HIPAA Breach News

OCR Fines Arkansas Business Associate $350,000 for Impermissibly Disclosing ePHI

The HHS’ Office for Civil Rights (OCR) has agreed to settle a HIPAA investigation of an Arkansas business associate that impermissibly disclosed the electronic protected health information (ePHI) of more than 230,000 individuals after failing to secure a File Transfer Protocol (FTP) server. MedEvolve, Inc. is a Little Rock, AR-based HIPAA business associate that provides practice management, revenue cycle management, and practice analytics software to HIPAA-regulated entities. The nature of MedEvolve’s business means it has access to ePHI from its HIPAA-regulated entity clients. Under HIPAA, MedEvolve is required to ensure that information is safeguarded at all times.

In July 2018, MedEvolve informed OCR that an error had been made configuring an FTP server. MedEvolve’s investigation revealed the server contained the ePHI of 230,572 individuals, which could be freely accessed over the Internet without authentication. The breach affected two HIPAA-regulated entities: Premier Immediate Medical Care, LLC (204,607 individuals) and Dr. Beverly Held (25,965 individuals). The exposed information included names, billing addresses, telephone numbers, health insurer information, doctor’s office account numbers, and, for some individuals, Social Security numbers.
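The failure mode here, an FTP server reachable from the Internet that serves files to clients that never authenticate, is cheap to check for. The Python below is an added example written for this page, not code from the article, OCR or MedEvolve: it audits a vsftpd configuration for the directives that permit anonymous or cleartext access, and it probes a live host for anonymous login. vsftpd is assumed only because it is a common Unix FTP daemon; the article does not say which server software MedEvolve ran, and both configuration samples are constructed for illustration.

```python
"""Added example: audit an FTP server configuration and probe for anonymous login.

vsftpd directive names and their compiled-in defaults are taken from the vsftpd.conf
man page; the two sample configurations are constructed, not MedEvolve's."""
import ftplib
import socket

# Constructed sample of a permissive vsftpd.conf: an exported directory that
# anyone on the Internet can read, and even write to, without credentials.
WEAK_CONFIG = """
# permissive vsftpd.conf (constructed sample)
listen=YES
anonymous_enable=YES
anon_root=/srv/ftp/exports
local_enable=YES
write_enable=YES
anon_upload_enable=YES
"""

# Constructed sample of the same server hardened: authenticated users only,
# confined to their home directory, with TLS required on control and data channels.
HARDENED_CONFIG = """
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_tlsv1_2=YES
ssl_sslv2=NO
ssl_sslv3=NO
"""


def parse_vsftpd(text):
    """Return {directive: VALUE} from vsftpd.conf text, skipping comments and blanks.
    Values are upper-cased so YES/NO comparisons are case-insensitive."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().upper()
    return settings


def audit_vsftpd_config(text):
    """Return a list of findings explaining how this configuration exposes data."""
    s = parse_vsftpd(text)
    findings = []
    # vsftpd's compiled-in default for anonymous_enable is YES, so an absent
    # directive is as dangerous as an explicit YES.
    if s.get("anonymous_enable", "YES") == "YES":
        findings.append("anonymous_enable is YES or unset: files readable without credentials")
    if s.get("anon_upload_enable", "NO") == "YES" or s.get("anon_mkdir_write_enable", "NO") == "YES":
        findings.append("anonymous users may upload or create directories on the server")
    if s.get("ssl_enable", "NO") != "YES":
        findings.append("ssl_enable is not YES: credentials and file contents cross the network in cleartext")
    elif s.get("force_local_logins_ssl", "YES") != "YES" or s.get("force_local_data_ssl", "YES") != "YES":
        findings.append("TLS is available but not enforced for logins and/or data transfers")
    return findings


def anonymous_ftp_login_allowed(host, port=21, timeout=5.0):
    """Probe a live server: True if an 'anonymous' login is accepted, False if the
    server refuses it, None if the host could not be reached. Needs network access;
    only run it against hosts you are authorised to assess."""
    try:
        with ftplib.FTP() as ftp:
            ftp.connect(host, port, timeout=timeout)
            ftp.login()  # ftplib defaults to user 'anonymous' with a placeholder password
            return True
    except ftplib.error_perm:
        return False
    except (ftplib.all_errors, socket.timeout):
        return None


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_vsftpd_config(cfg) or ["no findings"])
```

The config audit is the pre-deployment check; the login probe is what an external scanner, or an attacker, sees, and is the test to run from outside the perimeter after any change to the server.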

OCR launched an investigation and identified three potential violations of the HIPAA Rules: An impermissible disclosure of the ePHI of 230,572 individuals – 45 C.F.R. § 164.502(a); a failure to enter into a business associate agreement with a subcontractor – 45 C.F.R. § 164.502(e)(1)(ii); and an insufficiently thorough and accurate assessment of potential risks to the confidentiality, integrity, and availability of ePHI – 45 C.F.R. § 164.308(a)(1)(ii)(A).

MedEvolve chose to settle the case with no admission of liability or wrongdoing and paid a financial penalty of $350,000. The settlement also includes a corrective action plan that requires MedEvolve to conduct accurate and thorough risk assessments, implement risk management plans to address identified risks, develop, implement, and maintain policies and procedures to comply with the HIPAA Privacy and Security Rules, and improve its workforce HIPAA and security training program.

“Ensuring that security measures are in place to protect electronic protected health information where it is stored is an integral part of cybersecurity and the protection of patient privacy,” said OCR Director Melanie Fontes Rainer. “HIPAA-regulated entities must ensure that they are not leaving patient health information unsecured on network servers available to the public via the Internet.”

This is the fourth HIPAA penalty to be imposed by OCR this year and follows a $15,000 settlement with David Mente, MA, LPC, and a $16,500 settlement with Life Hope Labs, LLC, to resolve HIPAA Right of Access violations, and a $1,250,000 settlement with Banner Health to resolve multiple HIPAA Security Rule violations.

The post OCR Fines Arkansas Business Associate $350,000 for Impermissibly Disclosing ePHI appeared first on HIPAA Journal.

Maxim HealthCare Services Proposes Settlement to Resolve Email Breach Lawsuit

A settlement has been proposed by Maxim HealthCare Services to resolve all claims related to a 2020 cyberattack and data breach involving unauthorized access to multiple employee email accounts. The email accounts were compromised between October 1, 2020, and December 4, 2020, but the unauthorized access was not discovered until November 2021.

The review of the email accounts confirmed they contained protected health information such as names, addresses, dates of birth, phone numbers, provider names, medical histories, medical conditions, treatment information, medical record numbers, diagnosis codes, patient account numbers, Medicare/Medicaid numbers, usernames/passwords, and some Social Security numbers. The breach was reported to the HHS’ Office for Civil Rights as affecting 65,267 patients.

A lawsuit – Wilson, et al. v. Maxim Healthcare Services Inc. – was filed in response to the data breach in the Superior Court of the State of California, County of San Diego, that alleged Maxim HealthCare Services failed to implement appropriate security measures to prevent unauthorized access to patient data. Maxim HealthCare Services chose to settle the lawsuit to avoid further legal costs and the uncertainty of trial. Maxim HealthCare Services denies all claims made in the lawsuit and maintains there was no wrongdoing. The proposed settlement applies to all individuals who were notified that they had been affected by the breach and had their protected health information exposed.

Under the terms of the settlement, claims will be accepted up to a maximum of $5,000 for each class member for reimbursement of extraordinary expenses incurred as a result of the data breach, including up to three hours of lost time at $20 per hour. Individuals who were California Residents between October 1, 2020, and December 4, 2020, are entitled to receive a flat monetary benefit of approximately $100 which can be combined with claims for reimbursement of extraordinary expenses. All class members will be entitled to receive 12 months of free identity theft protection services, regardless of whether they submit a claim.

The deadline for exclusion from and objection to the proposed settlement is June 23, 2023. The deadline for submitting claims is July 24, 2023. The final approval hearing has been scheduled for July 28, 2023. Maxim HealthCare Services has implemented or will implement additional security measures to prevent similar incidents in the future.

SuperCare Proposes $2.25 Million Settlement to Resolve Data Breach Lawsuit

The California home care services provider SuperCare has proposed a $2.25 million settlement to resolve a class action lawsuit filed in response to a 2021 hacking incident in which the protected health information of 318,379 patients was compromised.

SuperCare detected a network intrusion on July 27, 2021, and the subsequent forensic investigation determined hackers had access to its network from July 23, 2021, to July 27, 2021; however, it took until February 4, 2022, to determine that patient information had been compromised. Files on the compromised parts of the network contained names, addresses, dates of birth, hospital or medical group, patient account numbers, medical record numbers, health insurance information, test results, diagnoses, treatment information, other health-related information, and claims information, and, for some individuals, Social Security numbers and driver’s license numbers. Affected individuals were notified on March 25, 2022, 8 months after the breach was detected.

A lawsuit was filed against SuperCare shortly after the data breach was announced. It accused SuperCare of violating California’s Confidentiality of Medical Information Act, the Federal Trade Commission (FTC) Act, and the Health Insurance Portability and Accountability Act (HIPAA) by failing to implement reasonable and appropriate cybersecurity measures to protect against a known risk of cyberattacks and data breaches, and by failing to issue timely notifications about the data breach. Further, when notifications were finally sent, they lacked key information about the data breach, and no explanation was provided as to why they took so long to issue. The lawsuit also claimed affected individuals were not provided with adequate credit monitoring services or other remedies to reduce the risk of misuse of their sensitive data.

Under the terms of the proposed settlement, two tiers of benefits are being offered. Claims can be submitted for tier 1 benefits which include a cash payment of $100. The second tier allows claims up to a maximum of $2,500 to cover out-of-pocket expenses incurred as a result of the data breach, along with up to 4 hours of lost time at $25 per hour. All class members are entitled to claim one year of three-bureau credit monitoring services, which includes a $1 million identity theft insurance policy.

The deadline for exclusion from or objection to the settlement is June 5, 2023. Claims must be submitted by July 5, 2023, and the final approval hearing for the settlement has been scheduled for August 28, 2023.

Data Breaches Reported by University Urology and McPherson Hospital

University Urology – Hacking Incident

University Urology in New York City has started notifying 56,816 individuals that unauthorized individuals gained access to some of its systems and potentially obtained their personal and health information. Suspicious activity was detected within its computer systems on February 1, 2023, and third-party cybersecurity experts were engaged to conduct a forensic analysis of the incident to determine the nature and scope of the attack. The investigation concluded on March 3, 2023, that files within its network were accessed. A manual review of those files was conducted and concluded on March 30, 2023. Contact information was then verified, and notification letters were sent on May 1, 2023.

The types of information that were exposed varied from individual to individual and may have included first and last name, date of birth, address, medical condition, medical treatment, test results, prescription information, health insurance information, subscriber ID number, health plan beneficiary number, billing/invoice information, and username/email address plus passwords/security questions and answers that would allow account access.

University Urology said SentinelOne agents were deployed for 30 days, which allowed the cybersecurity firm to monitor its environment for malicious activity and indicators of compromise. It has now been confirmed that all methods of persistence, unauthorized remote access tools, and malicious files have been removed from its systems, and additional security measures have now been implemented.

While there have been no reported cases of actual or attempted misuse of the exposed data, complimentary credit monitoring and identity theft protection services have been offered to affected individuals for 12 or 24 months.

McPherson Hospital – Ransomware Attack

McPherson Hospital in Kansas has recently issued notification letters to 19,020 patients to alert them about a July 2022 ransomware attack. According to the breach notifications, third-party cybersecurity experts were engaged to investigate the data breach to determine the extent of the unauthorized activity and help with securing its systems. The internal investigation concluded on March 15, 2023, that patient data may have been acquired, including names, dates of birth, Social Security numbers, medical treatment information, billing information, and health insurance information. Notification letters were sent in early May, almost 10 months after the attack.

Affected individuals have been offered complimentary single-bureau credit monitoring services. McPherson Hospital said its technical safeguards have been reviewed and enhanced to prevent similar incidents in the future.

Catholic Health – Unauthorized Access by Employee of Business Associate

Catholic Health in New York has recently announced that the protected health information of some of its long-term care residents has been exposed in a security breach at one of its business associates, Minimum Data Set Consultants (MDS). MDS launched an investigation into a potential data breach in March 2023 after discovering suspicious system activity.

The investigation confirmed that an unauthorized individual accessed patient data on or around August 27, 2022, such as names, birthdates, Social Security and Medicare numbers, and diagnosis information. The unauthorized access was traced to a former employee. MDS has confirmed that the individual no longer has access to the system and that the matter has been reported to law enforcement, which has launched an investigation. While patient data is not believed to have been accessed with a view to committing identity theft or fraud, affected individuals have been told to monitor their accounts for suspicious activity.

It is currently unclear how many patients have been affected.

University of Iowa Hospitals and Clinics Sued for Unlawful Disclosures of PHI to Facebook

A lawsuit has been filed in the U.S. District Court for the Southern District of Iowa that alleges University of Iowa Hospitals and Clinics (UIHC) unlawfully, negligently, and recklessly disclosed patients’ private information to Facebook, without obtaining patient consent.

HIPAA-regulated entities are facing increased scrutiny of their website practices following the discovery of widespread use of website tracking code, often referred to as pixels, for monitoring website visitor activity. The snippets of code record information about website and app activity that is tied to individual users. The information gathered can be used to improve the user experience, but the information collected is often transferred to the providers of the code. A study that was recently published in Health Affairs found 98.6% of nonfederal acute care hospital websites in the United States had tracking pixels on their websites, which collected and transferred sensitive data to Meta (Facebook), Google, and other third parties. The information transmitted could be used for a variety of purposes, such as serving targeted advertisements based on specific medical conditions researched or disclosed on healthcare providers’ websites.

The extent to which patient privacy was being violated prompted the HHS’ Office for Civil Rights to issue guidance in 2022 on the use of website tracking code, and this year OCR Director Melanie Fontes Rainer confirmed that these unauthorized disclosures of PHI are now an enforcement priority for OCR. Lawyers have also been quick to take action, with more than 50 lawsuits already filed against healthcare entities over the use of these tracking tools.

The UIHC lawsuit – Yeisley v. University of Iowa Hospitals & Clinics – was filed on behalf of plaintiff Eileen Yeisley and similarly situated individuals. The lawsuit claims UIHC manages or controls two websites that are used for booking appointments, locating treatment facilities and physicians, and registering patients for events and classes. The lawsuit alleges UIHC intentionally included a Facebook pixel on both of those websites that shared visitor activity with Facebook and linked that information to individuals’ personal Facebook accounts. The lawsuit also alleges UIHC installed a Facebook conversion application programming interface (API) on the websites, which works independently of the pixel and allows additional disclosures of protected health information (PHI) to Facebook.

According to the lawsuit, the use of these code snippets results in the sensitive data of patients and prospective patients being sent to Facebook without their consent or knowledge, and that information can then be sold by Facebook to third parties to allow individuals to be targeted with advertisements specific to medical conditions disclosed or researched on the websites. The lawsuit claims that the code was added by UIHC to boost profits and includes evidence – screenshots – showing that the source code of UIHC websites includes the Facebook code snippets.
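Whether a page carries the Meta (Facebook) pixel is visible in its HTML source, which is the kind of evidence the complaint relies on. The Python below is an added example, not code from the lawsuit, UIHC or HIPAA Journal: it scans page source for the markers Meta’s own installation snippet leaves behind (the fbevents.js loader, the fbq('init', ...) call carrying the pixel ID, fbq('track', ...) event calls, and the noscript fallback image fetched from facebook.com/tr). The two sample pages are constructed. Note that the Conversions API named in the complaint is server-to-server and leaves no such marker in page source; finding it means reviewing the web application’s own code or its outbound traffic.

```python
"""Added example: detect the Meta (Facebook) browser pixel in HTML source.

The regexes match the markers Meta's documented pixel snippet leaves in a page.
The two sample pages are constructed for illustration, not captured from UIHC."""
import re

# Loader script for the pixel, e.g. https://connect.facebook.net/en_US/fbevents.js
FBEVENTS_SCRIPT = re.compile(r"connect\.facebook\.net/[\w-]+/fbevents\.js", re.I)
# fbq('init', '<pixel id>') binds the page to a specific advertiser pixel.
FBQ_INIT = re.compile(r"""fbq\(\s*['"]init['"]\s*,\s*['"](\d{6,20})['"]""")
# fbq('track'|'trackCustom', '<event>') reports visitor actions to Meta.
FBQ_TRACK = re.compile(r"""fbq\(\s*['"](?:track|trackCustom)['"]\s*,\s*['"]([^'"]+)['"]""")
# <noscript> fallback beacon: https://www.facebook.com/tr?id=<pixel id>&ev=PageView&noscript=1
NOSCRIPT_IMG = re.compile(r"""facebook\.com/tr\?[^"'\s>]*\bid=(\d+)""", re.I)

# Constructed sample of an appointment page carrying the pixel. The loader body is elided.
SAMPLE_WITH_PIXEL = """<html><head><title>Schedule an appointment</title>
<script>
!function(f,b,e,v,n,t,s){/* loader body elided */}(window,document,'script',
  'https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '123456789012345');
fbq('track', 'PageView');
fbq('trackCustom', 'ScheduleAppointment', {specialty: 'oncology'});
</script>
<noscript><img height="1" width="1" style="display:none"
  src="https://www.facebook.com/tr?id=123456789012345&ev=PageView&noscript=1"/></noscript>
</head><body>Find a doctor</body></html>"""

# Constructed sample of the same page with no third-party tracking code.
SAMPLE_CLEAN = """<html><head><title>Schedule an appointment</title></head>
<body>Find a doctor</body></html>"""


def find_meta_pixel(html):
    """Return a report on Meta pixel markers found in one page's HTML source."""
    pixel_ids = set(FBQ_INIT.findall(html)) | set(NOSCRIPT_IMG.findall(html))
    loads_fbevents = bool(FBEVENTS_SCRIPT.search(html))
    return {
        "present": loads_fbevents or bool(pixel_ids),
        "loads_fbevents": loads_fbevents,
        "pixel_ids": sorted(pixel_ids),
        "events": FBQ_TRACK.findall(html),  # in page order
    }


def audit_pages(pages):
    """Given {url: html}, return {url: report} for every page where the pixel is present.
    On a healthcare site, any hit on an appointment, provider-search or portal page is
    a potential disclosure of PHI to Meta and warrants review."""
    return {url: rep for url, rep in ((u, find_meta_pixel(h)) for u, h in pages.items()) if rep["present"]}


if __name__ == "__main__":
    # Constructed URLs, not UIHC's.
    hits = audit_pages({
        "https://example.test/schedule": SAMPLE_WITH_PIXEL,
        "https://example.test/about": SAMPLE_CLEAN,
    })
    for url, rep in hits.items():
        print(url, rep["pixel_ids"], rep["events"])
```

Run against a crawl of the site rather than a single page: the snippet is typically injected by a tag manager or a shared template, so one hit usually means every page built from that template reports its URL, and anything passed to fbq('track', ...), to Meta.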

OCR confirmed in its guidance that these disclosures of PHI are generally not permitted by the HIPAA Privacy Rule, and warrant notifications under the HIPAA Breach Notification Rule. Several healthcare providers have reported breaches of PHI due to tracking code to OCR, but UIHC has yet to issue breach notifications. University of Iowa Health has issued a statement in response to the allegations, “University of Iowa Health Care is committed to protecting patient privacy. We do not share protected health information of our patients with Meta or Facebook. We will review the lawsuit once received.”

The lawsuit alleges negligence, invasion of privacy, unjust enrichment, breach of confidence, and violations of the Computer Fraud and Abuse Act and the Electronic Communications Privacy Act, and seeks class action status, equitable and injunctive relief, and an order from the court to prevent UIHC from engaging in this activity in the future. The lawsuit also seeks an award of damages, including actual, consequential, punitive, and nominal damages.

NextGen Healthcare Reports Breach Affecting More than 1 Million Patients

NextGen Healthcare has started notifying more than 1 million individuals across the United States about a hacking incident that exposed their protected health information. NextGen Healthcare is an Atlanta, GA-based provider of electronic health records and practice management solutions to doctors and ambulatory care providers. On March 30, 2023, suspicious activity was detected in its NextGen Office system and third-party cybersecurity experts were engaged to conduct a forensic investigation to determine the nature and scope of the security breach. The investigation revealed unauthorized individuals had access to the system between March 29, 2023, and April 14, 2023.

The attackers had access to a limited dataset during that period that included names, addresses, dates of birth, and Social Security numbers. No evidence was found to indicate the attackers accessed patient medical records or any health or medical data and there have been no reports of any actual or attempted misuse of patient data. Passwords were reset when the breach was discovered, and additional security measures have now been implemented to strengthen security. Notification letters have already started to be sent to affected individuals, who have been offered complimentary credit monitoring and identity theft protection services for 24 months.

The data breach has yet to appear on the HHS’ Office for Civil Rights breach portal, but is showing on the websites of several state Attorneys General. The breach notification issued to the Maine Attorney General indicates 1,049,375 individuals were affected in total, including 3,913 Maine residents. The breach was reported to the Texas Attorney General as involving the PHI of 131,815 Texas residents.

This is the second cyberattack to affect NextGen Healthcare in recent months. In January 2023, NextGen was added to the data leak site of the BlackCat ransomware group, although the listing was later taken down. The incident was investigated and a spokesman for NextGen said no patient data had been exposed or downloaded, and consequently this was not a reportable data breach.

Ransomware Gangs Leak Albany ENT & Allergy Services Data

The BianLian and RansomHouse ransomware groups have recently added Albany ENT & Allergy Services to their data leak sites, with the latter claiming to have stolen 1 TB of data before encrypting files. According to the listings, files were encrypted on March 27, 2023; however, Albany ENT & Allergy Services has yet to announce a cyberattack on its website. The dual listings suggest that both groups have conducted an attack, although only RansomHouse has posted evidence on its data leak site to back up its claims.

NationsBenefits Holdings Confirms 3 Million Record Data Breach

NationsBenefits Holdings, LLC, a provider of supplemental benefits, flex cards, and member engagement solutions to health plans and managed care organizations, has confirmed that it has been affected by a security breach involving Fortra’s GoAnywhere MFT file transfer solution. The hackers behind the attack – the Clop ransomware group – gained access to NationsBenefits data on January 30, 2023, and exfiltrated that information from the GoAnywhere MFT solution. A ransom demand was issued, payment of which was required to prevent the publication of the stolen data. NationsBenefits was one of 130 organizations to have data stolen in the attacks.

The Clop group exploited a previously unknown (zero-day) vulnerability in the GoAnywhere MFT solution, which allowed them to access and steal data from vulnerable on-premises MFT servers. NationsBenefits Holdings said the Clop group was only able to access two MFT servers; however, a review of the files on those servers revealed they contained the protected health information of 3,037,303 health plan members, including, but not limited to, Aetna ACE, Elevance Health Flexible Benefit Plan, and UAW Retiree Medical Benefits Trust. The compromised information included: first and last name, address, phone number, date of birth, gender, health plan subscriber ID number, Social Security number, and/or Medicare number.

Other healthcare organizations known to have been affected include Community Health Systems (1 million individuals) and Brightline (at least 964,300 individuals); however, NationsBenefits is currently the worst affected healthcare entity. Overall, more than 4 million individuals had their protected health information stolen in these attacks. NationsBenefits said it learned about the security breach when its security monitoring team received an alert from one of its MFT servers at 16:02 on February 7, 2023, indicating unauthorized access. Fortra was contacted and asked to assist with the investigation, with the initial review confirming that the MFT server had been accessed and data had been stolen. The subsequent internal investigation confirmed that the threat actor did not move laterally to other NationsBenefits systems or applications.

NationsBenefits confirmed that prior to the attack layered security controls were already in place, but said security measures have since been strengthened. NationsBenefits has taken its MFT servers permanently offline and has transitioned to an alternative file transfer solution that does not rely on Fortra software. Notification letters started to be mailed to affected individuals on April 13, 2023. Complimentary credit monitoring services have been offered for 24 months.

Brightline: At Least 964,300 Individuals Affected by Fortra GoAnywhere Hack

Brightline, a provider of virtual behavioral and mental health services to families, has confirmed it was affected by the cyberattack on Fortra’s GoAnywhere MFT file transfer solution, which saw a zero-day vulnerability exploited in attacks on 130 organizations over a 10-day period starting on January 18, 2023. While the Clop threat group conducts ransomware attacks, ransomware was not used in these attacks. As in the attacks that exploited a vulnerability in the Accellion File Transfer Appliance (FTA) in 2021, the group opted for data theft and extortion with no file encryption.

Brightline explained in its website breach notification that the attack occurred on January 30, 2023, and said Fortra’s investigation confirmed that files had been downloaded that contained protected health information. Brightline was notified about the attack by Fortra on February 4, 2023. Brightline’s internal investigation confirmed that the attack was limited to data within the GoAnywhere solution and that its systems had not been compromised. After determining the extent of the breach and the individuals affected, Brightline started notifying the affected HIPAA-Covered Entities. The breach involved names, addresses, dates of birth, member identification numbers, date of health plan coverage, and/or employer names. Affected individuals have been offered 24 months of complimentary credit monitoring services.

In response to the breach, Brightline deactivated the credentials the unauthorized user had used to access its data, turned off the GoAnywhere service, and rebuilt it with the zero-day vulnerability addressed. Additional data security measures were also implemented, including limiting access to verified users, removing all data in the service, and taking steps to reduce data exposure until an alternative file transfer solution can be implemented. Affected individuals were notified starting on April 7, 2023, and notifications were issued on behalf of some affected Covered Entities. Brightline was listed on the Clop data leak site on March 16, 2023, although the listing has since been removed. While removal typically only occurs when a ransom is paid, a member of the Clop group emailed Bleeping Computer to say that Brightline’s data were deleted because the group was unaware of the nature of the business conducted by Brightline and said, “We ask for forgiveness for this incident,” which suggests no ransom was paid.

Brightline has published a list of 58 HIPAA-Covered Entities that were affected by the data breach and has – at the time of writing – submitted 9 data breach notifications to the HHS’ Office for Civil Rights. Those notifications indicate 964,300 individuals have been affected, with the individual notifications each covering between 4,044 and 462,241 individuals. It is unclear to what extent the notifications cover the 58 affected Covered Entities. If a separate breach notification has been issued for each affected Covered Entity, 49 of the affected Covered Entities may be issuing their own notifications, which would likely take the total number of affected individuals well past 1,000,000. Some of the notifications issued to state attorneys general by the affected clients state that Brightline issued multiple requests to Fortra asking it to issue notifications to affected individuals and regulators, but Fortra refused.

The 58 Covered Entities known to have been affected are detailed below:

  • Insitu, Inc.
  • IUOE
  • Keller Supply
  • Kodiak Island Borough School District
  • KPMG LLP
  • Legal Name: Continental Mills, Inc. Common Name: The Krusteaz Co
  • MacDonald-Miller Facility Solutions, LLC
  • Manke Lumber Company Inc.
  • MIIA
  • Municipality of Anchorage
  • Nintendo of America Inc.
  • Northwest Cascade, Inc.
  • Oberto Snacks Inc.
  • PND Engineers, Inc.
  • Pyrotek Inc
  • Rail Management Services
  • Seagen Inc.
  • Seward Association for the Advancement of Marine Science dba Alaska SeaLife Center
  • SolstenXP, Inc.
  • SOUTH SHORE HEALTH
  • Space Needle LLC & Center Art LLC
  • Spokane Teachers Credit Union
  • Stanford Health Care – ValleyCare Employee Health Care Plan
  • Stanford Health Care Employee Health and Welfare Benefit Plan
  • Stanford Medicine Partners Employee Health and Welfare Benefit Plan
  • Stanford University Post-doctoral Scholars
  • Symetra Life Insurance Company
  • Tanana Chiefs Conference
  • The Board of Directors of the Leland Stanford Junior University (Educated Choices)
  • Undead Labs
  • University of Alaska
  • VERTEX
  • Walla Walla University
  • Washington Trust Bank
  • Whitman College