Prospect Medical Holdings, Los Angeles, CA-based health system that operates 17 hospitals and 166 outpatient clinics in California, Connecticut, Pennsylvania, Rhode Island, and New Jersey has been hit with a ransomware attack that has disrupted operations across its network, including operations at its subsidiaries Crozer Health and the Eastern Connecticut Health Network (ECHN).

Prospect Medical Holdings said steps were immediately taken to prevent further unauthorized access and several IT systems were taken offline to protect those systems. Third-party cybersecurity specialists were engaged to investigate and determine the scope of the breach and the ransomware attack was reported to the Federal Bureau of Investigation (FBI), which has launched an investigation. The Department of Health and Human Services has offered federal assistance and said it is able to provide support, as needed, to prevent disruption to patient care.

Without access to IT systems, ambulances were diverted to other facilities in the immediate aftermath of the attack, and employees at the affected healthcare facilities adopted their emergency downtime procedures and reverted to using paper records.  ECHN said it took the decision to temporarily close some of its facilities including diagnostic labs, elective surgery and gastroenterology centers, and halted outpatient medical imaging, blood draw, and physical therapy services and is contacting patients to reschedule appointments.

The attack began on Thursday and efforts are still underway to restore its systems and return to normal operations. A spokesperson for Prospect Medical Holdings said, “While our investigation continues, we are focused on addressing the pressing needs of our patients as we work diligently to return to normal operations as quickly as possible.” At such an early stage of the investigation, the extent to which patient information was compromised has yet to be determined. It is currently unclear which ransomware group was behind the attack.

The post Ransomware Attack on Prospect Medical Holdings Affects Facilities in Multiple States appeared first on HIPAA Journal.

The protected health information of 1.7 million Oregon Medicaid patients has been stolen by the Clop threat group, which exploited a zero-day vulnerability in the MOVEit Transfer file transfer solution on or around May 30, 2023. The data breach occurred through a contractor used by the Oregon Health Plan – PH Tech – which was informed about the vulnerability and data breach on June 2 by Progress Software. According to PH Tech, the compromised information included names, dates of birth, Social Security numbers, mailing addresses, and email addresses, along with health information such as diagnoses, procedures, claim information, and plan ID numbers. Affected individuals are being notified by PH Tech and have been offered complimentary credit monitoring services. PH Tech said it immediately disabled the MOVEit solution when it learned about the compromise. The vulnerability was patched, and it rebuilt how the solution can be accessed to ensure that no one else is able to access files through the software.

Healthcare Victim Count Continues to Grow

The Health Plan of West Virginia, Inc. has recently confirmed that 1,292 members had data stolen. United Bank provides financial services to the health plan and recently confirmed that electronic records of recent premium payment and premium payment coupons were stolen. The stolen records related to a two-week period in May 2023, and included names, addresses, phone numbers, health plan identification numbers, group numbers, and images of premium payments.

Employees, students, and patients of Johns Hopkins Health System, Johns Hopkins All Children’s Hospital, and Johns Hopkins Howard County General Hospital had data stolen from MOVEit servers after the vulnerability was exploited, although personal health records do not appear to have been obtained. Johns Hopkins Health System has reported the breach to the Office for Civil Rights as affecting 2,584 patients and Howard County General Hospital has filed a breach report indicating 2,975 patients were affected.

The academic health system, UofLHealth, was also attacked and is still investigating the incident to determine the types of information involved and the number of individuals affected. The MOVEit tool was used by a small number of UofLHealth medical practices for transferring files to third-party vendors. Other known victims include Allegheny County in Pennsylvania (689,686 individuals), Sutter Senior Care (519 individuals), Harris Health System (224,703 individuals), UT Southwestern Medical Center (98,437 individuals), and CMS contractor Maximus (612,000 individuals).

The post 1.7 Million Oregon Health Plan Members Affected by MOVEit Hack appeared first on HIPAA Journal.

