HIPAA Breach News

Daviess Community Hospital Investigating Potential Cyberattack

Daviess Community Hospital, an Ascension St. Vincent affiliated hospital in Washington, IN, has recently announced that it has launched an investigation after being notified by the U.S. Department of Homeland Security (DHS) about a possible security breach. According to the DHS, a security issue was identified during routine monitoring which may have been exploited by cyber actors.

Hospital CEO Tracy Conway said all internal systems have been shut down while the incident is investigated by a third-party digital forensics firm. Conway said no evidence has been found to date of unauthorized access to the hospital's network or patient data, and no ransom demand has been received. Taking IT systems offline, including email and the phone lines to outpatient clinics, has caused disruption, and the hospital is effectively operating without its computer systems for the time being. As a result, services have been limited until systems are restored, and some appointments have been cancelled and will have to be rescheduled. The biggest impact is on radiology, as images cannot be sent out to be read. Conway said staff are working around the clock to bring IT systems back online and are prioritizing the radiology and pharmacy interfaces.

Wyoming County Community Health System Reports March 2023 Cyberattack

Wyoming County Community Health System in Warsaw, NY, has recently notified 24,016 patients about a security incident that was detected on March 28, 2023. While not referred to as a ransomware attack, legal counsel for the health system said the attack disrupted its network. The forensic investigation revealed files containing patient information had been exposed and may have been viewed or acquired by unauthorized individuals in the attack.

A review of the files was completed on November 8, 2023, and confirmed they contained information such as names, Social Security numbers, driver’s license or state identification numbers, dates of birth, biometric data, medical information, health insurance information, and account numbers. The health system has implemented additional security measures to prevent similar breaches in the future and has offered affected individuals complimentary credit monitoring and identity theft protection services.

Southland Integrated Services Notifies Patients About October 2023 Cyberattack

Southland Integrated Services (SIS), a Californian community-based non-profit organization that operates a Federally Qualified Health Center, has recently notified certain individuals about the exposure of some of their protected health information. SIS explained in its November 10, 2023, breach notification letters that suspicious activity was detected within its computer systems on October 18, 2023.

The forensic investigation confirmed its systems had been accessed by an unauthorized third party between October 16 and October 18, 2023, and during that time, documents were viewed that contained patient data such as names, addresses, dates of birth, vaccination statuses, Social Security numbers, driver’s license numbers, and/or financial account information. Additional safeguards have been implemented to prevent similar breaches in the future and complimentary credit monitoring and identity theft protection services have been offered to the affected individuals. The incident has been reported to regulators but is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

The post Daviess Community Hospital Investigating Potential Cyberattack appeared first on HIPAA Journal.

St. Joseph’s Medical Center Pays $80,000 HIPAA Fine for PHI Disclosure to a Reporter

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced its 11th HIPAA penalty of 2023. St. Joseph’s Medical Center, a non-profit academic medical center in New York, was investigated over the disclosure of patients’ protected health information (PHI) to a reporter and has paid an $80,000 financial penalty to resolve the alleged HIPAA violations.

The Privacy Rule of the Health Insurance Portability and Accountability Act permits disclosures of PHI for the purposes of treatment, payment, and healthcare operations, but other disclosures of PHI are generally prohibited unless authorization is obtained from the patient. OCR launched an investigation of St. Joseph’s Medical Center on April 20, 2020, following the publication of an article by a reporter from the Associated Press (AP). Based on the information in the article, it appeared that the reporter had been allowed to observe three patients who were being treated for COVID-19.

The article included information about the medical center’s response to the COVID-19 public health emergency and photographs and information about the facility’s patients. The images were distributed nationally, exposing PHI such as patients’ COVID-19 diagnoses, current medical statuses and medical prognoses, vital signs, and treatment plans. OCR’s investigation found evidence to suggest that St. Joseph’s Medical Center had allowed the reporter access to the patients and their clinical information. St. Joseph’s Medical Center had not obtained consent and valid HIPAA authorizations from the patients and the disclosure of PHI was not permitted by the HIPAA Privacy Rule.

St. Joseph’s Medical Center chose to settle the alleged HIPAA violation with OCR with no admission of liability and agreed to adopt a corrective action plan (CAP). The CAP requires St. Joseph’s Medical Center to review and, to the extent necessary, develop, maintain, and revise its written privacy policies and procedures to ensure they are compliant with the HIPAA Privacy Rule, provide those policies and procedures to OCR for review, distribute the updated policies and procedures to members of the workforce, and obtain a signed written or electronic compliance certification from all members of the workforce confirming they have read and understood the new policies and procedures. St. Joseph’s Medical Center will also be monitored by OCR for compliance for 2 years.

“When receiving medical care in hospitals and emergency rooms, patients should not have to worry that providers may disclose their health information to the media without their authorization,” said OCR Director Melanie Fontes Rainer. “Providers must be vigilant about patient privacy and take necessary steps to protect it and follow the law. The Office for Civil Rights will continue to take enforcement actions that put patient privacy first.”

Disclosures of PHI in Response to Media Inquiries

When it comes to disclosures of PHI in response to media inquiries, 45 CFR § 164.510(a) of the HIPAA Privacy Rule permits a covered entity to disclose limited “facility directory” information to people who ask for a patient by name, provided the disclosure is consistent with the patient’s wishes.

Only facility directory information may be disclosed: the patient’s name, the patient’s location within the facility (provided the location does not reveal information about the patient’s treatment, e.g., labor & delivery), and the patient’s condition in general terms (e.g., stable, fair, or critical). All other disclosures of PHI to the media can only be made if a HIPAA-compliant authorization is obtained from the patient in advance.


October 2023 Healthcare Data Breach Report

For the second consecutive month, the number of reported data breaches of 500 or more healthcare records has fallen, with October seeing the joint-lowest number of reported data breaches this year. After the 29.4% fall in reported data breaches from August to September, there was a further 16.7% reduction, with 40 data breaches reported by HIPAA-regulated entities in October. This is the opposite of the trend observed in 2022, when data breaches increased from 49 in August 2022 to 71 in October 2022. October’s total of 40 breaches is well below the 12-month average of 54 breaches per month (median: 52 breaches).

