HIPAA Breach News

Medtronic Alerts InPen App Users About Disclosures of Personal Data to Google

The medical device manufacturer Medtronic – dba Medtronic MiniMed and MiniMed Distribution Corp (Medtronic Diabetes) – has recently confirmed that users of its InPen Diabetes Management App on iOS and Android have had some of their personal information disclosed to Google due to the use of tracking and authentication code within the InPen App.

The app utilized Google Analytics for Firebase, Crashlytics for Firebase, and Firebase Authentication. These tools disclosed certain information about app users to Google, especially when users were logged into their Google accounts at the same time that they used the InPen App. As a result, their identities and information about online activities were shared with Google. The tools were used by Medtronic Diabetes to gather information about the use of the app, identify technical issues, assess app performance, and understand user needs to provide care to customers and improve services.

Medtronic Diabetes said the data collected by these tools is analyzed at a consolidated rather than individual level and does not directly identify individual patient information, but it was determined that certain information was transmitted to Google when users were logged into their Google accounts. Medtronic Diabetes said that when the potential for unauthorized disclosure of user data was discovered, an internal investigation was launched into the use of these tracking technologies to determine exactly what information was potentially shared with Google.

The decision was taken to notify all users who registered for or used an InPen account since September 2020, as they may have been affected. The data disclosed to Google was dependent on user interactions with the app, and other factors, such as the browser used, whether cookies had been cleared, and if they were logged into Google when using the app.

Medtronic Diabetes said that information disclosed may have included: email address, IP address, phone number, InPen App user name and password, timestamp information related to specific InPen App events, and certain unique identifiers tied to the InPen account or mobile device. The latter includes a unique Medtronic Diabetes user identifier, unique numbers attributed to each instance the InPen App is downloaded to a particular device, and identifiers tied to a mobile device such as a MAID, IDFA, AAID, and/or IDFV.

Medtronic Diabetes said Google Analytics has been removed from the latest version of the InPen app, and plans have been made to transition from Crashlytics and Firebase Authentication to other crash reporting and authentication systems.

La Clínica de La Raza Reports Email Breach

La Clínica de La Raza in Oakland, CA, has reported a breach of the protected health information of 15,316 individuals. Suspicious activity was detected within certain employee email accounts on February 8, 2023, and steps were immediately taken to secure the accounts. Assisted by a third-party computer forensics firm, La Clínica was able to confirm that a limited number of employee email accounts had been accessed by unauthorized individuals at various times between January 24, 2023, and February 8, 2023.

A review of all affected email accounts was conducted, and La Clínica confirmed on April 4, 2023, that they contained patient information such as names, addresses, dates of birth, financial account or payment card information, online credentials, Social Security numbers, medical treatment information, and/or health insurance information.

Affected individuals are being notified by mail and complimentary identity protection and credit monitoring services have been offered to individuals whose Social Security numbers were exposed.

John Muir Health Says Walnut Creek Medical Center Patient Data Has Been Exposed

John Muir Health is notifying certain Walnut Creek Medical Center patients that some of their protected health information has been exposed and potentially accessed by unauthorized individuals. The Californian healthcare provider was notified about the exposure on March 22, 2023. A member of staff at the medical center created a website in order to communicate with other staff members more efficiently about the use of medical devices and centralize information such as vendor sites, order forms, and equipment information. The website included a link to an Excel spreadsheet that contained patient information. The information in the spreadsheet was intended to be accessed internally by authorized individuals; however, it could also be accessed by individuals outside of John Muir Health. The spreadsheet contained information such as names, facility, room, diagnosis, condition, and dates.

John Muir Health said the link to the Excel file was disabled on March 23, 2023, and the website was decommissioned on March 24, 2023. The investigation confirmed that the spreadsheet had not been accessed by any unauthorized third party between September 28, 2022, and March 23, 2023, but due to limited audit records, it was not possible to determine if there had been unauthorized access between July 1, 2021, and September 27, 2022.

Affected individuals have been notified by mail. The incident has been reported to the California Attorney General but is not yet appearing on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

The post Medtronic Alerts InPen App Users About Disclosures of Personal Data to Google appeared first on HIPAA Journal.

