HIPAA Breach News

Montgomery General Hospital Suffers Ransomware Attack and Data Leak

Montgomery General Hospital in West Virginia has suffered a cyberattack that saw unauthorized individuals gain access to its IT systems on or around February 28, 2023, and deploy ransomware on or around March 1, 2023. The attackers gained access to certain servers, exfiltrated files, and encrypted data. Montgomery General Hospital engaged a third-party security firm to assist with the investigation to determine the extent of the breach and has confirmed that its cloud-based electronic medical record system was not affected. The exfiltrated files mostly contained historical data, including budget documents, cost reports, and vendor payments; however, some of the files contained patient information.

At this stage of the investigation, the extent to which patient information has been compromised is still being determined. The hospital has confirmed that notifications will be sent to affected patients ahead of the 60-day reporting deadline of the Breach Notification Rule and credit monitoring services will be offered to individuals whose Social Security numbers were involved. Montgomery General Hospital said it temporarily took its electronic medical record system offline as a precaution, but access was promptly restored and patient care was unaffected by the attack. A hospital spokesperson confirmed that a ransom demand was received for $750,000 but the ransom was not paid on the advice of law enforcement and due to the historical nature of the compromised data. The hospital’s investigation indicates the incident started with a phishing attack and the hospital is aware that some of the stolen files have been publicly released on the ransomware group’s data leak site.

The D#nut ransomware gang has claimed responsibility for the cyberattack and said it had entered into negotiations with the hospital, but lost patience and started to release some of the stolen data on its data leak site. A member of the group contacted DataBreaches and shared a link to the published data and the site confirmed the published files included employee data. When questioned, the group said access was gained by exploiting a Microsoft Exchange vulnerability.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal so it is unclear to what extent patient data has been exposed or compromised.

The post Montgomery General Hospital Suffers Ransomware Attack and Data Leak appeared first on HIPAA Journal.

Hospitals Notify Patients About 2021 Phishing Attack on Adelanto HealthCare Ventures

Several hospitals have started notifying patients about a data breach at the consulting company Adelanto HealthCare Ventures (AHCV). AHCV has offices in Washington D.C.; Nashville, Tennessee; and Austin and Laredo, Texas, and provides transactional advisory support and other services. AHCV provided services to an unnamed business associate of the affected hospitals. According to the breach notifications recently issued by the hospitals, their business associate provided AHCV with claim information on their patients to allow AHCV to perform its contracted services.

On November 5, 2021, AHCV determined that the email accounts of two of its employees had been accessed by unauthorized individuals after the employees responded to phishing emails. AHCV launched an investigation into the data breach but initially concluded that the email accounts did not contain any protected health information. On December 21, 2021, AHCV determined that one of the email accounts did contain patient information, which may have been accessed in the attack. It took until August 19, 2022, for AHCV to confirm to its business associate that some protected health information had likely been compromised.

The business associate launched an investigation and worked with AHCV to obtain further information on the PHI involved and the individuals affected, but was not provided with sufficient information to conduct its analysis until December 27, 2022. The business associate informed the affected hospitals on January 28, 2023, and the hospitals began issuing breach notifications two months later, at the end of March, 16 months after the breach occurred. The compromised information included the following data elements: name, facility name, Medicaid claim ID, Medicaid client ID, care plan name, Medicaid program, gender, date of birth, admission and discharge dates, medical and diagnosis information, and mental health comorbidity.

AHCV has augmented its security measures and has provided further security awareness training to its employees. There has been no detected misuse of patient data as a result of the incident; however, as a precaution, affected individuals are being offered complimentary credit monitoring and identity theft restoration services for 12 months.

