HIPAA Breach News

Great Valley Cardiology Notifies 181,700+ Individuals About PHI Exposure

Commonwealth Health Physician Network-Cardiology, aka Great Valley Cardiology in Scranton, PA, has notified 181,764 current and former patients about a cyberattack and data breach that was discovered on April 13, 2023. The forensic investigation confirmed that the information potentially compromised in the attack included names in combination with addresses, birth dates, Social Security numbers, driver’s license numbers, passport numbers, bank account and credit/debit card information, diagnosis, medications, lab test results, and health insurance/claims information.

Hackers first gained access to Great Valley Cardiology’s systems on February 2, 2023, and access remained possible until its systems were secured on April 14, 2023. The healthcare provider was reportedly notified about the attack by the Department of Homeland Security, with access to its systems gained as a result of a successful brute force attack.

Affected individuals have been offered complimentary credit monitoring and identity theft protection services for 24 months as a precaution, although there are no indications that there has been any misuse of patient data as a result of the security breach.

EpiSource Confirms Breach of its AWS Environment

The Gardena, CA-based medical coding vendor, EpiSource, has confirmed that the protected health information of patients of its healthcare clients has been exposed and potentially compromised in a February 2023 cyberattack on its Amazon Web Services (AWS) environment.

The cyberattack was detected by its threat detection system on February 20, 2023. The investigation confirmed its AWS environment had been accessed by an unauthorized individual between February 19 and 21, 2023. The forensic investigation confirmed on April 20, 2023, that health and personal information had potentially been accessed or obtained such as names, dates of birth, addresses, phone numbers, medical record numbers, health plan ID numbers, provider information, diagnoses, and medications. EpiSource said security controls and monitoring practices have been enhanced following the attack and affected individuals have been offered one year of complimentary identity theft protection services.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many people have been affected.

Business Associate Data Breach Impacts 25K UPMC Patients

University of Pittsburgh Medical Center (UPMC) has confirmed that approximately 25,000 patients have been affected by a data breach at a business associate that provides billing and collection services. The data breach occurred at Intellihartx LLC, which is issuing notifications to the affected UPMC patients. The breach involved names, addresses, Social Security numbers, and other personal information. Complimentary credit monitoring services have been offered to affected individuals. Intellihartx reported the breach to the Maine Attorney General as affecting 489,830 individuals. Further information on the data breach has been covered by The HIPAA Journal here.

Idaho Medicaid Recipients Affected by Data Breach at Claims Processor

The Idaho Department of Health and Welfare has confirmed that the personal information of 2,501 Medicaid recipients has potentially been accessed and/or obtained in a data breach at its claims processor, Gainwell Technologies. An unauthorized individual obtained credentials that allowed access to be gained to the Gainwell portal, which allowed access to information such as names, ID numbers, billing codes, and treatment information.

The breach was discovered on May 12, 2023, and following an investigation and review, affected individuals were notified on June 9, 2023. Credit monitoring and identity theft protection services have been offered to affected individuals.

Utah Department of Health and Human Services Notifies 5,800 Health Plan Members About Mailing Error

The Utah Department of Health and Human Services (DHHS) has confirmed that the protected health information of 5,800 Medicaid recipients has been impermissibly disclosed due to a mailing error. As a result of the error, benefit letters were accidentally grouped together and sent to incorrect individuals. The error was discovered on May 8, 2023, and the mailing process was halted to prevent further impermissible disclosures.

The letters included Medicaid benefit information, although only around 200 of the 5,800 individuals affected had either their Medicare health insurance claim number (HICN) or Social Security number disclosed. Those individuals have been offered complimentary credit monitoring services. The DHHS said it has worked with its business associate, Client Network Services (CNSI), to ensure the error is corrected and system testing and quality protocols have been enhanced.

The post Great Valley Cardiology Notifies 181,700+ Individuals About PHI Exposure appeared first on HIPAA Journal.

Washington Hospital Pays $240,000 HIPAA Penalty After Security Guards Access Medical Records

The HHS’ Office for Civil Rights (OCR) investigates all reported breaches of the protected health information of 500 or more individuals and some smaller breaches to determine if the breach was caused by the failure to comply with the HIPAA Rules. OCR’s latest HIPAA enforcement action confirms that it is not the scale of a data breach that determines if a financial penalty must be paid but the severity of the underlying HIPAA violations.

