HIPAA Breach News

Data Breaches Reported by University Urology and McPherson Hospital

Posted by HIPAA Journal

University Urology – Hacking Incident

University Urology in New York City has started notifying 56,816 individuals that unauthorized individuals gained access to some of its systems and potentially obtained their personal and health information. Suspicious activity was detected within its computer systems on February 1, 2023, and third-party cybersecurity experts were engaged to conduct a forensic analysis of the incident to determine the nature and scope of the attack. The investigation concluded on March 3, 2023, that files within its network were accessed. A manual review of those files was conducted and concluded on March 30, 2023. Contact information was then verified, and notification letters were sent on May 1, 2023.

The types of information that were exposed varied from individual to individual and may have included first and last name, date of birth, address, medical condition, medical treatment, test results, prescription information, health insurance information, subscriber ID number, health plan beneficiary number, billing/invoice information, and username/email address plus passwords/security questions and answers that would allow account access.

University Urology said Sentinel One agents were deployed for 30 days, which allowed the cybersecurity firm to monitor its environment for malicious activity and indicators of compromise. It has now been confirmed that all methods of persistence, unauthorized remote access tools, and malicious files have been removed from its systems, and additional security measures have now been implemented.

While there have been no reported cases of actual or attempted misuse of the exposed data, complimentary credit monitoring and identity theft protection services have been offered to affected individuals for 12 or 24 months.

McPherson Hospital – Ransomware Attack

McPherson Hospital in Kansas has recently issued notification letters to 19,020 patients to alert them about a July 2022 ransomware attack. According to the breach notifications, third-party cybersecurity experts were engaged to investigate the data breach to determine the extent of the unauthorized activity and help with securing its systems. The internal investigation concluded on March 15, 2023, that patient data may have been acquired, including names, dates of birth, Social Security numbers, medical treatment information, billing information, and health insurance information. Notification letters were sent in early May, almost 10 months after the attack.

Affected individuals have been offered complimentary single-bureau credit monitoring services. McPherson Hospital said its technical safeguards have been reviewed and enhanced to prevent similar incidents in the future.

Catholic Health – Unauthorized Access by Employee of Business Associate

Catholic Health in New York has recently announced that the protected health information of some of its long-term care residents has been exposed in a security breach at one of its business associates, Minimum Data Set Consultants (MDS). MDS launched an investigation into a potential data breach in March 2023 after discovering suspicious system activity.

The investigation confirmed that an unauthorized individual accessed patient data on or around August 27, 2022, such as names, birthdates, Social Security and Medicare numbers, and diagnosis information. The unauthorized access was traced to a former employee. MDS has confirmed that that individual no longer has access to the system and that the matter has been reported to law enforcement, which has launched an investigation. While patient data is not believed to have been accessed with a view to committing identity theft or fraud, affected individuals have been told to monitor their accounts for suspicious activity.

It is currently unclear how many patients have been affected.

The post Data Breaches Reported by University Urology and McPherson Hospital appeared first on HIPAA Journal.

University of Iowa Hospitals and Clinics Sued for Unlawful Disclosures of PHI to Facebook

Posted by HIPAA Journal

A lawsuit has been filed in the U.S. District Court for the Southern District of Iowa that alleges University of Iowa Hospitals and Clinics (UIHC) unlawfully, negligently, and recklessly disclosed patients’ private information to Facebook, without obtaining patient consent.

HIPAA_regulated entities are facing increased scrutiny of their website practices following the discovery of widespread use of website tracking code, often referred to as pixels, for monitoring website visitor activity. The snippets of code record information about website and app activity that is tied to individual users. The information gathered can be used to improve the user experience, but the information collected is often transferred to the providers of the code. A study that was recently published in Health Affairs found 98.6% of nonfederal acute care hospital websites in the United States had tracking pixels on their websites, which collected and transferred sensitive data to Meta (Facebook), Google, and other third parties. The information transmitted could be used for a variety of purposes, such as serving targeted advertisements based on specific medical conditions researched or disclosed on healthcare providers’ websites.

