HIPAA Breach News

Ransomware Attacks Reported by Foursquare Healthcare and Hi-School Pharmacy

Posted by Steve Alder

Foursquare Healthcare Ltd, a Rockwall, TX-based operator of short-term rehabilitation, skilled nursing, and long-term nursing care facilities has recently confirmed it experienced a ransomware attack in September. The ransomware attack was detected on September 27, 2023, and the forensic investigation confirmed the attackers accessed its network between September 27, 2023, and September 29, 2023, and acquired certain files that contained employee and patient information. The information in the files varied from individual to individual and included names along with one or more of the following: address, billing information, Social Security number, banking information, and clinical information regarding care received at its clinics.

The attack did not cause any material disruption to Foursquare care or services and no evidence has been found to indicate that any of the stolen data has been misused for identity theft or fraud. Foursquare said it has received assurances that all of the stolen data has been deleted. That usually, but not always, means the ransom was paid. Foursquare said it believes the incident has been contained and it will continue to monitor its systems for unauthorized activity.

The breach has recently been reported to the HHS’ Office for Civil Rights as involving the protected health information of 10,890 patients. Foursquare has offered the affected individuals two years of complimentary credit monitoring and identity theft protection services and while assurances were provided that the stolen data has been deleted, Foursquare encourages the affected patients and employees to be vigilant against identity theft and fraud.

Hi-School Pharmacy Suffers Ransomware Attack

The Vancouver, WA-based drug store chain, Hi-School Pharmacy, has recently notified the Maine Attorney General about a data breach that has affected 17,676 individuals. On November 3, 2023, Hi-School Pharmacy experienced a cyberattack that caused network disruption. The forensic investigation confirmed on November 21, 2023, that the attackers had access to parts of the network that contained protected health information including names and Social Security numbers. Notification letters were sent to the affected individuals on November 5, 2023. Credit monitoring and identity theft protection services have been offered to the affected individuals.

The post Ransomware Attacks Reported by Foursquare Healthcare and Hi-School Pharmacy appeared first on HIPAA Journal.

9 Prime Healthcare Hospitals Affected by MOVEit Data Breach

Posted by Steve Alder

Ontario, CA-based Prime Healthcare has been affected by a data breach at its revenue cycle management vendor, CBIZ KA. The vendor used Progress Software’s MOVEit Transfer solution, a zero-day vulnerability in which was exploited by the Clop hacking group in late May 2023. Prime Healthcare received a copy of the stolen files from CBIZ KA on September 20, 2023, and has confirmed that they contained names in combination with one or more of the following: date of birth, address, medical record number, Social Security Number, admission date, and discharge date.

Prime Healthcare operates 45 hospitals, although only 9 were affected: Saint Clare’s Hospital, Saint Michael’s Medical Center, and St. Mary’s General Hospital in New Jersey, Roxborough Memorial Hospital, Lower Bucks Hospital, and Suburban Community Hospital in Pennsylvania, Garden City Hospital and Lake Huron Medical Center in Michigan, and Landmark Medical Center in Rhode Island. Individuals whose Social Security numbers were involved have been offered complimentary credit monitoring and identity protection services.

PHI Compromised in Cyberattack on Sierra County, CA

Sierra County in California experienced a “sophisticated cyberattack” on or around February 21, 2023. Sierra County detected the breach on March 5, 2023, secured its systems to prevent further unauthorized access, and engaged third-party cybersecurity experts to investigate the breach. The investigation revealed the attackers had access to parts of the network that contained information such as names, addresses, dates of birth, email addresses, phone numbers, Social Security numbers, driver’s license or government ID numbers, medical/prescription or health insurance related information, drug or alcohol screening results, credit or debit card numbers, biometric data, or financial account/routing numbers. No evidence has been found that indicates actual or attempted misuse of the impacted data. The Department of Public Health and Department of Behavioral Health confirmed that the protected health information of 2,463 individuals was exposed and potentially stolen in the attack.

Email Account Breach Reported by Advarra, Inc.

