HIPAA Breach News

Few Victims of Healthcare Data Breaches Take Advantage of Free Credit Monitoring Services

The risk and financial advisory solution provider Kroll reports that healthcare has overtaken finance as the most breached industry, based on the number of data breaches the firm has been called upon to assist with. In 2022, 22% of the data breaches investigated by Kroll occurred at healthcare organizations, up from 16% in 2021 – a year-over-year increase of 38%.

While the percentage of healthcare data breaches Kroll investigated increased in 2022, consumers appear to be much less concerned about breaches of their healthcare data than they are about breaches of their financial information. 32% of the calls Kroll received from individuals impacted by data breaches were in response to data breaches at healthcare organizations, compared to 49% of calls in response to data breaches at financial institutions. There was a 127% year-over-year increase in the number of calls Kroll received from consumers affected by breaches at financial institutions, yet despite the increase in healthcare data breaches, there was only a 19% increase in calls from consumers about those breaches.

Individuals impacted by data breaches at healthcare organizations are also much less likely to take advantage of the complimentary credit monitoring and identity theft protection services that they are offered. 69% of individuals who were offered these complimentary services following a data breach at a financial institution took advantage of those services, compared to just 20% of individuals who were affected by healthcare data breaches.

While financial data is valuable to cybercriminals and is often misused, data breaches at healthcare organizations also put victims at risk. When personal information is stolen along with Social Security numbers and/or driver’s license numbers, victims are put at risk of identity theft and fraud, so it is surprising that so few victims of healthcare data breaches avail themselves of these services.

It is also surprising considering the number of lawsuits that are now being filed in response to healthcare data breaches. It is common for multiple lawsuits to be filed following a healthcare data breach, often within days or weeks of notification letters being sent. These lawsuits allege victims face an imminent and increased risk of identity theft and fraud as a result of the theft of their personal and protected health information. The lawsuits often also take issue with the short duration of credit monitoring and identity theft services provided to victims.

It is worthwhile noting that there is a growing breach notification trend in healthcare of providing as little information as possible in breach notifications, to the point where victims of the data breaches are unable to accurately assess the level of risk they face. For instance, breach victims are not always told that their data has been stolen in a hacking incident, only that their data has potentially been stolen, or they are not informed that a ransomware gang has published the stolen data on its leak site. This could well be a factor in why so few victims of healthcare data breaches take advantage of these services.

While the data from Kroll appears to suggest that consumers are not nearly as concerned about breaches of their healthcare data as financial information, concern does appear to be growing. There was a 66% year-over-year increase in the number of consumers signing up for credit monitoring and identity theft services following a healthcare data breach, although not nearly as big an increase as finance, which saw a 126% year-over-year increase in people signing up for credit monitoring and identity theft services.

“Understanding the drivers behind the Data Breach Outlook figures is subjective, and it is important that businesses combine this data with their own insight from talking to customers and market research,” suggests Kroll. “It is also true that while an industry may make up less of the overall number of data breach cases, it is not immune from the impact of a data breach and should similarly have playbooks if an incident was to occur.”

The post Few Victims of Healthcare Data Breaches Take Advantage of Free Credit Monitoring Services appeared first on HIPAA Journal.

Hackers Compromised Sharp HealthCare Web Server and Stole Patient Data

Sharp HealthCare in San Diego has recently notified almost 63,000 patients that some of their personal and protected health information has potentially been stolen in a recent cyberattack on its web server. Sharp HealthCare detected the cyberattack on January 12, 2023, and immediately shut down the web server while the incident was investigated. A third-party digital forensics company was engaged to investigate and determine the nature and scope of the incident and confirmed that an unauthorized third party successfully compromised the web server that powered the sharp.com website for a few hours on January 12. During that time the third party downloaded a file that contained patient data.

Sharp HealthCare stressed that the FollowMyHealth patient portal was not accessed, and no highly sensitive information was exposed or stolen. Financial information, contact information, dates of birth, Social Security numbers, health insurance information, or medical information were not accessed or stolen in the attack. The affected individuals had previously visited the website and paid medical bills online between August 12, 2021, and January 12, 2023. Sharp HealthCare said the information in the stolen file varied from patient to patient and included names, internal identification numbers, invoice numbers, payment amounts, and the names of the Sharp HealthCare facilities that received those payments.

