HIPAA Breach News

1H 2022 Healthcare Data Breach Report

Ransomware attacks are rife, hacking incidents are being reported at high levels, and there have been several very large healthcare data breaches reported so far in 2022; however, our analysis of healthcare data breaches reported in 1H 2022, shows that while data breaches are certainly being reported in high numbers, there has been a fall in the number of reported breaches compared to 1H 2021.

Between January 1, 2022, and June 30, 2022, 347 healthcare data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) – the same number of data breaches reported in 2H, 2021. In 1H, 2021, 368 healthcare data breaches were reported to OCR, so the total for the corresponding period this year is 21 lower. That represents a 5.71% reduction in reported breaches.

Chart: Reported healthcare data breaches - 1H 2022

The number of healthcare records breached has continued to fall. In 1H, 2021, 27.6 million healthcare records were breached. In 2H, 2021, the number of breached records fell to 22.2 million, and the fall continued in 1H, 2022, when 20.2 million records were breached. That is a 9.1% fall from 2H, 2021, and a 26.8% reduction from 1H, 2021.

Chart: Breached healthcare records - 1H 2022

While it is certainly good news that data breaches and the number of breached records are falling, the data should be treated with caution, as some major data breaches have been reported that are not yet reflected in this breach report – data breaches at business associates where only a handful of the affected entities have reported the breach so far.

One notable breach is a ransomware attack on the HIPAA business associate, Professional Finance Company. That one breach alone affected 657 HIPAA-covered entities, and only a few of those entities have reported the breach so far. Another major business associate breach, at Avamere Health Services, affected 96 senior living and healthcare facilities. The end-of-year breach report could tell a different story.

Largest Healthcare Data Breaches in 1H 2022

1H 2022 Healthcare Data Breaches of 500 or More Records
500-1,000 records: 61
1,001-9,999 records: 132
10,000-99,999 records: 117
100,000-249,999 records: 20
250,000-499,999 records: 7
500,000-999,999 records: 6
1,000,000+ records: 4


Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Business Associate Data Breach | Cause of Data Breach
Shields Health Care Group, Inc. | MA | Business Associate | 2,000,000 | Hacking/IT Incident | Yes | Unspecified cyberattack
North Broward Hospital District (Broward Health) | FL | Healthcare Provider | 1,351,431 | Hacking/IT Incident | No | Cyberattack through the office of 3rd party medical provider
Texas Tech University Health Sciences Center | TX | Healthcare Provider | 1,290,104 | Hacking/IT Incident | Yes | Ransomware attack on EHR provider (Eye Care Leaders)
Baptist Medical Center | TX | Healthcare Provider | 1,243,031 | Hacking/IT Incident | No | Unspecified cyberattack
Partnership HealthPlan of California | CA | Health Plan | 854,913 | Hacking/IT Incident | No | Ransomware attack
MCG Health, LLC | WA | Business Associate | 793,283 | Hacking/IT Incident | Yes | Unspecified hacking and data theft incident
Yuma Regional Medical Center | AZ | Healthcare Provider | 737,448 | Hacking/IT Incident | No | Ransomware attack
Morley Companies, Inc. | MI | Business Associate | 521,046 | Hacking/IT Incident | Yes | Unspecified hacking and data theft incident
Adaptive Health Integrations | ND | Healthcare Provider | 510,574 | Hacking/IT Incident | No | Unspecified hacking incident
Christie Business Holdings Company, P.C. | IL | Healthcare Provider | 502,869 | Hacking/IT Incident | No | Unauthorized access to email accounts
Monongalia Health System, Inc. | WV | Healthcare Provider | 492,861 | Hacking/IT Incident | No | Unspecified hacking incident
ARcare | AR | Healthcare Provider | 345,353 | Hacking/IT Incident | No | Malware infection
Super Care, Inc. dba SuperCare Health | CA | Healthcare Provider | 318,379 | Hacking/IT Incident | No | Unspecified hacking incident
Cytometry Specialists, Inc. (CSI Laboratories) | GA | Healthcare Provider | 312,000 | Hacking/IT Incident | No | Ransomware attack
South Denver Cardiology Associates, PC | CO | Healthcare Provider | 287,652 | Hacking/IT Incident | No | Unspecified hacking incident
Stokes Regional Eye Centers | SC | Healthcare Provider | 266,170 | Hacking/IT Incident | Yes | Ransomware attack on EHR provider (Eye Care Leaders)
Refuah Health Center | NY | Healthcare Provider | 260,740 | Hacking/IT Incident | No | Ransomware attack

