HIPAA Breach News

RansomHub Claims to Have Stolen and Leaked 100 GB of Florida Department of Health Data

The Florida Department of Health has confirmed to FOX 35 in Orlando that it is investigating a cyberattack. The attack has affected its Vital Statistics System, which is used to process birth and death certificates. The disruption to the system has been causing problems for funeral homes across the state for the past two weeks. Some funeral homes have postponed their services or have been forced to physically visit healthcare providers to get signed copies of death certificates.

The Department of Health has released few details about the attack but this appears to have been a ransomware attack involving the exfiltration of a large volume of data. The RansomHub group claimed responsibility for the attack and said it had stolen around 100 gigabytes of data from the Department and started to leak the stolen data when the ransom was not paid by its deadline of July 1, 2024. The Department of Health has not commented on the validity of the group’s claims nor the extent of any data breach.

The failure to pay the ransom should not have come as a surprise, as Florida amended its State Cybersecurity Act to prohibit state agencies, counties, and municipalities that experience a ransomware attack from paying or otherwise complying with a ransom demand. The ban on ransom payments took effect on July 1, 2022.

There are no reasons to believe that the hacking group’s data theft claims are not genuine. RansomHub has conducted many attacks in the United States, including attacks on healthcare organizations and government departments. The group was also indirectly involved in the February ransomware attack on Change Healthcare, having obtained the data stolen in the attack from a BlackCat ransomware group affiliate after BlackCat performed an exit scam, pocketed the $22 million ransom, and refused to pay the affiliate.

The post RansomHub Claims to Have Stolen and Leaked 100 GB of Florida Department of Health Data appeared first on The HIPAA Journal.

Patient Data Compromised in Palomar Health Medical Group Cyberattack

Palomar Health Medical Group has warned patients that they may have been affected by an April 2024 cyberattack, and DaVita has learned that tracking tools on its website and mobile app may have sent user data to third-party vendors.

Palomar Health Medical Group Announces April 2024 Cyberattack

Palomar Health Medical Group, a provider of primary and specialty care to communities in North San Diego County, has informed patients about a recent cyberattack that exposed some of their protected health information. A security breach was detected on or around May 5, 2024, and immediate action was taken to prevent further unauthorized access to its systems. An investigation was launched to determine the nature and scope of the incident, which confirmed that hackers had access to its network from April 23, 2024, to May 5, 2024.

Palomar Health Medical Group said the attack “may have caused certain files to files to become unrecoverable,” which suggests that ransomware was used. Palomar Health Medical Group has confirmed that certain files were exfiltrated from its network and the review of those files is ongoing, as is the process of restoring the affected files. A full recovery of the affected systems was expected by July 1, 2024; however, the recovery process is taking longer than anticipated.

It is still not possible to tell exactly how many patients have been affected or the specific types of data that have been exposed or obtained in the attack; however, Palomar Health Medical Group has identified the categories of data involved. The compromised data varies from individual to individual and, based on the initial findings of the investigation, will include patient names in combination with one or more of the following: address, date of birth, Social Security number, medical history information, disability information, diagnostic information, treatment information, prescription information, physician information, medical record number, health insurance information, subscriber number, health insurance group/plan number, credit/debit card number, security code/PIN number, expiration date, email address and password, and username and password.

The breach has affected current and former patients of Palomar Health Medical Group and its affiliates Graybill Medical Group and Pacific Accountable Care. Individual notification letters will be mailed to the affected individuals when the file review is completed.

DaVita Notifies Patients About Tracking Technology Privacy Incident

DaVita Inc., a Denver, CO-based provider of kidney dialysis services, notified 67,443 patients on July 2, 2024, about a pixel-related data breach.  Pixels are online tracking technologies that are used on websites and mobile applications for recording visitor activity. DaVita explained that it learned on June 17, 2024, that tracking tools had been installed on its website health portal and Care Connect mobile application that they may have transmitted data to third-party vendors.

