HIPAA Breach News

Records of 4 Million Coloradans Compromised in MOVEit Transfer Attack

The Colorado Department of Health Care Policy and Financing (HCPF), which oversees the state’s Medicaid program and the Child Health Plan Plus (CHP+) program, has recently confirmed that the protected health information of 4,091,794 individuals was compromised. The attack occurred at IBM, one of its vendors, and involved the MOVEit Transfer application that was used by IBM for file transfers. HCPF said its own systems were not affected.

Hackers (Clop) exploited a zero-day vulnerability in the MOVEit Transfer file transfer solution, exfiltrated data, and attempted to extort money from the victims. The information security firm Kon Briefing has been tracking the incidents and reports that at least 670 organizations fell victim to the attacks and the records of 46 million individuals are known to have been compromised.

HCPF said the breach involved the data of Health First Colorado and CHP+ users and included names, Social Security numbers, Medicaid and Medicare ID numbers, birth dates, addresses and other contact information, demographic/income information, health insurance information, and clinical and medical information, including diagnoses, conditions, lab results, medications, and other treatment information. 24 months of complimentary credit monitoring and identity theft protection services have been offered to the affected individuals.

Several other HIPAA-regulated entities have confirmed that they have been affected. Radius Global Solutions, a Minnesota-based HIPAA business associate that provides customer engagement and technology services, has confirmed that the protected health information of 600,794 individuals was compromised in the Clop MOVEit Transfer attacks, including names, dates of birth, Social Security numbers, treatment codes, treatment locations, health insurance provider names, and treatment payment histories. 24 months of complimentary credit monitoring and identity theft protection services have been offered to the affected individuals.

The Indiana Family and Social Services Administration has recently confirmed that the state Medicaid enrollment broker, Maximus Health Services Inc., had its MOVEit server hacked and the protected health information of 744,000 Indiana Medicaid members was compromised, including names, addresses, case numbers, and Medicaid numbers. Maximus handles the department’s communications with Medicaid recipients. The Clop group had access to its MOVEit server from May 27 to May 31, 2023.

Florida Healthy Kids, a provider of health and dental insurance to children in Florida, was also impacted by the Maximus breach, although it is currently unclear how many individuals had their data compromised in the incident. Maximus said 24 months of complimentary credit monitoring and identity theft protection services are being offered to the affected individuals.

Last month, Johns Hopkins Health System confirmed that it was investigating a cyberattack that impacted systems used by Johns Hopkins University and Johns Hopkins Health System. The data breach was reported to the HHS’ Office for Civil Rights by Johns Hopkins Health System as affecting 2,584 individuals and by Howard County General Hospital as affecting 2,975 individuals. Johns Hopkins has now confirmed that its MOVEit server was attacked, and Johns Hopkins Medicine has notified the HHS’ Office for Civil Rights that the protected health information of 310,405 individuals was compromised in the attack. It said it is in the process of notifying those individuals and will be offering them complimentary credit monitoring and identity theft protection services.

The post Records of 4 Million Coloradans Compromised in MOVEit Transfer Attack appeared first on HIPAA Journal.

Johns Hopkins Medicine Confirms More Than 310,400 Individuals Affected by MOVEit Hack

Last month, Johns Hopkins Health System announced it was investigating a cyberattack and data breach, which was reported to the HHS’ Office for Civil Rights by Johns Hopkins Health System and Howard County General Hospital as affecting more than 5,500 individuals.

Hackers (Clop) exploited a zero-day vulnerability in the MOVEit Transfer file transfer solution, exfiltrated data, and attempted to extort money from the victims. The information security firm Kon Briefing has been tracking the incidents and reports that at least 670 organizations fell victim to the attacks and more than 41 million records are now confirmed as having been compromised. Johns Hopkins Medicine has now notified the HHS’ Office for Civil Rights that the protected health information of 310,405 individuals was compromised in the attack and said it is in the process of notifying those individuals. Complimentary credit monitoring and identity theft protection services are being offered to the affected individuals.