It is currently unclear exactly how many hospitals/healthcare providers have been affected, and the number of affected individuals is not yet known. The hospitals that have reported the data breach so far are listed below:

Healthcare Provider                                    Individuals Affected
------------------------------------------------------ --------------------
St. Luke’s Health (TX)                                 16,906
Doctors Hospital of Laredo (TX)                        500 (potentially placeholder)
McAllen Hospitals dba South Texas Health System (TX)   Unknown
Fort Duncan Regional Medical Center (TX)               Unknown
Northwest Texas Healthcare System (TX)                 Unknown
Texoma Medical Center (TX)                             Unknown
Coral Shores Behavioral Health (FL)                    Unknown
The Vines Hospital (FL)                                Unknown
Suncoast Behavioral Health (FL)                        Unknown
River Point Behavioral Health (FL)                     Unknown

Website Tracking Technology Breach Affects 54,000 New York Presbyterian Hospital Patients

New York Presbyterian Hospital has reported a 54K-record data breach due to website tracking tools, ransomware attacks have been reported by Atlantic Dialysis Management Services and American Pain & Wellness, and there has been an impermissible disclosure of PHI by a former New Medical Health Care employee.

New York Presbyterian Hospital – Website Analytics and Tracking Tools

New York Presbyterian Hospital (NYP) has confirmed that tracking and analytics tools have been used on its website, nyp.org, which may have resulted in patient information being impermissibly disclosed to third-party service providers that developed the tools.

According to a website notification, these tools were used to gain a better understanding of how visitors interacted with the website and allowed NYP to streamline external communications, monitor community engagement, and make it easier for patients to connect with the care they need. After discovering the potential for impermissible disclosures, the tools were disabled and a third-party forensic firm was engaged to assist with the investigation and determine which individuals had been affected and the extent of any privacy violations.

In January 2023, NYP determined that the types of information disclosed via the tools included names, email addresses, mailing addresses, and/or gender and that 54,396 individuals had been affected. Those individuals had requested appointments, second opinions, or initiated a virtual urgent care visit via the website. No evidence of misuse of the disclosed information has been detected. NYP has reevaluated its data collection practices and has implemented a protocol for monitoring website engagement.

Atlantic Dialysis Management Services – Ransomware Attack

Atlantic Dialysis Management Services in New York has recently reported a cyberattack to the HHS’ Office for Civil Rights that was discovered on June 9, 2022. When suspicious activity was detected within its network, steps were immediately taken to prevent further unauthorized access, and a third-party computer forensics firm was engaged to investigate the incident. The investigation revealed files containing patient data may have been accessed or obtained, and those files included patient names, addresses, social security numbers, dates of birth, medical diagnosis and treatment information, health insurance information, and prescription information.

Atlantic Dialysis Management Services did not state the nature of the attack in its breach notification nor did it confirm that patient data had been stolen; however, this was a ransomware attack by the Snatch team, which subsequently published the stolen data on its data leak site. According to the HIPAA business associate, no evidence of misuse of patient data was identified.

Additional security measures have now been implemented to improve data security and the incident has been reported to the HHS’ Office for Civil Rights. The breach is listed as 14 separate breach notices, affecting 19,972 patients in total, suggesting one breach notice has been posted for each affected client. Some clients may instead choose to report the data breach themselves, so that may not be the final total.

American Pain and Wellness – Ransomware Attack

American Pain and Wellness in Texas has recently reported a ransomware attack to the Maine Attorney General that has affected a total of 7,457 individuals. A security breach was detected on or around November 27, 2022, with the review confirming that ransomware had been used to encrypt files and backups. The investigation determined that files may have been accessed or acquired during the time that its systems were compromised, between November 10, 2022, and November 27, 2022.

The review of the affected files was completed on or around January 24, 2023, and confirmed that names and Social Security numbers may have been compromised. Additional data security safeguards have now been implemented, further training has been provided to employees, and affected individuals have been notified.

New Medical Health Care & Restoration Health – Impermissible Disclosure of Patient Data

New Medical Health Care & Restoration Health (NMHCRH) in Wichita, KS, has recently notified 1,557 patients about an impermissible disclosure of some of their data by an employee. In October 2022, an employee provided a patient list to an individual who was not authorized to receive the information.