Causes of 1H 2022 Healthcare Data Breaches

Hacking and other IT incidents dominated the breach reports in 1H 2022, accounting for 277 data breaches or 79.83% of all breaches reported in 1H. That represents a 7.36% increase from 2H, 2021, and a 6.44% increase from 1H, 2021. Across the hacking incidents in 1H, 2022, the protected health information of 19,654,129 individuals was exposed or compromised – 97.22% of all records breached in 1H, 2022.

That represents a 6.51% reduction in breached records from 2H, 2021, and a 26.56% reduction in breached records from 1H, 2021, showing that while hacking incidents are being conducted in very high numbers compared to previous years, the severity of those incidents has reduced.

The average hacking/IT incident breach size was 70,954 records in 1H, 2022 and the median breach size was 10,324 records. In 2H, 2021, the average breach size was 81,487 records with a median breach size of 5,989 records, and in 1H, 2021, the average breach size was 96,658 records and the median breach size was 6,635 records.

In 1H, 2022, there were 52 unauthorized access/disclosure breaches reported – 14.99% of all breaches in 1H, 2022. These incidents resulted in the impermissible disclosure of 278,034 healthcare records, 72.33% fewer records than in 2H, 2021, and 61.37% fewer records than in 1H, 2021. In 1H, 2022, the average breach size was 5,347 records and the median breach size was 1,421 records. In 2H, 2021, the average breach size was 14,778 records and the median was 1,946 records. In 1H, 2021, the average breach size was 9,725 records, and the median breach size was 1,848 records.

The number of loss, theft, and improper disposal incidents has remained fairly constant over the past 18 months, although the number of records exposed in these incidents increased in 1H, 2022 to 279,266 records, up 217.33% from 2H, 2021, and 422.53% from 1H, 2021.

Location of Breached Protected Health Information

Protected health information is stored in many different locations. Medical records are housed in electronic medical record systems, but a great deal of PHI is also held in documents, spreadsheets, billing systems, email accounts, and many other locations. The chart below shows the locations where the breached PHI was stored. In several security breaches, PHI was compromised in more than one location.

The data shows that by far the most common location of breached data is network servers, which is unsurprising given the high number of hacking incidents and ransomware attacks. Most data breaches do not involve electronic medical record systems; however, there have been breaches at electronic medical record providers this year, hence the increase in data breaches involving EHRs. The chart below also shows the extent to which email accounts are compromised. These incidents include phishing attacks and brute force attacks to guess weak passwords. HIPAA-regulated entities can reduce the risk of email data breaches by implementing multifactor authentication and having robust password policies and enforcing those policies. A password manager is recommended to make it easier for healthcare employees to set unique, complex passwords. It is also important not to neglect security awareness training for the workforce – a requirement for compliance with the HIPAA Security Rule.

Chart: Location of breached PHI

Where are the Data Breaches Occurring?

Healthcare providers are consistently the worst affected type of HIPAA-covered entity; however, the number of data breaches occurring at business associates has increased. Data breaches at business associates often affect multiple HIPAA-covered entities. These data breaches are shown on the OCR breach portal; however, their extent is not clearly reflected there because a breach at a business associate is often reported separately by each affected HIPAA-covered entity. Simply tallying up the reported breaches by the reporting entity does not reflect the extent to which business associate data breaches are occurring.

This has always been reflected in the HIPAA Journal data breach reports, and since June 2021, the reporting of data breaches by covered entity type was adjusted further to make business associate data breaches clearer by showing graphs of where the breach occurred, rather than the entity reporting the data breach. The HIPAA Journal data analysis shows the rising number of healthcare data breaches at business associates.

