HIPAA Breach News

Pension Benefit Information Confirms PHI of 371,359 Individuals Stolen in MOVEit Transfer Hack

Posted by Steve Alder

Pension Benefit Information, LLC, doing business as PBI Research Services (PBI), has recently confirmed that the protected health information of 371,359 individuals was obtained by the Clop ransomware hackers in an attack that exploited a zero-day vulnerability in the MOVEit Transfer file transfer solution on or around May 31, 2023.

PBI said the breach was discovered on June 2, 2023, and the patch to fix the flaw was applied the same day. The forensic investigation confirmed that one of PBI’s MOVEit Transfer servers was accessed by the Clop hackers on May 29 and May 30, 2023. The files stolen in the attack included names, partial mailing addresses, dates of birth, and Social Security numbers. PBI said it is unaware of any actual or attempted misuse of the stolen information; however, as a precaution, affected individuals have been offered two years of complimentary credit monitoring and identity theft protection services. Notifications started to be sent to the affected individuals on June 4, 2023.

LockBit Ransomware Group Announces Attack on Panorama Eyecare

The LockBit ransomware group has recently added Panorama Eyecare to its data leak site and claims to have exfiltrated 798 GB of data from the Colorado-based physician management organization, including data from its clients Eye Center of Northern Colorado, Denver Eye Surgeons, Cheyenne Eye Clinic & Surgery Center, and 2020 Vision Center. Panorama Eyecare has yet to publicly confirm the data breach and it is currently unclear to what extent patient data was involved.

8Base Ransomware Group Adds Kansas Medical Center to its Data Leak Site

Kansas Medical Center, a physician-owned hospital in Andover, KS, has recently been added to the data leak site of the 8Base ransomware group. The threat group claims the attack occurred on June 18, 203, and sensitive patient and employee data was stolen including names, addresses, registration information, and other information. Kansas Medical Center has not publicly announced the attack and it is unclear how many patients have been affected.

The post Pension Benefit Information Confirms PHI of 371,359 Individuals Stolen in MOVEit Transfer Hack appeared first on HIPAA Journal.

Phoenician Medical Center Cyberattack Affects Up to 162,500 Patients

Posted by Steve Alder

Phoenician Medical Center, Inc. (PMC) has recently reported a security incident that disrupted some of its IT systems. The incident was detected on March 31, 2023, although it is unclear from the breach notifications when hackers first gained access to its network. The forensic investigation confirmed that there had been unauthorized access to files containing the protected health information of patients, some of which may have been obtained by the hackers.

On April 25, 2023, PMC confirmed the affected information included names, contact information, demographic information, date of birth, state identification numbers, medical record numbers, diagnosis and treatment information, provider name(s), date(s) of service, prescription information, and/or health insurance information. Affected patients had received medical services at PMC or its affiliated companies, Phoenix Neurological & Pain Institute, and/or Laser Surgery Center between 2016 and 2023. The breach was reported to the HHS’ Office for Civil Rights as affecting up to 162,500 current and former patients. PMC said it will be enhancing its security protocols and technical safeguards to prevent similar incidents in the future.

Public Health Management Corporation Investigating May Cyberattack

The Philadelphia, PA-based nonprofit health institute, Public Health Management Corporation (PHMC), has recently announced that unauthorized individuals gained access to its systems. Suspicious activity was detected on May 8, 2023, and the forensic investigation confirmed that an unauthorized individual may have accessed and acquired sensitive patient information on May 8, 2023.

The exposed information included full names, addresses, Social Security numbers, birth dates, medical histories, mental and physical treatment information, diagnosis information, physician names, medical record numbers, and health insurance information. PHMC said it is currently reviewing the affected files and verifying contact information and will notify the affected individuals when that process is complete. In the meantime, the breach has been reported to the HHS’ Office for Civil Rights as affecting a minimum of 501 individuals. The total will be updated when the scale of the breach has been confirmed.

The post Phoenician Medical Center Cyberattack Affects Up to 162,500 Patients appeared first on HIPAA Journal.

Naked Patient Photos Published After Ransomware Attack on Plastic Surgery Clinic

Posted by Steve Alder

Legal counsel for the Hollywood, CA-based plastic surgeon, Gary Motykie, M.D, recently notified patients about a cyberattack and data theft incident. According to the notification letters, Dr. Gary Motykie was recently contacted by a cyber threat actor who claimed to have accessed his IT systems and was in possession of sensitive patient information.

