HIPAA Breach News

Ransomware Attack Key Factor in Decision to Close Rural Illinois Hospital

Ransomware attacks can force healthcare facilities to close temporarily, and some small healthcare practices have decided not to reopen after an attack; hospitals and health systems, however, are usually financially resilient enough to remediate the attack and recover. St. Margaret’s Health was not. Like many rural hospitals and health systems, St. Margaret’s Health had been struggling to maintain operations in the face of increasing financial pressures when it fell victim to a ransomware attack that sent it into a downward financial spiral. The attack, in combination with several other factors, resulted in the decision to permanently close its 44-bed Spring Valley location in Illinois. St. Margaret’s Health also operates a 49-bed hospital in Peru, IL, which has been under a temporary suspension announced in January this year. All operations at the two hospitals will permanently end on Friday, June 16, 2023.

The Sisters of Mary of the Presentation founded St. Margaret’s Health in 1903. In 2021, St. Margaret’s Hospital – Spring Valley and Illinois Valley Community Hospital (IVCH) in Peru consolidated their operations and formed a regional health network run by the SMP Health ministry, with IVCH changing its name to St. Margaret’s Hospital – Peru. St. Margaret’s Health tried to integrate the new hospital so that the two hospitals and their associated clinics could continue to provide Catholic healthcare in the Illinois Valley, but the challenges proved too great. Like many rural hospitals, St. Margaret’s Health has faced increasing financial pressures in recent years; the COVID-19 pandemic, continuing staff shortages, and the February 2021 ransomware attack on St. Margaret’s Hospital – Spring Valley’s computer systems together proved too much and made it impossible to sustain its ministry. The ransomware attack did not by itself trigger the closure, but it played a key part in the decision. The attack prevented the hospital from submitting claims to insurers, Medicare, and Medicaid for months, piling even more financial pressure on the already struggling St. Margaret’s Health.

Suzanne Stahl, chair of SMP Health, said St. Margaret’s Health has signed a non-binding letter of intent with OSF Healthcare to acquire the Peru campus and related ambulatory facilities. The proceeds of the sale will be used to pay off a portion of St. Margaret’s debts and will help to ensure that Catholic-based healthcare continues to be provided in the Illinois Valley and the surrounding areas. The transition will take some time, and while OSF Healthcare is working to complete the purchase as quickly as possible, it cannot yet give a time frame for when care will resume. “The hospital closure will have a profound impact on the well-being of our community. This will be a challenging transition for many residents who rely on our hospital for quality healthcare,” said Melanie Malooley-Thompson, Mayor of Spring Valley. The closure will mean that patients will be forced to travel much further for emergency room and obstetrics services.

Longstanding pressures on rural hospitals resulted in 136 rural hospital closures between 2010 and 2021, according to a 2022 report from the American Hospital Association, including 19 closures in 2020 alone. Rural hospitals typically have low reimbursement rates, staff shortages, and low patient volumes, and they also had to deal with the COVID-19 pandemic. A cyberattack can be enough to push them over the edge.

Tragically, this is unlikely to be the last ransomware attack that proves too much for a rural hospital. Increasing financial pressure limits the ability of rural hospitals to invest in cybersecurity and they also struggle to attract and retain skilled cybersecurity staff. That makes rural hospitals an easy target for ransomware gangs, which are increasingly targeting these healthcare facilities. Even when rural hospitals are not specifically targeted, they can still fall victim to non-targeted attacks due to the lack of appropriate cybersecurity.

The post Ransomware Attack Key Factor in Decision to Close Rural Illinois Hospital appeared first on HIPAA Journal.

320,000 Patients Affected by Ransomware Attack on Onix Group

The Pennsylvania-based business administration service provider, Onix Group, was the victim of a ransomware attack on March 27, 2023. When the incident was detected, its network was immediately taken offline to prevent any further unauthorized access; however, the attackers were able to encrypt files on certain systems. The forensic investigation confirmed that access to its systems was gained 7 days before ransomware was deployed and files were encrypted, and during those 7 days the cyber actors exfiltrated files containing sensitive data.

