HIPAA Breach News

Missouri Department of Social Services Confirms Medicaid Recipients’ Data Compromised in MOVEit Hacks

Four more entities have confirmed they were affected by the mass hacks of the MOVEit Transfer file transfer solution and had protected health information stolen.

Missouri Department of Social Services

The Missouri Department of Social Services (DSS) has confirmed that the data of Medicaid recipients was compromised in the recent mass MOVEit hacks by the Clop threat group. Clop conducted hundreds of attacks starting on May 27, 2023, that exploited a zero-day vulnerability in the MOVEit Transfer file transfer solution – CVE-2023-34362. More than 610 companies, organizations, and other entities were attacked and had data stolen.

According to the Missouri DSS, the attack occurred at IBM Consulting. The Missouri DSS said that when it was made aware of the incident it disconnected the MOVEit servers from internal IT systems and launched an investigation into the breach. The DSS confirmed that no DSS systems were breached, only the MOVEit server, which contained data such as names, department client numbers, birth dates, benefit eligibility status/coverage, and medical claims information. It is currently unclear exactly how many Medicaid recipients were affected. The DSS said all Missouri Medicaid recipients are being notified about the breach as a precaution.

Omaha Health Insurance Company

The Omaha Health Insurance Company (OHIC), part of Mutual of Omaha, has reported a security breach at a third-party vendor that exposed the records of individuals who were enrolled in the Medicare Part D Prescription Drug Plan, which was issued by Mutual of Omaha Rx.

The vendor discovered the security breach on June 21, 2023, and notified OHIC about the breach on June 22, 2023. The OHIC investigation confirmed that sensitive data was downloaded by the threat group between May 30, 2023, and June 2, 2023. The exposed data included names, dates of birth, Social Security numbers, claims information, banking information, billing information, and treatment information. Affected individuals have been offered complimentary credit monitoring services. The vendor was not named in the notification sent to the state attorney general.

IU Health

IU Health in Indianapolis has confirmed that patient data was compromised in the mass MOVEit Transfer hacks. The incident occurred at a third-party claims processor, TMG Health. IU Health was notified about the breach on June 22, 2023, and was informed that IU Health Plan data was compromised, including names, member ID numbers, plan effective dates, and for some individuals, bank account information. IU Health Plans notified the affected members on August 4, 2023, and offered complimentary credit monitoring services.  It is currently unclear how many plan members were affected.

Hillsborough County, FL

Hillsborough County in Florida has reported a breach of the protected health information of 70,636 patients to the HHS’ Office for Civil Rights. The county learned about the MOVEit Transfer incident on June 1, 2023, and determined on June 22, 2023, that the compromised data included individuals who received care through Hillsborough County Health Care Services. That information included names, Social Security numbers, dates of birth, home addresses, medical conditions, diagnoses, and disability codes. Certain vendors were notified that some employee data may have been compromised. The affected vendors will notify their employees directly.

The post Missouri Department of Social Services Confirms Medicaid Recipients’ Data Compromised in MOVEit Hacks appeared first on HIPAA Journal.

LockBit Ransomware Group Threatens to Publish Stolen Cancer Patient Data

The LockBit ransomware group has added Varian Medical Systems to its data leak site and has threatened to publish the data of cancer patients if the ransom is not paid. Varian Medical Systems is a Palo Alto, CA-based provider of radiation oncology treatments and software for oncology departments and a subsidiary of Siemens Healthineers. Varian Medical Systems has not yet confirmed the data breach, and the LockBit group has not yet disclosed how much data was stolen in the attack, but said Varian has been given until August 17, 2023, to enter into negotiations; otherwise, all stolen databases and patient data will be released on its dark web data leak site.

Karakurt Threat Group Says Data Stolen from McAlester Regional Health Center

The Karakurt ransomware group has recently added McAlester Regional Health Center to its data leak site and claims to have stolen more than 1,175 GB of data from the Oklahoma hospital, including 5 GB of SQL data on medical staff and medical reports containing sensitive patient information, including DNA data. According to the listing, the stolen employee data includes Social Security numbers and bank account information. The group has threatened to sell the data if the ransom is not paid. McAlester Regional Health Center has not verified the claim and has yet to announce a data breach on its website or report the incident to the HHS’ Office for Civil Rights.

