HIPAA Breach News

Email Breach at CSI Laboratories Impacts Almost 245,000 Patients

Posted by HIPAA Journal

Cytometry Specialists, Inc., doing business as CSI Laboratories in Alpharetta, GA, has recently announced that the email account of an employee has been accessed by an unauthorized individual, who may have viewed or obtained the protected health information of 244,850 patients. CSI Laboratories is a leading cancer testing and diagnostics laboratory that serves pathologists, oncologists, and community hospitals throughout the U.S.

The email account breach was detected on July 8, 2022, and the account was immediately secured. The investigation into the incident indicates the purpose of the attack was to use the email account in a business email compromise (BEC) attack to redirect CSI customer health care provider payments to an account under the control of the attacker by posing as CSI using a fictitious email address, rather than to obtain patient information; however, the breach investigation confirmed on July 15, 2022, that certain files had been copied from the employee’s mailbox that contained patient information.

The files related to invoices sent to CSI Health Care provider customers which were most likely obtained to support the BEC scam. The files typically only contained patient names and identifiers (patient numbers), although some files contained further information such as dates of birth and health insurance information. As such, the potential for misuse of patient data is believed to be very low.

In response to the breach, CSI Laboratories has taken steps to enhance the security of its email environment, has provided further training to employees on how to recognize phishing attempts, and has enhanced monitoring of its network and email systems.

CSI Laboratories announced earlier this year that it had suffered a ransomware attack, for which the Conti ransomware gang took credit. The PHI of 312,000 patients was compromised in that attack.

Trillium Health Email Account Breach Exposes PHI of 3,200 Patients

The Rochester, NY-based healthcare provider, Trillium Health, has reported a data security incident that exposed the protected health information of 3,191 patients. On or around August 1, 2022, Trillium Health discovered suspicious activity in the email account of one of its employees. Steps were immediately taken to secure the email account and an investigation was launched to determine the nature and scope of the incident.

Trillium Health confirmed that only one email account was affected and that an unauthorized individual had access to the employee’s mailbox for a short period of time on July 26, 2022. During that period of access, it is possible that the entire contents of the mailbox may have been copied. A review of the emails and attachments confirmed they contained patient information such as names, birth dates, treatment information, medications, diagnoses, and provider information. In very limited instances, more extensive information was potentially compromised.

Trillium Health said it has implemented additional safeguards to prevent further email account breaches, including multi-factor authentication, and has modified its internal email settings.

Keck Medicine of USC Affected by Breach at Business Associate

Keck Medicine of USC has recently announced that it has been affected by a data breach at one of its business associates, Conifer Revenue Cycle Solutions. Conifer provides revenue cycle management and other administrative services, which requires access to patient information. On April 14, 2022, Conifer determined an unauthorized individual gained access to its Office 365 email environment, which contained the information of patients of its healthcare provider clients.

The information potentially compromised included names, dates of birth, addresses, Social Security numbers, driver’s license numbers, state ID numbers, financial account information, medical and/or treatment information such as medical record numbers, provider names, diagnoses and symptoms, and prescription/medication information, and health insurance information. The data exposed varied from patient to patient.

Keck Medicine said its business associate has enhanced its security controls and monitoring practices and has accelerated the implementation of multi-factor authentication. Complimentary credit monitoring services have been offered to affected individuals.

The post Email Breach at CSI Laboratories Impacts Almost 245,000 Patients appeared first on HIPAA Journal.

PHI Exposed in Data Incidents at Anthem, WellMed Medical Management and CareOregon

Posted by HIPAA Journal

Anthem has confirmed that the protected health information of certain plan members has been compromised in a data breach at its vendor, Choice Health. Choice Health was provided with the data of plan members to perform its contracted duties. On August 5, 2022, Anthem discovered that an unauthorized individual had gained access to a database and downloaded files containing plan members’ protected health information, including names, addresses, dates of birth, phone numbers, email addresses, Medicare ID numbers, and Medicaid ID numbers.