The review of the files confirmed they contained the data of patients of healthcare clients Addiction Recovery Systems, Cadia Healthcare, Physician’s Mobile X-Ray, and Onix Hospitality Group. The protected health information in the stolen files varied from individual to individual and may have included names, Social Security numbers, dates of birth, and scheduling, billing, and clinical information. Some of the files contained client information that was stored for HR purposes, including employees’ names, Social Security numbers, direct deposit information, and health plan enrollment information.

Complimentary credit monitoring and identity theft protection services have been offered to affected individuals. The breach was reported to the HHS’ Office for Civil Rights as affecting up to 319,500 individuals.

Ascension Says Breach at Vendor Exposed Patient Data

Ascension has recently started notifying 148,606 patients about a security breach at the third-party vendor, Vertex, which was used to manage its legacy websites, two of which – Seton.net and DellChildren’s.net – were breached on March 1 and 2, 2023.

Vertex engaged a forensic investigator to determine the nature and scope of the breach. The investigation is ongoing but, at this stage, it does not appear that any patient data was stolen. If data theft did occur, the information at risk includes names, addresses, Social Security numbers, credit card numbers, and insurance information. Affected individuals have been offered complimentary credit monitoring and identity theft protection services as a precaution.

Ascension has confirmed that the websites have been replaced by new websites which Ascension hosts. The breach has been reported to the HHS’ Office for Civil Rights as affecting 17,191 Ascension Seton and 1,415 Ascension Providence patients.

Daixin Team Attempts Extortion of Columbus Regional Healthcare System

The ransomware and extortion group, Daixin Team, has claimed responsibility for a ransomware attack on the non-profit Indiana health system, Columbus Regional Healthcare System, and claims to have exfiltrated 70 gigabytes of data from the 154-bed hospital. The group says it initially demanded payment of $2 million but after negotiating with the hospital or a third party, reduced the demand to $1 million; however, negotiations appear to have broken down.

Columbus Regional Healthcare System has yet to confirm the attack and it is currently unclear to what extent patient data is involved. Daixin Team is expected to start releasing the stolen data in the next few days if ransom negotiations do not resume.


Intellihartx Victim of Fortra GoAnywhere Hack: 490,000 Individuals Affected

The Tennessee-based payment and collections service provider, Intellihartx, has recently confirmed that the personal and health information of 489,830 individuals was stolen in a recent hacking and extortion attack. In late January and early February 2023, the Clop ransomware group exploited a zero-day vulnerability in Fortra’s GoAnywhere MFT to gain access to the data of approximately 130 companies. While Clop often uses ransomware to encrypt files, these attacks only involved data theft and extortion, with demands for payment issued to prevent the public release of the stolen data.

Intellihartx learned that it had been affected on February 2, 2023, and launched an investigation to determine the scope of the breach. Preliminary results were obtained on March 24 that indicated sensitive data had potentially been stolen, and data owners started to be notified on April 11, 2023. The comprehensive review of the affected files confirmed on May 10, 2023, that protected health information had been compromised. The review was completed on May 19, 2023.

Intellihartx’s analysis of the files exfiltrated by Clop confirmed they contained information such as patient names, addresses, dates of birth, Social Security numbers, diagnoses, medications, insurance information, and billing information. Intellihartx said it rebuilt the file transfer platform and incorporated additional security measures to prevent similar breaches in the future and has now notified affected individuals and offered them complimentary access to credit monitoring services.

Cyberattack Impacts Petaluma Health Center Patients

Petaluma Health Center in California has sent notifications to current and former patients alerting them to the potential theft of some of their protected health information. A network security incident was detected and promptly blocked on March 14, 2023, and while the forensic investigation found no evidence to indicate theft and misuse of patient data, data theft could not be ruled out.

The files potentially accessed in the attack included first names, last names, addresses, dates of birth, Social Security numbers, medical information, and health information, with the affected data varying from individual to individual. Security has been enhanced to prevent similar breaches in the future and affected individuals have been offered complimentary single-bureau credit monitoring services.

It is currently unclear how many individuals have been affected.

