A round-up of data breaches that have recently been reported by HIPAA-covered entities.

South Suburban Surgical Suites Reports Email Account Breach

South Suburban Surgical Suites, a Munster, IN-based surgical center, has reported a breach of a legacy Microsoft Office 365-hosted business email account. The breach was detected on April 3, 2023, with the investigation confirming the account was accessed following a response to a phishing email. The response was on February 20, 2023, and the unauthorized access was blocked on April 3, 2023. The review of the email account was completed on June 5, 2023, and confirmed that the protected health information of 5,340 patients was stored in the account.

That information varied from individual to individual and may have included full names in combination with addresses, dates of birth, Social Security numbers, driver’s license/state ID numbers, passport numbers, credit card information and/or financial account information, medical record numbers, dates of service, provider names, diagnoses/procedure information, prescriptions/medications, health insurance information, and/or billing and claims information.

Complimentary credit monitoring and identity protection services have been offered to individuals whose Social Security numbers were involved.

edgeMED Healthcare Reports Computer System Compromise

The Boca Raton, FL-based revenue cycle management and billing vendor, edgeMED Healthcare, LLC, has recently announced that an unauthorized individual accessed its computer systems between May 20, 2023, and May 26, 2023, and may have viewed or obtained information such as names, treatment codes, rendering provider names, and some additional encounter information.

The intrusion was detected on May 26, 2023, and access was immediately blocked. Affected individuals have now been notified about the breach and, at the time of issuing notifications, no evidence of misuse of the compromised data had been identified. edgeMED Healthcare said its security protocols have been enhanced by implementing additional security measures.

The breach has yet to appear on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.

Partnership Health Center Reports Email Error

The Missoula, MT healthcare clinic, Partnership Health Center (PHC), says a limited amount of patient information has been impermissibly disclosed due to an email error. A patient survey was sent via email to find out about patient experiences; however, emails were inadvertently sent to incorrect individuals.

An email intended for one individual was accidentally sent to another individual, who was also a Partnership Health Center patient. The only information that was impermissibly disclosed was an individual’s first and last name, and in some cases, their middle initial. The email identified a patient as having received a medical service from Partnership Health Center between July 2022 and December 2022. The nature of that service was not disclosed.

The breach has recently been reported to the HHS’ Office for Civil Rights as affecting 8,331 individuals.

Limbach Facility Services Reports of Employee Benefit Plan Data

The Warrendale, PA-based construction and engineering company, Limbach Facility Services LLC, fell victim to a cyberattack that affected the availability and functionality of its computer network. The security breach was detected on April 23, 2023, with the forensic investigation determining that an unauthorized individual had access to its network between April 19, 2023, and April 22, 2023. During that time, certain files on the network were accessed and exfiltrated. Those files included the protected health information of 1,392 current and former members of its Group Benefit Plan. The compromised information included names, Social Security numbers, and limited health insurance plan enrolment information.

Additional security measures have been implemented to enhance the security of the network and affected individuals have been offered complimentary credit monitoring and identity theft protection services.

The post Healthcare Providers and Vendors Confirm Recent PHI Disclosure Incidents appeared first on HIPAA Journal.

Nashville, TN-based HCA Healthcare, the largest health system in the United States with more than 180 hospitals and 2,300 healthcare sites, has announced that an unauthorized individual had obtained the protected health information of patients. While the total number of affected individuals has not yet been confirmed, the breach is understood to have affected 11 million+ patients, which would make this the joint third-largest healthcare data breach to be reported by a HIPAA-regulated entity.

Largest Healthcare Data Breaches

On July 10, 2023, HCA Healthcare announced that hackers had gained access to an external storage location that was used to automatically format emails such as patient appointment reminders and emails alerting patients about HCA Healthcare programs and services. While the investigation into the data breach has not yet concluded, the compromised data lists contained 27 million rows of data, which included the protected health information of approximately 11 million patients who received care at HCA hospitals and doctors’ offices in 20 U.S. states.

