HIPAA Breach News

700,000 Highly Sensitive School Records Exposed Online

Highly sensitive information on 682,438 teachers and students at independent schools has been left exposed to the Internet and could be accessed by anyone without a password. The exposed 572.8 GB database was discovered by security researcher Jeremiah Fowler who traced documents in the database to the Southern Association of Independent Schools, Inc (SAIS).

“In my many years as a security researcher, I have seen everything from millions of credit card numbers and health records to internal documents from organizations of all sizes. However, this discovery is among the most sensitive data collections I have ever encountered,” said Fowler. The database contained highly sensitive teacher and student records. Each student record included a photograph of the student, along with their home address, date of birth, age, Social Security number, and health information. Fowler said he discovered third-party security reports that included details of weaknesses in school security, the locations of cameras, access and entry points, active shooter and lockdown notifications, school maps, financial budgets, teacher background checks, and much more. Fowler quickly notified SAIS and the database was rapidly secured.

Fowler was unable to determine how long the database had been exposed and if it was accessed by unauthorized individuals. He said the database was a goldmine for criminals on many levels. The database was hosted in a cloud storage repository and had been mistakenly configured to be non-password protected. The database appeared to be on SAIS’s primary server, and the exposure did not appear to be due to a vendor configuration issue.

Harris Health System Confirms Breach of Almost 225,000 Patient Records

Harris County Hospital District, doing business as Harris Health System, has recently reported a data breach affecting 224,703 individuals. On June 2, 2023, Harris Health System was notified about a zero-day vulnerability in the MOVEit Transfer file transfer solution. The vulnerability was immediately addressed; however, the forensic investigation revealed hackers had exploited the vulnerability on May 28, 2023, and downloaded files from the system.

The review of the affected files revealed they contained information such as names, addresses, birth dates, Social Security numbers, medical record numbers, immigration status, driver’s license numbers/other government-issued identification numbers, health insurance information, procedure information, treatment costs, diagnoses, medications, provider names, and dates of service.

Harris Health System said the vulnerability has been patched and additional steps have been taken to improve the security of its MOVEit server. Affected individuals were notified about the breach on July 21, 2023, and individuals who had their Social Security numbers exposed have been offered complimentary credit monitoring and identity theft protection services.

New England Life Care Reports 51,854-Record Data Breach

New England Life Care in Portland, ME, says it detected a security breach on May 24, 2023, that disrupted its IT systems. The incident was rapidly contained, and a third-party cybersecurity firm was engaged to conduct a forensic investigation. The analysis confirmed that the exposed files contained patient data such as names, addresses, service/equipment information, and patient status (active/discharged).

The 51,854 affected individuals were notified by mail on July 21, 2023. New England Life Care said additional safeguards and technical security measures have been implemented to prevent similar incidents in the future.

Park Royal Hospital Discovers Unauthorized Email Account Access

Park Royal Hospital in Fort Myers, FL, has discovered unauthorized access to an employee email account. The security breach was detected on May 15, 2023, and the forensic investigation confirmed that the email account was compromised on May 8, 2023. The email account contained protected health information such as patient names, provider names, dates of treatment, and diagnosis and treatment information. The hospital said additional safeguards and technical security measures have been implemented to further protect and monitor its systems.

The incident is still being investigated and notification letters will be mailed when that process is completed. The breach has been reported to the HHS’ Office for Civil Rights as affecting at least 500 individuals.

Email Accounts Compromised at Unified Pain Management

Konen & Associates, doing business as Unified Pain Management in Texas, has recently notified the HHS’ Office for Civil Rights about an email account breach involving at least 500 records. Suspicious activity was detected within its corporate email accounts on March 21, 2023. Steps were immediately taken to prevent further unauthorized access and a third-party digital forensic firm was engaged to conduct an investigation; however, it was not possible to determine if any information within the email accounts had been accessed or downloaded.

The review of the emails confirmed that they contained information such as patient names, addresses, health insurance policy numbers, Social Security numbers, payment information, and health information such as treatment and diagnosis information.  Steps have been taken to improve email security and affected individuals have been offered credit monitoring and identity theft restoration services at no cost.

The post 700,000 Highly Sensitive School Records Exposed Online appeared first on HIPAA Journal.

