HIPAA Breach News

Debt Collection Agency Data Breach Affects Many Healthcare Providers

R&B Corporation of Virginia, doing business as Credit Control Corporation (CCC), has recently reported a data breach to the Maine Attorney General that has affected 286,699 individuals. CCC is a debt collection agency and business associate of many hospitals and doctor’s offices. The Newport News, VA-based debt collection agency said it detected suspicious activity within its computer systems on March 7, 2023. Its IT systems were immediately isolated, and a forensic investigation was conducted to determine the nature and scope of the activity. On or around March 14, 2023, CCC determined that unauthorized individuals had accessed its systems and copied files that contained sensitive data. The intrusion was determined to have occurred from March 2, 2023, to March 7, 2023.

An initial review of the compromised files was completed on May 3, 2023, which confirmed that the files contained information such as names, addresses, and Social Security numbers. Affected individuals were notified by mail on May 15, 2023. Complimentary credit monitoring services have been offered to affected individuals. CCC said it regularly reviews its data security policies, procedures, and practices and will continue to do so, has augmented its security safeguards to better protect patient data, and has increased the frequency of employee training on the importance of safeguarding data.

Healthcare providers known to have been affected by the breach include:

  • Atlantic Orthopaedic Specialists
  • Bayview Physicians Group
  • Chesapeake Radiology
  • Chesapeake Regional Medical Center
  • Children’s Hospital of the King’s Daughters Health System and its Affiliates
  • Children’s Specialty Group
  • Dominion Pathology Laboratories
  • Emergency Physicians of Tidewater
  • Mary Washington Healthcare
  • Medical Center Radiology
  • Pariser Dermatology Specialists, Inc
  • Riverside Health System
  • Sentara Health System
  • Tidewater Physicians Multispecialty Group
  • UVA Health System
  • Valley Health System
  • VCU Health System

The post Debt Collection Agency Data Breach Affects Many Healthcare Providers appeared first on HIPAA Journal.

NextGen Healthcare Facing Multiple Class Action Data Breach Lawsuits

A healthcare data breach of 1 million+ records is certain to result in multiple lawsuits, and the data breach experienced by NextGen Healthcare is no exception. The data breach was only disclosed by NextGen on May 5, but at least a dozen lawsuits have already been filed in federal court in Georgia over the breach.

The data breach was the result of a hacking incident involving stolen credentials, which allowed unauthorized individuals to access a database that contained sensitive patient data such as names, addresses, dates of birth, and Social Security numbers. The investigation determined that the credentials used by the hackers had been obtained from other sources and did not appear to have been stolen from NextGen. NextGen detected the breach on March 30, 2023, and the forensic investigation confirmed that the hackers had access to its network between March 29, 2023, and April 14, 2023. This was the second data breach reported by NextGen this year; the earlier incident was a BlackCat ransomware attack. NextGen told the Maine Attorney General that 1,049,375 individuals had been affected, and complimentary credit monitoring services have been offered to them.

The lawsuits were all filed in the United States District Court for the Northern District of Georgia, Atlanta Division, and make similar allegations – that NextGen was negligent in failing to safeguard the sensitive data of patients. The lawsuits claim NextGen was, or should have been, aware of the high risk of data breaches, as federal agencies have issued multiple warnings about cybersecurity threats targeting the healthcare sector and healthcare data breaches have been extensively reported in the media. Further, NextGen had suffered a ransomware attack just a few weeks earlier and should have known that its security needed to be improved.

The lawsuits also take issue with the length of time it took to contain the breach (the hackers retained access for two weeks after the intrusion was detected), the time taken to issue notification letters to affected individuals, and the failure to disclose sufficient facts about the data breach in those letters to allow the victims to determine the level of risk they face. The lawsuits allege the victims of the breach have already suffered harm and will continue to do so, and face a continuing risk of identity theft and fraud for years to come. The lawsuits seek class action status, a jury trial, damages, legal costs, and injunctive relief, including an order from the court prohibiting NextGen from engaging in unlawful practices and requiring improvements to its data security practices.

Almost 6 Million Individuals Affected by PharMerica Data Breach

In April 2023, the Money Message ransomware group announced it had breached the systems of PharMerica and its parent company, BrightSpring Health Services, and added both to its data leak site. The group claimed to have exfiltrated databases containing 4.7 TB of data, including the records of more than 2 million individuals. PharMerica has now confirmed the extent of the data breach.

PharMerica is one of the largest providers of pharmacy services in the United States, operating more than 2,500 facilities and over 3,100 pharmacy and healthcare programs. PharMerica and BrightSpring have now completed their investigation, confirmed that sensitive patient information was accessed without authorization, and reported the data breach to the Maine Attorney General as affecting 5,815,591 individuals. That makes it the largest healthcare data breach reported by a single HIPAA-covered entity so far in 2023.

PharMerica explained in its notification letters that suspicious activity was detected within its computer network on March 14, 2023. The network was isolated, and an investigation was conducted to determine the nature and scope of the intrusion. Assisted by third-party cybersecurity experts, PharMerica determined that “an unknown third party” accessed its computer systems between March 12 and March 13, 2023, and that personal information may have been obtained from its systems during that time frame.

By March 21, 2023, PharMerica had determined that the compromised information included names, addresses, birth dates, Social Security numbers, medication information, and health insurance information. PharMerica made no mention of a ransomware attack or of any publication of data online, but did state that “we have no reason to believe that anyone’s information has been misused for the purpose of committing fraud or identity theft.”

Affected individuals have been notified and offered complimentary credit monitoring and identity theft protection services for 12 months. Patients, and the executors of deceased patients’ estates, have been advised to contact any one of the three national credit reporting agencies; for a deceased patient, the credit file can be marked ‘deceased – do not issue credit’, or the agency can add a notation so that a designated person (such as a family member or next of kin) and/or law enforcement is notified if an application for credit is made. PharMerica says it has implemented additional technical cybersecurity safeguards to prevent similar incidents in the future.

EyeMed Vision Care Settles Multistate Data Breach Investigation for $2.5 Million

In June 2020, the Luxottica Group-owned vision insurance company EyeMed Vision Care experienced a data breach involving the protected health information (PHI) of 2.1 million individuals. An unauthorized individual gained access to an employee email account that contained approximately six years of personal and medical information, including names, contact information, dates of birth, Social Security numbers, vision insurance account/identification numbers, medical diagnoses and conditions, and treatment information. The unauthorized third party then used the email account to send around 2,000 phishing emails.

State attorneys general have the authority to investigate data breaches and can fine organizations for HIPAA violations. A multi-state investigation was launched by state attorneys general in Oregon, New Jersey, and Florida into the EyeMed data breach, and Pennsylvania later joined the multistate action. The state attorneys general sought to establish whether the data breach was preventable and if it was the result of a failure to comply with the HIPAA Security Rule and state data protection laws.

The investigation identified data security failures that violated HIPAA and state laws. Under HIPAA and state data protection laws, entities that collect, maintain, or handle sensitive personal and medical information are required to implement administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of that information, yet those safeguards were found to be lacking at EyeMed. The investigation revealed a failure to ensure all individuals with access to protected health information had a unique login and password. Several EyeMed employees were found to be sharing a single password for an email account that was used to communicate sensitive information, including PHI related to vision benefits enrollment and coverage.

Under the terms of the settlement, EyeMed agreed to pay a financial penalty of $2.5 million which will be shared between Oregon, New Jersey, Florida, and Pennsylvania. The settlement also requires EyeMed to ensure compliance with state consumer protection acts, state personal information protection acts, and HIPAA law, and ensure EyeMed does not misrepresent the extent to which it maintains and protects the privacy, security, or confidentiality of consumer information.

The data security requirements of the settlement include the development, implementation, and maintenance of a written information security program; maintenance of reasonable policies and procedures governing the collection, use, and retention of patient information; and maintenance of appropriate controls to manage access to all accounts that receive and transmit sensitive information. “New Jerseyans trusted EyeMed with their vision care and their personal information only to have that trust broken by the company’s poor security measures,” said Attorney General Platkin, who co-led the investigation. “This is more than just a monetary settlement, it’s about changing companies’ behavior to better protect crucial patient data.”

The Office of the New York Attorney General also investigated EyeMed over the data breach and entered into a separate settlement agreement last year, which required EyeMed to pay a $600,000 penalty. In October 2022, a $4.5 million settlement was agreed between EyeMed and the New York Department of Financial Services (NYDFS) to resolve alleged violations of the NYDFS (Part 500) cybersecurity regulations. The security failures included a failure to limit user access privileges (nine employees shared the login for a single email account), a partial rollout of multifactor authentication, risk assessment failures, the lack of a sufficient data minimization strategy, and inaccurate certifications of compliance with Part 500 for four years. The settlements with NYDFS and the New York Attorney General also had data security requirements, including the implementation and maintenance of a comprehensive information security program, encryption of data, multi-factor authentication for all administrative and remote access accounts, and penetration testing.
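The condition the attorneys general and NYDFS found – one email account used by several employees under a shared password – leaves a recognizable trace in sign-in logs: a single account authenticating from several distinct devices within a short window, which one person does not normally do. The Python example below is an added illustration of how a security team can hunt for that pattern; it is not part of the settlements or of the investigators' method. The log format and field names, the one-hour window, the three-device threshold, and the sign-in lines themselves are assumptions constructed for this example and contain no real EyeMed data.

```python
"""Flag accounts whose sign-in pattern looks like one password shared by several people.

Added example; not from the EyeMed settlements. Log format, window, threshold and
the sample records are assumptions constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed sign-in records: <ISO-8601 UTC timestamp> <account> <source IP> <device id>
SAMPLE_LOG = """\
2023-05-01T08:02:11Z benefits-inbox@example.com 203.0.113.10 WIN-A1
2023-05-01T08:05:40Z benefits-inbox@example.com 203.0.113.22 WIN-B7
2023-05-01T08:09:03Z benefits-inbox@example.com 198.51.100.7  MAC-C3
2023-05-01T08:15:27Z benefits-inbox@example.com 203.0.113.10 WIN-A1
2023-05-01T09:30:00Z jdoe@example.com           203.0.113.10 WIN-A1
2023-05-01T12:45:10Z jdoe@example.com           198.51.100.9 IOS-D2
2023-05-01T13:00:00Z asmith@example.com         203.0.113.31 WIN-E5
"""


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    account: str
    src_ip: str
    device: str


def parse_log(text: str) -> List[SignIn]:
    """Parse whitespace-separated sign-in lines; blank lines and '#' comments are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ts, account, src_ip, device = line.split()
        # datetime.fromisoformat() only accepts a trailing 'Z' from Python 3.11 on
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(SignIn(when, account, src_ip, device))
    return events


def find_shared_accounts(
    events: List[SignIn],
    window: timedelta = timedelta(minutes=60),
    min_devices: int = 3,
) -> Dict[str, Set[str]]:
    """Return {account: devices} for every account seen from at least
    `min_devices` distinct devices inside some sliding window of length `window`.

    One person moving from a laptop to a phone over a day stays below the
    threshold; several people opening one mailbox at the start of a shift do not.
    """
    by_account: Dict[str, List[SignIn]] = defaultdict(list)
    for e in events:
        by_account[e.account].append(e)

    findings: Dict[str, Set[str]] = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            # advance the window start until it spans at most `window`
            while evs[end].ts - evs[start].ts > window:
                start += 1
            devices = {e.device for e in evs[start:end + 1]}
            if len(devices) >= min_devices:
                findings[account] = findings.get(account, set()) | devices
    return findings


if __name__ == "__main__":
    for account, devices in find_shared_accounts(parse_log(SAMPLE_LOG)).items():
        print(f"{account}: {len(devices)} devices within one hour -> {sorted(devices)}")
```

With the constructed records, only the shared benefits mailbox is flagged (three devices in seven minutes); the individual user seen on a laptop in the morning and a phone at lunchtime is not. Thresholds need tuning per environment, and legitimate shared mailboxes will surface too, which is the point: the lasting fix the settlement describes is unique logins per person with delegated access to the mailbox, not a single password passed around.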

HIPAA compliance investigations by state attorneys general are independent of the HHS’ Office for Civil Rights (OCR), which may also choose to impose civil monetary penalties for HIPAA violations. No penalty has been announced by OCR as of May 2023 and the incident is marked as closed on the OCR breach portal.

OCR Fines Arkansas Business Associate $350,000 for Impermissibly Disclosing ePHI

The HHS’ Office for Civil Rights (OCR) has agreed to settle a HIPAA investigation of an Arkansas business associate that impermissibly disclosed the electronic protected health information (ePHI) of more than 230,000 individuals after failing to secure a File Transfer Protocol (FTP) server. MedEvolve, Inc. is a Little Rock, AR-based HIPAA business associate that provides practice management, revenue cycle management, and practice analytics software to HIPAA-regulated entities. The nature of MedEvolve’s business means it has access to ePHI from its HIPAA-regulated entity clients. Under HIPAA, MedEvolve is required to ensure that information is safeguarded at all times.

In July 2018, MedEvolve informed OCR that an error had been made configuring an FTP server. MedEvolve’s investigation revealed the server contained the ePHI of 230,572 individuals, which could be freely accessed over the Internet without authentication. The breach affected two HIPAA-regulated entities: Premier Immediate Medical Care, LLC (204,607 individuals) and Dr. Beverly Held (25,965 individuals). The exposed information included names, billing addresses, telephone numbers, health insurer information, doctor’s office account numbers, and, for some individuals, Social Security numbers.
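The exposure described above is one an external check catches in seconds: an FTP server that completes a login for the anonymous identity is readable by anyone who finds it. The Python script below is an added illustration of that check; it is not MedEvolve’s code and is not drawn from the OCR resolution agreement. The target host and port, the probe password, and the loopback stub server it is exercised against are assumptions made for this example; in practice the probe is pointed at an organization’s own Internet-facing FTP hosts.

```python
"""Probe an FTP server for anonymous (unauthenticated) login.

Added example, not MedEvolve's code or OCR material. The host, port, probe
password and the stub server are assumptions; the stub exists only so the
probe can be run offline against a known-open and a known-closed target.
"""
import ftplib
import socket
import threading

# Identities that a misconfigured FTP daemon commonly accepts without a real password.
ANON_USERS = ("anonymous", "ftp")
PROBE_PASSWORD = "probe@example.com"  # conventional anonymous "password"; constructed value


def ftp_allows_anonymous(host: str, port: int = 21, timeout: float = 5.0) -> bool:
    """Return True if the server completes a login for any anonymous identity.

    Each identity gets a fresh control connection so a 530 on one attempt
    cannot leave the session in an odd state for the next.
    """
    for user in ANON_USERS:
        try:
            with ftplib.FTP() as ftp:
                ftp.connect(host, port, timeout=timeout)
                ftp.login(user, PROBE_PASSWORD)  # raises error_perm on a 5xx reply
                return True
        except ftplib.error_perm:
            continue  # this identity was rejected; try the next one
        except (OSError, EOFError, ftplib.Error):
            return False  # unreachable, not FTP, or protocol error: no evidence of exposure
    return False


class StubFtpServer(threading.Thread):
    """Control-channel-only FTP stub (constructed for this example).

    It speaks just enough of RFC 959 (220/331/230/530/221 replies) for
    ftplib to complete or fail a login; there is no data channel.
    """

    def __init__(self, allow_anonymous: bool):
        super().__init__(daemon=True)
        self.allow_anonymous = allow_anonymous
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.bind(("127.0.0.1", 0))  # ephemeral loopback port
        self.listener.listen(5)
        self.port = self.listener.getsockname()[1]
        self.start()

    def run(self):
        while True:
            try:
                conn, _ = self.listener.accept()
            except OSError:
                return
            threading.Thread(target=self._serve, args=(conn,), daemon=True).start()

    def _serve(self, conn):
        user = None
        with conn:
            conn.sendall(b"220 stub ftpd ready\r\n")
            for raw in conn.makefile("rb"):
                cmd, _, arg = raw.decode("ascii", "replace").strip().partition(" ")
                cmd = cmd.upper()
                if cmd == "USER":
                    user = arg.lower()
                    conn.sendall(b"331 Password required\r\n")
                elif cmd == "PASS":
                    if self.allow_anonymous and user in ANON_USERS:
                        conn.sendall(b"230 Login successful\r\n")
                    else:
                        conn.sendall(b"530 Login incorrect\r\n")
                elif cmd == "QUIT":
                    conn.sendall(b"221 Goodbye\r\n")
                    return
                else:
                    conn.sendall(b"502 Command not implemented\r\n")


if __name__ == "__main__":
    exposed = StubFtpServer(allow_anonymous=True)
    locked = StubFtpServer(allow_anonymous=False)
    print("open stub  :", ftp_allows_anonymous("127.0.0.1", exposed.port))  # True
    print("locked stub:", ftp_allows_anonymous("127.0.0.1", locked.port))   # False
```

A True result means anyone on the Internet can log in and, subject only to directory permissions, read whatever the server holds. The probe tests anonymous identities only; it says nothing about weak or default passwords, and it should be re-run after the server is reconfigured to require authenticated users (or replaced with SFTP/FTPS) to confirm the exposure is closed.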

OCR launched an investigation and identified three potential violations of the HIPAA Rules: An impermissible disclosure of the ePHI of 230,572 individuals – 45 C.F.R. § 164.502(a); a failure to enter into a business associate agreement with a subcontractor – 45 C.F.R. § 164.502(e)(1)(ii); and an insufficiently thorough and accurate assessment of potential risks to the confidentiality, integrity, and availability of ePHI – 45 C.F.R. § 164.308(a)(1)(ii)(A).

MedEvolve chose to settle the case with no admission of liability or wrongdoing and paid a financial penalty of $350,000. The settlement also includes a corrective action plan that requires MedEvolve to conduct accurate and thorough risk assessments, implement risk management plans to address identified risks, develop, implement, and maintain policies and procedures to comply with the HIPAA Privacy and Security Rules, and improve its workforce HIPAA and security training program.

“Ensuring that security measures are in place to protect electronic protected health information where it is stored is an integral part of cybersecurity and the protection of patient privacy,” said OCR Director Melanie Fontes Rainer. “HIPAA-regulated entities must ensure that they are not leaving patient health information unsecured on network servers available to the public via the Internet.”

This is the fourth HIPAA penalty to be imposed by OCR this year and follows a $15,000 settlement with David Mente, MA, LPC, and a $16,500 settlement with Life Hope Labs, LLC, to resolve HIPAA Right of Access violations, and a $1,250,000 settlement with Banner Health to resolve multiple HIPAA Security Rule violations.

Maxim HealthCare Services Proposes Settlement to Resolve Email Breach Lawsuit

A settlement has been proposed by Maxim HealthCare Services to resolve all claims related to a 2020 cyberattack and data breach involving unauthorized access to multiple employee email accounts. The email accounts were compromised between October 1, 2020, and December 4, 2020, but the unauthorized access was not discovered until November 2021.

The review of the email accounts confirmed they contained protected health information such as names, addresses, dates of birth, phone numbers, provider names, medical histories, medical conditions, treatment information, medical record numbers, diagnosis codes, patient account numbers, Medicare/Medicaid numbers, usernames/passwords, and some Social Security numbers. The breach was reported to the HHS’ Office for Civil Rights as affecting 65,267 patients.

A lawsuit – Wilson, et al. v. Maxim Healthcare Services Inc. – was filed in response to the data breach in the Superior Court of the State of California, County of San Diego, alleging that Maxim HealthCare Services failed to implement appropriate security measures to prevent unauthorized access to patient data. Maxim HealthCare Services chose to settle the lawsuit to avoid further legal costs and the uncertainty of trial. Maxim HealthCare Services denies all claims made in the lawsuit and maintains there was no wrongdoing. The proposed settlement applies to all individuals who were notified that they had been affected by the breach and had their protected health information exposed.

Under the terms of the settlement, claims will be accepted up to a maximum of $5,000 for each class member for reimbursement of extraordinary expenses incurred as a result of the data breach, including up to three hours of lost time at $20 per hour. Individuals who were California residents between October 1, 2020, and December 4, 2020, are entitled to receive a flat monetary benefit of approximately $100, which can be combined with claims for reimbursement of extraordinary expenses. All class members will be entitled to receive 12 months of free identity theft protection services, regardless of whether they submit a claim.

The deadline for exclusion from and objection to the proposed settlement is June 23, 2023. The deadline for submitting claims is July 24, 2023. The final approval hearing has been scheduled for July 28, 2023. Maxim HealthCare Services has implemented or will implement additional security measures to prevent similar incidents in the future.

SuperCare Proposes $2.25 Million Settlement to Resolve Data Breach Lawsuit

The Californian home care service provider, SuperCare, has proposed a $2.25 million settlement to resolve a class action lawsuit filed in response to a 2021 hacking incident in which the protected health information of 318,379 patients was compromised.

SuperCare detected a network intrusion on July 27, 2021, and the subsequent forensic investigation determined hackers had access to its network from July 23, 2021, to July 27, 2021; however, it took until February 4, 2022, to determine that patient information had been compromised. Files on the compromised parts of the network contained names, addresses, dates of birth, hospital or medical group, patient account numbers, medical record numbers, health insurance information, test results, diagnoses, treatment information, other health-related information, and claims information, and, for some individuals, Social Security numbers and driver’s license numbers. Affected individuals were notified on March 25, 2022, 8 months after the breach was detected.

A lawsuit was filed against SuperCare shortly after the data breach was announced that accused SuperCare of violations of California’s Confidentiality of Medical Information Act, the Federal Trade Commission (FTC) Act, and the Health Insurance Portability and Accountability Act (HIPAA) due to the failure to implement reasonable and appropriate cybersecurity measures to protect against a known risk of cyberattacks and data breaches, and the failure to issue timely notifications about the data breach. Further, when notifications were finally sent, the content of those notifications was lacking key information about the data breach, and no explanation was provided as to why it took so long for the notifications to be issued. The lawsuit also claimed affected individuals were not provided with adequate credit monitoring services or other remedies to reduce the risk of misuse of their sensitive data.

Under the terms of the proposed settlement, two tiers of benefits are being offered. Claims can be submitted for tier 1 benefits which include a cash payment of $100. The second tier allows claims up to a maximum of $2,500 to cover out-of-pocket expenses incurred as a result of the data breach, along with up to 4 hours of lost time at $25 per hour. All class members are entitled to claim one year of three-bureau credit monitoring services, which includes a $1 million identity theft insurance policy.

The deadline for exclusion from or objection to the settlement is June 5, 2023. Claims must be submitted by July 5, 2023, and the final approval hearing for the settlement has been scheduled for August 28, 2023.

Data Breaches Reported by University Urology and McPherson Hospital

University Urology – Hacking Incident

University Urology in New York City has started notifying 56,816 individuals that unauthorized individuals gained access to some of its systems and potentially obtained their personal and health information. Suspicious activity was detected within its computer systems on February 1, 2023, and third-party cybersecurity experts were engaged to conduct a forensic analysis of the incident to determine the nature and scope of the attack. The investigation concluded on March 3, 2023, that files within its network were accessed. A manual review of those files was conducted and concluded on March 30, 2023. Contact information was then verified, and notification letters were sent on May 1, 2023.

The types of information that were exposed varied from individual to individual and may have included first and last name, date of birth, address, medical condition, medical treatment, test results, prescription information, health insurance information, subscriber ID number, health plan beneficiary number, billing/invoice information, and username/email address plus passwords/security questions and answers that would allow account access.

University Urology said SentinelOne agents were deployed for 30 days, which allowed the cybersecurity firm to monitor its environment for malicious activity and indicators of compromise. It has now been confirmed that all methods of persistence, unauthorized remote access tools, and malicious files have been removed from its systems, and additional security measures have now been implemented.

While there have been no reported cases of actual or attempted misuse of the exposed data, complimentary credit monitoring and identity theft protection services have been offered to affected individuals for 12 or 24 months.

McPherson Hospital – Ransomware Attack

McPherson Hospital in Kansas has recently issued notification letters to 19,020 patients to alert them about a July 2022 ransomware attack. According to the breach notifications, third-party cybersecurity experts were engaged to investigate the data breach to determine the extent of the unauthorized activity and help with securing its systems. The internal investigation concluded on March 15, 2023, that patient data may have been acquired, including names, dates of birth, Social Security numbers, medical treatment information, billing information, and health insurance information. Notification letters were sent in early May, almost 10 months after the attack.

Affected individuals have been offered complimentary single-bureau credit monitoring services. McPherson Hospital said its technical safeguards have been reviewed and enhanced to prevent similar incidents in the future.

Catholic Health – Unauthorized Access by Employee of Business Associate

Catholic Health in New York has recently announced that the protected health information of some of its long-term care residents has been exposed in a security breach at one of its business associates, Minimum Data Set Consultants (MDS). MDS launched an investigation into a potential data breach in March 2023 after discovering suspicious system activity.

The investigation confirmed that an unauthorized individual accessed patient data on or around August 27, 2022, including names, birthdates, Social Security and Medicare numbers, and diagnosis information. The unauthorized access was traced to a former employee, who MDS has confirmed no longer has access to the system. The matter has been reported to law enforcement, which has launched an investigation. While patient data is not believed to have been accessed with a view to committing identity theft or fraud, affected individuals have been told to monitor their accounts for suspicious activity.

It is currently unclear how many patients have been affected.