The information in the data lists included name, address (city, state, zip code), email address, phone number, date of birth, gender, date(s) of service, location of service(s), and next appointment date. No clinical information, financial information, or Social Security numbers are believed to have been compromised. The data related to individuals who received healthcare services in Alaska, California, Colorado, Florida, Georgia, Idaho, Indiana, Kansas, Kentucky, Louisiana, Missouri, Mississippi, Nevada, New Hampshire, North Carolina, South Carolina, Tennessee, Texas, Utah, or Virginia. The full list of affected facilities has been published by HCA Healthcare here.

HCA Healthcare said the storage location was immediately disabled when the breach was discovered and an investigation was launched into the attack, with assistance provided by third-party cybersecurity and digital forensics experts. HCA Healthcare said the incident had no impact on patient care and that it is not expected to have any impact on its business, operations, or financial results. HCA Healthcare will issue notification letters when the affected individuals have been identified and contact information has been confirmed. Complimentary credit monitoring services are being offered to the affected individuals.

The individual behind the attack listed the data for sale on a dark net marketplace and gave HCA Healthcare until July 10, 2023, to meet its demands. HCA Healthcare’s announcement coincided with that data, but it is unclear whether the hacker’s demands were met, or what those demands were. HCA Healthcare confirmed in its initial breach notice that, “a list of certain information with respect to some of its patients was made available by an unknown and unauthorized party on an online forum,” and said the information was posted online on July 5, 2023. HCA Healthcare said it is unaware of any misuse of patient data at this time.

Since highly sensitive information does not appear to have been compromised, individuals affected may not face an immediate risk of identity theft or fraud; however, they could be subject to phishing attacks and email/telephone/SMS scams so should exercise caution, especially with email attachments, hyperlinks in emails and SMS messages, and phone calls where sensitive information is requested.

HCA Healthcare said it has “several robust security strategies, systems, and protocols in place to help protect data,” and has an ongoing education program for its colleagues, physicians, vendors, and others to maintain awareness of safe practices to help ensure compliance and the security of patient data.

The post 11 Million+ HCA Healthcare Patients Affected by Recent Cyberattack appeared first on HIPAA Journal.

Advanced Medical Management LLC, a provider of operational, administrative, and technical healthcare management services to large physician organizations, government agencies, and health plans, has recently announced that it was the victim of a cyberattack in which the protected health information of 319,485 individuals was exposed and potentially stolen.

The forensic investigation confirmed that unauthorized individuals gained access to parts of its network that were designed and maintained by third-party vendors. The security breach was detected on May 11, 2023, with unauthorized access occurring between May 10, 2023, and May 13, 2023.

A review was conducted of all files on the compromised systems and confirmed they contained information such as names, addresses, email addresses, phone numbers, dates of birth, driver’s license numbers, Social Security numbers, and health insurance information. Notification letters started to be mailed to affected individuals on June 29, 2023.

Californian Law Firm Confirms Data Breach Affecting Almost 41,000 Individuals

The San Francisco, CA-based law firm, Orrick, Herrington & Sutcliffe LLP, has recently confirmed a breach of its IT environment and the exposure of the protected health information of up to 40,823 individuals. In a breach report submitted to the Montana Attorney General, the law firm said a potential system intrusion was detected on March 13, 2023, and the forensic investigation confirmed that unauthorized individuals had gained access to a portion of its network where client files were stored. Those files contained names, dates of birth, addresses, and Social Security numbers. The investigation also confirmed that files had been exfiltrated from its network on March 7, 2023.

Individuals affected by the attack include members of an unnamed vision health plan, which had engaged the law firm following a security breach in 2020. The law firm started sending notification letters to affected individuals on June 30, 2023 and has offered two years of complimentary identity theft monitoring services to affected individuals. Since data was stolen in the attack, anyone receiving a letter should take advantage of the services being offered through Kroll. The law firm has confirmed that additional security measures have been implemented to prevent similar attacks in the future.

