HIPAA Breach News

Another Corewell Health Business Associate Suffers Million-Record Data Breach

The Michigan Attorney General’s Office announced on Tuesday that the protected health information of more than one million Corewell Health patients had been compromised in a cyberattack on one of Corewell Health’s vendors. HealthEC provides Corewell Health with a population health management platform that is used to identify high-risk patients in southeastern Michigan to close gaps in care and identify barriers to optimal care.

HealthEC explained in its breach notification letters that suspicious activity was identified within its network and the forensic investigation determined that an unknown, unauthorized actor had access to some internal systems between July 14, 2023, and July 23, 2023. During that time, files containing protected health information were removed from its systems. HealthEC conducted a review of all files on the compromised part of the network and notified its affected clients on October 26, 2023. HealthEC then worked with those clients to issue notifications. According to the notification sent to the Maine Attorney General, HealthEC started mailing notification letters to 112,005 individuals on December 22, 2023. Some of HealthEC’s covered entity clients have opted to send notification letters themselves.

According to HealthEC, the following types of information were compromised: names, addresses, dates of birth, Social Security numbers, medical record numbers, diagnoses and diagnosis codes, mental/physical condition, prescription information, providers’ names, beneficiary numbers, subscriber numbers, Medicaid/Medicare identification numbers, patient account numbers, patient identification numbers, and treatment cost information. HealthEC has offered complimentary credit monitoring and identity theft protection services to the affected individuals for 12 months.

Data breaches at business associates of HIPAA-covered entities often affect many of their clients. Another HealthEC client known to have been affected is Beaumont ACO in Michigan. It is possible that individuals may receive two notification letters related to this incident if they have previously received services from Corewell Health and Beaumont ACO.

This is the second major data breach to affect Corewell Health patients this year. In November, Welltok Inc., which provides patient communication services, started notifying around one million Corewell Health patients that some of their protected health information had been stolen when a zero-day vulnerability was exploited in Progress Software’s MOVEit Transfer file transfer solution. The two incidents are unrelated and were conducted by separate threat actors. Corewell Health patients had their names, dates of birth, email addresses, phone numbers, diagnoses, health insurance information, and Social Security numbers stolen by the Clop hacking group. The same breach also affected Priority Health, which is Corewell Health’s insurance plan.

“Health information is some of the most personal information we have,” said Michigan Attorney General Dana Nessel. “Michigan residents have been subjected to a surge of healthcare-related data breaches and deserve robust protection. It is critical that the Michigan legislature join the many other states that require companies who experience a data breach to immediately inform the Department of Attorney General.”

The post Another Corewell Health Business Associate Suffers Million-Record Data Breach appeared first on HIPAA Journal.

December Healthcare Data Breach Round-Up

Data breaches have been reported by Cardiothoracic and Vascular Surgeons, ZOLL Medical Corporation, Erie Family Health Centers, Health Diagnostic Management, BlueCross BlueShield of Tennessee, and Rush System for Health.

Cardiothoracic and Vascular Surgeons Investigating Cyberattack

Cardiothoracic and Vascular Surgeons in Texas discovered on October 13, 2023, that its systems had been accessed by an unauthorized individual. The forensic investigation confirmed there had been unauthorized access to its IT systems between October 12 and October 13, 2023, and during that time, an unauthorized third party may have viewed or obtained files containing patient information.

The review of the affected files is still ongoing, but the following types of information are anticipated to have been exposed: individuals’ names, Social Security Numbers, credit card information, account numbers and passwords, financial account information, driver’s licenses, dates of birth, medical record numbers, health insurance information, patient account numbers, doctors’ or medical professionals’ names, treatment information, procedure codes, diagnosis codes, Medicaid/Medicare numbers, dates of treatment, prescription information, diagnosis and symptoms information.

Cardiothoracic and Vascular Surgeons said they are reviewing their policies, procedures, and processes related to the storage and access of sensitive information to reduce the likelihood of a similar future incident. Since the number of individuals affected has yet to be established, the breach has been reported to the HHS’ Office for Civil Rights with an interim figure of 500 individuals and will be updated when the file review is completed.

PHI Compromised in Phishing Attack on ZOLL Medical Corporation

ZOLL Medical Corporation has recently announced that it was the victim of a sophisticated phishing attack. An employee responded to a phishing email and disclosed credentials that allowed the email account to be accessed. According to the breach notice provided to the Maine Attorney General, the attack occurred on August 2, 2023, and it was detected on November 1, 2023.

The review of the account confirmed it contained names, addresses, and Social Security numbers. The breach was reported to the Maine Attorney General as affecting 15,276 individuals in total. The HHS’ Office for Civil Rights breach portal indicates the PHI of 8,898 individuals was compromised. ZOLL Medical has offered the affected individuals 36 months of credit monitoring and identity theft protection services.

