HIPAA Breach News

98,000 UT Southwestern Medical Center Patients Affected by MOVEit Cyberattack

UT Southwestern Medical Center (UTSW) has recently confirmed that the protected health information of 98,437 patients was stolen in a cyberattack on May 28, 2023. The Clop ransomware group exploited a zero-day vulnerability in Progress Software’s MOVEit file transfer solution, gained access to UTSW’s MOVEit server, and exfiltrated files that contained names, medical record numbers, dates of birth, medication names, medication dosages, and prescribing provider names. A subset of the affected individuals also had their Social Security numbers stolen. UTSW was notified about the attack by Progress Software on May 30, 2023, and the exploited vulnerability was immediately patched.

The German cybersecurity firm KonBriefing has recently announced that its data shows at least 455 organizations were attacked in this campaign, and at least 23 million individuals were affected. The Clop group has recently started posting victim data on its clear web data leak site.

Family Vision of Anderson Suffers Ransomware Attack

Family Vision of Anderson in South Carolina was the victim of a May 2023 ransomware attack. A ransom note was detected on its computer system on May 28, 2023, indicating files had been encrypted. Computer systems were immediately taken offline to prevent further unauthorized access, and law enforcement was notified. The US Secret Service assisted with the investigation and determined ransomware was used to encrypt files on May 21.

The attackers may have obtained files containing the information of patients and their family members, including names, dates of birth, Social Security numbers, driver’s license numbers, telephone numbers, email addresses, gender, medical record numbers, health insurance information, allergies and other medical history information, appointment dates, scheduled optometrist names, optometry prescriptions, and optometry eye scans. Security has been enhanced, and employees have been provided with further training. The breach was reported to the HHS’ Office for Civil Rights as affecting up to 62,631 individuals. Notification letters have been sent and affected individuals have been offered complimentary identity theft protection services.

17,000 Individuals Affected by LifeWorks Wellness Center Hacking Incident

LifeWorks Wellness Center in Clearwater, FL, has recently reported a data breach to the Maine Attorney General that has affected 17,000 patients. Hackers gained access to its internal file system on or around May 20, 2023, and the forensic investigation confirmed that files containing patient data had been viewed, and may have been stolen. LifeWorks said the hackers did not gain access to its patient database, which includes medical and treatment records. The compromised servers included the information of current and former patients and employees such as names, Social Security numbers, credit card numbers, health identification codes, and medical conditions and diagnoses. LifeWorks said it has implemented additional security measures to prevent similar breaches in the future.

UC Davis Health Reports Breach of Employee Email Account

On May 24, 2023, UC Davis Health in Sacramento, CA, confirmed that the email account of an employee had been accessed by an unauthorized individual. The employee used their work email account to coordinate follow-up care for patients and the account included limited protected health information. The forensic investigation confirmed that only one email account had been compromised, and the breach was detected quickly by its IT security systems; however, it is possible that sensitive data was copied. Affected individuals have been offered complimentary credit monitoring services for 12 months and the employee concerned has received additional training on email security. The incident has yet to appear on the HHS’ Office for Civil Rights Breach portal, so it is currently unclear how many individuals have been affected.

Paramedic Billing Services Confirms Hackers Had Access to Patient Data

Elmhurst, IL-based Paramedic Billing Services has recently announced that it fell victim to a cyberattack in late May 2023. Suspicious activity was identified in its computer network and systems were immediately secured to prevent further unauthorized access. On June 23, 2023, Paramedic Billing Services determined that an unauthorized third party had access to systems containing protected health information and may have copied certain files from its systems. Those files included names, contact information, dates of birth, medical information, health insurance information, Social Security numbers, driver’s license/state identification numbers, financial account information, and payment card information.

The file review is ongoing, so the total number of affected individuals has yet to be established. The incident has been reported to the HHS’ Office for Civil Rights as involving at least 501 individuals. Notification letters will be sent to affected individuals when the review is completed. Paramedic Billing Services said its existing policies, processes, and procedures relating to data protection and security are being reviewed and will be enhanced.