The types of information disclosed varied from individual to individual based on their interactions on the website and use of the mobile application. That information may have included usernames and third-party identifiers/cookies, employment status, patient classification/reference, information about the use of the app or pages visited on the website, and information indicating whether the user was signed into a DaVita account, but not the account password. For certain users, limited demographic information may also have been disclosed and, potentially, lab test names or lab test resources viewed on the website but no lab test results. The above types of information could be tied to an individual via their IP address and third-party identifiers, such as if a user was logged into their Google or Facebook account at the time. First and last names would only have been disclosed if they were used to create a username.

DaVita said it has removed all third-party tracking technologies that are not part of a HIPAA-compliant service and has implemented new policies and procedures and provided additional training to members of its workforce to prevent similar privacy breaches in the future. DaVita said it is not aware of any misuse of the disclosed information that is likely to result in financial or similar harm.

The post Patient Data Compromised in Palomar Health Medical Group Cyberattack appeared first on The HIPAA Journal.

Protected Health Information Stolen in HealthEquity SharePoint Breach

HealthEquity has confirmed a breach of its SharePoint data, which included protected health information. Data breaches have also been reported by Kairos Health Arizona and Ambulnz.

HealthEquity

HealthEquity, a Draper, UT-based financial technology and business services company, has suffered a cyberattack that has exposed protected health information. HealthEquity provides health savings account (HSA) services and other consumer-directed benefits solutions, including health reimbursement arrangements (HRAs), and manages millions of HSAs, HRAs, and other benefit accounts.

HealthEquity explained in an 8-K filing with the Securities and Exchange Commission (SEC) that it recently identified anomalous behavior in a business partner’s device, and said the initial investigation indicates that the device had been compromised and was used to access members’ information. No malware was found on its systems and business operations were unaffected, and while the company is still evaluating the financial impact of the incident, it does not believe that the incident will have any material effect on its business or financial results.

The breach was detected on March 25, 2024, and immediate action was taken to prevent further unauthorized access. A forensic investigation was launched to determine the extent of the breach, which revealed an unauthorized actor accessed and exfiltrated HealthEquity’s SharePoint data. Its transactional systems, where integrations occur, were not affected. HealthEquity has started notifying the affected partners, clients, and members and is offering complimentary credit monitoring and identity theft protection services. The extent of the breach and the types of information involved has bot yet been publicly disclosed.

Kairos Health Arizona

Kairos Health Arizona, an employee benefits pool serving public entity employers in Arizona, has discovered that there has been unauthorized access to member data by a former third-party vendor. An investigation was launched which determined that between November 2, 2023, and March 29, 2024, the vendor accessed and downloaded information from a Kairos database.

A review was conducted to determine the types of data involved and confirmed that the downloaded data included names, insurance identification numbers, claims/coverage information, and health information. No Social Security numbers, driver’s license numbers, or financial account information were accessed or downloaded. Notification letters have now been sent to the 14,364 affected individuals and steps have been taken to enhance the security of its network, internal systems, and applications to prevent similar incidents in the future.

Ambulnz

Ambulnz, a subsidiary of DocGo that provides medical transportation and ambulance services, has discovered the protected health information of 4,742 patients has been exposed and potentially stolen in a cyberattack that was detected on April 22, 2024. The forensic investigation confirmed that a threat actor first accessed its network on April 21, 2024, and access was blocked the following day; however, the attack was not detected in time to prevent the threat actor from downloading patient data from its network. The stolen files included names, plus one or more of the following: dates of birth, address, medical record number, patient account number, health insurance identification number, and/or diagnosis and treatment information. A limited number of patients also had their Social Security numbers and/or driver’s license numbers stolen.

The post Protected Health Information Stolen in HealthEquity SharePoint Breach appeared first on The HIPAA Journal.