Email Account Breach Reported by Erie Family Health Centers

Erie Family Health Centers has recently confirmed that the protected health information of 6,351 patients was potentially accessed or obtained by an unknown threat actor who gained access to the email account of one of its employees on October 1, 2023. The email account breach was detected on October 19, 2023, and the account was immediately secured. Erie Family Health Centers engaged a cybersecurity company to determine whether patient data had been viewed. No evidence of unauthorized access to patient data was found, nor evidence of any uploads of patient data to the dark web. The information in the account included names, dates of birth, medical record numbers, dates of service, laboratory test tracking numbers, and insurance identification numbers. Affected patients have been offered complimentary credit monitoring services.

Health Diagnostic Management Announces Patient Portal Breach

Health Diagnostic Management (HDM), a New York-based provider of non-medical management services for diagnostic imaging centers, experienced a breach of its patient portal on October 12, 2023. The vendor that operates the HDM patient portal identified suspicious activity on October 13, 2023. Its investigation revealed that valid credentials for a referring physician from Brooklyn Premiere Orthopedics were used to access the patient portal. Brooklyn Premiere Orthopedics announced it had suffered a data breach the week before the unauthorized activity was detected, leading HDM to conclude that the credentials were stolen in that breach.

The review of the affected accounts concluded on November 21, 2023, and affected individuals were notified on October 16, 2023. Affected individuals have been offered complimentary credit monitoring services. HDM is in the process of implementing additional security safeguards, and has engaged a third-party vendor to conduct penetration tests on the patient portal after the security updates are implemented. The breach was reported to the HHS’ Office for Civil Rights as affecting 1,863 individuals.

BlueCross BlueShield of Tennessee Affected by MOVEit Hack

BlueCross BlueShield of Tennessee (BCBST) has announced that the protected health information of 1,665 of its members was stolen by the Clop hacking group, which exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer tool. MOVEit Transfer was used by the BCBST business associate NASCO for file transfers. The vulnerability was exploited on May 30, 2023, and NASCO learned it had been affected on July 12, 2023, and notified BCBST about the breach on October 20, 2023. The information compromised in the incident was limited to health insurance numbers, group numbers and names, claim information, medical ID numbers, dates of service, procedure codes, and provider names. NASCO is notifying the affected BCBST members and is offering 24 months of identity monitoring services.

Rush System for Health Notifies Patients About Email Error

An email error at Rush University System for Health resulted in research surveys being misdirected on October 25, 2023, resulting in the name of a patient being visible to another recipient of the survey. No other information was exposed. The error occurred due to an error in a spreadsheet that became misaligned during data sorting and resulted in the impermissible disclosure of the names of 4,961 patients.

Ransomware Groups Attack 3 Healthcare Providers

Liberty Hospital in Kansas City is recovering from a cyberattack that has disrupted its IT systems. The cyberattack was detected on the morning of December 19, 2023, and the decision was taken to divert ambulances to other facilities until access to IT systems was restored. Some appointments have been canceled and will be rescheduled. Liberty Hospital has only released limited information about the attack; however, KMBC News obtained a copy of a ransom note. The hackers claim to have downloaded all confidential data stored on its systems and gave the hospital 72 hours to make contact. The threat actor behind the attack is currently unknown.

The Qilin ransomware group has recently added the Neurology Center of Nevada to its data leak site and claims to have exfiltrated at least 198 GB of sensitive data. Neurology Center of Nevada has not publicly confirmed whether the claims of Qilin are genuine. There is no mention of a cyberattack or data breach on its website. If Qilin’s claims are genuine, this will be the second ransomware attack in a year for the Neurology Center of Nevada.

The DragonForce threat group, which was responsible for a recent attack on the Heart of Texas Behavioral Health Network, has claimed responsibility for an attack on Greater Cincinnati Behavioral Health Services and has added it to its data leak site. DragonForce claims to have exfiltrated 72.4 GB of data in the attack although the stolen data has not been uploaded to the group’s data leak site. Greater Cincinnati Behavioral Health Services has not made any announcement about a cyberattack.

4 Over, LLC Notifies Group Health Plan Members About November 2022 Cyberattack

The Glendale, CA-based printing company, 4 Over, LLC, has experienced a cyberattack in which hackers gained access to parts of its network that contained the protected health information of 6,491 members of its group health plan. Suspicious activity was detected within its network on November 19, 2022, and the forensic investigation confirmed there had been unauthorized network access between November 16, 2022, and November 19, 2022. Notification letters started to be sent to the affected individuals on December 5, 2023, more than a year after the breach was detected. 4 Over said the delay was due to undertaking “a time-intensive and thorough review” of the impacted documents.

The information potentially removed from its systems included full names, Social Security numbers, driver’s license or state-issued identification numbers, financial account numbers or credit or debit card numbers, Passport numbers, medical information, treatment information, diagnosis information, health insurance information, and dates of birth. 4 Over said it is reviewing its existing policies and procedures regarding cybersecurity and is evaluating additional measures and safeguards to protect against this type of incident in the future.