1H 2022 Data Breaches by State

As a general rule of thumb, U.S. states with the highest populations tend to be the worst affected by data breaches, so California, Texas, Florida, New York, and Pennsylvania tend to experience more breaches than sparsely populated states such as Alaska, Vermont, and Wyoming; however, data breaches are being reported all across the United States.

The data from 1H 2022, shows data breaches occurred in 43 states, D.C. and Puerto Rico, with healthcare data safest in Alaska, Iowa, Louisiana, Maine, New Mexico, South Dakota, & Wyoming, where no data breaches were reported in the first half of the year.

State Number of Breaches
New York 29
California 23
New Jersey & Texas 18
Florida & Ohio 17
Michigan & Pennsylvania 15
Georgia 14
Virginia 13
Illinois & Washington 12
Massachusetts & North Carolina 10
Colorado, Missouri, & Tennessee 9
Alabama, Arizona, & Kansas 8
Maryland 7
Connecticut & South Carolina 6
Oklahoma, Utah, & West Virginia 5
Indiana, Minnesota, Nebraska, & New Hampshire 4
Wisconsin 3
Arkansas, Delaware, Mississippi, Montana, Nevada, & the District of Columbia 2
Hawaii, Idaho, Kentucky, North Dakota, Oregon, Rhode Island, Vermont, and Puerto Rico 1

HIPAA Enforcement Activity in 1H 2022

HIPAA Journal tracks HIPAA enforcement activity by OCR and state attorneys general in the monthly and annual healthcare data breach reports. In 2016, OCR started taking a harder line on HIPAA-regulated entities that were discovered to have violated the HIPAA Rules and increased the number of financial penalties imposed, with peak enforcement occurring in 2019 when 19 financial penalties were imposed.

2022 has started slowly in terms of HIPAA enforcement actions, with just 4 financial penalties imposed by OCR in 1H, 2022. However, that should not be seen as OCR going easy on HIPAA violators. In July 2022, OCR announced 12 financial penalties to resolve HIPAA violations, bringing the annual total up to 16. HIPAA Journal records show only one enforcement action taken by state attorneys general so far in 2022.

Limitations of this Report

The nature of breach reporting makes generating accurate data breach reports challenging. HIPAA-regulated entities are required to report data breaches to OCR within 60 days of a data breach occurring; however, the number of individuals affected may not be known at that point. As such, data breaches are often reported with an interim figure, which may be adjusted up or down when the investigation is completed. Many HIPAA-regulated entities report data breaches using a placeholder of 500 records, and then submit an amendment, so the final totals may not be reflected in this report. Data for this report was compiled on August 10, 2022.

While data breaches should be reported within 60 days of discovery, there has been a trend in recent years for data breaches to be reported within 60 days of the date when the investigation has confirmed how many individuals have been affected, even though the HIPAA Breach Notification Rule states that the date of discovery is the date the breach is discovered, not the date when investigations have been completed. Data breaches may have occurred and been discovered several months ago, but have not yet been reported. These will naturally not be reflected in this report.

This report is based on data breaches at HIPAA-regulated entities – healthcare providers, health plans, healthcare clearinghouses, and business associates of those entities. If an entity is not subject to HIPAA, they are not included in this report, even if they operate in the healthcare industry.

The post 1H 2022 Healthcare Data Breach Report appeared first on HIPAA Journal.

Zenith American Solutions Reports Mailing Error that Exposed SSNs of 37,000 Individuals

Zenith American Solutions, a third-party administrator for the Sound Health and Wellness Trust, has recently notified individuals about a mailing error that exposed individuals’ Social Security numbers. According to the breach notification, a mailing was sent to individuals on June 24, 2022, advising them to complete their Personal Health Assessments or Health Profiles to enroll in the 2023 Health Reimbursement Account.

The file used for printing the mailing labels included individuals’ full Social Security numbers, which were printed in full on the mailing labels along with full names, postal addresses, and unique ID numbers. The mailing labels also indicated an individual had enrolled in the Sound Health and Wellness Trust.

