HIPAA Breach News

Delta Dental of California Data Breach: 7 Million Individuals Affected

Delta Dental of California Says 6,928,932 Individuals Affected by MOVEit Hack

Delta Dental of California has recently confirmed that it was one of the victims of the Clop hacking group’s mass exploitation of a zero-day vulnerability in Progress Software’s MOVEit Transfer solution. Delta Dental of California, part of the Delta Dental Plans Association, provides dental insurance to 45 million people. According to the breach notification sent to the Maine Attorney General, the information of almost 7 million individuals was stolen in the attack, including members of Delta Dental of California plans and those of its affiliates.

Delta Dental discovered on June 1, 2023, that the SQL injection vulnerability – CVE-2023-34362 – in the MOVEit Transfer solution had been exploited. Progress Software had released an emergency patch to fix the flaw on May 31, 2023; however, the Russia-linked Clop group exploited the flaw between May 27 and May 30, 2023, before the patch was applied and exfiltrated data from Delta Dental’s MOVEit server.

On July 6, 2023, Delta Dental confirmed that plan members’ data had been accessed and acquired without authorization, and third-party computer forensics experts were engaged to help with analytics and data mining to determine exactly what data had been stolen. Due to the extent of the data involved, the analysis has only just been completed, with the final list of the affected individuals and types of data involved finalized on November 27, 2023. Notification letters started to be sent to those individuals on December 14, 2023.

Delta Dental said the stolen data includes names in combination with one or more of the following: address, Social Security number, driver’s license number, other state identification number, passport number, financial account information, tax identification number, individual health insurance policy number, and/or health information. The affected individuals have been offered 24 months of complimentary credit monitoring and identity theft protection services.

Delta Dental stressed in its notification letters that this was a mass exploitation incident that affected thousands of companies; however, the Delta Dental of California data breach stands out due to the number of individuals affected. With 6,928,932 dental plan members affected, this is the third largest healthcare MOVEit-related breach to have been reported, behind Maximus Inc. (11 million) and Welltok (8.5 million).

The HIPAA Breach Notification Rule requires notification letters to be issued within 60 days of the discovery of a breach. The Delta Dental of California data breach was reported to the HHS’ Office for Civil Rights on September 6, 2023, within 60 days of discovering that PHI was involved. It was unclear at the time how many individuals were affected, so an interim figure of 501 was used.

“The delay between detecting the incident, responding to it, and identifying what data has been accessed and by whom, along with which individuals are impacted is not surprising. To determine this typically relies on specialist digital forensic and incident response providers who need to forensically comb through logs and individual data objects using a combination of forensic tools and deep cybersecurity expertise to piece together what happened down to the individual data objects,” Claude Mandy, Chief Evangelist, Data Security at Symmetry Systems, told The HIPAA Journal. “Modern data security tools can speed up the identification of what data is impacted, particularly at scale, so hopefully we will see these timeframes reduce as these tools get adopted. However, it will still take time to map those data objects to the individuals impacted at scale with forensic quality that can stand up in court.”

The post Delta Dental of California Data Breach: 7 Million Individuals Affected appeared first on HIPAA Journal.

November 14, 2023, Healthcare Data Breach Round Up

A round-up of healthcare data breaches that have recently been reported to the HHS’ Office for Civil Rights and State Attorneys General.

PHI Compromised in Cyberattack on Regional Family Medicine

Regional Family Medicine in Mountain Home, AR, has recently notified the Maine Attorney General about a data breach that involved the personal and protected health information of 80,166 individuals. An IT outage was experienced on June 26, 2023, which prevented access to certain local systems. Third-party cybersecurity experts were engaged to investigate the incident and confirmed there had been unauthorized access to its network between June 8 and June 26, 2023.

The parts of the network that were compromised contained files that included information such as names, Social Security numbers, driver’s license or state identification numbers, dates of birth, biometric data, medical information, health insurance information, account numbers, and workplace evaluations. Following the attack, Regional Family Medicine enhanced its security measures to prevent similar breaches from occurring in the future. Complimentary credit monitoring and identity theft protection services have been offered to the affected individuals.