North Shore Medical Labs Notifies Patients About Cyberattack and Data Theft Incident

The Williston Park, NY-based clinical reference laboratory, North Shore Medical Labs, has started notifying individuals that some of their protected health information was exposed in a data security incident detected on March 29, 2023. The investigation revealed on May 12, 2023, that files were potentially accessed and stolen that contained names, birth dates, and medical laboratory information.

A malicious actor first gained access to its systems on December 22, 2022, and access was blocked on March 31, 2023. The forensic investigation confirmed that files were exfiltrated from its systems between March 17 and March 31. North Shore Medical Labs said it is unaware of any misuse of patient data as a result of the incident. Data protection policies and training protocols have been reviewed and security measures and monitoring tools enhanced to mitigate any risk associated with the incident and to prevent further security incidents in the future.

The breach was reported to the HHS’ Office for Civil Rights as affecting 500 individuals – a placeholder often used to meet reporting requirements until the full extent of the breach is known.


Peachtree Orthopedics Suffers Data Theft and Extortion Incident

Peachtree Orthopedics in Atlanta, GA, has announced that it was the victim of a cyberattack on April 20, 2023. The forensic investigation confirmed that an unauthorized third party gained access to parts of its network that contained patient information such as names, addresses, birth dates, driver’s license numbers, Social Security numbers, medical treatment/diagnosis information, treatment costs, financial account information, and health insurance claims/provider information.

Peachtree Orthopedics said it changed account passwords and implemented additional security measures to reduce the risk of a similar situation occurring in the future and said the investigation is ongoing to determine how many patients have been affected. Peachtree Orthopedics said it cannot rule out unauthorized access to patient information.

The Karakurt threat group has claimed responsibility for the attack and has added Peachtree Orthopedics to its data leak site. The group claims to have exfiltrated 194 gigabytes of data, including personal information and medical records and has threatened to publish the data if the ransom is not paid.

MedInform System Breach Exposed PHI of Cleveland Clinic Patients

MedInform, Inc., a provider of itemization and accident recovery solutions to hospital systems, experienced a security incident that exposed the data of 14,453 Cleveland Clinic patients. The breach was detected on December 21, 2022, when suspicious activity was identified within its network. The forensic investigation confirmed its systems had been accessed by an unauthorized individual between December 5, 2022, and December 21, 2022, and files had been downloaded.

The delay in issuing notifications was due to the time taken to review all affected files. Those files contained names, addresses, Social Security numbers, medical billing information, and financial account information. Additional administrative and technical controls have been implemented in response to the breach, and additional security training has been provided to the workforce.

Mission Community Hospital Investigating Cyberattack

Mission Community Hospital in California is investigating a cyberattack that occurred on April 29, 2023. The RansomHouse threat group has claimed responsibility for the attack on the San Fernando Valley acute care hospital and claims to have exfiltrated more than 2.5 terabytes of data, a sample of which has been uploaded to its data leak site. The leaked data includes medical imaging files, employee data, and financial reports.

The hospital detected the attack on May 1 when investigating a hardware failure and found evidence of an intrusion that exploited vulnerabilities in its network and VMware environments. It has yet to be confirmed how much data has been accessed or stolen.

Shasta Community Health Center Impacted by Alvaria Ransomware Attack

Shasta Community Health Center in Redding, CA, has recently confirmed that patient data was compromised in a ransomware attack on its business associate, Alvaria, Inc. According to the breach notice, Alvaria was the victim of a sophisticated ransomware attack on March 9, 2023, that impacted part of the network that contained customers’ workforce management and outbound dialer data.

The attack was quickly remediated, with data restored from backups. The review confirmed that the exposed data included names, phone numbers, addresses, and associated healthcare provider names. Alvaria explained in the notification letters that after securing the network, additional security measures were implemented to further improve system security. Credit monitoring services have been provided to affected individuals.

Alvaria confirmed in February that it was the victim of a Hive ransomware attack in November 2022. It is unclear if the two incidents are linked. Alvaria has been emailed for clarification.

