One Brooklyn Health System, which operates three hospitals in Brooklyn, NY, has started notifying patients affected by a November 19, 2022, cyberattack. One Brooklyn Health made a public announcement in late November confirming that it was dealing with a cyberattack, and said it had shut down IT systems to contain the incident and had launched an investigation into the breach. Those systems remained offline for more than a week.

In late January, One Brooklyn Health confirmed that patient data had been compromised, and the attackers had access to information such as names, dates of birth, billing and claims data, treatment details, medical record numbers, prescriptions, health insurance information, and Social Security numbers. The review of the affected files was a time-consuming process, which took until March 21, 2023, to complete. Contact information then needed to be verified to allow breach notification letters to be mailed. One Brooklyn Health said it started mailing notification letters to affected patients on April 20, 2023.

One Brooklyn Health said the investigation revealed hackers had access to parts of its network between July 9, 2022, and November 19, 2022, and accessed data intermittently over that period. The incident is still showing the 500-record placeholder on the HHS’ Office for Civil Rights breach portal but has now been reported to the Maine Attorney General as affecting 235,251 individuals. One Brooklyn Health said it has reviewed and updated its policies and training protocols relating to data protection in response to the attack.

16,000 Patients Affected by Southwest Healthcare Services Cyberattack

Southwest Healthcare Services in North Dakota has recently started notifying 15,996 individuals about a recent cyberattack and data breach. Southwest Healthcare Services did not state when the breach was detected in its notification letters but explained that prompt action was taken when the incident was detected and third-party cybersecurity professionals were engaged to analyze the incident. On January 31, 2023, Southwest Healthcare Services learned that an unauthorized third party accessed and acquired files between October 28 and 29, 2022, and those files contained patient data.

A review of those files confirmed they contained names, addresses, dates of birth, medical record numbers, other internal identification numbers, driver’s license numbers, state ID numbers, clinical and treatment information, and health insurance information. A limited number of patients also had their Social Security numbers, financial account information, and/or payment card information compromised. Notification letters were mailed to affected individuals on March 31, 2023. Individuals who had their Social Security numbers exposed have been offered complimentary credit monitoring and identity theft protection services.

The post One Brooklyn Health Notifies Patients About November 2022 Cyberattack appeared first on HIPAA Journal.

Point32 Health, the second-largest health insurer in the state of Massachusetts, has announced it has experienced a ransomware attack that has resulted in system outages, including systems that are used to service its members, accounts, brokers, and providers.

Point32 Health is the parent company of Tufts Health Plan and Harvard Pilgrim Health Care and serves more than 2 million individuals in New England. Point32 Health said the outages have mainly affected Harvard Pilgrim Health Care customers, in particular, those with commercial or New Hampshire Medicare plans. Tufts Health Plan members are not understood to have been affected.

Point32 Health said it detected the presence of a malicious actor within its network on April 17, 2023, and took immediate action to contain the threat, which involved taking multiple systems offline while the attack was investigated and remediated. Efforts are underway to restore systems as soon as possible, and the staff and third-party cybersecurity experts are working around the close to bring systems back online.

The attack has caused disruption to providers and members, with some reportedly having experienced problems getting prior authorizations for medical procedures. Point32 Health said any members that require urgent assistance should call the member services number on their ID cards.

No ransomware gang appears to have claimed responsibility for the attack at this stage; however, ransomware gangs typically provide victims with a few days to pay the ransom before issuing public announcements. If the ransom is not paid, pressure is increased by publishing the stolen data.

At this stage of the investigation, it is unclear to what extent, if any, plan member data is involved. Point32 Health said that if the investigation confirmed that if personal or protected health information has been exposed or stolen, individual notifications will be mailed to those individuals as soon as possible.

The post Major Massachusetts Health Insurer Suffers Ransomware Attack appeared first on HIPAA Journal.

The medical device manufacturer Medtronic – dba Medtronic MiniMed and MiniMed Distribution Corp (Medtronic Diabetes) – has recently confirmed that the personal information of users of its InPen Diabetes Management App on iOS and Android have had some of their personal information disclosed to Google due to the use of tracking and authentication code within the InPen App.

