, Social Security number, and financial account information. Credit monitoring and identity protection services have been offered.

Sovos Compliance

Sovos Compliance, a provider of tax compliance and business-to-government reporting software, reported its breach to the Maine Attorney General as affecting a total of 18,513 individuals, although its OCR breach report indicates the PHI of 4,563 individuals was compromised in the attack. The breach was discovered on June 12, 2023, and the investigation confirmed personally identifiable information and Social Security numbers had been stolen. Credit monitoring and identity protection services have been offered.

Data Media Associates

Data Media Associates, a billing service provider to UB Dental Clinic in Buffalo, NY, said its investigation confirmed on July 20, 2023, that the data of 765 UB Dental patients was compromised. The breach was limited to patients who received billing statements between May 4 and May 26, 2023. The compromised information involved the following data elements: practice demographics, patient account number, patient name, guarantor demographics, statement date, amount due, service date, service/payment descriptions, charge amount, payments, or adjustments.

The post CentroMed Notifies 350,000 Individuals About PHI Exposure appeared first on HIPAA Journal.

Cummins Behavioral Health Systems Inc. in Avon, IN, has recently reported a data security incident to the Maine attorney general that has affected 157,688 patients. On March 9, 2023, a ransom note was detected within its computer environment that had been placed there by an unauthorized individual. No file encryption occurred; however, the attacker claimed to have infiltrated sensitive data.

The forensic investigation confirmed that an unauthorized individual had access to its network between February 2, 2023, and March 9, 2023. The information removed from its systems included names, addresses, dates of birth, Social Security numbers, driver’s license/State ID numbers, financial account information, payment card information, usernames/passwords, health insurance information, and medical information. System security has been strengthened to prevent similar incidents in the future and affected individuals have been offered complimentary credit monitoring and identity theft protection services.

Email Encryption Failure Exposed Client Data at Redwood Coast Regional Center

Redwood Coast Regional Center (RCRC), a provider of services to individuals with developmental disabilities in Del Norte, Humboldt, Lake, and Mendocino Counties in California, has alerted 1,345 individuals about the exposure of some of their data. On June 14, RCRC’s mail server encryption software failed due to a system outage, which resulted in public health information being shared in plain text messages, which could potentially have been intercepted by unauthorized individuals. The exposed data was limited to client names, UCI numbers, addresses, dates of birth, and/or authorized service information. No information was exposed that would put clients at risk of identity theft. RCRC said it is reviewing its procedures and practices to prevent similar data exposures in the future.

Coastal Orthopedics Alerts Patients About Cyberattack and Data Breach

Bradenton, FL-based Coastal Orthopedics & Sports Medicine of Southwest Florida has recently confirmed that hackers gained access to its network and potentially obtained patient data. The cyberattack was detected on June 11, 2023, and the subsequent forensic investigation confirmed unauthorized access to its network between June 6, 2023, and June 11, 2023, and data exfiltration.

The breach investigation is ongoing, so it is currently unclear how many individuals have been affected or the exact types of information involved; however, the compromised data is likely to include a combination of names, Social Security numbers, patient identification numbers, medical record numbers, diagnosis information, other medical information, addresses, driver’s license number, health insurance information, financial account information, and dates of birth. Policies, procedures, and processes are being reviewed to reduce the likelihood of a similar event in the future and notification letters will be sent to the affected individuals when the file review has been completed.

Capital Neurological Surgeons Reports Email Account Breach

Capital Neurological Surgeons in Sacramento, CA, has recently discovered that an unauthorized individual gained access to an employee email account and potentially obtained patient information. The email account was accessed on January 17, 2023, with the forensic investigation confirming on July 20, 2023, that the account contained protected health information.

The information potentially compromised varied from patient to patient and may have included names in combination with one or more of the following: Social Security numbers, date of birth, driver’s license numbers or state identification numbers, medical information (diagnosis/clinical information, treatment type or location, doctor name, medical procedure information, medical record number, patient account number, and/or prescription information), and/or health insurance policy information. Affected individuals were notified by mail on August 4, 2023. The delay in issuing notification letters was due to the lengthy file review. Complimentary credit monitoring services have been offered to individuals who had their Social Security numbers compromised.