Summit Eye & Optical Reports 5,727-Record Data Breach

Summit Eye & Optical in Summit, NJ, has recently confirmed that an unauthorized individual gained access to its network and potentially viewed or obtained the protected health information of 5,727 patients. The breach was detected on March 4, 2023, and notifications were sent to affected individuals on May 18, 2023.

Summit Eye & Optical confirmed that the information potentially accessed in the cyberattack included full names, addresses, medical histories, treatment information, and other personal information. Internal data management and protocols have been reviewed and security has been enhanced to prevent similar incidents in the future. Complimentary identity theft protection services have been offered to affected individuals.

Sparta Community Hospital District Confirms Unauthorized Email Access

Sparta Community Hospital District in Illinois has confirmed that the protected health information of up to 900 patients has been exposed and potentially obtained by an unauthorized individual who accessed an employee email account from March 27, 2023, to March 28, 2023.

The breach was detected on March 28, and the account was immediately secured. The review of the account confirmed on April 12, 2023, that it contained patient information such as names, addresses, phone numbers, dates of birth, medical record numbers, doctor’s names, medical diagnoses, and limited treatment information. Financial information and Social Security numbers were not exposed.


Patient Data Likely Lost Due to Cyberattack on Mercy Medical Center – Clinton

Mercy Medical Center – Clinton has notified 20,865 patients about a security incident that disrupted its network. The security breach was detected on April 4, 2023, and the forensic investigation confirmed its network had been accessed by an unauthorized third party between March 7, 2023, and April 4, 2023.

The attack did not affect patient care but prevented access to its systems while the attack was remediated. The review of the incident is ongoing, but it has been confirmed that the following types of information have been exposed: name, address, date of birth, driver’s license/state identification number, Social Security number, financial account information, medical record number, encounter number, Medicare or Medicaid identification number, mental or physical treatment/condition information, diagnosis code/information, date of service, admission/discharge date, prescription information, billing/claims information, personal representative or guardian name, and health insurance information.

Mercy Medical Center did not state whether ransomware was involved but said data had to be restored from backups and that some data has likely been lost. Additional technical steps are being taken to try to recreate the lost data that could not be restored from backups. Credit monitoring and identity protection services have been offered to affected individuals, and additional technical safeguards have been implemented to prevent similar attacks in the future.

Pioneer Valley Ophthalmic Consultants Notifies Patients About Business Associate Data Breaches

Pioneer Valley Ophthalmic Consultants (PVOC) in Holyoke, MA, has recently notified 36,275 patients that some of their protected health information has been exposed and potentially stolen in two security incidents at third-party vendors, Alta Medical Management and ECL Group, LLC, which provide billing and accounting services.

According to the May 22, 2023, breach notice, the incidents occurred in 2021. PVOC discovered on March 3, 2022, that malware had been installed on the servers of the vendors between November 13, 2021, and November 15, 2021. On May 11, 2022, PVOC learned that Alta’s online patient portal was vulnerable to unauthorized access to payment receipts until October 26, 2021.

The information potentially compromised as a result of the malware incident included names, addresses, Social Security numbers, payment card information, and medical records. The unsecured patient portal allowed unauthorized access to names, email addresses, transaction dates and times, transaction ID numbers, statement numbers, the last four digits of payment card/account numbers, and any information entered into the comments field of the portal.

PVOC said it is unaware of any actual or attempted misuse of the exposed information. Monitoring has been stepped up in response to the breaches and additional technical resources and security personnel have been onboarded. Affected individuals have been offered complimentary credit monitoring services.

Topcon Healthcare Solutions Breach Impacts 4,000 Individuals

Topcon Healthcare Solutions, a provider of imaging, diagnostic, and intelligent data technologies, has reported a security breach to the Maine Attorney General that exposed protected health information. The security breach was detected on February 5, 2023, and the forensic investigation confirmed there had been unauthorized access to documents on its systems between January 7, 2023, and February 5, 2023.

In its May 22, 2023, breach notification, Topcon said the review of the incident is ongoing to determine the specific types of information that have been exposed. Notification letters will be sent to affected individuals after that process is completed. The breach was reported to the Maine Attorney General as affecting up to 4,209 individuals.

