HIPAA Breach News

CentroMed Notifies 350,000 Individuals About PHI Exposure

El Centro Del Barrio, doing business as CentroMed in San Antonio, TX, has alerted 350,000 patients that some of their protected health information was potentially compromised in a hacking incident that was detected on June 12, 2023. The forensic investigation confirmed that some of its IT systems were accessed by unauthorized individuals on June 9, 2023, and access to files containing protected health information was confirmed and data theft could not be ruled out. The affected files contained the information of current and former patients, employees, and employee and provider spouses, partners, and dependents.

The affected patient data included names, addresses, dates of birth, Social Security numbers, financial account information, medical record numbers, health insurance plan member IDs, and claims data (including any diagnoses listed on claims). Employee and spouse/partner/dependent data included names, Social Security numbers, financial account information, health insurance plan member IDs, and claims data. The affected individuals started to be notified by mail on August 11, 2023. CentroMed said additional safeguards and technical security measures have been implemented to prevent similar breaches in the future.

MOVEit Transfer Hacking Victims

Several more organizations have confirmed that they had data stolen by the Clop hacking group, which exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution.

Unum Group

Unum Group has confirmed that the protected health information of 531,732 individuals was compromised. Suspicious activity was detected within its environment on June 1, 2023, and it was confirmed on July 22, 2023, that the following data types had been compromised: name, date of birth, address, Social Security number or individual tax identification number, medical, health insurance claim, and policy information. A limited number of individuals also had financial information and/or other government-issued identification numbers compromised. Credit monitoring and identity protection services have been offered.

UMass Chan Medical School

UMass Chan Medical School said the protected health information of 134,000 individuals was compromised in the attack. The breach was discovered on June 1, 2023, and it determined the individuals and compromised data types on July 27, 2023. The information involved varied from individual to individual and may have included the following data types: name, date of birth, mailing address, diagnosis/treatment information, prescription information, provider name, date(s) of service, claim information, health insurance member ID number, other health insurance-related information, Social Security number, and financial account information. Credit monitoring and identity protection services have been offered.

Sovos Compliance

Sovos Compliance, a provider of tax compliance and business-to-government reporting software, reported its breach to the Maine Attorney General as affecting a total of 18,513 individuals, although its OCR breach report indicates the PHI of 4,563 individuals was compromised in the attack. The breach was discovered on June 12, 2023, and the investigation confirmed personally identifiable information and Social Security numbers had been stolen. Credit monitoring and identity protection services have been offered.

Data Media Associates

Data Media Associates, a billing service provider to UB Dental Clinic in Buffalo, NY, said its investigation confirmed on July 20, 2023, that the data of 765 UB Dental patients was compromised. The breach was limited to patients who received billing statements between May 4 and May 26, 2023. The compromised information involved the following data elements: practice demographics, patient account number, patient name, guarantor demographics, statement date, amount due, service date, service/payment descriptions, charge amount, payments, or adjustments.

The post CentroMed Notifies 350,000 Individuals About PHI Exposure appeared first on HIPAA Journal.

July 2023 Healthcare Data Breach Report

There was a 15.2% fall in reported data breaches in July with 56 breaches of 500 or more records reported to the HHS’ Office for Civil Rights (OCR), which makes July an average month for data breaches. Over the past 12 months, 57 breaches have been reported each month on average; however, July was not an average month in terms of the number of compromised records.

There was a 261% month-over-month increase in breached records in July, with 18,116,982 records breached across the 56 reported incidents. The incredibly high total was due to a major data breach at HCA Healthcare that saw the records of 11,270,000 individuals compromised.

The figures this month bring the running breach total for 2023 up to 395 incidents, across which the records of 59,569,604 individuals have been exposed or stolen. The average breach size for 2023 is 150,809 records and the median breach size is 4,209 records. Over the past 12 months, more than 81.76 million records have been breached across 683 incidents.

Largest Healthcare Data Breaches Reported in July

HCA Healthcare is a Nashville, TN-based health system that operates 182 hospitals and around 2,300 sites of care. Hackers gained access to an external electronic storage facility that was used by a business associate for automating the formatting of email messages, such as reminders sent to patients about scheduling appointments. While the breach was one of the largest ever reported, the data stolen in the attack was limited. HCA Healthcare said the data compromised was limited to name, city, state, zip code, email, telephone number, date of birth, gender, service date, location, and, in some instances, the date of the next appointment.

