HIPAA Breach News

Lack of Funding Hampering OCR’s Ability to Enforce HIPAA

The HHS’ Office for Civil Rights (OCR) has published a report it sent to Congress that details its HIPAA enforcement activities in 2021, which provides insights into the state of compliance with the HIPAA Privacy, Security, and Breach Notification Rules. The report makes it clear that OCR’s resources are under considerable strain, and without an increase in funding from Congress, OCR will struggle to fulfill its mission to enforce HIPAA compliance, especially considering the large increase in reported data breaches and HIPAA complaints.

OCR reports significant increases in reported data breaches and HIPAA complaints, with large data breaches – 500 or more records – increasing by more than 58% between 2017 and 2021, and HIPAA complaints increasing by 25% between 2020 and 2021, yet between 2017 and 2021, OCR has not had any increases in appropriations, with Congress only increasing funding in line with inflation.

If Congress is unable to increase funding for OCR, the financial strain could be eased through enforcement actions; however, OCR’s income from enforcement has declined since it reassessed the language of the HITECH Act and determined that the Act had been misinterpreted in 2009, which resulted in the maximum penalty amounts in three of the four penalty tiers being significantly reduced. To address this and increase funding, OCR sent a request to Congress in September 2021 (HHS FY 2023 Discretionary A-19 Legislative Supplement) calling for an increase in the HITECH civil monetary penalty caps. Without such an increase, OCR’s staff and resources will continue to be severely strained, especially during a time of substantial growth in cyberattacks on the healthcare sector.

25% Annual Increase in HIPAA Violation Complaints

There was a sizeable rise in complaints about potential HIPAA and HITECH Act violations in 2021, which increased by 25% year-over-year to 34,077 complaints, 77.5% of which (26,420) were resolved in 2021, 78% of which (20,611 complaints) were resolved without having to initiate an investigation. OCR explained that action can only be taken in response to complaints where the HIPAA violation occurred after the compliance deadline, where the complaint is against a HIPAA-regulated entity, where a HIPAA violation appears to have occurred, and when the complaint is submitted within 180 days of the complainant becoming aware of the violation (unless the complainant shows good cause why the violation was not reported within 180 days).

The most common reasons for closing complaints without an investigation were that the complaint was made against an entity not regulated by HIPAA or that the alleged conduct did not violate HIPAA (3%), and that the complaint was untimely (1%). OCR said 4,139 complaints were resolved by providing technical assistance in lieu of an investigation, 714 complaints were resolved by the HIPAA-regulated entity taking corrective action, and 789 complaints were resolved through technical assistance provided after an investigation was initiated. There was a 10% year-over-year reduction in initiated compliance investigations, with 1,620 compliance investigations initiated in response to complaints. 50% were resolved as no violation was discovered, 44% were resolved through corrective action, and 6% were resolved through technical assistance after investigation. Thirteen complaints were resolved through settlements and corrective action plans with penalties totaling $815,150, and two were resolved through civil monetary penalties totaling $150,000.

674 compliance reviews were initiated for reasons other than complaints: 609 in response to large data breaches, 22 due to small data breaches, and a further 43 in response to incidents brought to OCR’s attention by other means, such as media reports. In 2021, OCR closed 573 compliance reviews, resulting in corrective actions or civil monetary penalties in 83% of the investigations. Two compliance reviews resulted in resolution agreements that included $5,125,000 in financial penalties and corrective action plans. The remaining 17% of compliance reviews were resolved through technical assistance (3%), insufficient evidence of HIPAA violations (11%), or a lack of jurisdiction to investigate (3%). OCR said its HIPAA compliance audit program has stalled due to a lack of financial resources.

Click here to view OCR’s Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance

Click here to view a summary of OCR’s Report on Breaches of Unsecured PHI in 2021

The post Lack of Funding Hampering OCR’s Ability to Enforce HIPAA appeared first on HIPAA Journal.

OCR: HIPAA-Regulated Entities Need to Continue to Improve HIPAA Security Rule Compliance

The Department of Health and Human Services’ Office for Civil Rights (OCR) has publicly released two reports that were submitted to Congress that provide insights into data breaches, HIPAA enforcement activity, and the state of HIPAA Privacy and Security Rule compliance for calendar year 2021.