Up to 11 Million Health Records Compromised in Cyberattack on Government Contractor

Reston, VA-based Maximus Inc., a government services contracting company, has announced in a Securities and Exchange Commission (SEC) filing that hackers exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer solution in May 2023 and accessed the protected health information (PHI) of between 8 and 11 million individuals. The Clop ransomware group was responsible for the attack and Maximus was one of hundreds of entities to be affected by the Clop group’s mass exploitation of the zero-day vulnerability.

According to the filing, Maximus used MOVEit Transfer for internal and external file sharing, including for sharing data with government customers that participate in various government programs. After being notified about the vulnerability and data breach by Progress Software, Maximus launched a forensic investigation and review of the affected files and while that process is still ongoing, Maximus confirmed that the impacted files contained protected health information. Maximus said it cannot confirm precisely how many individuals have been affected until the review process is completed, and that it anticipates that the process will take several more weeks.

Maximus has notified the affected customers and will provide notice to all affected individuals when the review concludes. Affected individuals will be offered complimentary credit monitoring and identity theft protection services for 24 months. Maximus has recorded expenses of $15 million for the quarter to June 30, 2023, in relation to the data breach.

The Department of Health and Human Services’ Centers for Medicare and Medicaid Services (CMS) has confirmed that the PHI of approximately 612,000 current Medicare recipients was exposed in this incident and up to 645,000 individuals in total. The CMS said it is working with Maximus to provide notice to the affected individuals. The CMS said the stolen data includes names, dates of birth, mailing addresses, telephone numbers, email addresses, Social Security numbers/taxpayer identification numbers, Medicare beneficiary numbers, driver’s license numbers, state identification numbers, health insurance information, claims information, health benefits and enrollment information, and medical histories, which include notes, medical records/account numbers, conditions, diagnoses, images, treatment information, and dates of service.

Florida Senator Urges FBI to Prioritize Investigation of Tampa General Hospital Cyberattack

Senator Rick Scott (R-FL) has written to FBI Director Christopher Wray requesting the law enforcement agency prioritize the investigation of a major cyberattack on Tampa General Hospital (TGH) that involved the medical records of more than 1.2 million people and bring the perpetrators behind the cyberattack to justice.

The attack in question was discovered by TGH administrators on May 31, 2023, with the forensic investigation determining that hackers had access to its network for 18 days, having gained initial access to its network on May 12, 2023. The attackers attempted to encrypt files; however, TGH was able to prevent encryption but could not prevent the exposure of patient data. The compromised systems contained names, addresses, dates of birth, Social Security numbers, medical record numbers, health insurance information, and more.

While the cyberattack is significant due to the amount of exposed data, it is far from the only such attack on a U.S. healthcare provider in recent years. Senator Scott cites a ransomware attack on Scripps Health in California in 2021 in which hackers stole 150,000 patient records, the attack on CommonSpirit Health in 2022 that affected many critical healthcare services across the United States, and the attack on St. Margaret’s Health in Illinois which disrupted the hospital’s billing systems and contributed to the permanent closure of the hospital. In addition to causing financial harm to healthcare providers and threatening patient safety, the data stolen in these attacks can be used for further criminal activity causing financial harm to patients.

If the threat actors behind these attacks are not identified, arrested, and prosecuted, they will continue to conduct attacks that threaten patient safety, cause considerable financial harm, and it is inevitable that other healthcare facilities will be forced to close. “I urge you to assign all necessary resources at your disposal to prioritize the investigation of this incident and ask that you keep my office apprised of your progress,” said Senator Scott.

Many of these attacks are conducted by threat groups operating out of China, Russia, and North Korea, which do not have extradition treaties with the United States and that makes it difficult to bring the perpetrators to justice. Senator Scott said these attacks pose a clear and present threat to critical health systems and has requested answers from Wray on the actions being taken to counter these threats, such as how the FBI is coordinating with health systems to prevent cyberattacks, what the FBI is doing to coordinate investigations of healthcare cyberattacks, whether the FBI believes that the majority of the threat actors behind these attacks are operating from outside the United States, and if so, the countries where these cyberattacks are originating.  Senator Scott also asked whether the FBI has sufficient resources to fully investigate these attacks and pursue the perpetrators and whether additional resources and authorities are needed.

98,000 UT Southwestern Medical Center Patients Affected by MOVEit Cyberattack

UT Southwestern Medical Center (UTSW) has recently confirmed that the protected health information of 98,437 patients was stolen in a cyberattack on May 28, 2023. The Clop ransomware group exploited a zero-day vulnerability in Progress Software’s MOVEit file transfer solution, gained access to UTSW’s MOVEit server, and exfiltrated files that contained names, medical record numbers, dates of birth, medication names, medication dosages, and prescribing provider names. A subset of the affected individuals also had their Social Security numbers stolen. UTSW was notified about the attack by Progress Software on May 30, 2023, and the exploited vulnerability was immediately patched.