A relatively small data breach was reported to OCR on February 28, 2018, by Yakima Valley Memorial Hospital (formerly Virginia Mason Memorial), a 222-bed non-profit community hospital in Washington state. The hospital discovered security guards had been accessing the medical records of patients when there was no legitimate work reason for the medical record access, and 419 medical records had been impermissibly viewed.

OCR launched an investigation into the snooping incident in May 2018 and discovered widespread snooping on medical records by security guards in the hospital’s emergency department. Twenty-three security guards had used their login credentials to access medical records in the hospital’s electronic medical record system when there was no legitimate reason for the access. The security guards were able to view protected health information such as names, addresses, dates of birth, medical record numbers, certain notes related to treatment, and insurance information. OCR determined that the hospital had failed to implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of the Security Rule – 45 C.F.R. § 164.316.

Yakima Valley Memorial Hospital chose to settle the case with OCR and agreed to pay a financial penalty of $240,000 with no admission of liability. A corrective action plan has been adopted to ensure full compliance with the HIPAA Rules, which includes an accurate and comprehensive risk analysis, the development and implementation of a risk management plan to address the risks identified by the risk analysis, updates to its HIPAA policies and procedures, the enhancement of its current HIPAA security training program, and a review of its relationships with vendors and third-party service providers to identify business associates, and to obtain business associate agreements if they are not already in place.

“Data breaches caused by current and former workforce members impermissibly accessing patient records are a recurring issue across the healthcare industry. Healthcare organizations must ensure that workforce members can only access the patient information needed to do their jobs,” said OCR Director Melanie Fontes Rainer. “HIPAA-covered entities must have robust policies and procedures in place to ensure patient health information is protected from identity theft and fraud.”

This is the 6th OCR HIPAA enforcement action of 2023 that has resulted in a financial penalty, and the second to be announced by OCR this month. So far this year, penalties totaling $1,901,500 have been imposed by OCR to resolve violations of the HIPAA Rules.


Johns Hopkins Investigating Cyberattack and Data Breach

Johns Hopkins University and Johns Hopkins Health System are investigating a May 31, 2023, cyberattack and data breach that targeted a widely used software tool. While the notice did not name the tool that was targeted, the breach date coincides with the Clop/FIN11 attacks on the MOVEit Transfer managed file transfer solution.

While the investigation into the data breach is ongoing, the initial findings indicate that sensitive personal and financial information was impacted, including names, contact information, and health billing records. Notifications will be sent to all affected individuals in the coming weeks once the full scope and breadth of the breach are determined. Johns Hopkins has confirmed that credit monitoring services will be offered to affected individuals. In the meantime, Johns Hopkins urges all students, faculty, staff, and their dependents to take immediate action to protect their personal information, including reviewing their statements, credit reports, and accounts for unusual activity, and considering placing a fraud alert and credit freeze with a national credit bureau.

At this stage, it is unclear how many individuals have been affected.

PHI of 33,000 Patients Exposed in Maimonides Medical Center Cyberattack

Maimonides Medical Center in Brooklyn, NY, has confirmed that the protected health information of approximately 33,000 patients was stored on systems that were accessed by an unauthorized individual. The security breach was discovered on April 4, 2023, and unauthorized access was immediately blocked. The forensic investigation confirmed the initial access occurred on March 18, 2023.

The review of affected files revealed the majority of individuals only had their names, addresses, and limited clinical information exposed, such as diagnoses and treatment information; however, some individuals also had their Social Security numbers exposed. Affected individuals have been offered 24 months of complimentary credit monitoring and identity theft protection services. Third-party cybersecurity experts were hired to assess system security and ensure that adequate safeguards were in place, and additional authentication measures have now been implemented.

iSpace Inc. Notifies 24,400 Individuals About Data Breach

iSpace, Inc., a provider of insurance eligibility services, has recently started notifying 24,382 individuals about a cyberattack that was discovered on February 5, 2023. In a May 31, 2023, notification to the California Attorney General, iSpace explained that the forensic investigation confirmed a system compromise had occurred and that there was file exfiltration between January 30 and February 5, 2023.

