HIPAA Breach News

Round Up of Recent Hacking Incidents and Email Account Breaches

West Oaks Eyecare – Ransomware Attack

West Oaks Eyecare in Texas has notified 1,045 Texas residents that a malicious actor gained access to its network and installed malware that rendered files inaccessible. The attack was detected on November 7, 2022, and steps were taken to contain the attack and secure its systems. The affected system contained billing information that was potentially accessed and obtained in the attack. The files included patients’ names along with one or more of the following types of information: address, date of birth, email address, phone number, patient ID number, Social Security number, optical scan images, exam results, insurance information, and billing information.

Notification letters were mailed to affected individuals on January 6, 2023. Complimentary credit monitoring and identity protection services have been offered to individuals whose Social Security numbers were involved.

The Kelberman Center – Email Account Breach

The Kelberman Center, a Utica, NY-based provider of services to individuals with autism, has notified 3,501 patients about a breach of employee email accounts. Suspicious activity was detected within its email environment on November 1, 2022, with the investigation confirming that a single email account had been accessed by an unauthorized individual between October 21 and November 3, during which time emails and attachments may have been accessed or acquired.

A third-party digital forensics expert was engaged to investigate the breach and review system security and confirmed that no other systems had been accessed. A review of the email account confirmed the following types of information had been exposed: names, dates of birth, diagnoses, treatment information, and provider information. A very limited number of individuals had other information exposed and were notified if that was the case.  Notifications were mailed to affected individuals on December 30, 2022.

Quality Behavioral Health – Hacked Network Server

Quality Behavioral Health in Washington has recently reported a hacking incident to the HHS’ Office for Civil Rights that has affected 500 individuals – a number often used as a placeholder until the full extent of a data breach is known in order to meet the HIPAA Breach Notification Rule reporting requirements.

The cyberattack was detected on November 26, 2022, and steps were immediately taken to secure its network and prevent further unauthorized access. An investigation was launched to determine the nature and scope of the breach and the extent to which patient data was involved. That investigation and file review are ongoing, but it has been confirmed that its network was subject to unauthorized access between November 24 and November 26, 2022.

The exposed information included names, contact information, demographic information, Social Security numbers, driver’s license numbers, state identification card numbers, financial account information, birth dates, student, military, or passport identification numbers, health insurance information, medical histories, mental or physical conditions, medical diagnoses, and treatment information.

St. Rose Hospital – Hacking Incident with Data Theft Confirmed

St. Rose Hospital in Hayward, CA, has recently confirmed that a malicious actor gained access to its network and exfiltrated files containing patient information. Suspicious activity was detected in its computer systems on November 29, 2022, and third-party digital forensics specialists were engaged to investigate the breach. The investigation confirmed that its network was first accessed on November 18, 2022, and data theft occurred around that time.

The review of all files potentially accessed or copied revealed they contained names, Social Security numbers, dates of birth, e-mail addresses, and home addresses. St. Rose Hospital said it is unaware of any misuse of patient information, although databreaches.net has reported that data potentially related to the attack has been included in a dataset on a hacking forum. St. Rose Hospital has offered complimentary credit monitoring services to affected individuals.

Mindpath Health – Email System Breach

Community Psychiatry Management, doing business as Mindpath Health, has recently notified certain patients about a breach of its email system. Suspicious activity was identified within its email environment during a routine security audit. Third-party forensics experts were engaged to investigate the security breach and confirmed that two employee email accounts had been compromised, one in March 2022 and the other in June 2022. The forensic investigation concluded on November 15, 2022, and confirmed that protected health information may have been accessed, including patient names, addresses, Social Security numbers, dates of birth, medical diagnoses, treatment information, health insurance information, and prescription information. Mindpath health said it is unaware of any actual or attempted misuse of patient data.

Notification letters were sent to affected individuals on December 30, 2022. It is currently unclear how many individuals were affected.

Bay Bridge Administrators – Hacking Incident

Bay Bridge Administrators, an Austin, TX-based third-party administrator of insurance products, has recently announced that unauthorized individuals gained access to its network on or before August 25, 2022, and exfiltrated files on September 3, 2022.

The security breach was detected on September 5, 2022, when network disruption was experienced. Prompt action was taken to secure its network and investigate the breach, which revealed on December 5, 2022, that the stolen files included the personal information of individuals enrolled in certain employment insurance benefits that were administered by BBA for calendar year 2022. That information included names, addresses, Social Security numbers, driver’s license numbers, state identification card numbers, medical information, health insurance information, and/or dates of birth.

