HIPAA Breach News

VisionWeb Data Breach Affects Up to 35,900 Individuals

Austin, TX-based VisionWeb Holdings, a provider of Internet-delivered software solutions that help eye care practices improve efficiency, has recently reported a data breach to the HHS’ Office for Civil Rights that has affected up to 35,900 patients.

According to the breach report sent to the HHS on October 3, 2022, unauthorized individuals gained access to its email environment which contained patient information. The breach was also reported to the Texas Attorney General, with that report stating that names, Social Security numbers, government-issued identification numbers, medical information, and health insurance information had potentially been compromised. Individual notifications started to be sent to affected individuals on October 3, 2022, along with information on the steps they can take to protect against identity theft and fraud.

This post will be updated when further information about the breach becomes available.

Eventus WholeHealth Announces Email Account Breach

Durham, NC-based Eventus WholeHealth has recently confirmed that the email account of an employee has been accessed by an unauthorized individual. Suspicious email account activity was detected on June 1, 2022, and immediate action was taken to secure the account. The investigation into the breach confirmed on August 17, 2022, that an unauthorized third party had accessed the account and may have viewed or copied sensitive patient data, although no specific evidence of unauthorized data access or data theft was discovered.

Eventus said the breach was confined to a single email account and explained that the account had multifactor authentication in place, but that it failed to prevent unauthorized access. Individual notifications are being sent to affected individuals, who will be told the exact types of information that have been exposed. Those data types were not detailed in the breach notification sent to the Montana Attorney General. Affected individuals are being offered complimentary credit monitoring and identity theft protection services.

The incident has yet to appear on the HHS’ Office for Civil Rights website, so it is unclear how many individuals have been affected.

The post VisionWeb Data Breach Affects Up to 35,900 Individuals appeared first on HIPAA Journal.

Radiology Associates of Albuquerque Notifies Patients About Security Breach That Started in December 2020

Radiology Associates of Albuquerque (aka RAA Imaging/Advanced Imaging, LLC) has recently notified patients that some of their protected health information was stolen in a cyberattack that was detected more than 12 months previously. RAA said suspicious activity was detected within its environment in August 2021. Prompt action was taken to secure its systems and prevent further unauthorized access, and an investigation was launched to determine the nature and scope of the incident.

The forensic investigation confirmed that unauthorized individuals had access to certain systems between July 22, 2021, and August 3, 2021, and copied files from its network that contained patient data. The investigation also uncovered unauthorized access to email accounts, with the email accounts accessed by unauthorized individuals at various points over the preceding 8 months, between December 22, 2020, and July 15, 2021.

RAA explained in a substitute breach notice on its website that the delay in issuing notifications was due to the time taken to investigate the incident. RAA said the review and cataloging of the affected files took until July 2022 to complete, then it took until September 2022 to verify up-to-date contact information. Notification letters have now started to be sent to affected individuals – 22 months after the first email account was breached, and 14 months after files containing PHI were removed from its systems.

The types of data potentially obtained by the attackers varied from individual to individual, and may have included the following data elements: name, contact information, demographic information, diagnosis, treatment information, information regarding mental/physical condition, medical record number, patient number, health insurance information, billing/claim information, Medicaid/Medicare information, biometric data, electronic signature, email/username and password/pin, marriage certificate, mother’s maiden name, vehicle information (VIN, license plate number), financial account and/or credit/debit card information, driver’s license or state/federal identification number, and/or Social Security number.

RAA said steps have been taken to improve security and better protect patient data and affected individuals have been offered complimentary credit monitoring and identity theft protection services. RAA has not publicly disclosed how many people have been affected. This post will be updated when the scale of the breach is known.


70,000 Valle del Sol Community Health Patients Affected by Cyberattack

Phoenix, AZ-based Valle del Sol Community Health has notified 70,268 patients that some of their protected health information has been exposed. Valle del Sol did not state in its notification letters when hackers gained access to its network, or for how long they had access, but did confirm that the unauthorized activity was detected on January 25, 2022.

Valle del Sol immediately took steps to secure its network and prevent further unauthorized access and engaged an independent cybersecurity firm to investigate the breach and determine whether patient data had been accessed. Valle del Sol said the investigation indicated unauthorized individuals had access to files containing sensitive patient data and that patient information may have been acquired. A comprehensive review was conducted of all files that may have been accessed, which was completed on July 18, 2022.