Zenith American Solutions said it has implemented new quality control procedures to ensure there are no similar incidents in the future and affected individuals have been offered complimentary credit monitoring and identity theft protection services for 24 months.

The breach was reported to the HHS’ Office for Civil Rights as affecting 37,146 individuals.

Centerstone Reports Breach of Email Environment

Centerstone, a national provider of mental health, addiction recovery, residential care, therapeutic foster care, counseling, and crisis services, has recently announced that the protected health information of certain current and former Centerstone clients has been exposed and potentially obtained by unauthorized individuals.

Unusual activity was detected in the Centerstone email environment on February 14, 2022. Steps were immediately taken to secure email accounts by performing a password reset, and an investigation was launched to determine the nature and scope of the security breach. The investigation confirmed that three employee email accounts had been accessed by an unauthorized third party between November 4, 2021, and February 14, 2022.

A comprehensive review of the affected email accounts was completed on July 12, 2022, and confirmed they contained individuals’ protected health information such as names, addresses, Social Security numbers, birth dates, client ID numbers, medical diagnoses, treatment information, and/or health insurance information.

Centerstone has reported the breach to the HHS’ Office for Civil Rights, but the breach is not yet showing on the OCR breach portal, so it is unclear how many individuals have been affected. Centerstone said it has implemented additional safeguards to better protect its email environment.

Southwest Behavioral & Health Services Reports Breach of Employee Email Account

Southwest Behavioral & Health Services, a Phoenix, AZ-based provider of outpatient mental health treatment and psychiatric services, has recently notified 1,337 individuals that an unauthorized third party gained access to the email account of an employee. The email account contained individuals’ names, dates of birth, addresses, email addresses, resume information, medical diagnosis information, Social Security numbers, and phone numbers.

The breach was identified on July 15, 2022, and was confirmed to have occurred on May 5, 2022. Notification letters were sent to affected individuals on August 1, 2022. No evidence was found to indicate any theft of PHI; however, as a precaution, affected individuals have been offered a complimentary membership to identity theft protection services through IDX.

Southwest Behavioral & Health Services said further safeguards have been implemented to prevent further email data breaches and additional security awareness training has been provided to the workforce.


Salinas Valley Memorial Healthcare Settles Email Data Breach Lawsuit for $340K

Salinas Valley Memorial Healthcare System in California has agreed to settle a class action lawsuit for $340,000 to resolve claims from patients affected by a breach of its email environment in 2020.

Between April 30, 2020, and June 5, 2020, unauthorized individuals gained access to the email accounts of four employees and a contractor following responses to phishing emails. Prompt action was taken to secure its email environment, but during the 5-week period of compromise, the attacker(s) had access to emails containing sensitive patient information including names, hospital account numbers, medical record numbers, dates of service, and other information.

Legal action was taken against Salinas Valley by a patient affected by the data breach. The plaintiff alleged that Salinas Valley acted unlawfully by failing to prevent the attack, did not fulfill its legal obligations to safeguard the personal and protected health information of the plaintiff and class members, and violated the California Confidential Medical Information Act, Civil Code §§ 56 et seq.

Salinas Valley maintains it was fully compliant with state laws and denied any wrongdoing related to the security breach; however, the decision was taken to settle the lawsuit to prevent ongoing legal costs and the uncertainty of trial. Under the terms of the proposed settlement, a fund of $340,000 has been created to cover claims from individuals affected by the breach.

All patients who received a breach notification from Salinas Valley about the exposure of their personal and protected health information will be entitled to submit a claim for up to $750 for out-of-pocket expenses and time spent remediating the data breach. Claims will be paid from the fund after attorneys’ fees, expenses, and other court-approved costs have been deducted. Claims will be paid pro rata if the claims total is greater than the settlement fund. The settlement has yet to receive court approval.

Salinas Valley has also committed to improving security, with the measures including undergoing third-party audits and regular penetration tests, maintaining firewalls and access controls, and providing regular security awareness training to the workforce.