The extent to which patient privacy was being violated prompted the HHS’ Office for Civil Rights to issue guidance in 2022 on the use of website tracking code, and this year OCR Director Melanie Fontes Rainer confirmed that these unauthorized disclosures of PHI are now an enforcement priority for OCR. Lawyers have also been quick to take action, with more than 50 lawsuits already filed against healthcare entities over the use of these tracking tools.

The UIHC lawsuit – Yeisley v. University of Iowa Hospitals & Clinics – was filed on behalf of plaintiff Eileen Yeisley and similarly situated individuals. The lawsuit claims UIHC manages or controls two websites that are used for booking appointments, locating treatment facilities and physicians, and registering patients for events and classes. The lawsuit alleges UIHC intentionally included a Facebook pixel on both of those websites that shared visitor activity with Facebook and linked that information to individuals’ personal Facebook accounts. The lawsuit also alleges UIHC installed a Facebook conversion application programming interface (API) on the websites, which works independently of the pixel and allows additional disclosures of protected health information (PHI) to Facebook.

The use of these code snippets results in the sensitive data of patients and prospective patients being sent to Facebook without their consent or knowledge and that information can then be sold by Facebook to third parties to allow individuals to be targeted with advertisements specific to medical conditions disclosed or researched on the websites. The lawsuit claims that the code was added by UIHC to boost profits and includes evidence – screenshots – that shows the source code of UIHC websites includes the Facebook code snippets.

OCR confirmed in its guidance that these disclosures of PHI are generally not permitted by the HIPAA Privacy Rule, and warrant notifications under the HIPAA Breach Notification Rule. Several healthcare providers have reported breaches of PHI due to tracking code to OCR, but UIHC has yet to issue breach notifications. University of Iowa Health has issued a statement in response to the allegations, “University of Iowa Health Care is committed to protecting patient privacy. We do not share protected health information of our patients with Meta or Facebook. We will review the lawsuit once received.”

The lawsuit alleges negligence, invasion of privacy, unjust enrichment breach of confidence, and violations of the Computer Fraud and Abuse Act and the Electronic Communications Privacy Act and seeks class action status, equitable and injunctive relief, and an order from the court to prevent UIHC from engaging in this activity in the future. The lawsuit also seeks an award of damages, including actual, consequential, punitive, and nominal damages.

The post University of Iowa Hospitals and Clinics Sued for Unlawful Disclosures of PHI to Facebook appeared first on HIPAA Journal.

NetGen Healthcare Reports Breach Affecting More than 1 Million Patients

Posted by HIPAA Journal

NextGen Healthcare has started notifying more than 1 million individuals across the United States about a hacking incident that exposed their protected health information. NextGen Healthcare is an Atlanta, GA-based provider of electronic health records and practice management solutions to doctors and ambulatory care providers. On March 30, 2023, suspicious activity was detected in its NextGen Office system and third-party cybersecurity experts were engaged to conduct a forensic investigation to determine the nature and scope of the security breach. The investigation revealed unauthorized individuals had access to the system between March 29, 2023, and April 14, 2023.

The attackers had access to a limited dataset during that period that included names, addresses, dates of birth, and Social Security numbers. No evidence was found to indicate the attackers accessed patient medical records or any health or medical data and there have been no reports of any actual or attempted misuse of patient data. Passwords were reset when the breach was discovered, and additional security measures have now been implemented to strengthen security. Notification letters have already started to be sent to affected individuals, who have been offered complimentary credit monitoring and identity theft protection services for 24 months.

The data breach has yet to appear on the HHS’ Office for Civil Rights breach portal, but is showing on the websites of several state Attorneys General. The breach notification issued to the Maine Attorney General indicates 1,049,375 individuals were affected in total, including 3,913 Maine residents. The breach was reported to the Texas Attorney General as involving the PHI of 131,815 Texas residents.

This is the second cyberattack to affect NextGen Healthcare in recent months. In January 2023, NextGen was added to the data leak site of the BlackCat ransomware group, although the listing was later taken down. The incident was investigated and a spokesman for NextGen said no patient data had been exposed or downloaded, and consequently this was not a reportable data breach.

