HIPAA Breach News

Intellihartx Facing Class Action Lawsuit Over 490K-Record Data Breach

A lawsuit has been filed against Intellihartx, LLC (aka ITx Companies), over a cyberattack by the Clop ransomware group that exploited a vulnerability in Fortra’s GoAnywhere Managed File Transfer (MFT) solution. The protected health information of 490,000 patients of its healthcare clients was compromised in the attack in late January. Intellihartx was one of 130 GoAnywhere users to be affected.

Intellihartx, a revenue cycle management company, said protected health information was compromised in the January 30, 2023 cyberattack, including names, contact information, insurance information, diagnoses, medications, dates of birth, and Social Security numbers. Affected individuals were notified about the data breach on June 9, 2023, more than 4 months after the discovery of the attack.

The lawsuit, Laren Perrone v. Intellihartx, LLC, was filed in the U.S. District Court for the Northern District of Ohio, Western Division, and alleges the defendant failed to properly secure and safeguard the protected health information of the plaintiff and class members, did not adequately supervise its business associates, vendors, and suppliers, and did not detect the data breach in a timely manner.

The lawsuit claims the defendant was aware of the vulnerability on January 29, 2023, and so could have prevented the data breach. It also claims the breach could have been prevented, or its severity limited, if the defendant had limited the patient information it shared with its business associates and employed reasonable supervisory measures to ensure that adequate data security practices, procedures, and protocols were being implemented and maintained by those business associates.

The lawsuit claims the plaintiff and class members face an imminent, immediate, and continuing increased risk of suffering ascertainable losses from the data breach, including identity theft and other fraudulent misuses of their data, and have incurred and will continue to incur out-of-pocket expenses mitigating the effects of the data breach. The lawsuit does not allege that protected health information has already been misused or that identity theft or other fraud has been experienced.

The lawsuit claims the defendant failed to comply with the standards of the Health Insurance Portability and Accountability Act (HIPAA) and FTC guidelines, citing security failures such as a lack of adequate data security systems, practices, and protocols to protect against reasonably anticipated threats or hazards and a failure to mitigate the risks of a data breach.

While monetary relief is being sought to cure some of the plaintiff’s and class members’ injuries, injunctive relief is also sought to ensure the alleged information security issues are corrected to prevent further data breaches in the future. In addition to monetary relief, the lawsuit seeks an order from the court requiring the defendant to fully and accurately disclose the nature of the information that was compromised and to adopt sufficient security practices and safeguards to prevent similar incidents in the future.

The plaintiff and class members are represented by Christopher Wiest, Atty at Law PLLC, and Mason Barney and Tyler Bean of SIRI & GLIMSTAD LLP.

The post Intellihartx Facing Class Action Lawsuit Over 490K-Record Data Breach appeared first on HIPAA Journal.

Kannact & Vincera Institute Fall Victim to Cyberattacks

Kannact Inc., an Albany, OR-based home care service, says it detected unauthorized access to its computer network on March 13, 2023. A third-party cybersecurity firm was engaged to investigate the incident and confirmed that the parts of the network that were accessed contained patients’ protected health information, although, at this stage of the investigation, it is unclear if patient data was viewed or copied from its systems. Kannact has received no reports at the time of providing notice to indicate any misuse of patient data.

The review of the files that could potentially have been accessed revealed they contained a range of information, which varied from individual to individual. Information potentially compromised included names in combination with one or more of the following data elements: date of birth, address, phone number, Social Security Number, driver’s license number, and health information such as medical diagnosis, treatment information, and pharmaceutical records.

Kannact said that it disabled its third-party managed file transfer software, deactivated all related API keys, and is improving its patient data ingestion process. Individuals whose Social Security and driver’s license numbers were impacted have been offered complimentary credit monitoring and identity theft protection services.

The incident was reported to the HHS’ Office for Civil Rights on June 20, 2023, as affecting up to 103,547 individuals.

Vincera Institute Falls Victim to Ransomware Attack

Vincera Institute in Philadelphia, PA, has confirmed that it fell victim to a ransomware attack on April 29, 2023. Immediate action was taken to secure its systems to prevent further unauthorized access to its network and patient information, and cybersecurity professionals were engaged to investigate the incident. In a June 20, 2023, press release, Vincera Institute said the investigation into the data breach is ongoing, but it has been determined that the threat actors behind the attack had access to parts of its network that contained patient information; however, unauthorized access to and misuse of patient data has not been detected.

The files potentially accessed in the attack included full names, addresses, phone numbers, email addresses, Social Security numbers, date of birth, medical histories and treatment records, insurance information, and other information provided by patients. Security safeguards have been enhanced in response to the incident, and monitoring processes have been improved.

The incident was reported to the HHS’ Office for Civil Rights on June 20, 2023, in four breach reports, covering Vincera Imaging LLC (5,000 individuals), Vincera Rehab LLC (5,000 individuals), Vincera Surgery Center (5,000 individuals), and Core Performance Physicians, dba Vincera Core Physicians (10,000 individuals).


Atlanta Women’s Health Group Data Breach Impacts 33,800 Patients

Atlanta Women’s Health Group, P.C., has recently confirmed that the protected health information of up to 33,839 current and former patients has been exposed and potentially stolen in an April 2023 cyberattack. A security breach was detected on April 12, 2023, and third-party cybersecurity experts were engaged to determine the nature and scope of the incident. The investigation confirmed there had been access to patient information, but the breach report did not state whether that information was copied from its systems. Atlanta Women’s Health Group said that at the time of issuing notification letters, no evidence had been found to indicate any misuse of patient data.

For the majority of patients, the information exposed in the attack was limited to names, birth dates, patient ID numbers, and other information that may have been included in medical records. Third-party cybersecurity experts have been engaged to implement additional cybersecurity measures to prevent further data breaches. Affected patients are being encouraged to monitor their credit reports, health account statements, and explanation of benefit forms for suspicious activity.

Blue Cross Vermont Says 16,000 Individuals Affected by January Cyberattack

Approximately 16,000 members of Blue Cross Vermont health plans have had their protected health information compromised in a January 2023 cyberattack. Hackers exploited a zero-day vulnerability in Fortra’s GoAnywhere MFT file transfer solution and accessed and stole sensitive data such as names, birth dates, addresses, medical information, and insurance information. Around 5% of the affected individuals also had their financial information stolen.

Approximately 13,700 of the affected individuals were members of Vermont Blue Advantage Health Insurance Plans, around 2,250 individuals were members of Vermont Blue Advantage Plans, and the remainder of the affected individuals were members of other insurance plans. Notification letters were sent to affected individuals by NationsBenefits, the business associate whose GoAnywhere MFT solution was compromised. NationsBenefits has offered affected individuals 24 months of complimentary credit monitoring services.

New Horizons Medical Breach Impacts 12,317 Patients

New Horizons Medical, Inc., a Massachusetts-based provider of mental health, psychiatry, and substance use treatment services, has recently reported a data breach to the Maine Attorney General that has affected up to 12,317 patients. Unauthorized network access was detected on April 19, 2023, and a third-party forensic investigation was launched to determine the nature of the incident and the extent to which patient data was involved. The investigation revealed unauthorized individuals had access to its network between February 12, 2023, and April 23, 2023, and during that time may have viewed or copied patient information.

The analysis of the affected files confirmed they contained names along with one or more of the following types of information: address, date of birth, Social Security number, driver’s license number, financial account information, medical records number, health insurance plan member ID, claims data, diagnosis, and prescription information. Notification letters were sent to affected individuals on June 16, 2023. Complimentary credit monitoring and identity protection services have been offered to eligible individuals. New Horizons Medical has also confirmed that additional safeguards and technical security measures have been put in place to further protect and monitor its information systems.

Data Security Incident Reported by CareNet Medical Group

CareNet Medical Group in New York has started notifying 3,359 patients that some of their protected health information has been stolen in a security incident. The breach notice does not state when the security incident was detected, but the investigation revealed on April 26, 2023, that its network was accessed by an unauthorized individual between May 9, 2022, and June 4, 2022, during which time files were copied from its network.

The compromised information included full names, addresses, driver’s license numbers, bank account numbers/routing numbers, dates of birth, medical reference numbers, Medicare numbers, cell phone numbers, home phone numbers, health insurance information, email addresses, and Social Security numbers. Notification letters were sent to affected individuals on June 2, 2023, and complimentary credit monitoring services have been offered to individuals whose Social Security numbers were exposed. No explanation was provided as to why it took almost 11 months to determine that patient data had been compromised.


Onix Group Sued for Failing to Prevent a Ransomware Attack and 320K-Record Data Breach

Onix Group, a Pennsylvania-based real estate development firm and provider of business management and consulting services, is being sued for failing to prevent a ransomware attack in which the hackers stole the protected health information of 320,000 individuals.

The ransomware attack was detected by Onix Group on March 27. The forensic investigation confirmed that hackers had access to its internal network between March 20 and March 27, 2023, during which time they exfiltrated files that contained employee, affiliate, and client information. The breached information included names, dates of birth, clinical information, and the Social Security numbers of patients of its healthcare clients, and the health plan enrollment and direct deposit information of employees. Healthcare clients affected by the breach included Addiction Recovery Systems, Cadia Healthcare, and Physicians Mobile X-Ray.

The lawsuit, Eric Meyers v. Onix Group LLC, was filed in the U.S. District Court for the Eastern District of Pennsylvania and alleges negligence, negligence per se, breach of implied contract, breach of fiduciary duty, and unjust enrichment. The lawsuit claims Onix Group had a legal obligation to implement reasonable and appropriate safeguards to ensure the confidentiality of the data it stored, but instead stored that information in a vulnerable and dangerous condition, then unnecessarily delayed notifications to affected individuals for two months. While Onix Group offered affected individuals 12 months of complimentary credit monitoring services, the lawsuit claims the offer is wholly inadequate, as the plaintiff and class members face a lifelong risk of identity theft and fraud as a result of the theft of their sensitive data.

The lawsuit seeks class action status, a jury trial, damages, and injunctive relief, including an order from the court prohibiting Onix Group from engaging in wrongful and unlawful acts and requiring it to implement adequate cybersecurity measures. Those measures include the development, implementation, and maintenance of a comprehensive information security program, data encryption, third-party security audits and penetration tests, further information security training for all employees including tests of their security knowledge, updates to its data retention policies, and for the company to stop storing personally identifiable information and protected health information in cloud databases.

The plaintiff and class members are represented by Milberg Coleman Bryson Phillips Grossman, PLLC; Chestnut Cambronne, PA; and Sanford Law Firm, PLLC.


May 2023 Healthcare Data Breach Report

May 2023 was a particularly bad month for healthcare data breaches. 75 data breaches of 500 or more healthcare records were reported to the HHS’ Office for Civil Rights (OCR) in May. May – along with October 2022 – was the second-worst-ever month for healthcare data breaches, only beaten by the 95 breaches that were reported in September 2020. Month-over-month there was a 44% increase in reported data breaches and May’s total was well over the 12-month average of 58 data breaches a month.

Healthcare Data Breaches in the Past 12 Months - May 2023

May was also one of the worst-ever months in terms of the number of breached records, which increased by 330% month-over-month to an astonishing 19,044,544 breached records. Over the past 12 months, the average number of records breached each month is 6,104,761 and the median is 5,889,562 records. 46.52% of the breached records in May came from one incident, which exposed the records of almost 8.9 million individuals, and 90.45% of the breached records came from just three security incidents. More healthcare records have been breached in the first 5 months of 2023 (36,437,539 records) than in all of 2020 (29,298,012 records).

Records Breached in Healthcare Data Breaches in the Past 12 Months - May 2023

Largest Healthcare Data Breaches in May 2023

23 data breaches of 10,000 or more records were reported to OCR in May, including the two largest healthcare data breaches of 2023. The worst data breach was a LockBit ransomware attack on the HIPAA business associate Managed Care of North America (MCNA), which affected almost 8.9 million individuals. The LockBit gang stole data, threatened to publish the information on its website if the $10 million ransom was not paid, and, when it wasn’t, leaked the stolen data. Almost 6 million records were stolen in a ransomware attack on PharMerica Corporation and its subsidiary BrightSpring Health Services. The Money Message ransomware group exfiltrated 4.7 terabytes of data in the attack and proceeded to upload the stolen data to its data leak site when the ransom was not paid.

A third million+ record data breach resulted in the exposure and potential theft of the protected health information of 2,550,922 Harvard Pilgrim Health Care plan members following a cyberattack on its parent company, Point32Health, the second largest health insurer in Massachusetts. This was also a ransomware attack with data theft confirmed. Other large data breaches include a hacking incident at the Virginia-based business associate, Credit Control Corporation (345,523 records), and ransomware attacks affecting Onix Group (319,500 records), the Iowa Department of Health and Human Services (233,834 records), and Albany ENT & Allergy Services, PC (224,486 records).

Healthcare Data Breaches of 10,000 or More Records

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach
Managed Care of North America (MCNA) | GA | Business Associate | 8,861,076 | Ransomware attack (LockBit) – Data theft confirmed
PharMerica Corporation | KY | Healthcare Provider | 5,815,591 | Hacking Incident – data theft confirmed
Harvard Pilgrim Health Care | MA | Health Plan | 2,550,922 | Ransomware attack – Data theft confirmed
R&B Corporation of Virginia d/b/a Credit Control Corporation | VA | Business Associate | 345,523 | Hacking Incident – data theft confirmed
Onix Group | PA | Business Associate | 319,500 | Ransomware attack – Data theft confirmed
Iowa Department of Health and Human Services – Iowa Medicaid (Iowa HHS-IM) | IA | Health Plan | 233,834 | Ransomware attack (LockBit) on its business associate (MCNA Dental) – Data theft confirmed
Albany ENT & Allergy Services, PC. | NY | Healthcare Provider | 224,486 | Ransomware attack (BianLian/RansomHouse) – Data theft confirmed
Uintah Basin Healthcare | UT | Healthcare Provider | 103,974 | Hacking Incident
UI Community Home Care, a subsidiary of University of Iowa Health System | IA | Healthcare Provider | 67,897 | Cyberattack on subcontractor (ILS) of its business associate (Telligen) – data theft confirmed
University Urology | NY | Healthcare Provider | 56,816 | Hacking Incident
Illinois Department of Healthcare and Family Services, Illinois Department of Human Services | IL | Health Plan | 50,839 | Hackers compromised the state Application for Benefits Eligibility (ABE) system
New Mexico Department of Health | NM | Healthcare Provider | 49,000 | Impermissible disclosure of deceased individuals’ PHI per access request by a journalist
Pioneer Valley Ophthalmic Consultants, PC | MA | Healthcare Provider | 36,275 | Malware infection at business associates (Alta Medical Management and ECL Group, LLC)
Brightline, Inc. | CA | Business Associate | 28,975 | Hacking of Fortra GoAnywhere MFT solution
Clarke County Hospital | IA | Healthcare Provider | 28,003 | Hacking Incident
United Healthcare Services, Inc. Single Affiliated Covered Entity | CT | Health Plan | 26,561 | Hacking Incident
ASAS Health, LLC | TX | Healthcare Provider | 25,527 | Hacking Incident
iSpace, Inc. | CA | Business Associate | 24,382 | Hacking Incident – data theft confirmed
PillPack LLC | NH | Healthcare Provider | 19,032 | Credential stuffing attack allowed customer account access
Solutran | MN | Business Associate | 17,728 | Hacking incident
MedInform, Inc. | OH | Business Associate | 14,453 | Hacking Incident – data theft confirmed
Catholic Health System | NY | Healthcare Provider | 12,759 | Hacking incident at business associate (Minimum Data Set Consultants) – data theft confirmed
Northwest Health – La Porte | IN | Healthcare Provider | 10,256 | Paper records were removed from locked shredding bins at an old facility

Causes of May 2023 Healthcare Data Breaches

The vast majority of the month’s data breaches were hacking/IT incidents, many of which were ransomware attacks and data theft/extortion attempts. 81.33% of the month’s data breaches (61 incidents) were hacking/IT incidents and those incidents accounted for 99.54% of all breached records. The protected health information of 18,956,101 individuals was exposed or stolen in those incidents. The average data breach size was 310,756 records and the median breach size was 3,833 records. There were 11 data breaches reported as unauthorized access/disclosure incidents, which affected 82,236 individuals. The average breach size was 7,476 records and the median breach size was 1,809 records. Two theft incidents were reported involving a total of 5,632 records and there was one incident involving the improper disposal of 575 paper records.

Causes of May 2023 Healthcare Data Breaches

Unsurprisingly given the large number of hacking incidents, 57 data breaches involved electronic protected health information stored on network servers. There were also 9 data breaches involving electronic protected health information in email accounts.

Location of Breached PHI in May 2023 Healthcare Data Breaches

Where Did the Breaches Occur?

When data breaches occur at business associates of HIPAA-regulated entities, they are either reported by the business associate, the HIPAA-regulated entity, or a combination of the two, depending on the terms of their business associate agreements. In May, 36 breaches were reported by healthcare providers, 25 by business associates, and 14 by health plans; however, those figures do not accurately reflect where the data breaches occurred. The pie charts below show where the data breaches occurred rather than the entity that reported the data breach, along with the number of records that were exposed or impermissibly disclosed in those data breaches.

May 2023 Healthcare Data Breaches - HIPAA-regulated Entities

Records Breached at HIPAA-regulated entities - May 2023

Geographical Distribution of Healthcare Data Breaches

Data breaches of 500 or more records were reported by HIPAA-regulated entities in 30 states. While Massachusetts tops the list with 15 data breaches reported, 13 of those breaches were the same incident. Alvaria, Inc. submitted a separate breach report to OCR for each of its affected healthcare clients. As such, California and New York were the worst affected states with 7 breaches each.

State | Number of Reported Data Breaches
Massachusetts | 15
California & New York | 7
Connecticut, Iowa & Ohio | 4
Illinois, New Jersey & Philadelphia | 3
Alaska, Indiana, Missouri & Texas | 2
Arizona, Arkansas, Georgia, Kansas, Kentucky, Michigan, Minnesota, New Hampshire, New Mexico, Oklahoma, South Dakota, Tennessee, Utah, Virginia, Washington, West Virginia & Wisconsin | 1


HIPAA Enforcement Activity in May 2023

After two months with no HIPAA enforcement actions, there was a flurry of enforcement activity in May over HIPAA compliance failures. Two financial penalties were imposed by OCR to resolve HIPAA violations, two enforcement actions were announced by state attorneys general, and the Federal Trade Commission (FTC) announced an enforcement action against a non-HIPAA-regulated entity for the impermissible disclosure of consumer health information.

In May, OCR announced its 44th financial penalty under its HIPAA Right of Access enforcement initiative, which was launched in the fall of 2019. David Mente, MA, LPC, a Pittsburgh-based counselor, was fined $15,000 for failing to provide a father with the medical records of his minor children, despite the father making two requests for the records and OCR providing technical assistance after the first complaint was filed.

Between January 2020 and June 2023, OCR imposed 61 financial penalties on HIPAA-regulated entities to resolve potential violations of the HIPAA Rules, 69% of which were for HIPAA Right of Access violations. We are now starting to see more financial penalties imposed for other violations. May’s other HIPAA settlement involved a financial penalty of $350,000 for MedEvolve Inc., a Little Rock, AR-based business associate that provides practice management, revenue cycle management, and practice analytics software to HIPAA-regulated entities. MedEvolve had misconfigured an FTP server which exposed the electronic protected health information of 230,572 individuals. OCR investigated and determined that in addition to the impermissible disclosure, MedEvolve had failed to conduct a comprehensive, accurate, and organization-wide risk analysis and had not entered into a business associate agreement with a subcontractor.

The New York Attorney General agreed to a settlement to resolve violations of HIPAA and state laws that were discovered during an investigation of Professional Business Systems Inc, which does business as Practicefirst Medical Management Solutions and PBS Medcode Corp. The medical management company was investigated after reporting a ransomware attack and data breach that impacted 1.2 million individuals. The hackers gained access to its network by exploiting a vulnerability that had not been patched, despite the patch being available for 22 months. Practicefirst was determined to have violated HIPAA and state laws through patch management failures, security testing failures, and not implementing encryption. The case was settled for $550,000.

A multi-state investigation of the vision care provider, EyeMed Vision Care, over a 2.1 million-record data breach was settled with the state attorneys general in Oregon, New Jersey, Florida, and Pennsylvania. A hacker gained access to an employee email account that contained approximately 6 years of personal and medical information including names, contact information, dates of birth, and Social Security numbers. The investigation revealed there had been several data security failures, including a lack of administrative, technical, and physical safeguards, in violation of HIPAA and state laws. The case was settled for $2.5 million.

The FTC has started actively policing the FTC Act and Health Breach Notification Rule and announced its third enforcement action of the year in May. Easy Healthcare, the developer and distributor of the Premom Ovulation Tracker (Premom) app, was alleged to have shared the health data of app users with third parties without user consent, in violation of the FTC Act, and failed to issue notifications, in violation of the Health Breach Notification Rule. Easy Healthcare agreed to settle the case and paid a $200,000 financial penalty.


Great Valley Cardiology Notifies 181,700+ Individuals About PHI Exposure

Commonwealth Health Physician Network-Cardiology, aka Great Valley Cardiology in Scranton, PA, has notified 181,764 current and former patients about a cyberattack and data breach that was discovered on April 13, 2023. The forensic investigation confirmed that the information potentially compromised in the attack included names in combination with addresses, birth dates, Social Security numbers, driver’s license numbers, passport numbers, bank account and credit/debit card information, diagnosis, medications, lab test results, and health insurance/claims information.

Hackers first gained access to Great Valley Cardiology’s systems on February 2, 2023, and access remained possible until its systems were secured on April 14, 2023. The healthcare provider was reportedly notified about the attack by the Department of Homeland Security. Access to its systems was gained as a result of a successful brute force attack.

Affected individuals have been offered complimentary credit monitoring and identity theft protection services for 24 months as a precaution, although there are no indications that there has been any misuse of patient data as a result of the security breach.

EpiSource Confirms Breach of its AWS Environment

The Gardena, CA-based medical coding vendor, EpiSource, has confirmed that the protected health information of patients of its healthcare clients has been exposed and potentially compromised in a February 2023 cyberattack on its Amazon Web Services (AWS) environment.

The cyberattack was detected by its threat detection system on February 20, 2023. The investigation confirmed its AWS environment had been accessed by an unauthorized individual between February 19 and 21, 2023. The forensic investigation confirmed on April 20, 2023, that health and personal information had potentially been accessed or obtained such as names, dates of birth, addresses, phone numbers, medical record numbers, health plan ID numbers, provider information, diagnoses, and medications. EpiSource said security controls and monitoring practices have been enhanced following the attack and affected individuals have been offered one year of complimentary identity theft protection services.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many people have been affected.

Business Associate Data Breach Impacts 25K UPMC Patients

University of Pittsburgh Medical Center (UPMC) has confirmed that approximately 25,000 patients have been affected by a data breach at a business associate that provides billing and collection services. The data breach occurred at Intellihartx LLC, which is issuing notifications to the affected UPMC patients. The breach involved names, addresses, Social Security numbers, and other personal information. Complimentary credit monitoring services have been offered to affected individuals. Intellihartx reported the breach to the Maine Attorney General as affecting 489,830 individuals. Further information on the data breach has been covered by The HIPAA Journal.

Idaho Medicaid Recipients Affected by Data Breach at Claims Processor

The Idaho Department of Health and Welfare has confirmed that the personal information of 2,501 Medicaid recipients has potentially been accessed and/or obtained in a data breach at its claims processor, Gainwell Technologies. An unauthorized individual obtained credentials that allowed access to be gained to the Gainwell portal, which allowed access to information such as names, ID numbers, billing codes, and treatment information.

The breach was discovered on May 12, 2023, and following an investigation and review, affected individuals were notified on June 9, 2023. Credit monitoring and identity theft protection services have been offered to affected individuals.

Utah Department of Health and Human Services Notifies 5,800 Health Plan Members About Mailing Error

The Utah Department of Health and Human Services (DHHS) has confirmed that the protected health information of 5,800 Medicaid recipients has been impermissibly disclosed due to a mailing error. As a result of the error, benefit letters were accidentally grouped together and sent to incorrect individuals. The error was discovered on May 8, 2023, and the mailing process was halted to prevent further impermissible disclosures.

The letters included Medicaid benefit information, although only around 200 of the 5,800 individuals affected had either their Medicare health insurance claim number (HICN) or Social Security number disclosed. Those individuals have been offered complimentary credit monitoring services. The DHHS said it has worked with its business associate, Client Network Services (CNSI), to ensure the error is corrected and system testing and quality protocols have been enhanced.


Washington Hospital Pays $240,000 HIPAA Penalty After Security Guards Access Medical Records

The HHS’ Office for Civil Rights (OCR) investigates all reported breaches of the protected health information of 500 or more individuals and some smaller breaches to determine if the breach was caused by the failure to comply with the HIPAA Rules. OCR’s latest HIPAA enforcement action confirms that it is not the scale of a data breach that determines if a financial penalty must be paid but the severity of the underlying HIPAA violations.

A relatively small data breach was reported to OCR on February 28, 2018, by Yakima Valley Memorial Hospital (formerly Virginia Mason Memorial), a 222-bed non-profit community hospital in Washington state. The hospital discovered security guards had been accessing the medical records of patients when there was no legitimate work reason for the medical record access, and 419 medical records had been impermissibly viewed.

OCR launched an investigation into the snooping incident in May 2018 and discovered widespread snooping on medical records by security guards in the hospital’s emergency department. 23 security guards had used their login credentials to access medical records in the hospital’s electronic medical record system when there was no legitimate reason for the access. The security guards were able to view protected health information such as names, addresses, dates of birth, medical record numbers, certain notes related to treatment, and insurance information. OCR determined that the hospital had failed to implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of the Security Rule – 45 C.F.R. § 164.316.

Yakima Valley Memorial Hospital chose to settle the case with OCR and agreed to pay a financial penalty of $240,000 with no admission of liability. A corrective action plan has been adopted to ensure full compliance with the HIPAA Rules, which includes an accurate and comprehensive risk analysis, the development and implementation of a risk management plan to address the risks identified by the risk analysis, updates to its HIPAA policies and procedures, the enhancement of its current HIPAA security training program, and a review of its relationships with vendors and third-party service providers to identify business associates, and to obtain business associate agreements if they are not already in place.

“Data breaches caused by current and former workforce members impermissibly accessing patient records are a recurring issue across the healthcare industry. Healthcare organizations must ensure that workforce members can only access the patient information needed to do their jobs,” said OCR Director Melanie Fontes Rainer. “HIPAA-covered entities must have robust policies and procedures in place to ensure patient health information is protected from identity theft and fraud.”
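As an added illustration of the control OCR describes above (workforce access limited to what the job requires), the following Python is not part of the article or of any hospital's system: it flags chart accesses whose user role cannot justify opening a record, or whose user has no documented treatment relationship with the patient. The audit log format, role names and care-team table are constructed for the example.

```python
"""Flag EMR chart accesses that lack a legitimate work reason (added example)."""
from collections import Counter
from dataclasses import dataclass

# Roles whose duties can ever justify opening a patient chart (assumption).
CLINICAL_ROLES = {"physician", "nurse", "registration"}

@dataclass(frozen=True)
class Access:
    ts: str
    user: str
    role: str
    mrn: str        # medical record number
    action: str

def parse_line(line: str) -> Access:
    """Parse one constructed audit line of the form ts|user|role|mrn|action."""
    ts, user, role, mrn, action = line.strip().split("|")
    return Access(ts, user, role, mrn, action)

def find_suspect_accesses(lines, care_team):
    """Return (access, reason) pairs: the role is non-clinical, or the user is a
    clinician who is not on the patient's documented care team (mrn -> set of users)."""
    suspect = []
    for line in lines:
        a = parse_line(line)
        if a.role not in CLINICAL_ROLES:
            suspect.append((a, "non-clinical role"))
        elif a.user not in care_team.get(a.mrn, set()):
            suspect.append((a, "no treatment relationship"))
    return suspect

def users_by_volume(suspect):
    """Count flagged chart opens per user; repeat offenders sort first."""
    return Counter(a.user for a, _ in suspect).most_common()

# Constructed sample audit lines (not real data).
SAMPLE_LOG = [
    "2023-02-01T08:02|rn_lee|nurse|MRN001|view_chart",
    "2023-02-01T08:05|guard07|security|MRN001|view_chart",
    "2023-02-01T08:07|guard07|security|MRN002|view_chart",
    "2023-02-01T08:10|dr_kim|physician|MRN002|view_chart",
    "2023-02-01T08:12|guard12|security|MRN003|view_chart",
    "2023-02-01T08:15|rn_lee|nurse|MRN003|view_chart",
]
# Constructed care-team table: users documented as treating each patient.
CARE_TEAM = {"MRN001": {"rn_lee", "dr_kim"}, "MRN002": {"dr_kim"}, "MRN003": {"dr_ng"}}

if __name__ == "__main__":
    for a, reason in find_suspect_accesses(SAMPLE_LOG, CARE_TEAM):
        print(f"{a.ts} {a.user:8} {a.role:10} {a.mrn} {reason}")
    print(users_by_volume(find_suspect_accesses(SAMPLE_LOG, CARE_TEAM)))
```

In a real deployment the care-team table would come from encounter or scheduling data, and the per-user counts are what surface a pattern like many guards each opening charts over months.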

This is the 6th OCR HIPAA enforcement action of 2023 that has resulted in a financial penalty, and the second to be announced by OCR this month. So far this year, penalties totaling $1,901,500 have been imposed by OCR to resolve violations of the HIPAA Rules.


Johns Hopkins Investigating Cyberattack and Data Breach

Johns Hopkins University and Johns Hopkins Health System are investigating a May 31, 2023, cyberattack and data breach that targeted a widely used software tool. While the targeted tool was not named, the breach date coincides with the Clop/FIN11 attacks on the MOVEit Transfer managed file transfer solution.

While the investigation into the data breach is ongoing, the initial findings indicate that sensitive personal and financial information was impacted, including names, contact information, and health billing records. Notifications will be sent to all affected individuals in the coming weeks once the full scope and breadth of the breach are determined. Johns Hopkins has confirmed that credit monitoring services will be offered to affected individuals. In the meantime, Johns Hopkins urges all students, faculty, staff, and their dependents to take immediate action to protect their personal information, including reviewing their statements, credit reports, and accounts for unusual activity, and considering placing a fraud alert and credit freeze with a national credit bureau.

At this stage, it is unclear how many individuals have been affected.

PHI of 33,000 Patients Exposed in Maimonides Medical Center Cyberattack

Maimonides Medical Center in Brooklyn, NY, has confirmed that the protected health information of approximately 33,000 patients was stored on systems that were accessed by an unauthorized individual. The security breach was discovered on April 4, 2023, and unauthorized access was immediately blocked. The forensic investigation confirmed the initial access occurred on March 18, 2023.

The review of affected files revealed the majority of individuals only had their names, addresses, and limited clinical information exposed, such as diagnoses and treatment information; however, some individuals also had their Social Security numbers exposed. Affected individuals have been offered 24 months of complimentary credit monitoring and identity theft protection services. Third-party cybersecurity experts were hired to assess system security and ensure that adequate safeguards were in place, and additional authentication measures have now been implemented.

iSpace Inc. Notifies 24,400 Individuals About Data Breach

iSpace, Inc., a provider of insurance eligibility services, has recently started notifying 24,382 individuals about a cyberattack that was discovered on February 5, 2023. In a May 31, 2023, notification to the California Attorney General, iSpace explained that the forensic investigation confirmed a system compromise had occurred and that there was file exfiltration between January 30 and February 5, 2023.

The analysis of the impacted files confirmed that they contained names, Social Security numbers, dates of birth, diagnosis information, health insurance group/policy numbers, health insurance information, subscriber numbers, and prescription information. At the time of issuing notifications, no actual or attempted misuse of the affected individuals’ information had been detected. iSpace said it engaged the services of security specialists to assist in examining its privacy and security policies and practices and will update them accordingly. The delay in issuing notifications was due to the lengthy investigation and data review process, which was completed on March 3, 2023, and the subsequent verification of contact information.

Normal Operations Resume After Richmond University Medical Center Ransomware Attack

Richmond University Medical Center (RUMC) in West Brighton, NY, has confirmed that it has fully recovered from a ransomware attack that was detected in the first week of May. The attack forced the medical center to shut down systems and activate its emergency protocols, and the staff recorded patient information manually while systems were restored. The investigation into the ransomware attack is ongoing to determine the extent to which patient information was involved, and notification letters will be sent to affected individuals when that process has been completed.


21,000-Record Data Breach Sparks Trinity Health Class Action Lawsuit

A class action lawsuit has been filed in the U.S. District Court for the Southern District of Iowa against Trinity Health, Mercy Health Network, and Mercy Medical Center – Clinton over a cyberattack and data breach that affected 21,000 patients.

Livonia, MI-based Trinity Health, which operates Mercy Health Network and Mercy Medical Center – Clinton in Iowa, discovered a cyberattack on April 4, 2023, the forensic investigation of which confirmed hackers had gained access to systems containing patients’ protected health information on March 7, 2023, and maintained access to those systems until April 7, when its systems were secured. The data exposed and potentially stolen in the attack included names, addresses, birth dates, Social Security numbers, diagnosis codes, treatment information, prescription information, and service/discharge. Trinity Health offered affected individuals complimentary credit monitoring services for 12 months.

On June 12, 2023, a lawsuit was filed on behalf of plaintiff Jennifer Medenblik that alleges the defendants failed to protect the sensitive data of patients and to monitor their systems for intrusions, which allowed hackers to gain access to the network and the protected health information of 21,000 patients and remain undetected within those systems for a month. The lawsuit alleges violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, and a failure to follow healthcare industry best practices for protecting sensitive data and Federal Trade Commission (FTC) guidelines.

Trinity Health notified affected patients about the attack; however, the lawsuit claims those notifications were inadequate and failed to provide the necessary support. The lawsuit also claims that the defendants have not provided satisfactory assurances to patients that the impacted data has been recovered or deleted, nor that adequate cybersecurity measures have been implemented since the data breach to prevent further security breaches in the future.

The 8-count lawsuit, Medenblik v. Trinity Health Corporation et al., includes allegations of negligence, breach of contract, and breach of confidence, and claims the plaintiff and class members have suffered and are at an imminent, immediate, and continuing increased risk of suffering ascertainable losses. The lawsuit seeks class action status, a jury trial, an award of damages, and funds to cover a lifetime of credit monitoring services and identity theft insurance for the plaintiff and class members.