Advarra, Inc., a Columbia, MD-based provider of integrated research compliance solutions, has discovered unauthorized access to an employee email account. The email account breach was detected on October 26, 2023, and the account was immediately disabled. The forensic investigation confirmed that the breach was limited to a single account, with the unauthorized access commencing on October 25, 2023. The attacker copied information from the account that included names and Social Security numbers. The breach was recently reported to the Maine Attorney General as affecting 1,782 individuals. No evidence of misuse of the stolen data has been identified; however, as a precaution, affected individuals have been offered complimentary credit monitoring services for 24 months and those individuals are being encouraged to take advantage of those services.

The post 9 Prime Healthcare Hospitals Affected by MOVEit Data Breach appeared first on HIPAA Journal.

OCR Imposes First HIPAA Penalty for a Phishing Attack

Posted by Steve Alder

The HHS’ Office for Civil Rights (OCR) has agreed to settle a landmark cyber investigation and has imposed its first financial penalty under the Health Insurance Portability and Accountability Act (HIPAA) for a phishing attack. Lafourche Medical Group, a Louisiana-based medical group specializing in emergency medicine, occupational medicine, and laboratory testing, reported a data breach to OCR on May 28, 2021, involving the protected health information (PHI) of up to 34,862 individuals.

According to the breach notification, a hacker gained access to the email account of one of its owners on March 30, 2021, following a response to a phishing email that spoofed one of the medical group’s owners. The threat actor gained access to the Microsoft 365 environment, which contained patient data. Lafourche Medical Group said that because of the size of the email system, it was not possible to determine all patient information that had been exposed so notification letters were mailed to all patients. The exposed data included names, addresses, dates of birth, dates of service, e-mail addresses, telephone numbers, medical record numbers, insurance and health plan beneficiary numbers, guarantor names, diagnoses, treating practitioner names, and lab test results.

OCR launched an investigation into the incident to determine whether a failure to comply with the HIPAA Rules led to or contributed to the security breach. OCR’s investigators discovered Lafourche Medical Group had not conducted a security risk analysis prior to the phishing attack. The HIPAA Security Rule – 45 C.F.R. § 164.308(a)(1)(ii)(A) – requires covered entities and business associates to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of protected health information. OCR also determined that Lafourche Medical Group had not implemented procedures to regularly review records of information system activity prior to the phishing attack. This is also a required implementation specification of the HIPAA Security Rule – 45 C.F.R. § 164.308(a)(1)(ii)(D).

Lafourche Medical Group agreed to settle the investigation with no admission of liability or wrongdoing. In addition to paying a sizeable financial penalty, Lafourche Medical Group has agreed to implement a robust corrective action plan (CAP) which includes establishing and implementing security measures to reduce security risks and vulnerabilities to ePHI, developing, maintaining, and revising written policies and procedures as necessary to comply with the HIPAA Rules, and providing HIPAA training to all staff members who have access to PHI. OCR will also monitor Lafourche Medical Group for two years to ensure compliance with the HIPAA Rules.

“Phishing is the most common way that hackers gain access to health care systems to steal sensitive data and health information,” said OCR Director Melanie Fontes Rainer. “It is imperative that the health care industry be vigilant in protecting its systems and sensitive medical records, which includes regular training of staff and consistently monitoring and managing system risk to prevent these attacks. We all have a role to play in keeping our health care system safe and taking preventive steps against phishing attacks.”

This is the 12th HIPAA violation penalty imposed by OCR in 2023 and the second-largest of the year. So far this year, OCR has imposed HIPAA penalties totaling $4,016,500

 

The post OCR Imposes First HIPAA Penalty for a Phishing Attack appeared first on HIPAA Journal.

CarePointe ENT Settles HIPAA Lawsuit with Indiana Attorney General

Posted by Steve Alder

In late September 2023, Indiana Attorney General Todd Rokita filed a lawsuit against CarePointe ENT over a ransomware attack and data breach that affected 48,742 individuals. A settlement has been reached that will see CarePointe pay $125,000 to resolve alleged violations of the Health Insurance Portability and Accountability (HIPAA) Act and state data privacy and security laws.