Allegheny County in Pennsylvania has recently confirmed that the protected health information of up to 689,686 individuals was compromised in a May 2023 hacking incident by the Clop threat group. Allegheny County was alerted about the breach on June 1, 2023, and it was confirmed that the group exfiltrated files containing sensitive data between May 28 and May 29, 2023. Allegheny County said it received assurances from the Clop group that the stolen data was deleted, per the group’s policy of only attacking and extorting money from businesses; however, affected individuals have been told to take steps to protect their personal information and to register for the complimentary credit monitoring and identity theft protection services that have been offered.

County officials confirmed that the compromised information included names, Social Security numbers, birth dates, driver’s license/state identification numbers, taxpayer identification numbers, student identification numbers, and for certain individuals, medical information such as diagnoses, treatment information, and admission dates, and health insurance and billing/claims information.

Sutter SeniorCare PACE, a nonprofit health plan based in Sacramento, CA, has also recently confirmed that it was affected and had plan member data compromised in the attacks. The file transfer solution was used by its business associate, Cognisight, LLC, which provides specialist healthcare management services. Cognisight was informed about the hacking incident on May 31, 2023, and its forensic investigation of the incident concluded on June 5, 2023. Sutter Senior Care was informed about the incident on July 12, 2023.

The information stolen in the attack included names, dates of birth, Social Security numbers, and health information such as patient identification numbers and diagnosis, treatment, and provider information. Credit monitoring and identity protection services have been offered to the affected individuals. The breach has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals were affected.

The post Sutter Senior Care and Allegheny County Have Data Compromised in MOVEit Transfer Hacks appeared first on HIPAA Journal.

The Chattanooga Heart Institute (CHI) in Tennessee has recently announced that it identified a cyberattack on its network on April 17, 2023. Action was immediately taken to prevent further unauthorized access and a third-party forensics vendor was engaged to investigate the incident and determine the nature and scope of the attack. The forensic investigation confirmed that unauthorized individuals gained access to its network between March 8, 2023, and March 16, 2023, and on May 31, 2023, the investigation confirmed that files containing sensitive patient data had been copied by the attackers.

CHI’s electronic medical record system was not compromised; however, the files removed from its system were found to contain names, mailing addresses, email addresses, phone numbers, birth dates, driver’s license numbers, Social Security numbers, account information, health insurance information, diagnosis/condition information, lab results, medications, and other clinical, demographic, or financial information. Notification letters will be sent to the affected individuals in the coming weeks and credit monitoring, fraud consultation, and identity theft restoration services will be offered.

The breach was recently reported to the Maine Attorney General as affecting up to 170,450 individuals. While CHI did not disclose which group was behind the attack, the Karakurt group has claimed responsibility for the attack. Karakurt is a relatively new threat group that has no qualms about attacking healthcare organizations.

58,000 Individuals Affected by Cyberattack on Synergy Healthcare Services

Synergy Healthcare Services (SHS) in Atlanta, GA, has recently reported a data breach to the Maine Attorney General that has affected up to 58,034 patients of its healthcare clients: Consulate Health Care, Raydiant Health Care, Independence Living Centers, and their affiliated care centers.

The administrative service provider said suspicious activity was detected within its network in early December 2022, and the forensic investigation confirmed on December 15, 2022, that an unauthorized third party accessed parts of its computer network where personal health information was stored. A third-party data review company was provided with the files on December 22, 2022, and provided the results of the analysis to SHS on May 16, 2023.

The files contained information such as names, birthdates, signatures, insurance details, contact information, government identification numbers including driver’s licenses and Social Security numbers, medical history/treatment information, and financial information. Complimentary credit monitoring services have been offered to the affected individuals and steps have been taken to harden security to prevent similar incidents in the future.

Cheyenne Radiology Group & MRI Reports December 2022 Ransomware Attack

Cheyenne Radiology Group & MRI, P.C. (CRG), in Wyoming, has recently issued notifications to its patients about a ransomware attack that was discovered and stopped on December 12, 2022. According to the notification letters, the attack disabled some of its computer systems, and while data theft was not confirmed, the possibility that information was removed from its systems could not be ruled out. Third-party forensics specialists investigated the incident and confirmed that the files potentially accessed included names, mailing addresses, birth dates, Social Security numbers, driver’s license numbers, and health insurance information. CRG said it wiped and rebuilt all affected systems and has hardened security to prevent similar breaches in the future. The incident was recently reported to the Maine Attorney General as affecting up to 10,420 individuals.

