HIPAA Breach News

Kisco Senior Living & Island Ambulatory Surgery Center Disclose Summer 2023 Cyberattacks

Posted by Steve Alder

Notification letters have been sent to more than 34,500 individuals about ransomware attacks that occurred more than 9 months ago. Kisco Senior Living experienced its attack in June 2023, and Island Ambulatory Surgery Center suffered an attack in July.

Kisco Senior Living

Kisco Senior Living is a Carlsbad, CA-based operator of 20 senior living communities in 6 U.S. States. According to the notification letters mailed to the affected individuals in April 2024, a cyberattack was detected on June 6, 2023, when its network was disrupted. A cybersecurity firm was engaged to investigate the disruption and confirmed that unauthorized individuals accessed its network and exfiltrated files containing the personal information of residents. It took more than 10 months (April 10, 2024) to determine the types of information involved and the number of individuals affected.

According to the notification sent to the Maine Attorney General, the breach included names and Social Security numbers and affected 26,663 individuals. Kisco Senior Living said additional security features have been implemented to prevent similar breaches in the future and the affected individuals have been offered 12 months of complimentary credit monitoring services, which include a $1 million identity fraud loss reimbursement policy.

Island Ambulatory Surgery Center

Island Ambulatory Surgery Center in Brooklyn, NY, has recently notified 7,900 individuals about a cyberattack that was detected on or around July 31, 2023. Cybersecurity experts were engaged to investigate the breach and determined that an unauthorized actor had access to its network and acquired certain files, some of which contained patients’ personal and health information.

The review of the affected files was completed on February 7, 2024, and confirmed some or all of the following information was compromised: name, date of birth, Social Security number, driver’s license number, medical information, and/or health insurance information. Notification letters were mailed to the affected individuals on April 5, 2024. Island Ambulatory Surgery Center said it takes privacy and security seriously and has implemented measures to prevent similar incidents in the future.

The post Kisco Senior Living & Island Ambulatory Surgery Center Disclose Summer 2023 Cyberattacks appeared first on HIPAA Journal.

Email Accounts Compromised at UW Health and Medical Home Network

Posted by Steve Alder

Email accounts have been compromised at the University of Wisconsin Hospitals and Clinics Authority and the Medical Home Network in Illinois.

University of Wisconsin Hospitals and Clinics Authority Email Account Breach

The University of Wisconsin Hospitals and Clinics Authority (UW Health) recently provided an update on a security incident that was detected in late 2023. Suspicious activity was detected in an employee’s email account and the password was immediately changed to prevent further unauthorized access. A third-party cybersecurity firm was engaged to investigate the breach and it was determined on January 5, 2024, that the email account had been accessed by an unauthorized individual at various times between Sep. 20, 2023, and Dec. 5, 2023. Some of the emails in the account were viewed, and data may have been stolen.

The account was reviewed to determine the individuals affected and the types of information that had been exposed. The review was completed on February 9, 2024, and confirmed that the account contained names, dates of birth, medical record numbers, and clinical information, such as dates of service, provider names, and diagnoses. The emails did not contain any Social Security numbers, health insurance ID numbers, or financial information. The breach was recently reported to the HHS’ Office for Civil Rights as affecting 85,902 individuals.

The affected individuals have now been notified and while UW Health has not found any evidence of misuse of patient data, patients have been advised to exercise caution regarding any emails they receive that claim to be from UW Health or other healthcare providers, and to monitor their billing statements and to report any charges for services that have not been received. UW Health also said users of the UW Health MyChart portal have been targeted in the past with scams through the use of fraudulent websites and has urged all patients to be vigilant when callers or emails request personal information. Scammers may claim to be UW Health employees when contacting people by phone, may send phishing emails using stolen UW Health logos, or may send phishing text messages requesting login credentials or linking to malicious URLs.