According to OCR, in calendar year 2021, OCR received 609 reports of large data breaches – data breaches affecting 500 or more individuals – with those incidents affecting 37,182,558 individuals. OCR also received 63,571 reports of data breaches affecting fewer than 500 individuals – which are not publicly reported. 319,215 individuals were affected by those smaller data breaches. That’s 64,180 data breaches in total in 2021 affecting 37,501,772 individuals.

If you follow the breach reports and healthcare data breach statistics reported in the HIPAA Journal, you will notice a discrepancy with OCR’s official figures. That is because the statistics are based on the data breaches reported to OCR via the OCR HIPAA Breach Web Portal, which lists 714 data breaches for calendar year 2021. OCR investigates all of those breaches, but the report to Congress only includes data breaches that occurred in 2021 or continued into 2021. 105 of the data breaches reported to OCR in calendar year 2021 occurred and ended prior to 2021, but were reported in 2021.

OCR investigates all data breaches of 500 or more records and initiates HIPAA compliance reviews for all of those breaches to determine whether noncompliance with the HIPAA Rules was a contributory factor. In 2021, OCR launched investigations into all 609 large data breaches plus 22 data breaches involving fewer than 500 individuals. 554 data breach investigations were completed in 2021, either because they were closed with no further action as no HIPAA violations were determined to have occurred, or because HIPAA violations were discovered and resolved through voluntary compliance, technical assistance, or resolution agreements and corrective action plans.

The adjusted data show there was a 7% annual reduction in data breaches of 500 or more records compared to 2020, and a 4% reduction in smaller data breaches. By comparison, there was a 61% increase in large data breaches in 2020 and a 6% increase in small data breaches. From 2017 to 2021, small data breaches increased by 5.4% and large data breaches increased by 58.2%.

In 2021, hacking/IT incidents accounted for 75% of large data breaches and 95% of the affected individuals, with the breached information most commonly stored on network servers. 19% of breaches and 4% of impacted individuals were affected by unauthorized access/disclosure incidents, 3% of reported breaches involved theft (<1% of affected individuals), 1% involved loss of PHI (<1% of affected individuals), and 1% involved improper disposal of PHI (1% of affected individuals). Unauthorized access/disclosure incidents accounted for the majority of small breaches, with those breaches typically involving paper records.

Healthcare providers reported 72% of the data breaches in 2021 (437 reports and 24,389,630 affected individuals), 15% of the breaches were reported by health plans (93 reports and 3,236,443 affected individuals), 13% by business associates (977 reports and 9,554,023 affected individuals), and <1% by healthcare clearinghouses (2 reports affecting 2,462 individuals).

Largest Data Breaches in 2021 in Each Breach Category

Breach Type                       Individuals Affected   Cause
Hacking/IT Incident               3,253,822              Hacked network server
Unauthorized Access/Disclosure    326,417                Software configuration error exposed ePHI
Improper Disposal                 122,340                Improper disposal of hard drives containing ePHI
Theft                             21,601                 Theft of laptops and paper records in a burglary
Loss of PHI                       14,532                 Loss of medical records

Lessons Learned from 2022 Data Breaches

OCR reports that the most common vulnerabilities identified during its investigations were failures to follow HIPAA Security Rule standards and implementation specifications. “There is a continued need for regulated entities to improve compliance with the HIPAA Rules,” explained OCR in the report. “In particular, the Security Rule standards and implementation specifications of risk analysis, risk management, information system activity review, audit controls, and access control were areas identified as needing improvement in 2021 OCR breach investigations.”

The most common remedial actions to breaches of 500 or more records were:

  • Implementing multi-factor authentication for remote access
  • Revising policies and procedures
  • Training or retraining workforce members who handle PHI
  • Providing free credit monitoring and identity theft protection services to customers
  • Adopting encryption technologies
  • Imposing sanctions on workforce members who violated policies and procedures for removing PHI from facilities or who improperly accessed PHI
  • Changing passwords
  • Performing a new risk assessment
  • Revising business associate contracts to include more detailed provisions for the protection of health information

When serious violations of HIPAA are identified and/or corrective action has not been proactively taken in response to data breaches, OCR will impose corrective action plans and financial penalties. In 2021, OCR resolved two investigations of data breaches with resolution agreements and corrective action plans, resulting in settlements totaling $5.1 million. One settlement was reached with Excellus Health Plan, which agreed to pay a financial penalty of $5,100,000 to resolve the HIPAA violations that contributed to its 2015 data breach affecting 9.3 million individuals, and a $25,000 penalty was paid by Peachstate Health Management (dba AEON Clinical Laboratories) to resolve HIPAA Security Rule violations.