Figure: Healthcare data breaches of 500+ records per month, 12-month trend (October 2023 report)

For the third consecutive month, the number of breached healthcare records has fallen, from more than 18 million records in July 2023 to 3,569,881 records in October, a month-over-month decrease of 52.76%. October’s total is well below the 12-month average of 7,644,509 breached records a month (median: 5,951,455 records). While this is certainly good news, it should be noted that 2023 has been a particularly bad year for healthcare data breaches. Between January 1, 2023, and October 31, 2023, more than 82.6 million healthcare records were exposed or impermissibly disclosed, compared to 45 million records in the whole of 2021 and 51.9 million records in the whole of 2022. As of November 17, 2023, more than 100 million records have been breached this year.

Figure: Breached healthcare records per month, 12-month trend (October 2023 report)

Largest Healthcare Data Breaches Reported in October 2023

14 breaches of 10,000 or more records were reported in October, the largest of which occurred at Postmeds Inc., the parent company of Truepill, a provider of a business-to-business pharmacy platform that uses APIs for order fulfillment and delivery services for direct-to-consumer brands. Victims of the breach face a lower risk of identity theft than in many breaches, since no Social Security numbers were compromised, but they do face an increased risk of phishing and social engineering attacks using the stolen data. As is now common in breach notifications, little information about the incident has been disclosed, other than that it was a hacking incident involving unauthorized access to the company’s network between August 30 and September 1, 2023. The Postmeds data breach was the 21st data breach of 1 million or more records to be reported this year.

Even though the Clop hacking group’s mass exploitation of the zero-day vulnerability in Progress Software’s MOVEit Transfer solution occurred in late May, healthcare organizations are still reporting MOVEit data breaches. More than 2,300 organizations are now known to have been affected, and more than 60 million records were stolen in the attacks.

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach
Postmeds, Inc. (TruePill) | CA | Healthcare Provider | 2,364,359 | Hacking incident (details not disclosed)
Western Washington Medical Group | MS | Healthcare Provider | 350,863 | Hacking incident (details not disclosed)
Greater Rochester Independent Practice Association, Inc. | NY | Healthcare Provider | 279,156 | Hacking incident (details not disclosed)
Radius Global Solutions | PA | Business Associate | 135,742 | Hacking incident (MOVEit Transfer vulnerability exploited)
Dakota Eye Institute | ND | Healthcare Provider | 107,143 | Hacking incident (details not disclosed)
Walmart, Inc. Associates Health and Welfare Plan | AR | Health Plan | 85,952 | Hacking incident (details not disclosed)
Westat, Inc. | MD | Business Associate | 50,065 | Hacking incident (MOVEit Transfer vulnerability exploited)
Brooklyn Premier Orthopedics | NY | Healthcare Provider | 48,459 | Hacking incident (details not disclosed)
PeakMed | CO | Healthcare Provider | 27,800 | Hacking incident (compromised credentials)
Hospital & Medical Foundation of Paris, Inc | IL | Healthcare Provider | 16,598 | Hacking incident (details not disclosed)
Fredericksburg Foot & Ankle Center, PLC | VA | Healthcare Provider | 14,912 | Hacking incident (details not disclosed)
Cadence Bank | MS | Business Associate | 13,862 | Hacking incident (MOVEit Transfer vulnerability exploited)
Peerstar LLC | PA | Healthcare Provider | 11,438 | Hacking incident (details not disclosed)
Atlas Healthcare CT | CT | Healthcare Provider | 10,831 | Hacking incident (details not disclosed)

October 2023 Data Breach Causes and Data Locations

As has been the case throughout 2023, hacking was the most common cause of data breaches in October, accounting for 77.5% of the month’s data breaches (31 incidents) and 99.13% of the breached records (3,538,726 records). The average data breach size in hacking incidents was 114,152 records and the median data breach size was 4,049 records.

In many cases the exact nature of these incidents has not been publicly disclosed, so it is not possible to determine the extent to which ransomware attacks, phishing attacks, and vulnerability exploits are occurring. The exception is the mass exploitation of the zero-day vulnerability in MOVEit Transfer, which is a relatively safe disclosure from a legal standpoint, as organizations cannot reasonably be expected to have patched a vulnerability that was unknown even to the company that developed the software. While withholding details is undoubtedly intended to reduce legal risk, victims who are given insufficient information cannot accurately gauge the level of risk they face.

There were 8 data breaches classified as unauthorized access/disclosure incidents, across which 30,555 records were impermissibly accessed by or disclosed to unauthorized individuals. The average data breach size was 3,819 records and the median breach size was 2,111 records. There was one reported incident involving the theft of a desktop computer, which contained the unencrypted protected health information of 600 individuals, and no incidents involving the loss or improper disposal of PHI.

Figure: Causes of healthcare data breaches, October 2023

The most common location of breached PHI was network servers, which is unsurprising given the large number of hacking incidents. 8 data breaches involved compromised email accounts.

Figure: Location of breached PHI, October 2023

Where did the Data Breaches Occur?

The raw data from the OCR data breach portal shows healthcare providers were the worst affected entity in October, with 25 reported data breaches. There were 11 data breaches reported by business associates and 4 breaches reported by health plans. These figures do not tell the full story, as the reporting entity may not be the entity that suffered the data breach. Many data breaches occur at business associates of HIPAA-covered entities but are reported to OCR by the covered entity rather than the business associate. To better reflect this and to avoid the underrepresentation of business associates in the healthcare data breach statistics, the charts below show where the data breaches occurred rather than the entity that reported the data breach.

Figure: Data breaches by type of HIPAA-regulated entity where the breach occurred, October 2023

Figure: Breached records by type of HIPAA-regulated entity where the breach occurred, October 2023

Geographical Distribution of Healthcare Data Breaches

HIPAA-regulated entities in 23 states reported data breaches of 500 or more records in October. Texas was the worst affected state with 5 large data breaches followed by Mississippi with 4.

