The personal information of lawmakers and staffers has been stolen in a cyberattack on the health insurance marketplace, DC Health Link. DC Health Link serves around 100,000 people, including 11,000 Congress members and staffers. The investigation into the data breach is still in the early stages so it is currently unclear how many Congress members and staffers have been affected. At this stage of the investigation, it appears that the hacker behind the attack did not specifically target the personally identifiable information (PII) of members of Congress or the House of Representatives.

House Chief Administrative Officer, Catherine Szpindor, issued a statement confirming there had been “a significant data breach” that potentially involved the theft of the PII of thousands of enrollees. She said the Federal Bureau of Investigation (FBI) has been assisting with the investigation and believes the PII of hundreds of Congress members and staffers has been stolen. She also confirmed that some DC Health Link Customer data has been exposed on a public forum. An investigation is currently underway to determine how access to the health insurance marketplace was gained and the extent of the data breach. She recommends credit freezes be placed with the three main credit bureaus as a precaution and to also extend those credit freezes to spouses and dependents, as their information may also have been compromised.

Senate members were notified about the data breach via email by the Senate Sergeant at Arms, who said the stolen data included full names, dates of enrolment, relationship (self, spouse, child), and email addresses, and that no other PII appeared to have been compromised.  House Speaker Kevin McCarthy (R-CA) and House Minority Leader Hakeem Jeffries (D-NY) sought further information about the data breach from DC Health Link and the actions that were being taken in response to the breach.

An established member of a hacking forum was attempting to sell the stolen data, which was claimed to include the PII of 170,000 individuals and included personal information, dates of birth, the names of spouses and dependents, Social Security numbers, and other sensitive information. A sample of the PII of 11 individuals was added to the listing as proof that the dataset was legitimate. McCarthy and Jeffries said the FBI purchased some of the data and confirmed that Social Security numbers were included along with other sensitive information. The hacker appeared not to have realized the dataset included the PII of members of Congress and staffers; however, now that the data breach has been made public that will be abundantly clear. The hacker has since updated the post to indicate the data has been sold. A spokesperson for the DC Health Benefit Exchange Authority, which runs DC Health Link, said credit monitoring services are being offered to affected individuals.

The post PII of Lawmakers and Capitol Hill Staff Stolen in DC Health Link Data Breach appeared first on HIPAA Journal.

Asante, an Oregon-based health system with three hospitals and more than 30 primary care facilities, has started notifying certain patients that their medical records have been accessed by a local doctor who had no treatment relationship with the patients.

An investigation was launched when the unauthorized access was detected which revealed the unauthorized access had been occurring over a period of 9 years, starting in 2014. The doctor – Dr. Paul Hoffman – has had his access to the electronic medical record system terminated. Asante is satisfied that the records were not accessed with any malicious intent and that the medical records were simply accessed out of curiosity and said there is no reason to suggest the affected patients are at risk of identity theft or fraud. The types of information accessed included names, demographic information, and treatment information. No financial information, driver’s license numbers, or Social Security numbers were viewed. Asante said it is now investigating how to improve the detection of unauthorized medical record access by its staff.

The incident has not yet appeared on the HHS’ Office for Civil Rights website, so it is unclear at this stage how many individuals have been affected.

Patient Data Compromised in Hacking Incident at Northeast Surgical Group

Northeast Surgical Group in Macomb Township, MI, has recently notified 15,298 patients that some of their sensitive health information has been compromised in a recent hacking incident. Suspicious activity was detected within its network on January 8, 2023, and third-party cybersecurity consultants were engaged to conduct a forensic investigation.

Northeast Surgical Group explained in its notification letters that while the breach was detected in January, it took more than a month to determine the extent to which patient data was involved. The forensic investigation concluded on February 13, 2023, and confirmed that information such as names, addresses, and Social Security numbers had been compromised. Some patients also had their date of birth, medical information, and treatment information exposed. A review was conducted to assess the security of its network and additional monitoring tools have now been deployed.

Northeast Surgical Group said it had not found any evidence to suggest that any patient information has been or will be misused as a result of the breach but has provided affected individuals with complimentary credit monitoring services for 12 months. This appears to have been an attack by the BianLian threat group, which has uploaded some of the stolen data to its data leak site.