The analysis of the impacted files confirmed that they contained names, Social Security numbers, dates of birth, diagnosis information, health insurance group/policy numbers, health insurance information, subscriber numbers, and prescription information. At the time of issuing notifications, no actual or attempted misuse of the affected individuals’ information had been detected. iSpace said it engaged the services of security specialists to assist in examining its privacy and security policies and practices and will update them accordingly. The delay in issuing notifications was due to the lengthy investigation and data review process, which was completed on March 3, 2023, and the subsequent verification of contact information.

Normal Operations Resume After Richmond University Medical Center Ransomware Attack

Richmond University Medical Center (RUMC) in West Brighton, NY, has confirmed that it has fully recovered from a ransomware attack that was detected in the first week of May. The attack forced the medical center to shut down systems and activate its emergency protocols, and the staff recorded patient information manually while systems were restored. The investigation into the ransomware attack is ongoing to determine the extent to which patient information was involved, and notification letters will be sent to affected individuals when that process has been completed.


21,000-Record Data Breach Sparks Trinity Health Class Action Lawsuit

A class action lawsuit has been filed in the U.S. District Court for the Southern District of Iowa against Trinity Health, Mercy Health Network, and Mercy Medical Center – Clinton over a cyberattack and data breach that affected 21,000 patients.

Livonia, MI-based Trinity Health, which operates Mercy Health Network and Mercy Medical Center – Clinton in Iowa, discovered a cyberattack on April 4, 2023, the forensic investigation of which confirmed hackers had gained access to systems containing patients’ protected health information on March 7, 2023, and maintained access to those systems until April 7, when its systems were secured. The data exposed and potentially stolen in the attack included names, addresses, birth dates, Social Security numbers, diagnosis codes, treatment information, prescription information, and service/discharge. Trinity Health offered affected individuals complimentary credit monitoring services for 12 months.

On June 12, 2023, a lawsuit was filed on behalf of plaintiff Jennifer Medenblik that alleges the defendants failed to protect the sensitive data of patients and monitor its systems for intrusions, which allowed hackers to gain access to its network and the protected health information of 21,000 patients and remain undetected within its systems for a month. The lawsuit alleges violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, and a failure to follow healthcare industry best practices for protecting sensitive data and Federal Trade Commission (FTC) guidelines.

Trinity Health notified affected patients about the attack; however, the lawsuit claims those notifications were inadequate, and failed to provide the necessary support. The lawsuit also claims that the defendants have not provided satisfactory assurances to patients that the impacted data has been recovered or deleted nor that adequate cybersecurity measures have been implemented post-data breach to prevent further security breaches in the future.

The 8-count lawsuit, Medenblik v. Trinity Health Corporation et al., includes allegations of negligence, breach of contract, and breach of confidence, and claims the plaintiff and class members have suffered and are at an imminent, immediate, and continuing increased risk of suffering ascertainable losses. The lawsuit seeks class action status, a jury trial, an award of damages, and funds to cover a lifetime of credit monitoring services and identity theft insurance for the plaintiff and class members.


Ransomware Attack Key Factor in Decision to Close Rural Illinois Hospital

Ransomware attacks can force healthcare facilities to close temporarily, and some small healthcare practices have decided not to reopen after a ransomware attack, but hospitals and health systems are usually financially resilient enough to remediate the attacks and recover. St. Margaret’s Health was not. Like many rural hospitals and health systems, St. Margaret’s Health had been struggling to maintain operations in the face of increasing financial pressures when it fell victim to a ransomware attack that sent it into a downward financial spiral. The attack, in combination with several other factors, resulted in the decision to permanently close its 44-bed Spring Valley location in Illinois. St. Margaret’s Health also operates a 49-bed hospital in Peru, IL, which was under a temporary suspension that was announced in January this year. All operations at the two hospitals will permanently end on Friday, June 16, 2023.