The database was accessible over the Internet due to a misconfiguration by a third-party service provider and was accessed and downloaded on May 7, 2022. Choice Health confirmed that the database has now been secured and that steps have been taken to improve its data security measures to prevent similar incidents in the future, including implementing multi-factor authentication for access to database files. Affected individuals have been offered complimentary credit monitoring services.

The breach affected several Choice Health clients, including Humana. Anthem notified the Maine Attorney General about the breach and said 13,406 AnthemMainHealth members had been affected. The breach also affected certain Anthem Blue Cross members. HIPAA Journal has not yet been able to establish exactly how many Anthem Blue Cross members have been affected.

WellMed Medical Management Warns Patients About Physician Soliciting Business

The San Antionio, TX-based healthcare delivery company, WellMed Medical Management, has warned 10,506 patients that one of its former physicians obtained their records prior to leaving employment with the intention of making contact with those individuals to encourage them to become patients of his new clinic.

The records were obtained between February 6, 2022, and May 17, 2022, and contained demographic information such as names, dates of birth, mailing addresses, phone numbers, and email addresses; health insurance information including payer name and health plan identifier; and medical information such as medical record numbers, providers, diagnoses, treatments, medications, and laboratory results. No financial information, Social Security numbers, or driver’s license numbers were taken.

WellMed said it took steps to prevent any further outreach to the patients and notified the appropriate authorities about the HIPAA violation. WellMed has also confirmed that the records taken by the physician have now been recovered. The incident prompted WellMed to reinforce its existing policies and practices and implement additional safeguards to prevent similar incidents in the future.

CareOregon Reports August 2022 Mailing Error

The Portland, OR-based health insurance agency, CareOregon, has recently announced that there has been an impermissible disclosure of a limited amount of the protected health information of 8,022 of its members due to a mailing error.

The incident occurred on August 9, 2022, and saw marketing letters intended for one CareOregon member sent to another member. The only information disclosed was the name and Medicaid ID number of one CareOregon member to another member. CareOregon said it has implemented additional policies and procedures and has provided further training to its employees to ensure similar breaches are avoided in the future.

The post PHI Exposed in Data Incidents at Anthem, WellMed Medical Management and CareOregon appeared first on HIPAA Journal.

Netwalker Ransomware Affiliate Sentenced to 20 Years in Jail

Posted by HIPAA Journal

An affiliate of the infamous Netwalker ransomware gang has been sentenced to serve 20 years in jail for his role in ransomware attacks on entities in the United States.

Netwalker is a ransomware-as-a-service (RaaS) operation where affiliates are recruited to conduct attacks and deploy ransomware in exchange for a cut of the ransom payments they generate, typically receiving up to 75% of any ransoms paid. After gaining access to a victim’s network, sensitive data would be identified and exfiltrated and used as leverage to pressure victims into paying. Threats were then issued to publish or sell the data if the ransom is not paid. Ransom demands ranged from hundreds of thousands to millions of dollars.

While some RaaS operations ban their affiliates from conducting attacks on healthcare organizations, that was not the case with Netwalker, which actively targeted healthcare organizations around the world. The gang also stepped up attacks on the sector during the COVID-19 pandemic.  Victims included the Champaign-Urbana Public Health District and the University of California San Francisco, which had files encrypted on the servers used by its School of Medicine. A ransom of $1.14 million was paid by UCSF for the decryptor to recover essential files.

Sebastien Vachon-Desjardins, 34, from Quebec, a former IT consultant who worked for the Public Works and Government Services in Canada, was arrested in Canada in January 2021 on suspicious of conducting ransomware attacks as part of a law enforcement crackdown on the Netwalker ransomware gang. Law enforcement searched his home and found 719 Bitcoin with a value of more than $28 million, CAD $640.040 in cash, and seized CAD $420,941 from his bank account.