Notification letters were sent to the 62,777 affected individuals on February 3, 2023. Credit monitoring services are not being offered due to the limited nature of the stolen information. Sharp HealthCare said no reports of actual or attempted misuse of patient data have been received and that, as a precaution, affected individuals should review the statements they receive from their healthcare providers and should report any charges for healthcare services that have not been received. Sharp HealthCare said it has upgraded the security tools on its website to prevent similar breaches in the future and constantly monitors its IT systems for suspicious activity.


Regal Medical Group Ransomware Attack & Southeast Colorado Hospital District Email Breach

Regal Medical Group, a San Bernardino, CA-based affiliate of the Heritage Provider Network, recently announced that it was attacked with ransomware. On December 2, 2022, employees experienced difficulty accessing data. Third-party cybersecurity experts were engaged to investigate the attack and assist with the breach response and confirmed that malware had been used to encrypt files on some of its servers.

The forensic investigation confirmed that the attackers gained access to the servers on or around December 1 and exfiltrated files before the ransomware was deployed. The review of those files confirmed they contained the protected health information of patients of Regal Medical Group, Lakeside Medical Organization, ADOC Medical Group, and Greater Covina Medical. The files contained information such as names, phone numbers, addresses, dates of birth, diagnosis and treatment information, laboratory test results, prescription data, radiology reports, health plan member numbers, and Social Security numbers.

Regal Medical Group said additional security measures have been implemented to protect against further attacks, and affected individuals have been offered complimentary memberships to the Norton LifeLock credit monitoring service for 12 months. The incident has been reported to the HHS’ Office for Civil Rights, but it is not yet showing on the HHS breach portal, so it is currently unclear how many patients have been affected.

Southeast Colorado Hospital District Announces Email Account Breach

Southeast Colorado Hospital District has discovered a breach of a single email account. The security breach was detected on December 6, 2022, with the forensic investigation determining that the account was accessed by an unauthorized third party on multiple occasions between November 23 and December 5.

Southeast Colorado Hospital District reviewed all emails and attachments in the account and confirmed that the protected health information of 1,435 patients had been exposed. Affected individuals had one or more of the following types of information exposed: Name, Social Security number, driver’s license number, date of birth, medical treatment or diagnosis information, and/or health insurance information.

Notification letters were sent to the affected individuals on February 3, 2023. Complimentary credit monitoring and identity theft protection services have been offered to individuals whose Social Security numbers or driver’s license numbers were exposed.


Highmark Health Phishing Attack Affects 300,000 Patients

Pittsburgh, PA-based Highmark Health, the second largest integrated delivery and financing system in the U.S., has recently announced that an unauthorized individual accessed the email account of one of its employees after the employee responded to a phishing email. After the employee clicked the link in the email and disclosed their credentials, the account was accessed remotely by an unauthorized third party who potentially viewed and exfiltrated emails and attachments from the account.

The unauthorized account activity was detected by Highmark Health on December 15, 2022, with the initial compromise occurring on December 13, 2022. A review of the emails and attachments revealed they contained the protected health information of health plan members, such as group name, identification numbers, claim numbers, dates of service, procedures, prescription information, addresses, phone numbers, email addresses, and financial information. The Social Security numbers of a subset of individuals were also exposed.

When the breach was detected, the affected mailbox was immediately deactivated, network blocking was implemented, and passwords were reset. Email security controls have also been enhanced and further training has been provided to employees on how to identify phishing attempts and other cyber threats. While no evidence of misuse of the affected data has been identified, affected individuals are being offered complimentary credit monitoring and identity theft protection services, irrespective of whether their Social Security numbers were involved.

According to the data breach notice sent to the Maine Attorney General, up to 300,000 individuals have been affected, including 2,774 Maine residents. Notification letters are being mailed on February 13, 2023.