The German cybersecurity firm KonBriefing has recently announced that its data shows at least 455 organizations were attacked in this campaign, and at least 23 million individuals were affected. The Clop group has recently started posting victim data on its clear web data leak site.

Family Vision of Anderson Suffers Ransomware Attack

Family Vision of Anderson in South Carolina was the victim of a May 2023 ransomware attack. A ransom note was detected on its computer system on May 28, 2023, indicating files had been encrypted. Computer systems were immediately taken offline to prevent further unauthorized access, and law enforcement was notified. The US Secret Service assisted with the investigation and determined ransomware was used to encrypt files on May 21.

The attackers may have obtained files containing the information of patients and their family members, including names, dates of birth, Social Security numbers, driver’s license numbers, telephone numbers, email addresses, gender, medical record numbers, health insurance information, allergies and other medical history information, appointment dates, scheduled optometrist names, optometry prescriptions, and optometry eye scans. Security has been enhanced, and employees have been provided with further training. The breach was reported to the HHS’ Office for Civil Rights as affecting up to 62,631 individuals. Notification letters have been sent and affected individuals have been offered complimentary identity theft protection services.

17,000 Individuals Affected by LifeWorks Wellness Center Hacking Incident

LifeWorks Wellness Center in Clearwater, FL, has recently reported a data breach to the Maine Attorney General that has affected 17,000 patients. Hackers gained access to its internal file system on or around May 20, 2023, and the forensic investigation confirmed that files containing patient data had been viewed, and may have been stolen. LifeWorks said the hackers did not gain access to its patient database, which includes medical and treatment records. The compromised servers included the information of current and former patients and employees such as names, Social Security numbers, credit card numbers, health identification codes, and medical conditions and diagnoses. LifeWorks said it has implemented additional security measures to prevent similar breaches in the future.

UC Davis Health Reports Breach of Employee Email Account

On May 24, 2023, UC Davis Health in Sacramento, CA, confirmed that the email account of an employee had been accessed by an unauthorized individual. The employee used their work email account to coordinate follow-up care for patients and the account included limited protected health information. The forensic investigation confirmed that only one email account had been compromised, and the breach was detected quickly by its IT security systems; however, it is possible that sensitive data was copied. Affected individuals have been offered complimentary credit monitoring services for 12 months and the employee concerned has received additional training on email security. The incident has yet to appear on the HHS’ Office for Civil Rights Breach portal, so it is currently unclear how many individuals have been affected.

Paramedic Billing Services Confirms Hackers Had Access to Patient Data

Elmhurst, IL-based Paramedic Billing Services has recently announced that it fell victim to a cyberattack in late May 2023. Suspicious activity was identified in its computer network and systems were immediately secured to prevent further unauthorized access. On June 23, 2023, Paramedic Billing Services determined that an unauthorized third party had access to systems containing protected health information and may have copied certain files from its systems. Those files included names, contact information, dates of birth, medical information, health insurance information, Social Security numbers, driver’s license/state identification numbers, financial account information, and payment card information.

The file review is ongoing, so the total number of affected individuals has yet to be established. The incident has been reported to the HHS’ Office for Civil Rights as involving at least 501 individuals. Notification letters will be sent to affected individuals when the review is completed. Paramedic Billing Services said its existing policies, processes, and procedures relating to data protection and security are being reviewed and will be enhanced.

Cardiac Monitoring Software Company Suffers Cyberattack

The Canadian cardiac monitoring software company, CardioComm Solutions Inc., has announced that it has suffered a cyberattack that has taken some of its IT systems out of operation. According to a statement released by the company, the attack has caused downtime to its services: Global Cardio 3, GEMS Flex 12, GEMS Home Flex (upload), and HeartCheck CardiBeat/GEMS Mobile ECG/RPM (record/upload). The disruption is expected to continue for several days, and potentially longer. Third-party cybersecurity experts have been engaged to investigate the attack and determine the extent to which sensitive data was involved. Customer data is not believed to have been involved, as CardioComm does not collect customer data, and its software runs on each customer’s server environment; however, employee data may have been compromised. Identity theft protection services will be offered to affected employees as a precaution.