Medical Home Network Email Environment Compromised

MHNU Corporation, which does business as Medical Home Network (MHN) in Illinois, has recently notified 681 individuals about the exposure of some of their protected health information. Suspicious activity was identified in MHN’s email environment on or around October 11, 2023. After securing its email accounts, independent cybersecurity experts were engaged to investigate and determine the cause of the activity. The forensic investigation confirmed that an unauthorized actor gained access to the email accounts of two employees between October 4, 2023, and October 12, 2023, and emails and attached files may have been viewed or acquired.

On April 12, 2024, MHN learned that the protected health information of current and former members of CountyCare, Wellness West, and NeueHealth were stored in the compromised accounts. Those companies were notified about the incident on February 16, 2024, and MHN coordinated with the companies to effectuate notification to the affected individuals. MHN said the breached information included first and last names, patient IDs, phone numbers, dates of birth, and medical information; however, no evidence of misuse of that information had been identified at the time of issuing notifications. MHN said it takes privacy and security seriously and has taken steps to prevent similar incidents in the future.

The post Email Accounts Compromised at UW Health and Medical Home Network appeared first on HIPAA Journal.

Cyberattacks Reported by Healthcare Providers in North Carolina, Rhode Island, & California

Posted by Steve Alder

Knowles Smith & Associates, which does business as Village Family Dental and operates 7 dentistry offices in North Carolina, recently notified 240,214 current and former patients that some of their protected health information was exposed in a November 2023 cyberattack.

Village Family Dental said anomalous activity was detected within its network on November 17, 2023. The affected systems were immediately taken offline and third-party cybersecurity experts were engaged to investigate the activity. The forensic investigation confirmed that there had been unauthorized access to its network, and on February 8, 2024, it was confirmed that files containing patient data were potentially viewed or acquired.

Dental records and other health information were not exposed, with the compromised data limited to names, patient ID numbers, provider names, addresses, dates of birth, chart numbers, telephone numbers, and email addresses. Village Family Dental said no evidence has been found to indicate any attempted or actual misuse of patient data. Notification letters were mailed to the affected individuals on April 8, 2024.

Village Family Dental said it has been working with third-party cybersecurity experts to evaluate and enhance its security practices to prevent similar incidents in the future and confirmed that “significant steps” have been taken to mitigate the risk to persons impacted by the cyberattack.

Valley Mountain Regional Center

On April 19, 2024, Valley Mountain Regional Center in California announced a data security incident that was detected on August 1, 2023. Unusual activity was detected within its network and immediate action was taken to secure its systems. The forensic investigation confirmed that unauthorized individuals had access to its network and exfiltrated files containing patient information on or around July 29, 2023.

A third-party vendor was engaged to review the affected files, and on February 20, 2024, confirmed that personal and protected health information was involved. The types of data involved varied from individual to individual and may have included names, Social Security numbers, taxpayer identification numbers, dates of birth, driver’s license numbers, username and password, biometric data, medical treatment and/or diagnosis information, and/or health insurance information. Valley Mountain Regional Center said it is unaware of any misuse of patient data. The affected individuals have been offered complimentary identity protection services through Cyberscout.

The breach has been reported to the HHS’ Office for Civil Rights, but it is not yet displayed on OCR’s breach portal, so it is currently unclear how many individuals have been affected.

Blackstone Valley Community Health Center

Blackstone Valley Community Health Center in Pawtucket, RI, has announced a cyberattack that occurred on November 11, 2023, which disrupted its computer network. After securing its network, third-party cybersecurity experts were engaged to investigate the cause of the disruption and determined that an unauthorized third party had access to its network.

The review of the exposed files was concluded on March 11, 2024, and confirmed that they contained patient data including names, Social Security numbers, and medical information. Notification letters were mailed to the affected individuals on April 18, 2024. The affected individuals have been offered single bureau monitoring, credit reporting, and credit score services at no charge, and network security has been enhanced to prevent similar breaches in the future. The breach was recently reported to the Maine Attorney General as affecting up to 34,416 individuals.

