HIPAA Breach News

Morris Hospital & Healthcare Centers Notifies Almost 249,000 Patients About April Cyberattack

Posted by Steve Alder

Morris Hospital & Healthcare Centers in Illinois has started notifying 248,943 individuals about a cyberattack that was detected on April 4, 2023. When the breach was detected, third-party cybersecurity experts were engaged to investigate and determine the nature and scope of the incident and confirmed that files containing protected health information had been exfiltrated from its systems by unauthorized individuals.

The stolen files included the protected health information of current and former patients, employees, and their dependents and beneficiaries, including names, addresses, dates of birth, Social Security numbers, medical record numbers, account numbers, and diagnostic/treatment codes. While there has been no detected misuse of the stolen data, affected individuals have been advised to be cautious and take advantage of the complimentary identity theft resolution services that have been offered.

Morris Hospital & Healthcare Centers did not state the identity of the attackers in the notification letters, nor mention the nature of the attack. The HIPAA Journal can confirm that the Royal Ransomware group has claimed responsibility for the attack and added Morris Hospital to its dark web data leak site on May 22, 2023, along with some of the data that was compromised in the attack.

Jefferson Health DEXA Scan Backup Drive Lost or Stolen

Jefferson Health has recently started notifying patients of its Cherry Hill Hospital in New Jersey that some of their protected health information may have been compromised. Data was stored on a backup drive that was connected to its DEXA scan device. During routine maintenance, its vendor discovered the backup drive to be missing. An investigation was launched; however, it was not possible to determine what happened to the drive and it has been presumed lost or stolen.

The backup drive contained names, dates of birth, medical record numbers, study dates, and, for some individuals, mailing addresses. The device also included other information, but it could not be accessed without valid credentials and the appropriate software and technology. That information included diagnoses, phone numbers, Social Security numbers, insurance information, driver’s license numbers, and scans. Jefferson Health said it is reviewing and enhancing its security protocols to prevent similar incidents in the future.

The incident is not yet showing on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Pathways to Wellness Medication Clinics Reports Ransomware Attack

Patients of Pathways to Wellness Medication Clinics in Oakland, Union City, and Pleasanton in California have been notified that some of their protected health information was exposed in a cyberattack that was detected on March 28, 2023. An unauthorized individual gained access to and disabled its network. Third-party cybersecurity experts were engaged to investigate the breach and secure its systems and technical safeguards have been reviewed and are being updated to better protect patient data.

While no reports of misuse of patient data had been received up to July 5, 2023, data theft may have occurred. The exposed information included: first name, last name, address, health insurance information, provider name, Social Security number, date of birth, and gender. Affected individuals have been offered complimentary single bureau credit monitoring services. The incident has not yet been added to the Office for Civil Rights breach portal so it is currently unclear how many individuals have been affected.

The post Morris Hospital & Healthcare Centers Notifies Almost 249,000 Patients About April Cyberattack appeared first on HIPAA Journal.

CentroMed Notifies 350,000 Individuals About PHI Exposure

Posted by Steve Alder

El Centro Del Barrio, doing business as CentroMed in San Antonio, TX, has alerted 350,000 patients that some of their protected health information was potentially compromised in a hacking incident that was detected on June 12, 2023. The forensic investigation confirmed that some of its IT systems were accessed by unauthorized individuals on June 9, 2023, and access to files containing protected health information was confirmed and data theft could not be ruled out. The affected files contained the information of current and former patients, employees, and employee and provider spouses, partners, and dependents.

The affected patient data included names, addresses, dates of birth, Social Security numbers, financial account information, medical records numbers, health insurance plan member IDs, and claims data (including any diagnoses listed on claims). Employee and spouse/partner/dependent information data included names, Social Security numbers, financial account information, health insurance plan member IDs, and claims data. The affected individuals started to be notified by mail on August 11, 2023. CentroMed said additional safeguards and technical security measures have been implemented to prevent similar breaches in the future.

MOVEit Transfer Hacking Victims

Several more organizations have confirmed that they had data stolen by the Clop hacking group, which exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution.