The individual who received the list is believed to be helping a former NMHCRH physician who has set up a new practice. The list contained names, phone numbers, addresses, email addresses, birth dates, other demographic information, and potentially also the name/address of the patient’s employer, emergency contact information, guarantor name and address, preferred pharmacy, and insurance information. All patients on the list were previously seen by the physician who set up a new practice.

None of the individuals concerned currently works at NMHCRH. The employee who provided the list had already left employment by the time the HIPAA violation was discovered. NMHCRH is working with all three individuals to obtain assurances that the patients concerned will not be contacted and that the information will not be further disclosed. Further training has been provided to the workforce on the importance of patient privacy and HIPAA requirements.

Georgia Physician Sentenced to Probation for Unauthorized Medical Record Access

A Georgia physician has avoided jail time for a HIPAA violation as part of a plea deal after illegally accessing medical records and has instead been sentenced to 12 months’ probation. The physician will also pay a $1,000 fine and court costs.

Dr. Brent Harris works as a family medicine physician in Carroll County, GA, and owns several properties and businesses in the county, including a school. An incident occurred at the school that involved the son of a nurse, Amy Hicks. The nature of the incident at the school was not publicly disclosed but the police were called, and Hicks took her son to the ER after the incident.

Following the incident, Dr. Harris accessed the medical records of the child, even though he was not the child’s physician, and looked specifically for information about the parents, Amy and Brett, in particular their medication and prescription information. Amy Hicks is a nurse with more than 10 years of experience, had previously worked with Dr. Harris in a healthcare setting, and was a former business partner of Dr. Harris.

Dr. Harris used Amy’s prescription information to file an official complaint with the Georgia State Board of Nursing, which resulted in her license being temporarily suspended pending an investigation. The investigation by the Board of Nursing determined the complaint was baseless and her license was reinstated. Initially, Dr. Harris was charged with two counts of computer invasion of privacy, two counts of unlawfully obtaining prescription drug monitoring program (PDMP) information, and one count of negligently using, releasing, or disclosing PDMP information. Under the plea deal, the felony charges were dropped in favor of a single misdemeanor charge.

Dr. Harris’ lawyer stated that the medical records of the child were accessed in good faith and the accessing of the records resulted in no harm. At sentencing, Dr. Harris stated that his actions were never intended to cause any harm, and he apologized and said he was truly sorry for any harm that had been caused.

US Wellness Inc & Blue Shield of California Victims of GoAnywhere Hack

Data breaches have recently been reported by Blue Shield of California, US Wellness Inc., Health Plan of San Mateo, and the California Department of Health Care Services.

Blue Shield of California – GoAnywhere Hack

Blue Shield of California (BSC) has confirmed that the protected health information of 63,341 individuals has been stolen in a hacking incident that exploited a zero-day vulnerability in Fortra’s GoAnywhere Managed File Transfer-as-a-service (MFTaaS) application.

BSC said it was notified on February 5, 2023, about the data breach by its provider, Brightline Medical Associates, which provides virtual behavioral health coaching and therapy for families and children, and confirmed that the file transfer application was compromised between January 28, 2023, and January 31, 2023. During that time, the threat actor responsible downloaded files that contained sensitive information. The following types of information were present in the files: name, address, birth date, gender, Blue Shield subscriber ID number, phone number, e-mail address, plan name, and plan group number.

When Fortra detected the breach, unauthorized access to the system was immediately terminated and the application was taken offline. It has since been patched and the application and gateway have been rebuilt. BSC has offered all affected individuals a complimentary 12-month membership to the Experian IdentityWorks credit monitoring and identity theft protection service.

The Clop ransomware gang claimed responsibility for these attacks, which resulted in data theft from 130+ organizations, including Community Health Systems.

US Wellness Inc. – GoAnywhere Hack

Maryland-based US Wellness Inc. has also recently confirmed that it has been affected by the GoAnywhere cyberattack, resulting in the theft of the protected health information of 11,459 Blue Cross Blue Shield of Arizona members.

