HIPAA Breach News

Employee of Beacon Health System Impermissibly Accessed 3,100 Patients' Records

South Bend, IN-based Beacon Health System (BHS) says the medical records of 3,117 patients have been accessed by an employee when there was no legitimate work reason for viewing the records. The unauthorized activity was detected on or around January 10, 2023, prompting an investigation to determine the extent of the privacy violation.

BHS said the employee’s work duties were related to patient registrations, verification of benefits, and patient placements within the hospital. As such, security privileges allowed access to clinical documentation in medical records, as access to clinical information was occasionally necessary. The investigation confirmed on February 20, 2023, that the medical record access was unrelated to the employee’s work duties, with the period of access spanning from November 18, 2018, to February 24, 2023.

The information accessed included names, addresses, birth dates, Social Security numbers, and clinical information such as diagnoses, emergency care treatment information, labs and diagnostic testing, operative and anesthesia documentation, ancillary clinical documentation, and medical histories. BHS said notification letters are being sent to affected individuals and confirmed that the employee no longer works at BHS.

California Secretary of State Confirmed Impermissible Disclosure of Historical Health Records

The California Secretary of State has recently confirmed there has been an impermissible disclosure of historical records. A researcher had requested records from the state's sterilization program, which are public once they are older than 75 years; however, the records provided to the researcher included data from 1948 to 1952. The records were provided on December 19 and December 22, the former on-site and the latter by secure digital transfer.

The researcher notified the California Secretary of State about the error on December 23, 2022. The disclosure was due to a mislabeled data range. The researcher confirmed the records had not been viewed in detail and have since been deleted from the researcher’s computer. The records included personally identifiable information such as names, family member names, dates of birth, familial medical histories, and medical information such as diagnoses, operation dates, sterilization dates, and other medical information. The California Secretary of State arranged a review of the records and redacted the records from the microfilm.

Sensitive PHI Exposed at Baltimore Occupational Health Service Provider

Boxes of files containing sensitive patient information have been discovered outside Occupational Medical Services in Baltimore, MD. Occupational Medical Services provides drug and alcohol testing and care in worker compensation cases. The boxes had been opened by some members of the public and were found to contain names, contact information, health information, and Social Security numbers.

According to FOX45 reporters, who contacted company owner Joyce Phillips, the files came from a medical facility that had closed down and were due to be collected and shredded. Some 200 boxes of files had been moved outside, where they had remained for a day awaiting collection.

The post Employee of Beacon Health System Impermissibly Accessed 3,100 Patients' Records appeared first on HIPAA Journal.

Three Healthcare Providers Report Phishing Attacks

Livonia, MI-based Trinity Health has confirmed that an unauthorized individual gained access to an employee email account and potentially viewed or obtained patient information. Suspicious account activity was detected in the employee’s email account on January 5, 2023. The investigation confirmed unauthorized access to the email account occurred between December 16, 2022, and December 18, 2022.

A review of the contents of the account was completed on February 14, 2023. The types of information in the account varied from patient to patient and may have included names, medical record numbers, patient ID numbers, encounter numbers, location(s) of service, provider names and specialties, procedure name(s), insurance name/type, billing balances, and dates of birth. A limited number of individuals had their address, phone number, email address, and prescription information exposed.

Trinity Health changed the account password to prevent further unauthorized access and has reviewed its policies and procedures. Due to the nature of the exposed information, Trinity Health believes the potential for misuse is low; however, affected individuals have been offered a complimentary 12-month membership to a credit monitoring and identity theft protection service.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many patients have been affected.

Beaver Medical Group Patients Affected by Email-Related Breach

Beaver Medical Group and Epic Management in California, part of the Optum Group, have started notifying certain patients that an employee's workstation was compromised after the employee responded to a phishing email. The email account was accessed for a limited period of time, but during that window of opportunity, emails may have been viewed or copied. The forensic investigation concluded on February 3, 2023, that the exposed information included names, member ID numbers, health plan information, and premium payment amounts.

Beaver and Epic have confirmed that security controls have been enhanced on their servers to prevent similar breaches in the future and monitoring has been enhanced. The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many patients have been affected.

AllCare Plus Pharmacy Reports Summer 2022 Phishing Attack

AllCare Plus Pharmacy in Northborough, MA, has recently reported a phishing attack to the Maine Attorney General that has affected 5,971 patients. On June 21, 2022, AllCare Plus Pharmacy identified a phishing campaign targeting multiple employees. Prompt action was taken to remove the phishing emails from its email systems and prevent unauthorized account access; however, several employee accounts were accessed by unauthorized individuals.