The notification was received on May 9, 2023, and a third-party incident response firm was engaged to investigate and determine the validity of the threat actor’s claims. A data breach was confirmed on or around June 6, 2023, with the review of the affected files confirming they contained information such as first and last name, address, driver’s license/identification card number, financial account information, payment card number and CVV code, Social Security Number, health insurance information, intake forms, which may include medical information and medical history, and images taken in connection with the services provided. The types of data varied from individual to individual and may have included only some of the above information.

The breach was recently reported to the Maine Attorney General as affecting a total of 3,461 individuals. Two years of complimentary credit monitoring and identity theft protection services have been offered to affected individuals and the practice has taken steps to improve data security. The incident has been reported to law enforcement, appropriate authorities, and the American Board of Plastic Surgery, which is also investigating the breach. The threat actor behind the attack was not named.

Attacks that involve the theft of naked images offer threat actors an easy way to increase pressure on the victim to make payment, as was the case with a ransomware attack on Lehigh Valley Health Network earlier this year by the ALPHV/BlackCat ransomware group. ALPHV also conducted a similar attack on another Californian plastic surgery clinic, Beverly Hills Plastic Surgery, according to recent media reports, where naked photographs were also published online when the ransom was not paid. Beverly Hills Plastic Surgery has yet to publicly confirm the data breach.

While not mentioned in the notification letters, Dr. Gary Motykie was allegedly issued with a ransom demand of $2.5 million. When payment was not received, the threat actor started publishing the stolen data, including topless images of patients along with personal information such as names, birthdates, email addresses, phone numbers, and financial information. Patients were contacted by the threat actor via email and links were shared to the Internet site where the stolen information and images were published.

Elaina Shaffy was one of the affected patients and had her photographs published online. She told NBC Los Angeles that she discovered her information had been leaked after being contacted by another patient who was in a similar position. She later discovered she had been emailed by the threat actor but had failed to see the message in her junk folder. She made contact with the threat actor and was informed that a third party had made a payment on her behalf and that her information and photographs had been removed. She has since filed a lawsuit against Dr. Gary Motykie over the theft of her information.

At least 70 individuals have had their photographs and personal information published online following the attack. Private images of Dr. Gary Motykie were also published online. Dr. Gary Motykie reportedly did not pay the ransom as there was no guarantee that the stolen data would be deleted.

The post Naked Patient Photos Published After Ransomware Attack on Plastic Surgery Clinic appeared first on HIPAA Journal.

First Lawsuit Filed Against HCA Healthcare Over 11 Million-Record Data Breach

Posted by Steve Alder

Lawsuits against HCA Healthcare were an inevitability following a data breach that affected approximately 11 million individuals and saw the stolen data listed for sale on a dark web forum. The breach was announced by HCA Healthcare on July 10, 2023, and while the total number of affected individuals affected has yet to be confirmed, 27 million lines of data were compromised, which equates to around 11 million individuals.

Since the investigation is still in the early stages, little information has been released so far about the nature of the cyberattack, other than an unauthorized individual gaining access to an external storage location used for formatting emails. HCA Healthcare said highly sensitive information such as Social Security numbers, financial information, and clinical information does not appear to have been compromised, only information such as names, dates of birth, email addresses, phone numbers, and next appointment dates.

The first lawsuit in relation to the breach was filed in the Tennessee Middle District Court on Wednesday by the law firms Shamis & Gentile and Kopelowitz Ostrow Ferguson Wieselberg Gilbert, naming Gary Silvers and Richard Marous as plaintiffs. The lawsuit, Silvers et al v. HCA Healthcare, Inc., alleges a failure to comply with the HIPAA Rules and FTC guidelines, and HCA Healthcare was negligent by failing to safeguard the personal and protected health information of patients. As a result of that negligence, patient data is now in the hands of cybercriminals and the plaintiffs and class members are likely to have their sensitive data misused in a variety of fraudulent ways and face a lifetime risk of identity theft and fraud.

This lawsuit claims injuries have been suffered in a number of ways, including the lost or diminished value of private information, costs associated with the prevention, detection, and recovery from identity theft and fraud, lost opportunity costs to mitigate the data breach’s consequences and lost time, and emotional distress from the loss and control of “highly sensitive private information.”

The lawsuit seeks monetary damages, legal fees, a jury trial, and injunctive relief, requiring HCA Healthcare to implement a variety of safeguards to better protect patient data. The injunctive relief requested includes data protection through encryption, the deletion of private information unless there is a legitimate reason for retaining that information, prohibiting the storage of data in a cloud-based database, independent third-party security audits, data segmentation, the implementation and maintenance of threat management and monitoring programs, and audits, tests, and training of security personnel.

