HIPAA Breach News

Lincare Holdings Proposes $7.25 Million Settlement to Resolve Data Breach Lawsuit

A $7.25 million settlement has been proposed to resolve a class action lawsuit – In re: Lincare Holdings Inc. Data Breach Litigation – filed against Lincare Holdings over a September 2021 data breach that affected 2,918,444 individuals.

Lincare Holdings is a provider of in-home respiratory care and equipment. In September 2021, unauthorized activity was detected within its network and the forensic investigation confirmed an unauthorized third party had gained access to files containing patient data. The exposed protected health information included names, addresses, Lincare account numbers, dates of birth, treatment information, provider names, dates of service, diagnosis and procedure information, account or record numbers, health insurance information, and prescription information, and for a small number of affected individuals, Social Security numbers.

Legal action was taken by the affected individuals who alleged that Lincare Holdings was negligent for failing to implement reasonable and appropriate cybersecurity measures, and had those measures been implemented, the data breach could have been avoided. Lincare has not admitted any wrongdoing but has proposed a settlement to end the litigation.

Class members will be permitted to submit claims for up to $5,000 as reimbursement for out-of-pocket losses fairly traceable to the data breach, including up to 4 hours of lost time at $20 per hour. Recoverable losses include bank fees, credit fees, communication costs, unreimbursed fraudulent charges, and losses to identity theft. Individuals who were California residents at the time of the breach can also claim an additional $90.

All class members are eligible to receive a one-year membership to Medical Shield services, which includes medical record monitoring, health insurance monitoring, dark web monitoring, real-time authentication alerts, high-risk transaction monitoring, Medicare monitoring, provider monitoring, HSA monitoring, ICD monitoring, credit freeze assistance, and identity theft remediation services. They will also be covered by a $1 million identity theft insurance policy.

Claims must be submitted by April 15, 2024, and any class member wishing to object to or exclude themselves from the settlement must do so by March 14, 2024. The final hearing has been scheduled for June 12, 2024.

The plaintiff and class members were represented by John A. Yanchunis of Morgan & Morgan; Stephen R. Basser of Barrack Rodos & Bacine; Raina Borrelli of Turke & Strauss LLP; Alexandra M Honeycutt of Milberg Coleman Bryson Phillips Grossman PLLC; and Carl V Malmstrom of Wolf Haldenstein Adler Freeman & Herz LLC.

The post Lincare Holdings Proposes $7.25 Million Settlement to Resolve Data Breach Lawsuit appeared first on HIPAA Journal.

Meridian Behavioral Healthcare Discloses 99,000-Record Data Breach

Data breaches have recently been reported by Meridian Behavioral Healthcare, Network 180, Erie VA Medical Center, and Fred Hutchinson Cancer Center.

Meridian Behavioral Healthcare

Meridian Behavioral Healthcare, Inc. in Florida has recently confirmed that protected health information was exposed in a security breach that was detected on August 11, 2023. Third-party cybersecurity specialists were engaged to investigate the breach and on December 4, 2023, confirmed that 98,808 individuals had been affected. Written notifications were mailed on December 22, 2023. The information exposed in the breach varied from individual to individual and may have included names, addresses, Social Security numbers, dates of birth, medical diagnosis and treatment information, health insurance information, and prescription information.

Meridian Behavioral Healthcare said it is not aware of any misuse of patient data but has offered the affected individuals complimentary credit monitoring services. Additional security measures have been implemented within its network, and data security policies and procedures are being reviewed and will be updated to better protect patient data.

Network 180

The Kent County Community Mental Health Authority, which does business as Network 180, has notified 59,334 individuals about unauthorized access to their protected health information. A security breach was detected on October 18, 2023, and the attack was contained by the IT department the same day. Third-party cybersecurity experts were engaged to investigate the breach and confirmed on October 25, 2023, that the unauthorized activity stemmed from a phishing attack.

An employee clicked a malicious link in an email that directed them to a website where they were prompted to enter their credentials, which were captured by the attacker and used to access the employee’s email account. Network 180 said multi-factor authentication was enabled on the employee’s account; however, the MFA controls were bypassed in the attack. The threat actor was able to access the employee’s email account between September 28, 2023, and October 18, 2023, and during that time exported data from the account, including names, addresses, dates of birth, full or partial Social Security Numbers, health insurance policy information, medical information, other demographic information (i.e., race or gender), and in a limited number of cases, financial account or payment card numbers and/or driver’s license numbers.

Network 180 said it has taken several steps to improve the security of its Office 365 email accounts and has hired cybersecurity staff to proactively monitor its systems. The affected individuals have been notified and offered complimentary credit monitoring services for 12 months. Network 180 deserves credit for being transparent about the data breach and providing detailed information in its breach notice to the affected individuals.