While no evidence of misuse of patient data has been identified, it should be assumed that protected health information was accessed or obtained. The review of the affected accounts confirmed they contained names, addresses, birth dates, Social Security numbers, driver’s license and other ID numbers, financial information, and limited health and health insurance information related to treatment and prescriptions.

AllCare Plus Pharmacy said additional security measures, internal controls, and safeguards have been implemented, and affected individuals have been offered 24 months of credit monitoring services.

Protected Health Information Exposed in 5 Recent Hacking Incidents

Florida Medical Clinic, NorthStar Emergency Medical Services, Denver Public Schools, Wichita Urology Group, and The Bone & Joint Clinic have recently reported hacking incidents and the exposure and potential theft of protected health information.

Florida Medical Clinic

Florida Medical Clinic has recently announced that it was the victim of a ransomware attack. The attack was detected on January 9, 2023, and prompt action was taken to contain the attack, which limited data exposure, although files were encrypted. The third-party forensic investigation confirmed the attacker accessed files that contained patients’ protected health information; however, its electronic medical record system was not affected.

In a refreshingly detailed breach notice, Florida Medical Clinic explained that 94,132 files had been exposed, each of which only contained limited patient information. 95% of the compromised files only included an individual’s name. The remaining files included names, phone numbers, email addresses, birth dates, and addresses. No financial information was compromised, and only 115 Social Security numbers were exposed.

Florida Medical Clinic said evidence was obtained of all stolen files being permanently deleted, which indicates the ransom was paid. No evidence of misuse of patient data has been uncovered. All affected patients have been notified and additional cybersecurity measures have been implemented to prevent further attacks, including replacing certain system components and changing remote access protocols.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many patients have been affected.

NorthStar Emergency Medical Services

Tuscaloosa, AL-based NorthStar Emergency Medical Services has recently reported a data breach that has affected up to 82,450 patients. According to the notice sent to the Maine Attorney General, suspicious activity was detected within its computer network on September 16, 2022; however, it took until March 8, 2023, to determine that patient data had been exposed. The breach notice did not state when the attackers first gained access to its network.

The affected files contained information such as names, Social Security numbers, birth dates, patient ID numbers, treatment information, Medicare/Medicaid numbers, and health insurance information. Notification letters were sent to affected individuals on March 14, 2023. Complimentary credit monitoring and identity theft protection services have been offered to affected individuals and steps have been taken to harden security.

Denver Public Schools

Denver Public Schools has recently announced that unauthorized individuals gained access to some of its servers and exfiltrated files that contained sensitive employee data. Data theft was discovered on January 4, 2023, and the forensic investigation confirmed unauthorized individuals had access to its network between December 13, 2022, and January 13, 2023.

The document review revealed the affected files included names, Social Security numbers, fingerprints (if on file), bank account numbers/pay card numbers, student ID numbers, driver’s license numbers, passport numbers, and some health plan enrollment information. The breach was reported to the HHS’ Office for Civil Rights as involving the protected health information of 35,068 current and former participants in its employer-sponsored health plan. It is unclear how many students were affected by the data breach. Denver Public Schools said additional security measures have been implemented to prevent similar breaches in the future. Credit monitoring and identity theft protection services are being offered to affected individuals.

The Bone & Joint Clinic in Wisconsin

The Bone & Joint Clinic, which operates 7 clinics in Wisconsin, has recently notified current and former employees and patients about a cyberattack that was detected on January 16, 2023, which caused network disruption. According to the notification letters, unauthorized individuals potentially accessed and acquired files containing information such as names, addresses, phone numbers, birth dates, Social Security numbers, health insurance information, and diagnosis and treatment information.

Affected individuals were notified on March 7, 2023, and offered 12 months of complimentary credit monitoring and identity theft protection services. The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many patients have been affected.

Wichita Urology Group

Wichita Urology Group in Kansas has recently notified 1,493 individuals that unauthorized individuals gained access to its network and potentially viewed or obtained files containing names, prescription information, billing information, and health insurance information.

Suspicious activity was detected within its network on January 3, 2023, with the forensic investigation confirming the intrusion occurred on January 2. The forensic investigation confirmed on January 26, 2023, that protected health information had been exposed; however, there has been no detected misuse of patient data. Technical security measures have been enhanced to prevent further attacks.

Settlement Agreed with Florida Children’s Health Insurance Website Contractor to Resolve False Claims Act Allegations

The United States Department of Justice has agreed to settle alleged False Claims Act violations with Jelly Bean Communications Design LLC and manager Jeremy Spinks related to the failure to protect HIPAA-covered data.

