HIPAA Breach News

Managed Care of North America Hacking Incident Impacts 8.9 Million Individuals

Managed Care of North America, Inc. (MCNA), which also does business as MCNA Dental – a provider of dental benefits and services for state Medicaid and Children’s Health Insurance Programs – has recently reported a major data breach to the Maine Attorney General that has affected 8,923,662 individuals. This is the largest healthcare data breach to be reported by a single covered entity so far this year, and the second healthcare data breach of more than 5 million records to be reported this month.

On March 6, 2023, MCNA discovered an unauthorized third party was able to access certain systems within its IT network. The threat was immediately contained and a third-party cybersecurity firm was engaged to investigate the intrusion and determine the nature and scope of the incident. The forensic investigation determined that the network had been compromised and infected with malicious code and that the attackers removed some copies of personal and protected health information from its systems between February 26, 2023, and March 7, 2023.

The review of the files that were copied or potentially accessed confirmed that they contained protected health information such as names, addresses, telephone numbers, email addresses, birth dates, Social Security numbers, driver’s license numbers, government-issued ID numbers, health insurance information, Medicare/Medicaid ID numbers, group plan names and numbers, and information related to the dental and orthodontic care provided. The types of compromised information varied from individual to individual. MCNA said it is unaware of any attempted or actual misuse of the affected data. MCNA said it has enhanced its security controls and monitoring practices to minimize the risk of further incidents of this nature in the future.

The LockBit ransomware group claimed responsibility for the attack and leaked some of the stolen data on its dark web data leak site as proof of data theft, and demanded a $10 million ransom to prevent the publication of all of the stolen data. It appears that the ransom was not paid, as the group published the stolen files on April 7, 2023.

Affected individuals are now being notified and are being offered complimentary credit monitoring services for 1 or 2 years, as dictated by the minimum terms required by state law. MCNA sent notifications on behalf of Florida Healthy Kids Corporation, the Florida Agency for Health Care Administration, and the following 112 insurance plans:

Aetna Better Health of New York
African American Planning
AgeWell New York, LLC
Albest Metal Stamping Corporation
Amerigroup Community Care
Amida Care, Inc.
Arkansas Department of Human Services
Assistant Deputy Wardens Association/Deputy Wardens Association
ATU Local 1056
Bridge & Tunnel Officers Benevolent Association
Brighton Health Plan Solutions LLC
CareConnect Insurance Company
Catholic Managed Long Term Care, Inc
Centerlight Healthcare, Inc.
Centers Plan for Healthy Living
City of New York Management Benefit Fund
Correction Officers Benevolent Association
Court Officers Benevolent Association of Nassau County
Crystal Run Health Plans
Dentcare Delivery Systems, Inc.
Detectives’ Endowment Association
District Council 1707 Local 95 Head Start Employees Welfare Fund
Elderplan Homefirst
ElderServe Health Inc. dba RiverSpring at Home
ElderServe Health Inc. dba RiverSpring FIDA
Elderwood Health Plan
Empire BlueCross BlueShield HealthPlus
Employee Administrative Corporation
EverCare Choice, Inc.
Excavators Union Local 731 Welfare Fund
Excellus Health Plan, Inc. (Excellus BlueCross BlueShield, Univera Healthcare, Premier Health Plan)
Extended MLTC, LLC
Florida Agency for Health Care Administration
Florida Healthy Kids Corporation
Graphic Art International Union Local 119B
Guildnet, Inc.
Health Fund 917
Healthplex Dental Services, Inc.
Healthplex Insurance Company
Healthplex, Inc.
Hicksville UFSD
Highmark Blue Cross Blue Shield of Western New York
iCircle
Idaho Department of Health and Welfare
Incorporated Village of Garden City
Independent Health Association, Inc.
Independent Health Benefits Corporation
Integra MLTC, Inc.
International Healthcare Services, Inc.
International Union of Operating Engineers Local 138 Welfare Fund
International Union of Operating Engineers Local 30 Benefits Fund
International Union of Operating Engineers Local 30 Welfare Trust
Iowa Department of Human Services
Kentucky Cabinet for Health and Family Services
Local 1199 National Benefit Fund
Local 1964 ILA Health & Insurance
Local 342 Health Care Fund
Local 342 Welfare Fund
Local 522 – C/O United Teamster Fund
Local 808, I.B. of T. Health and Welfare Fund
Louisiana Department of Health
Magnacare, LLC
MCS Healthcare Holdings, LLC
Metroplus Health Plan, Inc.
Metropolitan Transit Authority
MVP Health Plan
MVP Health Services Corp.
Nascentia Health, Inc.
Nassau County
Nebraska Department of Health and Human Services
New York City District Council of Carpenters
New York City Service Employees International Union Local 246 Welfare Fund
NYC Association of Surrogate and Supreme Court reporting
Oscar Insurance Corporation
Patchogue-Medford UFSD
Prime Choice MLTCP
Quality Health Plans of New York, Inc.
Saint Vincents Catholic Medical Center of New York
Sergeant Benevolent Association
Staffco of Brooklyn, LLC
Suffolk County PBA Benefit Fund
Suffolk County Superior Officers Association Benefit Fund
Superior Officers Council
Teachers College at Columbia University
Teamsters Local 237 Babylon Welfare Fund
Teamsters Local 237 Brentwood Welfare Fund
Teamsters Local 237 Islip Welfare Fund
Teamsters Local 237 New York City Welfare Fund
Teamsters Local 237 North Babylon Welfare Fund
Teamsters Local 237 Plainview Welfare Fund
Teamsters Local 237 Retiree Fund
Teamsters Local 237 West Islip Welfare Fund
Teamsters Local 72 Welfare Fund
Texas Health and Human Services Commission
Town Of Hempstead
UFCW Local 2013 Health and Welfare Fund
Uniformed Fire Alarm Dispatchers Benevolent Association
Uniformed Fire Officers Association
Uniformed Firefighters Association Security Benefit Fund
Uniformed Sanitationmen’s Association Local 831
United Federation of Teachers
United Federation of Teachers Health Care Chapter Benefit fund
United Food and Commercial Workers Local 888 Health and Pension Funds
United Public Service Employees Union Benefit Plan
United Teamsters Fund
Utah Department of Health and Human Services
VillageCareMAX
VNS CHOICE doing business as VNS Health Health Plans
Wellcare
Wyandanch Union Free School District
York MG/York Home Care
YourCare Health

The post Managed Care of North America Hacking Incident Impacts 8.9 Million Individuals appeared first on HIPAA Journal.

Ransomware Gangs Claim Three Healthcare Victims

There has been a growing breach notification trend where the exact nature of a cyberattack is not disclosed in breach notification letters, including whether there has been confirmed theft of patient data. The failure to provide this information makes it difficult for victims of data breaches to assess the level of risk they face. That appears to be the case with two recent cyberattacks, neither of which mentions ransomware or confirms that data theft occurred.

Albany ENT & Allergy Services

Earlier this month, two ransomware groups – BianLian and RansomHouse – added Albany ENT & Allergy Services (AENT) to their data leak sites, along with claims that 1TB of data was stolen from its network before files were encrypted. Evidence of data theft was published on the RansomHouse data leak site.

Albany ENT & Allergy Services has now confirmed in a notification to the Maine Attorney General that unauthorized individuals gained access to its network, which contained the protected health information of 224,486 individuals, including 61 Maine residents. AENT explained in the letters that suspicious activity was detected within its computer network on March 27, 2023, and a third-party forensic investigation was conducted to determine the nature and scope of the incident. AENT said it was able to determine that “an unauthorized actor may have had access to certain systems that stored personal and protected health information,” between March 23, 2023, and April 4, 2023. A review of those files confirmed they contained employee and patient information such as names and Social Security numbers.

Notifications started to be sent to affected individuals on March 25, 2023, and 12 months of complimentary credit monitoring services have been offered. Since it appears from the claims of the ransomware groups that data has been stolen, affected individuals should ensure they take advantage of those complimentary services. AENT said it is reviewing its policies and procedures, will provide additional training to employees, and will be implementing additional safeguards to further secure information in its systems.

Vascular Center of Intervention, Inc.

The Vascular Center of Intervention, Inc. (VCI) a surgical center in Fresno, CA, has recently notified patients about a security breach detected on March 29, 2023. The notification letters state that the forensic investigation of unusual network activity “determined that certain documents stored within VCI’s environment may have been copied from or viewed on the system by an unauthorized person(s) between February 25, 2023, and March 29, 2023.”

The review of the files was completed on May 17, 2023, and confirmed that names were compromised along with one or more of the following: medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional, date of birth, health insurance information, Social Security Number and/or Driver’s license information. VCI said existing safeguards have been strengthened to further enhance security, and the notification to the California Attorney General indicates California residents at least will be provided with 12 months of complimentary credit monitoring and identity theft protection services.

No mention was made in the notification letters that the BianLian group claimed responsibility for the attack. The group claimed on its data leak site that 200 GB of data was exfiltrated from VCI’s systems. The BianLian group conducts ransomware attacks, although this year it has largely switched to extortion-only attacks.

It is currently unclear how many individuals have been affected.

Ohio Business Associate Suffers Ransomware Attack

In contrast, the notification letters from Marshall Information Services (doing business as Primary Solutions Inc.) provide more information. Primary Solutions, an Ohio-based provider of billing solutions to healthcare organizations, recently notified 7,456 individuals about an August 2022 ransomware attack that prevented access to its systems. The forensic investigation confirmed that the attackers had access to parts of the network that contained documents that included the protected health information of some of its covered entity clients, and those documents may have been accessed or acquired in the attack.

The notices explain that the documents contained first and last names combined with some or all of the following data elements: address, date of birth, Social Security number, health information such as diagnosis, condition, or treatment, medical record number, Medicare or Medicaid number, individual health insurance policy number, and in very limited cases, payment card information.

A third-party vendor was used to review all the affected files to identify the impacted individuals and that review determined on February 22, 2023, that protected health information had been exposed. It is unclear why that process took so long. Each covered entity was then notified, and Primary Solutions said it then worked with those clients to notify the affected individuals. Primary Solutions said complimentary credit monitoring and identity restoration services are being offered through IDX, and it encourages impacted individuals to enroll in these services.

In response to the incident, Primary Solutions has ensured multifactor authentication is implemented for remote access, configurations have been updated to ensure employees must access systems through a virtual private network (VPN) with multifactor authentication, and a new endpoint detection and response (EDR) solution has been implemented.


Doctor Fined for Privacy Violations Following Abortion on 10-Year-Old Rape Victim

Dr. Caitlin Bernard, an Indianapolis, IN-based obstetrician-gynecologist has been fined $3,000 by the Medical Licensing Board of Indiana and issued with a letter of reprimand for violating HIPAA and state privacy law after talking to the media about an abortion she provided to a 10-year-old rape victim on July 1, 2022.

Within hours of the Supreme Court’s decision that overturned Roe v Wade and removed the federal right to an abortion, Ohio banned abortions after 6 weeks of pregnancy. Three days later, on June 27, 2022, Dr. Bernard received a call from a child abuse doctor in Ohio about a 10-year-old patient who could not legally have an abortion in Ohio as she was three days past the legal cutoff. The victim then traveled from her home state of Ohio to Indiana to have the procedure performed by Dr. Bernard.

A reporter for the IndyStar overheard a conversation between Dr. Bernard and another doctor at an anti-abortion rally and approached Dr. Bernard and asked for comment. The IndyStar ran a story about the girl and the reduction of access to abortions following the Supreme Court’s decision, and the story rapidly became national news. The case was also referenced on multiple occasions by President Biden. Following the publication of the story, Dr. Bernard provided further statements to the media, was interviewed on national TV networks, and was featured in various media articles, in which Dr. Bernard highlighted the real-world impact of the change to federal law on abortions. In those media interviews, Dr. Bernard confirmed that she had performed an abortion procedure on a 10-year-old patient, but did not disclose the name of the patient.

Shortly after the publication of the IndyStar story, Indiana Attorney General Todd Rokita confirmed in a Fox News interview that Dr. Bernard would be investigated. Rokita filed an administrative complaint with the Medical Licensing Board of Indiana alleging Dr. Bernard had violated HIPAA and state law by failing to get written authorization to release patient information, and that Dr. Bernard had failed to immediately report suspected child abuse to local law enforcement in Indianapolis or the Indiana Department of Children Services. Rokita claimed that Dr. Bernard learned about possible child abuse on June 27, 2022, in a telephone call, yet failed to report it until July 2, 2022, the day after the procedure was performed. As such, the child was returned to the custody of the alleged rapist, where she remained until July 6, 2022. Law enforcement later confirmed, with a 99.99% probability, that the rapist was the child’s biological father, who was charged with two counts of rape in July 2022.

In a Medical Licensing Board hearing on Thursday, Dr. Bernard’s attorney explained that Dr. Bernard told an IU Health social worker about the case on the same day she received the initial call about the patient, and that discussion was in line with IU Health’s policies. She also confirmed that the abuse was reported on an Indiana state form and that the abuse had already been reported in Ohio where the abuse took place. The IU Health social worker testified that she reported the abuse in Ohio per IU Health policies, as that was where the abuse occurred. Dr. Bernard also confirmed with child protection staffers in Ohio that it was safe for the child to leave with her mother and testified that she did not violate state or federal privacy laws as she did not disclose any identifying information about the patient.

At the hearing, Deputy Attorney General Cory Voight asked Dr. Bernard why she had disclosed information about a real patient, rather than providing a hypothetical situation in her media interviews. “I think that it’s incredibly important for people to understand the real-world impacts of the laws of this country about abortion,” said Dr. Bernard in response. “I think it’s important for people to know what patients will have to go through because of legislation that is being passed, and a hypothetical does not make that impact.”

Andrew Mahler, a former official at the HHS’ Office for Civil Rights, was an expert witness for the state and testified that the disclosures made by Dr. Bernard violated HIPAA, as it was certainly possible that the information disclosed by Dr. Bernard – age, state, and gender – would allow the girl to be identified. Paige Jayner, a privacy compliance officer and former OCR auditor, was a witness for the defense and disagreed with Mahler’s view, testifying that the information Dr. Bernard disclosed was not protected health information and that the disclosure was not a HIPAA violation. IU Health agreed and did not believe the HIPAA Rules had been violated. At the hearing, Dr. Bernard defended her right to speak to the media about medical issues when it is in the public interest, and her attorney confirmed that there are no laws that prohibit physicians from speaking with the media.

Dr. John Strobel, President of the Medical Licensing Board, believed Dr. Bernard disclosed too much information to the IndyStar reporter about the pending abortion and said consent should have been obtained before any information was disclosed. The majority decision of the Medical Licensing Board was that the disclosures violated state and federal privacy laws, and Dr. Bernard received a $1,000 fine for each of the three privacy violation counts. The Medical Licensing Board found the state had failed to meet the burden of proof for the other two counts, on reporting the child abuse and on Dr. Bernard being unfit to practice, and therefore did not suspend Dr. Bernard or put her on probation, so she is able to continue to practice in Indiana. Dr. Bernard will be given the right to appeal the decision.


Point32Health Confirms Harvard Pilgrim Health Care Member Data Stolen in Ransomware Attack

In April 2023, Point32Health, the second-largest health insurer in Massachusetts and the parent company of Tufts Health Plan and Harvard Pilgrim Health Care, announced it suffered a ransomware attack that resulted in system outages, including the systems that serviced members, accounts, brokers, and providers. The attack was detected on April 17, and systems were rapidly taken offline to contain the breach, although at the time of the announcement it was unclear to what extent, if any, protected health information had been compromised.

Point32Health has provided an update on the incident and said it is likely that the protected health information of current and former members of Harvard Pilgrim Health Care plans was stolen in the attack. Point32Health said the forensic investigation confirmed that systems were breached on March 28, 2023, and the attackers maintained access to its systems until April 17, 2023, when the security breach was discovered. During that time the attackers exfiltrated files from its systems that contained personal and protected health information such as names, physical addresses, phone numbers, dates of birth, health insurance account information, Social Security numbers, provider taxpayer identification numbers, and clinical information.

Point32Health said some of the affected systems, including those used to service members, brokers, and providers remain offline, including the systems that support Harvard Pilgrim Health Care Commercial and Medicare Advantage Stride℠ plans (HMO)/(HMO-POS). Point32Health is working with third-party cybersecurity experts and expects to bring those systems back online in the coming weeks. “We are currently going through the internal IT and business validations. Once this process is complete, alongside our thorough security screenings, some of our processes will become available in a phased fashion,” said Point32Health Director of Public Relations, Kathleen Makela.

Point32Health said it has reviewed and enhanced its user access protocols, enhanced vulnerability scanning, identified prioritized IT security improvements, implemented a new Endpoint Detection and Response (EDR) security solution, and performed a password reset for all administrative accounts.

Evidence has been found to indicate the protected health information of current and former health plan subscribers and their dependents has been compromised, but no reports have been received to date to indicate any misuse of the affected data; however, as a precaution against identity theft and fraud, affected individuals are being offered complimentary credit monitoring and identity theft protection services.

Point32Health and its subsidiaries serve more than 2 million individuals in New England, but it is unclear how many of those individuals have been affected.


19,000 Amazon PillPack Customer Accounts Compromised

The Amazon-owned online pharmacy, PillPack, has recently started notifying 19,000 customers that some of their protected health information was compromised in a cyberattack in April. Unauthorized customer account activity was detected by PillPack on April 3, 2023, and the investigation revealed customer accounts had been accessed by an unauthorized third party between April 2 and April 6, 2023. The compromised accounts contained names, addresses, phone numbers, and email addresses. Approximately 3,600 of the accounts also included prescription information.

The forensic investigation confirmed that the usernames and passwords used to access the accounts were not stolen from PillPack and had most likely been obtained in a breach at another platform where the same usernames and passwords were used. These credential-stuffing attacks can only occur when usernames and passwords have been used on multiple platforms. PillPack has not identified any misuse of customer data, and the types of information in the accounts are not sufficient to be used for identity theft. However, victims of the breach could be subject to phishing attempts to obtain further information. PillPack confirmed that the breach was limited to PillPack and notification letters have been mailed to affected individuals.
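The pattern described above, in which stolen username/password pairs from another platform are replayed against many accounts at once, has a recognisable shape in authentication logs: a single source tries many distinct usernames in a short window, most attempts fail, and the few successes are the accounts whose owners reused their password. The following is an added detection example written for this article, not PillPack's or Amazon's code; the log lines, IP addresses, usernames and thresholds are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data): timestamp, source IP, username, outcome.
# 203.0.113.7 sprays eight different usernames in a few seconds and succeeds on two of them;
# the other two sources are ordinary single-user logins.
SAMPLE_LOG = """\
2023-04-02T01:00:01Z 203.0.113.7 alice@example.com FAIL
2023-04-02T01:00:02Z 203.0.113.7 bob@example.com FAIL
2023-04-02T01:00:02Z 203.0.113.7 carol@example.com OK
2023-04-02T01:00:03Z 203.0.113.7 dave@example.com FAIL
2023-04-02T01:00:04Z 203.0.113.7 erin@example.com FAIL
2023-04-02T01:00:05Z 203.0.113.7 frank@example.com FAIL
2023-04-02T01:00:06Z 203.0.113.7 grace@example.com OK
2023-04-02T01:00:07Z 203.0.113.7 heidi@example.com FAIL
2023-04-02T09:15:00Z 198.51.100.20 carol@example.com OK
2023-04-02T09:16:00Z 198.51.100.20 carol@example.com OK
2023-04-02T10:00:00Z 198.51.100.21 alice@example.com FAIL
2023-04-02T10:00:30Z 198.51.100.21 alice@example.com OK
"""


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    src_ip: str
    user: str
    success: bool


def parse_log(text: str) -> list[LoginEvent]:
    """Parse the whitespace-separated log format used in SAMPLE_LOG (an assumed format)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append(LoginEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome == "OK"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=10), min_users=5, max_success_rate=0.5):
    """Return {src_ip: stats} for sources that, within any sliding `window`, attempted at least
    `min_users` distinct usernames with a success rate at or below `max_success_rate`.
    The low success rate is what separates credential stuffing from a shared NAT gateway
    where many real users log in successfully."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            # Advance the window start so that evs[start:end+1] spans at most `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            span = evs[start:end + 1]
            users = {e.user for e in span}
            if len(users) < min_users:
                continue
            successes = sum(e.success for e in span)
            rate = successes / len(span)
            if rate <= max_success_rate:
                prev = flagged.get(ip)
                # Keep the widest window seen for this source.
                if prev is None or len(users) > prev["distinct_users"]:
                    flagged[ip] = {
                        "distinct_users": len(users),
                        "attempts": len(span),
                        "successes": successes,
                        "success_rate": round(rate, 2),
                    }
    return flagged


def accounts_at_risk(events, flagged) -> list[str]:
    """Accounts that had a successful login from a flagged source: these are the users whose
    reused password worked, and the ones to force a reset and notify."""
    return sorted({e.user for e in events if e.success and e.src_ip in flagged})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    sources = find_stuffing_sources(evs)
    for ip, stats in sources.items():
        print(f"stuffing source {ip}: {stats}")
    print("accounts to reset:", accounts_at_risk(evs, sources))
```

The thresholds (five distinct usernames in ten minutes, at most half succeeding) are illustrative starting points; in production they would be tuned against a baseline of the service's own login traffic, and the output would feed a forced password reset plus a notification to the affected account holders rather than only a printout.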

Fertility Specialists Medical Group Cyberattack Impacts 9,400 Patients

Carlsbad, CA-based Fertility Specialists Medical Group (FSMG) has recently discovered unauthorized individuals gained access to its network and potentially obtained the protected health information of 9,437 current and former patients. The network intrusion was detected on March 20, 2023, and a third-party forensic investigation was initiated to determine the nature and scope of the incident. The investigation concluded on April 21, 2023, that an unauthorized individual had access to the network and potentially acquired files containing first and last names, dates of birth, and medical information. Some of the affected individuals also had their Social Security numbers exposed. No reports of misuse of the exposed data had been received at the time of issuing notifications.

FSMG said IT specialists confirmed the security of its systems, and data security measures will be regularly reviewed to prevent similar incidents in the future. Complimentary credit monitoring services and identity theft protection services have been offered to all affected individuals.

Northwest Health – La Porte Impacted by Fortra GoAnywhere Hack

Northwest Health – La Porte in Indiana has recently confirmed that the protected health information of 10,256 patients was compromised in the Clop ransomware group’s series of attacks between January 28, 2023, and January 30, 2023. The threat actors exploited a zero-day vulnerability in Fortra’s GoAnywhere file transfer software and exfiltrated data, which was then used in attempts to extort money from victims.

Fortra has confirmed that unauthorized access is no longer possible, and its file transfer platform has been rebuilt with the vulnerability patched. Affected individuals have been offered ID restoration and credit monitoring services for the period stipulated by state law.

PHI Potentially Compromised in Cyberattack on IMA Financial Group, Inc.

The Wichita, KS-based integrated financial services company, IMA Financial Group, Inc., has confirmed that the protected health information of 2,937 individuals associated with IMA or its clients has potentially been obtained by unauthorized individuals.

Suspicious network activity was detected by IMA on October 19, 2022. Steps were immediately taken to secure its systems and a third-party cybersecurity firm was engaged to investigate the incident. The investigation confirmed that access to IMA data had been gained and information was potentially acquired by unauthorized individuals on October 19, 2023.

The data review concluded on March 10, 2023, that the files potentially obtained in the attack included protected health information such as names, dates of birth, Social Security numbers, driver’s license information, other government identification numbers, health information, and/or claim-related information. Up-to-date contact information then needed to be obtained, and notification letters started to be sent on April 19, 2023.

MU Health Care Discovers Employee HIPAA Violation

Columbia, MO-based MU Health Care has discovered an employee accessed the medical records of 736 patients without any legitimate work reason for doing so. The unauthorized access was discovered in March 2023, and the internal investigation confirmed that patient records were accessed by the employee between July 2021 and March 2023.

The types of information that could have been viewed included names, dates of birth, medical record numbers, and clinical and treatment information, such as diagnoses and procedure information. A spokesperson for MU Health Care said the individual concerned was subject to internal disciplinary procedures and there are no indications that any of the information accessed has been misused or further disclosed. Notification letters are being sent to all affected individuals.


NY AG Fines Medical Management Company $550,000 for Patch Management Failures

A medical management company has been fined $550,000 by the New York Attorney General for failing to prevent a cyberattack that exposed the personal and protected health information of 1.2 million individuals, including 428,000 New Yorkers.

Professional Business Systems Inc, which does business as Practicefirst Medical Management Solutions and PBS Medcode Corp, had its systems hacked in November 2020. The threat actor exfiltrated sensitive data from its systems and then deployed ransomware to encrypt files. As proof of data theft and to pressure Practicefirst into paying the ransom, files were uploaded to the threat actor’s dark web data leak site. The leaked data included screenshots of 13 patients’ protected health information. Practicefirst’s investigation confirmed the threat actor exfiltrated approximately 79,000 files from its systems, which contained names, dates of birth, driver’s license numbers, Social Security numbers, diagnoses, medication information, and financial information.

The investigation conducted by the Office of the New York Attorney General determined that the hacker gained initial access to Practicefirst’s systems by exploiting a critical vulnerability in its firewall. The firewall provider released an updated version of the firewall software in January 2019, but Practicefirst failed to apply the update. Practicefirst did not conduct penetration tests or vulnerability scans, or perform other security tests that would have highlighted the vulnerability before it was exploited. The protected health information stored on its systems was also not encrypted. The New York Attorney General determined that these failures violated state law and the federal Health Insurance Portability and Accountability Act (HIPAA).

Practicefirst agreed to settle the alleged violations of HIPAA and state law. In addition to the financial penalty, Practicefirst has agreed to strengthen its data security practices and will offer affected individuals complimentary credit monitoring services. The data security measures agreed upon as part of the settlement include the development, implementation, and maintenance of a comprehensive information security program, encryption for health information stored on its systems, implementation of a patch management system with timely patching of vulnerabilities, regular vulnerability scans and penetration tests, and updates to its data collection, retention, and disposal practices.

“When a person is seeking medical care, their last concern should be the security of their personal information,” said Attorney General Letitia James. “Each and every company charged with maintaining and handling patient data should take their responsibility to protect personal information, particularly health records, seriously. New Yorkers can trust that when companies fail at their duty, my office will step in to hold them accountable.”


April 2023 Healthcare Data Breach Report

There was a 17.5% month-over-month fall in the number of reported healthcare data breaches with 52 breaches of 500 or more records reported to the HHS’ Office for Civil Rights (OCR) – less than the 12-month average of 58 breaches per month, and one less than in April 2022.

April 2023 Healthcare Data Breaches

One of the largest healthcare data breaches of the year was reported in April, but there was still a significant month-over-month reduction in breached records, which fell by 30.7% to 4,425,891 records. The total is less than the 12-month average of 4.9 million records a month, although more than twice the number of records that were breached in April 2022.

Healthcare records breached in the last 12 months - April 2023

Largest Healthcare Data Breaches Reported in April 2023

As previously mentioned, April saw a major data breach reported that affected 3,037,303 individuals – the third largest breach to be reported by a single HIPAA-covered entity so far this year, and the 19th largest breach to be reported by a single HIPAA-regulated entity to date. The breach occurred at the HIPAA business associate NationsBenefits Holdings and was a data theft and extortion attack by the Clop ransomware group involving the Fortra GoAnywhere MFT solution. Eight of the month’s 21 breaches of 10,000 or more records were due to these Clop attacks, including the top 5 breaches in April. Brightline Inc. was also hit hard by those attacks, which were reported separately for each covered entity client (9 reports). Together, the attacks on Brightline involved the PHI of more than 964,000 individuals.

18 of the 21 breaches of 10,000 or more records were hacking incidents. The remaining three breaches were unauthorized disclosures of protected health information, one due to tracking technologies and the other two due to mailing errors. While ransomware and data theft/extortion attacks dominated the breach reports, phishing, business email compromise, and other email account breaches are common, with 5 of the top 21 breaches involving hacked email accounts. End-user security awareness training is recommended to reduce susceptibility to these attacks and multifactor authentication should be implemented on all email accounts, ideally using phishing-resistant multifactor authentication.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Location of Breached Information | Breach Cause |
| --- | --- | --- | --- | --- | --- |
| NationsBenefits Holdings, LLC | FL | Business Associate | 3,037,303 | Network Server | Hacking and extortion (Fortra GoAnywhere MFT) |
| Brightline, Inc. | CA | Business Associate | 462,241 | Network Server | Hacking and extortion (Fortra GoAnywhere MFT) |
| Brightline, Inc. | CA | Business Associate | 199,000 | Network Server | Hacking and extortion (Fortra GoAnywhere MFT) |
| Brightline, Inc. | CA | Business Associate | 180,694 | Network Server, Other | Hacking and extortion (Fortra GoAnywhere MFT) |
| California Physicians’ Services d/b/a Blue Shield of California | CA | Business Associate | 61,790 | Network Server | Hacking and extortion (Fortra GoAnywhere MFT) |
| MiniMed Distribution Corp. | CA | Healthcare Provider | 58,374 | Network Server | Unauthorized disclosure of PHI to Google and other third parties (Tracking code) |
| Brightline, Inc. | CA | Business Associate | 49,968 | Network Server, Other | Hacking and extortion (Fortra GoAnywhere MFT) |
| United Steelworkers Local 286 | PA | Health Plan | 37,965 | Email | Hacked email account |
| Retina & Vitreous of Texas, PLLC | TX | Healthcare Provider | 35,766 | Network Server | Hacking incident |
| Brightline, Inc. | CA | Business Associate | 31,440 | Network Server | Hacking and extortion (Fortra GoAnywhere MFT) |
| Brightline, Inc. | CA | Business Associate | 21,830 | Network Server | Hacking and extortion (Fortra GoAnywhere MFT) |
| Iowa Department of Health and Human Services – Iowa Medicaid Enterprise (Iowa HHS-IME) | IA | Health Plan | 20,815 | Network Server | Hacking incident at business associate (Independent Living Systems) |
| Lake County Health Department and Community Health Center | IL | Healthcare Provider | 17,000 | Email | Hacked email account |
| Southwest Healthcare Services | ND | Healthcare Provider | 15,996 | Network Server | Hacking incident (data theft confirmed) |
| La Clínica de La Raza, Inc. | CA | Healthcare Provider | 15,316 | Email | Hacked email accounts |
| St. Luke’s Health System, Ltd. | ID | Healthcare Provider | 15,246 | Paper/Films | Mailing error |
| Two Rivers Public Health Department | NE | Healthcare Provider | 15,168 | Email | Hacked email account |
| Robeson Health Care Corporation | NC | Healthcare Provider | 15,045 | Network Server | Malware infection |
| Northeast Behavioral Health Care Consortium | PA | Health Plan | 13,240 | Email | Hacked email account (Phishing) |
| Centers for Medicare & Medicaid Services | MD | Health Plan | 10,011 | Paper/Films | Mailing error at business associate (Palmetto GBA) |
| Modern Cardiology Associates | PR | Healthcare Provider | 10,000 | Network Server | Hacking incident |

Causes of April 2023 Healthcare Data Breaches

Hacking and other IT incidents continue to dominate the breach reports, accounting for 36 of the month’s breaches (69.2%) and the vast majority of the breached records. Across those incidents, 4,077,019 healthcare records were exposed or stolen – 92.1% of the records that were breached in April. The average breach size was 119,914 records and the median breach size was 9,675 records.

April 2023 Healthcare data breach causes

Ransomware attacks continue to be conducted, but there has been a notable shift in tactics, with many ransomware gangs opting for data theft and extortion without encrypting files, as was the case with the attacks conducted by the Clop ransomware group, which exploited a zero-day vulnerability in the Fortra GoAnywhere MFT solution. The BianLian threat group has previously conducted attacks using ransomware, but this year it has primarily been conducting extortion-only attacks, which are quieter and faster. 12 of the month’s breaches (40%) involved hacked email accounts, highlighting the importance of security awareness training and multifactor authentication.

There were 13 unauthorized access/disclosure incidents in April, including a 58K-record incident involving tracking technologies that transferred sensitive data to third parties such as Google, instances of paper records not being secured, and PHI that had been exposed over the Internet. Across those 13 breaches, 105,155 records were impermissibly disclosed. The average breach size was 8,089 records and the median breach size was 1,304 records.

There were two theft incidents involving 3,321 records in total and one improper disposal incident. The improper disposal incident was reported as involving 501 records – a placeholder commonly used to meet the Breach Notification Rule reporting deadline when the total number of individuals affected has yet to be determined. As the chart below shows, the majority of incidents involved ePHI stored on network servers and in email accounts.

Location of PHI in April 2023 healthcare data breaches

Where Did the Breaches Occur?

The raw data on the OCR breach portal shows the reporting entity, which in some cases is a HIPAA-covered entity when the breach actually occurred at a business associate. The breach portal shows 31 data breaches were reported by healthcare providers, 8 by health plans, and 13 by business associates. The charts below are based on where the breach occurred, rather than the entity that reported the data breach, to better reflect the extent to which data breaches are occurring at business associates.

April 2023 healthcare data breaches by HIPAA-regulated entity type

While healthcare providers were the worst affected HIPAA-regulated entity, the majority of the month’s breached records were due to data breaches at business associates.

Records exposed or stolen in April 2023 healthcare data breaches by hipaa-regulated entity type

Geographical Distribution of April 2023 Healthcare Data Breaches

Data breaches of 500 or more records were reported by HIPAA-regulated entities in 25 states and Puerto Rico. California was the worst affected state with 16 breaches, 9 of which were the same incident reported separately for each client by Brightline Inc., which is why the breach count for California was so high this month.

| State | Breaches |
| --- | --- |
| California | 16 |
| Florida | 4 |
| New York & Pennsylvania | 3 |
| Illinois, Kentucky, Ohio, & Texas | 2 |
| Alabama, Arizona, Idaho, Iowa, Indiana, Maryland, Michigan, Minnesota, Nebraska, North Carolina, North Dakota, Oregon, Utah, Virginia, Washington, West Virginia, Wisconsin & Puerto Rico | 1 |

HIPAA Enforcement Activity in April 2023

No HIPAA enforcement actions were announced by OCR or state attorneys general in April 2023 to resolve violations of HIPAA and state laws, and no Health Breach Notification Rule enforcement actions were announced by the Federal Trade Commission.

The post April 2023 Healthcare Data Breach Report appeared first on HIPAA Journal.

5 Healthcare Providers Suffer PHI Breaches

The Edinburg, TX-based internal medicine specialists, ASAS Health, have recently notified 25,527 individuals about a hacking incident that exposed some of their sensitive protected health information. Suspicious network activity was detected on March 9, 2023, and immediate action was taken to secure the network. A forensic investigation confirmed that hackers had access to parts of its network that contained patient information. The breach notifications do not disclose the nature of the incident or for how long the hackers had access to its systems.

ASAS Health said it was not possible to definitively determine if patient data was accessed or stolen, but data may have been compromised. The review of the affected files confirmed they contained information such as names, dates of birth, addresses, phone numbers, email addresses, driver’s license numbers, Social Security numbers, diagnoses, disability codes, Medicare ID numbers, and health plan carrier information.

The breach report that was sent to the Maine Attorney General indicates credit monitoring services have been offered. Affected individuals have also been advised to monitor their accounts and report any suspicious activity, and to be wary of phishing attempts and emails and documents allegedly sent from ASAS Health. ASAS Health said it will continue to refine its security protocols and maintain a robust information security program.

Methodist Family Health Affected by Data Breach at Business Associate

Little Rock, AR-based Methodist Family Health has confirmed that patient data was exposed in a security breach at one of its business associates. The business associate was used to provide pharmacy services and was provided with patient data to perform the contracted duties. The business associate detected a security breach on March 6, 2023, and the investigation confirmed its systems were accessed on March 4, 2023.

Methodist Family Health has confirmed that the unauthorized access has been blocked and additional security measures have been deployed to prevent similar incidents in the future. The compromised documents contained information such as names, addresses, birth dates, admission/treatment dates, account numbers, diagnoses, service charges, and medication information. The breach has recently been reported to the HHS’ Office for Civil Rights as affecting 5,259 individuals.

People Incorporated of Sequoyah County Suffers Ransomware Attack

People Incorporated of Sequoyah County (People Inc), a Sallisaw, OK-based provider of behavioral health, addiction recovery, and anger management services, has discovered an unauthorized third party gained access to the sensitive data of 8,725 current and former patients in a recent ransomware attack.

The incident was detected by People Inc on March 6, 2023, and the forensic investigation confirmed that an unauthorized individual had access to certain systems between March 2 and March 6, 2023, during which time files containing patient data were exfiltrated. The files contained names, Social Security numbers, care plans, scheduling information, and billing information.

Notification letters have recently been mailed and affected individuals have been offered complimentary credit monitoring and identity theft protection services. People Inc said it has strengthened system security to prevent similar incidents in the future.

Email Account Breach at Lake County Health Department and Community Health Center

Lake County Health Department and Community Health Center in Illinois has notified 1,700 patients that some of their personal and health information has potentially been compromised due to an email security breach. The security incident was detected on March 6, 2023, and the investigation confirmed that an email account had been accessed by an unauthorized individual.

A third-party digital forensics firm was engaged to investigate the incident and found no evidence of data transfers from the email account; however, unauthorized access to patient information could not be ruled out. The review of the account revealed the email account contained partially de-identified PHI concerning Lake County residents who may have had a communicable disease or a disease that was part of a cluster or outbreak that was investigated by the health department between April 23, 2012, and March 6, 2023.

The exposed information included one or more of the following: names, addresses, zip codes, dates of birth, gender, phone numbers, email addresses, medical record numbers, diagnoses or conditions, lab results, and other treatment information. Additional email security safeguards have now been implemented and further cybersecurity training has been provided to the workforce.

Oyate Health Center Notifies Patients About Impermissible PHI Disclosure

Oyate Health Center in South Dakota has discovered an unintended impermissible disclosure of the protected health information of 575 patients. The information related to pharmacy visits between August 31, 2021, and September 8, 2021.

When Oyate Health Center moved to a new clinic location, boxes of surplus supplies were donated to community organizations. On March 7, 2023, one of those organizations opened one of the boxes and found a weekly pharmacy visit report, which was a list of patients with their chart number, date of visit, and a diagnosis code related to the prescription they were filling. The list was seen by two people at the non-profit organization, and the list was then locked in a secure location until it could be collected.

Under HIPAA, this is classed as an impermissible disclosure. Oyate Health Center said it has no reason to believe the list was viewed by anyone else and does not believe the information has been misused. In response to the incident, new internal controls, policies, and procedures have been implemented and the affected individuals have been notified.


Oklahoma Institute of Allergy Asthma and Immunology Halts Operations After Cyberattack

The Oklahoma Institute of Allergy Asthma and Immunology was forced to cease trading while it recovered from a cyberattack, with patients forced to wait to receive medical care or seek treatment at other facilities. The asthma and allergy clinic has been closed for at least two weeks as a result of the attack, but the closure appears to be temporary. The clinic furloughed staff while systems were shut down and efforts are being made to restore systems. The closure was necessary as the clinic was unable to access patient records. The clinic has yet to upload a breach notification to its website or report the breach to regulators, so the extent to which patient data has been compromised is not yet known.

Larger healthcare providers may temporarily divert ambulances and cancel some appointments following a ransomware attack, but they do not typically halt operations; smaller healthcare providers may be left with little alternative. Recently, Murfreesboro Medical Clinic & SurgiCenter in Tennessee halted operations for two weeks while recovering from a cyberattack, and a 2022 survey indicated 25% of healthcare organizations would be forced to temporarily halt operations in the event of a ransomware attack.

Uintah Basin Healthcare Hacking Incident Affects Almost 104,000 Patients

The Roosevelt, UT-based health system, Uintah Basin Healthcare, has discovered hackers gained access to its network and may have viewed or obtained the protected health information of 103,974 patients. Suspicious network activity was detected on November 7, 2022, and its digital environment was immediately secured. Third-party cybersecurity experts were engaged to investigate the breach and determined on or around April 7, 2023, that patient data was potentially accessed. The breach notification letter does not state when access to the network was first gained.

The review of the affected files confirmed they contained a range of PHI, which varied from individual to individual. That information related to patients who had received healthcare services between March 2012 and November 2022. The information exposed included names, addresses, dates of birth, Social Security numbers, health insurance information, diagnoses/conditions, medications, test results, and procedure information. The notification process was completed on April 10, 2023.

Complimentary credit monitoring and identity protection services have been offered to affected individuals, and security has been improved to prevent similar incidents in the future, including the deployment of the SentinelOne endpoint detection and response tool, which includes 24/7 monitoring.

Asian Health Services Reports Email Account Breach

Asian Health Services in Oakland, CA, has recently alerted patients about a data security incident involving an employee’s email account. Suspicious activity was detected in the account on February 13, 2023. The account was immediately secured to prevent further unauthorized access and a forensic investigation was conducted to determine the extent of the incident. The email account was determined to have been compromised between February 7, 2023, and February 13, 2023, and the review of emails and attachments confirmed they contained names, medical record numbers, dates of birth, phone numbers, and health information such as diagnoses.

Asian Health Services did not find any evidence to indicate patient data had been compromised but the possibility could not be ruled out. Affected individuals have been offered complimentary credit monitoring, fraud assistance, and remediation services for 12 months. Asian Health Services said a third-party cybersecurity firm has confirmed that the email account can no longer be accessed, and additional email safeguards have been implemented to provide an additional layer of protection.

New Mexico Department of Health Reports Impermissible Disclosure of PHI

The New Mexico Department of Health has recently confirmed there has been an impermissible disclosure of the protected health information of 49,000 deceased patients to a journalist. The journalist requested information subject to the Inspection of Public Records Act and was sent a spreadsheet that included all deaths in New Mexico from January 2020 to December 2021. It was later discovered that the spreadsheet contained protected health information that should not have been disclosed. The Department of Health said the spreadsheet did not contain names, birthdates, addresses, or contact information.