Florida Community Care Affected by MOVEit Hack at ILS

Florida Community Care, LLC, a Miami-Dade County, FL-based health plan, has recently confirmed that information of 30,891 of its members was compromised when a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution was exploited. Progress Software released a patch for the flaw on May 31, 2023; however, the flaw had already been exploited.

The MOVEit Transfer tool was used by its business associate, Independent Living Systems. No Florida Community Care systems were compromised. The compromised information included names, subscriber numbers, and policy numbers. Independent Living Systems is notifying the affected individuals and is offering complimentary credit monitoring and remediation services.

Email Account Breach Reported by Neuromusculoskeletal Center of the Cascades

The protected health information of 22,328 patients of the Neuromusculoskeletal Center of the Cascades and the Cascade Surgicenter in Oregon has been exposed and potentially obtained by unauthorized individuals. Suspicious activity was identified in an employee’s email account on October 3, 2023. The investigation revealed multiple email accounts had been compromised between October 2, 2023, and October 3, 2023.

The review of the email accounts was completed on November 21, 2023, and confirmed they contained patient names along with one or more of the following: address, phone number, email address, date of birth, Social Security number, driver’s license/state ID number, financial account number, routing number, financial institution name, credit/debit card information, treatment/diagnosis information, prescription information, provider name, medical record number, Medicare/Medicaid ID number, health insurance information, treatment cost, and/or digital signature. Email security policies and procedures have been reviewed and updated and credit monitoring and identity theft protection services have been offered to the affected patients.

PHI Exposed in Phishing Attack on The Amani Center

Columbia County Child Abuse Assessment Center, which does business as The Amani Center in Oregon, identified suspicious activity in an employee email account on August 18, 2023. The investigation revealed several email accounts had been compromised in the attack, which affected several businesses and organizations in its community and resulted in unauthorized access to accounts between August 7, 2023, and August 18, 2023.

The review of the accounts was completed on October 19, 2023, and confirmed the following information had been exposed: names, medical information, medical record numbers, health insurance information, Social Security numbers, driver’s license numbers, financial account information, treatment/diagnosis information, prescription information, medical record/patient ID numbers, health insurance information, treatment cost information, or other information provided to The Amani Center.

No evidence of misuse of patient data has been found, and while the risk of data misuse is believed to be low, complimentary credit monitoring and identity protection services have been offered to the affected individuals. The breach was reported to the Office for Civil Rights as affecting 2,374 individuals.

The Children’s Home of Wyoming Conference Email Breach

The Children’s Home of Wyoming Conference in Binghamton, NY, a provider of community services to children and families, identified suspicious activity in two employee email accounts on June 13, 2023. After securing the accounts, the affected mailboxes were reviewed, and on September 12, 2023, it was confirmed that one of those accounts contained protected health information.

The affected individuals had previously received medical treatment from the Children’s Home of Wyoming Conference. The exposed information included names, dates of birth, Social Security numbers, addresses, medical record numbers, patient account numbers, health insurance information, diagnosis and treatment information, clinical and prescription information, and/or provider information. Notification letters were sent on November 10, 2023, along with information to help those people prevent any misuse of their data. The breach was reported to the Office for Civil Rights as affecting 1,111 individuals.

Harrisburg Medical Center Data Breach: PHI of 148,000 Individuals Compromised in 2022

Harrisburg Medical Center, which is part of the Southern Illinois Healthcare network, has recently started notifying 147,826 individuals that some of their personal and protected health information has been compromised. Notification letters about the Harrisburg Medical Center data breach started to be sent to the affected individuals on December 12, 2023; however, the cyberattack was detected a year previously on December 23, 2022.

According to the notification letter sent to the Maine Attorney General, Harrisburg Medical Center discovered and blocked the attack on December 23, 2022, and a third-party cybersecurity firm was engaged to conduct a forensic investigation to determine the nature and extent of the attack. The investigation confirmed that protected health information had been exposed between December 19, 2022, and December 23, 2023, and during that time, files were removed from its systems.