Affected individuals were notified on January 10, 2023, and have been offered 24 months of complimentary credit monitoring and identity protection services.

The post Round Up of Recent Hacking Incidents and Email Account Breaches appeared first on HIPAA Journal.

Consolidated Class Action Lawsuit Filed Against Shields Health Care Group Over 1.9 Million-Record Data Breach

Multiple lawsuits have been filed against Massachusetts-based Shields Health Care Group, which suffered one of the largest healthcare data breaches of the year, affecting almost 2 million individuals. The lawsuits have recently been consolidated into a single lawsuit – Biscan v. Shields Health Care Group Inc – that was filed in a Massachusetts federal court this week.

Shields Health Care Group provides MRI, PET/CT, radiation oncology, and surgical services to healthcare practices, around 60 of which were affected by the breach. Hackers gained access to its network and stole the protected health information of patients over a two-week period in March 2022. The stolen data included names, contact information, Social Security numbers, insurance information, billing information, and clinical information such as diagnoses and treatment information. Affected individuals were offered a 2-year membership to a credit monitoring service.

The plaintiffs allege Shields Health Care Group failed to implement appropriate safeguards to prevent unauthorized access to highly sensitive patient data and then failed to issue timely notifications to patients to inform them that their data was in the hands of cybercriminals and that the notification letters did not provide adequate information to allow the affected individuals to take appropriate action to assess and mitigate risk.

The lawsuit alleges Shields Health Care Group was fully aware of the risk of hacking and ransomware attacks on healthcare organizations given the multiple security alerts issued by the FBI, CISA, and the HHS, yet failed to implement adequate measures to reduce risk, which was in violation of its obligations under the HIPAA Security Rule.

Shields Health Care Group said a security alert was triggered on March 18, 2022, which was investigated but no breach was detected; suspicious activity was then identified within its network on March 28, 2022. The investigation confirmed patient data had been compromised, and notifications were issued to affected individuals on June 7, 2022, outside the 60-day reporting time frame of the HIPAA Breach Notification Rule.

The lawsuit claims that the notifications were untimely, and deficient in information, failing to even provide basic information about the breach, such as whether patient data on the servers were accessed. The lawsuit also alleges the credit monitoring services offered were inadequate given that affected individuals face many years of ongoing identity theft.

While many lawsuits are filed based on future risk of harm, the plaintiffs claim to have suffered financial losses as a result of the breach and have had to spend a significant amount of time monitoring their financial accounts. One plaintiff said suspicious activity was identified in his email account and he had thousands of dollars of fraudulent charges to his Bank of America account, and another plaintiff claims to have been targeted by scammers over the phone since the data breach.

The consolidated lawsuit alleges negligence, breach of contract, invasion of privacy by intrusion, and breach of fiduciary duty, and seeks class action status, damages, and injunctive relief.


Global Healthcare Cyberattacks Increased by 74% in 2022

The latest data released by the cybersecurity firm Check Point has confirmed that 2022 was a particularly bad year for cyberattacks, which increased globally by 38% year-over-year fuelled by a sizeable increase in attacks on healthcare organizations. Globally, the healthcare industry had the highest percentage increase in weekly cyberattacks of any industry sector, with an increase of 74% from 2021 to an average of 1,463 attacks per week.

With that increase, healthcare rose to become the third most attacked industry globally behind the government/military with 1,661 attacks a week (+46%) and education/research with 2,314 attacks a week (+43%). In the United States, healthcare ranked second with 1,410 attacks per week, which is an 86% increase from 2021. Across all industry sectors, cyberattacks in the United States increased by 57% year-over-year.

The healthcare industry is an attractive target for cybercriminals due to the volume of easily monetizable data that can be stolen, and the higher-than-average probability of extortion demands being met to prevent the release of stolen data. The Check Point Research team also points out that as an added advantage, ransomware gangs gain a lot of publicity from attacks on hospitals, with the attention increasing their notoriety.

There were notable changes in the threat landscape in 2022, especially concerning ransomware attacks. While in previous years large ransomware groups dominated the threat landscape, in 2022 these larger groups evolved into much smaller, more agile cybercriminal groups that are better able to evade law enforcement. Check Point also notes a diversification in cyberattacks on businesses that now exploit a much wider range of business collaboration tools, including Slack, Microsoft Teams, Google Drive, and OneDrive, all of which are rich sources of valuable data that can be obtained through phishing attacks.