CarePointe ENT operates three ear, nose, throat, sinus, and hearing centers in Merrillville, Munster & Hobart in Northwest Indiana. On June 25, 2021, CarePointe ENT experienced a ransomware attack which resulted in files being encrypted and data being exfiltrated. The stolen data included names, addresses, dates of birth, Social Security numbers, medical insurance information, and health information. Affected individuals were notified about the data breach in August 2021.

AG Rokita launched an investigation into the attack to determine if CarePointe ENT had complied with its obligations under HIPAA and state laws. Despite claiming that it was committed to safeguarding patient information, CarePointe ENT was determined to have failed to implement appropriate security policies, conduct appropriate risk analyses, and address known security risks in a reasonable amount of time.

CarePointe ENT hired a third-party IT vendor that conducted a HIPAA risk analysis and identified security concerns in January 2021. The vendor was hired in March to address the identified vulnerabilities, but they were not fixed in a reasonable time frame. In June 2021, some of the unaddressed vulnerabilities were exploited in a ransomware attack. In addition to the failure to address known security issues, CarePointe ENT failed to enter into a business associate agreement with the vendor, even though the vendor was provided with access to systems containing protected health information.

AG Rokita’s lawsuit alleged one count of a failure to comply with the HIPAA Privacy Rule, one count of failing to comply with the HIPAA Security Rule, one count of failing to comply with the Indiana Disclosure of Security Breach Act (DSBA), and one count of failing to comply with the Indiana Deceptive Consumer Sales Act (DCSA). CarePointe ENT chose to settle the alleged violations of HIPAA and state laws with no admission of wrongdoing. Under the terms of the settlement, a financial penalty of $125,000 will be paid to the state and CarePointe ENT has agreed to ensure full compliance with the HIPAA Privacy and Security Rules and the DCSA and DSBA with respect to the safeguarding of personal information (PI), protected health information (PHI), and electronic protected health information (ePHI). CarePointe ENT has also agreed not to make misrepresentations about the extent to which it ensures the privacy, security, confidentiality, and integrity of PI, PHI, and ePHI.

The settlement agreement includes a comprehensive list of privacy and security measures. These include implementing a comprehensive information security program, appointing a HIPAA Security Officer to oversee that program, implementing technical safeguards and controls to ensure the privacy and security of patient data, developing an incident response plan and testing that plan through table-top exercises, developing policies and procedures regarding business associate agreements, and providing privacy and security training to all members of the workforce with access to PI, PHI, or ePHI,

The post CarePointe ENT Settles HIPAA Lawsuit with Indiana Attorney General appeared first on HIPAA Journal.

Proliance Surgeons Sued Over Ransomware Attack and Data Breach

Posted by Steve Alder

A class action lawsuit has been filed against Proliance Surgeons, a Seattle, Washington-based surgery group over a recently disclosed ransomware attack and data breach that has affected almost 437,400 individuals.

The group operates around 100 surgery centers in the state and treats more than 800,000 patients each year. On May 24, 2023, a third-party forensic investigation into a cyberattack confirmed that hackers had access to files containing patient data and that they had removed “a limited number of files” from its network on February 11, 2023.  The data compromised in the attack included names, contact information, Social Security numbers, financial information, treatment information, driver’s license numbers, and usernames and passwords. Notifications were issued on November 21, 2023.

A lawsuit has been filed in federal court in Seattle by plaintiff and former patient, Alicia Berend, and similarly situated individuals whose sensitive information was compromised in the cyberattack. The lawsuit alleges Proliance Surgeons failed to adequately protect patient data as required by federal and state law and in accordance with its internal security policies, and that the data security failures constituted a violation of the Health Insurance Portability and Accountability Act (HIPAA).

The lawsuit also references an earlier security breach where unauthorized individuals had access to its online payment system for seven months between November 2019 and June 2020, allowing access to be gained to names, zip codes, and payment card information. Following that incident Proliance Surgeons said it would be enhancing its security measures to prevent similar incidents in the future. The earlier security breach is not shown on the HHS’ Office for Civil Rights (OCR) website, which indicates either the breach was not reported to OCR, that Proliance Surgeons determined protected health information had not been compromised, or the breach affected fewer than 500 individuals. The lawsuit claims that two major security breaches in a little over 3 years demonstrates a pattern of negligence with respect to data security.

