HIPAA Breach News

HIPAA Business Associate Fined $75,000 for Maintaining ePHI on an Unsecured Server

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has agreed to settle potential HIPAA violations with the HIPAA business associate, iHealth Solutions, LLC, for $75,000.

iHealth Solutions, doing business as Advantum Health, failed to secure one of its servers, which was accessed by an unauthorized individual who exfiltrated files that contained the electronic protected health information (ePHI) of 267 individuals. The HIPAA enforcement action shows that even relatively small data breaches can be investigated by OCR and result in a financial penalty. The last three penalties imposed by OCR to resolve HIPAA violations were all related to data breaches that affected fewer than 500 individuals.

Like many HIPAA-regulated entities that have been investigated by OCR after reporting data breaches, iHealth Solutions was discovered to have failed to comply with one of the most fundamental provisions of the HIPAA Rules – the risk analysis. All HIPAA-regulated entities must conduct an accurate, thorough, organization-wide risk analysis to identify all risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI – 45 C.F.R. §164.502(a).

OCR was notified about the data breach on August 22, 2017, and was informed that the ePHI of 267 individuals had been exfiltrated from the unsecured server. The fine was imposed for the impermissible disclosure of ePHI and the risk analysis failure.

In addition to the financial penalty, iHealth Solutions has agreed to implement a corrective action plan which includes the requirement to conduct an accurate and thorough assessment of the potential security risks and vulnerabilities to the confidentiality, integrity, and availability of iHealth’s ePHI, develop a risk management plan to address and mitigate all security risks identified in the risk analysis, develop a process to evaluate any environmental or operational changes that affect the security of iHealth ePHI, and develop, maintain, and revise, as necessary, written policies and procedures to ensure compliance with the HIPAA Privacy and Security Rules. OCR will monitor iHealth Solutions for two years to ensure compliance with the HIPAA Rules.

“HIPAA business associates must protect the privacy and security of the health information they are entrusted with by HIPAA-covered entities,” said OCR Director Melanie Fontes Rainer. “Effective cybersecurity includes ensuring that electronic protected health information is secure, and not accessible to just anyone with an internet connection.”

This is the 7th OCR enforcement action of 2023 to result in a financial penalty, and the third enforcement action to be announced by OCR this month. So far this year, OCR has fined HIPAA-regulated entities a total of $1,976,500 to resolve violations of the HIPAA Rules. See HIPAA Violation Fines.

The post HIPAA Business Associate Fined $75,000 for Maintaining ePHI on an Unsecured Server appeared first on HIPAA Journal.

Great Valley Cardiology Sued over 181,000-Record Data Breach

A lawsuit has been filed against the Commonwealth Health cardiology group, Great Valley Cardiology (GVC), over a recently disclosed security incident in which hackers gained access to GVC’s computer network and the protected health information (PHI) of 181,764 individuals.

The data breach was discovered on April 13, 2023; however, the forensic investigation confirmed that hackers first gained access to its network two months earlier, on February 2, 2023. The review of the files potentially accessed or stolen confirmed they contained PHI such as names, medical information, Social Security numbers, credit/debit card information, and banking information. Individuals started to be notified about the data breach on June 12, 2023, as time was required to identify all affected individuals and verify contact information so that notification letters could be mailed. Affected individuals were offered 24 months of complimentary credit monitoring and identity theft protection services.

A lawsuit was filed in Lackawanna County Court by attorney Andrew W. Ferich of the law firm Ahdoot & Wolfson, PC, against Commonwealth Health Physician Network, doing business as Great Valley Cardiology and Scranton Cardiovascular Physician Services LLC on behalf of plaintiff Michele Jarrow and similarly situated individuals who had their PHI compromised in the incident.

The defendants have not detected any misuse of patient information as a result of the breach; however, the lawsuit claims that patient information has been exposed and there is no way to ensure that the exposed information will not be misused. Consequently, the plaintiff and class members will need to spend time and money protecting themselves against fraud and identity theft for many years, and potentially for life. The plaintiff claims that she was informed by her security software that her personal information has been posted on the dark web, making it available to cybercriminals such as identity thieves.

In addition to failing to prevent the data breach, the lawsuit takes issue with the time taken to notify affected individuals that their data had been exposed. Notification letters were issued two months after the breach was detected and four months after the breach occurred, which the lawsuit alleges compounded the potential injury. The lawsuit alleges negligence, breach of fiduciary duty, breach of contract, and unjust enrichment, and seeks class action status, a jury trial, damages, and attorneys’ fees.