DC Health Link Data Breach Caused by Human Error

Further information has been released on the data breach at the Washington DC health insurance exchange, DC Health Link, ahead of today’s hearing of the House Oversight Committee’s subcommittee on cybersecurity, information technology, and government innovation.

DC Health Link detected the data breach on March 6, 2023, and engaged Mandiant to investigate. By March 8, the source of the breach had been identified and immediately shut down; however, files were stolen and some of the compromised information was listed for sale on an online hacking forum. DC Health Link has offered complimentary credit monitoring and identity theft protection services to affected individuals. Mila Kofman, executive director of DC Health Link, said the internal investigation into the data breach is ongoing; however, she was able to share further information about the security incident and data breach and will be discussing the findings of Mandiant’s investigation at today’s hearing.

Last week, the two chairs of the subcommittee, Reps. Nancy Mace (R-South Carolina) and Barry Loudermilk (R-Georgia), issued a joint statement ahead of the hearing. “The breach of D.C. Health link data put thousands of individuals at risk, including Members of Congress, congressional staff, and family members. The individuals who trusted the D.C. health exchange to keep their personal health data secure are rightly concerned about the potential consequences of this breach on their personal lives. They are relying on us to investigate how it took place, how it could have been avoided, how the fallout can be mitigated, and how to prevent a recurrence.”

In a prepared statement submitted ahead of the hearing, Kofman confirmed that 56,415 current and former customers were affected, including members of Congress, their families, and Congressional aides. Two reports were stolen that included the personal data of 17 members of Congress, 43 of their dependents, 585 staffers, and 231 of their dependents. The compromised information included basic personal information, contact information, dates of birth, and Social Security numbers.

The hacker was able to gain access to data due to a security flaw, which Kofman says was introduced due to human error. A cloud server had been misconfigured, which allowed the reports to be accessed without authentication. The misconfiguration of cloud storage buckets is commonplace, with one report from Palo Alto Networks suggesting around two-thirds of exposed cloud servers contain some sensitive data. Kofman apologized for the breach and said DC Health Link rapidly investigated the incident and shut down access. “We are not shying away from this breach. We have been and remain committed to being open and transparent,” said Kofman in her prepared statement.

Lawsuit Filed Against Conifer & Tenet Healthcare Over Email Account Breach

A class action lawsuit has been filed against Conifer and Tenet Healthcare over a breach of the protected health information of thousands of individuals. The lawsuit names Conifer Value-Based Care, Conifer Health Solutions, Conifer Revenue Cycle Solutions, and Tenet Healthcare Corporation as defendants. Conifer provides revenue cycle management and value-based care services and all Conifer entities are subsidiaries of, and therefore under the control of, Tenet Healthcare. The lawsuit was filed in the U.S. District Court Northern District of Texas, Dallas Division, on behalf of plaintiff Nicole Kolb, and similarly situated individuals. The plaintiff and class are represented by Joe Kendall of Kendall Law Group, Samuel J. Strauss and Raina Borrelli of Turke & Strauss, and Gary M. Klinger of Milberg Coleman Bryson Phillips Grossman.

The lawsuit was filed in response to a breach of a Microsoft 365-hosted business email account that was detected on April 14, 2022. The investigation concluded the account was compromised on January 20, 2023. The information in the compromised email account included full names, home addresses, dates of birth, medical and treatment information, health insurance information, and billing and claims information, with some individuals also having their Social Security numbers, financial account information, and driver’s license numbers compromised.

The lawsuit alleges the defendants failed to protect highly sensitive data, did not have adequate monitoring measures in place to detect unauthorized account activity, and then delayed sending notification letters for several months. The plaintiff discovered she had been affected by the data breach on September 30, 2022, more than 8 months after the breach occurred and more than 5 months after the breach was detected, then was offered nothing to remedy the ill effects of the data breach. The lawsuit also alleges three violations of the HIPAA Rules – a failure to ensure the confidentiality, integrity, and availability of electronic protected health information, a failure to protect against reasonably anticipated threats to the security of ePHI, and a failure to protect against anticipated uses and disclosures of ePHI not permitted under the HIPAA Privacy Rule.