Erie VA Medical Center

Erie VA Medical Center has apologized for an impermissible disclosure of patient data in mid-November. A printing error was made when sending appointment scheduling and appointment reminders to patients, which resulted in the reminders being sent to incorrect patients. The postcards only included information concerning the appointment and did not include sensitive or other identifying information. 2,380 veterans in Delaware, Kentucky, Maryland, New Jersey, New York, Ohio, Pennsylvania, Virginia, and West Virginia were affected. The postcards were sent to the correct recipients on November 16, 2023.

Fred Hutchinson Cancer Center

Fred Hutchinson Cancer Center has notified 544 patients that some of their sensitive data has potentially been exposed. Fred Hutch was notified on October 27, 2023, by a provider that their laptop computer had been lost while traveling. The laptop was used to access a Microsoft Outlook application through which patient information could be accessed. The provider said the laptop was password protected and has now been configured to initiate a remote wipe of the hard drive if it comes online. Fred Hutch conducted a review to find out what types of data were accessible through the laptop and determined that names, addresses, phone numbers, dates of birth, medical record numbers, patient account numbers, dates of service, and certain clinical information had been exposed, and for a limited number of patients, also Social Security numbers.

Notification letters were sent on December 26, 2023, and complimentary credit monitoring services have been made available to individuals who had their Social Security numbers exposed. Fred Hutch has provided additional education to the workforce on safeguarding mobile devices. This is the second data breach to be reported by Fred Hutchinson Cancer Center in the past few weeks. A much more serious breach occurred between November 19 and November 25, 2023, when a cybercriminal group breached its network and stole patient data. Fred Hutch has not yet confirmed how many patients have been affected but the hackers claimed to have infiltrated the data of around 800,000 patients. When the ransom was not paid, the threat actors started threatening patients directly.


December 2023 Healthcare Data Breach Report

There was no letup in healthcare data breaches as the year drew to a close, with December seeing the second-highest number of data breaches of the year. The Department of Health and Human Services (HHS) Office for Civil Rights received 74 reports of healthcare data breaches of 500 or more records in December, which helped make 2023 a record-breaking year for healthcare data breaches. While there may still be some late additions to the list, as of January 18, 2023, 725 data breaches of 500 or more healthcare records have been reported to OCR in 2023 – the highest number since OCR started publishing records of data breaches on its “Wall of Shame.” To add some perspective, that is more than twice the number of data breaches that were reported in 2017.

It is not just the number of data breaches that is concerning. Healthcare data breaches have been increasing in severity and there have been ransomware attacks that have seen patients contacted and threatened directly with the exposure of their sensitive health data. Many of the data breaches reported in 2023 have been on a colossal scale, with December no exception with two multi-million-record data breaches reported.

Since 2009, when OCR created its Wall of Shame, the number of breached records has been trending upwards, but even the most pessimistic of security professionals would not have predicted at the start of 2023 that there would be such a massive rise in breached records. 2021 was a bad year with 45.9 million records breached, and 2022 was worse with 51.9 million breached records, but in 2023, an astonishing 133 million records were exposed or stolen. On January 18, 2023, the OCR breach portal showed 133,068,542 individuals had their protected health information exposed or stolen in 2023.

We will explore the year’s data breaches in greater detail and make predictions for the coming year in posts over the next few days but first, let’s take a dive into December’s data breaches to see where and how 11,306,411 healthcare records were breached.

The Biggest Healthcare Data Breaches in December 2023

Two of the largest data breaches of 2023 were reported in December, the largest of which occurred at the New Jersey-based analytics software vendor, HealthEC. Hackers gained access to a system used by more than 1 million healthcare professionals to improve patient outcomes. The platform contained the protected health information of 4,452,782 individuals. The data breach was the second in as many months to result in the exposure of the health data of more than 1 million Michigan residents, prompting the Michigan Attorney General to call for new legislation to hold companies accountable for breaches of healthcare data.

A 2.7 million-record data breach was reported by another business associate, ESO Solutions. ESO Solutions is a provider of software solutions for hospitals, health systems, EMS agencies, and fire departments, and had its network breached and files encrypted with ransomware. At least 12 health systems and hospitals are known to have been affected.

More than 900,000 records were obtained by hackers who gained access to an archive of data from the now-defunct Fallon Ambulance Services, which was being stored by Transformative Healthcare to meet data retention requirements, and a cyberattack on Electrostim Medical Services exposed the data of almost 543,000 patients.

It has now been 7 months since the Clop hacking group exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer solution and data breach reports continue to be issued. More than 2,600 organizations worldwide had data stolen in the attacks, with the healthcare industry among the worst affected.