The lawsuit also takes issue with the length of time taken to discover that patient data was involved, which occurred 102 days after the security breach was detected, and Proliance Surgeons then failed to issue notification letters to the affected individuals until November 21, 2023 – 283 days after the data breach occurred. The lawsuit claims that the plaintiff and class were kept in the dark about the breach, thus depriving them of the opportunity to mitigate their injuries in a timely manner.

The lawsuit claims the plaintiff and class have suffered widespread injury and monetary damages, and that the plaintiff has already suffered from identity theft and fraud. She has received emails indicating someone has used her identity for various out-of-state activities, including inquiries into properties in Florida, and has also received an increased number of spam messages and phone calls and now fears for her personal and financial security. The plaintiff claims that she has suffered anxiety, sleep disruption, stress, fear, and frustration and that these injuries go far beyond mere worry or inconvenience.

The lawsuit alleges negligence, breach of implied contract, breach of fiduciary duty, invasion of privacy, unjust enrichment, and violations of the Washington Consumer Protection Act, Washington Data Breach Disclosure Law, and Washington Uniform Health Care Information Act (UHCIA). The lawsuit seeks class action certification, a jury trial, compensatory, exemplary, punitive, and statutory damages, and attorneys’ fees and legal costs.

The plaintiff and class are represented by Samuel J. Strauss of the law firm, Turke & Strauss LLP.

The post Proliance Surgeons Sued Over Ransomware Attack and Data Breach appeared first on HIPAA Journal.

East River Medical Imaging Cyberattack Affects 606,000 Patients

Posted by Steve Alder

East River Medical Imaging in New York has started notifying 605,809 patients that some of their protected health information has been exposed or stolen in a cyberattack that was detected on September 20, 2023. The network was immediately taken offline, and a forensic investigation was launched to determine the nature and scope of the incident. The investigation determined there had been unauthorized access to its network between August 31, 2023, and September 20, 2023, and during that time, files containing patient data had been accessed and copied from its network.

The compromised information varied from individual to individual and may have included names, contact information, insurance information, exam and/or procedure information, referring physician names, imaging results, and/or Social Security numbers. Employee data was also compromised, including names, contact information, financial account information, Social Security numbers, and/or driver’s license numbers.

East River Medical Imaging said it has enhanced its network monitoring capabilities and will continue to assess and supplement its security controls. Notification letters started to be mailed to the affected individuals on November 22, 2023. Individuals whose Social Security numbers and/or driver’s license numbers were compromised have been offered complimentary credit monitoring services.

The Fred Hutchinson Cancer Center Suffers Thanksgiving Cyberattack

The Fred Hutchinson Cancer Center in Seattle, WA, has confirmed that it detected unauthorized network activity on its clinical network during Thanksgiving week. An investigation into the unauthorized activity is ongoing and it is not yet clear if any patient data has been compromised. The network was taken offline within 72 hours of the security incident being identified and the clinical network is currently still offline. The MyChart online patient portal and its research network were unaffected. Care continued to be provided to patients and staff are working round the clock to resolve the issue and bring systems back online. No time frame could be provided on how long that process will take.

The Fred Hutchinson Cancer Center was one of several healthcare providers to be attacked at Thanksgiving. Several hospitals operated by Ardent Health Services were affected by a ransomware attack and were forced to cancel appointments and divert ambulances.

1st Source Bank Confirms MOVEit Transfer Hack

1st Source Bank has confirmed that the protected health information of 1,477 individuals was stolen in May 2023 when hackers exploited a zero day vulnerability in Progress Software’s MOVEit Transfer solution. The breach was discovered on June 1, 2023, and the review of the affected files and the collection of information required to issue notifications was completed on or around October 27, 2023. The compromised information includes names and Social Security numbers. Complimentary identity monitoring services have been provided to the affected individuals for 12 months.