The delay in sending notification letters was due to the length of the investigation, followed by the need to verify up-to-date contact information. The verification of addresses concluded on September 1, 2022. Valle del Sol explained in its October 5, 2022, website notification that arrangements were then made to notify affected individuals. Steps have also been taken to strengthen security to prevent similar incidents in the future. Valle del Sol said it has not received any reports from patients to suggest any misuse of their data.

The exposed information included names, dates of birth, Social Security numbers, driver’s license numbers, clinical/diagnosis information, health insurance member ID numbers, medical record numbers, and Medicare or Medicaid numbers. Complimentary credit monitoring and identity theft protection services do not appear to have been offered to affected individuals.

Legacy Post Acute Care Announces Breach of Employee Email Accounts

Martinez, CA-based Legacy Post Acute Care has recently confirmed that multiple employee email accounts have been accessed by an unauthorized individual, who may have viewed or acquired the protected health information of certain patients.

Legacy Post Acute Care explained in its breach notification letters that an investigation was launched after suspicious activity was detected in its email environment. The investigation determined on September 12, 2022, that multiple employee email accounts were compromised between January 19, 2022, and March 3, 2022.

The review of emails and attachments confirmed the following types of information had been exposed: full names, along with one or more of the following data elements: Social Security number, date of birth, driver’s license number, state ID number, financial information, clinical/treatment Information, health insurance carrier, health insurance member ID/group number, medical provider name, medical record number, patient account number, and prescription information.

Legacy Post Acute Care said no evidence of misuse of patient data was uncovered; however, as a precaution against identity theft and fraud, affected individuals have been offered complimentary 12-month memberships to a credit monitoring and identity theft protection service. The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Berkshire Farm Center & Services for Youth Confirms Server and Email Account Breaches

Canaan, NY-based Berkshire Farm Center & Services for Youth has confirmed that an unauthorized third party gained access to certain servers and potentially viewed or obtained files containing protected health information. The breach was detected on July 15, 2022, its systems were immediately secured, and an investigation was launched to determine the nature and scope of the incident. The review of the affected files is ongoing.

Berkshire also announced that on or around August 9, 2022, it was determined that an employee email account was accessed by an unauthorized individual. It is unclear if these two incidents are related. Berkshire said the review of the email account confirmed it contained the names of 951 individuals and information related to the treatment provided. No evidence of data theft or misuse of information has been detected.


Data Breach Impacts More Than One Dozen Anesthesia Providers

A major data breach has occurred at the management company of multiple providers of anesthesia services to hospitals. According to a media breach notice from one of the affected providers, Anesthesia Associates of El Paso, the data breach occurred at its unnamed management company on July 15, 2022.

Unauthorized individuals gained access to the IT systems used by the management company and potentially viewed or obtained sensitive patient information, including patient names, addresses, health insurance policy numbers, payment information, Social Security numbers, and diagnosis and treatment information.

Details about the data breach are scant at present, so the exact nature of the unauthorized access is not yet known. Anesthesia Associates of El Paso said the management company has taken steps to contain the breach and has implemented additional security controls to prevent further unauthorized access and to better protect patient information.

At this stage, credit monitoring and identity theft protection services do not appear to have been offered to affected individuals, who have been advised to monitor their credit reports and financial statements and to report any suspicious activity. Individual notifications are being mailed to affected individuals.

At present, HIPAA Journal can confirm that at least 13 providers of anesthesia services have been affected, resulting in the exposure and potential theft of the protected health information of more than 380,104 individuals.

This post will be updated as further information about the security incident is obtained.