Tracking specific types of cyberattacks in healthcare can be a challenge, as there is no standardized reporting. HIPAA requires data breaches to be reported, but the HHS only tracks cyberattack-related data breaches as hacking/IT incidents. Further, many breached entities choose not to disclose the exact nature of attacks, such as if ransomware was involved. Data collected by Emsisoft suggests ransomware attacks have leveled off, but the cybersecurity firm only analyzed data breaches at hospitals, not the broader healthcare ecosystem which includes healthcare industry vendors which were heavily targeted in 2022.

While the data from Check Point Research indicates an increase in healthcare cyberattacks in the United States, these attacks do not always result in data breaches. The HHS’ Office for Civil Rights breach portal currently indicates a slight reduction in reported data breaches, although data for 2022 is still being added to the breach portal. HIPAA Journal will publish its end-of-year healthcare data breach report next week when there is a clearer picture of the year’s totals but, as it stands on January 10, 2023, 701 data breaches of 500 or more records have been reported to the HHS in 2022, 13 short of the record-breaking total of 714 data breaches in 2021.

While it appears that healthcare data breaches have declined slightly, it is worth noting the increase in the number of breached healthcare records in 2022. Across the 701 data breaches, the records of 51,884,675 individuals were breached, more than in any year other than 2015, when the 78.8 million-record breach at Anthem Inc. was reported. That 13.1% year-over-year increase in breached records is concerning.

2022 also saw two major milestones reached. In 2009, the HHS started publishing a summary of reported healthcare data breaches of 500 or more records. In 2022, the cumulative number of data breaches reported since then surpassed 5,000. The second unwelcome milestone is that more healthcare records have now been breached than the entire population of the United States. Since the HITECH Act required OCR to start publishing healthcare data breaches in 2009, more than 382 million healthcare records have been reported as having been exposed or impermissibly disclosed.


Hive RaaS Gang Leaks Stolen Consulate Health Care Data

The Hive ransomware-as-a-service (RaaS) operation has claimed responsibility for an attack on Consulate Health Care, a Florida-based chain of 140 U.S. nursing homes. The group claims to have stolen 550 GB of data in the attack and said files were encrypted on December 3, 2022. The group posted on its leak site about the breach on January 6, 2023, and has already leaked some of the data allegedly stolen in the attack. The information stolen in the attack allegedly includes contracts, company information, employee information, and patient information such as medical records, Social Security numbers, contact information, and insurance information.

Consulate Health Care published a substitute breach notice on its website around the same time as Hive went public about the attack. In the website breach notice, Consulate Health Care claims the attack occurred at one of its (unnamed) vendors, which is still investigating the incident to determine the extent of the breach. Consulate Health Care said it is working closely with its vendor and has confirmed that the investigation is progressing as fast as possible to determine the extent to which protected health information was involved and which individuals have been affected. Consulate Health Care said, “we are providing this notice out of an abundance of caution as we value transparency.”

The Hive ransomware gang has a different view on the attack and claims no vendor was involved. Instead, a spokesperson for the group said in a conversation with databreaches.net that Consulate Health Care was attacked directly. The timing of the breach notice suggests that it refers to the same incident.

The Hive RaaS group is one of several ransomware gangs known to target the healthcare industry, including attacks on Lake Charles Memorial Health System in Louisiana which involved the data of 270,000 patients, and an attack on the New York ambulance service, Empress EMS, which affected up to 318,558 individuals. Due to the high risk of attacks, a joint cybersecurity advisory was issued by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) in November, 2022, which includes technical information about the tactics, techniques, and procedures used by the group and indicators of compromise for network defenders.


Email Account Breaches Reported by Legacy Hospice, Live Oak Surgery Center, University of Miami Health

Email accounts have been compromised at Legacy Hospice and Live Oak Surgery Center, and a University of Miami Health employee’s personal data breach also saw their work email account compromised, highlighting the risks of employees storing their work login credentials on personal devices.

Legacy Hospice Email Account Breach Affects 21,000 Patients

Legacy Operating Company, an Alabama-based operator of Legacy Hospice facilities in Alabama, Arkansas, Louisiana, Mississippi, Missouri, Oklahoma, and Tennessee, has confirmed that an unauthorized third party gained access to a limited number of employee email accounts on February 11, 2022, and between April 7, 2022, and April 21, 2022. Third-party cybersecurity professionals were engaged to investigate the breach, with the investigation concluding on November 7, 2022, that protected health information was present in the compromised email accounts and may have been accessed or obtained.