Canopy Children’s Solutions Investigating Ransomware Attack

Mississippi Children’s Home Society, CARES Center Inc, and Mississippi Children’s Home Services Inc, doing business as Canopy Children’s Solutions, experienced a ransomware attack in April that resulted in the encryption of files on its systems. The attack was detected on April 4, 2023, and third-party forensics experts were engaged to investigate the nature and scope of the incident.

According to Canopy Children’s Solutions’ data breach notice, the attackers accessed certain systems on its network and may have accessed and/or acquired certain files and folders from those systems. The data breach notice – dated June 2, 2023 – states that the investigation is ongoing to determine which individuals have been affected and the types of data involved. Notification letters will be mailed to affected individuals when that process is completed. Canopy Children’s Solutions said it has reviewed its data privacy and security policies and procedures and is implementing additional safeguards to prevent further attacks in the future.

The Nokoyawa threat group has claimed responsibility for the attack and has added Canopy Children’s Solutions to its data leak site. The group says files are being prepared for publication. The group claims to have exfiltrated 150 gigabytes of data.


Multiple Data Breaches Reported by Iowa Medicaid and South Jersey Behavioral Health Resources

The Iowa Department of Health and Human Services has announced there have been three separate breaches of the protected health information of Iowa Medicaid recipients in the past two months – two hacking incidents and an impermissible disclosure, all three of which involved third-party contractors.

The largest breach was at the Medicaid contractor, MCNA Dental, which resulted in the exposure and potential theft of the protected health information of 233,834 Iowa Medicaid recipients. The MCNA Dental data breach impacted more than 8.9 million individuals across the country. An unauthorized third party gained access to MCNA Dental’s systems on February 26, 2023; the breach was detected on March 6, 2023, and the unauthorized access was blocked the following day. The LockBit ransomware gang claimed responsibility for the attack and potentially obtained names, addresses, telephone numbers, email addresses, birth dates, Social Security numbers, driver’s license numbers, government-issued ID numbers, health insurance information, Medicare/Medicaid ID numbers, group plan names and numbers, and information related to the dental and orthodontic care provided. MCNA Dental has offered affected individuals complimentary credit monitoring services.

The Iowa Department of Health and Human Services has also confirmed a breach of the protected health information of Iowa Medicaid recipients due to an error at Amerigroup. Explanation of payment notices containing the information of 833 Iowa Medicaid recipients were sent to 20 providers in error. Names, addresses, Social Security numbers, and health insurance information were impermissibly disclosed. Amerigroup is sending notification letters to those individuals.

Another breach was confirmed in April at one of the department’s contractors, Telligen, Inc., which performs annual assessments for Medicaid members to ensure they are receiving the correct level of care. Telligen subcontracted part of that work to Independent Living Systems (ILS), where the data breach occurred in June and July 2022. The protected health information of approximately 20,800 Medicaid members was compromised in the attack. In total, more than 4 million individuals were affected by the ILS data breach.

South Jersey Behavioral Health Resources Victim of Two Security Breaches

South Jersey Behavioral Health Resources (SJBHR) in Camden, NJ, an Inperium affiliate that provides residential, outpatient, adult partial care, telehealth/telecounseling, and homeless services, has recently announced two breaches of the protected health information of patients in quick succession.

The first incident was a business email compromise/phishing attack. An employee received a request for an Accounts Receivable Report from what appeared to be the legitimate account of a member of the SJBHR fiscal office. An email was sent in response that included patient names, dates of service, types of service, and billing codes. The breach was detected the following day. Additional training was provided to all staff members in response to the incident to help them identify and avoid email scams in the future.

A few days later, on April 5, 2023, SJBHR was the victim of a ransomware attack that resulted in files being encrypted on certain computer systems. The forensic investigation confirmed the attackers gained access to its systems on April 3, 2023. No evidence was found to indicate access to or the theft of patient data, but the systems compromised in the attack included files containing names, contact information, Social Security numbers, driver’s license numbers, dates of birth, medical record numbers, treating/referring physician names, health insurance information, subscriber numbers, medical history information, and diagnosis/treatment information.

