HIPAA Breach News

IBM: Average Cost of a Healthcare Data Breach Increases to Almost $11 Million

The 2023 IBM Security Cost of a Data Breach Report shows the average data breach cost has increased to $4.45 million ($165 per record), with data breaches in the United States being the costliest at an average of $9.48 million, up 0.4% from last year. Data breaches are the costliest that they have ever been and have increased by 15% since 2020. The data for this year’s report was collected by the Ponemon Institute and included breach data from 553 organizations in 16 countries with interviews conducted with thousands of individuals. All data breaches studied for the report occurred between March 2022 and March 2023.

For the 13th year in a row, healthcare data breaches were found to be the costliest, with the average cost increasing to $10.93 million, which is a 53.3% increase over the past 3 years and an 8.22% increase from the $10.10 million average breach cost in 2022. Small organizations with fewer than 500 employees saw average data breach costs increase by 13.35% year-over-year to $3.31 million. There was a 21.4% increase in costs for mid-sized organizations (501-1,000 employees) to an average of $4.06 million, a 20% rise in costs for large organizations (1,001-5,000 employees) to $4.87 million, but a 1.8% decrease in costs for very large organizations (10,001–25,000 employees), which fell to an average of $5.46 million. The time to identify and contain a breach remained the same as in 2022, with the decrease in detection time cancelled out by an increase in containment time. In 2023, the average time to identify a breach (204 days) and contain it (73 days) totaled 277 days.

The most common causes of data breaches were phishing attacks and compromised credentials, with phishing the initial access vector in 16% of data breaches and compromised credentials the vector in 15% of breaches. The average cost of a phishing attack was $4.76 million and an attack caused by stolen or compromised credentials cost an average of $4.62 million. The costliest breaches were caused by malicious insiders, with those incidents costing an average of $4.90 million per breach, although these breaches were relatively rare, accounting for 6% of the total. Breaches stemming from stolen or compromised credentials took the longest to identify and contain, taking 328 days compared to the average of 277 days.

Only one-third (33%) of data breaches were detected by the breached entity, with a benign third party such as law enforcement or a security researcher notifying the victim about the breach in 40% of cases, and the attacker notifying the breached entity about the attack in 27% of cases. Breaches where the attacker informed the victim cost around $1 million more than breaches that were detected by the victim ($5.23 million vs. $4.3 million). Data breaches that were disclosed by an attacker also had a much longer lifecycle (detection to containment), taking 320 days – 79 days longer than breaches that were identified by the victim.

Data breaches often occur in multiple locations such as on-premises as well as public and private clouds. IBM Security found attackers were able to breach multiple environments undetected, and when multiple environments were breached the costs soared. Multi-environment breaches cost an average of $750,000 more than data breaches in single environments and took 15 days longer to contain. Malicious attacks often rendered systems inoperable with destructive attacks accounting for 25% of all malicious attacks and ransomware accounting for 24% of attacks. Destructive attacks cost an average of $5.24 million and ransomware attacks cost an average of $5.13 million. 47% of ransomware victims chose to pay the ransom.

IBM Security was able to dispel a common myth – that involving law enforcement in ransomware attacks increases the complexity and recovery time – when the reverse was found to be true. Ransomware attacks with law enforcement involvement took an average of 33 days less to contain than when law enforcement was not involved, and law enforcement involvement also shaved an average of $470,000 off the breach cost. Despite speeding up recovery and significantly reducing breach costs, 37% of ransomware victims did not seek help from law enforcement to contain a breach.

Law enforcement recommends not paying the ransom as there is no guarantee of a faster recovery and payment of a ransom encourages further attacks. IBM Security found that paying the ransom only resulted in minimal savings – a cost difference of $110,000, or 2.2%, although that does not include the ransom amount. Taking the ransom payment into consideration, many organizations ended up paying more than they would likely have spent had they chosen not to pay the ransom.