The breached information included names in combination with one or more of the following types of data: Social Security numbers, taxpayer identification numbers, dates of birth, dates of death, driver’s license numbers, government identification numbers, financial account information, credit or debit card information, passport numbers, dates of service, provider names, medical record numbers, patient numbers, general medical information, diagnostic/treatment information, surgical information, medication information, and/or insurance information.

No reports have been received about any attempted or actual misuse of patient data. Notification letters were mailed on December 23, 2022, and complimentary credit monitoring services have been offered to individuals whose Social Security numbers were affected.

Live Oak Surgery Center Email Account Breach Affects More Than 5,000 Patients

Live Oak Surgery Center in Plano, Texas, has confirmed that the email accounts of two employees were accessed by unauthorized individuals between August 10, 2022, and September 27, 2022. The forensic investigation and review of the affected email accounts concluded on November 17, 2022, when it was confirmed that the email accounts contained names, along with one or more types of the following data: financial account information, date of birth, payment card information, medical information, health insurance information, passport number, Social Security number, driver’s license number, state identification number, and/or username/password. Live Oak Surgery Center is unaware of any misuse of patient data.

Additional email security measures have been implemented to prevent further account breaches. The breach has been reported to the HHS’ Office for Civil Rights as affecting 5,264 patients.

Personal Data Breach Results in Impermissible Disclosure of PHI of University of Miami Health Patients

University of Miami Health System (UHealth) has recently announced that the protected health information of 973 patients has potentially been compromised as a result of an employee’s personal data breach. The employee in question was a victim of identity theft, with the third party responsible also stealing the credentials for the employee’s work email account. A review of the email account revealed it contained patient information such as names and medical record numbers. That information was found and forwarded to a third-party email account. UHealth said no evidence was found to indicate any Social Security numbers or financial information was compromised.


Ransomware Attacks Announced by Maternal & Family Health Services and Retreat Behavioral Health

Maternal & Family Health Services in Eastern Pennsylvania has recently notified certain patients about an April 4, 2022, ransomware attack in which sensitive patient data was exposed. When the attack was detected, systems were secured, and a third-party computer forensics firm was engaged to investigate and determine the nature and scope of the breach. The investigation confirmed that its systems were first accessed by the attackers on August 12, 2021, almost 8 months before ransomware was used to encrypt files. The investigation, review of affected files, and verification of contact information lasted until the end of the year. Notifications were sent to affected individuals on January 3, 2023.

Maternal & Family Health Services said the compromised files included information such as names, addresses, dates of birth, Social Security numbers, driver’s license numbers, financial account/payment card information, usernames, passwords, medical information, and health insurance information. Complimentary credit monitoring and identity theft protection services have been offered to individuals whose Social Security number or financial account/payment card information was involved. No evidence of misuse of patient data had been identified at the time of issuing notifications. Maternal & Family Health Services said it is strengthening security to prevent similar incidents in the future.

The incident has not yet appeared on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Retreat Behavioral Health Ransomware Attack Affects Up to 23,620 Patients

Retreat Behavioral Health, an operator of mental health and substance use treatment centers in Florida, Pennsylvania, and Connecticut, has confirmed that ransomware was used in a cyberattack that was detected and blocked on July 1, 2022.

Retreat Behavioral Health said the forensic investigation concluded on December 9, 2022, and notifications have now been sent to affected patients. The investigation indicates a data set within its network was accessed by the third party behind the attack, with the potentially compromised data including names, addresses, and Social Security numbers. A subset of individuals also had date of birth and/or treatment information exposed. Retreat Behavioral Health said no evidence of attempted or actual misuse of patient data has been identified but, as a precaution, single-bureau credit monitoring services have been offered to patients at no cost. Retreat Behavioral Health has also implemented additional monitoring tools on its network and will continue to enhance system security.

The breach was recently reported to the Maine Attorney General as affecting 23,620 patients.

Employee Benefits Plan Data Exposed in L. Knife & Son Hacking Incident

The alcoholic beverage wholesaler, L. Knife & Son, Inc., has recently announced that an unauthorized third party gained access to its network and copied files containing sensitive data. The security breach was detected on November 1, 2022, with the forensic investigation confirming unauthorized access to files and data theft occurred between October 13, 2022, and October 19, 2022. The review of the affected files was completed on December 8, 2022.

The breach was reported to the Maine Attorney General as involving the data of 14,377 individuals, and the HHS’ Office for Civil Rights as involving the protected health information of 4,082 members of its Employee Benefits Plan. Affected individuals have been offered complimentary 2-year memberships to an identity theft protection service, and additional security measures have been implemented to prevent further breaches in the future.