Lawsuits are commonly filed following healthcare data breaches and a breach of this magnitude is likely to trigger many more lawsuits over the coming days and weeks; however, while legal action can be taken, there is no guarantee of success. Healthcare data breach lawsuits often hinge on whether there has been a concrete injury that more than likely was caused by a specific data breach. Lawsuits that only allege a risk of identity theft and fraud are unlikely to be granted standing.

The post First Lawsuit Filed Against HCA Healthcare Over 11 Million-Record Data Breach appeared first on HIPAA Journal.

Healthcare Providers and Vendors Confirm Recent PHI Disclosure Incidents

Posted by Steve Alder

A round-up of data breaches that have recently been reported by HIPAA-covered entities.

South Suburban Surgical Suites Reports Email Account Breach

South Suburban Surgical Suites, a Munster, IN-based surgical center, has reported a breach of a legacy Microsoft Office 365-hosted business email account. The breach was detected on April 3, 2023, with the investigation confirming the account was accessed following a response to a phishing email. The response was on February 20, 2023, and the unauthorized access was blocked on April 3, 2023. The review of the email account was completed on June 5, 2023, and confirmed that the protected health information of 5,340 patients was stored in the account.

That information varied from individual to individual and may have included full names in combination with addresses, dates of birth, Social Security numbers, driver’s license/state ID numbers, passport numbers, credit card information and/or financial account information, medical record numbers, dates of service, provider names, diagnoses/procedure information, prescriptions/medications, health insurance information, and/or billing and claims information.

Complimentary credit monitoring and identity protection services have been offered to individuals whose Social Security numbers were involved.

edgeMED Healthcare Reports Computer System Compromise

The Boca Raton, FL-based revenue cycle management and billing vendor, edgeMED Healthcare, LLC, has recently announced that an unauthorized individual accessed its computer systems between May 20, 2023, and May 26, 2023, and may have viewed or obtained information such as names, treatment codes, rendering provider names, and some additional encounter information.

The intrusion was detected on May 26, 2023, and access was immediately blocked. Affected individuals have now been notified about the breach and, at the time of issuing notifications, no evidence of misuse of the compromised data had been identified. edgeMED Healthcare said its security protocols have been enhanced by implementing additional security measures.

The breach has yet to appear on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.

Partnership Health Center Reports Email Error

The Missoula, MT healthcare clinic, Partnership Health Center (PHC), says a limited amount of patient information has been impermissibly disclosed due to an email error. A patient survey was sent via email to find out about patient experiences; however, emails were inadvertently sent to incorrect individuals.

An email intended for one individual was accidentally sent to another individual, who was also a Partnership Health Center patient. The only information that was impermissibly disclosed was an individual’s first and last name, and in some cases, their middle initial. The email identified a patient as having received a medical service from Partnership Health Center between July 2022 and December 2022. The nature of that service was not disclosed.

The breach has recently been reported to the HHS’ Office for Civil Rights as affecting 8,331 individuals.

Limbach Facility Services Reports of Employee Benefit Plan Data

The Warrendale, PA-based construction and engineering company, Limbach Facility Services LLC, fell victim to a cyberattack that affected the availability and functionality of its computer network. The security breach was detected on April 23, 2023, with the forensic investigation determining that an unauthorized individual had access to its network between April 19, 2023, and April 22, 2023. During that time, certain files on the network were accessed and exfiltrated. Those files included the protected health information of 1,392 current and former members of its Group Benefit Plan. The compromised information included names, Social Security numbers, and limited health insurance plan enrolment information.

Additional security measures have been implemented to enhance the security of the network and affected individuals have been offered complimentary credit monitoring and identity theft protection services.

The post Healthcare Providers and Vendors Confirm Recent PHI Disclosure Incidents appeared first on HIPAA Journal.

11 Million+ HCA Healthcare Patients Affected by Recent Cyberattack

Posted by Steve Alder

Nashville, TN-based HCA Healthcare, the largest health system in the United States with more than 180 hospitals and 2,300 healthcare sites, has announced that an unauthorized individual had obtained the protected health information of patients. While the total number of affected individuals has not yet been confirmed, the breach is understood to have affected 11 million+ patients, which would make this the joint third-largest healthcare data breach to be reported by a HIPAA-regulated entity.