Affected Entity                                  Individuals Affected
Providence WA Anesthesia Services PC                          98,643
Palm Springs Anesthesia Services PC                           58,513
Anesthesia Associates of El Paso PA                           43,168
Anesthesia Services of San Joaquin PC                         44,015
Resource Anesthesiology Associates PC                         37,697
Resource Anesthesiology Associates of IL                      18,321
Bronx Anesthesia Services PC                                  17,802
Resource Anesthesiology Associates of CA                      16,001
Anesthesia Associates of Maryland LLC                         12,403
Hazleton Anesthesia Services PC                               13,607
Upstate Anesthesia Services PC                                 9,065
Fredericksburg Anesthesia Services LLC                         7,069
Lynbrook Anesthesia Services PC                                3,800
Total                                                        380,104


CommonSpirit Health Confirms System Outages Caused by Ransomware Attack

On October 3, 2022, CommonSpirit Health experienced a data security incident that forced it to take systems offline, including its electronic medical record (EHR) and other critical IT systems. These steps were taken to protect systems from damage, contain the breach, and prevent unauthorized access to sensitive data. CommonSpirit Health issued a statement on October 4, 2022, that provided a brief explanation of the incident, stating there was an IT issue that was being investigated that had resulted in system outages at some of its hospitals and care facilities. CommonSpirit Health is one of the nation’s largest health systems and is the second-largest non-profit health system in the United States, consisting of around 1,500 clinics and hospitals in 21 states. CommonSpirit Health was formed by the merger of CHI Health and Dignity Health in 2019.

Soon after the incident, hospitals and other care facilities across the United States started to confirm that they had been affected, making it clear that the incident was having a nationwide impact. Several CHI Health facilities confirmed they had been affected and were operating under emergency procedures due to the lack of access to essential IT systems. Hospitals in Iowa, Illinois, Nebraska, Tennessee, and Washington all stated that the incident had affected them.

CHI Health issued a statement confirming that the incident at CommonSpirit Health was having an impact on some CHI Health facilities, and that as a precautionary step, some of its systems had been taken offline. Due to patient safety concerns, the decision was taken to cancel, postpone, or reschedule some patient appointments and procedures, access to the patient portal was temporarily suspended, and offline procedures were being followed for processing and managing prescription medications.

These measures were necessary to contain the attack and prevent damage to systems; however, they are having a significant impact on patients, who face delays in receiving medical care. Many are also struggling to get the medications they need to manage their health conditions. MercyOne, the operator of 230 healthcare facilities in Iowa, said the incident took its online scheduling system offline, which has prevented the system from being used to schedule online appointments in Central Iowa.

Several individuals claiming to be employees and patients of CommonSpirit Health have taken to social media sites to voice their concerns. Patients have claimed they have been unable to obtain medical care and prescriptions, including medications for managing cancer at home. Individuals claiming to be employees have explained that it has been a nightmare for staff due to having to work with paper charts. One nurse took to Reddit to explain that staff at the hospital have been unable to access the Downtime Epic EHR system to see patient histories, with the pharmacy unable to verify orders and having to handwrite labels, with labs having to be handwritten and faxed. It has now been 11 days since the attack and the disruption is still being experienced with IT systems still offline.

Ransomware Attack Confirmed

No details were initially released about the exact nature of the incident, although security researcher Kevin Beaumont said on Twitter shortly after the attack that the incident response chatter he had heard made it clear that this was a ransomware attack. That has now been confirmed by CommonSpirit Health. HIPAA Journal has not been able to establish at this stage which group is responsible for the attack.

CommonSpirit Health said in a recent update that the incident is an ongoing situation and the response is being managed, with assistance provided by leading cybersecurity specialists. Law enforcement, the Department of Health and Human Services, and other authorities have also been notified about the attack and are providing support.

CommonSpirit Health said that throughout the response, the priority has been to continue to provide the highest quality of care to its patients and ensure patient safety. A forensic investigation is underway to determine the extent of the attack and reviews are being conducted of its systems to determine if there has been any data impact. That process could take some time and further information will be made available when conclusions have been drawn from the investigation.

CHI Health facilities have been affected and are still facing disruption. CommonSpirit Health said it is working hard to bring systems back online safely and will restore functionality as fast as possible. CommonSpirit Health has confirmed that there has been a minimal impact on the systems used by Dignity Health and Virginia Mason Medical Center.


United Health Centers of the San Joaquin Valley Proposes Settlement to Resolve Data Breach Lawsuit

United Health Centers of the San Joaquin Valley (UNC) has proposed a settlement to resolve a class action lawsuit filed on behalf of patients affected by its August 2021 Vice Society ransomware attack.

