HIPAA Breach News

US Wellness Inc & Blue Shield of California Victims of GoAnywhere Hack

Data breaches have recently been reported by Blue Shield of California, US Wellness Inc., Health Plan of San Mateo, and the California Department of Health Care Services.

Blue Shield of California – GoAnywhere Hack

Blue Shield of California (BSC) has confirmed that the protected health information of 63,341 individuals has been stolen in a hacking incident that exploited a zero-day vulnerability in Fortra’s GoAnywhere Managed File Transfer-as-a-service (MFTaaS) application.

BSC said it was notified on February 5, 2023, about the data breach by its provider, Brightline Medical Associates, which provides virtual behavioral health coaching and therapy for families and children, and confirmed that the file transfer application was compromised between January 28, 2023, and January 31, 2023. During that time, the threat actor responsible downloaded files that contained sensitive information. The following types of information were present in the files: name, address, birth date, gender, Blue Shield subscriber ID number, phone number, e-mail address, plan name, and plan group number.

When Fortra detected the breach, unauthorized access to the system was immediately terminated and the application was taken offline. It has since been patched and the application and gateway have been rebuilt. BSC has offered all affected individuals a complimentary 12-month membership to the Experian IdentityWorks credit monitoring and identity theft protection service.

The Clop ransomware gang claimed responsibility for these attacks, which resulted in data theft from 130+ organizations, including Community Health Systems.

US Wellness Inc. – GoAnywhere Hack

Maryland-based US Wellness Inc. has also recently confirmed that it has been affected by the GoAnywhere cyberattack, resulting in the theft of the protected health information of 11,459 Blue Cross Blue Shield of Arizona members.

US Wellness said it discovered on February 9, 2023, that sensitive data was involved, including names, addresses, birth dates, member ID numbers, where the services originated, and the addresses of the service locations. No misuse of the stolen data has been detected. US Wellness said steps have been taken to improve security processes to prevent similar incidents in the future. Affected individuals were notified about the breach on March 22, 2023.

Health Plan of San Mateo – Email Account Breach

The San Francisco, CA-based Health Plan of San Mateo has recently confirmed a breach of its email environment and the exposure and potential theft of the protected health information of 4,032 plan members. Suspicious activity was detected in its email environment on January 17, 2023, and it was confirmed that an unauthorized individual had accessed a single employee email account.

The attacker is believed to have accessed the account with a view to changing the employee’s direct deposit information rather than to access plan member data; however, unauthorized access to protected health information could not be ruled out. The email account contained a spreadsheet that included names, birth dates, member identification numbers, and limited information regarding calls made to the nurse advice line. Additional security measures have been implemented to prevent similar incidents in the future and employees have received further training to help them identify phishing attempts.

California Department of Health Care Services – Mismailing Incident

The California Department of Health Care Services (DHCS) has recently notified 6,460 Medi-Cal members about a mismailing incident at its subcontractor, Advanced Image Direct, which was performing duties for DHCS and the Office of State Publishing.

DHCS discovered on January 12, 2023, that IRS Form 1095-B mailings were sent that included a form that contained information unrelated to the intended recipient, such as other members’ names, addresses, zip codes, county case numbers, birth dates, and the last four digits of their Social Security numbers. When the incident was detected, all printing and mailing operations were immediately halted and attempts were made to retrieve the misdirected mailings from unintended recipients.

Replacement forms are now being sent and affected individuals have been notified by mail. More stringent quality control checks will now be performed, and employees have been retrained. Twelve months of credit monitoring and identity theft protection services have been offered to affected individuals.

The post US Wellness Inc & Blue Shield of California Victims of GoAnywhere Hack appeared first on HIPAA Journal.

Hacking Incidents Reported by Atlantic General and Lawrence General Hospitals

A round-up of data breaches that have recently been reported to the HHS’ Office for Civil Rights, state Attorneys General, and the media.

Atlantic General Hospital – Ransomware Attack

Atlantic General Hospital (AGH) in Berlin, MD, has recently reported a ransomware attack to the Maine Attorney General that has affected up to 30,704 individuals. The attack was detected on January 29, 2023, when files were discovered to have been encrypted. A third-party computer forensics firm was engaged to assist with the investigation and determined that there was unauthorized access to files containing patient information from January 20, 2023.

The review of those files was completed on March 6, 2023, and confirmed they contained names, Social Security numbers, financial account information, and one or more of the following data types: medical record number, treating/referring physician, health insurance information, subscriber number, medical history information, or diagnosis/treatment information.

Notification letters were mailed to the affected individuals on March 24, 2023. Affected individuals are entitled to enroll in credit and identity monitoring services for 12 months at no cost. AGH has provided additional training to employees and is working on implementing additional safeguards to prevent similar attacks in the future.

Lawrence General Hospital – Hacking Incident

Lawrence General Hospital in Massachusetts recently reported a data breach to the HHS’ Office for Civil Rights that has affected 76,571 individuals. Little is known about the breach, which was reported to OCR on February 23, 2023, as a hacking/IT incident. As of March 29, 2023, a notice has not been added to the hospital website and the breach has not been listed on the Massachusetts Attorney General breach portal.

OU Health – Stolen Laptop Computer

OU Medicine Inc. in Oklahoma has reported a breach of the protected health information of 3,013 OU Health patients. On December 26, 2022, an employee’s laptop computer was stolen. A review was conducted of the data believed to be present on the laptop, and on January 17, 2023, OU Health determined that emails may have been accessible that included patient data such as names, birth dates, Social Security numbers, driver’s license numbers, account numbers, medical record numbers, provider names, dates of service, health insurance information, and diagnosis and treatment information.

While there have been no reported instances of misuse of patient data, OU Health could not rule out unauthorized access to patient data. All affected individuals have been notified and complimentary credit monitoring services have been offered to individuals whose Social Security numbers were exposed.

Majestic Care – Hacking Incident

Majestic Care, a provider of community-based skilled nursing throughout Indiana, Ohio, and Michigan, has confirmed that it was the victim of a hacking incident in December 2022 that disrupted access to its information systems. The security breach was detected on December 13, 2022, and resulted in access to its information systems being prevented until December 16, 2022.

The forensic investigation confirmed the disruption was caused by malicious software on its systems which was installed by an unauthorized individual who first gained access to the network on December 9, 2022. On February 3, 2023, it was confirmed that there may also have been unauthorized access to and exfiltration of files containing personal and protected health information, including names, mailing addresses, birth dates, telephone numbers, Social Security numbers, driver’s license numbers, and information related to treatment and payment for healthcare.

The breach affected 2,636 individuals who received services through Majestic Care Middletown Assisted Living LLC in Indiana.


New York Law Firm Pays $200,000 to State AG to Resolve HIPAA Violations

A New York law firm that suffered a LockBit ransomware attack has agreed to pay a financial penalty of $200,000 to the New York Attorney General to resolve alleged violations of New York General Business Law and the Privacy and Security Rules of the Health Insurance Portability and Accountability Act (HIPAA).

Heidell, Pittoni, Murphy & Bach LLP (HPMB) is a New York City-based medical malpractice law firm. On or around Christmas Day 2021, the LockBit ransomware gang gained access to its network and encrypted files. The investigation confirmed that files were exfiltrated in the attack, including legal documents, patient lists, and medical records. The patient information included names, birthdates, medical histories, treatment information, Social Security numbers, and health insurance information. The incident was reported to the HHS’ Office for Civil Rights on May 16, 2022, as affecting 114,979 individuals. HPMB engaged a third-party ransomware remediation firm to negotiate with the threat actor and ended up paying $100,000 for the keys to decrypt files and to prevent the release of the stolen data. The investigation confirmed the LockBit gang gained access to its network in November 2021 by exploiting unpatched Microsoft Exchange vulnerabilities.

The incident was investigated by the Office of the New York Attorney General to determine whether the law firm had violated state laws and the HIPAA Rules. The NY AG determined that the vulnerabilities exploited by the LockBit gang had been identified by Microsoft in April and May 2021 and that patches had been released shortly thereafter to fix them. Despite the vulnerabilities being well known, they remained unpatched for more than 6 months, which left the firm’s email server vulnerable to attack.

The NY AG determined that 17 provisions of the HIPAA Privacy and Security Rules had been violated. There were also violations of New York General Business Law: the failure to implement reasonable security practices to protect private information and the failure to issue timely notifications to 61,438 New York residents.

The alleged HIPAA violations were:

  • The failure to safeguard electronic protected health information (ePHI).
  • The failure to protect against reasonably anticipated threats to ePHI.
  • The failure to review and modify data protection practices.
  • The failure to conduct an accurate and thorough risk assessment.
  • The failure to implement appropriate security measures to reduce risks to ePHI.
  • The failure to regularly review records of information system activity.
  • The failure to implement procedures sufficient to guard against, detect, and report malicious software.
  • The failure to implement procedures sufficient for periodic testing and revision of contingency plans.
  • The failure to perform a periodic technical and nontechnical evaluation.
  • The failure to sufficiently implement technical policies and procedures for ePHI to limit access by unauthorized individuals.
  • The failure to encrypt ePHI.
  • The failure to implement a centralized logging system for information systems to allow unauthorized system activity to be detected.
  • The failure to implement a system for detecting the alteration or destruction of ePHI.
  • The failure to implement procedures sufficient to verify that a person or entity seeking access to ePHI is the one claimed.
  • The failure to implement reasonable and appropriate policies and procedures to comply with the standards of 45 C.F.R. Part 164, Subpart C.
  • The failure to prevent unauthorized access to ePHI.
  • The failure to adhere to the minimum necessary standard.

In addition to paying a financial penalty, HPMB has agreed to implement a comprehensive information security program that includes risk analyses at least annually, appropriate administrative, technical, and physical safeguards, and regular tests of those safeguards. HPMB will appoint a Chief Information Security Officer (CISO), encrypt all ePHI at rest and in transit, implement a centralized logging system, conduct system activity reviews, establish a patch management program, and develop a penetration testing program.

“New Yorkers should not have to worry that their privacy is being violated and their sensitive information is being mishandled,” said Attorney General Letitia James. “Confidential patient information should be treated with care and secured online to protect New Yorkers from identity theft and fraud. The institutions charged with protecting this information have a responsibility to get it right, and to keep authorities and New Yorkers informed about breaches. Companies can, and should, strengthen their data security measures to safeguard consumers’ digital data, otherwise they can expect to hear from my office.”


Associates in Dermatology Patients Affected by Business Associate Ransomware Attack

Associates in Dermatology, a network of dermatology clinics in Indiana, Kentucky, and New York, has started notifying patients that some of their protected health information has been exposed in a ransomware attack on one of its business associates.

Virtual Private Network (VPN) Solutions provides electronic medical record management services to healthcare providers and Associates in Dermatology used its TouchChart software to host patient data. The ransomware attack was detected by VPN Solutions on or around October 31, 2021, and Associates in Dermatology was notified on December 22, 2021, that none of its data was accessed or stolen in the attack, but was told the forensic investigation into the attack was ongoing.

Associates in Dermatology said VPN Solutions was contacted on multiple occasions to ask how the forensic investigation was progressing and to obtain a formal report about the attack, but it took until January 17, 2023, to discover patient data had been exposed – 15 months after the breach was detected, and 2 months after VPN Solutions determined that files had been exposed.

According to the breach notice, electronic medical records were not exposed, but tag image files from a data warehouse may have been obtained in the attack. Most of those files did not contain patient data, but VPN Solutions said some of the files could be linked to patient names. Associates in Dermatology said VPN Solutions did not confirm if individually identifiable information or protected health information was contained in the files and did not provide a list of patient names.

Associates in Dermatology said its own analysis determined on March 10, 2023, that the compromised files may have contained personally identifiable information. The types of information varied from patient to patient and may have included one or more of the following data elements: first and last name, address, Social Security number, date of birth, medical condition(s)/diagnosis, treatment information, test results, health insurance policy number, subscriber identification number, health plan beneficiary number, and unique AID patient identifiers.

Associates in Dermatology said VPN Solutions has taken steps to improve security and has rebuilt its entire environment and restored all data. Associates in Dermatology performed a review of its contracts with third-party vendors and assessed their cybersecurity measures and has offered affected individuals complimentary credit monitoring and identity theft protection services.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal so it is currently unclear how many individuals have been affected.

47,000 Special Needs Student Records Exposed Online

A non-password-protected database containing the records of more than 47,000 special needs students has been exposed to the Internet and could be accessed by anyone without any authentication. The database was found by security researcher Jeremiah Fowler in mid-February, who traced the database to a company called Encore Support Services. Encore Support Services is a Brooklyn, NY-based provider of special education, behavioral health, and related services. Fowler notified Encore Support Services about the data exposure and the database has now been secured.

According to Fowler, the 6.74 GB database stored records going back to 2018 and included invoices containing student names, addresses, parent names, Open Student Information System (OSIS) numbers, service provider names, vendor information, EIN/SSN tax identification, and billing hours. The invoices also included codes for services that indicated a disability.

The data could be used for a range of nefarious purposes. For instance, Encore Support Services could be impersonated and parents contacted and asked to reveal sensitive information or pay a small charge on their credit card. Since a threat actor would have access to students’ unique OSIS numbers, case numbers, and therapy histories, the requests would be convincing.

Fowler was unable to determine how long the database had been exposed and whether it had been accessed by unauthorized individuals but suggests that the database most likely has not been exposed for long as it had not been encrypted using ransomware or deleted for extortion purposes.


SundaySky Cyberattack Impacts 37,000 Health Plan Members

SundaySky, a New York-based provider of software solutions to businesses for creating marketing videos, has recently announced that unauthorized individuals gained access to servers in its cloud environment and may have obtained customer data. Unauthorized access was detected on January 8, 2023, and the forensic investigation confirmed that files were exfiltrated between January 6 and January 8, 2023. Those files contained customer-provided health plan information from December 2018 to January 2019.

SundaySky worked with the health plan provider to determine the compromised information, and the review was completed on February 20, 2023. Notifications have now been sent to the 37,095 affected individuals. The types of data compromised included first names, personal email addresses, Healthcare Savings Account (HSA) effective date and deductible, and information related to copay. SundaySky said additional technical safeguards have now been implemented for its cloud environment to prevent similar breaches in the future.

Postal Prescription Service Impermissibly Disclosed Patient Names to Kroger

Healthy Options Inc., which does business as Postal Prescription Service (PPS), has announced an impermissible disclosure of limited patient information to its affiliated grocery business. On January 10, 2023, PPS discovered that the names and email addresses of 82,466 patients had been shared with the Kroger Co. and were used to create grocery accounts for those individuals. The affected individuals had created an online PPS account between July 2014 and January 13, 2023.

PPS said the impermissible disclosure was due to an internal error and its website has since been updated to address the problem. Affected individuals have been notified by mail.

Texas Medical Liability Trust Alerts Policyholders About PHI Breach

Texas Medical Liability Trust has recently notified 625 medical insurance policyholders that some of their personally identifiable information has been exposed. Suspicious network activity was detected on or around October 12, 2022, and the investigation confirmed that unauthorized individuals had access to parts of its network between October 2, 2022, and October 13, 2022.

The review of the affected files was completed on December 12, 2022, and affected individuals were notified on January 13, 2023, by Texas Medical Liability Trust on behalf of itself and its affiliates, Texas Medical Insurance Company, Physicians Insurance Company, and Lone Star Alliance, Inc., a Risk Retention Group.

The exposed information included names, Social Security numbers, driver’s license numbers, and financial account information. Texas Medical Liability Trust said additional safeguards have been implemented and employees have received further training. Affected individuals have been offered complimentary credit monitoring services for 12 months.


FBI: Losses to Cybercrime Increased by 49% in 2022 to $10.3 Billion

The Federal Bureau of Investigation (FBI) has published its 2022 Internet Crime Report, which shows at least $10.3 billion was lost to cybercrime in 2022, up 49% ($3.4 billion) from 2021, despite a 5% reduction in complaints (800,944). Over the past 5 years, the FBI Internet Crime Complaint Center (IC3) has received reports of losses of more than $27.6 billion across 3.26 million complaints to IC3.

FBI data show a 36% year-over-year decrease in ransomware attacks, which fell from 3,729 complaints in 2021 to 2,385 complaints in 2022. Despite this decrease, the FBI says ransomware still poses a significant threat, especially to the healthcare sector, which ranked top out of 16 critical infrastructure sectors for ransomware attacks in 2022 and actually saw an increase in complaints: 210 ransomware complaints were filed with IC3 in 2022 by healthcare organizations compared to 148 in 2021. The FBI has observed an increase in double extortion tactics in ransomware attacks, where data are stolen in addition to file encryption and payment is required to obtain the decryption keys and to prevent the publication or sale of stolen data. LockBit was the most prolific ransomware actor with 149 reported attacks, ALPHV/BlackCat was second with 114 attacks, and Hive was third with 87 attacks.

Several cybercriminal groups that have historically used ransomware in their attacks have switched to extortion-only attacks, involving data theft and ransom demands but no file encryption. The FBI’s data shows extortion attacks have remained flat, increasing only slightly from 39,360 complaints in 2021 to 39,416 complaints in 2022.

Phishing remains one of the most common attack vectors, although reported phishing attacks fell by 7% year over year to 300,497 incidents. Even with that decrease, phishing is still the most common crime type in terms of victim count ahead of personal data breaches with 58,859 complaints and non-payment/non-delivery with 51,679 complaints.

Business email compromise (BEC) ranked 9th out of all crime types in terms of complaints but ranked 2nd in terms of reported losses with $2,742,354,049 lost to BEC attacks in 2022. BEC attacks increased 9% year-over-year although losses to the scams were down almost 14.5%. BEC was knocked from the top spot this year by investment scams, which saw $3,311,742,206 in reported losses, up 127% from 2021. The FBI reports an unprecedented increase in crypto investment schemes in 2022 in terms of both victim count and losses.

There was a major increase in tech support scams in 2022, which rose to 3rd place in terms of losses. Tech support scam complaints increased by 36% year-over-year to 32,538 complaints and losses to these scams increased by almost 132% to $806,551,993.

The FBI stressed the importance of reporting instances of cybercrime of any type and confirmed assistance will be provided to try to recover losses. The IC3 Recovery Asset Team (RAT) has a 73% success rate in freezing funds and limiting losses and has frozen $433.30 million in funds out of $590.62 million in reported losses across 2,838 incidents.


February 2023 Healthcare Data Breach Report

The number of healthcare data breaches reported over the past three months has remained fairly flat, with only a small uptick in breaches in February, which saw 43 data breaches of 500 or more records reported to the HHS’ Office for Civil Rights (OCR), well below the 12-month average of 57.4 reported breaches a month. An average of 41 data breaches have been reported each month over the past 3 months, compared to an average of 50.6 breaches per month for the corresponding period last year.

February 2023 Healthcare Data Breach Report - Records breached

The downward trend in breached records did not last long. There was a sizeable month-over-month increase in breached records, jumping by 418.7% to 5,520,291 records. February was well above the monthly average of 4,472,186 breached records a month, with the high total largely due to a single breach that affected more than 3.3 million individuals.

February 2023 Healthcare Data Breach Report - Records Breached


Largest Healthcare Data Breaches Reported in February 2023

17 healthcare data breaches of 10,000 or more records were reported in February, all of which were hacking incidents. The largest data breach affected 3,300,638 patients of 4 medical groups in California that are part of the Heritage Provider Network – Regal Medical Group, Inc.; Lakeside Medical Organization, A Medical Group, Inc.; ADOC Acquisition Co., A Medical Group Inc.; & Greater Covina Medical Group, Inc. This was a ransomware attack with confirmed data theft and was, at the time of reporting, the largest healthcare data breach of the year. That record did not stand for long, as a 4.4 million-record breach was reported this month (Independent Living Systems).

Hacking incidents were reported by CentraState Healthcare System in New York (617,901 records), Cardiovascular Associates in Alabama (441,640 records), and the Florida-based revenue cycle management company, Reventics (250,918 records), all of which saw sensitive data exfiltrated. It is unclear whether these incidents were ransomware or extortion attacks. An email account breach at Highmark Inc. rounds out the top five. That incident was reported to the HHS’ Office for Civil Rights as two separate breaches, affecting 239,039 and 36,600 individuals, 275,639 in total. The breach occurred as a result of an employee clicking a link in a phishing email.

The full list of 10,000+ record data breaches and their causes are detailed in the table below.

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach
Regal Medical Group, Inc., Lakeside Medical Organization, A Medical Group, Inc., ADOC Acquisition Co., A Medical Group Inc. & Greater Covina Medical Group, Inc. | CA | Healthcare Provider | 3,300,638 | Ransomware attack (data theft confirmed)
CentraState Healthcare System, Inc. | NJ | Healthcare Provider | 617,901 | Hacking incident (data theft confirmed)
Cardiovascular Associates | AL | Healthcare Provider | 441,640 | Hacking incident (data theft confirmed)
Reventics, LLC | FL | Business Associate | 250,918 | Hacking incident (data theft confirmed)
Highmark Inc | PA | Health Plan | 239,039 | Phishing attack
90 Degree Benefits, Inc. | WI | Business Associate | 175,000 | Hacking incident
Hutchinson Clinic, P.A. | KS | Healthcare Provider | 100,000 | Hacking incident
Lawrence General Hospital | MA | Healthcare Provider | 76,571 | Hacking incident
Sharp Healthcare | CA | Healthcare Provider | 62,777 | Hacked web server (data theft confirmed)
Rise Interactive Media & Analytics, LLC | IL | Business Associate | 54,509 | Hacking incident
Highmark Inc | PA | Business Associate | 36,600 | Phishing attack
Teijin Automotive Technologies Welfare Plan | MI | Health Plan | 25,464 | Ransomware attack – Access gained through phishing
Evergreen Treatment Services | WA | Healthcare Provider | 21,325 | Hacking incident
Aloha Nursing Rehab Centre | HI | Healthcare Provider | 20,216 | Hacking incident (data theft confirmed)
NR Pennsylvania Associates, LLC | PA | Healthcare Provider | 14,335 | Hacking incident (data theft confirmed)
Intelligent Business Solutions | NC | Business Associate | 11,595 | Ransomware attack
Arizona Health Advantage, Inc. dba Arizona Priority Care; AZPC Clinics, LLC; and health plans for which APC has executed a BAA | AZ | Healthcare Provider | 10,978 | Ransomware attack

Causes of Healthcare Data Breaches in February 2023

Hacking and other IT incidents dominated the breach reports in February with 33 such incidents reported, accounting for 76.7% of all breaches reported in February. Across those incidents, the records of 5,497,797 individuals were exposed or stolen – 99.59% of the breached records in February. The average breach size was 166,600 records and the median breach size was 10,978 records.

There were 8 unauthorized access/disclosure incidents reported involving a total of 13,950 records. The average breach size was 1,744 records and the median breach size was 689 records. One of the incidents – reported by Asante – involved a physician accessing the records of patients when there was no treatment relationship. The unauthorized access occurred for 9 years before it was detected, during which time the records of 8,834 patients were impermissibly viewed. Incidents such as this show why it is important to maintain logs of medical record access and to review those logs regularly, ideally automating the process using a monitoring and alerting system.
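One way to automate the access-log review recommended above, as an added example that is not HIPAA Journal's code or any EHR vendor's: it replays constructed audit-log lines against a constructed care-team (encounter) table and flags chart accesses by a user with no treatment relationship to the patient. The log format, the encounter table and the 30-day post-encounter grace window are assumptions.

```python
"""Audit-log review for EHR record access with no treatment relationship.

Illustrative example only (not HIPAA Journal's or any vendor's code). It
assumes two constructed inputs: an access log in "timestamp|user|patient|action"
form and a care-team table of (patient, clinician, start, end) encounters.
An access is flagged when the user has no encounter with that patient whose
window (plus an assumed grace period) covers the access time.
"""
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed sample: care-team / encounter relationships (patient, clinician, start, end)
ENCOUNTERS = [
    ("P1001", "dr_alpha", date(2023, 1, 10), date(2023, 1, 12)),
    ("P1002", "dr_alpha", date(2023, 1, 15), date(2023, 1, 15)),
    ("P1003", "dr_beta", date(2022, 12, 1), date(2022, 12, 20)),
]

# Constructed sample access-log lines (timestamp|user|patient|action)
ACCESS_LOG = """\
2023-01-11T09:15:00|dr_alpha|P1001|VIEW_CHART
2023-01-15T14:02:00|dr_alpha|P1002|VIEW_CHART
2023-01-16T22:40:00|dr_alpha|P1003|VIEW_CHART
2023-01-17T23:05:00|dr_alpha|P1004|VIEW_CHART
2023-01-18T07:30:00|dr_beta|P1003|VIEW_RESULTS
2023-02-02T11:00:00|dr_alpha|P1001|VIEW_CHART
"""

GRACE = timedelta(days=30)  # assumed follow-up window after an encounter ends


def parse_log(text):
    """Parse log lines into dicts; skip blank or malformed lines instead of crashing."""
    events = []
    for raw in text.splitlines():
        parts = raw.strip().split("|")
        if len(parts) != 4:
            continue
        ts, user, patient, action = parts
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "patient": patient, "action": action})
    return events


def build_relationships(encounters):
    """Index encounter windows by (patient, user) for lookup."""
    index = defaultdict(list)
    for patient, user, start, end in encounters:
        index[(patient, user)].append((start, end))
    return index


def has_treatment_relationship(index, user, patient, when, grace=GRACE):
    """True if the access date falls inside an encounter window (plus grace)."""
    day = when.date()
    for start, end in index.get((patient, user), []):
        if start <= day <= end + grace:
            return True
    return False


def review_access_log(log_text, encounters, grace=GRACE):
    """Return the flagged events and a per-user count of unjustified accesses."""
    index = build_relationships(encounters)
    flagged = []
    per_user = defaultdict(int)
    for ev in parse_log(log_text):
        if not has_treatment_relationship(index, ev["user"], ev["patient"], ev["ts"], grace):
            flagged.append(ev)
            per_user[ev["user"]] += 1
    return flagged, dict(per_user)


def users_over_threshold(per_user, threshold=2):
    """Users whose unjustified-access count reaches the alert threshold."""
    return sorted(u for u, n in per_user.items() if n >= threshold)


if __name__ == "__main__":
    flagged, per_user = review_access_log(ACCESS_LOG, ENCOUNTERS)
    for ev in flagged:
        print(f"FLAG {ev['ts'].isoformat()} {ev['user']} -> {ev['patient']} ({ev['action']})")
    print("alert users:", users_over_threshold(per_user))
```

In production the encounter table would come from the EHR's scheduling or care-team data and the review would run on a schedule, with flagged users routed to the privacy office rather than printed.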

February 2023 Healthcare Data Breach Report - Causes

One theft incident was reported involving a portable electronic device containing the PHI of 986 patients and one incident involved the improper disposal of paper records that contained the PHI of 7,558 patients.

February 2023 Healthcare Data Breach Report - Location PHI

What HIPAA-Regulated Entities were Affected?

Healthcare providers were the worst affected HIPAA-regulated entity in February, with 31 data breaches of 500 or more records. Seven data breaches were reported by business associates and five were reported by health plans. When data breaches involve business associates, they are often reported by the covered entity. In February, 6 data breaches involved business associates but were reported by the affected healthcare providers and health plans. The two charts are based on where the breach occurred rather than who reported it.

February 2023 Healthcare Data Breach Report - Reporting Entities

The average healthcare provider breach exposed 178,046 records (median: 3,061 records), the average health plan data breach exposed 67,236 records (median: 3,909 records), and the average business associate data breach involved 47,859 records (median: 8,500 records).

February 2023 Healthcare Data Breach Report - records by reporting entity

Where Did the Breaches Occur?

Data breaches were reported by HIPAA-covered entities and business associates in 28 states, with California being the worst affected state with 4 breaches reported in February.

State | Breaches
California | 4
Pennsylvania & Texas | 3
Arizona, Illinois, Kansas, Massachusetts, New Jersey, Oregon, Virginia & Washington | 2
Alabama, Colorado, Connecticut, Florida, Georgia, Hawaii, Iowa, Maryland, Michigan, New Hampshire, New Mexico, North Carolina, Rhode Island, Tennessee, Utah, Wisconsin & Wyoming | 1

HIPAA Enforcement Activity in February 2023

The HHS’ Office for Civil Rights announced one enforcement action in February to resolve alleged violations of the HIPAA Rules. OCR investigated Banner Health over a 2016 breach of the protected health information of 2.81 million individuals and identified multiple potential HIPAA violations related to risk analyses, system activity reviews, verification of identity for access to PHI, and technical safeguards. Banner Health agreed to settle the case and paid a $1,125,000 financial penalty.

DNA Diagnostics Center was investigated by the Attorneys General in Pennsylvania and Ohio after a reported breach of the personal and health information of 45,600 state residents. The investigation determined there was a lack of safeguards, a failure to update its asset inventory, and a failure to disable or remove assets that were not used for business purposes. While these failures would have been HIPAA violations, the settlement resolved violations of state laws. DNA Diagnostics Center paid a financial penalty of $400,000, which was split equally between the two states.

In February, the Federal Trade Commission (FTC) announced its first-ever settlement to resolve a violation of the FTC Health Breach Notification Rule. While the Rule has been in effect for a decade, the FTC has never enforced it. That has now changed. The FTC stated last year that it would be holding non-HIPAA-covered entities accountable for impermissible disclosures of health information and breach notification failures. GoodRx Holdings Inc. was found to have used tracking technologies on its website that resulted in unauthorized disclosures of personal and health information to Facebook, Google, and other third parties and failed to issue notifications to affected individuals. The allegations were settled and GoodRx paid a $1,500,000 financial penalty.

The post February 2023 Healthcare Data Breach Report appeared first on HIPAA Journal.

Alabama Healthcare Provider Announces 441,000-Record Data Breach

Cardiovascular Associates, a heart hospital in Birmingham, AL, has recently announced that unauthorized individuals gained access to certain parts of its network between November 28, 2022, and December 5, 2022, and removed files containing patient information. The breach was detected on December 5, 2022, and immediate action was taken to contain it and prevent further unauthorized access. A leading digital forensics firm was engaged to investigate the breach and confirmed that data theft had occurred.

The review of the affected files revealed they contained the following types of information: full names, birth dates, addresses, Social Security numbers, health insurance information, medical record numbers, dates of service, provider/facility names, visit/procedure/diagnosis information, medical test results and images, billing and claims information, passport numbers, driver’s license numbers, credit/debit card information, and financial account information. The types of data compromised varied from patient to patient, and the usernames and passwords of a limited number of patients were also compromised.

Cardiovascular Associates has strengthened system security to prevent similar breaches in the future and its security and monitoring capabilities have been enhanced. Individuals whose Social Security number, credit card/debit card information, financial account information, passport or driver’s license number was compromised have been offered free credit monitoring and identity restoration services.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal but has been reported to the Maine Attorney General as affecting 441,640 individuals.

Great Neck/Mid Island Dental Reports Third-Party Data Breach

Richard T. Miller, DMD, PC, doing business as Great Neck/Mid Island Dental, has recently announced via its legal counsel that the protected health information of 22,933 individuals may have been accessed by unauthorized individuals. The data breach occurred at a law firm that helped Great Neck Dental acquire the assets of another dental practice in 2015. Cooperman Lester Miller Carus LLP (CLMC) assisted the seller with the acquisition and was provided with information as part of the business transaction, which included patient information. Great Neck Dental was notified on October 7, 2022, that an unauthorized individual had gained access to the email account of a CLMC partner between March 27, 2022, and June 1, 2022. The email account contained patient names, dates of birth, Social Security numbers, and dental insurance information.

Richard T. Miller said Great Neck/Mid Island Dental systems were unaffected and no reports of data misuse have been detected; however, as a precaution, affected individuals have been offered complimentary identity protection services.

Multnomah County Health Department Says Records of 2,000 Clients Potentially Accessed in Break-in

The Multnomah County Health Department in Oregon has confirmed that the personal information of approximately 2,000 individuals has potentially been accessed in a break-in at the Multnomah County Health Department headquarters. The break-in occurred over the weekend of February 17/18, 2023, and, because of the Presidents’ Day holiday, was not discovered until February 21.

A county laptop computer and a new client cell phone were stolen, and the perpetrator also entered an area where paper records containing client information were stored. The suspected perpetrator was arrested last week by law enforcement. All affected clients and employees have been notified by mail.

The post Alabama Healthcare Provider Announces 441,000-Record Data Breach appeared first on HIPAA Journal.

UC San Diego Health Announces Impermissible Disclosure of Patient Data Due to Website Analytics Code

University of California (UC) San Diego Health is the latest healthcare organization to start notifying patients that some of their protected health information has been impermissibly disclosed to third parties due to the use of website tracking technologies. UC San Diego Health said the analytics code was added to its scheduling websites by one of its business associates, Solv Health, without authorization from UC San Diego Health. UC San Diego Health contracted with Solv Health to provide website hosting and management services.

The analytics code captured limited data of visitors to the scheduling websites who booked in-person or telehealth appointments. The captured information was then impermissibly disclosed to the third parties that provided the code. UC San Diego Health did not state in its breach notifications who the third parties were but said they received first and last names, birth dates, email addresses, IP addresses, third-party cookies, reasons for the appointments, and insurance type (e.g., PPO, HMO, Other).

UC San Diego Health confirmed that Social Security numbers, medical record numbers, financial account numbers, and debit and credit card information were not disclosed and the analytics code was not used on its electronic health record or MyUCSDChart systems, so no information within those systems was disclosed. UC San Diego Health said notification letters started to be mailed to affected individuals on March 20, 2023. Those individuals had used the scheduling websites for its Express Care (La Jolla) or Urgent Care locations (Downtown San Diego, Encinitas, Eastlake/Chula Vista, Pacific Highlands Ranch, & Rancho Bernardo).

When the analytics code was discovered in December 2022, UC San Diego Health directed Solv Health to immediately remove the code from the scheduling websites and worked with Solv Health to determine who had been affected. UC San Diego Health is now using a new online scheduling tool and has enhanced its vendor assessment and management procedures.
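As an added defender-side example (not code from HIPAA Journal, UC San Diego Health or Solv Health), the following Node.js script audits the raw HTML of a scheduling page for script, frame and image loads from hosts outside an approved allowlist, and reports whether a Content-Security-Policy script-src directive would have blocked an unapproved script. All hostnames, the sample HTML and the sample CSP header are constructed for illustration.

```javascript
// Added example (not from HIPAA Journal, UC San Diego Health or Solv Health): audit a
// scheduling page for loads from unapproved hosts; hostnames and HTML are constructed.
// Hosts approved to serve content on the scheduling site (assumed allowlist).
const APPROVED_HOSTS = new Set(["scheduling.example-health.org", "cdn.example-health.org"]);

// Pull every src attribute from <script>, <iframe> and <img> tags in raw HTML.
function extractResourceUrls(html) {
  const re = /<(script|iframe|img)\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  const found = [];
  let m;
  while ((m = re.exec(html)) !== null) found.push({ tag: m[1].toLowerCase(), url: m[2] });
  return found;
}

// Does the script-src directive of a CSP header permit scripts from host? Only host
// sources, 'self' and *.wildcards are modelled; no script-src is treated as permissive.
function cspScriptSrcAllows(cspHeader, host, pageOrigin) {
  const directive = cspHeader.split(";").map(s => s.trim()).find(s => s.startsWith("script-src "));
  if (!directive) return true;
  const selfHost = new URL(pageOrigin).hostname;
  return directive.split(/\s+/).slice(1).some(src => {
    if (src === "'self'") return host === selfHost;
    const h = src.replace(/^https?:\/\//, "").replace(/[:/].*$/, "");
    return h.startsWith("*.") ? host.endsWith(h.slice(1)) : h === host;
  });
}

// Report every resource from a host outside the allowlist; for scripts, also say
// whether the given CSP (if any) would have blocked it.
function auditThirdPartyLoads(html, pageOrigin, cspHeader = null, approved = APPROVED_HOSTS) {
  const findings = [];
  for (const { tag, url } of extractResourceUrls(html)) {
    let host;
    try { host = new URL(url, pageOrigin).hostname; } catch { continue; }
    if (approved.has(host)) continue;
    const cspWouldBlock = tag === "script" && cspHeader !== null
      ? !cspScriptSrcAllows(cspHeader, host, pageOrigin) : null;
    findings.push({ tag, host, url, cspWouldBlock });
  }
  return findings;
}

// Constructed sample: first-party app script, approved CDN script, unapproved analytics tag.
const SAMPLE_HTML = `<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-health.org/ui.js"></script>
<script src="https://analytics.example-tracker.net/tag.js"></script>
</head><body><form id="book"><input name="reason"></form></body></html>`;
const SAMPLE_CSP = "default-src 'self'; script-src 'self' https://cdn.example-health.org";
console.log(auditThirdPartyLoads(SAMPLE_HTML, "https://scheduling.example-health.org/", SAMPLE_CSP));
```

Running the audit against a saved copy of each public-facing page, and again after every vendor deployment, surfaces injected tags before a breach review has to; the CSP check shows whether a deployed policy would already have stopped the load.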

The incident has been reported to the HHS’ Office for Civil Rights and local media outlets; however, it is currently unclear how many individuals have been affected. This post will be updated when that information is made public.

The post UC San Diego Health Announces Impermissible Disclosure of Patient Data Due to Website Analytics Code appeared first on HIPAA Journal.