In response to the ransomware attack, policies and procedures have been reviewed and additional data security measures have been implemented. SJBHR does not believe the two incidents are related. Neither incident is showing on the HHS’ Office for Civil Rights data breach portal at present, so it is unclear how many individuals have been affected.


Alvaria Confirms November 2022 Hive Ransomware Attack

Alvaria Inc. (formerly Aspect Software, Inc.), a provider of call center and customer experience software technology to large enterprises, has recently confirmed that it fell victim to a ransomware attack on a limited portion of its network.

There is a trend for breach notification letters to only contain the bare minimum information to meet regulatory requirements; however, Alvaria breach notifications include comprehensive details about the attack including the name of the ransomware group responsible. The company has also confirmed that sensitive information was stolen, some of which was released on the Hive group’s dark web data leak site, which helps victims of the breach accurately assess the level of risk they face.

Alvaria explained that the ransomware attack occurred on November 28, 2022, and steps were immediately taken to contain the attack and prevent further unauthorized access to its network. An investigation was launched and a third-party digital forensics company was engaged to investigate the scope of the attack and determine if protected health information had been exposed or compromised. On December 21, 2022, while the incident was still being investigated, Alvaria learned that the Hive group had published sensitive corporate files on its dark web data leak site. Alvaria confirmed that the files released by the group did not contain any personal data but it was not possible to determine if employment-related files were accessed or acquired in the attack.

Alvaria explained in the notification letters that the Department of Justice confirmed on January 26, 2023, that a coordinated law enforcement operation had successfully dismantled the Hive Ransomware operation, resulting in the group’s infrastructure being seized. Alvaria said, “Law enforcement has not indicated whether these employment-related files had been acquired,” and no evidence has been found to indicate any actual or attempted misuse of the information contained in the employment-related files.

Those files contained names, government-issued identification numbers such as Social Security numbers and passport numbers, financial account information, health insurance information, and/or tax-related information. Individuals potentially affected have been notified, and Alvaria has confirmed that employees are already provided with credit monitoring, dark web monitoring, and fraud remediation services through Allstate Identity Protection as part of their employment.

The incident has been reported to the HHS’ Office for Civil Rights in 13 individual reports, involving a total of 12,404 records.


Settlement Agreed to Resolve Comprehensive Health Services Data Breach Lawsuit

Acuity International (formerly known as Comprehensive Health Services, LLC / CHS, LLC), a provider of medical management support services, has agreed to a settlement to resolve a class action lawsuit that was filed in response to a 2020 cyberattack and data breach that impacted 106,910 individuals.

Suspicious activity was detected within the systems of Comprehensive Health Services on September 30, 2020, following the discovery of fraudulent wire transfers; however, it took until November 3, 2022, to determine that personal and protected health information had been compromised in the incident, including names, dates of birth, and Social Security numbers. Affected individuals were notified about the breach on January 20, 2022, and February 14, 2022.

On April 4, 2022, a lawsuit – Arbuthnot v. CHS, LLC – was filed in the US District Court for the Middle District of Florida in response to the breach that alleged a failure to protect sensitive data against unauthorized access, violations of the HIPAA Security Rule, and unreasonable delay of more than 16 months to inform individuals that their personal and protected health information had been compromised. As a result of the alleged negligence, plaintiff Shannon Arbuthnot and the class members claim they suffered harm and incurred out-of-pocket expenses dealing with the breach and protecting themselves against misuse of their information.

A settlement was proposed in February 2023 to resolve the lawsuit that has now been finalized, pending final approval by a judge. Acuity maintains there was no wrongdoing and proposed the settlement to avoid the cost, disruption, and distraction of further litigation. The settlement has been approved by Acuity, the class representative, and their legal teams, and is believed to be fair, reasonable, and adequate.

Under the terms of the settlement, individuals who were notified that they had been impacted by the data breach can submit a claim for compensation for ordinary out-of-pocket losses and lost time up to a maximum of $500 per class member, which can include up to 3 hours of lost time at $20 per hour. The claim can include documented losses due to bank fees, phone charges, data charges, postage, costs of credit reports, and any credit monitoring or identity theft protection services purchased between September 30, 2020, and the date of the settlement.