State | Breaches
Texas | 5
Mississippi | 4
Illinois, New York & Pennsylvania | 3 each
California, Colorado, Florida & Georgia | 2 each
Arkansas, Connecticut, Delaware, Iowa, Louisiana, Maryland, Massachusetts, Michigan, Minnesota, New Jersey, North Dakota, Oklahoma, Oregon & Virginia | 1 each

HIPAA Enforcement Activity in October 2023

In October, the HHS’ Office for Civil Rights (OCR) announced its 10th HIPAA compliance enforcement action of the year. Doctors’ Management Services, a Massachusetts-based medical management company that offers services such as medical billing and payor credentialing, opted to settle an OCR investigation of a data breach. In April 2017, a threat actor accessed its network via Remote Desktop Protocol and gained access to the protected health information of 206,695 individuals.

OCR determined there had been a risk analysis failure, a failure to review records of system activity, and a failure to implement reasonable and appropriate policies and procedures to comply with the HIPAA Security Rule. Those failures resulted in an impermissible disclosure of the PHI of 206,695 individuals. Doctors’ Management Services paid a financial penalty of $100,000 and agreed to a corrective action plan to address the HIPAA compliance issues discovered by OCR.

State Attorneys General also have the authority to investigate HIPAA-regulated entities and impose financial penalties for HIPAA violations, although they often choose to impose penalties for equivalent violations of state laws. Three settlements were agreed in October with HIPAA-regulated entities to resolve allegations of data security and breach notification failures.

Blackbaud, a Delaware corporation headquartered in Charleston, South Carolina that provides donor relationship management software, chose to settle alleged violations of the HIPAA Security Rule, HIPAA Breach Notification Rule, and state consumer protection laws with 49 states and the District of Columbia and paid a $49.5 million penalty and agreed to make substantial data security improvements. Blackbaud suffered a ransomware attack in May 2020, which exposed the protected health information of 5,500,000 individuals. The multi-state investigation identified a lack of appropriate safeguards to ensure data security and breach response failures.

Inmediata, a Puerto Rico-based healthcare clearinghouse, settled a multi-state data breach investigation involving more than 35 state attorneys general. A server had been left unsecured, which allowed sensitive data to be indexed by search engines and found by anyone with Internet access. The protected health information of 1,565,338 individuals was exposed. The multi-state investigation identified a failure to implement reasonable and appropriate security measures, as required by the HIPAA Security Rule, a failure to conduct a secure code review, and violations of the HIPAA Breach Notification Rule and state breach notification laws for failing to provide timely and complete information to victims of the breach. The investigation was settled for $1.4 million, and Inmediata agreed to make improvements to its information security program and strengthen its data breach notification practices.

Personal Touch Holding Corp, a home health company that does business as Personal Touch Home Care, opted to settle an investigation by the Office of the New York Attorney General into a breach of the protected health information of 753,107 individuals, including 316,845 New York residents. An employee responded to a phishing email which resulted in malware being installed. The threat actor exfiltrated data and then used ransomware to encrypt files. The New York Attorney General alleged Personal Touch only had an informal information security program, insufficient access controls, no continuous monitoring system, a lack of encryption, and inadequate staff training. Personal Touch paid a $350,000 financial penalty and agreed to make improvements to its information security and training programs.

The data for this report was obtained from the U.S. Department of Health and Human Services’ Office for Civil Rights on November 11, 2023.


Healthcare Data Breach Round-Up: November 16, 2023

Medical Eye Services (CA), Prospect Medical Services (CA), McAlester Regional Health Center (OK), PeakMed (CO), Catholic Charities of Long Island (NY), & The Endocrine and Psychiatry Center (TX) have recently notified patients that their personal and health information has been exposed.

Medical Eye Services Says PHI of 370,000 Patients Stolen in MOVEit Transfer Hack

California-based Medical Eye Services, Inc. has recently confirmed that the protected health information of 346,828 individuals was stolen from the MOVEit Transfer server used by the vision benefits management provider, MESVision, between May 28, 2023, and May 31, 2023. A zero-day vulnerability was exploited by the Clop cyber threat group as part of a series of attacks on more than 2,300 organizations globally.

MESVision discovered it had been affected on August 23, 2023, and has since rebuilt its MOVEit server and implemented additional technical safeguards to prevent further breaches. The stolen data included names, dates of birth, Social Security numbers, subscriber/member IDs, policy numbers, group numbers, and claim numbers. Affected individuals have been offered complimentary credit monitoring and identity theft protection services through Kroll.

109,728 Connecticut Residents Impacted by Ransomware Attack on Prospect Medical Services

Between July 31, 2023, and August 1, 2023, the Rhysida ransomware group gained access to the network of Los Angeles, CA-based Prospect Medical Holdings. The breach was detected by Prospect Medical on August 1, 2023, and the breach was reported to the HHS’ Office for Civil Rights on September 29, 2023, as affecting 342,376 individuals, and individual notification letters were mailed the same day.

On November 13, 2023, additional notification letters were sent to 109,728 patients of the Eastern Connecticut Health Network (ECHN) Medical Group. The affected individuals had received healthcare services at Manchester Memorial Hospital, Rockville General Hospital, or Waterbury Hospital. Prospect Medical said the compromised information included names, addresses, dates of birth, diagnosis, lab results, medications, and other treatment information, and for some individuals, Social Security numbers and/or driver’s license numbers. Individuals who had their Social Security numbers or driver’s license numbers exposed have been offered 2 years of complimentary credit monitoring and identity theft protection services.

McAlester Regional Health Center Cyberattack Affects 38,000 Patients

McAlester Regional Health Center in Oklahoma has recently notified 37,731 patients about a security incident that was detected on May 8, 2023. Immediate action was taken to secure its network, and a third-party cybersecurity firm was engaged to determine the nature and scope of the incident. The investigation confirmed that files containing patient data had been exposed. A third-party vendor was engaged to review the affected files, and that review was completed on October 23, 2023. Notification letters were mailed to the affected individuals on November 15, 2023. The exposed information included names, addresses, dates of birth, Social Security numbers, driver’s license numbers, and other government ID numbers.