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Data Breach
HealthEC LLC | NJ | Business Associate | 4,452,782 | Hacking incident (Data theft confirmed)
ESO Solutions, Inc. | TX | Business Associate | 2,700,000 | Ransomware attack
Transformative Healthcare (Fallon Ambulance Services) | MA | Healthcare Provider | 911,757 | Hacking incident (Data theft confirmed)
Electrostim Medical Services, Inc. dba EMSI | FL | Healthcare Provider | 542,990 | Hacking incident
Cardiovascular Consultants Ltd. | AZ | Healthcare Provider | 484,000 | Ransomware attack (Data theft confirmed)
Retina Group of Washington, PLLC | MD | Healthcare Provider | 455,935 | Ransomware attack
CompleteCare Health Network | NJ | Healthcare Provider | 313,973 | Ransomware attack (Data theft confirmed)
Health Alliance Hospital Mary’s Avenue Campus | NY | Healthcare Provider | 264,197 | Hacking incident (Data theft confirmed)
Independent Living Systems, LLC | FL | Business Associate | 123,651 | Hacking incident (MOVEit)
Pan-American Life Insurance Group, Inc. | LA | Health Plan | 105,387 | Hacking incident (MOVEit)
Meridian Behavioral Healthcare, Inc. | FL | Healthcare Provider | 98,808 | Hacking incident
Mercy Medical Center | IA | Healthcare Provider | 97,132 | Hacking incident at business associate (PJ&A)
Pan-American Life Insurance Group, Inc. | LA | Business Associate | 94,807 | Hacking incident (MOVEit)
Regional Family Medicine | AR | Healthcare Provider | 80,166 | Hacking incident
HMG Healthcare, LLC | TX | Healthcare Provider | 80,000 | Hacking incident (Data theft confirmed)
Heart of Texas Behavioral Health Network | TX | Healthcare Provider | 63,776 | Hacking incident
Kent County Community Mental Health Authority d/b/a Network180 | MI | Healthcare Provider | 59,334 | Unauthorized email account access
Highlands Oncology Group PA | AR | Healthcare Provider | 55,297 | Ransomware attack
Southeastern Orthopaedic Specialists, PA | NC | Healthcare Provider | 35,533 | Ransomware attack (Data theft confirmed)
Eye Physicians of Central Florida, PLLC, a division of Florida Pediatric Associates, LLC | FL | Healthcare Provider | 31,189 | Hacking incident (Data theft confirmed)
Clay County Social Services | MN | Business Associate | 22,005 | Ransomware attack (Data theft confirmed)
Bellin Health | WI | Healthcare Provider | 20,790 | Hacking incident
Neuromusculoskeletal Center of the Cascades, PC | OR | Healthcare Provider | 19,373 | Unauthorized email account access
Independent Living Systems, LLC | FL | Healthcare Provider | 19,303 | Hacking incident (MOVEit)
Community Memorial Healthcare, Inc. | KS | Healthcare Provider | 14,798 | Hacking incident
VNS Choice dba VNS Health Health Plans | NY | Health Plan | 13,584 | Unauthorized email account access
Hi-School Pharmacy | WA | Healthcare Provider | 12,779 | Ransomware attack

Many HIPAA-regulated entities keep information to the bare minimum in their breach reports, which allows them to meet legal requirements for breach reporting while minimizing the risk of disclosing information that could be used against them in class action lawsuits. The problem with this minimalistic breach reporting is the victims of the breach are not given enough information to accurately assess the risk they face, and the lack of transparency in data breach reporting makes it difficult to accurately assess how hackers are gaining access to healthcare networks and the nature of the attacks.

This is especially true for ransomware attacks and data theft/extortion attacks. Several breaches have been reported as hacking incidents involving only a possibility of unauthorized access to or theft of patient data, even though the threat actors behind the attacks have claimed responsibility and have added the breached entity to their data leak sites. This trend has grown throughout the year.

December 2023 Data Breach Causes and Data Locations

All of December’s data breaches of 10,000 or more records were hacking incidents, which accounted for 83.78% of the month’s 74 data breaches (62 incidents) and 99.79% of the month’s breached healthcare records (11,283,128 records). The average breach size was 181,986 records and the median breach size was 6,728 records. In 2009, hacking incidents accounted for 49% of all data breaches of 500 or more records. In 2023, hacking incidents accounted for 79.72% of all large data breaches. Something clearly needs to be done to improve resiliency to hacking and there are signs of action being taken at the state and federal level.

In December 2023, OCR published its Healthcare Sector Cybersecurity Strategy which details several steps that OCR plans to take to improve cyber resiliency in the healthcare sector and patient safety. The extent to which these plans will be made a reality will depend on Congress making the necessary funding available. OCR is planning a much-needed update to the HIPAA Security Rule in 2024 and has stated that it will establish voluntary cybersecurity goals for the healthcare sector. OCR will be working with Congress to provide financial assistance for domestic investments in cybersecurity to help cover the initial cost. The New York Attorney General has also announced that there will be new cybersecurity requirements for hospitals in the state after a significant increase in cyberattacks, and that funds have been made available to help low-resource hospitals make the necessary improvements.