24,400 Rite Aid Customers Had Personal Information Compromised in May Cyberattack

Rite Aid has confirmed that the protected health information of up to 24,400 of its customers has been stolen in a cyberattack. The stolen files contained names, birth dates, addresses, prescription information, and limited insurance information. Social Security numbers and financial information were not exposed or stolen in the attack. Rite Aid said a vulnerability was exploited by the attackers to gain access to sensitive data. Rite Aid was notified about the vulnerability by a third-party vendor and a patch has now been applied to correct the vulnerability.

The vulnerability was identified on May 31, 2023, with the forensic investigation confirming data theft occurred on May 26, 2023. While Rite Aid did not disclose the name of the vendor, the timing of the attack and the nature of unauthorized access suggest this was an attack by the Clop threat group, which conducted mass attacks that exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution.

Wake Family Eye Care Suffers Ransomware Attack

Wake Family Eye Care in Cary, NC, recently fell victim to a ransomware attack. The attack was detected on June 2, 2023, when files were discovered to have been encrypted. Systems were immediately isolated to prevent further unauthorized access and the incident was contained the same day. A third-party forensics firm was engaged to investigate and determine the extent of the breach and while no evidence of data theft was found, it was not possible to rule out the possibility of data theft.

The review of files on the affected part of the network revealed they contained names, addresses, dates of birth, partial or full Social Security Numbers, driver’s license/passport/other government-issued ID numbers, insurance numbers, optical images, chart numbers, and related eye records. Financial information was not compromised.

Notification letters have been sent to the 14,264 individuals potentially affected by the incident.

Catholic Charities of the Archdiocese of Newark Investigating Cyberattack

Catholic Charities of the Archdiocese of Newark has confirmed that unauthorized individuals gained access to some of its computer systems. The breach was detected on May 8, 2023, and third-party cybersecurity experts were engaged to investigate and determine the nature and scope of the breach. The investigation confirmed that hackers had access to systems where protected health information was stored between April 30, 2023, and May 8, 2023. Some of the files were acquired in the attack.

The stolen files included individuals’ names, dates of birth, driver’s license information, Social Security number, medical information, and health insurance information. The review of the files is ongoing to determine how many individuals have been affected and notification letters will be sent when that process has been completed. To meet the deadline for reporting data breaches, the HHS was notified that at least 501 individuals have likely been affected. The total will be updated when the investigation is completed.

Lancaster Orthopedic Group Notifies Patients About March Cyberattack

Lancaster Orthopedic Group in Manheim Township, PA, has discovered unauthorized access to its network. The breach was detected on March 29, 2023, with the review of the affected files confirming that names, addresses, dates of birth, Social Security numbers, medical treatment information, and insurance information were potentially compromised. The breach has been reported to the HHS’ Office for Civil Rights as affecting a minimum of 500 individuals, although up to 2,000 patients may have been affected.

IBM: Average Cost of a Healthcare Data Breach Increases to Almost $11 Million

The 2023 IBM Security Cost of a Data Breach Report shows the average data breach cost has increased to $4.45 million ($165 per record), with data breaches in the United States being the costliest at an average of $9.48 million, up 0.4% from last year. Data breaches are the costliest that they have ever been and have increased by 15% since 2020. The data for this year’s report was collected by the Ponemon Institute and included breach data from 553 organizations in 16 countries with interviews conducted with thousands of individuals. All data breaches studied for the report occurred between March 2022 and March 2023.

For the 13th year in a row, healthcare data breaches were found to be the costliest, with the average cost increasing to $10.93 million, which is a 53.3% increase over the past 3 years and an 8.22% increase from the $10.10 million average breach cost in 2022. Small organizations with fewer than 500 employees saw average data breach costs increase by 13.35% year-over-year to $3.31 million. There was a 21.4% increase in costs for mid-sized organizations (501-1,000 employees) to an average of $4.06 million, a 20% rise in costs for large organizations (1,001-5,000 employees) to $4.87 million, but a 1.8% decrease in costs for very large organizations (10,001–25,000 employees), which fell to an average of $5.46 million. The time to identify and contain a breach remained the same as in 2022, with the decrease in detection time cancelled out by an increase in containment time. In 2023, the average detection (204 days) and containment (73 days) time was 277 days.