The post East River Medical Imaging Cyberattack Affects 606,000 Patients appeared first on HIPAA Journal.

Almost 440,000 Individuals Affected by Cyberattack on Proliance Surgeons

Posted by Steve Alder

Proliance Surgeons, a Seattle, WA-based surgical group that has around 100 locations in Washington state, has notified 437,392 individuals that some of their protected health information may have been stolen in a ransomware attack earlier this year. The breach notice on the website of Proliance Surgeons states that a forensic investigation was conducted by third party cybersecurity experts which confirmed that some files had been removed from its network before files were encrypted.

On May 24, 2023, it was confirmed that files containing patients’ protected health information may have been accessed or acquired on February 11, 2023. At the time it was unclear exactly how many individuals had been affected. A comprehensive review was conducted of all files potentially accessed or acquired in the attack, which confirmed they contained names in combination with one or more of the following: date of birth, Social Security number, medical treatment information, health insurance information, phone number, email address, financial account number, driver license or other identification information, and usernames and passwords.

Proliance Surgeons said immediate action was taken to protect patients’ private information and cybersecurity protocols have since been enhanced. There is no mention of credit monitoring or identity theft protection services. At least one lawsuit has already been filed against Proliance Surgeons in response to the breach.

Medical College of Wisconsin Says 240,000 Individuals Affected by MOVEIt Transfer Hack

The Medical College of Wisconsin (MCW) has confirmed that the protected health information of 240,667 individuals was stolen by the Clop hacking group, which exploited a zero day vulnerability in Progress Software’s MOVEit Transfer solution.  MCW was contacted on May 31 by Progress Software and implemented the patch and recommended mitigation measures but discovered the vulnerability had already been exploited on or around May 27, 2023.

The forensic investigation and document review was completed on or around September 21, 2023, and confirmed that the stolen data included full names, dates of birth, Social Security numbers, driver’s license/government identification numbers, financial account information, medical record/patient account number(s), medical diagnosis/treatment information, medical provider name(s), lab results, prescription information, and health insurance information.

Notification letters started to be mailed to the affected individuals on November 14, 2023. Individuals who had their Social Security numbers stolen have been offered complimentary credit monitoring and identity theft protection services.

Data Stolen in Ransomware Attack on Rock County, Wisconsin

Legal Counsel for Rock County in Wisconsin has issued notification letters about a cyberattack and data breach that affected 25,823 individuals. According to the notification letters, suspicious activity was detected within its computer systems on or around September 29, 2023. The forensic investigation confirmed that unauthorized individuals had access to its network between September 22, 2023, to September 30, 2023, and during that time, acquired certain files from its network.

A review of the affected files was initiated to determine the individuals affected and the types of data stolen in the attack. That review is ongoing, but it has been confirmed that the data impacted included names and Social Security numbers. Complimentary credit monitoring services have been offered to the affected individuals.

The nature of the attack was not disclosed, other than the attack involving data theft. The HIPAA Journal has confirmed that this was a ransomware attack by the Cuba ransomware group, which has listed Rock County on its data leak site. Victims are therefore strongly advised to take advantage of the credit monitoring services being offered.

The post Almost 440,000 Individuals Affected by Cyberattack on Proliance Surgeons appeared first on HIPAA Journal.

State of Maine Reports 450,000-Record Data Breach

Posted by Steve Alder

The State of Maine has confirmed that the protected health information of 453,894 individuals was stolen in the recent mass hacking of a zero-day vulnerability in Progress Software’s MoveIT Transfer solution. Progress Software released a patch to fix the vulnerability on May 31, 2023; however, the vulnerability had already been exploited. The State of Maine’s investigation confirmed that the vulnerability had been exploited between May 28, 2023, and May 29, 2023, and sensitive data had been stolen by the Clop hacking group.

The breach was limited to its MOVEit server, and no other systems were compromised. The Clop hacking group claimed they were only interested in hacking businesses and said they would delete all data stolen from governments; however, the State of Maine is urging all affected individuals to ignore those claims and take steps to protect themselves against fraud. The individuals affected may have been Maine residents, employees, or could have received services from or interacted with a state agency. Maine also participates in data sharing agreements with other organizations to enhance the services it offers to residents and the public.