Precision Anesthesia Billing LLC Reports Breach of the PHI of 209,200 Individuals

The Tampa, FL-based HIPAA business associate, Precision Anesthesia Billing LLC (PAB), reported a breach of the protected health information of 209,200 individuals to the HHS’ Office for Civil Rights on July 7, 2023. While no public notice about the data breach appears to have been published to date, the medical group, Athens Anesthesia Associates (AAA), has confirmed that it was one of the entities affected by the breach.

AAA said it was informed by PAB on May 11, 2023, that the data of some of its patients had potentially been compromised. PAB said a well-known cyber threat actor that has conducted many successful cyberattacks was responsible but did not name the group. PAB was able to successfully stop the attack and secure its systems but said it was likely that files containing patient data were accessed and exfiltrated from its systems between May 4 and May 7, 2023. The information compromised in the incident included names, addresses, phone numbers, email addresses, dates of birth, ages, Social Security numbers, bank account numbers, insurance policy numbers, diagnoses, treatment information and dates, ultrasound images, medical record numbers, and hospital account numbers. AAA said it has offered affected patients two years of complimentary credit monitoring services.

Life Management Center of Northwest Florida Cyberattack Impacts 19,107 Individuals

Life Management Center of Northwest Florida, a provider of mental health, behavioral health, and family counseling services, discovered a security breach on March 31, 2023. Steps were immediately taken to secure its network and third-party forensics experts were engaged to investigate the incident. The investigation confirmed that an unauthorized actor accessed files that contained patient data. A comprehensive review of the affected files concluded on May 26, 2023, that the protected health information of 19,107 individuals had been compromised, including names, Social Security numbers, driver’s license numbers, medical treatment and/or diagnosis information, and health insurance information. Affected individuals were notified on July 25, 2023, and have been offered complimentary credit monitoring services.

Discovery at Home Falls Victim to Phishing Attack

Discovery at Home, a provider of home healthcare services to seniors in Florida and Texas, fell victim to a phishing attack on or around June 1, 2023, that saw the email account of an employee accessed by an unauthorized individual. Discovery at Home said the incident “resulted in the inadvertent transmittal of personal health information via unencrypted e-mail to an unauthorized third-party sender.”

The compromised information included names, addresses, dates of birth, dates of service, treatment-related information, and health insurance information, including insurance beneficiary number, claim number, and policy number. At the time of issuing notification letters, Discovery at Home was unaware of any misuse of the compromised data. Discovery at Home said the email account was immediately secured when the breach was detected, steps have been taken to improve email security, and the employee in question has received further security awareness training. Affected individuals were notified by mail on July 31, 2023.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Bi-Bett Corporation Suffers Email Account Breach

Bi-Bett Corporation, a Californian provider of substance use disorder treatment services, has recently notified 4,722 patients that some of their protected health information was stored in an email account that was accessed by an unauthorized third party. Suspicious activity was identified in the email account on February 17, 2023, and the email account was immediately secured and a third-party cybersecurity firm was engaged to investigate. On April 14, 2023, the cybersecurity firm confirmed that patient information may have been accessed or acquired.

The email account was reviewed to identify the affected individuals and the information that had been compromised, and that process was completed on May 22, 2023. The information compromised included first and last names, addresses, Social Security Numbers, driver’s license numbers, Medicaid numbers, and/or medical reference numbers. Bi-Bett said it is working with third-party security experts to strengthen its security posture further. Affected individuals have been offered complimentary credit monitoring and identity theft protection services.

Ransomware Attack on Prospect Medical Holdings Affects Facilities in Multiple States

Prospect Medical Holdings, a Los Angeles, CA-based health system that operates 17 hospitals and 166 outpatient clinics in California, Connecticut, Pennsylvania, Rhode Island, and New Jersey, has been hit with a ransomware attack that has disrupted operations across its network, including operations at its subsidiaries Crozer Health and the Eastern Connecticut Health Network (ECHN).

