HIPAA Breach News

Cyberattacks Reported by UT Health Science Center; SysInformation Healthcare Services; Jackson Medical Center

Cyberattacks have been reported by the University of Tennessee Health Science Center, SysInformation Healthcare Services (EqualizeRCM/1st Credentialing), and Jackson Medical Center. Moveable Feast has discovered the improper disposal of documents containing PHI.

University of Tennessee Health Science Center – Ransomware Attack

The University of Tennessee Health Science Center (UT-HSC) said a cyberattack on one of its vendors has resulted in the exposure and possible theft of the protected health information of 19,353 patients who received obstetrics and gynecology (OB/GYN) services at Regional One Health (ROH).

UT-HSC contracted with a company called KMJ Health Solutions which provided patient handoff software that is used to support OB/GYN patients and ensure they receive the appropriate care when they are transferred to another healthcare provider. UT-HSC was notified by KMJ on or around November 29, 2023, about a security incident discovered while investigating a server outage. KMJ erased and reformatted the server and hired a cybersecurity firm to investigate the incident but was unable to make a definitive determination about whether there had been unauthorized access. On January 18, 2024, KMJ’s hosting provider, Liquid Web, found evidence of a ransomware attack but could not determine whether the attackers downloaded a copy of the data stored in the eDocList.

The potentially affected individuals had received OB/GYN services at ROH between November 2014 and November 2023. The information potentially compromised included first and last name, medical record number, age, date of admission, allergies, service, resident assigned, parity, diagnoses, prenatal provider, laboratory results, medications, fetal or delivery details, contraception, type of infant feeding, and information regarding follow up care.

KMJ has implemented new technical safeguards including vulnerability scans, penetration testing, and configuration reviews. Due to the nature of the exposed data, UT-HSC does not believe there is any significant risk of identity theft or harm to credit; however, the affected individuals have been advised to be on the lookout for letters, emails, phone calls, or other communications from unknown individuals wanting to discuss any of the services received from ROH.

SysInformation Healthcare Services (EqualizeRCM/1st Credentialing) – Cyberattack

SysInformation Healthcare Services (SysInformation), an Austin, TX-based provider of revenue cycle support to medical billing companies and hospitals that does business as EqualizeRCM and 1st Credentialing, has experienced a cyberattack that caused a network outage. SysInformation said suspicious activity was detected within its network in June 2023. IT systems were secured, and third-party forensics experts were engaged to investigate the incident. The investigation revealed unauthorized access to its network between June 3, 2023, and June 18, 2023, and certain files had been exfiltrated.

SysInformation said an extensive review was conducted to determine the types of information involved and the individuals affected, and notification letters were mailed to the affected individuals on April 17, 2024. The types of data involved varied from individual to individual and may have included one or more of the following: name, government identification number, date of birth, driver’s license number, employer identification number, electronic signature, financial account information, health insurance information, medical history/treatment information, login information, mother’s maiden name, government-issued identification number, passport information, Social Security number, and/or tax identification number.

Complimentary credit monitoring services have been offered to the affected individuals, security policies and procedures have been reviewed, and additional safeguards have been implemented to prevent similar incidents in the future. The breach has been reported to regulators; however, it is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Jackson Medical Center – Cyberattack

Jackson Medical Center in Alabama has notified 509 patients about the exposure of some of their protected health information in a cyberattack that disrupted some of its IT systems. The attack was detected on February 22, 2024. Third-party forensics experts were engaged to investigate the incident and confirmed that an unauthorized third party had access to its network between February 17, 2024, and February 22, 2024, during which time files were accessed or removed from its network.

A review of the affected files confirmed on March 8, 2024, that they contained patients’ protected health information including names and one or more of the following: contact information, dates of birth, driver’s license or state identification numbers, diagnoses, treatment information, and/or health insurance information. Notification letters have been mailed to the affected individuals and complimentary identity monitoring services have been offered to patients whose Social Security numbers, driver’s license numbers, or state identification numbers were potentially involved. Jackson Medical Center said additional safeguards and technical security measures have been implemented to further protect and monitor its systems.

Moveable Feast – Improper Disposal of Documents

Moveable Feast, a Baltimore, MD-based non-profit that provides care to individuals living with HIV/AIDS and other life-threatening illnesses, has discovered that documents containing sensitive data were disposed of incorrectly. Moveable Feast’s policies require sensitive documents to be placed in shredding bins, but some were inadvertently disposed of in regular recycling bins. The HIPAA violation was discovered when a recycling bin awaiting curb pickup was blown over, scattering its contents.

Staff collected most of the documents, but some pages could not be retrieved. The missing pages contained the information of 568 individuals such as their client number, name, gender, race, and age, and for a subset of Moveable Feast clients, the last 4 digits of their Social Security numbers. Notification letters have been sent to all affected individuals and 12 months of credit monitoring services have been made available at no cost. Staff members have also been retrained on handling sensitive information.

The post Cyberattacks Reported by UT Health Science Center; SysInformation Healthcare Services; Jackson Medical Center appeared first on HIPAA Journal.

Michigan’s Largest FQHC Suffers Ransomware Attack Affecting 184,000 Patients

Cherry Street Services, Inc., which operates as Cherry Health Services, fell victim to a ransomware attack in December 2023. Cherry Health is the largest federally qualified health center in Michigan, with 20 healthcare facilities in six counties in the state, and provides healthcare services to underserved communities, regardless of insurance status or their ability to pay for healthcare.

The Grand Rapids, MI-based healthcare provider said it experienced network disruption on December 21, 2023, that prevented access to some of its computer systems. Third-party cybersecurity specialists were engaged to investigate the incident and determined that unauthorized individuals had accessed certain files on its network. The review of the affected files was completed on March 25, 2024, and confirmed that protected health information was exposed in the attack, including names, addresses, phone numbers, dates of birth, health insurance information, health insurance ID numbers, patient ID numbers, provider names, service dates, diagnosis/treatment information, prescription information, financial account information, and/or Social Security numbers. The types of information exposed varied from individual to individual.

While healthcare data was potentially stolen in the attack, Cherry Health said it is unaware of any instances of actual or attempted misuse of patient data; however, as a precaution, the affected individuals have been offered 12 months of complimentary credit monitoring services, which includes monitoring of the dark web for the publication or sale of sensitive personal information, a $1 million identity theft insurance policy, and identity theft identity recovery services. Cherry Street said it has already taken steps to improve its technical safeguards to prevent similar incidents in the future. The incident has recently been reported to the Maine Attorney General as affecting 184,372 individuals.

Ernest Health Sued Over 2024 Ransomware Attack and Data Breach

The Texas health system Ernest Health is being sued by patients who had their protected health information compromised in a recent cyberattack. This is likely to be one of many lawsuits filed against Ernest Health over the theft of at least 94,747 patients’ data. Ernest Health operates hospitals in Arizona, California, Colorado, Idaho, Indiana, Montana, New Mexico, Ohio, South Carolina, Texas, Utah, Wisconsin, and Wyoming. On February 1, 2024, suspicious activity was detected in its networks, with the investigation confirming there had been unauthorized access to its network between January 16, 2024, and February 4, 2024. The LockBit ransomware group claimed responsibility for the attack and threatened to publish the stolen data on its leak site. Ernest Health said the compromised information included names, contact information, dates of birth, health plan IDs, health data, Social Security numbers, and driver’s license numbers.

A lawsuit has been filed by Joe Lara and Lauri Cook on behalf of themselves and similarly situated individuals who had their personal and protected health information compromised in the Ernest Health cyberattack. The lawsuit alleges that Ernest Health lost control of the data of current and former patients due to insufficient cybersecurity safeguards and a lack of cybersecurity training for its employees, which meant it had no effective means to prevent, detect, or stop the attack. The plaintiffs argue that it took 73 days from the initial compromise for Ernest Health to issue individual notifications, which denied them the opportunity to mitigate their injuries in a timely manner.

While Ernest Health said it has implemented additional safeguards in response to the breach, the plaintiffs claim the health system has done too little, too late, and that the offer of credit monitoring and identity theft protection services is wholly insufficient. The lawsuit alleges negligence, negligence per se, breach of implied contract, invasion of privacy, unjust enrichment, and breach of fiduciary duty, and seeks a jury trial, declaratory and other equitable relief, injunctive relief, and compensatory, exemplary, punitive, and statutory damages. The plaintiffs and class are represented by Joe Kendall of the Kendall Law Group, and Samuel J. Strauss and Raina Borrelli of the law firm Turke & Strauss.

MedData Settles Class Action Data Breach Lawsuit for $7 Million

Last month, the Spring, TX-based revenue cycle management firm MedData agreed to a $7 million settlement to resolve a class action lawsuit filed following the exposure of the personal and health information of 136,000 individuals on a public-facing website.

MedData processes Medicaid eligibility, third-party liability, workers’ compensation, and patient billing on behalf of healthcare providers and health plans, including Memorial Hermann, Aspirus Health Plan, OSF HealthCare, and the University of Chicago Medical Center. All of those HIPAA-covered entities had member and patient data exposed by MedData.

Between December 2018 and September 2019, a MedData employee inadvertently uploaded the data to personal folders on GitHub Arctic Code Vault, which is a public-facing part of the GitHub website. The data remained there unprotected and exposed for more than a year. MedData was informed about the data exposure by a security researcher on December 10, 2020, and the files were removed from GitHub on December 17, 2020.

MedData has faced 5 class action lawsuits over the data breach, four of which have been dismissed. This amended lawsuit is the last remaining action against MedData over the data breach. Under the terms of the settlement, class members can choose one of two payment tiers. The first option allows class members to claim back documented, unreimbursed out-of-pocket expenses fairly traceable to the data breach up to a maximum of $5,000 per class member. Alternatively, class members can claim up to $500 for “de-minimis” or minimal affirmative action in response to being notified about the data breach. Regardless of the option chosen, class members can also claim 36 months of health data and fraud monitoring services at no cost. Those services include a $1 million identity theft insurance policy.

The settlement also requires MedData to implement and maintain an enhanced cybersecurity program, which must include robust monitoring and auditing for data security issues, annual cybersecurity testing, training on data privacy for employees, data encryption, enhanced access controls, annual penetration testing, a data deletion policy, and a monitored internal whistleblowing mechanism. The board must also consider appropriate cybersecurity spending annually, and regularly update internal security policies and procedures.

Orrick, Herrington & Sutcliffe Agrees $8 Million Settlement to Resolve Class Action Data Breach Lawsuit

The San Francisco, CA-based law firm Orrick, Herrington & Sutcliffe has agreed to an $8 million settlement to resolve a class action lawsuit filed in response to a 2023 cyberattack and data breach.

In March 2023, the law firm, which specializes in helping companies that have experienced security breaches, suffered one of its own. On March 13, 2023, hackers were discovered to have gained access to its network, with the forensic investigation revealing they had access for around two weeks, between February 28 and March 13, 2023, before the intrusion was detected. The personal and protected health information of 637,620 individuals was compromised; however, it took months to determine how many individuals had been affected, with the last batch of notification letters mailed to affected individuals in January 2024. The affected individuals were offered 2 years of complimentary credit monitoring services.

A lawsuit was filed against Orrick, Herrington & Sutcliffe in the U.S. District Court for the Northern District of California shortly after the announcement about the breach. The lawsuit made several allegations, including the failure to secure its systems, the failure to prevent and stop the breach, the failure to detect the breach in a timely manner, and the failure to disclose material facts that adequate system security measures were not in place to prevent data breaches. The lawsuit also alleged Orrick, Herrington & Sutcliffe did not honor repeated promises and representations to protect the information of the breach victims and failed to provide timely notifications. Several other lawsuits were filed over the breach that made similar claims, and they were consolidated into a single action – In re Orrick Herrington & Sutcliffe LLP Data Breach Litig.

The plaintiffs alleged they had been harmed by the data breach, including receiving a flood of spam emails and phone calls, actual and attempted identity theft, and other misuse of their personal information. Orrick, Herrington & Sutcliffe has denied liability and wrongdoing and said it regretted the inconvenience and distraction that the malicious incident caused. The proposed settlement was deemed to be reasonable and fair by class counsel and has received preliminary approval from the court. Under the terms of the settlement, class counsel may claim up to 25% of the settlement amount; after that amount, costs of up to $50,000, and $2,500 service awards for the lead plaintiffs have been deducted, the remainder of the settlement will cover claims from individuals affected by the data breach.

The settlement includes up to 5 hours of compensation for lost time at $25 per hour, reimbursement of up to $2,500 for unreimbursed out-of-pocket expenses, reimbursement of up to $7,500 for extraordinary losses such as identity theft and fraud, and three years of three-bureau credit monitoring services. California residents are entitled to a cash payment of $150. If class members choose not to submit a claim for lost time and reimbursement for out-of-pocket expenses and extraordinary losses, a claim may instead be submitted for a cash payment of $75.

Email Incidents Reported by Randolph Health & Rutgers Robert Wood Johnson Medical School

Randolph Health and Rutgers Robert Wood Johnson Medical School have recently reported email incidents involving the unauthorized access/disclosure of patient information.

Randolph Health

American Healthcare Systems LLC, doing business as Randolph Health in North Carolina, discovered a compromised employee email account on February 14, 2024. The email account was immediately secured to prevent further unauthorized access and third-party cybersecurity experts were engaged to investigate the incident. The investigation confirmed that the breach was limited to a single email account, and the review of the account confirmed that files were present that contained the protected health information of 899 patients.

The exposed data included full names, dates of birth, medical record numbers, health insurance identification numbers, and diagnosis codes. Randolph Health said it was not possible to tell if any of those files were accessed or acquired, so notification letters were sent to all potentially affected individuals. Randolph Health said it is committed to maintaining the privacy of personal information and has taken additional steps to improve security and will continue to evaluate its security practices.

Rutgers Robert Wood Johnson Medical School

Rutgers Robert Wood Johnson Medical School in New Brunswick, NJ, has identified an email incident involving the protected health information of 543 patients. On February 1, 2024, the medical school discovered a former employee had emailed patient data from their work email account to a personal email account. Several files had been emailed that included spreadsheets containing patient data, including patient names, medical record numbers, treatment information, and prescription information. The information was sent to the personal email account on January 19, 2024.

The affected individuals were notified by mail on April 1, 2024, and the matter has been reported to law enforcement for investigation and appropriate action. The affected individuals have been advised to monitor the statements they receive from their healthcare providers and health insurance plan for any services that were not received, and if any are found, to report them to the relevant provider or health plan.

Health Plan Data Exposed in Cattaraugus-Allegany Board of Cooperative Education Services Cyberattack

Cyberattacks have been reported by Cattaraugus-Allegany Board of Cooperative Education Services and the Burlington, NC-based dentist, Mary H. Makhlouf, DMD, MS, PA. Highmark has discovered a database error that resulted in letters being mailed to incorrect addresses.

Cattaraugus-Allegany Board of Cooperative Education Services Cyberattack Affects 15,203 Medical Plan Members

Cattaraugus-Allegany Board of Cooperative Education Services (CABOCES) in southwestern New York has fallen victim to “a sophisticated cyberattack… that caused some of its internal tools, software, and servers to become temporarily unavailable.” CABOCES engaged third-party cybersecurity experts who confirmed that an unauthorized third party had access to its systems between July 5, 2023, and July 20, 2023. During that time, the attacker had access to the data of current and former employees who were members of the AC Schools Medical Health Plan.

The review of the affected files confirmed that they contained names, Social Security numbers, financial account information, driver’s license numbers, passport information, medical information, and/or health insurance information. Notifications started to be mailed to the 15,203 affected individuals on April 4, 2024.

Highmark Discovers Database Error Caused Letters to be Sent to Previous Addresses

Highmark has discovered that an August 2023 database update resulted in care and case management letters being sent to members’ previous addresses. The error was identified and corrected in February 2024; however, between August 2023 and February 2024, letters were inadvertently mailed to individuals’ previous addresses. The error only affected individuals who previously had a change of address – 5,356 individuals.

The letters included the individual’s name and Highmark identification number, and depending on the type of letter sent, may also have included a reference number, employer group name and number, date of birth, a service date range, a service or procedure code and description, medication name and dosage, and the provider or facility name. Notification letters were sent to the affected individuals on April 2, 2024.

Highmark said the error has been fixed and additional controls have been implemented to prevent similar incidents in the future, including database changes to maintain the accuracy of member addresses, flags for the current active address, and validation checks to make sure that members have only one active address loaded to the database.
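The controls Highmark describes (an explicit current-address flag and a validation check that each member has exactly one active address) map onto a database uniqueness constraint plus a periodic audit query. The following is an added illustration, not Highmark's code or schema; the table and column names (member_address, member_id, is_active) are assumptions, and the sample rows are constructed. It shows the constraint rejecting a second active address, an address change that retires the old row and activates the new one in a single transaction, and an audit that surfaces members whose active-address count is not one (the condition that would route a letter to a stale or missing address).

```python
import sqlite3

# Assumed schema (not Highmark's). The partial unique index is the control:
# at most one row per member may carry the active flag, so a second
# "current" address cannot be loaded without first retiring the old one.
SCHEMA = """
CREATE TABLE member_address (
    member_id   TEXT NOT NULL,
    street      TEXT NOT NULL,
    is_active   INTEGER NOT NULL CHECK (is_active IN (0, 1)),
    updated_at  TEXT NOT NULL
);
CREATE UNIQUE INDEX one_active_address
    ON member_address (member_id) WHERE is_active = 1;
"""


def open_db():
    """Create an in-memory database with the assumed schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def change_address(conn, member_id, new_street, when):
    """Retire the current active address and activate the new one atomically.

    Both statements run in one transaction, so a crash between them cannot
    leave the member with zero or two active addresses.
    """
    with conn:
        conn.execute(
            "UPDATE member_address SET is_active = 0 "
            "WHERE member_id = ? AND is_active = 1",
            (member_id,),
        )
        conn.execute(
            "INSERT INTO member_address VALUES (?, ?, 1, ?)",
            (member_id, new_street, when),
        )


def mailing_address(conn, member_id):
    """Return the street flagged active for the member, or None if there is none."""
    row = conn.execute(
        "SELECT street FROM member_address WHERE member_id = ? AND is_active = 1",
        (member_id,),
    ).fetchone()
    return row[0] if row else None


def audit_active_addresses(conn):
    """Validation check: members whose active-address count is not exactly one.

    Returns {member_id: active_count} for every violation. Zero active rows
    means mail cannot be addressed; more than one cannot occur while the
    index is in place, but the audit still covers it for defence in depth.
    """
    rows = conn.execute(
        "SELECT member_id, SUM(is_active) FROM member_address "
        "GROUP BY member_id HAVING SUM(is_active) <> 1"
    ).fetchall()
    return {member_id: count for member_id, count in rows}


def demo():
    """Constructed scenario; returns (M001 mailing address, rejected?, audit result)."""
    conn = open_db()
    # Constructed sample data: two members with one active address each,
    # and one member whose old address was retired but whose new one never loaded.
    conn.executemany(
        "INSERT INTO member_address VALUES (?, ?, ?, ?)",
        [
            ("M001", "1 Old St", 1, "2023-01-01"),
            ("M002", "5 Elm St", 1, "2023-01-01"),
            ("M003", "2 Pine St", 0, "2022-05-01"),
            ("M003", "4 Pine St", 0, "2023-08-15"),
        ],
    )
    conn.commit()

    # Correct path: the move is applied as retire-then-activate.
    change_address(conn, "M001", "9 New Ave", "2023-08-15")

    # Faulty path: a load that forgets to retire the old row is refused by the index.
    try:
        conn.execute(
            "INSERT INTO member_address VALUES ('M002', '7 Oak St', 1, '2023-08-15')"
        )
        conn.commit()
        rejected = False
    except sqlite3.IntegrityError:
        conn.rollback()
        rejected = True

    return mailing_address(conn, "M001"), rejected, audit_active_addresses(conn)


if __name__ == "__main__":
    print(demo())
```

The audit query is the piece worth scheduling: the index stops duplicate active flags going forward, but only a recurring check over the whole table finds members left with no active address by earlier, uncontrolled updates.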

North Carolina Dental Practice Suffers Ransomware Attack

The Burlington, NC-based dentist, Mary H. Makhlouf, DMD, MS, PA, has recently announced that her practice was hit with a sophisticated ransomware attack on January 24, 2024. Upon detection, the network was immediately secured to prevent further unauthorized access, and third-party cybersecurity specialists were engaged to investigate the incident.

The investigation uncovered evidence that portions of patient files were subject to unauthorized access. While it has not yet been possible to determine exactly what information was accessed or copied from the network, the exposed files contained names and one or more of the following types of information: address, phone number, email address, date of birth, Social Security Number, driver’s license/state ID number, financial account information, treatment/diagnosis information, prescription information, provider name, medical record/case number, Medicare/Medicaid ID number, health insurance information, and treatment cost.

Notification letters will shortly be mailed to the affected individuals once up-to-date address information has been obtained. The breach has recently been reported to the HHS’ Office for Civil Rights as affecting up to 1,797 individuals.

Children’s Healthcare of Atlanta Sued for Disclosing Health Information to Facebook

Children’s Healthcare of Atlanta is one of the latest healthcare providers to face a class action lawsuit over the use of website tracking technologies. According to the lawsuit, Children’s Healthcare of Atlanta added Meta pixel tracking code to its CHOA.org website and its MyChart patient portal. The tracking code collected data that Children’s Healthcare of Atlanta used for marketing purposes and transmitted that data to Facebook, where it was used to serve targeted ads.

The lawsuit was filed in the Superior Court of DeKalb County State of Georgia and alleges the tracking code was knowingly configured to collect user data from the website and patient portal, and that the code transmitted data to Facebook, including sensitive health information such as information about patients’ health concerns, appointment details, and treatments. The information was not anonymous, as it was tied to individuals via identifiers such as IP addresses, Facebook IDs, and browser and device information.

The lawsuit alleges that the addition of the tracking code to the website and patient portal, and the subsequent disclosures of protected health information to Facebook, violated the Health Insurance Portability and Accountability Act (HIPAA) and the Children’s Healthcare of Atlanta privacy policy. The plaintiff, who filed the lawsuit individually and on behalf of her two children, alleges that at no point was she told that Children’s Healthcare of Atlanta would be sharing her and her children’s data with third parties for profit, that she did not provide her consent, and that she was not made aware that the data would be provided to Facebook, which the lawsuit described as “a company with a sordid history of violating consumer privacy in pursuit of ever-increasing advertising revenue.”

The lawsuit alleges the plaintiff and class members have been harmed by the disclosures, including but not limited to an invasion of their privacy rights, and bring causes for negligence, negligence per se, invasion of privacy, breach of implied contract, unjust enrichment, breach of fiduciary duty, breach of confidence, and bailment. The lawsuit seeks damages and other relief that the court deems just and proper. The plaintiff and class are represented by attorneys from the law firms Alonso Wirth; Cohen & Malad; Stranch, Jennings & Garvey; and Turke & Strauss.

A lawsuit against Seattle Children’s Hospital (SCH) that made similar allegations with respect to the use of Meta pixel was recently dismissed with prejudice by a Washington court. Seattle Children’s Hospital successfully argued that it only transmitted anonymous data to third parties, stated disclosures of anonymous data to third parties in its privacy policy, and that it had not added tracking code to its patient portal. SCH said any identifiable information that was disclosed was due to the plaintiffs using browsers that allowed them to be identified, for which they gave their consent.

Healthcare Data Breaches Up 53% from Q1, 2023

Data compromises have increased by 90% compared to Q1, 2023, according to the Q1 2024 Data Breach Report from the Identity Theft Resource Center (ITRC). In Q1, 2024, there were 841 publicly reported data compromises, up from 442 compromises in Q1, 2023. While data compromises almost doubled, there was a 72% fall in the number of victims compared to Q1, 2023, and a drop of 81% from the previous quarter, with 24,474,351 individuals known to have been affected by the 841 data breaches.

In Q1, 2023, healthcare was the most attacked industry; however, in Q1, 2024, healthcare dropped to second place (124 notices and more than 6 million records breached), behind financial services (224 notices and more than 18 million records breached). Healthcare data breaches increased by 53% from Q1, 2023 and were up 69.9% from Q1, 2022; however, the number of victims (6,071,259 individuals) in Q1, 2024, was down 57.2% from Q1, 2023 (14,199,413 individuals). Healthcare placed second in the top 10 compromises of Q1, 2024, with a 2.35 million-record data breach at Medical Management Resource Group (American Vision Partners), behind LoanDepot, which had a breach of more than 16 million records; however, healthcare topped the list with 6 of the 10 largest data breaches in the quarter.

The number of organizations impacted by supply chain attacks more than tripled in Q1, 2024 compared to Q1, 2023, with 50 new attacks that affected 243 organizations and involved the data of 7.5 million individuals. In Q1, 2023, 73 entities were affected by supply chain attacks and there were 11.4 million victims. Cyberattacks were the biggest cause of data breaches (642 compromises), followed by phishing/smishing/BEC attacks (108 compromises), and system and human error (85 compromises). It is now increasingly common for data breach notices to provide no information about the cause of the breach. In Q1, 2024, 439 compromises (52.2%) did not state the root cause of the breach, compared to 166 of the 442 data compromises (37.6%) in Q1, 2023. More than two-thirds of cyberattack-related data breaches included no information about the root cause of the breach.

“The dramatic increase in data compromises continues to concern us,” said Eva Velasquez, President and CEO of the Identity Theft Resource Center. “However, the decrease in victims impacted is a bit of good news, though still too high. We believe it is due to identity criminals launching more targeted attacks, which differ from tactics used five to ten years ago. With that said, it is critical that businesses and consumers continue to practice good password hygiene and transition to Passkeys when possible.”