HIPAA Breach News

Hacking Incidents Reported by Chippewa County and Frideres Dental

The Chippewa County Human Resources Division in Wisconsin has recently discovered that the laptop computer of an employee has been compromised and 25-35MB of data was stolen from the device, including information protected under HIPAA.

Access to the device was gained through a remote access application, which was downloaded to the device on February 28, 2023. An unknown individual then used the application to access the computer. The employee noticed the access on March 1, 2023, and alerted the IT department, which was able to block further access. According to Chippewa County officials, the unauthorized individual had access to the device for approximately 5 minutes, during which time files were exfiltrated. The investigation confirmed that the breach was limited to one device.

It is unclear how the remote access application was downloaded to the device, but it is suspected that this was a drive-by download after the employee inadvertently clicked a link in a phishing email or on a website, or via a website pop-up. The files were reviewed, and it was confirmed that 7 of the copied files contained protected health information such as names, medical history numbers, prescription information, the date the prescriptions were signed, and the prescribing doctors’ initials. The breach was reported to the HHS’ Office for Civil Rights as affecting 842 individuals.

Cyberattack Affects Frideres Dental Patients

Frideres Dental in Oregon has recently confirmed that the protected health information of 1,596 patients has potentially been compromised in a cyberattack. It is unclear from the breach notice when the attack occurred and when it was detected, but the review of the affected files was completed on January 25, 2023, and a list of the affected patients was obtained. The files potentially accessed or obtained included names, dates of birth, medical treatment information, health insurance information, and, for a limited number of individuals, Social Security numbers.

No reports have been received to date to indicate misuse of any of the affected information; however, as a precaution, Frideres Dental is offering 12 months of complimentary credit monitoring services to affected individuals.

Henrico Doctors’ Hospital Reports Email Error

Henrico Doctors’ Hospital in Virginia has notified 990 individuals about an email error that exposed email addresses and identified them as having received surgery at the hospital. No other information was exposed.

On February 7, 2023, the hospital discovered that an employee had accidentally sent a group email where the email addresses were put in the To field rather than the BCC field, and could therefore be viewed by all recipients of the email. Steps have been taken by the hospital to prevent similar incidents in the future.

The post Hacking Incidents Reported by Chippewa County and Frideres Dental appeared first on HIPAA Journal.

99% of Hospitals Use Website Tracking Code That Transmits Data to Third Parties

New research indicates virtually all U.S. hospitals have been using tracking software on their websites that captures visitor data, including health information, and transfers that information to third parties. The study – published this month in Health Affairs – was conducted by researchers at the University of Pennsylvania. They used the 2019 American Hospital Association (AHA) Annual Survey to identify hospitals and narrowed their study to nonfederal acute care hospitals with an emergency department, which were not ambulatory surgery centers or freestanding long-term care facilities. The websites of 3,747 U.S. hospitals were assessed in the study.

The researchers used an open-source tool called WebXray to identify third-party tracking code and recorded data requests on the hospital websites over a 3-day period in 2021. The researchers also recorded cookies and data stored on browsers that would allow visitors to the websites to be tracked across the Internet.  They found 98.6% of the hospitals used at least one type of tracking code on their websites that transferred data to third parties and 94.3% used cookies that allowed visitors to the websites to be tracked across the Internet. Over the three-day study period, the home pages of the websites initiated a median of 16 data transfers.

The tracking code, sometimes referred to as pixels, is provided by third parties for use on websites for tracking visitors and the code is incredibly common across the Internet. The code is used to record website interactions, such as the pages visited, how visitors arrived on the website, and the sites they visited when they left. The data collected through the code can be used by website operators to improve their websites and services, but the data collected is also transferred to the third parties that provide the code.

While these technologies can be found on virtually all websites, the Health Insurance Portability and Accountability Act (HIPAA) does not permit the use of these technologies unless certain conditions are met as the tracking code can collect individually identifiable health information, including visits to web pages about specific medical conditions such as HIV, cancer, and Alzheimer’s disease, and information entered into web forms.

The third parties receiving the information are typically not HIPAA-regulated entities, which means uses and disclosures of the transferred data are largely unregulated. The transferred information could be used for a variety of purposes, such as serving targeted advertisements related to medical conditions, health insurance, or medications. What actually happens to the transferred data is unclear.

The HHS’ Office for Civil Rights (OCR) recently issued guidance for HIPAA-regulated entities on the use of tracking technologies on websites and apps and confirmed that the use of these technologies is not permitted by the HIPAA Privacy Rule unless the third parties receiving protected health information are legitimate business associates and a business associate agreement has been signed. Alternatively, authorizations are required before protected health information is transferred.

According to the study, hospitals in health systems, hospitals with a medical school affiliation, and hospitals serving urban patient populations had more third-party data transfers than other hospitals. The researchers hypothesized that this could be due to the websites providing a more extensive range of services, the inclusion of third-party apps on the website – Google Maps for example – or a higher level of website advertising.

The third parties that most commonly received data were Alphabet (Google) – 98.5% of websites, Meta (Facebook) – 55.6% of websites, and Adobe Systems – 31.4% of websites. Other third parties commonly sent visitor data include AT&T, The Trade Desk, Oracle, Verizon, Rubicon Project, Amazon, Microsoft, Hotjar, StackPath, Siteimprove, Cloudflare, and Acxiom.

“By including third-party tracking code on their websites, hospitals are facilitating the profiling of their patients by third parties,” wrote the researchers. “These practices can lead to dignitary harms, which occur when third parties gain access to sensitive health information that a person would not wish to share. These practices may also lead to increased health-related advertising that targets patients, as well as to legal liability for hospitals.”

In 2021, three Boston hospitals – Massachusetts General Hospital, Brigham and Women’s Hospital, and Dana Farber Cancer Institute – agreed to pay more than $18 million to settle allegations they had shared website user data with third parties without consent, and many more lawsuits against healthcare providers are pending.

Given the recent guidance from OCR and the extent to which tracking code has been used, all hospitals should review their websites for tracking code and ensure that business associate agreements are in place, patient authorizations are obtained, or that the code is removed from the websites or is made HIPAA-compliant. If tracking code is found and protected health information has been impermissibly disclosed, it is a reportable data breach: the HHS must be informed and notifications sent to affected patients.
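The review recommended above can start from a recording of the requests a page makes. The following Python example is added here for illustration and is not code from the study, from WebXray, or from HIPAA Journal; it reports, per third party, whether the visited page's path, a value typed into a form, or a cookie was involved. The record format, the `.example` hostnames, and the function names are constructed assumptions.

```python
from urllib.parse import parse_qsl, unquote, urlsplit


def site(host):
    # Assumption: the last two labels approximate the registrable domain.
    # A production audit should use the Public Suffix List instead.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def audit_transfers(page_url, requests, typed_values):
    """Summarise what each third party received while page_url was loaded.

    requests     -- list of dicts: url, headers, body, response_headers
                    (a simplified, constructed stand-in for a HAR export)
    typed_values -- form field name -> test value the auditor entered
    """
    page = urlsplit(page_url)
    first_party = site(page.hostname)
    findings = {}
    for req in requests:
        target = urlsplit(req["url"])
        if not target.hostname or site(target.hostname) == first_party:
            continue  # same-site request, or a data:/blob: URL
        entry = findings.setdefault(site(target.hostname), {
            "requests": 0,
            "page_url_sent": False,
            "sets_cookie": False,
            "form_fields_sent": [],
        })
        entry["requests"] += 1

        # Everything the third party can read from this request.
        # parse_qsl percent-decodes, so an encoded page URL still matches.
        sent = [v for _, v in parse_qsl(target.query, keep_blank_values=True)]
        sent.append(unquote(req.get("body", "")))
        # A Referer trimmed to the origin has path "/" and reveals no page.
        referer = req.get("headers", {}).get("Referer", "")
        sent.append(urlsplit(referer).path)

        # The path of a condition page is itself health information.
        if page.path not in ("", "/") and any(page.path in v for v in sent):
            entry["page_url_sent"] = True
        for field, value in typed_values.items():
            leaked = value and any(value in v for v in sent)
            if leaked and field not in entry["form_fields_sent"]:
                entry["form_fields_sent"].append(field)
        # A third-party cookie lets the visitor be recognised on other sites.
        if "Set-Cookie" in req.get("response_headers", {}):
            entry["sets_cookie"] = True
    return findings


# Constructed sample data: one page view followed by a form submission.
SAMPLE_PAGE = "https://www.hospital.example/conditions/hiv-care"
SAMPLE_TYPED = {"email": "pat@mail.example"}
SAMPLE_REQUESTS = [
    {"url": "https://www.hospital.example/static/app.js"},
    {
        "url": "https://px.tracker.example/collect?dl=https%3A%2F%2F"
               "www.hospital.example%2Fconditions%2Fhiv-care&ev=PageView",
        "headers": {"Referer": "https://www.hospital.example/"},
        "response_headers": {"Set-Cookie": "uid=constructed; Max-Age=31536000"},
    },
    {
        "url": "https://px.tracker.example/collect?ev=FormSubmit"
               "&em=pat%40mail.example",
        "headers": {"Referer": "https://www.hospital.example/"},
    },
    {
        "url": "https://maps.widgets.example/embed.js",
        "headers": {"Referer": "https://www.hospital.example/"},
    },
]

if __name__ == "__main__":
    for party, result in audit_transfers(
            SAMPLE_PAGE, SAMPLE_REQUESTS, SAMPLE_TYPED).items():
        print(party, result)
```

Each third party flagged with `page_url_sent` or `form_fields_sent` is a candidate for the business associate agreement, authorization, or removal decision described above.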

The post 99% of Hospitals Use Website Tracking Code That Transmits Data to Third Parties appeared first on HIPAA Journal.

Tallahassee Memorial Healthcare: Patient Data Stolen in Cyberattack

Tallahassee Memorial Healthcare (TMH), a non-profit health system serving patients in North Florida and South Georgia, experienced a cyberattack in late January that forced it to operate under emergency downtime procedures for around two weeks. According to the TMH breach notification, unusual system activity was detected on February 3, 2023, and its systems were secured. A third-party cybersecurity firm was engaged to investigate the breach and determined that unauthorized individuals had access to its systems between January 26 and February 2, 2023, and exfiltrated files during that time. Cyberattacks such as this often involve ransomware, although it is unclear if ransomware was used in this attack. TMH did not share further information on the exact nature of the attack.

The review of the stolen files has now been completed and affected individuals started to be notified about the incident on March 31, 2023. The information that was viewed or obtained included names, addresses, dates of birth, Social Security numbers, health insurance information, medical record numbers, patient account numbers, and/or limited treatment information. TMH confirmed that its electronic medical record system was not accessed in the attack.

The data breach has yet to appear on the HHS’ Office for Civil Rights breach portal, so the exact number of affected individuals is not known, but it is understood to be around 20,000 individuals. Complimentary credit monitoring and identity protection services have been offered to individuals whose Social Security numbers were included in the breached data.

Guam Memorial Hospital Investigating Cyberattack

Guam Memorial Hospital (GMH) is investigating a cyberattack that saw unauthorized individuals gain access to its network. The security breach was detected on March 2, 2023, and steps were immediately taken to secure its systems. Efforts are underway to restore its systems and its firewalls have been replaced. GMH legal counsel Jeremiah Luther confirmed that the investigation will be completed within 60 days and notifications will be issued if it is determined that patient data was involved. Luther said no patient or employee information appears to have been compromised.

Luther said a network security flaw was identified, that the flaw appears to have been exploited to gain access to its network, and that there is evidence that suggests multiple instances of unauthorized access. GMH has reported the breach to the FBI and Homeland Security and information has been provided on a suspect. No further information about the exact nature of the attack has been released. Once systems have been restored, Luther said Homeland Security will conduct an assessment of security and will make recommendations on any areas where security should be improved.

Top of the World Ranch Treatment Center

Top of the World Ranch Treatment Center, a Milan, IL-based provider of addiction treatment programs, has started notifying 1,980 individuals that some of their protected health information was contained in a business email account that was accessed by an unauthorized individual for several hours on November 17, 2022.

A review of the account confirmed it contained sensitive data such as names, Social Security numbers, diagnosis and treatment information, provider names, patient identification numbers, and health insurance information. The investigation was unable to confirm whether that information was viewed or acquired, but as a precaution, affected individuals have been offered complimentary identity theft protection and credit monitoring services for 12 months. Security policies have been reviewed with respect to email security and additional training has been provided to employees.

Merritt Healthcare Advisors – Email Account Breach

The Ridgefield, CT-based healthcare advisory firm, Merritt Healthcare Advisors, has recently reported a data breach to the California Attorney General that exposed the data of some of its healthcare clients. On November 30, 2022, Merritt discovered a single employee email account had been accessed by an unauthorized individual between July 30, 2022, and August 25, 2022. Notification letters were sent to affected individuals on February 28, 2023. Complimentary credit monitoring and identity theft protection services have been offered to affected individuals.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal so it is currently unclear how many individuals have been affected.

The post Tallahassee Memorial Healthcare: Patient Data Stolen in Cyberattack appeared first on HIPAA Journal.

Montgomery General Hospital Suffers Ransomware Attack and Data Leak

Montgomery General Hospital in West Virginia has suffered a cyberattack that saw unauthorized individuals gain access to its IT systems on or around February 28, 2023, and deploy ransomware on or around March 1, 2023. The attackers gained access to certain servers, exfiltrated files, and encrypted data. Montgomery General Hospital engaged a third-party security firm to assist with the investigation to determine the extent of the breach and has confirmed that its cloud-based electronic medical record system was not affected. The exfiltrated files mostly contained historical data, including budget documents, cost reports, and vendor payments; however, some of the files contained patient information.

At this stage of the investigation, the extent to which patient information has been compromised is still being determined. The hospital has confirmed that notifications will be sent to affected patients ahead of the 60-day reporting deadline of the Breach Notification Rule and credit monitoring services will be offered to individuals whose Social Security numbers were involved. Montgomery General Hospital said it temporarily took its electronic medical record system offline as a precaution, but access was promptly restored and patient care was unaffected by the attack. A hospital spokesperson confirmed that a ransom demand was received for $750,000 but the ransom was not paid on the advice of law enforcement and due to the historical nature of the compromised data. The hospital’s investigation indicates the incident started with a phishing attack and the hospital is aware that some of the stolen files have been publicly released on the ransomware group’s data leak site.

The D#nut ransomware gang has claimed responsibility for the cyberattack and said it had entered into negotiations with the hospital, but lost patience and started to release some of the stolen data on its data leak site. A member of the group contacted DataBreaches and shared a link to the published data and the site confirmed the published files included employee data. When questioned, the group said access was gained by exploiting a Microsoft Exchange vulnerability.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal so it is unclear to what extent patient data has been exposed or compromised.

The post Montgomery General Hospital Suffers Ransomware Attack and Data Leak appeared first on HIPAA Journal.

Hospitals Notify Patients About 2021 Phishing Attack on Adelanto HealthCare Ventures

Several hospitals have started notifying patients about a data breach at the consulting company, Adelanto HealthCare Ventures (AHCV).  AHCV has offices in Washington D.C., Nashville, Tennessee, and Austin and Laredo in Texas, and provides transactional advisory support and other services. AHCV provided services to an unnamed business associate of the affected hospitals. According to the breach notifications recently issued by the hospitals, their business associate provided AHCV with claim information on their patients to allow AHCV to perform its contracted services.

On November 5, 2021, AHCV determined that the email accounts of two of its employees had been accessed by unauthorized individuals after the employees responded to phishing emails. AHCV launched an investigation into the data breach but initially concluded that the email accounts did not contain any protected health information. On December 21, 2021, AHCV determined that one of the email accounts did contain patient information, which may have been accessed in the attack. It took until August 19, 2022, for AHCV to confirm to its business associate that some protected health information had likely been compromised.

The business associate launched an investigation and worked with AHCV to obtain further information on the PHI involved and the individuals affected but was not provided with sufficient information to conduct its analysis until December 27, 2022. The business associate then informed the hospitals that had been affected on January 28, 2023, and the hospitals started issuing breach notifications two months later at the end of March – 16 months after the breach occurred. The compromised information included the following data elements: name, facility name, Medicaid claim ID, Medicaid client ID, care plan name, Medicaid program, gender, date of birth, admission and discharge date, medical and diagnosis information, and mental health comorbidity.

AHCV has augmented its security measures and has provided further security awareness training to its employees. There has been no detected misuse of patient data as a result of the incident; however, as a precaution, affected individuals are being offered complimentary credit monitoring and identity theft restoration services for 12 months.

It is currently unclear exactly how many hospitals/healthcare providers have been affected, and the number of affected individuals is not yet known. The hospitals that have reported the data breach so far are listed below:

Healthcare Provider                                      Individuals Affected
St. Luke’s Health (TX)                                   16,906
Doctors Hospital of Laredo (TX)                          500 (potentially placeholder)
McAllen Hospitals dba South Texas Health System (TX)     Unknown
Fort Duncan Regional Medical Center (TX)                 Unknown
Northwest Texas Healthcare System (TX)                   Unknown
Texoma Medical Center (TX)                               Unknown
Coral Shores Behavioral Health (FL)                      Unknown
The Vines Hospital (FL)                                  Unknown
Suncoast Behavioral Health (FL)                          Unknown
River Point Behavioral Health (FL)                       Unknown

The post Hospitals Notify Patients About 2021 Phishing Attack on Adelanto HealthCare Ventures appeared first on HIPAA Journal.

Website Tracking Technology Breach Affects 54,000 New York Presbyterian Hospital Patients

New York Presbyterian Hospital has reported a 54K-record data breach due to website tracking tools; ransomware attacks have been reported by Atlantic Dialysis Management Services and American Pain & Wellness; and there has been an impermissible disclosure of PHI by a former New Medical Health Care employee.

New York Presbyterian Hospital – Website Analytics and Tracking Tools

New York Presbyterian Hospital (NYP) has confirmed that tracking and analytics tools have been used on its website, nyp.org, which may have resulted in patient information being impermissibly disclosed to third-party service providers that developed the tools.

According to a website notification, these tools were used to gain a better understanding of how visitors interacted with the website and allowed NYP to streamline external communications, monitor community engagement, and make it easier for patients to connect with the care they need. After discovering the potential for impermissible disclosures, the tools were disabled and a third-party forensic firm was engaged to assist with the investigation and determine which individuals had been affected and the extent of any privacy violations.

In January 2023, NYP determined that the types of information disclosed via the tools included names, email addresses, mailing addresses, and/or gender and that 54,396 individuals had been affected. Those individuals had requested appointments, second opinions, or initiated a virtual urgent care visit via the website. No evidence of misuse of the disclosed information has been detected. NYP has reevaluated its data collection practices and has implemented a protocol for monitoring website engagement.

Atlantic Dialysis Management Services – Ransomware Attack

Atlantic Dialysis Management Services in New York has recently reported a cyberattack to the HHS’ Office for Civil Rights that was discovered on June 9, 2022. When suspicious activity was detected within its network, steps were immediately taken to prevent further unauthorized access, and a third-party computer forensics firm was engaged to investigate the incident. The investigation revealed files containing patient data may have been accessed or obtained, and those files included patient names, addresses, social security numbers, dates of birth, medical diagnosis and treatment information, health insurance information, and prescription information.

Atlantic Dialysis Management Services did not state the nature of the attack in its breach notification nor did it confirm that patient data had been stolen; however, this was a ransomware attack by the Snatch team, which subsequently published the stolen data on its data leak site. According to the HIPAA business associate, no evidence of misuse of patient data was identified.

Additional security measures have now been implemented to improve data security and the incident has been reported to the HHS’ Office for Civil Rights. The breach is listed as 14 separate breach notices, affecting 19,972 patients in total, suggesting one breach notice has been posted for each affected client. Some clients may instead choose to report the data breach, so that may not be the final total.

American Pain and Wellness – Ransomware Attack

American Pain and Wellness in Texas has recently reported a ransomware attack to the Maine Attorney General that has affected a total of 7,457 individuals. A security breach was detected on or around November 27, 2022, with the review confirming that ransomware had been used to encrypt files and backups. The investigation determined that files may have been accessed or acquired during the time that its systems were compromised, between November 10, 2022, and November 27, 2022.

The review of the affected files was completed on or around January 24, 2023, and confirmed that names and Social Security numbers may have been compromised. Additional data security safeguards have now been implemented, further training has been provided to employees, and affected individuals have been notified.

New Medical Health Care & Restoration Health – Impermissible Disclosure of Patient Data

New Medical Health Care & Restoration Health (NMHCRH) in Wichita, KS, has recently notified 1,557 patients about an impermissible disclosure of some of their data by an employee. In October 2022, an employee provided a patient list to an individual who was not authorized to receive the information.

The individual who received the list is believed to be helping a former NMHCRH physician who has set up a new practice. The list contained names, phone numbers, addresses, email addresses, birth dates, other demographic information, and potentially also the name/address of the patient’s employer, emergency contact information, guarantor name and address, preferred pharmacy, and insurance information. All patients on the list were previously seen by the physician who set up a new practice.

None of the individuals concerned are working at NMHCRH. The employee who provided the list had already left employment by the time the HIPAA violation was discovered. NMHCRH is working with all three individuals to obtain assurances that the patients concerned will not be contacted and that the information will not be further disclosed. Further training has been provided to the workforce on the importance of patient privacy and HIPAA requirements.

The post Website Tracking Technology Breach Affects 54,000 New York Presbyterian Hospital Patients appeared first on HIPAA Journal.

Georgia Physician Sentenced to Probation for Unauthorized Medical Record Access

A Georgia physician has avoided jail time for a HIPAA violation as part of a plea deal after illegally accessing medical records and has instead been sentenced to 12 months’ probation. The physician will also pay a $1,000 fine and court costs.

Dr. Brent Harris works as a family medicine physician in Carroll County, GA, and owns several properties and businesses in the county, including a school. An incident occurred at the school that involved the son of a nurse, Amy Hicks. The nature of the incident at the school was not publicly disclosed but the police were called, and Hicks took her son to the ER after the incident.

Following the incident, Dr. Harris accessed the medical records of the child, even though he was not the child’s physician, and looked specifically for information about the parents, Amy and Brett, in particular medication and prescription information. Amy Hicks is a nurse with more than 10 years of experience who had previously worked with Dr. Harris in a healthcare setting and was a former business partner of Dr. Harris.

Dr. Harris used Amy’s prescription information to file an official complaint with the Georgia State Board of Nursing, which resulted in her license being temporarily suspended pending an investigation. The investigation by the Board of Nursing determined the complaint was baseless and her license was reinstated. Initially, Dr. Harris was charged with two counts of computer invasion of privacy, two counts of unlawfully obtaining prescription drug monitoring program (PDMP) information, and one count of negligently using, releasing, or disclosing PDMP information. Under the plea deal, the felony charges were dropped in favor of a single misdemeanor charge.

Dr. Harris’ lawyer stated that the medical records of the child were accessed in good faith and the accessing of the records resulted in no harm. At sentencing, Dr. Harris stated that his actions were never intended to cause any harm, and he apologized and said he was truly sorry for any harm that had been caused.

The post Georgia Physician Sentenced to Probation for Unauthorized Medical Record Access appeared first on HIPAA Journal.