Prospect Medical Holdings said steps were immediately taken to prevent further unauthorized access and several IT systems were taken offline to protect those systems. Third-party cybersecurity specialists were engaged to investigate and determine the scope of the breach and the ransomware attack was reported to the Federal Bureau of Investigation (FBI), which has launched an investigation. The Department of Health and Human Services has offered federal assistance and said it is able to provide support, as needed, to prevent disruption to patient care.

Without access to IT systems, ambulances were diverted to other facilities in the immediate aftermath of the attack, and employees at the affected healthcare facilities adopted their emergency downtime procedures and reverted to using paper records. ECHN said it took the decision to temporarily close some of its facilities, including diagnostic labs, elective surgery and gastroenterology centers, and halted outpatient medical imaging, blood draw, and physical therapy services, and is contacting patients to reschedule appointments.

The attack began on Thursday and efforts are still underway to restore its systems and return to normal operations. A spokesperson for Prospect Medical Holdings said, “While our investigation continues, we are focused on addressing the pressing needs of our patients as we work diligently to return to normal operations as quickly as possible.” At such an early stage of the investigation, the extent to which patient information was compromised has yet to be determined. It is currently unclear which ransomware group was behind the attack.

1.7 Million Oregon Health Plan Members Affected by MOVEit Hack

The protected health information of 1.7 million Oregon Medicaid patients has been stolen by the Clop threat group, which exploited a zero-day vulnerability in the MOVEit Transfer file transfer solution on or around May 30, 2023. The data breach occurred through a contractor used by the Oregon Health Plan – PH Tech – which was informed about the vulnerability and data breach on June 2 by Progress Software. According to PH Tech, the compromised information included names, dates of birth, Social Security numbers, mailing addresses, and email addresses, along with health information such as diagnoses, procedures, claim information, and plan ID numbers. Affected individuals are being notified by PH Tech and have been offered complimentary credit monitoring services. PH Tech said it immediately disabled the MOVEit solution when it learned about the compromise. The vulnerability was patched, and it rebuilt how the solution can be accessed to ensure that no one else is able to access files through the software.

Healthcare Victim Count Continues to Grow

The Health Plan of West Virginia, Inc. has recently confirmed that 1,292 members had data stolen. United Bank provides financial services to the health plan and recently confirmed that electronic records of recent premium payment and premium payment coupons were stolen. The stolen records related to a two-week period in May 2023, and included names, addresses, phone numbers, health plan identification numbers, group numbers, and images of premium payments.

Employees, students, and patients of Johns Hopkins Health System, Johns Hopkins All Children’s Hospital, and Johns Hopkins Howard County General Hospital had data stolen from MOVEit servers after the vulnerability was exploited, although personal health records do not appear to have been obtained. Johns Hopkins Health System has reported the breach to the Office for Civil Rights as affecting 2,584 patients and Howard County General Hospital has filed a breach report indicating 2,975 patients were affected.

The academic health system, UofLHealth, was also attacked and is still investigating the incident to determine the types of information involved and the number of individuals affected. The MOVEit tool was used by a small number of UofLHealth medical practices for transferring files to third-party vendors. Other known victims include Allegheny County in Pennsylvania (689,686 individuals), Sutter Senior Care (519 individuals), Harris Health System (224,703 individuals), UT Southwestern Medical Center (98,437 individuals), and CMS contractor Maximus (612,000 individuals).

Sutter Senior Care and Allegheny County Have Data Compromised in MOVEit Transfer Hacks

Allegheny County in Pennsylvania has recently confirmed that the protected health information of up to 689,686 individuals was compromised in a May 2023 hacking incident by the Clop threat group. Allegheny County was alerted about the breach on June 1, 2023, and it was confirmed that the group exfiltrated files containing sensitive data between May 28 and May 29, 2023. Allegheny County said it received assurances from the Clop group that the stolen data was deleted, per the group’s policy of only attacking and extorting money from businesses; however, affected individuals have been told to take steps to protect their personal information and to register for the complimentary credit monitoring and identity theft protection services that have been offered.