Jelly Bean Communications Design is a Tallahassee, FL-based company co-owned by Jeremy Spinks, who is the company’s manager and sole employee. The company provides web hosting functions and services for its clients, one of which was the Florida Healthy Kids Corporation (FHKC). FHKC is a state-created entity that offers health and dental insurance to children in Florida between the ages of 5 and 18. FHKC receives Medicaid funds and state funds for providing health insurance programs for children in Florida.

On July 1, 2012, the Agency for Health Care Administration (AHCA) in Florida contracted with FHKC to provide services for the State Children’s Health Insurance Plan (SCHIP) Program, which included implementing technical safeguards to ensure the confidentiality, integrity, and availability of the electronic protected health information that was received, maintained, or transmitted on behalf of AHCA. FHKC contracted with Jelly Bean Communications Design on October 13, 2013, to provide web design, programming, and hosting services. Under that contract, Jelly Bean Communications Design was required to provide a fully functioning hosting environment that complied with the standards of the HIPAA Security Rule, thus requiring Jelly Bean Communications Design to create appropriate code to ensure the secure communication of HIPAA-protected data. The contract was renewed by FHKC through 2020, with the federal government covering 86% of the payments to Jelly Bean Communications Design.

Between 2013 and 2020, the online application system created by Jelly Bean Communications Design collected data from parents and other individuals that were provided when submitting applications for Medicaid insurance coverage for children. Jelly Bean Communications Design issued invoices to FHKC for its services, which included “HIPAA-compliant hosting” and a monthly retainer fee for hosting and other tasks.

In early December 2020, it became clear that the website had been hacked and unauthorized individuals accessed the application data of more than 500,000 individuals submitted through the HealthyKids.org website. FHKC initiated an investigation that revealed hackers had altered applications allowing data to be stolen. The review of the website found multiple outdated and vulnerable applications and the website had not been patched since November 2013. Further, the website did not maintain audit logs showing who had accessed the personal information of applicants. The types of information compromised included names, dates of birth, email addresses, telephone numbers, addresses, Social Security numbers, financial information, family relationship information, and secondary insurance information. The application portal was shut down by FHKC in December 2020 in response to the cybersecurity failures.

The civil litigation alleged that Jelly Bean Communications Design and Jeremy Spinks failed to follow cybersecurity standards, resulting in the exposure of sensitive HIPAA-covered data, while submitting false claims that the data would be safeguarded and knowingly failing to properly maintain, patch, and update software systems. While Jelly Bean Communications Design acted as a business associate under HIPAA, the action was taken over violations of the False Claims Act under the Department of Justice's 2021 Civil Cyber-Fraud Initiative. The Civil Cyber-Fraud Initiative uses the False Claims Act to pursue cybersecurity-related fraud by government contractors and grant recipients. The case was the result of a coordinated effort by the Justice Department's Civil Division, Commercial Litigation Branch, Fraud Section, and the U.S. Attorney's Office for the Middle District of Florida, with assistance provided by HHS-OIG.

The claims were settled by Jelly Bean Communications Design and Jeremy Spinks, who agreed to pay $293,771 to resolve the allegations, of which $130,565.00 is restitution. The settlement was agreed to avoid the delay, uncertainty, inconvenience, and expense of protracted litigation, with no admission of liability or wrongdoing and no concession by the United States that its claims were not well founded.

“Companies have a fundamental responsibility to protect the personal information of their website users. It is unacceptable for an organization to fail to do the due diligence to keep software applications updated and secure and thereby compromise the data of thousands of children,” said Special Agent in Charge Omar Pérez Aybar of the Department of Health and Human Services, Office of Inspector General (HHS-OIG). “HHS-OIG will continue to work with our federal and state partners to ensure that enrollees can rely on their health care providers to safeguard their personal information.”

More Than 4 Million Individuals Affected by Cyberattack on Independent Living Systems

Independent Living Systems, LLC (ILS), a Miami, FL-based provider of third-party administrative services to managed care organizations, has recently informed the Maine Attorney General that it suffered a data breach that has affected up to 4,226,508 individuals – the largest healthcare data breach to be reported so far this year.

According to the breach notification, ILS identified suspicious activity within its computer systems on July 5, 2022. Assisted by third-party cybersecurity experts, ILS determined that unauthorized individuals accessed its network between June 30, 2022, and July 5, 2022, and acquired files containing sensitive data.

ILS conducted a comprehensive review of all affected files and was provided with the results of the review on January 17, 2023. ILS then worked to validate those results and obtain up-to-date contact information for the affected individuals to allow notification letters to be sent.