McAlester Regional Health Center has tightened firewall restrictions, rewritten and strengthened its password policy, forced password changes for every account across the organization, and increased restrictions on file sharing. Affected individuals have been offered complimentary single-bureau credit monitoring services.

Compromised Credentials Used to Access PeakMed Network

PeakMed, a Colorado primary care provider, has started notifying 27,800 patients about a security breach that was detected on August 30, 2023. An investigation of suspicious network activity confirmed that an unauthorized individual had obtained an employee’s credentials and used them to access its network between July 24, 2023, and August 30, 2023.

The documents that were accessed, and potentially acquired, were found to contain patient names along with one or more of the following: address, Social Security number, driver’s license number, date of birth, medical record number, financial account information, payment card information, electronic signature, billing/claims information, medical provider’s name, Medicare/Medicaid identification, medication information, treatment information, and health insurance information. PeakMed said all system passwords were reset when the breach was discovered, and 2-factor authentication has been implemented for all employee accounts.

Catholic Charities of Long Island Cyberattack Affects 13,000 Patients

Catholic Charities of the Diocese of Rockville Centre, doing business as Catholic Charities of Long Island in New York, has notified 13,000 patients that some of their personal information was exposed and potentially acquired by unauthorized individuals. Access appears to have been gained to its network via the Cisco AnyConnect VPN.

Unusual network activity was detected on September 3, 2023, and network access was immediately disconnected. A third-party cybersecurity firm was engaged to investigate the incident and determined that an unauthorized third party had accessed files that contained patient data, including names, addresses, dates of birth, Social Security numbers, driver’s license numbers, passport numbers, and medical information.

The list of affected individuals was finalized on October 24, 2023, and notification letters were mailed on November 2, 2023. Catholic Charities has taken several steps to improve security, including installing threat hunting and endpoint detection and response solutions.

Endocrine and Psychiatry Center Discovers Theft of Historic Data

The Endocrine and Psychiatry Center in Texas has recently sent notifications to patients advising that some of their protected health information was removed from its systems by an unauthorized individual. The theft occurred at some point prior to March 20, 2023, and involved data generated prior to 2017. A comprehensive review of the affected files was completed on October 15, 2023, and determined that the following information had potentially been compromised: full name, Social Security number, driver’s license number or other government identification number, date of birth, financial account information, credit or debit card information, treatment/diagnosis information, and/or health insurance information.

According to the notification sent to the Maine Attorney General, 28,531 individuals were affected. The Endocrine and Psychiatry Center has offered those individuals a complimentary membership to the Equifax Credit Watch Gold service.

Bladen County, North Carolina Suffers Cyberattack

Bladen County in North Carolina is dealing with a cyberattack in which sensitive data was compromised. County officials said the attack impacted multiple server and internet-based systems, and the incident is being investigated by the North Carolina Joint Cybersecurity Task Force, which has helped to secure its servers. Rodney Hester, chairman of the Bladen County Board of Commissioners, confirmed that the county had emergency preparedness plans in place to deal with this kind of incident and confirmed that all emergency services remained operational throughout, although the county has been operating in a limited capacity since the attack.

The nature of the attack has not been disclosed, including whether ransomware was involved. If ransomware was used, no ransom will be paid, as North Carolina law prohibits state and local government entities from paying ransoms to ransomware gangs. It is currently unclear how many individuals have had their information stolen in the attack.


Sutter Health Confirms 845K Individuals Affected by Cyberattack on Business Associate

Sutter Health, a healthcare provider serving Northern California, has recently confirmed that patient data was compromised in a hacking incident at one of its business associates, Virgin Pulse. Virgin Pulse was contracted to provide important notices and communications to patients and was provided with patient data to fulfill that role.

Virgin Pulse used Progress Software’s MOVEit Transfer file transfer tool, which had a vulnerability that was exploited by the Clop group. Progress Software released a patch to fix the vulnerability on May 31, 2023, and Virgin Pulse said it moved quickly to apply the patch and the recommended mitigation steps; however, the vulnerability had already been exploited by then. The vulnerability was exploited in attacks on more than 2,300 organizations, and the data of more than 60 million individuals was stolen, including the data of 845,441 Sutter Health patients.

Sutter Health was informed by Virgin Pulse on September 22, 2023, that it had been affected by the hack, almost 4 months after the cyberattack occurred, but did not get the final report until October 24, 2023. The compromised data included names, dates of birth, health insurance information, provider names, treatment cost information, and diagnoses/treatment information. Sutter Health said the affected individuals have been offered a complimentary 1-year membership to a credit monitoring and identity theft protection service.

Northern Iowa Therapy Confirms Extent of March 2023 Security Incident

Waverly, IA-based Northern Iowa Therapy (NIT) has recently confirmed that the records of 5,100 patients have been exposed. The privacy breach was first identified on March 10, 2023, when NIT discovered a limited number of patient records in an account unaffiliated with NIT. An investigation was launched, and third-party forensic experts were engaged to investigate. NIT first announced the security incident on June 21, 2023, and conducted a review of the documents involved. On October 4, 2023, it was determined that patient data had been exposed. Contact information was then verified, and notification letters were sent on October 27, 2023.

The exposed information varied from individual to individual and may have included names, addresses, dates of birth, email addresses, phone numbers, medical information, mental/physical condition, Medicare IDs, Social Security numbers, driver’s license numbers, diagnoses, treatment information, dates of service, billing & claims information, health insurance information, and patient account numbers.

NIT said it continuously evaluates and modifies its security practices to enhance the privacy and security of the personal information it stores and will continue to do so.

West Central District Health Department Notifies Patients About May 2023 Cyberattack

The West Central District Health Department (WCDHD) in Nebraska has recently confirmed that there was unauthorized access to its network and that patient data has been exposed. The forensic investigation confirmed that certain portions of its network were accessed between May 18, 2023, and May 23, 2023, and the review of the affected files was completed on September 18, 2023.