While the lawsuit was filed in response to a breach at Conifer Value-Based Care – reported to the HHS’ Office for Civil Rights as affecting 20,642 individuals – the lawsuit also states that another Conifer entity, Conifer Revenue Cycle Solutions, experienced a similar breach around the same time, which was reported to the HHS’ Office for Civil Rights as affecting 134,948 individuals, further indicating the failure of the defendants to protect sensitive data.

The lawsuit alleges the plaintiff and class members face imminent and impending injury from the increased risk of identity theft and fraud. The plaintiff has had to spend time dealing with the consequences of the breach, has experienced an increase in spam text and phone calls since the breach, and has spent increased time monitoring her accounts for misuse of her personal data. In addition, the plaintiff suffered diminution of the value of her sensitive data, anxiety, and emotional distress.

The lawsuit alleges negligence, negligence per se, invasion of privacy, unjust enrichment, and violations of the California Confidentiality of Medical Information Act, California Consumer Records Act, and California Unfair Competition Law. The lawsuit seeks class action status, a jury trial, declaratory and other equitable relief, injunctive relief, compensatory, exemplary, punitive damages, and statutory damages, and attorneys’ fees and legal costs.

Online Alcohol Counseling Service Provider Reports 109K-record Tracking Tool Data Breach

Monument Inc., a New York-based online alcohol addiction and treatment service provider, has recently notified almost 109,000 individuals about an impermissible disclosure of some of their personal and protected health information. The disclosure occurred due to the use of tracking code on its websites.

Monument explained in its breach notification letters that an internal review was conducted in late 2022 into the use of website tracking tools after guidance was issued by the HHS’ Office for Civil Rights on pixels and other tracking tools and how they may violate the HIPAA Rules. The internal review was completed on or around February 6, 2023, and it was determined that the tools on its websites potentially transferred identifiable protected health information to third parties who were unauthorized to receive the information, as consent to disclose that information was not obtained and there were no business associate agreements with the companies that provided the tools.

The tracking tools were provided by Google, Facebook (Meta), Pinterest, and Bing, and while present on the websites, the tools may have transferred names, birth dates, telephone numbers, email addresses, Monument IDs, insurance member IDs, unique digital IDs, photographs, uniform resource locators, assessments and survey, selected services and plans, appointment information, and associated health information. The types of information disclosed varied from individual to individual depending on their interactions on the websites.

The tracking tools were added to Monument websites in January 2020, and had been present on the Tempest websites since November 2017. Monument acquired Tempest in May 2022. Monument said it fully disconnected its websites from the tools on February 23, 2023, and has terminated third-party advertising relationships with the providers of the tracking tools. In the future, Monument will only use third-party vendors that meet HIPAA requirements and other privacy laws.

The decision was taken to notify all Monument members, even if they did not create an account or did not go on to become patients of Monument or Tempest’s medical groups (Live Life Now Health Group and Purdy Medical Corp). While there is no evidence of misuse of the disclosed information, affected individuals have been offered free membership to a credit monitoring service.

Monument is the latest healthcare organization to issue notifications about tracking tool-related data breaches over the past few months since these tools were discovered to be sending sensitive data to third parties. A recent study by researchers at the University of Pennsylvania suggests 99% of hospitals in the U.S. use tracking tools on their websites, while a study by The Markup indicates these tools are extensively used by online counseling service providers.

These impermissible disclosures have sparked several lawsuits and while there has been no action taken by OCR in response to these breaches, the Federal Trade Commission has taken action against non-HIPAA-covered entities such as GoodRx and Betterhelp.

ILS Data Breach Affects Almost 21K Iowan Medicaid Recipients

The Iowa Department of Health and Human Services (DHHS) has confirmed that the personal information of 20,800 Iowans who receive Medicaid was exposed in a cyberattack at a subcontractor of one of its business associates between June 30, 2022, and July 5, 2022.

Telligen performs annual assessments on Medicaid recipients for the Iowa DHHS. Telligen subcontracted part of the work to Independent Living Systems (ILS), and it was the systems of ILS that were breached. While ILS discovered the breach in July 2022, it took until February 14, 2023, for Telligen to be notified about the breach. Telligen notified the Iowa DHHS three days later on February 17, 2023. The DHHS will be sending notification letters to the affected individuals over the next few days.

Independent Living Systems reported the breach to the HHS’ Office for Civil Rights using a 501 placeholder until the number of affected individuals is determined; however, the breach was reported to the Maine Attorney General as affecting more than 4 million individuals.