The post Advanced Medical Management Reports Data Breach Affecting 319,485 Individuals appeared first on HIPAA Journal.

Imagine360, a Wayne, PA-based provider of a self-funded health plan solution for employers, was the victim of two cyberattacks this year involving its file-sharing solutions. The first attack was detected on or around January 30, when suspicious activity was detected within its Citrix file-sharing solution, which Imagine 360 uses to securely exchange files related to self-insured health plans. Steps were immediately taken to secure the platform by taking it offline, passwords were reset, and an investigation was launched into the attack.

A few days later, while Imagine360 was investigating the Citrix breach, a vulnerability was exploited in another file-sharing platform – Fortra’s GoAnywhere Transfer solution. Fortra determined that an unauthorized actor – now known to be the Clop ransomware group – exploited a zero-day vulnerability and stole sensitive data.

Imagine360 independently investigated both security incidents and confirmed that its own systems were unaffected and remained secure at all times; however, files were stolen in both attacks between January 28 and January 30, 2023. The stolen files included names, medical information, health insurance information, and Social Security numbers, with the impacted data varying from individual to individual.

The review of the affected files took until June 1, 2023, after which contact information was verified to allow notification letters to be sent. Imagine360 said the decision was taken to suspend the use of the Fortra file transfer solution, and additional safeguards have been added to its policies, processes, and security measures to prevent similar breaches in the future.

The notification letter to the California Attorney General and the version uploaded to the Imagine360 website make no mention of credit monitoring and identity theft protection services being offered to the affected individuals. It is also unclear at this stage how many individuals have been affected as the incident has yet to appear on the HHS’ Office for Civil Rights breach portal.

The post Imagine360 Suffers Breaches of Two File-Sharing Platforms appeared first on HIPAA Journal.

Murfreesboro Medical Clinic & SurgiCenter (MMC) in Tennessee has recently confirmed that the protected health information of more than half a million patients was compromised in what it describes as “a series of attacks on our network and IT systems,” which were discovered on or around April 24, 2023.

An investigation was launched after securing its network, and it was confirmed that a “well-known cyber extortion operation” was behind the attack and gained access to the network on or around April 22, 2023.  The group was not named by MMC, but it appears to be the BianLian threat group.

MMC said it was unable to determine whether files were accessed or removed from its network; however, the parts of the network that were accessed contained files that included the protected health information of 559,000 patients. The information potentially accessed or stolen included full names, dates of birth, home addresses, phone numbers, copies of driver’s licenses, full or partial social security numbers, dependent information, dates of service, medical and diagnostic information related to those dates of service, test results, procedure notes, prescription information, medical record numbers, and insurance and enrolment information.

MMC said it rebuilt its network and has implemented advanced security features to prevent similar breaches in the future, and said the attack appeared not to have resulted in any loss of data. As a precaution against identity theft and fraud, affected individuals have been offered 24 months of complimentary credit monitoring services.

PHI of More Than 24,000 Mount Desert Island Hospital Patients Exposed

Mount Desert Island Hospital in Bar Harbor, ME, has issued a statement about a security incident that was detected on May 4, 2023. An investigation was launched when suspicious activity was detected in its computer systems, which confirmed certain parts of its network had been accessed by unauthorized individuals between April 28, 2023, and May 7, 2023.

A review of all files on the compromised parts of the network confirmed that protected health information had been exposed, including names, addresses, birth dates, driver’s license/state identification numbers, Social Security numbers, financial account information, medical record numbers, Medicare or Medicaid identification numbers, mental or physical treatment/condition information, diagnosis codes/information, dates of service, admission/discharge dates, prescription information, billing/claims information, personal representative/guardian names, and health insurance information.