The post Cyberattacks Reported by Healthcare Providers in North Carolina, Rhode Island, & California appeared first on HIPAA Journal.

Cyberattacks Reported by UT Health Science Center; SysInformation Healthcare Services; Jackson Medical Center

Posted by Steve Alder

Cyberattacks have been reported by the University of Tennessee Health Science Center, SysInformation Healthcare Services (EqualizeRCM/1st Credentialing), and Jackson Medical Center. Moveable Feast has discovered the improper disposal of documents containing PHI.

University of Tennessee Health Science Center – Ransomware Attack

The University of Tennessee Health Science Center (UT-HSC) said a cyberattack on one of its vendors has resulted in the exposure and possible theft of the protected health information of 19,353 patients who received obstetrics and gynecology (OB/GYN) services at Regional One Health (ROH).

UT-HSC contracted with a company called KMJ Health Solutions which provided patient handoff software that is used to support OB/GYN patients and ensure they receive the appropriate care when they are transferred to another healthcare provider. UT-HSC was notified by KMJ on or around November 29, 2023, about a security incident discovered while investigating a server outage. KMJ erased and reformatted the server and hired a cybersecurity firm to investigate the incident but was unable to make a definitive determination about whether there had been unauthorized access. On January 18, 2024, KMJ’s hosting provider, Liquid Web, found evidence of a ransomware attack but could not determine whether the attackers downloaded a copy of the data stored in the eDocList.

The potentially affected individuals had received OB/GYN services at ROH between November 2014 and November 2023. The information potentially compromised included first and last name, medical record number, age, date of admission, allergies, service, resident assigned, parity, diagnoses, prenatal provider, laboratory results, medications, fetal or delivery details, contraception, type of infant feeding, and information regarding follow up care.

KMJ has implemented new technical safeguards including vulnerability scans, penetration testing, and configuration reviews. Due to the nature of the exposed data, UT-HSC does not believe there is any significant risk of identity theft or harm to credit; however, the affected individuals have been advised to be on the lookout for any letters, emails, or phone calls, and other communications from unknown individuals wanting to discuss any of the services received from ROH.

SysInformation Healthcare Services (EqualizeRCM/1st Credentialing) – Cyberattack

SysInformation Healthcare Services (SysInformation), an Austin, TX-based provider of revenue cycle support to medical billing companies and hospitals that does business as EqualizeRCM and 1st Credentialing, has experienced a cyberattack that caused a network outage. SysInformation said suspicious activity was detected within its network in June 2023. IT systems were secured, and third-party forensics experts were engaged to investigate the incident. The investigation revealed unauthorized access to its network between June 3, 2023, and June 18, 2023, and certain files had been exfiltrated.

SysInformation said an extensive review was conducted to determine the types of information involved and the individuals affected and notification letters were mailed to the affected individuals on April 17, 2024. The types of data involved varied from individual to individual and may have included one or more of the following: name, government identification number, date of birth, Driver’s license number, employer identification number, electronic signature, financial account information, health insurance information, medical history/treatment information, login information, mother’s maiden name, government-issued identification number, passport information, Social Security number, and/or tax identification number.

Complimentary credit monitoring services have been offered to the affected individuals, security policies and procedures have been reviewed, and additional safeguards have been implemented to prevent similar incidents in the future. The breach has been reported to regulators; however, it is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Jackson Medical Center – Cyberattack

Jackson Medical Center in Alabama has notified 509 patients about the exposure of some of their protected health information in a cyberattack that disrupted some of its IT systems. The attack was detected on February 22, 2024, and third-party forensics experts were engaged to investigate the incident and confirmed that an unauthorized third party had access to its network between February 17, 2024, and February 22, 2024. During that time, files were accessed or removed from its network.

A review of the affected files confirmed on March 8, 2024, that they contained patients’ protected health information including names and one or more of the following: contact information, dates of birth, driver’s license or state identification numbers, diagnoses, treatment information, and/or health insurance information. Notification letters have been mailed to the affected individuals and complimentary identity monitoring services have been offered to patients whose Social Security numbers, driver’s license numbers, or state identification numbers were potentially involved. Jackson Medical Center said additional safeguards and technical security measures have been implemented to further protect and monitor its systems.