In its November 13, 2023, breach notice, WCDHD confirmed that the exposed information included names in combination with one or more of the following: Social Security number, driver’s license number, state ID number, and/or financial account number. Complimentary credit monitoring and identity theft protection services have been offered to the affected individuals.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

NoEscape Ransomware Group Claims Responsibility for Attacks on 2 Healthcare Organizations

The NoEscape ransomware group has claimed responsibility for attacks on two healthcare organizations, Southeastern Orthopaedic Specialists in Greensboro, NC, and Carespring in Loveland, OH. NoEscape claims to have exfiltrated 3 GB of data from Southeastern Orthopaedic Specialists and 364 GB of data from Carespring and has issued threats on its data leak site to release the stolen data if the ransom demands are not met. In addition to data encryption and data theft/leaks, the NoEscape group often conducts DDoS attacks on victims who do not attempt to negotiate, and the group claims to have conducted such an attack on Southeastern Orthopaedic Specialists. At present no data has been released, and neither organization has publicly confirmed a cyberattack or data breach.


Concentra Confirms Almost 4 Million Patients Affected by PJ&A Data Breach

Concentra, a Texas-based physical and occupational health provider, has confirmed it was affected by a cyberattack at its transcription service provider, PJ&A. PJ&A has already reported the breach to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) as affecting almost 9 million patients; however, some PJ&A clients have chosen to report the breach to OCR themselves, including Concentra.

On January 9, 2024, Concentra confirmed that the protected health information of 3,998,162 patients was compromised in the PJ&A cyberattack, bringing the total number of affected individuals up to at least 14 million. That makes it the largest healthcare data breach of 2023. That total is likely to grow further, although by how much is not currently clear as PJ&A has not publicly disclosed which clients have been affected nor the total number of records that were compromised in the attack.

The Nevada-based medical transcription company and many of the affected clients are being sued over the data breach. At least 40 lawsuits have already been filed against PJ&A alleging negligence for failing to implement reasonable and appropriate cybersecurity measures to safeguard the sensitive health data it is provided by its clients. Some of the lawsuits name the affected healthcare companies as co-defendants.

Concentra said the information compromised includes full names and one or more of the following data elements: date of birth, address, medical record number, hospital account number, admission diagnosis, and date(s) and time(s) of service. Some individuals may also have had their Social Security number compromised, as well as insurance information and clinical information from medical transcription files, such as laboratory and diagnostic testing results, medications, the name of the treatment facility, and the name of healthcare providers. There is no mention of credit monitoring and identity theft protection services being made available. Concentra has advised the affected individuals to monitor their accounts closely for signs of misuse of their information and to consider placing a fraud alert on their credit files.

Business associates of HIPAA-covered entities are prime targets for hackers as they typically store large volumes of sensitive data, and it is clear from recent breach reports that hackers are targeting business associates. A breach of this scale naturally raises questions about the security measures that were implemented at PJ&A and how it was possible for hackers to gain access to so much data. Given the high risk of cyberattacks, network segmentation should have been implemented to ensure that if its defenses were breached, hackers would only be able to gain access to limited data.

January 5, 2024: PJ&A Data Breach Total Grows as Kansas City Hospital Confirms 502K-Record Breach

North Kansas City Hospital and its subsidiary Meritas Health Corporation have recently announced that they were affected by the massive data breach at Perry, Johnson, and Associates (PJ&A).

PJ&A, a provider of medical transcription services, discovered the cyberattack on July 21, 2023, and in November, reported the breach to the HHS’ Office for Civil Rights as affecting 8,952,212 individuals; however, some of its affected clients have chosen to report the breach themselves, including North Kansas City Hospital. The Missouri hospital said the protected health information of 502,438 individuals was compromised between March 27, 2023, and May 2, 2023, when hackers had access to PJ&A’s systems. At least 9,454,650 individuals are now known to have had their data compromised in the PJ&A data breach.

North Kansas City Hospital and Meritas worked with PJ&A to determine which individuals had been affected and the types of data involved, and that process was completed on November 7, 2023. During the analysis, North Kansas City Hospital also identified data belonging to the Clay County Public Health Center. The types of data involved were limited to demographic information such as name, date of birth, gender, phone number and address; health insurance information; and some clinical information. No Social Security numbers were compromised.

After learning of the breach, North Kansas City Hospital and Meritas implemented additional safeguards, reviewed their policies and procedures for data privacy and security, and discontinued sharing data with PJ&A. North Kansas City Hospital and Meritas have now severed all ties with PJ&A. North Kansas City Hospital has advised all affected individuals to be vigilant against incidents of identity theft and fraud by reviewing their accounts, explanations of benefits, and credit reports for suspicious activity, and to report any suspicious activity to the affiliated institutions immediately.

December 29, 2023: Class Action Lawsuits Filed Over PJ&A Data Breach

After such a large data breach, it was inevitable that class action lawsuits would be filed by individuals who had their sensitive protected health information stolen. Many law firms have opened investigations into the PJ&A data breach and class action lawsuits have started to be filed against PJ&A and the healthcare providers that used the company for medical transcription services.

Class Action Lawsuit Filed Against Northwell Health and PJ&A

At least one class action lawsuit has been filed against PJ&A and Northwell Health, New York’s largest health system. Almost 4 million patients of Northwell Health had their protected health information compromised in the PJ&A data breach.

The lawsuit was filed on behalf of plaintiffs David Mayo and Madeleine E. Schwartz and similarly situated Northwell Health patients whose PHI was compromised in the data breach. The lawsuit alleges the defendants failed to implement reasonable and adequate security measures which left their sensitive data vulnerable to cyberattacks. The information compromised in the data breach included names, birthdates, Social Security numbers, addresses, medical record numbers, hospital account numbers, admission diagnoses, and times and dates of service. The lawsuit also takes issue with the length of time taken to issue notification letters. They were sent on November 3, 2023, more than 6 months after the data breach was detected.