Third-party security specialists were engaged to re-secure its network and implemented additional security precautions, and a review has been conducted of its data protection policies and procedures. Complimentary credit monitoring services have been offered to the 24,180 affected individuals.

ARx Patient Solutions Reports Email Account Breach from 2022

The Kansas-based healthcare provider, ARx Patient Solutions, has recently notified the Maine Attorney General about a security breach that has affected 41,116 individuals, including individuals who used the ARx Patient Solutions Pharmacy.

In March 2022, an unauthorized individual accessed the email account of an employee. A third-party cybersecurity firm was engaged to investigate the breach and determined that the following types of information had been exposed: first name, last name, prescription information, patient account number, health insurance account member number, health insurance group number, doctor’s name, and in some limited cases, Social Security number. Many of the individuals affected were minors.

The investigation, which included dark web monitoring, has not identified any evidence of misuse of the exposed data. ARx Patient Solutions said it has strengthened system security by implementing XDR threat monitoring systems, proactive vulnerability management programs, active system scanning solutions, and has made significant investments in its Security Operations department. Affected individuals were notified on June 30, 2023, and have been offered a one-year membership to an identity theft monitoring service.

City of San Luis Reports Email Breach Affecting 6,848 Individuals

The City of San Luis in Arizona has discovered unauthorized access to an employee’s email account that contained the protected health information of 6,848 individuals. Suspicious activity was detected in the email account on March 7, 2023, and the forensic investigation confirmed the account was accessed without authorization between February 1, 2023, and February 23, 2023. The review of the emails and attachments was completed on May 4, 2023, then contact information was verified to allow notification letters to be sent. Affected individuals had one or more of the following exposed: name, address, driver’s license number, health insurance information, medical information, date of birth, and Social Security number.

Arizona Medicaid Agency Reports Exposure of Medicaid Recipients’ PHI

The Arizona state Medicaid agency, Arizona Health Care Cost Containment System (AHCCCS), has confirmed that 2,632 Medicaid recipients have had some of their protected health information exposed. On May 11, 2023, a vulnerability was identified in the HEAplus system toolbar on the e-Arizona website, which allowed sensitive information to be accessed. The information exposed was limited to first and last names, addresses, and the last four digits of Social Security numbers. AHCCCS has made security updates that it says will prevent similar breaches from occurring again and notified the affected individuals by mail on July 3, 2023.

Vitality Group Suffers MOVEit Data Breach

Vitality Group, a Chicago, IL-based behavioral engagement platform provider, suffered a data breach on May 30, 2023, when hackers exploited a zero-day vulnerability in the MOVEit file transfer solution. The breach was detected by its IT security staff on June 1, 2023, and steps were immediately taken to prevent further unauthorized access; however, during a 2-hour time span, hackers had access to the server where the MOVEit application was installed and potentially stole sensitive data such as names, mailing addresses, dates of birth, email addresses, and Social Security numbers.

Vitality Group is offering two years of complimentary credit monitoring and identity theft protection services to individuals who had their Social Security numbers exposed. It is currently unclear how many of its clients were affected, but one of those is known to be the Los Angeles, CA-based AltaMed Health Services Corporation.

The post 559,000 Individuals Affected by Murfreesboro Medical Clinic & SurgiCenter Cyberattack appeared first on HIPAA Journal.

Precision Imaging Centers in Jacksonville, FL, has recently notified 31,010 patients about a security breach that occurred on or around November 2, 2022. Unauthorized individuals gained access to its network and exfiltrated files containing sensitive patient information. The compromised information varied from patient to patient and may have included first and last names, addresses, dates of birth, Social Security numbers, driver’s license numbers, government-issued identification numbers, health insurance information, medical conditions/diagnoses, and other health or medical information.

Precision Imaging Centers said the attack was conducted by a high-profile threat actor group, and shortly after the attack was confirmed, a law enforcement operation resulted in the threat group’s websites and servers being seized, which suggests the threat actor behind the attack was the Hive ransomware group. Precision Imaging Centers said no evidence of misuse of personal information has been detected.

