HIPAA Breach News

Multiple Data Breaches Reported by Iowa Medicaid and South Jersey Behavioral Health Resources

The Iowa Department of Health and Human Services has announced there have been three separate breaches of the protected health information of Iowa Medicaid recipients in the past two months – two hacking incidents and an impermissible disclosure, all three of which involved third-party contractors.

The largest breach was at the Medicaid contractor MCNA Dental, which resulted in the exposure and potential theft of the protected health information of 233,834 Iowa Medicaid recipients. The MCNA Dental data breach impacted more than 8.9 million individuals across the country. An unauthorized third party gained access to MCNA Dental’s systems on February 26, 2023; the breach was detected on March 6, 2023, and the unauthorized access was blocked the following day. The LockBit ransomware gang claimed responsibility for the attack and potentially obtained names, addresses, telephone numbers, email addresses, birth dates, Social Security numbers, driver’s license numbers, government-issued ID numbers, health insurance information, Medicare/Medicaid ID numbers, group plan names and numbers, and information related to the dental and orthodontic care provided. MCNA Dental has offered affected individuals complimentary credit monitoring services.

The Iowa Department of Health and Human Services has also confirmed a breach of the protected health information of Iowa Medicaid recipients due to an error at Amerigroup. Explanation of payment notices containing the information of 833 Iowa Medicaid recipients were sent to 20 providers in error. Names, addresses, Social Security numbers, and health insurance information were impermissibly disclosed. Amerigroup is sending notification letters to those individuals.

Another breach was confirmed in April at another Iowa Medicaid contractor, Telligen, Inc., which performs annual assessments for Medicaid members to ensure they are receiving the correct level of care. Telligen subcontracted part of that work to Independent Living Systems (ILS), where the data breach occurred in June and July 2022. The protected health information of approximately 20,800 Medicaid members was compromised in the attack. In total, more than 4 million individuals were affected by the ILS data breach.

South Jersey Behavioral Health Resources Victim of Two Security Breaches

South Jersey Behavioral Health Resources (SJBHR) in Camden, NJ, an Inperium affiliate that provides residential, outpatient, adult partial care, telehealth/telecounseling, and homeless services, has recently announced two breaches of the protected health information of patients in quick succession.

The first incident was a business email compromise/phishing attack. An employee received a request for an Accounts Receivable Report from what appeared to be the legitimate account of a member of the SJBHR fiscal office. An email was sent in response that included patient names, dates of service, types of service, and billing codes. The breach was detected the following day. Additional training was provided to all staff members in response to the incident to help them identify and avoid email scams in the future.

A few days later, on April 5, 2023, SJBHR was the victim of a ransomware attack that resulted in files being encrypted on certain computer systems. The forensic investigation confirmed the attackers gained access to its systems on April 3, 2023. No evidence was found to indicate access to or the theft of patient data, but the systems compromised in the attack included files containing names, contact information, Social Security numbers, driver’s license numbers, dates of birth, medical record numbers, treating/referring physician names, health insurance information, subscriber numbers, medical history information, and diagnosis/treatment information.

In response to the ransomware attack, policies and procedures have been reviewed and additional data security measures have been implemented. SJBHR does not believe the two incidents are related. Neither incident is showing on the HHS’ Office for Civil Rights data breach portal at present, so it is unclear how many individuals have been affected.

The post Multiple Data Breaches Reported by Iowa Medicaid and South Jersey Behavioral Health Resources appeared first on HIPAA Journal.

Alvaria Confirms November 2022 Hive Ransomware Attack

Alvaria Inc. (formerly Aspect Software, Inc.), a provider of call center and customer experience software technology to large enterprises, has recently confirmed that it fell victim to a ransomware attack on a limited portion of its network.

There is a trend for breach notification letters to contain only the bare minimum information needed to meet regulatory requirements; however, Alvaria’s breach notifications include comprehensive details about the attack, including the name of the ransomware group responsible. The company has also confirmed that sensitive information was stolen, some of which was released on the Hive group’s dark web data leak site. That level of detail helps victims of the breach accurately assess the level of risk they face.