The lawsuit alleges negligence, negligence per se, breach of contract, breach of third-party beneficiary contract, breach of fiduciary duty, unjust enrichment, and a violation of the New York Deceptive Trade Practices Act and seeks declaratory and other equitable relief, injunctive relief, restitution, damages, attorneys’ fees, and a jury trial.

The lawsuit – David Mayo, et al. v. Northwell Health Inc., et al. – was filed in the US District Court for the Eastern District of New York. The plaintiffs are represented by Jason P. Sultzer and Philip J. Furia of The Sultzer Law Group PC; Jeffrey K. Brown and Andrew Costello of Leeds Brown Law PC; Charles E. Schaffer and Nicholas J. Elia of Levin Sedran & Berman LLP; and Jeffrey S. Goldenberg and Todd B Naylor of Goldenberg Schneider LPA.

Lawsuit Filed Against Salem Community Hospital and PJ&A

A lawsuit was filed on December 20, 2023, by Michael Stone and Leeanne Varner against Salem Community Hospital and PJ&A over the data breach, which exposed sensitive data such as names, Social Security numbers, birth dates, medical record numbers, hospital account numbers and date(s) of service.

The lawsuit alleges the PJ&A data breach was the result of the defendants failing to follow cybersecurity best practices and not adequately training their staff, despite an increased risk of cyberattacks in the healthcare sector. The lawsuit also claims the defendants unnecessarily delayed issuing notification letters, which were not sent until November 10, 2023, which left the plaintiffs and class members at risk of identity theft and fraud, when early notification would have allowed them to take steps to secure their accounts.

The lawsuit alleges negligence, negligence per se, breach of contract, breach of third-party beneficiary contract, breach of fiduciary duty, and unjust enrichment, and seeks a jury trial, injunctive relief, damages and restitution, and attorneys’ fees.

The lawsuit – Stone et al. v. Salem Community Hospital et al. – was filed in the U.S. District Court for the Northern District of Ohio. The plaintiffs are represented by Jeffrey S. Goldenberg and Todd B. Naylor of Goldenberg Schneider, LPA; Jason P. Sultzer & Philip J. Furia of The Sultzer Law Group P.C.; Jeffrey K. Brown & Andrew Costello of Leeds Brown Law, P.C.; and Charles E. Schaffer & Nicholas J. Elia of Levin Sedran & Berman LLP.

November 19, 2023: PJ&A Data Breach Announced: Almost 9 Million Patients Affected

Almost 9 million patients have been affected by a cyberattack on the transcription service provider, Perry Johnson & Associates. The PJ&A data breach is the second-largest healthcare data breach this year and the 6th largest healthcare data breach ever reported.

PJ&A is a Henderson, Nevada-based provider of transcription services to organizations in the medical, legal, and government sectors and the largest privately owned provider of transcription services in the United States. PJ&A detected unauthorized activity within its IT systems on May 2, 2023, and immediate action was taken to isolate its systems and prevent further unauthorized access. Third-party cybersecurity experts were engaged to investigate the incident and determine the nature and scope of the attack, and whether sensitive data was exfiltrated from its systems.

The forensic investigation confirmed that there had been unauthorized access to its network for more than a month between March 27, 2023, and May 2, 2023, and during that time, there had been unauthorized access to data provided by its clients. PJ&A notified its clients about the cyberattack on July 21, 2023, and in the following days confirmed there had been unauthorized access to data; however, the investigation was ongoing and it was not possible to confirm exactly what types of information had been exposed or the number of individuals affected.

The PJ&A data breach investigation was completed on September 28, 2023, and on September 29, 2023, PJ&A started providing the results of its investigation to the affected clients. PJ&A said the information accessed by the unauthorized party varied from individual to individual and may have included name, address, date of birth, medical record number, hospital account number, admission diagnosis, date/time of service, Social Security number, insurance information, and medical and clinical information. The medical and clinical information contained in the transcription files may have included laboratory and diagnostic testing results, medications, the name of the treatment facility, and healthcare provider name. Credit card information, bank account information, and usernames/passwords were not provided to PJ&A, so they were not exposed.

On November 2, 2023, the breach was reported to the HHS’ Office for Civil Rights as affecting 8,952,212 individuals. PJ&A said that after notifying the affected clients it worked with them to notify the individuals identified during its review. When data breaches occur at business associates of HIPAA-covered entities, the business associate often reports the data breach to OCR; however, depending on the terms of the business associate agreements, individual covered entities may choose to report the breach themselves. It is currently unclear whether the 8,952,212 total includes all affected individuals or if some clients are reporting the breach themselves. The total reported to OCR only includes individuals who had their protected health information exposed and will not include clients in other sectors.

PJ&A explained in its HIPAA-required breach notice that it has not detected any attempted or actual misuse of the stolen data and has already taken steps to prevent similar breaches in the future, including updating its technical security measures. PJ&A made no mention of whether credit monitoring and identity theft protection services were being offered to the affected individuals, although some affected clients have said that those services have been made available.

Clients Affected

PJ&A has not publicly disclosed how many of its clients have been affected. At this stage, the HIPAA Journal has confirmed the names of several affected clients and will update this post when further information becomes available.

Cook County Health (IL)

Cook County Health operates John H. Stroger, Jr. Hospital of Cook County and Provident Hospital of Cook County in Chicago, four pharmacies, two health services including the Cook County Department of Public Health, and 15 community health centers in Cook County, Illinois.

Individuals affected: 1.2 million

Northwell Health (NY)

Northwell Health, formerly North Shore-Long Island Jewish Health System, is the largest healthcare provider and private employer in New York State and operates 23 hospitals including its flagship North Shore University Hospital and Long Island Jewish Medical Center, as well as 700 outpatient facilities.

Individuals affected: Northwell Health issued a draft statement saying 3,891,565 individuals had been affected, but that statement was later retracted and the final total has not yet been confirmed.

Salem Regional Medical Center (OH)

Salem Regional Medical Center in Salem, OH, has confirmed it was affected by the PJ&A data breach, which the hospital said occurred between March 2 and May 2, 2023. The breached information included names, Social Security numbers, dates of birth, addresses, phone numbers, medical records, and hospital account numbers. The hospital said PJ&A is providing free identity theft protection.

