HIPAA Breach News

Phishing Attack on Washington Therapist Exposes Patients’ PHI

A Washington therapist, Robert S. Miller LICSW, ACSW (RSM), has recently notified 640 current and former clients about a phishing incident that resulted in the exposure of some of their protected health information.

State laws require notifications to be sent to state attorneys general when there has been a breach of the private information of state residents. The notifications typically provide the minimum information about privacy breaches, but in this case, the therapist explained exactly how the phishing attack played out.

RSM had purchased an antivirus solution from the Iolo Software Company, and subsequently purchased an additional encryption program, which had disappeared from his computer. RSM was contacted by a person who claimed to be an Iolo employee who said he was aware that RSM’s computer had been hacked and requested access to clean the computer of viruses and malware. Access to the device was granted. RSM said he discovered this was a scam when the employee requested eBay cards worth $300.

As a result of this incident, that individual had access to the computer from December 2 to December 4, 2022, and potentially obtained files containing names, dates of birth, mailing addresses, email addresses, phone numbers, medical insurance ID numbers, Social Security numbers, and clinical information, which included evaluations, progress notes, mental health rating scales, and letters.

In response to this incident, RSM has taken several steps to prevent similar incidents in the future, including adopting encryption technologies, strengthening passwords, and engaging a third-party software company to review computers and remove any malware that may have been installed. Affected clients have been offered complimentary identity theft protection services.

Email Account Breach Reported by MJ Care

MJ Care, a New Berlin, WI-based provider of rehabilitation and health services, has recently notified 1,832 patients that some of their protected health information has potentially been accessed or obtained by an unauthorized individual. MJ Care did not state when the breach was detected; however, the investigation revealed the email account was accessed between May 31, 2022, and June 24, 2022.

The review of the affected email account concluded on November 2, 2022, and confirmed it contained patient names along with one or more of the following types of information: Social Security numbers, dates of birth, financial account information, credit/debit card information, biometric information, dates of service, treatment/diagnosis information, provider name, medical record numbers, patient numbers, medications, general medical information, and/or health insurance policy information. Notifications were sent to affected individuals on December 29, 2022. Complimentary credit monitoring services have been offered to patients whose Social Security numbers were exposed.

The post Phishing Attack on Washington Therapist Exposes Patients’ PHI appeared first on HIPAA Journal.

Tracking Code Privacy Incident Affects 29,000 Insulet Corporation Customers

The Massachusetts-based medical device company, Insulet Corporation, has recently notified 29,000 of its Omnipod DASH customers about a recent privacy breach. A Medical Device Correction letter was recently sent to customers. Due to the importance of applying the update, a follow-up receipt acknowledgment request was sent via email on December 1, 2022.

The emails included a clickable link that directed customers to a webpage used for receipt verification; however, an error was made when configuring that website, which resulted in an impermissible disclosure of customers’ protected health information. Each customer was sent a unique URL that included their IP address, whether the customer was an Omnipod DASH user, and whether they had a Personal Diabetes Manager.

Cookies and trackers embedded in the MDC acknowledgment pages transferred details of those URLs to third-party website performance and marketing partners. Insulet said the privacy violation was discovered on December 6, 2022. All tracking technologies on the web pages were disabled to prevent further PHI exposure, and Insulet asked its marketing partners to delete the logs containing the IP addresses and unique URLs.
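As an added illustration of the failure mode described above (example code, not Insulet's or the page's own), the snippet shows what any third-party script on such an acknowledgment page can read from the address bar, a check that flags URLs still carrying identifying parameters, and a client-side mitigation that strips them before trackers load. The hostname, the `token` lookup value and the parameter names `ip`, `dash` and `pdm` are constructed placeholders, not the real ones.

```javascript
// Constructed example: a per-customer acknowledgment URL whose query string
// carries identifying fields (names and values are assumed, not Insulet's).
const SAMPLE_URL =
  "https://example.invalid/mdc/ack?token=abc123&ip=203.0.113.7&dash=yes&pdm=yes";

// Query parameters that must never reach a third-party script or its beacons.
// A random, opaque token that the server resolves to a customer record is the
// only thing a verification link needs to carry.
const SENSITIVE_PARAMS = ["ip", "dash", "pdm"];

// What a tracker sees: analytics and marketing tags commonly capture the full
// location.href (and document.referrer on the next hop) in their pageview hit.
function whatATrackerWouldRecord(href) {
  return { page_location: href };
}

// Return a copy of the URL with the sensitive parameters removed, plus the
// list of parameters that were stripped (useful for an audit trail).
function redactSensitiveParams(href, sensitiveKeys = SENSITIVE_PARAMS) {
  const url = new URL(href);
  const stripped = [];
  for (const key of sensitiveKeys) {
    if (url.searchParams.has(key)) {
      url.searchParams.delete(key);
      stripped.push(key);
    }
  }
  return { cleanUrl: url.toString(), stripped };
}

// Detection helper for reviewing server or tag-manager logs: which sensitive
// parameters does a given URL still expose? Empty array means none.
function leaksSensitiveParams(href, sensitiveKeys = SENSITIVE_PARAMS) {
  const params = new URL(href).searchParams;
  return sensitiveKeys.filter((k) => params.has(k));
}

// Browser-side mitigation: rewrite the address bar before any tracker script is
// loaded, so later scripts only ever see the scrubbed URL. This is defence in
// depth; the real fix is to never place PHI in a URL in the first place.
// Returns null when no browser environment is present (e.g. under Node).
function scrubAddressBarBeforeTrackers(sensitiveKeys = SENSITIVE_PARAMS) {
  if (typeof window === "undefined" || !window.history || !window.location) {
    return null;
  }
  const { cleanUrl, stripped } = redactSensitiveParams(
    window.location.href,
    sensitiveKeys
  );
  if (stripped.length > 0) {
    window.history.replaceState(null, "", cleanUrl);
  }
  return stripped;
}

// Walk through the constructed URL.
console.log("tracker would record:", whatATrackerWouldRecord(SAMPLE_URL).page_location);
console.log("leaking parameters:  ", leaksSensitiveParams(SAMPLE_URL));
console.log("scrubbed URL:        ", redactSensitiveParams(SAMPLE_URL).cleanUrl);
```

Note that stripping the address bar client-side does not help if the tracker tag is loaded before the scrub runs or if the server already logged the request; treat it as a stopgap while the link format itself is changed.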

Minnesota Department of Human Services Employee Error Impacts 4,307 Individuals

A mistake by an employee of the Minnesota Department of Human Services (DHS) has resulted in the impermissible disclosure of the protected health information of 4,307 Minnesota residents. On November 18, 2022, in response to a request from a client for a copy of their own data, the employee accidentally sent the billing statements of 4,307 individuals who were enrolled in Medical Assistance.

The investigation found no evidence to suggest the information was downloaded or misused. The patient who was sent the data notified DHS about the error and said the email would be deleted. The DHS confirmed that highly sensitive information such as Social Security Numbers, banking information, and credit card numbers were not included in the statements. Notification letters were sent to all affected individuals on January 11, 2023.

Mayo Clinic Settles Lawsuit Alleging Former Employee Viewed Nude Patient Images

Mayo Clinic has settled another lawsuit that stemmed from a data breach involving a former employee, who was discovered to have accessed the records of patients without authorization, including nude images.

In October 2020, Mayo Clinic notified 1,614 patients that some of their protected health information had been viewed by a former employee. That information included demographic information, birth dates, medical record numbers, and clinical notes. The employee was also discovered to have viewed photographs of patients that had been taken for medical purposes, which included nude images.

The employee in question, Ahmad Maher Abdel-Munim Alsughayer, 28, of Saginaw, MI, was a doctor at Mayo Clinic, and terminated his employment in August 2022 around the time that the privacy violations were discovered. The Olmsted County Attorney’s Office opened a criminal investigation into Alsughayer over the privacy violations after a complaint was received from a patient who obtained a copy of her records and discovered they included three nude images that were in her medical records at the time the alleged privacy violations occurred. She obtained the records in response to being notified about the breach.

Alsughayer faces a gross misdemeanor charge for unauthorized computer access. His legal team sought to dismiss the case on the grounds that there was no probable cause to believe the defendant committed the alleged privacy violations; however, those efforts have been unsuccessful. Alsughayer pleaded not guilty to the charges in August 2021. A date has yet to be set for the trial.

At least three lawsuits were filed against Mayo Clinic over the privacy violations. One of those lawsuits was settled out of court with the complainant last year and another – filed in May 2021 – is scheduled to go to trial in September 2023. The third lawsuit, which was filed in November 2020 on behalf of Mayo Clinic patient Olga Ryabchuk, sought class action status for the 1,614 patients whose privacy was violated. That lawsuit was dismissed by an Olmsted County Judge in December after all parties agreed to a settlement, the details of which have not been publicly disclosed.

Home Care Providers of Texas Announces 124K-Record Data Breach

The Dallas, TX-based home help service provider, Home Care Providers of Texas (HCPT), has recently announced that unauthorized individuals gained access to its network and used ransomware to encrypt files. The security breach was detected on June 29, 2022, when staff members were prevented from accessing files. Leading third-party cybersecurity experts were engaged to investigate the incident and determine the nature and scope of the breach and confirmed that the threat actors had access to its network between June 15, 2022, and June 29, 2022. During that time, files were exfiltrated from the network that contained names, addresses, dates of birth, Social Security numbers, treatment or diagnosis information, and medication information.

The delay in issuing notification letters was due to the lengthy process of reviewing all files potentially accessed or obtained to determine which individuals had been affected. That process was completed on November 15, 2022. Affected individuals have been advised to monitor their credit reports, accounts, and explanation of benefits statements for unauthorized activity. HCPT said steps have since been taken to augment cybersecurity.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal but has been reported to the Texas Attorney General as affecting 124,363 Texas residents.

Circles of Care, Inc. Hacking Incident Affects 61,170 Individuals

Circles of Care, a Florida-based provider of behavioral care services, has recently announced that employee and patient information was potentially compromised in a September 2022 cyberattack. Suspicious activity was detected within its network on September 21, 2022, with the investigation confirming an unauthorized third party gained access to the network on September 6, 2022.

The forensic investigation confirmed on November 29, 2022, that the unauthorized third party had access to parts of the network that contained patient and employee information such as names, dates of birth, Social Security numbers, addresses, phone numbers, driver’s license numbers, bank routing and account numbers, medical account numbers, provider names, service dates, diagnoses, and medical procedure codes. That information was potentially accessed or acquired, although, at the time of issuing notifications, no reports of misuse of that information had been received. Affected individuals have been advised to be vigilant against identity theft and fraud by reviewing their account statements and explanation of benefits forms.

The breach has been reported to the HHS’ Office for Civil Rights as affecting up to 61,170 individuals.

Community Health Network Says Tracking Technologies Impermissibly Disclosed PHI of Fishers Digestive Care Patients

Indianapolis, IN-based Community Health Network has recently announced that tracking technologies were used on the website and patient portal of its affiliated organization, Fishers Digestive Care, which resulted in patient data being impermissibly disclosed to third parties. The disclosed information included names, medical record numbers, IP addresses, appointments, insurance coverage, healthcare provider information, and conversations between individuals and others through the MyChart patient portal. The extent to which each individual was affected could not be determined and would have depended on their interactions on the website and patient portal.

Community Health Network previously reported the breach to the Office for Civil Rights as affecting up to 1.5 million patients. It is currently unclear how many Fishers Digestive Care patients have been affected, and whether they are included in the 1.5 million total.

December 2022 Healthcare Data Breach Report

The number of reported healthcare data breaches declined for the second successive month, with 40 data breaches of 500 or more healthcare records reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) in December 2022, the lowest monthly total of the year and 29.7% fewer data breaches than the monthly average for 2022. The year ended with 683 data breaches, which is a year-over-year reduction of 4.3%. Only one other year has seen a fall in recorded data breaches (2014).

2022 Healthcare data breaches

The worst month of 2022 for breached records was followed by the best, with 2,174,592 healthcare records exposed or compromised in December, well below the 2022 average of 3,986,025 records per month and 68.5% fewer breached records than in November. While this is certainly great news, even with this reduction, 2022 was the second worst-ever year for healthcare data breaches with more than 47 million records exposed or compromised from January 1 to December 31, 2022.

2022 Breached healthcare records

Largest Healthcare Data Breaches in December 2022

December saw 13 data breaches of 10,000 or more healthcare records reported to OCR. HIPAA Journal has been unable to obtain information on two of those breaches. Ransomware attacks continue to plague the healthcare industry, with 5 of the 13 largest breaches in December confirmed as involving ransomware, two of which involved the protected health information of more than 600,000 patients. Ransomware attacks on the healthcare industry more than doubled between 2016 and 2021 according to one recent analysis, although it is becoming increasingly difficult to obtain reliable data on the extent to which ransomware is used in cyberattacks due to the lack of standardized reporting. While healthcare organizations of all sizes are being attacked, ransomware gangs tend to focus their efforts on larger healthcare organizations, according to a recent report by Delinea.

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach
CommonSpirit Health | IL | Business Associate | 623,774 | Ransomware attack with business associate involvement
Metropolitan Area EMS Authority dba MedStar Mobile Healthcare | TX | Healthcare Provider | 612,000 | Ransomware attack
Avem Health Partners | OK | Business Associate | 271,303 | Hacking incident at a business associate
Southwest Louisiana Health Care System, Inc. d/b/a Lake Charles Memorial Health System | LA | Healthcare Provider | 269,752 | Ransomware attack
Fitzgibbon Hospital | MO | Healthcare Provider | 112,072 | Ransomware attack
Monarch | NC | Healthcare Provider | 56,155 | Hacking incident – no information released
Ola Equipment LLC | HI | Business Associate | 39,000 | Hacking incident – no information released
The Elizabeth Hospice | CA | Healthcare Provider | 35,496 | An employee sent PHI to a personal email account
Legacy Operating Company d/b/a Legacy Hospice | AL | Healthcare Provider | 21,202 | Compromised email accounts
Employee Group Insurance Benefits Plan of Acuity Brands, Inc. | GA | Health Plan | 20,849 | Hacking incident (data theft confirmed)
San Gorgonio Memorial Hospital | CA | Healthcare Provider | 16,846 | Hacking incident (data theft confirmed)
Hawaiian Eye Center | HI | Healthcare Provider | 14,524 | Ransomware attack
Foundcare, Inc. | FL | Healthcare Provider | 14,194 | Compromised email account

Causes of December 2022 Healthcare Data Breaches

Hacking and other IT incidents continue to dominate the breach reports and typically involve many more records than other types of data breaches. In December, 28 incidents were classified as hacking/IT incidents, 70% of the month’s total breaches. 1,965,032 healthcare records were exposed or impermissibly disclosed in those incidents, 90.4% of the month’s breached records. The average breach size was 70,180 records and the median breach size was 4,152 records. 20 of the month’s breaches involved compromised network servers, and 12 incidents involved hacked email accounts.

Causes of December 2022 Healthcare data breaches

The risk of email-related data breaches can be greatly reduced by providing regular security awareness training to the workforce, as is required by the HIPAA Security Rule, and by implementing multi-factor authentication, with FIDO-based MFA providing the greatest level of protection. HIPAA-regulated entities should also ensure that their password management practices are kept up to date. A recent audit of the Department of the Interior identified many password management failures, which are all too common in the healthcare industry.

There were 10 unauthorized access/disclosure-related data breaches in December involving 168,386 records. The average breach size was 16,839 records and the median breach size was 1,739 records. There has been a decline in these types of data breaches in recent years as HIPAA training and monitoring of medical record access have improved. There were two loss/theft incidents reported involving 41,174 records. Both of these incidents involved computers/other electronic devices and could have been prevented by encrypting the devices.

December 2022 healthcare data breaches - location of breached PHI

December Data Breaches by HIPAA Regulated Entity

Healthcare providers were the worst affected type of HIPAA-regulated entity, with 24 breaches of 500 or more records reported. Business associates reported 11 data breaches and health plans reported 5. Two of the data breaches reported by healthcare providers had business associate involvement but were reported by the healthcare provider. The chart below shows the breakdown based on where the breach occurred.

December 2022 healthcare data breaches - HIPAA-regulated entity type

States Affected by December 2022 Data Breaches

Healthcare data breaches were reported by HIPAA-regulated entities in 22 states. California was the worst affected with 4 reported breaches.

State | Reported Data Breaches
California | 4
Florida, New York, Texas & Washington | 3
Georgia, Hawaii, Illinois, Massachusetts, Missouri, South Dakota & Virginia | 2
Alabama, Connecticut, Louisiana, Maryland, North Carolina, Nebraska, Oklahoma, Rhode Island, Wisconsin & West Virginia | 1

HIPAA Enforcement Activity in 2022

OCR closed the year with two financial penalties to resolve alleged HIPAA violations. Health Specialists of Central Florida’s case stemmed from an investigation into a HIPAA Right of Access violation over the failure to provide a woman with a copy of her deceased father’s medical records. The records were provided, but there was a 5-month delay. Health Specialists of Central Florida settled the case and paid a $20,000 financial penalty. This was the 42nd financial penalty to be imposed under OCR’s HIPAA Right of Access enforcement, which was launched in 2019.

New Vision Dental in California was one of just two healthcare providers to settle a HIPAA violation case with OCR in 2022 that did not involve a HIPAA Right of Access violation. OCR investigated New Vision Dental in response to complaints that patient information was being impermissibly disclosed online in response to negative reviews on Yelp. OCR also identified a Notice of Privacy Practices failure. The case was settled for $23,000. Including these two penalties, OCR resolved 22 HIPAA violation cases with settlements and civil monetary penalties in 2022, more than any other year since OCR was given the authority to impose financial penalties for HIPAA violations.

State Attorneys General also have the authority to impose financial penalties for HIPAA violations. In December, a joint investigation by Oregon and Utah resulted in a financial penalty for Avalon Healthcare over a phishing attack. Avalon Healthcare was determined to be in violation of the HIPAA Security and Breach Notification Rules and state laws due to a lack of appropriate safeguards to protect against phishing attacks and an unreasonable delay in sending breach notification letters, which were issued 10 months after the breach was detected. The case was settled for $200,000. This was one of three enforcement actions by state attorneys general in 2022 to resolve HIPAA violations.

Round Up of Recent Hacking Incidents and Email Account Breaches

West Oaks Eyecare – Ransomware Attack

West Oaks Eyecare in Texas has notified 1,045 Texas residents that a malicious actor gained access to its network and installed malware that rendered files inaccessible. The attack was detected on November 7, 2022, and steps were taken to contain the attack and secure its systems. The affected system contained billing information that was potentially accessed and obtained in the attack. The files included patients’ names along with one or more of the following types of information: address, date of birth, email address, phone number, patient ID number, Social Security number, optical scan images, exam results, insurance information, and billing information.

Notification letters were mailed to affected individuals on January 6, 2022. Complimentary credit monitoring and identity protection services have been offered to individuals whose Social Security numbers were involved.

The Kelberman Center – Email Account Breach

The Kelberman Center, a Utica, NY-based provider of services to individuals with autism, has notified 3,501 patients about a breach of employee email accounts. Suspicious activity was detected within its email environment on November 1, 2022, with the investigation confirming that a single email account had been accessed by an unauthorized individual between October 21 and November 3, during which time emails and attachments may have been accessed or acquired.

A third-party digital forensics expert was engaged to investigate the breach and review system security and confirmed that no other systems had been accessed. A review of the email account confirmed the following types of information had been exposed: names, dates of birth, diagnoses, treatment information, and provider information. A very limited number of individuals had other information exposed and were notified if that was the case. Notifications were mailed to affected individuals on December 30, 2022.

Quality Behavioral Health – Hacked Network Server

Quality Behavioral Health in Washington has recently reported a hacking incident to the HHS’ Office for Civil Rights that has affected 500 individuals – a number often used as a placeholder until the full extent of a data breach is known in order to meet the HIPAA Breach Notification Rule reporting requirements.

The cyberattack was detected on November 26, 2022, and steps were immediately taken to secure its network and prevent further unauthorized access. An investigation was launched to determine the nature and scope of the breach and the extent to which patient data was involved. That investigation and file review are ongoing, but it has been confirmed that its network was subject to unauthorized access between November 24 and November 26, 2022.

The exposed information included names, contact information, demographic information, Social Security numbers, driver’s license numbers, state identification card numbers, financial account information, birth dates, student, military, or passport identification numbers, health insurance information, medical histories, mental or physical conditions, medical diagnoses, and treatment information.

St. Rose Hospital – Hacking Incident with Data Theft Confirmed

St. Rose Hospital in Hayward, CA, has recently confirmed that a malicious actor gained access to its network and exfiltrated files containing patient information. Suspicious activity was detected in its computer systems on November 29, 2022, and third-party digital forensics specialists were engaged to investigate the breach. The investigation confirmed that its network was first accessed on November 18, 2022, and data theft occurred around that time.

The review of all files potentially accessed or copied revealed they contained names, Social Security numbers, dates of birth, e-mail addresses, and home addresses. St. Rose Hospital said it is unaware of any misuse of patient information, although databreaches.net has reported that data potentially related to the attack has been included in a dataset on a hacking forum. St. Rose Hospital has offered complimentary credit monitoring services to affected individuals.

Mindpath Health – Email System Breach

Community Psychiatry Management, doing business as Mindpath Health, has recently notified certain patients about a breach of its email system. Suspicious activity was identified within its email environment during a routine security audit. Third-party forensics experts were engaged to investigate the security breach and confirmed that two employee email accounts had been compromised, one in March 2022 and the other in June 2022. The forensic investigation concluded on November 15, 2022, and confirmed that protected health information may have been accessed, including patient names, addresses, Social Security numbers, dates of birth, medical diagnoses, treatment information, health insurance information, and prescription information. Mindpath Health said it is unaware of any actual or attempted misuse of patient data.

Notification letters were sent to affected individuals on December 30, 2022. It is currently unclear how many individuals were affected.

Bay Bridge Administrators – Hacking Incident

Bay Bridge Administrators, an Austin, TX-based third-party administrator of insurance products, has recently announced that unauthorized individuals gained access to its network on or before August 25, 2022, and exfiltrated files on September 3, 2022.

The security breach was detected on September 5, 2022, when network disruption was experienced. Prompt action was taken to secure its network and investigate the breach, which revealed on December 5, 2022, that the stolen files included the personal information of individuals enrolled in certain employment insurance benefits that were administered by BBA for calendar year 2022. That information included names, addresses, Social Security numbers, driver’s license numbers, state identification card numbers, medical information, health insurance information, and/or dates of birth.

Affected individuals were notified on January 10, 2022, and have been offered 24 months of complimentary credit monitoring and identity protection services.

Consolidated Class Action Lawsuit Filed Against Shields Health Care Group Over 1.9 Million-Record Data Breach

Multiple lawsuits have been filed against Massachusetts-based Shields Health Care Group, which suffered one of the largest healthcare data breaches of the year, affecting almost 2 million individuals. The lawsuits have recently been consolidated into a single lawsuit – Biscan v. Shields Health Care Group Inc – that was filed in a Massachusetts federal court this week.

Shields Health Care Group provides MRI, PET/CT, radiation oncology, and surgical services to healthcare practices, around 60 of which were affected by the breach. Hackers gained access to its network and stole the protected health information of patients over a two-week period in March 2022. The stolen data included names, contact information, Social Security numbers, insurance information, billing information, and clinical information such as diagnoses and treatment information. Affected individuals were offered a 2-year membership to a credit monitoring service.

The plaintiffs allege Shields Health Care Group failed to implement appropriate safeguards to prevent unauthorized access to highly sensitive patient data and then failed to issue timely notifications to patients to inform them that their data was in the hands of cybercriminals and that the notification letters did not provide adequate information to allow the affected individuals to take appropriate action to assess and mitigate risk.

The lawsuit alleges Shields Health Care Group was fully aware of the risk of hacking and ransomware attacks on healthcare organizations given the multiple security alerts issued by the FBI, CISA, and the HHS, yet failed to implement adequate measures to reduce risk, which was in violation of its obligations under the HIPAA Security Rule.

Shields Health Care Group said a security alert was triggered on March 18, 2022, which was investigated, but no breach was detected; suspicious activity was then identified within its network on March 28, 2022. The investigation confirmed patient data had been compromised, and notifications were issued to affected individuals on June 7, 2022, outside the reporting time frame of the HIPAA Breach Notification Rule.

The lawsuit claims that the notifications were untimely and deficient in information, failing to provide even basic details about the breach, such as whether patient data on the servers was accessed. The lawsuit also alleges the credit monitoring services offered were inadequate given that affected individuals face many years of ongoing identity theft risk.

While many lawsuits are filed based on future risk of harm, the plaintiffs claim to have suffered financial losses as a result of the breach and have had to spend a significant amount of time monitoring their financial accounts. One plaintiff said suspicious activity was identified in his email account and he had thousands of dollars of fraudulent charges to his Bank of America account, and another plaintiff claims to have been targeted by scammers over the phone since the data breach.

The consolidated lawsuit alleges negligence, breach of contract, invasion of privacy by intrusion, and breach of fiduciary duty, and seeks class action status, damages, and injunctive relief.

Global Healthcare Cyberattacks Increased by 74% in 2022

The latest data released by the cybersecurity firm Check Point has confirmed that 2022 was a particularly bad year for cyberattacks, which increased globally by 38% year-over-year, fuelled by a sizeable increase in attacks on healthcare organizations. Globally, the healthcare industry had the highest percentage increase in weekly cyberattacks of any industry sector, with an increase of 74% from 2021 to an average of 1,463 attacks per week.

With that increase, healthcare rose to become the third most attacked industry globally behind the government/military with 1,661 attacks a week (+46%) and education/research with 2,314 attacks a week (+43%). In the United States, healthcare ranked second with 1,410 attacks per week, which is an 86% increase from 2021. Across all industry sectors, cyberattacks in the United States increased by 57% year-over-year.

The healthcare industry is an attractive target for cybercriminals due to the volume of easily monetizable data that can be stolen, and the higher-than-average probability of extortion demands being met to prevent the release of stolen data. The Check Point Research team also points out that as an added advantage, ransomware gangs gain a lot of publicity from attacks on hospitals, with the attention increasing their notoriety.

There were notable changes in the threat landscape in 2022, especially concerning ransomware attacks. While in previous years large ransomware groups dominated the threat landscape, in 2022 these larger groups evolved into much smaller, more agile cybercriminal groups that are better able to evade law enforcement. Check Point also notes a diversification in cyberattacks on businesses that now exploit a much wider range of business collaboration tools, including Slack, Microsoft Teams, Google Drive, and OneDrive, all of which are rich sources of valuable data that can be obtained through phishing attacks.

Tracking specific types of cyberattacks in healthcare can be a challenge, as there is no standardized reporting. HIPAA requires data breaches to be reported, but the HHS only tracks cyberattack-related data breaches as hacking/IT incidents. Further, many breached entities choose not to disclose the exact nature of attacks, such as whether ransomware was involved. Data collected by Emsisoft suggests ransomware attacks have leveled off, but the cybersecurity firm only analyzed data breaches at hospitals, not the broader healthcare ecosystem, which includes healthcare industry vendors that were heavily targeted in 2022.

While the data from Check Point Research indicates an increase in healthcare cyberattacks in the United States, these attacks do not always result in data breaches. The HHS’ Office for Civil Rights breach portal currently indicates a slight reduction in reported data breaches, although data for 2022 is still being added to the breach portal. HIPAA Journal will publish its end-of-year healthcare data breach report next week, when there is a clearer picture of the year’s totals, but as it stands on January 10, 2023, 701 data breaches of 500 or more records have been reported to the HHS in 2022, 13 short of the record-breaking total of 714 data breaches in 2021.

While it appears that healthcare data breaches have declined slightly, it is worth noting the increase in the number of breached healthcare records in 2022. Across the 701 data breaches, the records of 51,884,675 individuals have been breached, which is more than any year other than 2015, which included the 78.8 million-record breach at Anthem Inc. That 13.1% increase in breached records is concerning.

2022 also saw two major milestones reached. In 2009, the HHS started publishing a summary of reported healthcare data breaches of 500 or more records, and in 2022 the cumulative number of reported data breaches surpassed 5,000. The second unwelcome milestone is that more healthcare records have now been breached than the entire population of the United States. Since the HITECH Act required OCR to start publishing healthcare data breaches in 2009, more than 382 million healthcare records have been reported as having been exposed or impermissibly disclosed.

The post Global Healthcare Cyberattacks Increased by 74% in 2022 appeared first on HIPAA Journal.

Hive RaaS Gang Leaks Stolen Consulate Health Care Data

The Hive ransomware-as-a-service (RaaS) operation has claimed responsibility for an attack on Consulate Health Care, a Florida-based chain of 140 U.S. nursing homes. The group claims to have stolen 550 GB of data in the attack and said files were encrypted on December 3, 2022. The group posted on its leak site about the breach on January 6, 2023, and has already leaked some of the data allegedly stolen in the attack. The information stolen in the attack allegedly includes contracts, company information, employee information, and patient information such as medical records, Social Security numbers, contact information, and insurance information.

Consulate Health Care published a substitute breach notice on its website around the same time as Hive went public about the attack. In the website breach notice, Consulate Health Care claims the attack occurred at one of its (unnamed) vendors, which is still investigating the incident to determine the extent of the breach. Consulate Health Care said it is working closely with its vendor and has confirmed that the investigation is progressing as fast as possible to determine the extent to which protected health information was involved and which individuals have been affected. Consulate Health Care said, “we are providing this notice out of an abundance of caution as we value transparency.”

The Hive ransomware gang has a different view on the attack and claims no vendor was involved. Instead, a spokesperson for the group said in a conversation with databreaches.net that Consulate Health Care was attacked directly. The timing of the breach notice suggests that it refers to the same incident.

The Hive RaaS group is one of several ransomware gangs known to target the healthcare industry. Its attacks include one on Lake Charles Memorial Health System in Louisiana, which involved the data of 270,000 patients, and one on the New York ambulance service Empress EMS, which affected up to 318,558 individuals. Due to the high risk of attacks, a joint cybersecurity advisory was issued by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) in November 2022, which includes technical information about the tactics, techniques, and procedures used by the group and indicators of compromise for network defenders.

The post Hive RaaS Gang Leaks Stolen Consulate Health Care Data appeared first on HIPAA Journal.