The most common causes of data breaches were phishing attacks and compromised credentials, with phishing the initial access vector in 16% of data breaches and compromised credentials the vector in 15% of breaches. The average cost of a phishing attack was $4.76 million and an attack caused by stolen or compromised credentials cost an average of $4.62 million. The costliest breaches were caused by malicious insiders, with those incidents costing an average of $4.90 million per breach, although these breaches were relatively rare, accounting for 6% of the total. Breaches stemming from stolen or compromised credentials took the longest to identify and contain, taking 328 days compared to the average of 277 days.

Only one-third (33%) of data breaches were detected by the breached entity, with a benign third party such as law enforcement or a security researcher notifying the victim about the breach in 40% of cases, and the attacker notifying the breached entity about the attack in 27% of cases. Breaches where the attacker informed the victim cost around $1 million more than breaches that were detected by the victim ($5.23 million vs. $4.3 million). Data breaches that were disclosed by an attacker also had a much longer lifecycle (detection to containment), taking 320 days – 79 days longer than breaches that were identified by the victim.

Data breaches often occur in multiple locations such as on-premises as well as public and private clouds. IBM Security found attackers were able to breach multiple environments undetected, and when multiple environments were breached the costs soared. Multi-environment breaches cost an average of $750,000 more than data breaches in single environments and took 15 days longer to contain. Malicious attacks often rendered systems inoperable with destructive attacks accounting for 25% of all malicious attacks and ransomware accounting for 24% of attacks. Destructive attacks cost an average of $5.24 million and ransomware attacks cost an average of $5.13 million. 47% of ransomware victims chose to pay the ransom.

IBM Security was able to dispel a common myth – that law enforcement involvement in ransomware attacks increases the complexity and recovery time, when the reverse was found to be true. Ransomware attacks with law enforcement involvement took an average of 33 days less to contain than when law enforcement was not involved, and law enforcement involvement also shaved an average of $470,000 off the breach cost. Despite speeding up recovery and significantly reducing breach costs, 37% of ransomware victims did not seek help from law enforcement to contain a breach.

Law enforcement recommends not paying the ransom as there is no guarantee of a faster recovery and payment of a ransom encourages further attacks. IBM Security found that paying the ransom only resulted in minimal savings – a cost difference of $110,000 or 2.2%, although that does not include the ransom amount. Taking the ransom payment into consideration, many organizations ended up paying more than they would likely have spent had they chosen not to pay the ransom.

The biggest cost mitigators were the adoption of a DevSecOps approach (integrating security in the software development cycle), which saved almost $250,000 on average, employee training (-$233,000), incident response planning and testing (-$232,000), and AI and machine learning insights (-$225,000). AI and automation shaved an average of 108 days from identification and containment, and attack surface management (ASM) solutions shaved an average of 83 days off the response time. The biggest cost amplifiers were security systems complexity (+$241,000), security skills shortages (+$239,000), and non-compliance with regulations (+$219,000).

The report revealed 95% of organizations had suffered more than one breach and the costs of these breaches were passed on to consumers by 57% of organizations, with only 51% of organizations increasing security investments following a data breach.

June 2023 Healthcare Data Breach Report

The Department of Health and Human Services’ Office for Civil Rights (OCR) breach portal shows a 12% month-over-month reduction in the number of healthcare data breaches of 500 or more records. In June, HIPAA-regulated entities reported 66 breaches, and while this was an improvement on the 73 breaches reported in June 2022, the month’s total is still well above the 12-month average of 58 data breaches a month.

Healthcare Data Breaches Past 12 Months - June 2023

May was a particularly bad month for data breaches with more than 19 million individuals having their protected health information exposed or impermissibly disclosed, so while there was a 73.67% month-over-month reduction in breached records in June, the previous month’s total was unnaturally high. June’s total of 5,015,083 breached records was below the 12-month average of 6 million records a month and less than the 6,258,833 records breached in June 2022, but that is still more than 167,000 breached healthcare records a day – 17.6% more than the daily average in 2022.

Healthcare Records Breached in the Past 12 Months - June 2023

In H1 2023, 41,452,622 healthcare records were exposed or impermissibly disclosed. That’s just a few thousand records short of the total for all of 2019 and just 10 million below the total for all of 2022.

Largest Healthcare Data Breaches in June 2023

In June, 25 data breaches of 500 or more records were reported to OCR, all but two of which were hacking/IT incidents. The largest breach of the month by some distance was a ransomware attack and data theft incident at the biotech and diagnostics company, Enzo Clinical Labs (Enzo Biochem). Murfreesboro Medical Clinic & SurgiCenter also suffered a major breach where sensitive data was stolen and a ransom demand was issued to prevent a data leak, as did Intellihartx. Intellihartx was one of several companies that had sensitive data stolen by the Cl0p ransomware group, which mass exploited a zero-day vulnerability in Fortra’s GoAnywhere MFT file transfer solution in late January.

