HIPAA Breach News

Health Plan Data Exposed in Cattaraugus-Allegany Board of Cooperative Education Services Cyberattack

Posted by Steve Alder

Cyberattacks have been reported by Cattaraugus-Allegany Board of Cooperative Education Services and the Burlington, NC-based dentist, Mary H. Makhlouf, DMD, MS, PA. Highmark has discovered a database error that resulted in letters being mailed to incorrect addresses.

Cattaraugus-Allegany Board of Cooperative Education Services Cyberattack Affects 15,203 Medical Plan Members

Cattaraugus-Allegany Board of Cooperative Education Services (CABOCES) in southwestern New York has fallen victim to “a sophisticated cyberattack… that caused some of its internal tools, software, and servers to become temporarily unavailable.” CABOCES engaged third-party cybersecurity experts who confirmed that an unauthorized third party had access to its systems between July 5, 2023, and July 20, 2023. During that time, the attacker had access to the data of current and former employees who were members of the AC Schools Medical Health Plan.

The review of the affected files confirmed that they contained names, Social Security numbers, financial account information, driver’s license numbers, passport information, medical information, and/or health insurance information. Notifications started to be mailed to the 15,203 affected individuals on April 4, 2024.

Highmark Discovers Database Error Caused Letters to be Sent to Previous Addresses

Highmark has discovered that an August 2023 database update resulted in care and case management letters to members’ previous addresses. The error was identified and corrected in February 2024, letters; however, between August 2023 and February 2024, letters were inadvertently mailed to individuals’ previous addresses. The error only affected individuals who previously had a change of address – 5,356 individuals.

The letters included the individual’s name and Highmark identification number, and depending on the type of letter sent, may also have included a reference number, employer group name and number, date of birth, a service date range, a service or procedure code and description, medication name and dosage, and the provider or facility name.  Notification letters were sent to the affected individuals on April 2, 2024.

Highmark said the error has been fixed and additional controls have been implemented to prevent similar incidents in the future, including database changes to maintain the accuracy of member addresses, flags for the current active address, and validation checks to make sure that members have only one active address loaded to the database.

North Carolina Dental Practice Suffers Ransomware Attack

The Burlington, NC-based dentist, Mary H. Makhlouf, DMD, MS, PA, has recently announced that her practice was hit with a sophisticated ransomware attack on January 24, 2024. Upon detection, the network was immediately secured to prevent further unauthorized access, and third-party cybersecurity specialists were engaged to investigate the incident.

The investigation uncovered evidence that portions of patient files were subject to unauthorized access. While it has not yet been possible to determine exactly what information was accessed or copied from the network, the exposed files contained names and one or more of the following types of information: address, phone number, email address, date of birth, Social Security Number, driver’s license/state ID number, financial account information, treatment/diagnosis information, prescription information, provider name, medical record/case number, Medicare/Medicaid ID number, health insurance information, and treatment cost.

Notification letters will shortly be mailed to the affected individuals once up-to-date address information has been obtained. The breach has recently been reported to the HHS’ Office for Civil Rights as affecting up to 1,797 individuals.

The post Health Plan Data Exposed in Cattaraugus-Allegany Board of Cooperative Education Services Cyberattack appeared first on HIPAA Journal.

Children’s Healthcare of Atlanta Sued for Disclosing Health Information to Facebook

Posted by Steve Alder

Children’s Healthcare of Atlanta is one of the latest healthcare providers to face a class action lawsuit over the use of website tracking technologies. According to the lawsuit, Children’s Healthcare of Atlanta added Meta pixel tracking code to its CHOA.org website and its MyChart patient portal. The tracking code was used by Children’s Healthcare of Atlanta to collect data to use for marketing purposes and transmitted the collected data to Facebook and was used to serve targeted ads.

The lawsuit was filed in the Superior Court of DeKalb County State of Georgia and alleges the tracking code was knowingly configured to collect user data from the website and patient portal, and that the code transmitted data to Facebook, including sensitive health information such as information about patients’ health concerns, appointment details, and treatments. The information was not anonymous, as it was tied to individuals via identifiers such as IP addresses, Facebook IDs, and browser and device information.

The lawsuit alleges that the addition of the tracking code to the website and patient portal, and the subsequent disclosures of protected health information to Facebook, violated the Health Insurance Portability and Accountability Act (HIPAA) and the Children’s Healthcare of Atlanta privacy policy. The plaintiff, who filed the lawsuit individually and on behalf of her two children, alleges that at no point was she told that Children’s Healthcare of Atlanta would be sharing her and her children’s data with third parties for profit, did not provide her consent, and was not made aware that the data would be provided to Facebook, which the lawsuit described as, “a company with a sordid history of violating consumer privacy in pursuit of ever-increasing advertising revenue.”