Ransomware Gangs Leak Albany ENT & Allergy Services Data

The BianLian and RansomHouse ransomware groups have recently added Albany ENT and Allergy Services to their data leak sites, with the latter claiming to have stolen 1 TB of data before encrypting files. According to the listings, files were encrypted on March 27, 2023; however, Albany ENT and Allergy Services has yet to announce a cyberattack on its website. The dual listings suggest that both groups have conducted an attack; although only RansomHouse has posed evidence on its data leak site to back up its claims.

The post NetGen Healthcare Reports Breach Affecting More than 1 Million Patients appeared first on HIPAA Journal.

NationsBenefits Holdings Confirms 3 Million Record Data Breach

Posted by HIPAA Journal

NationsBenefits Holdings, LLC, a provider of supplemental benefits, flex cards, and member engagement solutions to health plans and managed care organizations, has confirmed that it has been affected by a security breach involving Fortra’s GoAnywhere MFT file transfer solution. The hackers behind the attack – the Clop ransomware group – gained access to NationsBenefits data on January 30, 2023, and exfiltrated that information from the GoAnywhere MFT solution. A ransom demand was issued, payment of which was required to prevent the publication of the stolen data. NationsBenefits was on of 130 organizations to have data stolen in the attacks.

The Clop group exploited a previously unknown (zero-day) vulnerability in the GoAnywhere MFT solution, which allowed them to access and steal data from vulnerable on-premises MFT servers. NationsBenefits Holdings said the Clop group was only able to access two MFT servers; however, a review of the files on those servers revealed they contained the protected health information of 3,037,303 health plan members, including, but not limited to, Aetna ACE, Elevance Health Flexible Benefit Plan, and UAW Retiree Medical Benefits Trust. The compromised information included: first and last name, address, phone number, date of birth, gender, health plan subscriber ID number, Social Security number, and/or Medicare number.

Other healthcare organizations known to have been affected include Community Health Systems (1 million individuals) and Brightline (at least 964,300 individuals); however, NationsBenefits is currently the worst affected healthcare entity. Overall, more than 4 million individuals had their protected health information stolen in these attacks. NationsBenefits said it learned about the security breach when its security monitoring team received an alert from one of its MFT servers at 16:02 on February 7, 2023, indicating unauthorized access. Fortra was contacted and asked to assist with the investigation, with the initial review confirming that the MFT server had been accessed and data had been stolen. The subsequent internal investigation confirmed that the threat actor did not move laterally to other NationsBenefits systems or applications.

NationsBenefits confirmed that prior to the attack layered security controls were already in place, but said security measures have since been strengthened. NationsBenefits has taken its MFT servers permanently offline and has transitioned to an alternative file transfer solution that does not rely on Fortra software. Notification letters started to be mailed to affected individuals on April 13, 2023. Complimentary credit monitoring services have been offered for 24 months.

The post NationsBenefits Holdings Confirms 3 Million Record Data Breach appeared first on HIPAA Journal.

Brightline: At Least 964,300 Individuals Affected by Fortra GoAnywhere Hack

Posted by HIPAA Journal

Brightline, a provider of virtual behavioral and mental services to families, has confirmed it was affected by the cyberattack on Fortra’s GoAnywhere MFT file transfer solution, which saw a zero-day vulnerability exploited in attacks on 130 organizations over a 10-day period starting on January 18, 2023. While the Clop threat group conducts ransomware attacks, ransomware was not used in these attacks. Like the attacks that exploited a vulnerability in the Accellion File Transfer Appliance (FTA) in 2021, the group opted for data theft and extortion with no file encryption.

Brightline explained in its website breach notification that the attack occurred on January 30, 2023, and said Fortra’s investigation confirmed that files had been downloaded that contained protected health information. Brightline was notified about the attack by Fortra on February 4, 2023. Brightline’s internal investigation confirmed that the attack was limited to data within the GoAnywhere solution and that its systems had not been compromised. After determining the extent of the breach and the individuals affected, Brightline started notifying the affected HIPAA-Covered Entities. The breach involved names, addresses, dates of birth, member identification numbers, date of health plan coverage, and/or employer names. Affected individuals have been offered 24 months of complimentary credit monitoring services.