Moveable Feast – Improper Disposal of Documents

Moveable Feast, a Baltimore, MD-based non-profit that provides care to individuals living with HIV/AIDS and other life-threatening illnesses, has discovered that documents containing sensitive data were disposed of incorrectly. Moveable Feast’s policies require sensitive documents to be placed in shredding bins, but some were inadvertently disposed of in regular recycling bins. The HIPAA violation was discovered when a recycling bin awaiting curb pickup was blown over, scattering its contents.

Staff collected most of the documents, but some pages could not be retrieved. The missing pages contained the information of 568 individuals such as their client number, name, gender, race, and age, and for a subset of Moveable Feast clients, the last 4 digits of their Social Security numbers. Notification letters have been sent to all affected individuals and 12 months of credit monitoring services have been made available at no cost. Staff members have also been retrained on handling sensitive information.

The post Cyberattacks Reported by UT Health Science Center; SysInformation Healthcare Services; Jackson Medical Center appeared first on HIPAA Journal.

Michigan’s Largest FQHC Suffers Ransomware Attack Affecting 184,000 Patients

Posted by Steve Alder

Cherry Street Services, Inc., which operates as Cherry Health Services, fell victim to a ransomware attack in December 2023. Cherry Health is the largest federally qualified health center in Michigan, with 20 healthcare facilities in six counties in the state, and provides healthcare services to underserved communities, regardless of insurance status or their ability to pay for healthcare.

The Grand Rapids, MI-based healthcare provider said it experienced network disruption on December 21, 2024, that prevented access to some of its computer systems. Third-party cybersecurity specialists were engaged to investigate the incident and determined that unauthorized individuals had accessed certain files on its network. The review of the affected files was completed on March 25, 2024, and confirmed that protected health information was exposed in the attack, including names, addresses, phone numbers, dates of birth, health insurance information, health insurance ID number, patient ID number, provider name, service date, diagnosis/treatment information, prescription information, financial account information and/or Social Security numbers. The types of information exposed varied from individual to individual.

While healthcare data was potentially stolen in the attack, Cherry Health said it is unaware of any instances of actual or attempted misuse of patient data; however, as a precaution, the affected individuals have been offered 12 months of complimentary credit monitoring services, which includes monitoring of the dark web for the publication or sale of sensitive personal information, a $1 million identity theft insurance policy, and identity theft identity recovery services. Cherry Street said it has already taken steps to improve its technical safeguards to prevent similar incidents in the future. The incident has recently been reported to the Maine Attorney General as affecting 184,372 individuals.

The post Michigan’s Largest FQHC Suffers Ransomware Attack Affecting 184,000 Patients appeared first on HIPAA Journal.

Ernest Health Sued Over 2024 Ransomware Attack and Data Breach

Posted by Steve Alder

The Texas health system Ernest Health is being sued by patients who had their protected health information compromised in a recent cyberattack. This is likely to be one of many lawsuits filed against Ernest Health over the theft of at least 94,747 patients’ data. Ernest Health operates hospitals in Arizona, California, Colorado, Idaho, Indiana, Montana, New Mexico, Ohio, South Carolina, Texas, Utah, Wisconsin, and Wyoming. On February 1, 2024, suspicious activity was detected in its networks, with the investigation confirming there had been unauthorized access to its network between January 16, 2024, and February 4, 2024. The LockBit ransomware group claimed responsibility for the attack and threatened to publish the stolen data on its leak site. Ernest Health said the compromised information included names, contact information, dates of birth, health plan IDs, health data, Social Security numbers, and driver’s license numbers.