County officials confirmed that the compromised information included names, Social Security numbers, birth dates, driver’s license/state identification numbers, taxpayer identification numbers, student identification numbers, and for certain individuals, medical information such as diagnoses, treatment information, and admission dates, and health insurance and billing/claims information.

Sutter SeniorCare PACE, a nonprofit health plan based in Sacramento, CA, has also recently confirmed that it was affected and had plan member data compromised in the attacks. The file transfer solution was used by its business associate, Cognisight, LLC, which provides specialist healthcare management services. Cognisight was informed about the hacking incident on May 31, 2023, and its forensic investigation of the incident concluded on June 5, 2023. Sutter Senior Care was informed about the incident on July 12, 2023.

The information stolen in the attack included names, dates of birth, Social Security numbers, and health information such as patient identification numbers and diagnosis, treatment, and provider information. Credit monitoring and identity protection services have been offered to the affected individuals. The breach has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals were affected.

Up to 170,450 Patients Affected by Cyberattack on the Chattanooga Heart Institute

The Chattanooga Heart Institute (CHI) in Tennessee has recently announced that it identified a cyberattack on its network on April 17, 2023. Action was immediately taken to prevent further unauthorized access and a third-party forensics vendor was engaged to investigate the incident and determine the nature and scope of the attack. The forensic investigation confirmed that unauthorized individuals gained access to its network between March 8, 2023, and March 16, 2023, and on May 31, 2023, the investigation confirmed that files containing sensitive patient data had been copied by the attackers.

CHI’s electronic medical record system was not compromised; however, the files removed from its system were found to contain names, mailing addresses, email addresses, phone numbers, birth dates, driver’s license numbers, Social Security numbers, account information, health insurance information, diagnosis/condition information, lab results, medications, and other clinical, demographic, or financial information. Notification letters will be sent to the affected individuals in the coming weeks and credit monitoring, fraud consultation, and identity theft restoration services will be offered.

The breach was recently reported to the Maine Attorney General as affecting up to 170,450 individuals. While CHI did not disclose which group was behind the attack, the Karakurt group has claimed responsibility for the attack. Karakurt is a relatively new threat group that has no qualms about attacking healthcare organizations.

58,000 Individuals Affected by Cyberattack on Synergy Healthcare Services

Synergy Healthcare Services (SHS) in Atlanta, GA, has recently reported a data breach to the Maine Attorney General that has affected up to 58,034 patients of its healthcare clients: Consulate Health Care, Raydiant Health Care, Independence Living Centers, and their affiliated care centers.

The administrative service provider said suspicious activity was detected within its network in early December 2022, and the forensic investigation confirmed on December 15, 2022, that an unauthorized third party accessed parts of its computer network where personal health information was stored. A third-party data review company was provided with the files on December 22, 2022, and provided the results of the analysis to SHS on May 16, 2023.

The files contained information such as names, birthdates, signatures, insurance details, contact information, government identification numbers including driver’s licenses and Social Security numbers, medical history/treatment information, and financial information. Complimentary credit monitoring services have been offered to the affected individuals and steps have been taken to harden security to prevent similar incidents in the future.

Cheyenne Radiology Group & MRI Reports December 2022 Ransomware Attack

Cheyenne Radiology Group & MRI, P.C. (CRG), in Wyoming, has recently issued notifications to its patients about a ransomware attack that was discovered and stopped on December 12, 2022. According to the notification letters, the attack disabled some of its computer systems, and while data theft was not confirmed, the possibility that information was removed from its systems could not be ruled out. Third-party forensics specialists investigated the incident and confirmed that the files potentially accessed included names, mailing addresses, birth dates, Social Security numbers, driver’s license numbers, and health insurance information. CRG said it wiped and rebuilt all affected systems and has hardened security to prevent similar breaches in the future. The incident was recently reported to the Maine Attorney General as affecting up to 10,420 individuals.

700,000 Highly Sensitive School Records Exposed Online

Highly sensitive information on 682,438 teachers and students at independent schools has been left exposed to the Internet and could be accessed by anyone without a password. The exposed 572.8 GB database was discovered by security researcher Jeremiah Fowler who traced documents in the database to the Southern Association of Independent Schools, Inc (SAIS).