The app utilized Google Analytics for Firebase, Crashlytics for Firebase, and Firebase Authentication. These tools disclosed certain information about app users to Google, especially when users were logged into their Google accounts at the same time that they used the InPen App. As a result, their identities and information about online activities were shared with Google. The tools were used by Medtronic Diabetes to gather information about the use of the app, identify technical issues, assess app performance, and understand user needs to provide care to customers and improve services.

Medtronic Diabetes said the data collected by these tools is analyzed at a consolidated rather than individual level and does not directly identify individual patient information, but it was determined that certain information was transmitted to Google when users were logged into their Google accounts. Medtronic Diabetes said an internal investigation was launched into the use of these tracking technologies when the potential for unauthorized disclosure of user data was discovered to determine exactly what information was potentially shared with Google.

The decision was taken to notify all users who registered for or used an InPen account since September 2020, as they may have been affected. The data disclosed to Google was dependent on user interactions with the app, and other factors, such as the browser used, whether cookies had been cleared, and if they were logged into Google when using the app.

Medtronic Diabetes said that information disclosed may have included: email address, IP address, phone number, InPen App user name and password, timestamp information related to specific InPen App events, and certain unique identifiers tied to the InPen account or mobile device. The latter includes a unique Medtronic Diabetes user identifier, unique numbers attributed to each instance the InPen App is downloaded to a particular device, and identifiers tied to a mobile device such as a MAID, IDFA, AAID, and/or IDFV.

Medtronic Diabetes said Google Analytics has been removed from the latest version of the InPen app, and plans have been made to transition from Crashlytics and Firebase Authentication to other crash reporting and authentication systems.

La Clínica de La Raza Reports Email Breach

La Clínica de La Raza in Oakland, CA, has reported a breach of the protected health information of 15,316 individuals. Suspicious activity was detected within certain employee email accounts on February 8, 2023, and steps were immediately taken to secure the accounts. Assisted by a third-party computer forensics firm, La Clínica was able to confirm that a limited number of employee email accounts had been accessed by unauthorized individuals at various times between January 24, 2023, and February 8, 2023.

A review of all affected email accounts and La Clínica confirmed on April 4, 2023, that they contained patient information such as names, addresses, dates of birth, financial account or payment card information, online credentials, Social Security numbers, medical treatment information, and/or health insurance information.

Affected individuals are being notified by mail and complimentary identity protection and credit monitoring services have been offered to individuals whose Social Security numbers were exposed.

The John Muir Health Says Walnut Creek Medical Center Patient Data Has Been Exposed

John Muir Health is notifying certain Walnut Creek Medical Center patients that some of their protected health information has been exposed and potentially accessed by unauthorized individuals. The Californian healthcare provider was notified about the exposure on March 22, 2023. A member of staff at the medical center created a website in order to communicate with other staff members more efficiently about the use of medical devices and centralize information such as vendor sites, order forms, and equipment information. The website included a link to an Excel spreadsheet that contained patient information. The information in the spreadsheet was intended to be accessed internally by authorized individuals; however, it could also be accessed by individuals outside of John Muir Health. The spreadsheet contained information such as names, facility, room, diagnosis, condition, and dates.

John Muir Health said the link to the Excel file was disabled on March 23, 2023, and the website was decommissioned on March 24, 2023. The investigation confirmed that the spreadsheet had not been accessed by any unauthorized third party between September 28, 2022, and March 23, 2023, but due to limited audit records, it was not possible to determine if there had been unauthorized access between July 1, 2021, and September 27, 2022

Affected individuals have been notified by mail. The incident has been reported to the California Attorney General but is not yet appearing on the HHS’; Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

The post Medtronic Alerts InPen App Users About Disclosures of Personal Data to Google appeared first on HIPAA Journal.

The medical device manufacturer Medtronic – dba Medtronic MiniMed and MiniMed Distribution Corp (Medtronic Diabetes) – has recently confirmed that the personal information of users of its InPen Diabetes Management App on iOS and Android have had some of their personal information disclosed to Google due to the use of tracking and authentication code within the InPen App.