Cardiovascular Associates Reports Cyberattack Involving Data Theft

On December 5, 2022, Cardiovascular Associates (CVA) in Birmingham, AL discovered suspicious activity within its computer systems. The systems were isolated while the potential intrusion was investigated, with the forensic analysis confirming hackers first gained access to its IT environment on November 28, 2022. Between that date and December 5, files containing patient data were exfiltrated from its systems.

The review of the affected files confirmed they contained names, dates of birth, addresses, Social Security numbers, health insurance information, medical and treatment information, billing and claims information, passport numbers, driver’s license numbers, credit/debit card information, and financial account information and, for a limited number of individuals, usernames and passwords. CVA said its systems were secured as soon as the unauthorized activity was detected and its security and monitoring capabilities have been improved to prevent similar breaches in the future. Affected individuals have been offered complimentary credit monitoring and identity restoration services.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Patient Data Potentially Stolen in Cyberattack on Aspire Surgical

UT Specialty Dental Services, PLLC, which operates several oral and maxillofacial surgery centers in Utah under the name Aspire Surgical, has recently confirmed it was the victim of a cyberattack in December 2022, which may have involved unauthorized access to and the theft of sensitive patient data.

The cyberattack was detected on December 7, 2022, and third-party cybersecurity experts were immediately engaged to contain, assess, and remediate the attack. The investigation confirmed the attackers had access to parts of its IT environment that contained patient data such as names, patient account numbers, dates of service, and amounts paid. Medical treatment records, Social Security numbers, and financial information were not exposed.

While no evidence has been found to indicate any misuse of patient data, affected individuals have been offered complimentary credit monitoring and identity theft protection services. Aspire Surgical has reviewed and enhanced its data security policies and procedures to protect against similar security breaches in the future.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.


Tallahassee Memorial HealthCare Diverts Ambulances Due to Cyberattack

Last Thursday, Tallahassee Memorial HealthCare (TMH) in Florida was forced to take its IT systems offline, divert ambulances, and suspend all non-emergency medical procedures due to a cyberattack. The hospital issued a statement confirming that it would only be accepting patients with Level 1 traumas from its immediate service area while the cyberattack is investigated and systems are restored.

The hospital said the attack only affected specific systems, but other, unaffected systems were taken offline to contain the attack. Systems are being prioritized and will be brought back online one by one when it is safe to do so. On Thursday, the hospital could not provide any information on the likely timeframe for recovery but said updates will continue to be provided on its website. On Sunday, a statement was issued confirming progress is being made restoring systems, that TMH Physician Partners are still operational, and they will start seeing patients as scheduled from Monday, February 6, 2023; however, all non-emergency surgeries and outpatient procedures scheduled for Monday had been canceled and rescheduled. TMH also confirmed in the Sunday update that downtime procedures are still in place and patient information is being recorded on paper. The ambulance diversion remains in place for certain patients.

“Our teams are working around the clock in collaboration with outside consultants to investigate the cause of the event and safely restore all computer systems as quickly as possible. IT security events take time to investigate and resolve,” explained TMH in its Sunday statement. “Our investigation is ongoing and, as is typical in such situations, we expect it will take some time to determine exactly what happened.” A TMH spokesperson said, “Patient safety remains our number one priority, and protocols for system downtime are being followed to minimize disruption.” The nature of the cyberattack was not disclosed.

The announcement comes just a few days after Atlantic General Hospital in Maryland confirmed that it had suffered a ransomware attack, which similarly forced a shutdown of its IT systems. While some ransomware groups have policies that prohibit their affiliates from conducting attacks on the healthcare sector, several groups actively target health systems, hospitals, and other healthcare organizations. In December, an affiliate of the LockBit ransomware group conducted an attack on Hospital for Sick Children (SickKids). The group later issued a statement that the affiliate responsible had violated its terms and conditions and provided the keys to SickKids to allow data to be decrypted for free. However, LockBit recently published data on its data leak site allegedly stolen in cyberattacks on Juva Skin & Laser Center in New York and Arizona Liver Health. Those healthcare providers have yet to issue public statements about any cyberattacks.