White Bird Clinic Says Email Error Resulted in a Disclosure of Patients’ PHI

White Bird Clinic in Oregon has recently notified 584 dental patients that some of their personal and protected health information has been impermissibly disclosed due to an email error. A report containing patient names, dates of birth, medical record numbers, and demographic information was accidentally sent to a patient. The patient confirmed that the attached file had not been opened or further disclosed and said the email and attachment had been deleted.

The post Asante Discovers 9 Years of Unauthorized Medical Record Access by a Physician appeared first on HIPAA Journal.

Asante, an Oregon-based health system with three hospitals and more than 30 primary care facilities, has started notifying certain patients that their medical records have been accessed by a local doctor who had no treatment relationship with the patients.

An investigation was launched when the unauthorized access was detected which revealed the unauthorized access had been occurring over a period of 9 years, starting in 2014. The doctor – Dr. Paul Hoffman – has had his access to the electronic medical record system terminated. Asante is satisfied that the records were not accessed with any malicious intent and that the medical records were simply accessed out of curiosity and said there is no reason to suggest the affected patients are at risk of identity theft or fraud. The types of information accessed included names, demographic information, and treatment information. No financial information, driver’s license numbers, or Social Security numbers were viewed. Asante said it is now investigating how to improve the detection of unauthorized medical record access by its staff.

The incident has not yet appeared on the HHS’ Office for Civil Rights website, so it is unclear at this stage how many individuals have been affected.

Patient Data Compromised in Hacking Incident at Northeast Surgical Group

Northeast Surgical Group in Macomb Township, MI, has recently notified 15,298 patients that some of their sensitive health information has been compromised in a recent hacking incident. Suspicious activity was detected within its network on January 8, 2023, and third-party cybersecurity consultants were engaged to conduct a forensic investigation.

Northeast Surgical Group explained in its notification letters that while the breach was detected in January, it took more than a month to determine the extent to which patient data was involved. The forensic investigation concluded on February 13, 2023, and confirmed that information such as names, addresses, and Social Security numbers had been compromised. Some patients also had their date of birth, medical information, and treatment information exposed. A review was conducted to assess the security of its network and additional monitoring tools have now been deployed.

Northeast Surgical Group said it had not found any evidence to suggest that any patient information has been or will be misused as a result of the breach but has provided affected individuals with complimentary credit monitoring services for 12 months. This appears to have been an attack by the BianLian threat group, which has uploaded some of the stolen data to its data leak site.

White Bird Clinic Says Email Error Resulted in a Disclosure of Patients’ PHI

White Bird Clinic in Oregon has recently notified 584 dental patients that some of their personal and protected health information has been impermissibly disclosed due to an email error. A report containing patient names, dates of birth, medical record numbers, and demographic information was accidentally sent to a patient. The patient confirmed that the attached file had not been opened or further disclosed and said the email and attachment had been deleted.

The post Asante Discovers 9 Years of Unauthorized Medical Record Access by a Physician appeared first on HIPAA Journal.

Cedar Park, TX-based Dental Health Management Solutions (DHMS), a provider of dental services to the government/military and private patients has recently announced – via its legal counsel – that the protected health information of certain patients was exposed in a 2021 hacking incident. In a February 2023 notification to the Maine Attorney General, DHMS said it detected a network intrusion on or around August 20, 2021, with the forensic investigation confirming its network was compromised on July 17, 2021.

A comprehensive review was conducted of all files that were potentially accessed or acquired in the attack and confirmed that 3,205 individuals have been affected. The types of information exposed varied from individual to individual and may have included names, addresses, medical information, health insurance information, Medicaid identification numbers, driver’s licenses, account and routing numbers, and Social Security numbers.

DHMS said it has changed passwords and implemented multifactor authentication and offered affected individuals complimentary credit monitoring and identity protection services. The notification letter lacks an explanation of why it took 18 months from the date of discovery of the breach for notification letters to be sent when the HIPAA breach notification rule requires notifications to be issued within 60 days or when the breach occurred.

Aloha Nursing Rehab Centre Breach Affects 20,000 Patients

Aloha Nursing Rehab Centre in Kaneohe, Hawaii, has recently reported a data breach to the HHS’ Office for Civil Rights that has affected 20,216 patients. According to the notification sent to the Maine Attorney General, its IT systems were accessed by an unauthorized individual on or around July 8, 2022. That individual accessed a limited number of electronic records in its systems.