Claims must be submitted no later than August 26, 2022. Any individual who objects to the settlement or wants to remove themselves from the class must do so by August 11, 2022.


Updates on Cyberattacks on Goodman Campbell Brain and Spine and Behavioral Health Group

Further information has been released on two cyberattacks on healthcare organizations: Goodman Campbell Brain and Spine and Behavioral Health Group.

Goodman Campbell Brain and Spine Notifies 363,000 Patients About Public Release of PHI on Dark Web

Carmel, IN-based Goodman Campbell Brain and Spine has started notifying 363,000 current and former patients that some of their protected health information was stolen prior to data being encrypted with ransomware and some of the stolen data has been published on the gang’s dark web data leak site.

The cyberattack was discovered by Goodman Campbell on May 20, 2022, and a third-party digital forensics firm was engaged to determine the nature and scope of the breach. The investigation confirmed that the electronic medical record system was not affected, but files containing patients’ protected health information had been exfiltrated from its systems. The stolen files contained information such as names, birthdates, addresses, telephone numbers, email addresses, medical record numbers, patient account numbers, diagnosis and treatment information, physician names, insurance information, dates of service, and Social Security numbers.

The attack caused disruption to its IT and phone systems. In a June 17, 2022, update on the attack, Goodman Campbell said that its phone system had been restored, but its email system remained down. In a July 19, 2022, update, Goodman Campbell said all clinical operations had been resumed and all communication systems had been restored.

While not confirmed by Goodman Campbell, the attack was conducted by the Hive ransomware operation, which has attacked many healthcare providers in the United States. Goodman Campbell said that the data was available on the dark web site for a period of 10 days. Data breach notification letters from healthcare providers rarely state that data has been made available on the dark web, even though patients should be made aware of the fact to allow them to take appropriate precautions to protect their identities. Goodman Campbell has offered affected individuals a 12-month membership to a credit monitoring and identity theft protection service.

Behavioral Health Group Confirms Patient Data Potentially Compromised in December 2021 Cyberattack

Behavioral Health Group (BHG), the operator of more than 80 outpatient opioid treatment centers in 17 U.S. states, has recently confirmed that it suffered a data security incident in 2021. The cyberattack forced BHG to take its systems offline, which caused disruption to operations for almost a week. BHG explained at the time that patients at some of its clinics were prevented from receiving their prescribed take-home methadone/suboxone doses; however, treatments were provided daily at its clinics. BHG did not disclose the exact nature of the cyberattack and if ransomware was used.

According to the BHG substitute breach notice, third-party cybersecurity experts were engaged to assist with the investigation and it was confirmed that unauthorized individuals removed certain files from its systems on December 5, 2021. The breach notice does not state when access to its network was first gained.

A comprehensive review of files on the parts of the network that were accessed confirmed they contained full names, Social Security numbers, driver’s license numbers, state identification numbers, financial account information, payment card information, passport numbers, biometrics, health insurance information, medical diagnosis and treatment information, medications, dates of service, and medical record numbers.

BHG said it has found no evidence to suggest any misuse of the above information but has offered complimentary credit monitoring services to individuals whose Social Security numbers were potentially compromised.

The incident has not yet appeared on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected. BHG said the breach did not affect all patients.


First Choice Community Healthcare and Arlington Skin Notify Patients About Cyberattacks

First Choice Community Healthcare in Albuquerque, NM, has started notifying certain patients that an unauthorized individual gained access to its network and potentially stole patient data. In a substitute breach notification, First Choice explained that unusual activity was detected within its technological environment on March 27, 2022. A third-party cybersecurity firm was engaged to conduct a forensic investigation and determine the nature and scope of the breach. While it was not possible to confirm if any files had been accessed or exfiltrated, the possibility could not be ruled out.

A comprehensive review of the affected files was completed on June 3, 2022, which confirmed that the following information had potentially been compromised: names, Social Security numbers, First Choice patient ID number, diagnosis, and clinical treatment information, medications, dates of service, health insurance information, medical record number, patient account number, date of birth, and provider information. Affected individuals were notified about the breach by mail on August 1, 2022, and have been offered complimentary identity theft protection services through IDX.