The second largest breach, reported by the Centers for Medicare and Medicaid Services (CMS) as affecting 1,362,470 Medicare recipients, was more severe due to the types of data compromised. The breach occurred at a CMS contractor, Maximus Federal Services, Inc. (Maximus). Maximus was one of hundreds of organizations to fall victim to the mass exploitation of a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution. Progress Software identified the vulnerability and issued a patch on May 31, 2023; however, the vulnerability had already been exploited by the Clop hacking group. The total number of victims of this breach has yet to be determined; however, Kon Briefing has been tracking the breach notifications and reports that at least 734 organizations had the vulnerability exploited and between 42.7 million and 47.6 million records were stolen in the attack. Clop did not encrypt data; it only stole files and issued ransom demands, payment of which was required to prevent the release or sale of the stolen data. In July, 26 breaches of 10,000 or more records were reported to OCR, 11 of which were due to the exploitation of the MOVEit vulnerability. All but two of the 26 breaches were due to hacking incidents.

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Cause of Breach
HCA Healthcare | TN | Business Associate | 11,270,000 | Hacking/IT Incident | Hacking incident – External electronic storage facility used by a business associate
Centers for Medicare & Medicaid Services | MD | Health Plan | 1,362,470 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion (Maximus)
Florida Health Sciences Center, Inc. dba Tampa General Hospital | FL | Healthcare Provider | 1,313,636 | Hacking/IT Incident | Hacking incident – Ransomware attack
Pension Benefit Information, LLC | MN | Business Associate | 1,209,825 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion
Allegheny County | PA | Healthcare Provider | 689,686 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion
United Healthcare Services, Inc. Single Affiliated Covered Entity | CT | Health Plan | 398,319 | Hacking/IT Incident | Hacking incident
Johns Hopkins Medicine | MD | Healthcare Provider | 310,405 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion
Harris County Hospital District d/b/a Harris Health System | TX | Healthcare Provider | 224,703 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion
Precision Anesthesia Billing LLC | FL | Business Associate | 209,200 | Hacking/IT Incident | Hacking incident – Ransomware attack
Fairfax Oral and Maxillofacial Surgery | VA | Healthcare Provider | 208,194 | Hacking/IT Incident | Hacking incident
The Chattanooga Heart Institute | TN | Healthcare Provider | 170,450 | Hacking/IT Incident | Hacking incident – Data theft confirmed
Phoenician Medical Center, Inc | AZ | Healthcare Provider | 162,500 | Hacking/IT Incident | Hacking incident – Data theft confirmed
UT Southwestern Medical Center | TX | Healthcare Provider | 98,437 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion
Hillsborough County, Florida (County Government) | FL | Healthcare Provider | 70,636 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion
Family Vision of Anderson, P.A. | SC | Healthcare Provider | 62,631 | Hacking/IT Incident | Hacking incident – Ransomware attack
Jefferson County Health Center | IA | Healthcare Provider | 53,827 | Hacking/IT Incident | Hacking incident – Data theft confirmed (Karakurt threat group)
New England Life Care, Inc. | ME | Healthcare Provider | 51,854 | Hacking/IT Incident | Hacking incident
Care N’ Care Insurance Company, Inc. | TX | Health Plan | 33,032 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion (TMG Health Inc)
Synergy Healthcare Services | GA | Business Associate | 25,772 | Hacking/IT Incident | Hacking incident
Rite Aid Corporation | PA | Healthcare Provider | 24,400 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion
Life Management Center of Northwest Florida, Inc. | FL | Healthcare Provider | 19,107 | Hacking/IT Incident | Hacking incident
Saint Francis Health System | OK | Healthcare Provider | 18,911 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion
Pennsylvania Department of Human Services | PA | Healthcare Provider | 16,390 | Unauthorized Access/Disclosure | Hacking incident – Unauthorized access to a system test website
The Vitality Group, LLC | IL | Business Associate | 15,569 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion
Wake Family Eye Care | NC | Healthcare Provider | 14,264 | Hacking/IT Incident | Hacking incident – Ransomware attack
East Houston Med and Ped Clinic | TX | Healthcare Provider | 10,000 | Unauthorized Access/Disclosure | Storage unit sold that contained boxes of patient records