There were 8 data breaches classified as unauthorized access/disclosure incidents, involving 14,998 healthcare records. The average breach size was 1,875 records and the median breach size was 1,427 records. There were four loss/theft incidents reported in December, two of which involved stolen paperwork and two involved the loss of electronic devices, with the latter preventable if encryption had been used. 8,285 records were lost across these incidents.

The most common location of breached healthcare data was network services, which is unsurprising given the large number of hacking incidents. 14 data breaches involved protected health information stored in email accounts, three of which resulted in the exposure of more than 10,000 records.

Where did the Data Breaches Occur?

The raw data from the OCR data breach portal shows healthcare providers were the worst affected entity in December with 49 reported breaches of 500 or more records, followed by business associates with 13 breaches, health plans with 11, and a single breach at a healthcare clearinghouse. While healthcare providers suffered the most breaches, it was data breaches at business associates that exposed the most records. Across the 13 business associate-reported breaches, 7,416,567 records were breached, compared to 3,730,791 records in the 49 breaches at healthcare providers. The health plan breaches exposed 156,479 records and 2,574 records were exposed in the healthcare clearinghouse data breach.

These figures do not tell the full story, as the reporting entity may not be the entity that suffered the data breach. Many data breaches occur at business associates of HIPAA-covered entities but are reported to OCR by the covered entity rather than the business associate. A deeper dive into the data to determine where the breach actually occurred reveals there were 24 data breaches at business associates (7,544,504 records), 43 data breaches at healthcare providers (3,616,078 records), 6 data breaches at health plans (143,255 records), and one breach at a healthcare clearinghouse (2,574 records).

The average size of a business associate data breach was 314,354 records (median: 2,749 records), the average size of a healthcare provider data breach was 84,095 records (median: 5,809 records), and the average health plan data breach was 23,876 records (median: 7,695 records). The chart below shows where the data breaches occurred rather than the reporting entity.

Geographical Distribution of Healthcare Data Breaches

HIPAA-regulated entities in 32 states reported data breaches of 500 or more records in December. California was the worst affected state with 85 large data breaches followed by New York and Texas with 7 reported breaches.

State | Number of Breaches
California | 8
New York & Texas | 7
Florida | 6
Massachusetts | 4
New Jersey, Tennessee & Wisconsin | 3
Arkansas, Connecticut, Illinois, Kansas, Kentucky, Louisiana, Maryland, North Carolina & Washington | 2
Alaska, Arizona, Colorado, Iowa, Michigan, Minnesota, Mississippi, Missouri, Montana, New Mexico, North Dakota, Oregon, South Carolina, Virginia & West Virginia | 1

HIPAA Enforcement in December 2023

OCR announced two enforcement actions against healthcare providers in December to resolve alleged violations of the HIPAA Rules. OCR continued its enforcement initiative targeting noncompliance with the HIPAA Right of Access with its 46th enforcement action over the failure to provide individuals with timely access to their medical records. Optum Medical Care of New Jersey settled its investigation and agreed to pay a financial penalty of $160,000 to resolve allegations that patients had to wait between 84 days and 231 days to receive their requested records when they should have been provided within 30 days.

OCR also announced its first-ever settlement resulting from an investigation of a phishing attack. Lafourche Medical Group in Louisiana suffered a phishing attack that resulted in the exposure of the protected health information of almost 35,000 individuals. While phishing attacks are not HIPAA violations, OCR’s investigation uncovered multiple violations of the HIPAA Security Rule, including no risk analyses prior to the 2021 phishing attack, and no procedures to regularly review logs of system activity before the attack. Lafourche Medical Group chose to settle the investigation and paid a $480,000 penalty.

These two enforcement actions bring the total number of OCR enforcement actions involving financial penalties up to 13, the lowest annual total since 2019, although there was a slight increase in funds raised from these enforcement actions with $4,176,500 collected in fines. OCR is pushing Congress to increase the penalties for HIPAA violations to make penalties more of a deterrent and also to provide much-needed funding to allow OCR to clear the backlog of HIPAA compliance investigations, in particular investigations of hacking incidents. Currently, OCR’s hands are tied, as the department’s budget has remained the same for years, aside from annual increases for inflation, yet its caseload of breach investigations has soared.

HIPAA Enforcement by State Attorneys General

State attorneys general have the authority to enforce HIPAA compliance and 2023 saw an increase in enforcement actions. The HIPAA Journal has tracked 16 enforcement actions by state attorneys general in 2023 that resolved violations of HIPAA or equivalent state consumer protection and data breach notification laws. In December, three enforcement actions were announced, two by New York Attorney General Letitia James and one by Indiana Attorney General Todd Rokita. New York has been particularly active this year having announced 4 settlements to resolve HIPAA violations in 2023 and the state also participated in two multi-state actions.