A lawsuit has been filed by Joe Lara and Lauri Cook on behalf of themselves and similarly situated individuals who had their personal and protected health information compromised in the Ernest Health cyberattack. The lawsuit alleges that Ernest Health lost control of the data of current and former patients due to insufficient cybersecurity safeguards and a lack of cybersecurity training for its employees, which meant it had no effective means to prevent, detect, or stop the attack. The plaintiffs argue that it took 73 days from the initial compromise for Ernest Health to issue individual notifications, which denied them the opportunity to mitigate their injuries in a timely manner.

While Ernest Health said it has implemented additional safeguards in response to the breach, the plaintiffs claim the health system has done too little, too late, and that the offer of credit monitoring and identity theft protection services is wholly insufficient. The lawsuit alleges negligence, negligence per se, breach of implied contract, invasion of privacy, unjust enrichment, and breach of fiduciary duty and seeks a jury trial, declaratory and other equitable relief, injunctive relief, and compensatory, exemplary, punitive damages, and statutory damages. The plaintiffs and class are represented by Joe Kendall of the Kendall Law Group, and Samuel J. Strauss and Raina Borrelli of the law firm, Turke & Strauss.

The post Ernest Health Sued Over 2024 Ransomware Attack and Data Breach appeared first on HIPAA Journal.

MedData Settles Class Action Data Breach Lawsuit for $7 Million

Posted by Steve Alder

Last month, the Spring, TX-based revenue cycle management firm MedData agreed to a $7 million settlement to resolve a class action lawsuit filed following the exposure of the personal and health information of 136,000 individuals on a public-facing website.

MedData helps healthcare providers and health plans by processing Medicaid eligibility, third-party liability, workers’ compensation, and patient billing, including healthcare providers and health plans such as Memorial Hermann, Aspirus Health Plan, OSF HealthCare, and the University of Chicago Medical Center. All of those HIPAA-covered entities had member and patient data exposed by MedData.

Between December 2018 and September 2019, a MedData employee inadvertently uploaded the data to personal folders on GitHub Arctic Code Vault, which is a public-facing part of the GitHub website. The data remained there unprotected and exposed for more than a year. MedData was informed about the data exposure by a security researcher on December 10, 2020, and the files were removed from GitHub on December 17, 2020.

MedData has faced 5 class action lawsuits over the data breach, four of which have been dismissed. This amended lawsuit is the last remaining action against MedData over the data breach. Under the terms of the settlement, class members can choose one of two payment tiers. The first option allows class members to claim back documented, unreimbursed out-of-pocket expenses fairly traceable to the data breach up to a maximum of $5,000 per class member. Alternatively, class members can claim up to $500 for “de-minimis” or minimal affirmative action in response to being notified about the data breach. Regardless of the option chosen, class members can also claim 36 months of health data and fraud monitoring services at no cost. Those services include a $1 million identity theft insurance policy.

The settlement also requires MedData to implement and maintain an enhanced cybersecurity program, which must include robust monitoring and auditing for data security issues, annual cybersecurity testing, training on data privacy for employees, data encryption, enhanced access controls, annual penetration testing, a data deletion policy, and a monitored internal whistleblowing mechanism. The board must also consider appropriate cybersecurity spending annually, and regularly update internal security policies and procedures.

The post MedData Settles Class Action Data Breach Lawsuit for $7 Million appeared first on HIPAA Journal.

Orrick, Herrington & Sutcliffe Agrees $8 Million Settlement to Resolve Class Action Data Breach Lawsuit

Posted by Steve Alder

The San Francisco, CA-based law firm Orrick, Herrington & Sutcliffe has agreed to a $8 million settlement to resolve a class action lawsuit filed in response to a 2023 cyberattack and data breach.

In March 2023, the law firm that specializes in helping companies that have experienced security breaches suffered one of its own. On March 13, 2023, hackers were discovered to have gained access to its network, with the forensic investigation revealing they had access for around two weeks between February 28 and March 13, 2023, before the intrusion was detected. The personal and protected health information of 637,620 individuals was compromised; however, it took months to determine how many individuals had been affected with the last batch of notification letters mailed to affected individuals in January 2024. The affected individuals were offered 2 years of complimentary credit monitoring services.