Causes of July 2023 Data Breaches

Hacking incidents dominated the breach reports in July, with 49 incidents reported to OCR involving 18,083,328 records. The average breach size was 369,048 records and the median breach size was 9,383 records. The majority of these incidents were data theft and extortion incidents, where hackers gained access to networks, stole data, and issued ransom demands. Many hacking groups are now choosing not to encrypt files and are concentrating on data theft and extortion. When claiming responsibility for the MOVEit attacks, a spokesperson for the Clop group said they could have encrypted data but chose not to.

There were 7 unauthorized access/disclosure incidents reported involving the PHI of 33,654 individuals. The average breach size was 4,808 records and the median breach size was 1,541 records. Three of those incidents involved unauthorized access to paper records and three were email-related data breaches. There were no reported breaches involving the loss, theft, or impermissible disclosure of physical records or devices containing electronic PHI.

Where did the Data Breaches Occur?

The OCR breach portal lists data breaches by the reporting entity, although that is not necessarily where the data breach occurred. Business associates of HIPAA-covered entities may report their own breaches, they may be reported by the covered entity, or a combination of the two. For instance, Maximus reported its MOVEit Transfer breach as affecting 932 individuals, but many of its clients were affected and the total number of individuals affected was in the millions.

The raw data on the breach portal indicates 37 breaches at healthcare providers, 11 breaches at business associates, 7 at health plans, and one breach at a healthcare clearing house. The charts below are based on where the breach occurred, rather than the reporting entity.

Geographical Distribution of Data Breaches

Data breaches of 500 or more records were reported by HIPAA-regulated entities in 25 states. Texas was the worst affected state with 7 breaches, with Florida and California also badly affected.

State | Breaches
Texas | 7
Florida | 6
California | 5
Maryland, Pennsylvania & Tennessee | 4
Arizona & North Carolina | 3
Connecticut, Illinois & Minnesota | 2
Georgia, Idaho, Indiana, Iowa, Kentucky, Maine, Michigan, New Jersey, New York, Ohio, Oklahoma, South Carolina, Virginia & Washington | 1

HIPAA Enforcement Activity in July 2023

There were no enforcement actions announced by OCR or state attorneys general in July to resolve HIPAA violations.

Cummins Behavioral Health Reports 157K Record Data Breach

Cummins Behavioral Health Systems Inc. in Avon, IN, has recently reported a data security incident to the Maine attorney general that has affected 157,688 patients. On March 9, 2023, a ransom note was detected within its computer environment that had been placed there by an unauthorized individual. No file encryption occurred; however, the attacker claimed to have exfiltrated sensitive data.

The forensic investigation confirmed that an unauthorized individual had access to its network between February 2, 2023, and March 9, 2023. The information removed from its systems included names, addresses, dates of birth, Social Security numbers, driver’s license/State ID numbers, financial account information, payment card information, usernames/passwords, health insurance information, and medical information. System security has been strengthened to prevent similar incidents in the future and affected individuals have been offered complimentary credit monitoring and identity theft protection services.

Email Encryption Failure Exposed Client Data at Redwood Coast Regional Center

Redwood Coast Regional Center (RCRC), a provider of services to individuals with developmental disabilities in Del Norte, Humboldt, Lake, and Mendocino Counties in California, has alerted 1,345 individuals about the exposure of some of their data. On June 14, RCRC’s mail server encryption software failed due to a system outage, which resulted in public health information being shared in plain text messages, which could potentially have been intercepted by unauthorized individuals. The exposed data was limited to client names, UCI numbers, addresses, dates of birth, and/or authorized service information. No information was exposed that would put clients at risk of identity theft. RCRC said it is reviewing its procedures and practices to prevent similar data exposures in the future.