Alvaria explained that the ransomware attack occurred on November 28, 2022, and steps were immediately taken to contain the attack and prevent further unauthorized access to its network. An investigation was launched and a third-party digital forensics company was engaged to investigate the scope of the attack and determine if protected health information had been exposed or compromised. On December 21, 2022, while the incident was still being investigated, Alvaria learned that the Hive group had published sensitive corporate files on its dark web data leak site. Alvaria confirmed that the files released by the group did not contain any personal data but it was not possible to determine if employment-related files were accessed or acquired in the attack.

Alvaria explained in the notification letters that the Department of Justice confirmed on January 26, 2023, that a coordinated law enforcement operation had successfully dismantled the Hive Ransomware operation, resulting in the group’s infrastructure being seized. Alvaria said, “Law enforcement has not indicated whether these employment-related files had been acquired,” and no evidence has been found to indicate any actual or attempted misuse of the information contained in the employment-related files.

Those files contained names, government-issued identification numbers such as Social Security numbers and passport numbers, financial account information, health insurance information, and/or tax-related information. Individuals potentially affected have been notified, and Alvaria has confirmed that employees are already provided with credit monitoring, dark web monitoring, and fraud remediation services through Allstate Identity Protection as part of their employment.

The incident has been reported to the HHS’ Office for Civil Rights in 13 individual reports, involving a total of 12,404 records.


Settlement Agreed to Resolve Comprehensive Health Services Data Breach Lawsuit

Acuity International (formerly known as Comprehensive Health Services, LLC / CHS, LLC), a provider of medical management support services, has agreed to a settlement to resolve a class action lawsuit that was filed in response to a 2020 cyberattack and data breach that impacted 106,910 individuals.

Suspicious activity was detected within the systems of Comprehensive Health Services on September 30, 2020, following the discovery of fraudulent wire transfers; however, it took until November 3, 2022, to determine that personal and protected health information had been compromised in the incident, including names, dates of birth, and Social Security numbers. Affected individuals were notified about the breach on January 20, 2022, and February 14, 2022.

On April 4, 2022, a lawsuit – Arbuthnot v. CHS, LLC – was filed in the US District Court for the Middle District of Florida in response to the breach that alleged a failure to protect sensitive data against unauthorized access, violations of the HIPAA Security Rule, and unreasonable delay of more than 16 months to inform individuals that their personal and protected health information had been compromised. As a result of the alleged negligence, plaintiff Shannon Arbuthnot and the class members claim they suffered harm and incurred out-of-pocket expenses dealing with the breach and protecting themselves against misuse of their information.

A settlement was proposed in February 2023 to resolve the lawsuit that has now been finalized, pending final approval by a judge. Acuity maintains there was no wrongdoing and proposed the settlement to avoid the cost, disruption, and distraction of further litigation. The settlement has been approved by Acuity, the class representative, and their legal teams, and is believed to be fair, reasonable, and adequate.

Under the terms of the settlement, individuals who were notified that they had been impacted by the data breach can submit a claim for compensation for ordinary out-of-pocket losses and lost time up to a maximum of $500 per class member, which can include up to 3 hours of lost time at $20 per hour. The claim can include documented losses due to bank fees, phone charges, data charges, postage, costs of credit reports, and any credit monitoring or identity theft protection services purchased between September 30, 2020, and the date of the settlement.

Individuals who were victims of documented identity theft that is reasonably traceable to the data breach are entitled to submit a claim for compensation for extraordinary losses up to a maximum of $3,500 per class member. Extraordinary losses include actual, documented, and unreimbursed monetary losses incurred between September 30, 2020, and the date of the settlement that were more likely than not due to the data breach. In addition, Acuity will cover the cost of two years of credit monitoring services for all class members.

In addition to reimbursing class members for expenses and losses, Acuity has agreed to make security improvements to reduce the risk of future data breaches, many of which have already been implemented. The deadline for exclusion from or objection to the settlement is July 5, 2023, the deadline for submitting a claim is August 3, 2023, and the final approval hearing has been scheduled for August 11, 2023.