Unum Group

Unum Group has confirmed that the protected health information of 531,732 individuals was compromised. Suspicious activity was detected within its environment on June 1, 2023, and it was confirmed on July 22, 2023, that the following data types had been compromised: name, date of birth, address, Social Security number or individual tax identification number, medical, health insurance claim, and policy information. A limited number of individuals also had financial information and/or other government-issued identification numbers compromised. Credit monitoring and identity protection services have been offered.

UMass Chan Medical School

UMass Chan Medical School said the protected health information of 134,000 individuals was compromised in the attack. The breach was discovered on June 1, 2023, and it determined the individuals and compromised data types on July 27, 2023. The information involved varied from individual to individual and may have included the following data types: name, date of birth, mailing address, diagnosis/treatment information, prescription information, provider name, date(s) of service, claim information, health insurance member ID number, other health insurance-related information, Social Security number, and financial account information. Credit monitoring and identity protection services have been offered.

Sovos Compliance

Sovos Compliance, a provider of tax compliance and business-to-government reporting software, reported its breach to the Maine Attorney General as affecting a total of 18,513 individuals, although its OCR breach report indicates the PHI of 4,563 individuals was compromised in the attack. The breach was discovered on June 12, 2023, and the investigation confirmed personally identifiable information and Social Security numbers had been stolen. Credit monitoring and identity protection services have been offered.

Data Media Associates

Data Media Associates, a billing service provider to UB Dental Clinic in Buffalo, NY, said its investigation confirmed on July 20, 2023, that the data of 765 UB Dental patients was compromised. The breach was limited to patients who received billing statements between May 4 and May 26, 2023. The compromised information involved the following data elements: practice demographics, patient account number, patient name, guarantor demographics, statement date, amount due, service date, service/payment descriptions, charge amount, payments, or adjustments.

The post CentroMed Notifies 350,000 Individuals About PHI Exposure appeared first on HIPAA Journal.

July 2023 Healthcare Data Breach Report

Posted by Steve Alder

There was a 15.2% fall in reported data breaches in July with 56 breaches of 500 or more records reported to the HHS’ Office for Civil Rights (OCR), which makes July an average month for data breaches. Over the past 12 months, 57 breaches have been reported each month on average; however, July was not an average month in terms of the number of compromised records.

There was a 261% month-over-month increase in breached records in July, with 18,116,982 records breached across the 56 reported incidents. The incredibly high total was due to a major data breach at HCA Healthcare that saw the records of 11,270,000 individuals compromised.

The figures this month bring the running breach total for 2023 up to 395 incidents, across which the records of 59,569,604 individuals have been exposed or stolen. The average breach size for 2023 is 150,809 records and the median breach size is 4,209 records. Over the past 12 months, more than 81.76 million records have been breached across 683 incidents.

Largest Healthcare Data Breaches Reported in July

HCA Healthcare is a Nashville, TN-based health system that operates 182 hospitals and around 2,300 sites of care. Hackers gained access to an external electronic storage facility that was used by a business associate for automating the formatting of email messages, such as reminders sent to patients about scheduling appointments. While the breach was one of the largest ever reported, the data stolen in the attack was limited. HCA Healthcare said the data compromised was limited to name, city, state, zip code, email, telephone number, date of birth, gender, service date, location, and, in some instances, the date of the next appointment.

The second largest breach, reported by the Centers for Medicare and Medicaid Services (CMS) as affecting 1,362,470 Medicare recipients, was more severe due to the types of data compromised. The breach occurred at a CMS contractor, Maximus Federal Services, Inc. (Maximus). Maximus was one of hundreds of organizations to fall victim to the mass exploitation of a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution. Progress Software identified the vulnerability and issued a patch on May 31, 2023; however, the vulnerability had already been exploited by the Clop hacking group. The total number of victims of this breach has yet to be determined; however, Kon Briefing has been tracking the breach reports and reports that at least 734 organizations had the vulnerability exploited and between 42.7 million and 47.6 million records were stolen in the attack. Clop did not encrypt data, just stole files and issued ransom demands, payment of which was required to prevent the release or sale of the stolen data. In July, 26 breaches of 10,000 or more records were reported to OCR, 11 of which were due to the exploitation of the MOVEit vulnerability. All but two of the 26 breaches were due to hacking incidents.

Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach Cause of Breach
HCA Healthcare TN Business Associate 11,270,000 Hacking/IT Incident Hacking Incident – External, electronic storage facility used by a business associate
Centers for Medicare & Medicaid Services MD Health Plan 1,362,470 Hacking/IT Incident Hacking incident – MOVEit Transfer data theft/extortion (Maximus)
Florida Health Sciences Center, Inc. dba Tampa General Hospital FL Healthcare Provider 1,313,636 Hacking/IT Incident Hacking incident – Ransomware attack
Pension Benefit Information, LLC MN Business Associate 1,209,825 Hacking/IT Incident Hacking incident – MOVEit Transfer data theft/extortion
Allegheny County PA Healthcare Provider 689,686 Hacking/IT Incident Hacking incident – MOVEit Transfer data theft/extortion
United Healthcare Services, Inc. Single Affiliated Covered Entity CT Health Plan 398,319 Hacking/IT Incident Hacking incident
Johns Hopkins Medicine MD Healthcare Provider 310,405 Hacking/IT Incident Hacking incident – MOVEit Transfer data theft/extortion
Harris County Hospital District d/b/a Harris Health System TX Healthcare Provider 224,703 Hacking/IT Incident Hacking incident – MOVEit Transfer data theft/extortion
Precision Anesthesia Billing LLC FL Business Associate 209,200 Hacking/IT Incident Hacking incident – Ransomware attack
Fairfax Oral and Maxillofacial Surgery VA Healthcare Provider 208,194 Hacking/IT Incident Hacking incident
The Chattanooga Heart Institute TN Healthcare Provider 170,450 Hacking/IT Incident Hacking incident – Data theft confirmed
Phoenician Medical Center, Inc AZ Healthcare Provider 162,500 Hacking/IT Incident Hacking incident – Data theft confirmed
UT Southwestern Medical Center TX Healthcare Provider 98,437 Hacking/IT Incident Hacking incident – MOVEit Transfer data theft/extortion
Hillsborough County, Florida (County Government) FL Healthcare Provider 70,636 Hacking/IT Incident Hacking incident – MOVEit Transfer data theft/extortion
Family Vision of Anderson, P.A. SC Healthcare Provider 62,631 Hacking/IT Incident Hacking incident – Ransomware attack
Jefferson County Health Center IA Healthcare Provider 53,827 Hacking/IT Incident Hacking incident – Data theft confirmed (Karakurt threat group)
New England Life Care, Inc. ME Healthcare Provider 51,854 Hacking/IT Incident Hacking incident
Care N’ Care Insurance Company, Inc. TX Health Plan 33,032 Hacking/IT Incident Hacking incident – MOVEit Transfer data theft/extortion (TMG Health Inc)
Synergy Healthcare Services GA Business Associate 25,772 Hacking/IT Incident Hacking incident
Rite Aid Corporation PA Healthcare Provider 24,400 Hacking/IT Incident Hacking incident – MOVEit Transfer data theft/extortion
Life Management Center of Northwest Florida, Inc. FL Healthcare Provider 19,107 Hacking/IT Incident Hacking incident
Saint Francis Health System OK Healthcare Provider 18,911 Hacking/IT Incident Hacking incident – MOVEit Transfer data theft/extortion
Pennsylvania Department of Human Services PA Healthcare Provider 16,390 Unauthorized Access/Disclosure Hacking incident – Unauthorized access to a system test website
The Vitality Group, LLC IL Business Associate 15,569 Hacking/IT Incident Hacking incident – MOVEit Transfer data theft/extortion
Wake Family Eye Care NC Healthcare Provider 14,264 Hacking/IT Incident Hacking incident – Ransomware attack
East Houston Med and Ped Clinic TX Healthcare Provider 10,000 Unauthorized Access/Disclosure Storage unit sold that contained boxes of patient records

Causes of July 2023 Data Breaches

Hacking incidents dominated the breach reports in July, with 49 incidents reported to OCR involving 18,083,328 records. The average breach size was 369,048 records and the median breach size was 9,383 records. The majority of these incidents were data theft and extortion incidents, where hackers gained access to networks, stole data, and issued ransom demands. Many hacking groups are now choosing not to encrypt files and are concentrating on data theft and extortion. When claiming responsibility for the MOVEit attacks, a spokesperson for the Clop group said they could have encrypted data but chose not to.