Vachon-Desjardins pleaded guilty to breaching companies and conducting attacks and also admitted to training other individuals on how to conduct attacks. During the 9 months from May 2020 to January 2021, Vachon-Desjardins is alleged to have earned more than 2,000 Bitcoin for the gang and is estimated to have earned more than CAD $30 million in just 9 months. Vachon-Desjardins was charged for the attacks conducted in Canada, was sentenced to serve 6 years and 8 months in jail, and was ordered to pay restitution to 8 victims of his attacks, ranging from $2,500 to $999,239. While awaiting sentencing, Vachon-Desjardins was also sentenced to serve 4.5 years in jail for a separate drug trafficking case.

A law enforcement investigation into the ransomware attacks conducted by Vachon-Desjardins on U.S. firms was also underway and earlier this year, Vachon-Desjardins was extradited to the United States to face charges in Florida, including conducting a ransomware attack on a Tampa-based firm. Vachon-Desjardins entered into a plea deal and pled guilty to conspiracy to commit computer fraud, conspiracy to commit wire fraud, causing intentional damage to a protected computer, and transmitting a demand in relation to damaging a protected computer.

Federal sentencing guidelines were in the range of 12-15 years; however, U.S. District Court Judge, William F. Jung, opted for a much harsher sentence to serve as a deterrent to other would-be ransomware affiliates. Vachon-Desjardins was sentenced to serve 60 months in jail for conspiracy to commit computer fraud and transmitting a demand in relation to damaging a protected computer, 120 months for causing intentional damage to a protected computer, and 240 months for conspiracy to commit wire fraud, with the sentences to run concurrently. Vachon-Desjardins also agreed to forfeit $21.5 million and will have to serve 3 years of supervised release.

During his prison term, Vachon-Desjardins will not be permitted to use a computer capable of connecting to the Internet, including a smartphone, gaming device, or other electronic devices. U.S. District Court Judge, William F. Jung, said that were it not for the plea deal, and if the case had gone to trial, he would have sentenced Vachon-Desjardins to life in prison.

The post Netwalker Ransomware Affiliate Sentenced to 20 Years in Jail appeared first on HIPAA Journal.

Mon Health Faces Class Action Lawsuit Over 493K Record Data Breach

Posted by HIPAA Journal

Mon Health is facing a class action lawsuit over a hacking incident that allowed unauthorized individuals to gain access to its network for an 11-day period in December 2021. Mon Health said it detected the breach on December 30, 2021, with the forensic investigation determining hackers accessed its network between December 9 and December 19.

Mon Health announced the security breach on February 28, 2022, and confirmed that the hackers had access to the personal and protected health information of 492,861 individuals, including information about patients, employees, providers, and contractors. The information potentially accessed and stolen included names, addresses, birth dates, Social Security numbers, Medicare claim numbers, patient account numbers, health insurance information, medical record numbers, dates of service, provider names, claims information, and medical and clinical treatment information.

The lawsuit, which names Monongalia Health Systems Inc. and affiliated hospitals, Monongalia County General Hospital Co., Stonewall Jackson Memorial Hospital Co., and Preston Memorial Hospital Corp as defendants, was filed in Monongalia County Circuit Court in West Virginia by the Clarksburg law firm, Morgan and Morgan. The lawsuit names Rachel Silbaugh, Robin Stripling, and Michael Stripling as plaintiffs, with all other individuals affected by the breach included as class members.

The lawsuit alleges the data breach occurred as Mon Health failed to implement appropriate cybersecurity measures and was not in compliance with the security standards of the HIPAA Security Rule, alleging negligence, breach of contract, breach of confidence, and breach of implied contract. While the breach notification letters were sent within the maximum timeframe permitted by the HIPAA Breach Notification Rule, the plaintiffs allege those notification letters were untimely and were “woefully deficient” in information about the breach.

Typically, when healthcare organizations experience a breach of the types of information that are sought by identity thieves, affected individuals are offered complimentary credit monitoring services. The plaintiffs claim that these were not provided and that they have been placed with the burden of checking for misuse of their personal information. The plaintiffs claim they face an immediate and ongoing threat of identity theft and fraud as a direct result of the data breach and will continue to suffer damages, including covering the cost of ongoing credit monitoring and identity theft protection services.