Cardiac Monitoring Software Company Suffers Cyberattack

The Canadian cardiac monitoring software company, CardioComm Solutions Inc., has announced that it has suffered a cyberattack that has taken some of its IT systems out of operation. According to a statement released by the company, the attack has caused downtime to its services: Global Cardio 3, GEMS Flex 12, GEMS Home Flex (upload), and HeartCheck CardiBeat/GEMS Mobile ECG/RPM (record/upload). The disruption is expected to continue for several days, and potentially longer. Third-party cybersecurity experts have been engaged to investigate the attack and determine the extent to which sensitive data was involved. Customer data is not believed to have been involved, as CardioComm does not collect customer data, and its software runs on each customer’s server environment; however, employee data may have been compromised. Identity theft protection services will be offered to affected employees as a precaution.

The post 98,000 UT Southwestern Medical Center Patients Affected by MOVEit Cyberattack appeared first on HIPAA Journal.

24,400 Rite Aid Customers Had Personal Information Compromised in May Cyberattack

Rite Aid has confirmed that the protected health information of up to 24,400 of its customers has been stolen in a cyberattack. The stolen files contained names, birth dates, addresses, prescription information, and limited insurance information. Social Security numbers and financial information were not exposed or stolen in the attack. Rite Aid said a vulnerability was exploited by the attackers to gain access to sensitive data. Rite Aid was notified about the vulnerability by a third-party vendor and a patch has now been applied to correct the vulnerability.

The vulnerability was identified on May 31, 2023, with the forensic investigation confirming data theft occurred on May 26, 2023. While Rite Aid did not disclose the name of the vendor, the timing of the attack and the nature of unauthorized access suggest this was an attack by the Clop threat group, which conducted mass attacks that exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution.

Wake Family Eye Care Suffers Ransomware Attack

Wake Family Eye Care in Cary, NC, recently fell victim to a ransomware attack. The attack was detected on June 2, 2023, when files were discovered to have been encrypted. Systems were immediately isolated to prevent further unauthorized access and the incident was contained the same day. A third-party forensics firm was engaged to investigate and determine the extent of the breach. While no evidence of data theft was found, it was not possible to rule out the possibility of data theft.

The review of files on the affected part of the network revealed they contained names, addresses, dates of birth, partial or full Social Security Numbers, driver’s license/passport/other government-issued ID numbers, insurance numbers, optical images, chart numbers, and related eye records. Financial information was not compromised.

Notification letters have been sent to the 14,264 individuals potentially affected by the incident.

Catholic Charities of the Archdiocese of Newark Investigating Cyberattack

Catholic Charities of the Archdiocese of Newark has confirmed that unauthorized individuals gained access to some of its computer systems. The breach was detected on May 8, 2023, and third-party cybersecurity experts were engaged to investigate and determine the nature and scope of the breach. The investigation confirmed that hackers had access to systems where protected health information was stored between April 30, 2023, and May 8, 2023. Some of the files were acquired in the attack.

The stolen files included individuals’ names, dates of birth, driver’s license information, Social Security number, medical information, and health insurance information. The review of the files is ongoing to determine how many individuals have been affected and notification letters will be sent when that process has been completed. To meet the deadline for reporting data breaches, the HHS was notified that at least 501 individuals have likely been affected. The total will be updated when the investigation is completed.

Lancaster Orthopedic Group Notifies Patients About March Cyberattack

Lancaster Orthopedic Group in Manheim Township, PA, has discovered unauthorized access to its network. The breach was detected on March 29, 2023, with the review of the affected files confirming that names, addresses, dates of birth, Social Security numbers, medical treatment information, and insurance information were potentially compromised. The breach has been reported to the HHS’ Office for Civil Rights as affecting a minimum of 500 individuals, although up to 2,000 patients may have been affected.

IBM: Average Cost of a Healthcare Data Breach Increases to Almost $11 Million

The 2023 IBM Security Cost of a Data Breach Report shows the average data breach cost has increased to $4.45 million ($165 per record), with data breaches in the United States being the costliest at an average of $9.48 million, up 0.4% from last year. Data breaches are the costliest that they have ever been and have increased by 15% since 2020. The data for this year’s report was collected by the Ponemon Institute and included breach data from 553 organizations in 16 countries with interviews conducted with thousands of individuals. All data breaches studied for the report occurred between March 2022 and March 2023.