In December, AG James announced a settlement had been reached with Healthplex to resolve alleged violations of New York’s data security and consumer protection laws with respect to data retention, logging, MFA, and data security assessments which contributed to a cyberattack and data breach that affected 89,955 individuals. The case was settled for $400,000. AG James also investigated New York Presbyterian Hospital over a reported breach of the health information of 54,396 individuals related to its use of tracking technologies on its website, which sent patient data to third parties such as Meta and Google in violation of the HIPAA Privacy Rule and New York Executive Law. The case was settled for $300,000.

The Indiana Attorney General investigated CarePointe ENT over a breach of the health information of 48,742 individuals. AG Rokita alleged that CarePointe ENT was aware of security issues several months before they were exploited by cybercriminals but did not address them in a timely manner. There was also no business associate agreement with its IT services provider. The investigation was settled for $125,000.

The data for this report was obtained from the U.S. Department of Health and Human Services’ Office for Civil Rights on January 18, 2023.


Singing River Health System Confirms Ransomware Attack Affected 253,000 Patients

Singing River Health System has confirmed that the PHI of 253,000 patients was compromised in an August 2023 ransomware attack. Data breaches have also been reported by Highlands Oncology Group, Fincantieri Marine Group, Senior Scripts, and Family Healthcare.

Singing River Health System

Singing River Health System in Mississippi experienced a ransomware attack in August 2023 that took its IT systems out of action for several days, including its electronic medical record system. Without access to patient data and essential IT systems, operations were disrupted, although care continued to be provided to patients throughout. The Rhysida ransomware group claimed responsibility for the attack.

The attack was detected on August 19, 2023, and the forensic investigation confirmed there had been unauthorized network access between August 16 and August 18, 2023. When the initial announcement about the attack was made, it was unclear if any patient data had been compromised and as the deadline for reporting the breach to the HHS’ Office for Civil Rights approached it was still unclear exactly how many patients had been affected, so the breach was reported with an interim figure of 501 individuals.

On September 13, 2023, Singing River Health System confirmed that data had been exfiltrated from its systems, and an update was provided on October 18, 2023; although the extent of the breach had still not been confirmed. On December 18, 2023, Singing River Health System confirmed that the protected health information of 252,890 patients had been compromised. The data involved included names, dates of birth, addresses, Social Security numbers, medical information, and health information.

Notification letters were mailed to the affected individuals on January 12, 2023, and the affected patients have been offered complimentary credit monitoring and identity theft protection services.

Highlands Oncology Group

Highlands Oncology Group in Arkansas experienced a ransomware attack in September 2023. The attackers gained access to parts of its network that contained the protected health information of 55,297 patients. The attack was detected on September 26, 2023, and immediate action was taken to isolate its network to prevent further unauthorized access. The forensic investigation confirmed the attackers had access to its network between September 25, 2023, and September 26, 2023, and that files may have been acquired before ransomware was used to encrypt files.

The review confirmed on November 27, 2023, that the following types of information may have been accessed or acquired in the attack: name, date of birth, Social Security number, driver’s license/state ID number, passport number, military ID number, financial account number, credit/debit card number with and without expiration date and security code, health insurance information, and clinical information, such as diagnosis/conditions, lab results, and prescription information.

While no cases of identity theft or fraud have been tied to the incident, as a precaution, individuals whose Social Security numbers and/or driver’s license/state ID numbers were involved have been offered complimentary identity theft protection services.

Fincantieri Marine Group

Fincantieri Marine Group, LLC, the U.S. arm of the Italian shipbuilder, has confirmed that 11,535 members of its group health plan had their protected health information compromised in an April 2023 ransomware attack. Fincantieri said the attack was detected on April 12, 2023, and the outage caused significant production disruption, as it affected servers that fed information to machines used for welding, cutting, and other manufacturing processes, which were taken out of action for several days.

Fincantieri announced the attack in April 2023; however, the extent of the attack was unclear at the time. It has since been confirmed that the attackers had access to its network between April 6, 2023, and April 12, 2023, and during that period, files were exfiltrated from its network. Fincantieri’s review of the files on the affected part of its network confirmed on November 6, 2023, that the data of 16,769 individuals had been exposed and potentially stolen, including 11,535 members of its group health plan. The affected individuals were notified about the incident on January 5, 2023, and 2 years of complimentary credit monitoring services have been offered.

Senior Scripts

Midwest Long Term Care Services, which does business as Senior Scripts, recently confirmed that the protected health information of 10,566 patients was compromised in a security incident that disrupted some of its IT systems. The cyberattack was detected and blocked on October 20, 2023, and the forensic investigation confirmed that the attackers first accessed its system on October 8, 2023. Files containing patient data were potentially removed from its network that included information such as names, contact information, insurance information, dates of birth, prescription information, and Social Security numbers. Network monitoring capabilities have been enhanced and security measures will continue to be reviewed and improved to prevent similar incidents in the future.

