HIPAA Breach News

PHI Included in Mom’s Meals Data Breach

The parent company of the Mom’s Meals home delivery meal service – PurFood LLC – has published a Notice of Data Event on its website and filed a Data Breach Notification with the Maine Attorney General following a cyberattack earlier this year in which personal information relating to 1,237,681 customers, employees, and contractors is believed to have been stolen.

PurFood LLC – trading as Mom’s Meals – delivers refrigerated ready-to-eat meals nationwide to customers with special nutritional requirements. As well as supplying private customers, the company works with more than five hundred health plans, managed care organizations, and other agencies to provide access to meals for people covered by Medicare and Medicaid.

According to a Notice of Data Event on the company’s website, Mom’s Meals experienced a cyberattack between January 16, 2023, and February 22, 2023, that resulted in customer, employee, and contractor data being encrypted. An investigation into the cyberattack revealed the presence of data exfiltration software that may have been used to transfer data from PurFood’s servers.

The investigation determined that the encrypted files included personal and protected health information related to certain individuals. However, it has not been confirmed that data was exfiltrated, and the Notice of Data Event states that the company has not seen any evidence of personal information being misused or further disclosed as a result of the Mom’s Meals data breach.

Nonetheless, the company has filed a Data Breach Notification with the Maine Attorney General and is in the process of notifying potentially affected individuals via U.S. Mail. At the time of publication, the company’s name does not appear on the HHS’ Office for Civil Rights breach portal. According to the Data Breach Notification, the date the breach was “discovered” is recorded as July 10, 2023.

What Data is Believed Stolen in the Mom’s Meals Data Breach?

The data believed stolen in the Mom’s Meals data breach includes dates of birth, driver’s license numbers, account information, payment card information, health information, medical record numbers, Medicare and Medicaid identifiers, treatment information, diagnosis codes, meal categories and costs, health insurance information, Social Security numbers, and patient ID numbers.

To prevent a repeat of the incident, PurFood states in its breach notification letter that the company has taken a number of steps to strengthen the security of its network and is reviewing its existing policies and procedures to identify any additional measures and safeguards that may be necessary. It is also providing credit monitoring, fraud consultation, and identity theft restoration services for a year.

Individuals who receive a breach notification letter relating to the Mom’s Meals data breach are advised to register for the credit monitoring services provided by the company, examine any correspondence from Medicare, Medicaid, or an insurer to ensure the services mentioned have been received (and report any discrepancies), and monitor their credit report – placing a freeze on the credit report if they are concerned about being a victim of identity theft.

The post PHI Included in Mom’s Meals Data Breach appeared first on HIPAA Journal.

Medical Records from Prospect Ransomware Attack Appear on Dark Web

Medical records extracted during the recent Prospect Medical Holdings ransomware attack are allegedly being offered for sale on the dark web, according to social media sources. The announcement of the sale has been interpreted as a signal to Prospect Medical Holdings to respond quickly to the hackers’ ransom demands.

On August 3, the Prospect Medical Holdings health system was hit by a ransomware attack that crippled operations at the health system’s 17 hospitals and 166 outpatient clinics. At the time, the perpetrators of the attack were unknown. However, last week a notice appeared on the Rhysida group’s dark web data leak site claiming responsibility for the attack.

The notice also announced an auction of data stolen in the attack, consisting of more than 500,000 Social Security numbers, passports of clients and employees, drivers’ licenses, patient files (profiles and medical histories), and financial and legal documents. In all, it is claimed, the sale consists of 1TB of unique files and a 1.3TB SQL database.

The notice was accompanied by several snapshots of the stolen data – some of which has been independently verified as genuine by comparing the snapshots to publicly available records – and a price tag of 50 Bitcoin ($1,298,340). The addition of the price tag has led some sources to comment that the notice is intended to accelerate a ransom payment.

It is not known at this time whether the sale will proceed or whether Prospect Medical Holdings will give in to the ransom demands. As of this past weekend, some services continue to be suspended and staff in some medical units are still having to rely on paper records. A spokesperson for Prospect Medical Holdings also issued the following statement:

“We have become aware that Prospect Medical data was taken by unauthorized actors, the nature of which is being actively examined. If the investigation determines that any protected health or personal information is involved, we will provide the appropriate notifications in accordance with applicable laws. Because our investigation is ongoing, we do not have additional information to share at this time. We are taking all appropriate measures to address this incident.”


Ransomware Attack Key Factor in H1 Operating Losses of $102.7 Million for Point32Health

Point32Health has reported operating losses of $102.7 million for the first 6 months of 2023 on $4.8 billion in revenue, compared to losses of $25.8 million in the first 6 months of 2022 on $4.9 billion in revenue. The $76.9 million difference has largely been attributed to the ransomware attack it detected on April 17, 2023, although details of the actual cost of the attack have not been released.

The attack saw sensitive data exfiltrated from the systems of Harvard Pilgrim Health Care between March 28, 2023, and April 17, 2023, including the protected health information of current and former subscribers, their dependents, and current contracted providers. The compromised information included names, Social Security numbers, and taxpayer identification numbers. The breach was reported to the HHS’ Office for Civil Rights as affecting 2,550,922 individuals.

The attack resulted in systems being taken offline for several weeks, including the systems that support the Harvard Pilgrim Health Care Commercial and Medicare Advantage Stride℠ plans (HMO)/(HMO-POS). The recovery process was slow as systems had to be restored in a specific order. It took until late July – three months after the attack was detected – to fully resume normal operations, although it took until August to clear a backlog of 1 million claims that had been delayed due to the cyberattack.

Point32Health’s Chief Financial Officer, Scott Walker, said the company remains on a solid financial footing and that the losses due to the cyberattack were transient and one-time in nature; however, Point32Health is likely to continue to face costs from the data breach. Multiple class action lawsuits have been filed over the data breach.


Mississippi Health System Investigating Cyberattack

Singing River Health System in Mississippi, which operates Pascagoula Hospital, Ocean Springs Hospital, and Gulfport Hospital, detected unusual activity within its IT systems last week and is investigating a potential cyberattack. On Monday, the health system took its IT systems offline to preserve system integrity and downtime procedures remain in place.

Shannon Wall, SRHS Chief Marketing Officer, said “We are working diligently with third-party specialists to investigate the source of this disruption and to confirm its impact on our systems as soon as possible. We have also engaged with the appropriate law enforcement authorities.” She also confirmed that the IT security team is working around the clock to investigate the incident and ensure systems are secured, and that it will start bringing systems back online when it is safe to do so. No timeline has been provided for when systems will be restored. Further details on the nature of the attack, such as whether this is a ransomware incident, have not been released.

The health system is continuing to see patients, but there are delays due to the lack of access to IT systems. Radiology services at its clinics have been halted, although they continue at its hospitals. At this stage of the investigation, it is unclear to what extent, if any, patient data has been compromised.

MOVEit Hacking Victims

More healthcare organizations have confirmed they have been affected by the mass exploitation of a zero-day vulnerability (CVE-2023-34362) in Progress Software’s MOVEit Transfer file transfer solution by the Clop hacking group. Progress Software identified the vulnerability on May 31, 2023, and released a patch that day; however, the vulnerability had already been exploited and data exfiltrated by the Clop threat actors.

The Harris Center for Mental Health and IDD

The Harris Center for Mental Health and IDD in Houston, TX, has recently confirmed that the protected health information of 599,367 individuals was compromised in the attack. The Harris Center does not use the MOVEit Transfer solution; however, one of its service providers did and had data stolen. The internal investigation confirmed on August 9, 2023, that the compromised protected health information included names, addresses, dates of birth, Social Security numbers, and health insurance information. The Harris Center started sending written notifications to the affected individuals on August 17, 2023.

UofL Health

UofL Health in Louisville, KY, said its internal investigation confirmed on June 21, 2023, that the hackers gained access to files that contained patient names, addresses, dates of birth, patient account numbers, dates of service, member ID numbers, and Social Security numbers. The affected individuals have been notified by mail and have been offered complimentary credit monitoring and identity theft protection services. UofL Health has reported the breach to the appropriate authorities, but it is currently unclear how many patients have been affected.

Baesman Group, Inc.

The Baesman Group, Inc., a Hilliard, OH-based provider of CRM, customer loyalty, and marketing services, confirmed it had been affected by the MOVEit hacks and had data stolen on May 29, 2023. Notification letters are being sent to the 4,000 individuals who were affected. The substitute breach notification on its website does not state what types of data were stolen in the attack.


Morris Hospital & Healthcare Centers Notifies Almost 249,000 Patients About April Cyberattack

Morris Hospital & Healthcare Centers in Illinois has started notifying 248,943 individuals about a cyberattack that was detected on April 4, 2023. When the breach was detected, third-party cybersecurity experts were engaged to investigate and determine the nature and scope of the incident and confirmed that files containing protected health information had been exfiltrated from its systems by unauthorized individuals.

The stolen files included the protected health information of current and former patients, employees, and their dependents and beneficiaries, including names, addresses, dates of birth, Social Security numbers, medical record numbers, account numbers, and diagnostic/treatment codes. While there has been no detected misuse of the stolen data, affected individuals have been advised to be cautious and take advantage of the complimentary identity theft resolution services that have been offered.

Morris Hospital & Healthcare Centers did not state the identity of the attackers in the notification letters, nor mention the nature of the attack. The HIPAA Journal can confirm that the Royal ransomware group has claimed responsibility for the attack and added Morris Hospital to its dark web data leak site on May 22, 2023, along with some of the data that was compromised in the attack.

Jefferson Health DEXA Scan Backup Drive Lost or Stolen

Jefferson Health has recently started notifying patients of its Cherry Hill Hospital in New Jersey that some of their protected health information may have been compromised. Data was stored on a backup drive that was connected to its DEXA scan device. During routine maintenance, its vendor discovered the backup drive to be missing. An investigation was launched; however, it was not possible to determine what happened to the drive and it has been presumed lost or stolen.

The backup drive contained names, dates of birth, medical record numbers, study dates, and, for some individuals, mailing addresses. The drive also held other information which, according to Jefferson Health, could not be accessed without valid credentials and the appropriate software and technology; that information included diagnoses, phone numbers, Social Security numbers, insurance information, driver’s license numbers, and scans. Whether the drive itself was encrypted is not stated; a credential prompt in the scanner’s software does not protect data that can be read directly from an unencrypted drive. Jefferson Health said it is reviewing and enhancing its security protocols to prevent similar incidents in the future.

The incident is not yet showing on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Pathways to Wellness Medication Clinics Reports Ransomware Attack

Patients of Pathways to Wellness Medication Clinics in Oakland, Union City, and Pleasanton in California have been notified that some of their protected health information was exposed in a cyberattack that was detected on March 28, 2023. An unauthorized individual gained access to and disabled its network. Third-party cybersecurity experts were engaged to investigate the breach and secure its systems and technical safeguards have been reviewed and are being updated to better protect patient data.

While no reports of misuse of patient data had been received up to July 5, 2023, data theft may have occurred. The exposed information included: first name, last name, address, health insurance information, provider name, Social Security number, date of birth, and gender. Affected individuals have been offered complimentary single bureau credit monitoring services. The incident has not yet been added to the Office for Civil Rights breach portal so it is currently unclear how many individuals have been affected.


CentroMed Notifies 350,000 Individuals About PHI Exposure

El Centro Del Barrio, doing business as CentroMed in San Antonio, TX, has alerted 350,000 patients that some of their protected health information was potentially compromised in a hacking incident that was detected on June 12, 2023. The forensic investigation confirmed that unauthorized individuals accessed some of its IT systems on June 9, 2023, and accessed files containing protected health information; data theft could not be ruled out. The affected files contained the information of current and former patients, employees, and employee and provider spouses, partners, and dependents.

The affected patient data included names, addresses, dates of birth, Social Security numbers, financial account information, medical records numbers, health insurance plan member IDs, and claims data (including any diagnoses listed on claims). Employee and spouse/partner/dependent information data included names, Social Security numbers, financial account information, health insurance plan member IDs, and claims data. The affected individuals started to be notified by mail on August 11, 2023. CentroMed said additional safeguards and technical security measures have been implemented to prevent similar breaches in the future.

MOVEit Transfer Hacking Victims

Several more organizations have confirmed that they had data stolen by the Clop hacking group, which exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution.

Unum Group

Unum Group has confirmed that the protected health information of 531,732 individuals was compromised. Suspicious activity was detected within its environment on June 1, 2023, and it was confirmed on July 22, 2023, that the following data types had been compromised: name, date of birth, address, Social Security number or individual tax identification number, medical, health insurance claim, and policy information. A limited number of individuals also had financial information and/or other government-issued identification numbers compromised. Credit monitoring and identity protection services have been offered.

UMass Chan Medical School

UMass Chan Medical School said the protected health information of 134,000 individuals was compromised in the attack. The breach was discovered on June 1, 2023, and it determined the individuals and compromised data types on July 27, 2023. The information involved varied from individual to individual and may have included the following data types: name, date of birth, mailing address, diagnosis/treatment information, prescription information, provider name, date(s) of service, claim information, health insurance member ID number, other health insurance-related information, Social Security number, and financial account information. Credit monitoring and identity protection services have been offered.

Sovos Compliance

Sovos Compliance, a provider of tax compliance and business-to-government reporting software, reported its breach to the Maine Attorney General as affecting a total of 18,513 individuals, although its OCR breach report indicates the PHI of 4,563 individuals was compromised in the attack. The breach was discovered on June 12, 2023, and the investigation confirmed personally identifiable information and Social Security numbers had been stolen. Credit monitoring and identity protection services have been offered.

Data Media Associates

Data Media Associates, a billing service provider to UB Dental Clinic in Buffalo, NY, said its investigation confirmed on July 20, 2023, that the data of 765 UB Dental patients was compromised. The breach was limited to patients who received billing statements between May 4 and May 26, 2023. The compromised information involved the following data elements: practice demographics, patient account number, patient name, guarantor demographics, statement date, amount due, service date, service/payment descriptions, charge amount, payments, or adjustments.


July 2023 Healthcare Data Breach Report

There was a 15.2% fall in reported data breaches in July, with 56 breaches of 500 or more records reported to the HHS’ Office for Civil Rights (OCR). That makes July an average month in terms of the number of breaches: over the past 12 months, 57 breaches have been reported each month on average. July was not an average month in terms of the number of compromised records, however.

There was a 261% month-over-month increase in breached records in July, with 18,116,982 records breached across the 56 reported incidents. The unusually high total was largely due to a major data breach at HCA Healthcare, which saw the records of 11,270,000 individuals compromised.

The figures this month bring the running breach total for 2023 up to 395 incidents, across which the records of 59,569,604 individuals have been exposed or stolen. The average breach size for 2023 is 150,809 records and the median breach size is 4,209 records. Over the past 12 months, more than 81.76 million records have been breached across 683 incidents.

Largest Healthcare Data Breaches Reported in July

HCA Healthcare is a Nashville, TN-based health system that operates 182 hospitals and around 2,300 sites of care. Hackers gained access to an external electronic storage facility that was used by a business associate for automating the formatting of email messages, such as reminders sent to patients about scheduling appointments. While the breach was one of the largest ever reported, the data stolen in the attack was limited. HCA Healthcare said the data compromised was limited to name, city, state, zip code, email, telephone number, date of birth, gender, service date, location, and, in some instances, the date of the next appointment.

The second largest breach, reported by the Centers for Medicare and Medicaid Services (CMS) as affecting 1,362,470 Medicare recipients, was more severe because of the types of data compromised. The breach occurred at a CMS contractor, Maximus Federal Services, Inc. (Maximus), one of hundreds of organizations to fall victim to the mass exploitation of a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution. Progress Software identified the vulnerability and issued a patch on May 31, 2023; however, the vulnerability had already been exploited by the Clop hacking group. The total number of victims of the MOVEit campaign has yet to be determined; KonBriefing Research, which has been tracking the breach reports, puts it at at least 734 organizations, with between 42.7 million and 47.6 million individuals’ records stolen. Clop did not encrypt data; it stole files and issued ransom demands, with payment required to prevent the release or sale of the stolen data.

In July, 26 breaches of 10,000 or more records were reported to OCR, 11 of which were due to the exploitation of the MOVEit vulnerability. All but two of the 26 breaches were due to hacking incidents.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Cause of Breach |
|---|---|---|---|---|---|
| HCA Healthcare | TN | Business Associate | 11,270,000 | Hacking/IT Incident | Hacking incident – External electronic storage facility used by a business associate |
| Centers for Medicare & Medicaid Services | MD | Health Plan | 1,362,470 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion (Maximus) |
| Florida Health Sciences Center, Inc. dba Tampa General Hospital | FL | Healthcare Provider | 1,313,636 | Hacking/IT Incident | Hacking incident – Ransomware attack |
| Pension Benefit Information, LLC | MN | Business Associate | 1,209,825 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion |
| Allegheny County | PA | Healthcare Provider | 689,686 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion |
| United Healthcare Services, Inc. Single Affiliated Covered Entity | CT | Health Plan | 398,319 | Hacking/IT Incident | Hacking incident |
| Johns Hopkins Medicine | MD | Healthcare Provider | 310,405 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion |
| Harris County Hospital District d/b/a Harris Health System | TX | Healthcare Provider | 224,703 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion |
| Precision Anesthesia Billing LLC | FL | Business Associate | 209,200 | Hacking/IT Incident | Hacking incident – Ransomware attack |
| Fairfax Oral and Maxillofacial Surgery | VA | Healthcare Provider | 208,194 | Hacking/IT Incident | Hacking incident |
| The Chattanooga Heart Institute | TN | Healthcare Provider | 170,450 | Hacking/IT Incident | Hacking incident – Data theft confirmed |
| Phoenician Medical Center, Inc | AZ | Healthcare Provider | 162,500 | Hacking/IT Incident | Hacking incident – Data theft confirmed |
| UT Southwestern Medical Center | TX | Healthcare Provider | 98,437 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion |
| Hillsborough County, Florida (County Government) | FL | Healthcare Provider | 70,636 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion |
| Family Vision of Anderson, P.A. | SC | Healthcare Provider | 62,631 | Hacking/IT Incident | Hacking incident – Ransomware attack |
| Jefferson County Health Center | IA | Healthcare Provider | 53,827 | Hacking/IT Incident | Hacking incident – Data theft confirmed (Karakurt threat group) |
| New England Life Care, Inc. | ME | Healthcare Provider | 51,854 | Hacking/IT Incident | Hacking incident |
| Care N’ Care Insurance Company, Inc. | TX | Health Plan | 33,032 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion (TMG Health Inc) |
| Synergy Healthcare Services | GA | Business Associate | 25,772 | Hacking/IT Incident | Hacking incident |
| Rite Aid Corporation | PA | Healthcare Provider | 24,400 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion |
| Life Management Center of Northwest Florida, Inc. | FL | Healthcare Provider | 19,107 | Hacking/IT Incident | Hacking incident |
| Saint Francis Health System | OK | Healthcare Provider | 18,911 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion |
| Pennsylvania Department of Human Services | PA | Healthcare Provider | 16,390 | Unauthorized Access/Disclosure | Hacking incident – Unauthorized access to a system test website |
| The Vitality Group, LLC | IL | Business Associate | 15,569 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion |
| Wake Family Eye Care | NC | Healthcare Provider | 14,264 | Hacking/IT Incident | Hacking incident – Ransomware attack |
| East Houston Med and Ped Clinic | TX | Healthcare Provider | 10,000 | Unauthorized Access/Disclosure | Storage unit sold that contained boxes of patient records |

Causes of July 2023 Data Breaches

Hacking incidents dominated the breach reports in July, with 49 incidents reported to OCR involving 18,083,328 records. The average breach size was 369,048 records and the median breach size was 9,383 records. The majority of these incidents were data theft and extortion incidents, where hackers gained access to networks, stole data, and issued ransom demands. Many hacking groups are now choosing not to encrypt files and are concentrating on data theft and extortion. When claiming responsibility for the MOVEit attacks, a spokesperson for the Clop group said they could have encrypted data but chose not to.

There were 7 unauthorized access/disclosure incidents reported involving the PHI of 33,654 individuals. The average breach size was 4,808 records and the median breach size was 1,541 records. Three of those incidents involved unauthorized access to paper records and three were email-related data breaches. There were no reported breaches involving the loss, theft, or improper disposal of physical records or devices containing electronic PHI.

Where did the Data Breaches Occur?

The OCR breach portal lists data breaches by the reporting entity, although that is not necessarily where the data breach occurred. Business associates of HIPAA-covered entities may report their own breaches, they may be reported by the covered entity, or a combination of the two. For instance, Maximus reported its MOVEit Transfer breach as affecting 932 individuals, but many of its clients were affected and the total number of individuals affected was in the millions.

The raw data on the breach portal indicates 37 breaches at healthcare providers, 11 breaches at business associates, 7 at health plans, and one breach at a healthcare clearinghouse, although the totals shift when each breach is attributed to the entity where it occurred rather than to the reporting entity.

Geographical Distribution of Data Breaches

Data breaches of 500 or more records were reported by HIPAA-regulated entities in 25 states. Texas was the worst affected state with 7 breaches, with Florida and California also badly affected.

| State | Breaches |
|---|---|
| Texas | 7 |
| Florida | 6 |
| California | 5 |
| Maryland, Pennsylvania & Tennessee | 4 |
| Arizona & North Carolina | 3 |
| Connecticut, Illinois & Minnesota | 2 |
| Georgia, Idaho, Indiana, Iowa, Kentucky, Maine, Michigan, New Jersey, New York, Ohio, Oklahoma, South Carolina, Virginia & Washington | 1 |

HIPAA Enforcement Activity in July 2023

There were no enforcement actions announced by OCR or state attorneys general in July to resolve HIPAA violations.


Cummins Behavioral Health Reports 157K Record Data Breach

Cummins Behavioral Health Systems Inc. in Avon, IN, has recently reported a data security incident to the Maine Attorney General that has affected 157,688 patients. On March 9, 2023, a ransom note was detected within its computer environment that had been placed there by an unauthorized individual. No file encryption occurred; however, the attacker claimed to have exfiltrated sensitive data.

The forensic investigation confirmed that an unauthorized individual had access to its network between February 2, 2023, and March 9, 2023. The information removed from its systems included names, addresses, dates of birth, Social Security numbers, driver’s license/State ID numbers, financial account information, payment card information, usernames/passwords, health insurance information, and medical information. System security has been strengthened to prevent similar incidents in the future and affected individuals have been offered complimentary credit monitoring and identity theft protection services.

Email Encryption Failure Exposed Client Data at Redwood Coast Regional Center

Redwood Coast Regional Center (RCRC), a provider of services to individuals with developmental disabilities in Del Norte, Humboldt, Lake, and Mendocino Counties in California, has alerted 1,345 individuals about the exposure of some of their data. On June 14, RCRC’s mail server encryption software failed due to a system outage, which resulted in protected health information being sent in plain text messages that could potentially have been intercepted by unauthorized individuals. The exposed data was limited to client names, UCI numbers, addresses, dates of birth, and/or authorized service information. No information was exposed that would put clients at risk of identity theft. RCRC said it is reviewing its procedures and practices to prevent similar data exposures in the future.
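The RCRC incident is a fail-open design problem: when the encryption layer was unavailable, mail kept flowing in the clear instead of being held. RCRC has not said which product failed or how its mail path is built, so the following is an added illustration and not RCRC’s configuration. It assumes a Postfix MTA and shows the opportunistic TLS setting that silently falls back to cleartext next to the mandatory setting that defers mail instead; the policy-table path is a placeholder.

```ini
# Added example: Postfix main.cf fragment (assumed MTA, not RCRC's configuration)

# WEAK (fails open): opportunistic TLS. If the remote server does not offer
# STARTTLS, or the handshake fails, Postfix delivers the message in cleartext.
# smtp_tls_security_level = may

# HARDENED (fails closed): mandatory TLS for all outbound mail. If STARTTLS is
# not offered or the handshake fails, the message stays in the deferred queue
# and is retried; it is never sent in cleartext.
smtp_tls_security_level = encrypt

# Refuse legacy protocol versions on mandatory-TLS connections.
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

# Log a summary line per TLS connection so handshake failures are visible
# in the mail log rather than silent.
smtp_tls_loglevel = 1

# Per-destination overrides (placeholder path): lets known partners be held
# to certificate verification ("secure") on top of the global "encrypt" floor.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
```

With `encrypt` in force, an outage of the peer’s or gateway’s TLS capability shows up as delayed mail and deferred-queue entries, not as exposed PHI; that delay is the intended trade-off. `postconf smtp_tls_security_level` prints the effective value on a running system, and a result of `may` or `none` means outbound mail will fall back to cleartext. The same fail-closed rule applies to a content-encryption gateway in front of the MTA: if it is down, the path carrying PHI should queue, not bypass.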

Coastal Orthopedics Alerts Patients About Cyberattack and Data Breach

Bradenton, FL-based Coastal Orthopedics & Sports Medicine of Southwest Florida has recently confirmed that hackers gained access to its network and potentially obtained patient data. The cyberattack was detected on June 11, 2023, and the subsequent forensic investigation confirmed unauthorized access to its network between June 6, 2023, and June 11, 2023, and data exfiltration.

The breach investigation is ongoing, so it is currently unclear how many individuals have been affected or the exact types of information involved; however, the compromised data is likely to include a combination of names, Social Security numbers, patient identification numbers, medical record numbers, diagnosis information, other medical information, addresses, driver’s license number, health insurance information, financial account information, and dates of birth. Policies, procedures, and processes are being reviewed to reduce the likelihood of a similar event in the future and notification letters will be sent to the affected individuals when the file review has been completed.

Capital Neurological Surgeons Reports Email Account Breach

Capital Neurological Surgeons in Sacramento, CA, has recently discovered that an unauthorized individual gained access to an employee email account and potentially obtained patient information. The email account was accessed on January 17, 2023, with the forensic investigation confirming on July 20, 2023, that the account contained protected health information.

The information potentially compromised varied from patient to patient and may have included names in combination with one or more of the following: Social Security numbers, date of birth, driver’s license numbers or state identification numbers, medical information (diagnosis/clinical information, treatment type or location, doctor name, medical procedure information, medical record number, patient account number, and/or prescription information), and/or health insurance policy information. Affected individuals were notified by mail on August 4, 2023. The delay in issuing notification letters was due to the lengthy file review. Complimentary credit monitoring services have been offered to individuals who had their Social Security numbers compromised.

The incident is not yet showing on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

The post Cummins Behavioral Health Reports 157K Record Data Breach appeared first on HIPAA Journal.

Tift Regional Medical Center Patients Notified About August 2022 Cyberattack

Tift Regional Medical Center in Georgia has started notifying 180,142 patients that their personal and protected health information was compromised in a cyberattack that was detected on or around August 16, 2022. According to the notification letters, there was no encryption of systems, access was not gained to its electronic medical record system, and the network remained available to staff and patients. The forensic investigation of the incident indicated files “were or may have been accessed or copied without authorization between August 11, 2022, and August 17, 2022.” The attack was conducted by the Hive ransomware group, which was the subject of a law enforcement takedown in January 2023. The Hive group claimed to have stolen 1TB of data in the attack, some of which was released on its data leak site.

The affected patients were informed that the files contained names, dates of birth, Social Security numbers, and medical information. Complimentary credit monitoring services have been offered for 12 months. The HIPAA Breach Notification Rule requires notifications to be issued within 60 days of the discovery of a data breach, and the HHS was notified on time (October 14, 2022). A provisional total of 500 records was reported, as it was not known at the time how many individuals had been affected. Individual notifications are also required within that same 60-day time frame. Tift Regional Medical Center did not explain in the notification letters why they were delayed.

Health Plan Member Data Compromised in Ransomware Attack on the City of Dallas

The city of Dallas suffered a ransomware attack on May 3, 2023, that impacted several of its websites and IT systems. Online services were offline for several days, with some IT systems across its network down for several weeks following the attack. The city has reportedly paid at least $8.6 million for hardware, software, incident response, and consulting services in response to the Royal ransomware attack. The city has recently notified the HHS’ Office for Civil Rights that 30,253 members of its self-insured group health plans had their protected health information stolen in the attack, including names, addresses, Social Security numbers, and medical and health information.

Confirmed MOVEit Transfer Hacks by the Clop Hacking Group

The following HIPAA-regulated entities have recently confirmed that they were affected by the MOVEit Transfer hacks by the Clop group in late May 2023. A zero-day vulnerability in Progress Software’s file transfer solution was exploited, data was stolen, and ransom demands were issued.

United Healthcare Services, Inc., MN

Individuals affected: 398,319

Attacked entity: United Healthcare Services.

Information compromised: name, date of birth, address, phone number, email address, plan identification number, policy information, student identification number, Social Security number or national identification number, and claim information, including claim numbers, provider information, dates of service, diagnosis codes, prescription information, and financial information associated with claims.

Credit Monitoring: Norton LifeLock credit monitoring and identity theft protection for 24 months.

VNS Health Plans, NY

Individuals affected: 103,775

Attacked entity: VNS Health Plans’ claims processing vendor, TMG Health Inc.

Information compromised: name, mailing address, telephone number, email address, date of birth, Social Security number, member ID, Medicare and/or Medicaid number, benefit and subsidy information, billing information, medical claims information, healthcare provider name and specialty, and dates of service.

Credit Monitoring: Personal Identity and Privacy Protection through IDX for 12 months.

Vecino Health Centers, TX

Individuals affected: No information at this stage.

Attacked entity: Harris Health.

Information compromised: name, date of birth, prescription date(s).

Credit Monitoring: Not stated in the substitute breach notice.

The post Tift Regional Medical Center Patients Notified About August 2022 Cyberattack appeared first on HIPAA Journal.