For the 13th year in a row, healthcare data breaches were found to be the costliest, with the average cost increasing to $10.93 million, which is a 53.3% increase over the past 3 years and an 8.22% increase from the $10.10 million average breach cost in 2022. Small organizations with fewer than 500 employees saw average data breach costs increase by 13.35% year-over-year to $3.31 million. There was a 21.4% increase in costs for mid-sized organizations (501-1,000 employees) to an average of $4.06 million, a 20% rise in costs for large organizations (1,001-5,000 employees) to $4.87 million, but a 1.8% decrease in costs for very large organizations (10,001–25,000 employees), which fell to an average of $5.46 million. The time to identify and contain a breach remained the same as in 2022, with the decrease in detection time cancelled out by an increase in containment time. In 2023, the average detection (204 days) and containment (73 days) time was 277 days.

The most common causes of data breaches were phishing attacks and compromised credentials, with phishing the initial access vector in 16% of data breaches and compromised credentials the vector in 15% of breaches. The average cost of a phishing attack was $4.76 million and an attack caused by stolen or compromised credentials cost an average of $4.62 million. The costliest breaches were caused by malicious insiders, with those incidents costing an average of $4.90 million per breach, although these breaches were relatively rare, accounting for 6% of the total. Breaches stemming from stolen or compromised credentials took the longest to identify and contain, taking 328 days compared to the average of 277 days.

Only one-third (33%) of data breaches were detected by the breached entity, with a benign third party such as law enforcement or a security researcher notifying the victim about the breach in 40% of cases, and the attacker notifying the breached entity about the attack in 27% of cases. Breaches where the attacker informed the victim cost around $1 million more than breaches that were detected by the victim ($5.23 million vs. $4.3 million). Data breaches that were disclosed by an attacker also had a much longer lifecycle (detection to containment), taking 320 days – 79 days longer than breaches that were identified by the victim.

Data breaches often occur in multiple locations such as on-premises as well as public and private clouds. IBM Security found attackers were able to breach multiple environments undetected, and when multiple environments were breached the costs soared. Multi-environment breaches cost an average of $750,000 more than data breaches in single environments and took 15 days longer to contain. Malicious attacks often rendered systems inoperable with destructive attacks accounting for 25% of all malicious attacks and ransomware accounting for 24% of attacks. Destructive attacks cost an average of $5.24 million and ransomware attacks cost an average of $5.13 million. 47% of ransomware victims chose to pay the ransom.

IBM Security was able to dispel a common myth – that involving law enforcement in a ransomware attack increases the complexity and recovery time – when the reverse was found to be true. Ransomware attacks with law enforcement involvement took an average of 33 days less to contain than when law enforcement was not involved, and law enforcement involvement also shaved an average of $470,000 off the breach cost. Despite speeding up recovery and significantly reducing breach costs, 37% of ransomware victims did not seek help from law enforcement to contain a breach.

Law enforcement recommends not paying the ransom as there is no guarantee of a faster recovery and payment of a ransom encourages further attacks. IBM Security found that paying the ransom only resulted in minimal savings – a cost difference of $110,000, or 2.2%, although that does not include the ransom amount. Taking the ransom payment into consideration, many organizations ended up paying more than they would likely have spent had they chosen not to pay the ransom.

The biggest cost mitigators were the adoption of a DevSecOps approach (integrating security in the software development cycle), which saved almost $250,000 on average, employee training (-$233,000), incident response planning and testing (-$232,000), and AI and machine learning insights (-$225,000). AI and automation shaved an average of 108 days from identification and containment, and attack surface management (ASM) solutions shaved an average of 83 days off the response time. The biggest cost amplifiers were security systems complexity (+$241,000), security skills shortages (+$239,000), and non-compliance with regulations (+$219,000).

The report revealed 95% of organizations had suffered more than one breach and the costs of these breaches were passed onto consumers by 57% of organizations, with only 51% of organizations increasing security investments following a data breach.

June 2023 Healthcare Data Breach Report

The Department of Health and Human Services’ Office for Civil Rights (OCR) breach portal shows a 12% month-over-month reduction in the number of healthcare data breaches of 500 or more records. In June, HIPAA-regulated entities reported 66 breaches, and while this was an improvement on the 73 breaches reported in June 2022, the month’s total is still well above the 12-month average of 58 data breaches a month.