Several other HIPAA-regulated entities have confirmed that they have been affected. Radius Global Solutions, a Minnesota-based HIPAA business associate that provides customer engagement and technology services, has confirmed that the protected health information of 600,794 individuals was compromised in the Clop MOVEit Transfer attacks, including names, dates of birth, Social Security numbers, treatment codes, treatment locations, health insurance provider names, and treatment payment histories. 24 months of complimentary credit monitoring and identity theft protection services have been offered to the affected individuals.

The Colorado Department of Health Care Policy and Financing, which oversees the state’s Medicaid program and the Child Health Plan Plus (CHP+) program, was also affected. The protected health information of Health First Colorado and CHP+ users was compromised in the attack, including names, Social Security numbers, Medicaid and Medicare ID numbers, birth dates, contact information, demographic/income information, health insurance information, and clinical and medical information, including diagnoses, conditions, lab results, medications, and other treatment information. 24 months of complimentary credit monitoring and identity theft protection services have been offered to the affected individuals. The incident was reported to the Maine Attorney General as affecting up to 4,091,794 individuals.

The Indiana Family and Social Services Administration has recently confirmed that the state Medicaid enrollment broker, Maximus Health Services Inc., had its MOVEit server hacked and the protected health information of 744,000 Indiana Medicaid members was compromised, including names, addresses, case numbers, and Medicaid numbers. Maximus handles the department’s communications with Medicaid recipients. The Clop group had access to its MOVEit server from May 27 to May 31, 2023. Florida Healthy Kids, a provider of health and dental insurance to children in Florida, was also impacted by the Maximus breach, although it is currently unclear how many individuals had their data compromised in the incident. Maximus said 24 months of complimentary credit monitoring and identity theft protection services are being offered to the affected individuals.

Ottumwa Fire Department Fires Employees for Misconduct and HIPAA Violations

The Ottumwa Fire Department in Iowa has recently fired employees for alleged violations of the HIPAA Rules and other misconduct. The City of Ottumwa launched an investigation of three members of the fire department, two of whom have been terminated and one of whom left the department in lieu of termination for “behaviors that violated department rules, safe practices, and the values and standards of the City of Ottumwa”.

The city engaged the law firm, Dentons Davis Brown, to investigate allegations of misconduct, which included sexual activity while on duty, disclosures of sensitive information to unauthorized individuals, and allowing unauthorized individuals to ride in fire vehicles.

Firefighters Derek Fye and Dillon McPherson were discovered to have violated the HIPAA Rules by divulging patient information obtained by the fire department when responding to incidents, which included medical histories, conditions, and other information. Captain Bill Keith was similarly fired for HIPAA violations, allowing unauthorized individuals to ride in fire vehicles, failing to report instances of employee misconduct, and failing to adequately lead those under his command. Fye and Keith are entitled to request a hearing.

Brigham and Women’s Hospital Exposed Patient Data Over the Internet

Brigham and Women’s Hospital in Boston, MA, has alerted 987 patients about the impermissible disclosure of some of their protected health information. According to the notification letters, the data of patients who participated in a research study/quality improvement project has been exposed online. Graphs had been created as part of the study/project to share with others within the healthcare community using a data analytics tool called Tableau.

The graphs, which only included high-level and summary information, were accidentally posted to the public version of the Tableau tool; however, a link was included that, if clicked, allowed access to sensitive information including names, addresses, medical record numbers, dates of birth, email addresses, and phone numbers. Clinical information that could have been accessed included diagnoses, lab results, medications, and procedures. The exposed data varied from individual to individual. Affected individuals were notified on August 4, 2023.

For the research study, the data was published on the tool on February 25, 2018, and for the quality improvement project, on January 14, 2023. The publicly accessible link was discovered on June 8, 2023, and was removed on June 13. The research study data was accessible between February 25, 2018, and June 13, 2023, and the quality improvement project data was exposed between January 14, 2023, and June 13, 2023.

IVF Michigan Notifies Patients About February 2023 Ransomware Attack

IVF Michigan has recently notified 9,383 patients that some of their protected health information was compromised in a February 25, 2023, ransomware attack. IVF Michigan, which includes Ohio Fertility Centers, said its security software detected the attack almost immediately and disconnected systems from the internet and shut them down. IVF Michigan learned of the breach on February 28. The incident was investigated by its security services vendor and it was determined that files had been accessed and were likely exfiltrated; however, no evidence has been found to indicate any misuse of patient data.

