HIPAA Breach News

October 2022 Healthcare Data Breach Report

October was the worst month of the year to date for healthcare data breaches, with 71 breaches reported and more than 6 million records breached. The first half of the year was looking like 2022 would see a reduction in healthcare data breaches; however, that is looking increasingly unlikely. In 2021, 714 data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights. 594 data breaches were reported between January 1 and October 31, and with an average of 60 data breaches being reported each month, 2022 looks set to end with a similarly high number.

Across the 71 reported breaches, the protected health information of 6,242,589 individuals was exposed or impermissibly disclosed, with around half of that total coming from a single breach. So far this year, the records of 37,948,207 individuals have been exposed or impermissibly disclosed.

Largest Healthcare Data Breaches Reported in October

In October, 28 data breaches of 10,000 or more records were reported by HIPAA-regulated entities. The largest healthcare data breach reported in October – by some distance – was due to the use of Meta Pixel code on the website and patient portal of Advocate Aurora Health, which resulted in the impermissible disclosure of the PHI of up to 3 million patients to Meta/Facebook. Advocate Aurora Health was not alone. WakeMed Health and Hospitals reported a similar breach involving the PHI of 495,808 patients. Dozens of other healthcare providers have also used the code on their websites and lawsuits are mounting. Attorneys for Meta claim the company does not collect healthcare data without consent; however, U.S. District Judge William Orrick, who is presiding over a consolidated class action lawsuit against Meta over these impermissible disclosures, has expressed skepticism about those claims.

The data breach at SightCare Inc. was due to a hacking incident at business associate USV Optical, a subsidiary of U.S. Vision, which also affected Nationwide Optometry. More than 700,000 records were compromised in the incident. The third largest breach of the month occurred at CorrectCare Integrated Health, Inc., which provides administrative services to healthcare providers that serve correctional facilities. A misconfiguration left a database exposed over the Internet, resulting in the exposure of the PHI of at least 612,490 inmates at correctional facilities across the country.

Two more eye care providers confirmed in October that they had been affected by the ransomware attack on their EHR vendor, Eye Care Leaders. The records of at least 3,649,470 patients are now known to have been compromised in that attack.

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Description
--- | --- | --- | --- | --- | ---
Advocate Aurora Health | WI | Healthcare Provider | 3,000,000 | Unauthorized Access/Disclosure | Website Code Passed Patient Information to Meta/Facebook
SightCare, Inc. | AZ | Health Plan | 637,999 | Hacking/IT Incident | Hacking incident at business associate (USV Optical)
OakBend Medical Center / OakBend Medical Group | TX | Healthcare Provider | 500,000 | Hacking/IT Incident | Ransomware attack
WakeMed Health and Hospitals | NC | Healthcare Provider | 495,808 | Unauthorized Access/Disclosure | Website Code Passed Patient Information to Meta/Facebook
CorrectCare Integrated Health, Inc. | KY | Business Associate | 438,713 | Unauthorized Access/Disclosure | Exposure of PHI over the Internet
Keystone Health | PA | Healthcare Provider | 235,237 | Hacking/IT Incident | Hacked network server
Louisiana Department of Public Safety and Corrections | LA | Healthcare Provider | 85,466 | Unauthorized Access/Disclosure | Exposure of PHI over the Internet (CorrectCare Integrated Health)
Urology of Greater Atlanta, LLC | GA | Healthcare Provider | 79,795 | Hacking/IT Incident | Hacking Incident (No information)
Nationwide Optometry, PC | AZ | Healthcare Provider | 73,073 | Hacking/IT Incident | Hacking incident at business associate (USV Optical)
Ascension St. Vincent’s Coastal Cardiology | GA | Healthcare Provider | 71,227 | Hacking/IT Incident | Ransomware attack
Valle del Sol, Inc. | AZ | Healthcare Provider | 70,268 | Hacking/IT Incident | Hacked network server
CorrectCare Integrated Health, Inc. | KY | Business Associate | 53,496 | Unauthorized Access/Disclosure | Exposure of PHI over the Internet
FOREFRONT DERMATOLOGY, SC | WI | Healthcare Provider | 45,580 | Theft | Theft of an unencrypted portable electronic device at a business associate
VisionWeb Holdings, LLC | TX | Business Associate | 35,900 | Hacking/IT Incident | Compromised email accounts
University of Michigan/Michigan Medicine | MI | Healthcare Provider | 33,857 | Hacking/IT Incident | Compromised email accounts (phishing)
Aesthetic Dermatology Associates, PC | PA | Healthcare Provider | 33,793 | Hacking/IT Incident | Hacked network server
Choice Health Insurance LLC | SC | Business Associate | 32,064 | Hacking/IT Incident | Database exposed over the Internet (data theft confirmed)
PrimeCare Medical, Inc. | PA | Healthcare Provider | 22,254 | Unauthorized Access/Disclosure | Exposure of PHI over the Internet (CorrectCare Integrated Health)
Administrative Fund of the Detectives’ Endowment Association, Inc., Police Department City of New York | NY | Health Plan | 21,544 | Hacking/IT Incident | Compromised email accounts (Phishing)
Wenco Management, LLC Health and Welfare Benefit Plan | OH | Health Plan | 20,526 | Hacking/IT Incident | Compromised email accounts
Gateway Ambulatory Surgery Center | NC | Healthcare Provider | 18,479 | Hacking/IT Incident | Compromised email accounts (Phishing)
Alain A. Montiel, DDS | CA | Healthcare Provider | 17,157 | Theft | Theft of an unencrypted laptop
St Luke’s Health – Texas | TX | Healthcare Provider | 16,906 | Hacking/IT Incident | Compromised email accounts at business associate (Adelanto Healthcare Ventures)
Lifespire Services, Inc. | NY | Healthcare Provider | 15,375 | Hacking/IT Incident | Hacked network server
HH/Killeen Health System, LLC doing business as Seton Medical Center Harker Heights | TX | Healthcare Provider | 15,056 | Hacking/IT Incident | Compromised email accounts at an unspecified business associate
Massengale Eye Care | OK | Healthcare Provider | 15,000 | Hacking/IT Incident | Ransomware attack on a business associate (Eye Care Leaders)
Wisconsin Department of Health Services | WI | Health Plan | 12,358 | Unauthorized Access/Disclosure | Compromised email accounts
Somnia Pain Mgt of Kentucky | NY | Healthcare Provider | 10,848 | Hacking/IT Incident | Hacked network server

Causes of October 2022 Data Breaches

Across all industry sectors, ransomware attacks have decreased slightly this year; however, the healthcare industry continues to be a target for ransomware gangs, with Hive, LockBit 2.0, Lorenz, and the Venus ransomware gangs among those that are attacking healthcare organizations. According to Check Point Research, healthcare was the most targeted industry sector in Q3, 2022, and saw the second-highest percentage increase in attacks out of all industry sectors, with 60% more attacks than in Q3, 2021. The largest confirmed ransomware attack was on OakBend Medical Center, which saw half a million records compromised.

As has been the case for several months, hacking incidents outnumber all other types of data breaches. In October, 47 hacking incidents were reported – 66% of the month’s data breaches – and 2,025,704 records were exposed in those incidents. The average breach size was 43,100 records and the median breach size was 6,594 records. October saw an increase in unauthorized access/disclosure incidents, due in part to the data breach that occurred at CorrectCare Integrated Health that exposed the PHI of inmates of correctional facilities. 7 of the 17 reported unauthorized access/disclosure incidents were due to this incident. Unsurprisingly, given the 3 million-record data breach reported by Advocate Aurora Health, 66% of the breached records were due to unauthorized access/disclosure incidents. 4,145,396 records were compromised in these incidents. The average breach size was 243,847 records and the median breach size was 7,000 records.

There were 6 loss/theft incidents reported in October (4 theft, 2 loss), all but one of which involved portable electronic devices that had not been encrypted. 67,244 records were exposed or stolen across these incidents. The average breach size was 11,207 records and the median breach size was 1,396 records. There was also one incident involving the improper disposal of paperwork that contained the PHI of 4,245 patients.

The most common location of breached PHI was network servers due to the high number of hacking incidents. Email accounts are also commonly targeted, with 15 incidents reported in October that involved compromised email accounts. Good password management and multifactor authentication can significantly improve defenses against these attacks, although phishing attacks that bypass MFA are increasing. The increase in these attacks prompted CISA to issue guidance on implementing phishing-resistant MFA this month.

Healthcare Data Breaches by HIPAA-Regulated Entity Type

55 breaches were reported by healthcare providers in October; however, 11 of those data breaches occurred at business associates. 10 data breaches were reported by health plans, with one of those breaches occurring at a business associate. Business associates self-reported 6 breaches. The chart below shows the breaches broken down by where they occurred rather than the entity that reported the data breach.

Healthcare Data Breaches by State

Data breaches of 500 or more records were reported by HIPAA-regulated entities in 30 states, with New York the worst affected state with 11 reported breaches. This was due to a data breach at a New York-based management company that affected multiple anesthesiology service providers.

State | Number of Reported Data Breaches
--- | ---
New York | 11
Texas & Wisconsin | 5
Florida & New Jersey | 4
Arizona, California, Georgia, Kentucky, North Carolina, Pennsylvania & Virginia | 3
Delaware, Maryland & Oregon | 2
Colorado, Connecticut, Illinois, Indiana, Kansas, Louisiana, Maine, Michigan, Minnesota, Nebraska, New Mexico, Ohio, Oklahoma, South Carolina & Washington | 1

HIPAA Enforcement Activity in October

No HIPAA enforcement actions were reported in October by the HHS Office for Civil Rights or State Attorneys general.

The post October 2022 Healthcare Data Breach Report appeared first on HIPAA Journal.

Forefront Dermatology Proposes $3.75 Million Settlement to Resolve Ransomware Lawsuit

The Wisconsin-based dermatology practice, Forefront Dermatology, has agreed to settle a class action lawsuit filed on behalf of patients whose protected health information (PHI) was compromised in a ransomware attack in late May 2021.

Forefront Dermatology has affiliated practices in 21 states and Washington D.C. In May 2021, the practice was targeted by the Cuba ransomware gang, which gained access to its network and exfiltrated files from the network before encrypting data. The gang then dumped some of the stolen data on its dark web data leak site to pressure the practice into paying the ransom. According to Forefront Dermatology’s data breach notice, the attack was detected on June 4. The forensic investigation confirmed the attackers potentially accessed and stole files containing the PHI of up to 2.4 million employees and patients. That information included names, dates of birth, account numbers, health insurance information, Social Security numbers, medical record numbers, medical and treatment information, and other sensitive data.

A class action lawsuit was filed in the U.S. District Court for the Eastern District of Wisconsin shortly after patients were notified about the breach, which alleged Forefront Dermatology had failed to implement adequate data security protocols, including permitting the use of “incredibly simplistic passwords,” and had maintained patient data “in a reckless manner”. The lawsuit alleged the ransomware attack and data breach were made possible by those security failures, and that Forefront Dermatology was aware of the risk of a data breach and had the resources to implement appropriate data security measures but failed to do so.

The lawsuit takes issue with the month-long delay in issuing breach notification letters, and the conflicting statements provided to patients and the Maine attorney general, with the latter informed that Social Security numbers had been stolen when patients were told that information such as Social Security numbers, driver’s license numbers, and financial account/payment card information was not accessed or stolen.

The lawsuit alleges the plaintiffs – Judith Leitermann, Lynn Anderson, and Milan E. Kunzelmann – and similarly affected individuals have been exposed to a heightened and imminent risk of fraud and identity theft, and that their PHI is now in the hands of criminals. As a result of the alleged negligence of Forefront Dermatology, the plaintiffs and class members must closely monitor their financial accounts to guard against identity theft and have incurred, and will continue to incur, out-of-pocket costs for protective measures to deter and detect identity theft.

Forefront Dermatology has not admitted any wrongdoing and accepts no liability for the data breach, but chose to settle the lawsuit to prevent further legal costs and to avoid the uncertainty of trial. Forefront Dermatology proposed a $3.75 million settlement to resolve all claims related to the data breach.

Under the terms of the settlement, class members are entitled to claim up to $10,000 for documented losses from identity theft, credit-related costs, bank fees, communication charges, and fraudulent charges, as well as claim up to five hours of lost time at $25 per hour, and may also sign up for one year of free credit monitoring services. Class members may opt out of receiving expense reimbursement and credit monitoring services and will instead receive a cash fund payment, the value of which will depend on the number of participating class members.

Class members have until January 24, 2023, to object to or exclude themselves from the settlement, and until February 8, 2023, to submit a claim. The final approval hearing has been scheduled for March 1, 2023.

Patient Data Compromised in 5 Hacking Incidents, Ransomware Attacks, and Break-ins

Salud Family Health Provides Update on September 2022 Ransomware Attack

Colorado-based Salud Family Health, a Federal Qualified Health Center (FQHC), has recently provided an update on a September 2022 cyberattack and has confirmed that patient data was potentially stolen. Salud Family Health said the security breach was detected on September 5, 2022, and it has now confirmed that patient and employee data was accessed in the attack.

In the update, Salud Family Health did not confirm the extent to which data had been stolen but said the affected information may have included patient names, Social Security numbers, driver’s license numbers, Colorado identification card numbers, financial account information/credit card numbers, passport numbers, medical treatment and diagnosis information, health insurance information, biometric data, and usernames and passwords.

The breach was reported to the HHS’ Office for Civil Rights using a placeholder of 501 and that figure has yet to be updated on the OCR breach portal; however, the threat actor behind the attack – the Lorenz ransomware group – has dumped a sample of the files online. The threat actor claims to have stolen data that includes around 400,000 Social Security numbers, although this has not been verified.

Salud Family Health said affected employees and patients have been offered free credit monitoring and identity fraud protection services, and security policies and procedures are being reviewed and will be updated to protect against future cyberattacks.

New York-Presbyterian Hospital Discovers Breach Affecting up to 12,000 Patients

New York-Presbyterian Hospital has recently announced that unauthorized individuals gained access to one of its servers and attempted to download sensitive data. The security system detected the intrusion on September 8, 2022, and successfully blocked the attempted download.

The forensic investigation of the incident revealed the attacker had used a cloud-based, remote information technology customer support program to access the laptops of several of its workforce members, and certain desktop files had been downloaded from some of those devices. The patient portal was not accessed, but one of the laptops contained the protected health information of approximately 12,000 patients of NewYork-Presbyterian/Queens and NewYork-Presbyterian/Hudson Valley.

The protected health information potentially accessed and copied included first and last names, addresses, insurance authorizations, medical records numbers, and exam results. New York-Presbyterian Hospital said accounts used for the technical assistance program were immediately suspended and the service was terminated without further incident. Credit monitoring and identity theft protection services have been offered to all affected patients.

Forest Hill Pediatrics Reports EHR Vendor Data Breach

Bel Air North, MD-based Forest Hill Pediatrics has recently confirmed that the protected health information of up to 4,958 patients has potentially been compromised in a cyberattack on one of its vendors, Connexin Software, Inc, a provider of EHRs, practice management, and business analytics software to pediatric physician practice groups. The breach was detected by Connexin on August 26, 2022, and forensic experts were engaged to determine the nature and scope of the security breach.

On September 13, 2022, Connexin learned that an unauthorized third party had accessed an offline set of patient data used for data conversion and troubleshooting, and removed some of that data from its systems. The electronic record system was unaffected. The offline data included patient names, guarantor names, parent names, addresses, email addresses, birth dates, Social Security numbers, health insurance information, dates of service, locations, services requested/procedures performed, diagnoses, prescription information, physician names, medical record numbers, and billing and claims information.

Connexin has improved its security controls and enhanced system monitoring in response to the breach. Connexin has also offered complimentary child identity monitoring services for a period of one year to individuals who had their Social Security numbers exposed.

Alta Forest Products Health and Welfare Plan Member Data Potentially Stolen

Chehalis, WA-based Alta Forest Products has experienced a cyberattack in which the protected health information of up to 2,100 members of the Alta Forest Products Health and Welfare Plan was exposed. The security breach was detected on September 1, 2022, and prompt action was taken to secure its systems and prevent further unauthorized access.

The forensic investigation confirmed the attacker had access to files on its servers between August 17, 2022, and August 31, 2022, and during that time may have downloaded files containing the information of health and wellness plan members such as names, dates of birth, Social Security numbers, financial account numbers, and the employee health plan enrollment status for certain Alta employees and their dependents.

Notification letters were sent to affected individuals on October 31, 2022. Complimentary credit and identity monitoring services have been offered to affected individuals. Alta Forest Products has also enhanced the security of its computer systems and data.

Documents Containing PHI of Patients of Hilario Marilao, M.D Stolen in Break-in

Riverside, CA-based pediatric cardiologist, Hilario Marilao, M.D, has recently confirmed that documents containing the protected health information of patients were stolen in a break-in. The documents were stored in the basement of the offices in a locked storage cabinet. The theft was identified on September 6, 2022, following a minor flood, when account ledgers in the storage cabinet were determined to be missing. It is unclear when the ledgers were stolen.

The stolen ledgers contained patient names with a combination of the following types of information: address, phone number, Social Security Number, health insurance information, child’s name, date of service, and child’s date of birth. Affected individuals visited Dr. Marilao between 2010 and 2011, had a last name starting with A through M, and either the parent or child was insured under a Medi-Cal or an HMO plan. Dr. Marilao said all files have now been moved into the offices upstairs, and new security cameras and alarms have been fitted. Credit monitoring services are being offered to affected individuals.

At present, it is unclear how many individuals have been affected.

6 HIPAA Regulated Entities Report Phishing Attacks and Unauthorized Email Account Access

Police Department of the City of New York Reports 21,500-Record Data Breach

Unauthorized individuals have gained access to the email system of the Administrative Fund of the Detectives’ Endowment Association of the Police Department of the City of New York (NYCDEA) and potentially viewed or obtained the protected health information of 21,544 individuals.

Suspicious activity was detected within its email environment on December 16, 2021, passwords were changed to prevent further unauthorized access, and third-party cybersecurity experts were engaged to investigate the unauthorized activity. According to the breach report filed with the Maine Attorney General, it took until October 3, 2022, to confirm that an unauthorized third party had accessed the email system, which included sensitive information of its members. It is unclear why it took so long for the breach to be confirmed.

The review of the compromised email accounts confirmed they contain information such as names, addresses, dates of birth, driver’s license numbers, state identification card numbers, financial account numbers, usernames and passwords, payment card information, medical histories, and health insurance information. Notification letters were sent to affected individuals on October 31, 2022. Credit monitoring, fraud consultation, and identity theft protection services have been offered to affected individuals.

Two Email Accounts Compromised in Gateway Ambulatory Surgery Center Phishing Attack

Gateway Ambulatory Surgery Center in Concord, NC, has started notifying 18,479 patients that some of their protected health information was stored in email accounts that have been accessed by unauthorized individuals. An email account breach was first detected by Gateway on April 6, 2022. The third-party forensic investigation confirmed that two employee email accounts had been accessed by unauthorized individuals between February 14, 2022, and May 10, 2022, as a result of employees responding to phishing emails.

On September 1, 2022, Gateway confirmed that the email accounts contained patient information, including names, health benefit enrollment information, medical histories, health insurance information, patient account numbers, and dates of service. A limited number of patients also had their Social Security numbers and/or driver’s license numbers exposed. Notification letters were sent on October 31, 2022, and qualified patients have been offered credit monitoring, fraud consultation, and identity restoration services at no cost.

Gateway said it has implemented a new endpoint detection and response solution and has provided additional security awareness training to its workforce.

Assurance Health System Reports Breach of Two Email Accounts

Assurance Health System, an Indianapolis, IN-based provider of senior inpatient psychiatric care in central Indiana and Ohio, has recently announced that the email accounts of two employees have been accessed by unauthorized individuals. It is unclear when the unauthorized email account activity was detected but the forensic investigation confirmed that one email account was accessed by an unauthorized third party between April 8, 2022, and April 21, 2022, and another was accessed by an unauthorized individual between June 10, 2021, and March 8, 2022. The review of the email accounts was completed on September 1, 2022, and notification letters started to be sent to the 3,565 affected individuals on October 28, 2022.

The compromised email accounts contained the protected health information of patients of Assurance Health, Anew Health, and Brightwell Behavioral Health facilities, including names, contact information, Social Security numbers, driver’s license numbers, dates of birth, medical record numbers, patient account numbers, dates of treatment, facilities of treatment, medical histories, condition and diagnosis information, provider names, prescription information, and health insurance information.

Individuals whose Social Security numbers or driver’s license numbers were exposed have been offered complimentary credit monitoring and identity protection services. Assurance Health System said additional safeguards and technical security measures have been implemented to further protect and monitor its email system.

Native American Rehabilitation Association of the Northwest Email Breach Affects 2,915 Patients

Portland, OR-based Native American Rehabilitation Association of the Northwest (NARA NW) has reported a breach of the email accounts of seven employees. Suspicious activity was detected within its email system on September 1, 2022, and immediate action was taken to prevent further unauthorized access. The review of the affected email accounts confirmed they had been accessed by unauthorized individuals between August 31 and September 1 by a third party outside the United States.

The email accounts contained patient information that was mostly limited to names, dates of birth, and non-sensitive treatment information. Four of the 2,915 affected individuals had their Social Security numbers exposed. Those individuals have been offered complimentary credit monitoring services for 12 months.

NARA NW said it was prepared for such attacks, and that its technology allowed it to quickly pinpoint the exact emails and information that were accessed; however, further safeguards have now been implemented, including restricting the use of web-based email, preventing access from outside of the United States, and enabling multi-factor authentication for email accounts.

Email Account Breach Reported by Work Health Solutions

Work Health Solutions, an occupational healthcare provider in San Jose, CA, has recently confirmed that an employee’s email account was accessed by an unauthorized third party between February 16, 2022, and March 24, 2022. The email account was immediately secured, and a forensic investigation and account review was conducted, which revealed on October 11, 2022, that protected health information had potentially been compromised, including full names, Social Security numbers, driver’s license numbers, health insurance information, and/or medical information.

Notification letters were sent to affected individuals on November 9, 2022. Individuals whose Social Security numbers were impacted have been offered complimentary credit monitoring services. The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Unauthorized Email Account Activity Detected by Three Rivers Provider Network

The Las Vegas, NV-based Three Rivers Provider Network has recently reported a breach of an employee email account that contained sensitive patient information such as names, dates of birth, addresses, Social Security numbers, passport numbers, driver’s license numbers, state-issued ID numbers, and health information.

The unauthorized activity was detected on June 3, 2022, and it was confirmed on August 17, 2022, that protected health information had been exposed. No reports of misuse of patient information had been received at the time of issuing notifications. Notification letters were sent to affected individuals on November 5, 2022, and 24 months of complimentary credit monitoring services have been offered.

Former Pennsylvania Medical Assistant Charged with Stealing Patient Information for Personal Gain

A former employee of Axia Women’s Health in Pennsylvania has been charged in a 39-count indictment for stealing patient information for personal gain. The Upper Moreland Police Department in Montgomery County, PA, uncovered an elaborate scheme involving the theft of the identities of patients, which were used to obtain credit cards and loans, rent high-end apartments, and obtain several thousand dollars worth of furniture.

The investigation centered on Gwendolyn Murray of Philadelphia. Text messages were found on Murray’s cellphone that had been sent by Ashley Latimer, 34, of Philadelphia, which appeared to be screenshots of patient records. Latimer was determined to have sent the messages while working at AFC Urgent Care in South Philadelphia. Further investigation revealed Latimer had worked at AFC Urgent Care between September 16, 2021, and December 26, 2021, but was fired when she was suspected of stealing $3,200 from the cash drawer.

Latimer then found employment as a medical assistant at Axia Women’s Health, where she was given access to patient records to complete her work duties. While employed at Axia Women’s Health, Latimer used her cellphone to take photographs of patient records containing driver’s license numbers and other information, which were sent to Murray to create fraudulent customer accounts and obtain credit in the victims’ names. The stolen identities were used to create fraudulent accounts at Wayfair, Mattress Queen, Carvana, and Bob’s Discount Furniture.

The police seized Latimer’s cell phone and found 41GB of data that included text conversations with Murray along with photographs of computer screens and paper documents containing the personal information of patients of Axia Women’s Health, where Latimer was employed in the first and second quarters of 2022. The detectives also found images of Experian Credit Reports, lease applications, and applications and approvals for credit at Wayfair and Carvana in the names of Axia Women’s Health patients.

On November 10, 2022, Pennsylvania Attorney General Josh Shapiro announced that Latimer had been arrested and charged for her role in the scam. The information stolen by Latimer was used to open credit cards and make purchases totaling more than $31,000. Latimer has been charged with 27 counts of identity theft, 7 counts of theft, 4 counts of computer theft, and one count of forgery.

“This defendant is accused of taking advantage of her position and violating her trust and responsibility as a medical professional,” said AG Shapiro. “We will not, under any circumstance, allow individuals to put patients at risk and compromise our Commonwealth’s health care systems.”

Five Former Tennessee Hospital Employees Charged with Criminal HIPAA Violations

Five former employees of Methodist Hospital in Tennessee have been indicted by a federal grand jury in Memphis for criminal violations of the Health Insurance Portability and Accountability Act (HIPAA) for impermissibly accessing the protected health information of patients and providing that information to another individual for financial gain.

According to the indictment, between November 2017 and December 2020, Roderick Harvey, 40, conspired with five former hospital employees and paid them to provide him with the names and telephone numbers of patients who had been involved in motor vehicle accidents. Harvey then sold that information to third parties such as personal injury lawyers and chiropractors.

The former Methodist Hospital employees – Kirby Dandridge, 38, Sylvia Taylor, 43, Kara Thompson, 30, Melanie Russell, 41, and Adrianna Taber, 26 – and Harvey were charged with conspiracy to obtain patient information with the intent to sell, transfer or use such information for personal gain, the maximum penalty for which is five years in jail, three years of supervised release, and a financial penalty of up to $250,000. Each of the five employees was also charged with separate criminal violations of HIPAA for disclosing patient information to Harvey, with those charges carrying a maximum penalty of one year in jail, one year of supervised release, and a fine of up to $50,000.

Harvey has been charged with seven counts of obtaining patient information with the intent to sell the information for financial gain, with the offenses occurring from November 12, 2017, to September 7, 2019. Harvey faces up to 10 years in jail, a fine of up to $250,000, and three years of supervised release for each charge.

Methodist Le Bonheur Healthcare discovered the unauthorized access, terminated the employees for the HIPAA violations, and reported them to law enforcement. The case was investigated by the Federal Bureau of Investigation and the Tennessee Bureau of Investigation and is being prosecuted by Assistant United States Attorney Carroll L. André III.

The post Five Former Tennessee Hospital Employees Charged with Criminal HIPAA Violations appeared first on HIPAA Journal.

New York Provider of Administrative Anesthesiology Services Facing Multiple Class Action Data Breach Lawsuits

A New York-based physician-owned provider of administrative services to anesthesiology firms is facing several class action lawsuits over a cyberattack and data breach that has affected at least 24 entities and involved the exposure and potential theft of the protected health information of more than 450,000 patients.

Anesthesiology firms started reporting data breaches to the Department of Health and Human Services’ Office for Civil Rights in September 2022, with the notification letters to patients indicating there had been a data breach at their anesthesia management services organization. The notification letters failed to name that company.

According to the notification letters, the management services organization detected the cyberattack on or around July 11, 2022, or July 15, 2022; the affected firms used two notification templates that gave different dates. The forensic investigation determined the attackers had access to parts of its system that contained the protected health information of patients, including names, Social Security numbers, dates of birth, driver’s license numbers, financial account information, health insurance policy numbers, medical record numbers, Medicaid/Medicare IDs, and health information, including diagnosis and treatment information.

At least five complaints have now been filed in the U.S. District Court for the Southern District of New York against the management company – Somnia Inc. – over the data breach. The complaints allege the company was negligent in failing to implement appropriate safeguards to ensure the confidentiality, integrity, and availability of patient information, that Somnia failed to comply with FTC guidelines and the HIPAA Rules, and that it did not follow industry standards for data security.

Some of the lawsuits also take issue with the way the breach was reported due to the failure to mention Somnia Inc. by name in the notification letters, and in some cases, to fully disclose exactly what information had been compromised. One lawsuit took issue with Somnia Inc. only disclosing the breach as affecting 1,326 patients, when the breach was known to have affected more than 400,000 individuals at the time and suggested, “Somnia is trying to completely avoid any and all responsibility for the data breach and is using its local practices to obscure the identity of the responsible entity as well as to downplay the severity of the data breach.”

The lawsuits allege individuals affected by the breach now face an immediate and elevated risk of identity theft and fraud as a result of the negligence of Somnia, and seek class action status, damages, adequate credit monitoring and identity theft protection services, injunctive relief, and a court order that requires Somnia to implement enhanced security measures to ensure patient information is appropriately protected.

The post New York Provider of Administrative Anesthesiology Services Facing Multiple Class Action Data Breach Lawsuits appeared first on HIPAA Journal.

CommonSpirit Health Says EHRs Mostly Back Online Following Ransomware Attack

CommonSpirit Health has recently provided an update on the progress that has been made in recovering from an October 2022 ransomware attack that affected many facilities across its network. The attack was detected on October 3, which forced the health system to take its IT systems offline, including its electronic health record (EHR) system and the MyChart patient portal. CommonSpirit Health, Catholic Health Initiatives (CHI Health), MercyOne, and St. Luke’s Health facilities were affected and have been operating under emergency procedures since the attack. CommonSpirit Health had previously stated that there was no impact on patient care and associated systems at Dignity Health, TriHealth, and Centura Health.

It has now been more than a month since the attack and business operations have yet to return to normal; however, CommonSpirit Health has recently confirmed that the majority of impacted locations now have access to their EHR systems again and patients of those facilities should now be able to access patient portals to view their medical records. Appointment scheduling systems are still affected, so patients have been advised to contact their provider’s office directly to arrange appointments.

A forensic investigation into the attack was launched; however, the priority has been patient safety and bringing affected systems back online as quickly and safely as possible. The forensic investigation is trying to establish the methods used by the attackers to gain initial access to its network to allow security updates to be performed, and to determine the extent, if any, that patient data has been compromised. CommonSpirit Health will provide further updates pending the outcome of the investigation. The incident has been reported to law enforcement and third-party cybersecurity consultants have been engaged to assist with the recovery.

While some healthcare organizations have been able to recover from ransomware attacks relatively quickly, within 1 or 2 weeks of an attack, longer disruptions are common, with the average recovery time being 22 days. Several factors affect the recovery time, including the extent of the attack, the complexity of the IT environment, the availability of clean, tested backups, and whether a practiced incident response plan was in place. The importance of planning for security incidents and having a practiced incident response plan was recently emphasized by the HHS’ Office for Civil Rights in its October 2022 Cybersecurity Newsletter.

The post CommonSpirit Health Says EHRs Mostly Back Online Following Ransomware Attack appeared first on HIPAA Journal.

Lurie Children’s Hospital Proposes Settlement to End Insider Breach Lawsuit

Ann & Robert H. Lurie Children’s Hospital has proposed a settlement to resolve a class action lawsuit filed in response to two privacy breaches involving unauthorized medical record access by employees.

On November 15, 2019, the Chicago hospital discovered an employee had been impermissibly accessing patient records. The investigation determined the unauthorized access occurred between Sept. 10, 2018, and Sept. 22, 2019. The employee, a nursing assistant, viewed patient records that included names, addresses, dates of birth, and medical information, including diagnoses, medications, appointments, and procedures. Once the unauthorized access was confirmed, the employee was terminated. Lurie Children’s Hospital notified affected patients in December 2019 and said there was no reason to suggest the information had been further disclosed or misused.

A similar breach was detected by the hospital in 2020. A nursing assistant was discovered to have accessed patient records without authorization between November 1, 2018, and February 29, 2020, and was also terminated. Patients were notified about the breach in May 2020. A mother took legal action against the hospital on behalf of her 4-year-old daughter, whose medical records had been impermissibly accessed by the two nursing assistants. Her daughter’s records included details of an examination to investigate suspected sexual abuse.

The lawsuit – Doe v. Lurie Children’s Hospital of Chicago – alleged the hospital had been negligent in failing to protect patient records, had breached its implied contract, and had failed to monitor employees’ access to patients’ medical records. Lurie Children’s Hospital denied liability for the breach, did not admit any wrongdoing, and maintained the plaintiff had failed to state a claim upon which relief can be granted, as the plaintiff did not assert any basis on which the actions of the hospital had caused harm.

Lurie Children’s Hospital proposed a settlement to put an end to the allegations of wrongdoing. The proposed settlement does not include any monetary benefits, but the hospital has agreed to make changes to policies and procedures and implement additional safeguards to better protect patient data. Those measures include increased monitoring of employee access logs, including twice-weekly reviews of audit alerts, and a commitment to provide employees with additional training on medical record access. The hospital has also stated that it will be applying “break the glass” protocols for highly sensitive medical information related to certain treatments, including evaluations for sexual abuse and sexual assault.
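The controls in the Lurie settlement (routine review of access-audit alerts, break-the-glass protection for sensitive records) and the pattern in the Methodist case above (staff pulling records of patients they were not treating, over a long period) are both things an EHR access-log review can surface. The script below is an added example, not Lurie Children’s, Methodist Le Bonheur’s, or any EHR vendor’s code. The CSV log layout, the care-team roster, the unit names and the threshold of four distinct patients per day are constructed assumptions for illustration; a real deployment would read the EHR’s own audit export and take the treatment-relationship data from the ADT/scheduling system.

```python
"""Review EHR access-audit records for three insider-access patterns:
chart views with no documented treatment relationship, restricted records
opened without a break-the-glass justification, and an unusually large
number of distinct patients viewed by one account in a day.
Illustrative code; the log format and data below are constructed."""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass

# Constructed audit-log extract in a hypothetical CSV layout (not a real EHR export).
# restricted = Y marks a record that carries a break-the-glass flag;
# btg_reason is the justification the user typed when opening it (empty if none).
SAMPLE_LOG = "\n".join([
    "timestamp,user,role,user_unit,patient,patient_unit,restricted,btg_reason",
    "2019-09-10T08:02,na_jones,nursing_assistant,4E,MRN1001,4E,N,",
    "2019-09-10T08:05,na_jones,nursing_assistant,4E,MRN1002,4E,N,",
    "2019-09-10T12:40,na_jones,nursing_assistant,4E,MRN2007,ED,Y,",
    "2019-09-10T12:44,na_jones,nursing_assistant,4E,MRN2008,ED,N,",
    "2019-09-10T12:51,na_jones,nursing_assistant,4E,MRN2009,ED,N,",
    "2019-09-10T13:10,dr_kim,physician,ED,MRN2007,ED,Y,Consult requested by ED attending",
    "2019-09-11T09:00,na_jones,nursing_assistant,4E,MRN1003,4E,N,",
])

# Constructed care-team roster: accounts with a documented treatment relationship
# to each patient (in practice derived from ADT, orders or scheduling data).
CARE_TEAMS = {
    "MRN1001": {"na_jones", "dr_patel"},
    "MRN1002": {"dr_patel"},
    "MRN1003": {"na_jones", "dr_kim"},
    "MRN2007": {"dr_kim"},
}


@dataclass(frozen=True)
class AccessEvent:
    ts: str            # ISO date-time of the chart access
    user: str          # employee account
    role: str          # job role as recorded by the EHR (kept for analyst context)
    user_unit: str     # unit the employee is assigned to
    patient: str       # patient identifier (MRN)
    patient_unit: str  # unit where the patient is being treated
    restricted: bool   # record is flagged as highly sensitive
    btg_reason: str    # break-the-glass justification entered, or ""


def parse_log(text):
    """Parse the constructed CSV audit extract into AccessEvent objects."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append(AccessEvent(
            ts=row["timestamp"], user=row["user"], role=row["role"],
            user_unit=row["user_unit"], patient=row["patient"],
            patient_unit=row["patient_unit"],
            restricted=row["restricted"].strip().upper() == "Y",
            btg_reason=(row["btg_reason"] or "").strip()))
    return events


def review_access_log(events, care_teams, max_patients_per_day):
    """Return (user, subject, reason) alert tuples for the three patterns.

    An access is considered legitimate if the user is on the patient's care
    team or works on the patient's unit; anything else is flagged for review.
    """
    alerts = []
    daily_patients = defaultdict(set)   # (user, date) -> distinct MRNs viewed
    for e in events:
        on_team = e.user in care_teams.get(e.patient, set())
        if not on_team and e.user_unit != e.patient_unit:
            alerts.append((e.user, e.patient, "no_care_relationship"))
        if e.restricted and not e.btg_reason:
            alerts.append((e.user, e.patient, "restricted_without_btg"))
        daily_patients[(e.user, e.ts[:10])].add(e.patient)
    for (user, day), patients in daily_patients.items():
        if len(patients) > max_patients_per_day:
            alerts.append((user, day, f"volume:{len(patients)}"))
    return alerts


def run_sample():
    """Run the review over the constructed extract with a threshold of 4/day."""
    return review_access_log(parse_log(SAMPLE_LOG), CARE_TEAMS, max_patients_per_day=4)


if __name__ == "__main__":
    for user, subject, reason in run_sample():
        print(f"{user:10} {subject:12} {reason}")
```

On the constructed data the nursing assistant’s five emergency-department lookups in one afternoon produce three no-care-relationship alerts, one restricted-record alert for the chart opened without a justification, and one volume alert, while the physician’s consult on the same restricted record passes because a reason was recorded. The care-team check is the piece that distinguishes the two nursing-assistant cases above from ordinary work: a same-unit view of a colleague’s patient is tolerated, a cross-unit view of a patient nobody has assigned to the user is not.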

The deadline for objection and exclusion is January 4, 2023. The final approval hearing has been scheduled for January 25, 2023.

The post Lurie Children’s Hospital Proposes Settlement to End Insider Breach Lawsuit appeared first on HIPAA Journal.