Harrisburg Medical Center said it conducted a review of the documents involved and confirmed on August 24, 2023 – 8 months after the attack was detected – that the files contained names and Social Security numbers, along with some or all of the following information: date of birth, diagnosis/conditions, lab results, and prescription information. Some individuals may also have had their health insurance information, driver’s license/state ID number, digital/electronic signature, and/or financial account number exposed or stolen. No explanation was given about why it took a further four months to issue individual notifications to the affected individuals.

Despite the data breach occurring in December 2022 and PHI being confirmed as involved on August 24, 2023, the incident is still not showing on the HHS’ Office for Civil Rights breach portal. The HIPAA Breach Notification Rule states that breaches must be reported within 60 months of discovery of the breach.

Unsurprisingly, given the length of time taken to notify the affected individuals and the lack of transparency, patients have been looking to take legal action over the breach and theft of their data. Several law firms have opened investigations with a view to filing class action lawsuits.

Pan-American Life Insurance Group Data Breach Affects 200,000 Individuals

Pan-American Life Insurance Group MOVEit Data Breach

The Pan-American Life Insurance Group in Louisiana has confirmed that it was one of the victims of the mass hacking of a zero-day vulnerability in Progress Software’s MOVEit Transfer solution in late May 2023 by the Clop hacking group. Progress Software released a patch to fix the previously unknown vulnerability on May 31, 2023; however, by that time the Clop hacking group had already mass exploited the flaw to gain access to MOVEit servers. More than 2,600 organizations worldwide are now known to have been affected and between 78 and 83 million individuals have had their data stolen in the attacks.

The Pan-American Life Insurance Group said it immediately stopped using the MOVEit Transfer tool for file transfers when it was notified about the vulnerability and hired a cybersecurity firm to determine if the flaw had been exploited. The investigation confirmed that files had indeed been stolen. A review of those files was initiated, and on October 5, 2023, it was confirmed that they contained personal and protected health information, including names, addresses, Social Security numbers, dates of birth, driver’s license numbers, contact information, medical and medical benefits information, subscriber numbers, certain biometric data, and financial account and credit card information.

The Pan-American Life Insurance Group has arranged for the affected individuals to be provided with 24 months of complimentary credit monitoring and identity theft protection services. The breach was reported to the HHS’ Office for Civil Rights in two separate breach reports that affected 105,387 and 94,807 individuals.

Dameron Hospital Investigating Cyberattack

Dameron Hospital in Stockton, CA, has confirmed that it recently suffered a cyberattack that has affected some of its network systems. The lack of critical systems has caused disruption and some procedures have been rescheduled until all systems are brought back online; however, a spokesperson for the hospital confirmed that its patient care operations and emergency department are continuing to function as normal. An investigation has been launched to determine the nature and scope of the incident and whether any patient data has been exposed or stolen. Further information will be released as the investigation progresses.

Hunters International Claim Responsibility for Cyberattack on Covenant Care

Covenant Care, a provider of skilled nursing, residential care, and home healthcare in California and Nevada, appears to have experienced a cyberattack involving data theft. The Hunters International hacking group has added Covenant Care to its data leak site and has been adding patient data to that site, indicating Covenant Care has refused to pay the ransom. Covenant Care has not confirmed whether the hacking group’s claims are genuine.

Covenant Care is no stranger to data breaches, having fallen victim to multiple phishing attacks in the past 5 years, including one in 2019 that affected 7,858 patients and another in 2022 that involved the PHI of 23,093 patients. In response to the 2019 attack, the HHS’ Office for Civil Rights issued technical assistance to help Covenant Care with its security management process.

Healthplex Settles Data Breach Investigation with NY Attorney General for $400,000

The New York Attorney General has agreed to settle alleged violations of New York’s data security and consumer protection laws with Healthplex, one of New York’s largest providers of dental insurance. Healthplex has agreed to pay a penalty of $400,000 to resolve the investigation with no admission of wrongdoing.

Attorney General Letitia James launched an investigation of Healthplex after being notified about a breach of the personal and protected health information of 89,955 individuals, including 62,922 New York residents, to determine if Healthplex had complied with the requirements of the Health Insurance Portability and Accountability Act (HIPAA) and New York’s data security and consumer protection laws.