The files potentially obtained in the attack included names, addresses, zip codes, birth dates, driver’s license numbers, Social Security numbers, diagnoses, conditions, lab results, medications, treatment information, claims information, and credit card/bank account numbers. The information involved varied from individual to individual.

Jefferson County Health Center Reports Hacking Incident

Jefferson County Health Center in Fairfield, IA, has discovered unauthorized individuals gained access to its network between April 24, 2023, and May 30, 2023, and may have obtained files containing patients’ protected health information. The breach was detected on May 30, 2023, when suspicious activity was identified within its network.

While unauthorized network access was confirmed, evidence of data theft was not found; however, it is possible that sensitive data was stolen in the attack such as names, medical histories, diagnoses, medical treatment information, and health insurance information. The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Missouri Department of Social Services Confirms Medicaid Recipients’ Data Compromised in MOVEit Hacks

Four more entities have confirmed they were affected by the mass hacks of the MOVEit Transfer file transfer solution and had protected health information stolen.

Missouri Department of Social Services

The Missouri Department of Social Services (DSS) has confirmed that the data of Medicaid recipients was compromised in the recent mass MOVEit hacks by the Clop threat group. Clop conducted hundreds of attacks starting on May 27, 2023, that exploited a zero-day vulnerability in the MOVEit Transfer file transfer solution – CVE-2023-34362. More than 610 companies, organizations, and other entities were attacked and had data stolen.

According to the Missouri DSS, the attack occurred at IBM Consulting. The Missouri DSS said that when it was made aware of the incident it disconnected the MOVEit servers from internal IT systems and launched an investigation into the breach. The DSS confirmed that no DSS systems were breached, only the MOVEit server, which contained data such as names, department client numbers, birth dates, benefit eligibility status/coverage, and medical claims information. It is currently unclear exactly how many Medicaid recipients were affected. The DSS said all Missouri Medicaid recipients are being notified about the breach as a precaution.

Omaha Health Insurance Company

The Omaha Health Insurance Company (OHIC), part of Mutual of Omaha, has reported a security breach at a third-party vendor that exposed the records of individuals who were enrolled in the Medicare Part D Prescription Drug Plan, which was issued by Mutual of Omaha Rx.

The vendor discovered the security breach on June 21, 2023, and notified OHIC about the breach on June 22, 2023. The OHIC investigation confirmed that sensitive data was downloaded by the threat group between May 30, 2023, and June 2, 2023. The exposed data included names, dates of birth, Social Security numbers, claims information, banking information, billing information, and treatment information. Affected individuals have been offered complimentary credit monitoring services. The vendor was not named in the notification sent to the state attorney general.

IU Health

IU Health in Indianapolis has confirmed that patient data was compromised in the mass MOVEit Transfer hacks. The incident occurred at a third-party claims processor, TMG Health. IU Health was notified about the breach on June 22, 2023, and was informed that IU Health Plan data was compromised, including names, member ID numbers, plan effective dates, and for some individuals, bank account information. IU Health Plans notified the affected members on August 4, 2023, and offered complimentary credit monitoring services. It is currently unclear how many plan members were affected.

Hillsborough County, FL

Hillsborough County in Florida has reported a breach of the protected health information of 70,636 patients to the HHS’ Office for Civil Rights. The county learned about the MOVEit Transfer breach on June 1, 2023, and determined on June 22, 2023, that the compromised data included individuals who received care through Hillsborough County Health Care Services. That information included names, Social Security numbers, dates of birth, home addresses, medical conditions, diagnoses, and disability codes. Certain vendors were notified that some employee data may have been compromised. The affected vendors will notify their employees directly.

LockBit Ransomware Group Threatens to Publish Stolen Cancer Patient Data

The LockBit ransomware group has added Varian Medical Systems to its data leak site and has threatened to publish the data of cancer patients if the ransom is not paid. Varian Medical Systems is a Palo Alto, CA-based provider of radiation oncology treatments and software for oncology departments and a subsidiary of Siemens Healthineers. Varian Medical Systems has not yet confirmed the data breach, and the LockBit group has not yet disclosed how much data was stolen in the attack, but said Varian has been given until August 17, 2023, to enter into negotiations; otherwise, all stolen databases and patient data will be released on its dark web data leak site.