Washington Attorney General Sues Plastic Surgery Provider for HIPAA Violations and Falsely Inflating Online Ratings

Washington Attorney General Bob Ferguson is suing a plastic surgery provider for falsely inflating online ratings and for bribing and threatening patients, and alleges the actions of the practice violated the Health Insurance Portability and Accountability Act (HIPAA) Rules.

The lawsuit was filed in the U.S. District Court for the Western District of Washington against the Seattle plastic surgery clinic Allure Esthetic and its owner Dr. Javad Sajan after receiving multiple complaints from patients and former employees. The complaints alleged the practice was bribing and threatening patients to prevent them from posting negative reviews on platforms such as Yelp and Google, and that patients were made to sign non-disclosure agreements (NDAs) before receiving treatment prohibiting them from publishing online reviews that could in any way harm the practice. The practice considered any review under 4 stars to be a negative review. Attorney General Ferguson said these practices falsely inflated its online reviews.

According to the lawsuit, more than 10,000 patients were made to sign the NDAs stating legal action would be taken in response to negative reviews. Patients who posted negative reviews were allegedly intimidated into removing the reviews and were told they would be sued for monetary damages if the reviews were not deleted. In some cases, patients were offered bribes for removing negative reviews, including cash and free services. Patients that accepted the payments or free services were required to sign a second NDA that stipulated they would be liable for $250,000 in damages if they posted any further negative reviews. Patients were required to pay a $100 consultation fee before being told they would be required to sign an NDA.

The lawsuit also alleges employees were ordered to post fake positive reviews online that included altered before and after photographs that made it appear the treatments were more successful than they actually were. A VPN was used when posting the fake reviews to conceal the IP addresses of the office computers. The practice is also alleged to have applied for rebates on behalf of its patients without obtaining their consent, then kept the rebates. Hundreds of fake email accounts were created to register for rebate programs intended for real patients, which resulted in thousands of dollars of fraudulent rebates being paid to the practice each month.

The lawsuit alleges that between 2017 and 2019, the NDAs required patients to contact the practice prior to publishing any online review under 4 stars, with the NDAs stating patients would be liable to “pay monetary damages to the practice for any losses” if negative reviews were not removed. The NDAs also stated that patients must waive their HIPAA privacy rights, stating consumers must “allow a response [to the review] from the practice with any personal health information” if they post a negative review. The HIPAA Privacy Rule prohibits covered entities from conditioning treatment, payment, enrollment, or benefits eligibility on an individual granting an authorization to disclose protected health information. That wording was changed in 2019, but the NDAs continued to be required until March 2022.

In addition to the alleged HIPAA violations, the practice and owner are alleged to have violated the Washington State Consumer Protection Act (CPA) and the Consumer Review Fairness Act (CRFA). The lawsuit asks the court to invalidate the NDAs, require the practice to write to all patients to inform them that the NDAs are invalid, and block the practice from using NDAs in the future. Monetary damages of up to $7,500 are sought per violation, and the court has been asked to order the practice to pay restitution to patients for the $100 consultation fees and return any rebates that are owed to customers.

“Patients rely on reviews to determine if a healthcare provider is right for them and using legal threats and bribes to manipulate those reviews is deceptive and harms Washingtonians. We are taking action to stop these unethical and illegal practices,” said AG Ferguson. “Threatening and bribing customers to prevent them from sharing the truth about their experience isn’t just wrong — it’s illegal.”


CommonSpirit Health Facing Class Action Lawsuit over Ransomware Attack and Data Breach

The Chicago, IL-based health system, CommonSpirit Health, is facing a class action lawsuit over its October 2022 ransomware attack. Malicious actors gained access to its IT systems on September 16, 2022, and deployed ransomware on October 2, 2022. The attack forced the shutdown of its electronic medical record system and caused considerable disruption over several weeks, with the Catholic health system having to cancel many appointments. The forensic investigation determined the protected health information of patients of Virginia Mason Franciscan Health was potentially compromised in the attack. Virginia Mason Franciscan Health operates St. Anne Hospital, St. Elizabeth Hospital, St. Anthony Hospital, St. Clare Hospital, St. Francis Hospital, St. Joseph Hospital, and St. Michael Medical Center. CommonSpirit Health said the information compromised in the attack was limited to names, addresses, phone numbers, dates of birth, and unique ID numbers, and reported the data breach to the HHS’ Office for Civil Rights as affecting 623,774 individuals.