Aloha Nursing Rehab Centre said the investigation and document review revealed on or around December 28, 2022, that the files accessed in the attack included patient information. The types of information involved included names, dates of birth, Social Security numbers, financial account information, driver’s license numbers, and state identification numbers. Affected individuals were notified by mail in February 2023 and were offered complimentary credit monitoring and identity theft protection services and will be protected by a $1,000,000 identity theft insurance policy.

The Chautauqua Center Identifies Limited Exposure of Patient Information

The Chautauqua Center (TCC) in Jamestown New York has recently announced that the protected health information of 747 individuals has been exposed in a data breach involving its business associate, WebPT, which provides electronic medical record services for Chautauqua Physical and Occupational Therapy.

The incident exposed the information of Chautauqua Physical and Occupational Therapy patients to other healthcare facilities during an upgrade to the EMR system on December 22, 2022. The referral report that was accessible to other healthcare clinics included names, case name/creation date, clinical notes from the initial evaluation, last seen/referral dates, insurance provider, treatment clinic, referring physician/physician group name, secondary insurance information, and total visit count for each case.

Due to the limited nature of the data involved, and the fact that the information was only exposed to HIPAA-covered entities, the risks to patients are believed to be minimal; however, all individuals were notified about the exposure in January. Access to the report was disabled within 19 hours of discovery of the exposure, an analysis was performed to identify the cause of the breach, the staff was retrained, and statements were obtained from all affected clinics confirming that there had been no use or further disclosure of the report.

The post Dental Health Management Solutions Notified Patients About Historic Data Breach appeared first on HIPAA Journal.

Evergreen Treatment Services, a Washington-based provider of addiction treatment services, announced on February 13, 2023, that unauthorized individuals gained access to its IT systems and potentially accessed patient information, including names, addresses, birth dates, Social Security numbers, and treatment information.

A third-party cybersecurity firm assisted with the investigation but found no instances of fraud or identity theft; however, as a precaution, the 21,325 affected patients have been offered complimentary credit monitoring and identity theft protection services. Evergreen Treatment Services did not state in its breach notice when the incident was detected, for how long the hackers had access to its network, or any information about the nature of the attack. Data security policies have been enhanced in response to the breach to prevent similar incidents in the future.

Data Stolen in Cyberattack on Texas Orthopaedics and Sports Medicine

Tomball, TX-based Texas Orthopaedics and Sports Medicine (TOSM) has confirmed that an unauthorized third party gained access to its network and removed files from its systems which included names, driver’s license numbers, and medical information. The attack was detected on November 28, 2022, when suspicious activity was identified within its network. The forensic investigation revealed the hackers had access to the network between November 22 and November 29. TOSM said it learned that patient information was compromised on February 10, 2023, and notifications were sent to the 1,023 affected individuals on February 23. TOSM said steps are being taken to improve security and further training has been provided to employees. Affected individuals have been offered one year of credit monitoring services.

Sentara Healthcare Patient Data Exposed Online

Norfolk, VA-based Sentara Healthcare, a not-for-profit healthcare provider serving patients in Virginia and northeastern North Carolina, has recently notified 741 patients that some of their protected health information has been exposed online. Sentara Healthcare was tipped off about the exposed data by an anonymous individual who stumbled across a PDF file online while searching for information on how to convert PDF files to a different format. An individual had uploaded a Medicare remittance document to an Adobe Acrobat website that contained the data of Sentara Healthcare patients.

Sentara Healthcare confirmed that the PDF file was still online and had been uploaded on October 17, 2022. The name of the individual who uploaded the file was found, and Sentara Healthcare confirmed it was an employee of Coronis Health, a business associate that provides billing-related services for lab services. Coronis Health was notified about the exposed data on December 19, 2022, and removed the file on December 20. Coronis Health provided further training to its entire team in response to the error. The file contained patient names, Medicare ID numbers, dates of service, CPT codes, location of service, the last 4 digits of account numbers, and outstanding balances. Credit monitoring services have been offered to affected individuals.

Email Account Compromised at Compass Behavioral Health

On February 28, 2023, Garden City, KS-based Compass Behavioral Health notified 537 patients about a security breach that exposed a limited amount of their personal and health information. On or around December 13, 2022, Compass learned that an employee email account and associated OneDrive account had been compromised. The forensic investigation determined the account contained a spreadsheet that included a list of incident reports maintained by Compass for recording breaches of procedure, injuries, accidents, and unusual occurrences. The spreadsheet included information such as names, addresses, dates of birth, dates of death, location of treatment, medical record numbers, information related to medical incidents, limited medical information, and medication information. Credentials were changed in response to the breach and multi-factor authentication was implemented. There have been no reports of actual or attempted misuse of the exposed information.