The health sector is also coming under attack from Russian hacktivists in response to the U.S. policy of providing military hardware to assist Ukraine. The pro-Russian hacktivist group Killnet is conducting a campaign of distributed denial of service (DDoS) attacks on hospitals, although these attacks appear to be aimed at causing disruption and are not believed to involve data theft. The group has also called on the wider cybercrime community to support its efforts, which could potentially see even more healthcare providers in the U.S. come under attack.


Banner Health Settles Alleged HIPAA Security Rule Violations for $1.25 Million

The HHS’ Office for Civil Rights has announced its second financial penalty of 2023 to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). Banner Health has agreed to pay a financial penalty of $1,250,000 and adopt a corrective action plan to resolve the alleged HIPAA Security Rule violations.

Phoenix, AZ-based Banner Health is one of the largest non-profit health systems in the United States. The health system includes 30 hospitals and more than 69 affiliated healthcare facilities in 6 U.S. states and employs more than 50,000 individuals. On July 13, 2016, Banner Health detected a security breach, with the subsequent investigation confirming hackers gained access to its systems on June 17, 2016. The hackers were able to access systems containing the protected health information (PHI) of 2.81 million individuals, including names, addresses, dates of birth, Social Security numbers, claims information, lab results, medications, diagnoses, and health insurance information. After being informed about the impermissible disclosure of PHI, OCR initiated a review of HIPAA Security Rule compliance to determine if noncompliance was a contributory factor to the data breach.

OCR’s investigators determined that Banner Health had failed to conduct an accurate and thorough analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI. The administrative safeguards of the HIPAA Security Rule include a requirement to conduct regular reviews of information system activity to identify unauthorized access to PHI. OCR determined that Banner Health had not implemented sufficient procedures to conduct regular reviews.

The HIPAA Security Rule requires covered entities to implement technical safeguards to ensure the confidentiality, integrity, and availability of ePHI. Banner Health failed to implement sufficient procedures to verify the identity of persons seeking access to ePHI to ensure they are who they claim to be, and insufficient technical security measures had been implemented to protect against unauthorized access to ePHI transmitted over an electronic communications network.

OCR said its investigators found evidence of long-term, pervasive noncompliance with the HIPAA Security Rule across the Banner Health organization, which was a serious concern given the size of the covered entity, and the HIPAA violations were sufficiently severe to warrant a financial penalty. In addition to paying a financial penalty, Banner Health has agreed to adopt a corrective action plan (CAP) that includes the requirement to conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic patient/system data across the organization and develop a risk management plan to address any vulnerabilities identified by the risk analysis. Policies and procedures must be developed, implemented, and distributed to the workforce covering risk analyses, risk management, system activity reviews, authentication processes, and security measures to protect against unauthorized PHI access. OCR will monitor Banner Health for compliance with the CAP for 2 years.

“Hackers continue to threaten the privacy and security of patient information held by health care organizations, including our nation’s hospitals,” said OCR Director Melanie Fontes Rainer. “It is imperative that hospitals and other covered entities and business associates be vigilant in taking robust steps to protect their systems, data, and records, and this begins with understanding their risks, and taking action to prevent, respond to and combat such cyber-attacks. The Office for Civil Rights provides help and support to health care organizations to protect against cyber security threats and comply with their obligations under the HIPAA Security Rule. Cyber security is on all of us, and we must take steps to protect our health care systems from these attacks.”


Organizations Increasingly Opaque About Cause of Data Breaches

When a data breach occurs and sensitive information is disclosed, the HIPAA Breach Notification Rule requires affected individuals to be notified. The FTC Health Breach Notification Rule also has breach reporting requirements, and all 50 states have enacted data breach notification laws. What is lacking in many of these regulations – at both the federal and state level – is any specification of what these notification letters must include.

Just a few years ago, the majority of breach notification letters contained reasonably detailed information about the breach, but it is now much more common for victims of data breaches to be provided with the bare minimum information to comply with federal and state regulations, which makes it difficult for the individuals affected to accurately gauge the level of risk they face.