US Wellness said it discovered on February 9, 2023, that sensitive data was involved, including names, addresses, birth dates, member ID numbers, where the services originated, and the addresses of the service locations. No misuse of the stolen data has been detected. US Wellness said steps have been taken to improve security processes to prevent similar incidents in the future. Affected individuals were notified about the breach on March 22, 2023.

Health Plan of San Mateo – Email Account Breach

The San Francisco, CA-based Health Plan of San Mateo has recently confirmed a breach of its email environment and the exposure and potential theft of the protected health information of 4,032 plan members. Suspicious activity was detected in its email environment on January 17, 2023, and it was confirmed that an unauthorized individual had accessed a single employee email account.

The attacker is believed to have accessed the account with a view to changing the employee’s direct deposit information rather than to access plan member data; however, unauthorized access to protected health information could not be ruled out. The email account contained a spreadsheet that included names, birth dates, member identification numbers, and limited information regarding calls made to the nurse advice line. Additional security measures have been implemented to prevent similar incidents in the future and employees have received further training to help them identify phishing attempts.

California Department of Health Care Services – Mismailing Incident

The California Department of Health Care Services (DHCS) has recently notified 6,460 Medi-Cal members about a mismailing incident at its subcontractor, Advanced Image Direct, which was performing duties for DHCS and the Office of State Publishing.

DHCS discovered on January 12, 2023, that IRS Form 1095-B mailings were sent that included a form that contained information unrelated to the intended recipient, such as other members’ names, addresses, zip codes, county case numbers, birth dates, and the last four digits of their Social Security numbers. When the incident was detected, all printing and mailing operations were immediately halted and attempts were made to retrieve the misdirected mailings from unintended recipients.

Replacement forms are now being sent and affected individuals have been notified by mail. More stringent quality control checks will now be performed, and employees have been retrained. Affected individuals have been offered 12 months of credit monitoring and identity theft protection services.

Hacking Incidents Reported by Atlantic General and Lawrence General Hospitals

A round-up of data breaches that have recently been reported to the HHS’ Office for Civil Rights, state Attorneys General, and the media.

Atlantic General Hospital – Ransomware Attack

Atlantic General Hospital (AGH) in Berlin, MD, has recently reported a ransomware attack to the Maine Attorney General that has affected up to 30,704 individuals. The attack was detected on January 29, 2023, when files were discovered to have been encrypted. A third-party computer forensics firm was engaged to assist with the investigation and determined that there was unauthorized access to files containing patient information from January 20, 2023.

The review of those files was completed on March 6, 2023, and confirmed they contained names, Social Security numbers, financial account information, and one or more of the following data types: medical record number, treating/referring physician, health insurance information, subscriber number, medical history information, or diagnosis/treatment information.

Notification letters were mailed to the affected individuals on March 24, 2023. Affected individuals are entitled to enroll in credit and identity monitoring services for 12 months at no cost. AGH has provided additional training to employees and is working on implementing additional safeguards to prevent similar attacks in the future.

Lawrence General Hospital – Hacking Incident

Lawrence General Hospital in Massachusetts recently reported a data breach to the HHS’ Office for Civil Rights that has affected 76,571 individuals. Little is known about the breach, which was reported to OCR on February 23, 2023, as a hacking/IT incident. As of March 29, 2023, a notice has not been added to the hospital website and the breach has not been listed on the Massachusetts Attorney General breach portal.

OU Health – Stolen Laptop Computer

OU Medicine Inc. in Oklahoma has reported a breach of the protected health information of 3,013 OU Health patients. On December 26, 2022, an employee’s laptop computer was stolen. A review was conducted of the data believed to be present on the laptop, and on January 17, 2023, OU Health determined that emails may have been accessible that included patient data such as names, birth dates, Social Security numbers, driver’s license numbers, account numbers, medical record numbers, provider names, dates of service, health insurance information, and diagnosis and treatment information.

While there have been no reported instances of misuse of patient data, OU Health could not rule out unauthorized access to patient data. All affected individuals have been notified and complimentary credit monitoring services have been offered to individuals whose Social Security numbers were exposed.