Lawsuits are often filed in response to healthcare data breaches, but Article III standing is often only granted if the plaintiffs can prove they have suffered a concrete injury. Lawsuits that only allege a future risk of injury or harm as a result of a security breach often fail to be granted standing, even if stolen data has been published on the dark web.


Good Samaritan Hospital Settles Class Action Data Breach Lawsuit

Good Samaritan Hospital in San Jose, CA, has agreed to settle a class action lawsuit that was filed in response to a data breach that exposed the protected health information of up to 233,835 individuals. According to the hospital, unauthorized individuals gained access to an employee email account between October 28 and November 8, 2019, which contained sensitive patient data such as names, birth dates, Social Security numbers, driver’s license numbers, passport numbers, tax identification numbers, financial account numbers, treatment/diagnosis information, health insurance information, billing information, doctors’ names, medical record numbers, medical histories, prescription information, Medicare/Medicaid IDs and patient account numbers.

A lawsuit – Young, et al. v. Good Samaritan Hospital – was filed in the California Superior Court for Los Angeles County against the hospital on behalf of individuals impacted by the data breach. The lawsuit claims the hospital acted unlawfully by failing to prevent the data breach and alleged negligence, violations of the California Confidentiality of Medical Information Act (CMIA), and unlawful/unfair business practices, in violation of the California Business and Professions Code.

Good Samaritan Hospital denied all of the allegations, maintains there was no wrongdoing, and claims it was fully compliant with all federal and state laws; however, the decision was taken to settle the lawsuit to avoid further legal costs and the uncertainty of trial. The proposed settlement has been agreed upon by all parties but has yet to receive final approval from a judge. The final approval hearing has been scheduled for Sept. 5, 2023.

The total settlement fund has not been disclosed; however, all class members are entitled to claim up to $1,500 as reimbursement for ordinary expenses, which are documented expenses that were incurred as a result of the data breach. Ordinary expenses include credit monitoring costs, phone calls, interest on loans, communication charges, card re-issuance fees, and unreimbursed bank fees. Individuals who have suffered identity theft, medical fraud, tax fraud, other forms of fraud, or other actual misuse of their personal information can submit claims for documented, unreimbursed extraordinary losses that are reasonably traceable to the data breach, up to a maximum of $5,000.

The deadline for exclusion from and objection to the settlement is July 18, 2023, and all claims must be submitted by July 18, 2023. The class members were represented by Joshua B Swigart of Swigart Law Group AFC and Gayle M Blatt of Casey Gerry Schenk Francavilla Blatt & Penfield LLP.


15-Year Employee Privacy Breach Discovered by Metro Health System

Metro Health System in Cleveland, OH, has discovered that an employee accessed patient records without a valid work reason. The unauthorized access was discovered on April 27, 2023, and the subsequent investigation confirmed that patient records had been accessed without authorization at various times over the past 15 years. The earliest incident occurred in 2008.

The information viewed included patient names, dates of birth, and clinical information. No Social Security numbers or financial information were accessed. A spokesperson for Metro Health said the employee has been disciplined per its sanctions policy and no evidence has been found to indicate redisclosure of patient data or any misuse of that information. Affected individuals are being notified by mail, steps are being taken to improve the health system’s privacy practices, and further training has been provided to the workforce.

CoxHealth Affected by Hacking of Fortra GoAnywhere File Transfer Solution

Springfield, MO-based CoxHealth has recently confirmed that patient data was compromised in a January 2023 cyberattack on its billing vendor, Intellihartx. The Clop ransomware group exploited a vulnerability in Fortra’s GoAnywhere Managed File Transfer (MFT) solution, stole sensitive data, and demanded a ransom to prevent the release of that information.

CoxHealth says up to 203,000 patients had their protected health information stolen in the attack, including names, addresses, birth dates, Social Security numbers, diagnoses, and billing and insurance information. The 203K figure is the maximum number of patients that could have been affected. It was not possible to determine with any degree of certainty exactly how many individuals had been affected. Intellihartx has offered complimentary credit monitoring and identity theft protection services to affected individuals.

SoutheastHealth Issues Statement About Potential Vendor Breach

SoutheastHealth in Cape Girardeau, MO, has issued a statement about a potential data breach at a vendor, ITX (Intellihartx). SoutheastHealth said it learned about a potential breach when one of its patients said they had received a letter from Intellihartx saying their protected health information had been exposed and potentially stolen.

SoutheastHealth said names, addresses, dates of birth, billing information, insurance information, diagnoses, medications, and Social Security numbers were potentially stolen in the attack on the file transfer solution and confirmed that its own systems were not affected. SoutheastHealth said it does not currently have a business relationship with Intellihartx and no formal notification was received from Intellihartx confirming SoutheastHealth was one of the companies affected.