The Sisters of Mary of the Presentation founded St. Margaret’s Health in 1903, and in 2021, St. Margaret’s Hospital – Spring Valley and Illinois Valley Community Hospital (IVCH) in Peru consolidated their operations and formed a regional health network run by the SMP Health ministry, with IVCH changing its name to St. Margaret’s Hospital – Peru. St. Margaret’s Health tried to integrate the new hospital so that the two hospitals and their associated clinics could continue to provide Catholic healthcare in the Illinois Valley, but the challenges proved too great. Like many rural hospitals, St. Margaret’s Health has faced increasing financial pressures in recent years, and the COVID-19 pandemic, continuing staff shortages, and the ransomware attack on St. Margaret’s Hospital – Spring Valley’s computer systems in February 2021 proved too much and made it impossible to sustain its ministry. The ransomware attack itself did not trigger the closure, but it did play a key part in the decision to close. The attack prevented the hospital from submitting claims to insurers, Medicare, and Medicaid for months, piling even more financial pressure on the already struggling St. Margaret’s Health.

Suzanne Stahl, chair of SMP Health, said St. Margaret’s Health has signed a non-binding letter of intent with OSF Healthcare to acquire the Peru campus and related ambulatory facilities. The proceeds of the sale will be used to pay off a portion of St. Margaret’s debts and will help to ensure that Catholic-based healthcare continues to be provided in the Illinois Valley and the surrounding areas. The transition will take some time, and while OSF Healthcare is working to complete the purchase as quickly as possible, it is not able to provide a time frame for when care will resume. “The hospital closure will have a profound impact on the well-being of our community. This will be a challenging transition for many residents who rely on our hospital for quality healthcare,” said Melanie Malooley-Thompson, Mayor of Spring Valley. The closure will mean that patients will be forced to travel much further for emergency room and obstetrics services.

Longstanding pressures on rural hospitals resulted in 136 rural hospital closures between 2010 and 2021, according to a 2022 report from the American Hospital Association, including 19 closures in 2020 alone. Rural hospitals typically have low reimbursement, staff shortages, and low patient volumes, and they also had to deal with the COVID-19 pandemic. A cyberattack can be enough to push them over the edge.

Tragically, this is unlikely to be the last ransomware attack that proves too much for a rural hospital. Increasing financial pressure limits the ability of rural hospitals to invest in cybersecurity and they also struggle to attract and retain skilled cybersecurity staff. That makes rural hospitals an easy target for ransomware gangs, which are increasingly targeting these healthcare facilities. Even when rural hospitals are not specifically targeted, they can still fall victim to non-targeted attacks due to the lack of appropriate cybersecurity.


320,000 Patients Affected by Ransomware Attack on Onix Group

The Pennsylvania-based business administration service provider, Onix Group, was the victim of a ransomware attack on March 27, 2023. When the incident was detected, its network was immediately taken offline to prevent any further unauthorized access; however, the attackers were able to encrypt files on certain systems. The forensic investigation confirmed that access to its systems was gained 7 days before ransomware was deployed and files were encrypted, and during those 7 days the cyber actors exfiltrated files containing sensitive data.

The review of the files confirmed they contained the data of patients of healthcare clients Addiction Recovery Systems, Cadia Healthcare, Physician’s Mobile X-Ray, and Onix Hospitality Group. The protected health information in the stolen files varied from individual to individual and may have included names, Social Security numbers, dates of birth, and scheduling, billing, and clinical information. Some of the files contained client information that was stored for HR purposes, including employees’ names, Social Security numbers, direct deposit information, and health plan enrollment information.

Complimentary credit monitoring and identity theft protection services have been offered to affected individuals. The breach was reported to the HHS’ Office for Civil Rights as affecting up to 319,500 individuals.

Ascension Says Breach at Vendor Exposed Patient Data

Ascension has recently started notifying 148,606 patients about a security breach at the third-party vendor, Vertex, which was used to manage its legacy websites, two of which – Seton.net and DellChildren’s.net – were breached on March 1 and 2, 2023.

Vertex engaged a forensic investigator to determine the nature and scope of the breach. The investigation is ongoing but, at this stage, it does not appear that any patient data was stolen. If data theft did occur, the information at risk includes names, addresses, Social Security numbers, credit card numbers, and insurance information. Affected individuals have been offered complimentary credit monitoring and identity theft protection services as a precaution.