The biggest cost mitigators were the adoption of a DevSecOps approach (integrating security in the software development cycle), which saved almost $250,000 on average, employee training (-$233,000), incident response planning and testing (-$232,000), and AI and machine learning insights (-$225,000). AI and automation shaved an average of 108 days from identification and containment, and attack surface management (ASM) solutions shaved an average of 83 days off the response time. The biggest cost amplifiers were security systems complexity (+$241,000), security skills shortages (+$239,000), and non-compliance with regulations (+$219,000).

The report revealed 95% of organizations had suffered more than one breach and the costs of these breaches were passed onto consumers by 57% of organizations, with only 51% of organizations increasing security investments following a data breach.

The post IBM: Average Cost of a Healthcare Data Breach Increases to Almost $11 Million appeared first on HIPAA Journal.

June 2023 Healthcare Data Breach Report

The Department of Health and Human Services’ Office for Civil Rights (OCR) breach portal shows a 12% month-over-month reduction in the number of healthcare data breaches of 500 or more records. In June, HIPAA-regulated entities reported 66 breaches, and while this was an improvement on the 73 breaches reported in June 2022, the month’s total is still well above the 12-month average of 58 data breaches a month.

[Chart: Healthcare Data Breaches Past 12 Months - June 2023]

May was a particularly bad month for data breaches with more than 19 million individuals having their protected health information exposed or impermissibly disclosed, so while there was a 73.67% month-over-month reduction in breached records in June, the previous month’s total was unnaturally high. June’s total of 5,015,083 breached records was below the 12-month average of 6 million records a month and less than the 6,258,833 records breached in June 2022, but that is still more than 167,000 breached healthcare records a day – 17.6% more than the daily average in 2022.

[Chart: Healthcare Records Breached in the Past 12 Months - June 2023]

In H1 2023, 41,452,622 healthcare records were exposed or impermissibly disclosed. That’s just a few thousand records short of the total for all of 2019 and just 10 million below the total for all of 2022.

Largest Healthcare Data Breaches in June 2023

In June, 25 data breaches of 500 or more records were reported to OCR, all but two of which were hacking/IT incidents. The largest breach of the month by some distance was a ransomware attack and data theft incident at the biotech and diagnostics company, Enzo Clinical Labs (Enzo Biochem). Murfreesboro Medical Clinic & SurgiCenter also suffered a major breach where sensitive data was stolen and a ransom demand was issued to prevent a data leak, as did Intellihartx. Intellihartx was one of several companies that had sensitive data stolen by the Cl0p ransomware group, which mass exploited a zero day vulnerability in Fortra’s GoAnywhere MFT file transfer solution in late January.

As the table below indicates, it is becoming increasingly common for HIPAA-regulated entities to only disclose limited information in their notification letters. Data breaches are often reported as “unauthorized individuals accessed the network and may have accessed or removed patient information,” even when data theft has been confirmed and the stolen data has been uploaded to the data leak sites of ransomware groups. The lack of information can make it difficult for victims of data breaches to assess the level of risk they face.

