HIPAA Breach News

mscripts Cloud Storage Misconfiguration Exposed PHI for 6 Years

The mobile pharmacy solution provider, mscripts, has recently announced that a misconfiguration of its cloud storage environment has exposed client data online for the past 6 years. The misconfiguration was detected and remediated on November 18, 2022, with the third-party forensics investigation confirming the cloud storage environment had been unsecured since September 30, 2016.

A review of the files stored in that environment confirmed they contained the protected health information of 66,372 patients of participating pharmacies. The information related to locker pickups at pharmacy locations, and also included images of prescription bottles and insurance cards, which had been submitted via the mscripts web or mobile app. The information potentially accessed during that time includes names, dates of birth, phone numbers, addresses, prescription numbers, medication names, originating pharmacy information, health insurance company names, member IDs, group numbers, and, in certain cases, dependents’ names.

mscripts said the issue has now been resolved and security procedures have been enhanced to ensure similar data exposure incidents do not occur in the future. Affected individuals have been notified and advised to monitor their billing statements and notifications of prescriptions for any unauthorized activity.

Care Dimensions Says Website Compromised to Steal Payment Card Information

Danvers, MA-based Care Dimensions, a provider of hospice, palliative, and home primary care services, has recently reported a data breach to the Maine Attorney General that has affected up to 1,713 patients. Care Dimensions recently discovered that the donation page of its website had been altered, and malicious code was added to capture the payment card details of donors.

The forensic investigation confirmed on or around January 6, 2023, that the malicious code was added on February 18, 2022, and allowed an unknown threat actor to capture payment card information when donations were made, including cardholder name, contact information, credit and debit card numbers, expiration dates, and CVV codes. The malicious code was removed on December 8, 2022.

The breach affects all individuals who made donations through the website between February 18, 2022, and December 8, 2022. Those individuals have been advised to regularly review their financial account statements for fraudulent or irregular activity and to immediately report any unauthorized purchases. Fraud alerts and security freezes with credit agencies have also been recommended. Care Dimensions said third-party cybersecurity experts have conducted a full review of its website code and penetration tests to ensure that the exploited vulnerability has been fully remediated.

Brooks Rehabilitation Reports Website Tracking Technology-Related Impermissible PHI Disclosure

Brooks Rehabilitation, a Florida-based network of medical rehabilitation services, has recently notified 1,554 patients about an impermissible disclosure of some of their protected health information to third parties due to the use of pixels and cookies on its website.

The pixels and cookies were used on its website for tracking user activity to enhance its website and improve the user experience. Brooks Rehabilitation recently learned that those technologies captured and transmitted user information to the technology companies that provided the code. The investigation confirmed that the following types of information may have been impermissibly disclosed to technology companies: name, phone number, email address, computer IP address, other information provided in the comments section of the website, and any Brooks sites visited while visiting its website. Brooks Rehabilitation said it was unable to determine whether any of that information has been further disclosed or used by the technology companies, such as for targeted advertising.

Brooks Rehabilitation said the tracking technologies were disabled in December 2022 and there are no plans to use them again unless it can be confirmed that they will not transmit any user information.

Email Account Compromised at Minuteman Senior Services

The Bedford, MA-based senior care provider, Minuteman Senior Services, has confirmed that an unauthorized individual gained access to the email account of an employee between November 21 and November 30, 2022. Third-party data review specialists are currently conducting a programmatic and manual review of all emails and attachments in the account to determine the extent of the privacy breach.

The information potentially accessed includes full name, address, date of birth, gender, health insurance information, diagnosis, and service utilization. The information exposed varies from patient to patient. Since it is not yet known how many individuals have been affected, the incident was reported to the HHS’ Office for Civil Rights with a placeholder of 500 individuals. Notification letters will be issued when the review is complete and the total will be updated with OCR when the extent of the incident is confirmed.

This is the second email account compromise incident to be reported by Minuteman Senior Services in the past year. A similar breach occurred on June 1, 2022, although in that case the unauthorized access was detected and blocked within 24 hours. That breach affected up to 4,000 individuals.

The Center for Autism and Related Disorders

The Center for Autism and Related Disorders (CARD) in Portland, OR, has notified certain patients about an impermissible disclosure of a limited amount of their personal information due to an error by a third-party billing vendor. When the software for the system for generating patient invoices was updated, a computer error occurred that resulted in certain caregivers being sent invoices for unrelated patients.