Healthcare Data Breaches Past 12 Months - June 2023

May was a particularly bad month for data breaches with more than 19 million individuals having their protected health information exposed or impermissibly disclosed, so while there was a 73.67% month-over-month reduction in breached records in June, the previous month’s total was unnaturally high. June’s total of 5,015,083 breached records was below the 12-month average of 6 million records a month and less than the 6,258,833 records breached in June 2022, but that is still more than 167,000 breached healthcare records a day – 17.6% more than the daily average in 2022.

Healthcare Records Breached in the Past 12 Months - June 2023

In H1 2023, 41,452,622 healthcare records were exposed or impermissibly disclosed. That’s just a few thousand records short of the total for all of 2019 and just 10 million below the total for all of 2022.

Largest Healthcare Data Breaches in June 2023

In June, 25 data breaches of 500 or more records were reported to OCR, all but two of which were hacking/IT incidents. The largest breach of the month by some distance was a ransomware attack and data theft incident at the biotech and diagnostics company, Enzo Clinical Labs (Enzo Biochem). Murfreesboro Medical Clinic & SurgiCenter also suffered a major breach where sensitive data was stolen and a ransom demand was issued to prevent a data leak, as did Intellihartx. Intellihartx was one of several companies that had sensitive data stolen by the Cl0p ransomware group, which mass exploited a zero-day vulnerability in Fortra’s GoAnywhere MFT file transfer solution in late January.

As the table below indicates, it is becoming increasingly common for HIPAA-regulated entities to only disclose limited information in their notification letters. Data breaches are often reported as “unauthorized individuals accessed the network and may have accessed or removed patient information,” even when data theft has been confirmed and the stolen data has been uploaded to the data leak sites of ransomware groups. The lack of information can make it difficult for victims of data breaches to assess the level of risk they face.

Healthcare Data Breaches of 10,000 or More Records

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Cause of Breach |
|---|---|---|---|---|---|
| Enzo Clinical Labs, Inc. | NY | Healthcare Provider | 2,470,000 | Hacking/IT Incident | Ransomware attack |
| Murfreesboro Medical Clinic & SurgiCenter | TN | Healthcare Provider | 559,000 | Hacking/IT Incident | Cyberattack (extortion) |
| Intellihartx, LLC | TN | Business Associate | 489,830 | Hacking/IT Incident | Cyberattack (extortion) – Fortra GoAnywhere MFT Solution hacked |
| Advanced Medical Management, LLC | MD | Business Associate | 319,485 | Hacking/IT Incident | Hacking of network designed/maintained by a business associate |
| Great Valley Cardiology | PA | Healthcare Provider | 181,764 | Hacking/IT Incident | Cyberattack – Brute force attack involving data theft |
| Petaluma Health Center | CA | Healthcare Provider | 124,862 | Hacking/IT Incident | Cyberattack – Details unknown |
| Imagine360 | PA | Business Associate | 112,611 | Unauthorized Access/Disclosure | Cyberattack (extortion) – Fortra GoAnywhere MFT and Citrix file transfer solutions hacked |
| Kannact, Inc. | OR | Business Associate | 103,547 | Hacking/IT Incident | Cyberattack (extortion) – Fortra GoAnywhere MFT Solution hacked |
| Activate Healthcare LLC | IL | Healthcare Provider | 93,761 | Hacking/IT Incident | Cyberattack with data theft confirmed |
| Desert Physicians Management | CA | Business Associate | 56,556 | Hacking/IT Incident | Cyberattack with data theft confirmed |
| ARx Patient Solutions | KS | Healthcare Provider | 41,166 | Unauthorized Access/Disclosure | Compromised email account |
| Orrick, Herrington & Sutcliffe LLP | CA | Business Associate | 40,823 | Hacking/IT Incident | Cyberattack – Details unknown |
| Tidewater Diagnostic Imaging, Ltd. | MA | Healthcare Provider | 40,195 | Hacking/IT Incident | Hacking Incident – Details unknown |
| Peachtree Orthopaedic Clinic, P.A. | GA | Healthcare Provider | 34,691 | Hacking/IT Incident | Cyberattack (extortion) by Karakurt threat group |
| Atlanta Women’s Health Group, P.C. | GA | Healthcare Provider | 33,839 | Hacking/IT Incident | Cyberattack – Details unknown |
| Maimonides Medical Center | NY | Healthcare Provider | 33,000 | Hacking/IT Incident | Cyberattack – Details unknown |
| Elgon Information Systems | MA | Business Associate | 31,248 | Hacking/IT Incident | Hacking Incident – Details unknown |
| Community Research Foundation | CA | Healthcare Provider | 30,057 | Hacking/IT Incident | Hacking Incident – Details unknown |
| Mount Desert Island Hospital, Inc. | ME | Healthcare Provider | 24,180 | Hacking/IT Incident | Cyberattack – Details unknown |
| Mercy Medical Center – Clinton, Inc. | IA | Healthcare Provider | 20,865 | Hacking/IT Incident | Ransomware attack |
| Ascension Seton | TX | Healthcare Provider | 17,191 | Hacking/IT Incident | Hacking incident at business associate (Vertex) |
| John N. Evans, DPM | MI | Healthcare Provider | 15,585 | Hacking/IT Incident | Hacking Incident – Details unknown |
| New Horizons Medical, Inc | MA | Healthcare Provider | 12,317 | Hacking/IT Incident | Hacking Incident – Details unknown |
| CareNet Medical Group, PC | NY | Healthcare Provider | 10,059 | Hacking/IT Incident | Cyberattack with data theft confirmed |
| Core Performance Physicians, dba Vincera Core Physicians | PA | Healthcare Provider | 10,000 | Hacking/IT Incident | Ransomware attack affecting four Vincera companies (25,000 affected in total) |

