HIPAA Breach News

More Than 4 Million Individuals Affected by Cyberattack on Independent Living Systems

Independent Living Systems, LLC (ILS), a Miami, FL-based provider of third-party administrative services to managed care organizations, has recently informed the Maine Attorney General that it suffered a data breach that has affected up to 4,226,508 individuals – the largest healthcare data breach to be reported so far this year.

According to the breach notification, ILS identified suspicious activity within its computer systems on July 5, 2022. Assisted by third-party cybersecurity experts, ILS determined that unauthorized individuals accessed its network between June 30, 2022, and July 5, 2022, and acquired files containing sensitive data.

A comprehensive review of the affected files was conducted, and ILS received the results on January 17, 2023. ILS then worked to validate those results and to obtain up-to-date contact information for the affected individuals so that notification letters could be sent.

The information compromised included names, addresses, dates of birth, state ID numbers, Social Security numbers, taxpayer ID numbers, financial account information, Medicare/Medicaid IDs, diagnosis codes/diagnosis information, admission/discharge dates, mental/physical conditions, treatment information, food delivery information, prescription information, billing/claims information, and health insurance information. The types of information varied from individual to individual.

The affected individuals had previously received services directly from ILS, via its covered entity subsidiaries: Florida Community Care LLC and/or HPMP of Florida Inc (dba Florida Complete Care), or from other data owner clients/health plans.

ILS said it added a preliminary notice to its website on September 2, 2022, but was not able to send notification letters until the review and validation process had been completed. Notification letters started to be mailed to affected individuals on March 14, 2023. Affected individuals have been offered complimentary credit monitoring services.

ILS said it has been working on implementing additional safeguards to prevent further cyberattacks, including fortifying its firewall, updating complexity requirements for credentials, implementing additional internal security procedures, updating its employee training protocols, and providing additional training to its workforce.

The post More Than 4 Million Individuals Affected by Cyberattack on Independent Living Systems appeared first on HIPAA Journal.

ZOLL Medical Says 1 Million Patients Affected by January Cyberattack and Data Breach

ZOLL Medical has recently announced that it has suffered a cyberattack in which the protected health information of more than one million patients was exposed. ZOLL Medical develops and markets emergency care medical devices such as resuscitation, ventilation, oxygen therapy, and cardiac monitoring products and associated software solutions.

According to the notification letter sent to the Maine Attorney General, unusual activity was detected within its internal network on January 28, 2023. The forensic investigation revealed on February 2, 2023, that unauthorized individuals had gained access to parts of the network that included patient information such as names, addresses, dates of birth, and Social Security numbers. The individuals affected either used or were previously considered for use of the ZOLL LifeVest wearable cardioverter defibrillator (WCD).

ZOLL Medical did not provide details of the exact nature of the cyberattack, such as whether malware or ransomware was involved or whether any data was exfiltrated, but did state that no evidence of actual or attempted misuse of patient data has been detected.

Notification letters are now being mailed to all affected individuals. While data misuse has not been detected, as a precaution against identity theft and fraud, affected individuals have been offered complimentary credit monitoring and identity theft protection services for 24 months. In response to the cyberattack, ZOLL Medical is evaluating its security measures and will augment them, as appropriate, to improve security and prevent similar incidents in the future.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal; however, the notification to the Maine Attorney General indicates the protected health information of 1,004,443 individuals has been exposed.

This isn’t the first large data breach to affect ZOLL Medical. In 2018, the protected health information of approximately 277,000 users of its medical equipment was exposed due to a breach at a third-party vendor, Barracuda Networks, where a server migration error resulted in parts of ZOLL’s email archive being exposed online.


Ransomware Attack Announced by Codman Square Health Center

Codman Square Health Center in Boston, MA, has confirmed that it was the victim of a ransomware attack in November 2022 in which hackers gained access to the protected health information of 10,161 current and former patients.

The incident was detected on November 28, 2022, and third-party digital forensics experts were engaged to investigate the security breach and determine the nature and scope of the attack. The investigation confirmed that unauthorized individuals gained access to parts of its network between November 23 and November 28, 2022, during which time they may have viewed or acquired files containing patient data.

Codman Square Health Center said it was confirmed on January 25, 2023, that a folder on the compromised part of its network contained patient data, although it was not possible to tell if that folder was accessed. The files in that folder included names, addresses, birth dates, medical record numbers, diagnoses, treatment information, and claims information.

Notifications are being sent to affected individuals and steps have been taken to improve privacy and security and prevent further incidents of this nature.

Email Exposure Reported by Community Health Center of Greater Dayton

Community Health Center of Greater Dayton in Ohio has recently announced that the protected health information of more than 500 patients has been exposed as a result of an email error. On February 2, 2023, a business associate was sent an email that included a list of patients’ dental appointments. The business associate was authorized to receive that information; however, the email was not encrypted and therefore could have been intercepted.

The list included patient names, dates of birth, medical record numbers, appointment dates/times, and a brief description of why the appointment was booked. The risk of misuse of the data is believed to be low, but notification letters have been sent alerting patients about the HIPAA breach. Additional safeguards have been implemented and the staff has been retrained on how to send emails securely.


Pixel Use Results in Impermissible Disclosure of the PHI of 3.1 Million Cerebral Platform Users

The telehealth company, Cerebral Inc., has confirmed that pixels and other tracking technology on its website resulted in the impermissible disclosure of the personal and protected health information of 3,179,835 patients. Cerebral is a fully remote telehealth provider that provides access to mental health services, including online therapy, mental health assessments, and visits with clinicians to treat mental health issues such as anxiety, depression, and insomnia. On January 3, 2023, Cerebral said it discovered pixels and other tracking technologies on its platform had collected and transferred sensitive HIPAA-protected information to third parties such as Meta (Facebook), Google, TikTok, and others.

Cerebral said in its breach notice that tracking technologies have been used by many brick-and-mortar healthcare providers, telehealth companies, and other businesses on their websites, but said it was made aware that these technologies could potentially capture and impermissibly disclose sensitive data to the companies that provided them. An investigation was launched into the use of these tools, which confirmed that the tracking technologies had been added to Cerebral’s platforms on October 12, 2019. The review confirmed that protected health information had been impermissibly disclosed to certain third parties and some subcontractors, without first obtaining patient consent or business associate agreements that included HIPAA-required assurances about uses and disclosures of any transferred protected health information.

Cerebral confirmed that the pixels and tracking technologies were disabled when the issue was detected, and were either removed or reconfigured to prevent any further unauthorized data sharing with any third party or subcontractor that was unable or unwilling to meet HIPAA requirements. Security practices and technology vetting procedures have also been enhanced to mitigate the risk of similar impermissible disclosures in the future.

Cerebral said it is unaware of any misuse of the transferred data, which may have included an individual’s name, phone number, email address, date of birth, IP address, Cerebral client ID number, and other demographic information if they created a Cerebral account. If they completed or partially completed a mental health self-assessment, information such as the service the individual selected, assessment responses, and certain associated health information may also have been disclosed. If a subscription plan was purchased, the information disclosed may also have included the plan type, appointment dates/booking information, treatment and other clinical information, health insurance/pharmacy benefit information, and insurance co-pay amounts.

Notification letters were sent to all individuals who fell into one of those categories, even if they never became Cerebral patients or never provided information beyond what was required to create a Cerebral account. Cerebral confirmed that Social Security numbers, credit card information, and bank account information were not disclosed; however, out of an abundance of caution, free credit monitoring services have been offered to affected individuals. Cerebral also provided information in the notification letters on how privacy can be protected against tracking technologies, including blocking/deleting cookies, using browsers that have privacy features such as an incognito mode, and setting privacy protections in social media and Google accounts.
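A first check any covered entity can run on its own web properties is a static inventory of the third-party script, image and iframe sources a page loads, with particular attention to tracker URLs that already carry data in their query string before any script executes. The Python below is an added example of that audit over a constructed page; it is not Cerebral’s code or configuration, and the page host, the sample HTML and the short tracker-host list are assumptions made for illustration (the list covers only the vendors named in the notice and is not exhaustive).

```python
"""Static audit of a page for third-party tracking resources.

Added example with constructed HTML and an illustrative (not exhaustive)
tracker-host list; this is not Cerebral's code or configuration.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Illustrative mapping of tracker hosts to the vendors named in the notice.
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel",
    "www.googletagmanager.com": "Google Tag Manager",
    "www.google-analytics.com": "Google Analytics",
    "analytics.tiktok.com": "TikTok Pixel",
}

PAGE_HOST = "app.example.com"  # assumed first-party host for the sample page

# Constructed sample page: an assessment page that loads a tag manager and a
# pixel script, and fires a noscript image pixel whose query string already
# carries a client id and the service the visitor selected.
SAMPLE_HTML = """
<html><head>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE"></script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script src="/static/app.js"></script>
</head><body>
<noscript><img height="1" width="1"
 src="https://www.facebook.com/tr?id=000&amp;ev=PageView&amp;cd[service]=anxiety&amp;cd[client_id]=c-123"/></noscript>
<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-EXAMPLE"></iframe>
<img src="/static/logo.png">
</body></html>
"""


class ResourceCollector(HTMLParser):
    """Collects the src of every script, img and iframe tag."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "img", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.urls.append(src)


def audit_page(html, page_host=PAGE_HOST):
    """Return one finding per third-party resource the page loads."""
    collector = ResourceCollector()
    collector.feed(html)
    findings = []
    for url in collector.urls:
        parts = urlparse(url)
        host = parts.netloc.lower()
        if not host or host == page_host:
            continue  # relative or first-party resource
        findings.append({
            "url": url,
            "host": host,
            "vendor": TRACKER_HOSTS.get(host, "unknown third party"),
            "params": sorted(parse_qs(parts.query).keys()),
        })
    return findings


def leaky_requests(findings, config_params=("id",)):
    """Known-tracker requests whose URL carries parameters beyond plain
    configuration (e.g. a container id): data that leaves the browser as
    soon as the page renders, before any consent script can run."""
    return [
        f for f in findings
        if f["vendor"] != "unknown third party"
        and any(p not in config_params for p in f["params"])
    ]


if __name__ == "__main__":
    results = audit_page(SAMPLE_HTML)
    for f in results:
        print(f"{f['vendor']:<20} {f['host']:<28} params={f['params']}")
    for f in leaky_requests(results):
        print("DATA IN URL:", f["url"])
```

This only sees what is in the served HTML; tags injected at runtime by a tag manager, and the event payloads a pixel script sends after it loads, require inspecting the browser’s network requests rather than the page source. A hit on a patient-facing page is a prompt to check whether the vendor is under a business associate agreement and what the tag is configured to send, not proof of a disclosure on its own.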


Community Health Systems to Notify Up to 1 Million Individuals About GoAnywhere Data Breach

In mid-February, Community Health Systems filed a report with the U.S. Securities and Exchange Commission (SEC) confirming it had been affected by a security incident involving its secure file transfer software, Fortra’s GoAnywhere MFT. The Clop ransomware gang claimed responsibility for the attack and claimed to have exfiltrated data from around 130 users of the software. As per the group’s modus operandi, ransom demands were issued along with threats to publish the stolen data; however, somewhat atypically, ransomware was not used to encrypt files. In the SEC filing, Community Health Systems explained that the protected health information of up to 1 million individuals was potentially compromised and stated that the investigation into the incident was ongoing.

Community Health Systems has now released further information on the data breach and said it will start sending notification letters to all affected individuals in mid-March. Community Health Systems confirmed that Fortra contracts with CHSPSC, LLC, which is a professional services company that provides services to hospitals and clinics affiliated with Community Health Systems Inc. Fortra notified CHSPSC that a security incident was detected on the evening of January 30, 2023, and took the system offline on January 31, 2023. The investigation confirmed that an unauthorized individual had gained access to the system between January 28, 2023, and January 30, 2023, by exploiting a previously unknown vulnerability – a pre-authentication command injection issue in GoAnywhere MFT (CVE-2023-0669) – and compromised a set of files throughout the GoAnywhere platform. CHSPSC was notified about the breach on February 2, 2023, and initiated its own investigation to determine the extent to which patient data had been affected.

Community Health Systems has now confirmed that the personal and protected health information of patients of CHSPSC affiliates has been compromised, along with the personal information of a limited number of employees and other individuals. That information includes full names, addresses, medical billing information, insurance information, medical information such as diagnoses and medications, and demographic information, such as birth dates and Social Security numbers.

Fortra said it terminated access when the breach was detected by taking the platform offline. The GoAnywhere platform has now been rebuilt with additional system limitations and restrictions, and a patch for the exploited vulnerability was released on February 6, 2023. CHSPSC has confirmed that it has implemented further security measures to harden the security of the GoAnywhere platform.

All affected individuals will be offered complimentary identity restoration and credit monitoring services for 24 months. Community Health Systems has also confirmed that it has been assisting law enforcement, the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) with their investigations.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal so it is currently unclear exactly how many individuals have been affected.


PII of Lawmakers and Capitol Hill Staff Stolen in DC Health Link Data Breach

The personal information of lawmakers and staffers has been stolen in a cyberattack on the health insurance marketplace, DC Health Link. DC Health Link serves around 100,000 people, including 11,000 Congress members and staffers. The investigation into the data breach is still in the early stages so it is currently unclear how many Congress members and staffers have been affected. At this stage of the investigation, it appears that the hacker behind the attack did not specifically target the personally identifiable information (PII) of members of Congress or congressional staff.

House Chief Administrative Officer, Catherine Szpindor, issued a statement confirming there had been “a significant data breach” that potentially involved the theft of the PII of thousands of enrollees. She said the Federal Bureau of Investigation (FBI) has been assisting with the investigation and believes the PII of hundreds of Congress members and staffers has been stolen. She also confirmed that some DC Health Link Customer data has been exposed on a public forum. An investigation is currently underway to determine how access to the health insurance marketplace was gained and the extent of the data breach. She recommends credit freezes be placed with the three main credit bureaus as a precaution and to also extend those credit freezes to spouses and dependents, as their information may also have been compromised.

Senate members were notified about the data breach via email by the Senate Sergeant at Arms, who said the stolen data included full names, dates of enrollment, relationship (self, spouse, child), and email addresses, and that no other PII appeared to have been compromised. House Speaker Kevin McCarthy (R-CA) and House Minority Leader Hakeem Jeffries (D-NY) sought further information about the data breach from DC Health Link and the actions that were being taken in response to the breach.

An established member of a hacking forum was attempting to sell the stolen data, which was claimed to include the PII of 170,000 individuals and included personal information, dates of birth, the names of spouses and dependents, Social Security numbers, and other sensitive information. A sample of the PII of 11 individuals was added to the listing as proof that the dataset was legitimate. McCarthy and Jeffries said the FBI purchased some of the data and confirmed that Social Security numbers were included along with other sensitive information. The hacker appeared not to have realized the dataset included the PII of members of Congress and staffers; however, now that the data breach has been made public that will be abundantly clear. The hacker has since updated the post to indicate the data has been sold. A spokesperson for the DC Health Benefit Exchange Authority, which runs DC Health Link, said credit monitoring services are being offered to affected individuals.


Asante Discovers 9 Years of Unauthorized Medical Record Access by a Physician

Asante, an Oregon-based health system with three hospitals and more than 30 primary care facilities, has started notifying certain patients that their medical records have been accessed by a local doctor who had no treatment relationship with the patients.

When the unauthorized access was detected, an investigation was launched, which revealed that the access had been occurring for around 9 years, starting in 2014. The doctor – Dr. Paul Hoffman – has had his access to the electronic medical record system terminated. Asante is satisfied that the records were not accessed with any malicious intent and that the medical records were simply accessed out of curiosity, and said there is no reason to suggest the affected patients are at risk of identity theft or fraud. The types of information accessed included names, demographic information, and treatment information. No financial information, driver’s license numbers, or Social Security numbers were viewed. Asante said it is now investigating how to improve the detection of unauthorized medical record access by its staff.

The incident has not yet appeared on the HHS’ Office for Civil Rights website, so it is unclear at this stage how many individuals have been affected.
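The detection Asante says it is now investigating is, in outline, a join of the EMR access log against the encounter record: any chart opened by a user who has no recent treatment relationship with that patient, and no documented break-the-glass reason, is a candidate for review. The following Python is an added illustration of that check over a constructed audit-log extract and encounter table; it is not Asante’s tooling or data, and the column names, the 90-day relationship window, the break-the-glass field and the sample users are assumptions made for the example.

```python
"""Flagging EMR chart accesses with no treatment relationship.

Added illustration over a constructed audit-log extract and encounter table;
column names, users, the 90-day window and the break-the-glass field are
assumptions for the example, not Asante's system or data.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-log extract: who opened which chart, and whether the
# user recorded a break-the-glass reason at the time.
AUDIT_LOG = """\
timestamp,user,patient_id,action,btg_reason
2023-01-09T08:05:00,drsmith,P100,view_chart,
2023-01-09T08:40:00,drsmith,P200,view_chart,
2023-01-09T09:12:00,drjones,P100,view_chart,
2023-01-10T17:55:00,drjones,P300,view_chart,
2023-01-10T18:01:00,drjones,P400,view_chart,
2023-01-10T18:03:00,drjones,P500,view_chart,emergency consult
2023-01-11T10:30:00,nurse01,P200,view_chart,
"""

# Constructed encounter table: which clinicians were on a patient's care team
# and when. drjones saw P100 once in mid-2022, well outside the window.
ENCOUNTERS = """\
patient_id,user,encounter_date
P100,drsmith,2023-01-08
P200,drsmith,2023-01-09
P200,nurse01,2023-01-09
P100,drjones,2022-06-01
"""

# Assumed policy: a relationship justifies access for 90 days either side of
# an encounter (covers pre-visit review and post-visit follow-up).
RELATIONSHIP_WINDOW = timedelta(days=90)


def load_relationships(encounters_csv):
    """Map (patient_id, user) -> list of encounter dates."""
    rel = defaultdict(list)
    for row in csv.DictReader(io.StringIO(encounters_csv)):
        rel[(row["patient_id"], row["user"])].append(
            datetime.fromisoformat(row["encounter_date"]))
    return rel


def has_relationship(rel, patient_id, user, when):
    return any(abs(when - d) <= RELATIONSHIP_WINDOW
               for d in rel.get((patient_id, user), []))


def flag_accesses(audit_csv, encounters_csv):
    """Return (user, patient_id, timestamp) for each chart access that is
    neither covered by a treatment relationship nor by a documented
    break-the-glass reason."""
    rel = load_relationships(encounters_csv)
    flagged = []
    for row in csv.DictReader(io.StringIO(audit_csv)):
        if row["btg_reason"]:
            continue  # documented override: audited on its own track
        when = datetime.fromisoformat(row["timestamp"])
        if not has_relationship(rel, row["patient_id"], row["user"], when):
            flagged.append((row["user"], row["patient_id"], row["timestamp"]))
    return flagged


def summarize_by_user(flagged):
    """Distinct patients per user among flagged accesses; the figure that
    separates one-off coverage from a pattern of browsing."""
    per_user = defaultdict(set)
    for user, patient_id, _ in flagged:
        per_user[user].add(patient_id)
    return {user: len(patients) for user, patients in per_user.items()}


if __name__ == "__main__":
    hits = flag_accesses(AUDIT_LOG, ENCOUNTERS)
    for user, patient_id, ts in hits:
        print(f"{ts} {user} opened {patient_id} with no treatment relationship")
    print("distinct patients per user:", summarize_by_user(hits))
```

Aggregating by user matters more than any single hit: a clinician who legitimately covers for a colleague will produce isolated flags, whereas curiosity-driven browsing shows up as many distinct patients over a long period. Documented break-the-glass accesses are skipped here so they can be audited on a separate, slower cadence rather than lost in the noise; a relationship window that is too generous, or an encounter table that is incomplete, will hide exactly the long-running pattern that went undetected for years.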

Patient Data Compromised in Hacking Incident at Northeast Surgical Group

Northeast Surgical Group in Macomb Township, MI, has recently notified 15,298 patients that some of their sensitive health information has been compromised in a recent hacking incident. Suspicious activity was detected within its network on January 8, 2023, and third-party cybersecurity consultants were engaged to conduct a forensic investigation.

Northeast Surgical Group explained in its notification letters that while the breach was detected in January, it took more than a month to determine the extent to which patient data was involved. The forensic investigation concluded on February 13, 2023, and confirmed that information such as names, addresses, and Social Security numbers had been compromised. Some patients also had their date of birth, medical information, and treatment information exposed. A review was conducted to assess the security of its network and additional monitoring tools have now been deployed.

Northeast Surgical Group said it had not found any evidence to suggest that any patient information has been or will be misused as a result of the breach but has provided affected individuals with complimentary credit monitoring services for 12 months. This appears to have been an attack by the BianLian threat group, which has uploaded some of the stolen data to its data leak site.

White Bird Clinic Says Email Error Resulted in a Disclosure of Patients’ PHI

White Bird Clinic in Oregon has recently notified 584 dental patients that some of their personal and protected health information has been impermissibly disclosed due to an email error. A report containing patient names, dates of birth, medical record numbers, and demographic information was accidentally sent to a patient. The patient confirmed that the attached file had not been opened or further disclosed and said the email and attachment had been deleted.


Dental Health Management Solutions Notified Patients About Historic Data Breach

Cedar Park, TX-based Dental Health Management Solutions (DHMS), a provider of dental services to the government/military and private patients, has recently announced – via its legal counsel – that the protected health information of certain patients was exposed in a 2021 hacking incident. In a February 2023 notification to the Maine Attorney General, DHMS said it detected a network intrusion on or around August 20, 2021, with the forensic investigation confirming its network was compromised on July 17, 2021.

A comprehensive review was conducted of all files that were potentially accessed or acquired in the attack and confirmed that 3,205 individuals have been affected. The types of information exposed varied from individual to individual and may have included names, addresses, medical information, health insurance information, Medicaid identification numbers, driver’s licenses, account and routing numbers, and Social Security numbers.

DHMS said it has changed passwords and implemented multifactor authentication and offered affected individuals complimentary credit monitoring and identity protection services. The notification letter lacks an explanation of why it took 18 months from the date of discovery of the breach for notification letters to be sent, when the HIPAA Breach Notification Rule requires notifications to be issued within 60 days of the discovery of a breach.

Aloha Nursing Rehab Centre Breach Affects 20,000 Patients

Aloha Nursing Rehab Centre in Kaneohe, Hawaii, has recently reported a data breach to the HHS’ Office for Civil Rights that has affected 20,216 patients. According to the notification sent to the Maine Attorney General, its IT systems were accessed by an unauthorized individual on or around July 8, 2022. That individual accessed a limited number of electronic records in its systems.

Aloha Nursing Rehab Centre said the investigation and document review revealed on or around December 28, 2022, that the files accessed in the attack included patient information. The types of information involved included names, dates of birth, Social Security numbers, financial account information, driver’s license numbers, and state identification numbers. Affected individuals were notified by mail in February 2023 and were offered complimentary credit monitoring and identity theft protection services and will be protected by a $1,000,000 identity theft insurance policy.

The Chautauqua Center Identifies Limited Exposure of Patient Information

The Chautauqua Center (TCC) in Jamestown, New York, has recently announced that the protected health information of 747 individuals has been exposed in a data breach involving its business associate, WebPT, which provides electronic medical record services for Chautauqua Physical and Occupational Therapy.

The incident exposed the information of Chautauqua Physical and Occupational Therapy patients to other healthcare facilities during an upgrade to the EMR system on December 22, 2022. The referral report that was accessible to other healthcare clinics included names, case name/creation date, clinical notes from the initial evaluation, last seen/referral dates, insurance provider, treatment clinic, referring physician/physician group name, secondary insurance information, and total visit count for each case.

Due to the limited nature of the data involved, and the fact that the information was only exposed to HIPAA-covered entities, the risks to patients are believed to be minimal; however, all individuals were notified about the exposure in January. Access to the report was disabled within 19 hours of discovery of the exposure, an analysis was performed to identify the cause of the breach, the staff was retrained, and statements were obtained from all affected clinics confirming that there had been no use or further disclosure of the report.