“The health care industry is one of the most diverse industries in our economy, and OCR is responsible for enforcing the HIPAA Rules to support greater privacy and security of individuals’ protected health information,” said OCR Director Melanie Fontes Rainer. “We will continue to provide guidance and technical assistance on compliance with the HIPAA Rules, as well as a vigorous enforcement program to address potential HIPAA violations.”

Click here to view OCR’s Annual Report to Congress on Breaches of Unsecured Protected Health Information (PDF)

Click here to view a summary of OCR’s enforcement activity in 2021


ACLU Expands Class Action Lawsuit Against RIPTA and UnitedHealthcare New England

The American Civil Liberties Union of Rhode Island (ACLU of RI) has amended its complaint against the Rhode Island Public Transit Authority (RIPTA) and UnitedHealthcare New England (UHC) in their pending class action lawsuit over an August 2021 data breach. RIPTA is a state agency that operates the public bus service in Rhode Island. In August 2021, an unauthorized third party gained access to its computer systems and stole files that contained sensitive employee information, including names, Social Security numbers, and other personal and health data.

RIPTA issued notifications to all affected individuals – approximately 22,000 – 4 months after the data breach; however, many individuals received notification letters who had no connection to RIPTA. It was later explained that the information of approximately 5,000 RIPTA employees was compromised, along with the data of 17,000 non-RIPTA employees. RIPTA held the data of 17,000 employees of other state agencies after the information was mistakenly sent to RIPTA by UHC.

ACLU of RI filed a lawsuit against RIPTA and UHC over the data breach, which initially named two plaintiffs: a University of Rhode Island employee and a retired RIPTA employee, both of whom had been affected by the breach. The plaintiffs represented a class of more than 20,000 individuals. The lawsuit alleges RIPTA and UHC were negligent in failing to properly maintain, protect, purge, and safely destroy data, in violation of two Rhode Island laws. Further, the notification letters did not contain sufficient information about the breach, RIPTA falsely stated on its website that only beneficiaries of its health plan had been affected, and it took 138 days after the discovery of the breach to issue notifications, in violation of state law which requires data breach notifications to be issued within 45 days.

The lawsuit alleges the plaintiffs and class members face an ongoing risk of fraud and identity theft, which requires them to continually monitor their financial accounts, future financial footprints, credit profiles, and identities. After the data breach, one of the plaintiffs experienced fraudulent use of her credit cards and unauthorized bank account withdrawals. The amended complaint adds a further eleven plaintiffs to the lawsuit as class representatives and details the harm that has been caused by the breach, which for some individuals includes losses of thousands of dollars. Some of the stolen data has also been discovered on the dark web. The amended complaint also includes details of the testimonies of RIPTA employees from a January 2022 hearing – which UHC representatives failed to attend – confirming encryption was not employed until after the data breach, and that the data breach also included Medicare ID numbers, providers’ names and dates of service. Despite the data breach occurring more than 18 months ago, it is still unclear why UHC provided RIPTA with the data of non-RIPTA employees or why it took so long for notification letters to be issued.

The lawsuit seeks compensatory and punitive damages, attorneys’ fees, 10 years of credit monitoring services, and a court order requiring the defendants to implement a comprehensive information security program.


CommonSpirit Health Reports $150 Million Loss Due to Ransomware Attack

The October 2022 ransomware attack on CommonSpirit Health has cost the health system more than $150 million to date according to its recent quarterly filing, and the costs are continuing to increase as the investigation into the attack and data breach is ongoing. Healthcare data breaches are the costliest data breaches to resolve. The IBM Security Annual Cost of a Data Breach Report for 2022 suggests healthcare data breaches cost an average of $10.1 million, and across all industries cost an average of $164 per record.

The ransomware attack on CommonSpirit Health exposed a considerable amount of patient information – 623,700 individuals were affected by the breach – but it could have been far worse. More than 20 million patients are served across CommonSpirit Health, Catholic Health Initiatives, and Dignity Health. The cost of the CommonSpirit Health ransomware attack and data breach is far higher than IBM Security’s figures suggest because of the continued disruption caused by the attack. CommonSpirit Health suffered a month-long outage due to the attack, and that extended disruption to operations is why the costs have spiraled. The average data breach costs do not account for extended disruption to business operations, which is the costliest element of a cyberattack. Large health systems can incur losses of between $1 million and $2 million per day due to business disruption.