The post Up to 170,450 Patients Affected by Cyberattack on the Chattanooga Heart Institute appeared first on HIPAA Journal.

Reston, VA-based Maximus Inc., a government services contracting company, has announced in a Securities and Exchange Commission (SEC) filing that hackers exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer solution in May 2023 and accessed the protected health information (PHI) of between 8 and 11 million individuals. The Clop ransomware group was responsible for the attack and Maximus was one of hundreds of entities to be affected by the Clop group’s mass exploitation of the zero-day vulnerability.

According to the filing, Maximus used MOVEit Transfer for internal and external file sharing, including for sharing data with government customers that participate in various government programs. After being notified about the vulnerability and data breach by Progress Software, Maximus launched a forensic investigation and review of the affected files and while that process is still ongoing, Maximus confirmed that the impacted files contained protected health information. Maximus said it cannot confirm precisely how many individuals have been affected until the review process is completed, and that it anticipates that the process will take several more weeks.

Maximus has notified the affected customers and will provide notice to all affected individuals when the review concludes. Affected individuals will be offered complimentary credit monitoring and identity theft protection services for 24 months. Maximus has recorded expenses of $15 million for the quarter to June 30, 2023, in relation to the data breach.

The Department of Health and Human Services’ Centers for Medicare and Medicaid Services (CMS) has confirmed that the PHI of approximately 612,000 current Medicare recipients was exposed in this incident and up to 645,000 individuals in total. The CMS said it is working with Maximus to provide notice to the affected individuals. The CMS said the stolen data includes names, dates of birth, mailing addresses, telephone numbers, email addresses, Social Security numbers/taxpayer identification numbers, Medicare beneficiary numbers, driver’s license numbers, state identification numbers, health insurance information, claims information, health benefits and enrollment information, and medical histories, which include notes, medical records/account numbers, conditions, diagnoses, images, treatment information, and dates of service.

The post Up to 11 Million Health Records Compromised in Cyberattack on Government Contractor appeared first on HIPAA Journal.

Senator Rick Scott (R-FL) has written to FBI Director Christopher Wray requesting the law enforcement agency prioritize the investigation of a major cyberattack on Tampa General Hospital (TGH) that involved the medical records of more than 1.2 million people and bring the perpetrators behind the cyberattack to justice.

The attack in question was discovered by TGH administrators on May 31, 2023, with the forensic investigation determining that hackers had access to its network for 18 days, having gained initial access to its network on May 12, 2023. The attackers attempted to encrypt files; however, TGH was able to prevent encryption but could not prevent the exposure of patient data. The compromised systems contained names, addresses, dates of birth, Social Security numbers, medical record numbers, health insurance information, and more.

While the cyberattack is significant due to the amount of exposed data, it is far from the only such attack on a U.S. healthcare provider in recent years. Senator Scott cites a ransomware attack on Scripps Health in California in 2021 in which hackers stole 150,000 patient records, the attack on CommonSpirit Health in 2022 that affected many critical healthcare services across the United States, and the attack on St. Margaret’s Health in Illinois which disrupted the hospital’s billing systems and contributed to the permanent closure of the hospital. In addition to causing financial harm to healthcare providers and threatening patient safety, the data stolen in these attacks can be used for further criminal activity causing financial harm to patients.

If the threat actors behind these attacks are not identified, arrested, and prosecuted, they will continue to conduct attacks that threaten patient safety, cause considerable financial harm, and it is inevitable that other healthcare facilities will be forced to close. “I urge you to assign all necessary resources at your disposal to prioritize the investigation of this incident and ask that you keep my office apprised of your progress,” said Senator Scott.

Many of these attacks are conducted by threat groups operating out of China, Russia, and North Korea, which do not have extradition treaties with the United States and that makes it difficult to bring the perpetrators to justice. Senator Scott said these attacks pose a clear and present threat to critical health systems and has requested answers from Wray on the actions being taken to counter these threats, such as how the FBI is coordinating with health systems to prevent cyberattacks, what the FBI is doing to coordinate investigations of healthcare cyberattacks, whether the FBI believes that the majority of the threat actors behind these attacks are operating from outside the United States, and if so, the countries where these cyberattacks are originating.  Senator Scott also asked whether the FBI has sufficient resources to fully investigate these attacks and pursue the perpetrators and whether additional resources and authorities are needed.