The invoices included HIPAA-protected information such as patient names, CARD internal reference numbers, and payment histories, which included insurance payments, patient payments, adjustments, and account balances. No other information was involved. The error was rapidly identified, detected, and fixed, and only affected its January 2023 billing statements for patient cost-sharing amounts. Processes have now been strengthened for detecting errors such as this to prevent any further mailing errors.

The incident has yet to appear on the HHS’ breach portal so it is currently unclear how many individuals have been affected.

The post mscripts Cloud Storage Misconfiguration Exposed PHI for 6 Years appeared first on HIPAA Journal.

Rise Interactive Media & Analytics, DotHouse Health, and Reventics Hacked

Rise Interactive Media & Analytics, LLC

The Illinois-based digital marketing agency, Rise Interactive Media & Analytics, LLC, has recently confirmed that hackers gained access to its digital environment on November 14, 2022, and potentially accessed or exfiltrated the data of some of its clients. Rise Interactive has reported the breach to the Department of Health and Human Services as affecting 54,509 individuals, but it is currently unknown how many of its healthcare clients have been affected.

RGH Enterprises, Inc., doing business as Edgepark Medical Supplies, is one of the affected Rise Interactive clients. Edgepark explained in a notification letter to the California Attorney General that it was informed about the data security incident by Rise Interactive on December 5, 2022. While the investigation into the breach is ongoing, Edgepark Medical Supplies was informed that the files potentially accessed included names, email addresses, phone numbers, provider information, diagnoses, expected delivery dates, and health insurance information. The breach was confined to Rise Interactive’s systems. Edgepark Medical Supplies said Rise Interactive is evaluating its security measures and will modify internal controls and practices to improve the privacy and security of client information.

DotHouse Health Incorporated

DotHouse Health Incorporated, a Joint Commission-accredited health center in Dorchester, MA, has announced that unauthorized individuals gained access to certain parts of its network between October 31, 2022, and November 27, 2022. Suspicious activity was detected within its network in November 2022, and a third-party computer forensics firm was engaged to investigate the breach. On or around January 12, 2023, the investigation confirmed that the parts of the network that were accessed included files containing patient information such as full names, addresses, dates of birth, medical record numbers, diagnoses/conditions, medications, other treatment information, and claims information.

The review of the affected files is ongoing and notification letters will be sent to affected individuals when that process is completed. DotHouse Health said that while data theft has not been confirmed, it is likely that patient information was accessed and downloaded. Affected individuals have been advised to monitor their account statements, credit reports, and Explanation of Benefits statements for unauthorized activity and to report any suspicious activity immediately. The breach has been reported to the HHS’ Office for Civil Rights as affecting up to 10,000 individuals.

Reventics

Reventics, a Greenwood Village, CO-based clinical documentation improvement and revenue cycle management company, has recently confirmed that hackers gained access to its computer environment and accessed and stole patient data. The cyber intrusion was detected by Reventics on or around December 15, 2022, when suspicious activity was identified on some of its servers. A third-party cybersecurity and digital forensics company was engaged to investigate the breach, and determined on December 27, 2022, that the files exfiltrated from its systems contained HIPAA-protected data, including names, birth dates, Social Security numbers, financial information, healthcare provider details, health plan names, clinical data, and service/procedure codes and a brief description of those codes.

Reventics said it has implemented additional safeguards to prevent further cyberattacks and data breaches, including new encryption controls. A new, comprehensive security risk analysis has also been performed and further training has been provided to the workforce. Affected individuals are now being notified and have been offered complimentary credit monitoring and identity theft protection services.

The breach has yet to appear on the HHS’ Breach portal, so it is currently unclear how many individuals have been affected.

PHI Compromised in 4 Recent Ransomware and Malware Attacks

Teijin Automotive Technologies Says Welfare Plan Data Compromised in December Ransomware Attack

Teijin Automotive Technologies has recently confirmed the protected health information of 25,464 members of its welfare plan has potentially been accessed and stolen in a December 1, 2022, ransomware attack. Teijin Automotive Technologies has been transparent about the attack and its cause, confirming that its security systems were circumvented in a phishing attack. An employee clicked on a link in a phishing email on November 30, which allowed the threat actor to steal credentials, compromise the company’s servers, and deploy ransomware the following day. The attack was contained by December 5, 2022.