The plaintiff was represented by Jon Kardassakis of Lewis Brisbois Bisgaard & Smith, LLP, and the class was represented by John A Yanchunis of Morgan & Morgan and David K Lietz of Milberg Coleman Bryson Phillips Grossman PLLC.


$30,000 Penalty for Disclosing PHI Online in Response to Negative Reviews

The Department of Health and Human Services’ Office for Civil Rights (OCR) has agreed to settle a HIPAA violation case with a New Jersey provider of adult and child psychiatric services for $30,000. In April 2020, OCR received a complaint alleging Manasa Health Center had impermissibly disclosed patient information online when responding to a negative online review. The complainant alleged Manasa Health Center responded to a patient’s review and disclosed the patient’s mental health diagnosis and treatment information.

OCR launched an investigation into the Kendall Park, NJ-based healthcare provider, notified the practice about the HIPAA Privacy Rule investigation on November 18, 2020, and discovered that the protected health information of a total of four patients had been impermissibly disclosed in responses to negative Google Reviews. In addition to the impermissible disclosures of PHI, which violated 45 C.F.R. § 164.502(a) of the HIPAA Privacy Rule, the practice was determined to have failed to comply with the standards, implementation specifications, or other requirements of the HIPAA Privacy and Breach Notification Rules – 45 C.F.R. § 164.530(i).

Manasa Health Center chose to settle the case with OCR with no admission of liability or wrongdoing. In addition to the financial penalty, Manasa Health Center has agreed to adopt a corrective action plan which includes the requirement to develop, maintain, and revise its written policies and procedures to ensure compliance with the HIPAA Privacy Rule, provide training to all members of the workforce on those policies and procedures, issue breach notification letters to the individuals whose PHI was impermissibly disclosed online, and submit a breach report to OCR about those disclosures.

This is not the first time that OCR has imposed a financial penalty for disclosures of PHI on social media and online review platforms. In 2022, OCR agreed to a $23,000 settlement with New Vision Dental and imposed a civil monetary penalty of $50,000 on Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A. In 2019, OCR settled an online disclosure case with Elite Dental Associates for $10,000. The HIPAA Privacy Rule does not prohibit HIPAA-regulated entities from responding to online reviews or using social media; however, protected health information must not be disclosed online without written consent from the patient.

“OCR continues to receive complaints about health care providers disclosing their patients’ protected health information on social media or on the internet in response to negative reviews. Simply put, this is not allowed,” said OCR Director Melanie Fontes Rainer. “The HIPAA Privacy Rule expressly protects patients from this type of activity, which is a clear violation of both patient trust and the law. OCR will investigate and take action when we learn of such impermissible disclosures, no matter how large or small the organization.”

This is the 5th OCR HIPAA enforcement action in 2023 that has been resolved with a financial penalty. So far this year, $1,661,500 has been paid by HIPAA-regulated entities to resolve violations of the HIPAA Rules.


City of Oakland Facing Multiple Class Action Lawsuits Over February Ransomware Attack

Multiple class action lawsuits have been filed against the city of Oakland in California over a ransomware attack and data breach that involved the theft of the personal and protected health information of 13,000 current and former employees. The ransomware attack was detected on February 8, 2023, and forced the city to shut down its systems to contain the attack, resulting in a state of emergency being declared in the city. Systems remained offline for weeks due to the attack, with the recovery process taking months.

The Play ransomware group took credit for the attack and started leaking some of the stolen data to pressure the city into paying the ransom. Initially, 10 gigabytes of stolen data was released on the group’s dark web data leak site, followed by a massive data dump of 600 gigabytes when the city continued to refuse to pay the ransom. The leaked data included the personal information of individuals employed by the city between July 2010 and January 2022. The ransomware attack is understood to have started with phishing emails.