The incident is not yet showing on the HHS’ Office for Civil Rights breach portal, so it is currently clear how many individuals have been affected.

The post Cummins Behavioral Health Reports 157K Record Data Breach appeared first on HIPAA Journal.

Tift Regional Medical Center in Georgia has started notifying 180,142 patients that their personal and protected health information was compromised in a cyberattack that was detected on or around August 16, 2022. According to the notification letters, there was no encryption of systems, access was not gained to its electronic medical record system, and the network remained available to staff and patients. The forensic investigation of the incident indicated files “were or may have been accessed or copied without authorization between August 11, 2022, and August 17, 2022.” The attack was conducted by the Hive ransomware group, which was the subject of a law enforcement takedown in January 2023. The Hive group claimed to have stolen 1TB of data in the attack, some of which was released on its data leak site.

The affected patients were informed that the files contained names, dates of birth, Social Security numbers, and medical information. Complimentary credit monitoring services have been offered for 12 months. The HIPAA Breach Notification Rule requires notifications to be issued within 60 days of the discovery of a data breach, and the HHS was notified on time (October 14, 2022). A provisional total of 500 records was reported as it was not known at the time how many individuals had been affected. Individual notifications are also required in that same time frame. Tift Regional Medical Center did not explain in the notification letters why there was a delay in sending the notification letters.

Health Plan Member Data Compromised in Ransomware Attack on the City of Dallas

The city of Dallas suffered a ransomware attack on May 3, 2023, that impacted several of its websites and IT systems. Online services were offline for several days with some IT systems across its network down for several weeks following the attack. The city has reportedly paid at least $8.6 million for hardware, software, incident response, and consulting services in response to the Royal ransomware attack. The city has recently notified the HHS’ Office for Civil Rights that the protected health information of 30,253 members of its self-insured group health plans had their data stolen in the attack, including names, addresses, social security numbers, and medical and health information.

Confirmed MOVEit Transfer Hacks by the Clop Hacking Group

The following HIPAA-regulated entities have recently confirmed that they were affected by the MOVEit Transfer hacks by the Clop group in late May 2023. A zero day vulnerability was exploited in Progress Software’s file transfer solution, data was stolen, and ransom demands were issued.

United Healthcare Services, Inc., MN.

Individuals affected: 398,319

Attacked entity: United Healthcare Services.

Information compromised: name, date of birth, address, phone number, email address, plan identification number, policy information, student identification number, Social Security number or national identification number, and claim information, including claim numbers, provider information, dates of service, diagnosis codes, prescription information, and financial information associated with claims.

Credit Monitoring: Norton LifeLock credit monitoring and identity theft protection for 24 months.

VNS Health Plans, NY

Individuals affected: 103,775

Attacked entity: VNS Health Plans’ claims processing vendor, TMG Health Inc.

Information compromised: name, mailing address, telephone number, email address, date of birth, social security number, member ID, Medicare and/or Medicaid number, benefit and subsidy information, billing information, medical claims information, healthcare provider name and specialty, and dates of service.

Credit Monitoring: Personal Identity and Privacy Protection through IDX for 12 months.

Vecino Health Centers, TX

Individuals affected: No information at this stage.

Attacked entity: Harris Health.

Information compromised: name, date of birth, prescription date(s).

Credit Monitoring: Not stated in the substitute breach notice.

The post Tift Regional Medical Center Patients Notified About August 2022 Cyberattack appeared first on HIPAA Journal.

The Colorado Department of Health Care Policy and Financing (HCPF), which oversees the state’s Medicaid program and the Child Health Plan Plus (CHP+) program, has recently confirmed that the protected health information of 4,091,794 individuals was compromised. The attack occurred at IBM, one of its vendors, and involved the MOVEit Transfer application that was used by IBM for file transfers. HCPF said its own systems were not affected.

Hackers (Clop) exploited a zero day vulnerability in the MOVEit Transfer file transfer solution and exfiltrated data and attempted to extort money from the victims. The information security firm Kon Briefing has been tracking the incidents and reports that at least 670 organizations fell victim to the attacks and the records of 46 million individuals are known to have been compromised.