Family Healthcare

Family Healthcare in North Dakota has recently announced that it has been affected by a data breach at its business associate Brady Martz & Associates. Brady Martz & Associates is a North Dakota-based provider of tax-related services, audit and financial guidance, and bookkeeping and payroll assistance.

Brady Martz & Associates was provided with the data of Family Healthcare employees and certain patients in order to complete its contracted duties, which included auditing patient billing documents. Brady Martz & Associates promptly detected a security breach in November 2022 and engaged cybersecurity experts to investigate to determine the extent of the breach, which was discovered to have affected more than 53,000 individuals. The breach was announced by Brady Martz & Associates on September 8, 2023.

According to Brady Martz & Associates, the information exposed and potentially compromised in the attack included patient and/or employee names, dates of birth, ages, phone numbers, financial account information, health insurance information, patient account numbers, Social Security numbers, and information regarding care received at Family HealthCare facilities. It is unclear how many Family Healthcare patients were affected and why it took until January 11, 2024, for Family Healthcare to publicly announce the breach.


Electrostim Medical Services Data Breach Impacts 543,000 Patients

The Florida medical device company Electrostim Medical Services, Inc., which does business as EMSI, has recently confirmed that it suffered a cyberattack in May 2023 which involved access to parts of the network containing patient data. The Electrostim Medical Services data breach has recently been reported to the HHS’ Office for Civil Rights as affecting 542,990 patients.

Suspicious activity was detected within its network on May 13, 2023, and after securing its systems, third-party cybersecurity specialists were engaged to assess the nature and scope of the incident. The investigation confirmed that unauthorized individuals had access to its network for around two weeks between April 27, 2023, and May 13, 2023. While data theft was not confirmed, the unauthorized individuals had access to parts of the network containing patients’ protected health information and that information may have been copied. Electrostim Medical Services said it has not learned of any instances of attempted or actual misuse of patient data as a result of the security incident.

The breach notifications explained that the delay in notifications was due to an extensive review of its network to determine the individuals and data types involved, and a review of internal records to identify contact information to allow notification letters to be sent. The types of information involved varied from individual to individual and may have included the following: name, address, email address, phone number(s), diagnosis, insurance information, subscriber number, and product(s) prescribed and billed.

Electrostim Medical Services said notification letters were mailed in late December and steps have been taken to improve network security.


ConsensioHealth Ransomware Attack Affects 61,000 Patients

The Wisconsin-based medical billing service, ConsensioHealth, has recently notified 60,871 individuals about a July 2023 ransomware attack. The attack was discovered on July 3, 2023, when staff were prevented from accessing files on the network. Steps were immediately taken to prevent further unauthorized access and third-party cybersecurity experts were engaged to assist with the investigation and to help determine whether patient data was accessed or copied from its systems. The investigation confirmed that data had been stolen, and on November 7, 2023, it was confirmed that some of those files contained the data of patients of the following covered entities:

  • Emergency Medicine Specialists, S.C.
  • Ascension Wisconsin
  • Wisconsin Urgent Care
  • Kenosha Urgicare
  • Fox Valley Emergency Medicine
  • Dr. Linda Jingle
  • Woundcare Innovations of Golf Land

The impacted data varied from individual to individual and may have included the following data types: Name, address, date of birth, driver’s license or other state identification number, Social Security number, account access credentials, health insurance information, medical treatment and diagnosis information, medical treatment cost information, patient account number, Medicare or Medicaid number, healthcare provider information, and prescription information.

ConsensioHealth said its information security practices have been reviewed and updated and additional security measures have been implemented.

Southeastern Orthopaedic Specialists Data Incident Affects 35,500 Patients

Southeastern Orthopaedic Specialists in Greensboro, NC, has identified unauthorized access to its network and the potential theft of the protected health information of 35,533 patients.

The Southeastern Orthopaedic Specialists substitute breach notice is devoid of any meaningful information about the data incident, which is described as “a cybersecurity incident that impacted its IT systems.” The breach notice does not state when the breach occurred, when it was detected, for how long hackers had access to the network, whether there was access to patient data, if data was stolen, what types of data were exposed or stolen, or the nature of the attack.

The December 19, 2023, notice only states that no evidence of fraud or identity theft was identified, which may lead the affected individuals to believe that there is little risk; however, there is insufficient information in the notice to allow the affected individuals to gauge the level of risk they face. The breach was sufficiently severe to warrant providing the affected individuals with complimentary credit monitoring and identity theft protection services, and it is strongly advisable to take advantage of those services.

Data of Healthcare Clients Exposed in Burr & Forman Cyberattack

The Birmingham, Alabama Am Law 200 firm, Burr & Forman, has recently confirmed that it fell victim to a cyberattack in October 2023 which resulted in unauthorized access to client data, including two clients that are covered by HIPAA. Suspicious activity was detected on one of its laptops in October and the laptop was immediately isolated to prevent further access.