A lawsuit was filed against Orrick, Herrington & Sutcliffe in the U.S. District Court for the Northern District of California shortly after the announcement about the breach. The lawsuit made several allegations, including the failure to secure its systems, the failure to prevent and stop the breach, the failure to detect the breach in a timely manner, and the failure to disclose material facts that adequate system security measures were not in place to prevent data breaches. The lawsuit also alleged Orrick, Herrington & Sutcliffe did not honor repeated promises and representations to protect the information of the breach victims and failed to provide timely notifications. Several other lawsuits were filed over the breach that made similar claims, and they were consolidated into a single action – In re Orrick Herrington & Sutcliffe LLP Data Breach Litig.

The plaintiffs alleged they had been harmed by the data breach, including receiving a flood of spam emails and phone calls, actual and attempted identity theft, and other misuse of their personal information. Orrick, Herrington & Sutcliffe has denied liability and wrongdoing and said it regretted the inconvenience and distraction that the malicious incident caused. The proposed settlement was deemed to be reasonable and fair by class counsel and has received preliminary approval from the court. Under the terms of the settlement, class counsel may claim up to 25% of the settlement amount and after costs of up to $50,000 and $2,500 service awards for the lead plaintiffs have been deducted, the remainder of the settlement will cover claims from individuals affected by the data breach.

The settlement includes up to 5 hours of compensation for lost time at $25 per hour, reimbursement of up to $2,500 for unreimbursed out-of-pocket expenses, reimbursement of up to $7,500 for extraordinary losses such as identity theft and fraud, and three years of three-bureau credit monitoring services. California residents are entitled to a cash payment of $150. If class members choose not to submit a claim for lost time and reimbursement for out-of-pocket expenses and extraordinary losses, a claim may instead be submitted for a cash payment of $75.

The post Orrick, Herrington & Sutcliffe Agrees $8 Million Settlement to Resolve Class Action Data Breach Lawsuit appeared first on HIPAA Journal.

Email Incidents Reported by Randolph Health & Rutgers Robert Wood Johnson Medical School

Posted by Steve Alder

Randolph Health and Rutgers Robert Wood Johnson Medical School have recently reported email incidents involving the unauthorized access/disclosure of patient information.

Randolph Health

American Healthcare Systems LLC, doing business as Randolph Health in North Carolina, discovered a compromised employee email account on February 14, 2024. The email account was immediately secured to prevent further unauthorized access and third-party cybersecurity experts were engaged to investigate the incident. The investigation confirmed that the breach was limited to a single email account, and the review of the account confirmed that files were present that contained the protected health information of 899 patients.

The exposed data included full names, dates of birth, medical record numbers, health insurance identification numbers, and diagnosis codes. Randolph Health said it was not possible to tell if any of those files were accessed or acquired, so notification letters were sent to all potentially affected individuals. Randolph Health said it is committed to maintaining the privacy of personal information and has taken additional steps to improve security and will continue to evaluate its security practices.

Rutgers Robert Wood Johnson Medical School

Rutgers Robert Wood Johnson Medical School in New Brunswick, NJ, has identified an email incident involving the protected health information of 543 patients. On February 1, 2024, the medical school discovered a former employee had emailed patient data from their work email account to a personal email account. Several files had been emailed that included spreadsheets containing patient data, including patient names, medical record numbers, treatment information, and prescription information. The information was sent to the personal email account on January 19, 2024.

The affected individuals were notified by mail on April 1, 2024, and the matter has been reported to law enforcement for investigation and appropriate action. The affected individuals have been advised to monitor the statements they received from their healthcare providers and health insurance plan for any services that were not received, and if they are found, to report it to the relevant provider or health plan.

The post Email Incidents Reported by Randolph Health & Rutgers Robert Wood Johnson Medical School appeared first on HIPAA Journal.