Prompt action was taken by the IT team to prevent any further unauthorized access and law enforcement and the FBI were immediately notified and provided assistance with the investigation. The review of the compromised servers revealed they contained information related to the company’s welfare plan such as names, addresses, birth dates, Social Security numbers, health insurance policy information, and, in a limited number of cases, banking information. Teijin Automotive Technologies said medical information was not believed to have been stored on the affected servers.

“The security and confidentiality of personal employee information and the business information of our customers is critical to Teijin Automotive Technologies,” said CEO Chris Twining. “We are sorry this incident occurred and apologize to our employees, customers, and affected individuals. We have taken additional steps to strengthen the security of our data, including enhancing our security procedures, investing in new technology, and requiring additional training for our employees.” Affected individuals have been notified and credit monitoring services have been offered.

Arizona Health Advantage Reports Malware Attack

Arizona Health Advantage, a Chandler, AZ-based healthcare provider that does business as Arizona Priority Care and AZPC Clinics, LLC, has recently announced that malware has been detected on its network which prevented access to some of its servers and allowed unauthorized individuals to access and exfiltrate patient and health plan member data.

The security incident was detected on December 5, 2022, when employees were prevented from accessing files on some of its servers. A third-party computer forensics company was engaged to investigate the breach and determined the attack occurred between December 1 and December 2, during which time files were exfiltrated that contained the data of patients and members of the following health plans: Alignment Health Plan of Arizona, Inc., Alignment Health Insurance Company of Arizona, Inc., Blue Cross Blue Shield of Arizona, Health Net of Arizona, Inc. (Centene), and WellCare Health Plans of Arizona, Inc. (Centene).

The types of data involved varied from person to person and may have included name, date of birth, address, treatment dates, treatment information, service authorization numbers, health plan member number, and other personal information. Affected individuals have been notified and offered a one-year membership to a credit monitoring service. Additional security protections and protocols have now been implemented to protect against attacks in the future. According to the HHS’ Office for Civil Rights, the protected health information of 10,978 individuals was potentially compromised.

Garrison Women’s Health Says Malware Allowed Access to Patient Data

Dover, NH-based Garrison Women’s Health, a division of Wentworth-Douglass Hospital, has recently announced that the protected health information of 4,158 patients was potentially stolen in a cyberattack on one of its business associates, Global Network Systems.

Global Network Systems, a provider of technology services, detected the attack on December 12, 2022, which caused a network outage that rendered its systems unavailable. The investigation confirmed that an unauthorized third party had access to Global’s systems for 8 months, with the initial access determined to have occurred on April 29, 2022.

Garrison Women’s Health said the attack corrupted information in its electronic health records, which were hosted by Global, and that information has not been recovered. The corrupted data related to patients who received healthcare services between April 29, 2022, and December 12, 2022, and included medical and treatment information, coding, claims data, insurance information, payment information, physician notes, and scheduling information.

Garrison Women’s Health said it was unable to restore the corrupted data from backups, but said it was possible to restore access to the information contained in specific radiology and ultrasound applications, and after investigating other potential backup sources, was able to restore its electronic medical record system and recover data prior to April 28, 2022.

While the incident was not reported as a ransomware attack, it has the hallmarks of a ransomware attack. Garrison Women’s Health said it does not believe there has been any misuse of patient data, although affected individuals have been advised to monitor their accounts and Explanation of Benefits statements for unauthorized activity.

While data loss was confirmed, Garrison Women’s Health said some of the lost information may have been duplicated and may be maintained by a patient’s primary care physician, hospital, or other providers, or could have been received by a patient’s health plan.

Malware Attack on Intelligent Business Solutions Exposed Riverside Health System Data

Intelligent Business Solutions (IBS) has recently started sending notifications to cardio-thoracic patients of Riverside Health System to inform them that some of their personal and protected health information has potentially been accessed or stolen. A security breach was detected on or around November 14, 2022, when suspicious activity was identified within the IBS network. The forensic investigation identified the presence of malware, which was used to encrypt files on certain servers and systems. The breach lasted from November 10, 2022, to November 15, 2022.

The review of the affected files confirmed they contained the following data types: name, Social Security number, date of birth, health insurance information, medical treatment information, and procedure information. While data theft may have occurred, IBS said it is unaware of any actual or attempted misuse of the impacted data. IBS said it had extensive policies, procedures, and cybersecurity protections in place, but they were unable to prevent the attack. Those cybersecurity measures are being reviewed and will be updated, as appropriate, to reduce the likelihood of further attacks. Affected individuals have been offered complimentary memberships to credit monitoring and identity theft protection services for 24 months.