Majestic Care – Hacking Incident

Majestic Care, a provider of community-based skilled nursing throughout Indiana, Ohio, and Michigan, has confirmed that it was the victim of a hacking incident in December 2022 that disrupted access to its information systems. The security breach was detected on December 13, 2022, and left its information systems inaccessible until December 16, 2022.

The forensic investigation confirmed the disruption was caused by malicious software on its systems which was installed by an unauthorized individual who first gained access to the network on December 9, 2022. On February 3, 2023, it was confirmed that there may also have been unauthorized access to and exfiltration of files containing personal and protected health information, including names, mailing addresses, birth dates, telephone numbers, Social Security numbers, driver’s license numbers, and information related to treatment and payment for healthcare.

The breach affected 2,636 individuals who received services through Majestic Care Middletown Assisted Living LLC in Indiana.

New York Law Firm Pays $200,000 to State AG to Resolve HIPAA Violations

A New York law firm that suffered a LockBit ransomware attack has agreed to pay a financial penalty of $200,000 to the New York Attorney General to resolve alleged violations of New York General Business Law and the Privacy and Security Rules of the Health Insurance Portability and Accountability Act (HIPAA).

Heidell, Pittoni, Murphy & Bach LLP (HPMB) is a New York City-based medical malpractice law firm. On or around Christmas Day 2021, the LockBit ransomware gang gained access to its network and encrypted files. The investigation confirmed that files were exfiltrated in the attack, including legal documents, patient lists, and medical records. The patient information included names, birthdates, medical histories, treatment information, Social Security numbers, and health insurance information. The incident was reported to the HHS’ Office for Civil Rights on May 16, 2022, as affecting 114,979 individuals. HPMB engaged a third-party ransomware remediation firm to negotiate with the threat actor and ended up paying $100,000 for the keys to decrypt files and to prevent the release of the stolen data. The investigation confirmed the LockBit gang gained access to its network in November 2021 by exploiting unpatched Microsoft Exchange vulnerabilities.

The incident was investigated by the Office of the New York Attorney General to determine whether the law firm had violated state laws and the HIPAA Rules. The NY AG determined that the vulnerabilities exploited by the LockBit gang had been identified by Microsoft in April and May 2021, and that patches had been released shortly thereafter to fix them. Despite the vulnerabilities being well known, they remained unpatched for more than 6 months, which left the firm’s email server vulnerable to attack.

The NY AG determined that 17 provisions of the HIPAA Privacy and Security Rules had been violated, and that New York General Business Law had also been violated through the failure to implement reasonable security practices to protect private information and the failure to issue timely notifications to 61,438 New York residents.

The alleged HIPAA violations were:

  • The failure to safeguard electronic protected health information (ePHI).
  • The failure to protect against reasonably anticipated threats to ePHI.
  • The failure to review and modify data protection practices.
  • The failure to conduct an accurate and thorough risk assessment.
  • The failure to implement appropriate security measures to reduce risks to ePHI.
  • The failure to regularly review records of information system activity.
  • The failure to implement procedures sufficient to guard against, detect, and report malicious software.
  • The failure to implement procedures sufficient for periodic testing and revision of contingency plans.
  • The failure to perform a periodic technical and nontechnical evaluation.
  • The failure to sufficiently implement technical policies and procedures for ePHI to limit access by unauthorized individuals.
  • The failure to encrypt ePHI.
  • The failure to implement a centralized logging system for information systems to allow unauthorized system activity to be detected.
  • The failure to implement a system for detecting the alteration or destruction of ePHI.
  • The failure to implement procedures sufficient to verify that a person or entity seeking access to ePHI is the one claimed.
  • The failure to implement reasonable and appropriate policies and procedures to comply with the standards of 45 C.F.R. Part 164, Subpart C.
  • The failure to prevent unauthorized access to ePHI.
  • The failure to adhere to the minimum necessary standard.