Email Breach Affects 22,000 Ambulatory Surgery Center of Westchester Patients

The Mount Kisco Surgery Center, doing business as the Ambulatory Surgery Center of Westchester in New York, has recently notified 22,139 patients that some of their protected health information has been exposed and potentially stolen.

Suspicious activity was detected in an employee’s email account on November 3, 2023, and after securing the account, a forensic investigation was launched to determine the nature and scope of the activity. The investigation confirmed that the unauthorized third party had access to the account from October 23, 2023, to November 3, 2023, and that the account contained patient data.

A comprehensive review was then initiated to determine the individuals affected and the types of data involved. That process was completed on May 30, 2024, and then address information was verified. The affected individuals were notified by mail on June 26, 2024. The types of data involved varied from patient to patient and included names in combination with one or more of the following: Social Security number, driver’s license number, state identification number, date of birth, medical information, including diagnosis information, treatment information, and prescription information, and health insurance information, including claim information and health insurance number.

At the time of issuing notifications, no reports had been received to suggest there had been any misuse of patient data. Mount Kisco Surgery Center said it has enhanced network security to prevent similar breaches in the future.

Mobile Medical Response Warns Patients About PHI Breach

Mobile Medical Response, a Michigan-based provider of medical transportation and ambulance services, has announced that there has been an impermissible disclosure of patient information at one of its business associates. Mobile Medical Response contracted with CBM Services to provide collections services. CMB Services had issued a check to Mobile Medical Response, which an unauthorized individual attempted to cash.

When checks are issued to Mobile Medical Response by CMB Services, they are accompanied by a statement of accounts that includes the names of individuals to whom the payments relate. The statements include names, identify individuals as having received transportation services from Mobile Medical Response, and potentially include other information.

Mobile Medical Response has confirmed that addresses, dates of birth, Social Security numbers, driver’s license/state identification numbers, financial account information, payment card information, patient record information, medical diagnosis/condition information, medical treatment information, and health insurance information were not impermissibly disclosed.

Mobile Medical Response is currently investigating the incident to determine the full name, scope, and impact of the event. In the meantime, the breach has been reported as affecting 500 individuals. The total will be updated when the investigation has been completed.

The post Email Breach Affects 22,000 Ambulatory Surgery Center of Westchester Patients appeared first on The HIPAA Journal.

Insider Breaches Reported by Providence Mission Heritage Endocrinology & Samaritan Health Services

Providence Mission Heritage Endocrinology and Samaritan Health Services have identified unauthorized access to patient data by former employees.

Providence Mission Heritage Endocrinology

In May 2024, Providence Mission Heritage Endocrinology in Mission Viejo, CA, discovered an insider breach that involved unauthorized access to clinical records. Providence launched an investigation into the activity and confirmed that the unauthorized access had been ongoing for more than three years. The first instance occurred on December 15, 2020, and it continued until May 15, 2024. The nature of the access was not disclosed; however, Providence said there is an active investigation by the California Department of Insurance.

The review confirmed that only names, State IDs, driver’s license numbers, and health insurance coverage information were accessed. Social Security numbers were not accessed; however, as a precaution, credit monitoring and identity protection services have been offered to the affected individuals for 12 months at no cost. Cambria Haydon, Chief Privacy Officer, Providence has advised the affected patients to take advantage of those services.

The incident has been reported to the California Attorney General; however, it is not currently shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.

Samaritan Health Services

Samaritan Health Services in Oregon has announced that a physician who worked at its Lebanon Community Hospital may have accessed the protected health information of patients without authorization. An investigation was launched in November 2023, when unauthorized access was suspected.

The investigation involved a review of access logs to patient records, interviews with patients and employees, and a written attestation from the physician. While many of the records accessed by the physician were for legitimate purposes, Samaritan was unable to verify the purpose of the physician’s record access for 1,296 individuals.

Samaritan is confident that if the medical records of those individuals were accessed, it was not for malicious purposes and there are no indications that any patient data will be misused; however, as a precaution, the affected individuals have been advised to monitor their account statements and credit reports closely and should immediately report any unusual activity to the appropriate financial institution.