According to the law firm Constangy, Brooks, Smith & Prophete, which is representing Burr & Forman, the cyberattack was detected promptly and was rapidly contained but it was not possible to prevent unauthorized access to documents on its systems. On November 10, 2023, it was confirmed that there had been access to the data of its client Oceans Healthcare, and one other unnamed HIPAA-covered entity. In total the personal and protected health information of 19,893 individuals was exposed.

Burr & Forman was provided with personal information in connection with the legal services provided to its healthcare clients and that information included names, Social Security numbers, medical coding information, dates of service, and insurance information. In its substitute breach notification, Burr & Forman confirmed it is notifying the individuals affected and has provided resources to assist them, and has enhanced network security to prevent similar breaches in the future.

Sharp Health Plan Notifies Members About MOVEit Hack and Mismailing Incident

8,200 Sharp Health Plan members have recently been notified that some of their protected health information was compromised in a hacking incident at one of its business associates, Delta Dental. Delta Dental used the MOVEit Transfer file transfer solution, which was hacked by the Clop hacking group and data were exfiltrated between May 27 and May 30, 2023. Delta Dental’s investigation indicated in July 2023 that Sharp Health Plan member information may have been involved, and that was confirmed on November 17, 2023; however, it took until late December to determine which members had been affected. The stolen data was limited to members’ first and last names, Social Security numbers, dental provider names, health insurance, and treatment cost information. The affected individuals are being notified directly by Delta Dental.

Sharp Health Plan has also notified certain members about a mismailing incident that occurred on December 26, 2023. A system error in the software of the health plan’s mailing vendor resulted in members’ names being omitted from the envelopes. Without a name on the envelope, other household members may have opened the letters. The letters listed the intended recipient’s name, address, and behavioral health provider’s name, and confirmed that the member visited the provider in 2023.

Rebekah Children’s Services Reports September 2023 Cyberattack

Rebekah Children’s Services in Gilroy, CA, identified suspicious activity on its network on September 5, 2023, and engaged a third-party forensics firm to investigate to determine the nature of the attack. The forensic investigation confirmed that hackers had gained access to parts of the network where protected health information was stored, and the file review confirmed that names, addresses, Social Security numbers, dates of birth, health information, health insurance information, treatment information, medications, and driver’s license numbers had potentially been obtained. Steps have been taken to improve security and the 2,805 affected individuals have been notified and offered complimentary access to single bureau credit monitoring services.


Novant Health Settles $6.6 Million Pixel Privacy Breach Lawsuit

Novant Health has agreed to settle a class action lawsuit that stemmed from its use of tracking pixels on its MyChart patient portal. The pixel code on the patient portal collected the personally identifiable information of users with the goals of “improving access to care through virtual visits and to provide increased accessibility to counter the limitations of in-person care”; however, the information collected was also transferred to third-party technology companies that were not authorized to receive the data.

The North Carolina health system was the first healthcare provider to report a pixel-related HIPAA violation to the HHS Office for Civil Rights (OCR). In the summer of 2022, Novant Health said the protected health information of up to 1,362,296 individuals had been disclosed to third parties such as Meta (Facebook) between May 1, 2020, and Aug. 12, 2022. The HIPAA breach was reported several months before OCR issued guidance on HIPAA and tracking pixels confirming that pixel-related disclosures of protected health information to third parties violated HIPAA. Novant Health was one of many health systems to use the code on its patient portal. According to one study, 99% of hospitals in the United States used pixels or other tracking technologies on their websites, apps, or patient portals that collected visitor information and transferred that data to third parties.

The lawsuit against Novant Health was filed on behalf of 10 Novant Health patients and similarly situated individuals who used the patient portal while the Meta Pixel code was present and alleged invasion of privacy, breach of contract, and violations of the Health Insurance Portability and Accountability Act. Novant Health maintains there was no wrongdoing and the decision to settle the lawsuit was taken to put an end to the litigation and avoid further legal costs and the uncertainty of trial.

“Novant Health takes privacy and the care of personal information very seriously and values patient trust to keep patients’ medical information private. Novant Health will continue to be as transparent as possible and provide information to patients,” said a spokesperson for Novant Health regarding the proposed settlement. “The proposed settlement is not an admission of wrongdoing, and the court did not find any wrongdoing on the part of Novant Health.”

Under the terms of the settlement, class members – individuals who used the MyChart portal between May 1, 2020, and Aug. 12, 2022 – will be eligible to submit claims for a share of the $6.6 million settlement fund. Claims will be paid pro rata once legal costs, expenses, and attorneys’ fees have been paid. Novant Health is one of several healthcare providers to have been sued over the use of pixels and other tracking technologies, including Advocate Aurora Health, which chose to settle its lawsuit for $12.225 million.