Coastal Orthopedics Alerts Patients About Cyberattack and Data Breach

Bradenton, FL-based Coastal Orthopedics & Sports Medicine of Southwest Florida has recently confirmed that hackers gained access to its network and potentially obtained patient data. The cyberattack was detected on June 11, 2023, and the subsequent forensic investigation confirmed unauthorized access to its network between June 6, 2023, and June 11, 2023, and data exfiltration.

The breach investigation is ongoing, so it is currently unclear how many individuals have been affected or the exact types of information involved; however, the compromised data is likely to include a combination of names, Social Security numbers, patient identification numbers, medical record numbers, diagnosis information, other medical information, addresses, driver’s license number, health insurance information, financial account information, and dates of birth. Policies, procedures, and processes are being reviewed to reduce the likelihood of a similar event in the future and notification letters will be sent to the affected individuals when the file review has been completed.

Capital Neurological Surgeons Reports Email Account Breach

Capital Neurological Surgeons in Sacramento, CA, has recently discovered that an unauthorized individual gained access to an employee email account and potentially obtained patient information. The email account was accessed on January 17, 2023, with the forensic investigation confirming on July 20, 2023, that the account contained protected health information.

The information potentially compromised varied from patient to patient and may have included names in combination with one or more of the following: Social Security numbers, date of birth, driver’s license numbers or state identification numbers, medical information (diagnosis/clinical information, treatment type or location, doctor name, medical procedure information, medical record number, patient account number, and/or prescription information), and/or health insurance policy information. Affected individuals were notified by mail on August 4, 2023. The delay in issuing notification letters was due to the lengthy file review. Complimentary credit monitoring services have been offered to individuals who had their Social Security numbers compromised.

The incident is not yet showing on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Tift Regional Medical Center Patients Notified About August 2022 Cyberattack

Tift Regional Medical Center in Georgia has started notifying 180,142 patients that their personal and protected health information was compromised in a cyberattack that was detected on or around August 16, 2022. According to the notification letters, there was no encryption of systems, access was not gained to its electronic medical record system, and the network remained available to staff and patients. The forensic investigation of the incident indicated files “were or may have been accessed or copied without authorization between August 11, 2022, and August 17, 2022.” The attack was conducted by the Hive ransomware group, which was the subject of a law enforcement takedown in January 2023. The Hive group claimed to have stolen 1TB of data in the attack, some of which was released on its data leak site.

The affected patients were informed that the files contained names, dates of birth, Social Security numbers, and medical information. Complimentary credit monitoring services have been offered for 12 months. The HIPAA Breach Notification Rule requires notifications to be issued within 60 days of the discovery of a data breach, and the HHS was notified on time (October 14, 2022). A provisional total of 500 records was reported as it was not known at the time how many individuals had been affected. Individual notifications are also required in that same time frame. Tift Regional Medical Center did not explain in the notification letters why there was a delay in sending the notification letters.

Health Plan Member Data Compromised in Ransomware Attack on the City of Dallas

The city of Dallas suffered a ransomware attack on May 3, 2023, that impacted several of its websites and IT systems. Online services were offline for several days, with some IT systems across its network down for several weeks following the attack. The city has reportedly paid at least $8.6 million for hardware, software, incident response, and consulting services in response to the Royal ransomware attack. The city has recently notified the HHS’ Office for Civil Rights that 30,253 members of its self-insured group health plans had their protected health information stolen in the attack, including names, addresses, Social Security numbers, and medical and health information.

Confirmed MOVEit Transfer Hacks by the Clop Hacking Group

The following HIPAA-regulated entities have recently confirmed that they were affected by the MOVEit Transfer hacks by the Clop group in late May 2023. A zero-day vulnerability was exploited in Progress Software’s file transfer solution, data was stolen, and ransom demands were issued.

United Healthcare Services, Inc., MN.

Individuals affected: 398,319

Attacked entity: United Healthcare Services.

Information compromised: name, date of birth, address, phone number, email address, plan identification number, policy information, student identification number, Social Security number or national identification number, and claim information, including claim numbers, provider information, dates of service, diagnosis codes, prescription information, and financial information associated with claims.

Credit Monitoring: Norton LifeLock credit monitoring and identity theft protection for 24 months.

VNS Health Plans, NY

Individuals affected: 103,775

Attacked entity: VNS Health Plans’ claims processing vendor, TMG Health Inc.