Email Accounts Compromised at VNS Health

VNS Health Home Care, VNS Health Hospice Care, and VNS Health Personal Care in New York recently notified patients that an unauthorized third party gained access to the email accounts of some of its employees and potentially viewed or obtained some of their protected health information. Unauthorized access was detected on August 14, 2023, and the investigation revealed several employee email accounts had been accessed by an unauthorized third party between August 10, 2023, and August 14, 2023.

On September 14, 2023, VNS Health determined that emails and associated files in the accounts contained information such as names, dates of birth, addresses, phone numbers, diagnosis and treatment information, and health insurance information. VNS Health said the email accounts appeared to have been compromised to defraud individual VNS personnel rather than to obtain patient information.

VNS Health has implemented additional safeguards and measures to further protect and monitor its systems, including technical systems enhancements, updated security policies and protocols, and staff education. The breach has been reported to the HHS’ Office for Civil Rights as affecting 5,175 VNS Health Personal Care patients and 13,584 members of VNS Health’s Health Plans.

Lake County Health Department Reports Email Account Breach

Lake County Health Department in Illinois is investigating a security incident involving unauthorized access to an employee’s email account. The account breach was detected on November 1, 2023, and the investigation confirmed that the account contained partially de-identified information relating to Lake County residents who may have been part of a disease cluster or outbreak investigated by the health department between July 2014 and October 2023.

No evidence was found that indicated any information in the email account was exfiltrated, but data theft could not be ruled out. The information in the account only included names, addresses, ZIP codes, dates of birth, phone numbers, email addresses, and diagnoses/conditions. The incident is not yet showing on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

PHI Potentially Obtained in Fresno Surgical Hospital Cyberattack

Fresno Surgical Hospital in California experienced a cyberattack that was detected and blocked on November 4, 2023. Third-party cybersecurity experts were engaged to investigate to determine the nature and extent of the incident and confirmed that some data had been removed from its network on November 4, 2023. All files on the compromised parts of the network were reviewed, and on December 11, 2023, Fresno Surgical Hospital confirmed that personal information may have been involved.

The types of information involved varied from patient to patient and may have included names in combination with one or more of the following: demographic/contact information such as address and date of birth, medical and/or treatment information such as provider and facility names, medical record number or other patient identifiers, diagnosis information, procedure information, and other clinical information. Fresno Surgical Hospital said security and monitoring capabilities are being enhanced and systems are being hardened to minimize the risk of similar incidents in the future.

Heart of Texas Behavioral Health Network Cyberattack Affects 63,776 Individuals

The Heart of Texas Behavioral Health Network (HOTBHN), formerly the Heart of Texas Region MHMR Center, a provider of services to individuals and families with developmental and intellectual disabilities, has recently announced that an unauthorized individual may have accessed the sensitive information of 63,776 individuals in a recent cyberattack.

The attack was detected on October 22, 2023, access to the network was immediately shut down, and a third-party forensic incident response firm was engaged to investigate the breach and determine the extent of the unauthorized activity. HOTBHN said it “found no evidence that patient information had been specifically misused,” but confirmed that patient information had been exposed to a third party. The types of information exposed varied from individual to individual and may have included one or more of the following: first and last name, address, Social Security number, date of birth, medical record number, health insurance policy number, and medical and treatment information.

HOTBHN said it has reviewed and enhanced its technical safeguards to prevent a similar incident in the future and has notified the affected individuals and offered them complimentary credit monitoring services and identity theft protection services for 12 months. A threat group known as DragonForce has claimed responsibility for the attack and claims to have exfiltrated almost 56 GB of data. HOTBHN has been added to the group’s data leak site, but the data is not currently accessible.

United Healthcare Services, Inc. Notifies 4,264 Individuals About Email Account Breach

United Healthcare Services, Inc. Single Affiliated Covered Entity (UHS) has recently reported a data breach to the HHS’ Office for Civil Rights that has affected 4,264 individuals. An unauthorized individual gained access to the email account of an employee of Equality Health, an Accountable Care Organization that serves some UHC members. The account was accessed between April 11, 2023, and April 12, 2023. Equality Health notified UHS about the breach on October 16, 2023. The review of the account confirmed that the following information was contained in the email account: names, dates of birth, genders, addresses, Social Security numbers, UHC member ID numbers, Medicare ID numbers, Medicare plan information, and primary care provider information.

According to UHS, the breach was the result of an employee error and a previous inappropriate disclosure of patient information. In September 2020, a UHC employee sent member information to an Equality Health employee when attempting to confirm whether their primary care provider was in Equality Health’s network. The UHC employee should not have included the information in the email when doing so. Neither UHS nor Equality Health was aware of the impermissible disclosure until recently. Equality Health’s investigation uncovered no evidence of misuse of any of the exposed data.