The lawsuit seeks class certification, reimbursement of out-of-pocket expenses, and equitable relief, citing 20 data security measures that must be implemented to better protect patient data and prevent further data breaches.

The post Mon Health Faces Class Action Lawsuit Over 493K Record Data Breach appeared first on HIPAA Journal.

LifeBridge Health Agrees to $9.5 Million Settlement to Resolve 2016 Data Breach Claims

Posted by HIPAA Journal

LifeBridge Health Inc. has agreed to settle a class action lawsuit to resolve claims from patients affected by a data breach that was discovered in 2018. The total value of the settlement is $9.475 million, which includes an $800,000 fund to cover claims from class members.

In March 2018, LifeBridge Health discovered a malware infection that provided unauthorized individuals with access to a server that hosted its electronic medical records, patient registration, and billing systems. The breach investigation determined the initial intrusion occurred 18 months previously in September 2016. The breach was disclosed by LifeBridge Health in May 2018, with the healthcare provider confirming the information of 582,174 patients had potentially been compromised, with the exposed information including names, dates of birth, addresses, diagnoses, medications prescribed, clinical and treatment information, insurance details, and a limited number of Social Security numbers.

A lawsuitJohnson, et al. v. LifeBridge Health, Inc. – was filed in the Circuit Court for Baltimore City, MD, by the law firm Murphy, Falcon & Murphy on behalf of patients affected by the incident. The two patients named in the lawsuit, Jahima Scott and Darlene Johnson, claimed to have had their identities stolen as a direct result of the breach, with both claiming they were victims of credit card fraud shortly after the data breach occurred.

The lawsuit alleged class members had been exposed to serious harm and that their personal and protected health information was in the hands of identity thieves, which placed them at immediate and ongoing risk of identity theft and fraud. The named plaintiffs claimed to have suffered monetary losses, had financial transactions declined, experienced issues with their email accounts, fraudulent accounts were created in their names, and their identities had been used to file fraudulent claims for unemployment benefits and COVID-19 disaster small business loans.

The lawsuit alleged LifeBridge Health was negligent as it failed to follow basic security practices, which violated several privacy protection statutes in Maryland, including the Maryland Personal Information Protection Act, Maryland Social Security Number Privacy Act, and Maryland Consumer Protection Act.

LifeBridge Health did not admit to any wrongdoing and did not accept liability for the incident, but chose to settle the lawsuit to avoid further legal costs and the uncertainty of trial. Under the terms of the settlement, LifeBridge Health has agreed to create an $800,000 fund to cover claims from class members and will invest $7.9 million in additional security measures to prevent further data breaches, including data encryption, network monitoring, security awareness training, asset tracking, and multi-factor authentication. The remaining $775,000 of the total settlement amount will cover legal fees.

Class members are entitled to submit claims for reimbursement of ordinary and extraordinary losses, including up to 3 hours of lost time at $20 per hour, and a further 2 hours if they suffered extraordinary losses. Claims for ordinary losses of up to $250 per class member can be submitted to cover bank fees, credit monitoring, credit freeze, communication, and other costs, and a claim can be submitted for extraordinary losses up to a maximum of $5,000.

A final approval hearing has been scheduled for October 26, 2022. Claims must be submitted by February 1, 2023.

The post LifeBridge Health Agrees to $9.5 Million Settlement to Resolve 2016 Data Breach Claims appeared first on HIPAA Journal.

CommonSpirit Health Experiencing Widespread Outage Due to Cyberattack

Posted by HIPAA Journal

CommonSpirit Health is experiencing a data security incident that has affected many of its healthcare facilities. According to a statement issued by the health system on October 4, 2022, IT systems have been taken offline as a precautionary step while the incident is investigated, and the exact nature and scope of the incident is determined. A brief update was issued on Wednesday, October 5, 2022, confirming the IT security incident was still impacting some of its facilities and that staff members were operating under its tried and tested emergency protocols and are using pen and paper to record patient information while IT systems are offline.