The Catholic health system suffered operating losses of $1.3 billion in the full fiscal year ending June 30, 2022, and $1.85 billion in net losses, with $474 million of reported operating losses for Q4, 2022, which is almost six times the operating losses for the corresponding quarter in 2021 ($81 million). The health system says its cash reserves have fallen $741 million from the previous fiscal year to $1.85 billion as of December 31, 2022, giving it 160 days of cash left to fund its operations.

While the health system is operating at a loss, CommonSpirit Health enjoyed volume growth in the final quarter of the year, although the quarterly report stated operating revenues were down from $8.88 billion in 2021 to $8.30 billion this year. The health system says it is continuing to be affected by the pandemic, labor shortages, and inflation, as well as having to cover the cost of the ransomware attack and data breach.

CommonSpirit said it is taking a number of steps to bolster its financial sustainability, including focusing on reducing costs, operating more efficiently, and scaling programs across the organization to create a better experience for patients and consumers. The health system has also implemented initiatives to help promote staff and clinician wellness and improve employee retention.


mscripts Cloud Storage Misconfiguration Exposed PHI for 6 Years

The mobile pharmacy solution provider, mscripts, has recently announced that a misconfiguration of its cloud storage environment has exposed client data online for the past 6 years. The misconfiguration was detected and remediated on November 18, 2022, with the third-party forensics investigation confirming the cloud storage environment had been unsecured since September 30, 2016.

A review of the files stored in that environment confirmed they contained the protected health information of 66,372 patients of participating pharmacies. The information related to locker pickups at pharmacy locations, and also included images of prescription bottles and insurance cards, which had been submitted via the mscripts web or mobile app. The information potentially accessed during that time includes names, dates of birth, phone numbers, addresses, prescription numbers, medication names, originating pharmacy information, health insurance company names, member IDs, group numbers, and, in certain cases, dependents’ names.

mscripts said the issue has now been resolved and security procedures have been enhanced to ensure similar data exposure incidents do not occur in the future. Affected individuals have been notified and advised to monitor their billing statements and notifications of prescriptions for any unauthorized activity.

Care Dimensions Says Website Compromised to Steal Payment Card Information

Danvers, MA-based Care Dimensions, a provider of hospice, palliative, and home primary care services, has recently reported a data breach to the Maine Attorney General that has affected up to 1,713 patients. Care Dimensions recently discovered that the donation page of its website had been altered, and malicious code was added to capture the payment card details of donors.

The forensic investigation confirmed on or around January 6, 2023, that the malicious code was added on February 18, 2022, and allowed an unknown threat actor to capture payment card information when donations were made, including cardholder name, contact information, credit and debit card numbers, expiration dates, and CVV codes. The malicious code was removed on December 8, 2022.

The breach affects all individuals who made donations through the website between February 18, 2022, and December 8, 2022. Those individuals have been advised to regularly review their financial account statements for fraudulent or irregular activity and to immediately report any unauthorized purchases. Fraud alerts and security freezes with credit agencies have also been recommended. Care Dimensions said third-party cybersecurity experts have conducted a full review of its website code and penetration tests to ensure that the exploited vulnerability has been fully remediated.

Brooks Rehabilitation Reports Website Tracking Technology-Related Impermissible PHI Disclosure

Brooks Rehabilitation, a Florida-based network of medical rehabilitation services, has recently notified 1,554 patients about an impermissible disclosure of some of their protected health information to third parties due to the use of pixels and cookies on its website.

The pixels and cookies were used on its website for tracking user activity to enhance its website and improve the user experience. Brooks Rehabilitation recently learned that those technologies captured and transmitted user information to the technology companies that provided the code. The investigation confirmed that the following types of information may have been impermissibly disclosed to technology companies: name, phone number, email address, computer IP address, other information provided in the comments section of the website, and any Brooks sites visited while visiting its website. Brooks Rehabilitation said it was unable to determine whether any of that information has been further disclosed or used by the technology companies, such as for targeted advertising.

Brooks Rehabilitation said the tracking technologies were disabled in December 2022 and there are no plans to use them again unless it can be confirmed that they will not transmit any user information.

Email Account Compromised at Minuteman Senior Services

The Bedford, MA-based senior care provider, Minuteman Senior Services, has confirmed that an unauthorized individual gained access to the email account of an employee between November 21 and November 30, 2022. Third-party data review specialists are currently conducting a programmatic and manual review of all emails and attachments in the account to determine the extent of the privacy breach.