Atlantic General Hospital Increases Ransomware Victim Count to Almost 140,000 Individuals

In March 2023, Atlantic General Hospital notified the Maine Attorney General that it had fallen victim to a ransomware attack in which the protected health information of 30,704 individuals was exposed; however, the ransomware attack was far more extensive than was previously thought and the total has been upwardly revised to 136,981 individuals.

The attack was detected on January 29, 2023, and the forensic investigation confirmed hackers had access to its network between January 20 and January 29, 2023. The initial review of files that were potentially compromised in the breach was completed on March 6, 2023, and confirmed that names, medical record numbers, treating/referring physician names, health insurance information, subscriber numbers, medical history information, and diagnosis/treatment information may have been accessed or acquired. Notification letters were sent on March 24, 2023, and complimentary credit and identity monitoring services were offered to affected individuals.

The investigation into the attack continued, and additional files were discovered to have been compromised. The review of those files was completed on May 15, 2023, and after obtaining up-to-date contact information, additional notification letters were sent to affected individuals on June 22, 2023. The compromised information included names in combination with one or more of the following: Social Security number, date of birth, financial account information, medical/treatment information, and health insurance information. Those individuals have also been offered complimentary credit and identity monitoring services. Atlantic General Hospital says it is working on implementing additional safeguards to improve data security and has provided further training to its workforce.

Palomar Health Patients Impacted by PharMerica Ransomware Attack

Palomar Health in San Diego, CA, has recently confirmed that patient data was exposed in a ransomware attack on its business associate, PharMerica, a nationwide provider of pharmacy services. The ransomware attack was detected on or around March 14, 2023, and the forensic investigation confirmed that at least 5,815,591 individuals had been affected. The attack was conducted by the Money Message ransomware group, which added the stolen data to its leak site in late March. The attack has been covered in more detail here.

Palomar Health has confirmed that the following data was potentially compromised in the attack: name, address, date of birth, Social Security number, medications, and health insurance information. Individuals affected received care at Palomar Continuing Care Center in Escondido or The Villas at Poway (Villa Pomerado) between 2001 and 2020. PharMerica is offering complimentary credit and identity theft monitoring services to the affected individuals and is issuing notification letters to patients directly. It is currently unclear how many Palomar Health patients have been affected.

Desert Physicians Management Cyberattack Affects Patients of its Healthcare Provider Clients

Desert Physicians Management in Apple Valley, CA, a provider of administrative support services to physicians’ groups, including Choice Physicians Network/Choice Medical Group, Choice Healthcare Associates, and Horizon Valley Medical Group, has recently announced that unauthorized individuals gained access to its computer systems and copied certain files from its network.

The security breach was detected on April 23, 2023, and the forensic investigation confirmed on or around May 18, 2023, that some of the files acquired by the attackers included protected health information provided by its healthcare provider clients. The compromised information was limited to names, addresses, dates of birth, health insurance information, and clinical information, including diagnosis, treatment information, and/or medication information. Desert Physicians Management said additional security measures have been implemented to help prevent similar incidents from occurring in the future.


Intellihartx Facing Class Action Lawsuit Over 490K-Record Data Breach

A lawsuit has been filed against Intellihartx, LLC, (aka ITx Companies), over a cyberattack by the Clop ransomware group that exploited a vulnerability in Fortra’s GoAnywhere Managed File Transfer (MFT) solution. The protected health information of 490,000 patients of its healthcare clients was compromised in the attack in late January. Intellihartx was one of 130 GoAnywhere users to be affected.

Intellihartx, a revenue cycle management company, said protected health information was compromised in the January 30, 2023 cyberattack, including names, contact information, insurance information, diagnoses, medications, dates of birth, and Social Security numbers. Affected individuals were notified about the data breach on June 9, 2023, more than 4 months after the discovery of the attack.

The lawsuit, Laren Perrone v. Intellihartx, LLC, was filed in the U.S. District Court for the Northern District of Ohio, Western Division, and alleges the defendant failed to properly secure and safeguard the protected health information of the plaintiff and class members, did not adequately supervise its business associates, vendors, and suppliers, and did not detect the data breach in a timely manner.

The lawsuit claims the defendant was aware of the vulnerability on January 29, 2023, so could have prevented the data breach, and also prevented or limited the severity of the breach if it had limited the patient information it shared with its business associates and employed reasonable supervisory measures to ensure that adequate data security practices, procedures, and protocols were being implemented and maintained by its business associates.