Information compromised: name, mailing address, telephone number, email address, date of birth, Social Security number, member ID, Medicare and/or Medicaid number, benefit and subsidy information, billing information, medical claims information, healthcare provider name and specialty, and dates of service.

Credit Monitoring: Personal Identity and Privacy Protection through IDX for 12 months.

Vecino Health Centers, TX

Individuals affected: No information at this stage.

Attacked entity: Harris Health.

Information compromised: name, date of birth, prescription date(s).

Credit Monitoring: Not stated in the substitute breach notice.

Records of 4 Million Coloradans Compromised in MOVEit Transfer Attack

The Colorado Department of Health Care Policy and Financing (HCPF), which oversees the state’s Medicaid program and the Child Health Plan Plus (CHP+) program, has recently confirmed that the protected health information of 4,091,794 individuals was compromised. The attack occurred at IBM, one of its vendors, and involved the MOVEit Transfer application that was used by IBM for file transfers. HCPF said its own systems were not affected.

Hackers (Clop) exploited a zero-day vulnerability in the MOVEit Transfer file transfer solution, exfiltrated data, and attempted to extort money from the victims. The information security firm Kon Briefing has been tracking the incidents and reports that at least 670 organizations fell victim to the attacks and the records of 46 million individuals are known to have been compromised.

HCPF said the breach involved the data of Health First Colorado and CHP+ users and included names, Social Security numbers, Medicaid and Medicare ID numbers, birth dates, addresses and other contact information, demographic/income information, health insurance information, and clinical and medical information, including diagnoses, conditions, lab results, medications, and other treatment information. 24 months of complimentary credit monitoring and identity theft protection services have been offered to the affected individuals.

Several other HIPAA-regulated entities have confirmed that they have been affected. Radius Global Solutions, a Minnesota-based HIPAA business associate that provides customer engagement and technology services, has confirmed that the protected health information of 600,794 individuals was compromised in the Clop MOVEit Transfer attacks, including names, dates of birth, Social Security numbers, treatment codes, treatment locations, health insurance provider names, and treatment payment histories. 24 months of complimentary credit monitoring and identity theft protection services have been offered to the affected individuals.

Indiana Family and Social Services Administration has recently confirmed that the state Medicaid enrollment broker, Maximus Health Services Inc., had its MOVEit server hacked and the protected health information of 744,000 Indiana Medicaid members was compromised, including names, addresses, case numbers, and Medicaid numbers. Maximus handles the department’s communications with Medicaid recipients. The Clop group had access to its MOVEit server from May 27 to May 31, 2023.

Florida Healthy Kids, a provider of health and dental insurance to children in Florida was also impacted by the Maximus breach, although it is currently unclear how many individuals had their data compromised in the incident. Maximus said 24 months of complimentary credit monitoring and identity theft protection services are being offered to the affected individuals.

Last month, Johns Hopkins Health System confirmed that it was investigating a cyberattack that impacted systems used by Johns Hopkins University and Johns Hopkins Health System. The data breach was reported to the HHS’ Office for Civil Rights by Johns Hopkins Health System as affecting 2,584 individuals and by Howard County General Hospital as affecting 2,975 individuals. Johns Hopkins has now confirmed that its MOVEit server was attacked, and Johns Hopkins Medicine has notified the HHS’ Office for Civil Rights that the protected health information of 310,405 individuals was compromised in the attack. It said it is in the process of notifying those individuals and will be offering them complimentary credit monitoring and identity theft protection services.

Johns Hopkins Medicine Confirms More Than 310,400 Individuals Affected by MOVEit Hack

Last month, Johns Hopkins Health System announced it was investigating a cyberattack and data breach, which was reported to the HHS’ Office for Civil Rights by Johns Hopkins Health System and Howard County General Hospital as affecting more than 5,500 individuals.

Hackers (Clop) exploited a zero-day vulnerability in the MOVEit Transfer file transfer solution, exfiltrated data, and attempted to extort money from the victims. The information security firm Kon Briefing has been tracking the incidents and reports that at least 670 organizations fell victim to the attacks and more than 41 million records are now confirmed as having been compromised. Johns Hopkins Medicine has now notified the HHS’ Office for Civil Rights that the protected health information of 310,405 individuals was compromised in the attack and said it is in the process of notifying those individuals. Complimentary credit monitoring and identity theft protection services are being offered to the affected individuals.