Karakurt Threat Group Says Data Stolen from McAlester Regional Health Center

The Karakurt ransomware group has recently added McAlester Regional Health Center to its data leak site and claims to have stolen more than 1,175 GB of data from the Oklahoma hospital, including 5 GB of SQL data on medical staff and medical reports containing sensitive patient information, including DNA data. According to the listing, the stolen employee data includes Social Security numbers and bank account information. The group has threatened to sell the data if the ransom is not paid. McAlester Regional Health Center has not verified the claim and has yet to announce a data breach on its website or report the incident to the HHS’ Office for Civil Rights.

Precision Anesthesia Billing LLC Reports Breach of the PHI of 209,200 Individuals

The Tampa, FL-based HIPAA business associate, Precision Anesthesia Billing LLC (PAB), reported a breach of the protected health information of 209,200 individuals to the HHS’ Office for Civil Rights on July 7, 2023. While no public notice about the data breach appears to have been published to date, the medical group, Athens Anesthesia Associates (AAA), has confirmed that it was one of the entities affected by the breach.

AAA said it was informed by PAB on May 11, 2023, that the data of some of its patients had potentially been compromised. PAB said a well-known cyber threat actor that has conducted many successful cyberattacks was responsible but did not name the group. PAB was able to successfully stop the attack and secure its systems but said it was likely that files containing patient data were accessed and exfiltrated from its systems between May 4 and May 7, 2023. The information compromised in the incident included names, addresses, phone numbers, email addresses, dates of birth, ages, Social Security numbers, bank account numbers, insurance policy numbers, diagnoses, treatment information and dates, ultrasound images, medical record numbers, and hospital account numbers. AAA said it has offered affected patients two years of complimentary credit monitoring services.

Life Management Center of Northwest Florida Cyberattack Impacts 19,107 Individuals

Life Management Center of Northwest Florida, a provider of mental health, behavioral health, and family counseling services, discovered a security breach on March 31, 2023. Steps were immediately taken to secure its network and third-party forensics experts were engaged to investigate the incident. The investigation confirmed that an unauthorized actor accessed files that contained patient data. A comprehensive review of the affected files concluded on May 26, 2023, that the protected health information of 19,107 individuals had been compromised, including names, Social Security numbers, driver’s license numbers, medical treatment and/or diagnosis information, and health insurance information. Affected individuals were notified on July 25, 2023, and have been offered complimentary credit monitoring services.

Discovery at Home Falls Victim to Phishing Attack

Discovery at Home, a provider of home healthcare services to seniors in Florida and Texas, fell victim to a phishing attack on or around June 1, 2023, that saw the email account of an employee accessed by an unauthorized individual. Discovery at Home said the incident, “resulted in the inadvertent transmittal of personal health information via unencrypted e-mail to an unauthorized third-party sender.”

The compromised information included names, addresses, dates of birth, dates of service, treatment-related information, and health insurance information, including insurance beneficiary number, claim number, and policy number. At the time of issuing notification letters, Discovery at Home was unaware of any misuse of the compromised data. Discovery at Home said the email account was immediately secured when the breach was detected, steps have been taken to improve email security, and the employee in question has received further security awareness training. Affected individuals were notified by mail on July 31, 2023.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Bi-Bett Corporation Suffers Email Account Breach

Bi-Bett Corporation, a Californian provider of substance use disorder treatment services, has recently notified 4,722 patients that some of their protected health information was stored in an email account that was accessed by an unauthorized third party. Suspicious activity was identified in the email account on February 17, 2023, and the email account was immediately secured and a third-party cybersecurity firm was engaged to investigate. On April 14, 2023, the cybersecurity firm confirmed that patient information may have been accessed or acquired.

The email account was reviewed to identify the affected individuals and the information that had been compromised, and that process was completed on May 22, 2023. The information compromised included first and last names, addresses, Social Security Numbers, driver’s license numbers, Medicaid numbers, and/or medical reference numbers. Bi-Bett said it is working with third-party security experts to strengthen its security posture further. Affected individuals have been offered complimentary credit monitoring and identity theft protection services.