The incident has yet to appear on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.

Arlington Skin Notifies 17,468 Patients About Electronic Medical Record Data Breach

Dr. Michelle A. Rivera, MD, doing business as Arlington Skin in Virginia, has started notifying 17,468 patients that their protected health information may have been accessed by unauthorized individuals in a security breach at business associate, Virtual Private Network Solutions (VPN Solutions).

VPN Solutions managed the electronic medical records of patients of Arlington Skin via the Allscripts practice management solution and electronic medical records platform. The cyberattack was discovered by VPN Solutions on or around October 31, 2021, and the forensic investigation confirmed that the information potentially compromised in the attack included names, addresses, dates of birth, diagnostic and treatment information, health insurance information, and Social Security numbers.

Notification letters started to be sent to affected individuals on July 8, 2022. No evidence of data theft was found but, as a precaution, fraud assistance and remediation services have been provided to affected individuals through CyberScout.


Dental Care Alliance Settles Class Action Data Breach Lawsuit for $3 Million

Dental Care Alliance has agreed to settle a class action lawsuit filed in response to a data breach that affected more than 1.7 million individuals. A fund of $3 million has been created to cover claims from individuals affected by the breach.

Dental Care Alliance, LLC, is a Sarasota, FL-based dental support organization with more than 320 affiliated dental practices across 20 states. Dental Care Alliance said its systems were compromised on September 18, 2020, the breach was detected on October 11, 2020, and was contained on October 13, 2020. The forensic investigation confirmed that names, addresses, diagnoses, treatment information, patient account numbers, billing information, dentists’ names, payment card information, and health insurance information had potentially been compromised. Individuals were notified about the breach in December 2020.

The breach report submitted to the HHS’ Office for Civil Rights initially indicated 1,004,304 individuals had been affected, but it was later amended to 1,723,375 individuals. Dental Care Alliance said no specific evidence of data theft was found and it was unaware of any misuse of patient data. Despite highly sensitive information being involved, credit monitoring services were not offered.

A lawsuit – Paras v. Dental Care Alliance, LLC, Case No. 22-ev-000181 – was filed in the State Court of Fulton County, Georgia, on behalf of individuals affected by the data breach. Dental Care Alliance was alleged to have failed to adequately secure patient information and the plaintiffs claimed that had reasonable cybersecurity measures been implemented, the data breach would have been prevented. The plaintiffs alleged that they face an increased risk of identity theft and fraud due to the negligence of Dental Care Alliance and that their sensitive personal and protected health information is now in the hands of data thieves.

Dental Care Alliance has proposed a settlement to resolve claims related to the data breach but has not admitted any wrongdoing. Under the terms of the settlement, a fund of $3 million will be created to cover claims from affected individuals, and 2 years of identity theft protection services are being offered to all affected individuals. Those services include dark web monitoring and coverage by a $1 million identity theft insurance policy.

All class members are entitled to submit claims of up to $2,000 for documented losses due to the data breach, and up to two hours of lost time at $20 per hour. Individuals who are part of a settlement subclass can submit additional claims for up to $3,000 for documented losses and an additional two hours of lost time. The cap for claims is $3,000,000, so claims will be paid pro rata if that figure is exceeded. The attorneys for the plaintiffs will ask the court to award fees of $850,000 and payments of $1,500 for the class representatives. Under the terms of the settlement, Dental Care Alliance has committed to implementing additional data security measures.

The final approval hearing for the settlement is scheduled for Sept. 1, 2022. The deadline for opting out of the settlement – July 26, 2022 – has now passed. Claims must be submitted no later than August 25, 2022.


Healthback Holdings Email Security Breach Affects 21,000 Individuals

The Oklahoma City home health provider, Healthback Holdings, has started notifying 21,114 individuals that some of their protected health information has potentially been viewed or obtained by unauthorized individuals. Unusual activity was detected within its email environment on June 1, 2022. A third-party cybersecurity firm was engaged to assist with the investigation and confirmed that a limited number of employee email accounts had been accessed by an unauthorized third party between October 5, 2021, and May 15, 2022, as a result of responses to phishing emails.