Largest Healthcare Data Breaches

Name of Covered Entity Year Covered Entity Type Individuals Affected Type of Breach
Anthem Inc. 2015 Health Plan 78,800,000 Hacking/IT Incident
American Medical Collection Agency 2019 Business Associate 26,059,725 Hacking/IT Incident
HCA Healthcare 2023 Healthcare Provider 11,000,000+ Hacking/IT Incident
Premera Blue Cross 2015 Health Plan 11,000,000 Hacking/IT Incident
Excellus Health Plan, Inc. 2015 Health Plan 9,358,891 Hacking/IT Incident

On July 10, 2023, HCA Healthcare announced that hackers had gained access to an external storage location that was used to automatically format emails such as patient appointment reminders and emails alerting patients about HCA Healthcare programs and services. While the investigation into the data breach has not yet concluded, the compromised data lists contained 27 million rows of data, which included the protected health information of approximately 11 million patients who received care at HCA hospitals and doctors’ offices in 20 U.S. states.

The information in the data lists included name, address (city, state, zip code), email address, phone number, date of birth, gender, date(s) of service, location of service(s), and next appointment date. No clinical information, financial information, or Social Security numbers are believed to have been compromised. The data related to individuals who received healthcare services in Alaska, California, Colorado, Florida, Georgia, Idaho, Indiana, Kansas, Kentucky, Louisiana, Missouri, Mississippi, Nevada, New Hampshire, North Carolina, South Carolina, Tennessee, Texas, Utah, or Virginia. The full list of affected facilities has been published by HCA Healthcare here.

HCA Healthcare said the storage location was immediately disabled when the breach was discovered and an investigation was launched into the attack, with assistance provided by third-party cybersecurity and digital forensics experts. HCA Healthcare said the incident had no impact on patient care and that it is not expected to have any impact on its business, operations, or financial results. HCA Healthcare will issue notification letters when the affected individuals have been identified and contact information has been confirmed. Complimentary credit monitoring services are being offered to the affected individuals.

The individual behind the attack listed the data for sale on a dark net marketplace and gave HCA Healthcare until July 10, 2023, to meet its demands. HCA Healthcare’s announcement coincided with that data, but it is unclear whether the hacker’s demands were met, or what those demands were. HCA Healthcare confirmed in its initial breach notice that, “a list of certain information with respect to some of its patients was made available by an unknown and unauthorized party on an online forum,” and said the information was posted online on July 5, 2023. HCA Healthcare said it is unaware of any misuse of patient data at this time.

Since highly sensitive information does not appear to have been compromised, individuals affected may not face an immediate risk of identity theft or fraud; however, they could be subject to phishing attacks and email/telephone/SMS scams so should exercise caution, especially with email attachments, hyperlinks in emails and SMS messages, and phone calls where sensitive information is requested.

HCA Healthcare said it has “several robust security strategies, systems, and protocols in place to help protect data,” and has an ongoing education program for its colleagues, physicians, vendors, and others to maintain awareness of safe practices to help ensure compliance and the security of patient data.

The post 11 Million+ HCA Healthcare Patients Affected by Recent Cyberattack appeared first on HIPAA Journal.

Advanced Medical Management Reports Data Breach Affecting 319,485 Individuals

Posted by Steve Alder

Advanced Medical Management LLC, a provider of operational, administrative, and technical healthcare management services to large physician organizations, government agencies, and health plans, has recently announced that it was the victim of a cyberattack in which the protected health information of 319,485 individuals was exposed and potentially stolen.

The forensic investigation confirmed that unauthorized individuals gained access to parts of its network that were designed and maintained by third-party vendors. The security breach was detected on May 11, 2023, with unauthorized access occurring between May 10, 2023, and May 13, 2023.

A review was conducted of all files on the compromised systems and confirmed they contained information such as names, addresses, email addresses, phone numbers, dates of birth, driver’s license numbers, Social Security numbers, and health insurance information. Notification letters started to be mailed to affected individuals on June 29, 2023.

Californian Law Firm Confirms Data Breach Affecting Almost 41,000 Individuals

The San Francisco, CA-based law firm, Orrick, Herrington & Sutcliffe LLP, has recently confirmed a breach of its IT environment and the exposure of the protected health information of up to 40,823 individuals. In a breach report submitted to the Montana Attorney General, the law firm said a potential system intrusion was detected on March 13, 2023, and the forensic investigation confirmed that unauthorized individuals had gained access to a portion of its network where client files were stored. Those files contained names, dates of birth, addresses, and Social Security numbers. The investigation also confirmed that files had been exfiltrated from its network on March 7, 2023.

Individuals affected by the attack include members of an unnamed vision health plan, which had engaged the law firm following a security breach in 2020. The law firm started sending notification letters to affected individuals on June 30, 2023 and has offered two years of complimentary identity theft monitoring services to affected individuals. Since data was stolen in the attack, anyone receiving a letter should take advantage of the services being offered through Kroll. The law firm has confirmed that additional security measures have been implemented to prevent similar attacks in the future.