Healthcare Data Breaches of 10,000 or More Records

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Cause of Breach |
|---|---|---|---|---|---|
| Enzo Clinical Labs, Inc. | NY | Healthcare Provider | 2,470,000 | Hacking/IT Incident | Ransomware attack |
| Murfreesboro Medical Clinic & SurgiCenter | TN | Healthcare Provider | 559,000 | Hacking/IT Incident | Cyberattack (extortion) |
| Intellihartx, LLC | TN | Business Associate | 489,830 | Hacking/IT Incident | Cyberattack (extortion) – Fortra GoAnywhere MFT Solution hacked |
| Advanced Medical Management, LLC | MD | Business Associate | 319,485 | Hacking/IT Incident | Hacking of network designed/maintained by a business associate |
| Great Valley Cardiology | PA | Healthcare Provider | 181,764 | Hacking/IT Incident | Cyberattack – Brute force attack involving data theft |
| Petaluma Health Center | CA | Healthcare Provider | 124,862 | Hacking/IT Incident | Cyberattack – Details unknown |
| Imagine360 | PA | Business Associate | 112,611 | Unauthorized Access/Disclosure | Cyberattack (extortion) – Fortra GoAnywhere MFT and Citrix file transfer solutions hacked |
| Kannact, Inc. | OR | Business Associate | 103,547 | Hacking/IT Incident | Cyberattack (extortion) – Fortra GoAnywhere MFT Solution hacked |
| Activate Healthcare LLC | IL | Healthcare Provider | 93,761 | Hacking/IT Incident | Cyberattack with data theft confirmed |
| Desert Physicians Management | CA | Business Associate | 56,556 | Hacking/IT Incident | Cyberattack with data theft confirmed |
| ARx Patient Solutions | KS | Healthcare Provider | 41,166 | Unauthorized Access/Disclosure | Compromised email account |
| Orrick, Herrington & Sutcliffe LLP | CA | Business Associate | 40,823 | Hacking/IT Incident | Cyberattack – Details unknown |
| Tidewater Diagnostic Imaging, Ltd. | MA | Healthcare Provider | 40,195 | Hacking/IT Incident | Hacking Incident – Details unknown |
| Peachtree Orthopaedic Clinic, P.A. | GA | Healthcare Provider | 34,691 | Hacking/IT Incident | Cyberattack (extortion) by Karakurt threat group |
| Atlanta Women’s Health Group, P.C. | GA | Healthcare Provider | 33,839 | Hacking/IT Incident | Cyberattack – Details unknown |
| Maimonides Medical Center | NY | Healthcare Provider | 33,000 | Hacking/IT Incident | Cyberattack – Details unknown |
| Elgon Information Systems | MA | Business Associate | 31,248 | Hacking/IT Incident | Hacking Incident – Details unknown |
| Community Research Foundation | CA | Healthcare Provider | 30,057 | Hacking/IT Incident | Hacking Incident – Details unknown |
| Mount Desert Island Hospital, Inc. | ME | Healthcare Provider | 24,180 | Hacking/IT Incident | Cyberattack – Details unknown |
| Mercy Medical Center – Clinton, Inc. | IA | Healthcare Provider | 20,865 | Hacking/IT Incident | Ransomware attack |
| Ascension Seton | TX | Healthcare Provider | 17,191 | Hacking/IT Incident | Hacking incident at business associate (Vertex) |
| John N. Evans, DPM | MI | Healthcare Provider | 15,585 | Hacking/IT Incident | Hacking Incident – Details unknown |
| New Horizons Medical, Inc | MA | Healthcare Provider | 12,317 | Hacking/IT Incident | Hacking Incident – Details unknown |
| CareNet Medical Group, PC | NY | Healthcare Provider | 10,059 | Hacking/IT Incident | Cyberattack with data theft confirmed |
| Core Performance Physicians, dba Vincera Core Physicians | PA | Healthcare Provider | 10,000 | Hacking/IT Incident | Ransomware attack affecting four Vincera companies (25,000 affected in total) |

Causes of June 2023 Healthcare Data Breaches

Hacking incidents once again dominated the breach reports, accounting for more than 77% of the month’s data breaches and more than 96% of the month’s breached records. The average breach size was 94,480 records and the median breach size was 5,973 records. 4,818,457 records were exposed or compromised in hacking incidents. There were 14 unauthorized access/disclosure incidents reported, which cover a range of different incidents including unauthorized medical record access, unsecured paper records, mismailing incidents, and misdirected emails. Across those incidents, 196,026 records were impermissibly accessed or disclosed. The average breach size was 14,002 records and the median breach size was 2,567 records. There was one incident involving the improper disposal of 600 paper records and no reported loss or theft incidents.

[Chart: Causes of June 2023 healthcare data breaches]

As the chart below shows, the most common location of breached protected health information was network servers, with email accounts the second most common location of breached data.

[Chart: Location of breached information in June 2023 healthcare data breaches]

Where Did the Breaches Occur?