The data exposed would depend on the interactions with state agencies. All affected individuals who had their Social Security numbers or taxpayer identification numbers stolen have been offered two years of complimentary credit monitoring and identity protection services.

Affinity Legacy Inc. Affected by MOVEit Hack

Affinity Legacy Inc., formerly known as Affinity Health Plan, Inc., has confirmed that it was affected by the recent MOVEit Transfer hacks. The breach occurred at one of its business associates, which provided claims processing services, and used the software solution for file transfers.

The vulnerability was exploited between May 30 and June 2, 2023, and on June 21, 2023, the vendor determined that certain files had been downloaded by the attackers that contained the protected health information of 5,538 individuals who were either Affinity Health Plan members prior to 2019, or EmblemHealth Medicare Advantage Plan members after 2019. The stolen data included names, mailing addresses, dates of birth, Social Security numbers, Medicare numbers and/or medical diagnosis codes. Complimentary personal identity and privacy protection services have been offered to the affected individuals.

The Charles Lea Center Suffers Ransomware Attack

The Charles Lea Center, a non-profit organization in Spartanburg County, SC, has recently notified 1,250 individuals that some of their personal information was compromised in a June 2023 ransomware attack. The incident was detected on June 19, 2023, when a portion of its network was encrypted. A ransom demand was issued, and the threat actor claimed to have exfiltrated a limited number of files from its systems.

While the forensic investigation could not determine the specific types of information that had been compromised, the file review confirmed on October 2, 2023, that the exposed files contained names, Social Security numbers, dates of birth, and some medical treatment information. The Charles Lea Center has offered the affected individuals complimentary credit monitoring services and has advised them to monitor their financial account statements regularly for signs of fraud. The Charles Lea Center said it had taken steps to ensure the privacy of data before the attack and will be augmenting those measures to further enhance security.

Detroit Chassis Health Plan Member Data Exposed

Detroit Chassis in Michigan, a provider of niche vehicle manufacturing solutions, was the victim of a sophisticated cyberattack that occurred on or around March 12, 2023. When the attack was detected, immediate action was taken to secure its systems and third-party cybersecurity experts were engaged to investigate. The investigation confirmed that the attackers had access to parts of its network that contained the data of 958 members of its health plan which was stored on an email server that was in the process of being decommissioned.

Detroit Chassis said, “While we believe there is a reasonable basis to conclude this information was not subject to unauthorized acquisition, we were unable to rule it out.” The server contained information such as names, addresses, dates of birth, Social Security numbers, driver’s licenses, financial account information, passport numbers, credit card numbers, state identification numbers, usernames and access information for non-financial accounts, medical information, health insurance numbers and information related to its employee prescription benefits plan.

Medical Records Stolen in Lakeview Healthcare System Break-in

Lakeview Healthcare System, a central Florida health system, had a break-in at its Fern Drive location in Leesburg on September 29, 2023.  The break-in occurred around 5 a.m. and the intruder stole three password-protected mobile devices and medical records that contained the protected health information of patients. The paper records included information such as names, addresses, diagnosis and treatment information, and billing information.

Lakeview Healthcare System said it has engaged in extensive remediation efforts to minimize the risk of similar incidents in the future, has reviewed its security policies and procedures, and has re-educated the workforce on data security and secure document storage. Physical security measures are being assessed at each location, including using more shred bins, upgrading physical locks, and implementing additional access controls to allow for faster and more precise termination of access.

The breach has been reported to the HHS’ Office for Civil Rights as affecting 2,495 individuals.

The post State of Maine Reports 450,000-Record Data Breach appeared first on HIPAA Journal.