Causes of June 2023 Healthcare Data Breaches

Hacking incidents once again dominated the breach reports, accounting for more than 77% of the month’s data breaches and more than 96% of the month’s breached records. The average breach size was 94,480 records and the median breach size was 5,973 records. 4,818,457 records were exposed or compromised in hacking incidents. There were 14 unauthorized access/disclosure incidents reported, which cover a range of different incidents including unauthorized medical record access, unsecured paper records, mismailing incidents, and misdirected emails. Across those incidents, 196,026 records were impermissibly accessed or disclosed. The average breach size was 14,002 records and the median breach size was 2,567 records. There was one incident involving the improper disposal of 600 paper records and no reported loss or theft incidents.

Causes of June 2023 healthcare data breaches

As the chart below shows, the most common location of breached protected health information was network servers, with email accounts the second most common location of breached data.

location of breached information in June 2023 healthcare data breaches

Where Did the Breaches Occur?

The raw data from the OCR breach portal shows data breaches by reporting entity; however, that does not mean that is where the breach occurred. When data breaches occur at business associates, the business associate may report the breach, or the covered entities affected, or a combination of the two. The raw data shows 44 breaches at healthcare providers, 12 at business associates, and 10 at health plans.

The charts below are based on adjusted figures and show where the data breach occurred rather than the entity reporting the breach as this better reflects the number of data breaches that occurred at business associates of HIPAA-regulated entities.

June 2023 healthcare data breaches - covered entity type

Records breached at HIPAA-regulated entities in June 2023

Geographical Distribution of Healthcare Data Breaches

Data breaches of 500 or more records were reported by HIPAA-regulated entities in 31 states in June 2023. Pennsylvania was the worst affected state, with 11 data breaches reported. The high total is partly due to 6 of the breaches relating to two incidents that were reported separately for each company affected. Even taking this into account, Pennsylvania was the worst affected state.

| State | Breaches |
|---|---|
| Pennsylvania | 11 |
| California | 5 |
| Massachusetts, New York & Texas | 4 |
| Arizona & Minnesota | 3 |
| Florida, Georgia, Maryland, Michigan, North Carolina, Ohio, Tennessee & Utah | 2 |
| Alabama, Delaware, Idaho, Illinois, Iowa, Indiana, Kansas, Kentucky, Maine, Mississippi, Montana, New Jersey, Oklahoma, Oregon, South Carolina & Virginia | 1 |

HIPAA Enforcement Activity in June 2023

The Office for Civil Rights announced three enforcement actions in June to resolve potential violations of the HIPAA Rules. Yakima Valley Memorial Hospital was investigated by OCR after a report was received about a HIPAA breach involving 23 security guards who had been accessing patient records without authorization. OCR determined that the hospital had failed to implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of the Security Rule. The case was settled and the hospital agreed to pay a $240,000 penalty.