In late December, a lawsuit was filed in the District Court for the Northern District of Illinois on behalf of Virginia Mason Franciscan Health patient, Leeroy Perkins, and other similarly affected patients. The lawsuit alleges CommonSpirit Health was negligent for failing to implement and follow basic cybersecurity procedures and industry cybersecurity best practices which allowed unauthorized individuals to gain access to patients’ sensitive data, placing affected patients at risk of identity theft and fraud.

Perkins claims to have had to spend valuable time monitoring his accounts and changing passwords, and now faces an increased risk of identity theft and fraud as a result of the data breach. He also claims costs will be incurred paying for credit monitoring and identity theft protection for years to come, and his credit score is likely to be lowered. The lawsuit seeks class action status, damages exceeding $5 million, and injunctive relief, including CommonSpirit Health implementing more robust cybersecurity measures to protect patient data.

It is now common for lawsuits to be filed against healthcare providers that have suffered ransomware and other cyberattacks, especially when the data breaches affect many thousands of patients; however, in order for the lawsuits to succeed, the plaintiffs must demonstrate they have been harmed as a result of a data breach. Lawsuits often fail when they are based solely on an elevated risk of identity theft and fraud.

In 2021, a lawsuit filed against Brandywine Urology Consultants was dismissed by a Delaware Superior Court judge when the plaintiffs failed to provide sufficient evidence that they had been harmed by the breach. “A plaintiff alleging that it will suffer future injuries from a defendant’s allegedly improper conduct must show that such injuries are certainly impending,” and must demonstrate “a likelihood that the injury will be redressed by a favorable decision,” said the Honorable Mary M. Johnston in the ruling dismissing the lawsuit. The plaintiffs claimed to have incurred expenses as a result of the breach, but the judge ruled that costs incurred in response to a speculative threat are not sufficient to confer standing.

The post CommonSpirit Health Facing Class Action Lawsuit over Ransomware Attack and Data Breach appeared first on HIPAA Journal.

Cyberattacks Reported by Heartland Alliance and CentraState Medical Center

The Chicago, IL-based social justice and human rights organization, Heartland Alliance, announced on December 15, 2022, that it was the victim of a cyberattack. The security breach was discovered on January 26, 2022, and prompt action was taken to secure its systems to prevent further unauthorized access. A leading third-party cybersecurity firm was engaged to investigate the incident.

On April 27, 2022, Heartland Alliance confirmed that an unauthorized individual had gained access to its network and potentially accessed or obtained files containing sensitive personal information. A lengthy review process was then initiated to determine the extent of the data breach and to obtain up-to-date contact information for the affected individuals. That process was completed in December 2022.

Heartland Alliance has confirmed that the protected health information of individuals who sought health care or participated in other Heartland programs was potentially compromised, along with the personal information of employees, directors, and independent contractors. The data involved varied from individual to individual and may have included one or more of the following data types: names, dates of birth, Social Security numbers, driver’s license numbers, bank account numbers, and medical/health information. Heartland Alliance said it is unaware of any actual or attempted misuse of that information.

Notification letters were sent to affected individuals on December 15, 2022, and a one-year membership to an identity and credit monitoring service has been offered. Heartland Alliance has also confirmed that it has upgraded its IT security systems to prevent similar security breaches in the future.

CentraState Medical Center Facing Ongoing Disruption Following Late December Cyberattack

CentraState Medical Center in Freehold, NJ, has been dealing with a cyberattack that occurred on or around December 30, 2022. The cyberattack was detected during a shift change around 7 am when computer systems started to malfunction. As a precaution, the medical center went on full diversion, with ambulances directed to alternative facilities while the cause of the IT system outage was investigated.

Tom Scott, President and CEO of CentraState Medical Center, has confirmed that the disruption was due to a cyberattack that affected certain IT systems. Systems were promptly isolated to contain the attack, and an investigation was launched to determine the nature and scope of the breach. Employees have been recording patient data manually while IT systems are out of action, and extra staff have been brought in to deal with the increased workload.

CentraState Medical Center issued an update on January 3, 2023, confirming that the usual high standards of patient care are being maintained, but some services at the medical center continue to be affected, including outpatient radiology, radiation treatment, mammography, labs, and catheterization lab services. Scheduled inpatient procedures are continuing as normal, but some outpatient appointments have been postponed or rescheduled.

No timescale has been provided on when systems will be fully restored, and no information has been disclosed on the exact nature of the attack. It is also unclear at this early stage of the investigation if, and to what extent, patient data was involved.