While it was once common for ransomware attacks to be reported as such, these are increasingly reported as hacking incidents with no mention of file encryption or data theft. Even when attacks involved the theft of sensitive data and the publication of that information on data leak sites, victims are often told only that the attackers may have accessed or obtained their data.

The 2022 Data Breach Report from the Identity Theft Resource Center (ITRC) has confirmed this trend. In 2022, two-thirds of data breach notices lacked the necessary information to allow individuals and businesses affected by those data breaches to accurately assess potential risk. In 2022, only 34% of breach notices included victim and attack details, the lowest percentage in the past 5 years. To put that figure into perspective, in 2019, almost 100% of notices included attack details, and 72% of notices included both attack and victim details. This is a worrying trend.

According to the ITRC, for most of the past 20 years, data breach notices have included sufficient detail to allow breach victims to accurately gauge risk, but since Q4 2021, the information included in data breach notices has been reducing and that trend accelerated throughout 2022. In 2022, 747 of the 1,802 data breaches for which ITRC had information did not specify the root cause of the event, even though 1,595 compromises were linked to cyberattacks.

“A sudden lack of transparency in the content of data breach notices created risk for victims and fueled uncertainty about the true scale and impact of data compromises,” said Eva Velasquez, CEO, ITRC. “The result is individuals are largely unable to protect themselves from the harmful effects of data compromises which are fueling an epidemic – a ‘scamdemic’ – of identity fraud committed with stolen or compromised information.”

The reason for the sudden decline in transparency is unclear, although there are several theories. It is now far more common for lawsuits to be filed following data breaches, especially healthcare data breaches. While legal action was typically reserved for the largest data breaches, now it is common for multiple lawsuits to be filed in response to a data breach within days of the notification letters being sent, oftentimes even when there has been no misuse of stolen data.

There have been many rulings by federal courts dismissing lawsuits due to the failure to provide evidence of actual harm. In many states, it is not possible to sue for an increased risk of future harm due to the exposure of personal data. This could be one of the main reasons why breached entities are now reluctant to disclose detailed information about data breaches, as it could reveal information that could be used in a lawsuit against the company, even though the lack of information for breach victims increases the risk of actual harm being caused.

The ITRC draws attention to several data breaches at companies that made a conscious decision to withhold information about their data breaches, including Samsung, DoorDash, and LastPass. The information disclosed in the data breach notifications was sufficient to meet state requirements yet provided little in the way of information to help victims of the breaches assess risk. The LastPass data breach is a good case in point. Notifications were issued in August 2022 about a data breach involving source code and internal documentation. It took until December for LastPass to confirm that the only customer information that had not been breached was the master password for password vaults, and for it to be confirmed that its parent company, GoTo, had also been breached. It is still unknown how many of its customers were affected.

ITRC also suggested that the large number of security incidents now occurring, and the sophistication of these attacks, can make it difficult to quickly determine the cause, the individuals affected, and the potential consequences of those breaches. The economic downturn has resulted in restructuring and reprioritization of budgets, so when forensic analyses of data breaches are undertaken, fewer resources can be devoted to the task, which can increase the time taken to determine what has happened. If data breach reporting requirements demand prompt notifications, those notifications could be issued before detailed information is available about the breach.

In 2022, 1,802 data breaches were tracked by ITRC, the second-highest total of any year since the ITRC started tracking and reporting on data breaches, and the records of at least 422 million individuals were compromised, which means millions of individuals have been left in the dark about the nature of the exposure of their sensitive data and are consequently unable to accurately assess the level of risk they face.

As well as helping consumers determine what actions they need to take to protect themselves against fraud, more accurate reporting would make it far easier to obtain accurate data breach statistics to determine trends. That information would help policymakers make better decisions about where to allocate resources to combat the root cause of these data breaches.

At the federal and state level, laws place the burden of assessing risk on the individuals affected by data breaches, yet compromised organizations are generally not required to provide the information that allows accurate risk assessments to be made. Updating state laws to require certain information about data breaches to be made public could help consumers make better choices about precautions to take to protect against fraud; however, it may not prove to be enough of an incentive to improve reporting, unless compliance was aggressively enforced.