The incident was detected on October 3, 2022, but little information has been released at this stage about the exact nature of the incident.  CommonSpirit Health said it is doing everything possible to minimize the impact on its patients. Without access to certain IT systems, the decision has been taken to reschedule some appointments while the security incident is mitigated. Some patients have reported that it has not been possible to make new appointments.

Chicago, IL-based CommonSpirit Health is the largest catholic health system in the United States and the second largest non-profit U.S. health system. It was formed in 2019 by the merger of Catholic Health Initiatives (CHI Health) of Colorado and Dignity Health of California. CommonSpirit Health operates 142 hospitals and approximately 1,500 care facilities in 21 states, has around 150,000 employees including 25,000 physicians, and serves more than 21 million patients a year. CommonSpirit Health’s hospitals and healthcare facilities are accessible to around 1 in 4 Americans.

Several CHI Health facilities in Nebraska have confirmed that they are experiencing outages as a result of the incident. MercyOne Des Moines Medical Center in Iowa has also been affected, and the decision was taken to divert ambulances for a short period of time. The incident is also known to have affected hospitals in Tennessee and Washington.

Reports have been received from patients claiming the MyChart tool from Epic Systems has been affected, although a spokesperson for the EHR provider said the issues are only being experienced by CommonSpirit Health. It should be noted that the decision to take the EHR system offline is common when cyberattacks are detected and does not mean the EHR system has been subjected to unauthorized access.

At such an early stage of the investigation it is unclear to what extent, if any, patient information has been affected and the exact nature of the attack has also not been disclosed; however, security researcher Kevin Beaumont said on Twitter that the incident response chatter indicates this was a ransomware attack, which would explain the widespread impact of the incident.

Further information about the incident will be released by CommonSpirit Health as the investigation progresses, and this article will be updated as further information becomes available.

The post CommonSpirit Health Experiencing Widespread Outage Due to Cyberattack appeared first on HIPAA Journal.

Data Breaches Reported by Neurology and Fertility Centers in Nevada and California

Posted by HIPAA Journal

Neurology Center of Nevada Cyberattack Impacts 11,700 Patients

The Neurology Center of Nevada (NCNV), in Henderson, NV, has confirmed a data security event was detected on July 17, 2022, which rendered certain computer systems inaccessible.  Prompt action was taken to secure its systems and an investigation was launched to determine the nature and scope of the security breach, with assistance provided by third-party cybersecurity experts. The investigation confirmed that the threat actors behind the attack had access to its systems for more than a month between June 12, 2022, and July 17, 2022, and during that time, files on its systems were subjected to unauthorized access.

The compromised files contained full names, addresses, dates of birth, gender, driver’s license numbers, Social Security numbers, health insurance information, and medical information, such as diagnosis/treatment information, lab results, and medications. Affected individuals have been notified by mail and advised to monitor their accounts, credit reports, and explanation of benefits statements for unusual activity. NCNV said additional administrative and technical safeguards have been implemented to protect against future security breaches.

The breach has been reported to the HHS’ Office for Civil Rights as affecting up to 11,700 patients.

Northern California Fertility Medical Center Notifies Patients About Attempted Ransomware Attack

Sacramento, CA-based Northern California Fertility Medical Center (NCFMC) has recently announced that it detected and stopped an attempted ransomware attack on its network. The attack was detected on July 24, 2022, and immediate action was taken to contain the attack, secure its systems, and eject the threat actors from its network. A third-party cybersecurity company was engaged to assist with the investigation and incident response and determine the extent and scope of the breach.

NCFMC said no evidence was found to indicate there had been any misuse of patient data, but during the time of unauthorized access to its systems, some sensitive data was exposed, including names and the statuses of ultrasounds performed at NCFMC, and/or cryopreserved tissue stored at NCFMC. No Social Security numbers or financial information were stored on the systems accessed in the attack.

