HIPAA Breach News

ILS Data Breach Affects Almost 21K Iowan Medicaid Recipients

The Iowa Department of Health and Human Services (DHHS) has confirmed that the personal information of 20,800 Iowans who receive Medicaid was exposed in a cyberattack at a subcontractor of one of its business associates between June 30, 2022, and July 5, 2022.

Telligen performs annual assessments on Medicaid recipients for the Iowa DHHS. Telligen subcontracted part of the work to Independent Living Systems (ILS), and it was the systems of ILS that were breached. While ILS discovered the breach in July 2022, it took until February 14, 2023, for Telligen to be notified about the breach. Telligen notified the Iowa DHHS three days later on February 17, 2023. The DHHS will be sending notification letters to the affected individuals over the next few days.

Independent Living Systems reported the breach to the HHS’ Office for Civil Rights using a 501 placeholder until the number of affected individuals is determined; however, the breach was reported to the Maine Attorney General as affecting more than 4 million individuals. You can read more about the Independent Living Systems data breach here.

Hacking Incident Reported by Retina & Vitreous of Texas

The Houston ophthalmology clinic, Retina & Vitreous of Texas, has reported a hacking incident that has affected 35,766 current and former patients. Suspicious activity was detected within its network on February 1, 2023, and it was confirmed on February 15, 2023, that unauthorized individuals had access to parts of its network containing patient data, which may have been viewed or acquired by the attacker.

The review of the affected files was completed on March 21, 2023, and confirmed they contained names, addresses, diagnoses and treatment information, insurance carrier information, and insurance subscriber identification numbers. Notifications were mailed to affected individuals on April 10, 2023.

Southwest Healthcare Services Hacking Incident Affects 16,000 Individuals

Bowman, ND-based Southwest Healthcare Services says hackers had access to its network between October 22 and October 29, 2022, and viewed or obtained files that included patient information. The review of the affected files was completed on January 31, 2023, and notification letters were sent to affected individuals on March 31, 2023.

Southwest Healthcare Services said the compromised information included names, addresses, birth dates, medical record numbers, internal identification numbers, driver’s license numbers, state identification numbers, clinical and treatment information, and health insurance information. Social Security numbers, financial information, and/or payment card information were involved for a limited number of individuals.

Individuals whose Social Security numbers were involved have been offered complimentary credit monitoring services. The breach was reported to the HHS’ Office for Civil Rights as affecting 15,996 individuals.

Stanford University Employee Data Compromised in Brightline Medical Associates Breach

Stanford University has confirmed that the personal information of certain employees was stolen in a hacking and data theft incident at Brightline Medical Associates. Brightline is a provider of virtual behavioral and mental health services and provides those services to the children of benefits-eligible employees and postdoctoral students across Stanford’s health plans.

Brightline used Fortra’s GoAnywhere Managed File Transfer (MFT) solution, which was hacked on January 30, 2023, by the Clop ransomware group. Ransomware was not used in the attack, but files were stolen. The Stanford University data was limited to covered individuals with dependents under 18 years and was mostly limited to demographic information such as subscriber and dependent names, contact information, member IDs, dates of birth, and coverage start and end dates. No information related to medical services, conditions, diagnoses, or claims was involved. Affected individuals are being notified and have been offered 2 years of complimentary identity theft and credit monitoring services. It is currently unclear how many individuals have been affected.

The post ILS Data Breach Affects Almost 21K Iowan Medicaid Recipients appeared first on HIPAA Journal.

Unlimited Care and Nonstop Administration and Insurance Services Confirm PHI Exposure

The White Plains, NY-based home healthcare provider, Unlimited Care Inc., was the victim of a cyberattack that caused disruption to its network on February 16, 2023. Unlimited Care engaged a third-party cybersecurity firm to assist with the investigation and determine the nature and scope of the incident. The investigation is ongoing, but around March 21, 2023, it was determined that unauthorized individuals had access to parts of its network that contained sensitive data, and that information may have been viewed or acquired by the attackers.

The information confirmed as exposed includes employee names, addresses, birth dates, and Social Security numbers. The breach was reported to the Maine Attorney General as affecting up to 29,066 individuals. Complimentary identity theft protection services have been offered to those individuals.

Unlimited Care said it initiated a global password reset, has deployed the Carbon Black endpoint detection and response tool, has initiated geo-fencing for non-U.S. emails, prevented all non-U.S. IP address connections, has upgraded its AV software, and will be limiting access to the VPN to essential staff.

Nonstop Administration and Insurance Services Reports Unauthorized Data Access

Nonstop Administration and Insurance Services (NAIS), an administrator of health insurance benefits for employer groups, has recently announced that the protected health information of employees of its clients has been exposed. NAIS was contacted by an unknown party on December 22, 2022, who claimed to have accessed company data. An investigation was launched to verify the authenticity of the claim and it was determined that, for a limited time on December 22, 2022, an unauthorized individual had access to a cloud services platform that contained the data of client employees.

The data accessible varied from individual to individual and may have included name, date of birth, gender, address, email address, phone number, Social Security number, medical treatment/diagnosis information, and health insurance provider, claims, and billing information. Complimentary credit monitoring and identity theft protection services have been offered to affected individuals. The breach was reported to the HHS’ Office for Civil Rights as affecting up to 8,571 individuals.

Lehigh Valley Health Network Provides Further Information on February BlackCat Ransomware Attack

Lehigh Valley Health Network (LVHN) recently explained in a court filing that it was the victim of a BlackCat ransomware attack in February 2023 and the attackers gained access to patient information, including sensitive photographs of up to 2,760 patients.

LVHN confirmed that data was exfiltrated in the attack and a ransom demand of $5 million was issued, payment of which was required to prevent the publication of the stolen data. LVHN refused to pay the ransom and sensitive data was then leaked on the dark web, including patient photographs. The attack targeted the network supporting Delta Medix, which was acquired by LVHN in 2021.

The information was disclosed in a notice transferring a class action lawsuit against LVHN from the Lackawanna County Court to the U.S. District Court. The investigation into the attack is ongoing and LVHN is still trying to identify all affected individuals but has so far confirmed that the photographs of 2,760 patients have been obtained by the attackers. The photographs were clinically appropriate and included naked images of patients from the waist up.


Cyberattacks Affect BrightSpring Health Services, PharMerica, & Sarah D. Culbertson Memorial Hospital

Money Message Ransomware Group Leaks BrightSpring Health Services & PharMerica Data

The Money Message ransomware group has recently listed the Kentucky-based pharmacy network, PharMerica, and its parent company, BrightSpring Health Services, on its data leak site and claims to have stolen more than 2 million records in an attack on March 28, 2023. The stolen data includes patient names, birth dates, and Social Security numbers.

BrightSpring Health Services has confirmed that it is investigating a cybersecurity incident and has engaged third-party cybersecurity experts to assist with the investigation. BrightSpring said the attack did not affect its operations. At this stage of the investigation, it has not been determined how many individuals have been affected or the extent to which patient data was involved. The affected files are currently being reviewed and notification letters will be issued as quickly as possible.

Sarah D. Culbertson Memorial Hospital Confirms Systems Restored After Cyberattack

Sarah D. Culbertson Memorial Hospital in Rushville, IL, has confirmed that it has fully restored its IT systems following a March 2023 cyberattack. The hospital experienced disruption to its network on March 30, 2023. Systems were shut down to contain the attack and third-party cybersecurity experts were engaged to investigate the attack and determine the extent to which patient data was involved.

While access to the majority of its IT systems was prevented during the attack and breach response, the hospital confirmed that its ED services have been operational throughout and patient care was unaffected. Notifications will be issued to affected individuals if patient data is determined to have been compromised in the attack.

Mailing Error Affects More than 15,000 St. Luke’s Health System Patients

St. Luke’s Health System has notified 15,246 patients about an accidental disclosure of some of their protected health information. A technical error with a mailing resulted in letters being sent to incorrect mailing addresses. The letters that were sent to incorrect patients included the guarantor’s name, guarantor number, patient’s name, date of service, encounter-specific account number, outstanding balance, and balance status. St. Luke’s Health System said the accounts were not in collections and are not accountable for the balances.

The error was identified and corrected, and additional safeguards have now been implemented to identify similar errors before letters are mailed. As a precaution against misuse of data, the accounts of affected individuals have been reset to provide additional time to resolve balances, and affected individuals have been offered complimentary identity theft protection services for 12 months.


NuLife Med Settles Class Action Data Breach Lawsuit

The Manchester, New Hampshire-based medical equipment company, NuLife Med, has agreed to settle a class action lawsuit that was filed in response to a March 2022 data breach that affected more than 80,000 individuals.

NuLife Med identified suspicious activity within its computer network on March 11, 2022. The forensic investigation revealed hackers had access to its systems between March 9 and March 11, 2022, during which time data was viewed or exfiltrated. The compromised data included names, addresses, medical information, health insurance information, and in some cases, Social Security numbers, driver’s licenses, and financial account/credit card information.

A lawsuit was filed in the US District Court for the Southern District of Florida – Pires, et al. v. NuLife Med LLC – that alleged NuLife Med was negligent for failing to implement appropriate safeguards to keep patient data private and confidential, which allowed a data breach to occur that was entirely preventable. The lawsuit claimed that the plaintiff, Victor Pires, and similarly situated individuals, suffered an injury as a result of the negligence and incurred out-of-pocket expenses dealing with the data breach.

NuLife Med chose to settle the lawsuit to avoid the expense of ongoing litigation and the uncertainty of trial; however, it admitted no wrongdoing. The total value of the settlement has not been disclosed. Individuals who received a notification letter from NuLife Med about the data breach are entitled to submit a claim if they can provide documented proof of losses and will receive a check for up to $25. Alternatively, class members can elect to receive one year of credit monitoring services instead.

The deadline for submitting a claim is June 20, 2023. The deadline for objection to or exclusion from the settlement is May 16, 2023. The final approval hearing for the settlement has been scheduled for June 5, 2023.


CommonSpirit Health Issues Update Confirming 164 Facilities Affected by Ransomware Attack

CommonSpirit Health has issued an update about its October 2022 ransomware attack and has confirmed that patients from 164 facilities were affected by the attack and had their sensitive data exposed or stolen. CommonSpirit Health detected the ransomware attack on October 2, 2022, and the forensic investigation revealed unauthorized individuals had access to its systems between September 16, 2022, and October 3, 2022.

In December 2022, CommonSpirit Health confirmed that the threat actor responsible for the attack had stolen patient data prior to encrypting files, and said patients of Franciscan Medical Group/Franciscan Health and Virginia Mason Franciscan Health facilities had been affected. Those individuals were notified about the data breach in December. In February 2023, CommonSpirit Health issued a further update confirming the attackers also obtained the data of patients of St. Luke’s Diagnostic Cath Lab, Diagnostic Heart Center in Houston, TX, and sent notifications to those individuals in February.

The latest update on the ransomware attack was issued on April 6, 2023, and confirmed that the breach affected patients who had received care at certain facilities operated by Catholic Health Initiatives, Dignity Health, Centura Health, and MercyOne and shared a list of 164 hospitals and care sites that are known to have been affected. The investigation confirmed that the attackers had access to two file servers that contained files that included patient data such as names, addresses, birth dates, phone numbers, email addresses, dates of service, medical record numbers, healthcare provider names, diagnosis/treatment information, medical billing/claims information, patient facility associated account/encounter numbers, and health insurance information and, for a small number of individuals, Social Security numbers.

CommonSpirit Health said the delay in issuing the latest notifications was due to the incredibly time-consuming review of all files stored on those file servers to determine if they contained patient data, and which patients had been affected. The initial phase of that process was completed on February 21, 2023, and then accurate address information needed to be found to allow notifications to be sent.

CommonSpirit Health reported the data breach to the HHS’ Office for Civil Rights on December 1, 2022, as affecting 623,774 individuals. That total has not been updated since, and CommonSpirit Health has not publicly confirmed at this stage exactly how many individuals have been affected. Given the number of hospitals now known to have been affected, that total is likely to increase by a substantial amount.

The full list of affected facilities detailed in the April 6 update is:

Hospital/Care Site | City | State
St. Vincent Infirmary | Little Rock | Arkansas
St. Vincent North | Sherwood | Arkansas
St. Vincent Hot Springs | Hot Springs | Arkansas
St. Vincent Morrilton | Morrilton | Arkansas
CHI St. Vincent Medical Group | Little Rock | Arkansas
CHI St. Vincent Medical Group | Hot Springs | Arkansas
CHI Memorial Georgia Hospital | Fort Oglethorpe | Georgia
CHI Memorial – Parkway | Ringgold | Georgia
CHI Memorial Medical Group | All Locations | Georgia
CHI Health Mercy Council Bluffs | Council Bluffs | Iowa
CHI Health Missouri Valley | Missouri Valley | Iowa
CHI Health Mercy Corning | Corning | Iowa
Flaget Memorial Hospital | Bardstown | Kentucky
Saint Joseph Hospital | Lexington, Nicholasville | Kentucky
Saint Joseph Health Community Pharmacy | Lexington | Kentucky
Saint Joseph – Berea | Berea | Kentucky
Saint Joseph East | Lexington | Kentucky
Saint Joseph London | London | Kentucky
Saint Joseph Martin | Martin (sold) | Kentucky
Saint Joseph Mount Sterling | Mount Sterling | Kentucky
Saint Joseph Mount Sterling Outpatient Rehab | Mount Sterling | Kentucky
Saint Joseph Mount Sterling Outpatient Rehab | Flemingsburg | Kentucky
Continuing Care Hospital | Lexington | Kentucky
CHI Saint Joseph Medical Groups | Central & Eastern Kentucky | Kentucky
Jewish Hospital – Louisville (Sold), formerly part of CHI | | Kentucky
CHI LakeWood Health | Baudette | Minnesota
CHI St. Francis Health | Breckenridge | Minnesota
CHI St. Joseph’s Health | Park Rapids | Minnesota
CHI St. Gabriel’s Health | Little Falls | Minnesota
CHI St. Francis Home | Breckenridge | Minnesota
CHI Health at Home | All locations | Minnesota
CHI Health Lakeside | Omaha | Nebraska
CHI Health Midlands | Papillion | Nebraska
CHI Health Plainview | Plainview | Nebraska
CHI Health Creighton University Medical Center – Bergan Mercy | Omaha | Nebraska
Lasting Hope Recovery Center | Omaha | Nebraska
CHI Health Immanuel | Omaha | Nebraska
CHI Health Schuyler | Schuyler | Nebraska
CHI Health Good Samaritan | Kearney | Nebraska
CHI Health Richard Young Behavioral Health | Kearney | Nebraska
CHI Health Nebraska Heart | Lincoln | Nebraska
CHI Health St. Elizabeth | Lincoln | Nebraska
CHI Health St. Francis | Grand Island | Nebraska
CHI Health St. Mary’s | Nebraska City | Nebraska
The Physician Network (including Nebraska Specialty Network, and Nebraska Lincoln Physician Network) | All locations | Nebraska
CHI St. Alexius Medical Center | Bismarck | North Dakota
CHI St. Alexius Health Carrington & Clinics (includes Foster County Medical Center) | Carrington | North Dakota
CHI St. Alexius Carrington Urgent Care | Carrington | North Dakota
CHI Lisbon Health | Lisbon | North Dakota
CHI St. Alexius Health Devils Lake & Clinics | Devils Lake | North Dakota
CHI Mercy Health Valley City | Valley City | North Dakota
CHI St. Alexius Health Williston | Williston | North Dakota
CHI Oakes Hospital & Clinics | Oakes | North Dakota
CHI St. Alexius Health Turtle Lake | Turtle Lake | North Dakota
CHI St. Alexius Health Garrison & Clinics | Garrison | North Dakota
CHI St. Alexius Health Dickinson & Clinics | Dickinson | North Dakota
CHI Health at Home | Fargo | North Dakota
CHI Friendship | Fargo | North Dakota
CHI St. Alexius Physician Clinics | All Locations | North Dakota
Trinity Medical Center East and West | Steubenville | Ohio
Trinity Hospital Twin City | Dennison | Ohio
Ross Park Pharmacy | Steubenville | Ohio
Trinity Professional Group | All locations | Ohio
Trinity Home Health | All locations | Ohio
CHI Mercy Health Medical Center | Roseburg | Oregon
CHI St. Anthony Medical Center | Pendleton | Oregon
Oregon Surgery Center | Roseburg | Oregon
Centennial Medical Group | Roseburg | Oregon
CHI St. Joseph Children’s Health | Lancaster | Pennsylvania
CHI Memorial Hospital Chattanooga | Chattanooga | Tennessee
CHI Memorial Hospital Chattanooga Outpatient Pharmacy | Chattanooga | Tennessee
CHI Memorial Hospital Hixson | Hixson | Tennessee
Chattanooga Heart Institute | Chattanooga | Tennessee
CHI Memorial Medical Group | All Locations | Tennessee
CHI Baylor St. Luke’s Medical Center | Houston | Texas
CHI St. Luke’s Health Hospital at The Vintage | Houston | Texas
CHI St. Luke’s Health Brazosport Hospital | Lake Jackson | Texas
CHI St. Luke’s Health Lakeside Hospital | The Woodlands | Texas
CHI St. Luke’s Health Patients Medical Center | Pasadena | Texas
CHI St. Luke’s Health Springwoods Village | Spring | Texas
CHI St. Luke’s Health Sugar Land Hospital | Sugar Land | Texas
CHI St. Luke’s Health The Woodlands | The Woodlands | Texas
CHI St. Joseph Regional Medical Center | Bryan | Texas
CHI St. Joseph Health Burleson Hospital | Burleson | Texas
CHI St. Joseph Health Grimes Hospital | Navasota | Texas
CHI St. Joseph Health Madison Hospital | Madisonville | Texas
CHI St. Joseph Health College Station Hospital | College Station | Texas
St. Joseph Encompass Health Rehab | Bryan | Texas
St. Joseph Skilled Nursing and Rehab | Bryan and Caldwell | Texas
CHI St Luke’s Health Memorial Lufkin | Lufkin | Texas
CHI St Luke’s Health Memorial Livingston | Livingston | Texas
CHI St Luke’s Health Memorial St. Augustine | St. Augustine | Texas
CHI St. Luke’s Medical Group | All locations | Texas
CHI St. Joseph Health Medical Group | All locations | Texas
CHI St. Luke’s Health Memorial Clinics | All locations | Texas
St. Michael Medical Center (formerly Harrison Hospital) | Bremerton & Silverdale | Washington
St. Anne Hospital (Formerly Highline Hospital) | Burien | Washington
St. Anthony Hospital | Gig Harbor | Washington
St. Clare Hospital | Lakewood | Washington
St. Elizabeth Hospital | Enumclaw | Washington
St. Francis Hospital | Federal Way | Washington
St. Joseph Hospital | Tacoma | Washington
The former CHI Franciscan Health System | Tacoma | Washington
Franciscan Health Medical Group | All locations | Washington
Franciscan Hospice and Palliative Care | Tacoma | Washington

The breach also affected patients who received care through CHI Health at Home at the following facilities:

Hospital/Care Site | Location
Albany Area Home Health and Hospice | North Dakota – closed
American Nursing Care | Columbus, IN
American Nursing Care | Dayton, OH
American Nursing Care | Marion, OH
American Nursing Care | Zanesville, OH
American-Mercy Home Care | Cincinnati, OH
Amerimed Home Infusion | Indianapolis, IN
Amerimed Home Infusion | Lexington & Louisville, KY
Amerimed Home Infusion | West Chester, OH
CHI Franciscan Health at Home | University Place, WA
CHI Franciscan Hospice and Palliative Care | Tacoma, WA
CHI Health at Home | Breckenridge & Little Falls, MN
CHI Health at Home | Bismarck, Dickinson, Valley City, & Williston, ND
CHI Health at Home | Plainview, NE
CHI Health at Home Milford | Cincinnati, OH
CHI Health at Home Hospice | Lincoln & Omaha, NE
CHI Health at Home Infusion | Omaha, NE
CHI Health at Home, Home Care | Grand Island, Lincoln, Omaha, NE
CHI Health Pharmacy | Omaha, NE
CHI Memorial Health at Home | Chattanooga, TN
CHI St. Joseph’s Hospice | Park Rapids, MN
CHI St. Vincent Health at Home | Hot Springs, Little Rock & Morrilton, AR
Community Health at Home | Indianapolis, IN
Community Mercy Home Care | Springfield, OH
Community Mercy Home Care Pharmacy | West Chester, OH
Cornerstone Medical Services (closed) | Cincinnati, Columbus, & Akron, OH
Deaconess Home Health | Evansville, IN
Good Samaritan Home Care | Vincennes, IN
Good Samaritan Home Care | Lawrenceville, IL
Great Plains Rehabilitation Services | Bismarck, Dickinson, ND
Hospice House University Place | Tacoma, WA
Josie Harper Hospice House | Omaha, NE
MedQuest Home Medical Equipment | Williston, ND
Mercy Home Health | Roseburg, OR
Reid Home Health Care | Eaton, OH
Reid Home Health Care | Richmond, IN
Southeastern Home Care | Barnesville & Cambridge, OH
St. Elizabeth Home Care | Florence, KY
St. Elizabeth Home Care | Lawrenceburg, IN
St. Elizabeth Home Medical Equipment | Lincoln, NE
St. Vincent Health at Home | Arkansas
Virginia Mason Franciscan Pharmacy & Home Care | Tacoma, WA
VNA Health at Home | Clarksville, IN
VNA Health at Home | Bardstown, Campbellsville, Elizabethtown, Lexington, London, & Louisville, KY
VNA Health at Home Hospice | Bardstown & London, KY

Associated and Former CommonSpirit/CHI Facilities
Centura Health System | Colorado and Kansas
Jewish Hospital | Louisville, KY
Mercy Medical Center Des Moines and Affiliates | Des Moines, Iowa
Mercy Home Health Services – Iowa | Iowa
Mercy Hospice Johnston-Iowa | Iowa
St. Clare’s Hospital | Denville, NJ
St. Joseph Medical Center, Reading | Reading, PA
University of Louisville Medical Center | Louisville, KY


Hacking Incidents Reported by Chippewa County and Frideres Dental

The Chippewa County Human Resources Division in Wisconsin has recently discovered that the laptop computer of an employee has been compromised and 25-35MB of data was stolen from the device, including information protected under HIPAA.

Access to the device was gained through a remote access application, which was downloaded to the device on February 28, 2023. An unknown individual then used the application to access the computer. The employee noticed the access on March 1, 2023, and alerted the IT department, which was able to block further access. According to Chippewa County officials, the unauthorized individual had access to the device for approximately 5 minutes, during which time files were exfiltrated. The investigation confirmed that the breach was limited to one device.

It is unclear how the remote access application was downloaded to the device, but it is suspected that this was a drive-by download after the employee inadvertently clicked a link in a phishing email or on a website, or via a website pop-up. The files were reviewed, and it was confirmed that 7 of the copied files contained protected health information such as names, medical history numbers, prescription information, and the date the prescriptions were signed, and the prescribing doctors’ initials. The breach was reported to the HHS’ Office for Civil Rights as affecting 842 individuals.

Cyberattack Affects Frideres Dental Patients

Frideres Dental in Oregon has recently confirmed that the protected health information of 1,596 patients has potentially been compromised in a cyberattack. It is unclear from the breach notice when the attack occurred and when it was detected, but the review of the affected files was completed on January 25, 2023, and a list of the affected patients was obtained. The files potentially accessed or obtained included names, dates of birth, medical treatment information, health insurance information, and, for a limited number of individuals, Social Security numbers.

No reports have been received to date to indicate misuse of any of the affected information; however, as a precaution, Frideres Dental is offering 12 months of complimentary credit monitoring services to affected individuals.

Henrico Doctors’ Hospital Reports Email Error

Henrico Doctors’ Hospital in Virginia has notified 990 individuals about an email error that exposed email addresses and identified them as having received surgery at the hospital. No other information was exposed.

On February 7, 2023, the hospital discovered that an employee had accidentally sent a group email where the email addresses were put in the To field rather than the BCC field, and could therefore be viewed by all recipients of the email. Steps have been taken by the hospital to prevent similar incidents in the future.


99% of Hospitals Use Website Tracking Code That Transmits Data to Third Parties

New research indicates virtually all U.S. hospitals have been using tracking software on their websites that captures visitor data, including health information, and transfers that information to third parties. The study – published this month in Health Affairs – was conducted by researchers at the University of Pennsylvania. They used the 2019 American Hospital Association (AHA) Annual Survey to identify hospitals and narrowed their study to nonfederal acute care hospitals with an emergency department that were not ambulatory surgery centers or freestanding long-term care facilities. The websites of 3,747 U.S. hospitals were assessed in the study.

The researchers used an open-source tool called WebXray to identify third-party tracking code and recorded data requests on the hospital websites over a 3-day period in 2021. The researchers also recorded cookies and data stored on browsers that would allow visitors to the websites to be tracked across the Internet. They found 98.6% of the hospitals used at least one type of tracking code on their websites that transferred data to third parties and 94.3% used cookies that allowed visitors to the websites to be tracked across the Internet. Over the three-day study period, the home pages of the websites initiated a median of 16 data transfers.

The tracking code, sometimes referred to as pixels, is provided by third parties for use on websites for tracking visitors and the code is incredibly common across the Internet. The code is used to record website interactions, such as the pages visited, how visitors arrived on the website, and the sites they visited when they left. The data collected through the code can be used by website operators to improve their websites and services, but the data collected is also transferred to the third parties that provide the code.

While these technologies can be found on virtually all websites, the Health Insurance Portability and Accountability Act (HIPAA) does not permit the use of these technologies unless certain conditions are met as the tracking code can collect individually identifiable health information, including visits to web pages about specific medical conditions such as HIV, cancer, and Alzheimer’s disease, and information entered into web forms.

The third parties receiving the information are typically not HIPAA-regulated entities, which means uses and disclosures of the transferred data are largely unregulated. The transferred information could be used for a variety of purposes, such as serving targeted advertisements related to medical conditions, health insurance, or medications. What actually happens to the transferred data is unclear.

The HHS’ Office for Civil Rights (OCR) recently issued guidance for HIPAA-regulated entities on the use of tracking technologies on websites and apps and confirmed that the use of these technologies is not permitted by the HIPAA Privacy Rule unless the third parties receiving protected health information are legitimate business associates and a business associate agreement has been signed. Alternatively, authorizations are required before protected health information is transferred.

According to the study, hospitals in health systems, hospitals with a medical school affiliation, and hospitals serving urban patient populations had more third-party data transfers than other hospitals, which it was hypothesized could be due to the websites providing a more extensive range of services, the inclusion of third-party apps on the website – Google Maps for example – or them having a higher level of website advertising.

The third parties that most commonly received data were Alphabet (Google) – 98.5% of websites, Meta (Facebook) – 55.6% of websites, and Adobe Systems – 31.4% of websites. Other third parties that commonly received visitor data include AT&T, The Trade Desk, Oracle, Verizon, Rubicon Project, Amazon, Microsoft, Hotjar, StackPath, Siteimprove, Cloudflare, and Acxiom.

“By including third-party tracking code on their websites, hospitals are facilitating the profiling of their patients by third parties,” wrote the researchers. “These practices can lead to dignitary harms, which occur when third parties gain access to sensitive health information that a person would not wish to share. These practices may also lead to increased health-related advertising that targets patients, as well as to legal liability for hospitals.”

In 2021, three Boston hospitals – Massachusetts General Hospital, Brigham and Women’s Hospital, and Dana Farber Cancer Institute – agreed to pay more than $18 million to settle allegations they had shared website user data with third parties without consent, and many more lawsuits against healthcare providers are pending.

Given the recent guidance from OCR and the extent to which tracking code has been used, all hospitals should review their websites for tracking code and ensure that business associate agreements are in place, patient authorizations are obtained, or that the code is removed from the websites or is made HIPAA-compliant. If tracking code is found and protected health information has been impermissibly disclosed it is a reportable data breach and the HHS must be informed and notifications sent to affected patients.

The post 99% of Hospitals Use Website Tracking Code That Transmits Data to Third Parties appeared first on HIPAA Journal.

99% of Hospitals Use Website Tracking Code That Transmits Data to Third Parties

New research indicates virtually all U.S. hospitals have been using tracking software on their websites that captures visitor data, including health information, and transfers that information to third parties. The study – published this month in Health Affairs – was conducted by researchers at the University of Pennsylvania. They used the 2019 American Hospital Association (AHA) Annual Survey to identify hospitals and narrowed their study to nonfederal acute care hospitals with an emergency department that were not ambulatory surgery centers or freestanding long-term care facilities. The websites of 3,747 U.S. hospitals were assessed in the study.

The researchers used an open-source tool called WebXray to identify third-party tracking code and recorded data requests on the hospital websites over a 3-day period in 2021. The researchers also recorded cookies and data stored on browsers that would allow visitors to the websites to be tracked across the Internet. They found 98.6% of the hospitals used at least one type of tracking code on their websites that transferred data to third parties and 94.3% used cookies that allowed visitors to the websites to be tracked across the Internet. Over the three-day study period, the home pages of the websites initiated a median of 16 data transfers.

The tracking code, sometimes referred to as pixels, is provided by third parties for use on websites for tracking visitors and the code is incredibly common across the Internet. The code is used to record website interactions, such as the pages visited, how visitors arrived on the website, and the sites they visited when they left. The data collected through the code can be used by website operators to improve their websites and services, but the data collected is also transferred to the third parties that provide the code.

While these technologies can be found on virtually all websites, the Health Insurance Portability and Accountability Act (HIPAA) does not permit the use of these technologies unless certain conditions are met, as the tracking code can collect individually identifiable health information, including visits to web pages about specific medical conditions such as HIV, cancer, and Alzheimer’s disease, and information entered into web forms.

The third parties receiving the information are typically not HIPAA-regulated entities, which means uses and disclosures of the transferred data are largely unregulated. The transferred information could be used for a variety of purposes, such as serving targeted advertisements related to medical conditions, health insurance, or medications. What actually happens to the transferred data is unclear.

The HHS’ Office for Civil Rights (OCR) recently issued guidance for HIPAA-regulated entities on the use of tracking technologies on websites and apps and confirmed that the use of these technologies is not permitted by the HIPAA Privacy Rule unless the third parties receiving protected health information are legitimate business associates and a business associate agreement has been signed. Alternatively, authorizations are required before protected health information is transferred.

According to the study, hospitals in health systems, hospitals with a medical school affiliation, and hospitals serving urban patient populations had more third-party data transfers than other hospitals, which it was hypothesized could be due to the websites providing a more extensive range of services, the inclusion of third-party apps on the website – Google Maps for example – or them having a higher level of website advertising.

The third parties that most commonly received data were Alphabet (Google) – 98.5% of websites, Meta (Facebook) – 55.6% of websites, and Adobe Systems – 31.4% of websites. Other third parties that were commonly sent visitor data include AT&T, The Trade Desk, Oracle, Verizon, Rubicon Project, Amazon, Microsoft, Hotjar, StackPath, Siteimprove, Cloudflare, and Acxiom.

“By including third-party tracking code on their websites, hospitals are facilitating the profiling of their patients by third parties,” wrote the researchers. “These practices can lead to dignitary harms, which occur when third parties gain access to sensitive health information that a person would not wish to share. These practices may also lead to increased health-related advertising that targets patients, as well as to legal liability for hospitals.”

In 2021, three Boston hospitals – Massachusetts General Hospital, Brigham and Women’s Hospital, and Dana Farber Cancer Institute – agreed to pay more than $18 million to settle allegations they had shared website user data with third parties without consent, and many more lawsuits against healthcare providers are pending.

Given the recent guidance from OCR and the extent to which tracking code has been used, all hospitals should review their websites for tracking code and ensure that business associate agreements are in place, patient authorizations are obtained, or that the code is removed from the websites or is made HIPAA-compliant. If tracking code is found and protected health information has been impermissibly disclosed, it is a reportable data breach: the HHS must be informed and notifications sent to affected patients.
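The review recommended above can start with a static scan of a saved copy of the hospital's own pages, classifying every automatically loaded resource as first- or third-party and labelling the recipients the study named (Alphabet, Meta, Adobe). The following is an added example written for this article; it is not code from the study, from HIPAA Journal, or from the WebXray project. The sample page, the fictional hospital domain, the placeholder IDs and the small tracker-to-organisation map are all constructed for illustration, and the two-label registrable-domain heuristic is a noted simplification.

```python
"""Audit a saved HTML page for third-party tracking resources (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed mapping from registrable domain to the organisation that receives the data.
# Entries are illustrative; a real audit should maintain a fuller list (e.g. from a
# tracker blocklist) and treat anything unknown as "needs review", not "safe".
KNOWN_TRACKERS = {
    "googletagmanager.com": "Alphabet (Google)",
    "google-analytics.com": "Alphabet (Google)",
    "doubleclick.net": "Alphabet (Google)",
    "facebook.net": "Meta (Facebook)",
    "facebook.com": "Meta (Facebook)",
    "adobedtm.com": "Adobe Systems",
    "omtrdc.net": "Adobe Systems",
}

# Matches absolute URLs inside inline <script> text, where pixel loaders
# typically inject their real script tag at runtime.
URL_RE = re.compile(r"https?://[^\s'\"<>()]+")

# Attributes that make the browser fetch a resource automatically. Plain <a href>
# links are deliberately excluded: they only fire if the visitor clicks them.
AUTO_FETCH_ATTRS = {
    "script": ("src",),
    "img": ("src", "data-src"),
    "iframe": ("src",),
    "link": ("href",),
}


def registrable_domain(host):
    """Crude eTLD+1: the last two labels of the host name.
    Assumption: adequate for .com/.org/.net; multi-label suffixes such as
    .co.uk would need the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class ResourceCollector(HTMLParser):
    """Collects (where, url) pairs for every externally loaded resource."""

    def __init__(self):
        super().__init__()
        self.found = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attr_map = dict(attrs)
        for key in AUTO_FETCH_ATTRS.get(tag, ()):
            value = attr_map.get(key)
            if value and value.startswith(("http://", "https://", "//")):
                self.found.append((tag, value))
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser passes script bodies to handle_data, so inline loaders are seen here.
        if self._in_script:
            for url in URL_RE.findall(data):
                self.found.append(("inline-script", url))


def audit_tracking(html, site_url):
    """Return {third_party_domain: {"org": name or None, "hosts": set, "where": set}}.
    Resources on the same registrable domain as site_url are first-party and skipped."""
    site_domain = registrable_domain(urlparse(site_url).hostname)
    collector = ResourceCollector()
    collector.feed(html)
    report = {}
    for where, url in collector.found:
        if url.startswith("//"):
            url = "https:" + url  # protocol-relative URL
        host = urlparse(url).hostname
        if not host:
            continue
        domain = registrable_domain(host)
        if domain == site_domain:
            continue
        entry = report.setdefault(
            domain, {"org": KNOWN_TRACKERS.get(domain), "hosts": set(), "where": set()}
        )
        entry["hosts"].add(host)
        entry["where"].add(where)
    return report


# Constructed sample page for a fictional hospital; all IDs are placeholders.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://www.example-hospital.org/css/site.css">
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>
  var s = document.createElement('script');
  s.src = 'https://connect.facebook.net/en_US/fbevents.js';
  document.head.appendChild(s);
  fbq('init', '000000000000000'); fbq('track', 'PageView');
</script>
</head><body>
<img src="https://www.example-hospital.org/img/logo.png">
<img height="1" width="1" src="https://www.facebook.com/tr?id=000000000000000"/>
<iframe src="https://www.google.com/maps/embed?pb=EXAMPLE"></iframe>
<script src="//assets.adobedtm.com/launch-EN.min.js"></script>
</body></html>"""

if __name__ == "__main__":
    findings = audit_tracking(SAMPLE_HTML, "https://www.example-hospital.org/")
    for domain, info in sorted(findings.items()):
        label = info["org"] or "unknown third party (review)"
        print(f"{domain:24} {label:32} via {', '.join(sorted(info['where']))}")
```

A static scan only sees what is in the page source: a first-party tag manager can load further trackers at runtime, which is why the study recorded live network requests with WebXray rather than reading HTML. Treat this as a first pass, and confirm the list against a browser network capture of your own site before deciding which recipients need a business associate agreement, an authorization, or removal.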

The post 99% of Hospitals Use Website Tracking Code That Transmits Data to Third Parties appeared first on HIPAA Journal.

Tallahassee Memorial Healthcare: Patient Data Stolen in Cyberattack

Tallahassee Memorial Healthcare (TMH), a non-profit health system serving patients in North Florida and South Georgia, experienced a cyberattack in late January that forced it to operate under emergency downtime procedures for around two weeks. According to the TMH breach notification, unusual system activity was detected on February 3, 2023, and its systems were secured. A third-party cybersecurity firm was engaged to investigate the breach and determined that unauthorized individuals had access to its systems between January 26 and February 2, 2023, and exfiltrated files during that time. Cyberattacks such as this often involve ransomware, although it is unclear if ransomware was used in this attack. TMH did not share further information on the exact nature of the attack.

The review of the stolen files has now been completed and affected individuals started to be notified about the incident on March 31, 2023. The information that was viewed or obtained included names, addresses, dates of birth, Social Security numbers, health insurance information, medical record numbers, patient account numbers, and/or limited treatment information. TMH confirmed that its electronic medical record system was not accessed in the attack.

The data breach has yet to appear on the HHS’ Office for Civil Rights breach portal, so the exact number of affected individuals is not known, but it is understood to be around 20,000 individuals. Complimentary credit monitoring and identity protection services have been offered to individuals whose Social Security numbers were included in the breached data.

Guam Memorial Hospital Investigating Cyberattack

Guam Memorial Hospital (GMH) is investigating a cyberattack that saw unauthorized individuals gain access to its network. The security breach was detected on March 2, 2023, and steps were immediately taken to secure its systems. Efforts are underway to restore its systems and its firewalls have been replaced. GMH legal counsel Jeremiah Luther confirmed that the investigation will be completed within 60 days and notifications will be issued if it is determined that patient data was involved. Luther said no patient or employee information appears to have been compromised.

Luther said a network security flaw was identified, and that flaw appears to have been exploited to gain access to the network; there is evidence suggesting multiple instances of unauthorized access. GMH has reported the breach to the FBI and Homeland Security, and information has been provided on a suspect. No further information about the exact nature of the attack has been released. Once systems have been restored, Luther said, Homeland Security will conduct a security assessment and make recommendations on any areas where security should be improved.

Top of the World Ranch Treatment Center

Top of the World Ranch Treatment Center, a Milan, IL-based provider of addiction treatment programs, has started notifying 1,980 individuals that some of their protected health information was contained in a business email account that was accessed by an unauthorized individual for several hours on November 17, 2022.

A review of the account confirmed it contained sensitive data such as names, Social Security numbers, diagnosis and treatment information, provider names, patient identification numbers, and health insurance information. The investigation was unable to confirm whether that information was viewed or acquired, but as a precaution, affected individuals have been offered complimentary identity theft protection and credit monitoring services for 12 months. Security policies have been reviewed with respect to email security and additional training has been provided to employees.

Merritt Healthcare Advisors – Email Account Breach

The Ridgefield, CT-based healthcare advisory firm, Merritt Healthcare Advisors, has recently reported a data breach to the California Attorney General that exposed the data of some of its healthcare clients. On November 30, 2022, Merritt discovered a single employee email account had been accessed by an unauthorized individual between July 30, 2022, and August 25, 2022. Notification letters were sent to affected individuals on February 28, 2023. Complimentary credit monitoring and identity theft protection services have been offered to affected individuals.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal so it is currently unclear how many individuals have been affected.

The post Tallahassee Memorial Healthcare: Patient Data Stolen in Cyberattack appeared first on HIPAA Journal.