The lawsuit alleges the plaintiff and class members have been harmed by the disclosures, including but not limited to an invasion of their privacy rights, and bring causes for negligence, negligence per se, invasion of privacy, breach of implied contract, unjust enrichment, breach of fiduciary duty, breach of confidence, and bailment. The lawsuit seeks damages and other relief that the court deems just and proper. The plaintiff and class are represented by attorneys from the law firms Alonso Wirth; Cohen & Malad; Stranch, Jennings & Garvey; and Turke & Strauss.

A lawsuit against Seattle Children’s Hospital (SCH) that made similar allegations with respect to the use of Meta pixel was recently dismissed with prejudice by a Washington court.  Seattle Children’s Hospital successfully argued that it only transmitted anonymous data to third parties, stated disclosures of anonymous data to third parties in its privacy policy, and that it had not added tracking code to its patient portal. SCH said any identifiable information that was disclosed was due to the plaintiffs using browsers that allowed them to be identified, for which they gave their consent.

The post Children’s Healthcare of Atlanta Sued for Disclosing Health Information to Facebook appeared first on HIPAA Journal.

Healthcare Data Breaches Up 53% from Q1, 2023

Posted by Steve Alder

Data compromises have increased by 90% compared to Q1, 2023, according to the Q1 2024 Data Breach Report from the Identity Theft Resource Center (ITRC). In Q1, 2024, there were 841 publicly reported data compromises, up from 442 compromises in Q1, 2023. While data compromises almost doubled, there was a 72% fall in the number of victims compared to Q1, 2023, and a drop of 81% from the previous quarter, with 24,474,351 individuals known to have been affected by the 841 data breaches.

In Q1, 2023, healthcare was the most attacked industry; however, in Q1, 2024, healthcare dropped to second place (124 notices and more than 6 million records breached), behind financial services (224 notices and more than 18 million records breached). Healthcare data breaches increased by 53% from Q1, 2023 and were up 69.9% from Q1, 2022; however, the number of victims (6,071,259 individuals) in Q1, 2024, were down 57.2% from Q1, 2023 (14,199,413 individuals). Healthcare placed second in the top 10 compromises of Q1, 2024, with a 2.35 million data breach at Medical Management Resource Group (American Vision Partners), behind LoanDepot which had a breach of more than 16 million records; however, healthcare topped the list with 6 of the 10 largest data breaches in the quarter.

The number of organizations impacted by supply chain attacks more than tripled in Q1 2024 compared to Q1, 2024, with 50 new attacks that affected 243 organizations and involved the data of 7.5 million individuals. In Q1, 2023, 73 entities were affected by supply chain attacks and there were 11.4 million victims. Cyberattacks were the biggest cause of data breaches (642 compromises), followed by phishing/smishing/BEC attacks (108 compromises), and system and human error (85 compromises). It is now increasingly common for data breach notices to not provide information about the cause of the breach. In Q1, 2024, 439 compromises did not state the root cause of the breach (52.2%) compared to 166 of the 442 data compromises (37.6%) in Q1, 2023. More than two-thirds of cyberattack-related data breaches included no information about the root cause of the breach.

“The dramatic increase in data compromises continues to concern us,” said Eva Velasquez, President and CEO of the Identity Theft Resource Center. “However, the decrease in victims impacted is a bit of good news, though still too high. We believe it is due to identity criminals launching more targeted attacks, which differ from tactics used five to ten years ago. With that said, it is critical that businesses and consumers continue to practice good password hygiene and transition to Passkeys when possible.”

The post Healthcare Data Breaches Up 53% from Q1, 2023 appeared first on HIPAA Journal.

Atlanta Women’s Health Group Sued Over 2023 Ransomware Attack

Posted by Steve Alder

Atlanta Women’s Health Group is facing a class action lawsuit over an April 2023 cyberattack that saw an unauthorized third party gain access to its servers and the sensitive data of tens of thousands of its patients. Atlanta Women’s Health Group discovered the attack on April 12, 2023, and its forensic investigation confirmed that patients’ protected health information had been exposed. The types of information involved included names, dates of birth, patient ID numbers, and other information that may be contained in medical records. It was not possible to determine the exact types of information that were accessed or acquired, so notifications were sent to all individuals who had potentially been affected.

A lawsuit – M.T., vs. Atlanta Women’s Health Group P.C. – was filed in the U.S. District Court for the Northern District of Georgia Atlanta Division that alleged the OB/GYN healthcare provider had implemented inadequate data security measures and breached its duties imposed by law. As a result of those failures, unauthorized individuals were able to gain access to its network and steal highly sensitive patient data. Had appropriate cybersecurity measures been implemented, the cyberattack and data breach could have been avoided.