HCPF said the breach involved the data of Health First Colorado and CHP+ users and included names, Social Security numbers, Medicaid and Medicare IUD numbers, birth dates, addresses and other contact information, demographic/income information, health insurance information and clinical and medical information, including diagnoses, conditions, lab results, medications, and other treatment information. 24 months of complimentary credit monitoring and identity theft protection services have been offered to the affected individuals.

Several other HIPAA-regulated entities have confirmed that they have been affected. Radius Global Solutions, a Minnesota-based HIPAA business associate that provides customer engagement and technology services, has confirmed that the protected health information of 600,794 individuals was compromised in the Clop MOVEit Transfer attacks, including names, dates of birth, Social Security numbers, treatment codes, treatment locations, health insurance provider names, and treatment payment histories. 24 months of complimentary credit monitoring and identity theft protection services have been offered to the affected individuals.

Indiana Family and Social Services Administration has recently confirmed that the state Medicaid enrollment broker, Maximus Health Services Inc., had its MOVEit server hacked and the protected health information of 744,000 Indiana Medicaid members was compromised including names, addresses, case numbers, and Medicaid numbers. Maximus handles the department’s communications with Medicaid recipients. The Clop group had access to its MOVEIt server from May 27 to May 31, 2023.

Florida Healthy Kids, a provider of health and dental insurance to children in Florida was also impacted by the Maximus breach, although it is currently unclear how many individuals had their data compromised in the incident. Maximus said 24 months of complimentary credit monitoring and identity theft protection services are being offered to the affected individuals.

Last month, Johns Hopkins Health System confirmed that it was investigating a cyberattack that impacted systems used by Johns Hopkins University and Johns Hopkins Health System, and the data breach was reported to the HHS’ Office for Civil Rights by Johns Hopkins Health System as affecting 2584 individuals and by Howard County General Hospital as affecting 2975 individuals. Johns Hopkins has now confirmed that its MOVEit server was attacked, and Johns Hopkins Medicine has now notified the HHS’ Office for Civil Rights that the protected health information of 310,405 individuals was compromised in the attack and said it is in the process of notifying those individuals and will be offering complimentary credit monitoring and identity theft protection services to those individuals.

The post Records of 4 Million Coloradans Compromised in MOVEit Transfer Attack appeared first on HIPAA Journal.

Last month, Johns Hopkins Health System announced it was investigating a cyberattack and data breach, which was reported to the HHS’ Office for Civil Rights by Johns Hopkins Health System and Howard County General Hospital as affecting more than 5,500 individuals.

Hackers (Clop) exploited a zero day vulnerability in the MOVEit Transfer file transfer solution and exfiltrated data and attempted to extort money from the victims. The information security firm Kon Briefing has been tracking the incidents and reports that at least 670 organizations fell victim to the attacks and more than 41 million records are now confirmed as having been compromised. Johns Hopkins Medicine has now notified the HHS’ Office for Civil Rights that the protected health information of 310,405 individuals was compromised in the attack and said it is in the process of notifying those individuals. Complimentary credit monitoring and identity theft protection services are being offered to the affected individuals.

Several other HIPAA-regulated entities have confirmed that they have been affected. Radius Global Solutions, a Minnesota-based HIPAA business associate that provides customer engagement and technology services, has confirmed that the protected health information of 600,794 individuals was compromised in the Clop MOVEit Transfer attacks, including names, dates of birth, Social Security numbers, treatment codes, treatment locations, health insurance provider names, and treatment payment histories. 24 months of complimentary credit monitoring and identity theft protection services have been offered to the affected individuals.

The Colorado Department of Health Care Policy and Financing, which oversees the state’s Medicaid program and the Child Health Plan Plus (CHP+) program, was also affected. The protected health information of Health First Colorado and CHP+ users was compromised in the attack, including names, Social Security numbers, Medicaid and Medicare IUD numbers, birth dates, contact information, demographic/income information, health insurance information, and clinical and medical information, including diagnoses, conditions, lab results, medications, and other treatment information. 24 months of complimentary credit monitoring and identity theft protection services have been offered to the affected individuals. The incident was reported to the Maine Attorney General as affecting up to 4,091,794 individuals.