The data breach occurred on or around November 24, 2021, and was the result of an employee responding to a phishing email and disclosing her account credentials. The account contained more than 12 years of emails, some of which included customer enrolment information. Credentials alone should not be sufficient to gain access to email accounts; however, Healthplex had not implemented multi-factor authentication on its recently deployed Office 365 web interface.

The unauthorized individual used the account to send further phishing emails internally, and it was the reporting of those emails by employees that identified the attack. The attacker had access to the account for a period of almost 6 hours before access was terminated; however, during that time, the attacker could access emails dating from May 7, 2009, to November 24, 2022. The emails contained member identification numbers, insurance group names and numbers, addresses, dates of birth, credit card numbers, banking information, Social Security numbers, driver’s license numbers, usernames and passwords for the member portal, email addresses, phone numbers, dates of service, provider names, billing information, procedure codes, diagnosis codes, prescription drug names, and plan affiliations. While unauthorized access was confirmed, insufficient logging capabilities meant it was not possible to determine which emails had been accessed or copied.

The affected individuals were notified in April and Healthplex took steps to improve security, including extending multifactor authentication to the Office 365 web interface, implementing a 90-day email retention policy, enhancing its logging capabilities, and providing further training on phishing detection and avoidance to the workforce. The investigation determined that the measures implemented by Healthplex prior to the phishing attack did not meet the standards required by New York’s data security and consumer protection laws with respect to data retention, logging, and multifactor authentication, and its data security assessments failed to identify the risk from storing years of data in email accounts when there was no business purpose for retaining that information.

In addition to paying a financial penalty, Healthplex has agreed to maintain a comprehensive information security program, encrypt personal data, implement an email retention schedule for employee email accounts, enforce the use of complex passwords, and conduct penetration tests to identify vulnerabilities. “Visiting a dentist’s office can be a stressful experience without having the added concern that personal and medical data could be stolen by bad actors,” said Attorney General James. “Insurers, like all companies charged with holding on to sensitive information, have an obligation to ensure that data is safeguarded and doesn’t fall into the wrong hands. New Yorkers can rest assured that when my office is made aware of data breaches, we will drill down and get to the root of the problem.”

Michigan Increases Penalties for Violence Against Healthcare Workers

In the absence of federal legislation to protect healthcare workers, Michigan has introduced a new law that expands the definition of protected workers to include healthcare workers and has increased the financial penalties in an attempt to curb the growing problem of workplace violence.

Workplace Violence in Healthcare Continues to Increase

The number of reported instances of nonfatal workplace violence has been increasing year-over-year, especially in healthcare. According to data from the Bureau of Labor Statistics (BLS), workplace violence incidents that required workers to take time off work were five times higher in privately operated healthcare and social assistance establishments than in private industry overall. Since the BLS started tracking workplace violence incidents in 2011, cases have continued to increase almost every year. These incidents can result in serious injuries or worse. Between 2016 and 2020, BLS data show an average of 44 homicides of private healthcare workers every year.

There have been repeated calls from industry associations for federal protections to help tackle the problem. In 2022, Sen. Tammy Baldwin (D-WI) introduced the Workplace Violence Prevention for Health Care and Social Service Workers Act, which called for OSHA to create violence prevention measure requirements for healthcare and social services workplaces. The legislation failed to advance and was reintroduced in April this year. In September 2023, Sens. Joe Manchin (D-WV) and Marco Rubio (R-FL) introduced the Safety from Violence in Healthcare Act, which sought to make assaults on healthcare staff a federal crime. The Act also calls for penalties to be increased for assaults that result in bodily injury; however, the legislation has failed to advance in Congress.

In March 2023, the Occupational Safety and Health Administration (OSHA) announced that it is in the process of developing an enforceable Prevention of Workplace Violence in Healthcare and Social Assistance standard in an attempt to address this growing problem.

New Michigan Law Doubles Penalties to Deter Workplace Violence

In the absence of federal protections, many states have introduced their own laws in an attempt to deter violence against healthcare workers. Almost 40 states have now passed legislation to increase penalties for violence against healthcare workers, with Michigan the latest state to do so.