The Colorado Department of Health Care Policy and Financing, which oversees the state’s Medicaid program and the Child Health Plan Plus (CHP+) program, was also affected. The protected health information of Health First Colorado and CHP+ users was compromised in the attack, including names, Social Security numbers, Medicaid and Medicare ID numbers, birth dates, contact information, demographic/income information, health insurance information, and clinical and medical information, including diagnoses, conditions, lab results, medications, and other treatment information. 24 months of complimentary credit monitoring and identity theft protection services have been offered to the affected individuals. The incident was reported to the Maine Attorney General as affecting up to 4,091,794 individuals.

The Indiana Family and Social Services Administration has recently confirmed that the state Medicaid enrollment broker, Maximus Health Services Inc., had its MOVEit server hacked and the protected health information of 744,000 Indiana Medicaid members was compromised including names, addresses, case numbers, and Medicaid numbers. Maximus handles the department’s communications with Medicaid recipients. The Clop group had access to its MOVEit server from May 27 to May 31, 2023. Florida Healthy Kids, a provider of health and dental insurance to children in Florida, was also impacted by the Maximus breach, although it is currently unclear how many individuals had their data compromised in the incident. Maximus said 24 months of complimentary credit monitoring and identity theft protection services are being offered to the affected individuals.

Ottumwa Fire Department Fires Employees for Misconduct and HIPAA Violations

The Ottumwa Fire Department in Iowa has recently fired employees for alleged violations of the HIPAA Rules and other misconduct. The City of Ottumwa launched an investigation of three members of the fire department, two of whom have been terminated and one left the department in lieu of termination for “behaviors that violated department rules, safe practices, and the values and standards of the City of Ottumwa”.

The city engaged the law firm, Dentons Davis Brown, to investigate allegations of misconduct, which included sexual activity while on duty, disclosures of sensitive information to unauthorized individuals, and allowing unauthorized individuals to ride in fire vehicles.

Firefighters Derek Fye and Dillon McPherson were found to have violated the HIPAA Rules by divulging patient information obtained by the fire department when responding to incidents, which included medical histories, conditions, and other information. Captain Bill Keith was similarly fired for HIPAA violations, allowing unauthorized individuals to ride in fire vehicles, failing to report instances of employee misconduct, and failing to adequately lead those under his command. Fye and Keith are entitled to request a hearing.

Brigham and Women’s Hospital Exposed Patient Data Over the Internet

Brigham and Women’s Hospital in Boston, MA, has alerted 987 patients about the impermissible disclosure of some of their protected health information. According to the notification letters, the data of patients who participated in a research study/quality improvement project has been exposed online. Graphs had been created as part of the study/project to share with others within the healthcare community using a data analytics tool called Tableau.

The graphs, which only included high-level and summary information, were accidentally posted to the public version of the Tableau tool; however, a link was included that, if clicked, allowed access to sensitive information including names, addresses, medical record numbers, dates of birth, email addresses, and phone numbers. Clinical information that could have been accessed included diagnoses, lab results, medications, and procedures. The exposed data varied from individual to individual. Affected individuals were notified on August 4, 2023.

For the research study, the data was published on the tool on February 25, 2018, and for the quality improvement project, on January 14, 2023. The publicly accessible link was discovered on June 8, 2023, and was removed on June 13. The research study data was accessible from February 25, 2018, to June 13, 2023, and the quality improvement project data was exposed from January 14, 2023, to June 13, 2023.

IVF Michigan Notifies Patients About February 2023 Ransomware Attack

IVF Michigan has recently notified 9,383 patients that some of their protected health information was compromised in a February 25, 2023, ransomware attack. IVF Michigan, which includes Ohio Fertility Centers, said its security software detected the attack almost immediately, disconnected systems from the internet, and shut them down. IVF Michigan learned of the breach on February 28. The incident was investigated by its security services vendor, which determined that files had been accessed and were likely exfiltrated; however, no evidence has been found to indicate any misuse of patient data.