The post Insider Breaches Reported by Providence Mission Heritage Endocrinology & Samaritan Health Services appeared first on The HIPAA Journal.

PHI Exposed in Cyberattacks on Gaia Software & Pinnacle Orthopaedics & Sports Medicine Specialists

Gaia Software has disclosed details of a February 2024 cyberattack, Pinnacle Orthopaedics & Sports Medicine Specialists are investigating an April 2024 cyberattack, and OB GYN Specialists of Lima have discovered the improper disposal of patient data.

Gaia Software

Gaia Software, a provider of electronic medical record and billing management software services to Americare Renal Center, has mailed notification letters to patients whose protected health information was compromised in a February 2024 cyberattack.

Gaia Software notified the HHS’ Office for Civil Rights about the breach on April 5, 2024, and confirmed in the breach report that the protected health information of 56,676 individuals had been compromised in the incident. The investigation into the incident concluded on April 19, 2024; however, details about the attack have only recently been made public.

According to the breach notification letters that were mailed on June 28, 2024, Gaia Software detected the cyberattack on or around February 5, 2024. The breach notification letters do not state whether ransomware was involved, only that the threat actor “attempted to infiltrate Gaia’s computer network and demand a ransom payment.”

Gaia Software said it has not detected any misuse of patient data but has confirmed that patient information was exposed and was potentially stolen in the attack. The types of data involved varied from individual to individual and may have included names, addresses, dates of birth, Social Security numbers, health insurance information, and/or health information.

Gaia Software said it is implementing additional safeguards and enhanced security measures to prevent similar incidents in the future and is reviewing information life cycle management. As a precaution against identity theft and fraud, the affected individuals have been offered complimentary single bureau credit monitoring/single bureau credit report/single bureau credit score services.

Pinnacle Orthopaedics & Sports Medicine Specialists

On June 21, 2024, Pinnacle Orthopaedics & Sports Medicine Specialists in Marietta, GA, announced that an unauthorized third party gained access to its computer network and potentially obtained patient data. The intrusion was detected on or around April 22, 2024, and steps were immediately taken to prevent further unauthorized access. Third-party cybersecurity experts were engaged to investigate to determine the nature and scope of the security breach.

On or around April 29, 2024, Pinnacle confirmed that the protected health information of fewer than 10 patients had been stolen. Those patients were notified but as the investigation continued it became clear that more patients had been affected. On or around June 7, 2024, Pinnacle determined that the protected health information of more than 500 patients had been exposed. Pinnacle is currently undertaking a detailed review of the exposed files and cannot confirm at this stage exactly how many patients have been affected. Those individuals will be notified when the investigation is completed.

Pinnacle said the types of information involved vary from individual to individual and may include names, dates of birth, medical/health information, treatment/diagnostic information, health insurance information, and/or billing/payment information. Pinnacle said it is implementing enhanced security measures to prevent similar incidents in the future.

OB GYN Specialists of Lima

OB GYN Specialists of Lima in Ohio have notified 1,100 patients that some of their personal and protected health information has been exposed in an improper disposal incident. The incident was detected on June 14, 2024, and attempts were made to retrieve the documents, but it was not possible to retrieve them all.

The documents related to visits to its office between June 5, 2024, and June 13, 2024, and included the demographic information that is printed when patients visit, which may have also included test results. Steps have since been taken to prevent similar incidents in the future.

The post PHI Exposed in Cyberattacks on Gaia Software & Pinnacle Orthopaedics & Sports Medicine Specialists appeared first on The HIPAA Journal.

Email Breaches Reported by SkinCure Oncology & the Wisconsin Department of Health Services

SkinCure Oncology has notified 13,434 patients about an email attack that occurred in June 2023, and the Wisconsin Department of Health Services has announced a breach of the personal information of 19,150 Medicaid recipients.

