HIPAA Breach News

19,000 Amazon PillPack Customer Accounts Compromised

The Amazon-owned online pharmacy, PillPack, has recently started notifying 19,000 customers that some of their protected health information was compromised in a cyberattack in April. Unauthorized customer account activity was detected by PillPack on April 3, 2023, and the investigation revealed customer accounts had been accessed by an unauthorized third party between April 2 and April 6, 2023. The compromised accounts contained names, addresses, phone numbers, and email addresses. Approximately 3,600 of the accounts also included prescription information.

The forensic investigation confirmed that the usernames and passwords used to access the accounts were not stolen from PillPack and had most likely been obtained in a breach at another platform where the same usernames and passwords were used. These credential-stuffing attacks can only occur when usernames and passwords have been used on multiple platforms. PillPack has not identified any misuse of customer data, and the types of information in the accounts are not sufficient to be used for identity theft. However, victims of the breach could be subject to phishing attempts to obtain further information. PillPack confirmed that the breach was limited to PillPack and notification letters have been mailed to affected individuals.

Fertility Specialists Medical Group Cyberattack Impacts 9,400 Patients

Carlsbad, CA-based Fertility Specialists Medical Group (FSMG) has recently discovered unauthorized individuals gained access to its network and potentially obtained the protected health information of 9,437 current and former patients. The network intrusion was detected on March 20, 2023, and a third-party forensic investigation was initiated to determine the nature and scope of the incident. The investigation concluded on April 21, 2023, that an unauthorized individual had access to the network and potentially acquired files containing first and last names, dates of birth, and medical information. Some of the affected individuals also had their Social Security numbers exposed. No reports of misuse of the exposed data had been received at the time of issuing notifications.

FSMG said IT specialists confirmed the security of its systems, and data security measures will be regularly reviewed to prevent similar incidents in the future. Complimentary credit monitoring services and identity theft protection services have been offered to all affected individuals.

Northwest Health – La Porte Impacted by Fortra GoAnywhere Hack

Northwest Health – La Porte in Indiana has recently confirmed that the protected health information of 10,256 patients was compromised in the Clop ransomware group’s series of attacks between January 28, 2023, and January 30, 2023. The threat actors exploited a zero-day vulnerability in Fortra’s GoAnywhere file transfer software and exfiltrated data, which was used in attempts to extort money from victims.

Fortra has confirmed that unauthorized access is no longer possible, and its file transfer platform has been rebuilt with the vulnerability patched. Affected individuals have been offered ID restoration and credit monitoring services for the period stipulated by state law.

PHI Potentially Compromised in Cyberattack on IMA Financial Group, Inc.

The Wichita, KS-based integrated financial services company, IMA Financial Group, Inc., has confirmed that the protected health information of 2,937 individuals associated with IMA or its clients has potentially been obtained by unauthorized individuals.

Suspicious network activity was detected by IMA on October 19, 2022. Steps were immediately taken to secure its systems and a third-party cybersecurity firm was engaged to investigate the incident. The investigation confirmed that access to IMA data had been gained and information was potentially acquired by unauthorized individuals on October 19, 2023.

The data review concluded on March 10, 2023, that the files potentially obtained in the attack included protected health information such as names, dates of birth, Social Security numbers, driver’s license information, other government identification numbers, health information, and/or claim-related information. Up-to-date contact information then needed to be obtained, and notification letters started to be sent on April 19, 2023.

MU Health Care Discovers Employee HIPAA Violation

Columbia, MO-based MU Health Care has discovered an employee accessed the medical records of 736 patients without any legitimate work reason for doing so. The unauthorized access was discovered in March 2023 and the internal investigation confirmed that patient records were accessed by the employee between July 2021 and March 2023.

The types of information that could have been viewed included names, dates of birth, medical record numbers, and clinical and treatment information, such as diagnoses and procedure information. A spokesperson for MU Health Care said the individual concerned was subject to internal disciplinary procedures and there are no indications that any of the information accessed has been misused or further disclosed. Notification letters are being sent to all affected individuals.