Hacking Incident Reported by Retina & Vitreous of Texas

The Houston ophthalmology clinic, Retina & Vitreous of Texas, has reported a hacking incident that has affected 35,766 current and former patients. Suspicious activity was detected within its network on February 1, 2023, and it was confirmed on February 15, 2023, that unauthorized individuals had access to parts of its network containing patient data, which may have been viewed or acquired by the attacker.

The review of the affected files was completed on March 21, 2023, and confirmed they contained names, addresses, diagnoses and treatment information, insurance carrier information, and insurance subscriber identification numbers. Notifications were mailed to affected individuals on April 10, 2023.

Southwest Healthcare Services Hacking Incident Affects 16,000 Individuals

Bowman, ND-based Southwest Healthcare Services says hackers had access to its network between October 22 and October 29, 2022, and viewed or obtained files that included patient information. The review of the affected files was completed on January 31, 2023, and notification letters were sent to affected individuals on March 31, 2023.

Southwest Healthcare Services said the compromised information included names, addresses, birth dates, medical record numbers, internal identification numbers, driver’s license numbers, state identification numbers, clinical and treatment information, and health insurance information. Social Security numbers, financial information, and/or payment card information were involved for a limited number of individuals.

Individuals whose Social Security numbers were involved have been offered complimentary credit monitoring services. The breach was reported to the HHS’ Office for Civil Rights as affecting 15,996 individuals.

Stanford University Employee Data Compromised in Brightline Medical Associates Breach

Stanford University has confirmed that the personal information of certain employees was stolen in a hacking and data theft incident at Brightline Medical Associates. Brightline is a provider of virtual behavioral and mental health services and provides those services to the children of benefits-eligible employees and postdoctoral students across Stanford’s health plans.

Brightline used Fortra’s GoAnywhere Managed File Transfer (MFT) solution, which was hacked on January 30, 2023, by the Clop ransomware group. Ransomware was not used in the attack, but files were stolen. The Stanford University data was limited to covered individuals with dependents under 18 years and was mostly limited to demographic information such as subscriber and dependent names, contact information, member IDs, dates of birth, and coverage start and end dates. No information related to medical services, conditions, diagnoses, or claims was involved. Affected individuals are being notified and have been offered 2 years of complimentary identity theft and credit monitoring services. It is currently unclear how many individuals have been affected.

Unlimited Care and Nonstop Administration and Insurance Services Confirm PHI Exposure

The White Plains, NY-based home healthcare provider, Unlimited Care Inc., was the victim of a cyberattack that caused disruption to its network on February 16, 2023. Unlimited Care engaged a third-party cybersecurity firm to assist with the investigation and determine the nature and scope of the incident. The investigation is ongoing, but around March 21, 2023, it was determined that unauthorized individuals had access to parts of its network that contained sensitive data, and that information may have been viewed or acquired by the attackers.

The information confirmed as exposed includes employee names, addresses, birth dates, and Social Security numbers. The breach was reported to the Maine Attorney General as affecting up to 29,066 individuals. Complimentary identity theft protection services have been offered to those individuals.

Unlimited Care said it has initiated a global password reset, deployed the Carbon Black endpoint detection and response tool, initiated geo-fencing for non-U.S. emails, prevented all non-U.S. IP address connections, upgraded its AV software, and will be limiting access to the VPN to essential staff.

Nonstop Administration and Insurance Services Reports Unauthorized Data Access

Nonstop Administration and Insurance Services (NAIS), an administrator of health insurance benefits for employer groups, has recently announced that the protected health information of employees of its clients has been exposed. NAIS was contacted by an unknown party on December 22, 2022, who claimed to have accessed company data. An investigation was launched to verify the authenticity of the claim and it was determined that, for a limited time on December 22, 2022, an unauthorized individual had access to a cloud services platform that contained the data of client employees.

The data accessible varied from individual to individual and may have included name, date of birth, gender, address, email address, phone number, Social Security number, medical treatment/diagnosis information, and health insurance provider, claims, and billing information. Complimentary credit monitoring and identity theft protection services have been offered to affected individuals. The breach was reported to the HHS’ Office for Civil Rights as affecting up to 8,571 individuals.