As the table below indicates, it is becoming increasingly common for HIPAA-regulated entities to only disclose limited information in their notification letters. Data breaches are often reported as “unauthorized individuals accessed the network and may have accessed or removed patient information,” even when data theft has been confirmed and the stolen data has been uploaded to the data leak sites of ransomware groups. The lack of information can make it difficult for victims of data breaches to assess the level of risk they face.

Healthcare Data Breaches of 10,000 or More Records

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Cause of Breach |
|---|---|---|---|---|---|
| Enzo Clinical Labs, Inc. | NY | Healthcare Provider | 2,470,000 | Hacking/IT Incident | Ransomware attack |
| Murfreesboro Medical Clinic & SurgiCenter | TN | Healthcare Provider | 559,000 | Hacking/IT Incident | Cyberattack (extortion) |
| Intellihartx, LLC | TN | Business Associate | 489,830 | Hacking/IT Incident | Cyberattack (extortion) – Fortra GoAnywhere MFT Solution hacked |
| Advanced Medical Management, LLC | MD | Business Associate | 319,485 | Hacking/IT Incident | Hacking of network designed/maintained by a business associate |
| Great Valley Cardiology | PA | Healthcare Provider | 181,764 | Hacking/IT Incident | Cyberattack – Brute force attack involving data theft |
| Petaluma Health Center | CA | Healthcare Provider | 124,862 | Hacking/IT Incident | Cyberattack – Details unknown |
| Imagine360 | PA | Business Associate | 112,611 | Unauthorized Access/Disclosure | Cyberattack (extortion) – Fortra GoAnywhere MFT and Citrix file transfer solutions hacked |
| Kannact, Inc. | OR | Business Associate | 103,547 | Hacking/IT Incident | Cyberattack (extortion) – Fortra GoAnywhere MFT Solution hacked |
| Activate Healthcare LLC | IL | Healthcare Provider | 93,761 | Hacking/IT Incident | Cyberattack with data theft confirmed |
| Desert Physicians Management | CA | Business Associate | 56,556 | Hacking/IT Incident | Cyberattack with data theft confirmed |
| ARx Patient Solutions | KS | Healthcare Provider | 41,166 | Unauthorized Access/Disclosure | Compromised email account |
| Orrick, Herrington & Sutcliffe LLP | CA | Business Associate | 40,823 | Hacking/IT Incident | Cyberattack – Details unknown |
| Tidewater Diagnostic Imaging, Ltd. | MA | Healthcare Provider | 40,195 | Hacking/IT Incident | Hacking Incident – Details unknown |
| Peachtree Orthopaedic Clinic, P.A. | GA | Healthcare Provider | 34,691 | Hacking/IT Incident | Cyberattack (extortion) by Karakurt threat group |
| Atlanta Women’s Health Group, P.C. | GA | Healthcare Provider | 33,839 | Hacking/IT Incident | Cyberattack – Details unknown |
| Maimonides Medical Center | NY | Healthcare Provider | 33,000 | Hacking/IT Incident | Cyberattack – Details unknown |
| Elgon Information Systems | MA | Business Associate | 31,248 | Hacking/IT Incident | Hacking Incident – Details unknown |
| Community Research Foundation | CA | Healthcare Provider | 30,057 | Hacking/IT Incident | Hacking Incident – Details unknown |
| Mount Desert Island Hospital, Inc. | ME | Healthcare Provider | 24,180 | Hacking/IT Incident | Cyberattack – Details unknown |
| Mercy Medical Center – Clinton, Inc. | IA | Healthcare Provider | 20,865 | Hacking/IT Incident | Ransomware attack |
| Ascension Seton | TX | Healthcare Provider | 17,191 | Hacking/IT Incident | Hacking incident at business associate (Vertex) |
| John N. Evans, DPM | MI | Healthcare Provider | 15,585 | Hacking/IT Incident | Hacking Incident – Details unknown |
| New Horizons Medical, Inc | MA | Healthcare Provider | 12,317 | Hacking/IT Incident | Hacking Incident – Details unknown |
| CareNet Medical Group, PC | NY | Healthcare Provider | 10,059 | Hacking/IT Incident | Cyberattack with data theft confirmed |
| Core Performance Physicians, dba Vincera Core Physicians | PA | Healthcare Provider | 10,000 | Hacking/IT Incident | Ransomware attack affecting four Vincera companies (25,000 affected in total) |