NCFMC said it has altered its tools, policies, and procedures relating to the security of its systems and servers. Complimentary credit monitoring and identity theft protection services have been offered to affected individuals through CyberScout.

It is currently unclear how many individuals have been affected by the incident.

2,000-Record Data Breach Reported by The Coeur Group

Cynthia Paul, M.D., LLC, a psychiatrist doing business as The Coeur Group, in Omaha, NE, has notified 2,020 patients that some of their protected health information has potentially been accessed by an unauthorized individual who gained access to an employee’s email account. The unauthorized access was detected on July 26, 2022, with the investigation confirming the breach occurred between June 7, 2022, and July 12, 2022.

A comprehensive review of the affected email account confirmed it contained patient information such as names, addresses, dates of birth, and other demographic information, health insurance information, and limited clinical information, such as provider names, diagnoses/conditions, and medication information. A limited number of individuals also had their Social Security numbers and credit card information exposed.

In response to the breach, new authentication requirements have been implemented, including multifactor authentication, network procedures have been strengthened, firewalls have been enhanced, and additional alerts have been set up to warn about potential unauthorized access. Affected individuals have been offered a one-year membership to a credit monitoring service.

The post Data Breaches Reported by Neurology and Fertility Centers in Nevada and California appeared first on HIPAA Journal.

Data Breaches Reported by Neurology and Fertility Centers in Nevada and California

Posted by HIPAA Journal

Neurology Center of Nevada Cyberattack Impacts 11,700 Patients

The Neurology Center of Nevada (NCNV), in Henderson, NV, has confirmed a data security event was detected on July 17, 2022, which rendered certain computer systems inaccessible.  Prompt action was taken to secure its systems and an investigation was launched to determine the nature and scope of the security breach, with assistance provided by third-party cybersecurity experts. The investigation confirmed that the threat actors behind the attack had access to its systems for more than a month between June 12, 2022, and July 17, 2022, and during that time, files on its systems were subjected to unauthorized access.

The compromised files contained full names, addresses, dates of birth, gender, driver’s license numbers, Social Security numbers, health insurance information, and medical information, such as diagnosis/treatment information, lab results, and medications. Affected individuals have been notified by mail and advised to monitor their accounts, credit reports, and explanation of benefits statements for unusual activity. NCNV said additional administrative and technical safeguards have been implemented to protect against future security breaches.

The breach has been reported to the HHS’ Office for Civil Rights as affecting up to 11,700 patients.

Northern California Fertility Medical Center Notifies Patients About Attempted Ransomware Attack

Sacramento, CA-based Northern California Fertility Medical Center (NCFMC) has recently announced that it detected and stopped an attempted ransomware attack on its network. The attack was detected on July 24, 2022, and immediate action was taken to contain the attack, secure its systems, and eject the threat actors from its network. A third-party cybersecurity company was engaged to assist with the investigation and incident response and determine the extent and scope of the breach.

NCFMC said no evidence was found to indicate there had been any misuse of patient data, but during the time of unauthorized access to its systems, some sensitive data was exposed, including names and the statuses of ultrasounds performed at NCFMC, and/or cryopreserved tissue stored at NCFMC. No Social Security numbers or financial information were stored on the systems accessed in the attack.

NCFMC said it has altered its tools, policies, and procedures relating to the security of its systems and servers. Complimentary credit monitoring and identity theft protection services have been offered to affected individuals through CyberScout.

It is currently unclear how many individuals have been affected by the incident.

2,000-Record Data Breach Reported by The Coeur Group

Cynthia Paul, M.D., LLC, a psychiatrist doing business as The Coeur Group, in Omaha, NE, has notified 2,020 patients that some of their protected health information has potentially been accessed by an unauthorized individual who gained access to an employee’s email account. The unauthorized access was detected on July 26, 2022, with the investigation confirming the breach occurred between June 7, 2022, and July 12, 2022.