“In my many years as a security researcher, I have seen everything from millions of credit card numbers and health records to internal documents from organizations of all sizes. However, this discovery is among the most sensitive data collections I have ever encountered,” said Fowler. The database contained highly sensitive teacher and student records. Each student record included a photograph of the student, along with their home address, date of birth, age, Social Security number, and health information. Fowler said he discovered third-party security reports that included details of weaknesses in school security, the locations of cameras, access and entry points, active shooter and lockdown notifications, school maps, financial budgets, teacher background checks, and much more. Fowler quickly notified SAIS and the database was rapidly secured.

Fowler was unable to determine how long the database had been exposed and if it was accessed by unauthorized individuals. He said the database was a goldmine for criminals on many levels. The database was hosted in a cloud storage repository and had been mistakenly configured to be non-password protected. The database appeared to be on SAIS’s primary server, and the exposure did not appear to be due to a vendor configuration issue.

Harris Health System Confirms Breach of Almost 225,000 Patient Records

Harris County Hospital District, doing business as Harris Health System, has recently reported a data breach affecting 224,703 individuals. On June 2, 2023, Harris Health System was notified about a zero-day vulnerability in the MOVEit Transfer file transfer solution. The vulnerability was immediately addressed; however, the forensic investigation revealed hackers had exploited the vulnerability on May 28, 2023, and downloaded files from the system.

The review of the affected files revealed they contained information such as names, addresses, birth dates, Social Security numbers, medical record numbers, immigration status, driver’s license numbers/ other government-issued identification numbers, health insurance information, procedure information, treatment costs, diagnoses, medications, provider names, and dates of service.

Harris Health System said the vulnerability has been patched and additional steps have been taken to improve the security of its MOVEit server. Affected individuals were notified about the breach on July 21, 2023, and individuals who had their Social Security numbers exposed have been offered complimentary credit monitoring and identity theft protection services.

New England Life Care Reports 51,854-Record Data Breach

New England Life Care in Portland, ME, says it detected a security breach on May 24, 2023, that disrupted its IT systems. The incident was rapidly contained and a third-party cybersecurity firm was engaged to conduct a forensic investigation. The analysis confirmed that the exposed files contained patient data such as names, addresses, service/equipment information, and patient status (active/discharged).

The 51,854 affected individuals were notified by mail on July 21, 2023. New England Life Care said additional safeguards and technical security measures have been implemented to prevent similar incidents in the future.

Park Royal Hospital Discovers Unauthorized Email Account Access

Park Royal Hospital in Fort Myers, FL, has discovered unauthorized access to an employee email account. The security breach was detected on May 15, 2023, and the forensic investigation confirmed that the email account was compromised on May 8, 2023. The email account contained protected health information such as patient names, provider names, dates of treatment, and diagnosis and treatment information. The hospital said additional safeguards and technical security measures have been implemented to further protect and monitor its systems.

The incident is still being investigated and notification letters will be mailed when that process is completed. The breach has been reported to the HHS’ Office for Civil Rights as affecting at least 500 individuals.

Email Accounts Compromised at Unified Pain Management

Konen & Associates, doing business as Unified Pain Management in Texas, has recently notified the HHS’ Office for Civil Rights about an email account breach involving at least 500 records. Suspicious activity was detected within its corporate email accounts on March 21, 2023. Steps were immediately taken to prevent further unauthorized access and a third-party digital forensic firm was engaged to conduct an investigation; however, it was not possible to determine if any information within the email accounts had been accessed or downloaded.

The review of the emails confirmed that they contained information such as patient names, addresses, health insurance policy numbers, Social Security numbers, payment information, and health information such as treatment and diagnosis information.  Steps have been taken to improve email security and affected individuals have been offered credit monitoring and identity theft restoration services at no cost.