Individuals affected: Unknown

Mercy Medical Center (IA)

Mercy Medical Center has confirmed that 97,132 patients have been affected by a data breach at the medical transcription firm, Perry Johnson and Associates (PJ&A). The Cedar Rapids, IA, 450-bed hospital explained that there was no breach of its own systems; however, data provided to PJ&A to allow the firm to perform its contracted duties had been exposed and potentially stolen.

PJ&A discovered on May 2, 2023, that unauthorized individuals had gained access to its network and third-party cybersecurity experts were engaged to investigate the incident. PJ&A determined that Mercy Medical Center data was involved on October 5, 2023, and informed Mercy Medical Center on October 10, 2023, that a backup of a database had been obtained by the hackers that included the data of its patients. The review of the data confirmed that names, dates of birth, addresses, admission/discharge dates, Social Security numbers, and medical examination information had been stolen.

PJ&A issued notifications on behalf of many of its clients and reported the data breach to the HHS’ Office for Civil Rights on November 3, 2023, as affecting 8.95 million individuals; however, Mercy Medical Center chose to report the breach to the HHS directly and sent individual notifications on December 8, 2023. It took Mercy Medical Center 2 months from being notified about the breach to perform the necessary steps to allow notifications to be issued. Mercy Medical Center has arranged complimentary credit monitoring services for the affected patients and has confirmed that it is no longer using PJ&A’s medical transcription services.

Individuals affected: 97,132

Crouse Health (NY)

Syracuse, NY-based Crouse Health has confirmed that it was affected by the PJ&A data breach and that patients had the following types of information exposed: first and last name, date of birth, address, sex, phone number, medical record number, health insurance information, dates of admission and discharge, attending physician identifiers, hospital room number, and visit type. Fewer than 10% also had a transcript of care dictated by the patient’s physician, and/or the patient’s Social Security number. PJ&A has notified the affected patients.

Individuals affected: Undisclosed

PJ&A Data Breach Investigations and Lawsuits

All data breaches affecting 500 or more individuals are investigated by the HHS’ Office for Civil Rights to determine if there have been failures to comply with the HIPAA Rules. State Attorneys General also investigate data breaches and can impose civil monetary penalties for violations of HIPAA and state laws. PJ&A has only disclosed limited information about the nature of the breach so far and, based on the information available, there are no indications that any federal or state data security regulations have been violated.

Class action lawsuits are commonly filed after healthcare data breaches, and a breach of this magnitude is likely to see many class action lawsuits filed. As of December 20, 2023, more than two dozen lawsuits have been filed against PJ&A over the data breach, all of which make similar claims – that PJ&A was negligent for failing to implement appropriate safeguards to protect patient data. A motion has been filed to consolidate the lawsuits, which is due to be heard by the U.S. Judicial Panel on Multidistrict Litigation on January 25, 2023.

While the data breach occurred at PJ&A, several lawsuits have also been filed against the healthcare providers that used PJ&A for medical transcription, including Northwell Health.

One of Many Large Data Breaches in 2023

This year is on track to be another bad year for healthcare data breaches. As of November 15, 2023, 583 data breaches of 500 or more records have been reported to the HHS’ Office for Civil Rights, but it is the size of the data breaches that is most alarming. So far this year, the protected health information of 102,407,662 individuals has been confirmed as exposed or stolen, which is almost double the 51,903,629 records that were breached in 2023. If large data breaches continue to be reported at current rates, 2023 looks set to become the worst-ever year in terms of the number of breached records.

OCR recently confirmed that hacking incidents now account for 77% of healthcare data breaches, and there has been a 239% increase in large data breaches in the past 4 years and a 278% increase in ransomware attacks. The number of data breaches being reported indicates healthcare providers are struggling with cybersecurity in the face of increasingly sophisticated and numerous attacks.

New York recently announced that it is taking steps to address the problem by introducing stricter cybersecurity regulations for hospitals after a series of cyberattacks that affected patient care. New York Governor Kathy Hochul also confirmed that $500 million has been made available to help hospitals make the necessary improvements to cybersecurity. New York is leading the way by taking steps to improve healthcare cybersecurity but given the seriousness of the problem, this should not be a matter for individual states to try to resolve. More needs to be done by Congress to combat the problem, such as updates to HIPAA and/or financial incentives and assistance for improving cybersecurity.


Postmeds & Truepill Sued Over 2.3 Million-Record Data Breach

Postmeds, Inc., a company that does business as Truepill and fulfills mail order prescriptions for pharmacies, has recently announced that it has suffered a massive data breach that has affected 2,364,359 individuals. According to the company’s breach notice, an unauthorized third party gained access to files used for pharmacy management and fulfillment services. The forensic investigation confirmed the unauthorized access occurred between August 30, 2023, and September 1, 2023, and the exposed files were found to contain information such as names, medication types, and, for certain patients, demographic information and prescribing physician names. Highly sensitive information such as Social Security numbers were not compromised, as Postmeds does not receive that information.

Postmeds said it has enhanced its security protocols and technical safeguards in response to the incident and has provided its workforce with additional cybersecurity training to raise awareness of cybersecurity threats. Affected individuals started to be notified about the breach by mail on October 30, 2023.

A breach of this magnitude was certain to result in class action lawsuits, the first of which has already been filed in the U.S. District Court for the Northern District of California. The lawsuit, Rossi, et al. v. Postmeds Inc. d/b/a Truepill, names John Rossi, Michael Thomas, and Marissa Porter as plaintiffs, who are represented by attorneys Kyle McLean, Mason Barney, and Tyler Bean of Siri and Glimstad LLP. The lawsuit alleges Truepill failed to implement appropriate systems to prevent unauthorized access to patient data. The lawsuit claims the plaintiffs and class members have been placed at significant risk of identity theft and other forms of personal, social, and financial harm, and that the elevated risks will be present for a lifetime.

