HIPAA Breach News

$30 Million Settlement Agreed to Resolve Integris Health Class Action Data Breach Lawsuit

Integris Health has agreed to pay $30 million to settle class action data breach litigation. The settlement resolves claims stemming from a major data breach in 2023 that saw hackers gain access to systems containing the electronic protected health information of more than 2.38 million individuals.

Integris Health, one of the largest health systems in Oklahoma, first announced the cyberattack and data breach in December 2023. Hackers gained access to its computer network on November 28, 2023, and exfiltrated files containing patient data. The threat actor did not encrypt files but demanded payment to prevent the release of the stolen data. On December 24, 2023, Integris Health started to be contacted by patients who had been contacted directly by the threat actor, who was demanding $50 per patient to delete their stolen data.

The HHS’ Office for Civil Rights was notified about the data breach in February 2024 and was told that the protected health information of 2,385,646 individuals was compromised in the attack. The stolen data included names, contact information, birth dates, demographic information, and Social Security numbers. Several class action lawsuits were filed in response to the data breach, which were consolidated into a single lawsuit – Bointy, et al. v. Integris Health, Inc. – as the lawsuits had overlapping claims and were based on the same facts. In total, ten class action lawsuits were filed in the District Court of Oklahoma County, and a further eleven were filed in the U.S. District Court for the Western District of Oklahoma.

The consolidated lawsuit was filed in the District Court of Oklahoma County and alleged that Integris Health had failed to implement reasonable and appropriate safeguards to protect the data stored on its network. In contrast to the OCR breach portal, the lawsuit claimed the protected health information of 2,426,868 individuals was compromised in the incident, including 255,647 minors.

Integris Health claimed that business associate Tech Mahindra, LLC, was to blame for the breach, as it was caused by its failure to maintain reasonable and appropriate cybersecurity measures. Tech Mahindra filed a motion to compel arbitration and dismiss the lawsuit, and Integris Health voluntarily dismissed Tech Mahindra from the litigation. Integris Health maintains there was no wrongdoing and no liability and denies all material allegations made by the plaintiffs; however, the decision was taken to settle the lawsuit to avoid the cost, risk, and uncertainty of continuing with the litigation. Following settlement discussions between Integris Health and legal counsel for the plaintiffs, a suitable settlement was agreed upon, which has now received preliminary approval from the court.

The settlement provides substantial benefits for the class members. Integris Health has agreed to establish a $30 million settlement fund to cover attorneys’ fees and expenses, service awards for class representatives, settlement administration costs, and benefits for the class members. Benefits will be paid from the remainder of the settlement fund after all costs have been deducted.

All class members are entitled to claim three years of credit monitoring services, which include a $1 million identity theft insurance policy. In addition, class members may claim one of two cash payments. Claims may be submitted for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $25,000 per class member. Alternatively, a claim may be submitted for a cash payment, which is estimated to be $100 per class member, but will be adjusted pro rata upward or downward depending on the number of valid claims received. The cash payments will exhaust the settlement fund.

Individuals wishing to object to or exclude themselves from the settlement must do so by December 21, 2025. Claims must be submitted by December 22, 2025, and the final approval hearing has been scheduled for December 16, 2025.

February 13, 2025: Integris Health Confirms 2.39 Million Individuals Affected by Cyberattack

Integris Health has completed the review of the files that were accessed/stolen in its November 2023 cyberattack and has reported the incident to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) as affecting 2,385,646 individuals. The HIPAA breach notices explain that the information stolen in the cyberattack varies from individual to individual and includes names in combination with one or more of the following: date of birth, contact information, demographic information, and/or Social Security number. Integris Health’s investigation confirmed that employment information, driver’s licenses, financial/payment information, and usernames/passwords were not accessed or stolen. Integris Health said it has reviewed and enhanced existing policies and procedures to reduce the likelihood of a similar future incident.

The lawsuits against Integris Health are mounting. One of the latest, Johnston v. Integris Health Inc., was filed in the U.S. District Court for the Western District of Oklahoma and names Teresa Johnson as lead plaintiff. The lawsuit alleges negligence for failing to implement reasonable and appropriate safeguards and seeks compensatory damages, punitive damages, nominal damages, restitution, injunctive and declaratory relief, and attorney fees and costs. The class action lawsuits make similar claims and are based on the same facts, so they are likely to be consolidated into a single lawsuit.

Jan 4, 2024: Integris Health Facing Multiple Class Action Lawsuits Over Cyberattack & Data Breach

Several class action lawsuits have been filed against Integris Health over its recent cyberattack and data breach. While Integris Health has yet to confirm how many individuals have been affected, the threat actor behind the attack claims to have obtained the data of around 2 million patients and emailed those patients directly on December 24, 2023, demanding payment after Integris Health refused to pay the ransom.

One of the lawsuits – Zinck et al v. Integris Health Inc. – was filed by William Federman of the law firm Federman & Sherman in the U.S. District Court for the Western District of Oklahoma on behalf of plaintiff Aaron Zinck and similarly situated individuals. The lawsuit alleges that Integris Health failed to implement reasonable and appropriate security measures to protect patient data, despite being aware of a high risk of ransomware and other cyberattacks on hospitals.

Federman criticized Integris Health for the lack of transparency about the cyberattack and data breach, claiming Integris Health did not make any announcement about the attack until after patients were contacted directly by the hackers. Integris Health explained in its notification to patients that the threat actor gained access to its systems on November 28, 2023. Federman alleges Integris Health withheld important information that could have allowed the plaintiff and class members to take action to secure their identities and protect against fraud. While it is typical for healthcare organizations to offer complimentary credit monitoring and identity theft protection services when sensitive data is known to have been stolen, those services do not appear to have been offered.

The lawsuit seeks a jury trial, an award of damages, and attorney’s fees. Several other lawsuits have also been filed in the past few days that make similar claims, including Joseph E Bointy v. Integris Health, Gregory Leeb v. Integris Health, and Civi et al v. Integris Health Inc.

December 27, 2023 – Integris Health Patients Contacted Directly by Threat Actors After Cyberattack

Integris Health, the largest not-for-profit Oklahoma-owned health system in the state, has confirmed that its internal systems have been compromised in a cyberattack and an unauthorized third party obtained patient data. Integris Health operates 15 hospitals in Oklahoma and many specialty clinics, family care practices, and centers of excellence. Integris Health uploaded a notice to its website on December 24, 2023, about a data privacy incident. According to Integris Health, suspicious activity was detected within its IT systems, and immediate action was taken to prevent further unauthorized access. An investigation was launched to determine the nature and scope of the breach, which revealed that the unauthorized access started on November 28, 2023. The unauthorized actor exfiltrated sensitive data from Integris Health’s systems but did not encrypt files.

Integris Health has conducted a review of the affected files and has confirmed that the compromised information includes names, dates of birth, contact information, demographic information, and Social Security numbers. Integris Health said health information, financial information, driver’s licenses, and usernames/passwords were not stolen. On December 24, 2023, Integris Health started to be contacted by some of its patients after they received communications from a group that claimed responsibility for the cyberattack. The threat group explained in the communications with patients that they had obtained names, dates of birth, SSNs, addresses, phone numbers, insurance information, and employer information, and that they would be selling the data on the dark web to be used for fraud and identity theft. Patients were told they could prevent the sale of their data by making a payment before January 5, 2024; otherwise, the entire database would be sold to a data broker. The communications with patients include a sample of the stolen data as proof, which some patients have confirmed is genuine.

The threat actor claims to have obtained the protected health information of more than 2 million Integris Health patients, and that the reason for demanding payment from patients is that Integris Health has refused to pay to have the information deleted. The patients have been provided with a Tor link to make payment and the threat actor is charging individuals $3 to view their stolen data or $50 to have the data deleted. According to Bleeping Computer, the Tor extortion site lists 4,674,000 records, although it is unclear if all of those records are unique. Integris Health has yet to confirm how many individuals have been affected.

There have been several recent cyberattacks where individual patients have been contacted directly by the threat actors behind the attack after the breached organization refused to pay a ransom demand. Earlier this year, patients of a plastic surgery clinic were contacted directly and were told that sensitive photographs and other information had been put in the public domain and payment was required to have the information taken down. Recently, the Hunters International threat group contacted patients of the Fred Hutchinson Cancer Center when the ransom was not paid and told the patients they had to pay $50 to have their information deleted, otherwise it would be sold. The data was stolen in a cyberattack over the Thanksgiving Day weekend.

While paying the $50 may result in the stolen data being deleted, there is no guarantee. Individuals who pay up could be subjected to further extortion attempts, and/or their sensitive data may still be sold. “We encourage anyone receiving such communications to NOT respond or contact the sender, or follow any of the instructions, including accessing any links,” said Integris Health in its website notification.

The post $30 Million Settlement Agreed to Resolve Integris Health Class Action Data Breach Lawsuit appeared first on The HIPAA Journal.

Another Corewell Health Business Associate Suffers Million-Record Data Breach

The Michigan Attorney General’s Office announced on Tuesday that the protected health information of more than one million Corewell Health patients had been compromised in a cyberattack on one of Corewell Health’s vendors. HealthEC provides Corewell Health with a population health management platform that is used to identify high-risk patients in southeastern Michigan to close gaps in care and identify barriers to optimal care.

HealthEC explained in its breach notification letters that suspicious activity was identified within its network and the forensic investigation determined that an unknown, unauthorized actor had access to some internal systems between July 14, 2023, and July 23, 2023. During that time, files containing protected health information were removed from its systems. HealthEC conducted a review of all files on the compromised part of the network and notified its affected clients on October 26, 2023. HealthEC then worked with those clients to issue notifications. According to the notification sent to the Maine Attorney General, HealthEC started mailing notification letters to 112,005 individuals on December 22, 2023. Some of HealthEC’s covered entity clients have opted to send notification letters themselves.

According to HealthEC, the following types of information were compromised: names, addresses, dates of birth, Social Security numbers, medical record numbers, diagnoses and diagnosis codes, mental/physical condition, prescription information, providers’ names, beneficiary numbers, subscriber numbers, Medicaid/Medicare identification numbers, patient account numbers, patient identification numbers, and treatment cost information. HealthEC has offered complimentary credit monitoring and identity theft protection services to the affected individuals for 12 months.

Data breaches at business associates of HIPAA-covered entities often affect many of their clients. Another HealthEC client known to have been affected is Beaumont ACO in Michigan. It is possible that individuals may receive two notification letters related to this incident if they have previously received services from Corewell Health and Beaumont ACO.

This is the second major data breach to affect Corewell Health patients this year. In November, Welltok Inc., which provides patient communication services, started notifying around one million Corewell Health patients that some of their protected health information had been stolen when a zero-day vulnerability was exploited in Progress Software’s MOVEit Transfer file transfer solution. The two incidents are unrelated and were conducted by separate threat actors. Corewell Health patients had their names, dates of birth, email addresses, phone numbers, diagnoses, health insurance information, and Social Security numbers stolen by the Clop hacking group. The same breach also affected Priority Health, which is Corewell Health’s insurance plan.

“Health information is some of the most personal information we have,” said Michigan Attorney General Dana Nessel. “Michigan residents have been subjected to a surge of healthcare-related data breaches and deserve robust protection. It is critical that the Michigan legislature join the many other states that require companies who experience a data breach to immediately inform the Department of Attorney General.”


December Healthcare Data Breach Round-Up

Data breaches have been reported by Cardiothoracic and Vascular Surgeons, ZOLL Medical Corporation, Erie Family Health Centers, Health Diagnostic Management, BlueCross BlueShield of Tennessee, and Rush System for Health.

Cardiothoracic and Vascular Surgeons Investigating Cyberattack

Cardiothoracic and Vascular Surgeons in Texas discovered on October 13, 2023, that its systems had been accessed by an unauthorized individual. The forensic investigation confirmed there had been unauthorized access to its IT systems between October 12 and October 13, 2023, and during that time, an unauthorized third party may have viewed or obtained files containing patient information.

The review of the affected files is still ongoing, but the following types of information are anticipated to have been exposed: individuals’ names, Social Security Numbers, credit card information, account numbers and passwords, financial account information, driver’s licenses, dates of birth, medical record numbers, health insurance information, patient account numbers, doctors’ or medical professionals’ names, treatment information, procedure codes, diagnosis codes, Medicaid/Medicare numbers, dates of treatment, prescription information, diagnosis and symptoms information.

Cardiothoracic and Vascular Surgeons said they are reviewing their policies, procedures, and processes related to the storage and access of sensitive information to reduce the likelihood of a similar future incident. Since the number of individuals affected has yet to be established, the breach has been reported to the HHS’ Office for Civil Rights with an interim figure of 500 individuals and will be updated when the file review is completed.

PHI Compromised in Phishing Attack on ZOLL Medical Corporation

ZOLL Medical Corporation has recently announced that it was the victim of a sophisticated phishing attack. An employee responded to a phishing email and disclosed credentials that allowed the email account to be accessed. According to the breach notice provided to the Maine Attorney General, the attack occurred on August 2, 2023, and it was detected on November 1, 2023.

The review of the account confirmed it contained names, addresses, and Social Security numbers. The breach was reported to the Maine Attorney General as affecting 15,276 individuals in total. The HHS’ Office for Civil Rights breach portal indicates the PHI of 8,898 individuals was compromised. ZOLL Medical has offered the affected individuals 36 months of credit monitoring and identity theft protection services.

Email Account Breach Reported by Erie Family Health Centers

Erie Family Health Centers has recently confirmed that the protected health information of 6,351 patients was potentially accessed or obtained by an unknown threat actor who gained access to the email account of one of its employees on October 1, 2023. The email account breach was detected on October 19, 2023, and the account was immediately secured. Erie Family Health Centers engaged a cybersecurity company to determine whether patient data had been viewed. No evidence of unauthorized access to patient data was found, nor evidence of any uploads of patient data to the dark web. The information in the account included names, dates of birth, medical record numbers, dates of service, laboratory test tracking numbers, and insurance identification numbers. Affected patients have been offered complimentary credit monitoring services.

Health Diagnostic Management Announces Patient Portal Breach

Health Diagnostic Management (HDM), a New York-based provider of non-medical management services for diagnostic imaging centers, experienced a breach of its patient portal on October 12, 2023. The vendor that operates the HDM patient portal identified suspicious activity on October 13, 2023. Its investigation revealed that valid credentials for a referring physician from Brooklyn Premiere Orthopedics were used to access the patient portal. Brooklyn Premiere Orthopedics announced it had suffered a data breach the week before the unauthorized activity was detected, leading HDM to conclude that the credentials were stolen in that breach.

The review of the affected accounts concluded on November 21, 2023, and affected individuals were notified on October 16, 2023. Affected individuals have been offered complimentary credit monitoring services. HDM is in the process of implementing additional security safeguards, and has engaged a third-party vendor to conduct penetration tests on the patient portal after the security updates are implemented. The breach was reported to the HHS’ Office for Civil Rights as affecting 1,863 individuals.

BlueCross BlueShield of Tennessee Affected by MOVEit Hack

BlueCross BlueShield of Tennessee (BCBST) has announced that the protected health information of 1,665 of its members was stolen by the Clop hacking group, which exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer tool. MOVEit Transfer was used by the BCBST business associate NASCO for file transfers. The vulnerability was exploited on May 30, 2023, and NASCO learned it had been affected on July 12, 2023, and notified BCBST about the breach on October 20, 2023. The information compromised in the incident was limited to health insurance numbers, group numbers and names, claim information, medical ID numbers, dates of service, procedure codes, and provider names. NASCO is notifying the affected BCBST members and is offering 24 months of identity monitoring services.

Rush System for Health Notifies Patients About Email Error

An email error at Rush University System for Health resulted in research surveys being misdirected on October 25, 2023, with the name of a patient being visible to another recipient of the survey. No other information was exposed. The error occurred because a spreadsheet became misaligned during data sorting, which resulted in the impermissible disclosure of the names of 4,961 patients.


Ransomware Groups Attack 3 Healthcare Providers

Liberty Hospital in Kansas City is recovering from a cyberattack that has disrupted its IT systems. The cyberattack was detected on the morning of December 19, 2023, and the decision was taken to divert ambulances to other facilities until access to IT systems was restored. Some appointments have been canceled and will be rescheduled. Liberty Hospital has only released limited information about the attack; however, KMBC News obtained a copy of a ransom note. The hackers claim to have downloaded all confidential data stored on its systems and gave the hospital 72 hours to make contact. The threat actor behind the attack is currently unknown.

The Qilin ransomware group has recently added the Neurology Center of Nevada to its data leak site and claims to have exfiltrated at least 198 GB of sensitive data. Neurology Center of Nevada has not publicly confirmed whether the claims of Qilin are genuine. There is no mention of a cyberattack or data breach on its website. If Qilin’s claims are genuine, this will be the second ransomware attack in a year for the Neurology Center of Nevada.

The DragonForce threat group, which was responsible for a recent attack on the Heart of Texas Behavioral Health Network, has claimed responsibility for an attack on Greater Cincinnati Behavioral Health Services and has added it to its data leak site. DragonForce claims to have exfiltrated 72.4 GB of data in the attack although the stolen data has not been uploaded to the group’s data leak site. Greater Cincinnati Behavioral Health Services has not made any announcement about a cyberattack.

4 Over, LLC Notifies Group Health Plan Members About November 2022 Cyberattack

The Glendale, CA-based printing company, 4 Over, LLC, has experienced a cyberattack in which hackers gained access to parts of its network that contained the protected health information of 6,491 members of its group health plan. Suspicious activity was detected within its network on November 19, 2022, and the forensic investigation confirmed there had been unauthorized network access between November 16, 2022, and November 19, 2022. Notification letters started to be sent to the affected individuals on December 5, 2023, more than a year after the breach was detected. 4 Over said the delay was due to undertaking “a time-intensive and thorough review” of the impacted documents.

The information potentially removed from its systems included full names, Social Security numbers, driver’s license or state-issued identification numbers, financial account numbers or credit or debit card numbers, Passport numbers, medical information, treatment information, diagnosis information, health insurance information, and dates of birth. 4 Over said it is reviewing its existing policies and procedures regarding cybersecurity and is evaluating additional measures and safeguards to protect against this type of incident in the future.

Email Accounts Compromised at VNS Health

VNS Health Home Care, VNS Health Hospice Care, and VNS Health Personal Care in New York recently notified patients that an unauthorized third party gained access to the email accounts of some of its employees and potentially viewed or obtained some of their protected health information. Unauthorized access was detected on August 14, 2023, and the investigation revealed several employee email accounts had been accessed by an unauthorized third party between August 10, 2023, and August 14, 2023.

On September 14, 2023, VNS Health determined that emails and associated files in the accounts contained information such as names, dates of birth, addresses, phone numbers, diagnosis and treatment information, and health insurance information. VNS Health said the email accounts appeared to have been compromised to defraud individual VNS personnel rather than to obtain patient information.

VNS Health has implemented additional safeguards and measures to further protect and monitor its systems, including technical systems enhancements, updated security policies and protocols, and staff education. The breach has been reported to the HHS’ Office for Civil Rights as affecting 5,175 VNS Health Personal Care patients and 13,584 members of VNS Health’s Health Plans.

Lake County Health Department Reports Email Account Breach

Lake County Health Department in Illinois is investigating a security incident involving unauthorized access to an employee’s email account. The account breach was detected on November 1, 2023, and the investigation confirmed that the account contained partially de-identified information relating to Lake County residents who may have been part of a disease cluster or outbreak investigated by the health department between July 2014 and October 2023.

No evidence was found that indicated any information in the email account was exfiltrated, but data theft could not be ruled out. The information in the account only included names, addresses, ZIP codes, dates of birth, phone numbers, email addresses, and diagnoses/conditions. The incident is not yet showing on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

PHI Potentially Obtained in Fresno Surgical Hospital Cyberattack

Fresno Surgical Hospital in California experienced a cyberattack that was detected and blocked on November 4, 2023. Third-party cybersecurity experts were engaged to investigate to determine the nature and extent of the incident and confirmed that some data had been removed from its network on November 4, 2023. All files on the compromised parts of the network were reviewed, and on December 11, 2023, Fresno Surgical Hospital confirmed that personal information may have been involved.

The types of information involved varied from patient to patient and may have included names in combination with one or more of the following: demographic/contact information such as address and date of birth, medical and/or treatment information such as provider and facility names, medical record number or other patient identifiers, diagnosis information, procedure information, and other clinical information. Fresno Surgical Hospital said security and monitoring capabilities are being enhanced and systems are being hardened to minimize the risk of similar incidents in the future.


Heart of Texas Behavioral Health Network Cyberattack Affects 63,776 Individuals

The Heart of Texas Behavioral Health Network (HOTBHN), formerly the Heart of Texas Region MHMR Center, a provider of services to individuals and families with developmental and intellectual disabilities, has recently announced that an unauthorized individual may have accessed the sensitive information of 63,776 individuals in a recent cyberattack.

The attack was detected on October 22, 2023, access to the network was immediately shut down, and a third-party forensic incident response firm was engaged to investigate the breach and determine the extent of the unauthorized activity. HOTBHN said it “found no evidence that patient information had been specifically misused,” but confirmed that patient information had been exposed to a third party. The types of information exposed varied from individual to individual and may have included one or more of the following: first and last name, address, Social Security number, date of birth, medical record number, health insurance policy number, and medical and treatment information.

HOTBHN said it has reviewed and enhanced its technical safeguards to prevent a similar incident in the future and has notified the affected individuals and offered them complimentary credit monitoring services and identity theft protection services for 12 months. A threat group known as DragonForce has claimed responsibility for the attack and claims to have exfiltrated almost 56 GB of data. HOTBHN has been added to the group’s data leak site, but the data is not currently accessible.

United Healthcare Services, Inc. Notifies 4,264 Individuals About Email Account Breach

United Healthcare Services, Inc. Single Affiliated Covered Entity (UHS) has recently reported a data breach to the HHS’ Office for Civil Rights that has affected 4,264 individuals. An unauthorized individual gained access to the email account of an employee of Equality Health, an Accountable Care Organization that serves some UHC members. The account was accessed between April 11, 2023, and April 12, 2023. Equality Health notified UHS about the breach on October 16, 2023. The review of the account confirmed that the following information was contained in the email account: names, dates of birth, genders, addresses, Social Security numbers, UHC member ID numbers, Medicare ID numbers, Medicare plan information, and primary care provider information.

According to UHS, the breach was the result of an employee error and a previous inappropriate disclosure of patient information. In September 2020, a UHC employee sent member information to an Equality Health employee when attempting to confirm whether their primary care provider was in Equality Health’s network. The UHC employee should not have included the information in the email when doing so. Neither UHS nor Equality Health was aware of the impermissible disclosure until recently. Equality Health’s investigation uncovered no evidence of misuse of any of the exposed data.

The affected individuals have been notified and Equality Health has offered them complimentary credit monitoring services. The employee responsible for the initial impermissible disclosure has received further training.

14,040 Individuals Impacted by Coos Health and Wellness Cyberattack

The Coos, OR, Public Health Department, Coos Health & Wellness, has recently notified 14,040 individuals that some of their protected health information was exposed and potentially obtained by unauthorized individuals in an April 2023 cyberattack.

Unauthorized activity was detected within its network on November 28, 2023. The forensic investigation confirmed that an unauthorized individual gained access to the network on or around April 28, 2023, and potentially acquired certain files. The file review confirmed on November 20, 2023, that the exposed information included names, Social Security numbers, driver’s license numbers, state identification numbers, medical information, and health insurance information. Notification letters have now been issued and the affected individuals have been offered 12 months of complimentary services through IDX. Coos Health & Wellness said it has implemented additional security features to prevent similar incidents in the future.

City of Homer Reports Lost Device Containing PHI of 1,412 Individuals

The City of Homer in Alaska has recently confirmed that the protected health information of 1,412 individuals was stored on a portable storage device that has gone missing. The device was used to assist the City with its data migration efforts, and it appears to have been misplaced. A thorough search was conducted but the device could not be located. The device contained a backup of medical information collected by the City in the course of responding to emergency medical service and transportation calls, which may have included Social Security numbers and/or dates of birth. City officials are unaware of any attempted or actual misuse of the exposed data.

The post Heart of Texas Behavioral Health Network Cyberattack Affects 63,776 Individuals appeared first on HIPAA Journal.

November 2023 Healthcare Data Breach Report

After two months of declining healthcare data breaches, there was a 45% increase in reported breaches of 500 or more healthcare records. In November, 61 large data breaches were reported to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) – three more than the monthly average for 2023. From January 1, 2023, through November 30, 2023, 640 large data breaches have been reported.

In addition to an increase in data breaches, there was a massive increase in the number of breached records. 22,077,489 healthcare records were exposed or compromised across those 61 incidents – a 508% increase from October. November was the second-worst month of the year in terms of breached records behind July, when 24 million healthcare records were reported as breached. There is still a month of reporting left but 2023 is already the worst-ever year for breached healthcare records. From January 1, 2023, through November 30, 2023, 115,705,433 healthcare records have been exposed or compromised – more than the combined total for 2021 and 2022.

Largest Healthcare Data Breaches in November 2023

November was a particularly bad month for large data breaches, with 28 breaches of 10,000 or more records, including two breaches of more than 8 million records. Two of the breaches reported in November rank in the top ten breaches of all time, and both occurred at business associates of HIPAA-covered entities. The largest breach occurred at Perry Johnson & Associates, Inc. (PJ&A), a provider of medical transcription services. The PJ&A data breach was reported to OCR as affecting 8,952,212 individuals, although the total is higher, as some of its clients have chosen to report the breach themselves. Hackers had access to the PJ&A network for more than a month between March and May 2023.

The second-largest breach was reported by Welltok, Inc. as affecting 8,493,379 individuals. Welltok works with health plans and manages communications with their subscribers. The Welltok data breach is one of many 2023 data breaches involving the exploitation of a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution by the Clop hacking group. Globally, more than 2,615 organizations had the vulnerability exploited and data stolen.

A further three data breaches were reported that involved the protected health information of more than 500,000 individuals. Sutter Health was also one of the victims of the mass hacking of the MOVEit vulnerability and had the data of 845,441 individuals stolen, as did Blue Shield of California (636,848 records). In both cases, the MOVEit tool was used by business associates of those entities. East River Medical Imaging in New York experienced a cyberattack that saw its network breached for three weeks between September and October 2023, during which time the hackers exfiltrated files containing the PHI of 605,809 individuals. All 28 of these large data breaches were hacking incidents that saw unauthorized access to network servers.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
|---|---|---|---|---|
| Perry Johnson & Associates, Inc., which does business as PJ&A | NV | Business Associate | 8,952,212 | Hacking and data theft incident |
| Welltok, Inc. | CO | Business Associate | 8,493,379 | Hacking incident (MOVEit Transfer) |
| Sutter Health | CA | Healthcare Provider | 845,441 | Hacking incident at business associate (MOVEit Transfer) |
| California Physicians’ Service d/b/a Blue Shield of California | CA | Health Plan | 636,848 | Hacking incident at business associate (MOVEit Transfer) |
| East River Medical Imaging, PC | NY | Healthcare Provider | 605,809 | Hacking and data theft incident |
| State of Maine | ME | Health Plan | 453,894 | Hacking incident (MOVEit Transfer) |
| Proliance Surgeons | WA | Healthcare Provider | 437,392 | Ransomware attack |
| Medical Eye Services, Inc. | NY | Business Associate | 377,931 | Hacking incident (MOVEit Transfer) |
| Medical College of Wisconsin | WI | Healthcare Provider | 240,667 | Hacking incident (MOVEit Transfer) |
| Warren General Hospital | PA | Healthcare Provider | 168,921 | Hacking and data theft incident |
| Financial Asset Management Systems (“FAMS”) | GA | Business Associate | 164,796 | Ransomware attack |
| Morrison Community Hospital District | IL | Healthcare Provider | 122,488 | Ransomware attack (BlackCat) |
| South Austin Health Imaging LLC dba Longhorn Imaging Center | TX | Healthcare Provider | 100,643 | Hacking and data theft incident (SiegedSec threat group) |
| Mulkay Cardiology Consultants at Holy Name Medical Center, P.C. | NJ | Healthcare Provider | 79,582 | Ransomware attack (NoEscape) |
| International Paper Company Group Health and Welfare Plan (the “IP Plan”) | TN | Health Plan | 78,692 | Hacking incident at business associate (MOVEit Transfer) |
| CBIZ KA Consulting Services, LLC | NJ | Business Associate | 30,806 | Hacking incident (MOVEit Transfer) |
| Endocrine and Psychiatry Center | TX | Healthcare Provider | 28,531 | Hacking and data theft incident |
| Blue Shield of California OR Blue Shield of California Promise Health Plan | CA | Business Associate | 26,523 | Hacking incident at business associate (MOVEit Transfer) |
| Wyoming County Community Health System | NY | Healthcare Provider | 26,000 | Hacking and data theft incident |
| Westat, Inc. | MD | Business Associate | 20,045 | Hacking incident (MOVEit Transfer) |
| Psychiatry Associates of Kansas City | KS | Healthcare Provider | 18,255 | Hacking and data theft incident |
| Southwest Behavioral Health Center | UT | Healthcare Provider | 17,147 | Hacking and data theft incident |
| TGI Direct, Inc. | MI | Business Associate | 16,113 | Hacking incident (MOVEit Transfer) |
| Pharmacy Group of Mississippi, LLC | MS | Healthcare Provider | 13,129 | Hacking and data theft incident |
| U.S. Drug Mart, Inc. | TX | Healthcare Provider | 13,016 | Hacking and data theft incident at business associate |
| Catholic Charities of the Diocese of Rockville Centre d/b/a Catholic Charities of Long Island | NY | Healthcare Provider | 13,000 | Hacking and data theft incident |
| Foursquare Healthcare, Ltd. | TX | Healthcare Provider | 10,890 | Ransomware attack |
| Saisystems International, Inc. | CT | Business Associate | 10,063 | Hacking and data theft incident |

November 2023 Data Breach Causes and Data Locations

Many of the month’s breaches involved the mass hacking of a vulnerability in the MOVEit Transfer solution by the Clop threat group. MOVEit data breaches continue to be reported, despite the attacks occurring in late May. According to the cybersecurity firm Emsisoft, at least 2,620 organizations were affected by these breaches, and 77.2 million records were stolen. 78.1% of the affected organizations are based in the United States. Progress Software is currently being investigated by the U.S. Securities and Exchange Commission over the breach. Hacking/ransomware attacks accounted for 88.52% of the month’s data breaches (54 incidents) and 99.94% of the breached records (22,064,623 records). The average data breach size was 408,604 records and the median breach size was 10,477 records.

Ransomware gangs continue to target the healthcare industry, and in November several ransomware groups listed stolen healthcare data on their leak sites including NoEscape and BlackCat. Many hacking groups choose not to use ransomware and instead just steal data and threaten to sell or publish the data if the ransom is not paid, such as Hunter’s International and SiegedSec. Since there is little risk of ransomware actors being apprehended and brought to justice, the attacks are likely to continue. OCR is planning to make it harder for cyber actors to succeed by introducing new cybersecurity requirements for healthcare organizations. These new cybersecurity requirements will be voluntary initially but will later be enforced. New York has also announced that stricter cybersecurity requirements for hospitals will be introduced in the state, and financial assistance will be offered.

There were 6 data breaches classified as unauthorized access/disclosure incidents, across which 10,371 records were impermissibly accessed by or disclosed to unauthorized individuals. The average data breach size was 1,481 records and the median breach size was 1,481 records. There was one reported incident involving the theft of paperwork that contained the protected health information of 2,495 individuals. For the second consecutive month, there were no reported loss or improper disposal incidents. The most common location of breached PHI was network servers, which accounted for 77% of all incidents. 10 incidents involved PHI stored in email accounts.

Where did the Data Breaches Occur?

The OCR data breach portal shows healthcare providers were the worst affected HIPAA-regulated entity in November, with 42 reported data breaches. There were 13 data breaches reported by business associates and 6 data breaches reported by health plans. The problem with these figures is they do not accurately reflect where the data breaches occurred. When a business associate experiences a data breach, they may report it to OCR, the affected covered entities may report the breach or a combination of the two. As such, the raw data often does not accurately reflect the number of data breaches occurring at business associates of HIPAA-covered entities. The data used to compile the charts below has been adjusted to show where the data breach occurred rather than the entity that reported the breach.
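The attribution adjustment described above, applied to rows transcribed from the table earlier in this report, as an added example that is not HIPAA Journal’s own code: a breach whose stated cause places it "at business associate" is re-counted under business associates, and the raw (by reporter) and adjusted (by location) tallies are compared. The row subset and the regex-on-cause rule are this example’s assumptions.

```python
"""Count breaches by where they occurred rather than by who reported them.

Added example, not HIPAA Journal's own tooling. Rows below are transcribed
from the page's November 2023 "largest breaches" table (a subset is enough
to show the effect of the adjustment).
"""
from collections import Counter
import re

# Fields: entity, state, covered entity type (as reported), individuals, cause.
ROWS = [
    ("Perry Johnson & Associates, Inc.", "NV", "Business Associate", 8_952_212,
     "Hacking and data theft incident"),
    ("Welltok, Inc.", "CO", "Business Associate", 8_493_379,
     "Hacking incident (MOVEit Transfer)"),
    ("Sutter Health", "CA", "Healthcare Provider", 845_441,
     "Hacking incident at business associate (MOVEit Transfer)"),
    ("California Physicians' Service d/b/a Blue Shield of California", "CA",
     "Health Plan", 636_848,
     "Hacking incident at business associate (MOVEit Transfer)"),
    ("East River Medical Imaging, PC", "NY", "Healthcare Provider", 605_809,
     "Hacking and data theft incident"),
    ("State of Maine", "ME", "Health Plan", 453_894,
     "Hacking incident (MOVEit Transfer)"),
    ("International Paper Company Group Health and Welfare Plan", "TN",
     "Health Plan", 78_692,
     "Hacking incident at business associate (MOVEit Transfer)"),
    ("U.S. Drug Mart, Inc.", "TX", "Healthcare Provider", 13_016,
     "Hacking and data theft incident at business associate"),
]

# Assumed rule: the cause column names the business associate explicitly
# when the covered entity reported a breach that happened at its vendor.
AT_BA = re.compile(r"\bat business associate\b", re.IGNORECASE)
MOVEIT = re.compile(r"MOVEit", re.IGNORECASE)


def occurred_at(row):
    """Entity type where the breach actually happened (adjusted view)."""
    _entity, _state, etype, _count, cause = row
    return "Business Associate" if AT_BA.search(cause) else etype


def count_by_reporter(rows):
    """Raw portal view: breaches tallied by the type of entity that reported."""
    return Counter(r[2] for r in rows)


def count_by_location(rows):
    """Adjusted view: breaches tallied by where they occurred."""
    return Counter(occurred_at(r) for r in rows)


def records_by_location(rows):
    """Breached records attributed to where the breach occurred."""
    totals = Counter()
    for r in rows:
        totals[occurred_at(r)] += r[3]
    return totals


def moveit_rows(rows):
    """Rows tied to the MOVEit Transfer mass exploitation, whoever reported."""
    return [r for r in rows if MOVEIT.search(r[4])]


if __name__ == "__main__":
    print("by reporter :", dict(count_by_reporter(ROWS)))
    print("by location :", dict(count_by_location(ROWS)))
    print("records     :", dict(records_by_location(ROWS)))
    print("MOVEit rows :", len(moveit_rows(ROWS)))
```

On this subset, four of the eight rows move from provider or health plan to business associate once the cause column is taken into account, which is the gap between the raw portal figures and the charts the report describes.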

Geographical Distribution of Healthcare Data Breaches

Data breaches were reported by HIPAA-regulated entities in 28 states. California was the worst affected state with 8 reported breaches, followed by New York with 6.

| State | Number of Breaches |
|---|---|
| California | 8 |
| New York | 6 |
| Illinois & Texas | 5 |
| Connecticut, Florida, Georgia, Indiana, Iowa, Kansas, Maine, Michigan, Minnesota, New Jersey, Oregon, South Carolina & Washington | 2 |
| Arizona, Colorado, Maryland, Massachusetts, Mississippi, Nevada, Ohio, Pennsylvania, Tennessee, Utah & Wisconsin | 1 |

HIPAA Enforcement Activity in November 2023

OCR announced one enforcement action in November. A settlement was agreed with St. Joseph’s Medical Center to resolve allegations of an impermissible disclosure of patient information to a reporter. OCR launched an investigation following the publication of an article by an Associated Press reporter who had been allowed to observe three patients who were being treated for COVID-19. The article included photographs and information about the patients and was circulated nationally. OCR determined that the patients had not provided their consent through HIPAA authorizations, therefore the disclosures violated the HIPAA Privacy Rule. St. Joseph Medical Center settled the alleged violations and paid an $80,000 financial penalty.

HIPAA is primarily enforced by OCR although State Attorneys General may also investigate HIPAA-regulated entities and they also have the authority to issue fines for HIPAA violations. In November, one settlement was announced by the New York Attorney General to resolve alleged violations of HIPAA and state laws. U.S. Radiology Specialists Inc. was investigated over a breach of the personal and protected health information of 198,260 individuals, including 95,540 New York Residents. The New York Attorney General’s investigation determined that U.S. Radiology Specialists was aware that vulnerabilities existed but failed to address those vulnerabilities in a timely manner. Some of those vulnerabilities were exploited by cyber actors in a ransomware attack. U.S. Radiology Specialists agreed to pay a $450,000 financial penalty and ensure full compliance with HIPAA and state laws.

The post November 2023 Healthcare Data Breach Report appeared first on HIPAA Journal.

Class Action Lawsuits Filed Against ESO Solutions Over Data Breach

Class action lawsuits have started to be filed against ESO Solutions over its recently disclosed cyberattack and data breach that affected almost 2.7 million individuals. The data breach involved sensitive information such as names, contact information, and Social Security numbers and affected many of the company’s healthcare clients.

Two lawsuits – Claybo v. ESO Solutions Inc. and Essie Jones f/k/a Essie McVay v. ESO Solutions Inc. – were filed in the U.S. District Court for the Western District of Texas, Austin Division. Both allege that ESO Solutions failed to implement reasonable and appropriate industry-standard security measures to ensure the privacy and confidentiality of patient data. The lawsuits also allege that ESO Solutions did not properly train staff members on data security protocols, failed to detect the breach of its systems and the theft of data in a timely manner, and then failed to issue timely notifications to the affected individuals. The lawsuits further allege that these data security failures violate the Health Insurance Portability and Accountability Act (HIPAA).

As a direct result of those failures, hackers gained access to the plaintiffs’ and class members’ sensitive data. The plaintiffs and class members now face an imminent and ongoing risk of identity theft and fraud, have suffered other injuries as a result of the breach, and have incurred out-of-pocket expenses. The lawsuits seek a jury trial, class action certification, an award of damages, injunctive relief, and attorneys’ fees. The plaintiffs and class members are represented by Joe Kendall of Kendall Law Group PLLC, Bryan L. Bleichner and Philip J. Krzeski of Chestnut Cambronne PA, and Alexandra M. Honeycutt of Milberg Coleman Bryson Phillips Grossman LLC.

December 21, 2023: ESO Solutions Data Breach: 2.7 Million Individuals Affected

ESO Solutions, a provider of software solutions for hospitals, health systems, EMS agencies, and fire departments, has confirmed that it fell victim to a ransomware attack in September 2023 that resulted in file encryption. ESO Solutions identified suspicious activity within its network on September 28, 2023, and took immediate action to isolate its systems and prevent further unauthorized access to its network.

Third-party digital forensics experts were engaged to investigate the attack and determine the extent of the unauthorized activity. The forensics team confirmed on October 23, 2023, that the attackers had access to parts of its network containing the personal and protected health information of 2.7 million individuals. The information compromised in the incident included names, dates of birth, injury type, injury date, treatment date, treatment type, and, in some cases, Social Security numbers. The attack was reported to the Federal Bureau of Investigation and ESO Solutions has worked cooperatively with the FBI during its investigation. A ransom demand was issued by the attackers; however, ESO Solutions was able to recover the encrypted files from backups.

ESO Solutions notified its affected customers and has been in frequent contact with them to assist them with their response efforts, and offered to issue notifications to patients of its customers. ESO Solutions started mailing notification letters on December 12, 2023. Affected individuals have been offered complimentary credit monitoring and identity theft protection services through Kroll.

The following healthcare organizations are known to have been affected:

  • Ascension – Ascension Providence Hospital in Waco
  • Baptist Memorial Health Care System – Mississippi Baptist Medical Center
  • CaroMont Health
  • Community Health Systems – Merit Health Biloxi & Merit Health River Oaks
  • ESO EMS Agency
  • Forrest Health – Forrest General Hospital
  • HCA Healthcare – Alaska Regional Hospital
  • Memorial Hospital at Gulfport Health System – Memorial Hospital at Gulfport
  • Providence St Joseph Health (AKA Providence) – Providence Kodiak Island Medical Center & Providence Alaska Medical Center
  • Tallahassee Memorial HealthCare – Tallahassee Memorial
  • Universal Health Services (UHS) – Manatee Memorial Hospital & Desert View Hospital
  • Valley Health System  – Centennial Hills Hospital, Desert Springs Hospital, Spring Valley Hospital, Summerlin Hospital, and Valley Hospital

“Given that patient safety and personal information is at risk, organizations cannot afford to put off strengthening their cybersecurity postures. On an average day, more than 55,000 physical and virtual assets are connected to organizational networks; yet an astounding 40% of these assets are left unmonitored – leaving critical, exploitable gaps. Attackers are taking advantage of these gaps; this attack proves that improper access to one machine can mean chaos for an organization,” said Mohammad Waqas, CTO, Healthcare, of the asset intelligence cybersecurity company, Armis. “This attack also highlights the importance of educating organizations that assets incorporate more than simply hardware or medical devices. Other assets that can come under attack include virtual assets, data artifacts, personal health information, user access, among others. It’s critical for healthcare organizations to not only look at cyber risk from a vulnerability perspective, but also factor in assets supporting clinical workflows or storing patient information. By having a comprehensive view of assets, organizations can prioritize compensating controls and risk reduction tactics to help contain and mitigate cyber-attacks. Being able to monitor all assets for anomalous behaviors, connection attempts, and analyze other aspects of attempted access provides the level of visibility needed to help establish preventative policies.”

The HIPAA Journal asked Waqas about the other steps that hospitals can take to improve their defenses against ransomware attacks. “Healthcare organizations of all types must prioritize cyber exposure management to mitigate all cyber asset risks, remediate vulnerabilities, block threats and protect the entire attack surface. Security and IT pros must also consider incorporating critical strategies into their cybersecurity programs, like network segmentation, to increase healthcare cybersecurity. Segmenting a network is a massive project that can span many years, however, it is the project that will accomplish the greatest risk reduction in a healthcare environment,” explained Waqas.

“What’s key for these projects is the proper planning and understanding that a segmentation project will have multiple phases – discovery and inventory, behavioral and communication mapping, policy creation, prioritization, testing, implementation and automation. One growing trend is a risk-based prioritization approach wherein instead of a traditional method of segment lists created by manufacturer or type, organizations can achieve a much faster ROI by identifying and prioritizing the segmentation of critical vulnerable devices first to achieve maximum risk reduction upfront. Cybersecurity pros at healthcare organizations should incorporate these types of solutions and methods right away to help in preventing these types of attacks from impacting their organizations directly, and for protecting them and their patients in the wake of an attack against one of their third-party suppliers.”

The post Class Action Lawsuits Filed Against ESO Solutions Over Data Breach appeared first on HIPAA Journal.

Cardiovascular Consultants Data Breach Affects 484,000 Individuals

Cardiovascular Consultants Ltd., an Arizona-based healthcare provider with offices in Phoenix, Scottsdale, and Glendale, has recently reported a data breach to the HHS’ Office for Civil Rights that involved the protected health information of 484,000 individuals.

On September 29, 2023, Cardiovascular Consultants identified suspicious activity within its computer systems and initiated its incident response and recovery procedures. An investigation was launched and a third-party cybersecurity company was engaged to assist with the investigation, which revealed that unauthorized individuals had access to its systems on or before September 27, 2023.

Cardiovascular Consultants has now confirmed that the hackers exfiltrated files containing sensitive data and used ransomware to encrypt files on the network. Those files were reviewed and found to contain patient data such as names, mailing addresses, birth dates, emergency contact information, Social Security numbers, driver’s license numbers, state ID numbers, insurance policy and guarantor information, diagnosis and treatment information, and other information from medical or billing records.

The data of account guarantors was also stored on the compromised parts of the network, including names, mailing addresses, telephone numbers, dates of birth, and email addresses, and also information about insurance policy holder/subscribers such as names, mailing addresses, telephone numbers, dates of birth, insurance policy information, and, in some cases, Social Security numbers.

Affected individuals were notified about the breach on December 2, 2023, and 24 months of complimentary credit monitoring, identity theft protection, and fraud resolution services have been offered to the affected individuals. Cardiovascular Consultants has confirmed that additional security measures have been implemented to improve its defenses against cyberattacks in the future.

The post Cardiovascular Consultants Data Breach Affects 484,000 Individuals appeared first on HIPAA Journal.

MedStar Mobile Health Data Breach Settlement Proposed

A settlement has been proposed by the Metropolitan Area EMS Authority to resolve a class action lawsuit that was filed by individuals affected by a 2022 cyberattack and data breach. Metropolitan Area EMS Authority is a Fort Worth, TX-based operator of an emergency and non-emergency ambulance service and does business as MedStar Mobile Healthcare. On October 20, 2022, unauthorized network activity was discovered, and the forensic investigation revealed unauthorized individuals had accessed parts of its network where patient data was stored. The hackers were able to access the protected health information of 612,000 individuals, including names, contact information, dates of birth, and limited medical information. The affected individuals were notified on December 19, 2022.

A class action lawsuit – Kaether v. Metropolitan Area EMS Authority d/b/a MedStar Mobile Healthcare – was filed in Texas District Court in response to the breach that alleged negligence for failing to secure sensitive patient data. The lawsuit also alleged breach of implied contract, negligence per se, breach of fiduciary duty, public disclosure of private facts, and unjust enrichment. Metropolitan Area EMS Authority chose to settle the lawsuit with no admission of liability or wrongdoing and will make an unspecified sum available to cover claims from individuals affected by the data breach, including a subclass of individuals who had HIPAA-covered protected health information exposed.

Under the terms of the settlement, individuals who were notified about the breach who have experienced unreimbursed out-of-pocket losses that are reasonably traceable to the data breach may submit claims for up to $3,000 to cover the losses, including travel expenses, long-distance phone calls, bank fees, credit costs, and any unreimbursed expenses and monetary losses from identity theft or fraud. Members of the HIPAA subclass may also claim up to four hours of lost time at $20 per hour. Claims must be accompanied by documented evidence that losses have been experienced. All class members will be entitled to a complimentary 12-month membership to a single-bureau credit monitoring service which includes a $1 million identity theft insurance policy. Metropolitan Area EMS Authority has also agreed to implement additional cybersecurity measures to better protect the sensitive data it stores and is providing its workforce with additional security awareness training. Measures that will be implemented by the end of the year include multifactor authentication and disabling Outlook Anywhere.

Individuals wishing to object to the settlement, or exclude themselves, must do so by January 24, 2024, and claims must be submitted no later than February 23, 2024. The final fairness hearing has been scheduled for April 3, 2024. The plaintiff and class members were represented by Joe Kendall of the Kendall Law Group PLLC and Gary M. Klinger and Alexander Wolf of Milberg Coleman Bryson Phillips Grossman PLLC.

The post MedStar Mobile Health Data Breach Settlement Proposed appeared first on HIPAA Journal.