The post Florida Senator Urges FBI to Prioritize Investigation of Tampa General Hospital Cyberattack appeared first on HIPAA Journal.

UT Southwestern Medical Center (UTSW) has recently confirmed that the protected health information of 98,437 patients was stolen in a cyberattack on May 28, 2023. The Clop ransomware group exploited a zero-day vulnerability in Progress Software’s MOVEit file transfer solution, gained access to UTSW’s MOVEit server, and exfiltrated files that contained names, medical record numbers, dates of birth, medication names, medication dosages, prescribing provider names. A subset of the affected individuals also had their Social Security numbers stolen. UTSW was notified about the attack by Progress Software on May 30, 2023, and the exploited vulnerability was immediately patched.

The German cybersecurity firm KonBriefing has recently announced that its data shows at least 455 organizations were attacked in this campaign, and at least 23 million individuals were affected. The Clop group has recently started posting victim data on its clear web data leak site.

Family Vision of Anderson Suffers Ransomware Attack

Family Vision of Anderson in South Carolina was the victim of a May 2023 ransomware attack. A ransom note was detected on its computer system on May 28, 2023, indicating files had been encrypted. Computer systems were immediately taken offline to prevent further unauthorized access, and law enforcement was notified. The US Secret Service assisted with the investigation and determined ransomware was used to encrypt files on May 21.

The attackers may have obtained files containing the information of patients and their family members, including names, dates of birth, Social Security numbers, driver’s license numbers, telephone numbers, email addresses, gender, medical record numbers, health insurance information, allergies and other medical history information, appointment dates, scheduled optometrist names, optometry prescriptions, and optometry eye scans. Security has been enhanced, and employees have been provided with further training. The breach was reported to the HHS’ Office for Civil Rights as affecting up to 62,631 individuals. Notification letters have been sent and affected individuals have been offered complimentary identity theft protection services.

17,000 Individuals Affected by LifeWorks Wellness Center Hacking Incident

LifeWorks Wellness Center in Clearwater, FL, has recently reported a data breach to the Maine Attorney General that has affected 17,000 patients. Hackers gained access to its internal file system on or around May 20, 2023, and the forensic investigation confirmed that files containing patient data had been viewed, and may have been stolen. LifeWorks said the hackers did not gain access to its patient database, which includes medical and treatment records. The compromised servers included the information of current and former patients and employees such as names, Social Security numbers, credit card numbers, health identification codes, and medical conditions and diagnoses. LifeWorks said it has implemented additional security measures to prevent similar breaches in the future.

UC Davis Health Reports Breach of Employee Email Account

On May 24, 2023, UC Davis Health in Sacramento, CA, confirmed that the email account of an employee had been accessed by an unauthorized individual. The employee used their work email account to coordinate follow-up care for patients and the account included limited protected health information. The forensic investigation confirmed that only one email account had been compromised, and the breach was detected quickly by its IT security systems; however, it is possible that sensitive data was copied. Affected individuals have been offered complimentary credit monitoring services for 12 months and the employee concerned has received additional training on email security. The incident has yet to appear on the HHS’ Office for Civil Rights Breach portal, so it is currently unclear how many individuals have been affected.

Paramedic Billing Services Confirms Hackers Had Access to Patient Data

Elmhurst, IL-based Paramedic Billing Services has recently announced that it fell victim to a cyberattack in late May 2023. Suspicious activity was identified in its computer network and systems were immediately secured to prevent further unauthorized access. On June 23, 2023, Paramedic Billing Services determined that an unauthorized third party had access to systems containing protected health information and may have copied certain files from its systems. Those files included names, contact information, dates of birth, medical information, health insurance information, Social Security numbers, driver’s license/state identification numbers, financial account information, and payment card information.