Ascension has confirmed that the websites have been replaced by new websites that Ascension hosts. The breach has been reported to the HHS’ Office for Civil Rights as affecting 17,191 Ascension Seton and 1,415 Ascension Providence patients.

Daixin Team Attempts Extortion of Columbus Regional Healthcare System

The ransomware and extortion group, Daixin Team, has claimed responsibility for a ransomware attack on the non-profit Indiana health system, Columbus Regional Healthcare System, and claims to have exfiltrated 70 gigabytes of data from the 154-bed hospital. The group says it initially demanded payment of $2 million but after negotiating with the hospital or a third party, reduced the demand to $1 million; however, negotiations appear to have broken down.

Columbus Regional Healthcare System has yet to confirm the attack and it is currently unclear to what extent patient data is involved. Daixin Team is expected to start releasing the stolen data in the next few days if ransom negotiations do not resume.


Intellihartx Victim of Fortra GoAnywhere Hack: 490,000 Individuals Affected

The Tennessee-based payment and collections service provider, Intellihartx, has recently confirmed that the personal and health information of 489,830 individuals was stolen in a recent hacking and extortion attack. In late January and early February 2023, the Clop ransomware group exploited a zero-day vulnerability in Fortra’s GoAnywhere MFT to gain access to the data of approximately 130 companies. While Clop often uses ransomware to encrypt files, these attacks only involved data theft and extortion, with demands for payment issued to prevent the public release of the stolen data.

Intellihartx learned that it had been affected on February 2, 2023, and launched an investigation to determine the scope of the breach. Preliminary results were obtained on March 24 that indicated sensitive data had potentially been stolen, and data owners started to be notified on April 11, 2023. The comprehensive review of the affected files confirmed on May 10, 2023, that protected health information had been compromised. The review was completed on May 19, 2023.

Intellihartx’s analysis of the files exfiltrated by Clop confirmed they contained information such as patient names, addresses, dates of birth, Social Security numbers, diagnoses, medications, insurance information, and billing information. Intellihartx said it rebuilt the file transfer platform and incorporated additional security measures to prevent similar breaches in the future and has now notified affected individuals and offered them complimentary access to credit monitoring services.

Cyberattack Impacts Petaluma Health Center Patients

Petaluma Health Center in California has sent notifications to current and former patients alerting them to the potential theft of some of their protected health information. A network security incident was detected and promptly blocked on March 14, 2023, and while the forensic investigation found no evidence to indicate theft and misuse of patient data, data theft could not be ruled out.

The files potentially accessed in the attack included first names, last names, addresses, dates of birth, Social Security numbers, medical information, and health information, with the affected data varying from individual to individual. Security has been enhanced to prevent similar breaches in the future and affected individuals have been offered complimentary single-bureau credit monitoring services.

It is currently unclear how many individuals have been affected.

North Shore Medical Labs Notifies Patients About Cyberattack and Data Theft Incident

The Williston Park, NY-based clinical reference laboratory, North Shore Medical Labs, has started notifying individuals that some of their protected health information was exposed in a data security incident detected on March 29, 2023. The investigation revealed on May 12, 2023, that files were potentially accessed and stolen that contained names, birth dates, and medical laboratory information.

A malicious actor first gained access to its systems on December 22, 2022, and access was blocked on March 31, 2023. The forensic investigation confirmed that files were exfiltrated from its systems between March 17 and March 31. North Shore Medical Labs said it is unaware of any misuse of patient data as a result of the incident. Data protection policies and training protocols have been reviewed and security measures and monitoring tools enhanced to mitigate any risk associated with the incident and to prevent further security incidents in the future.

The breach was reported to the HHS’ Office for Civil Rights as affecting 500 individuals – a placeholder often used to meet reporting requirements until the full extent of the breach is known.


Peachtree Orthopedics Suffers Data Theft and Extortion Incident

Peachtree Orthopedics in Atlanta, GA, has announced that it was the victim of a cyberattack on April 20, 2023. The forensic investigation confirmed that an unauthorized third party gained access to parts of its network that contained patient information such as names, addresses, birth dates, driver’s license numbers, Social Security numbers, medical treatment/diagnosis information, treatment costs, financial account information, and health insurance claims/provider information.