In response to the breach, Brightline deactivated the unauthorized user’s credentials used to access its data, turned off the GoAnywhere service, and rebuilt it with the zero-day vulnerability addressed. Additional data security measures were also implemented, including limiting access to verified users, removing all data in the service, and taking steps to reduce data exposure until an alternative file transfer solution can be implemented.  Affected individuals were notified starting on April 7, 2023, and notifications were issued on behalf of some affected Covered Entities. Brightline was listed on the Clop data leak site on March 16, 2023, although has since been removed. While this typically only occurs when a ransom is paid, a member of the Clop group emailed Bleeping Computer to say that Brightline’s data were deleted as the group was unaware of the nature of the business conducted by Brightline and said, “We ask for forgiveness for this incident,” which suggests no ransom was paid.

Brightline has published a list of 58 HIPAA-Covered Entities that were affected by the data breach and has – at the time of writing – submitted 9 data breach notifications to the HHS’ Office for Civil Rights. Those notifications indicate 964,300 individuals have been affected. Those notifications indicate between 4,044 and 462,241 individuals were affected. It is unclear to what extent the notifications cover the 58 affected Covered Entities. If a separate breach notification has been issued for each affected Covered Entity, 49 of the affected Covered Entities may be issuing their own notifications, which would likely take the total number of affected individuals well past 1,000,000. Some of the notifications issued to state attorneys general by the affected clients state that Brightline issued multiple requests to Fortra asking for it to issue notifications to affected individuals and regulators, but Fortra refused.

The 58 Covered Entities known to have been affected are detailed below:

  • Insitu, Inc.
  • IUOE
  • Keller Supply
  • Kodiak Island Borough School District
  • KPMG LLP
  • Legal Name: Continental Mills, Inc. Common Name: The Krusteaz Co
  • MacDonald-Miller Facility Solutions, LLC
  • Manke Lumber Company Inc.
  • MIIA
  • Municipality of Anchorage
  • Nintendo of America Inc.
  • Northwest Cascade, Inc.
  • Oberto Snacks Inc.
  • PND Engineers, Inc.
  • Pyrotek Inc
  • Rail Management Services
  • Seagen Inc.
  • Seward Association for the Advancement of Marine Science dba Alaska SeaLife Center
  • SolstenXP, Inc.
  • SOUTH SHORE HEALTH
  • Space Needle LLC & Center Art LLC
  • Spokane Teachers Credit Union
  • Stanford Health Care – ValleyCare Employee Health Care Plan
  • Stanford Health Care Employee Health and Welfare Benefit Plan
  • Stanford Medicine Partners Employee Health and Welfare Benefit Plan
  • Stanford University Post-doctoral Scholars
  • Symetra Life Insurance Company
  • Tanana Chiefs Conference
  • The Board of Directors of the Leland Stanford Junior University (Educated Choices)
  • Undead Labs
  • University of Alaska
  • VERTEX
  • Walla Walla University
  • Washington Trust Bank
  • Whitman College

The post Brightline: At Least 964,300 Individuals Affected by Fortra GoAnywhere Hack appeared first on HIPAA Journal.

Ransomware Attack Results in 2 Week Shutdown of Operations at TN Medical Clinic

Posted by HIPAA Journal

A cyberattack on Murfreesboro Medical Clinic & SurgiCenter (MMC) in Tennessee forced the healthcare provider to completely shut down operations for around two weeks to contain to attack and restore its IT systems. It is common for healthcare organizations to perform an emergency shutdown of the network to contain a cyberattack and limit the harm caused, and to operate under emergency procedures with staff recording patient information manually while systems are out of action. Some attacks see ambulances diverted and some appointments canceled for patient safety reasons, but the disruption caused by this attack was much more extensive.