The files potentially obtained in the attack included names, addresses, zip codes, birth dates, driver’s license numbers, Social Security numbers, diagnoses, conditions, lab results, medications, treatment information, claims information, and credit card/bank account numbers. The information involved varied from individual to individual.

Jefferson County Health Center Reports Hacking Incident

Jefferson County Health Center in Fairfield, IA, has discovered that unauthorized individuals gained access to its network between April 24, 2023, and May 30, 2023, and may have obtained files containing patients’ protected health information. The breach was detected on May 30, 2023, when suspicious activity was identified within its network.

While unauthorized network access was confirmed, evidence of data theft was not found; however, it is possible that sensitive data was stolen in the attack such as names, medical histories, diagnoses, medical treatment information, and health insurance information. The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

The post Ottumwa Fire Department Fires Employees for Misconduct and HIPAA Violations appeared first on HIPAA Journal.

Missouri Department of Social Services Confirms Medicaid Recipients’ Data Compromised in MOVEit Hacks

Four more entities have confirmed they were affected by the mass hacks of the MOVEit Transfer file transfer solution and had protected health information stolen.

Missouri Department of Social Services

The Missouri Department of Social Services (DSS) has confirmed that the data of Medicaid recipients was compromised in the recent mass MOVEit hacks by the Clop threat group. Clop conducted hundreds of attacks starting on May 27, 2023, that exploited a zero-day vulnerability in the MOVEit Transfer file transfer solution – CVE-2023-34362. More than 610 companies, organizations, and other entities were attacked and had data stolen.

According to the Missouri DSS, the attack occurred at IBM Consulting. The Missouri DSS said that when it was made aware of the incident it disconnected the MOVEit servers from internal IT systems and launched an investigation into the breach. The DSS confirmed that no DSS systems were breached, only the MOVEit server, which contained data such as names, department client numbers, birth dates, benefit eligibility status/coverage, and medical claims information. It is currently unclear exactly how many Medicaid recipients were affected. The DSS said all Missouri Medicaid recipients are being notified about the breach as a precaution.

Omaha Health Insurance Company

The Omaha Health Insurance Company (OHIC), part of Mutual of Omaha, has reported a security breach at a third-party vendor that exposed the records of individuals who were enrolled in the Medicare Part D Prescription Drug Plan, which was issued by Mutual of Omaha Rx.

The vendor discovered the security breach on June 21, 2023, and notified OHIC about the breach on June 22, 2023. The OHIC investigation confirmed that sensitive data was downloaded by the threat group between May 30, 2023, and June 2, 2023. The exposed data included names, dates of birth, Social Security numbers, claims information, banking information, billing information, and treatment information. Affected individuals have been offered complimentary credit monitoring services. The vendor was not named in the notification sent to the state attorney general.

IU Health

IU Health in Indianapolis has confirmed that patient data was compromised in the mass MOVEit Transfer hacks. The incident occurred at a third-party claims processor, TMG Health. IU Health was notified about the breach on June 22, 2023, and was informed that IU Health Plan data was compromised, including names, member ID numbers, plan effective dates, and for some individuals, bank account information. IU Health Plans notified the affected members on August 4, 2023, and offered complimentary credit monitoring services. It is currently unclear how many plan members were affected.

Hillsborough County, FL

Hillsborough County in Florida has reported a breach of the protected health information of 70,636 patients to the HHS’ Office for Civil Rights. The county learned about the MOVEit Transfer breach on June 1, 2023, and determined on June 22, 2023, that the compromised data included individuals who received care through Hillsborough County Health Care Services. That information included names, Social Security numbers, dates of birth, home addresses, medical conditions, diagnoses, and disability codes. Certain vendors were notified that some employee data may have been compromised. The affected vendors will notify their employees directly.


LockBit Ransomware Group Threatens to Publish Stolen Cancer Patient Data

The LockBit ransomware group has added Varian Medical Systems to its data leak site and has threatened to publish the data of cancer patients if the ransom is not paid. Varian Medical Systems is a Palo Alto, CA-based provider of radiation oncology treatments and software for oncology departments and a subsidiary of Siemens Healthineers. Varian Medical Systems has not yet confirmed the data breach, and the LockBit group has not yet disclosed how much data was stolen in the attack, but it said Varian has been given until August 17, 2023, to enter into negotiations; otherwise, all stolen databases and patient data will be released on its dark web data leak site.