Multiple class action lawsuits have been filed against the city on behalf of victims of the data breach that allege the city failed to implement appropriate security measures to keep employees’ private information confidential, with several victims of the breach claiming they have had their identities stolen and have experienced credit card fraud. The city has offered complimentary credit monitoring services to affected employees and has started to improve security, including implementing a training program for the workforce to improve resilience to phishing attempts.

A lawsuit was filed by the Oakland police officers’ union that alleges the city failed to provide important information about the extent of the incident and the types of data stolen in the attack and seeks monetary compensation and extended credit monitoring and identity theft protection and restoration services. Another lawsuit names Hada Gonzalez as lead plaintiff, a police services technician, who alleges the city was negligent for failing to protect against the attack. The lawsuit alleges data breach notification failures and violations of the HIPAA Security Rule. As a result of the negligence, the plaintiffs and class members claim they have suffered ongoing, imminent, and impending threats of fraud, identity theft, and abuse of their data, resulting in monetary losses and economic harm. The lawsuit seeks an award of damages and injunctive relief, including the requirement for the city to maintain a comprehensive information security program, encrypt sensitive data, undergo third-party security audits, establish an information security training program, and implement other security measures.


Clinical Test Data of 2.5 Million Individuals Stolen in Enzo-Biochem Ransomware Attack

The Farmingdale, NY-based biotech and diagnostics company, Enzo Biochem, has recently confirmed in an 8-K filing with the Securities and Exchange Commission that the clinical test information of 2,470,000 patients was compromised in an April 6, 2023, ransomware attack. Enzo Biochem said prompt action was taken to contain the attack when the breach was detected, and while the incident caused disruption to business operations, all of its facilities continued to provide services to patients and partners.

Enzo Biochem provides treatments for cancer, metabolic, and infectious diseases as well as testing services for a variety of transmissible diseases such as COVID-19 and STDs. On April 11, 2023, Enzo Biochem determined that data related to the provision of those services was accessed, and in some cases exfiltrated, from its systems. The stolen data included names, test information, and for approximately 600,000 individuals, Social Security numbers. Enzo Biochem is still investigating to determine if employee information was also compromised.

Enzo Biochem said it has incurred and may continue to incur expenses related to the incident and is in the process of evaluating the full financial impact of the ransomware attack. Enzo Biochem has confirmed that affected individuals will be notified by mail if their information was involved and that the incident will be reported to the appropriate regulatory authorities.

Medford Radiology Group Investigating Memorial Day Weekend Cyberattack

Medford Radiology Group in Oregon is recovering from a cyberattack that occurred over the Memorial Day weekend. The attack occurred in the early hours of Friday morning and prevented access to medical images. The attack is still being investigated to determine the nature and scope of the breach and the extent to which patient data may have been compromised. Medford Radiology Group said this was a “significant cybersecurity incident.”

Third-party cybersecurity experts are investigating the breach and assisting with the response, and all available resources are being used to ensure radiology services and patient care continue to be provided. While the investigation is still in the early stages, Medford Radiology believes the incident was limited to its internal systems and that its outside partners have not been affected.


28,000 Clarke County Hospital Patients Affected by April Cyberattack

Clarke County Hospital in Osceola, IA, has recently started notifying 28,003 current and former patients about a security breach that exposed some of their protected health information. Suspicious activity was detected within its IT environment and the network was immediately isolated. A third-party digital forensics firm was engaged to determine the nature and scope of the incident and confirmed there had been unauthorized access on April 14, 2023, and that the parts of the network that were accessed contained patient information.

The electronic medical record system was not compromised, and highly sensitive information such as Social Security numbers, banking information, credit card information, and/or financial information was not accessed. The files potentially viewed or stolen included names, addresses, dates of birth, health insurance information, medical record numbers, and some health information. At the time of issuing notifications, no reports had been received to indicate there had been any actual or attempted misuse of patient data.

Clarke County Hospital said enhancements were immediately made to improve system security and experts have been engaged to conduct a comprehensive review of system security. Security protocols will be further enhanced based on the findings of the review. Complimentary credit monitoring services and identity theft protection services have been offered to all potentially impacted individuals for 12 months and the hospital recommends that all individuals take advantage of those services.