Causes of June 2023 Healthcare Data Breaches

Hacking incidents once again dominated the breach reports, accounting for more than 77% of the month’s data breaches and more than 96% of the month’s breached records. The average breach size was 94,480 records and the median breach size was 5,973 records. 4,818,457 records were exposed or compromised in hacking incidents. There were 14 unauthorized access/disclosure incidents reported, which cover a range of different incidents including unauthorized medical record access, unsecured paper records, mismailing incidents, and misdirected emails. Across those incidents, 196,026 records were impermissibly accessed or disclosed. The average breach size was 14,002 records and the median breach size was 2,567 records. There was one incident involving the improper disposal of 600 paper records and no reported loss or theft incidents.

[Chart: Causes of June 2023 healthcare data breaches]

As the chart below shows, the most common location of breached protected health information was network servers, with email accounts the second most common location of breached data.

[Chart: Location of breached information in June 2023 healthcare data breaches]

Where Did the Breaches Occur?

The raw data from the OCR breach portal shows data breaches by reporting entity; however, that does not mean that is where the breach occurred. When data breaches occur at business associates, the business associate may report the breach, or the covered entities affected, or a combination of the two. The raw data shows 44 breaches at healthcare providers, 12 at business associates, and 10 at health plans.

The charts below are based on adjusted figures and show where the data breach occurred rather than the entity reporting the breach as this better reflects the number of data breaches that occurred at business associates of HIPAA-regulated entities.

[Chart: June 2023 healthcare data breaches by covered entity type]

[Chart: Records breached at HIPAA-regulated entities in June 2023]

Geographical Distribution of Healthcare Data Breaches

Data breaches of 500 or more records were reported by HIPAA-regulated entities in 31 states in June 2023. Pennsylvania was the worst affected state, with 11 data breaches reported. The high total is partly due to 6 of the breaches relating to two incidents that were reported separately for each company affected. Even taking this into account, Pennsylvania was the worst affected state.

| State | Breaches |
|---|---|
| Pennsylvania | 11 |
| California | 5 |
| Massachusetts, New York & Texas | 4 |
| Arizona & Minnesota | 3 |
| Florida, Georgia, Maryland, Michigan, North Carolina, Ohio, Tennessee & Utah | 2 |
| Alabama, Delaware, Idaho, Illinois, Iowa, Indiana, Kansas, Kentucky, Maine, Mississippi, Montana, New Jersey, Oklahoma, Oregon, South Carolina & Virginia | 1 |

HIPAA Enforcement Activity in June 2023

The Office for Civil Rights announced three enforcement actions in June to resolve potential violations of the HIPAA Rules. Yakima Valley Memorial Hospital was investigated by OCR after a report was received about a HIPAA breach involving 23 security guards who had been accessing patient records without authorization. OCR determined that the hospital had failed to implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of the Security Rule. The case was settled and the hospital agreed to pay a $240,000 penalty.

Manasa Health Center was investigated after complaints were filed with OCR about impermissible disclosures of PHI in response to negative online reviews left by four patients. The case was settled with OCR and Manasa Health Center agreed to pay a $30,000 penalty. This was OCR’s third enforcement action in the past year to see a financial penalty for disclosures of PHI in response to negative patient reviews. No company likes to receive bad reviews and negative customer comments may be unjustified, but PHI must never be disclosed online in response to reviews.

iHealth Solutions, which does business as Advantum Health, was investigated over a relatively small data breach involving the exposure of the ePHI of 267 patients. Patient information was stored on a server that had not been properly secured, allowing protected health information to be accessed over the Internet. OCR determined that iHealth Solutions had failed to conduct an accurate, thorough, organization-wide risk analysis to identify all risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. The case was settled and iHealth Solutions agreed to pay a $75,000 penalty.

OCR has now imposed 8 financial penalties on HIPAA-regulated entities so far this year to resolve alleged violations of the HIPAA Rules with the penalties totaling $1,976,500. OCR has already exceeded last year’s total of $1,124,640 in fines that were collected from HIPAA-regulated entities in 17 enforcement actions.