Lehigh Valley Health Network Provides Further Information on February BlackCat Ransomware Attack

Lehigh Valley Health Network (LVHN) recently explained in a court filing that it was the victim of a BlackCat ransomware attack in February 2023 and the attackers gained access to patient information, including sensitive photographs of up to 2,760 patients.

LVHN confirmed that data was exfiltrated in the attack and a ransom demand of $5 million was issued, payment of which was required to prevent the publication of the stolen data. LVHN refused to pay the ransom and sensitive data was then leaked on the dark web, including patient photographs. The attack targeted the network supporting Delta Medix, which was acquired by LVHN in 2021.

The information was disclosed in a notice transferring a class action lawsuit against LVHN from the Lackawanna County Court to the U.S. District Court. The investigation into the attack is ongoing and LVHN is still trying to identify all affected individuals but has so far confirmed that the photographs of 2,760 patients have been obtained by the attackers. The photographs were clinically appropriate and included naked images of patients from the waist up.

Cyberattacks Affect BrightSpring Health Services, PharMerica, & Sarah D. Culbertson Memorial Hospital

Money Message Ransomware Group Leaks BrightSpring Health Services & PharMerica Data

The Money Message ransomware group has recently listed the Kentucky-based pharmacy network, PharMerica, and its parent company, BrightSpring Health Services, on its data leak site and claims to have stolen more than 2 million records in an attack on March 28, 2023. The stolen data includes patient names, birth dates, and Social Security numbers.

BrightSpring Health Services has confirmed that it is investigating a cybersecurity incident and has engaged third-party cybersecurity experts to assist with the investigation. BrightSpring said the attack did not affect its operations. At this stage of the investigation, it has not been determined how many individuals have been affected or the extent to which patient data was involved. The affected files are currently being reviewed and notification letters will be issued as quickly as possible.

Sarah D. Culbertson Memorial Hospital Confirms Systems Restored After Cyberattack

Sarah D. Culbertson Memorial Hospital in Rushville, IL, has confirmed that it has fully restored its IT systems following a March 2023 cyberattack. The hospital experienced disruption to its network on March 30, 2023. Systems were shut down to contain the attack and third-party cybersecurity experts were engaged to investigate the attack and determine the extent to which patient data was involved.

While access to the majority of its IT systems was prevented during the attack and breach response, the hospital confirmed that its ED services have been operational throughout and patient care was unaffected. Notifications will be issued to affected individuals if patient data is determined to have been compromised in the attack.

Mailing Error Affects More than 15,000 St. Luke’s Health System Patients

St. Luke’s Health System has notified 15,246 patients about an accidental disclosure of some of their protected health information. A technical error with a mailing resulted in letters being sent to incorrect mailing addresses. The letters that were sent to incorrect patients included the guarantor’s name, guarantor number, patient’s name, date of service, encounter-specific account number, outstanding balance, and balance status. St. Luke’s Health System said the accounts were not in collections and are not accountable for the balances.

The error was identified and corrected, and additional safeguards have now been implemented to identify similar errors before letters are mailed. As a precaution against misuse of data, the accounts of affected individuals have been reset to provide additional time to resolve balances, and affected individuals have been offered complimentary identity theft protection services for 12 months.

NuLife Med Settles Class Action Data Breach Lawsuit

The Manchester, New Hampshire-based medical equipment company, NuLife Med, has agreed to settle a class action lawsuit that was filed in response to a March 2022 data breach that affected more than 80,000 individuals.

NuLife Med identified suspicious activity within its computer network on March 11, 2022. The forensic investigation revealed hackers had access to its systems between March 9 and March 11, 2022, during which time data was viewed or exfiltrated. The compromised data included names, addresses, medical information, health insurance information, and in some cases, Social Security numbers, driver’s licenses, and financial account/credit card information.

A lawsuit was filed in the US District Court for the Southern District of Florida – Pires, et al. v. NuLife Med LLC – that alleged NuLife Med was negligent for failing to implement appropriate safeguards to keep patient data private and confidential, which allowed a data breach to occur that was entirely preventable. The lawsuit claimed that the plaintiff, Victor Pires, and similarly situated individuals, suffered an injury as a result of the negligence and incurred out-of-pocket expenses dealing with the data breach.