There are federal laws requiring notifications about data breaches, but even these are not being actively enforced in their current form. The FTC has not enforced the Health Data Breach Notification Rule for years and it is rare for the HHS’ Office for Civil Rights (OCR) to impose financial penalties for Breach Notification Rule failures, even when notifications have been issued many months after a data breach was detected. It is difficult to imagine OCR imposing penalties due to the lack of information in breach notices.


Ransomware Attacks, Hacks, and Pixel-Related Data Breaches Reported

UCLA Health Announces Pixel-Related Data Breach

UCLA Health has recently started notifying approximately 94,000 patients about an impermissible disclosure of their protected health information to certain unnamed service providers due to the use of analytics tools on its website and mobile app.

UCLA Health said analytics tools were used to better understand how patients interacted with the website and app. The data collected by UCLA Health was aggregated and used to develop more efficient and effective communication to improve its services to patients. UCLA Health said it was made aware of the potential for these analytics tools to transmit sensitive patient information to service providers in June 2022, and immediately disabled these tools on the website and app. A third-party forensics firm was then engaged to review the data collected and potentially transmitted by these tools to establish the extent of any privacy violation.

The privacy violation occurred due to the use of these tools on the appointment scheduling forms on the website and app, which may have captured and transmitted the URL/website address (which could include provider name, specialty, or ad campaign name), page view, IP address, third-party cookies, and hashed values of certain fields on the appointment request form. The hashed value form fields potentially included first and last name, email address, mailing address, phone number, and gender. UCLA Health confirmed that the tracking tools were not added to the myUCLAhealth online patient portal.

UCLA Health said notification letters were sent on January 13, 2022. The delay was due to the time taken to conduct the forensic investigation. UCLA Health said it has since enhanced its technology evaluation procedures.

Livingston Memorial VNA Health Corporation Announces Ransomware Attack

Livingston Memorial VNA Health Corporation, which provides hospice services in Ventura, CA, has confirmed that hackers gained access to its IT systems and used ransomware to encrypt files on or around February 19, 2022. The forensic investigation confirmed the attackers had access to patient data prior to encrypting files; Livingston says no reports of misuse of data have been received to date. The breach also affected patients of its affiliates Livingston Memorial Visiting Nurse Association and Livingston Caregivers.

In the notice to the California attorney general, Livingston explained that the delay in issuing notifications was due to the length of time it took to verify which individuals had been affected. The complete list of affected individuals was finalized on November 3, 2022, and in accordance with HIPAA, a substitute breach notice was placed on its website from May 6, 2022, to August 9, 2022, confirming a security breach had occurred. Affected individuals have been offered complimentary single-bureau credit monitoring services.

Livingston said it has greatly improved its cybersecurity posture, including increasing logging and alerts, adding further internal controls and safeguards, increasing the frequency of third-party penetration tests, and reviewing all security policies and firewall rules.

Benefit Administrative Systems, LLC Confirms Security Breach Involved Data Theft

Benefit Administrative Systems, LLC, a Homewood, IL-based administrator of the Connected Care Health Plan, has notified certain individuals about the exposure of an electronic file that contained sensitive personally identifiable information. An alert was generated when the file was accessed by unauthorized individuals, and steps were immediately taken to protect its systems. The forensic investigation confirmed on November 1, 2022, that the file had been exfiltrated and contained first/last names, email addresses, health insurance member numbers, and health insurance group numbers of certain members.

Affected individuals have been offered complimentary credit monitoring and identity theft protection services for 12 months and steps have been taken to improve security to prevent similar breaches in the future.

Atlantic General Hospital Recovering from Suspected Ransomware Attack

Atlantic General Hospital in Maryland is currently investigating a security incident that resulted in a limited network outage. A spokesperson for the hospital confirmed that the ER is continuing to receive and treat patients, and elective surgeries and other outpatient procedures are being performed, although the hospital website says the walk-in outpatient lab is temporarily closed until further notice and the RediScripts pharmacy, pulmonary function testing, and outpatient imaging have been disrupted. At this stage of the investigation, it is too early to tell if, and to what extent, patient data has been exposed.