There were 7 unauthorized access/disclosure incidents reported involving the PHI of 33,654 individuals. The average breach size was 4,808 records and the median breach size was 1,541 records. Three of those incidents involved unauthorized access to paper records and three were email-related data breaches. There were no reported breaches involving the loss, theft, or impermissible disclosure of physical records or devices containing electronic PHI.

Where did the Data Breaches Occur?

The OCR breach portal lists data breaches by the reporting entity, although that is not necessarily where the data breach occurred. Business associates of HIPAA-covered entities may report their own breaches, they may be reported by the covered entity, or a combination of the two. For instance, Maximus reported its MOVEit Transfer breach as affecting 932 individuals, but many of its clients were affected and the total number of individuals affected was in the millions.

The raw data on the breach portal indicates 37 breaches at healthcare providers, 11 breaches at business associates, 7 at health plans, and one breach at a healthcare clearing house. The charts below are based on where the breach occurred, rather than the reporting entity.

Geographical Distribution of Data Breaches

Data breaches of 500 or more records were reported by HIPAA-regulated entities in 25 states. Texas was the worst affected state with 7 breaches, with Florida and California also badly affected.

State Breaches
Texas 7
Florida 6
California 5
Maryland, Pennsylvania & Tennessee 4
Arizona & North Carolina 3
Connecticut, Illinois & Minnesota 2
Georgia, Idaho, Indiana, Iowa, Kentucky, Maine, Michigan, New Jersey, New York, Ohio, Oklahoma, South Carolina, Virginia & Washington 1

HIPAA Enforcement Activity in July 2023

There were no enforcement actions announced by OCR or state attorneys general in July to resolve HIPAA violations.

The post July 2023 Healthcare Data Breach Report appeared first on HIPAA Journal.

Cummins Behavioral Health Reports 157K Record Data Breach

Posted by Steve Alder

Cummins Behavioral Health Systems Inc. in Avon, IN, has recently reported a data security incident to the Maine attorney general that has affected 157,688 patients. On March 9, 2023, a ransom note was detected within its computer environment that had been placed there by an unauthorized individual. No file encryption occurred; however, the attacker claimed to have infiltrated sensitive data.

The forensic investigation confirmed that an unauthorized individual had access to its network between February 2, 2023, and March 9, 2023. The information removed from its systems included names, addresses, dates of birth, Social Security numbers, driver’s license/State ID numbers, financial account information, payment card information, usernames/passwords, health insurance information, and medical information. System security has been strengthened to prevent similar incidents in the future and affected individuals have been offered complimentary credit monitoring and identity theft protection services.

Email Encryption Failure Exposed Client Data at Redwood Coast Regional Center

Redwood Coast Regional Center (RCRC), a provider of services to individuals with developmental disabilities in Del Norte, Humboldt, Lake, and Mendocino Counties in California, has alerted 1,345 individuals about the exposure of some of their data. On June 14, RCRC’s mail server encryption software failed due to a system outage, which resulted in public health information being shared in plain text messages, which could potentially have been intercepted by unauthorized individuals. The exposed data was limited to client names, UCI numbers, addresses, dates of birth, and/or authorized service information. No information was exposed that would put clients at risk of identity theft. RCRC said it is reviewing its procedures and practices to prevent similar data exposures in the future.

Coastal Orthopedics Alerts Patients About Cyberattack and Data Breach

Bradenton, FL-based Coastal Orthopedics & Sports Medicine of Southwest Florida has recently confirmed that hackers gained access to its network and potentially obtained patient data. The cyberattack was detected on June 11, 2023, and the subsequent forensic investigation confirmed unauthorized access to its network between June 6, 2023, and June 11, 2023, and data exfiltration.

The breach investigation is ongoing, so it is currently unclear how many individuals have been affected or the exact types of information involved; however, the compromised data is likely to include a combination of names, Social Security numbers, patient identification numbers, medical record numbers, diagnosis information, other medical information, addresses, driver’s license number, health insurance information, financial account information, and dates of birth. Policies, procedures, and processes are being reviewed to reduce the likelihood of a similar event in the future and notification letters will be sent to the affected individuals when the file review has been completed.