The raw data from the OCR breach portal shows data breaches by reporting entity; however, that does not mean that is where the breach occurred. When data breaches occur at business associates, the business associate may report the breach, or the covered entities affected, or a combination of the two. The raw data shows 44 breaches at healthcare providers, 12 at business associates, and 10 at health plans.

The charts below are based on adjusted figures and show where the data breach occurred rather than the entity reporting the breach as this better reflects the number of data breaches that occurred at business associates of HIPAA-regulated entities.

[Chart: June 2023 healthcare data breaches - covered entity type]

[Chart: Records breached at HIPAA-regulated entities in June 2023]

Geographical Distribution of Healthcare Data Breaches

Data breaches of 500 or more records were reported by HIPAA-regulated entities in 31 states in June 2023. Pennsylvania was the worst affected state, with 11 data breaches reported. The high total is partly due to 6 of the breaches relating to two incidents that were reported separately for each company affected. Even taking this into account, Pennsylvania was the worst affected state.

| State | Breaches |
|---|---|
| Pennsylvania | 11 |
| California | 5 |
| Massachusetts, New York & Texas | 4 |
| Arizona & Minnesota | 3 |
| Florida, Georgia, Maryland, Michigan, North Carolina, Ohio, Tennessee & Utah | 2 |
| Alabama, Delaware, Idaho, Illinois, Iowa, Indiana, Kansas, Kentucky, Maine, Mississippi, Montana, New Jersey, Oklahoma, Oregon, South Carolina & Virginia | 1 |

HIPAA Enforcement Activity in June 2023

The Office for Civil Rights announced three enforcement actions in June to resolve potential violations of the HIPAA Rules. Yakima Valley Memorial Hospital was investigated by OCR after a report was received about a HIPAA breach involving 23 security guards who had been accessing patient records without authorization. OCR determined that the hospital had failed to implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of the Security Rule. The case was settled and the hospital agreed to pay a $240,000 penalty.

Manasa Health Center was investigated after complaints were filed with OCR about impermissible disclosures of PHI in response to negative online reviews left by four patients. The case was settled with OCR and Manasa Health Center agreed to pay a $30,000 penalty. This was OCR’s third enforcement action in the past year to see a financial penalty for disclosures of PHI in response to negative patient reviews. No company likes to receive bad reviews and negative customer comments may be unjustified, but PHI must never be disclosed online in response to reviews.

iHealth Solutions, which does business as Advantum Health, was investigated over a relatively small data breach involving the exposure of the ePHI of 267 patients. Patient information was stored on a server that had not been properly secured, allowing protected health information to be accessed over the Internet. OCR determined that iHealth Solutions had failed to conduct an accurate, thorough, organization-wide risk analysis to identify all risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. The case was settled and iHealth Solutions agreed to pay a $75,000 penalty.

OCR has now imposed 8 financial penalties on HIPAA-regulated entities so far this year to resolve alleged violations of the HIPAA Rules with the penalties totaling $1,976,500. OCR has already exceeded last year’s total of $1,124,640 in fines that were collected from HIPAA-regulated entities in 17 enforcement actions.

State attorneys general can also impose financial penalties for HIPAA violations, although the fines are often imposed for equivalent violations of state laws, as was the case in California in June. In 2019, Kaiser Permanente sent mailings to its plan members, but an error resulted in letters being sent to old addresses, resulting in an impermissible disclosure of members’ protected health information. While this was a HIPAA violation, California imposed a financial penalty for violations of the California Confidentiality of Medical Information Act (CMIA) – an impermissible disclosure of the personal information of up to 175,000 individuals and the negligent maintenance and/or disposal of medical information. The case was settled for $450,000.


Tampa General Hospital Says Hackers Exfiltrated the Data of 1.2 Million Patients

Tampa General Hospital has recently confirmed that hackers gained access to its network and stole files containing the protected health information of up to 1.2 million patients. A security breach was detected on May 31, 2023, when suspicious activity was identified within its network. The affected systems were immediately taken offline to prevent further unauthorized access and a third-party digital forensics firm was engaged to investigate the incident and determine the nature and scope of the attack.