Manasa Health Center was investigated after complaints were filed with OCR about impermissible disclosures of PHI in response to negative online reviews left by four patients. The case was settled with OCR and Manasa Health Center agreed to pay a $30,000 penalty. This was OCR’s third enforcement action in the past year to see a financial penalty for disclosures of PHI in response to negative patient reviews. No company likes to receive bad reviews and negative customer comments may be unjustified, but PHI must never be disclosed online in response to reviews.

iHealth Solutions, which does business as Advantum Health, was investigated over a relatively small data breach involving the exposure of the ePHI of 267 patients. Patient information was stored on a server that had not been properly secured, allowing protected health information to be accessed over the Internet. OCR determined that iHealth Solutions had failed to conduct an accurate, thorough, organization-wide risk analysis to identify all risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. The case was settled and iHealth Solutions agreed to pay a $75,000 penalty.

OCR has now imposed 8 financial penalties on HIPAA-regulated entities so far this year to resolve alleged violations of the HIPAA Rules with the penalties totaling $1,976,500. OCR has already exceeded last year’s total of $1,124,640 in fines that were collected from HIPAA-regulated entities in 17 enforcement actions.

State attorneys general can also impose financial penalties for HIPAA violations, although the fines are often imposed for equivalent violations of state laws, as was the case in California in June. In 2019, Kaiser Permanente sent mailings to its plan members, but an error resulted in letters being sent to old addresses, resulting in an impermissible disclosure of members’ protected health information. While this was a HIPAA violation, California imposed a financial penalty for violations of the California Confidentiality of Medical Information Act (CMIA) – an impermissible disclosure of the personal information of up to 175,000 individuals and the negligent maintenance and/or disposal of medical information. The case was settled for $450,000.

Tampa General Hospital Says Hackers Exfiltrated the Data of 1.2 Million Patients

Tampa General Hospital has recently confirmed that hackers gained access to its network and stole files containing the protected health information of up to 1.2 million patients. A security breach was detected on May 31, 2023, when suspicious activity was identified within its network. The affected systems were immediately taken offline to prevent further unauthorized access and a third-party digital forensics firm was engaged to investigate the incident and determine the nature and scope of the attack.

The investigation confirmed that unauthorized individuals had access to its network for three weeks between May 12, and May 30, 2023, during which time they exfiltrated files containing patient information. The information compromised in the incident varied from individual to individual and may have included names, phone numbers, addresses, dates of birth, Social Security numbers, medical record numbers, patient account numbers, dates of service, health insurance information, and limited treatment information. Tampa General Hospital confirmed that the hackers did not gain access to its electronic medical record system.

Tampa General Hospital said this was an attempted ransomware attack and while data theft occurred, its security systems prevented files from being encrypted. Additional technical security measures have now been implemented to harden its systems and prevent further data breaches and network monitoring has been enhanced to ensure that any future security breaches are detected rapidly.

Notification letters will be mailed to affected individuals when contact information has been verified. Tampa General Hospital said affected individuals will be offered complimentary credit monitoring and identity theft protection services.

168,000 Patients Have PHI Exposed in Phishing Attack on Henry Ford Health

Detroit, MI-based Henry Ford Health has recently notified 168,000 patients that an unauthorized individual gained access to employee email accounts that contained some of their protected health information. A spokesperson for Henry Ford Health said the unauthorized access occurred on March 30, 2023, after employees responded to phishing emails. The attack was discovered quickly and the accounts were secured; however, access to patient data was possible. A review of the email accounts confirmed on May 16, 2023, that they contained the following patient information: name, date of birth, age, gender, telephone number, medical record number/internal tracking number, lab results, procedure type, diagnosis, and date(s) of service. Henry Ford Health is implementing additional security measures to protect against future email account breaches and additional training has been provided to employees.