The information compromised included names, addresses, dates of birth, state ID numbers, Social Security numbers, taxpayer ID numbers, financial account information, Medicare/Medicaid IDs, diagnosis codes/diagnosis information, admission/discharge dates, mental/physical conditions, treatment information, food delivery information, prescription information, billing/claims information, and health insurance information. The types of information varied from individual to individual.

The affected individuals had previously received services directly from ILS, via its covered entity subsidiaries: Florida Community Care LLC and/or HPMP of Florida Inc (dba Florida Complete Care), or from other data owner clients/health plans.

ILS said it added a preliminary notice to its website on September 2, 2022, but was not able to send notification letters until the review and validation process had been completed. Notification letters started to be mailed to affected individuals on March 14, 2023. Affected individuals have been offered complimentary credit monitoring services.

ILS said it has been working on implementing additional safeguards to prevent further cyberattacks, including fortifying its firewall, updating complexity requirements for credentials, implementing additional internal security procedures, updating its employee training protocols, and providing additional training to its workforce.

ZOLL Medical Says 1 Million Patients Affected by January Cyberattack and Data Breach

ZOLL Medical has recently announced that it has suffered a cyberattack in which the protected health information of more than one million patients was exposed. ZOLL Medical develops and markets emergency care medical devices such as resuscitation, ventilation, oxygen therapy, and cardiac monitoring products and associated software solutions.

According to the notification letter sent to the Maine Attorney General, unusual activity was detected within its internal network on January 28, 2023. The forensic investigation revealed on February 2, 2023, that unauthorized individuals had gained access to parts of the network that included patient information such as names, addresses, dates of birth, and Social Security numbers. The individuals affected either used or were previously considered for use of the ZOLL LifeVest wearable cardioverter defibrillator (WCD).

ZOLL Medical did not provide details of the exact nature of the cyberattack, such as whether malware or ransomware was involved, nor if any data was exfiltrated, but did state that no evidence of actual or attempted misuse of patient data has been detected.

Notification letters are now being mailed to all affected individuals. While data misuse has not been detected, as a precaution against identity theft and fraud, affected individuals have been offered complimentary credit monitoring and identity theft protection services for 24 months. In response to the cyberattack, ZOLL Medical is evaluating its security measures and will augment them, as appropriate, to improve security and prevent similar incidents in the future.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal; however, the notification to the Maine Attorney General indicates the protected health information of 1,004,443 individuals has been exposed.

This isn’t the first large data breach to affect ZOLL Medical. In 2018, the protected health information of approximately 277,000 users of its medical equipment was exposed due to a breach at a third-party software vendor. A server migration error at Barracuda Networks resulted in parts of its email archive being exposed online.

Ransomware Attack Announced by Codman Square Health Center

Codman Square Health Center in Boston, MA, has confirmed that it was the victim of a ransomware attack in November 2022 in which hackers gained access to the protected health information of 10,161 current and former patients.

The incident was detected on November 28, 2022, and third-party digital forensics experts were engaged to investigate the security breach and determine the nature and scope of the attack. The investigation confirmed that unauthorized individuals gained access to parts of its network between November 23 and November 28, during which time they may have viewed or acquired files containing patient data.

Codman Square Health Center said it was confirmed on January 25, 2023, that a folder on the compromised part of its network contained patient data, although it was not possible to tell if that folder was accessed. The files in that folder included names, addresses, birth dates, medical record numbers, diagnoses, treatment information, and claims information.

Notifications are being sent to affected individuals and steps have been taken to improve privacy and security and prevent further incidents of this nature.

Email Exposure Reported by Community Health Center of Greater Dayton

Community Health Center of Greater Dayton in Ohio has recently announced that the protected health information of more than 500 patients has been exposed as a result of an email error. On February 2, 2023, a business associate was sent an email that included a list of patients’ dental appointments. The business associate was authorized to receive that information; however, the email was not encrypted and therefore could have been intercepted.

The list included patient names, dates of birth, medical record numbers, appointment dates/times, and a brief description of why the appointment was booked. The risk of misuse of the data is believed to be low, but notification letters have been sent alerting patients about the HIPAA breach. Additional safeguards have been implemented and the staff has been retrained on how to send emails securely.

Pixel Use Results in Impermissible Disclosure of the PHI of 3.1 Million Cerebral Platform Users

The telehealth company, Cerebral Inc., has confirmed that pixels and other tracking technology on its website resulted in the impermissible disclosure of the personal and protected health information of 3,179,835 patients. Cerebral is a fully remote telehealth provider that provides access to mental health services, including online therapy, mental health assessments, and visits with clinicians to treat mental health issues such as anxiety, depression, and insomnia. On January 3, 2023, Cerebral said it discovered pixels and other tracking technologies on its platform had collected and transferred sensitive HIPAA-protected information to third parties such as Meta (Facebook), Google, TikTok, and others.

