HIPAA Breach News

Data Breaches Reported by the New Jersey Department of Health, Onyx Technologies & San Diego American Indian Health Center

Onyx Technologies, a Largo, MD-based provider of Information Technology and Consulting Services and a vendor of Independent Care Health Plan (iCare), has recently notified 96,814 health plan members that some of their protected health information has potentially been compromised.

On June 28, 2022, Onyx discovered its computer systems had been accessed by unauthorized individuals, who may have gained access to the protected health information of iCare members, including names, birth dates, addresses, phone numbers, iCare member ID numbers, Medicare ID Numbers, dates of service, and provider names.

Onyx said that a review of its computer systems was immediately conducted, a security firm was engaged to assist with the investigation, and access to its systems was regained on July 7, 2022. Onyx said, “a server may have been removed or accessed beginning on March 29, 2022, and ending on June 28, 2022. On July 15, 2022, the security firm found that some information related to individuals may have been accessed.”

Onyx said it has found no evidence to suggest that any of the affected information has been misused. Affected individuals have been offered complimentary credit monitoring and identity theft protection services for two years.

San Diego American Indian Health Center Breach Affects 27,367 Patients

San Diego American Indian Health Center has notified 27,367 current and former patients that unauthorized individuals gained access to parts of its network and exfiltrated files containing some of their protected health information.

The security breach was detected on May 5, 2022, and steps were immediately taken to secure the network and prevent further unauthorized access. A digital forensics firm was engaged to assist with the investigation, which confirmed on July 22, 2022, that patient information had been obtained, including names, Social Security numbers, driver’s license numbers, state identification card numbers, tribal identification card numbers, medical information, health insurance information, and birth dates.

San Diego American Indian Health Center said it is unaware of any attempted or actual misuse of patient data. Affected individuals have been offered complimentary credit monitoring and identity protection services and steps have been taken to improve security to prevent further data breaches.

New Jersey Department of Health Alerts Patients About Vendor Data Breach

The New Jersey Department of Health, Division of Behavioral Health Services has recently announced that certain patients of Trenton Psychiatric Hospital and the Anne Klein Forensic Center have had some of their protected health information stolen in a security incident at a vendor that provided medical translation and dictation services to the hospitals.

Unauthorized individuals gained access to parts of the vendor’s systems and exfiltrated files that included the protected health information of patients. The vendor notified the NJ Department of Health about the data breach on June 30, 2022. It is currently unclear which vendor was affected, what types of information were compromised, and how many individuals were affected. The affected hospitals will notify patients directly if they have been affected.

The post Data Breaches Reported by the New Jersey Department of Health, Onyx Technologies & San Diego American Indian Health Center appeared first on HIPAA Journal.

California Department of Corrections and Rehabilitation Hack Exposed Sensitive Data

The California Department of Corrections and Rehabilitation (CDCR) has recently discovered that unauthorized individuals have gained access to one of its information systems. The compromised system contained medical information on all individuals who had been tested for COVID-19 between June 2020 and January 2022, including staff members, visitors, and other individuals, although not inmates. The information related to COVID-19 tests included name, personal address, telephone number, email, date of birth, and COVID-19 testing results.

Files on the system also included the mental health information of inmates in the Mental Health Services Delivery System dating back to 2008, as well as the information of individuals on parole who were in substance use disorder treatment programs. Some of the exposed data included Social Security Numbers, driver’s license numbers, and trust account information.

The data of inmates included name, CDCR number, mental health treatment, mental health history, and mental health diagnosis, and information in the Trust, Restitution, Accounting, and Canteen System (TRACS) was also potentially involved, which includes transaction records made by CDCR to and from trust accounts since 2008, along with some trust account numbers.

CDCR said the data breach was discovered during routine maintenance. The investigation did not confirm when the system was first compromised; however, suspicious activity was identified in a file transfer system dating back to December 2021. CDCR was unable to confirm whether any specific information had been accessed or exfiltrated and said no corroborating evidence was found to suggest any exposed data has been compromised or misused.

CDCR said procedures and practices have been updated to limit the potential for further breaches and the affected computer system is no longer being used. A replacement computer system has been implemented with more security controls.

The incident has not yet appeared on the HHS’ Office for Civil Rights Breach Portal so it is currently unclear how many individuals have been affected.

Lamoille Health Partners Hit with Ransomware Attack

Lamoille Health Partners in Vermont has recently confirmed that it was the victim of a ransomware attack on June 13, 2022. Prompt action was taken to prevent further unauthorized access to its systems and a third-party digital forensics firm was engaged to assist with the investigation. Lamoille Health Partners said it was able to securely restore the encrypted files from backups, so no ransom was paid; however, the forensic investigation confirmed that the attackers had access to its systems between June 12, 2022 and June 13, 2022, and during that time documents containing patients’ protected health information may have been accessed or acquired.

On June 24, 2022, Lamoille Health Partners determined that the documents that may have been accessed included patient information such as names, addresses, dates of birth, Social Security numbers, health insurance information, and medical treatment information. 59,381 individuals have been notified that their protected health information was exposed. Complimentary identity protection and credit monitoring services have been offered to individuals who had Social Security numbers exposed.


July 2022 Healthcare Data Breach Report

In July 2022, 66 healthcare data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights, a 5.71% reduction from the 70 data breaches reported in each of June 2022 and July 2021. While the number of data breaches fell slightly from last month, data breaches are still being reported at well over the 12-month average rate of 57 breaches per month.

Healthcare data breaches in the past 12 months

For the second consecutive month, the number of exposed or impermissibly disclosed healthcare records topped 5 million. 5,331,869 records were breached across the 66 reported incidents, well above the 12-month average of 3,499,029 records a month. July saw 8.97% fewer records breached than June 2022 and 7.67% fewer than July 2021.

Breached healthcare records in the past 12 months

Largest Healthcare Data Breaches in July 2022

In July, 25 data breaches of 10,000 or more records were reported, 15 of which occurred at business associates of HIPAA-covered entities. The largest data breach was a ransomware attack on the accounts receivable management agency, Professional Finance Company. Cyberattacks on business associates can affect many different HIPAA-covered entities, as was the case with the PFC breach, which affected 657 HIPAA-covered entities. The breach was reported by PFC as affecting more than 1.9 million individuals, although some of those clients have reported the breach separately. It is unclear how many records in total were compromised in the ransomware attack.

The second largest data breach occurred at the Wisconsin mailing vendor, OneTouchPoint. This was also a ransomware attack and was reported by OneTouchPoint as affecting more than 1 million individuals, but as was the case with the PFC ransomware attack, some of its healthcare provider clients self-reported the data breach, including Aetna ACE Health Plan. Goodman Campbell Brain and Spine also suffered a major ransomware attack. The Indiana-based healthcare provider confirmed that the threat actors had uploaded the stolen data to their data leak site.

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Business Associate Breach | Cause of Breach
Professional Finance Company, Inc. | CO | Business Associate | 1,918,941 | Yes | Ransomware attack
OneTouchPoint, Inc. | WI | Business Associate | 1,073,316 | Yes | Ransomware attack
Goodman Campbell Brain and Spine | IN | Healthcare Provider | 362,833 | No | Ransomware attack – Data leak confirmed
Aetna ACE | CT | Health Plan | 326,278 | Yes | Ransomware attack on mailing vendor (OneTouchPoint)
Synergic Healthcare Solutions, LLC dba Fast Track Urgent Care Center | FL | Healthcare Provider | 258,411 | Yes | Hacking incident at billing vendor (PracticeMax)
Avamere Health Services, LLC | OR | Business Associate | 197,730 | Yes | Hacking incident – Data theft confirmed
BHG Holdings, LLC dba Behavioral Health Group | TX | Healthcare Provider | 197,507 | No | Hacking incident – Data theft confirmed
Premere Infinity Rehab, LLC | OR | Business Associate | 183,254 | Yes | Hacking incident at business associate (Avamere Health Services) – Data theft confirmed
Carolina Behavioral Health Alliance, LLC | NC | Business Associate | 130,922 | Yes | Hacking incident
Family Practice Center PC | PA | Healthcare Provider | 83,969 | No | Hacking incident
Kaiser Foundation Health Plan, Inc. (Southern California) | CA | Health Plan | 75,010 | No | Theft of device in a break-in at a storage facility
Magie Mabrey Hughes Eye Clinic, P.A. dba Arkansas Retina | AR | Healthcare Provider | 57,394 | Yes | Ransomware attack on EHR vendor (Eye Care Leaders)
McLaren Port Huron | MI | Healthcare Provider | 48,957 | Yes | Hacking incident at business associate (MCG Health) – Data theft confirmed
Southwest Health Center | WI | Healthcare Provider | 46,142 | No | Hacking incident – Data theft confirmed
WellDyneRx, LLC | FL | Business Associate | 43,523 | Yes | Email account compromised
Associated Eye Care | MN | Healthcare Provider | 40,793 | Yes | Ransomware attack on EHR vendor (Eye Care Leaders)
Zenith American Solutions | WA | Business Associate | 37,146 | Yes | Mailing error
Benson Health | NC | Healthcare Provider | 28,913 | No | Hacking incident
Healthback Holdings, LLC | OK | Healthcare Provider | 21,114 | No | Email accounts compromised
East Valley Ophthalmology | AZ | Healthcare Provider | 20,734 | Yes | Ransomware attack on EHR vendor (Eye Care Leaders)
Arlington Skin | VA | Healthcare Provider | 17,468 | No | Hacking incident at EHR management company (Virtual Private Network Solutions)
The Bronx Accountable Healthcare Network | NY | Healthcare Provider | 17,161 | No | Email accounts compromised
Granbury Eye Clinic | TX | Healthcare Provider | 16,475 | Yes | Ransomware attack on EHR vendor (Eye Care Leaders)
CHRISTUS Spohn Health System Corporation | TX | Healthcare Provider | 15,062 | No | Ransomware attack – Data leak confirmed
Central Maine Medical Center | ME | Healthcare Provider | 11,938 | Yes | Hacking incident at business associate (Shields Healthcare Group)

Causes of July 2022 Healthcare Data Breaches

Hacking/IT incidents dominated the breach reports in July, with 55 data breaches classed as hacking/IT incidents, and ransomware attacks continued to be a problem for the healthcare industry. 9 of the top 25 breaches were reported as ransomware attacks, although HIPAA-regulated entities often do not disclose the exact nature of cyberattacks or whether ransomware was involved. Across the hacking incidents, the records of 5,195,024 individuals were breached, which is 97.43% of all records breached in July. The average breach size was 94,455 records and the median breach size was 4,447 records. The median breach size is less than half the median in June due to a large number of relatively small data breaches.

There were 8 unauthorized access/disclosure incidents reported involving 59,784 records. The average breach size was 7,473 records and the median breach size was 1,920 records. There were 3 incidents involving lost or stolen devices or physical documents containing PHI: two loss incidents and one theft. 77,061 records were exposed across those 3 incidents. The average breach size was 25,687 records and the median breach size was 1,201 records.

Causes of July 2022 healthcare data breaches

Unsurprisingly given the large number of hacking incidents, 56% of the month’s breaches involved PHI stored on network servers. 12 incidents involved unauthorized access to email accounts, caused by a mix of phishing and brute force attacks.

July 2022: location of breached PHI

There has been a marked increase in hybrid phishing attacks on the healthcare industry in recent months. In these attacks, the initial email carries no malicious link or attachment; instead it includes a phone number manned by the threat actor. According to Agari, Q2 2022 saw a 625% increase in hybrid phishing attacks, where initial contact was made via email and the scam took place over the phone. Several ransomware groups have adopted this tactic as their main way of gaining initial access to victims’ networks. The lures are typically notifications about an upcoming charge that will be applied unless the recipient calls the number: a free trial of a software product or service that is about to end, or a subscription that is about to renew. Once on the phone, the victim is talked into opening a remote access session with the threat actor.
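As an added illustration of how such messages can be triaged, and not code from the original report or from Agari, the following JavaScript scores an email on the callback-phishing pattern described above: a phone number as the only call to action, a billing or renewal lure, a deadline, and a free-webmail sender. The term lists, the threshold and the two sample emails are constructed assumptions, not data from any cited incident.

```javascript
// Added example (not code from HIPAA Journal or Agari): heuristic triage for
// "hybrid"/callback phishing. The tell is a phone number as the only call
// to action, wrapped in a billing or renewal lure with a deadline. Term
// lists, the threshold and the sample emails are constructed assumptions.

const PHONE_RE = /(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}/g;
const URL_RE = /https?:\/\/\S+/;
const FREEMAIL_DOMAINS = new Set(["gmail.com", "outlook.com", "yahoo.com", "hotmail.com", "aol.com"]);
const LURE_TERMS = ["free trial", "subscription", "renewal", "invoice", "charged", "auto-renew", "payment"];
const URGENCY_TERMS = ["within 24 hours", "today", "immediately", "to cancel", "to stop"];
const SUSPECT_THRESHOLD = 5;

// Domain part of a From header such as 'Billing <billing-desk@gmail.com>'.
function senderDomain(from) {
  const m = /@([a-z0-9.-]+)/i.exec(from || "");
  return m ? m[1].toLowerCase() : "";
}

// Scores one parsed email ({ from, subject, body, attachments }) and
// returns { score, reasons, suspect }.
function scoreCallbackPhish(email) {
  const text = `${email.subject || ""}\n${email.body || ""}`.toLowerCase();
  const reasons = [];
  let score = 0;

  const phones = text.match(PHONE_RE) || [];
  if (phones.length > 0) {
    score += 2;
    reasons.push(`phone number present: ${phones.join(", ")}`);
  }

  const lures = LURE_TERMS.filter((t) => text.includes(t));
  if (lures.length > 0) {
    score += lures.length >= 2 ? 2 : 1;
    reasons.push(`billing lure: ${lures.join(", ")}`);
  }

  const urgency = URGENCY_TERMS.filter((t) => text.includes(t));
  if (urgency.length > 0) {
    score += 1;
    reasons.push(`deadline pressure: ${urgency.join(", ")}`);
  }

  // Callback phishing carries no payload: nothing for a URL filter or
  // attachment sandbox to catch, which is why it needs its own rule.
  const hasLink = URL_RE.test(text);
  const hasAttachment = (email.attachments || []).length > 0;
  if (phones.length > 0 && !hasLink && !hasAttachment) {
    score += 2;
    reasons.push("phone number is the only call to action (no link, no attachment)");
  }

  if (lures.length > 0 && FREEMAIL_DOMAINS.has(senderDomain(email.from))) {
    score += 1;
    reasons.push("billing notice sent from a free webmail domain");
  }

  return { score, reasons, suspect: score >= SUSPECT_THRESHOLD };
}

// Constructed samples: one callback lure, and one legitimate clinic
// reminder that also happens to contain a phone number.
const SAMPLE_EMAILS = [
  {
    from: "Billing <billing-desk@gmail.com>",
    subject: "Action required: your free trial ends today",
    body:
      "Your free trial of SecureShield Antivirus ends today and your card will be " +
      "charged $299.99 for annual renewal. To cancel, call our support line at " +
      "(555) 013-2277 within 24 hours.",
    attachments: [],
  },
  {
    from: "noreply@portal.clinic.example",
    subject: "Appointment reminder",
    body:
      "Your appointment with Dr. Lee is on Monday at 9:00 AM. Manage or reschedule " +
      "at https://portal.clinic.example/appointments or call 555-013-4400.",
    attachments: [],
  },
];

console.log(JSON.stringify(SAMPLE_EMAILS.map(scoreCallbackPhish), null, 2));
```

Run with node. The point of the no-payload rule is that the usual mail controls (URL rewriting, attachment detonation) never see anything to block in these messages, so the phone number itself has to become the indicator; a legitimate reminder with a phone number but no lure stays well under the threshold.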

HIPAA Regulated Entities Affected by Data Breaches

Healthcare providers are usually the worst affected type of HIPAA-regulated entity, but in July business associates topped the list once breaches are counted by where they occurred. 39 healthcare providers reported data breaches, but 15 of those breaches occurred at business associates; 10 health plans reported breaches, 4 of which occurred at business associates; and 17 business associates self-reported breaches. Counted by location, that is 36 breaches at business associates, 24 at healthcare providers, and 6 at health plans. The chart below shows the month’s data breaches based on where they occurred, rather than the reporting entity.

July 2022 healthcare data breaches by HIPAA-regulated entity type

July 2022 Healthcare Data Breaches by State

Data breaches of 500 or more records were reported by HIPAA-regulated entities in 29 states, with Texas the worst affected with 10 data breaches.

State | No. Breaches
Texas | 10
Pennsylvania & Virginia | 5
California, Florida, North Carolina & Wisconsin | 4
Arizona, Connecticut, Georgia, Illinois, New Hampshire, Ohio, Oklahoma & Oregon | 2
Alabama, Arkansas, Colorado, Indiana, Iowa, Maine, Massachusetts, Michigan, Minnesota, Missouri, New York, Rhode Island, Washington & Wyoming | 1

HIPAA Enforcement Activity in July 2022

From January to June, only 4 enforcement actions were announced by the HHS’ Office for Civil Rights; however, July saw a further 12 enforcement actions announced that resulted in financial penalties to resolve HIPAA violations. OCR has continued with its HIPAA Right of Access enforcement initiative, with 11 of the penalties imposed for the failure to provide patients with timely access to their medical records. 10 of those investigations were settled, and one was resolved with a civil monetary penalty.

July also saw one investigation settled with OCR that resolved multiple alleged violations of the HIPAA Rules that were uncovered during an investigation of a 279,865-record data breach at Oklahoma State University – Center for Health Sciences.

No HIPAA enforcement actions were announced by state attorneys general in July.

Covered Entity | Amount | Settlement/CMP | Reason
ACPM Podiatry | $100,000 | Civil Monetary Penalty | HIPAA Right of Access failure
Oklahoma State University – Center for Health Sciences (OSU-CHS) | $875,000 | Settlement | Risk analysis, security incident response and reporting, evaluation, audit controls, breach notifications, & the impermissible disclosure of the PHI of 279,865 individuals
Memorial Hermann Health System | $240,000 | Settlement | HIPAA Right of Access failure
Southwest Surgical Associates | $65,000 | Settlement | HIPAA Right of Access failure
Hillcrest Nursing and Rehabilitation | $55,000 | Settlement | HIPAA Right of Access failure
MelroseWakefield Healthcare | $55,000 | Settlement | HIPAA Right of Access failure
Erie County Medical Center Corporation | $50,000 | Settlement | HIPAA Right of Access failure
Fallbrook Family Health Center | $30,000 | Settlement | HIPAA Right of Access failure
Associated Retina Specialists | $22,500 | Settlement | HIPAA Right of Access failure
Coastal Ear, Nose, and Throat | $20,000 | Settlement | HIPAA Right of Access failure
Lawrence Bell, Jr. D.D.S | $5,000 | Settlement | HIPAA Right of Access failure
Danbury Psychiatric Consultants | $3,500 | Settlement | HIPAA Right of Access failure


Cyberattacks Reported by Independent Case Management & Conifer Health Solutions

Little Rock, AR-based Independent Case Management (ICM), a provider of home and community-based support for individuals with intellectual and developmental disabilities, has recently notified 3,307 individuals that some of their protected health information may have been stolen in a ransomware attack.

According to the notification letters, three servers were affected by the attack. The servers were encrypted on December 24, 2021, and a ransom note was dropped on the servers; however, the attack was not detected by ICM until June 15, 2022, as the servers were only used to store historical employee and customer data.

When the attack was detected, a third-party IT vendor was engaged to isolate the servers and perform security scans to ensure that access to the servers was blocked and no other systems or data were affected. The investigation confirmed that only the 3 servers were affected. They contained information such as names, addresses, dates of birth, Social Security numbers, medical and health records, insurance plan and payment information, and Medicaid numbers. Some employee files were also stored on the servers. ICM said it was not possible to determine whether specific personal information was accessed, removed, or misused.

ICM said steps have been taken to improve the privacy and security of personal information, including conducting regular security scans, implementing multifactor authentication, improving monitoring systems, and providing additional cybersecurity training to employees.

Conifer Health Solutions Discovers Email Account Breach

Conifer Health Solutions, a Frisco, TX-based provider of revenue cycle management and other administrative services to healthcare providers, has recently discovered that an unauthorized third-party gained access to a Microsoft Office 365 hosted business email account.

The breach was detected during an internal review, with the subsequent investigation determining the email account was compromised on January 20, 2022. The breach was confined to a single email account, which was separate from its internal network and systems. The review of the email account was conducted between June 13 and August 3 and determined it contained the protected health information of 2,787 individuals, including full names, dates of birth, addresses, Social Security numbers, financial account information, medical and treatment information, health insurance information, and billing and claims information.

Steps were immediately taken to prevent further unauthorized access and additional security measures have now been implemented, including multifactor authentication and enhanced monitoring of the email environment. Complimentary credit monitoring and identity protection services have been offered to individuals whose Social Security numbers or financial account information was exposed.


Florida Orthopaedic Institute Proposes $4 Million Settlement to Resolve Class Action Data Breach Lawsuit

Florida Orthopaedic Institute has proposed a $4 million settlement to resolve claims from patients affected by a 2020 data breach. In April 2020, Musculoskeletal Institute, dba Florida Orthopaedic Institute, discovered an unauthorized third party had gained access to a server that contained patients’ protected health information (PHI) and used ransomware to encrypt files.

The forensic investigation determined the PHI of 640,000 individuals had been exposed and potentially stolen in the attack, including names, contact information, birth dates, Social Security numbers, health insurance information, medical information, and other types of data. Notifications were sent to affected individuals in July 2020 and a 12-month membership to a credit monitoring service was offered to affected individuals.

Shortly after sending notifications, a lawsuit – Stoll et al. v. Musculoskeletal Institute- was filed in the U.S. District Court for the Middle District of Florida that alleged Florida Orthopaedic Institute was “lackadaisical, cavalier, reckless, or in the very least, negligent” with respect to maintaining the privacy of its patients and had not followed basic cybersecurity best practices. The lawsuit also alleged invasion of privacy, breach of fiduciary duty, breach of implied contract, unjust enrichment, and violation of Florida’s Deceptive and Unfair Trade Practices Act.

The lawsuit alleged the sensitive protected health information of patients was now in the hands of cybercriminals and patients now faced a substantial risk of identity theft and fraud. Florida Orthopaedic Institute has admitted no wrongdoing but decided to settle the lawsuit to avoid further legal costs and the uncertainty of trial.

Under the terms of the proposed settlement, current and former patients who were notified about the data breach are entitled to submit a claim for a cash payment of up to $15,000 to cover out-of-pocket expenses and up to 5 hours of time that was lost remedying the data breach at $25 per hour.

Attorneys argued that a 12-month membership to credit monitoring services was insufficient. All individuals affected by the data breach will now be eligible to receive 3 years of identity theft protection, credit monitoring, and identity restoration services, regardless of whether a claim is submitted. Parents or guardians of minors that have been affected by the data breach are entitled to enroll the affected children in these services for 3 years if their children are minors at the time of the settlement. These services include a $1,000,000 identity theft insurance policy. The services retail for around $196 per individual.

All claims must be submitted no later than September 16, 2022. The final approval hearing for the settlement is September 29, 2022.


Ransomware Attack on New York Billing Company Affects 942K Individuals

Practice Resources, a Syracuse, NY, provider of billing and other professional services, has suffered a data breach involving the records of 942,138 individuals.

According to the breach notification sent to the California Attorney General, Practice Resources was the victim of a ransomware attack on April 12, 2022. Assisted by third-party digital forensics experts, Practice Resources determined that there had been unauthorized access to parts of the network where the protected health information of its clients was stored, and that the attackers may have exfiltrated that information prior to file encryption.

A review of the documents potentially affected by the attack confirmed they contained information such as names, addresses, dates of treatment, health plan numbers, and medical record numbers. Practice Resources has offered affected individuals a complimentary membership to an identity theft protection and credit monitoring service.

Practice Resources said it has issued notification letters to affected individuals on behalf of 28 clients that were affected by the data breach.

  • Achieve Physical Therapy, PC
  • CNY Obstetrics and Gynecology, P.C.
  • Community Memorial Hospital, Inc
  • Crouse Health Hospital, Inc
  • Crouse Medical Practice PLLC
  • Family Care Medical Group, PC
  • Fitness Forum Physical Therapy, PC
  • FLH Medical PC
  • Greece Dermatological Associates, PC
  • Guidone Physical Therapy, PC
  • Hamilton Orthopedic Surgery & Sports Medicine
  • Helendale Dermatological and Medical Spa, PLLC
  • Kudos Medical, PLLC
  • Laboratory Alliance of Central New York, LLC
  • Liverpool Physical Therapy, PC
  • Michael J Paciorek, MD PC
  • Nephrology Associates of Watertown, PC
  • Nephrology Hypertension Associates of CNY, PC
  • Orthopedics East, PC
  • Salvation Army
  • Soldiers & Sailors Memorial Hospital—Physician Practices
  • Joseph’s Medical
  • Surgical Care West, PLLC
  • Syracuse Endoscopy Associates, LLC
  • Syracuse Gastroenterological Associates, PC
  • Syracuse Pediatrics
  • Tully Physical Therapy
  • Upstate Community Medical, PC

Valley Baptist Medical Center Systems Hacked

Brownsville, TX-based Valley Baptist Medical Center has recently started notifying certain patients that some of their protected health information has been exposed and potentially stolen. On June 14, 2022, Valley Baptist determined that an unauthorized third party had gained access to a computer system. The forensic investigation determined that unauthorized access occurred between March 31 and April 24, 2022.

When the breach was detected, user access to systems was suspended, cybersecurity protocols were implemented, and steps were taken to prevent further unauthorized access. The forensic investigation determined that patient information was potentially affected, including names, contact information, dates of birth, health insurance information, dates of service, patient account numbers, medical record numbers, medications, diagnosis information, provider and facility names, and visit information. Valley Baptist said patients of its Brownsville and Harlingen medical centers were affected.

The data breach has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.


United Health Centers of San Joaquin Valley Notifies Patients About August 2021 Ransomware Attack

In August 2021, the Vice Society ransomware operation published data on its data leak site that had allegedly been obtained in a ransomware attack on United Health Centers of San Joaquin Valley. On August 31, 2021, Bleeping Computer was made aware of the data leak and made multiple attempts to notify United Health Centers. Databreaches.net was also made aware of the data breach and similarly attempted to notify United Health Centers on multiple occasions. HIPAA Journal reported on the incident in September 2021.

Almost a year on and individuals whose protected health information was exposed or stolen in the attack have been notified by United Health Centers. The breach notification provided to the California Attorney General on August 12, 2022, explains that technical difficulties were experienced by United Health Centers on August 28, 2021, which caused disruption to its computer systems. Steps were immediately taken to secure its network and systems, and an investigation was launched to determine the nature of the incident.

United Health Centers said it discovered on September 22, 2021, that patient data had been exfiltrated from its systems. Third-party specialists were then engaged to confirm the scope of the data breach. The investigation confirmed that data had been exfiltrated between August 24, 2021, and August 28, 2021. A comprehensive review of the affected data was completed on April 11, 2022. United Health Centers said it “then worked expeditiously to provide notice to those patients whose information was found within those documents.”

The documents contained names, Social Security numbers, and medical record numbers. Affected individuals have been offered a one-year complimentary membership to Experian’s identity theft restoration and credit monitoring service. It is currently unclear exactly how many patients have been affected.

Lee County Emergency Medical Services Notifies Patients About Third-Party Data Breach

Lee County Emergency Medical Services has recently started notifying certain patients about a business associate-related data breach. Intermedix Corporation worked with Lee County Emergency Medical Services for almost 15 years, with the contract terminating in September 2014. Intermedix Corporation worked with a law firm, Smith, Gambrell & Russell (SGR), and certain patient data had been provided to that law firm.

Lee County Emergency Medical Services said in an August 11, 2022, breach notification on its website that it was notified on August 4, 2022, about the data breach at the law firm. SGR said it discovered on August 9, 2021, that files had been exfiltrated from its systems by an unauthorized individual, and those files contained the sensitive information of its clients. A vendor was engaged to assist with the investigation to determine the scope of the breach, and the review of the documents was completed on May 17, 2022. SGR said the breached information included names, addresses, Social Security numbers, driver’s license numbers, government IDs, and medical information, such as treatment, diagnosis, and medical history. SGR said it has taken steps to improve security and has offered affected individuals complimentary credit monitoring services.

Lee County Emergency Medical Services said it was notified about the incident on August 4, 2022, and has since been working closely with Intermedix Corporation to identify the affected individuals and send notifications. Notification letters will be sent to affected individuals within 14 to 21 days. The incident has yet to appear on the HHS’ Office for Civil Rights Breach Portal, so it is unclear how many individuals have been affected. Lee County Emergency Medical Services said around 2% of the records provided to SGR were compromised.


Novant Health Notifies Patients About Unauthorized Disclosure of PHI via Meta Pixel Code on Patient Portal

Novant Health has recently notified patients about a breach of their protected health information due to the incorrect configuration of Meta Pixel code on its patient portal.

Code Snippet Sending Sensitive Patient Data to Meta

Earlier this year, an investigation conducted by The Markup into the use of Meta Pixel code on healthcare providers’ websites revealed 33 of the top 100 hospitals in the United States had included Meta Pixel code on their websites, and 7 of those hospitals had added the code to their password-protected patient portals. The 7 hospitals discovered by The Markup to have installed Meta Pixel on their patient portals were Community Health Network, FastMed, Edward-Elmhurst Health, Piedmont, Renown Health, WakeMed, and Novant Health.

Meta Pixel is a snippet of JavaScript code used to track website visitors; the information it gathers is sent to Meta (Facebook), which may use it to serve targeted ads. Meta states that organizations using Meta Pixel are not permitted to send it sensitive data, and that if Meta discovers sensitive data has been sent by mistake, it is filtered out so that it cannot be used to serve targeted ads. That filtering process does not appear to be working reliably, and even where the information is filtered out, it has still been transmitted to Meta.
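To make the mechanism concrete from the defender's side, the following is an added example, not code from the HIPAA Journal article or from Novant Health. It is a small audit routine that scans the HTML of a page served from an authenticated area (such as a patient portal) for a tracking pixel embed, lists the events the embed fires, and checks whether the page's Content-Security-Policy header would actually stop the pixel script from loading and stop its reports from leaving the browser. The tracker host names (connect.facebook.net, www.facebook.com), the global `fbq()` function and the shape of the bootstrap snippet are assumptions about the standard embed, not details taken from the article; the sample portal page, pixel id and CSP headers are constructed for the example.

```javascript
// Added example, not code from the HIPAA Journal article or from Novant Health:
// a defensive audit of an authenticated page for a tracking pixel embed, plus a
// check of whether the page's Content-Security-Policy would block it.

// Assumption about the standard Meta Pixel embed (not stated in the article):
// the script is loaded from connect.facebook.net, reports go to www.facebook.com,
// and events are sent through a global fbq() function.
const TRACKER_HOSTS = new Set(['connect.facebook.net', 'www.facebook.com']);

// Every absolute URL on the page that points at a tracker host. Matching raw
// URLs rather than <script src> also catches the loader hidden inside an inline
// bootstrap and the <noscript> image beacon.
function findTrackerUrls(html) {
  const hits = [];
  for (const raw of html.match(/https?:\/\/[^\s"'<>()]+/g) || []) {
    let host;
    try { host = new URL(raw).hostname; } catch { continue; }
    if (TRACKER_HOSTS.has(host)) hits.push({ url: raw, host });
  }
  return hits;
}

// Event names passed to fbq('track', ...) or fbq('trackCustom', ...). Events wired
// to buttons and forms are what carry user activity off an authenticated page.
function findPixelEvents(html) {
  const events = [];
  const re = /\bfbq\s*\(\s*['"](?:track|trackCustom)['"]\s*,\s*['"]([^'"]+)['"]/g;
  let m;
  while ((m = re.exec(html)) !== null) events.push(m[1]);
  return events;
}

// Parse a Content-Security-Policy header value into directive -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return policy;
}

// Would `directive` (falling back to default-src, as browsers do) let the page
// reach the third-party `host`? Simplified matcher: '*', scheme sources, host
// sources and *.wildcards are handled; nonces, hashes and paths are ignored.
// Keyword sources ('self', 'none', 'unsafe-inline', ...) never name a third party.
function cspAllowsHost(policy, directive, host) {
  const sources = policy.get(directive) || policy.get('default-src');
  if (!sources) return true; // no applicable directive: the browser allows everything
  return sources.some((src) => {
    if (src.startsWith("'")) return false;
    if (src === '*') return true;
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return /^https?:$/i.test(src);
    const h = src.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '').split('/')[0].split(':')[0].toLowerCase();
    return h.startsWith('*.') ? host.endsWith(h.slice(1)) : h === host;
  });
}

// Audit one page: what was found, and what the CSP would actually permit.
function auditPortalPage(html, cspHeader = '') {
  const policy = parseCsp(cspHeader);
  const hosts = [...new Set(findTrackerUrls(html).map((u) => u.host))];
  const events = findPixelEvents(html);
  return {
    pixelPresent: hosts.length > 0 || events.length > 0,
    trackerHosts: hosts,
    events,
    // the pixel script itself is governed by script-src
    scriptLoadable: hosts.some((h) => cspAllowsHost(policy, 'script-src', h)),
    // its reports leave via fetch/XHR (connect-src) or image beacons (img-src)
    dataCanLeave: hosts.some(
      (h) => cspAllowsHost(policy, 'connect-src', h) || cspAllowsHost(policy, 'img-src', h)),
  };
}

// Constructed sample: a portal page carrying a simplified stand-in for the
// vendor's bootstrap snippet. The pixel id is a placeholder.
const SAMPLE_PORTAL_HTML = `
<html><head><title>Patient Portal - Appointments</title>
<script>
(function (d, u) { var s = d.createElement('script'); s.async = true; s.src = u;
  d.head.appendChild(s); })(document, 'https://connect.facebook.net/en_US/fbevents.js');
window.fbq = window.fbq || function () { (fbq.q = fbq.q || []).push(arguments); };
fbq('init', 'PIXEL_ID_PLACEHOLDER');
fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=PIXEL_ID_PLACEHOLDER&ev=PageView&noscript=1"/></noscript>
</head><body>
<button onclick="fbq('trackCustom', 'ScheduleAppointment', {provider: this.dataset.provider})">Schedule</button>
</body></html>`;

// Constructed headers: a broad https: allowance lets the pixel load and report;
// the hardened policy confines the page to its own origin.
const WEAK_CSP = "default-src 'self' https:; script-src 'self' 'unsafe-inline' https:";
const STRICT_CSP = "default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self' data:";

console.log('weak policy  :', JSON.stringify(auditPortalPage(SAMPLE_PORTAL_HTML, WEAK_CSP)));
console.log('strict policy:', JSON.stringify(auditPortalPage(SAMPLE_PORTAL_HTML, STRICT_CSP)));
```

Run against the sample page, the weak header reports `scriptLoadable: true` and `dataCanLeave: true` with events `PageView` and `ScheduleAppointment`; the strict header reports both as `false`. The point for a portal operator is that the script inventory and the CSP are checked together: a pixel that a content team added to a marketing page can end up on authenticated pages too, and only a policy that names no third-party hosts in `script-src`, `connect-src` and `img-src` prevents the browser from delivering what the embed collects.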

In the weeks following the publication of the report, multiple lawsuits were filed on behalf of individuals whose personal and protected health information was disclosed to Meta via Meta Pixel code on healthcare provider websites. The lawsuits allege violations of federal and state privacy laws as the information was sent without obtaining express consent from patients.

A class action lawsuit was filed on behalf of a patient of Baltimore-based MedStar Health System, which alleges Meta Pixel has been used on the websites of at least 664 healthcare providers, allowing patient data to be sent to Meta in violation of the Health Insurance Portability and Accountability Act (HIPAA). Another lawsuit was filed against Meta, the University of California San Francisco, and Dignity Health, with the lead plaintiff claiming to have been served targeted adverts after disclosing sensitive information about a health issue on the patient portal. Most recently, a similar lawsuit was filed against Meta and Northwestern Memorial Hospital in Chicago, IL.

Novant Health Notifies Patients About Meta Pixel Data Breach

Novant Health has recently notified an as-yet-unspecified number of patients that some of their protected health information (PHI) has been sent to Meta. As far as HIPAA Journal has been able to establish, Novant Health is the first healthcare provider to issue breach notification letters to patients over the use of Meta Pixel code.

Novant Health explained in the breach notification letters that PHI was transferred to Meta due to “an incorrect configuration of [Meta] Pixel, an online tracking tool.” Novant Health said it wanted to be fully transparent over the data breach and the reasons for using the pixel code on its website.

“In May 2020, as our nation confronted the beginning of the COVID-19 pandemic, Novant Health launched a promotional campaign to connect more patients to the Novant Health MyChart patient portal, with the goals of improving access to care through virtual visits and to provide increased accessibility to counter the limitations of in-person care,” explained Novant Health. “This campaign involved Facebook advertisements and a Meta (Facebook parent company) tracking pixel placed on the Novant Health website to help understand the success of those advertisement efforts on Facebook; however, the pixel was configured incorrectly and may have allowed certain private information to be transmitted to Meta from the Novant Health website and MyChart portal.”

When notified about the potential privacy violation, Novant Health immediately disabled and removed the pixel from the patient portal and launched an investigation to determine the extent to which information was being transferred to Meta. On June 17, 2022, Novant Health determined that PHI may have been inadvertently transferred based on the type of user activity on the patient portal. The information transferred would have varied from patient to patient, and may have included an individual’s email address, phone number, IP address, contact information entered into Emergency Contacts or Advanced Care Planning, appointment type and date, physician selected, button/menu selections, and/or content typed into free text boxes.

Novant Health said it has found no evidence that Meta or any other third party has acted upon the information provided. If an individual entered financial information or a Social Security number in free text boxes, that information may also have been sent to Meta. Novant Health said the individual notification letters would state if such information had been disclosed, and if so, complimentary credit monitoring services will be provided to affected individuals.

The post Novant Health Notifies Patients About Unauthorized Disclosure of PHI via Meta Pixel Code on Patient Portal appeared first on HIPAA Journal.

Data Breach Affects 120,000 Priority Health Plan Members

The Michigan-based health plan provider, Priority Health, has confirmed that it has been affected by a data breach at a business associate, the law firm Warner Norcross & Judd (WNJ).

WNJ identified suspicious network activity on October 22, 2021. Steps were immediately taken to prevent further unauthorized access and a digital forensics firm was engaged to assist with the investigation. That investigation confirmed that the attackers had gained access to parts of its network that contained the protected health information of approximately 120,000 members of Priority Health’s health plans.

The affected information included names and pharmacy claim information for certain prescriptions filled in 2012, including drug names, fill dates, and insurance provider names. WNJ said it found no evidence of misuse of plan members’ information, but the possibility of data theft could not be ruled out.

WNJ said Priority Health was notified about the breach on June 6, 2022, almost 8 months after the security incident was detected.

PHI Exposed in Attempted BEC Attack on Living Innovations

Living Innovations, a provider of services to people with disabilities, has confirmed that unauthorized individuals gained access to the email accounts of certain employees between June 6 and June 14, 2022, after the employees responded to phishing emails. The breach was detected on June 7, 2022, when suspicious activity was identified in an email account.

The attack appears to have been conducted to try to divert invoice payment to an attacker-controlled account, rather than to access patient information; however, unauthorized access to patient information could not be ruled out. A review of the affected email accounts revealed they contained patient data such as names, client health insurance information, Medicaid information, Social Security numbers, and limited information related to services received at Living Innovations.

Living Innovations said it found no evidence of data theft or misuse of patient information; however, as a precaution, affected individuals have been offered complimentary credit monitoring and identity theft protection services. Additional training has been provided to employees on how to identify and avoid phishing emails.

The breach has been reported to the HHS’ Office for Civil Rights as affecting up to 4,000 individuals.

Phishing Attack on Microsoft 365 Account Affects 2,000 Florida Springs Surgery Center Patients

Florida Springs Surgery Center has discovered a breach of its Microsoft 365 email environment. The breach was detected on June 2, 2022, with the investigation confirming an unauthorized actor accessed an employee’s account between May 25, 2022, and June 2, 2022.

The account was compromised when an employee responded to a phishing email that spoofed a trusted entity. The review of the email environment confirmed the breach was limited to the employee’s account; however, that account contained the protected health information of 2,203 individuals. The types of information varied from individual to individual, and may have included names, addresses, birth dates, Social Security numbers, driver’s license/state ID numbers, financial account information, medical and/or treatment information, diagnosis or procedure information, prescriptions/medications, health insurance information, and billing and claims information.

Florida Springs Surgery Center has taken steps to improve email security, including adding multi-factor authentication for all accounts. Complimentary credit monitoring and identity restoration services have been offered to individuals who had their Social Security number, driver’s license/state ID number, or financial account information exposed.

MultiCare Health System says 18,615 Patients Affected by Avamere Health Services Cyberattack

MultiCare Health Services has confirmed that it is one of the companies affected by a cyberattack on business associate Avamere Health Services. According to the notification, a threat actor accessed Avamere Health Services’ systems and potentially deleted information of patients who received services from MultiCare between September 2016 and November 2021.

The affected individuals had used the Connected Care Network, which is a subsidiary of MultiCare Health Services. Affected individuals have been offered complimentary credit monitoring and identity theft protection services. The breach has been covered in more detail in this post.

The post Data Breach Affects 120,000 Priority Health Plan Members appeared first on HIPAA Journal.