The post 19,000 Amazon PillPack Customer Accounts Compromised appeared first on HIPAA Journal.

NY AG Fines Medical Management Company $550,000 for Patch Management Failures

A medical management company has been fined $550,000 by the New York Attorney General for failing to prevent a cyberattack that exposed the personal and protected health information of 1.2 million individuals, including 428,000 New Yorkers.

Professional Business Systems Inc, which does business as Practicefirst Medical Management Solutions and PBS Medcode Corp, had its systems hacked in November 2020. The threat actor exfiltrated sensitive data from its systems and then deployed ransomware to encrypt files. As proof of data theft and to pressure Practicefirst into paying the ransom, files were uploaded to the threat actor’s dark web data leak site. The leaked data included screenshots of 13 patients’ protected health information. Practicefirst’s investigation confirmed the threat actor exfiltrated approximately 79,000 files from its systems, which contained names, dates of birth, driver’s license numbers, Social Security numbers, diagnoses, medication information, and financial information.

The investigation conducted by the Office of the New York Attorney General determined that the hacker gained initial access to Practicefirst’s systems by exploiting a critical vulnerability in its firewall. The firewall provider released an updated version of the firewall software in January 2019, but Practicefirst failed to apply the update. Practicefirst did not conduct penetration tests or vulnerability scans, or perform other security tests that would have highlighted the vulnerability before it was exploited. The protected health information stored on its systems was also not encrypted. The New York Attorney General determined that these failures violated state law and the federal Health Insurance Portability and Accountability Act (HIPAA).

Practicefirst agreed to settle the alleged violations of HIPAA and state law. In addition to the financial penalty, Practicefirst has agreed to strengthen its data security practices and will offer affected individuals complimentary credit monitoring services. The data security measures agreed upon as part of the settlement include the development, implementation, and maintenance of a comprehensive information security program, encryption for health information stored on its systems, implementation of a patch management system with timely patching of vulnerabilities, regular vulnerability scans and penetration tests, and updates to its data collection, retention, and disposal practices.

“When a person is seeking medical care, their last concern should be the security of their personal information,” said Attorney General Letitia James. “Each and every company charged with maintaining and handling patient data should take their responsibility to protect personal information, particularly health records, seriously. New Yorkers can trust that when companies fail at their duty, my office will step in to hold them accountable.”


April 2023 Healthcare Data Breach Report

There was a 17.5% month-over-month fall in the number of reported healthcare data breaches with 52 breaches of 500 or more records reported to the HHS’ Office for Civil Rights (OCR) – less than the 12-month average of 58 breaches per month, and one less than in April 2022.

April 2023 Healthcare Data Breaches

One of the largest healthcare data breaches of the year was reported in April, but there was still a significant month-over-month reduction in breached records, which fell by 30.7% to 4,425,891 records. The total is less than the 12-month average of 4.9 million records a month, although more than twice the number of records that were breached in April 2022.

Healthcare records breached in the last 12 months - April 2023

Largest Healthcare Data Breaches Reported in April 2023

As previously mentioned, April saw a major data breach reported that affected 3,037,303 individuals – the third largest breach to be reported by a single HIPAA-covered entity so far this year, and the 19th largest breach to be reported by a single HIPAA-regulated entity to date. The breach occurred at the HIPAA business associate, NationsBenefits Holdings, and was a data theft and extortion attack by the Clop ransomware group involving the Fortra GoAnywhere MFT solution. 8 of the month’s 21 breaches of 10,000 or more records were due to these Clop attacks, including the top 5 breaches in April. Brightline Inc. was also hit hard by those attacks, which were reported separately for each covered entity client (9 reports). Together, the attacks on Brightline involved the PHI of more than 964,000 individuals.