The cyberattack occurred on April 22, 2023, and the network was rapidly shut down to contain the attack. Third-party cybersecurity experts were engaged to assist with the investigation and recovery from the attack. MMC said the rapid action taken in response to the security breach limited the damage caused, and work has continued round the clock to safely bring systems back online and enhance security controls. MMC has been working with cybersecurity experts and law enforcement to investigate the incident and determine the extent of the attack, and while those processes were completed, the decision was taken to close all operations. MMC planned to reopen on a limited basis on May 3, 2023, then restore full operations shortly thereafter; however, the recovery process took longer than planned.

The MMC Pediatric and Internal & Family Walk-In Clinics at its Garrison Drive location reopened on May 4, 2023, but all other locations remained closed. On May 5, 2023, all surgeries in its SurgiCenter, Gastroenterology procedures, Laboratory and Radiology services were canceled, MMC Now locations remained closed, although phone lines were restored. Over the weekend of May 6th and 7th, MMC Pediatrics resumed normal weekend operations, but MMC Now Family Walk-In Clinics and Laboratory and Radiology services remained closed for the weekend. On Monday, May 8, 2023, operations remained limited, although some scheduled appointments went ahead as planned, although laboratory and radiology services and MMC Now Family Walk-In locations remained closed.

“Preserving sensitive patient and employee information is of the utmost importance to MMC, but like so many other organizations around the country and despite its best efforts, MMC has found itself as the target of criminals attempting to steal personal or company data. I want to thank our patients and employees for their understanding and patience while we work to make sure our computer infrastructure is secure and free of any harmful software,” said Joey Peay, CEO of MMC. “We have worked diligently to communicate closures with all patients in a timely manner using all methods of communication at our disposal… we apologize for the vagueness of our recent communications, but we did not want to do anything that would impede law enforcement’s investigative efforts.”

While the exact nature of the cyberattack has not been disclosed, this is understood to be a ransomware attack involving data theft. The extent to which patient data has been affected is being investigated and MMC will make further announcements and issue notifications as necessary when the investigation concludes.

The post Ransomware Attack Results in 2 Week Shutdown of Operations at TN Medical Clinic appeared first on HIPAA Journal.

Patient No Longer Seeking Injunction to Force Healthcare Provider to Pay Ransom

Posted by HIPAA Journal

There has been an update to a lawsuit filed against Lehigh Valley Health Network over a ransomware attack that involved the theft of sensitive patient data and the publication of naked images of patients on the Internet.

Lehigh Valley Health Network detected the ransomware attack on February 6, 2023, and was issued with a ransom demand. The BlackCat group threatened to release the stolen data online if the ransom was not paid. While it is common for ransomware gangs to steal sensitive data and publish files if the victim fails to cooperate, the BlackCat ransomware group took the extortion a step further and published naked images of patients to pressure Lehigh Valley Health Network into paying the ransom. The images in question were clinically appropriate for radiation oncology treatment and showed patients naked from the waist up. The ransomware group was seeking payment of approximately $5 million. Lehigh Valley Health Network chose not to pay the ransom.

A lawsuit was filed in the Court of Common Pleas of Lackawanna County in Pennsylvania, which alleged Lehigh Valley Health Network failed to adequately protect patient data and failed to meet its obligations under the Health Insurance Portability and Accountability Act (HIPAA). The lead plaintiff, Jane Doe, had her naked images posted by the group. She maintains that she was not aware that the photographs had been taken.

The lawsuit sought class action status, a jury trial, and remedies including damages, reimbursement of out-of-pocket costs, and equitable and injunctive relief, including an order from the court compelling Lehigh Valley Health Network to improve its data security systems and provide identity theft protection services for the plaintiff and class.

Court Order Sought to Force Lehigh Valley Health Network to Pay the Ransom

One of those remedies sought by the plaintiff concerned the removal of her partially naked photographs from the Internet. Lehigh Valley Health Network no longer had control of those photographs, so the plaintiff sought a court order compelling Lehigh Valley Health Network to pay the ransom and obtain a pledge from the BlackCat group that the images would be removed from the Internet.

The plaintiff’s legal team said the plaintiff is worried that she may be identified by the images, that they may be viewed by her employer or people at work, and that she would be constantly worried that the images would be discovered for as long as they were available online. The patient’s attorney claimed images stolen by the group had been published online and could be found by searching using the individuals’ names, and that this was a deeply upsetting violation of patient privacy. The move to compel Lehigh Valley Health Network to pay the ransom was the only way that the plaintiff’s legal team could get the images removed from the Internet. The request was unusual, but this was not a typical ransomware and extortion attempt.