The affected individuals have been notified and Equality Health has offered them complimentary credit monitoring services. The employee responsible for the initial impermissible disclosure has received further training.

14,040 Individuals Impacted by Coos Health and Wellness Cyberattack

The Coos, OR, Public Health Department, Coos Health & Wellness, has recently notified 14,040 individuals that some of their protected health information was exposed and potentially obtained by unauthorized individuals in an April 2023 cyberattack.

Unauthorized activity was detected within its network on November 28, 2023. The forensic investigation confirmed that an unauthorized individual gained access to the network on or around April 28, 2023, and potentially acquired certain files. The file review confirmed on November 20, 2023, that the exposed information included names, Social Security numbers, driver’s license numbers, state identification numbers, medical information, and health insurance information. Notification letters have now been issued and the affected individuals have been offered 12 months of complimentary services through IDX. Coos Health & Wellness said it has implemented additional security features to prevent similar incidents in the future.

City of Homer Reports Lost Device Containing PHI of 1,412 Individuals

The City of Homer in Alaska has recently confirmed that the protected health information of 1,412 individuals was stored on a portable storage device that has gone missing. The device was used to assist the City with its data migration efforts, and it appears to have been misplaced. A thorough search was conducted but the device could not be located. The device contained a backup of medical information collected by the City in the course of responding to emergency medical service and transportation calls, which may have included Social Security numbers and/or dates of birth. City officials are unaware of any attempted or actual misuse of the exposed data.

November 2023 Healthcare Data Breach Report

After two months of declining healthcare data breaches, there was a 45% increase in reported breaches of 500 or more healthcare records. In November, 61 large data breaches were reported to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) – three more than the monthly average for 2023. From January 1, 2023, through November 30, 2023, 640 large data breaches have been reported.

In addition to an increase in data breaches, there was a massive increase in the number of breached records. 22,077,489 healthcare records were exposed or compromised across those 61 incidents – a 508% increase from October. November was the second-worst month of the year in terms of breached records behind July, when 24 million healthcare records were reported as breached. There is still a month of reporting left but 2023 is already the worst-ever year for breached healthcare records. From January 1, 2023, through November 30, 2023, 115,705,433 healthcare records have been exposed or compromised – more than the combined total for 2021 and 2022.

Largest Healthcare Data Breaches in November 2023

November was a particularly bad month for large data breaches, with 28 breaches of 10,000 or more records, including two breaches of more than 8 million records. Two of the breaches reported in November rank in the top ten breaches of all time and both occurred at business associates of HIPAA-covered entities. The largest breach occurred at Perry Johnson & Associates, Inc. (PJ&A), a provider of medical transcription services. The PJ&A data breach was reported to OCR as affecting 8,952,212 individuals, although the total is higher, as some of its clients have chosen to report the breach themselves. Hackers had access to the PJ&A network for more than a month between March and May 2023.

The second-largest breach was reported by Welltok, Inc. as affecting 8,493,379 individuals. Welltok works with health plans and manages communications with their subscribers. The Welltok data breach is one of many 2023 data breaches involving the exploitation of a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution by the Clop hacking group. Globally, more than 2,615 organizations had the vulnerability exploited and data stolen.