State attorneys general can also impose financial penalties for HIPAA violations, although the fines are often imposed for equivalent violations of state laws, as was the case in California in June. In 2019, Kaiser Permanente sent mailings to its plan members, but an error resulted in letters being sent to old addresses, resulting in an impermissible disclosure of members’ protected health information. While this was a HIPAA violation, California imposed a financial penalty for violations of the California Confidentiality of Medical Information Act (CMIA) – an impermissible disclosure of the personal information of up to 175,000 individuals and the negligent maintenance and/or disposal of medical information. The case was settled for $450,000.

The post June 2023 Healthcare Data Breach Report appeared first on HIPAA Journal.

Tampa General Hospital Says Hackers Exfiltrated the Data of 1.2 Million Patients

Tampa General Hospital has recently confirmed that hackers gained access to its network and stole files containing the protected health information of up to 1.2 million patients. A security breach was detected on May 31, 2023, when suspicious activity was identified within its network. The affected systems were immediately taken offline to prevent further unauthorized access and a third-party digital forensics firm was engaged to investigate the incident and determine the nature and scope of the attack.

The investigation confirmed that unauthorized individuals had access to its network for three weeks between May 12 and May 30, 2023, during which time they exfiltrated files containing patient information. The information compromised in the incident varied from individual to individual and may have included names, phone numbers, addresses, dates of birth, Social Security numbers, medical record numbers, patient account numbers, dates of service, health insurance information, and limited treatment information. Tampa General Hospital confirmed that the hackers did not gain access to its electronic medical record system.

Tampa General Hospital said this was an attempted ransomware attack and while data theft occurred, its security systems prevented files from being encrypted. Additional technical security measures have now been implemented to harden its systems and prevent further data breaches and network monitoring has been enhanced to ensure that any future security breaches are detected rapidly.

Notification letters will be mailed to affected individuals when contact information has been verified. Tampa General Hospital said affected individuals will be offered complimentary credit monitoring and identity theft protection services.


168,000 Patients Have PHI Exposed in Phishing Attack on Henry Ford Health

Detroit, MI-based Henry Ford Health has recently notified 168,000 patients that an unauthorized individual gained access to employee email accounts that contained some of their protected health information. A spokesperson for Henry Ford Health said the unauthorized access occurred on March 30, 2023, after employees responded to phishing emails. The attack was discovered quickly and the accounts were secured; however, access to patient data was possible. A review of the email accounts confirmed on May 16, 2023, that they contained the following patient information: name, date of birth, age, gender, telephone number, medical record number/internal tracking number, lab results, procedure type, diagnosis, and date(s) of service. Henry Ford Health is implementing additional security measures to protect against future email account breaches and additional training has been provided to employees.

IMX Medical Management Services Announces 2022 Malware Incident

The Malvern, PA-based medical consulting company, IMX Medical Management Services, has recently confirmed that malware was found on a laptop computer that potentially allowed unauthorized individuals to access the protected health information of 7,594 individuals. According to the notification letters, the malware was detected on September 1, 2022, and the forensic investigation revealed the malware had been present since as early as June 2022. Additional malware indicators were also found on its network in October 2022.

IMX said the malware has been removed and no further indicators of malware have been detected since October 2022. The delay in issuing notifications was due to the “extensive and complex analysis of the affected data.” IMX said the malware provided access to the bodies of email messages but attachments were not exfiltrated. The compromised information included names or other personal identifiers along with driver’s license numbers and other ID cards. Identity theft protection services have been offered to affected individuals.

Storage Unit Purchased at Auction Contained Dozens of Boxes of Patient Files

A storage unit was recently sold at auction that contained more than 200 boxes of patient files. The unit went up for sale when the unit rental payments stopped. The purchaser submitted a blind bid for the unit and discovered the boxes of patient files after purchasing the unit. The records related to patients of East Houston Medicine and Pediatric Center who received treatment between 2009 and 2019. The files included information such as names, Social Security numbers, driver’s license images, medical histories, and insurance information. The purchaser is currently trying to arrange for the files to be collected.

PHI Exposed in Charles George VA Medical Center Mismailing Incident

Charles George VA Medical Center in Asheville, NC, has confirmed that the personal information of 1,541 veterans has been exposed in an email mismailing incident. The data exposure was detected on May 12, 2023, and immediate steps were taken to delete the emails that had not been opened; however, the messages were opened by three veterans. The emails included an attachment that contained limited protected health information. Affected individuals have been offered complimentary credit monitoring and identity theft protection services.