The post Advanced Medical Management Reports Data Breach Affecting 319,485 Individuals appeared first on HIPAA Journal.

$6 Million Settlement Proposed to Resolve UKG/Kronos Data Breach Lawsuit

Posted by Steve Alder

UKG (Ultimate Kronos Group), a multinational provider of workforce management and human resources (HR) management services, has proposed a $6 million settlement to resolve claims related to a ransomware attack and data breach that was discovered in 2021. The breach affected several of its healthcare clients, including Allegheny Health Network, Highmark Health, Baptist Health, UF Health, Ascension, Shannon Medical Center, and Franciscan Missionaries of Our Lady Health System.

UKG was formed in 2020 when Ultimate Software acquired Kronos, a Lowell, MA-based workforce management and human capital management cloud provider. On December 11, 2021, suspicious activity was detected in the Kronos private cloud where UKG solutions were deployed, including UKG Workforce Central, UKG TeleStaff, Healthcare Extensions, and Banking Scheduling. Those solutions were disrupted at a time when its healthcare provider clients were experiencing patient surges due to COVID-19 and flu, which left them unable to process employee paychecks for weeks. UKG also confirmed that the hackers exfiltrated sensitive data from the private cloud. The attack reportedly affected around 2,000 of its clients.

Legal action – In re: UKG Inc. Cybersecurity Litigation – was taken by the victims of the breach who alleged UKG had failed to implement reasonable and appropriate safeguards to protect against ransomware attacks, and if those measures had been taken, the ransomware attack would not have succeeded and millions of individuals would not have had their sensitive data compromised and had their paychecks delayed.

UKG chose to settle the lawsuit with no admission of wrongdoing. Under the terms of the proposed settlement, class members are entitled to submit claims of up to $1,000 for unreimbursed ordinary expenses, which include losses traceable to the data breach such as communication charges and bank fees but not lost wages, along with up to 4 hours of lost time at $25 per hour. Any individual that experienced identity theft or fraud can submit a claim for up to $7,500 to recover documented, unreimbursed extraordinary losses.

Members of two subclasses are entitled to additional payments. Individuals who were notified that their sensitive data was exfiltrated and were offered credit monitoring services are entitled to receive a payment of $100 in addition to any claims for ordinary and extraordinary losses. Individuals who were residents of California at the time of the attack will be entitled to receive an additional payment of $30 in addition to any claims submitted.

The deadline for exclusion from and objection to the settlement is September 18, 2023. The deadline for submitting claims is October 3, 2023. The final fairness hearing has been scheduled for November 17, 2023.

The post $6 Million Settlement Proposed to Resolve UKG/Kronos Data Breach Lawsuit appeared first on HIPAA Journal.

Imagine360 Suffers Breaches of Two File-Sharing Platforms

Posted by Steve Alder

Imagine360, a Wayne, PA-based provider of a self-funded health plan solution for employers, was the victim of two cyberattacks this year involving its file-sharing solutions. The first attack was detected on or around January 30, when suspicious activity was detected within its Citrix file-sharing solution, which Imagine 360 uses to securely exchange files related to self-insured health plans. Steps were immediately taken to secure the platform by taking it offline, passwords were reset, and an investigation was launched into the attack.

A few days later, while Imagine360 was investigating the Citrix breach, a vulnerability was exploited in another file-sharing platform – Fortra’s GoAnywhere Transfer solution. Fortra determined that an unauthorized actor – now known to be the Clop ransomware group – exploited a zero-day vulnerability and stole sensitive data.

Imagine360 independently investigated both security incidents and confirmed that its own systems were unaffected and remained secure at all times; however, files were stolen in both attacks between January 28 and January 30, 2023. The stolen files included names, medical information, health insurance information, and Social Security numbers, with the impacted data varying from individual to individual.

The review of the affected files took until June 1, 2023, after which contact information was verified to allow notification letters to be sent. Imagine360 said the decision was taken to suspend the use of the Fortra file transfer solution, and additional safeguards have been added to its policies, processes, and security measures to prevent similar breaches in the future.

The notification letter to the California Attorney General and the version uploaded to the Imagine360 website make no mention of credit monitoring and identity theft protection services being offered to the affected individuals. It is also unclear at this stage how many individuals have been affected as the incident has yet to appear on the HHS’ Office for Civil Rights breach portal.

The post Imagine360 Suffers Breaches of Two File-Sharing Platforms appeared first on HIPAA Journal.