Up to 1 Million Community Health Systems’ Patients Affected by GoAnywhere MFT Hack

Franklin, TN-based Community Health Systems has recently confirmed that it has been affected by a security incident at a cybersecurity firm that has seen unauthorized individuals gain access to the protected health information of up to 1 million patients. Community Health Systems is one of the largest health systems in the United States, and operates 79 hospitals and more than 1,000 sites of care in 16 U.S. states. On February 13, 2023, Community Health Systems confirmed in a Securities and Exchange Commission 8-K filing that it was recently notified by one of its cybersecurity vendors – Fortra – about a security incident affecting some of its data.

Community Health Systems said the breach appears to be limited to Fortra’s GoAnywhere MFT platform, its own systems have not been compromised, and the security incident did not have any impact on the care provided to patients. It is too early to tell exactly what information has been exposed, the extent of any data theft, and how many individuals have been affected, but Community Health Systems believes up to 1 million individuals have most likely been affected.

Community Health Systems confirmed that it is covered by a cyber insurance policy that provides some degree of protection against losses due to cyberattacks and it will be offering identity theft protection services to affected individuals. Further information will be released as the investigation progresses.

Zero-Day Flaw Exploited in More Than 130 Attacks

Fortra is a cybersecurity company that provides a secure file transfer platform called GoAnywhere MFT. Fortra recently confirmed that a zero-day vulnerability has been identified that was being exploited in the wild. At the time of issuing the security alert, a patch was not available to fix the vulnerability. Fortra notified all customers and provided mitigations to prevent exploitation of the flaw, then released an emergency patch the following day.

The vulnerability – tracked as CVE-2023-0669 – can be exploited remotely on GoAnywhere MFT instances that have their admin consoles exposed to the Internet. Successful exploitation of the flaw will allow a malicious actor to remotely execute code. A proof-of-concept (PoC) exploit for the flaw was publicly released this week. The flaw cannot be exploited if the admin console is only available within a private network or through a VPN, nor if allow-lists have been created to restrict access to trusted IP addresses.

Bleeping Computer has reported that it was contacted by a hacker who claimed to be a member of the Clop ransomware gang who said the vulnerability had been exploited by the group at more than 130 organizations. The exploit allowed them to gain access to the platform and move laterally, and while it would have been possible to deploy ransomware, the decision was made to only exfiltrate data in an extortion-only attack.

Similar tactics were used in December 2020 in a wave of attacks that exploited a zero-day vulnerability in the Accellion File Transfer Appliance (FTA). Approximately 100 companies were affected, had data stolen, and were subject to extortion attempts. Data was subsequently leaked on the Clop data leak site when the ransoms were not paid. The attacks were attributed to a group called FIN11, which has ties to the Clop ransomware group.

While the claims by the Clop ransomware group member have not been verified, Joe Slowik, Threat Intelligence Manager at the cybersecurity firm Huntress, has linked the attacks to the threat actor tracked as TA505, which has previously conducted ransomware attacks using Locky, Philadelphia, GlobeImposter, and Clop ransomware variants. Bleeping Computer reports that Shodan scans show there are more than 1,000 GoAnywhere MFT instances exposed to the Internet, but only 136 are vulnerable to the flaw, as they can be accessed via ports 8000 and 8001, which are used by the vulnerable admin console.

Few Victims of Healthcare Data Breaches Take Advantage of Free Credit Monitoring Services

The risk and financial advisory solution provider Kroll reports that healthcare has overtaken finance as the most breached industry, based on the number of data breaches the firm has been called upon to assist with. In 2022, 22% of the data breaches investigated by Kroll occurred at healthcare organizations, up from 16% in 2021 – a year-over-year increase of 38%.

While the percentage of healthcare data breaches Kroll investigated increased in 2022, consumers appear to be much less concerned about breaches of their healthcare data than they are about breaches of their financial information. 32% of the calls Kroll received from individuals impacted by data breaches were in response to data breaches at healthcare organizations, compared to 49% of calls in response to data breaches at financial institutions. There was a 127% year-over-year increase in the number of calls Kroll received from consumers affected by breaches at financial institutions, yet despite the increase in healthcare data breaches, there was only a 19% increase in calls from consumers about those breaches.

