HIPAA Breach News

Ransomware Attack Results in 2 Week Shutdown of Operations at TN Medical Clinic

A cyberattack on Murfreesboro Medical Clinic & SurgiCenter (MMC) in Tennessee forced the healthcare provider to completely shut down operations for around two weeks to contain the attack and restore its IT systems. It is common for healthcare organizations to perform an emergency shutdown of the network to contain a cyberattack and limit the harm caused, and to operate under emergency procedures with staff recording patient information manually while systems are out of action. Some attacks see ambulances diverted and some appointments canceled for patient safety reasons, but the disruption caused by this attack was much more extensive.

The cyberattack occurred on April 22, 2023, and the network was rapidly shut down to contain the attack. Third-party cybersecurity experts were engaged to assist with the investigation and recovery from the attack. MMC said the rapid action taken in response to the security breach limited the damage caused, and work has continued round the clock to safely bring systems back online and enhance security controls. MMC has been working with cybersecurity experts and law enforcement to investigate the incident and determine the extent of the attack, and while those processes were completed, the decision was taken to close all operations. MMC planned to reopen on a limited basis on May 3, 2023, then restore full operations shortly thereafter; however, the recovery process took longer than planned.

The MMC Pediatric and Internal & Family Walk-In Clinics at its Garrison Drive location reopened on May 4, 2023, but all other locations remained closed. On May 5, 2023, all surgeries in its SurgiCenter, Gastroenterology procedures, and Laboratory and Radiology services were canceled, and MMC Now locations remained closed, although phone lines were restored. Over the weekend of May 6th and 7th, MMC Pediatrics resumed normal weekend operations, but MMC Now Family Walk-In Clinics and Laboratory and Radiology services remained closed for the weekend. On Monday, May 8, 2023, operations remained limited: some scheduled appointments went ahead as planned, but laboratory and radiology services and MMC Now Family Walk-In locations remained closed.

“Preserving sensitive patient and employee information is of the utmost importance to MMC, but like so many other organizations around the country and despite its best efforts, MMC has found itself as the target of criminals attempting to steal personal or company data. I want to thank our patients and employees for their understanding and patience while we work to make sure our computer infrastructure is secure and free of any harmful software,” said Joey Peay, CEO of MMC. “We have worked diligently to communicate closures with all patients in a timely manner using all methods of communication at our disposal… we apologize for the vagueness of our recent communications, but we did not want to do anything that would impede law enforcement’s investigative efforts.”

While the exact nature of the cyberattack has not been disclosed, this is understood to be a ransomware attack involving data theft. The extent to which patient data has been affected is being investigated and MMC will make further announcements and issue notifications as necessary when the investigation concludes.

The post Ransomware Attack Results in 2 Week Shutdown of Operations at TN Medical Clinic appeared first on HIPAA Journal.

Patient No Longer Seeking Injunction to Force Healthcare Provider to Pay Ransom

There has been an update to a lawsuit filed against Lehigh Valley Health Network over a ransomware attack that involved the theft of sensitive patient data and the publication of naked images of patients on the Internet.

Lehigh Valley Health Network detected the ransomware attack on February 6, 2023, and was issued with a ransom demand. The BlackCat group threatened to release the stolen data online if the ransom was not paid. While it is common for ransomware gangs to steal sensitive data and publish files if the victim fails to cooperate, the BlackCat ransomware group took the extortion a step further and published naked images of patients to pressure Lehigh Valley Health Network into paying the ransom. The images in question were clinically appropriate for radiation oncology treatment and showed patients naked from the waist up. The ransomware group was seeking payment of approximately $5 million. Lehigh Valley Health Network chose not to pay the ransom.

A lawsuit was filed in the Court of Common Pleas of Lackawanna County in Pennsylvania, which alleged Lehigh Valley Health Network failed to adequately protect patient data and failed to meet its obligations under the Health Insurance Portability and Accountability Act (HIPAA). The lead plaintiff, Jane Doe, had her naked images posted by the group. She maintains that she was not aware that the photographs had been taken.

The lawsuit sought class action status, a jury trial, and remedies including damages, reimbursement of out-of-pocket costs, and equitable and injunctive relief, including an order from the court compelling Lehigh Valley Health Network to improve its data security systems and provide identity theft protection services for the plaintiff and class.

Court Order Sought to Force Lehigh Valley Health Network to Pay the Ransom

One of those remedies sought by the plaintiff concerned the removal of her partially naked photographs from the Internet. Lehigh Valley Health Network no longer had control of those photographs, so the plaintiff sought a court order compelling Lehigh Valley Health Network to pay the ransom and obtain a pledge from the BlackCat group that the images would be removed from the Internet.

The plaintiff’s legal team said the plaintiff is worried that she may be identified by the images, that they may be viewed by her employer or people at work, and that she would be constantly worried that the images would be discovered for as long as they were available online. The patient’s attorney claimed images stolen by the group had been published online and could be found by searching using the individuals’ names, and that this was a deeply upsetting violation of patient privacy. The move to compel Lehigh Valley Health Network to pay the ransom was the only way that the plaintiff’s legal team could get the images removed from the Internet. The request was unusual, but this was not a typical ransomware and extortion attempt.

The request raised some important legal issues that U.S. District Court Judge Malachy E. Manion moved to address. Judge Manion questioned the plaintiff’s legal team on the legality of the request and whether the court had the authority to force a defendant to commit a potentially illegal act. U.S. law does not generally prohibit the payment of a ransom for the return of people or goods; however, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) can impose sanctions on organizations that pay ransoms to cyber actors under its sanctions program.

In response to the request, Judge Manion ordered the plaintiff’s attorneys to file a brief in support of their preliminary injunction, “specifically providing authority that the court may force a party to comply with an illegal act or pay an illegal ransom.” On April 18, 2023, the plaintiff dropped the request for the injunction to force Lehigh Valley Health Network to pay the ransom.

Healthcare Data Potentially Compromised in 5 Hacking Incidents

NYSARC Columbia County Chapter Notifies Individuals About July 2022 Ransomware Attack

NYSARC Columbia County Chapter (COARC) has started notifying certain individuals that some of their protected health information has potentially been obtained by unauthorized individuals in a July 2022 ransomware attack. According to the notifications, suspicious activity was detected within its network on July 19, 2022, that was consistent with a ransomware attack. Steps were immediately taken to contain the incident and an investigation was launched, which confirmed that the attacker had access to certain COARC systems for a limited period in July.

The attack appears to have been conducted with the sole purpose of encrypting data for extortion purposes. It is not known if data exfiltration occurred but it could not be ruled out. COARC did not say if the ransom was paid. COARC said the types of information involved included names and one or more of the following: address, social security number, financial account, credit card information, medical information, student information, driver’s license, and passport number. No evidence of misuse of that information has been detected in the 9 months from the discovery of the breach to issuing notifications on April 28, 2023. COARC said additional security protocols have been implemented to better protect its network, email environment, and other systems from future attacks.

Network Security Incident at Petaluma Health Center

Petaluma Health Center (PHC) in California has recently confirmed that an unauthorized third party gained access to its network and potentially obtained patient information. PHC said a network security incident was detected on March 14, 2023, but did not disclose any further information on the nature of the incident, such as whether this was a ransomware attack or for how long its network was compromised.

PHC said information maintained for payroll and human resources purposes was potentially accessed, although no evidence of misuse of that information has been detected. The information exposed in the attack included one or more of the following: full name, address, Social Security number, driver’s license number, passport number, date of birth, and/or health insurance plan information.

PHC said it is reviewing and enhancing technical safeguards to prevent similar incidents in the future and affected individuals have been offered complimentary single-bureau credit monitoring services. The breach has been reported to the California Attorney General but is not yet showing on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

Health Plan Services Malware Infection Affects 9,457 Individuals

Health Plan Services Inc, a Tampa, FL-based provider of technology-based services to health plans, has found malware on its network which may have allowed unauthorized individuals to access and acquire files containing the protected health information of 9,457 individuals.

According to the notification letter sent to the California Attorney General, the malware infection was detected on June 23, 2022. It took 8 months to complete the forensic investigation, which was concluded on February 28, 2023, and the document review was completed on March 21, 2023. Notifications were issued on or around April 28, 2023.

The breach involved names, personal information, and Social Security numbers. Individual notifications state the exact types of information that were exposed/acquired. Identity theft protection services have been offered to affected individuals and security practices have been reviewed and enhanced and additional training has been provided to the workforce.

Mars Area School District Reports 8-Month System Compromise

Mars Area School District in Pennsylvania says unauthorized individuals gained access to its network between January 27, 2022, and September 26, 2022, and potentially obtained the personal information and protected health information of up to 1,270 individuals. The breach notifications do not state when the intrusion was detected but explained that the delay in issuing notifications – almost 6 months – was due to the lengthy forensic investigation and manual document review. It was confirmed on March 30, 2023, that sensitive data had been exposed and notifications were mailed to affected individuals on April 24, 2023.

The school district said names were potentially accessed along with one or more of the following data types: Social Security number, driver’s license number, state identification number, health insurance information, medical information, username/password, and financial account information. Complimentary credit monitoring services have been offered to individuals whose Social Security numbers were exposed.

“Mars continually evaluates and modifies practices and internal controls to enhance the security and privacy of personal information, including updating passwords and enhancing email access protocols”, explained the school district in its notification letters.

Network Security Breach Reported by Graceworks Lutheran Services

Graceworks Lutheran Services, a Centerville, OH-based social services organization, said unauthorized individuals gained access to its computer systems and potentially accessed and obtained the protected health information of 6,737 individuals. Suspicious activity was detected in its computer systems on or around February 18, 2023. A third-party computer forensics firm was engaged to investigate and confirmed the unauthorized access. While no evidence of misuse of the exposed data has been identified, unauthorized access and data theft could not be ruled out. The information exposed varied from individual to individual and may have included names, addresses, social security numbers, dates of birth, medical diagnosis and treatment information, health insurance information, and prescription information.

The data review and verification of contact information was completed on March 31, 2023, and notification letters were mailed in April.

Credential Stuffing Attack Exposed United HealthCare Member Data

United HealthCare (UHC) has started notifying certain members that some of their protected health information may have been disclosed to unauthorized individuals as a result of credential stuffing attacks on the UHC mobile application. Credential stuffing is a type of attack where username and password combinations obtained in a breach at one platform are used to access accounts on an unrelated platform. These attacks can only succeed if usernames and passwords have been reused on multiple platforms.
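The paragraph above describes the mechanics of credential stuffing: one source replays leaked username/password pairs against many accounts, and the attack only works for accounts whose owners reused a password. The defender-side signal that follows from that description is a single source address cycling through many distinct usernames with a high failure ratio, and the accounts that did log in successfully from such a source are the ones whose reused passwords were valid and need a forced reset. The following is an added example written for this page, not UHC's code or anything from HIPAA Journal; it assumes a constructed, space-separated authentication log format (`timestamp source_ip username result`) rather than any real product's log schema.

```python
"""Credential-stuffing detection over authentication log lines.

Added example for this page (not UHC's or HIPAA Journal's code). The log
format below is a constructed stand-in: "<timestamp> <source_ip> <username> <result>".
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: 203.0.113.7 cycles through six different usernames and
# fails on five of them (the stuffing pattern); the other sources look like
# ordinary users, including one who mistyped a password once.
SAMPLE_LOG = """\
2023-02-19T10:00:01 203.0.113.7 alice FAIL
2023-02-19T10:00:02 203.0.113.7 bob FAIL
2023-02-19T10:00:03 203.0.113.7 carol SUCCESS
2023-02-19T10:00:04 203.0.113.7 dave FAIL
2023-02-19T10:00:05 203.0.113.7 erin FAIL
2023-02-19T10:00:06 203.0.113.7 frank FAIL
2023-02-19T10:01:00 198.51.100.20 alice SUCCESS
2023-02-19T10:02:00 198.51.100.21 bob FAIL
2023-02-19T10:02:05 198.51.100.21 bob SUCCESS
"""


@dataclass
class SourceStats:
    """Per-source-IP counters used to score stuffing behaviour."""
    attempts: int = 0
    failures: int = 0
    usernames: set = field(default_factory=set)


def parse_line(line):
    """Split one log line into (timestamp, ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return ts, ip, user, result == "SUCCESS"


def aggregate(log_text):
    """Build SourceStats for every source IP seen in the log."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, ip, user, ok = parse_line(line)
        s = stats[ip]
        s.attempts += 1
        s.usernames.add(user)
        if not ok:
            s.failures += 1
    return stats


def flag_stuffing_sources(log_text, min_distinct_users=5, min_failure_ratio=0.6):
    """Return {ip: details} for sources that tried many distinct usernames
    and mostly failed. Both thresholds are assumptions to tune per site;
    a legitimate user rarely touches more than a couple of accounts."""
    flagged = {}
    for ip, s in aggregate(log_text).items():
        ratio = s.failures / s.attempts
        if len(s.usernames) >= min_distinct_users and ratio >= min_failure_ratio:
            flagged[ip] = {
                "distinct_users": len(s.usernames),
                "failure_ratio": round(ratio, 2),
            }
    return flagged


def compromised_accounts(log_text, flagged_ips):
    """Accounts that authenticated successfully from a flagged source: their
    reused password was valid, so they are the ones to force-reset."""
    hits = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, ip, user, ok = parse_line(line)
        if ok and ip in flagged_ips:
            hits.add(user)
    return sorted(hits)


if __name__ == "__main__":
    flagged = flag_stuffing_sources(SAMPLE_LOG)
    print("stuffing sources:", flagged)
    print("accounts to reset:", compromised_accounts(SAMPLE_LOG, flagged))
```

The failure-ratio threshold matters: a stuffing run against a portal still produces some successes (here `carol`), so a rule that only looks for all-failure sources misses exactly the accounts that were compromised. In production the same logic would run over a sliding time window and per-/24 or per-ASN buckets, since stuffing tools distribute attempts across proxy pools.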

The accounts subjected to unauthorized access included information such as names, birthdates, addresses, health insurance member ID numbers, service dates, provider names, claim details, and group names and numbers. No Social Security numbers, financial information, or driver’s license numbers were exposed.

The attacks occurred between February 19 and February 25, 2023. UHC took its portal offline immediately when the attacks were detected to prevent further unauthorized access and a password reset was performed. The investigation found no evidence to suggest the credentials had been obtained in a cyberattack on UHC systems. Affected individuals have been offered complimentary credit protection services for 2 years.

Ethan Health Reports Email Account Breach

Ethan Health, a Richmond, KY-based medical laboratory, has recently confirmed that the protected health information of 4,047 individuals was contained in employee email accounts that were accessed by unauthorized individuals. Suspicious activity was detected within its email environment on August 31, 2022. The forensic investigation confirmed the accounts were accessed between May 5, 2022, and September 8, 2022. It took 7 months to investigate and complete the review of the contents of the accounts. That process was completed on March 9, 2023.

The information in the accounts varied from individual to individual and may have included names, dates of birth, driver’s license numbers, financial account information, credit or debit card information, medical information, and health insurance information. Affected individuals have been offered complimentary credit monitoring services for 24 months. Additional security measures have been implemented to prevent similar incidents in the future.

McLaren Greater Lansing Hospital Left Records ‘Unprotected’ in Decommissioned Hospital

McLaren Greater Lansing Hospital in Michigan has been accused of leaving boxes of confidential medical records in a decommissioned hospital, where the records could potentially be accessed by unauthorized individuals. The records were discovered by an individual who attended a preview of the campus on April 19, 2023, ahead of an auction. The man who found the records said the files included sensitive information such as names, addresses, phone numbers, and medical information. It is currently unclear how many individuals have had their data exposed.

McLaren Greater Lansing Hospital said the records were destined to be securely destroyed and were accessed before that process could take place. An investigation has been launched to determine how the whistleblower managed to gain access to the records and the hospital has confirmed that it is reverifying that all documents awaiting destruction are locked away to prevent unauthorized access.

One Brooklyn Health Sued over 235K-Record Data Breach

One Brooklyn Health, a New York City-based network of three acute care hospitals – Brookdale Hospital Medical Center, Interfaith Medical Center, and Kingsbrook Jewish Medical Center – is facing a class action lawsuit over a data breach that was discovered in November 2022.

On November 19, 2022, One Brooklyn Health identified suspicious activity within its computer network. The network was immediately secured, and the forensic investigation confirmed that an unauthorized third party had intermittently accessed its network between July 9, 2022, and November 19, 2022. The document review took until March 21, 2023, and notification letters were sent on April 20, 2023. The information exposed and potentially stolen in the attack included names, dates of birth, billing and claims data, treatment details, medical record numbers, prescriptions, health insurance information, and Social Security numbers. More than 235,000 patients were affected.

On April 26, 2023, a lawsuit was filed in the Supreme Court of the State of New York, County of Kings, on behalf of plaintiff Kiya Johnson and similarly situated individuals by the law firms Wittels McInturff Palikovic and Shub & Johns LLC. The lawsuit alleges One Brooklyn Health knew that it stored sensitive patient information and that it was a target for cybercriminals, and that it was obligated under the Health Insurance Portability and Accountability Act to protect that data, yet failed to implement reasonable and appropriate security measures, thus allowing unauthorized individuals to access its network and steal patient data.

The lawsuit alleges the plaintiff and class members have had to spend considerable time and money protecting themselves against misuse of their protected health information and that they have and will continue to suffer harm and have been placed at an imminent, immediate, and continuing risk of identity theft and fraud. The lawsuit states 8 causes of action: negligence (plaintiff and class), negligence per se, breach of fiduciary duty, breach of confidence, intrusion upon seclusion/invasion of privacy, breach of implied contract, unjust enrichment, and violations of New York General Business Law.

The lawsuit seeks class action status, a jury trial, damages, restitution, and injunctive relief, with the latter including improvements to data security practices.

Organizations Face Increased Scrutiny of Health Data Breaches

Healthcare hacking incidents are increasing, there are new regulatory requirements and compliance initiatives stemming from the Dobbs decision and the use of tracking pixels, and lawsuits against healthcare organizations over privacy violations are soaring. HIPAA-regulated entities and other organizations that operate in the healthcare space are now facing increased scrutiny of their data security practices and compliance programs, and the coming 12 months will likely see an increase in enforcement actions and lawsuits over privacy violations.

The recently published BakerHostetler Data Security Incident Response Report (DSIR) draws attention to these issues and provides insights into the threat landscape to help organizations determine how to prioritize their efforts and investments. The report, now in its 9th year, was based on 1,160 security incidents managed by BakerHostetler’s Digital Assets and Data Management Practice Group in 2022.

After a surge in ransomware attacks in 2021, 2022 saw a reduction in attacks; however, there was a surge in ransomware activity toward the end of the year and that surge has continued in 2023. That surge has coincided with increases in ransom demands, paid ransoms, and ransomware recovery times. In 2022, the average ransom demand and payment increased in 6 out of the 8 industries tracked. In healthcare, the average ransom demand was $3,257,688 (median: $1,475,000) in 2022, and the average payment increased by 78% to $1,562,141 (median: $500,000). Across all industry sectors, paid ransoms increased by 15% to $600,688.

Network intrusions also increased and were the most common type of security incident, accounting for almost half of all data incidents covered in the report. BakerHostetler notes that companies have been getting better at detecting and containing these incidents, with dwell time decreasing from an average of 66 days in 2021 to 39 days in 2022. The time taken for containment fell from 4 days to 3 days, and investigation time decreased from 41 days in 2021 to 36 days in 2022.

The increase in hacking and ransomware attacks has prompted companies to invest more heavily in cybersecurity, and while security defenses have been enhanced, cybercriminals have found new ways of circumventing those defenses and attacking systems. Techniques that have proven successful in 2022 include MFA bombing, social engineering, SEO poisoning, and EDR-evading malware.

The cost of cyberattacks increased significantly in 2022, with forensic investigation costs increasing by 20% from last year in addition to increases in the cost of business disruption, data reviews, notification, and indemnity claims. Legal costs from data breaches have also increased significantly as it is now common for multiple lawsuits to be filed in response to data breaches.

Data breaches of 10,001 to 500,000 records see an average of 12-13 lawsuits filed and lawsuits are even being filed for smaller data breaches, with breaches of less than 1,000 records typically seeing 4 lawsuits filed. According to BakerHostetler, lawsuits have doubled since last year and we are now at a stage where legal action is almost a certainty following a data breach. There have been increases in lawsuits for violations of state privacy laws, and with a further 4 states enacting new privacy legislation in 2022 and one more due to introduce a new privacy law in 2023, the compliance landscape is becoming more complicated.

In the summer of 2022, a report was published by The Markup and STAT detailing an analysis of the use of pixels (tracking technologies) on hospital websites. These code snippets are typically added to websites to track visitor activity to improve websites and services, but the code also transmits identifiable visitor information to third parties. The extent to which these tools were being used – without the knowledge of website visitors – attracted attention from the HHS’ Office for Civil Rights (OCR) and the Federal Trade Commission (FTC), with both issuing guidance on the use of these tools. OCR and the FTC have confirmed that Pixel-related violations of HIPAA and the FTC Act are now an enforcement priority, with the FTC having already taken action against entities over the use of these tracking tools. Law firms have been quick to sue healthcare organizations over these privacy breaches. More than 50 lawsuits have been filed against healthcare organizations in response to Pixel-related breaches since June 2022, when the report was published.

A further study of the use of Pixels by healthcare organizations suggests almost 99% of US non-federal acute care hospital websites had pixels on their websites that could transmit sensitive data, yet only a handful of healthcare organizations have disclosed Pixel-related data breaches to OCR so far. There could well be a surge in HIPAA enforcement actions by OCR and huge numbers of lawsuits filed in response to these breaches over the coming months.

There are also likely to be enforcement actions against HIPAA-regulated entities and non-HIPAA-regulated entities in the healthcare space for privacy violations involving reproductive health information, as both the FTC and OCR have stated that reproductive health information privacy will be an enforcement priority. OCR’s HIPAA Right of Access enforcement initiative is still ongoing, and compliance remains a priority for OCR.

BakerHostetler has also issued a warning about HIPAA compliance for non-healthcare entities, stressing that HIPAA applies to employer-sponsored health plans. There was an increase in data breaches at employer health plans in 2022 and these are likely to come under increased regulatory scrutiny, not just by OCR but also by the Department of Labor, which is increasingly conducting follow-on investigations focusing on the overall cybersecurity posture of these plans. State attorneys general have also started taking a much more active interest in the activities of healthcare entities, with investigations by state attorneys general into violations of HIPAA and state laws increasing in 2022.

BakerHostetler also identified a major increase in snooping incidents in 2022. These incidents include healthcare employees snooping on healthcare records and attempting to divert controlled substances. The increase confirms how important it is to create and monitor logs of system activity to detect malicious insider activity quickly. BakerHostetler notes that having systems in place that monitor for system activity anomalies is also key to rapidly detecting hacking and ransomware incidents.
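The paragraph above makes the practical point that insider snooping is only detectable if record-access logs are kept and actually reviewed. The two checks a privacy monitoring team typically runs over an EHR audit trail are (1) access to a patient's record by an employee with no treatment or billing relationship to that patient, and (2) one employee opening an unusual number of distinct patient records in a short window. The following is an added example written for this page, not code from BakerHostetler, HIPAA Journal, or any EHR vendor; the audit-log format (`timestamp employee patient_id action`) and the care-team table are constructed stand-ins for whatever the real system exports.

```python
"""Insider snooping checks over an EHR record-access audit log.

Added example for this page (not BakerHostetler's, HIPAA Journal's, or any
vendor's code). Log format and care-team table are constructed stand-ins.
"""
from collections import defaultdict
from datetime import datetime

# Constructed: patient_id -> employees who have a treatment relationship.
# In a real deployment this comes from scheduling/assignment data, and a
# "break the glass" emergency-access workflow must be excluded before alerting.
CARE_TEAM = {
    "P100": {"nurse_kim", "dr_lee"},
    "P101": {"dr_lee"},
    "P102": {"nurse_kim"},
}

# Constructed audit log. clerk_ann has no relationship to anyone and opens
# three charts in two minutes; nurse_kim opens P101, who is not her patient.
ACCESS_LOG = """\
2022-11-01T09:00:00 nurse_kim P100 VIEW
2022-11-01T09:05:00 dr_lee P101 VIEW
2022-11-01T09:10:00 clerk_ann P100 VIEW
2022-11-01T09:11:00 clerk_ann P101 VIEW
2022-11-01T09:12:00 clerk_ann P102 VIEW
2022-11-01T12:00:00 nurse_kim P101 VIEW
"""


def parse_access_log(log_text):
    """Yield (timestamp, employee, patient_id, action) tuples."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, emp, pid, action = line.split()
        yield datetime.fromisoformat(ts), emp, pid, action


def accesses_without_relationship(log_text, care_team):
    """Unique (employee, patient) pairs where the employee is not on the
    patient's care team. Each pair is a candidate snooping event to triage."""
    suspect = set()
    for _, emp, pid, _ in parse_access_log(log_text):
        if emp not in care_team.get(pid, set()):
            suspect.add((emp, pid))
    return sorted(suspect)


def burst_accessors(log_text, window_minutes=10, min_patients=3):
    """Employees who opened >= min_patients distinct records inside any
    window_minutes-long sliding window. Returns {employee: peak count}.
    Thresholds are assumptions; tune them against each role's normal volume."""
    by_emp = defaultdict(list)
    for ts, emp, pid, _ in parse_access_log(log_text):
        by_emp[emp].append((ts, pid))
    flagged = {}
    limit = window_minutes * 60
    for emp, events in by_emp.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # events are sorted, so everything within the window follows index i
            window = {pid for ts, pid in events[i:]
                      if (ts - start).total_seconds() <= limit}
            if len(window) >= min_patients:
                flagged[emp] = max(flagged.get(emp, 0), len(window))
    return flagged


if __name__ == "__main__":
    print("no relationship:", accesses_without_relationship(ACCESS_LOG, CARE_TEAM))
    print("burst accessors:", burst_accessors(ACCESS_LOG))
```

The relationship check is the higher-fidelity signal but needs clean assignment data and an allow-list for legitimate cross-coverage roles (coding, quality review, emergency access), otherwise it drowns reviewers in false positives; the burst check needs no assignment data at all and catches bulk record harvesting, which is also the pattern a compromised account or early-stage ransomware reconnaissance produces, which is the "system activity anomalies" point the paragraph closes on.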

“Securing an enterprise is a significant challenge — there are a lot of risks and just spending more money does not automatically equate to more effective security,” said Craig Hoffman, co-leader of BakerHostetler’s national Digital Risk Advisory and Cybersecurity team. “We see a lot of incidents, including what allowed them to occur and what was done to address the issue. Because enterprises do not have unlimited budgets and staff to implement and maintain new solutions, being able to share objective data about security incidents — from causes to fixes to consequences — helps clients decide where to prioritize their efforts.”

Mailing Error at CMS Vendor Affects 10,000 Medicare Beneficiaries

The Centers for Medicare & Medicaid Services (CMS) has started notifying certain Medicare beneficiaries about an impermissible disclosure of some of their protected health information due to a mailing error at one of its contractors. The incident occurred at Palmetto GBA, which the CMS uses to handle claims. Between January 8 and January 29, 2023, Palmetto GBA mailed Medicare Summary Notices (MSNs) to Medicare recipients; however, a computer programming issue with its print mail services resulted in MSNs for the final quarter of 2022 being mailed to other Medicare beneficiaries within the same zip code.

Palmetto GBA discovered the programming error on February 7, 2023, and reported the incident to the CMS the same day. The CMS then worked with Palmetto GBA to identify the individuals affected and determined the error had resulted in 10,011 MSNs intended for Medicare beneficiaries in Alabama, Georgia, and Tennessee being sent to incorrect individuals. The MSNs contained the Medicare beneficiary’s name, address, claim number, dates of service, the last four digits of their Medicare Beneficiary number, and service/procedure descriptions with billing codes. The CMS believes that the risk of identity theft and Medicare fraud is minimal. Palmetto GBA has fixed the programming error and has increased reviews of printed mail for quality assurance purposes to protect against similar incidents in the future.

Adelanto HealthCare Ventures Phishing Attack Affects Patients of UHS of Delaware

UHS of Delaware, Inc. has recently notified 40,290 individuals about a data breach at a consulting company. In November 2021, Adelanto HealthCare Ventures (AHCV) suffered a phishing attack that allowed unauthorized individuals to access employee email accounts. The phishing incident was investigated, and it was determined that no protected health information had been exposed or stolen; however, on August 19, 2022, it was confirmed that some PHI had been exposed.

AHCV has improved its security measures in response to the incident to better protect against similar incidents in the future, including providing its workforce with further training. The incident affected several of its healthcare clients. You can find further information on the incident in this post.

PHI Exposed in Northeast Behavioral Health Care Consortium Phishing Attack

Northeast Behavioral Health Care Consortium (NBHCC) in Moosic, PA, has notified 13,240 patients that some of their protected health information has been exposed and potentially stolen. On February 20, 2023, NBHCC discovered an employee email account had been accessed by an unauthorized individual as a result of a response to a phishing email.

A review of the affected email account confirmed it contained protected health information such as names, member numbers, Medicaid numbers, diagnoses, detailed incident descriptions, and levels of care. NBHCC said it hasn’t identified any misuse of patient data and believes the primary goal of the attackers was to obtain other companies’ information; however, misuse of patient data could not be ruled out. A third-party cybersecurity firm was engaged to assist with the investigation and has taken action to mitigate risk and prevent similar incidents in the future.

Breach Notifications Increasingly Lack Actionable Information on Breach Cause

The Identity Theft Resource Center (ITRC) has published its report on data compromises in Q1, 2023, which shows a 13% reduction in data breaches and a 64% decrease in victims from the previous quarter. In Q1 there were 445 publicly reported data compromises and 89,140,686 confirmed victims. While a fall in data breaches and victim count is good news, both figures typically fall in the first quarter of the year. The 13% reduction is far smaller than the fall in the corresponding period last year, when there was a 28.6% quarterly reduction in data breaches. The Q1, 2023 figures show a 10% increase in data compromises compared to Q1, 2022, and a 25.7% increase from Q1, 2021.

94% of victims of data compromises in Q1, 2023, came from data breaches in just 4 sectors – Manufacturing & Utilities, Technology, Healthcare, and Transportation. Healthcare was the worst affected sector for the third consecutive quarter with 81 compromises, followed by financial services with 70 compromises, others with 59 compromises, and manufacturing & utilities with 54 compromises. Two healthcare data breaches made the top 5 list for the quarter – The data compromise at Independent Living Systems (4,226,508 victims) and the breach at Regal Medical Group (3,300,638 victims).

84.9% of the data compromises were due to cyberattacks (378 incidents) and 19.1% were due to system and human errors (58 incidents). 48 of the data compromises were due to supply chain attacks, which affected 78 entities, and there were 54 confirmed ransomware attacks. There were 106 phishing attacks in Q1, which made phishing the most common attack vector.

There is a growing trend of withholding important information from data breach notifications to the point where some breach notifications have no actionable information about the root cause of the breach, which makes it hard for individuals to determine the level of risk that they face. The lack of information also makes it difficult to obtain meaningful statistics on the causes of data breaches.

“It is troubling to see the trend of a lack of actionable information in data breaches continue from 2022,” said Eva Velasquez, ITRC President and CEO. “Among the top ten breaches we saw in Q1, 60 percent did not include information about the root cause of the event, compared to 40 percent in Q4 2022. This means individuals and businesses remain at a higher risk of cyberattacks and data compromises.”

The post Breach Notifications Increasing Lack Actionable Information on Breach Cause appeared first on HIPAA Journal.

277,000 Santa Clara Family Health Plan Members Affected by GoAnywhere Hack

Data breaches have recently been announced by Santa Clara Family Health Plan, United Steelworkers Local 286, Robeson Health Care Corporation, Two Rivers Public Health Department, and NewBridge Services.

Santa Clara Family Health Plan Confirmed as Victim of Clop GoAnywhere Hack

Santa Clara Family Health Plan has confirmed the 276,993-record data breach reported to the HHS’ Office for Civil Rights on March 30, 2023, was due to the hacking of Fortra’s GoAnywhere MFT solution by the Clop ransomware group. The group exploited a previously unknown (zero-day) vulnerability, exfiltrated data, but did not encrypt files. 130 organizations fell victim to the attacks over a 10-day period in late January/early February this year.

The incident affected NationsBenefits, which provides supplemental benefits administration services to several health plans, including Santa Clara Family Health Plan. NationsBenefits learned of the attack on February 7, 2023, and was informed by Fortra that the attack occurred on or around January 30, 2023. On February 13, 2023, NationsBenefits confirmed that the data compromised in the attack included protected health information such as name, address, phone number, gender, date of birth, health insurance number, medical ID number, Social Security number, date(s) of service, medical device or product purchased, and provider/caregiver name. NationsBenefits said it has stopped using the GoAnywhere solution and is implementing a range of additional measures to strengthen security.

United Steelworkers Local 286 Security Breach Affects Almost 38,000 Health Plan Members

United Steelworkers Local 286 has discovered that an unauthorized individual gained access to an employee email account that included the protected health information of 37,965 members of its health plan. The email account breach was detected on February 13, 2023, and the forensic investigation confirmed the email account was accessed between June 16, 2022, and July 18, 2022.

A manual document review confirmed the account contained full names, Social Security numbers, dates of birth, financial account numbers, driver’s license and/or state identification numbers, passport numbers, medical treatment information, medical record numbers, biometric information, and health insurance information.

No evidence of misuse of plan member data has been uncovered; however, as a precaution against identity theft and fraud, individuals whose Social Security numbers were exposed have been offered complimentary credit monitoring services. United Steelworkers Local 286 said security measures were in place and are continually evaluated and modified to ensure the privacy and security of employee data.

Two Rivers Public Health Department Reports Microsoft 365 Account Breach

Two Rivers Public Health Department (TRPHD) in Nebraska has recently confirmed that the protected health information of 15,168 patients was stored in an employee Office 365 account that was accessed by an unauthorized third party.

TRPHD said suspicious activity was detected within its server infrastructure on November 9, 2022. The initial investigation conducted by a third-party IT firm concluded that patient data had not been compromised; however, out of an abundance of caution, an external forensic investigation firm was engaged to fully investigate the security breach. That investigation confirmed that an Office 365 account was accessed by an unauthorized individual between September 14, 2022, and November 8, 2022. The review of the account confirmed it contained protected health information, although the press release issued did not state what types of information had been exposed.

TRPHD said the document review was completed on March 15, 2023, and notifications were mailed to affected individuals on April 14, 2023. Additional security measures have been implemented to better secure its systems against unauthorized access.

Robeson Health Care Corporation Discovers Malware Infection

Robeson Health Care Corporation in Pembroke, NC, has reported a data breach to the Maine Attorney General that has affected up to 15,045 individuals. According to the notification, malware was detected within its network on February 21, 2023. The subsequent forensic investigation confirmed that an unauthorized third party had access to its systems between February 17, 2023, and February 21, 2023.

While evidence of data theft was not found, it could not be ruled out. The document review confirmed the following types of information were exposed: name, address, Social Security number, date of birth, treatment information/diagnosis, treating physician, medical record number, patient ID number, Medicare/Medicaid number, prescription information, health insurance information, and treatment costs. Notifications were mailed on April 21, 2023, and complimentary credit monitoring and identity theft protection services have been offered. Security has been enhanced to prevent similar incidents in the future, including implementing multi-factor authentication for all users.

NewBridge Services Hacking Incident Affects 1,457 Individuals

The Pequannock, NJ-based counseling service provider, NewBridge Services, said an unauthorized individual gained access to its systems and potentially accessed and obtained the protected health information of 1,457 individuals. The security breach was detected on January 26, 2023, when certain systems were disrupted. The forensic investigation confirmed on January 28, 2023, that protected health information had been exposed, although no evidence was found of actual or attempted misuse of that information.

The exposed information included names, Social Security numbers, dates of birth, treatment information, provider information, prescription information, payment information, and health insurance information. Written notifications were mailed to affected individuals on April 17, 2023, and security has been augmented to prevent similar incidents in the future.

The post 277,000 Santa Clara Family Health Plan Members Affected by GoAnywhere Hack appeared first on HIPAA Journal.