IMX Medical Management Services Announces 2022 Malware Incident

The Malvern, PA-based medical consulting company, IMX Medical Management Services, has recently confirmed that malware was found on a laptop computer that potentially allowed unauthorized individuals to access the protected health information of 7,594 individuals. According to the notification letters, the malware was detected on September 1, 2022, and the forensic investigation revealed the malware had been present since as early as June 2022. Additional malware indicators were also found on its network in October 2022.

IMX said the malware has been removed and no further indicators of malware have been detected since October 2022. The delay in issuing notifications was due to the “extensive and complex analysis of the affected data.” IMX said the malware provided access to the bodies of email messages but attachments were not exfiltrated. The compromised information included names or other personal identifiers along with driver’s license numbers and other ID cards. Identity theft protection services have been offered to affected individuals.

Storage Unit Purchased at Auction Contained Dozens of Boxes of Patient Files

A storage unit was recently sold at auction that contained more than 200 boxes of patient files. The unit went up for sale when the unit rental payments stopped. The purchaser submitted a blind bid for the unit and discovered the boxes of patient files after purchasing the unit. The records related to patients of East Houston Medicine and Pediatric Center who received treatment between 2009 and 2019. The files included information such as names, Social Security numbers, driver’s license images, medical histories, and insurance information. The purchaser is currently trying to arrange for the files to be collected.

PHI Exposed in Charles George VA Medical Center Mismailing Incident

Charles George VA Medical Center in Asheville, NC, has confirmed that the personal information of 1,541 veterans has been exposed in an email mismailing incident. The data exposure was detected on May 12, 2023, and immediate steps were taken to delete the emails that had not been opened; however, the messages were opened by three veterans. The emails included an attachment that contained limited protected health information. Affected individuals have been offered complimentary credit monitoring and identity theft protection services.

The post 168,000 Patients Have PHI Exposed in Phishing Attack on Henry Ford Health appeared first on HIPAA Journal.

Pension Benefit Information Confirms PHI of 371,359 Individuals Stolen in MOVEit Transfer Hack

Pension Benefit Information, LLC, doing business as PBI Research Services (PBI), has recently confirmed that the protected health information of 371,359 individuals was obtained by the Clop ransomware hackers in an attack that exploited a zero-day vulnerability in the MOVEit Transfer file transfer solution on or around May 31, 2023.

PBI said the breach was discovered on June 2, 2023, and the patch to fix the flaw was applied the same day. The forensic investigation confirmed that one of PBI’s MOVEit Transfer servers was accessed by the Clop hackers on May 29 and May 30, 2023. The files stolen in the attack included names, partial mailing addresses, dates of birth, and Social Security numbers. PBI said it is unaware of any actual or attempted misuse of the stolen information; however, as a precaution, affected individuals have been offered two years of complimentary credit monitoring and identity theft protection services. Notifications started to be sent to the affected individuals on June 4, 2023.

LockBit Ransomware Group Announces Attack on Panorama Eyecare

The LockBit ransomware group has recently added Panorama Eyecare to its data leak site and claims to have exfiltrated 798 GB of data from the Colorado-based physician management organization, including data from its clients Eye Center of Northern Colorado, Denver Eye Surgeons, Cheyenne Eye Clinic & Surgery Center, and 2020 Vision Center. Panorama Eyecare has yet to publicly confirm the data breach and it is currently unclear to what extent patient data was involved.

8Base Ransomware Group Adds Kansas Medical Center to its Data Leak Site

Kansas Medical Center, a physician-owned hospital in Andover, KS, has recently been added to the data leak site of the 8Base ransomware group. The threat group claims the attack occurred on June 18, 2023, and that sensitive patient and employee data was stolen, including names, addresses, registration information, and other information. Kansas Medical Center has not publicly announced the attack and it is unclear how many patients have been affected.

Phoenician Medical Center Cyberattack Affects Up to 162,500 Patients

Phoenician Medical Center, Inc. (PMC) has recently reported a security incident that disrupted some of its IT systems. The incident was detected on March 31, 2023, although it is unclear from the breach notifications when hackers first gained access to its network. The forensic investigation confirmed that there had been unauthorized access to files containing the protected health information of patients, some of which may have been obtained by the hackers.