The request raised some important legal issues that U.S. District Court Judge, Judge Malachy E. Manion, moved to address. Judge Manion questioned the plaintiff’s legal team on the legality of the request and whether the court had the authority to force a defendant to commit a potentially illegal act. While U.S. law does generally not prohibit the payment of a ransom for the return of people or goods; however, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) can impose sanctions on organizations that pay ransoms to cyber actors under its sanctions program.

In response to the request, Judge Manion ordered the plaintiff’s attorneys to file a brief in support of their preliminary injunction, “specifically providing authority that the court may force a party to comply with an illegal act or pay an illegal ransom.” On April 18, 2023, the plaintiff dropped the request for the injunction to force Lehigh Valley Health Network to pay the ransom.

The post Patient No Longer Seeking Injunction to Force Healthcare Provider to Pay Ransom appeared first on HIPAA Journal.

Healthcare Data Potentially Compromised in 5 Hacking Incidents

Posted by HIPAA Journal

NYSARC Columbia County Chapter Notifies Individuals About July 2022 Ransomware Attack

NYSARC Columbia County Chapter (COARC) has started notifying certain individuals that some of their protected health information has potentially been obtained by unauthorized individuals in a July 2022 ransomware attack. According to the notifications, suspicious activity was detected within its network on July 19, 2022, that was consistent with a ransomware attack. Steps were immediately taken to contain the incident and an investigation was launched, which confirmed that the attacker had access to certain COARC systems for a limited period in July.

The attack appears to have been conducted with the sole purpose of encrypting data for extortion purposes. It is not known if data exfiltration occurred but it could not be ruled out. COARC did not say if the ransom was paid. COARC said the types of information involved included names and one or more of the following: address, social security number, financial account, credit card information, medical information, student information, driver’s license, and passport number. No evidence of misuse of that information has been detected in the 9 months from the discovery of the breach to issuing notifications on April 28, 2023. COARC said additional security protocols have been implemented to better protect its network, email environment, and other systems from future attacks.

Network Security Incident at Petaluma Health Center

Petaluma Health Center (PHC) in California has recently confirmed that an unauthorized third party gained access to its network and potentially obtained patient information. PHC said a network security incident was detected on March 14, 2023, but did not disclose any further information on the nature of the incident, such as whether this was a ransomware attack or for how long its network was compromised.

PHC said information maintained for payroll and human resources purposes was potentially accessed, although no evidence of misuse of that information has been detected. The information exposed in the attack included one or more of the following: full name, address, Social Security number, driver’s license number, passport number, date of birth, and/or health insurance plan information.

PHC said it is reviewing and enhancing technical safeguards to prevent similar incidents in the future and affected individuals have been offered complimentary single-bureau credit monitoring services. The breach has been reported to the California Attorney General but is not yet showing on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

Health Plan Services Malware Infection Affects 9,457 Individuals

Health Plan Services Inc, a Tampa, FL-based provider of technology-based services to health plans, has found malware on its network which may have allowed unauthorized individuals to access and acquire files containing the protected health information of 9,457 individuals.

According to the notification letter sent to the California Attorney General, the malware infection was detected on June 23, 2022. It took 8 months to complete the forensic investigation, which was concluded on February 28, 2023, and the document review was completed on March 21, 2023. Notifications were issued on or around April 28, 2023.

The breach involved names, personal information, and Social Security numbers. Individual notifications state the exact types of information that were exposed/acquired. Identity theft protection services have been offered to affected individuals and security practices have been reviewed and enhanced and additional training has been provided to the workforce.

Mars Area School District Reports 8-Month System Compromise

Mars Area School District in Pennsylvania says unauthorized individuals gained access to its network between January 27, 2022, and September 26, 2022, and potentially obtained the personal information and protected health information of up to 1,270 individuals. The breach notifications do not state when the intrusion was detected but explained that the delay in issuing notifications – almost 6 months – was due to the lengthy forensic investigation and manual document review. It was confirmed on March 30, 2023, that sensitive data had been exposed and notifications were mailed to affected individuals on April 24, 2023.