The investigation confirmed that unauthorized individuals had access to its network for three weeks between May 12, and May 30, 2023, during which time they exfiltrated files containing patient information. The information compromised in the incident varied from individual to individual and may have included names, phone numbers, addresses, dates of birth, Social Security numbers, medical record numbers, patient account numbers, dates of service, health insurance information, and limited treatment information. Tampa General Hospital confirmed that the hackers did not gain access to its electronic medical record system.

Tampa General Hospital said this was an attempted ransomware attack and while data theft occurred, its security systems prevented files from being encrypted. Additional technical security measures have now been implemented to harden its systems and prevent further data breaches and network monitoring has been enhanced to ensure that any future security breaches are detected rapidly.

Notification letters will be mailed to affected individuals when contact information has been verified. Tampa General Hospital said affected individuals will be offered complimentary credit monitoring and identity theft protection services.

168,000 Patients Have PHI Exposed in Phishing Attack on Henry Ford Health

Detroit, MI-based Henry Ford Health has recently notified 168,000 patients that an unauthorized individual gained access to employee email accounts that contained some of their protected health information. A spokesperson for Henry Ford Health said the unauthorized access occurred on March 30, 2023, after employees responded to phishing emails. The attack was discovered quickly and the accounts were secured; however, access to patient data was possible. A review of the email accounts confirmed on May 16, 2023, that they contained the following patient information: name, date of birth, age, gender, telephone number, medical record number/ internal tracking number, lab results, procedure type, diagnosis, and date(s) of service. Henry Ford Health is implementing additional security measures to protect against future email account breaches and additional training has been provided to employees.

IMX Medical Management Services Announces 2022 Malware Incident

The Malvern, PA-based medical consulting company, IMX Medical Management Services, has recently confirmed that malware was found on a laptop computer that potentially allowed unauthorized individuals to access the protected health information of 7,594 individuals. According to the notification letters, the malware was detected on September 1, 2022, and the forensic investigation revealed the malware had been present since as early as June 2022. Additional malware indicators were also found on its network in October 2022.

IMX said the malware has been removed and no further indicators of malware have been detected since October 2022. The delay in issuing notifications was due to the “extensive and complex analysis of the affected data.” IMX said the malware provided access to the bodies of email messages but attachments were not exfiltrated. The compromised information included names or other personal identifiers along with driver’s license numbers and other ID cards. Identity theft protection services have been offered to affected individuals.

Storage Unit Purchased at Auction Contained Dozens of Boxes of Patient Files

A storage unit was recently sold at auction that contained more than 200 boxes of patient files. The unit went up for sale when the unit rental payments stopped. The purchaser submitted a blind bid for the unit and discovered the boxes of patient files after purchasing the unit. The records related to patients of East Houston Medicine and Pediatric Center who received treatment between 2009 and 2019. The files included information such as names, Social Security numbers, driver’s license images, medical histories, and insurance information. The purchaser is currently trying to arrange for the files to be collected.

PHI Exposed in Charles George VA Medical Center Mismailing Incident

Charles George VA Medical Center in Asheville, NC, has confirmed that the personal information of 1,541 veterans has been exposed in an email mismailing incident. The data exposure was detected on May 12, 2023, and immediate steps were taken to delete the emails that had not been opened; however, the messages were opened by three veterans. The emails included an attachment that contained limited protected health information. Affected individuals have been offered complimentary credit monitoring and identity theft protection services.


Pension Benefit Information Confirms PHI of 371,359 Individuals Stolen in MOVEit Transfer Hack

Pension Benefit Information, LLC, doing business as PBI Research Services (PBI), has recently confirmed that the protected health information of 371,359 individuals was obtained by the Clop ransomware hackers in an attack that exploited a zero-day vulnerability in the MOVEit Transfer file transfer solution on or around May 31, 2023.