The attack in question saw the ransomware actors gain access to its network and exfiltrate files that contained patient information such as names, Social Security numbers, medical record numbers, dates of birth, and treatment information, with the information copied from its systems between August 24, 2021, and August 28, 2021. Notification letters about the attack and data breach were issued four months after the attack in December 2021. Affected individuals were offered complimentary 12-month memberships to a credit monitoring and identity theft protection service.

A lawsuit was filed in the Fresno County Superior Court – Avetisyan v. United Health Centers of the San Joaquin Valley – by attorney Matthew R. Wilson on behalf of UNC patient, Narek Avetisyan, and other individuals similarly affected by the data breach. The lawsuit alleged negligence, invasion of privacy, and violations of the California Confidentiality of Medical Information Act and the Consumer Records Act.

UNC said it has implemented and maintains “meritorious defenses” to prevent attacks of this nature and accepts no wrongdoing for the data breach or liability, and while UNC said it was happy to vigorously defend the lawsuit, the decision was made to try to settle the lawsuit to avoid ongoing legal costs and the uncertainty of trial.

Under the terms of the proposed settlement, affected individuals will be entitled to three years of credit monitoring and identity theft protection services, even if they choose to exclude themselves from the settlement. Individuals who accept the settlement will be entitled to submit a claim for up to $500 for non-economic losses due to the data breach and can claim up to $2,500 as reimbursement for documented losses that can be reasonably attributed to the cyberattack.

Individuals who wish to object to or exclude themselves from the settlement must do so by November 19, 2022, which is also the final date for submitting claims for reimbursement. A fairness hearing has been scheduled for February 8, 2023.


34K-Record Data Breach Reported by Aesthetic Dermatology Associates

Pennsylvania-based Aesthetic Dermatology Associates has recently confirmed that its network has been accessed by unauthorized individuals who potentially viewed and/or acquired files containing the personal and protected health information of 33,793 current and former patients.

The cyberattack was detected on August 15, 2022, when suspicious activity was detected within its network. An investigation was launched to determine the nature and scope of the attack, which confirmed that unauthorized individuals had accessed its network, although the nature of the attack and length of time its network was compromised were not disclosed.

A comprehensive review of all files on the compromised parts of the network was completed on September 3, 2022, and confirmed the breach was limited to names, addresses, dates of birth, diagnosis codes, and health insurance information. Aesthetic Dermatology said a review is being conducted of its policies, procedures, and controls and updates will be made, as appropriate, to improve security. At the time of issuing notifications, no reports had been received to suggest any misuse of patient data.

Records of Almost 6,500 Patients Exposed in Ransomware Attack on Family Medicine Shady Grove

Family Medicine Shady Grove in Rockville, MD, has confirmed that it was the victim of an August 9, 2022, ransomware attack. Unauthorized individuals gained access to an internal server and encrypted files. The healthcare provider confirmed that patient medical records were not affected, as they were stored in a cloud-based system; however, the server did contain explanations of benefits and monthly billing printouts, which contained names, addresses, and dates of birth. No Social Security numbers or credit card information were exposed.

Family Medicine Shady Grove said a computer forensics team was engaged to assist with the investigation and that it was possible to recover and restore the affected files. That process was completed on September 5, 2022. No evidence of data theft was identified during the investigation and there have been no reports that suggest patient data has been misused. Steps have since been taken to improve data security to prevent further attacks in the future. The breach has been reported to the HHS’ Office for Civil Rights as affecting 6,482 patients.

UW Medicine Affected by Ransomware Attack on Mail Service Vendor

UW Medicine in Seattle has confirmed that the protected health information of 3,800 patients was potentially compromised in a ransomware attack on its mail service vendor, Kaye-Smith. The investigation uncovered no evidence to suggest patient information has been misused; however, as a precaution, Kaye-Smith has offered affected individuals complimentary credit monitoring and identity theft protection services.

Kaye-Smith notified UW Medicine about the breach on August 24, 2022, and confirmed that the attackers had access to Patient Account & Support Services statements and letters that were being sent in relation to billing services, which included information such as names, addresses, account numbers, medical record numbers, treatment provider names and descriptions of medical services.

In addition to the 3,800 UW Medicine patients, the breach affected 6,750 patients of Seattle Children’s, 2,857 Geisinger patients, and Kaye-Smith Enterprises self-reported the breach as affecting 2,857 individuals.