A further three data breaches were reported that involved the protected health information of more than 500,000 individuals. Sutter Health was also one of the victims of the mass hacking of the MOVEit vulnerability and had the data of 845,441 individuals stolen, as did Blue Shield of California (636,848 records). In both cases, the MOVEit tool was used by business associates of those entities. East River Medical Imaging in New York experienced a cyberattack that saw its network breached for three weeks between October and September 2023, during which time the hackers exfiltrated files containing the PHI of 605,809 individuals. All 28 of these large data breaches were hacking incidents that saw unauthorized access to network servers.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
|---|---|---|---|---|
| Perry Johnson & Associates, Inc., which does business as PJ&A | NV | Business Associate | 8,952,212 | Hacking and data theft incident |
| Welltok, Inc. | CO | Business Associate | 8,493,379 | Hacking incident (MOVEit Transfer) |
| Sutter Health | CA | Healthcare Provider | 845,441 | Hacking incident at business associate (MOVEit Transfer) |
| California Physicians’ Service d/b/a Blue Shield of California | CA | Health Plan | 636,848 | Hacking incident at business associate (MOVEit Transfer) |
| East River Medical Imaging, PC | NY | Healthcare Provider | 605,809 | Hacking and data theft incident |
| State of Maine | ME | Health Plan | 453,894 | Hacking incident (MOVEit Transfer) |
| Proliance Surgeons | WA | Healthcare Provider | 437,392 | Ransomware attack |
| Medical Eye Services, Inc. | NY | Business Associate | 377,931 | Hacking incident (MOVEit Transfer) |
| Medical College of Wisconsin | WI | Healthcare Provider | 240,667 | Hacking incident (MOVEit Transfer) |
| Warren General Hospital | PA | Healthcare Provider | 168,921 | Hacking and data theft incident |
| Financial Asset Management Systems (“FAMS”) | GA | Business Associate | 164,796 | Ransomware attack |
| Morrison Community Hospital District | IL | Healthcare Provider | 122,488 | Ransomware attack (BlackCat) |
| South Austin Health Imaging LLC dba Longhorn Imaging Center | TX | Healthcare Provider | 100,643 | Hacking and data theft incident (SiegedSec threat group) |
| Mulkay Cardiology Consultants at Holy Name Medical Center, P.C. | NJ | Healthcare Provider | 79,582 | Ransomware attack (NoEscape) |
| International Paper Company Group Health and Welfare Plan (the “IP Plan”) | TN | Health Plan | 78,692 | Hacking incident at business associate (MOVEit Transfer) |
| CBIZ KA Consulting Services, LLC | NJ | Business Associate | 30,806 | Hacking incident (MOVEit Transfer) |
| Endocrine and Psychiatry Center | TX | Healthcare Provider | 28,531 | Hacking and data theft incident |
| Blue Shield of California OR Blue Shield of California Promise Health Plan | CA | Business Associate | 26,523 | Hacking incident at business associate (MOVEit Transfer) |
| Wyoming County Community Health System | NY | Healthcare Provider | 26,000 | Hacking and data theft incident |
| Westat, Inc. | MD | Business Associate | 20,045 | Hacking incident (MOVEit Transfer) |
| Psychiatry Associates of Kansas City | KS | Healthcare Provider | 18,255 | Hacking and data theft incident |
| Southwest Behavioral Health Center | UT | Healthcare Provider | 17,147 | Hacking and data theft incident |
| TGI Direct, Inc. | MI | Business Associate | 16,113 | Hacking incident (MOVEit Transfer) |
| Pharmacy Group of Mississippi, LLC | MS | Healthcare Provider | 13,129 | Hacking and data theft incident |
| U.S. Drug Mart, Inc. | TX | Healthcare Provider | 13,016 | Hacking and data theft incident at business associate |
| Catholic Charities of the Diocese of Rockville Centre d/b/a Catholic Charities of Long Island | NY | Healthcare Provider | 13,000 | Hacking and data theft incident |
| Foursquare Healthcare, Ltd. | TX | Healthcare Provider | 10,890 | Ransomware attack |
| Saisystems International, Inc. | CT | Business Associate | 10,063 | Hacking and data theft incident |

November 2023 Data Breach Causes and Data Locations

Many of the month’s breaches involved the mass hacking of a vulnerability in the MOVEit Transfer solution by the Clop threat group. MOVEit data breaches continue to be reported, despite the attacks occurring in late May. According to the cybersecurity firm Emsisoft, at least 2,620 organizations were affected by these breaches, and 77.2 million records were stolen. 78.1% of the affected organizations are based in the United States. Progress Software is currently being investigated by the U.S. Securities and Exchange Commission over the breach. Hacking/ransomware attacks accounted for 88.52% of the month’s data breaches (54 incidents) and 99.94% of the breached records (22,064,623 records). The average data breach size was 408,604 records and the median breach size was 10,477 records.

Ransomware gangs continue to target the healthcare industry, and in November several ransomware groups listed stolen healthcare data on their leak sites including NoEscape and BlackCat. Many hacking groups choose not to use ransomware and instead just steal data and threaten to sell or publish the data if the ransom is not paid, such as Hunter’s International and SiegedSec. Since there is little risk of ransomware actors being apprehended and brought to justice, the attacks are likely to continue. OCR is planning to make it harder for cyber actors to succeed by introducing new cybersecurity requirements for healthcare organizations. These new cybersecurity requirements will be voluntary initially but will later be enforced. New York has also announced that stricter cybersecurity requirements for hospitals will be introduced in the state, and financial assistance will be offered.

There were 6 data breaches classified as unauthorized access/disclosure incidents, across which 10,371 records were impermissibly accessed by or disclosed to unauthorized individuals. The average data breach size was 1,481 records and the median breach size was 1,481 records. There was one reported incident involving the theft of paperwork that contained the protected health information of 2,495 individuals. For the second consecutive month, there were no reported loss or improper disposal incidents. The most common location of breached PHI was network servers, which accounted for 77% of all incidents. 10 incidents involved PHI stored in email accounts.

Where did the Data Breaches Occur?

The OCR data breach portal shows healthcare providers were the worst affected HIPAA-regulated entity in November, with 42 reported data breaches. There were 13 data breaches reported by business associates and 6 data breaches reported by health plans. The problem with these figures is they do not accurately reflect where the data breaches occurred. When a business associate experiences a data breach, the business associate may report it to OCR, the affected covered entities may report the breach, or there may be a combination of the two. As such, the raw data often does not accurately reflect the number of data breaches occurring at business associates of HIPAA-covered entities. The data used to compile the charts below has been adjusted to show where the data breach occurred rather than the entity that reported the breach.