PBI said the breach was discovered on June 2, 2023, and the patch to fix the flaw was applied the same day. The forensic investigation confirmed that one of PBI’s MOVEit Transfer servers was accessed by the Clop hackers on May 29 and May 30, 2023. The files stolen in the attack included names, partial mailing addresses, dates of birth, and Social Security numbers. PBI said it is unaware of any actual or attempted misuse of the stolen information; however, as a precaution, affected individuals have been offered two years of complimentary credit monitoring and identity theft protection services. Notifications started to be sent to the affected individuals on June 4, 2023.

LockBit Ransomware Group Announces Attack on Panorama Eyecare

The LockBit ransomware group has recently added Panorama Eyecare to its data leak site and claims to have exfiltrated 798 GB of data from the Colorado-based physician management organization, including data from its clients Eye Center of Northern Colorado, Denver Eye Surgeons, Cheyenne Eye Clinic & Surgery Center, and 2020 Vision Center. Panorama Eyecare has yet to publicly confirm the data breach and it is currently unclear to what extent patient data was involved.

8Base Ransomware Group Adds Kansas Medical Center to its Data Leak Site

Kansas Medical Center, a physician-owned hospital in Andover, KS, has recently been added to the data leak site of the 8Base ransomware group. The threat group claims the attack occurred on June 18, 2023, and that sensitive patient and employee data was stolen, including names, addresses, registration information, and other information. Kansas Medical Center has not publicly announced the attack and it is unclear how many patients have been affected.


Phoenician Medical Center Cyberattack Affects Up to 162,500 Patients

Phoenician Medical Center, Inc. (PMC) has recently reported a security incident that disrupted some of its IT systems. The incident was detected on March 31, 2023, although it is unclear from the breach notifications when hackers first gained access to its network. The forensic investigation confirmed that there had been unauthorized access to files containing the protected health information of patients, some of which may have been obtained by the hackers.

On April 25, 2023, PMC confirmed the affected information included names, contact information, demographic information, date of birth, state identification numbers, medical record numbers, diagnosis and treatment information, provider name(s), date(s) of service, prescription information, and/or health insurance information. Affected patients had received medical services at PMC or its affiliated companies, Phoenix Neurological & Pain Institute, and/or Laser Surgery Center between 2016 and 2023. The breach was reported to the HHS’ Office for Civil Rights as affecting up to 162,500 current and former patients. PMC said it will be enhancing its security protocols and technical safeguards to prevent similar incidents in the future.

Public Health Management Corporation Investigating May Cyberattack

The Philadelphia, PA-based nonprofit health institute, Public Health Management Corporation (PHMC), has recently announced that unauthorized individuals gained access to its systems. Suspicious activity was detected on May 8, 2023, and the forensic investigation confirmed that an unauthorized individual may have accessed and acquired sensitive patient information on May 8, 2023.

The exposed information included full names, addresses, Social Security numbers, birth dates, medical histories, mental and physical treatment information, diagnosis information, physician names, medical record numbers, and health insurance information. PHMC said it is currently reviewing the affected files and verifying contact information and will notify the affected individuals when that process is complete. In the meantime, the breach has been reported to the HHS’ Office for Civil Rights as affecting a minimum of 501 individuals. The total will be updated when the scale of the breach has been confirmed.


Naked Patient Photos Published After Ransomware Attack on Plastic Surgery Clinic

Legal counsel for the Hollywood, CA-based plastic surgeon, Gary Motykie, M.D., recently notified patients about a cyberattack and data theft incident. According to the notification letters, Dr. Gary Motykie was recently contacted by a cyber threat actor who claimed to have accessed his IT systems and was in possession of sensitive patient information.

The notification was received on May 9, 2023, and a third-party incident response firm was engaged to investigate and determine the validity of the threat actor’s claims. A data breach was confirmed on or around June 6, 2023, with the review of the affected files confirming they contained information such as first and last name, address, driver’s license/identification card number, financial account information, payment card number and CVV code, Social Security Number, health insurance information, intake forms, which may include medical information and medical history, and images taken in connection with the services provided. The types of data varied from individual to individual and may have included only some of the above information.