Individuals impacted by data breaches at healthcare organizations are also much less likely to take advantage of the complimentary credit monitoring and identity theft protection services that they are offered. 69% of individuals who were offered these complimentary services following a data breach at a financial institution took advantage of those services, compared to just 20% of individuals who were affected by healthcare data breaches.

While financial data is valuable to cybercriminals and is often misused, data breaches at healthcare organizations also put victims at risk. When personal information is stolen along with Social Security numbers and/or driver’s license numbers, victims are put at risk of identity theft and fraud, so it is surprising that so few victims of healthcare data breaches avail themselves of these services.

It is also surprising considering the number of lawsuits that are now being filed in response to healthcare data breaches. It is common for multiple lawsuits to be filed following a healthcare data breach, often within days or weeks of notification letters being sent. These lawsuits allege victims face an imminent and increased risk of identity theft and fraud as a result of the theft of their personal and protected health information. The lawsuits often also take issue with the short duration of credit monitoring and identity theft services provided to victims.

It is worthwhile noting that there is a growing breach notification trend in healthcare of providing as little information as possible in breach notifications, to the point where victims of the data breaches are unable to accurately assess the level of risk they face. For instance, breach victims are not always told that their data has been stolen in a hacking incident, only that their data has potentially been stolen, or they are not informed that a ransomware gang has published the stolen data on its leak site. This could well be a factor in why so few victims of healthcare data breaches take advantage of these services.

While the data from Kroll appears to suggest that consumers are not nearly as concerned about breaches of their healthcare data as financial information, concern does appear to be growing. There was a 66% year-over-year increase in the number of consumers signing up for credit monitoring and identity theft services following a healthcare data breach, although not nearly as big an increase as finance, which saw a 126% year-over-year increase in people signing up for credit monitoring and identity theft services.

“Understanding the drivers behind the Data Breach Outlook figures is subjective, and it is important that businesses combine this data with their own insight from talking to customers and market research,” suggests Kroll. “It is also true that while an industry may make up less of the overall number of data breach cases, it is not immune from the impact of a data breach and should similarly have playbooks if an incident was to occur.”

The post Few Victims of Healthcare Data Breaches Take Advantage of Free Credit Monitoring Services appeared first on HIPAA Journal.

Hackers Compromised Sharp HealthCare Web Server and Stole Patient Data

Sharp HealthCare in San Diego has recently notified almost 63,000 patients that some of their personal and protected health information has potentially been stolen in a recent cyberattack on its web server. Sharp HealthCare detected the cyberattack on January 12, 2023, and immediately shut down the web server while the incident was investigated. A third-party digital forensics company was engaged to investigate and determine the nature and scope of the incident and confirmed that an unauthorized third party successfully compromised the web server that powered the sharp.com website for a few hours on January 12. During that time the third party downloaded a file that contained patient data.

Sharp HealthCare stressed that the FollowMyHealth patient portal was not accessed, and no highly sensitive information was exposed or stolen. No financial information, contact information, dates of birth, Social Security numbers, health insurance information, or medical information was accessed or stolen in the attack. The affected individuals had previously visited the website and paid medical bills online between August 12, 2021, and January 12, 2023. Sharp HealthCare said the information in the stolen file varied from patient to patient and included names, internal identification numbers, invoice numbers, payment amounts, and the names of the Sharp HealthCare facilities that received those payments.

Notification letters were sent to the 62,777 affected individuals on February 3, 2023. Credit monitoring services are not being offered due to the limited nature of the stolen information. Sharp HealthCare said no reports of actual or attempted misuse of patient data have been received and that, as a precaution, affected individuals should review the statements they receive from their healthcare providers and should report any charges for healthcare services that have not been received. Sharp HealthCare said it has upgraded the security tools on its website to prevent similar breaches in the future and constantly monitors its IT systems for suspicious activity.


Regal Medical Group Ransomware Attack & Southeast Colorado Hospital District Email Breach

Regal Medical Group, a San Bernardino, CA-based affiliate of the Heritage Provider Network, recently announced that it was attacked with ransomware. On December 2, 2022, employees experienced difficulty accessing data. Third-party cybersecurity experts were engaged to investigate the attack and assist with the breach response and confirmed that malware had been used to encrypt files on some of its servers.

The forensic investigation confirmed that the attackers gained access to the servers on or around December 1 and exfiltrated files before the ransomware was deployed. The review of those files confirmed they contained the protected health information of patients of Regal Medical Group, Lakeside Medical Organization, ADOC Medical Group, and Greater Covina Medical. The files contained information such as names, phone numbers, addresses, dates of birth, diagnosis and treatment information, laboratory test results, prescription data, radiology reports, health plan member numbers, and Social Security numbers.