The school district said names were potentially accessed along with one or more of the following data types: Social Security number, driver’s license number, state identification number, health insurance information, medical information, username/password, and financial account information. Complimentary credit monitoring services have been offered to individuals whose Social Security numbers were exposed.

“Mars continually evaluates and modifies practices and internal controls to enhance the security and privacy of personal information, including updating passwords and enhancing email access protocols”, explained the school district in its notification letters.

Network Security Breach Reported by Graceworks Lutheran Services

Graceworks Lutheran Services, a Centerville, OH-based social services organization, said unauthorized individuals gained access to its computer systems and potentially accessed and obtained the protected health information of 6,737 individuals. Suspicious activity was detected in its computer systems on or around February 18, 2023. A third-party computer forensics firm was engaged to investigate and confirmed the unauthorized access. While no evidence of misuse of the exposed data has been identified, unauthorized access and data theft could not be ruled out. The information exposed varied from individual to individual and may have included names, addresses, social security numbers, dates of birth, medical diagnosis and treatment information, health insurance information, and prescription information.

The data review and verification of contact information was completed on March 31, 2023, and notification letters were mailed in April.

The post Healthcare Data Potentially Compromised in 5 Hacking Incidents appeared first on HIPAA Journal.

Credential Stuffing Attack Exposed United HealthCare Member Data

Posted by HIPAA Journal

United HealthCare (UHC) has started notifying certain members that some of their protected health information may have been disclosed to unauthorized individuals as a result of credential stuffing attacks on the UHC mobile application. Credential stuffing is a type of attack where username and password combinations obtained in a breach at one platform are used to access accounts on an unrelated platform. These attacks can only succeed if usernames and passwords have been reused on multiple platforms.

The accounts subjected to unauthorized access included information such as names, birthdates, addresses, health insurance member ID numbers, service dates, provider names, claim details, and group names and numbers. No Social Security numbers, financial information, or driver’s license numbers were exposed.

The attacks occurred between February 19 and February 25, 2023. UHC took its portal offline immediately when the attacks were detected to prevent further unauthorized access and a password reset was performed. The investigation found no evidence to suggest the credentials had been obtained in a cyberattack on UHC systems. Affected individuals have been offered complimentary credit protection services for 2 years.

Ethan Health Reports Email Account Breach

Ethan Health, a Richmond, KY-based medical laboratory, has recently confirmed that the protected health information of 4,047 individuals was contained in employee email accounts that were accessed by unauthorized individuals. Suspicious activity was detected within its email environment on August 31, 2022. The forensic investigation confirmed the accounts were accessed between May 5, 2022, and September 8, 2022. It took 7 months to investigate and complete the review of the contents of the accounts. That process was completed on March 9, 2023.

The information in the accounts varied from individual to individual and may have included names, dates of birth, driver’s license numbers, financial account information, credit or debit card information, medical information, and health insurance information. Affected individuals have been offered complimentary credit monitoring services for 24 months. Additional security measures have been implemented to prevent similar incidents in the future.

McLaren Greater Lansing Hospital Left Records ‘Unprotected’ in Decommissioned Hospital

McLaren Greater Lansing Hospital in Michigan has been accused of leaving boxes of confidential medical records in a decommissioned hospital, where the records could potentially be accessed by unauthorized individuals. The records were discovered by an individual who attended a preview of the campus on April 19, 2023, ahead of an auction. The man who found the records said the files included sensitive information such as names, addresses, phone numbers, and medical information. It is currently unclear how many individuals have had their data exposed.

McLaren Greater Lansing Hospital said the records were destined to be securely destroyed and were accessed before that process could take place. An investigation has been launched to determine how the whistleblower managed to gain access to the records and the hospital has confirmed that it is reverifying that all documents awaiting destruction are locked away to prevent unauthorized access.

The post Credential Stuffing Attack Exposed United HealthCare Member Data appeared first on HIPAA Journal.