NuLife Med chose to settle the lawsuit to avoid the expense of ongoing litigation and the uncertainty of trial but admitted no wrongdoing. The total value of the settlement has not been disclosed. Individuals who received a notification letter from NuLife Med about the data breach are entitled to submit a claim if they can provide documented proof of losses and will receive a check for up to $25. Alternatively, class members can elect to receive one year of credit monitoring services instead.

The deadline for submitting a claim is June 20, 2023. The deadline for objection to or exclusion from the settlement is May 16, 2023. The final approval hearing for the settlement has been scheduled for June 5, 2023.

CommonSpirit Health Issues Update Confirming 164 Facilities Affected by Ransomware Attack

CommonSpirit Health has issued an update about its October 2022 ransomware attack and has confirmed that patients from 164 facilities were affected by the attack and had their sensitive data exposed or stolen. CommonSpirit Health detected the ransomware attack on October 2, 2022, and the forensic investigation revealed unauthorized individuals had access to its systems between September 16, 2022, and October 3, 2022.

In December 2022, CommonSpirit Health confirmed that the threat actor responsible for the attack had stolen patient data prior to encrypting files, and said patients of Franciscan Medical Group/Franciscan Health and Virginia Mason Franciscan Health facilities had been affected. Those individuals were notified about the data breach in December. In February 2023, CommonSpirit Health issued a further update confirming the attackers also obtained the data of patients of St. Luke’s Diagnostic Cath Lab, Diagnostic Heart Center in Houston, TX, and sent notifications to those individuals in February.

The latest update on the ransomware attack was issued on April 6, 2023, and confirmed that the breach affected patients who had received care at certain facilities operated by Catholic Health Initiatives, Dignity Health, Centura Health, and MercyOne and shared a list of 164 hospitals and care sites that are known to have been affected. The investigation confirmed that the attackers had access to two file servers that contained files that included patient data such as names, addresses, birth dates, phone numbers, email addresses, dates of service, medical record numbers, healthcare provider names, diagnosis/treatment information, medical billing/claims information, patient facility associated account/encounter numbers, and health insurance information and, for a small number of individuals, Social Security numbers.

CommonSpirit Health said the delay in issuing the latest notifications was due to the incredibly time-consuming review of all files stored on those file servers to determine if they contained patient data, and which patients had been affected. The initial phase of that process was completed on February 21, 2023, and then accurate address information needed to be found to allow notifications to be sent.

CommonSpirit Health reported the data breach to the HHS’ Office for Civil Rights on December 1, 2022, as affecting 623,774 individuals. That total has not been updated since, and CommonSpirit Health has not publicly confirmed at this stage exactly how many individuals have been affected. Given the number of hospitals now known to have been affected, that total is likely to increase by a substantial amount.

The full list of affected facilities detailed in the April 6 update is:

Hospital/Care Site State
St. Vincent Infirmary Little Rock Arkansas
St. Vincent North Sherwood Arkansas
St. Vincent Hot Springs Hot Springs Arkansas
St. Vincent Morrilton Morrilton Arkansas
CHI St. Vincent Medical Group Little Rock Arkansas
CHI St. Vincent Medical Group Hot Springs Arkansas
CHI Memorial Georgia Hospital Fort Oglethorpe Georgia
CHI Memorial – Parkway Ringgold Georgia
CHI Memorial Medical Group All Locations Georgia
CHI Health Mercy Council Bluffs Council Bluffs Iowa
CHI Health Missouri Valley Missouri Valley Iowa
CHI Health Mercy Corning Corning Iowa
Flaget Memorial Hospital Bardstown Kentucky
Saint Joseph Hospital Lexington, Nicholasville Kentucky
Saint Joseph Health Community Pharmacy Lexington Kentucky
Saint Joseph – Berea Berea Kentucky
Saint Joseph East Lexington Kentucky
Saint Joseph London London Kentucky
Saint Joseph Martin Martin (sold) Kentucky
Saint Joseph Mount Sterling Mount Sterling Kentucky
Saint Joseph Mount Sterling Outpatient Rehab Mount Sterling Kentucky
Saint Joseph Mount Sterling Outpatient Rehab Flemingsburg Kentucky
Continuing Care Hospital Lexington Kentucky
CHI Saint Joseph Medical Groups Central & Eastern Kentucky Kentucky
Jewish Hospital – Louisville (Sold), formerly part of CHI Kentucky
CHI LakeWood Health Baudette Minnesota
CHI St. Francis Health Breckenridge Minnesota
CHI St. Joseph’s Health Park Rapids Minnesota
CHI St. Gabriel’s Health Little Falls Minnesota
CHI St. Francis Home Breckenridge Minnesota
CHI Health at Home All locations Minnesota
CHI Health Lakeside Omaha Nebraska
CHI Health Midlands Papillion Nebraska
CHI Health Plainview Plainview Nebraska
CHI Health Creighton University Medical Center – Bergan Mercy Omaha Nebraska
Lasting Hope Recovery Center Omaha Nebraska
CHI Health Immanuel Omaha Nebraska
CHI Health Schuyler Schuyler Nebraska
CHI Health Good Samaritan Kearney Nebraska
CHI Health Richard Young Behavioral Health Kearney Nebraska
CHI Health Nebraska Heart Lincoln Nebraska
CHI Health St. Elizabeth Lincoln Nebraska
CHI Health St. Francis Grand Island Nebraska
CHI Health St. Mary’s Nebraska City Nebraska
The Physician Network (including Nebraska Specialty Network, and Lincoln Physician Network) All locations Nebraska
CHI St. Alexius Medical Center Bismarck North Dakota
CHI St. Alexius Health Carrington & Clinics (includes Foster County Medical Center) Carrington North Dakota
CHI St. Alexius Carrington Urgent Care Carrington North Dakota
CHI Lisbon Health Lisbon North Dakota
CHI St. Alexius Health Devils Lake & Clinics Devils Lake North Dakota
CHI Mercy Health Valley City Valley City North Dakota
CHI St. Alexius Health Williston Williston North Dakota
CHI Oakes Hospital & Clinics Oakes North Dakota
CHI St. Alexius Health Turtle Lake Turtle Lake North Dakota
CHI St. Alexius Health Garrison & Clinics Garrison North Dakota
CHI St. Alexius Health Dickinson & Clinics Dickinson North Dakota
CHI Health at Home Fargo North Dakota
CHI Friendship Fargo North Dakota
CHI St. Alexius Physician Clinics All Locations North Dakota
Trinity Medical Center East and West Steubenville Ohio
Trinity Hospital Twin City Dennison Ohio
Ross Park Pharmacy Steubenville Ohio
Trinity Professional Group All locations Ohio
Trinity Home Health All locations Ohio
CHI Mercy Health Medical Center Roseburg Oregon
CHI St. Anthony Medical Center Pendleton Oregon
Oregon Surgery Center Roseburg Oregon
Centennial Medical Group Roseburg Oregon
CHI St. Joseph Children’s Health Lancaster Pennsylvania
CHI Memorial Hospital Chattanooga Chattanooga Tennessee
CHI Memorial Hospital Chattanooga Outpatient Pharmacy Chattanooga Tennessee
CHI Memorial Hospital Hixson Hixson Tennessee
Chattanooga Heart Institute Chattanooga Tennessee
CHI Memorial Medical Group All Locations Tennessee
CHI Baylor St. Luke’s Medical Center Houston Texas
CHI St. Luke’s Health Hospital at The Vintage Houston Texas
CHI St. Luke’s Health Brazosport Hospital Lake Jackson Texas
CHI St. Luke’s Health Lakeside Hospital The Woodlands Texas
CHI St. Luke’s Health Patients Medical Center Pasadena Texas
CHI St. Luke’s Health Springwoods Village Spring Texas
CHI St. Luke’s Health Sugar Land Hospital Sugar Land Texas
CHI St. Luke’s Health The Woodlands The Woodlands Texas
CHI St. Joseph Regional Medical Center Bryan Texas
CHI St. Joseph Health Burleson Hospital Burleson Texas
CHI St. Joseph Health Grimes Hospital Navasota Texas
CHI St. Joseph Health Madison Hospital Madisonville Texas
CHI St. Joseph Health College Station Hospital College Station Texas
St. Joseph Encompass Health Rehab Bryan Texas
St. Joseph Skilled Nursing and Rehab Bryan and Caldwell Texas
CHI St Luke’s Health Memorial Lufkin Lufkin Texas
CHI St Luke’s Health Memorial Livingston Livingston Texas
CHI St Luke’s Health Memorial St. Augustine St. Augustine Texas
CHI St. Luke’s Medical Group All locations Texas
CHI St. Joseph Health Medical Group All locations Texas
CHI St. Luke’s Health Memorial Clinics All locations Texas
St. Michael Medical Center (formerly Harrison Hospital) Bremerton & Silverdale Washington
St. Anne Hospital (Formerly Highline Hospital) Burien Washington
St. Anthony Hospital Gig Harbor Washington
St. Clare Hospital Lakewood Washington
St. Elizabeth Hospital Enumclaw Washington
St. Francis Hospital Federal Way Washington
St. Joseph Hospital Tacoma Washington
The former CHI Franciscan Health System Tacoma Washington
Franciscan Health Medical Group All locations Washington
Franciscan Hospice and Palliative Care Tacoma Washington