The post Evergreen Treatment Services Hacking Incident Affects 21K Patients appeared first on HIPAA Journal.

The Hutchinson Clinic Reports December 2022 Hacking Incident

The Hutchinson, KS-based healthcare provider, The Hutchinson Clinic, has recently announced that hackers accessed its network between December 19, 2022, and December 22, 2022, and during that time, files containing patient data may have been accessed and stolen. According to the clinic’s website data breach notice, the impacted information included names, contact information, birth dates, Social Security numbers, driver’s license numbers, health insurance information, medical record numbers (MRN), medical histories, diagnoses, treatment information, and physician names.

The exposed files are currently being reviewed and notifications will be mailed to affected individuals when that process is completed. The Hutchinson Clinic said it has conducted a review of its policies and procedures and will be implementing additional administrative and technical safeguards to better secure its systems and prevent further incidents of this nature.

The incident has yet to appear on the HHS’ Office for Civil Right website, so it is currently unclear how many patients have been affected.

90 Degree Benefits Reports Hacking Incident Affecting 175,000 Individuals

On February 8, 2023, the Wisconsin-based employee benefits company, 90 Degree Benefits Inc., reported a data breach to the HHS’ Office for Civil Rights that involved the protected health information of 175,000 individuals. There is currently no notice on the 90 Degree Benefits website about the data breach, and currently, all that is known is that this was a hacking/IT incident involving a network server.

This is the second large-scale data breach to be reported by the firm. On June 6, 2022, 90 Degree Benefits reported a breach to the HHS’ Office for Civil Rights that affected 172,450 individuals. The breach was discovered on February 27, 2022, with the forensic investigation determining hackers had access to its network between February 24 and February 27, 2022. The hackers potentially stole information such as names, addresses, and Social Security numbers.

Bridgewater-Raritan Regional School District Announced Breach of Health Plan Data

Bridgewater-Raritan Regional School District has recently confirmed that hackers gained access to its computer network in December 2022 and potentially viewed or obtained the information of employees who were enrolled in its Health Benefit Plan. Suspicious activity was detected within its network on December 12, 2022, and a third-party cybersecurity firm was engaged to investigate. The investigation confirmed its systems were accessed by unauthorized individuals between December 10 and December 12. During that time, files containing names, Social Security numbers, and enrolment selection information may have been accessed. Affected employees were notified on January 27, 2023, and were offered complimentary memberships to an identity theft monitoring service.

The breach was reported to the HHS’ Office for Civil Rights as affecting up to 3,909 individuals.

The post Data Breaches Reported by The Hutchinson Clinic & 90 Degree Benefits appeared first on HIPAA Journal.

Freehold Township, NJ-based CentraState Healthcare System has recently confirmed that its network was compromised by unauthorized individuals in December 2022. Unusual activity was detected within its computer systems on December 29, and immediate action was taken to isolate the network and block unauthorized access. CentraState has been working with the Federal Bureau of Investigation and independent cybersecurity experts to investigate the breach and has determined that the unauthorized party exfiltrated a copy of an archived database that contained the protected health information of patients.

The database included the following information: names, addresses, dates of birth, Social Security numbers, health insurance information, medical record numbers, and patient account numbers. Additionally, some information related to care received at CentraState, such as date(s) of service, physician names and departments, treatment plans, diagnoses, visit notes, and prescription information. CentraState said it continually enhances the security of its electronic systems and will continue to do so, and will also implement additional safeguards to prevent future attacks. Notification letters started to be sent to affected individuals on February 10, 2023, and complimentary credit monitoring and identity theft protection services have been offered to individuals who had their Social Security number exposed.

The incident has been reported to the HHS’ Office for Civil Rights but is not yet showing on the HHS Web Breach Portal, so it is currently unclear how many individuals have been affected.

Skin MD Reports Temporary Exposure of Paper Records

Skin MD, a Massachusetts-based provider of cosmetic and laser skin care treatments, has recently reported a data breach to the HHS’ Office for Civil Rights that has affected 7,558 patients. The breach involved paper records that were stored in a secured, off-site storage facility, which Skin MD learned had been disposed of in a non-secure manner on November 12, 2022.