Precision Imaging Centers isolated its network when the breach was detected, and a forensic investigation and document review were conducted. Precision Imaging Centers said that the document review concluded on June 20, 2023, and notification letters were mailed on June 22, 2023. Affected individuals have been offered credit monitoring and identity theft protection services through IDX. Precision Imaging Centers has implemented new systems and has enhanced its security protocols to prevent similar attacks in the future.

Ohio Law Firm Notifies Individuals About September 2021 Data Breach

The Toledo, OH-based law firm, Marshall & Melhorn, LLC, recently started notifying 9,412 individuals that some of their protected health information was exposed in a 2021 cyberattack. According to the notification letters, a computer network outage occurred on September 14, 2021. An investigation was immediately launched, and it was determined that an unauthorized actor had access to its network from August 20, 2021, to September 14, 2021; however, the investigation was unable to determine the exact files that had been accessed or obtained.

Marshall & Melhorn said it conducted a review of all files potentially involved, and that process was completed on May 19, 2023, 18 months after the breach was detected. Efforts were then made to contact the affected clients and obtain up-to-date contact information. That process was completed on May 19, 2023, and notification letters were mailed on June 7, 2023, including on behalf of its client, Lima Memorial Health System.

The information potentially accessed included names, addresses, Social Security numbers, financial account information, driver’s licenses and state identification information, passport information, medical information, and health insurance information. The law firm says it has implemented additional cybersecurity measures in response to the breach and has detected no misuse of the exposed information. Credit monitoring services do not appear to have been offered.

Atrium Health Wake Forest Baptist Suffers Phishing Attack

Atrium Health Wake Forest Baptist in Winston-Salem, NC, has recently announced that patient information was stored in an employee email account that was accessed by unauthorized individuals as a result of the employee being tricked by a phishing email.

The attack occurred on April 20, 2023, and the unauthorized access was detected and blocked the same day. The forensic investigation confirmed that unauthorized access had been blocked, the breach was confined to a single email account, and that the email account contained the protected health information of 3,679 individuals. While protected health information may have been viewed or obtained, the forensic investigation determined that the unauthorized access was not focused on the content of the email account.

The information in the account varied from patient to patient and likely included one or more of the following: name, date of birth, hospital account record number, health insurance information, treatment cost information, and/or clinical information, such as date(s) of service, provider name, and location(s) of service. For a limited number of individuals, Social Security numbers were also exposed.

Notification letters have been mailed and individuals who had their Social Security numbers exposed have been offered complimentary credit monitoring and identity protection services. Security controls have been enhanced and phishing training will continue to be provided to the workforce.

The post Cyberattacks Reported by Precision Imaging Centers, Marshall & Melhorn, and Atrium Health Wake Forest Baptist appeared first on HIPAA Journal.

The Williamsport Home, a retirement village in Pennsylvania, and Senior Choice, Inc., a provider of skilled nursing care at three inpatient facilities in Pennsylvania – The Atrium in Johnstown, Beacon Ridge in Indiana, and The Patriot in Somerset – have been affected by a cyberattack that was detected on April 24, 2023.

Steps were immediately taken to secure the network when the security breach was detected and while the investigation into the cyberattack is ongoing, it has been determined that unauthorized individuals gained access to certain business operation systems between April 18 and April 24, 2023. The systems used directly for residential care do not appear to have been compromised; however, the business systems compromised in the attack contained protected health information that was potentially accessed or obtained.

The types of information that were exposed varied from individual to individual and may have included one or more of the following: Name, address, birth date, admission date, discharge date, death date, medical record number, provider or facility name, medical condition, diagnosis and/or treatment information, lab results, medications, payment amount history information, insurance payment amount information, date of service, Social Security number, financial account information, credit card number, medical information, health insurance information, driver’s license or state identification number, passport number, and any information on an individual that was created, used, or disclosed in the course of providing health care services.

