HIPAA Breach News

State of Maine Says 1.3 Million Individuals Affected by MOVEit Hack

The state of Maine has confirmed that it was affected by the mass hacking of a zero-day vulnerability in Progress Software’s MOVEit file transfer tool. The state learned of the vulnerability on May 31, 2023, when a patch was released by Progress Software to fix the flaw; however, the vulnerability had already been exploited by the Clop hacking group and files containing sensitive data were downloaded between May 28, 2023, and May 29, 2023.

The files contained the sensitive data of state residents, employees, and individuals who received services from state agencies. More than half of the employees affected worked at the state Department of Health and Human Services, and between 10% and 30% worked at the Department of Education. The breached information included names, dates of birth, driver’s license numbers, Social Security numbers, and health and medical information.

According to the notice filed with the Maine Attorney General, the data of 1,324,118 individuals was impacted, 534,194 of whom were Maine residents. Notification letters are now being issued and complimentary credit monitoring services have been offered to individuals who had their Social Security numbers exposed or stolen.

Greater Rochester Independent Practice Association Affected by MOVEit Hacks

Greater Rochester Independent Practice Association (GRIPA) in New York was also affected by the MOVEit hacks. GRIPA said it learned of the breach on May 31, 2023, when the patch was provided by Progress Software. Its forensic investigation confirmed on June 5, 2023, that files had been removed from its MOVEit server that included patients’ protected health information. A third-party vendor was engaged to review the files and the review was completed on September 1, 2023.

GRIPA said medical records were not compromised and the impacted data was very limited in nature. Affected individuals are being told what information was affected in their individual notifications. The compromised information included information such as the name of their doctor, date of last visit, and prescription information. If Social Security numbers were compromised, affected individuals can sign up for complimentary credit monitoring services.

The breach was reported to the HHS’ Office for Civil Rights as affecting up to 279,156 individuals.

Tri-City Medical Center Diverts Ambulances Following Cyberattack

Tri-City Medical Center in Oceanside, CA, is currently dealing with a cyberattack that has forced it to take certain systems offline. On November 9, 2023, the hospital was diverting ambulances to other hospitals as a precaution, although the medical center said it is prepared to manage emergency cases that may arrive in private vehicles and that it is working with other healthcare providers in the community to ensure that healthcare services are provided.

A forensic investigation has been launched to determine the nature and scope of the incident and whether sensitive data was stolen. Further information will be released in the coming days and weeks as the investigation progresses.

Optum Medical Group’s Crystal Run Healthcare Investigating Potential Cyberattack

Crystal Run Healthcare in Middletown, NY, which has been acquired by Optum Medical Group, says it is experiencing system issues that are impacting some of its services, resulting in longer than usual wait times. The disruption started on or around November 3, 2023, and as of November 10, 2023, the healthcare provider had still not recovered. The cause of the outage was not stated in the notification, but it is fair to assume that it was a cyberattack.

Butler County Confirms October Cyberattack

Butler County in Pennsylvania has confirmed that it has experienced a data security incident. The attack was detected in early October, and by the end of the month, it had been confirmed that the individual responsible had gained access to personally identifiable information, mostly relating to criminal court proceedings. The review of the affected data is ongoing and, at this stage of the investigation, the county has not yet confirmed exactly what data was stolen and how many individuals were affected.

Notification letters will be mailed to the affected individuals when the review has been completed and county officials said credit monitoring services will be offered. This is the second security breach to affect the county in as many months. In September, a jail employee’s account was accessed and personally identifiable information was compromised.

The post State of Maine Says 1.3 Million Individuals Affected by MOVEit Hack appeared first on HIPAA Journal.

November 8, 2023, Healthcare Data Breach Round-Up

Mulkay Cardiology Consultants at Holy Name Medical Center has recently confirmed that it fell victim to a ransomware attack. The attack was detected on September 5, 2023, when files on its network were encrypted. According to the breach notice, Mulkay was able to rebuild its systems and recover the encrypted files from backups.

Third-party forensics experts were engaged to investigate the breach and determined that its systems were compromised between September 1, 2023, and September 5, 2023, and during that time, files were exfiltrated that contained personal and protected health information. The compromised information included names, addresses, dates of birth, Social Security numbers, driver’s license numbers or state IDs, medical treatment information, and health insurance information. Mulkay said it has enhanced its technical safeguards to prevent similar incidents in the future. Affected individuals have been notified and offered complimentary credit monitoring services.

The breach was reported to the Maine Attorney General as affecting 79,582 individuals, although since the breach is not yet showing on the HHS’ Office for Civil Rights breach portal, it is unclear how many patients were affected. While Mulkay has indicated this was a ransomware attack, the group responsible was not mentioned; however, this appears to have been an attack by the NoEscape group, which was the subject of a recent analyst note from the Health Sector Cybersecurity Coordination Center (HC3). While NoEscape claimed on its data leak site to have stolen around 60GB of data, including the personal information of 30,000 patients, the listing has since been removed, which usually means a ransom has been paid, although this has not been confirmed by the HIPAA Journal.

BHS Physicians Network Reports Email Account Breach

BHS Physicians Network has recently confirmed a breach of a Microsoft Office 365-hosted business email account that was used by a medical assistant. The email account breach was detected on August 11, 2023, and the investigation confirmed that access to the account was possible between July 28, 2023, and August 15, 2023. The email account contained files that included the protected health information of patients of First California Physician Partners, Georgia Northside Ear, Nose, and Throat, and Greater Dallas Healthcare Enterprises.

BHS Physicians Network has confirmed that the email account was separate from its internal network and systems, which were not affected. On August 30, 2023, it was determined that the account contained demographic information such as full name, date of birth, and address, medical and/or treatment information such as dates of service, provider and facility names, procedure codes, and billing and claims information, such as account and/or claim status, transaction and charge identification numbers, patient account identifiers, and payor information.

BHS Physicians Network said security and monitoring capabilities have been enhanced and systems are being hardened to prevent similar breaches in the future. The breach was reported to the HHS’ Office for Civil Rights as affecting 1,857 individuals.

Life Generations Healthcare Email Accounts Compromised

Life Generations Healthcare (LGH), a Santa Ana, CA-based medical group, has recently announced that an unauthorized third party gained access to multiple employee email accounts between May 24 and June 13, 2023. While the breach notice does not state when the breach was detected, LGH has confirmed that the breach investigation revealed on October 4, 2023, that some of the accounts contained the protected health information of patients. The information exposed in the breach varied from patient to patient and may have included names, addresses, dates of birth, medical information, health insurance information, Social Security numbers, driver’s license numbers/state IDs, and financial account information.

Notification letters have been sent to the affected individuals and patients who had their Social Security numbers and/or driver’s license numbers exposed have been offered complimentary credit monitoring and identity theft protection services. The incident is not yet showing on the HHS’ Office for Civil Rights breach portal so it is unclear how many individuals have been affected.

MOVEit Transfer Hacking Victims

Cadence Bank

Cadence Bank has confirmed that it was affected by the recent mass hacking of the zero-day vulnerability in Progress Software’s MOVEit Transfer solution. The bank said the vulnerability was patched immediately when Progress Software released the patch; however, the vulnerability had already been exploited and data was stolen. Cadence Bank provides lockbox services to North Mississippi Health Services and its affiliates, and on June 18, 2023, the bank confirmed that the data of patients was involved. The compromised data included names, addresses, dates of birth, Social Security numbers, driver’s license numbers, health insurance information, medical and/or treatment information, and billing and claims information.

Cadence Bank said it has enhanced security and monitoring practices and strengthened system security. Complimentary credit monitoring services have been offered to individuals whose Social Security numbers, driver’s license numbers, and/or financial account information were involved. The breach was reported to the HHS’ Office for Civil Rights as affecting 13,862 individuals.

AlohaCare

AlohaCare, a Honolulu, HI-based community-led, non-profit health plan, has confirmed that the data of 12,982 members was compromised in the recent mass exploitation of a zero-day vulnerability in the MOVEit Transfer solution. The vulnerability was patched as soon as the patch was released by Progress Software; however, the vulnerability had already been exploited. The data stolen included names, addresses, dates of birth, and Social Security numbers. Affected individuals have been offered complimentary credit monitoring services.

Ransomware Gangs Claim Responsibility for Attacks on Healthcare Providers

The following healthcare providers have recently been added to the data leak sites of ransomware groups. As of the date of this post, the ransomware attacks have not been confirmed by the victims and no data has actually been leaked.

Summit Health (LockBit 3.0)

Summit Health, a Berkeley Heights, NJ, based multi-specialty medical practice with more than 340 locations, has recently been added to the LockBit 3.0 data leak site. The ransomware group gave Summit Health a deadline of November 8, 2023, to pay the ransom or the stolen data would be published. Summit Health has not confirmed the attack and has yet to report a data breach. The LockBit 3.0 data leak site does not state what data was obtained in the attack.

Cardiovascular Consultants (Qilin)

Cardiovascular Consultants in Arizona appears to have fallen victim to a ransomware attack by the Qilin group, which has recently uploaded a 205.93 GB compressed file to its data leak site that the group claims contains all of the data stolen in the attack; however, as of November 8, 2023, the link is not working and the data cannot be downloaded. Cardiovascular Consultants has yet to confirm the validity of the group’s claim.

BlackCat Ransomware Group Claims Responsibility for Attack on Henry Schein

The BlackCat (ALPHV) ransomware group has claimed responsibility for an attack on Henry Schein, a Fortune 500 distributor of dental and medical supplies and provider of practice management software and solutions for healthcare providers.

Henry Schein confirmed on October 15, 2023, that it had experienced a cybersecurity incident, which was detected on October 14, 2023. The incident affected a portion of its manufacturing and distribution business, which caused temporary disruption to its business operations. More than three weeks on, the company is still experiencing technical difficulties with its website and webshop. Third-party cybersecurity consultants have been engaged to investigate the breach and the data impact, and law enforcement has been notified. The incident is still being investigated; however, it has been determined that users of its client management software were unaffected.

According to the BlackCat group’s dark web data leak site, 35 terabytes of data were stolen in the attack, including payroll and shareholder data. The group claimed to have encrypted files and was negotiating with the company, and just when the company had almost completed restoring its systems, they were encrypted again as negotiations failed. BlackCat also threatened to publish some of the company’s payroll and shareholder data. The listing has since been removed, indicating negotiations have resumed.

Ventura Orthopedics Notifies Patients About 2020 Ransomware Attack

Ventura Orthopedics in California has recently started notifying patients that some of their protected health information was compromised in a July 20, 2020, ransomware attack. According to the company’s substitute breach notice, the security breach was discovered in September 2020 when files on its network were encrypted. A ransom demand was received, but Ventura Orthopedics was able to recover the encrypted files from data backups so the ransom was not paid. At the time, the investigation indicated the attackers gained access to the information of a single patient, who was notified at the time.

Further investigation into the incident has revealed additional patients were also affected. The hackers gained access to the files of a single physician and his physician assistant. Those files included names, dates of birth, and drug and laboratory testing results from 2016, 2017, and 2018. Notification letters are now being sent to those individuals.

According to DataBreaches, the Maze ransomware group added the company to its leak site and the Conti group later leaked the data of 1,850 individuals on its data leak site. The site tried to make contact with Ventura on several occasions and also filed a complaint with OCR about the incident, which OCR investigated. On September 13, 2023, the company said it had discovered additional data was involved, following a conference call with the site’s operator.

At present, the incident is not yet showing on the HHS’ Office for Civil Rights breach portal, and Ventura Orthopedics has not yet publicly disclosed how many individuals were affected.

PHI Exposed in Cyberattack on Edward C. Taylor, PhD

Edward C. Taylor, Ph.D., a provider of counseling and psychoeducational assessment services in Jacksonville, FL, has recently completed an investigation of a cyberattack. A security breach was detected on August 19, 2023, and third-party digital forensics specialists were engaged to investigate and determine the nature and scope of the incident. On or around October 5, 2023, it was confirmed that an unauthorized individual had gained access to its network for one day and exfiltrated files containing company information.

It was not possible to determine whether the stolen files contained any patient information; however, files were present on the compromised part of the network that included the protected health information of 6,684 patients. The exposed information included names, contact information, dates of birth, insurance information, information relating to mental health including clinical information, and diagnoses. Internal settings and controls have been updated and passwords changed to prevent similar breaches in the future.

Okta: Third-Party Vendor Incident and Breach of Customer Support System

Okta, a San Francisco-based provider of cloud identity and access management solutions, has confirmed that the personal information of 4,961 current and former employees has been exposed in a third-party data breach at its vendor, Rightway Healthcare.

Rightway Healthcare provides support to Okta employees and their dependents and helps them find healthcare providers and rates. According to the breach notice provided to the Maine Attorney General, Okta was notified by Rightway on October 12, 2023, that there had been unauthorized access to an eligibility census file, which was used in connection with the services provided to Okta. The file contained employee names, Social Security numbers, and health or medical insurance plan numbers. Rightway’s investigation revealed the unauthorized activity occurred on September 23, 2023. The stolen files were from April 2019 through 2020. Okta said complimentary credit monitoring, identity restoration, and fraud detection services have been offered to the affected individuals.

Customer Support System Breached

Okta has also been investigating a breach of its own customer support system and announced the breach a few days after confirming the breach at Rightway Healthcare. In this incident, an unauthorized individual gained access to the files of 134 of its customers.

Okta’s investigation into this breach revealed it was most likely caused by an employee signing into their personal Google profile using the Chrome web browser on their Okta-managed laptop. The employee had saved the credentials of their Okta service account in their personal Google account.

The employee’s Okta credentials were used to access client session cookies, which allowed the attacker to bypass login screens and multi-factor authentication. 134 Okta customers were affected, but only 5 Okta sessions were accessed. Three of the Okta customers affected have publicly disclosed the breach – 1Password, BeyondTrust, and Cloudflare. Okta said its investigation revealed the unauthorized activity occurred between September 28 and October 17, 2023.

The investigation of the breach was complicated due to the failure to identify file downloads in customer support vendor logs. When a user opens and views support files, a specific log event is generated along with a record ID that is tied to the file; however, if the user navigates away directly to the Files tab in the customer support system, different log events and record IDs are generated.

The threat actor navigated directly to the Files tab, and Okta’s initial investigation focused only on access to support cases using the initial log event and record ID. It was only when BeyondTrust identified a suspicious IP address on October 13, that Okta identified the additional file access events and linked them to the compromised employee account.
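The logging gap described above, as an added illustration that is not code from Okta, the support vendor, or the article: the event names, field names, and log lines below are constructed for the example and do not reproduce any real log schema. It shows why an investigation scoped to a single event type misses the second access path, and how pivoting on the actor or the source IP recovers every file reference regardless of how the file was reached.

```python
"""
Correlating support-system file access across event types.

Constructed example: viewing a file through a support case emits one
event type with its own record id, while going straight to a Files tab
emits a different event type with a different id. A query that only
looks at the case-view events therefore undercounts file access.
"""
import json
from collections import defaultdict

# Constructed sample log lines (JSON per line). Not real vendor logs;
# actor, case, record and file identifiers are invented, IPs are RFC 5737.
SAMPLE_LOGS = """
{"ts":"2023-10-02T14:03:11Z","event":"case.file.view","actor":"svc-support-example","src_ip":"203.0.113.77","case_id":"C-1001","record_id":"REC-5001"}
{"ts":"2023-10-02T14:05:40Z","event":"files.tab.download","actor":"svc-support-example","src_ip":"203.0.113.77","file_id":"F-9001"}
{"ts":"2023-10-03T09:12:02Z","event":"files.tab.download","actor":"svc-support-example","src_ip":"203.0.113.77","file_id":"F-9002"}
{"ts":"2023-10-03T09:30:55Z","event":"case.file.view","actor":"j.doe","src_ip":"198.51.100.10","case_id":"C-1002","record_id":"REC-5002"}
{"ts":"2023-10-04T11:00:00Z","event":"case.view","actor":"svc-support-example","src_ip":"203.0.113.77","case_id":"C-1003"}
""".strip().splitlines()

# Which field carries the file reference for each file-touching event type.
# Event types not listed here (e.g. plain case views) do not reference a file.
FILE_REF_FIELDS = {
    "case.file.view": "record_id",
    "files.tab.download": "file_id",
}


def parse_events(lines):
    """Parse JSON-per-line log text into a list of event dicts."""
    return [json.loads(line) for line in lines if line.strip()]


def case_scoped_file_access(events, actor):
    """The narrow query: file views reached through a support case only.

    This mirrors an investigation that keys on one event type and its
    record id; it cannot see files reached via the Files tab.
    """
    return sorted(
        e["record_id"]
        for e in events
        if e["actor"] == actor and e["event"] == "case.file.view"
    )


def actor_scoped_file_access(events, actor):
    """The broader query: every file-referencing event for the actor.

    Pivots on the actor rather than on a single event type, and reads the
    file reference from whichever field that event type uses.
    """
    found = defaultdict(list)
    for e in events:
        if e["actor"] != actor:
            continue
        field = FILE_REF_FIELDS.get(e["event"])
        if field is not None:
            found[e["event"]].append(e[field])
    return {k: sorted(v) for k, v in found.items()}


def actors_from_ip(events, src_ip):
    """Pivot on a suspicious source IP to find which accounts used it."""
    return sorted({e["actor"] for e in events if e["src_ip"] == src_ip})


def missed_by_case_scope(events, actor):
    """File references the narrow query misses but the actor pivot finds."""
    narrow = set(case_scoped_file_access(events, actor))
    broad = {ref for refs in actor_scoped_file_access(events, actor).values() for ref in refs}
    return sorted(broad - narrow)


EVENTS = parse_events(SAMPLE_LOGS)

if __name__ == "__main__":
    acct = "svc-support-example"
    print("case-scoped:", case_scoped_file_access(EVENTS, acct))
    print("actor-scoped:", actor_scoped_file_access(EVENTS, acct))
    print("actors using 203.0.113.77:", actors_from_ip(EVENTS, "203.0.113.77"))
    print("missed by case scope:", missed_by_case_scope(EVENTS, acct))
```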

Cook County Health Says Information of 1.2 Million Patients Has Potentially Been Compromised

Cook County Health in Chicago, Illinois has recently confirmed that the protected health information of up to 1.2 million patients has potentially been obtained by an unauthorized individual in a cyberattack on one of its business associates.

Cook County Health operates John H. Stroger, Jr. Hospital of Cook County and Provident Hospital of Cook County in Chicago, four pharmacies, two health services including the Cook County Department of Public Health, and 15 community health centers in Cook County, the most populous county in Illinois. Cook County Health contracted with Perry Johnson & Associates, Inc. (PJ&A), a Nevada medical transcription service provider, which was provided access to patient data to complete its contracted duties.

On July 21, 2023, PJ&A notified Cook County Health that a data security incident had been detected and was under investigation. PJ&A engaged third-party cybersecurity experts to assist with the investigation and notified law enforcement, including the Federal Bureau of Investigation, and has been assisting the FBI with its investigation. According to the PJ&A substitute breach notice, a security breach was detected on May 2, 2023, and the subsequent forensic investigation confirmed its systems were accessed by an unauthorized individual between March 27, 2023, and May 2, 2023.

On July 26, 2023, PJ&A notified Cook County Health that patient data was stored in systems that had been accessed in the attack and that its forensic investigation had confirmed that the unauthorized individual accessed and exfiltrated the data of Cook County Health patients between April 7, 2023, and April 19, 2023. Cook County Health said it stopped sharing data with PJ&A when it was notified about the data breach and has since terminated its business relationship with the firm. A final list of the affected individuals was provided to Cook County Health on October 9, 2023. Cook County Health said it was one of many organizations affected by the PJ&A data breach.

Cook County Health has confirmed that the breach only involved the systems at PJ&A. Its own IT systems were not affected. The information that was exposed or stolen included names, dates of birth, addresses, medical record numbers, encounter numbers, medical information, and dates/times of service. Approximately 2,600 patients also had their Social Security numbers exposed. PJ&A explained in its breach notice that other customers had similar data stolen, which may also have included insurance information and clinical information, as well as other information found in medical transcription files, such as laboratory and diagnostic testing results, medications, the name of the treatment facility, and the names of healthcare providers.

Cook County Health said it will start mailing notification letters to the affected individuals this week and will provide them with information on the steps they can take to protect themselves against misuse of their personal and protected health information. Individuals who have had their Social Security numbers exposed will be offered complimentary credit monitoring and identity theft protection services. While data theft has been confirmed, Cook County Health said it is unaware of any attempted or actual misuse of patient data.

Cook County Health reported the breach to the Department of Health and Human Services’ Office for Civil Rights on September 24, 2023, as affecting at least 500 individuals. The HIPAA Breach Notification Rule requires data breaches to be reported no later than 60 days from the discovery of the breach, so 500 was used as a placeholder until PJ&A provided the final list of affected individuals.

PJ&A said it has implemented additional technical restrictions in its systems and has deployed an endpoint detection and response system to monitor for any unauthorized access. Cook County Health was not the only client to have been affected by the incident, although at this stage it is unclear how many of its clients have had data stolen and how many individuals in total have been affected.

Vendors that provide services to the healthcare industry that require access to patient data are attractive targets for cybercriminals. They often store large amounts of healthcare data and work with many different hospitals and health systems. Oftentimes, they have privileged access to the networks of their healthcare provider clients, so an attack on a business associate could provide a threat actor with access to the networks of many organizations. Cybercriminal gangs are constantly looking for ways to maximize the return on their efforts, so attacking a business associate makes perfect sense.

While there are more attacks on healthcare providers than business associates, attacks on business associates allow cybercriminals to obtain large quantities of data. An analysis of healthcare data breaches in the first half of 2023 by Critical Insight found that almost 50% of the healthcare records exposed or stolen in the first half of the year were due to cyberattacks on the third-party business associates of healthcare providers and health plans. Data breaches at business associates of healthcare providers and health plans involved an average of 304,000 healthcare records, compared to an average of 86,000 records for attacks on healthcare providers and health plans.

“Hackers are increasingly targeting the weakest links and vulnerable points in the supply chain, specifically business associates or third-party companies that offer services to healthcare organizations,” said John Delano, healthcare cybersecurity strategist at Critical Insight. “Now more than ever, healthcare organizations must remain vigilant of their security and exposures within their supply chain as attackers constantly adapt new strategies.”

Ransomware Attack on Texas Mental Health Service Provider Impacts 172K Patients

Deer Oaks Behavioral Health, a mental health service in San Antonio, TX, fell victim to a ransomware attack on September 1, 2023. According to its breach notice, its antivirus software immediately detected and contained the threat, and encryption was limited to a single segment of its network.

A third-party cybersecurity firm was engaged to investigate the security breach, determine the root cause of the attack, and identify the extent to which its network had been breached. The forensic investigation confirmed that files stored on the compromised network server included patients’ protected health information. The review of the files was completed on September 29, 2023, and confirmed they contained information such as names, addresses, dates of birth, Social Security numbers, diagnosis codes, insurance information, and treatment service types. Deer Oaks then verified contact information, and notification letters started to be mailed to the affected individuals on October 31, 2023.

The breach has been reported to the Maine Attorney General as affecting up to 171,871 individuals, including 460 Maine residents. The affected individuals have been offered identity theft protection and credit monitoring services through IDX. Deer Oaks said data privacy and security are among its highest priorities, and it moved quickly to secure its systems, investigate the breach, notify the affected individuals, and implement additional measures to further improve security. The investigation into the attack is ongoing, but notifying the affected individuals was a priority.

Healthcare organizations continue to be targeted by ransomware groups. While there are growing numbers of attacks involving data theft and extortion without file encryption, around three-quarters of attacks on healthcare organizations see data encrypted, according to Sophos. NCC Group recently reported an 86% month-over-month increase in healthcare ransomware attacks in September. While some of the large ransomware groups have a policy of not attacking healthcare providers, there has been an alarming increase in active ransomware groups. NCC Group tracked 86% more active ransomware groups in September 2023 than the same time last year, and several of these groups have conducted large numbers of attacks and have no issue with attacking healthcare organizations.

Western Washington Medical Group Reports 350,000-Record Data Breach

Western Washington Medical Group, a team of more than 100 providers serving patients in Snohomish, Skagit, Island, and Whatcom counties in Washington state, has recently reported a data breach to the HHS’ Office for Civil Rights (OCR) that has affected up to 350,863 patients.

At this stage, little is known about the Western Washington Medical Group data breach. The breach was reported to OCR on October 26, 2023, but there is no notice on the medical group’s website or the Washington Attorney General’s website at this stage. All that is currently known is this was a hacking/IT incident involving one or more network servers. Based on the HHS breach summary, the breach occurred at Western Washington Medical Group and did not involve any business associates.

This post will be updated when further information becomes available.

Dakota Eye Institute Reports Hacking/IT Incident Impacting 107,143 Patients

Bismarck, ND-based Dakota Eye Institute (DEI), has recently reported a data breach to OCR that involved the protected health information of up to 107,143 patients. DEI explained in its website substitute data breach notification that it experienced a cybersecurity incident and engaged third-party cybersecurity experts to assess, contain, and remediate the incident.

No information was provided about the nature of the breach, when it was detected, how long its systems were accessed or data was exposed, or the types of information involved. The OCR breach report indicates no business associate involvement. Affected individuals are being notified by mail and have been offered complimentary credit monitoring services. DEI said it has reviewed and enhanced its data security policies and procedures to help reduce the likelihood of a similar event in the future.

Dallas County Investigating Attempted Ransomware Attack

Dallas County officials have confirmed that they detected a cybersecurity incident on October 19, 2023, which appears to have been an attempted ransomware attack. The cybersecurity experts engaged to assist with containing the incident were able to prevent any files from being encrypted. Access is thought to have been gained via a phishing email. The investigation into the breach is ongoing and little information has been released at this stage, such as whether sensitive data was exfiltrated in the attack. Further information will be released as the forensic investigation advances.

On October 28, 2023, the Play hacking group claimed responsibility for the attack and added Dallas County to its data leak site. Currently, no stolen data has been leaked on the dark web site; however, the threat group has given county officials until Friday, November 3, 2023, to make contact and pay the ransom, otherwise the stolen data will be published. The group does not state how much data was stolen, only that the data obtained includes private documents of Dallas County departments.

The Play hacking group is known to target government entities and was behind an earlier attack on the City of Oakland in California. The group published stolen data when the ransom was not paid. In that attack, they stole the personal data of city employees, including financial information, IDs, passports, and human rights violation information.

Doctors’ Management Services Settles OCR HIPAA Probe for $100,000

The HHS’ Office for Civil Rights (OCR) has agreed to a $100,000 settlement with Doctors’ Management Services to resolve an investigation of a ransomware attack and data breach that uncovered multiple potential violations of the HIPAA Security Rule.

Doctors’ Management Services (DMS) is a Massachusetts-based medical management company whose services include medical billing and payor credentialing. DMS identified an intrusion on December 24, 2018, when GandCrab ransomware was used to encrypt files on its network. The forensic investigation confirmed the attackers first gained access to its network on April 1, 2017.

According to DMS, the threat actor gained access to its network via Remote Desktop Protocol (RDP) on one of its workstations and potentially obtained names, addresses, dates of birth, Social Security numbers, insurance information, Medicare/Medicaid ID numbers, driver’s license numbers, and diagnostic information. The breach was reported to OCR on April 22, 2019, as affecting up to 206,695 individuals.

OCR opened an investigation of the breach to determine whether DMS had complied with the HIPAA Rules and uncovered multiple potential violations of the HIPAA Rules. In addition to the impermissible disclosure of the protected health information of 206,695 individuals, OCR determined that DMS had failed to conduct an accurate and thorough risk analysis to assess technical, physical, and environmental risks and vulnerabilities associated with the handling of ePHI.

DMS was also found to have failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. OCR also determined that DMS had not implemented reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of the Security Rule.

DMS agreed to settle the investigation with no admission of liability. Under the terms of the settlement, DMS has agreed to pay a $100,000 financial penalty and implement a corrective action plan (CAP) to resolve the potential HIPAA violations identified by OCR. The CAP includes requirements to update its risk analysis, risk management program, HIPAA Privacy and Security Rule policies and procedures, and workforce HIPAA training. In its settlement announcement, OCR also recommended several cybersecurity best practices that all HIPAA-regulated entities should implement to prevent and mitigate cyber threats.

OCR said this is the first HIPAA settlement agreement it has reached in response to a ransomware attack. Given the number of ransomware attacks in the past five years, which have increased by 278% since 2018, it is likely to be the first of many. “Our settlement highlights how ransomware attacks are increasingly common and targeting the health care system. This leaves hospitals and their patients vulnerable to data and security breaches,” said OCR Director, Melanie Fontes Rainer. “In this ever-evolving space, it is critical that our health care system take steps to identify and address cybersecurity vulnerabilities along with proactively and regularly review risks, records, and update policies. These practices should happen regularly across an enterprise to prevent future attacks.”

October is Cybersecurity Awareness Month, and in recognition, OCR released a cybersecurity video that explains how HIPAA Security Rule compliance can help healthcare organizations improve their defenses against cyberattacks and block the most common attack vectors. CISA and the HHS have also recently released a cybersecurity toolkit, which includes key cybersecurity tools, training material, and other resources for strengthening security posture and keeping up to date on the latest threats. This month, CISA released a log management tool to help under-resourced organizations reduce their log management burden and search for signs of compromise, and CISA, the NSA, FBI, and MS-ISAC have issued joint guidance on blocking phishing.

It has never been more important to ensure appropriate cybersecurity measures are in place, given the 239% increase in data breaches due to hacking in the past four years and the extent to which healthcare records are now being breached. Breached records are up 60% on last year and, at the time of writing, 88 million healthcare records are known to have been breached so far in 2023.


Hospital Sisters Health System Starts Notifying Individuals About August Cyberattack

Hospital Sisters Health System (HSHS) in Springfield, IL, and Prevea Health in Green Bay, WI, were affected by a cyberattack in late August which caused an outage on August 27, 2023, that affected their computer systems, phone lines, and websites. The outage lasted for several days, during which time HSHS and Prevea operated under downtime procedures. The attack took their websites and certain applications offline, including the MyChart and MyPrevea applications. HSHS was also unable to process online payments as its computer system was offline, but care continued to be provided to patients.

HSHS decided to suspend collecting payments for outstanding bills while it was recovering from the attack, although some of its partners in Illinois and Wisconsin continued to send bills to patients. In early September, HSHS published an open letter to patients warning them about the potential misuse of their information, as reports had been received from some patients who had been contacted by email, SMS, and phone by an unidentified third party that claimed to be an HSHS representative and was attempting to obtain payment for services. In the letter, HSHS advised patients not to respond to suspicious requests for payment via email, SMS, or phone and to carefully check bills before making any payment. HSHS said that if such a message or SMS is received, patients should save it and email it to questions@hshs.org so that it can be investigated; HSHS and Prevea Health would then determine whether the request was legitimate or fraudulent.

HSHS has now confirmed that an unauthorized third party had accessed its systems that contained the personal and protected health information of patients and HSHS employees and said it has been investigating the breach and reviewing the data potentially compromised in the incident. While the open letter suggests that there was attempted misuse of stolen data, HSHS said it is unaware of any cases of fraud or identity theft. On October 26, 2023, notification letters started to be sent to the affected individuals, who have been offered complimentary credit monitoring and identity theft protection services. HSHS said it takes time to fully investigate incidents and notify the affected individuals, and more time is required for the data review process; however, notifications are being issued on a rolling basis.

HSHS said the appropriate authorities have been informed about the breach; however, the incident has yet to appear on the HHS’ Office for Civil Rights breach portal, and neither HSHS nor Prevea has publicly confirmed how many individuals have potentially been affected.