It was not possible to tell which emails, if any, had been viewed, nor if any information in the accounts had been stolen. Notification letters were therefore sent to all individuals whose protected health information was present in the affected email accounts. The exposed information varied from individual to individual and may have included names, health insurance information, Social Security numbers, and clinical information.

Complimentary credit monitoring and identity theft protection services are being provided to eligible individuals. Healthback Holdings has strengthened its email security and further training has been provided to employees on how to detect and avoid phishing emails.

Hacking Incident Reported by the City of Newport in Rhode Island

The City of Newport, RI, has recently reported a breach of the protected health information of 6,109 individuals to the HHS’ Office for Civil Rights. Unusual network activity was detected within its network on June 9, 2022, and certain systems on the network became unavailable. The forensic investigation confirmed hackers had gained access to its network on June 8, 2022, and removed files containing sensitive information from its systems.

A review of the affected files was completed on June 12, 2022, and confirmed that they contained the information of current and former employees and their spouses and/or dependents, including names, addresses, dates of birth, Social Security numbers, financial account numbers used for direct deposit, and information related to group health insurance.

Notification letters were sent to affected individuals on July 22, 2022. Complimentary memberships to identity monitoring services have been offered to affected individuals and steps have been taken to improve the security of the network.

Minuteman Senior Services Email Account Accessed by Unauthorized Individual

Bedford, MA-based Minuteman Senior Services has discovered that an unauthorized individual gained access to an employee’s email account and potentially viewed or obtained sensitive information in the account. The unauthorized access was detected on June 1, 2022, with the forensic investigation confirming the account had been accessed for less than 24 hours.

In a July 29, 2022, substitute breach notification, Minuteman explained that the account contained information such as full names, addresses, birth dates, gender, health insurance information, diagnosis, and service utilization information. No evidence of data theft or misuse has been identified at the time of issuing notifications.

The breach has been reported to the HHS’ Office for Civil Rights as affecting up to 4,000 individuals.

OrthoArizona Notifies Patients About October 2021 Cyberattack

OrthoArizona has recently started notifying 2,748 individuals that their protected health information was exposed and potentially stolen in a cyberattack that was detected on October 30, 2021. OrthoArizona said it quickly engaged the services of a third-party cybersecurity company to assist with the investigation but said the investigation and remediation process was “extensive and labor intensive,” which is why it has taken so long to issue notifications.

The review of the affected files confirmed they contained names, mailing addresses, dates of birth, Social Security numbers, and certain health insurance information. No cases of fraud have been identified as a result of the incident. Individuals who had their Social Security number exposed have been offered complimentary credit monitoring and identity theft protection services through IDX. OrthoArizona said it has reviewed and enhanced its data security policies and procedures.

The post Healthback Holdings Email Security Breach Affects 21,000 Individuals appeared first on HIPAA Journal.

Fast Track Urgent Care Confirms 258,411 Individuals Affected by 2021 PracticeMax Ransomware Attack

Fast Track Urgent Care, a network of urgent healthcare clinics in Florida, has confirmed that 258,411 individuals have had their protected health information exposed and potentially stolen in a ransomware attack on billing and practice management vendor, PracticeMax.

PracticeMax said it identified suspicious activity within its network on May 1, 2021, and confirmed that ransomware was installed on its network. The billing vendor was able to recover the data on its system on May 6, 2021, with the investigation into the breach confirming that its systems had been compromised between April 17 and May 5, 2021. A server used by PracticeMax and several email accounts were affected and data on its systems was encrypted.

The breach affected several of its healthcare clients, including Anthem Inc and Humana. The two health insurance firms confirmed they had been affected in late February 2022, with PracticeMax publicly reporting the breach in the fall of 2021. Fast Track Urgent Care said it was first notified about the ransomware attack by PracticeMax on May 10, 2021, but at that stage of the investigation, it was unclear whether the protected health information of its patients had been viewed or stolen in the attack.