The post Ransomware Attacks, Hacks, and Pixel-Related Data Breaches Reported appeared first on HIPAA Journal.

Up to 184,000 Clients of Lutheran Social Services of Illinois Impacted by Ransomware Attack

Des Plaines, IL-based Lutheran Social Services of Illinois, one of the largest providers of social services in the state, has announced that its systems were compromised and ransomware was used to encrypt files. The cyberattack was detected on January 27, 2022, and systems were taken offline to contain the attack. Third-party cybersecurity professionals were engaged to investigate the breach and determine the scope of the attack.

The forensic investigation and document review concluded on December 28, 2022, and confirmed that the attackers had access to its network between December 31, 2021, and January 27, 2022, and may have viewed or obtained files that contained protected health information. Data theft could not be ruled out, but at the time of issuing notifications, no reports had been received to suggest that sensitive information had been used for identity theft or fraud. The data potentially accessed included names, birth dates, Social Security numbers, financial information, driver’s license numbers, biometric information, diagnosis and treatment information, and health insurance information.

The HHS’ Office for Civil Rights data breach portal shows a breach reported by Lutheran Social Services of Illinois on March 25, 2022, indicating 1,000 individuals were affected. This coincides with the 60-day reporting deadline of the HIPAA Breach Notification Rule. This appears to have been a placeholder until the total number of individuals was determined. The breach notification sent to the Maine Attorney General indicates up to 184,183 individuals were affected, including 9 Maine residents. No reason was provided as to why it took 12 months from the date of discovery of the breach to issue breach notification letters to affected individuals.

Affected individuals have been offered complimentary single-bureau credit monitoring services, and Lutheran Social Services of Illinois said it has taken steps to further protect individual records against unauthorized access.

University of Colorado Hospital Authority Announces Third-Party Data Breach

University of Colorado Hospital Authority (UCHealth) has recently announced that one of its vendors has suffered a data breach that has affected 48,879 patients. UCHealth works with a software vendor called Diligent, which provides business operation tools and hosted services. Diligent recently notified UCHealth that it experienced a software incident that involved patient, provider, and employee data. The company’s software was accessed in the attack and attachments were downloaded from the hosted service that included UCHealth files. UCHealth’s email, electronic health records, and internal files were not impacted.

UCHealth said the stolen files included names, addresses, dates of birth, treatment-related information, and for a very limited number of individuals, Social Security numbers and/or financial information. UCHealth has confirmed that Diligent has implemented additional safeguards to prevent further data breaches.

PHI of PharmaCare Services and NextGen Healthcare Patients Posted on Dark Web

Cybercriminals have been attempting to extort money from the EHR and practice management solution provider, NextGen Healthcare, and Blanco, TX-based PharmaCare Services. Both healthcare organizations were recently added to the data leak site of the BlackCat ransomware group. The listing for NextGen Healthcare has since been removed but the PharmaCare Services listing is still live.

At the time of publication, no breach has been reported to the HHS’ Office for Civil Rights by either company. NextGen Healthcare has confirmed that an investigation has been launched into a security incident and that normal operations have resumed. A spokesperson for the company said client data does not appear to have been compromised and no evidence of data theft has been detected.

The BlackCat ransomware group operates under the ransomware-as-a-service model, with affiliates conducting attacks on behalf of the group for a percentage of any ransoms they generate. BlackCat claims that its affiliates are not permitted to attack medical institutions, hospitals, and ambulance services, although pharmaceutical firms and private clinics are not off-limits. The HHS has previously issued a warning about BlackCat ransomware, stating that while there appears to be a ban on attacks on the sector, ransomware gangs have previously violated their own bans on attacking healthcare organizations.

The post Up to 184,000 Clients of Lutheran Social Services of Illinois Impacted by Ransomware Attack appeared first on HIPAA Journal.