The breach also affected patients who received care through CHI Health at Home at the following facilities:

Hospital/Care Site
Albany Area Home Health and Hospice North Dakota – closed
American Nursing Care Columbus, IN
American Nursing Care Dayton, OH
American Nursing Care Marion, OH
American Nursing Care Zanesville, OH
American-Mercy Home Care Cincinnati, OH
Amerimed Home Infusion Indianapolis, IN
Amerimed Home Infusion Lexington & Louisville, KY
Amerimed Home Infusion West Chester, OH
CHI Franciscan Health at Home University Place, WA
CHI Franciscan Hospice and Palliative Care Tacoma, WA
CHI Health at Home Breckenridge & Little Falls, MN
CHI Health at Home Bismarck, Dickinson, Valley City, & Williston, ND
CHI Health at Home Plainview, NE
CHI Health at Home Milford Cincinnati, OH
CHI Health at Home Hospice Lincoln & Omaha, NE
CHI Health at Home Infusion Omaha, NE
CHI Health at Home, Home Care Grand Island, Lincoln, Omaha, NE
CHI Health Pharmacy Omaha, NE
CHI Memorial Health at Home Chattanooga, TN
CHI St. Joseph’s Hospice Park Rapids, MN
CHI St. Vincent Health at Home Hot Springs, Little Rock & Morrilton, ARK
Community Health at Home Indianapolis, IN
Community Mercy Home Care Springfield, OH
Community Mercy Home Care Pharmacy West Chester, OH
Cornerstone Medical Services (closed) Cincinnati, Columbus, & Akron, OH
Deaconess Home Health Evansville, IN
Good Samaritan Home Care Vincennes, IN
Good Samaritan Home Care Lawrenceville, IL
Great Plains Rehabilitation Services Bismarck, Dickinson, ND
Hospice House University Place Tacoma, WA
Josie Harper Hospice House Omaha, NE
MedQuest Home Medical Equipment Williston, ND
Mercy Home Health Roseburg, OR
Reid Home Health Care Eaton, OH
Reid Home Health Care Richmond, IN
Southeastern Home Care Barnesville & Cambridge, OH
St. Elizabeth Home Care Florence, KY
St. Elizabeth Home Care Lawrenceburg, IN
St. Elizabeth Home Medical Equipment Lincoln, NE
St. Vincent Health at Home Arkansas
Virginia Mason Franciscan Pharmacy & Home Care Tacoma, WA
VNA Health at Home Clarksville, IN
VNA Health at Home Bardstown, Campbellsville, Elizabethtown, Lexington, London, & Louisville, KY
VNA Health at Home Hospice Bardstown & London, KY

Associated and Former CommonSpirit/CHI Facilities
Centura Health System Colorado and Kansas
Jewish Hospital Louisville, KY
Mercy Medical Center Des Moines and Affiliates Des Moines, Iowa
Mercy Home Health Services – Iowa Iowa
Mercy Hospice Johnston-Iowa Iowa
St. Clare’s Hospital Denville, NJ
St. Joseph Medical Center, Reading Reading, PA
University of Louisville Medical Center Louisville, KY

The post CommonSpirit Health Issues Update Confirming 164 Facilities Affected by Ransomware Attack appeared first on HIPAA Journal.