The app utilized Google Analytics for Firebase, Crashlytics for Firebase, and Firebase Authentication. These tools disclosed certain information about app users to Google, especially when users were logged into their Google accounts at the same time that they used the InPen App. As a result, their identities and information about online activities were shared with Google. The tools were used by Medtronic Diabetes to gather information about the use of the app, identify technical issues, assess app performance, and understand user needs to provide care to customers and improve services.

Medtronic Diabetes said the data collected by these tools is analyzed at a consolidated rather than individual level and does not directly identify individual patient information, but it was determined that certain information was transmitted to Google when users were logged into their Google accounts. Medtronic Diabetes said an internal investigation was launched into the use of these tracking technologies when the potential for unauthorized disclosure of user data was discovered to determine exactly what information was potentially shared with Google.

The decision was taken to notify all users who registered for or used an InPen account since September 2020, as they may have been affected. The data disclosed to Google was dependent on user interactions with the app, and other factors, such as the browser used, whether cookies had been cleared, and if they were logged into Google when using the app.

Medtronic Diabetes said that information disclosed may have included: email address, IP address, phone number, InPen App user name and password, timestamp information related to specific InPen App events, and certain unique identifiers tied to the InPen account or mobile device. The latter includes a unique Medtronic Diabetes user identifier, unique numbers attributed to each instance the InPen App is downloaded to a particular device, and identifiers tied to a mobile device such as a MAID, IDFA, AAID, and/or IDFV.

Medtronic Diabetes said Google Analytics has been removed from the latest version of the InPen app, and plans have been made to transition from Crashlytics and Firebase Authentication to other crash reporting and authentication systems.

La Clínica de La Raza Reports Email Breach

La Clínica de La Raza in Oakland, CA, has reported a breach of the protected health information of 15,316 individuals. Suspicious activity was detected within certain employee email accounts on February 8, 2023, and steps were immediately taken to secure the accounts. Assisted by a third-party computer forensics firm, La Clínica was able to confirm that a limited number of employee email accounts had been accessed by unauthorized individuals at various times between January 24, 2023, and February 8, 2023.

A review of all affected email accounts and La Clínica confirmed on April 4, 2023, that they contained patient information such as names, addresses, dates of birth, financial account or payment card information, online credentials, Social Security numbers, medical treatment information, and/or health insurance information.

Affected individuals are being notified by mail and complimentary identity protection and credit monitoring services have been offered to individuals whose Social Security numbers were exposed.

The John Muir Health Says Walnut Creek Medical Center Patient Data Has Been Exposed

John Muir Health is notifying certain Walnut Creek Medical Center patients that some of their protected health information has been exposed and potentially accessed by unauthorized individuals. The Californian healthcare provider was notified about the exposure on March 22, 2023. A member of staff at the medical center created a website in order to communicate with other staff members more efficiently about the use of medical devices and centralize information such as vendor sites, order forms, and equipment information. The website included a link to an Excel spreadsheet that contained patient information. The information in the spreadsheet was intended to be accessed internally by authorized individuals; however, it could also be accessed by individuals outside of John Muir Health. The spreadsheet contained information such as names, facility, room, diagnosis, condition, and dates.

John Muir Health said the link to the Excel file was disabled on March 23, 2023, and the website was decommissioned on March 24, 2023. The investigation confirmed that the spreadsheet had not been accessed by any unauthorized third party between September 28, 2022, and March 23, 2023, but due to limited audit records, it was not possible to determine if there had been unauthorized access between July 1, 2021, and September 27, 2022

Affected individuals have been notified by mail. The incident has been reported to the California Attorney General but is not yet appearing on the HHS’; Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

The post Medtronic Alerts InPen App Users About Disclosures of Personal Data to Google appeared first on HIPAA Journal.

Further information has been released on the data breach at the Washington DC health insurance exchange, DC Health Link, ahead of a House Oversight Committee’s subcommittee on cybersecurity, information technology, and government innovation hearing today.

The data breach was detected by DC Health Link on March 6, 2023, Mandiant was engaged to investigate the data breach, and by March 8 the source of the breach had been identified, and it was immediately shut down; however, files were stolen and some of the compromised information was listed for sale on an online hacking forum. DC Health Link has offered complimentary credit monitoring and identity theft protection services to affected individuals. Mila Kofman, executive director of DC Health Link, said the internal investigation into the data breach is ongoing; however, she was able to share further information about the security incident and data breach and will be discussing the findings of Mandiant’s investigation at today’s hearing.