Geographical Distribution of Healthcare Data Breaches

Data breaches were reported by HIPAA-regulated entities in 28 states. California was the worst affected state with 8 reported breaches, followed by New York with 6.

| State | Number of Breaches |
|---|---|
| California | 8 |
| New York | 6 |
| Illinois & Texas | 5 |
| Connecticut, Florida, Georgia, Indiana, Iowa, Kansas, Maine, Michigan, Minnesota, New Jersey, Oregon, South Carolina & Washington | 2 |
| Arizona, Colorado, Maryland, Massachusetts, Mississippi, Nevada, Ohio, Pennsylvania, Tennessee, Utah & Wisconsin | 1 |

HIPAA Enforcement Activity in November 2023

OCR announced one enforcement action in November. A settlement was agreed with St. Joseph’s Medical Center to resolve allegations of an impermissible disclosure of patient information to a reporter. OCR launched an investigation following the publication of an article by an Associated Press reporter who had been allowed to observe three patients who were being treated for COVID-19. The article included photographs and information about the patients and was circulated nationally. OCR determined that the patients had not provided their consent through HIPAA authorizations; therefore, the disclosures violated the HIPAA Privacy Rule. St. Joseph’s Medical Center settled the alleged violations and paid an $80,000 financial penalty.

HIPAA is primarily enforced by OCR although State Attorneys General may also investigate HIPAA-regulated entities and they also have the authority to issue fines for HIPAA violations. In November, one settlement was announced by the New York Attorney General to resolve alleged violations of HIPAA and state laws. U.S. Radiology Specialists Inc. was investigated over a breach of the personal and protected health information of 198,260 individuals, including 95,540 New York Residents. The New York Attorney General’s investigation determined that U.S. Radiology Specialists was aware that vulnerabilities existed but failed to address those vulnerabilities in a timely manner. Some of those vulnerabilities were exploited by cyber actors in a ransomware attack. U.S. Radiology Specialists agreed to pay a $450,000 financial penalty and ensure full compliance with HIPAA and state laws.

The post November 2023 Healthcare Data Breach Report appeared first on HIPAA Journal.

Class Action Lawsuits Filed Against ESO Solutions Over Data Breach

Class action lawsuits have started to be filed against ESO Solutions over its recently disclosed cyberattack and data breach that affected almost 2.7 million individuals. The data breach involved sensitive information such as names, contact information, and Social Security numbers and affected many of the company’s healthcare clients.

Two lawsuits – Claybo v. ESO Solutions Inc. and Essie Jones f/k/a Essie McVay v. ESO Solutions Inc. – were filed in the U.S. District Court for the Western District of Texas, Austin Division. They allege that ESO Solutions failed to implement reasonable and appropriate industry-standard security measures to ensure the privacy and confidentiality of patient data. The lawsuits also allege ESO Solutions did not properly train staff members on data security protocols, failed to detect a breach of its systems and the theft of data in a timely manner, and then failed to issue timely notifications to the affected individuals. The lawsuits also allege that the data security failures violate the Health Insurance Portability and Accountability Act (HIPAA).

As a direct result of those failures, hackers gained access to the plaintiffs’ and class members’ sensitive data. The plaintiffs and class members now face an imminent and ongoing risk of identity theft and fraud, have suffered other injuries as a result of the breach, and have incurred out-of-pocket expenses. The lawsuits seek a jury trial, class action certification, an award of damages, injunctive relief, and attorneys’ fees. The plaintiffs and class members are represented by Joe Kendall of Kendall Law Group PLLC, Bryan L. Bleichner and Philip J. Krzeski of Chestnut Cambronne PA, and Alexandra M. Honeycutt of Milberg Coleman Bryson Phillips Grossman LLC.

December 21, 2023: ESO Solutions Data Breach: 2.7 Million Individuals Affected

ESO Solutions, a provider of software solutions for hospitals, health systems, EMS agencies, and fire departments, has confirmed that it fell victim to a ransomware attack in September 2023 that resulted in file encryption. ESO Solutions identified suspicious activity within its network on September 28, 2023, and took immediate action to isolate its systems and prevent further unauthorized access to its network.

Third-party digital forensics experts were engaged to investigate the attack and determine the extent of the unauthorized activity. The forensics team confirmed on October 23, 2023, that the attackers had access to parts of its network containing the personal and protected health information of 2.7 million individuals. The information compromised in the incident included names, dates of birth, injury type, injury date, treatment date, treatment type, and, in some cases, Social Security numbers. The attack was reported to the Federal Bureau of Investigation and ESO Systems has worked cooperatively with the FBI during its investigation. A ransom demand was issued by the attackers; however, ESO Systems was able to recover the encrypted files from backups.