Regal Medical Group said additional security measures have been implemented to protect against further attacks, and affected individuals have been offered complimentary memberships to the Norton LifeLock credit monitoring service for 12 months. The incident has been reported to the HHS’ Office for Civil Rights, but it is not yet showing on the HHS breach portal, so it is currently unclear how many patients have been affected.

Southeast Colorado Hospital District Announces Email Account Breach

Southeast Colorado Hospital District has discovered a breach of a single email account. The security breach was detected on December 6, 2022, with the forensic investigation determining that the account was accessed by an unauthorized third party on multiple occasions between November 23 and December 5.

Southeast Colorado Hospital District reviewed all emails and attachments in the account and confirmed that the protected health information of 1,435 patients had been exposed. Affected individuals had one or more of the following types of information exposed: Name, Social Security number, driver’s license number, date of birth, medical treatment or diagnosis information, and/or health insurance information.

Notification letters were sent to the affected individuals on February 3, 2023. Complimentary credit monitoring and identity theft protection services have been offered to individuals whose Social Security numbers or driver’s license numbers were exposed.


Highmark Health Phishing Attack Affects 300,000 Patients

Pittsburgh, PA-based Highmark Health, the second largest integrated delivery and financing system in the U.S., has recently announced that an unauthorized individual has accessed the email account of one of its employees following a response to a phishing email. After the employee clicked the link in the email and disclosed their credentials, the account was accessed remotely by an unauthorized third party who potentially viewed and exfiltrated emails and attachments from the account.

The unauthorized account activity was detected by Highmark Health on December 15, 2022, with the initial compromise occurring on December 13, 2022. A review of the emails and attachments revealed they contained the protected health information of health plan members, such as group name, identification numbers, claim numbers, dates of service, procedures, prescription information, addresses, phone numbers, email addresses, and financial information. The Social Security numbers of a subset of individuals were also exposed.

When the breach was detected, the affected mailbox was immediately deactivated, network blocking was implemented, and passwords were reset. Email security controls have also been enhanced and further training has been provided to employees on how to identify phishing attempts and other cyber threats. While no evidence of misuse of the affected data has been identified, affected individuals are being offered complimentary credit monitoring and identity theft protection services, irrespective of whether their Social Security numbers were involved.

According to the data breach notice sent to the Maine Attorney General, up to 300,000 individuals have been affected, including 2,774 Maine residents. Notification letters are being mailed on February 13, 2023.

Cardiovascular Associates Reports Cyberattack Involving Data Theft

On December 5, 2022, Cardiovascular Associates (CVA) in Birmingham, AL discovered suspicious activity within its computer systems. The systems were isolated while the potential intrusion was investigated, with the forensic analysis confirming hackers first gained access to its IT environment on November 28, 2022. Between that date and December 5, files containing patient data were exfiltrated from its systems.

The review of the affected files confirmed they contained names, dates of birth, addresses, Social Security numbers, health insurance information, medical and treatment information, billings and claims information, passport numbers, driver’s license numbers, credit/debit card information, and financial account information and, for a limited number of individuals, usernames and passwords. CVA said its systems were secured as soon as the unauthorized activity was detected and its security and monitoring capabilities have been improved to prevent similar breaches in the future. Affected individuals have been offered complimentary credit monitoring and identity restoration services.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Patient Data Potentially Stolen in Cyberattack on Aspire Surgical

UT Specialty Dental Services, PLLC, which operates several oral and maxillofacial surgery centers in Utah under the name Aspire Surgical, has recently confirmed it was the victim of a cyberattack in December 2022, which may have involved unauthorized access to and the theft of sensitive patient data.

The cyberattack was detected on December 7, 2022, and third-party cybersecurity experts were immediately engaged to contain, assess, and remediate the attack. The investigation confirmed the attackers had access to parts of its IT environment that contained patient data such as names, patient account numbers, dates of service, and amounts paid. Medical treatment records, Social Security numbers, and financial information were not exposed.

While no evidence has been found to indicate any misuse of patient data, affected individuals have been offered complimentary credit monitoring and identity theft protection services. Aspire Surgical has reviewed and enhanced its data security policies and procedures to protect against similar security breaches in the future.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.