Cerebral said in its breach notice that tracking technologies are widely used by bricks-and-mortar healthcare providers, telehealth companies, and other businesses on their websites, but that it had been made aware that these technologies could capture and impermissibly disclose sensitive data to the companies that provide them. An investigation was launched into the use of these tools, which confirmed that the tracking technologies had been added to Cerebral's platforms on October 12, 2019. The review confirmed that protected health information had been impermissibly disclosed to certain third parties and some subcontractors without first obtaining patient consent or business associate agreements that included the HIPAA-required assurances about uses and disclosures of any transferred protected health information.

Cerebral confirmed that the pixels and tracking technologies were disabled when the issue was detected, and were either removed or reconfigured to prevent any further unauthorized data sharing with any third party or subcontractor that was unable or unwilling to meet HIPAA requirements. Security practices and technology vetting procedures have also been enhanced to mitigate the risk of similar impermissible disclosures in the future.

Cerebral said it is unaware of any misuse of the transferred data, which may have included an individual's name, phone number, email address, date of birth, IP address, Cerebral client ID number, and other demographic information if they created a Cerebral account. If they completed or partially completed a mental health self-assessment, information such as the service the individual selected, assessment responses, and certain associated health information may also have been disclosed. If a subscription plan was purchased, the information disclosed may also have included the plan type, appointment dates/booking information, treatment and other clinical information, health insurance/pharmacy benefit information, and insurance co-pay amounts.

Notification letters were sent to all individuals who fell into one of those categories, even if they did not become Cerebral patients or if they provided information beyond what was required to create a Cerebral account. Cerebral confirmed that Social Security numbers, credit card information, and bank account information were not disclosed; however, out of an abundance of caution, free credit monitoring services have been offered to affected individuals. Cerebral also provided information in the notification letters on how privacy can be protected against tracking technologies, including blocking/deleting cookies, using browsers that have privacy features such as an incognito mode, and setting privacy protections in social media and Google accounts.

Community Health Systems to Notify Up to 1 Million Individuals About GoAnywhere Data Breach

In mid-February, Community Health Systems filed a report with the U.S. Securities and Exchange Commission (SEC) confirming it had been affected by a security incident involving its secure file transfer software, Fortra's GoAnywhere MFT. The Clop ransomware gang claimed responsibility for the attack and claimed to have exfiltrated data from around 130 users of the software. As per the group's modus operandi, ransom demands were issued along with threats to publish the stolen data; however, somewhat atypically, ransomware was not used to encrypt files. In the SEC filing, Community Health Systems explained that the protected health information of up to 1 million individuals was potentially compromised and stated that the investigation into the incident was ongoing.

Community Health Systems has now released further information on the data breach and said it will start sending notification letters to all affected individuals in mid-March. Community Health Systems confirmed that Fortra contracts with CHSPSC, LLC, which is a professional services company that provides services to hospitals and clinics affiliated with Community Health Systems Inc. Fortra notified CHSPSC that a security incident was detected on the evening of January 30, 2023, and took the system offline on January 31, 2023. The investigation confirmed that an unauthorized individual had gained access to the system between January 28, 2023, and January 30, 2023, by exploiting a previously unknown vulnerability – a pre-authentication command injection issue – and compromised a set of files throughout the GoAnywhere platform. CHSPSC was notified about the breach on February 2, 2023, and initiated its own investigation to determine the extent to which patient data had been affected.

Community Health Systems has now confirmed that the personal and protected health information of patients of CHSPSC affiliates has been compromised, along with the personal information of a limited number of employees and other individuals. That information includes full names, addresses, medical billing information, insurance information, medical information such as diagnoses and medications, and demographic information, such as birth dates and Social Security numbers.

Fortra said it terminated access when the breach was detected by taking the platform offline. The GoAnywhere platform has now been rebuilt with additional system limitations and restrictions, and a patch for the exploited vulnerability was released on February 6, 2023. CHSPSC has confirmed that it has implemented further security measures to harden the security of the GoAnywhere platform.

All affected individuals will be offered complimentary identity restoration and credit monitoring services for 24 months. Community Health Systems has also confirmed that it has been assisting law enforcement, the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) with their investigations.

The incident has yet to appear on the HHS' Office for Civil Rights breach portal, so it is currently unclear exactly how many individuals have been affected.