Peachtree Orthopedics said it changed account passwords and implemented additional security measures to reduce the risk of a similar situation occurring in the future and said the investigation is ongoing to determine how many patients have been affected. Peachtree Orthopedics said it cannot rule out unauthorized access to patient information.

The Karakurt threat group has claimed responsibility for the attack and has added Peachtree Orthopedics to its data leak site. The group claims to have exfiltrated 194 gigabytes of data, including personal information and medical records and has threatened to publish the data if the ransom is not paid.

MedInform System Breach Exposed PHI of Cleveland Clinic Patients

MedInform, Inc., a provider of itemization and accident recovery solutions to hospital systems, experienced a security incident that exposed the data of 14,453 Cleveland Clinic patients. The breach was detected on December 21, 2022, when suspicious activity was identified within its network. The forensic investigation confirmed its systems had been accessed by an unauthorized individual between December 5, 2022, and December 21, 2022, and files had been downloaded.

The delay in issuing notifications was due to the time taken to review all affected files. Those files contained names, addresses, Social Security numbers, medical billing information, and financial account information. Additional administrative and technical controls have been implemented in response to the breach, and additional security training has been provided to the workforce.

Mission Community Hospital Investigating Cyberattack

Mission Community Hospital in California is investigating a cyberattack that occurred on April 29, 2023. The RansomHouse threat group has claimed responsibility for the attack on the San Fernando Valley acute care hospital and claims to have exfiltrated more than 2.5 terabytes of data, a sample of which has been uploaded to its data leak site. The leaked data includes medical imaging files, employee data, and financial reports.

The hospital detected the attack on May 1 when investigating a hardware failure and found evidence of an intrusion that exploited vulnerabilities in its network and VMware environments. It has yet to be confirmed how much data has been accessed or stolen.

Shasta Community Health Center Impacted by Alvaria Ransomware Attack

Shasta Community Health Center in Redding, CA, has recently confirmed that patient data was compromised in a ransomware attack on its business associate, Alvaria, Inc. According to the breach notice, Alvaria was the victim of a sophisticated ransomware attack on March 9, 2023, that impacted part of the network that contained customers’ workforce management and outbound dialer data.

According to the notification letter, the attack occurred on March 9, 2023, and was quickly remediated, with data restored from backups. The review confirmed that the exposed data included names, phone numbers, addresses, and associated healthcare provider names. Alvaria explained in the notification letters that after securing the network, additional security measures were implemented to further improve system security. Credit monitoring services have been provided to affected individuals.

Alvaria confirmed in February that it was the victim of a Hive ransomware attack in November 2022. It is unclear if the two incidents are linked. Alvaria has been emailed for clarification.

Summit Eye & Optical Reports 5,727-Record Data Breach

Summit Eye & Optical in Summit, NJ, has recently confirmed that an unauthorized individual gained access to its network and potentially viewed or obtained the protected health information of 5,727 patients. The breach was detected on March 4, 2023, and notifications were sent to affected individuals on May 18, 2023.

Summit Eye & Optical confirmed that the information potentially accessed in the cyberattack included full names, addresses, medical histories, treatment information, and other personal information. Internal data management and protocols have been reviewed and security has been enhanced to prevent similar incidents in the future. Complimentary identity theft protection services have been offered to affected individuals.

Sparta Community Hospital District Confirms Unauthorized Email Access

Sparta Community Hospital District in Illinois has confirmed that the protected health information of up to 900 patients has been exposed and potentially obtained by an unauthorized individual who accessed an employee email account from March 27, 2023, to March 28, 2023.

The breach was detected on March 28, and the account was immediately secured. The review of the account confirmed on April 12, 2023, that it contained patient information such as names, addresses, phone numbers, dates of birth, medical record numbers, doctor’s names, medical diagnoses, and limited treatment information. Financial information and Social Security numbers were not exposed.

The post Peachtree Orthopedics Suffers Data Theft and Extortion Incident appeared first on HIPAA Journal.