SkinCure Oncology

SkinCure Oncology in Burr Ridge, IL, has issued individual notifications to 13,434 patients whose protected health information was compromised in an email breach that occurred more than a year ago. According to the substitute breach notice, the investigation confirmed that multiple email accounts were accessed by an unauthorized third party between June 23 and June 25, 2023.

A comprehensive review was conducted to identify the files in the email accounts, and on December 6, 2023, it was confirmed that protected health information was present in emails and email attachments. SkinCure Oncology believes files in those email accounts were viewed and potentially obtained in the attack. The exposed information varied from individual to individual and may have included names, birth dates, medical record numbers, medical histories, and health insurance information. A limited number of patients had their Social Security numbers, driver’s license numbers, financial account information, and/or credit card information exposed.

The delay in issuing individual notifications was due to the time it took for SkinCure Oncology and its practice partners to locate up-to-date address information. The substitute breach notice makes no mention of complimentary credit monitoring and identity theft protection services, only that patients should be vigilant against identity theft and fraud. Further information can be contained by calling SkinCure Oncology’s helpline – (866) 528-8844. The helpline is manned Monday to Friday from 8:00 a.m. to  5:30 p.m. Central Time.

Wisconsin Department of Health Services

Wisconsin Department of Health Services has reported a breach of the protected health information of up to 19,150 Medicaid recipients. The breach occurred at one of its partner organizations, Disability Rights Wisconsin, which discovered an unauthorized third party had gained access to an employee email account. It is unclear from the announcement when the breach occurred and when it was discovered.

Notification letters were sent to the affected individuals on June 21, 2024, and they were advised about the data that was exposed. Complimentary credit monitoring services have been offered to the affected individuals for 12 months and a helpline – 888-733-3814 – has been set up for individuals seeking further information. The helpline is manned Monday to Friday, from 8:00 a.m. to 8 p.m. Central Time.

The post Email Breaches Reported by SkinCure Oncology & the Wisconsin Department of Health Services appeared first on The HIPAA Journal.

Texas Retina Associates Cyberattack Affects 312,000 Patients

A cyberattack on Texas Retina Associates has affected more than 312,000 patients, Human Technology Inc., has confirmed that patient data has been compromised in a cyberattack, and the Monti ransomware group has claimed responsibility for a cyberattack on Wayne Memorial Hospital.

Texas Retina Associates Cyberattack Affects 312,000 Patients

Texas Retina Associates, the largest ophthalmology practice in Texas, has announced that there has been unauthorized access to its internal systems and the potential theft of sensitive patient data. Suspicious network activity was identified on March 27, 2024, and third-party cybersecurity specialists were engaged to investigate the activity. They confirmed that an unauthorized actor gained access to its network on October 8, 2023, and maintained access until the breach was detected.

Texas Retina Associates said it is unaware of any misuse of patient data and is issuing notifications “out of an abundance of caution” as files have been exposed that contained patient data. The file review confirmed that the exposed data included first and last name, address, phone number, email address, birth date, gender, Social Security number, medical record number, clinical information, prescription information, medical information, health information, and health insurance information.

The breach has recently been reported to the HHS’ Office for Civil Rights as affecting up to 312,867 current and former patients. Texas Retina Associates has confirmed that its systems have been secured, additional cybersecurity safeguards have been implemented, cybersecurity policies and procedures have been enhanced, and additional cybersecurity training has been provided to its workforce. A helpline has been established for individuals to obtain further information about the breach (888-498-3901) The helpline is manned from 8 a.m. to 8 p.m. Central Time.  The substitute breach notice on the Texas Retina Associates website makes no mention of complimentary credit monitoring or identity protection services being offered.

Human Technology Inc.

The Jackson, TN-based prosthetics and orthotics company, Human Technology Inc., and its affiliates Greer Orthotics & Prosthetics, Murphy’s Orthopedic & Footcare, and Hi-Tech Prosthetics & Orthotics have been affected by a data security incident that was detected on March 15, 2024.