18 of the 21 breaches of 10,000 or more records were hacking incidents. The remaining three breaches were unauthorized disclosures of protected health information, one due to tracking technologies and the other two due to mailing errors. While ransomware and data theft/extortion attacks dominated the breach reports, phishing, business email compromise, and other email account breaches are common, with 5 of the top 21 breaches involving hacked email accounts. End-user security awareness training is recommended to reduce susceptibility to these attacks and multifactor authentication should be implemented on all email accounts, ideally using phishing-resistant multifactor authentication.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Location of Breached Information | Breach Cause |
|---|---|---|---|---|---|
| NationsBenefits Holdings, LLC | FL | Business Associate | 3,037,303 | Network Server | Hacking and extortion (Fortra GoAnywhere MFT) |
| Brightline, Inc. | CA | Business Associate | 462,241 | Network Server | Hacking and extortion (Fortra GoAnywhere MFT) |
| Brightline, Inc. | CA | Business Associate | 199,000 | Network Server | Hacking and extortion (Fortra GoAnywhere MFT) |
| Brightline, Inc. | CA | Business Associate | 180,694 | Network Server, Other | Hacking and extortion (Fortra GoAnywhere MFT) |
| California Physicians’ Services d/b/a Blue Shield of California | CA | Business Associate | 61,790 | Network Server | Hacking and extortion (Fortra GoAnywhere MFT) |
| MiniMed Distribution Corp. | CA | Healthcare Provider | 58,374 | Network Server | Unauthorized disclosure of PHI to Google and other third parties (Tracking code) |
| Brightline, Inc. | CA | Business Associate | 49,968 | Network Server, Other | Hacking and extortion (Fortra GoAnywhere MFT) |
| United Steelworkers Local 286 | PA | Health Plan | 37,965 | Email | Hacked email account |
| Retina & Vitreous of Texas, PLLC | TX | Healthcare Provider | 35,766 | Network Server | Hacking incident |
| Brightline, Inc. | CA | Business Associate | 31,440 | Network Server | Hacking and extortion (Fortra GoAnywhere MFT) |
| Brightline, Inc. | CA | Business Associate | 21,830 | Network Server | Hacking and extortion (Fortra GoAnywhere MFT) |
| Iowa Department of Health and Human Services – Iowa Medicaid Enterprise (Iowa HHS-IME) | IA | Health Plan | 20,815 | Network Server | Hacking incident at business associate (Independent Living Systems) |
| Lake County Health Department and Community Health Center | IL | Healthcare Provider | 17,000 | Email | Hacked email account |
| Southwest Healthcare Services | ND | Healthcare Provider | 15,996 | Network Server | Hacking incident (data theft confirmed) |
| La Clínica de La Raza, Inc. | CA | Healthcare Provider | 15,316 | Email | Hacked email accounts |
| St. Luke’s Health System, Ltd. | ID | Healthcare Provider | 15,246 | Paper/Films | Mailing error |
| Two Rivers Public Health Department | NE | Healthcare Provider | 15,168 | Email | Hacked email account |
| Robeson Health Care Corporation | NC | Healthcare Provider | 15,045 | Network Server | Malware infection |
| Northeast Behavioral Health Care Consortium | PA | Health Plan | 13,240 | Email | Hacked email account (Phishing) |
| Centers for Medicare & Medicaid Services | MD | Health Plan | 10,011 | Paper/Films | Mailing error at business associate (Palmetto GBA) |
| Modern Cardiology Associates | PR | Healthcare Provider | 10,000 | Network Server | Hacking incident |

Causes of April 2023 Healthcare Data Breaches

Hacking and other IT incidents continue to dominate the breach reports, accounting for 36 of the month’s breaches (69.2%) and the vast majority of the breached records. Across those incidents, 4,077,019 healthcare records were exposed or stolen – 92.1% of the records that were breached in April. The average breach size was 119,914 records and the median breach size was 9,675 records.

April 2023 Healthcare data breach causes

Ransomware attacks continue to be conducted, but there has been a notable shift in tactics, with many ransomware gangs opting for data theft and extortion without encrypting files, as was the case with the attacks conducted by the Clop ransomware group, which exploited a zero-day vulnerability in the Fortra GoAnywhere MFT solution. The BianLian threat group has previously conducted attacks using ransomware, but this year has been primarily conducting extortion-only attacks, which are quieter and faster. 12 of the month’s breaches (40%) involved hacked email accounts, highlighting the importance of security awareness training and multifactor authentication.