The information potentially accessed includes full name, address, date of birth, gender, health insurance information, diagnosis, and service utilization. The information exposed varies from patient to patient. Since it is not yet known how many individuals have been affected, the incident was reported to the HHS’ Office for Civil Rights with a placeholder of 500 individuals. Notification letters will be issued when the review is complete and the total will be updated with OCR when the extent of the incident is confirmed.

This is the second email account compromise incident to be reported by Minuteman Senior Services in the past year. A similar breach occurred on June 1, 2022, although in that case the unauthorized access was detected and blocked within 24 hours. That breach affected up to 4,000 individuals.

The Center for Autism and Related Disorders

The Center for Autism and Related Disorders (CARD) in Portland, OR, has notified certain patients about an impermissible disclosure of a limited amount of their personal information due to an error by a third-party billing vendor. When the software for the system for generating patient invoices was updated, a computer error occurred that resulted in certain caregivers being sent invoices for unrelated patients.

The invoices included HIPAA-protected information such as patient names, CARD internal reference numbers, and payment histories, which included insurance payments, patient payments, adjustments, and account balances. No other information was involved. The error was rapidly detected and fixed, and only affected its January 2023 billing statements for patient cost-sharing amounts. Processes for detecting errors such as this have now been strengthened to prevent any further mailing errors.

The incident has yet to appear on the HHS’ breach portal so it is currently unclear how many individuals have been affected.


Rise Interactive Media & Analytics, DotHouse Health, and Reventics Hacked

Rise Interactive Media & Analytics, LLC

The Illinois-based digital marketing agency, Rise Interactive Media & Analytics, LLC, has recently confirmed that hackers gained access to its digital environment on November 14, 2022, and potentially accessed or exfiltrated the data of some of its clients. Rise Interactive has reported the breach to the Department of Health and Human Services as affecting 54,509 individuals, but it is currently unknown how many of its healthcare clients have been affected.

RGH Enterprises, Inc., doing business as Edgepark Medical Supplies, is one of the affected Rise Interactive clients. Edgepark explained in a notification letter to the California Attorney General that it was informed about the data security incident by Rise Interactive on December 5, 2022. While the investigation into the breach is ongoing, Edgepark Medical Supplies was informed that the files potentially accessed included names, email addresses, phone numbers, provider information, diagnoses, expected delivery dates, and health insurance information. The breach was confined to Rise Interactive’s systems. Edgepark Medical Supplies said Rise Interactive is evaluating its security measures and will modify internal controls and practices to improve the privacy and security of client information.

DotHouse Health Incorporated

DotHouse Health Incorporated, a Joint Commission-accredited health center in Dorchester, MA, has announced that unauthorized individuals gained access to certain parts of its network between October 31, 2022, and November 27, 2022. Suspicious activity was detected within its network in November 2022, and a third-party computer forensics firm was engaged to investigate the breach. On or around January 12, 2023, the investigation confirmed that the parts of the network that were accessed included files containing patient information such as full names, addresses, dates of birth, medical record numbers, diagnoses/conditions, medications, other treatment information, and claims information.

The review of the affected files is ongoing and notification letters will be sent to affected individuals when that process is completed. DotHouse Health said that while data theft has not been confirmed, it is likely that patient information was accessed and downloaded. Affected individuals have been advised to monitor their account statements, credit reports, and Explanation of Benefits statements for unauthorized activity and to report any suspicious activity immediately. The breach has been reported to the HHS’ Office for Civil Rights as affecting up to 10,000 individuals.

Reventics

Reventics, a Greenwood Village, CO-based clinical documentation improvement and revenue cycle management company, has recently confirmed that hackers gained access to its computer environment and accessed and stole patient data. The cyber intrusion was detected by Reventics on or around December 15, 2022, when suspicious activity was identified on some of its servers. A third-party cybersecurity and digital forensics company was engaged to investigate the breach, and determined on December 27, 2022, that the files exfiltrated from its systems contained HIPAA-protected data, including names, birth dates, Social Security numbers, financial information, healthcare provider details, health plan names, clinical data, and service/procedure codes with a brief description of those codes.