The lawsuit also alleged that while the Department of Health and Human Services’ Office for Civil Rights was notified about the breach within 60 days of discovery, it took Atlanta Women’s Health Group 10 months to issue email notifications to the plaintiff and class members about the attack and did not explain the reason for the delay. The letters stated that all patients were notified about the attack out of an abundance of caution; however, if that is the case, there was no reason to wait 10 months to send the notifications. The lawsuit also stated that the notification letters did not explain when the attack occurred, only when it was detected, and that while Atlanta Women’s Health Group claimed to have obtained evidence that the hackers had deleted the stolen data, the practice has no proof that the data has been permanently erased and copies of that data have not been made by the attackers.

The lawsuit claims the plaintiff and class members have been “exposed to a present injury in the form of actual misuse of their PII and PHI and have further been exposed to an ongoing substantial, heightened, and imminent risk of financial fraud and identity theft for years to come,” and that they have “suffered numerous actual and concrete injuries and damages.” The lawsuit alleges breach of fiduciary duty, negligence, negligence per se, and invasion of privacy/intrusion upon seclusion and seeks class action certification, a jury trial, and declaratory and injunctive relief. The plaintiffs are represented by MaryBeth V. Gibson of the Gibson Consumer Law Group, LLC; Todd McClelland of Sterlington, PLLC; Michael Sullivan, David H. Bouchard, and Gabriel Knisely of Finch McCranie, LLP.

The post Atlanta Women’s Health Group Sued Over 2023 Ransomware Attack appeared first on HIPAA Journal.

Seattle Children’s Hospital Website Tracking Technology Lawsuit Dismissed with Prejudice

Posted by Steve Alder

A class action lawsuit against Seattle Children’s Hospital (SCH) over its use of pixels and other tracking technologies on its website has been dismissed with prejudice by a Washington court. Like many other hospitals, SCH had added pixels to its website which could track user behavior on the site. The tracking technologies were used to gather information on how the website was used to improve the site and patient engagement. Depending on a user’s interactions on the website, the pixels may have captured identifiers and health information, which was transferred to third parties.

A lawsuit was filed by parents who had used the site alleging the addition of pixels violated the Washington Privacy Act, Washington Consumer Protection Act, and Washington Uniform Health Care Information Act. They alleged an invasion of privacy, breach of implied contract, conversion, and unjust enrichment. SCH argued that the information gathered by the pixels did not amount to confidential health information and that users had accepted the terms of its privacy policy and by doing so had consented to having anonymous data shared with third parties. In cases where identifying information was disclosed to third parties, it only occurred because the plaintiffs had that information placed on their browsers by third parties such as Facebook, and not by SCH, and that the plaintiffs had consented to having that identifying information placed on their browsers.

In the lawsuit, the plaintiffs alleged that there had been sensitive interactions on the SCH website, and health information related to those interactions was transmitted to third parties. SCH maintained that the sensitive interactions that were described by the plaintiffs could only happen on its patient portal and that pixels and other tracking technologies were not present on the portal. The Washington court sided with SCH and dismissed all of the plaintiffs’ claims with prejudice.

The post Seattle Children’s Hospital Website Tracking Technology Lawsuit Dismissed with Prejudice appeared first on HIPAA Journal.

Group Health Cooperative of South Central Wisconsin Ransomware Attack Affects 533K Patients

Posted by Steve Alder

Group Health Cooperative of South Central Wisconsin (GHC-SCW) has notified 533,809 patients about a January cyberattack. In the early hours of January 25, 2024, an unauthorized third party accessed its network and attempted to use ransomware to encrypt files. GHC-SCW said the file encryption was not successful; however, while containing the attack and securing its systems, some of its systems were temporarily made unavailable. Third-party cybersecurity experts were engaged to investigate the incident and on February 9, 2024, evidence was uncovered that indicated the attacker had copied certain files from the network before attempting encryption. The attacker also made contact with GHC-SCW and claimed responsibility for the attack and confirmed that data had been exfiltrated from its network. The attacker, a foreign ransomware group, demanded payment to delete the stolen data. GHJC-SCW did not state whether the ransom was paid.

The review of the affected files confirmed that they contained the following types of patient information: Member/patient name, address, telephone number, e-mail address, date of birth and/or date of death, Social Security number, member number, and Medicare and/or Medicaid number.  The types of data involved varied from individual to individual. At the time of issuing notification letters, no evidence had been uncovered suggesting any stolen data had been misused or further disclosed.