Ransomware Attack on Prospect Medical Holdings Affects Facilities in Multiple States

Prospect Medical Holdings, a Los Angeles, CA-based health system that operates 17 hospitals and 166 outpatient clinics in California, Connecticut, Pennsylvania, Rhode Island, and New Jersey, has been hit with a ransomware attack that has disrupted operations across its network, including operations at its subsidiaries Crozer Health and the Eastern Connecticut Health Network (ECHN).

Prospect Medical Holdings said steps were immediately taken to prevent further unauthorized access and several IT systems were taken offline to protect those systems. Third-party cybersecurity specialists were engaged to investigate and determine the scope of the breach and the ransomware attack was reported to the Federal Bureau of Investigation (FBI), which has launched an investigation. The Department of Health and Human Services has offered federal assistance and said it is able to provide support, as needed, to prevent disruption to patient care.

Without access to IT systems, ambulances were diverted to other facilities in the immediate aftermath of the attack, and employees at the affected healthcare facilities adopted their emergency downtime procedures and reverted to using paper records. ECHN said it took the decision to temporarily close some of its facilities, including diagnostic labs and elective surgery and gastroenterology centers, and halted outpatient medical imaging, blood draw, and physical therapy services. It is contacting patients to reschedule appointments.

The attack began on Thursday and efforts are still underway to restore its systems and return to normal operations. A spokesperson for Prospect Medical Holdings said, “While our investigation continues, we are focused on addressing the pressing needs of our patients as we work diligently to return to normal operations as quickly as possible.” At such an early stage of the investigation, the extent to which patient information was compromised has yet to be determined. It is currently unclear which ransomware group was behind the attack.

1.7 Million Oregon Health Plan Members Affected by MOVEit Hack

The protected health information of 1.7 million Oregon Medicaid patients has been stolen by the Clop threat group, which exploited a zero-day vulnerability in the MOVEit Transfer file transfer solution on or around May 30, 2023. The data breach occurred through a contractor used by the Oregon Health Plan – PH Tech – which was informed about the vulnerability and data breach on June 2 by Progress Software. According to PH Tech, the compromised information included names, dates of birth, Social Security numbers, mailing addresses, and email addresses, along with health information such as diagnoses, procedures, claim information, and plan ID numbers. Affected individuals are being notified by PH Tech and have been offered complimentary credit monitoring services. PH Tech said it immediately disabled the MOVEit solution when it learned about the compromise. The vulnerability was patched, and it rebuilt how the solution can be accessed to ensure that no one else is able to access files through the software.

Healthcare Victim Count Continues to Grow

The Health Plan of West Virginia, Inc. has recently confirmed that 1,292 members had data stolen. United Bank provides financial services to the health plan and recently confirmed that electronic records of recent premium payment and premium payment coupons were stolen. The stolen records related to a two-week period in May 2023, and included names, addresses, phone numbers, health plan identification numbers, group numbers, and images of premium payments.

Employees, students, and patients of Johns Hopkins Health System, Johns Hopkins All Children’s Hospital, and Johns Hopkins Howard County General Hospital had data stolen from MOVEit servers after the vulnerability was exploited, although personal health records do not appear to have been obtained. Johns Hopkins Health System has reported the breach to the Office for Civil Rights as affecting 2,584 patients and Howard County General Hospital has filed a breach report indicating 2,975 patients were affected.

The academic health system, UofLHealth, was also attacked and is still investigating the incident to determine the types of information involved and the number of individuals affected. The MOVEit tool was used by a small number of UofLHealth medical practices for transferring files to third-party vendors. Other known victims include Allegheny County in Pennsylvania (689,686 individuals), Sutter Senior Care (519 individuals), Harris Health System (224,703 individuals), UT Southwestern Medical Center (98,437 individuals), and CMS contractor Maximus (612,000 individuals).

Sutter Senior Care and Allegheny County Have Data Compromised in MOVEit Transfer Hacks

Allegheny County in Pennsylvania has recently confirmed that the protected health information of up to 689,686 individuals was compromised in a May 2023 hacking incident by the Clop threat group. Allegheny County was alerted about the breach on June 1, 2023, and it was confirmed that the group exfiltrated files containing sensitive data between May 28 and May 29, 2023. Allegheny County said it received assurances from the Clop group that the stolen data was deleted, per the group’s policy of only attacking and extorting money from businesses; however, affected individuals have been told to take steps to protect their personal information and to register for the complimentary credit monitoring and identity theft protection services that have been offered.