Up to 11 Million Health Records Compromised in Cyberattack on Government Contractor

Reston, VA-based Maximus Inc., a government services contracting company, has announced in a Securities and Exchange Commission (SEC) filing that hackers exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer solution in May 2023 and accessed the protected health information (PHI) of between 8 and 11 million individuals. The Clop ransomware group was responsible for the attack and Maximus was one of hundreds of entities to be affected by the Clop group’s mass exploitation of the zero-day vulnerability.

According to the filing, Maximus used MOVEit Transfer for internal and external file sharing, including for sharing data with government customers that participate in various government programs. After being notified about the vulnerability and data breach by Progress Software, Maximus launched a forensic investigation and review of the affected files and while that process is still ongoing, Maximus confirmed that the impacted files contained protected health information. Maximus said it cannot confirm precisely how many individuals have been affected until the review process is completed, and that it anticipates that the process will take several more weeks.

Maximus has notified the affected customers and will provide notice to all affected individuals when the review concludes. Affected individuals will be offered complimentary credit monitoring and identity theft protection services for 24 months. Maximus has recorded expenses of $15 million for the quarter to June 30, 2023, in relation to the data breach.

The Department of Health and Human Services’ Centers for Medicare and Medicaid Services (CMS) has confirmed that the PHI of approximately 612,000 current Medicare recipients was exposed in this incident and up to 645,000 individuals in total. The CMS said it is working with Maximus to provide notice to the affected individuals. The CMS said the stolen data includes names, dates of birth, mailing addresses, telephone numbers, email addresses, Social Security numbers/taxpayer identification numbers, Medicare beneficiary numbers, driver’s license numbers, state identification numbers, health insurance information, claims information, health benefits and enrollment information, and medical histories, which include notes, medical records/account numbers, conditions, diagnoses, images, treatment information, and dates of service.

Florida Senator Urges FBI to Prioritize Investigation of Tampa General Hospital Cyberattack

Senator Rick Scott (R-FL) has written to FBI Director Christopher Wray requesting the law enforcement agency prioritize the investigation of a major cyberattack on Tampa General Hospital (TGH) that involved the medical records of more than 1.2 million people and bring the perpetrators behind the cyberattack to justice.

The attack in question was discovered by TGH administrators on May 31, 2023, with the forensic investigation determining that hackers had access to its network for 18 days, having gained initial access to its network on May 12, 2023. The attackers attempted to encrypt files; however, TGH was able to prevent encryption but could not prevent the exposure of patient data. The compromised systems contained names, addresses, dates of birth, Social Security numbers, medical record numbers, health insurance information, and more.

While the cyberattack is significant due to the amount of exposed data, it is far from the only such attack on a U.S. healthcare provider in recent years. Senator Scott cites a ransomware attack on Scripps Health in California in 2021 in which hackers stole 150,000 patient records, the attack on CommonSpirit Health in 2022 that affected many critical healthcare services across the United States, and the attack on St. Margaret’s Health in Illinois which disrupted the hospital’s billing systems and contributed to the permanent closure of the hospital. In addition to causing financial harm to healthcare providers and threatening patient safety, the data stolen in these attacks can be used for further criminal activity causing financial harm to patients.

If the threat actors behind these attacks are not identified, arrested, and prosecuted, they will continue to conduct attacks that threaten patient safety and cause considerable financial harm, and it is inevitable that other healthcare facilities will be forced to close. “I urge you to assign all necessary resources at your disposal to prioritize the investigation of this incident and ask that you keep my office apprised of your progress,” said Senator Scott.

Many of these attacks are conducted by threat groups operating out of China, Russia, and North Korea, which do not have extradition treaties with the United States, making it difficult to bring the perpetrators to justice. Senator Scott said these attacks pose a clear and present threat to critical health systems and has requested answers from Wray on the actions being taken to counter these threats, such as how the FBI is coordinating with health systems to prevent cyberattacks, what the FBI is doing to coordinate investigations of healthcare cyberattacks, whether the FBI believes that the majority of the threat actors behind these attacks are operating from outside the United States, and if so, the countries where these cyberattacks are originating. Senator Scott also asked whether the FBI has sufficient resources to fully investigate these attacks and pursue the perpetrators and whether additional resources and authorities are needed.