GHC-SCW said it notified the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) about the attack and has been working with those agencies to mitigate any harm that may result from the incident. GHC-SCW said cybersecurity measures have been enhanced across all systems and networks to reduce the risk of similar incidents in the future, including strengthening existing privacy and security controls, data backup processes, user training and awareness, and other measures. Affected patients have been offered a one-year membership to a credit monitoring service at no cost.

The post Group Health Cooperative of South Central Wisconsin Ransomware Attack Affects 533K Patients appeared first on HIPAA Journal.

Medusa Ransomware Group Leaks Data Stolen from American Renal Associates

Posted by Steve Alder

The Medusa ransomware group has leaked data stolen from American Renal Associates. Moffitt Cancer Center has been affected by a cyberattack on a vendor, and Family Health Center in Michigan and Zuckerberg San Francisco General Hospital have reported the exposure of patient data.

American Renal Associates

American Renal Associates (ARA), one of the largest providers of dialysis services in the United States and a provider of care for patients suffering from end-stage renal disease has experienced a Medusa ransomware attack. The ransomware attack has yet to be announced by ARA, but the Medusa ransomware group has leaked data allegedly stolen in the attack. The attack occurred on March 2, 2024, and affected hundreds of computers.

According to an analysis of the leaked data by Marco A. De Felice, around 5TB of data was stolen by the Medusa group including the protected health information of an estimated 37,700 patients. The leaked data includes patient names, dates of birth, phone numbers, email addresses, medical records, Social Security numbers, copies of passports and driver’s licenses, health insurance information, and company data.

Moffitt Cancer Center

Moffitt Cancer Center in Florida has announced that it has been affected by a security incident at one of its vendors. The law firm, Gunster, Yoakley, and Stewart, was provided with patient data in connection with legal services provided to Moffitt Cancer Center. Hackers gained access to the law firm’s network and may have obtained data such as names, dates of birth, Social Security numbers, driver’s license numbers, passport numbers, other government-issued identification numbers, financial account information, and medical information, including medical records numbers, health insurance benefit information, claims data, and diagnosis and treatment information.

The law firm started notifying affected individuals in April 2023; however, as the investigation progressed, it became clear that other individuals had been affected. Further notification letters were mailed in the following months, with Moffitt Cancer Center patients notified in April 2024. It is currently unclear how many Moffitt Cancer Center patients have been affected.

Family Health Center

Family Health Center in Kalamazoo, MI, has announced that it fell victim to a cyberattack that caused network disruption and impacted the functionality and access of certain systems. Prompt action was taken to contain the attack and prevent further unauthorized access on January 25, 2024, when the breach was detected and a third-party cybersecurity firm was engaged to conduct a forensic investigation.

The investigation uncovered evidence of unauthorized access to files that contained patient information. The review of those files confirmed that they contained employee information such as names, addresses, health insurance information, and Social Security numbers, and patient information such as first names, last names, and medical information. Family Health Center has reported the breach to the HHS’ Office for Civil Rights as affecting 3,240 individuals and said it has taken steps to improve security, including expanding multi-factor authentication and increasing monitoring of its network for suspicious activity.

Zuckerberg San Francisco General

Zuckerberg San Francisco General in California has announced that a medical logbook went missing in December 2023 that contained patient information. The logbook contained patient data from January 11, 2022, to December 12, 2023, including names, dates of birth, genders, medical record numbers, visit dates, dates of specimen collection, reason for specimen collection, whether a result was received, and other types of health information.

At the time of the announcement, no reports had been received to indicate any misuse of patient data. Zuckerberg San Francisco Hospital is reviewing its policies and procedures and is providing additional security awareness training to employees. The incident has been reported to the HHS’ Office for Civil Rights, but it is not yet shown on the OCR breach portal, so it is unclear how many individuals have been affected.

The post Medusa Ransomware Group Leaks Data Stolen from American Renal Associates appeared first on HIPAA Journal.

Planned Parenthood Los Angeles Settles Class Action Data Breach Lawsuit for $6 Million

Posted by Steve Alder

Planned Parenthood Los Angeles, a provider of reproductive healthcare services in Los Angeles County, has proposed a $6 million settlement to resolve all claims related to a 2021 data breach that exposed the personal information of more than 409,437 patients.

Between October 9, 2021, and October 17, 2021, hackers accessed the Planned Parenthood Los Angeles network, exfiltrated sensitive patient data, and used ransomware to encrypt files. Planned Parenthood discovered the ransomware attack on October 17, 2021, and confirmed on November 4, 2021, that the stolen files contained patient data. The stolen data included names, addresses, dates of birth, diagnoses, health insurance information, and medical information, including procedures and prescriptions.