Patient Data Likely Lost Due to Cyberattack on Mercy Medical Center – Clinton

Mercy Medical Center – Clinton has notified 20,865 patients about a security incident that disrupted its network. The security breach was detected on April 4, 2023, and the forensic investigation confirmed its network had been accessed by an unauthorized third party between March 7, 2023, and April 4, 2023.

The attack did not affect patient care but prevented access to its systems while the attack was remediated. The review of the incident is ongoing, but it has been confirmed that the following types of information have been exposed: name, address, date of birth, driver’s license/state identification number, Social Security number, financial account information, medical record number, encounter number, Medicare or Medicaid identification number, mental or physical treatment/condition information, diagnosis code/information, date of service, admission/discharge date, prescription information, billing/claims information, personal representative or guardian name, and health insurance information.

Mercy Medical Center did not state whether ransomware was involved but said data had to be restored from backups and some data has likely been lost. Additional technical steps are being taken to try to recreate the lost data that could not be restored from backups. Credit monitoring and identity protection services have been offered to affected individuals, and additional technical safeguards have been implemented to prevent similar attacks in the future.

Pioneer Valley Ophthalmic Consultants Notifies Patients About Business Associate Data Breaches

Pioneer Valley Ophthalmic Consultants (PVOC) in Holyoke, MA, has recently notified 36,275 patients that some of their protected health information has been exposed and potentially stolen in two security incidents at third-party vendors, Alta Medical Management and ECL Group, LLC, which provide billing and accounting services.

According to the May 22, 2023, breach notice, the incidents occurred in 2021. PVOC discovered on March 3, 2022, that malware had been installed on the servers of the vendors between November 13, 2021, and November 15, 2021. On May 11, 2022, PVOC learned that Alta’s online patient portal was vulnerable to unauthorized access to payment receipts until October 26, 2021.

The information potentially compromised as a result of the malware incident included names, addresses, Social Security numbers, payment card information, and medical records. The unsecured patient portal allowed unauthorized access to names, email addresses, transaction dates and times, transaction ID numbers, statement numbers, the last four digits of payment card/account numbers, and any information entered into the comments field of the portal.

PVOC said it is unaware of any actual or attempted misuse of the exposed information. Monitoring has been stepped up in response to the breaches and additional technical resources and security personnel have been onboarded. Affected individuals have been offered complimentary credit monitoring services.

Topcon Healthcare Solutions Breach Impacts 4,000 Individuals

Topcon Healthcare Solutions, a provider of imaging, diagnostic, and intelligent data technologies, has reported a security breach to the Maine Attorney General that exposed protected health information. The security breach was detected on February 5, 2023, and the forensic investigation confirmed there had been unauthorized access to documents on its systems between January 7, 2023, and February 5, 2023.

In its May 22, 2023, breach notification, Topcon said the review of the incident is ongoing to determine the specific types of information that have been exposed. Notification letters will be sent to affected individuals after that process is completed. The breach was reported to the Maine Attorney General as affecting up to 4,209 individuals.

Canopy Children’s Solutions Investigating Ransomware Attack

Mississippi Children’s Home Society, CARES Center Inc, and Mississippi Children’s Home Services Inc, doing business as Canopy Children’s Solutions, experienced a ransomware attack in April that resulted in the encryption of files on its systems. The attack was detected on April 4, 2023, and third-party forensics experts were engaged to investigate the nature and scope of the incident.

According to Canopy Children’s Solutions’ data breach notice, the attackers “accessed certain systems on its network and may have accessed and/or acquired certain files and folders from those systems.” The data breach notice – dated June 2, 2023 – states that the investigation is ongoing to determine which individuals have been affected and the types of data involved. Notification letters will be mailed to affected individuals when that process is completed. Canopy Children’s Solutions said it has reviewed its data privacy and security policies and procedures and is implementing additional safeguards to prevent further attacks in the future.

The Nokoyawa threat group has claimed responsibility for the attack and has added Canopy Children’s Solutions to its data leak site. The group says files are being prepared for publication. The group claims to have exfiltrated 150 gigabytes of data.

The post Patient Data Likely Lost Due to Cyberattack on Mercy Medical Center – Clinton appeared first on HIPAA Journal.