The lawsuit claims the plaintiff and class members face an imminent, immediate, and continuing increased risk of suffering ascertainable losses from the data breach, including identity theft and other fraudulent misuses of their data, and have and will continue to incur out-of-pocket expenses mitigating the effects of the data breach. The lawsuit does not allege that protected health information has already been misused or that identity theft or other fraud has been experienced.

The lawsuit claims the defendant failed to comply with the standards of the Health Insurance Portability and Accountability Act (HIPAA) and FTC guidelines, citing security failures such as a lack of adequate data security systems, practices, and protocols to protect against reasonably anticipated threats or hazards and a failure to mitigate the risks of a data breach.

While monetary relief is being sought to cure some of the plaintiff’s and class members’ injuries, injunctive relief is also sought to ensure the alleged information security issues are corrected to prevent further data breaches in the future. In addition to monetary relief, the lawsuit seeks an order from the court requiring the defendant to fully and accurately disclose the nature of the information that was compromised and to adopt sufficient security practices and safeguards to prevent similar incidents in the future.

The plaintiff and class members are represented by Christopher Wiest, Atty at Law PLLC, and Mason Barney and Tyler Bean of SIRI & GLIMSTAD LLP.


Kannact & Vincera Institute Fall Victim to Cyberattacks

Kannact Inc., an Albany, OR-based home care service, says it detected unauthorized access to its computer network on March 13, 2023. A third-party cybersecurity firm was engaged to investigate the incident and confirmed that the parts of the network that were accessed contained patients’ protected health information, although, at this stage of the investigation, it is unclear if patient data was viewed or copied from its systems. Kannact has received no reports at the time of providing notice to indicate any misuse of patient data.

The review of the files that could potentially have been accessed revealed they contained a range of information, which varied from individual to individual. Information potentially compromised included names in combination with one or more of the following data elements: date of birth, address, phone number, Social Security Number, driver’s license number, and health information such as medical diagnosis, treatment information, and pharmaceutical records.

Kannact said that it disabled its third-party managed file transfer software, deactivated all related API keys, and is improving its patient data ingestion process. Individuals whose Social Security and driver’s license numbers were impacted have been offered complimentary credit monitoring and identity theft protection services.

The incident was reported to the HHS’ Office for Civil Rights on June 20, 2023, as affecting up to 103,547 individuals.

Vincera Institute Falls Victim to Ransomware Attack

Vincera Institute in Philadelphia, PA, has confirmed that it fell victim to a ransomware attack on April 29, 2023. Immediate action was taken to secure its systems to prevent further unauthorized access to its network and patient information, and cybersecurity professionals were engaged to investigate the incident. In a June 20, 2023, press release, Vincera Institute said the investigation into the data breach is ongoing, but it has been determined that the threat actors behind the attack had access to parts of its network that contained patient information; however, unauthorized access to and misuse of patient data has not been detected.

The files potentially accessed in the attack included full names, addresses, phone numbers, email addresses, Social Security numbers, date of birth, medical histories and treatment records, insurance information, and other information provided by patients. Security safeguards have been enhanced in response to the incident, and monitoring processes have been improved.

The incident was reported to the HHS’ Office for Civil Rights on June 20, 2023, in four breach reports, covering Vincera Imaging LLC (5,000 individuals), Vincera Rehab LLC (5,000 individuals), Vincera Surgery Center (5,000 individuals), and Core Performance Physicians, dba Vincera Core Physicians (10,000 individuals).


Atlanta Women’s Health Group Data Breach Impacts 33,800 Patients

Atlanta Women’s Health Group, P.C., has recently confirmed that the protected health information of up to 33,839 current and former patients has been exposed and potentially stolen in an April 2023 cyberattack. A security breach was detected on April 12, 2023, and third-party cybersecurity experts were engaged to determine the nature and scope of the incident. The investigation confirmed there had been access to patient information, but the breach report did not state whether that information was copied from its systems. Atlanta Women’s Health Group said that at the time of issuing notification letters, no evidence had been found to indicate any misuse of patient data.

For the majority of patients, the information exposed in the attack was limited to names, birth dates, patient ID numbers, and other information that may have been included in medical records. Third-party cybersecurity experts have been engaged to implement additional cybersecurity measures to prevent further data breaches. Affected patients are being encouraged to monitor their credit reports, health account statements, and explanation of benefit forms for suspicious activity.

Blue Cross Vermont Says 16,000 Individuals Affected by January Cyberattack

Approximately 16,000 members of Blue Cross Vermont health plans have had their protected health information compromised in a January 2023 cyberattack. Hackers exploited a zero-day vulnerability in Fortra’s GoAnywhere MFT file transfer solution and accessed and stole sensitive data such as names, birth dates, addresses, medical information, and insurance information. Around 5% of the affected individuals also had their financial information stolen.