Michigan already had laws in place concerning violence against protected workers, which include police officers, firefighters, and EMS personnel. In response to the rise in bullying, violence, and the viciousness of attacks on healthcare workers, the classification has been extended to include healthcare professionals and medical volunteers. Any assault on a protected worker could result in a felony charge, and while the potential jail time has remained unchanged, the financial penalties have doubled. Medical facilities in the state must now post signs in areas visible to the public that warn of the increased fines.

The new law (House Bill 4520-21) was led by Rep. Mike Mueller (R-MI) and was signed into law on December 6, 2023. “This new law is a step toward providing a secure working environment for hospital personnel, discouraging acts of violence, and ensuring that anyone who targets them with violence is held responsible,” said Rep. Mueller. “I am proud to see this bipartisan plan come to fruition after working on it for more than a year.”

Norton Healthcare Data Breach: Second Class Action Lawsuit Filed

Second Class Action Lawsuit Filed Over Norton Healthcare Data Breach

A second class action lawsuit has been filed against Norton Healthcare in response to its May 2023 ransomware attack in which the protected health information of up to 2.5 million patients was exposed and potentially stolen.

The first lawsuit was filed in the summer on behalf of plaintiff Lanisha Malone in U.S. District Court after her personal information was misused. She was contacted by her bank to inform her about a suspicious $1,5000 charge to her account which had been blocked. The lawsuit alleged the Louisville, KY-based health system had failed to implement appropriate security measures to safeguard the sensitive data of patients and that Norton Healthcare had failed to issue timely notification letters to allow the affected patients to take steps to protect themselves against identity theft and fraud.

Norton Healthcare announced in May 2023 that an investigation had been launched into a cyberattack; however, at the time, the extent of the breach had yet to be established and it was unclear how many individuals had been affected, so it was not possible to issue individual notification letters. Norton Healthcare provided an update on the attack in December and confirmed that the cyberattack involved ransomware and that the ransom was not paid. Notification letters started to be mailed on December 8, 2023.

On December 14, 2023, a second class action lawsuit was filed against Norton Healthcare over the ransomware attack on behalf of Margaret Garrett of Crestwood, KY, and similarly situated individuals. The latest lawsuit alleges Norton Healthcare violated the Privacy and Security Rules of the Health Insurance Portability and Accountability Act (HIPAA) by failing to adequately protect patient information and also takes issue with the alleged lack of transparency about the ransomware attack and data breach. Norton Healthcare has now confirmed the types of data potentially compromised in the attack but has been unable to say exactly how many individuals were affected or the specific types of data that were compromised in the attack.

The lawsuit claims that the sensitive data of patients and employees is now in the hands of cybercriminals and could be used for identity theft and fraud, and that now that sensitive data has been sold or posted in public forums, patients and employees could be contacted directly by the ALPHV/BlackCat ransomware group and threatened with further exposure of their sensitive data, especially patients with sexually transmitted diseases or terminal illnesses. Recently, a cyberattack on the Fred Hutchinson Cancer Center resulted in patients being extorted directly by hackers after the decision was taken by Fred Hutchinson Cancer Center not to pay the ransom.

The lawsuit – Garrett v. Norton Healthcare Inc. – was filed in U.S. District Court for the Western District of Kentucky and seeks class action status, a jury trial, damages, and legal fees. The plaintiff and class are represented by Andrew W. Ferich and Carlynne A. Wagner of Ahdoot & Wolfson, PC, and John C Whitfield of Whitfield Coleman Montoya, PLLC.

Norton Healthcare said it takes the privacy and security of patient and employee data very seriously and plans to vigorously defend itself in any litigation over the ransomware attack and data breach.

December 11, 2023: Norton Healthcare Notifies 2.5 Million Individuals About May 2023 Ransomware Attack

The Kentucky-based health system, Norton Healthcare, has recently confirmed that the personal and protected health information of patients and employees was exposed, and potentially stolen, in a May 2023 ransomware attack. According to the breach report submitted to the Maine Attorney General, the Norton Healthcare data breach has affected up to 2.5 million individuals.