Individuals who were victims of documented identity theft that is reasonably traceable to the data breach are entitled to submit a claim for compensation for extraordinary losses up to a maximum of $3,500 per class member. Extraordinary losses include actual, documented, and unreimbursed monetary losses incurred between September 30, 2020, and the date of the settlement that were more likely than not due to the data breach. In addition, Acuity will cover the cost of two years of credit monitoring services for all class members.

In addition to reimbursing class members for expenses and losses, Acuity has agreed to make security improvements to reduce the risk of future data breaches, many of which have already been implemented. The deadline for exclusion from or objection to the settlement is July 5, 2023, the deadline for submitting a claim is August 3, 2023, and the final approval hearing has been scheduled for August 11, 2023.

The plaintiff was represented by Jon Kardassakis of Lewis Brisbois Bisgaard & Smith, LLP, and the class was represented by John A Yanchunis of Morgan & Morgan and David K Lietz of Milberg Coleman Bryson Phillips Grossman PLLC.

The post Settlement Agreed to Resolve Comprehensive Health Services Data Breach Lawsuit appeared first on HIPAA Journal.

$30,000 Penalty for Disclosing PHI Online in Response to Negative Reviews

The Department of Health and Human Services’ Office for Civil Rights (OCR) has agreed to settle a HIPAA violation case with a New Jersey provider of adult and child psychiatric services for $30,000. In April 2020, OCR received a complaint alleging Manasa Health Center had impermissibly disclosed patient information online when responding to a negative online review. The complainant alleged that Manasa Health Center had responded to a patient’s review and disclosed the patient’s mental health diagnosis and treatment information.

OCR launched an investigation into the Kendall Park, NJ-based healthcare provider, notifying the practice about the HIPAA Privacy Rule investigation on November 18, 2020, and discovered that the protected health information of a total of four patients had been impermissibly disclosed in responses to negative Google Reviews. In addition to the impermissible disclosures of PHI, which violated 45 C.F.R. § 164.502(a) of the HIPAA Privacy Rule, the practice was determined to have failed to comply with the standards, implementation specifications, or other requirements of the HIPAA Privacy Rule and Breach Notification Rule – 45 C.F.R. § 164.530(i).

Manasa Health Center chose to settle the case with OCR with no admission of liability or wrongdoing. In addition to the financial penalty, Manasa Health Center has agreed to adopt a corrective action plan which includes the requirement to develop, maintain, and revise its written policies and procedures to ensure compliance with the HIPAA Privacy Rule, provide training to all members of the workforce on those policies and procedures, issue breach notification letters to the individuals whose PHI was impermissibly disclosed online, and submit a breach report to OCR about those disclosures.

This is not the first time that OCR has imposed a financial penalty for disclosures of PHI on social media and online review platforms. In 2022, OCR agreed to a $23,000 settlement with New Vision Dental and imposed a civil monetary penalty of $50,000 on Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A. In 2019, OCR settled an online disclosure case with Elite Dental Associates for $10,000. The HIPAA Privacy Rule does not prohibit HIPAA-regulated entities from responding to online reviews or using social media; however, protected health information must not be disclosed online without written consent from the patient. You can read more about HIPAA and social media here.

“OCR continues to receive complaints about health care providers disclosing their patients’ protected health information on social media or on the internet in response to negative reviews. Simply put, this is not allowed,” said OCR Director Melanie Fontes Rainer. “The HIPAA Privacy Rule expressly protects patients from this type of activity, which is a clear violation of both patient trust and the law. OCR will investigate and take action when we learn of such impermissible disclosures, no matter how large or small the organization.”

This is the 5th OCR HIPAA enforcement action in 2023 that has been resolved with a financial penalty. So far this year, $1,661,500 has been paid by HIPAA-regulated entities to resolve violations of the HIPAA Rules.

The post $30,000 Penalty for Disclosing PHI Online in Response to Negative Reviews appeared first on HIPAA Journal.