There were 13 unauthorized access/disclosure incidents in April, including a 58K-record incident involving tracking technologies that transferred sensitive data to third parties such as Google, instances of paper records not being secured, and PHI that had been exposed over the Internet. Across those 13 breaches, 105,155 records were impermissibly disclosed. The average breach size was 8,089 records and the median breach size was 1,304 records.

There were two theft incidents involving 3,321 records in total and one improper disposal incident. The improper disposal incident was reported as involving 501 records – a placeholder commonly used to meet the Breach Notification Rule reporting deadline when the total number of individuals affected has yet to be determined. As the chart below shows, the majority of incidents involved ePHI stored on network servers and in email accounts.

Location of PHI in April 2023 healthcare data breaches

Where Did the Breaches Occur?

The raw data on the OCR breach portal shows the reporting entity, which in some cases is a HIPAA-covered entity when the breach actually occurred at a business associate. The breach portal shows 31 data breaches were reported by healthcare providers, 8 by health plans, and 13 by business associates. The charts below are based on where the breach occurred, rather than the entity that reported the data breach, to better reflect the extent to which data breaches are occurring at business associates.

April 2023 healthcare data breaches by HIPAA-regulated entity type

While healthcare providers were the worst affected HIPAA-regulated entity, the majority of the month’s breached records were due to data breaches at business associates.

Records exposed or stolen in April 2023 healthcare data breaches by HIPAA-regulated entity type

Geographical Distribution of April 2023 Healthcare Data Breaches

Data breaches of 500 or more records were reported by HIPAA-regulated entities in 25 states and Puerto Rico. California was the worst affected state with 16 breaches; 9 of those were the same incident, reported separately for each client by Brightline Inc., which is why the breach count was so high for California this month.

| State | Breaches |
|---|---|
| California | 16 |
| Florida | 4 |
| New York & Pennsylvania | 3 |
| Illinois, Kentucky, Ohio, & Texas | 2 |
| Alabama, Arizona, Idaho, Iowa, Indiana, Maryland, Michigan, Minnesota, Nebraska, North Carolina, North Dakota, Oregon, Utah, Virginia, Washington, West Virginia, Wisconsin & Puerto Rico | 1 |

HIPAA Enforcement Activity in April 2023

No HIPAA enforcement actions were announced by OCR or state attorneys general in April 2023 to resolve violations of HIPAA and state laws, and no Health Breach Notification Rule enforcement actions were announced by the Federal Trade Commission.


5 Healthcare Providers Suffer PHI Breaches

The Edinburg, TX-based internal medicine specialist, ASAS Health, has recently notified 25,527 individuals about a hacking incident that exposed some of their sensitive protected health information. Suspicious network activity was detected on March 9, 2023, and immediate action was taken to secure the network. A forensic investigation confirmed that hackers had access to parts of its network that contained patient information. The breach notifications do not disclose the nature of the incident or for how long the hackers had access to its systems.

ASAS Health said it was not possible to definitively determine if patient data was accessed or stolen, but data may have been compromised. The review of the affected files confirmed they contained information such as names, dates of birth, addresses, phone numbers, email addresses, driver’s license numbers, Social Security numbers, diagnoses, disability codes, Medicare ID numbers, and health plan carrier information.

The breach report that was sent to the Maine Attorney General indicates credit monitoring services have been offered. Affected individuals have also been advised to monitor their accounts and report any suspicious activity, and to be wary of phishing attempts and emails and documents allegedly sent from ASAS Health. ASAS Health said it will continue to refine its security protocols and maintain a robust information security program.

Methodist Family Health Affected by Data Breach at Business Associate

Little Rock, AR-based Methodist Family Health has confirmed that patient data was exposed in a security breach at one of its business associates. The business associate was used to provide pharmacy services and was provided with patient data to perform the contracted duties. The business associate detected a security breach on March 6, 2023, and the investigation confirmed its systems were accessed on March 4, 2023.