In addition to paying a financial penalty, HPMB has agreed to implement a comprehensive information security program that includes risk analyses at least annually, implement appropriate administrative, technical, and physical safeguards, and conduct regular tests of those safeguards. HPMB will appoint a Chief Information Security Officer (CISO), encrypt all ePHI at rest and in transit, implement a centralized logging system, conduct system activity reviews, establish a patch management program, and develop a penetration testing program.

“New Yorkers should not have to worry that their privacy is being violated and their sensitive information is being mishandled,” said Attorney General Letitia James. “Confidential patient information should be treated with care and secured online to protect New Yorkers from identity theft and fraud. The institutions charged with protecting this information have a responsibility to get it right, and to keep authorities and New Yorkers informed about breaches. Companies can, and should, strengthen their data security measures to safeguard consumers’ digital data, otherwise they can expect to hear from my office.”

Associates in Dermatology Patients Affected by Business Associate Ransomware Attack

Associates in Dermatology, a network of dermatology clinics in Indiana, Kentucky, and New York, has started notifying patients that some of their protected health information has been exposed in a ransomware attack on one of its business associates.

Virtual Private Network (VPN) Solutions provides electronic medical record management services to healthcare providers and Associates in Dermatology used its TouchChart software to host patient data. The ransomware attack was detected by VPN Solutions on or around October 31, 2021, and Associates in Dermatology was notified on December 22, 2021, that none of its data was accessed or stolen in the attack, but was told the forensic investigation into the attack was ongoing.

Associates in Dermatology said VPN Solutions was contacted on multiple occasions to ask how the forensic investigation was progressing and to obtain a formal report about the attack, but it took until January 17, 2023, to discover patient data had been exposed – 15 months after the breach was detected, and 2 months after VPN Solutions determined that files had been exposed.

According to the breach notice, electronic medical records were not exposed, but tag image files from a data warehouse may have been obtained in the attack. Most of those files did not contain patient data, but VPN Solutions said some of the files could be linked to patient names. Associates in Dermatology said VPN Solutions did not confirm if individually identifiable information or protected health information was contained in the files and did not provide a list of patient names.

Associates in Dermatology said its own analysis determined on March 10, 2023, that the compromised files may have contained personally identifiable information. The types of information varied from patient to patient and may have included one or more of the following data elements: first and last name, address, Social Security number, date of birth, medical condition(s)/diagnosis, treatment information, test results, health insurance policy number, subscriber identification number, health plan beneficiary number, and unique AID patient identifiers.

Associates in Dermatology said VPN Solutions has taken steps to improve security and has rebuilt its entire environment and restored all data. Associates in Dermatology performed a review of its contracts with third-party vendors and assessed their cybersecurity measures and has offered affected individuals complimentary credit monitoring and identity theft protection services.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal so it is currently unclear how many individuals have been affected.

47,000 Special Needs Student Records Exposed Online

A non-password-protected database containing the records of more than 47,000 special needs students has been exposed to the Internet and could be accessed by anyone without any authentication. The database was found by security researcher Jeremiah Fowler in mid-February, who traced the database to a company called Encore Support Services. Encore Support Services is a Brooklyn, NY-based provider of special education, behavioral health, and related services. Fowler notified Encore Support Services about the data exposure and the database has now been secured.

According to Fowler, the 6.74 GB database stored records going back to 2018 and included invoices containing student names, addresses, parent names, Open Student Information System (OSIS) numbers, service provider names, vendor information, EIN/SSN tax identification, and billing hours. The invoices also included codes for services that indicated a disability.

The data could be used for a range of nefarious purposes. For instance, Encore Support Services could be impersonated and parents contacted and asked to reveal sensitive information or pay a small charge on their credit card. Since a threat actor would have access to students’ unique OSIS numbers, case numbers, and therapy histories, the requests would be convincing.

Fowler was unable to determine how long the database had been exposed and whether it had been accessed by unauthorized individuals but suggests that the database most likely has not been exposed for long as it had not been encrypted using ransomware or deleted for extortion purposes.