Karakurt Threat Group Says Data Stolen from McAlester Regional Health Center

The Karakurt ransomware group has recently added McAlester Regional Health Center to its data leak site and claims to have stolen more than 1,175 GB of data from the Oklahoma hospital, including 5 GB of SQL data on medical staff and medical reports containing sensitive patient information, including DNA data. According to the listing, the stolen employee data includes Social Security numbers and bank account information. The group has threatened to sell the data if the ransom is not paid. McAlester Regional Health Center has not verified the claim and has yet to announce a data breach on its website or report the incident to the HHS’ Office for Civil Rights.

Precision Anesthesia Billing LLC Reports Breach of the PHI of 209,200 Individuals

Precision Anesthesia Billing LLC (PAB), a Tampa, FL-based HIPAA business associate, reported a breach of the protected health information of 209,200 individuals to the HHS’ Office for Civil Rights on July 7, 2023. While no public notice about the data breach appears to have been published to date, the medical group Athens Anesthesia Associates (AAA) has confirmed that it was one of the entities affected by the breach.

AAA said it was informed by PAB on May 11, 2023, that the data of some of its patients had potentially been compromised. PAB said a well-known cyber threat actor that has conducted many successful cyberattacks was responsible but did not name the group. PAB was able to successfully stop the attack and secure its systems but said it was likely that files containing patient data were accessed and exfiltrated from its systems between May 4 and May 7, 2023. The information compromised in the incident included names, addresses, phone numbers, email addresses, dates of birth, ages, Social Security numbers, bank account numbers, insurance policy numbers, diagnoses, treatment information and dates, ultrasound images, medical record numbers, and hospital account numbers. AAA said it has offered affected patients two years of complimentary credit monitoring services.

Life Management Center of Northwest Florida Cyberattack Impacts 19,107 Individuals

Life Management Center of Northwest Florida, a provider of mental health, behavioral health, and family counseling services, discovered a security breach on March 31, 2023. Steps were immediately taken to secure its network and third-party forensics experts were engaged to investigate the incident. The investigation confirmed that an unauthorized actor accessed files that contained patient data. A comprehensive review of the affected files concluded on May 26, 2023, that the protected health information of 19,107 individuals had been compromised, including names, Social Security numbers, driver’s license numbers, medical treatment and/or diagnosis information, and health insurance information. Affected individuals were notified on July 25, 2023, and have been offered complimentary credit monitoring services.

Discovery at Home Falls Victim to Phishing Attack

Discovery at Home, a provider of home healthcare services to seniors in Florida and Texas, fell victim to a phishing attack on or around June 1, 2023, that saw the email account of an employee accessed by an unauthorized individual. Discovery at Home said the incident, “resulted in the inadvertent transmittal of personal health information via unencrypted e-mail to an unauthorized third-party sender.”

The compromised information included names, addresses, dates of birth, dates of service, treatment-related information, and health insurance information, including insurance beneficiary number, claim number, and policy number. At the time of issuing notification letters, Discovery at Home was unaware of any misuse of the compromised data. Discovery at Home said the email account was immediately secured when the breach was detected, steps have been taken to improve email security, and the employee in question has received further security awareness training. Affected individuals were notified by mail on July 31, 2023.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Bi-Bett Corporation Suffers Email Account Breach

Bi-Bett Corporation, a California-based provider of substance use disorder treatment services, has recently notified 4,722 patients that some of their protected health information was stored in an email account that was accessed by an unauthorized third party. Suspicious activity was identified in the email account on February 17, 2023; the account was immediately secured, and a third-party cybersecurity firm was engaged to investigate. On April 14, 2023, the cybersecurity firm confirmed that patient information may have been accessed or acquired.

The email account was reviewed to identify the affected individuals and the information that had been compromised, and that process was completed on May 22, 2023. The information compromised included first and last names, addresses, Social Security numbers, driver’s license numbers, Medicaid numbers, and/or medical reference numbers. Bi-Bett said it is working with third-party security experts to strengthen its security posture further. Affected individuals have been offered complimentary credit monitoring and identity theft protection services.