Methodist Family Health has confirmed that the unauthorized access has been blocked and additional security measures have been deployed to prevent similar incidents in the future. The compromised documents contained information such as names, addresses, birth dates, admission/treatment dates, account numbers, diagnoses, service charges, and medication information. The breach has recently been reported to the HHS’ Office for Civil Rights as affecting 5,259 individuals.

People Incorporated of Sequoyah County Suffers Ransomware Attack

People Incorporated of Sequoyah County (People Inc), a Sallisaw, OK-based provider of behavioral health, addiction recovery, and anger management services, has discovered an unauthorized third party gained access to the sensitive data of 8,725 current and former patients in a recent ransomware attack.

The incident was detected by People Inc on March 6, 2023, and the forensic investigation confirmed that an unauthorized individual had access to certain systems between March 2 and March 6, 2023, during which time files were exfiltrated that contained patient data. The files contained names, Social Security numbers, care plans, scheduling information, and billing information.

Notification letters have recently been mailed and affected individuals have been offered complimentary credit monitoring and identity theft protection services. People Inc said it has strengthened system security to prevent similar incidents in the future.

Email Account Breach at Lake County Health Department and Community Health Center

Lake County Health Department and Community Health Center in Illinois has notified 1,700 patients that some of their personal and health information has potentially been compromised due to an email security breach. The security incident was detected on March 6, 2023, and the investigation confirmed that an email account had been accessed by an unauthorized individual.

A third-party digital forensics firm was engaged to investigate the incident and found no evidence of data transfers from the email account; however, unauthorized access to patient information could not be ruled out. The review of the account revealed the email account contained partially de-identified PHI concerning Lake County residents who may have had a communicable disease or a disease that was part of a cluster or outbreak that was investigated by the health department between April 23, 2012, and March 6, 2023.

The exposed information included one or more of the following types of information: names, addresses, zip codes, dates of birth, gender, phone numbers, email addresses, medical record numbers, diagnoses or conditions, lab results, and other treatment information. Additional email security safeguards have now been implemented and further cybersecurity training has been provided to the workforce.

Oyate Health Center Notifies Patients About Impermissible PHI Disclosure

Oyate Health Center in South Dakota has discovered an unintended impermissible disclosure of the protected health information of 575 patients. The information related to pharmacy visits between August 31, 2021, and September 8, 2021.

When Oyate Health Center moved to a new clinic location, boxes of surplus supplies were donated to community organizations. On March 7, 2023, one of those organizations opened one of the boxes and found a weekly pharmacy visit report, which was a list of patients with their chart number, date of visit, and a diagnosis code related to the prescription they were filling. The list was seen by two people at the non-profit organization, and the list was then locked in a secure location until it could be collected.

Under HIPAA this is classed as an impermissible disclosure. Oyate Health Center said it has no reason to believe the list was viewed by anyone else and does not believe the information has been misused. In response to the incident, new internal controls, policies, and procedures have been implemented and the affected individuals have been notified.


Oklahoma Institute of Allergy Asthma and Immunology Halts Operations After Cyberattack

The Oklahoma Institute of Allergy Asthma and Immunology was forced to cease trading while it recovered from a cyberattack, with patients forced to wait to receive medical care or seek treatment at other facilities. The asthma and allergy clinic has been closed for at least two weeks as a result of the attack, but the closure appears to be temporary. The clinic furloughed staff while systems were shut down and efforts are being made to restore systems. The closure was necessary as the clinic was unable to access patient records. The clinic has yet to upload a breach notification to its website or report the breach to regulators, so the extent to which patient data has been compromised is not yet known.

Larger healthcare providers may temporarily divert ambulances and cancel some appointments following a ransomware attack, but they do not typically halt operations; smaller healthcare providers may be left with little alternative. Recently, Murfreesboro Medical Clinic & SurgiCenter in Tennessee halted operations for two weeks while recovering from a cyberattack, and a 2022 survey indicated 25% of healthcare organizations would be forced to temporarily halt operations in the event of a ransomware attack.