The breach was recently reported to the Maine Attorney General as affecting a total of 3,461 individuals. Two years of complimentary credit monitoring and identity theft protection services have been offered to affected individuals and the practice has taken steps to improve data security. The incident has been reported to law enforcement, appropriate authorities, and the American Board of Plastic Surgery, which is also investigating the breach. The threat actor behind the attack was not named.

Attacks that involve the theft of naked images offer threat actors an easy way to increase pressure on the victim to make payment, as was the case with a ransomware attack on Lehigh Valley Health Network earlier this year by the ALPHV/BlackCat ransomware group. ALPHV also conducted a similar attack on another Californian plastic surgery clinic, Beverly Hills Plastic Surgery, according to recent media reports, where naked photographs were also published online when the ransom was not paid. Beverly Hills Plastic Surgery has yet to publicly confirm the data breach.

While not mentioned in the notification letters, Dr. Gary Motykie was allegedly issued with a ransom demand of $2.5 million. When payment was not received, the threat actor started publishing the stolen data, including topless images of patients along with personal information such as names, birthdates, email addresses, phone numbers, and financial information. Patients were contacted by the threat actor via email and links were shared to the Internet site where the stolen information and images were published.

Elaina Shaffy was one of the affected patients and had her photographs published online. She told NBC Los Angeles that she discovered her information had been leaked after being contacted by another patient who was in a similar position. She later discovered she had been emailed by the threat actor but had failed to see the message in her junk folder. She made contact with the threat actor and was informed that a third party had made a payment on her behalf and that her information and photographs had been removed. She has since filed a lawsuit against Dr. Gary Motykie over the theft of her information.

At least 70 individuals have had their photographs and personal information published online following the attack. Private images of Dr. Gary Motykie were also published online. Dr. Gary Motykie reportedly did not pay the ransom as there was no guarantee that the stolen data would be deleted.


First Lawsuit Filed Against HCA Healthcare Over 11 Million-Record Data Breach

Lawsuits against HCA Healthcare were an inevitability following a data breach that affected approximately 11 million individuals and saw the stolen data listed for sale on a dark web forum. The breach was announced by HCA Healthcare on July 10, 2023, and while the total number of affected individuals has yet to be confirmed, 27 million lines of data were compromised, which equates to around 11 million individuals.

Since the investigation is still in the early stages, little information has been released so far about the nature of the cyberattack, other than an unauthorized individual gaining access to an external storage location used for formatting emails. HCA Healthcare said highly sensitive information such as Social Security numbers, financial information, and clinical information does not appear to have been compromised, only information such as names, dates of birth, email addresses, phone numbers, and next appointment dates.

The first lawsuit in relation to the breach was filed in the Tennessee Middle District Court on Wednesday by the law firms Shamis & Gentile and Kopelowitz Ostrow Ferguson Wieselberg Gilbert, naming Gary Silvers and Richard Marous as plaintiffs. The lawsuit, Silvers et al v. HCA Healthcare, Inc., alleges a failure to comply with the HIPAA Rules and FTC guidelines, and that HCA Healthcare was negligent in failing to safeguard the personal and protected health information of patients. As a result of that negligence, patient data is now in the hands of cybercriminals, and the plaintiffs and class members are likely to have their sensitive data misused in a variety of fraudulent ways and face a lifetime risk of identity theft and fraud.

The lawsuit claims injuries have been suffered in a number of ways, including the lost or diminished value of private information, costs associated with the prevention, detection, and recovery from identity theft and fraud, lost opportunity costs and lost time spent mitigating the data breach’s consequences, and emotional distress from the loss of control over “highly sensitive private information.”

The lawsuit seeks monetary damages, legal fees, a jury trial, and injunctive relief, requiring HCA Healthcare to implement a variety of safeguards to better protect patient data. The injunctive relief requested includes data protection through encryption, the deletion of private information unless there is a legitimate reason for retaining that information, prohibiting the storage of data in a cloud-based database, independent third-party security audits, data segmentation, the implementation and maintenance of threat management and monitoring programs, and audits, tests, and training of security personnel.