Last week, the two chairs of the subcommittee, Reps. Nancy Mace (R-South Carolina) and Barry Loudermilk (R-Georgia), issued a joint statement ahead of the hearing. “The breach of D.C. Health link data put thousands of individuals at risk, including Members of Congress, congressional staff, and family members. The individuals who trusted the D.C. health exchange to keep their personal health data secure are rightly concerned about the potential consequences of this breach on their personal lives. They are relying on us to investigate how it took place, how it could have been avoided, how the fallout can be mitigated, and how to prevent a recurrence.”

In a prepared statement submitted ahead of the hearing, Kofman confirmed that 56,415 current and former customers were affected, including members of Congress, their families, and Congressional aides. Two reports were stolen that included the personal data of 17 members of Congress, 43 of their dependents, 585 staffers, and 231 of their dependents. The compromised information included basic personal information, contact information, dates of birth, and Social Security numbers.

The hacker was able to gain access to data due to a security flaw, which Kofman says was introduced due to human error. A cloud server had been misconfigured, which allowed the reports to be accessed without authentication. The misconfiguration of cloud storage buckets is commonplace, with one report from Palo Alto Networks suggesting around two-thirds of exposed cloud servers contain some sensitive data. Kofman apologized for the breach and said DC Health Link rapidly investigated the incident and shut down access. “We are not shying away from this breach. We have been and remain committed to being open and transparent,” said Kofman in her prepared statement.

The post DC Health Link Data Breach Caused by Human Error appeared first on HIPAA Journal.

Monument Inc., a New York-based online alcohol addiction and treatment service provider, has recently notified almost 109,000 individuals about an impermissible disclosure of some of their personal and protected health information. The disclosure occurred due to the use of tracking code on its websites.

Monument explained in its breach notification letters that an internal review was conducted in late 2022 into the use of website tracking tools after guidance was issued by the HHS’ Office for Civil Rights on pixels and other tracking tools and how they may violate the HIPAA Rules. The internal review was completed on or around February 6, 2023, and it was determined that the tools on its websites potentially transferred identifiable protected health information to third parties who were unauthorized to receive the information, as consent to disclose that information was not obtained and there were no business associate agreements with the companies that provided the tools.

The tracking tools were provided by Google, Facebook (Meta), Pinterest, and Bing, and while present on the websites, the tools may have transferred names, birth dates, telephone numbers, email addresses, Monument IDs, insurance member IDs, unique digital IDs, photographs, uniform resource locators, assessments and survey, selected services and plans, appointment information, and associated health information. The types of information disclosed varied from individual to individual depending on their interactions on the websites.

The tracking tools were added to Monument websites in January 2020, and were present on the websites Tempest since November 2017. Monument acquired Tempest in May 2022. Monument said it fully disconnected its websites from the tools on February 23, 2023, and has terminated third-party advertising relationships with the providers of the tracking tools. In the future, Monument will only use third-party vendors that meet HIPAA requirements and other privacy laws.

The decision was taken to notify all Monument members, even if they did not create an account or did not go on to become patients of Monument or Tempest’s medical groups (Live Life Now Health Group and Purdy Medical Corp). While there is no evidence of misuse of the disclosed information, affected individuals have been offered free membership to a credit monitoring service.

Monument is the latest healthcare organization to issue notifications about tracking tool-related data breaches over the past few months since these tools were discovered to be sending sensitive data to third parties. A recent study by researchers at the University of Pennsylvania suggests 99% of hospitals in the U.S. use tracking tools on their websites, while a study by The Markup indicates these tools are extensively used by online counseling service providers.

These impermissible disclosures have sparked several lawsuits and while there has been no action taken by OCR in response to these breaches, the Federal Trade Commission has taken action against non-HIPAA-covered entities such as GoodRx and Betterhelp.

The post Online Alcohol Counseling Service Provider Reports 109K-record Tracking Tool Data Breach appeared first on HIPAA Journal.