Approximately 13,700 of the affected individuals were members of Vermont Blue Advantage Health Insurance Plans, around 2,250 individuals were members of Vermont Blue Advantage Plans, and the remainder of the affected individuals were members of other insurance plans. Notification letters were sent to affected individuals by NationsBenefits, the business associate that used the GoAnywhere MFT solution that was compromised. NationsBenefits has offered affected individuals 24 months of complimentary credit monitoring services.

New Horizons Medical Breach Impacts 12,317 Patients

New Horizons Medical, Inc., a Massachusetts-based provider of mental health, psychiatry, and substance use treatment services, has recently reported a data breach to the Maine Attorney General that has affected up to 12,317 patients. Unauthorized network access was detected on April 19, 2023, and a third-party forensic investigation was launched to determine the nature of the incident and the extent to which patient data was involved. The investigation revealed unauthorized individuals had access to its network between February 12, 2023, and April 23, 2023, and during that time may have viewed or copied patient information.

The analysis of the affected files confirmed they contained names along with one or more of the following types of information: address, date of birth, Social Security number, driver’s license number, financial account information, medical records number, health insurance plan member ID, claims data, diagnosis, and prescription information. Notification letters were sent to affected individuals on June 16, 2023. Complimentary credit monitoring and identity protection services have been offered to eligible individuals. New Horizons Medical has also confirmed that additional safeguards and technical security measures have been put in place to further protect and monitor its information systems.

Data Security Incident Reported by CareNet Medical Group

CareNet Medical Group in New York has started notifying 3,359 patients that some of their protected health information has been stolen in a security incident. The breach notice does not state when the security incident was detected but the investigation revealed on April 26, 2023, that its network was accessed by an unauthorized individual between May 9, 2022, and June 4, 2022, during which time files were copied from its network.

The compromised information included full names, addresses, driver’s license numbers, bank account numbers/routing numbers, dates of birth, medical reference numbers, Medicare numbers, cell phone numbers, home phone numbers, health insurance information, email addresses, and Social Security numbers. Notification letters were sent to affected individuals on June 2, 2023, and complimentary credit monitoring services have been offered to individuals whose Social Security numbers were exposed. No explanation was provided as to why it took almost 11 months to determine that patient data had been compromised.


Onix Group Sued for Failing to Prevent a Ransomware Attack and 320K-Record Data Breach

Onix Group, a Pennsylvania-based real estate development firm and provider of business management and consulting services, is being sued for failing to prevent a ransomware attack in which the hackers stole the protected health information of 320,000 individuals.

The ransomware attack was detected by Onix Group on March 27. The forensic investigation confirmed that hackers had access to its internal network between March 20 and March 27, 2023, during which time they exfiltrated files that contained employee, affiliate, and client information. The breached information included names, dates of birth, clinical information, and the Social Security numbers of patients of its healthcare clients, and the health plan enrollment and direct deposit information of employees. Healthcare clients affected by the breach included Addiction Recovery Systems, Cadia Healthcare, and Physicians Mobile X-Ray.

The lawsuit, Eric Meyers v. Onix Group LLC, was filed in the U.S. District Court for the Eastern District of Pennsylvania and alleges negligence, negligence per se, breach of implied contract, breach of fiduciary duty, and unjust enrichment. The lawsuit claims Onix Group had a legal obligation to implement reasonable and appropriate safeguards to ensure the confidentiality of the data it stored, but instead stored that information in a vulnerable and dangerous condition, then unnecessarily delayed notifications to affected individuals for two months. While Onix Group offered affected individuals 12 months of complimentary credit monitoring services, the lawsuit claims the offer is wholly inadequate, as the plaintiff and class members face a lifelong risk of identity theft and fraud as a result of the theft of their sensitive data.

The lawsuit seeks class action status, a jury trial, damages, and injunctive relief, including an order from the court prohibiting Onix Group from engaging in wrongful and unlawful acts and requiring it to implement adequate cybersecurity measures. Those measures include the development, implementation, and maintenance of a comprehensive information security program, data encryption, third-party security audits and penetration tests, further information security training for all employees including tests of their security knowledge, updates to its data retention policies, and for the company to stop storing personally identifiable information and protected health information in cloud databases.

The plaintiff and class members are represented by Milberg Coleman Bryson Phillips Grossman, PLLC; Chestnut Cambronne, PA; and Sanford Law Firm, PLLC.