Capital Neurological Surgeons Reports Email Account Breach

Capital Neurological Surgeons in Sacramento, CA, has recently discovered that an unauthorized individual gained access to an employee email account and potentially obtained patient information. The email account was accessed on January 17, 2023, with the forensic investigation confirming on July 20, 2023, that the account contained protected health information.

The information potentially compromised varied from patient to patient and may have included names in combination with one or more of the following: Social Security numbers, date of birth, driver’s license numbers or state identification numbers, medical information (diagnosis/clinical information, treatment type or location, doctor name, medical procedure information, medical record number, patient account number, and/or prescription information), and/or health insurance policy information. Affected individuals were notified by mail on August 4, 2023. The delay in issuing notification letters was due to the lengthy file review. Complimentary credit monitoring services have been offered to individuals who had their Social Security numbers compromised.

The incident is not yet showing on the HHS’ Office for Civil Rights breach portal, so it is currently clear how many individuals have been affected.

The post Cummins Behavioral Health Reports 157K Record Data Breach appeared first on HIPAA Journal.

Tift Regional Medical Center Patients Notified About August 2022 Cyberattack

Posted by Steve Alder

Tift Regional Medical Center in Georgia has started notifying 180,142 patients that their personal and protected health information was compromised in a cyberattack that was detected on or around August 16, 2022. According to the notification letters, there was no encryption of systems, access was not gained to its electronic medical record system, and the network remained available to staff and patients. The forensic investigation of the incident indicated files “were or may have been accessed or copied without authorization between August 11, 2022, and August 17, 2022.” The attack was conducted by the Hive ransomware group, which was the subject of a law enforcement takedown in January 2023. The Hive group claimed to have stolen 1TB of data in the attack, some of which was released on its data leak site.

The affected patients were informed that the files contained names, dates of birth, Social Security numbers, and medical information. Complimentary credit monitoring services have been offered for 12 months. The HIPAA Breach Notification Rule requires notifications to be issued within 60 days of the discovery of a data breach, and the HHS was notified on time (October 14, 2022). A provisional total of 500 records was reported as it was not known at the time how many individuals had been affected. Individual notifications are also required in that same time frame. Tift Regional Medical Center did not explain in the notification letters why there was a delay in sending the notification letters.

Health Plan Member Data Compromised in Ransomware Attack on the City of Dallas

The city of Dallas suffered a ransomware attack on May 3, 2023, that impacted several of its websites and IT systems. Online services were offline for several days with some IT systems across its network down for several weeks following the attack. The city has reportedly paid at least $8.6 million for hardware, software, incident response, and consulting services in response to the Royal ransomware attack. The city has recently notified the HHS’ Office for Civil Rights that the protected health information of 30,253 members of its self-insured group health plans had their data stolen in the attack, including names, addresses, social security numbers, and medical and health information.

Confirmed MOVEit Transfer Hacks by the Clop Hacking Group

The following HIPAA-regulated entities have recently confirmed that they were affected by the MOVEit Transfer hacks by the Clop group in late May 2023. A zero day vulnerability was exploited in Progress Software’s file transfer solution, data was stolen, and ransom demands were issued.

United Healthcare Services, Inc., MN.

Individuals affected: 398,319

Attacked entity: United Healthcare Services.

Information compromised: name, date of birth, address, phone number, email address, plan identification number, policy information, student identification number, Social Security number or national identification number, and claim information, including claim numbers, provider information, dates of service, diagnosis codes, prescription information, and financial information associated with claims.

Credit Monitoring: Norton LifeLock credit monitoring and identity theft protection for 24 months.

VNS Health Plans, NY

Individuals affected: 103,775

Attacked entity: VNS Health Plans’ claims processing vendor, TMG Health Inc.

Information compromised: name, mailing address, telephone number, email address, date of birth, social security number, member ID, Medicare and/or Medicaid number, benefit and subsidy information, billing information, medical claims information, healthcare provider name and specialty, and dates of service.

Credit Monitoring: Personal Identity and Privacy Protection through IDX for 12 months.

Vecino Health Centers, TX

Individuals affected: No information at this stage.

Attacked entity: Harris Health.

Information compromised: name, date of birth, prescription date(s).

Credit Monitoring: Not stated in the substitute breach notice.