County officials confirmed that the compromised information included names, Social Security numbers, birth dates, driver’s license/state identification numbers, taxpayer identification numbers, student identification numbers, and for certain individuals, medical information such as diagnoses, treatment information, and admission dates, and health insurance and billing/claims information.

Sutter SeniorCare PACE, a nonprofit health plan based in Sacramento, CA, has also recently confirmed that it was affected and had plan member data compromised in the attacks. The file transfer solution was used by its business associate, Cognisight, LLC, which provides specialist healthcare management services. Cognisight was informed about the hacking incident on May 31, 2023, and its forensic investigation of the incident concluded on June 5, 2023. Sutter Senior Care was informed about the incident on July 12, 2023.

The information stolen in the attack included names, dates of birth, Social Security numbers, and health information such as patient identification numbers and diagnosis, treatment, and provider information. Credit monitoring and identity protection services have been offered to the affected individuals. The breach has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals were affected.

Up to 170,450 Patients Affected by Cyberattack on the Chattanooga Heart Institute

The Chattanooga Heart Institute (CHI) in Tennessee has recently announced that it identified a cyberattack on its network on April 17, 2023. Action was immediately taken to prevent further unauthorized access and a third-party forensics vendor was engaged to investigate the incident and determine the nature and scope of the attack. The forensic investigation confirmed that unauthorized individuals gained access to its network between March 8, 2023, and March 16, 2023, and on May 31, 2023, the investigation confirmed that files containing sensitive patient data had been copied by the attackers.

CHI’s electronic medical record system was not compromised; however, the files removed from its system were found to contain names, mailing addresses, email addresses, phone numbers, birth dates, driver’s license numbers, Social Security numbers, account information, health insurance information, diagnosis/condition information, lab results, medications, and other clinical, demographic, or financial information. Notification letters will be sent to the affected individuals in the coming weeks and credit monitoring, fraud consultation, and identity theft restoration services will be offered.

The breach was recently reported to the Maine Attorney General as affecting up to 170,450 individuals. While CHI did not disclose which group was behind the attack, the Karakurt group has claimed responsibility for the attack. Karakurt is a relatively new threat group that has no qualms about attacking healthcare organizations.

58,000 Individuals Affected by Cyberattack on Synergy Healthcare Services

Synergy Healthcare Services (SHS) in Atlanta, GA, has recently reported a data breach to the Maine Attorney General that has affected up to 58,034 patients of its healthcare clients: Consulate Health Care, Raydiant Health Care, Independence Living Centers, and their affiliated care centers.

The administrative service provider said suspicious activity was detected within its network in early December 2022, and the forensic investigation confirmed on December 15, 2022, that an unauthorized third party accessed parts of its computer network where personal health information was stored. A third-party data review company was provided with the files on December 22, 2022, and provided the results of the analysis to SHS on May 16, 2023.

The files contained information such as names, birthdates, signatures, insurance details, contact information, government identification numbers including driver’s licenses and Social Security numbers, medical history/treatment information, and financial information. Complimentary credit monitoring services have been offered to the affected individuals and steps have been taken to harden security to prevent similar incidents in the future.

Cheyenne Radiology Group & MRI Reports December 2022 Ransomware Attack

Cheyenne Radiology Group & MRI, P.C. (CRG), in Wyoming, has recently issued notifications to its patients about a ransomware attack that was discovered and stopped on December 12, 2022. According to the notification letters, the attack disabled some of its computer systems, and while data theft was not confirmed, the possibility that information was removed from its systems could not be ruled out. Third-party forensics specialists investigated the incident and confirmed that the files potentially accessed included names, mailing addresses, birth dates, Social Security numbers, driver’s license numbers, and health insurance information. CRG said it wiped and rebuilt all affected systems and has hardened security to prevent similar breaches in the future. The incident was recently reported to the Maine Attorney General as affecting up to 10,420 individuals.
