HIPAA Breach News

City of Oakland Facing Multiple Class Action Lawsuits Over February Ransomware Attack

Multiple class action lawsuits have been filed against the city of Oakland in California over a ransomware attack and data breach that involved the theft of the personal and protected health information of 13,000 current and former employees. The ransomware attack was detected on February 8, 2023, and forced the city to shut down its systems to contain the attack, resulting in a state of emergency being declared in the city. Systems remained offline for weeks due to the attack, with the recovery process taking months.

The Play ransomware group took credit for the attack and started leaking some of the stolen data to pressure the city into paying the ransom. Initially, 10 gigabytes of stolen data was released on the group’s dark web data leak site, followed by a massive data dump of 600 gigabytes when the city continued to refuse to pay the ransom. The leaked data included the personal information of individuals employed by the city between July 2010 and January 2022. The ransomware attack is understood to have started with phishing emails.

Multiple class action lawsuits have been filed against the city on behalf of victims of the data breach that allege the city failed to implement appropriate security measures to keep employees’ private information confidential, with several victims of the breach claiming they have had their identities stolen and have experienced credit card fraud. The city has offered complimentary credit monitoring services to affected employees and has started to improve security, including implementing a training program for the workforce to improve resilience to phishing attempts.

A lawsuit was filed by the Oakland police officers’ union that alleges the city failed to provide important information about the extent of the incident and the types of data stolen in the attack and seeks monetary compensation and extended credit monitoring and identity theft protection and restoration services. Another lawsuit names Hada Gonzalez as lead plaintiff, a police services technician, who alleges the city was negligent for failing to protect against the attack. The lawsuit alleges data breach notification failures and violations of the HIPAA Security Rule. As a result of the negligence, the plaintiffs and class members claim they have suffered ongoing, imminent, and impending threats of fraud, identity theft, and abuse of their data, resulting in monetary losses and economic harm. The lawsuit seeks an award of damages and injunctive relief, including the requirement for the city to maintain a comprehensive information security program, encrypt sensitive data, undergo third-party security audits, establish an information security training program, and implement other security measures.

The post City of Oakland Facing Multiple Class Action Lawsuits Over February Ransomware Attack appeared first on HIPAA Journal.

Clinical Test Data of 2.5 Million Individuals Stolen in Enzo-Biochem Ransomware Attack

The Farmingdale, NY-based biotech and diagnostics company, Enzo Biochem, has recently confirmed in an 8-K filing with the Securities and Exchange Commission that the clinical test information of 2,470,000 patients was compromised in an April 6, 2023, ransomware attack. Enzo Biochem said prompt action was taken to contain the attack when the breach was detected, and while the incident caused disruption to business operations, all of its facilities continued to provide services to patients and partners.

Enzo Biochem provides treatments for cancer, metabolic, and infectious diseases as well as testing services for a variety of transmissible diseases such as COVID-19 and STDs. On April 11, 2023, Enzo Biochem determined that data related to the provision of those services was accessed, and in some cases exfiltrated, from its systems. The stolen data included names, test information, and for approximately 600,000 individuals, Social Security numbers. Enzo Biochem is still investigating to determine if employee information was also compromised.

Enzo Biochem said it has incurred and may continue to incur expenses related to the incident and is in the process of evaluating the full financial impact of the ransomware attack. Enzo Biochem has confirmed that affected individuals will be notified by mail if their information has been deleted and the incident will be reported to appropriate regulatory authorities.

Medford Radiology Group Investigating Memorial Day Weekend Cyberattack

Medford Radiology Group in Oregon is recovering from a cyberattack that occurred over the Memorial Day weekend. The attack occurred in the early hours of Friday morning and prevented access to medical images. The attack is still being investigated to determine the nature and scope of the breach and the extent to which patient data may have been compromised. Medford Radiology Group said this was a “significant cybersecurity incident.”

Third-party cybersecurity experts are investigating the breach and assisting with the response, and all available resources are being used to ensure that radiology services and patient care continue to be provided. While the investigation is still in the early stages, Medford Radiology believes the incident was limited to its internal systems and that its outside partners have not been affected.


28,000 Clarke County Hospital Patients Affected by April Cyberattack

Clarke County Hospital in Osceola, IA, has recently started notifying 28,003 current and former patients about a security breach that exposed some of their protected health information. Suspicious activity was detected within its IT environment and the network was immediately isolated. A third-party digital forensics firm was engaged to investigate the security breach to determine the nature and scope of the incident and confirmed there had been unauthorized access on April 14, 2023, and the parts of the network that were accessed contained patient information.

The electronic medical record system was not compromised, and highly sensitive information such as Social Security numbers, banking information, credit card information, and/or financial information was not accessed. The files potentially viewed or stolen included names, addresses, dates of birth, health insurance information, medical record numbers, and some health information. At the time of issuing notifications, no reports had been received to indicate there had been any actual or attempted misuse of patient data.

Clarke County Hospital said enhancements were immediately made to improve system security and experts have been engaged to conduct a comprehensive review of system security. Security protocols will be further enhanced based on the findings of the review. Complimentary credit monitoring services and identity theft protection services have been offered to all potentially impacted individuals for 12 months and the hospital recommends that all individuals take advantage of those services.

Health Benefit Plan Data Stored on Stolen Laptop

A laptop computer has been stolen from the vehicle of an employee of the Anchorage School District, potentially exposing the protected health information of employees covered by its health benefit plan. The theft occurred on March 15, 2023, and the incident was immediately reported to law enforcement, but the laptop computer has not been recovered.

The school district immediately investigated and confirmed that the laptop computer has not been reconnected to the Internet. A review was conducted to determine if any files had potentially been downloaded to the laptop that could have been accessed. The review identified some files that were maintained for human resources and benefits purposes, which contained names, Social Security numbers, and information related to enrollment in the employee health plan.

Complimentary credit monitoring and identity theft protection services have been offered to the 4,598 employees potentially affected. Further training has been provided to the workforce on the importance of safeguarding sensitive information and portable device security measures are being enhanced.

Henry Mayo Newhall Hospital Discovers Employee Snooped on Medical Records

Henry Mayo Newhall Hospital (Henry Mayo) in Valencia, CA, has discovered that an employee accessed the protected health information of certain patients without a valid business reason for doing so. The privacy breach was detected on May 8, 2023, and notification letters were sent to affected individuals on May 26, 2023.

The investigation confirmed that the employee was able to view patient information such as names, birth dates, medical record numbers, visit numbers, and clinical data such as diagnoses, vital signs, and narrative clinical notes. The employee was interviewed about the unauthorized access and Henry Mayo believes the records were accessed out of curiosity and that no patient information has been further disclosed or misused. The hospital has taken action per its sanctions policy and has taken steps to prevent further privacy breaches in the future, including continuing to counsel and educate staff members.

It is currently unclear how many patients have been affected.


Idaho Hospitals Divert Ambulances and Clinic Temporarily Closes Due to Cyberattack

Mountain View Hospital, Idaho Falls Community Hospital, and several clinics in rural Idaho run by the same operator have been affected by a recent cyberattack. The decision was taken to temporarily close one of the clinics – Mountain View RediCare – while the attack is remediated. All other clinics have remained open but are offering reduced services.

The cyberattack was detected on Memorial Day, and ambulances were diverted to other hospitals as a precaution. The diversion has remained in place through Wednesday and the facilities are still experiencing network issues due to the attack. The hospitals have remained open with staff manually recording patient information while the network is down. A spokesperson for Idaho Falls Community Hospital said patient safety has been the priority and that work is continuing around the clock to restore access to computer systems and to ensure its systems are cleaned. At this stage, it is not possible to tell how long the recovery process will take and when systems will return to normal operation.

Details about the nature of the attack, such as if ransomware was used, have not been released at this stage, and it is too early to tell the extent to which patient information was involved. The hospital confirmed that the swift action of the IT department to contain the attack has limited the impact and has helped to keep patient data secure.

UI Community Home Care Suffers Ransomware Attack

UI Community Home Care, a subsidiary of the University of Iowa Health System, has recently reported a security incident to the HHS’ Office for Civil Rights that resulted in the exposure and possible theft of the protected health information of 67,897 patients.

The security breach was detected on March 23, 2023, when files were discovered to have been encrypted, preventing access. The forensic investigation confirmed there had been unauthorized access to files on its servers that started on or around March 23, 2023, and some of those files contained patient information. The electronic medical record system is separate from the affected servers and was not accessed in the attack.

The information potentially compromised varied from patient to patient and may have included name in combination with one or more of the following: date of birth, address, phone number, medical record number, referring physician, dates of service, health insurance information, billing and claims information, medical history information, and diagnosis/treatment information. At the time of issuing notifications, UI Community Home Care was unaware of any misuse of patient data. Security oversight efforts have been strengthened in response to the incident to prevent similar events from occurring in the future.

Grant Regional Health Center Notifies Patients About Email Account Compromise

Grant Regional Health Center in Lancaster, WI, has notified 4,135 patients about a breach of an employee email account. The notification letters do not state when the breach was detected but explain that the forensic investigation confirmed that the email account was subjected to unauthorized access between March 20, 2023, and March 24, 2023.

The review of the emails and attachments in the account was completed on May 9, 2023, and confirmed that patient names had been exposed along with one or more of the following data elements: date of birth, financial account information, medical information, health insurance information, Taxpayer ID number, and Social Security number. Grant Regional Health Center said no actual or attempted misuse of patient data has been detected. Email security has been enhanced to prevent similar breaches in the future.


IL, KY, and TN Healthcare Orgs Recovering from Recent Cyberattacks

Morris Hospital & Healthcare Centers Investigating Royal Ransomware Attack

Morris Hospital & Healthcare Centers in Illinois has launched an investigation into a cyberattack that the Royal ransomware group has claimed responsibility for. Third-party forensics experts have been engaged to investigate the breach and determine the extent to which patient information was involved. While the investigation is still in the early stages, Morris Hospital & Healthcare Centers has confirmed that its electronic medical record system was unaffected; however, patient data was stored in the network that was compromised in the attack.

Morris Hospital & Healthcare Centers said it had implemented multiple security measures prior to the attack and that these were instrumental in limiting the severity of the incident. Further information will be released as the investigation progresses, and notification letters will be issued if it is determined that patient data has been compromised. On May 22, 2023, the Royal ransomware group added Morris Hospital & Healthcare Centers to its data leak site along with a sample of files allegedly stolen in the attack.

Norton Healthcare Recovering from Cyberattack

Norton Healthcare, a Kentucky-based operator of more than 140 clinics and hospitals in the Louisville area of Kentucky and Southern Indiana, has confirmed that it suffered a cybersecurity incident on May 9, 2023. Norton confirmed that its network is operational, that systems were proactively taken offline as a precaution, and that at no point did the attackers have control of its network.

With IT systems offline, staff switched to manual processes for recording patient information. Norton said all of its facilities remained open and were able to continue to provide care to patients, although there have been delays to some services due to IT systems being offline, including medical imaging, lab test results, and prescription refills. There was also a backlog of messages from its online patient portal, which is taking time to work through and has caused delays to responses.

The threat actor behind the attack issued threats and demands via fax, but it is unclear at this stage to what extent, if any, patient data has been stolen. Norton did not state whether ransomware was used in the attack. Notifications will be issued to patients if it is determined that their information has been exposed or compromised.

Tennessee Orthopaedic Clinics Confirms March 2023 Cyberattack

Tennessee Orthopaedic Clinics is investigating a security breach that has caused disruption to some of its IT systems. The third-party forensic investigation determined that an unauthorized individual gained access to some of its IT systems between March 20, 2023, and March 24, 2023, and may have accessed or acquired files that contained patient information.

By May 2, 2023, it had been confirmed that patient data had been compromised, including names, contact information, dates of birth, diagnosis and treatment information, provider names, dates of service, cost of services, prescription information, and/or health insurance information, but the extent to which patients have been affected has not yet been disclosed.

The incident has been reported to the HHS’ Office for Civil Rights as affecting 500 individuals – a common placeholder that is used until the full extent of a breach is known. Notification letters will be issued to affected individuals when the review of the affected files has been completed. Tennessee Orthopaedic Clinics said additional safeguards and technical security measures have been implemented to prevent similar security breaches in the future.

Paramount Health Care Affected by NationBenefits Data Breach

The Maumee, OH-based insurance company, Paramount Health Care, has confirmed that it was affected by the recently reported 3 million-record cyberattack that affected the healthcare management solution provider, NationBenefits, on or around January 30, 2023. Paramount said hackers accessed and removed a database that contained patient information that included names, addresses, phone numbers, health insurance information, and Social Security numbers.

The cyberattack was conducted by the Clop threat group and exploited a zero-day vulnerability in Fortra’s GoAnywhere MFT file transfer solution. Notification letters are being sent to patients by NationBenefits. It is currently unclear how many Paramount members have been affected by the incident.


Managed Care of North America Hacking Incident Impacts 8.9 Million Individuals

Managed Care of North America, Inc. (MCNA), which also does business as MCNA Dental – a provider of dental benefits and services for state Medicaid and Children’s Health Insurance Programs – has recently reported a major data breach to the Maine Attorney General that has affected 8,923,662 individuals. This is the largest healthcare data breach to be reported by a single covered entity so far this year, and the second 5 million+ record healthcare data breach to be reported this month.

On March 6, 2023, MCNA discovered an unauthorized third party was able to access certain systems within its IT network. The threat was immediately contained and a third-party cybersecurity firm was engaged to investigate the intrusion and determine the nature and scope of the incident. The forensic investigation determined that the network had been compromised and infected with malicious code and that the attackers removed some copies of personal and protected health information from its systems between February 26, 2023, and March 7, 2023.

The review of the files that were copied or potentially accessed confirmed that they contained protected health information such as names, addresses, telephone numbers, email addresses, birth dates, Social Security numbers, driver’s license numbers, government-issued ID numbers, health insurance information, Medicare/Medicaid ID numbers, group plan names and numbers, and information related to the dental and orthodontic care provided. The types of compromised information varied from individual to individual. MCNA said it is unaware of any attempted or actual misuse of the affected data. MCNA said it has enhanced its security controls and monitoring practices to minimize the risk of further incidents of this nature in the future.

The LockBit ransomware group claimed responsibility for the attack and leaked some of the stolen data on its dark web data leak site as proof of data theft, and demanded a $10 million ransom to prevent the publication of all of the stolen data. It appears that the ransom was not paid, as the group published the stolen files on April 7, 2023.

Affected individuals are now being notified and are being offered complimentary credit monitoring services for 1 or 2 years, dictated by the minimum terms required by state laws. MCNA sent notifications on behalf of Florida Healthy Kids Corporation, the Florida Agency for Health Care Administration, and the following 112 insurance plans:

Aetna Better Health of New York
African American Planning
AgeWell New York, LLC
Albest Metal Stamping Corporation
Amerigroup Community Care
Amida Care, Inc.
Arkansas Department of Human Services
Assistant Deputy Wardens Association/Deputy Wardens Association
ATU Local 1056
Bridge & Tunnel Officers Benevolent Association
Brighton Health Plan Solutions LLC
CareConnect Insurance Company
Catholic Managed Long Term Care, Inc
Centerlight Healthcare, Inc.
Centers Plan for Healthy Living
City of New York Management Benefit Fund
Correction Officers Benevolent Association
Court Officers Benevolent Association of Nassau County
Crystal Run Health Plans
Dentcare Delivery Systems, Inc.
Detectives’ Endowment Association
District Council 1707 Local 95 Head Start Employees Welfare Fund
Elderplan Homefirst
ElderServe Health Inc. dba RiverSpring at Home
ElderServe Health Inc. dba RiverSpring FIDA
Elderwood Health Plan
Empire BlueCross BlueShield HealthPlus
Employee Administrative Corporation
EverCare Choice, Inc.
Excavators Union Local 731 Welfare Fund
Excellus Health Plan, Inc. (Excellus BlueCross BlueShield, Univera Healthcare, Premier Health Plan)
Extended MLTC, LLC
Florida Agency for Health Care Administration
Florida Healthy Kids Corporation
Graphic Art International Union Local 119B
Guildnet, Inc.
Health Fund 917
Healthplex Dental Services, Inc.
Healthplex Insurance Company
Healthplex, Inc.
Hicksville UFSD
Highmark Blue Cross Blue Shield of Western New York
iCircle
Idaho Department of Health and Welfare
Incorporated Village of Garden City
Independent Health Association, Inc.
Independent Health Benefits Corporation
Integra MLTC, Inc.
International Healthcare Services, Inc.
International Union of Operating Engineers Local 138 Welfare Fund
International Union of Operating Engineers Local 30 Benefits Fund
International Union of Operating Engineers Local 30 Welfare Trust
Iowa Department of Human Services
Kentucky Cabinet for Health and Family Services
Local 1199 National Benefit Fund
Local 1964 ILA Health & Insurance
Local 342 Health Care Fund
Local 342 Welfare Fund
Local 522 – C/O United Teamster Fund
Local 808, I.B. of T. Health and Welfare Fund
Louisiana Department of Health
Magnacare, LLC
MCS Healthcare Holdings, LLC
Metroplus Health Plan, Inc.
Metropolitan Transit Authority
MVP Health Plan
MVP Health Services Corp.
Nascentia Health, Inc.
Nassau County
Nebraska Department of Health and Human Services
New York City District Council of Carpenters
New York City Service Employees International Union Local 246 Welfare Fund
NYC Association of Surrogate and Supreme Court reporting
Oscar Insurance Corporation
Patchogue-Medford UFSD
Prime Choice MLTCP
Quality Health Plans of New York, Inc.
Saint Vincents Catholic Medical Center of New York
Sergeant Benevolent Association
Staffco of Brooklyn, LLC
Suffolk County PBA Benefit Fund
Suffolk County Superior Officers Association Benefit Fund
Superior Officers Council
Teachers College at Columbia University
Teamsters Local 237 Babylon Welfare Fund
Teamsters Local 237 Brentwood Welfare Fund
Teamsters Local 237 Islip Welfare Fund
Teamsters Local 237 New York City Welfare Fund
Teamsters Local 237 North Babylon Welfare Fund
Teamsters Local 237 Plainview Welfare Fund
Teamsters Local 237 Retiree Fund
Teamsters Local 237 West Islip Welfare Fund
Teamsters Local 72 Welfare Fund
Texas Health and Human Services Commission
Town Of Hempstead
UFCW Local 2013 Health and Welfare Fund
Uniformed Fire Alarm Dispatchers Benevolent Association
Uniformed Fire Officers Association
Uniformed Firefighters Association Security Benefit Fund
Uniformed Sanitationmen’s Association Local 831
United Federation of Teachers
United Federation of Teachers Health Care Chapter Benefit fund
United Food and Commercial Workers Local 888 Health and Pension Funds
United Public Service Employees Union Benefit Plan
United Teamsters Fund
Utah Department of Health and Human Services
VillageCareMAX
VNS CHOICE doing business as VNS Health Health Plans
Wellcare
Wyandanch Union Free School District
York MG/York Home Care
YourCare Health


Ransomware Gangs Claim Three Healthcare Victims

There has been a growing breach notification trend where the exact nature of a cyberattack is not disclosed in breach notification letters, including whether there has been confirmed theft of patient data. The failure to provide this information makes it difficult for victims of data breaches to assess the level of risk they face. That appears to be the case with two recent cyberattacks, neither of which mentions ransomware or confirms that data theft occurred.

Albany ENT & Allergy Services

Earlier this month, two ransomware groups – BianLian and RansomHouse – added Albany ENT & Allergy Services (AENT) to their data leak sites, along with claims that 1TB of data was stolen from its network before files were encrypted. Evidence of data theft was published on the RansomHouse data leak site.

Albany ENT & Allergy Services has now confirmed in a notification to the Maine Attorney General that unauthorized individuals gained access to its network, which contained the protected health information of 224,486 individuals, including 61 Maine residents. AENT explained in the letters that suspicious activity was detected within its computer network on March 27, 2023, and a third-party forensic investigation was conducted to determine the nature and scope of the incident. AENT said it was able to determine that “an unauthorized actor may have had access to certain systems that stored personal and protected health information,” between March 23, 2023, and April 4, 2023. A review of those files confirmed they contained employee and patient information such as names and Social Security numbers.

Notifications started to be sent to affected individuals on March 25, 2023, and 12 months of complimentary credit monitoring services have been offered. Since it appears from the claims of the ransomware groups that data has been stolen, affected individuals should ensure they take advantage of those complimentary services. AENT said it is reviewing its policies and procedures, will provide additional training to employees, and will be implementing additional safeguards to further secure information in its systems.

Vascular Center of Intervention, Inc.

The Vascular Center of Intervention, Inc. (VCI) a surgical center in Fresno, CA, has recently notified patients about a security breach detected on March 29, 2023. The notification letters state that the forensic investigation of unusual network activity “determined that certain documents stored within VCI’s environment may have been copied from or viewed on the system by an unauthorized person(s) between February 25, 2023, and March 29, 2023.”

The review of the files was completed on May 17, 2023, and confirmed that names were compromised along with one or more of the following: medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional, date of birth, health insurance information, Social Security Number and/or Driver’s license information. VCI said existing safeguards have been strengthened to further enhance security, and the notification to the California Attorney General indicates California residents at least will be provided with 12 months of complimentary credit monitoring and identity theft protection services.

No mention was made in the notification letters that the BianLian group claimed responsibility for the attack. The group claimed on its data leak site that 200 GB of data was exfiltrated from its systems. The BianLian group conducts ransomware attacks, although this year it has largely switched to extortion-only attacks.

It is currently unclear how many individuals have been affected.

Ohio Business Associate Suffers Ransomware Attack

In contrast, the notification letters from Marshall Information Services (doing business as Primary Solutions Inc.) provide more information. Primary Solutions, an Ohio-based provider of billing solutions to healthcare organizations, recently notified 7,456 individuals about an August 2022 ransomware attack that prevented access to its systems. The forensic investigation confirmed that the attackers had access to parts of the network that contained documents that included the protected health information of some of its covered entity clients, and those documents may have been accessed or acquired in the attack.

The notices explain that the documents contained first and last names combined with some or all of the following data elements: address, date of birth, Social Security number, health information such as diagnosis, condition, or treatment, medical record number, Medicare or Medicaid number, individual health insurance policy number, and in very limited cases, payment card information.

A third-party vendor was used to review all the affected files to identify the impacted individuals and that review determined on February 22, 2023, that protected health information had been exposed. It is unclear why that process took so long. Each covered entity was then notified, and Primary Solutions said it then worked with those clients to notify the affected individuals. Primary Solutions said complimentary credit monitoring and identity restoration services are being offered through IDX, and it encourages impacted individuals to enroll in these services.

In response to the incident, Primary Solutions has ensured multifactor authentication is implemented for remote access, configurations have been updated to ensure employees must access systems through a virtual private network (VPN) with multifactor authentication, and a new endpoint detection and response (EDR) solution has been implemented.


Doctor Fined for Privacy Violations Following Abortion on 10-Year-Old Rape Victim

Dr. Caitlin Bernard, an Indianapolis, IN-based obstetrician-gynecologist, has been fined $3,000 by the Medical Licensing Board of Indiana and issued with a letter of reprimand for violating HIPAA and state privacy law after talking to the media about an abortion she provided to a 10-year-old rape victim on July 1, 2022.

Within hours of the Supreme Court’s decision that overturned Roe v Wade and removed the federal right to an abortion, Ohio banned abortions after 6 weeks of pregnancy. Three days later, on June 27, 2022, Dr. Bernard received a call from a child abuse doctor in Ohio about a 10-year-old patient who could not legally have an abortion in Ohio as she was three days past the legal cutoff. The victim then traveled from her home state of Ohio to Indiana to have the procedure performed by Dr. Bernard.

A reporter for the IndyStar overheard a conversation between Dr. Bernard and another doctor at an anti-abortion rally and approached Dr. Bernard and asked for comment. The IndyStar ran a story about the girl and the reduction of access to abortions following the Supreme Court’s decision, and the story rapidly became national news. The case was also referenced on multiple occasions by President Biden. Following the publication of the story, Dr. Bernard provided further statements to the media, was interviewed on national TV networks, and was featured in various media articles, in which Dr. Bernard highlighted the real-world impact of the change to federal law on abortions. In those media interviews, Dr. Bernard confirmed that she had performed an abortion procedure on a 10-year-old patient, but did not disclose the name of the patient.

Shortly after the publication of the IndyStar story, Indiana Attorney General Todd Rokita confirmed in a Fox News interview that Dr. Bernard would be investigated. Rokita filed an administrative complaint with the Medical Licensing Board of Indiana alleging Dr. Bernard had violated HIPAA and state law by failing to get written authorization to release patient information, and that Dr. Bernard had failed to immediately report suspected child abuse to local law enforcement in Indianapolis or the Indiana Department of Child Services. Rokita claimed that Dr. Bernard learned about possible child abuse on June 27, 2022, in a telephone call, yet failed to report it until July 2, 2022, the day after the procedure was performed. As a result, he claimed, the child was returned to the custody of the alleged rapist, where she remained until July 6, 2022. Law enforcement later confirmed, with a 99.99% probability, that the rapist was the child’s biological father, who was charged with two counts of rape in July 2022.

In a Medical Licensing Board hearing on Thursday, Dr. Bernard’s attorney explained that Dr. Bernard told an IU Health social worker about the case on the same day she received the initial call about the patient, and that the discussion was in line with IU Health’s policies. The attorney also confirmed that the abuse was reported on an Indiana state form and that the abuse had already been reported in Ohio, where the abuse took place. The IU Health social worker testified that she reported the abuse in Ohio per IU Health policies, as that was where the abuse occurred. Dr. Bernard also confirmed with child protection staffers in Ohio that it was safe for the child to leave with her mother, and testified that she did not violate state or federal privacy laws as she did not disclose any identifying information about the patient.

At the hearing, Deputy Attorney General Cory Voight asked Dr. Bernard why she had disclosed information about a real patient, rather than providing a hypothetical situation in her media interviews. “I think that it’s incredibly important for people to understand the real-world impacts of the laws of this country about abortion,” said Dr. Bernard in response. “I think it’s important for people to know what patients will have to go through because of legislation that is being passed, and a hypothetical does not make that impact.”

Andrew Mahler, a former official at the HHS’ Office for Civil Rights, was an expert witness for the state and testified that the disclosures made by Dr. Bernard violated HIPAA, as it was certainly possible that the information disclosed by Dr. Bernard – age, state, and gender – would allow the girl to be identified. Paige Jayner, a privacy compliance officer and former OCR auditor, was a witness for the defense and disagreed with Mahler’s view, testifying that the information Dr. Bernard disclosed was not protected health information and that the disclosure was not a HIPAA violation. IU Health agreed and did not believe the HIPAA Rules had been violated. At the hearing, Dr. Bernard defended her right to speak to the media about medical issues when it is in the public interest, and her attorney confirmed that there are no laws that prohibit physicians from speaking with the media.

Dr. John Strobel, President of the Medical Licensing Board, believed Dr. Bernard disclosed too much information to the IndyStar reporter about the pending abortion and said consent should have been obtained before any information was disclosed. The majority decision of the Medical Licensing Board was that the disclosures violated state and federal privacy laws, and Dr. Bernard received a $1,000 fine for each of the three privacy violation counts. The Medical Licensing Board found the state had failed to meet the burden of proof for the other two counts, on reporting the child abuse and on Dr. Bernard being unfit to practice, and therefore did not suspend Dr. Bernard or put her on probation, so she is able to continue to practice in Indiana. Dr. Bernard will be given the right to appeal the decision.

The post Doctor Fined for Privacy Violations Following Abortion on 10-Year-Old Rape Victim appeared first on HIPAA Journal.

Point32Health Confirms Harvard Pilgrim Health Care Member Data Stolen in Ransomware Attack

In April 2023, Point32Health, the second-largest health insurer in Massachusetts and the parent company of Tufts Health Plan and Harvard Pilgrim Health Care, announced it suffered a ransomware attack that resulted in system outages, including the systems that serviced members, accounts, brokers, and providers. The attack was detected on April 17, and systems were rapidly taken offline to contain the breach, although at the time of the announcement it was unclear to what extent, if any, protected health information had been compromised.

Point32Health has provided an update on the incident and said it is likely that the protected health information of current and former members of Harvard Pilgrim Health Care plans was stolen in the attack. Point32Health said the forensic investigation confirmed that systems were breached on March 28, 2023, and the attackers maintained access to its systems until April 17, 2023, when the security breach was discovered. During that time the attackers exfiltrated files from its systems that contained personal and protected health information such as names, physical addresses, phone numbers, dates of birth, health insurance account information, Social Security numbers, provider taxpayer identification numbers, and clinical information.

Point32Health said some of the affected systems, including those used to service members, brokers, and providers, remain offline, including the systems that support Harvard Pilgrim Health Care Commercial and Medicare Advantage Stride℠ plans (HMO)/(HMO-POS). Point32Health is working with third-party cybersecurity experts and expects to bring those systems back online in the coming weeks. “We are currently going through the internal IT and business validations. Once this process is complete, alongside our thorough security screenings, some of our processes will become available in a phased fashion,” said Point32Health Director of Public Relations, Kathleen Makela.

Point32Health said it has reviewed and enhanced its user access protocols, enhanced vulnerability scanning, identified prioritized IT security improvements, implemented a new Endpoint Detection and Response (EDR) security solution, and performed a password reset for all administrative accounts.
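Two of the remediation measures reported above, the administrative password reset at Point32Health and the multifactor authentication requirement for remote access at Primary Solutions, share a verification step that incident responders typically run after containment: confirm that every privileged credential that was valid while the intruder had access has since been rotated, and that no remote-access account remains without MFA. The following is an added example, not code from HIPAA Journal or from either company. It uses the intrusion window stated in the article (March 28 to April 17, 2023) and a constructed, hypothetical set of account records; in a real environment the records would come from the directory service.

```python
from dataclasses import dataclass
from datetime import date

# Dates reported in the article: attackers held access from March 28, 2023
# until the breach was discovered and contained on April 17, 2023.
INTRUSION_START = date(2023, 3, 28)
CONTAINMENT_DATE = date(2023, 4, 17)


@dataclass(frozen=True)
class Account:
    """Minimal view of a directory account; field names are assumptions."""
    name: str
    is_admin: bool
    remote_access: bool
    mfa_enrolled: bool
    password_last_set: date


def dwell_days(start=INTRUSION_START, end=CONTAINMENT_DATE):
    """Length of the window during which any active credential may have been captured."""
    return (end - start).days


def stale_admin_credentials(accounts, containment=CONTAINMENT_DATE):
    """Admin accounts whose password was set on or before containment day.

    A password set during the intrusion window, or even on the day of
    containment, may have been observed by the attacker, so only a reset
    performed strictly after containment counts as a clean credential.
    """
    return sorted(a.name for a in accounts
                  if a.is_admin and a.password_last_set <= containment)


def remote_access_without_mfa(accounts):
    """Accounts permitted to connect remotely that are not enrolled in MFA."""
    return sorted(a.name for a in accounts if a.remote_access and not a.mfa_enrolled)


def post_incident_audit(accounts):
    """Summarise the credential checks a responder would want before restoring service."""
    return {
        "dwell_days": dwell_days(),
        "stale_admin_password": stale_admin_credentials(accounts),
        "remote_access_no_mfa": remote_access_without_mfa(accounts),
    }


# Constructed sample records (hypothetical; not data from any real organisation).
SAMPLE_ACCOUNTS = [
    Account("svc-backup-admin", True, False, False, date(2022, 11, 2)),   # never rotated
    Account("jdoe-admin", True, True, True, date(2023, 4, 20)),           # reset after containment
    Account("mroe", False, True, False, date(2023, 1, 15)),               # remote user, no MFA
    Account("helpdesk-admin", True, True, False, date(2023, 4, 17)),      # reset on containment day
]

if __name__ == "__main__":
    for key, value in post_incident_audit(SAMPLE_ACCOUNTS).items():
        print(f"{key}: {value}")
```

The two lists the audit returns are the work queue: stale admin passwords are rotated, and remote-access accounts without MFA are either enrolled or disabled before the VPN is reopened. The dwell figure is a reminder of how long any captured credential was usable, which is why the check keys on the containment date rather than on a fixed password age.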

Evidence has been found to indicate the protected health information of current and former health plan subscribers and their dependents has been compromised, but no reports have been received to date to indicate any misuse of the affected data; however, as a precaution against identity theft and fraud, affected individuals are being offered complimentary credit monitoring and identity theft protection services.

Point32Health and its subsidiaries serve more than 2 million individuals in New England, but it is unclear how many of those individuals have been affected.

The post Point32Health Confirms Harvard Pilgrim Health Care Member Data Stolen in Ransomware Attack appeared first on HIPAA Journal.