Email Breaches Reported by Cardiac Imaging Associates & Centerstone of Tennessee

Cardiac Imaging Associates in Los Angeles, CA, has discovered an unauthorized individual has accessed an employee’s email account. The incident was detected in April 2022, and immediate action was taken to secure its email environment to prevent further unauthorized access. The forensic investigation confirmed the incident was confined to a single employee email account, which was accessed between March 30, 2022, and April 6, 2022. It was not possible to determine if any emails or file attachments were opened or acquired by the attacker.

A review of all emails and file attachments confirmed they contained protected health information such as names, dates of birth, Social Security numbers, driver’s license numbers, financial account information, payment card information, medical diagnosis, and condition information, medical laboratory results information, medication and prescription information, and medical treatment information.

The review of emails was completed on August 17, 2022, and notification letters started to be sent to affected patients on October 7, 2022. Steps have since been taken to improve the security of its email system. It is currently unclear how many individuals have been affected.

Email Breach Affects 3,675 Patients of Centerstone of Tennessee

Centerstone, a Nashville, TN-based provider of behavioral health and addiction services, has reported a breach of its email environment. Unusual activity was detected in the email account of a Centerstone employee on February 14, 2022. The investigation confirmed that several employee email accounts had been accessed by an unknown actor between November 4, 2021, and February 14, 2022.

Those email accounts were discovered to contain the personal and protected health information of current and former Centerstone clients. The review of the affected email accounts concluded on July 12, 2022, and then a search was conducted to identify the up-to-date mailing information for those individuals. Centerstone announced the breach publicly on August 15, 2022.

The breached information varied from individual to individual and may have included the following data types: Name, address, Social Security number, driver’s license or other government ID number, passport number, alien registration number, date of birth, financial account information, biometric information, username and password, medical record number, Medicare and/or Medicaid number, medical diagnosis/treatment information, and/or health insurance information.

Additional safeguards have been implemented to improve the security of its email environment. The breach has been reported to the HHS’ Office for Civil Rights as affecting 3,675 current and former patients of Centerstone of Tennessee.


Doctor Who Provided PHI to Pharma Sales Rep Pleads Guilty to Criminal Violations of HIPAA

A former physician with practices in New Jersey, New York, and Florida has pleaded guilty to criminal violations of HIPAA for disclosing patients’ protected health information to a sales representative of a pharmaceutical firm, according to the U.S. Attorney’s Office of the District of New Jersey.

Frank Alario, 65, of Delray Beach, Florida, pleaded guilty to disclosing patient information to sales rep Keith Ritson, who promoted compound prescription medications and other medications to the patients. Compound prescription medications are medications mixed specifically for individual patients when standard FDA-approved medications are determined not to be appropriate, due to an allergy for example. Compound prescription medications are not approved by the FDA but can be legally prescribed by physicians.

The HIPAA Privacy Rule permits disclosures of patients’ protected health information for the purposes of treatment, payment, or healthcare operations; however, other disclosures are only permitted if consent to share information is provided by each patient. Ritson was an outside pharmaceutical representative who was not associated with Alario’s practices, and as such Ritson was not permitted to access the protected health information of Alario’s patients. Permission to disclose the information was not provided by patients.

Alario allowed Ritson to have significant access to his office, patients’ medical files, and other patient information, both inside and outside normal business hours. Ritson was given access to areas of Alario’s office that were restricted to staff members, such as areas with patient files and computers. In addition to allowing access to these areas, Ritson was allowed to look up patient information in files and on computers to identify patients who had insurance coverage that would pay for the compound medications. Ritson would then mark the files of patients whose insurance would pay for the medications so Alario would know which patients to prescribe the medications to.

In some cases, Ritson was allowed to be present during appointments. Alario gave patients the impression that Ritson was a member of staff or was affiliated with the medical practice, and during those appointments sensitive health information would be disclosed directly to Ritson. The information obtained was then used to fill out prescription forms for medications, which would then be authorized by Alario, with Ritson receiving a commission on the prescriptions.

Alario and Ritson were both charged in an indictment for conspiring to violate HIPAA. Ritson’s charges are still pending, with his trial scheduled for November 7, 2022. Alario pleaded guilty and sentencing is scheduled for February 7, 2023. Alario faces a maximum of one year in jail and a $50,000 fine.