Reventics said it has implemented additional safeguards to prevent further cyberattacks and data breaches, including new encryption controls. A new, comprehensive security risk analysis has also been performed and further training has been provided to the workforce. Affected individuals are now being notified and have been offered complimentary credit monitoring and identity theft protection services.

The breach has yet to appear on the HHS’ Breach portal, so it is currently unclear how many individuals have been affected.


PHI Compromised in 4 Recent Ransomware and Malware Attacks

Teijin Automotive Technologies Says Welfare Plan Data Compromised in December Ransomware Attack

Teijin Automotive Technologies has recently confirmed that the protected health information of 25,464 members of its welfare plan has potentially been accessed and stolen in a December 1, 2022, ransomware attack. Teijin Automotive Technologies has been transparent about the attack and its cause, confirming that its security systems were circumvented in a phishing attack. An employee clicked on a link in a phishing email on November 30, which allowed the threat actor to steal credentials, compromise the company’s servers, and deploy ransomware the following day. The attack was contained by December 5, 2022.

Prompt action was taken by the IT team to prevent any further unauthorized access and law enforcement and the FBI were immediately notified and provided assistance with the investigation. The review of the compromised servers revealed they contained information related to the company’s welfare plan such as names, addresses, birth dates, Social Security numbers, health insurance policy information, and, in a limited number of cases, banking information. Teijin Automotive Technologies said medical information was not believed to have been stored on the affected servers.

“The security and confidentiality of personal employee information and the business information of our customers is critical to Teijin Automotive Technologies,” said CEO Chris Twining. “We are sorry this incident occurred and apologize to our employees, customers, and affected individuals. We have taken additional steps to strengthen the security of our data, including enhancing our security procedures, investing in new technology, and requiring additional training for our employees.” Affected individuals have been notified and credit monitoring services have been offered.

Arizona Health Advantage Reports Malware Attack

Arizona Health Advantage, a Chandler, AZ-based healthcare provider that does business as Arizona Priority Care and AZPC Clinics, LLC, has recently announced that malware has been detected on its network which prevented access to some of its servers and allowed unauthorized individuals to access and exfiltrate patient and health plan member data.

The security incident was detected on December 5, 2022, when employees were prevented from accessing files on some of its servers. A third-party computer forensics company was engaged to investigate the breach and determined the attack occurred between December 1 and December 2, during which time files were exfiltrated that contained the data of patients and members of the following health plans: Alignment Health Plan of Arizona, Inc., Alignment Health Insurance Company of Arizona, Inc., Blue Cross Blue Shield of Arizona, Health Net of Arizona, Inc. (Centene), and WellCare Health Plans of Arizona, Inc. (Centene).

The types of data involved varied from person to person and may have included name, date of birth, address, treatment dates, treatment information, service authorization numbers, health plan member number, and other personal information. Affected individuals have been notified and offered a one-year membership to a credit monitoring service. Additional security protections and protocols have now been implemented to protect against attacks in the future. According to the HHS’ Office for Civil Rights, the protected health information of 10,978 individuals was potentially compromised.

Garrison Women’s Health Says Malware Allowed Access to Patient Data

Dover, NH-based Garrison Women’s Health, a division of Wentworth-Douglass Hospital, has recently announced that the protected health information of 4,158 patients was potentially stolen in a cyberattack on one of its business associates, Global Network Systems.

Global Network Systems, a provider of technology services, detected the attack on December 12, 2022, which caused a network outage that rendered its systems unavailable. The investigation confirmed that an unauthorized third party had access to Global’s systems for 8 months, with the initial access determined to have occurred on April 29, 2022.

Garrison Women’s Health said the attack corrupted information in its electronic health records, which were hosted by Global, and that information has not been recovered. The corrupted data related to patients who received healthcare services between April 29, 2022, and December 12, 2022, and included medical and treatment information, coding, claims data, insurance information, payment information, physician notes, and scheduling information.

Garrison Women’s Health said it was unable to restore the corrupted data from backups, but said it was possible to restore access to the information contained in specific radiology and ultrasound applications, and after investigating other potential backup sources, was able to restore its electronic medical record system and recover data prior to April 28, 2022.

While the incident was not reported as a ransomware attack, it has the hallmarks of one. Garrison Women’s Health said it does not believe there has been any misuse of patient data, although affected individuals have been advised to monitor their accounts and Explanation of Benefits statements for unauthorized activity.

While data loss was confirmed, Garrison Women’s Health said some of the lost information may have been duplicated and may be maintained by a patient’s primary care physician, hospital, or other providers, or could have been received by a patient’s health plan.