ESO Systems notified its affected customers and has been in frequent contact with them to assist them with their response efforts and offered to issue notifications to patients of its customers. ESO Systems started mailing notification letters on December 12, 2023. Affected individuals have been offered complimentary credit monitoring and identity theft protection services through Kroll.

The following healthcare organizations are known to have been affected:

  • Ascension – Ascension Providence Hospital in Waco
  • Baptist Memorial Health Care System – Mississippi Baptist Medical Center
  • CaroMont Health
  • Community Health Systems – Merit Health Biloxi & Merit Health River Oaks
  • ESO EMS Agency
  • Forrest Health – Forrest General Hospital
  • HCA Healthcare – Alaska Regional Hospital
  • Memorial Hospital at Gulfport Health System – Memorial Hospital at Gulfport
  • Providence St Joseph Health (AKA Providence) – Providence Kodiak Island Medical Center & Providence Alaska Medical Center
  • Tallahassee Memorial HealthCare – Tallahassee Memorial
  • Universal Health Services (UHS) – Manatee Memorial Hospital & Desert View Hospital
  • Valley Health System – Centennial Hills Hospital, Desert Springs Hospital, Spring Valley Hospital, Summerlin Hospital, and Valley Hospital

“Given that patient safety and personal information is at risk, organizations cannot afford to put off strengthening their cybersecurity postures. On an average day, more than 55,000 physical and virtual assets are connected to organizational networks; yet an astounding 40% of these assets are left unmonitored – leaving critical, exploitable gaps. Attackers are taking advantage of these gaps; this attack proves that improper access to one machine can mean chaos for an organization,” said Mohammad Waqas, CTO, Healthcare, of the asset intelligence cybersecurity company, Armis. “This attack also highlights the importance of educating organizations that assets incorporate more than simply hardware or medical devices. Other assets that can come under attack include virtual assets, data artifacts, personal health information, user access, among others. It’s critical for healthcare organizations to not only look at cyber risk from a vulnerability perspective, but also factor in assets supporting clinical workflows or storing patient information. By having a comprehensive view of assets, organizations can prioritize compensating controls and risk reduction tactics to help contain and mitigate cyber-attacks. Being able to monitor all assets for anomalous behaviors, connection attempts, and analyze other aspects of attempted access provides the level of visibility needed to help establish preventative policies.”

The HIPAA Journal asked Waqas about the other steps that hospitals can take to improve their defenses against ransomware attacks. “Healthcare organizations of all types must prioritize cyber exposure management to mitigate all cyber asset risks, remediate vulnerabilities, block threats and protect the entire attack surface. Security and IT pros must also consider incorporating critical strategies into their cybersecurity programs, like network segmentation, to increase healthcare cybersecurity. Segmenting a network is a massive project that can span many years, however, it is the project that will accomplish the greatest risk reduction in a healthcare environment,” explained Waqas.

“What’s key for these projects is the proper planning and understanding that a segmentation project will have multiple phases – discovery and inventory, behavioral and communication mapping, policy creation, prioritization, testing, implementation and automation. One growing trend is a risk-based prioritization approach wherein instead of a traditional method of segment lists created by manufacturer or type, organizations can achieve a much faster ROI by identifying and prioritizing the segmentation of critical vulnerable devices first to achieve maximum risk reduction upfront. Cybersecurity pros at healthcare organizations should incorporate these types of solutions and methods right away to help in preventing these types of attacks from impacting their organizations directly, and for protecting them and their patients in the wake of an attack against one of their third-party suppliers.”


Cardiovascular Consultants Data Breach Affects 484,000 Individuals

Cardiovascular Consultants Ltd., an Arizona-based healthcare provider with offices in Phoenix, Scottsdale, and Glendale, has recently reported a data breach to the HHS’ Office for Civil Rights that involved the protected health information of 484,000 individuals.

On September 29, 2023, Cardiovascular Consultants identified suspicious activity within its computer systems and initiated its incident response and recovery procedures. An investigation was launched and a third-party cybersecurity company was engaged to assist with the investigation, which revealed unauthorized individuals had access to its systems on or before September 27, 2023.

Cardiovascular Consultants has now confirmed that the hackers exfiltrated files containing sensitive data and used ransomware to encrypt files on the network. Those files were reviewed and found to contain patient data such as names, mailing addresses, birth dates, emergency contact information, Social Security numbers, driver’s license numbers, state ID numbers, insurance policy and guarantor information, diagnosis and treatment information, and other information from medical or billing records.

The data of account guarantors was also stored on the compromised parts of the network, including names, mailing addresses, telephone numbers, dates of birth, and email addresses, and also information about insurance policy holder/subscribers such as names, mailing addresses, telephone numbers, dates of birth, insurance policy information, and, in some cases, Social Security numbers.