Uintah Basin Healthcare Hacking Incident Affects Almost 104,000 Patients

The Roosevelt, UT-based health system, Uintah Basin Healthcare, has discovered hackers gained access to its network and may have viewed or obtained the protected health information of 103,974 patients. Suspicious network activity was detected on November 7, 2022, and its digital environment was immediately secured. Third-party cybersecurity experts were engaged to investigate the breach and determined on or around April 7, 2023, that patient data was potentially accessed. The breach notification letter does not state when access to the network was first gained.

The review of the affected files confirmed they contained a range of PHI, which varied from individual to individual. That information related to patients who had received healthcare services between March 2012 and November 2022. The information exposed included names, addresses, dates of birth, Social Security numbers, health insurance information, diagnoses/conditions, medications, test results, and procedure information. The notification process was completed on April 10, 2023.

Complimentary credit monitoring and identity protection services have been offered to affected individuals and security has been improved to prevent similar incidents in the future, including the deployment of the SentinelOne endpoint detection and response (EDR) tool, which includes 24/7 monitoring.

Asian Health Services Reports Email Account Breach

Asian Health Services in Oakland, CA, has recently alerted patients about a recent data security incident involving an employee’s email account. Suspicious activity was detected in the account on February 13, 2023. The account was immediately secured to prevent further unauthorized access and a forensic investigation was conducted to determine the extent of the incident. The email account was determined to have been compromised between February 7, 2023, and February 13, 2023, with the review of emails and attachments confirming they contained names, medical record numbers, dates of birth, phone numbers, and health information such as diagnoses.

Asian Health Services did not find any evidence to indicate patient data had been compromised but the possibility could not be ruled out. Affected individuals have been offered complimentary credit monitoring, fraud assistance, and remediation services for 12 months. Asian Health Services said a third-party cybersecurity firm has confirmed that the email account can no longer be accessed, and additional email safeguards have been implemented to provide an additional layer of protection.

New Mexico Department of Health Reports Impermissible Disclosure of PHI

The New Mexico Department of Health has recently confirmed there has been an impermissible disclosure of the protected health information of 49,000 deceased patients to a journalist. The journalist requested information subject to the Inspection of Public Records Act and was sent a spreadsheet that included all deaths in New Mexico from January 2020 to December 2021. It was later discovered that the spreadsheet contained protected health information that should not have been disclosed. The Department of Health said the spreadsheet did not contain names, birthdates, addresses, or contact information.


Debt Collection Agency Data Breach Affects Many Healthcare Providers

R&B Corporation of Virginia, doing business as Credit Control Corporation (CCC), has recently reported a data breach to the Maine Attorney General that has affected 286,699 individuals. CCC is a debt collection agency and business associate of many hospitals and doctor’s offices. The Newport News, VA-based debt collection agency said it detected suspicious activity within its computer systems on March 7, 2023. Its IT systems were immediately isolated, and a forensic investigation was conducted to determine the nature and scope of the activity. On or around March 14, 2023, CCC determined that unauthorized individuals had accessed its systems and copied files that contained sensitive data. The intrusion was determined to have occurred from March 2, 2023, to March 7, 2023.

An initial review of the compromised files was completed on May 3, 2023, which confirmed that the files contained information such as names, addresses, and Social Security numbers. Affected individuals were notified by mail on May 15, 2023. Complimentary credit monitoring services have been offered to affected individuals. CCC said it regularly reviews its data security policies, procedures, and practices and will continue to do so, has augmented its security safeguards to better protect patient data, and has increased the frequency of employee training on the importance of safeguarding data.