Health Benefit Plan Data Stored on Stolen Laptop

A laptop computer has been stolen from the vehicle of an employee of the Anchorage School District, potentially exposing the protected health information of employees covered by its health benefit plan. The theft occurred on March 15, 2023, and the incident was immediately reported to law enforcement, but the laptop computer has not been recovered.

The school district immediately investigated and confirmed that the laptop computer has not been reconnected to the Internet. A review was conducted to determine if any files had potentially been downloaded to the laptop that could have been accessed. The review identified some files that were maintained for human resources and benefits purposes, which contained names, Social Security numbers, and information related to enrollment in the employee health plan.

Complimentary credit monitoring and identity theft protection services have been offered to the 4,598 employees potentially affected. Further training has been provided to the workforce on the importance of safeguarding sensitive information and portable device security measures are being enhanced.

Henry Mayo Newhall Hospital Discovers Employee Snooped on Medical Records

Henry Mayo Newhall Hospital (Henry Mayo) in Valencia, CA, has discovered an employee has accessed the protected health information of certain patients without a valid business reason for doing so. The privacy breach was detected on May 8, 2023, and notification letters were sent to affected individuals on May 26, 2023.

The investigation confirmed that the employee was able to view patient information such as names, birth dates, medical record numbers, visit numbers, and clinical data such as diagnoses, vital signs, and narrative clinical notes. The employee was interviewed about the unauthorized access and Henry Mayo believes the records were accessed out of curiosity and that no patient information has been further disclosed or misused. The hospital has taken action per its sanctions policy and has taken steps to prevent further privacy breaches in the future, including continuing to counsel and educate staff members.

It is currently unclear how many patients have been affected.


Idaho Hospitals Divert Ambulances and Clinic Temporarily Closes Due to Cyberattack

Mountain View Hospital, Idaho Falls Community Hospital, and several clinics in rural Idaho run by the same operator have been affected by a recent cyberattack. The decision was taken to temporarily close one of the clinics – Mountain View RediCare – while the attack is remediated. All other clinics have remained open but are offering reduced services.

The cyberattack was detected on Memorial Day, and ambulances were diverted to other hospitals as a precaution. The diversion has remained in place through Wednesday and the facilities are still experiencing network issues due to the attack. The hospitals have remained open, with staff manually recording patient information while the network is down. A spokesperson for Idaho Falls Community Hospital said patient safety has been the priority and work is continuing around the clock to restore access to computer systems and ensure its systems are cleaned. At this stage, it is not possible to tell how long the recovery process will take and when systems will return to normal operation.

Details about the nature of the attack, such as if ransomware was used, have not been released at this stage, and it is too early to tell the extent to which patient information was involved. The hospital confirmed that the swift action of the IT department to contain the attack has limited the impact and has helped to keep patient data secure.

UI Community Home Care Suffers Ransomware Attack

UI Community Home Care, a subsidiary of the University of Iowa Health System, has recently reported a security incident to the HHS’ Office for Civil Rights that resulted in the exposure and possible theft of the protected health information of 67,897 patients.

The security breach was detected on March 23, 2023, when files were discovered to have been encrypted, preventing access. The forensic investigation confirmed there had been unauthorized access to files on its servers that started on or around March 23, 2023, and some of those files contained patient information. The electronic medical record system is separate from the affected servers and was not accessed in the attack.

The information potentially compromised varied from patient to patient and may have included name in combination with one or more of the following: date of birth, address, phone number, medical record number, referring physician, dates of service, health insurance information, billing and claims information, medical history information, and diagnosis/treatment information. At the time of issuing notifications, UI Community Home Care was unaware of any misuse of patient data. Security oversight efforts have been strengthened in response to the incident to prevent similar events from occurring in the future.

Grant Regional Health Center Notifies Patients About Email Account Compromise

Grant Regional Health Center in Lancaster, WI, has notified 4,135 patients about a breach of an employee email account. The notification letters do not state when the breach was detected but explain that the forensic investigation confirmed that the email account was subjected to unauthorized access between March 20, 2023, and March 24, 2023.