The post Tift Regional Medical Center Patients Notified About August 2022 Cyberattack appeared first on HIPAA Journal.

Records of 4 Million Coloradans Compromised in MOVEit Transfer Attack

Posted by Steve Alder

The Colorado Department of Health Care Policy and Financing (HCPF), which oversees the state’s Medicaid program and the Child Health Plan Plus (CHP+) program, has recently confirmed that the protected health information of 4,091,794 individuals was compromised. The attack occurred at IBM, one of its vendors, and involved the MOVEit Transfer application that was used by IBM for file transfers. HCPF said its own systems were not affected.

Hackers (Clop) exploited a zero day vulnerability in the MOVEit Transfer file transfer solution and exfiltrated data and attempted to extort money from the victims. The information security firm Kon Briefing has been tracking the incidents and reports that at least 670 organizations fell victim to the attacks and the records of 46 million individuals are known to have been compromised.

HCPF said the breach involved the data of Health First Colorado and CHP+ users and included names, Social Security numbers, Medicaid and Medicare IUD numbers, birth dates, addresses and other contact information, demographic/income information, health insurance information and clinical and medical information, including diagnoses, conditions, lab results, medications, and other treatment information. 24 months of complimentary credit monitoring and identity theft protection services have been offered to the affected individuals.

Several other HIPAA-regulated entities have confirmed that they have been affected. Radius Global Solutions, a Minnesota-based HIPAA business associate that provides customer engagement and technology services, has confirmed that the protected health information of 600,794 individuals was compromised in the Clop MOVEit Transfer attacks, including names, dates of birth, Social Security numbers, treatment codes, treatment locations, health insurance provider names, and treatment payment histories. 24 months of complimentary credit monitoring and identity theft protection services have been offered to the affected individuals.

Indiana Family and Social Services Administration has recently confirmed that the state Medicaid enrollment broker, Maximus Health Services Inc., had its MOVEit server hacked and the protected health information of 744,000 Indiana Medicaid members was compromised including names, addresses, case numbers, and Medicaid numbers. Maximus handles the department’s communications with Medicaid recipients. The Clop group had access to its MOVEIt server from May 27 to May 31, 2023.

Florida Healthy Kids, a provider of health and dental insurance to children in Florida was also impacted by the Maximus breach, although it is currently unclear how many individuals had their data compromised in the incident. Maximus said 24 months of complimentary credit monitoring and identity theft protection services are being offered to the affected individuals.

Last month, Johns Hopkins Health System confirmed that it was investigating a cyberattack that impacted systems used by Johns Hopkins University and Johns Hopkins Health System, and the data breach was reported to the HHS’ Office for Civil Rights by Johns Hopkins Health System as affecting 2584 individuals and by Howard County General Hospital as affecting 2975 individuals. Johns Hopkins has now confirmed that its MOVEit server was attacked, and Johns Hopkins Medicine has now notified the HHS’ Office for Civil Rights that the protected health information of 310,405 individuals was compromised in the attack and said it is in the process of notifying those individuals and will be offering complimentary credit monitoring and identity theft protection services to those individuals.

The post Records of 4 Million Coloradans Compromised in MOVEit Transfer Attack appeared first on HIPAA Journal.

Johns Hopkins Medicine Confirms More Than 310,400 Individuals Affected by MOVEit Hack

Posted by Steve Alder

Last month, Johns Hopkins Health System announced it was investigating a cyberattack and data breach, which was reported to the HHS’ Office for Civil Rights by Johns Hopkins Health System and Howard County General Hospital as affecting more than 5,500 individuals.

Hackers (Clop) exploited a zero day vulnerability in the MOVEit Transfer file transfer solution and exfiltrated data and attempted to extort money from the victims. The information security firm Kon Briefing has been tracking the incidents and reports that at least 670 organizations fell victim to the attacks and more than 41 million records are now confirmed as having been compromised. Johns Hopkins Medicine has now notified the HHS’ Office for Civil Rights that the protected health information of 310,405 individuals was compromised in the attack and said it is in the process of notifying those individuals. Complimentary credit monitoring and identity theft protection services are being offered to the affected individuals.