Healthcare providers known to have been affected by the breach include:

  • Atlantic Orthopaedic Specialists
  • Bayview Physicians Group
  • Chesapeake Radiology
  • Chesapeake Regional Medical Center
  • Children’s Hospital of the King’s Daughters Health System and its Affiliates
  • Children’s Specialty Group
  • Dominion Pathology Laboratories
  • Emergency Physicians of Tidewater
  • Mary Washington Healthcare
  • Medical Center Radiology
  • Pariser Dermatology Specialists, Inc
  • Riverside Health System
  • Sentara Health System
  • Tidewater Physicians Multispecialty Group
  • UVA Health System
  • Valley Health System
  • VCU Health System


NextGen Healthcare Facing Multiple Class Action Data Breach Lawsuits

A healthcare data breach of 1 million+ records is certain to result in multiple lawsuits, and the data breach experienced by NextGen Healthcare is no exception. The data breach was only disclosed by NextGen on May 5, but at least a dozen lawsuits have already been filed in federal court in Georgia over the breach.

The data breach was the result of a hacking incident involving stolen credentials, which allowed unauthorized individuals to access a database that contained sensitive patient data such as names, addresses, dates of birth, and Social Security numbers. The investigation determined that the credentials stolen by the hackers came from other sources and did not appear to have been stolen from NextGen. The breach was detected by NextGen on March 30, 2023, and the forensic investigation confirmed hackers had access to its network between March 29, 2023, and April 14, 2023. This was the second data breach to be reported by NextGen this year, with the earlier incident being a BlackCat ransomware attack. NextGen told the Maine Attorney General that 1,049,375 individuals had been affected and complimentary credit monitoring services have been offered to affected individuals.

The lawsuits were all filed in the United States District Court for the Northern District of Georgia, Atlanta Division, and make similar allegations – that NextGen was negligent for failing to safeguard the sensitive data of patients. The lawsuits claim NextGen was or should have been aware of the high risk of data breaches, as multiple warnings have been issued by federal agencies about cybersecurity threats targeting the healthcare sector and there have been extensive media reports about healthcare data breaches. Further, NextGen had suffered a ransomware attack just a few weeks previously and should have known that security needed to be improved.

The lawsuits also take issue with the time it took to contain the breach (two weeks after the intrusion was detected), the time it took to issue notification letters to affected individuals, and the failure to disclose sufficient facts about the data breach in those letters to allow the victims to determine the level of risk they face. The lawsuits allege that the victims of the breach have already suffered harm, will continue to do so, and face a continuing risk of identity theft and fraud for years to come. The lawsuits seek class action status, a jury trial, damages, legal costs, and injunctive relief, including a court order prohibiting NextGen from engaging in unlawful practices and requiring improvements to its data security practices.


Almost 6 Million Individuals Affected by PharMerica Data Breach

In April 2023, the Money Message ransomware group announced it had breached the systems of PharMerica and its parent company, BrightSpring Health Services, and added both to its data leak site. The group claimed to have exfiltrated 4.7 terabytes of data, including databases holding the records of more than 2 million individuals. PharMerica has now confirmed the extent of the data breach.

PharMerica is one of the largest providers of pharmacy services in the United States, operating more than 2,500 facilities and over 3,100 pharmacy and healthcare programs. PharMerica and BrightSpring have now completed their investigation, have confirmed that sensitive patient information was accessed without authorization, and have reported the data breach to the Maine Attorney General as affecting 5,815,591 individuals. That makes it the largest healthcare data breach reported by a single HIPAA-covered entity so far in 2023.

PharMerica explained in its notification letters that suspicious activity was detected within its computer network on March 14, 2023. The network was isolated, and an investigation was conducted to determine the nature and scope of the intrusion. Assisted by third-party cybersecurity experts, PharMerica determined that “an unknown third party” accessed its computer systems between March 12 and March 13, 2023, and that personal information may have been obtained from its systems during that time frame.

By March 21, 2023, PharMerica had determined that the compromised information included names, addresses, birth dates, Social Security numbers, medication information, and health insurance information. PharMerica made no mention of a ransomware attack or of any data being published online, but did state that “we have no reason to believe that anyone’s information has been misused for the purpose of committing fraud or identity theft.”