The Indiana Family and Social Services Administration has recently confirmed that the state Medicaid enrollment broker, Maximus Health Services Inc., had its MOVEit server hacked and the protected health information of 744,000 Indiana Medicaid members was compromised including names, addresses, case numbers, and Medicaid numbers. Maximus handles the department’s communications with Medicaid recipients. The Clop group had access to its MOVEit server from May 27 to May 31, 2023. Florida Healthy Kids, a provider of health and dental insurance to children in Florida, was also impacted by the Maximus breach, although it is currently unclear how many individuals had their data compromised in the incident. Maximus said 24 months of complimentary credit monitoring and identity theft protection services are being offered to the affected individuals.

The post Johns Hopkins Medicine Confirms More Than 310,400 Individuals Affected by MOVEit Hack appeared first on HIPAA Journal.

The Ottumwa Fire Department in Iowa has recently fired employees for alleged violations of the HIPAA Rules and other misconduct. The City of Ottumwa launched an investigation of three members of the fire department, two of whom have been terminated and one left the department in lieu of termination for “behaviors that violated department rules, safe practices, and the values and standards of the City of Ottumwa”.

The city engaged the law firm, Dentons Davis Brown, to investigate allegations of misconduct, which included sexual activity while on duty, disclosures of sensitive information to unauthorized individuals, and allowing unauthorized individuals to ride in fire vehicles.

Firefighters Derek Fye and Dillon McPherson were discovered to have violated the HIPAA rules by divulging patient information obtained by the fire department when responding to incidents, which included medical histories, conditions, and other information. Captain Bill Keith was similarly fired for HIPAA violations, allowing unauthorized individuals to ride in fire vehicles, failing to report instances of employee misconduct, and failing to adequately lead those under his command. Kye and Keith are entitled to request a hearing.

Brigham and Women’s Hospital Exposed Patient Data Over the Internet

Brigham and Women’s Hospital in Boston, MA, has alerted 987 patients about the impermissible disclosure of some of their protected health information. According to the notification letters, the data of patients who participated in a research study/quality improvement project has been exposed online. Graphs had been created as part of the study/project to share with others within the healthcare community using a data analytics tool called Tableau.

The graphs, which only included high-level and summary information, were accidentally posted to the public version of the Tableau tool; however, a link was included that, if clicked, allowed access to sensitive information including names, addresses, medical record numbers, dates of birth, email addresses, and phone numbers. Clinical information that could have been accessed included diagnoses, lab results, medications, and procedures. The exposed data varied from individual to individual. Affected individuals were notified on August 4, 2023.

For the research study, the data was published on the tool on February 25, 2018, and for the quality improvement project, on January 14, 2023. The publicly accessible link was discovered on June 8, 2023, and was removed on June 13. The research study data was accessible between February 25, 2018 – June 13, 2023, and the quality improvement project data was exposed between January 14, 2023 – June 13, 2023.

IVF Michigan Notifies Patients About February 2023 Ransomware Attack

IVF Michigan has recently notified 9,383 patients that some of their protected health information was compromised in a February 25, 2023, ransomware attack. IVF Michigan, which includes Ohio Fertility Centers, said its security software detected the attack almost immediately and disconnected systems from the internet and shut them down. IVF Michigan learned of the breach on February 28.  The incident was investigated by its security services vendor and it was determined that files had been accessed and were likely exfiltrated; however, no evidence has been found to indicate any misuse of patient data.

The files potentially obtained in the attack included names, addresses, zip codes, birth dates, driver’s license numbers, Social Security numbers, diagnoses, conditions, lab results, medications, treatment information, claims information, and credit card/bank account numbers. The information involved varied from individual to individual.

Jefferson County Health Center Reports Hacking Incident

Jefferson County Health Center in Fairfield, IA, has discovered unauthorized individuals gained access to its network between April 24, 2023, and May 30, 2023, and may have obtained files containing patients’ protected health information. The breach was detected on May 30, 2023, when suspicious activity was identified within its network.

While unauthorized network access was confirmed, evidence of data theft was not found; however, it is possible that sensitive data was stolen in the attack such as names, medical histories, diagnoses, medical treatment information, and health insurance information. The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

The post Ottumwa Fire Department Fires Employees for Misconduct and HIPAA Violations appeared first on HIPAA Journal.