Several other HIPAA-regulated entities have confirmed that they have been affected. Radius Global Solutions, a Minnesota-based HIPAA business associate that provides customer engagement and technology services, has confirmed that the protected health information of 600,794 individuals was compromised in the Clop MOVEit Transfer attacks, including names, dates of birth, Social Security numbers, treatment codes, treatment locations, health insurance provider names, and treatment payment histories. 24 months of complimentary credit monitoring and identity theft protection services have been offered to the affected individuals.

The Colorado Department of Health Care Policy and Financing, which oversees the state’s Medicaid program and the Child Health Plan Plus (CHP+) program, was also affected. The protected health information of Health First Colorado and CHP+ users was compromised in the attack, including names, Social Security numbers, Medicaid and Medicare IUD numbers, birth dates, contact information, demographic/income information, health insurance information, and clinical and medical information, including diagnoses, conditions, lab results, medications, and other treatment information. 24 months of complimentary credit monitoring and identity theft protection services have been offered to the affected individuals. The incident was reported to the Maine Attorney General as affecting up to 4,091,794 individuals.

The Indiana Family and Social Services Administration has recently confirmed that the state Medicaid enrollment broker, Maximus Health Services Inc., had its MOVEit server hacked and the protected health information of 744,000 Indiana Medicaid members was compromised including names, addresses, case numbers, and Medicaid numbers. Maximus handles the department’s communications with Medicaid recipients. The Clop group had access to its MOVEit server from May 27 to May 31, 2023. Florida Healthy Kids, a provider of health and dental insurance to children in Florida, was also impacted by the Maximus breach, although it is currently unclear how many individuals had their data compromised in the incident. Maximus said 24 months of complimentary credit monitoring and identity theft protection services are being offered to the affected individuals.

The post Johns Hopkins Medicine Confirms More Than 310,400 Individuals Affected by MOVEit Hack appeared first on HIPAA Journal.

Ottumwa Fire Department Fires Employees for Misconduct and HIPAA Violations

Posted by Steve Alder

The Ottumwa Fire Department in Iowa has recently fired employees for alleged violations of the HIPAA Rules and other misconduct. The City of Ottumwa launched an investigation of three members of the fire department, two of whom have been terminated and one left the department in lieu of termination for “behaviors that violated department rules, safe practices, and the values and standards of the City of Ottumwa”.

The city engaged the law firm, Dentons Davis Brown, to investigate allegations of misconduct, which included sexual activity while on duty, disclosures of sensitive information to unauthorized individuals, and allowing unauthorized individuals to ride in fire vehicles.

Firefighters Derek Fye and Dillon McPherson were discovered to have violated the HIPAA rules by divulging patient information obtained by the fire department when responding to incidents, which included medical histories, conditions, and other information. Captain Bill Keith was similarly fired for HIPAA violations, allowing unauthorized individuals to ride in fire vehicles, failing to report instances of employee misconduct, and failing to adequately lead those under his command. Kye and Keith are entitled to request a hearing.

Brigham and Women’s Hospital Exposed Patient Data Over the Internet

Brigham and Women’s Hospital in Boston, MA, has alerted 987 patients about the impermissible disclosure of some of their protected health information. According to the notification letters, the data of patients who participated in a research study/quality improvement project has been exposed online. Graphs had been created as part of the study/project to share with others within the healthcare community using a data analytics tool called Tableau.

The graphs, which only included high-level and summary information, were accidentally posted to the public version of the Tableau tool; however, a link was included that, if clicked, allowed access to sensitive information including names, addresses, medical record numbers, dates of birth, email addresses, and phone numbers. Clinical information that could have been accessed included diagnoses, lab results, medications, and procedures. The exposed data varied from individual to individual. Affected individuals were notified on August 4, 2023.

For the research study, the data was published on the tool on February 25, 2018, and for the quality improvement project, on January 14, 2023. The publicly accessible link was discovered on June 8, 2023, and was removed on June 13. The research study data was accessible between February 25, 2018 – June 13, 2023, and the quality improvement project data was exposed between January 14, 2023 – June 13, 2023.