Lawsuits are commonly filed following healthcare data breaches and a breach of this magnitude is likely to trigger many more lawsuits over the coming days and weeks; however, while legal action can be taken, there is no guarantee of success. Healthcare data breach lawsuits often hinge on whether there has been a concrete injury that more than likely was caused by a specific data breach. Lawsuits that only allege a risk of identity theft and fraud are unlikely to be granted standing.

The post First Lawsuit Filed Against HCA Healthcare Over 11 Million-Record Data Breach appeared first on HIPAA Journal.

Healthcare Providers and Vendors Confirm Recent PHI Disclosure Incidents

A round-up of data breaches that have recently been reported by HIPAA-covered entities.

South Suburban Surgical Suites Reports Email Account Breach

South Suburban Surgical Suites, a Munster, IN-based surgical center, has reported a breach of a legacy Microsoft Office 365-hosted business email account. The breach was detected on April 3, 2023, and the investigation confirmed that the account was accessed following a response to a phishing email on February 20, 2023; the unauthorized access was not blocked until April 3, 2023, some six weeks later. The review of the email account was completed on June 5, 2023, and confirmed that the protected health information of 5,340 patients was stored in the account.

That information varied from individual to individual and may have included full names in combination with addresses, dates of birth, Social Security numbers, driver’s license/state ID numbers, passport numbers, credit card information and/or financial account information, medical record numbers, dates of service, provider names, diagnoses/procedure information, prescriptions/medications, health insurance information, and/or billing and claims information.

Complimentary credit monitoring and identity protection services have been offered to individuals whose Social Security numbers were involved.

edgeMED Healthcare Reports Computer System Compromise

The Boca Raton, FL-based revenue cycle management and billing vendor, edgeMED Healthcare, LLC, has recently announced that an unauthorized individual accessed its computer systems between May 20, 2023, and May 26, 2023, and may have viewed or obtained information such as names, treatment codes, rendering provider names, and some additional encounter information.

The intrusion was detected on May 26, 2023, and access was immediately blocked. Affected individuals have now been notified about the breach and, at the time of issuing notifications, no evidence of misuse of the compromised data had been identified. edgeMED Healthcare said its security protocols have been enhanced by implementing additional security measures.

The breach has yet to appear on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.

Partnership Health Center Reports Email Error

The Missoula, MT healthcare clinic, Partnership Health Center (PHC), says a limited amount of patient information has been impermissibly disclosed due to an email error. A patient survey was sent via email to find out about patient experiences; however, emails were inadvertently sent to incorrect individuals.

An email intended for one individual was accidentally sent to another individual, who was also a Partnership Health Center patient. The only information that was impermissibly disclosed was an individual’s first and last name, and in some cases, their middle initial. The email identified a patient as having received a medical service from Partnership Health Center between July 2022 and December 2022. The nature of that service was not disclosed.

The breach has recently been reported to the HHS’ Office for Civil Rights as affecting 8,331 individuals.

Limbach Facility Services Reports Breach of Employee Benefit Plan Data

The Warrendale, PA-based construction and engineering company, Limbach Facility Services LLC, fell victim to a cyberattack that affected the availability and functionality of its computer network. The security breach was detected on April 23, 2023, with the forensic investigation determining that an unauthorized individual had access to its network between April 19, 2023, and April 22, 2023. During that time, certain files on the network were accessed and exfiltrated. Those files included the protected health information of 1,392 current and former members of its Group Benefit Plan. The compromised information included names, Social Security numbers, and limited health insurance plan enrolment information.

Additional security measures have been implemented to enhance the security of the network and affected individuals have been offered complimentary credit monitoring and identity theft protection services.

The post Healthcare Providers and Vendors Confirm Recent PHI Disclosure Incidents appeared first on HIPAA Journal.