Skin MD said a good Samaritan notified authorities about the improper disposal on November 14, 2022, and a law enforcement agent collected the records. Those records have been collected by Skin MD and are now secured. The records were unsecured for 2 days, during which time it is possible they were viewed by unauthorized individuals, although no evidence of theft, unauthorized access, or tampering has been discovered.

The records contained demographic information, medical information, Social Security numbers, and financial information. Affected individuals are now being notified and have been offered 24 months of complimentary credit monitoring and identity theft protection services.

Phishing Attack on Vitra Health Affects 1,600 Patients

The Braintree, MA-based home health service provider, Vitra Health, has notified 1,618 patients that some of their protected health information has been exposed and potentially stolen. On December 8, 2022, Vitra Health discovered an employee email account had been accessed by an unauthorized individual. The investigation revealed access was gained following a response to a phishing email on December 6.  The account was immediately secured, and the forensic investigation confirmed only one email account was compromised.

A third-party review of the account confirmed it contained information such as names, addresses, dates of birth, phone numbers, referral information, diagnoses, and Health Plan ID numbers. Vitra Health has implemented additional email security measures, provided further workforce training, and engaged a third-party firm to conduct a HIPAA Risk assessment.

California Department of Social Services Discovers Insider Breach

The California Department of Social Services (CDSS) has recently notified certain individuals about an insider wrongdoing incident involving their Social Security numbers. On January 6, 2023, the CDSS discovered an employee had emailed a document to a personal email account that contained individuals’ first and last names, Social Security numbers, and bargaining unit numbers. The employee in question was immediately contacted and told to delete the email and the employee complied with that request.

The CDSS said it is in the process of implementing additional security controls to prevent similar incidents in the future. No reason was provided as to why the document was emailed, nor details of the sanctions in relation to the incident. It is currently unclear how many individuals have been affected.

The post Hacking and Data Theft Incident Reported by CentraState Healthcare System appeared first on HIPAA Journal.

Lehigh Valley Health Network (LVHN) in Pennsylvania has confirmed that it is dealing with a ransomware attack that was detected on February 6, 2023. An announcement was made on Monday confirming the Russian-speaking ransomware gang, BlackCat, was behind the attack and demanded a ransom, but no payment was made.

Brian A. Nester, LVHN President and CEO, said the attack has not affected its operations and care continues to be provided to patients. While the attack is still being investigated, Nester has confirmed that the attack was conducted on a network supporting an unnamed physician practice in Lackawanna County and that the network housed a system that was used to store “clinically appropriate patient images for radiation oncology treatment,” and other sensitive information. That practice appears to be Delta Medix in Scranton, PA. It is currently unclear if other physician practices have been affected.

The LVHN technology team launched an investigation when suspicious network activity was detected, its network was immediately secured, and third-party cybersecurity experts were engaged to conduct a forensic analysis to determine the nature and scope of the attack. “We are continuing to work closely with our cybersecurity experts to evaluate the information involved and will provide notices to individuals as required as soon as possible. Attacks like this are reprehensible and we are dedicating appropriate resources to respond to this incident,” said Nester in a media statement.

This post will be updated when more information is released.

MKS Instruments Affected by Ransomware Attack

MKS Instruments, an Andover, MA-based manufacturer of measuring and control devices, has confirmed that it has been attacked with ransomware. According to the breach notification letters – dated February 16, 2023 – the parent company of MKS and the Atotech group of companies discovered the attack on February 13, 2023 – three days before notifications were sent.

The notice sent to the Attorneys General in California and Montana explains that immediate action was taken in response to the attack and that the investigation into the breach is ongoing. MKS confirmed that the attack affected certain business systems, such as production-related systems, which forced a temporary suspension of certain operations. Systems are being restored as quickly as possible, as it is determined that it is safe to do so.

MKS confirmed that it is currently unaware of any concrete risks or threats to individual data subjects, but says data theft cannot be ruled out. The types of information potentially stolen include names, contact information, addresses, government ID numbers (including SSNs), work login credentials/passwords, marital status, veteran status, nationality, immigration status, race, gender, sexual orientation, bank account information, payment card information, information about compensation status and equity, job positions, time/hours worked, information about disabilities, health and medical conditions, employer union information, health insurance information, and basic information about partners, children, and emergency contact information. Affected individuals have been offered complimentary identity theft monitoring and protection services for 2 years.

It is currently unclear how many individuals have been affected.

The post Lehigh Valley Health Network and MKS Instruments Recovering from Ransomware Attacks appeared first on HIPAA Journal.