The file review is ongoing, so the total number of affected individuals has yet to be established. The incident has been reported to the HHS’ Office for Civil Rights as involving at least 501 individuals. Notification letters will be sent to affected individuals when the review is completed. Paramedic Billing Services said its existing policies, processes, and procedures relating to data protection and security are being reviewed and will be enhanced.

Cardiac Monitoring Software Company Suffers Cyberattack

The Canadian cardiac monitoring software company, CardioComm Solutions Inc., has announced that it has suffered a cyberattack that has taken some of its IT systems out of operation. According to a statement released by the company, the attack has caused downtime to its services: Global Cardio 3, GEMS Flex 12, GEMS Home Flex (upload), and HeartCheck CardiBeat/GEMS Mobile ECG/RPM (record/upload). The disruption is expected to continue for several days, and potentially longer. Third-party cybersecurity experts have been engaged to investigate the attack and determine the extent to which sensitive data was involved. Customer data is not believed to have been involved, as CardioComm does not collect customer data, and its software runs on each customer’s server environment; however, employee data may have been compromised. Identity theft protection services will be offered to affected employees as a precaution.

The post 98,000 UT Southwestern Medical Center Patients Affected by MOVEit Cyberattack appeared first on HIPAA Journal.

Rite Aid has confirmed that the protected health information of up to 24,400 of its customers has been stolen in a cyberattack. The stolen files contained names, birth dates, addresses, prescription information, and limited insurance information. Social Security numbers and financial information were not exposed or stolen in the attack. Rite Aid said a vulnerability was exploited by the attackers to gain access to sensitive data. Rite Aid was notified about the vulnerability by a third-party vendor and a patch has now been applied to correct the vulnerability.

The vulnerability was identified on May 31, 2023, with the forensic investigation confirming data theft occurred on May 26, 2023. While Rite Aid did not disclose the name of the vendor, the timing of the attack and the nature of unauthorized access suggest this was an attack by the Clop threat group which conducted mass attacks that exploited a zero-day vulnerability in Progress Software’s MOVEIT Transfer file transfer solution.

Wake Family Eye Care Suffers Ransomware Attack

Wake Family Eye Care in Cary, NC, recently fell victim to a ransomware attack. The attack was detected on June 2, 2023, when files were discovered to have been encrypted. Systems were immediately isolated to prevent further unauthorized access and the incident was contained the same day. A third-party forensics firm was engaged to investigate and determine the extent of the breach and while no evidence of data theft was found, it was not possible to rule out the possibility of data theft.

The review of files on the affected part of the network revealed they contained names, addresses, dates of birth, partial or full Social Security Numbers, driver’s license/passport/other government-issued ID numbers, insurance numbers, optical images, chart numbers, and related eye records. Financial information was not compromised.

Notification letters have been sent to the 14,264 individuals potentially affected by the incident.

Catholic Charities of the Archdiocese of Newark Investigating Cyberattack

Catholic Charities of the Archdiocese of Newark has confirmed that unauthorized individuals gained access to some of its computer systems. The breach was detected on May 8, 2023, and third-party cybersecurity experts were engaged to investigate and determine the nature and scope of the breach. The investigation confirmed that hackers had access to systems where protected health information was stored between April 30, 2023, and May 8, 2023. Some of the files were acquired in the attack.

The stolen files included individuals’ names, dates of birth, driver’s license information, Social Security number, medical information, and health insurance information. The review of the files is ongoing to determine how many individuals have been affected and notification letters will be sent when that process has been completed. To meet the deadline for reporting data breaches, the HHS was notified that at least 501 individuals have likely been affected. The total will be updated when the investigation is completed.

Lancaster Orthopedic Group Notifies Patients About March Cyberattack

Lancaster Orthopedic Group in Manheim Township, PA, has discovered unauthorized access to its network. The breach was detected on March 29, 2023, with the review of the affected files confirming that names, addresses, dates of birth, Social Security numbers, medical treatment information, and insurance information was potentially compromised. The breach has been reported to the HHS’ Office for Civil Rights as affecting a minimum of 500 individuals, although up to 2,000 patients may have been affected.

The post 24,400 Rite Aid Customers Had Personal Informatiion Compromised in May Cyberattack appeared first on HIPAA Journal.