On April 25, 2023, PMC confirmed the affected information included names, contact information, demographic information, date of birth, state identification numbers, medical record numbers, diagnosis and treatment information, provider name(s), date(s) of service, prescription information, and/or health insurance information. Affected patients had received medical services at PMC or its affiliated companies, Phoenix Neurological & Pain Institute, and/or Laser Surgery Center between 2016 and 2023. The breach was reported to the HHS’ Office for Civil Rights as affecting up to 162,500 current and former patients. PMC said it will be enhancing its security protocols and technical safeguards to prevent similar incidents in the future.

Public Health Management Corporation Investigating May Cyberattack

The Philadelphia, PA-based nonprofit health institute, Public Health Management Corporation (PHMC), has recently announced that unauthorized individuals gained access to its systems. Suspicious activity was detected on May 8, 2023, and the forensic investigation confirmed that an unauthorized individual may have accessed and acquired sensitive patient information on May 8, 2023.

The exposed information included full names, addresses, Social Security numbers, birth dates, medical histories, mental and physical treatment information, diagnosis information, physician names, medical record numbers, and health insurance information. PHMC said it is currently reviewing the affected files and verifying contact information and will notify the affected individuals when that process is complete. In the meantime, the breach has been reported to the HHS’ Office for Civil Rights as affecting a minimum of 501 individuals. The total will be updated when the scale of the breach has been confirmed.

Naked Patient Photos Published After Ransomware Attack on Plastic Surgery Clinic

Legal counsel for the Hollywood, CA-based plastic surgeon, Gary Motykie, M.D., recently notified patients about a cyberattack and data theft incident. According to the notification letters, Dr. Gary Motykie was recently contacted by a cyber threat actor who claimed to have accessed his IT systems and to be in possession of sensitive patient information.

The notification was received on May 9, 2023, and a third-party incident response firm was engaged to investigate and determine the validity of the threat actor’s claims. A data breach was confirmed on or around June 6, 2023, with the review of the affected files confirming they contained information such as first and last name, address, driver’s license/identification card number, financial account information, payment card number and CVV code, Social Security number, health insurance information, intake forms (which may include medical information and medical history), and images taken in connection with the services provided. The types of data varied from individual to individual and may have included only some of the above information.

The breach was recently reported to the Maine Attorney General as affecting a total of 3,461 individuals. Two years of complimentary credit monitoring and identity theft protection services have been offered to affected individuals and the practice has taken steps to improve data security. The incident has been reported to law enforcement, appropriate authorities, and the American Board of Plastic Surgery, which is also investigating the breach. The threat actor behind the attack was not named.

Attacks that involve the theft of naked images offer threat actors an easy way to increase pressure on the victim to make payment, as was the case with a ransomware attack on Lehigh Valley Health Network earlier this year by the ALPHV/BlackCat ransomware group. ALPHV also conducted a similar attack on another Californian plastic surgery clinic, Beverly Hills Plastic Surgery, according to recent media reports, where naked photographs were also published online when the ransom was not paid. Beverly Hills Plastic Surgery has yet to publicly confirm the data breach.

While not mentioned in the notification letters, Dr. Gary Motykie was allegedly issued with a ransom demand of $2.5 million. When payment was not received, the threat actor started publishing the stolen data, including topless images of patients along with personal information such as names, birthdates, email addresses, phone numbers, and financial information. Patients were contacted by the threat actor via email and links were shared to the Internet site where the stolen information and images were published.

Elaina Shaffy was one of the affected patients and had her photographs published online. She told NBC Los Angeles that she discovered her information had been leaked after being contacted by another patient who was in a similar position. She later discovered she had been emailed by the threat actor but had failed to see the message in her junk folder. She made contact with the threat actor and was informed that a third party had made a payment on her behalf and that her information and photographs had been removed. She has since filed a lawsuit against Dr. Gary Motykie over the theft of her information.

At least 70 individuals have had their photographs and personal information published online following the attack. Private images of Dr. Gary Motykie were also published online. Dr. Gary Motykie reportedly did not pay the ransom as there was no guarantee that the stolen data would be deleted.