Class action lawsuits are commonly filed after healthcare data breaches and seek damages due to negligence, breach of contract, and invasion of privacy. It is not sufficient to allege violations of federal or state laws, as a concrete injury must have been caused as a result of those violations for the lawsuit to be granted standing.


Ransomware Gangs Hit Debt Collection Firm and Mental Healthcare Provider

Ransomware attacks have been announced by Financial Asset Management Systems and The Harris Center for Mental Health. Munson Healthcare is investigating a cyberattack on Munson Healthcare Otsego Hospital, and St. Bernards Healthcare has confirmed that patient information was compromised in a MOVEit Transfer hack.

The Harris Center for Mental Health Recovering from a Ransomware Attack

The Harris Center for Mental Health in Texas has recently fallen victim to a ransomware attack. The incident was detected on November 7, 2023, when staff members were prevented from accessing files. The network was immediately shut down to limit the harm caused, and cybersecurity consultants were engaged to assist with the recovery and investigation.

The Harris Center for Mental Health said it is continuing to provide care to patients; however, the lack of access to electronic systems has inevitably led to delays. At this stage of the investigation, it is unclear whether patient data has been compromised.

This is the second major incident to affect The Harris Center for Mental Health this year. In May 2023, a vulnerability in the MOVEit Transfer tool used by one of its service providers was exploited to gain unauthorized access to sensitive data. The protected health information of 599,367 individuals was stolen in that attack.

Ransomware Attack on Financial Asset Management Systems Affects 165,000 Patients

Financial Asset Management Systems (FAMS), a business management consultancy and debt collection firm, has recently reported a data breach to the HHS’ Office for Civil Rights that has affected 164,796 patients. In its substitute breach notice, FAMS said it experienced a “network disruption” incident, which prevented access to certain files on its network. The forensic investigation and review of the exposed files was completed on August 31, 2023, and confirmed that the exposed information included names, billing account numbers, costs paid, balances due, and the name of the affected FAMS client. The affected individuals started to be notified on October 20, 2023, and credit monitoring and identity theft protection services have been offered to the affected individuals.

Munson Healthcare Otsego Hospital Investigating Cyberattack

Munson Healthcare has confirmed that it is investigating a cyberattack on Munson Healthcare Otsego Hospital in Gaylord, MI. Munson Healthcare said computer systems were shut down in response to the security incident and a third-party cybersecurity company has been engaged to conduct a forensic investigation to determine the nature and scope of the attack.

Details about the nature of the attack, such as if this was a ransomware/extortion incident, have not been publicly disclosed, and it has yet to be determined if patient data has been exposed or obtained.

Business Associate Data Breach Affects 89,500 St. Bernards Healthcare Patients

Jonesboro, AR-based St. Bernards Healthcare, Inc., a health system serving northeast Arkansas and southeast Missouri, has recently announced that the protected health information of 89,556 patients has been exposed in a data breach at one of its third-party vendors.

St. Bernards Healthcare contracted with Welltok Inc. to provide an online contact management platform, which was used to send important notices and communications through Welltok’s subsidiary, Tea Leaves Health LLC. Welltok used Progress Software’s MOVEit Transfer product, a zero-day vulnerability in which was patched on May 31, 2023; however, the vulnerability had already been exploited on May 30. Welltok discovered on July 26, 2023, that it had been affected by the mass exploitation of the vulnerability, and its investigation revealed on August 11, 2023, that sensitive data was exfiltrated in the attack.

St. Bernards Healthcare was notified about the breach by Welltok on September 14, 2023, and was told about the full scope of the breach on October 18, 2023. The information stolen in the attack included names, addresses, dates of birth, email addresses, phone numbers, Social Security numbers, patient identification numbers, health insurance information, providers’ names, and medical treatment/diagnosis information. Welltok started to notify the affected individuals on November 13, 2023.


New York’s Largest Health System Affected by PJ&A Data Breach

Another client of the medical transcription firm Perry Johnson & Associates (PJ&A) has confirmed it has also been affected by the recent PJ&A data breach. New Hyde Park, NY-based Northwell Health, the largest health system in New York, has confirmed that it was notified on July 21, 2023, by PJ&A about the cyberattack that occurred between April 7 and April 19, 2023.

On September 28, 2023, PJ&A completed its initial investigation and was able to confirm the extent of the breach. According to News12 Long Island, Northwell Health initially released a draft statement indicating 3,891,565 individuals had been affected, although the statement was later recalled and Northwell Health said it was unable to confirm exactly how many individuals had been affected.

Northwell Health said the breach involved names, addresses, dates of birth, and medical information, including diagnoses, test results, and physician and healthcare provider names. Some patients also had their Social Security numbers exposed. Northwell Health said the breach occurred at PJ&A and no Northwell Health systems were affected. Affected individuals will be offered complimentary credit monitoring services, although no evidence has been uncovered to indicate any patient data has been misused.

This is the second major vendor data breach to affect Northwell Health patients this year. Northwell Health was also affected by a hacking incident at vendor Nuance Communications. The Clop ransomware group exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution in late May 2023. Nuance Communications reported the breach to the HHS as affecting 1,225,054 individuals, although it is unclear how many, if any, Northwell Health patients are included in that total.

Northwell Health is the second PJ&A client to confirm it has been affected by the cyberattack and data breach. Last week, Cook County Health in Chicago said 1.2 million patients had their PHI exposed and that it was one of several PJ&A clients to be affected. Cook County Health said it terminated its relationship with PJ&A when it was informed about the data breach and had difficulty confirming exactly how many individuals had been affected. It did not receive the final list of affected patients until October 9, 2023.

The latest confirmation suggests almost 5 million patients may have been affected by the breach and had their protected health information exposed or stolen in the attack. That number could well rise over the coming days and weeks as further clients confirm they have been affected. At present there is no breach notice on the HHS’ Office for Civil Rights website from PJ&A, although the breach is now shown on the website of the California Attorney General. Since the California Attorney General only posts breach notification letters, which do not usually state how many individuals have been affected, the scale of the breach cannot yet be determined.