A comprehensive review of the affected email account confirmed it contained patient information such as names, addresses, dates of birth, and other demographic information, health insurance information, and limited clinical information, such as provider names, diagnoses/conditions, and medication information. A limited number of individuals also had their Social Security numbers and credit card information exposed.

In response to the breach, new authentication requirements have been implemented, including multifactor authentication, network procedures have been strengthened, firewalls have been enhanced, and additional alerts have been set up to warn about potential unauthorized access. Affected individuals have been offered a one-year membership to a credit monitoring service.

The post Data Breaches Reported by Neurology and Fertility Centers in Nevada and California appeared first on HIPAA Journal.

More Than 233,000 Patients Affected by Cyberattack on FMC Services

Posted by HIPAA Journal

FMC (Family Medicine Centers) Services, an Amarillo, TX-based network of primary care clinics in Amarillo and Canyon, has recently announced it was the victim of a hacking incident that was detected and blocked on July 26, 2022. A forensic investigation was conducted by a third-party cybersecurity firm to determine the nature and scope of the attack. That investigation did not uncover any evidence to suggest the cyberattack was conducted with a view to misusing patient information; however, files containing patients’ protected health information were exposed and may have been viewed. FMC Services said that at the time of issuing notifications to affected individuals, it had not been made aware of any cases of identity theft or other misuses as a result of the incident.

A comprehensive review of the exposed files confirmed they contained information such as names, mailing addresses, birth dates, and Social Security numbers, and potentially other types of protected health information. Affected individuals have been offered a complimentary membership to an identity theft monitoring service as a precaution.

FMC Services said cybersecurity is taken very seriously and steps are continuously made to improve security to protect against evolving cyber threats, and appropriate actions will be taken in response to this data security incident to further improve its security posture. The incident was reported to the HHS’ Office for Civil Rights as affecting up to 233,948 patients.

Geisinger & Seattle Children’s Hospital Affected by Ransomware Attack on Mail Service Vendor

Danville, PA-based Geisinger Health System and Seattle Children’s Hospital in Washington have both announced that they have been affected by a ransomware attack on their mail service vendor, Kaye-Smith.

Geisinger uses VisitPay for its online billing services, and VisitPay uses the marketing vendor Kaye-Smith. In Late May 2022, Kaye-Smith suffered a ransomware attack that rendered data in its systems unavailable. After conducting an investigation into the attack and a risk assessment, Kaye Smith determined that the threat actors behind the attack potentially accessed and obtained files that contained information provided by its clients for use in marketing and communications campaigns.

Geisinger and Seattle Children’s were notified in September that the data of their patients had potentially been compromised. Geisinger said names, addresses, medical record numbers, dates of service, and payment installment plans had potentially been compromised. Seattle Children’s said the breach involved names, addresses, provider names, medical record numbers, visit details, lab information, guarantor numbers, and the names of insurance carriers.

Kaye Smith, Geisinger, and Seattle Children’s said they are unaware of any cases of misuse of patient data as a result of the incident. Geisinger and Seattle Children’s are working with Kaye Smith to ensure new safeguards are implemented to prevent further security breaches, and Kaye Smith has offered credit monitoring services to affected individuals.

The breach was reported to OCR as affecting 6,750 Seattle Children’s Hospital patients and 2,857 Geisinger patients.

Johnson Memorial Hospital Victim of Malware Attack

Johnson Memorial Hospital in Stafford Springs, CT, part of Trinity Health of New England, has recently announced that the personal and protected health information of some of its patients has been exposed as a result of a malware infection at the Hartford, CT-based law firm, Reid and Riege.

The law firm detected the security breach on March 21, 2022, with the investigation confirming its systems were subjected to unauthorized access between March 21, and March 27, 2022. Johnson Memorial Hospital was notified about the incident on May 27, 2022. At the time of writing, it is unclear how many patients have been affected or the types of information potentially compromised in the attack.

The post More Than 233,000 Patients Affected by Cyberattack on FMC Services appeared first on HIPAA Journal.