IVF Michigan Notifies Patients About February 2023 Ransomware Attack

IVF Michigan has recently notified 9,383 patients that some of their protected health information was compromised in a February 25, 2023, ransomware attack. IVF Michigan, which includes Ohio Fertility Centers, said its security software detected the attack almost immediately and disconnected systems from the internet and shut them down. IVF Michigan learned of the breach on February 28.  The incident was investigated by its security services vendor and it was determined that files had been accessed and were likely exfiltrated; however, no evidence has been found to indicate any misuse of patient data.

The files potentially obtained in the attack included names, addresses, zip codes, birth dates, driver’s license numbers, Social Security numbers, diagnoses, conditions, lab results, medications, treatment information, claims information, and credit card/bank account numbers. The information involved varied from individual to individual.

Jefferson County Health Center Reports Hacking Incident

Jefferson County Health Center in Fairfield, IA, has discovered unauthorized individuals gained access to its network between April 24, 2023, and May 30, 2023, and may have obtained files containing patients’ protected health information. The breach was detected on May 30, 2023, when suspicious activity was identified within its network.

While unauthorized network access was confirmed, evidence of data theft was not found; however, it is possible that sensitive data was stolen in the attack such as names, medical histories, diagnoses, medical treatment information, and health insurance information. The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

The post Ottumwa Fire Department Fires Employees for Misconduct and HIPAA Violations appeared first on HIPAA Journal.

Missouri Department of Social Services Confirms Medicaid Recipients’ Data Compromised in MOVEit Hacks

Posted by Steve Alder

Four more entities have confirmed they were affected by the mass hacks of the MOVEit Transfer file transfer solution and had protected health information stolen.

Missouri Department of Social Services

The Missouri Department of Social Services (DSS) has confirmed that the data of Medicaid recipients was compromised in the recent mass MOVEit hacks by the Clop threat group. Clop conducted hundreds of attacks starting on May 27, 2023, that exploited a zero-day vulnerability in the MOVEit Transfer file transfer solution – CVE-2023-34362. More than 610 companies, organizations, and other entities were attacked and had data stolen.

According to the Missouri DSS, the attack occurred at IBM Consulting. The Missouri DSS said that when it was made aware of the incident it disconnected the MOVEit servers from internal IT systems and launched an investigation into the breach. The DSS confirmed that no DSS systems were breached, only the MOVEit server, which contained data such as names, department client numbers, birth dates, benefit eligibility status/coverage, and medical claims information. It is currently unclear exactly how many Medicaid recipients were affected. The DSS said all Missouri Medicaid recipients are being notified about the breach as a precaution.

Omaha Health Insurance Company

The Omaha Health Insurance Company (OHIC), part of Mutual of Omaha, has reported a security breach at a third-party vendor that exposed the records of individuals who were enrolled in the Medicare Part D Prescription Drug Plan, which was issued by Mutual of Omaha Rx.

The vendor discovered the security breach on June 21, 2023, and notified OHIC about the breach on June 22, 2023. The OHIC investigation confirmed that sensitive data was downloaded by the threat group between May 30, 2023, and June 2, 2023. The exposed data included names, dates of birth, Social Security numbers, claims information, banking information, billing information, and treatment information. Affected individuals have been offered complimentary credit monitoring services. The vendor was not named in the notification sent to the state attorney general.

IU Health

IU Health in Indianapolis has confirmed that patient data was compromised in the mass MOVEit Transfer hacks. The incident occurred at a third-party claims processor, TMG Health. IU Health was notified about the breach on June 22, 2023, and was informed that IU Health Plan data was compromised, including names, member ID numbers, plan effective dates, and for some individuals, bank account information. IU Health Plans notified the affected members on August 4, 2023, and offered complimentary credit monitoring services.  It is currently unclear how many plan members were affected.

Hillsborough County, IA

Hillsborough County in Florida has reported a breach of the protected health information of 70,636 patients to the HHS’ Office for Civil Rights. The county learned about the MOVEit Transfer incident on breach on June 1, 2023, and determined on June 22, 2023, that the compromised data included individuals who received care through Hillsborough County Health Care Services. That information included names, Social Security numbers, dates of birth, home addresses, medical conditions, diagnoses, and disability codes. Certain vendors were notified that some employee data may have been compromised. The affected vendors will notify their employees directly.

The post Missouri Department of Social Services Confirms Medicaid Recipients’ Data Compromised in MOVEit Hacks appeared first on HIPAA Journal.