Affected individuals were notified about the breach on December 2, 2023, and 24 months of complimentary credit monitoring, identity theft protection, and fraud resolution services have been offered to the affected individuals. Cardiovascular Consultants has confirmed that additional security measures have been implemented to improve its defenses against cyberattacks in the future.


MedStar Mobile Health Data Breach Settlement Proposed

A settlement has been proposed by the Metropolitan Area EMS Authority to resolve a class action lawsuit that was filed by individuals affected by a 2022 cyberattack and data breach. Metropolitan Area EMS Authority is a Fort Worth, TX-based operator of an emergency and non-emergency ambulance service and does business as MedStar Mobile Healthcare. On October 20, 2022, unauthorized network activity was discovered, and the forensic investigation revealed unauthorized individuals had accessed parts of its network where patient data was stored. The hackers were able to access the protected health information of 612,000 individuals, including names, contact information, dates of birth, and limited medical information. The affected individuals were notified on December 19, 2022.

A class action lawsuit – Kaether v. Metropolitan Area EMS Authority d/b/a MedStar Mobile Healthcare – was filed in Texas District Court in response to the breach that alleged negligence for failing to secure sensitive patient data. The lawsuit also alleged breach of implied contract, negligence per se, breach of fiduciary duty, public disclosure of private facts, and unjust enrichment. Metropolitan Area EMS Authority chose to settle the lawsuit with no admission of liability or wrongdoing and will make an unspecified sum available to cover claims from individuals affected by the data breach, including a subclass of individuals who had HIPAA-covered protected health information exposed.

Under the terms of the settlement, individuals who were notified about the breach who have experienced unreimbursed out-of-pocket losses that are reasonably traceable to the data breach may submit claims for up to $3,000 to cover the losses, including travel expenses, long-distance phone calls, bank fees, credit costs, and any unreimbursed expenses and monetary losses from identity theft or fraud. Members of the HIPAA subclass may also claim up to four hours of lost time at $20 per hour. Claims must be accompanied by documented evidence that losses have been experienced. All class members will be entitled to a complimentary 12-month membership to a single-bureau credit monitoring service which includes a $1 million identity theft insurance policy. Metropolitan Area EMS Authority has also agreed to implement additional cybersecurity measures to better protect the sensitive data it stores and is providing its workforce with additional security awareness training. Measures that will be implemented by the end of the year include multifactor authentication and disabling Outlook Anywhere.

Individuals wishing to object to the settlement or exclude themselves must do so by January 24, 2024, and claims must be submitted no later than February 23, 2024. The final fairness hearing has been scheduled for April 3, 2024. The plaintiff and class members were represented by Joe Kendall of the Kendall Law Group PLLC and Gary M Klinger and Alexander Wolf of Milberg Coleman Bryson Phillips Grossman PLLC.


Horizon Actuarial Services Proposes $8.73M Settlement to Resolve Class Action Data Breach Lawsuit

Horizon Actuarial Services has proposed an $8.73 million settlement to resolve all claims related to a hacking incident and data breach in 2022 that affected 227,953 individuals. Horizon Actuarial Services was contacted by a cyber actor in November 2022 who claimed to have stolen sensitive data in a cyberattack. The investigation confirmed there had been unauthorized access to two servers between November 10 and 11, 2021. The data stolen in the attack included names, dates of birth, Social Security numbers, and health plan information. Horizon Actuarial Services negotiated with the cyber actor and made a payment to prevent the stolen data from being sold, published, or misused.

A lawsuit – Sherwood, et al. v. Horizon Actuarial Services LLC – was filed in the U.S. District Court for the Northern District of Georgia on behalf of individuals affected by the data breach. It alleged that Horizon Actuarial Services had failed to implement reasonable and appropriate measures to protect the sensitive data stored on its servers. Horizon Actuarial Services has not admitted to any wrongdoing but chose to settle the lawsuit to avoid further legal costs and the uncertainty of trial. Under the terms of the settlement, an $8,733,446.36 fund will be established to cover claims from individuals who have experienced unreimbursed losses as a result of the data breach.

Class members may submit claims for reimbursement for up to $5,000 to cover out-of-pocket expenses reasonably traceable to the data breach and up to 5 hours of lost time at $25 per hour. All claimants can submit a claim for a $50 payment, and individuals who were California residents at the time of the data breach will be able to claim an additional $50 ($100 in total). The payments may be lower depending on the number of claims and will be paid pro rata.

Individuals wishing to object to or exclude themselves from the settlement must do so by January 22, 2024. Individuals wishing to submit a claim must do so by February 21, 2024. A final approval hearing has been scheduled for March 25, 2024. The plaintiffs and class members were represented by Terence R Coates of Markovits Stock & Demarco LLC, Gary M Klinger of Milberg Coleman Bryson Phillips Grossman PLLC, and Kenya J Ready of Morgan & Morgan.