Additional technical safeguards are being implemented to improve security to prevent similar breaches in the future. It has not yet been determined how many individuals have been affected so all individuals that are currently receiving services or have done in the past should therefore be vigilant against any misuse of their information. To meet the breach reporting requirements of the HIPAA Breach Notification Rule, the breach has been reported to the HHS by The Williamsport Home and Senior Choice as affecting at least 500 individuals. The totals will be updated when it has been confirmed how many individuals have been affected.

The post Cyberattack Affects Multiple Residential Care Facilities in Pennsylvania appeared first on HIPAA Journal.

The Illinois-based healthcare provider, Activate Healthcare, LLC, has recently confirmed that it suffered a security breach that resulted in the theft of patient data. Suspicious activity was detected within its IT systems on April 27, 2023, and the subsequent forensic investigation confirmed that an unauthorized third party had access to its network between April 22, 2023, and April 28, 2023.

On April 29, 2023, it was confirmed that files had been exfiltrated that included patient information such as names, dates of birth, addresses, Social Security numbers, driver’s license numbers, and clinical information, such as provider names, dates of service, and/or diagnoses. At the time of issuing notification letters, no evidence of misuse of patient data had been detected; however, as a precaution, affected individuals have been offered complimentary credit monitoring and identity protection services.  Activate Healthcare said steps will continue to be taken to enhance the security of its computer systems.

The breach has been reported to the HHS’ Office for Civil Rights as affecting up to 93,761 patients.

Community Research Foundation Confirms 30,000-Record Data Breach

Community Research Foundation (CRF), a San Diego, CA-based non-profit research foundation that develops and operates programs focused on the treatment, education, and rehabilitation of individuals with mental health problems and substance use problems, has recently confirmed that sensitive health data was accessed by an unauthorized individual last year.

CRF detected a security breach on October 13, 2022, and third-party cybersecurity experts were engaged to investigate the incident. CRF said the review of the affected files concluded on April 19, 2023, when it was determined that the protected health information of individuals who sought medical services through medical and/or social service programs that CRF supports was involved. That information included names, Social Security numbers, driver’s license numbers, dates of birth, medical treatment and/or diagnosis information, and/or health insurance information.

CRF said after confirming which individuals had been affected, contact information needed to be verified to allow notification letters to be mailed, hence the delay in issuing notifications. The breach notice makes no mention of when access to its systems was gained, and credit monitoring services do not appear to have been offered to affected individuals.

The data breach was recently reported to the HHS’ Office for Civil Rights as affecting up to 30,057 individuals.

Henrietta Johnson Medical Center Patients Affected by Data Breach at Delaware Health Network

The Henrietta Johnson Medical Center (HJMC) in Wilmington, DE, has been affected by a security incident at the healthcare-controlled network provider and electronic health records management provider, Delaware Health Network (DHN). According to the HJMC notice, unauthorized individuals gained access to certain DHN systems on or around April 5, 2023, and copied files from those systems. DHN is currently investigating the incident to determine the extent of the data breach but has notified HJMC and other clients that their data may have been impacted.

HJMC has not yet been informed of the number of patients that have been affected. Based on the findings of the forensic investigation to date, the following data types may have been exposed: full name, dates of birth, ethnicity, medical record number, diagnosis code, lab information, and health insurance information. DHN has confirmed that Social Security numbers and financial account information were not viewed or stolen.

HJMC said it is reviewing its policies and procedures relating to third-party vendors and will continue to pursue information from DHN about the event. Out of an abundance of caution, notifications will be sent to all patients. The breach has been reported to the HHS’ Office for Civil Rights as affecting 500 individuals. That number will be updated when DHN confirms how many patients have been affected.

The post Activate Healthcare Reports Security Breach Affects Up to 93,761 Patients appeared first on HIPAA Journal.