On February 14, 2022, Fast Track Urgent Care said it was ‘first informed’ by PracticeMax that patient data may have been impacted, but PracticeMax could still not confirm whether customer and patient data had been accessed or stolen and that the investigation was ongoing. Fast Track Urgent Care said it took until June 6, 2022, 13 months after the initial breach, for PracticeMax to confirm that Fast Track Urgent Care patient data had been accessed.

Fast Track Urgent Care said the types of information compromised in the incident included names, Social Security numbers, passport numbers, treatment and diagnosis information, driver’s license numbers, birth dates, health insurance information, and financial information. It also confirmed that PracticeMax has offered affected individuals complimentary memberships to credit monitoring and identity theft protection services. Notification letters are being sent to affected individuals by PracticeMax on behalf of Fast Track Urgent Care.

Fast Track Urgent Care said PracticeMax took several steps to resolve the security incident and has reviewed policies and procedures and implemented additional safeguards to better secure the information on its systems.

The post Fast Track Urgent Care Confirms 258,411 Individuals Affected by 2021 PracticeMax Ransomware Attack appeared first on HIPAA Journal.

326,278 Aetna ACE Members Affected by Ransomware Attack at Mailing Vendor

The health insurer Aetna ACE is one of the latest healthcare organizations to announce it has been affected by a ransomware attack on a mailing vendor, which involved the protected health information of 326,278 plan members. Aetna said the breach was limited to individuals insured under Aetna ACE, and that no protected health information of individuals served by Aetna or CVS Health was involved.

The ransomware attack affected OneTouchPoint, which provides printing and mailing services for U.S. companies, including billing vendors used by healthcare organizations. OneTouchPoint is provided with contact information and limited other data types to provide its contracted services. On April 28, 2022, OneTouchPoint discovered files had been encrypted on its systems, with the unauthorized access occurring the previous day on April 27, 2022.

Third-party cybersecurity specialists were engaged to investigate the security incident and completed the investigation on June 1, 2022, but were unable to determine which specific files were exfiltrated from its systems. Affected customers were notified on June 3, 2022, and OneTouchPoint worked with those customers to determine the type of information that could potentially have been viewed or removed from its systems. The exposed and potentially stolen data included names, addresses, dates of birth, member IDs, and limited medical information.

OneTouchPoint said it offered to send notifications to all affected individuals; however, some of its clients have chosen to self-report the breach and send notifications themselves. OneTouchPoint has reported the incident on behalf of 30 health plans and informed the Maine Attorney General that 1,073,316 individuals had been affected. Aetna ACE chose to self-report the breach. Other health plans affected by the OneTouchPoint ransomware attack include Anthem, Humana, Kaiser Permanente, Geisinger, Health First, UPMC Health Plan, Blue Shield of California Promise Health, Blue Cross and Blue Shield of Alabama, and other Blue Cross Blue Shield-affiliated health plans.

Aetna ACE is no stranger to data breaches at business associates. In 2020, a phishing attack on a business associate exposed the PHI of 484,157 Aetna ACE plan members. An employee of the vendor EyeMed responded to a phishing email, which gave unauthorized individuals access to email accounts that contained the PHI of 2.1 million individuals. EyeMed was fined $600,000 by the New York State Attorney General for the security failures that led to the data breach.

Aetna also experienced another mailing-related data breach in 2017 that affected 12,000 individuals. In that case, a mailing was sent to members to inform them about different options for filling prescriptions for their HIV medications; however, window envelopes were used through which the HIV drug information was clearly visible, making it apparent that the members were being treated for HIV or were taking HIV medications to prevent infection. Aetna was investigated by state attorneys general, settled the cases, and paid more than $2,725,000 in penalties. A $1,000,000 penalty was also imposed by the HHS’ Office for Civil Rights, and Aetna settled a class action lawsuit for $17 million.

The post 326,278 Aetna ACE Members Affected by Ransomware Attack at Mailing Vendor appeared first on HIPAA Journal.