Hundreds of Thousands of Blue Shield of California Members Affected by MOVEit Hack

Posted by Steve Alder

California Physicians’ Service, which does business as Blue Shield of California, has confirmed that it has been affected by the mass exploitation of a vulnerability in Progress Software’s MOVEit Transfer file transfer solution. The breach has been reported to the HHS’ Office for Civil Rights in two separate breach reports, one involving the data of 636,848 Blue Shield of California plan members and another that has affected 26,523 Blue Shield of California or Blue Shield of California Promise Health Plan members.

The breach occurred at an unnamed vendor of Blue Shield of California that managed vision benefits. The vendor used the MOVEit Transfer solution to transfer large files as part of its contracted duties. A zero-day vulnerability in the MOVEIt Transfer solution was exploited between May 28, and May 31, 2023, and files were exfiltrated that included members’ names, birthdates, addresses, subscriber ID numbers, subscribers’ names, birthdates, Social Security numbers, group ID numbers, vision providers’ names, patient ID numbers, vision claims numbers, vision-related treatment and diagnosis information, and vision-related treatment cost information. The Clop hacking group claimed responsibility for the hacks.

Blue Shield of California said its own systems were not compromised. The breach was limited to the MOVEit Transfer server. Credit monitoring and identity restoration services have been offered to the affected individuals.

Wyoming County Community Health System Confirms March 2023 Cyberattack

Wyoming County Community Health System in Warsaw, NY, has experienced a cybersecurity incident that has caused network disruption. The security breach was detected on March 28, 2023, and the subsequent forensic investigation determined that files had been exposed on that date and may have been accessed or acquired by unauthorized individuals. A review was then conducted of the files to determine the individuals and types of data involved, and that process was completed on November 8, 2023. The review confirmed up to 26,000 individuals had been affected and had some or all of the following information exposed: name, Social Security number, driver’s license/state identification number, date of birth, biometric data, medical information, health insurance information, and account number.

Notification letters were sent to the affected individuals on November 16, 2023. Wyoming County Community Health System said it has implemented additional measures to enhance network security and minimize the risk of a similar incident occurring in the future.

Westside Community Services Confirms Cyberattack and Data Theft

The San Francisco, CA-based social services organization, Westside Community Services, has notified 2,484 individuals about a security breach involving unauthorized access to its network between April 25, 2023, and May 1, 2023. Third-party cybersecurity professionals were engaged to conduct a forensic investigation and confirmed that files had been exfiltrated from its network. The document review was completed on October 16, 2023.

The stolen files included full names along with one or more of the following: Social Security numbers, dates of birth, driver’s license numbers or state identification numbers, passport numbers, other government identification numbers, financial account information, credit or debit card information, usernames and passwords associated with one or more online accounts, medical information (date of service, provider name, medical record number, patient number, medical history, surgical information, medication, and/or treatment information), and/or health insurance policy information. Westside Community Services said it continually evaluates and modifies its practices and internal controls to enhance the security and privacy of personal information and will continue to do so.

Unauthorized Email Access Reported by Molina Healthcare of Iowa

Molina Healthcare of Iowa, Inc. says it discovered on November 22, 2023, that there had been unauthorized access to an employee email account between September 25 and 26, 2023. It was not possible to determine if any information in the email account was copied, but the review of the emails confirmed that they contained the protected health information of 1,647 Medicaid recipients. Those individuals have been notified about the breach by mail. Molina Healthcare of Iowa said the breach did not affect any members covered by other managed care organizations.

This is the third incident to affect Molina Healthcare of Iowa members this year. On May 31, 2023, Amerigroup inadvertently disclosed personal health information for 833 Iowa Medicaid members to 20 providers in explanation of payment notices; and on May 26, 2023, a Medicaid contractor confirmed there had been unauthorized access to its systems on March 6, 2023, which affected 233,000 Medicaid members.

Robeson Health Care Corporation Updates Data Breach Notice

Robeson Health Care Corporation has provided an update on a breach that was previously reported to the Maine Attorney General as affecting 15,045 individuals. The investigation has confirmed that a further 62,627 individuals have been affected. The incident has been previously covered by The HIPAA Journal in this post.

The post Hundreds of Thousands of Blue Shield of California Members Affected by MOVEit Hack appeared first on HIPAA Journal.