The review of the emails and attachments in the account was completed on May 9, 2023, and confirmed that patient names had been exposed along with one or more of the following data elements: date of birth, financial account information, medical information, health insurance information, Taxpayer ID number, and Social Security number. Grant Regional Health Center said no actual or attempted misuse of patient data has been detected. Email security has been enhanced to prevent similar breaches in the future.


IL, KY, and TN Healthcare Orgs Recovering from Recent Cyberattacks

Morris Hospital & Healthcare Centers Investigating Royal Ransomware Attack

Morris Hospital & Healthcare Centers in Illinois has launched an investigation into a cyberattack that the Royal ransomware group has claimed responsibility for. Third-party forensics experts have been engaged to investigate the breach and determine the extent to which patient information was involved. While the investigation is still in the early stages, Morris Hospital & Healthcare Centers has confirmed that its electronic medical record system was unaffected; however, patient data was stored in the network that was compromised in the attack.

Morris Hospital & Healthcare Centers said it had implemented multiple security measures prior to the attack and that these were instrumental in limiting the severity of the incident. Further information will be released as the investigation progresses, and notification letters will be issued if it is determined that patient data has been compromised. On May 22, 2023, the Royal ransomware group added Morris Hospital & Healthcare Centers to its data leak site along with a sample of files allegedly stolen in the attack.

Norton Healthcare Recovering from Cyberattack

Norton Healthcare, a Kentucky-based operator of more than 140 clinics and hospitals in the Louisville area of Kentucky and Southern Indiana, has confirmed that it suffered a cybersecurity incident on May 9, 2023. Norton said its network is operational, that systems were proactively taken offline as a precaution, and that at no point did the attackers have control of its network.

With IT systems offline, staff switched to manual processes for recording patient information. Norton said all of its facilities remained open and were able to continue to provide care to patients, although there have been delays to some services due to IT systems being offline, including medical imaging, lab test results, and prescription refills. A backlog of messages from its online patient portal has also built up, which is taking time to work through and has caused delays to responses.

The threat actor behind the attack issued threats and demands via fax, but it is unclear at this stage to what extent, if any, patient data has been stolen. Norton did not state whether ransomware was used in the attack. Notifications will be issued to patients if it is determined that their information has been exposed or compromised.

Tennessee Orthopaedic Clinics Confirms March 2023 Cyberattack

Tennessee Orthopaedic Clinics is investigating a security breach that has caused disruption to some of its IT systems. The third-party forensic investigation determined that an unauthorized individual gained access to some of its IT systems between March 20, 2023, and March 24, 2023, and may have accessed or acquired files that contained patient information.

By May 2, 2023, it had been confirmed that patient data had been compromised, including names, contact information, dates of birth, diagnosis and treatment information, provider names, dates of service, cost of services, prescription information, and/or health insurance information, but the extent to which patients have been affected has not yet been disclosed.

The incident has been reported to the HHS’ Office for Civil Rights as affecting 500 individuals – a common placeholder that is used until the full extent of a breach is known. Notification letters will be issued to affected individuals when the review of the affected files has been completed. Tennessee Orthopaedic Clinics said additional safeguards and technical security measures have been implemented to prevent similar security breaches in the future.

Paramount Health Care Affected by NationBenefits Data Breach

The Maumee, OH-based insurance company, Paramount Health Care, has confirmed that it was affected by the recently reported 3 million-record cyberattack that affected the healthcare management solution provider, NationBenefits, on or around January 30, 2023. Paramount said hackers accessed and removed a database that contained patient information that included names, addresses, phone numbers, health insurance information, and Social Security numbers.

The cyberattack was conducted by the Clop threat group and exploited a zero-day vulnerability in Fortra’s GoAnywhere MFT file transfer solution. Notification letters are being sent to patients by NationBenefits. It is currently unclear how many Paramount members have been affected by the incident.