A lawsuitIn re: Planned Parenthood Los Angeles Data Incident Litigation – was filed in the U.S. District Court of Central California over the data breach that alleged that Planned Parenthood Los Angeles was negligent by failing to implement reasonable and appropriate cybersecurity measures in line with industry standards, and had those measures been implemented, the ransomware attack and data breach could have been avoided. The lawsuit alleged violations of the Health Insurance Portability and Accountability Act (HIPAA), the California Confidentiality of Medical Information Act (CMIA), and the California Consumer Privacy Act (CCPA).

According to the lawsuit, the timing of the breach was such that patients would be more likely to suffer harm, as it coincided with Supreme Court debates on abortion. The stolen data also included highly sensitive health information such as abortion procedures, treatment of sexually transmitted diseases, emergency contraception prescriptions, and cancer screening information.

Planned Parenthood Los Angeles chose to settle the lawsuit with no admission of wrongdoing. Claims will be accepted up to a maximum of $10,000 to recover documented losses incurred as a result of the data breach, including bank costs, credit expenses, fraudulent charges, and losses to identity theft and fraud. Class members can also claim up to 7 hours of lost time at $30 per hour and three years of credit monitoring and identity theft protection services, which include a $1 million identity theft protection policy.

Class members will also be entitled to statutory damages, with the payments depending on participation rates. Statutory damages will be paid from the remainder of the $6 million fund after claims have been paid. If there is a 10% participation rate, statutory damages are estimated to be around $66 per class member. Class members are individuals who were notified about the data breach by Planned Parenthood Los Angeles in or around November 2021.

Key Dates:

  • Deadline for objection/exclusion: June 6, 2024
  • Deadline for claims: June 7, 2024
  • Final Hearing: August 8, 2024

The post Planned Parenthood Los Angeles Settles Class Action Data Breach Lawsuit for $6 Million appeared first on HIPAA Journal.

Planned Parenthood Los Angeles Settles Class Action Data Breach Lawsuit for $6 Million

Posted by Steve Alder

Planned Parenthood Los Angeles, a provider of reproductive healthcare services in Los Angeles County, has proposed a $6 million settlement to resolve all claims related to a 2021 data breach that exposed the personal information of more than 409,437 patients.

Between October 9, 2021, and October 17, 2021, hackers accessed the Planned Parenthood Los Angeles network, exfiltrated sensitive patient data, and used ransomware to encrypt files. Planned Parenthood discovered the ransomware attack on October 17, 2021, and confirmed on November 4, 2021, that the stolen files contained patient data. The stolen data included names, addresses, dates of birth, diagnoses, health insurance information, and medical information, including procedures and prescriptions.

A lawsuitIn re: Planned Parenthood Los Angeles Data Incident Litigation – was filed in the U.S. District Court of Central California over the data breach that alleged that Planned Parenthood Los Angeles was negligent by failing to implement reasonable and appropriate cybersecurity measures in line with industry standards, and had those measures been implemented, the ransomware attack and data breach could have been avoided. The lawsuit alleged violations of the Health Insurance Portability and Accountability Act (HIPAA), the California Confidentiality of Medical Information Act (CMIA), and the California Consumer Privacy Act (CCPA).

According to the lawsuit, the timing of the breach was such that patients would be more likely to suffer harm, as it coincided with Supreme Court debates on abortion. The stolen data also included highly sensitive health information such as abortion procedures, treatment of sexually transmitted diseases, emergency contraception prescriptions, and cancer screening information.

Planned Parenthood Los Angeles chose to settle the lawsuit with no admission of wrongdoing. Claims will be accepted up to a maximum of $10,000 to recover documented losses incurred as a result of the data breach, including bank costs, credit expenses, fraudulent charges, and losses to identity theft and fraud. Class members can also claim up to 7 hours of lost time at $30 per hour and three years of credit monitoring and identity theft protection services, which include a $1 million identity theft protection policy.

Class members will also be entitled to statutory damages, with the payments depending on participation rates. Statutory damages will be paid from the remainder of the $6 million fund after claims have been paid. If there is a 10% participation rate, statutory damages are estimated to be around $66 per class member. Class members are individuals who were notified about the data breach by Planned Parenthood Los Angeles in or around November 2021.

Key Dates:

  • Deadline for objection/exclusion: June 6, 2024
  • Deadline for claims: June 7, 2024
  • Final Hearing: August 8, 2024

The post Planned Parenthood Los Angeles Settles Class Action Data Breach Lawsuit for $6 Million appeared first on HIPAA Journal.