An internal investigation was launched to identify the source of anomalous network activity and a digital forensics firm was engaged to assist with the investigation. The investigation was completed on or around May 31, 2024, and confirmed that an unauthorized actor gained access to a computer system used by Human Technology and its affiliates and potentially viewed or obtained patient data. The exposed data included names, addresses, dates of birth, medical information, health insurance information, Social Security numbers, driver’s license numbers, passport numbers, payment card numbers/expiry dates, account numbers, routing numbers, and tax IDs.

Notification letters were mailed to the affected individuals on June 28, 2024, and complimentary credit monitoring and identity theft protection services have been offered to the affected individuals. Human Technology said it is unaware of any misuse of the affected data. To improve security and reduce the risk of similar incidents in the future, Human Technology has implemented additional safeguards, including EDR monitoring. A helpline has been established for individuals seeking further information on the breach ((866)-528-4805). The helpline is manned from 8.00 a.m. to 5.30 p.m. Central Time.

The incident is not yet shown on the HHS’ Office for Civil Rights website so it is currently unclear how many individuals have been affected.

Ransomware Group Claims Responsibility for Attack on Wayne Memorial Hospital

The Monti ransomware group has claimed responsibility for a cyberattack on Wayne Memorial Hospital, an 11-bed non-profit hospital in Honesdale, PA. The hospital has yet to announce any cyberattack or data breach. The hospital has been added to the Monti group’s data leak site, but no data is currently listed for download. The group says it has given the hospital until July 8, 2024, to pay the ransom demand and will leak the stolen data if payment is not made.

The post Texas Retina Associates Cyberattack Affects 312,000 Patients appeared first on The HIPAA Journal.

Continuum Health Alliance Data Breach Affects 377,000 Consensus Medical Group Patients

Marlton, NJ-based Continuum Health Alliance has recently confirmed that it has experienced a security incident that exposed the data of 377,119 patients of its client, Consensus Medical Group, a physician-owned medical group in Evesham, NJ. Continuum identified unauthorized activity within its network on October 19, 2023, and after taking steps to secure its systems, third-party cybersecurity specialists were engaged to identify the suspicious activity. The forensic investigation confirmed that an unauthorized third party had gained access to some of its systems between October 18 and October 19, and acquired certain files.

On February 16, 2024, Continuum announced on its website that it was investigating the incident while the investigation was ongoing. The file review was completed on March 8, 2024, when it was confirmed that the exposed data included patients’ names and Social Security numbers. Continuum then worked to verify the information and obtain up-to-date address information, and notification letters were mailed on April 29, 2024.

Continuum has implemented additional safeguards to prevent further security incidents and has provided additional training to its workforce. The affected individuals have been offered complimentary credit monitoring and identity theft protection services for 12 months.

Guardant Health Discovers Online Exposure of Patient Data

Guardant Health, a medical laboratory in Redwood City, CA, that performs cancer screening tests on samples provided by physicians and hospitals, has recently notified patients of some of its clients that their protected health information has been exposed online. Guardant Health did not state in its notification letters when it discovered the data exposure, only that an employee inadvertently uploaded a file containing patient data to an online platform in October 2020. Guardant Health immediately removed the file when the error was discovered, and on March 4, 2024, it was confirmed that unidentified third parties downloaded the file between September 8, 2023, and February 28, 2024.

The protected health information in the file varied from patient to patient and included some or all of the following: name, age, medical record and identification numbers, and medical information such as treatment information, dates of treatment, and test results. No financial information or Social Security numbers were present in the file. Guardant Health said it has enhanced its technical controls and has provided further employee training to prevent similar incidents in the future. The breach has been reported to regulators but is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

The post Continuum Health Alliance Data Breach Affects 377,000 Consensus Medical Group Patients appeared first on HIPAA Journal.