Affected individuals have been notified and offered complimentary credit monitoring and identity theft protection services for 12 months. Patients and the executors of deceased patients’ estates have been advised to contact any one of the three national credit reporting agencies and either ensure that the individual’s credit file is marked ‘deceased – do not issue credit’ or have the agency add a notation to the file so that a designated person (such as a family member or next of kin) and/or law enforcement is notified if an application for credit is made. PharMerica says it has implemented additional technical cybersecurity safeguards to prevent similar incidents in the future.


EyeMed Vision Care Settles Multistate Data Breach Investigation for $2.5 Million

In June 2020, the Luxottica Group PIVA-owned vision insurance company, EyeMed Vision Care, experienced a data breach involving the protected health information (PHI) of 2.1 million patients. An unauthorized individual gained access to an employee email account that contained approximately 6 years of personal and medical information including names, contact information, dates of birth, Social Security numbers, vision insurance account/identification numbers, medical diagnoses and conditions, and treatment information. The unauthorized third party then used the email account to distribute around 2,000 phishing emails.

State attorneys general have the authority to investigate data breaches and can fine organizations for HIPAA violations. A multi-state investigation was launched by state attorneys general in Oregon, New Jersey, and Florida into the EyeMed data breach, and Pennsylvania later joined the multistate action. The state attorneys general sought to establish whether the data breach was preventable and if it was the result of a failure to comply with the HIPAA Security Rule and state data protection laws.

The investigation identified data security failures that violated HIPAA and state laws. Under HIPAA and state data protection laws, entities that collect, maintain, or handle sensitive personal and medical information are required to implement administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of that information, yet those safeguards were found to be lacking at EyeMed. The investigation revealed a failure to ensure that all individuals with access to protected health information had a unique login and password, even though unique user identification is a required implementation specification of the HIPAA Security Rule’s access control standard (45 CFR § 164.312(a)(2)(i)). Several EyeMed employees were found to be sharing a single password for an email account that was used to communicate sensitive information, including PHI related to vision benefits enrollment and coverage. Without individual accounts, activity in that mailbox could not be attributed to a specific user, which is precisely the accountability the standard exists to provide.

Under the terms of the settlement, EyeMed agreed to pay a financial penalty of $2.5 million, which will be shared between Oregon, New Jersey, Florida, and Pennsylvania. The settlement also requires EyeMed to comply with state consumer protection acts, state personal information protection acts, and HIPAA, and not to misrepresent the extent to which it maintains and protects the privacy, security, or confidentiality of consumer information.

The data security requirements of the settlement include the development, implementation, and maintenance of a written information security program; the maintenance of reasonable policies and procedures governing the collection, use, and retention of patient information; and the maintenance of appropriate controls to manage access to all accounts that receive and transmit sensitive information. “New Jerseyans trusted EyeMed with their vision care and their personal information only to have that trust broken by the company’s poor security measures,” said Attorney General Platkin, who co-led the investigation. “This is more than just a monetary settlement, it’s about changing companies’ behavior to better protect crucial patient data.”

The Office of the New York Attorney General also investigated EyeMed over the data breach and entered into a separate settlement agreement last year, which required EyeMed to pay a $600,000 penalty. In October 2022, a $4.5 million settlement was agreed between EyeMed and the New York Department of Financial Services (NYDFS) to resolve alleged violations of the NYDFS cybersecurity regulation (23 NYCRR Part 500). The security failures included failing to limit the access privileges of nine employees to email accounts, a partial rollout of multifactor authentication, risk assessment failures, the lack of a sufficient data minimization strategy, and inaccurate certifications of compliance with Part 500 for four years. The settlements with NYDFS and the New York Attorney General also imposed data security requirements, including the implementation and maintenance of a comprehensive information security program, encryption of data, multi-factor authentication for all administrative and remote access accounts, and penetration testing.

HIPAA compliance investigations by state attorneys general are independent of those by the HHS’ Office for Civil Rights (OCR), which may also choose to impose civil monetary penalties for HIPAA violations. No penalty has been announced by OCR as of May 2023, and the incident is marked as closed on the OCR breach portal.