Malware Attack on Intelligent Business Solutions Exposed Riverside Health System Data

Intelligent Business Solutions (IBS) has recently started sending notifications to cardio-thoracic patients of Riverside Health System to inform them that some of their personal and protected health information has potentially been accessed or stolen. A security breach was detected on or around November 14, 2022, when suspicious activity was identified within the IBS network. The forensic investigation identified the presence of malware, which was used to encrypt files on certain servers and systems. The breach lasted from November 10, 2022, to November 15, 2022.

The review of the affected files confirmed they contained the following data types: name, Social Security number, date of birth, health insurance information, medical treatment information, and procedure information. While data theft may have occurred, IBS said it is unaware of any actual or attempted misuse of the impacted data. IBS said it had extensive policies, procedures, and cybersecurity protections in place, but they were unable to prevent the attack. Those cybersecurity measures are being reviewed and will be updated, as appropriate, to reduce the likelihood of further attacks. Affected individuals have been offered complimentary memberships to credit monitoring and identity theft protection services for 24 months.


Up to 1 Million Community Health Systems’ Patients Affected by GoAnywhere MFT Hack

Franklin, TN-based Community Health Systems has recently confirmed that it has been affected by a security incident at one of its vendors, the cybersecurity firm Fortra, in which unauthorized individuals gained access to the protected health information of up to 1 million patients. Community Health Systems is one of the largest health systems in the United States, and operates 79 hospitals and more than 1,000 sites of care in 16 U.S. states. On February 13, 2023, Community Health Systems confirmed in a Securities and Exchange Commission Form 8-K filing that it had recently been notified by Fortra about a security incident affecting some of its data.

Community Health Systems said the breach appears to be limited to Fortra’s GoAnywhere MFT platform, that its own systems have not been compromised, and that the security incident did not have any impact on the care provided to patients. It is too early to tell exactly what information has been exposed, the extent of any data theft, and how many individuals have been affected, but Community Health Systems estimates that up to 1 million individuals were affected.

Community Health Systems confirmed that it is covered by a cyber insurance policy that provides some degree of protection against losses due to cyberattacks and it will be offering identity theft protection services to affected individuals. Further information will be released as the investigation progresses.

Zero-Day Flaw Exploited in More Than 130 Attacks

Fortra is a cybersecurity company that provides a secure file transfer platform called GoAnywhere MFT. Fortra recently confirmed that a zero-day vulnerability has been identified that was being exploited in the wild. At the time of issuing the security alert, a patch was not available to fix the vulnerability. Fortra notified all customers and provided mitigations to prevent exploitation of the flaw, then released an emergency patch the following day.

The vulnerability – tracked as CVE-2023-0669 – can be exploited remotely on GoAnywhere MFT instances that have their admin consoles exposed to the Internet. Successful exploitation of the flaw allows a malicious actor to execute code remotely. A proof-of-concept (PoC) exploit for the flaw was publicly released this week. The flaw cannot be exploited if the admin console is reachable only from a private network or through a VPN, or if an allow-list restricts console access to trusted IP addresses, although the patch should still be applied.

Bleeping Computer has reported that it was contacted by a hacker who claimed to be a member of the Clop ransomware gang who said the vulnerability had been exploited by the group at more than 130 organizations. The exploit allowed them to gain access to the platform and move laterally, and while it would have been possible to deploy ransomware, the decision was made to only exfiltrate data in an extortion-only attack.

Similar tactics were used in December 2020 in a wave of attacks that exploited a zero-day vulnerability in the Accellion File Transfer Appliance (FTA). Approximately 100 companies were affected, had data stolen, and were subject to extortion attempts. Data was subsequently leaked on the Clop data leak site when the ransoms were not paid. The attacks were attributed to a group called FIN11, which has ties to the Clop ransomware group.

While the claims by the Clop ransomware group member have not been verified, Joe Slowik, Threat Intelligence Manager at the cybersecurity firm Huntress, has linked the attacks to the threat actor tracked as TA505, which has previously conducted ransomware attacks using Locky, Philadelphia, GlobeImposter, and Clop ransomware variants. Bleeping Computer reports that Shodan scans show there are more than 1,000 GoAnywhere MFT instances exposed to the Internet, but only 136 of them appear to be vulnerable, since those are the ones with the admin console reachable on ports 8000 and 8001.