Norton Healthcare operates eight hospitals in Kentucky and Indiana. On May 9, 2023, suspicious activity was identified within its network and it was later determined that ransomware had been used. Immediate action was taken to secure its network and a forensic investigation was conducted to determine the extent of the breach. The investigation confirmed that an unauthorized third party had access to its network between May 7, 2023, and May 9, 2023, including network storage devices that contained sensitive patient and employee data. Norton Healthcare’s medical record system and Norton MyChart were not accessed and remained secure.

Throughout the investigation, Norton Healthcare provided updates on its website, with the first announcement made on May 11, 2023. Norton Healthcare previously confirmed that it was able to recover the affected files from backups, and started to do so on May 10, 2023; however, the investigation and file review have taken several months. Those processes have now concluded and notification letters started to be sent to the affected individuals on December 8, 2023.

The Norton Healthcare data breach was reported to the HHS’ Office for Civil Rights on July 7, 2023, to meet the breach reporting requirements of the HIPAA Breach Notification Rule, but an interim figure of 501 individuals was provided as it had yet to be determined how many individuals had been affected. In mid-November, Norton Healthcare determined that “based on the data available to it, and out of an abundance of caution,” the most efficient approach was to notify all current (as of May 10, 2023) and former patients, employees, employee dependents and beneficiaries about the ransomware attack. If a notification letter is received it does not necessarily mean that personal and protected health information has been stolen, only that sensitive information may have been exposed.

The types of data involved may have included names in combination with one or more of the following: contact information, Social Security Number, date of birth, health information, insurance information, and medical identification number, and for certain individuals, driver’s license number, other government ID numbers, financial account numbers, and digital signatures. Norton Healthcare said it has enhanced its security safeguards since the attack and has not found any additional indicators of compromise as its networks were restored. As a precaution against misuse of data, Norton Healthcare has arranged for the affected individuals to be provided with complimentary credit monitoring and identity theft protection services for up to 24 months.

Norton Healthcare did not confirm the name of the ransomware group behind the attack, but the BlackCat ransomware group claimed responsibility. Norton Healthcare is facing legal action over the attack, with one lawsuit alleging Norton Healthcare failed to implement appropriate safeguards to prevent attacks and did not issue timely notifications to the affected individuals.

The post Norton Healthcare Data Breach: Second Class Action Lawsuit Filed appeared first on HIPAA Journal.

Ransomware Attacks Reported by Foursquare Healthcare and Hi-School Pharmacy

Foursquare Healthcare Ltd, a Rockwall, TX-based operator of short-term rehabilitation, skilled nursing, and long-term nursing care facilities, has recently confirmed it experienced a ransomware attack in September. The ransomware attack was detected on September 27, 2023, and the forensic investigation confirmed the attackers accessed its network between September 27, 2023, and September 29, 2023, and acquired certain files that contained employee and patient information. The information in the files varied from individual to individual and included names along with one or more of the following: address, billing information, Social Security number, banking information, and clinical information regarding care received at its clinics.

The attack did not cause any material disruption to Foursquare care or services and no evidence has been found to indicate that any of the stolen data has been misused for identity theft or fraud. Foursquare said it has received assurances that all of the stolen data has been deleted. That usually, but not always, means the ransom was paid. Foursquare said it believes the incident has been contained and it will continue to monitor its systems for unauthorized activity.

The breach has recently been reported to the HHS’ Office for Civil Rights as involving the protected health information of 10,890 patients. Foursquare has offered the affected individuals two years of complimentary credit monitoring and identity theft protection services. While assurances were provided that the stolen data has been deleted, Foursquare encourages the affected patients and employees to be vigilant against identity theft and fraud.

Hi-School Pharmacy Suffers Ransomware Attack

The Vancouver, WA-based drug store chain, Hi-School Pharmacy, has recently notified the Maine Attorney General about a data breach that has affected 17,676 individuals. On November 3, 2023, Hi-School Pharmacy experienced a cyberattack that caused network disruption. The forensic investigation confirmed on November 21, 2023, that the attackers had access to parts of the network that contained protected health information including names and Social Security numbers. Notification letters were sent to the affected individuals on November 5, 2023. Credit monitoring and identity theft protection services have been offered to the affected individuals.