LockBit Ransomware Group Behind Capital Health Cyberattack

Capital Health Systems in New Jersey has recently announced that it fell victim to a cyberattack in late November that temporarily disrupted its IT systems. Capital Health operates two hospitals in New Jersey – Capital Health Regional Medical Center in Trenton and Capital Health Medical Center in Hopewell – and an outpatient facility in Hamilton Township. While the attack caused a network outage, care continued to be provided to patients at its hospitals and their emergency rooms continued to receive patients.

Capital Health has confirmed that all systems have now been restored and all services are available at Capital Health facilities; however, the investigation into the cyberattack is ongoing and it has yet to be determined to what extent patient and employee data was involved. Capital Health said law enforcement was immediately notified about the attack and third-party forensic and information technology experts were engaged to assist with the investigation and breach response.

Capital Health has yet to confirm the extent of any data breach but the hacking group behind the attack claims to have stolen more than 10 million files, including 7 TB of medical confidentiality data, and threatened to publish the stolen data if the ransom is not paid. The LockBit ransomware group usually engages in double extortion tactics, where sensitive data are stolen and files are encrypted using ransomware. A ransom demand is issued, and payment is required to obtain the keys to decrypt files and to prevent the publication of the stolen data. In this attack, the group said it deliberately did not encrypt files and only stole patient data as it was not its intention to cause any disruption to patient care. While ransomware was not used, these attacks can still cause network outages as part of incident response processes and therefore still have the potential to disrupt patient care.

Capital Health was given a deadline of January 9, 2024, to prevent the release of the stolen data. While Capital Health was added to the LockBit 3.0 data leak site, the listing has since been removed. Further information on the extent of the data breach will be released as the investigation progresses and notification letters will be issued if data theft is confirmed.

Lawsuit Filed Over Capital Health Cyberattack

The extent of the data breach has yet to be confirmed and notification letters have not yet been mailed by Capital Health but a lawsuit has already been filed against Capital Health over an alleged data breach. The lawsuit was filed on behalf of Capital Health patient Bruce Graycar and similarly situated individuals by attorney Ken Grunfeld of Kopelowitz Ostrow Ferguson Weiselberg Gilbert.

The lawsuit alleges the plaintiff has suffered injuries as a result of the attack and that the failure of Capital Health to issue prompt notifications to the affected individuals has exacerbated the injuries, as the plaintiff and class were unaware that it was necessary to take steps to protect themselves against misuse of their private healthcare information. The lawsuit alleges injuries have been suffered including damage to and the diminution in the value of private information, invasion of privacy, and a present, imminent, and impending injury due to an increased risk of identity theft and fraud.


ReproSource Fertility Diagnostics Proposes $1.25 Million Class Action Data Breach Settlement

ReproSource Fertility Diagnostics has proposed a settlement to resolve litigation stemming from a 2021 ransomware attack that potentially resulted in the theft of the sensitive health data of up to 350,000 patients. The Marlborough, MA-based fertility testing laboratory, which is owned by Quest Diagnostics, had its network breached on August 8, 2021. The intrusion was detected on August 10 when ransomware was deployed. The forensic investigation confirmed that the parts of the network that the threat actors could access included files that contained sensitive health information.

The data exposed included names, addresses, phone numbers, email addresses, dates of birth, billing and health information, such as CPT codes, diagnosis codes, test requisitions and results, test reports and/or medical history information, health insurance or group plan identification names and numbers, and other information provided by individuals or by treating physicians, and for a limited number of individuals, Social Security numbers, financial account numbers, driver’s license numbers, passport numbers, and/or credit card numbers.

While no evidence of data exfiltration was found, data theft could not be ruled out, so ReproSource notified approximately 350,000 individuals on October 21, 2023, and was promptly sued. Two class action lawsuits were consolidated into a single lawsuit as they made similar allegations – that ReproSource was negligent by failing to implement reasonable and appropriate cybersecurity measures to prevent unauthorized access to patient data. The lawsuits alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) and data breach notification and consumer protection laws in Massachusetts.

The decision was taken to settle the litigation with no admission of wrongdoing. Under the terms of the settlement, class members may submit claims for up to $3,000 to cover out-of-pocket, unreimbursed losses that are reasonably traceable to the data breach, including up to 8 hours of lost time, three years of credit monitoring services, and a $1 million identity theft insurance policy. Alternatively, class members can claim a cash payment of $50. A total of $1.25 million has been set aside to cover claims, which will be paid pro rata if that total is reached. Class members who were California residents at the time of the breach will be entitled to an additional $50 payment.

The consolidated lawsuit also sought injunctive relief, which included major upgrades to data security to prevent similar cyberattacks and data breaches in the future. The settlement also includes the requirement for ReproSource to make significant improvements to its information security program, including enhancing its monitoring and detection tools. The settlement will need to receive final approval from a Massachusetts judge.
