HIPAA Breach News

Data Breaches Reported by Allegheny Health Network, St. Luke’s Health System, & Goldsboro Podiatry

St. Luke’s Health System in Boise, ID, has recently reported a data breach to the HHS’ Office for Civil Rights that has affected 31,579 patients. The breach occurred in May 2022 at Kaye-Smith, the health system’s billing vendor, and affected patients that were billed that month. The breach was discovered in June 2022 and was reported to St. Luke’s Health System on July 6, 2022.

Unauthorized individuals gained access to systems at Kaye-Smith, which contained information such as patient names, insured names, addresses, phone numbers, ID numbers, dates of birth, descriptions of services, amounts billed, outstanding balances, payment due dates, account statuses, and the last five digits of Social Security numbers. Kaye-Smith is investigating the breach and is working with the FBI to better understand how the breach happened.

St. Luke’s Health System said it is no longer working with the billing vendor. The investigation to date has not uncovered any evidence to suggest there has been any misuse of patient data. Affected individuals have been offered a complimentary membership to a credit monitoring service.

Goldsboro Podiatry Notifies 30,669 Patients About Data Breach

Kevin Wolf, DPM, doing business as Goldsboro Podiatry in North Carolina, has recently confirmed that the protected health information of 30,669 patients has potentially been obtained by unauthorized individuals. The breach occurred at an unnamed service provider that maintains patients’ electronic medical records for the practice. The breach was detected on April 29, 2022, when certain servers used by the company were encrypted in a ransomware attack. The service provider confirmed in May 2022 that data on the servers had been accessed and was potentially obtained by the attackers. Goldsboro Podiatry was notified about the attack on May 20, 2022.

The information compromised in the attack included names, contact information, dates of birth, Social Security Numbers, demographic information, medical history, medication information, clinical observations, diagnoses, and/or treatment plans.

Goldsboro Podiatry said its service provider has secured its information technology systems and enhanced its cybersecurity defenses to prevent future attacks and has offered affected individuals complimentary access to credit monitoring and identity theft protection services.

Allegheny Health Network Phishing Attack Affects Thousands of Patients

Pennsylvania-based Allegheny Health Network has recently confirmed that the email account of an employee has been accessed by an unauthorized third party following a response to a phishing email. The employee responded to the message on May 31, 2022, and the breach was detected the following day.

A review of the email account confirmed it contained protected health information such as names, dates of birth, dates of medical services, medical histories, conditions, diagnoses and treatment information, and driver’s license numbers. A subset of individuals also had their Social Security number and/or financial information exposed.

Allegheny Health Network said prompt action was taken to address the incident, including performing a password reset to prevent further unauthorized access. A third-party cybersecurity firm has also been engaged to help improve its security controls.

Allegheny Health Network has reported the breach to the HHS’ Office for Civil Rights using a placeholder of 500 records until the breach is fully investigated and the number of individuals affected is known. Local media outlets have said around 8,000 individuals were affected.

Central Maine Medical Center Affected by Shields Healthcare Group Data Breach

Central Maine Medical Center (CMMC) has confirmed it has been affected by a data breach at Shields Healthcare Group. CMMC was one of 56 facility partners to be affected by the breach, which affected around 2 million individuals, including 11,938 CMMC patients. Further information on the breach is available in this post.

Granbury Eye Clinic in Texas Victim of Eye Care Leaders Data Breach

Granbury Eye Clinic in Texas is the latest eye care provider to confirm it was affected by the Eye Care Leaders data breach, which involved the PHI of 16,475 patients. The data breach is now known to have affected at least 39 eye care providers, with the breach total currently standing at 3,091,694 patients.

The post Data Breaches Reported by Allegheny Health Network, St. Luke’s Health System, & Goldsboro Podiatry appeared first on HIPAA Journal.

Meta Facing Further Class Action Lawsuit Over Use of Meta Pixel Code on Hospital Websites

Meta is facing another class action lawsuit over the unlawful collection and sharing of health data without consent. The lawsuit was filed in the Northern District of California on behalf of plaintiff, Jane Doe. The lawsuit alleges Meta and its companies, including Facebook, have been collecting the sensitive health data of millions of patients without obtaining express consent and have used the information to serve individuals with targeted advertisements.

Jane Doe was a patient of UCSF Medical Center and Dignity Health Medical Foundation and claims her sensitive health information was unlawfully obtained by Meta when she entered the information into the UCSF Medical Center online patient portal. UCSF Medical Center had added Meta Pixel code to the web pages of the patient portal. Meta Pixel is a snippet of JavaScript code that is used to track website visitors. The code records and transmits to Meta the web pages that a user visits. If the code is present on a web page with a form, such as those used to book appointments, the selections from drop-down boxes are recorded and transmitted. Those selections could indicate a patient’s medical condition or why an appointment has been booked.

One of the targeted Facebook adverts served to Jane Doe. Source: Jane Doe v. Meta Platforms, Inc. F/K/A Facebook, Inc., UCSF Medical Center, and Dignity Health Medical Foundation.

Jane Doe said she has been a user of Facebook since 2012 and alleges her privacy has been violated, as her information was collected and used without her consent. The information entered on the form was used by Meta to serve her with targeted advertisements related to her medical condition. The lawsuit alleges a violation of HIPAA, as neither UCSF Medical Center nor Dignity Health Medical Foundation had entered into a business associate agreement with Meta or Facebook, and at no point did Meta, Facebook, or the hospitals obtain consent or inform patients that their information was being provided to Meta to deliver targeted advertisements.

Under HIPAA, healthcare providers are permitted to disclose an individual’s protected health information to another HIPAA-covered entity or a third-party vendor for reasons related to treatment, payment, or healthcare operations, and in such cases, consent is not required from the patient. Most other disclosures require a HIPAA-covered entity to enter into a business associate agreement with the third party prior to any disclosure of PHI, and consent is required from the individuals whose PHI is disclosed.

There is no private right of action in HIPAA, so it is not possible for individuals to sue their healthcare providers for HIPAA violations, but there are often equivalent federal and state laws that do have a private right of action. In this case, the lawsuit makes sixteen claims including common law invasion of privacy – intrusion upon seclusion, invasion of privacy, breach of contract, breach of implied contract, unjust enrichment, and violations of the California Constitution, California Confidentiality of Medical Information Act (CMIA), California Business and Professions Code, California Invasion of Privacy Act, the Comprehensive Computer Data Access and Fraud Act, and the Federal Wiretap Act.

The lawsuit alleges the plaintiff and class members have suffered damage and loss as a result of the conduct of the defendants, which has deprived the plaintiff and class members of control of their valuable property, the ability to obtain compensation for their data, the ability to withhold their data from sale, and that the violations have resulted in irreparable and incalculable harm and injuries. The lawsuit seeks damages and injunctive and equitable relief.

The lawsuit makes similar allegations to another lawsuit filed against Meta, in that case by plaintiff John Doe, who was a patient of MedStar Health in Maryland. The Markup recently conducted an investigation into the sharing of healthcare data with Meta/Facebook via Meta Pixel on hospital websites and found that 33 of the top 100 hospitals in the United States had the Meta Pixel code on their websites, and 7 hospitals had the code installed on their patient portals behind logins, yet consent to share data was not obtained.
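The Markup’s investigation and the Pixel behaviour described above both come down to one question a site owner can answer from their own rendered HTML: is the Pixel loaded on a page, and does that page also carry a form or drop-down whose selections would be transmitted? The following audit helper is an added example, not code from HIPAA Journal, the lawsuit, or The Markup. It assumes the Pixel is loaded from Meta’s publicly documented loader script on connect.facebook.net (fbevents.js) and installs the global fbq function; the sample pages are constructed, and the hospital hostnames are placeholders.

```javascript
// Added audit helper (not from the page, the lawsuit, or The Markup).
// Markers that indicate the Meta Pixel is present. Assumption: the Pixel is
// fetched from the publicly documented loader host and exposes a global `fbq`.
const PIXEL_MARKERS = [
  { name: "pixel loader script", pattern: /connect\.facebook\.net\/[^"'\s]*fbevents\.js/i },
  { name: "fbq init call",       pattern: /\bfbq\s*\(\s*['"]init['"]/i },
  { name: "fbq track call",      pattern: /\bfbq\s*\(\s*['"]track(Custom)?['"]/i },
];

// Page features that make a leak likely: forms, and the named <select>
// drop-downs whose chosen options the lawsuit says are transmitted.
const FORM_RE   = /<form\b[^>]*>/gi;
const SELECT_RE = /<select\b[^>]*\bname\s*=\s*["']([^"']+)["'][^>]*>/gi;

// Strip HTML comments so a commented-out snippet is not reported as live.
function stripComments(html) {
  return html.replace(/<!--[\s\S]*?-->/g, "");
}

// Audit one page: which Pixel markers fired, how many forms it has, the names
// of its <select> controls, and a coarse risk label for triage.
function auditPage(url, html) {
  const body = stripComments(html);
  const markers = PIXEL_MARKERS.filter((m) => m.pattern.test(body)).map((m) => m.name);
  const formCount = (body.match(FORM_RE) || []).length;
  const selects = [];
  let match;
  while ((match = SELECT_RE.exec(body)) !== null) selects.push(match[1]);
  let risk = "none";
  if (markers.length > 0) risk = formCount > 0 ? "high" : "medium";
  return { url, pixelPresent: markers.length > 0, markers, formCount, selects, risk };
}

// Audit a map of url -> html and keep only the pages where the Pixel is live.
function auditSite(pages) {
  return Object.entries(pages)
    .map(([url, html]) => auditPage(url, html))
    .filter((r) => r.pixelPresent);
}

// Constructed sample pages (placeholder hostnames, not real hospital pages).
const SAMPLE_PAGES = {
  "https://portal.example-hospital.test/appointments": `
    <html><head>
      <script>
        !function(f,b,e,v,n,t,s){/* loader body omitted */}(window,document,'script',
          'https://connect.facebook.net/en_US/fbevents.js');
        fbq('init', '000000000000000');
        fbq('track', 'PageView');
      </script>
    </head><body>
      <form action="/book" method="post">
        <select name="reason"><option>Follow-up</option><option>Oncology consult</option></select>
        <select name="provider"><option>Dr. A</option></select>
      </form>
    </body></html>`,
  "https://www.example-hospital.test/about": `
    <html><head><script src="https://connect.facebook.net/en_US/fbevents.js"></script></head>
    <body><p>About us</p></body></html>`,
  "https://www.example-hospital.test/privacy": `
    <html><head><!-- fbq('init', 'disabled') --></head>
    <body><form><select name="language"><option>en</option></select></form></body></html>`,
};

// Stand-alone run: print the flagged pages as JSON.
console.log(JSON.stringify(auditSite(SAMPLE_PAGES), null, 2));
```

Run it with `node` against HTML saved from your own authenticated portal pages as well as public pages, since the page notes that 7 hospitals had the code behind logins; a "high" result means the Pixel and a form share a page and the disclosure question under HIPAA applies, while a commented-out snippet is deliberately ignored so the report reflects what actually executes.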


96 Senior Living and Healthcare Facilities Affected by Avamere Data Breach

A major data breach has been reported that has affected dozens of healthcare, rehabilitation, and senior living facilities in Oregon, Washington, Nevada, Utah, Colorado, and Arizona, which are operated by companies that are part of the Wilsonville, OR-based group, Avamere Holdings.

Between January 19, 2022, and March 17, 2022, an unauthorized individual gained access to a third-party-hosted network that was used by Avamere Health Services, LLC. Avamere Health Services is a business associate of the Avamere Holdings group of companies and provides information technology services. The forensic investigation of the data breach confirmed that the individuals behind the attack exfiltrated files from its systems that contained the information of employees and patients, including names, addresses, dates of birth, driver’s license or state identification numbers, Social Security numbers, claims information, financial account numbers, medications information, lab results, and medical diagnosis/conditions information.

The exact nature of the cyberattack was not disclosed in the substitute breach notice, but it would appear that this was a ransomware attack and that the exfiltrated data has been published on the ransomware group’s data leak site. Avamere Health Services said its information technology department has been working with third-party cybersecurity experts to review its existing security measures and security will be enhanced to prevent any repeat attacks.

Avamere Health Services has reported the breach to the Department of Health and Human Services’ Office for Civil Rights as affecting 197,730 individuals and has now sent notifications to those individuals and has offered complimentary credit monitoring services. Avamere Health Services provided notifications on behalf of the 81 companies that it works with as a HIPAA business associate.

One of the 81 companies is Premere Infinity Rehab, LLC, which has also published its own substitute breach notice on behalf of a further 16 companies for which it acts as a HIPAA business associate. Premere Infinity Rehab has reported the breach to the HHS’ Office for Civil Rights as affecting 183,254 individuals.

It is currently unclear if the total of 380,984 individuals is the final breach total. Companies known to have been affected are detailed in the tables below.

Companies Affected by Avamere Data Breach

A-One Home Health Services, LLC | Avamere at Port Townsend | Avamere Gresham Rehabilitation and Specialty Care | Avamere Rehabilitation of Lebanon | Cascadia Healthcare | Rockwood at Hawthorne
Avamere at Albany | Avamere at Rio Rancho | Avamere Harmony House of Bend | Avamere Rehabilitation of Newport | Christian Living Communities | Rockwood South Hill
Avamere at Bethany | Avamere at Roswell | Avamere Health Services of Rogue Valley | Avamere Rehabilitation of Oregon City | Columbia Lutheran Home | Salem Transitional Care
Avamere at Cascadia Village | Avamere at Sandy | Avamere Heritage Rehabilitation of Tacoma | Avamere Rehabilitation of Richmond Beach | Good Samaritan Society | Signature Coastal, LLC
Avamere at Chestnut Lane | Avamere at Seaside | Avamere Home Health Care, LLC | Avamere Riverpark of Eugene | Goodman Group | Signature Home Health Bend, LLC
Avamere at Englewood Heights | Avamere at Seaside | Avamere Living at Berry Park | Avamere St. Francis of Bellingham | Infinity Rehab | Signature Hospice Eugene, LLC
Avamere at Hermiston | Avamere at Sherwood | Avamere Olympic Care of Sequim | Avamere Transitional Care and Rehabilitation-Bellingham | Kin On Health Care Center | Signature Hospice Medford, LLC
Avamere at Hillsboro | Avamere at South Hill | Avamere Rehabilitation at Fiesta Park | Avamere Transitional Care and Rehabilitation-Boise | Laurelhurst Village | Signature Hospice Nampa, LLC
Avamere at Las Vegas | Avamere at St. Helens | Avamere Rehabilitation of Beaverton | Avamere Transitional Care and Rehabilitation-Brighton | Mission Healthcare at Bellevue, JV | Signature Hospice Oregon Coast, LLC
Avamere at Lexington | Avamere at the Stratford | Avamere Rehabilitation of Cascade Park | Avamere Transitional Care and Rehabilitation-Malley | Mission Healthcare at Renton | Summitview Healthcare Center
Avamere at Moses Lake | Avamere at Three Fountains | Avamere Rehabilitation of Clackamas | Avamere Transitional Care at Sunnyside | Northwest Hospice, LLC | Suzanne Elise Assisted Living Facility
Avamere at Mountain Ridge | Avamere at Waterford | Avamere Rehabilitation of Coos Bay | Avamere Transitional Care of Puget Sound | NP2U, LLC | The Arbor at Avamere Court
Avamere at Newberg | Avamere at Wenatchee | Avamere Rehabilitation of Eugene | Avamere Twin Oaks of Sweethome | Pinecrest Community | The Arbor at Bend
Avamere at Oak Park | Avamere Court at Keizer | Avamere Rehabilitation of Hillsboro | Bend Transitional Care | Prestige Care | The Arbor at Bremerton
Avamere at Pacific Ridge | Avamere Crestview of Portland | Avamere Rehabilitation of Junction City | Bethany at Pacific | Prime Home Health, LLC | The Pearl at Kruse Way
Avamere at Park Place | Avamere Fern Gardens Memory Care | Avamere Rehabilitation of King City | Bethany at Silver Lake | Queen Anne Healthcare | The Stafford


IBM: Average Cost of a Healthcare Data Breach Reaches Record High of $10.1 Million

The average cost of a healthcare data breach has reached double digits in millions of dollars for the first time ever, according to the 2022 Cost of a Data Breach Report from IBM Security. The average cost of a healthcare data breach jumped almost $1 million to a record high of $10.1 million, which is 9.4% more than in 2021 and 41.6% more than in 2020. Across all industry sectors, the average cost of a data breach was up 2.6% year over year at $4.35 million, which is the highest average cost in the 17 years that IBM has been producing its annual cost of a data breach reports and 12.7% higher than in 2020.

The report is based on a study of 550 organizations in 17 countries and regions and 17 different industry sectors that suffered data breaches between March 2021 and March 2022. For the report, IBM Security conducted more than 3,600 interviews with individuals in those organizations. 83% of organizations represented in the report have experienced more than one data breach, and 60% of organizations said the data breach resulted in them having to increase the price of their products and services.

Summary of 2022 Data Breach Costs

  • Global average cost of a data breach – $4.35 million (+2.6%)
  • Global average cost per record – $164 (+1.9%)
  • Average cost of a U.S. data breach – $9.44 million (+4.3%)
  • Average cost of a healthcare data breach – $10.1 million (+9.4%)
  • Average cost of a ransomware attack – $4.54 million (-1.7%)
  • Average cost where phishing was the initial attack vector – $4.91 million
  • Average cost of a 1 million record data breach – $49 million
  • Average cost of 50-60 million record data breach – $387 million

For the first time in at least six years, the biggest component of the data breach costs was detection and escalation, which cost $1.44 million in 2022, up from $1.24 million in 2021. Next was lost business, which cost an average of $1.42 million in 2022, down from $1.59 million in 2021. Post-breach response increased slightly from $1.14 million in 2021 to $1.18 million in 2022, and there was a small increase in notification costs, which rose from $0.27 million in 2021 to $0.31 million in 2022.

On average, 52% of the breach costs are incurred in the first year, 29% in the second year, and 19% after two years. In highly regulated industries such as healthcare, a much larger percentage of the costs are incurred later, with 45% of costs in the first year, 31% in year 2, and 24% later than year 2, which was attributed to regulatory and legal costs.

The report explored the different initial attack vectors and found that the most common entry route was the use of stolen credentials, which accounted for 19% of all data breaches, with these data breaches costing an average of $4.5 million. Phishing attacks accounted for 16% of all data breaches, and phishing was the costliest attack vector, with an average data breach cost of $4.91 million, closely followed by business email compromise attacks, which accounted for 6% of all data breaches and cost an average of $4.89 million. Cloud misconfigurations accounted for 15% of data breaches and cost an average of $4.14 million, and vulnerabilities in third-party software accounted for 13% of data breaches and cost an average of $4.55 million per breach.

The average time to identify a data breach was 207 days in 2022, down from 212 days in 2021. The average time to contain a data breach was 277 days, down from 287 days in 2021. A shorter data breach lifecycle (time to identify and contain a breach) equates to a lower breach cost. Data breaches with a lifecycle of fewer than 200 days cost 26.5% ($1.12 million) less on average than data breaches with a lifecycle of over 200 days.

One of the most important steps to take to improve security is to adopt zero trust strategies, but only 59% of organizations had adopted zero trust, and almost 80% of critical infrastructure organizations had yet to implement zero-trust strategies. The average breach cost for critical infrastructure organizations without zero trust was $5.4 million, which was $1.17 million more than those that had implemented zero trust strategies.

Cost of Data Breaches by Breach Cause

The average cost of a ransomware attack fell slightly by 1.7% to $4.54 million, not including the cost of the ransom itself. Ransomware attacks increased significantly in 2022 and accounted for 11% of all data breaches, up from 7.8% of data breaches in 2021. Ransomware attacks took 49 days longer to identify and contain than the global average, taking an average of 237 days to identify the intrusion and 89 days to contain the attack. Paying the ransom only saw a $610,000 reduction in data breach costs, on average, not including the amount of the ransom. Since ransom amounts are often high, the report indicates that paying the ransom does not necessarily lower the breach cost. In fact, paying may well increase the cost of the breach.

Around one-fifth of data breaches were the result of supply chain compromises. The average cost of a supply chain compromise was $4.46 million, which was 2.5% higher than the overall average cost of a data breach. It took an average of 235 days to identify the breach and 68 days to contain the breach – 26 days more than the average data breach.

45% of data breaches occurred in the cloud, with data breaches in the public cloud costing considerably more than data breaches with a hybrid cloud model. 43% of organizations that experienced a data breach in the cloud were in the early stages of their migration to the cloud and had not started applying security practices to secure their cloud environments. Organizations in the early stages of cloud adoption had data breach costs of an average of $4.53 million, whereas those at a mature stage had average breach costs of $3.87 million.

Data Breach Cost Savings

IBM identified several steps that organizations can take to reduce the financial cost and reputational consequences of a data breach. The main cost-saving elements were:

  • Fully deployed security AI and automation – $3.05 million
  • Incident response team with regularly tested IR plan – $2.66 million
  • Adoption of zero trust – $1.5 million
  • Mature cloud security practices – $720,000
  • Being fully staffed vs insufficiently staffed – $550,000
  • Use of extended detection and response (XDR) technologies – 29-day reduction in response time


Recent Hacks, Malware, and Device Theft Incidents Affect 208,000 Individuals

A round-up of data breaches that have recently been reported to the HHS’ Office for Civil Rights and state Attorneys General.

Californian EHR Vendor Reports Breach of 77,652 Records

Further information has been obtained on a data breach reported to the HHS’ Office for Civil Rights on June 2, 2022, by Clinivate, a Pasadena, CA-based provider of EHR solutions for behavioral health agencies and schools.

According to a breach notification to the California Attorney General, unusual activity was detected in its digital environment on March 23, 2022. A forensic investigation confirmed that an unauthorized third party had gained access to its network, and on May 25, 2022, it was determined that files containing the protected health information of individuals were accessed by that third party between March 12, 2022, and March 21, 2022.

The files included the protected health information of 77,652 individuals, including names, medical record numbers, health plan beneficiary numbers, treatment information, diagnosis information, other medical information, and information about payments for medical services.

Clinivate has notified affected individuals and said it has implemented additional security measures to prevent further data breaches.

McLaren Port Huron Hospital Confirms PHI of 49,000 Individuals Compromised in Cyberattack at MCG Health

McLaren Port Huron Hospital has said the protected health information of certain patients has been compromised in a cyberattack at one of its former business associates, MCG Health. MCG Health provides patient care guidelines to many health plans and almost 2,600 hospitals in the United States. On March 25, 2022, MCG Health discovered an unauthorized third party had obtained data from its network that included data elements such as names, Social Security numbers, medical codes, postal addresses, phone numbers, email addresses, dates of birth, and gender. Many MCG Health clients were affected by the incident.

McLaren Port Huron Hospital said it was notified about the breach on June 9, 2022, and that the delay in being notified meant it has not conducted its own investigation to determine the probability of an actual compromise of patient data but has sent notifications to all affected individuals to warn them of the possibility that their PHI has been stolen. McLaren Port Huron Hospital stopped using MCG Health in 2019.

The data breach has been reported to the HHS’ Office for Civil Rights as affecting 48,957 McLaren Port Huron Hospital patients. Affected individuals have been offered complimentary credit monitoring and identity theft protection services for 24 months.

Kaiser Permanente Reports Theft of iPad Containing PHI

Kaiser Permanente has started notifying certain individuals that some of their protected health information was stored on an iPad that was stolen from a locked storage area at the Kaiser Permanente Los Angeles Medical Center. An unknown individual broke into the storage area and stole the iPad, and also obtained the password that provided access to the device.

The device was used at a Kaiser Permanente COVID-19 testing site, and included photographs of COVID-19 specimen labels and protected health information such as names, medical record numbers, dates of birth, and the dates and locations of service. The theft was discovered the same day and Kaiser Permanente remotely deleted the data on the device, including all photographs.

Kaiser Permanente said it has moved devices containing PHI to a more secure location and has strengthened its internal practices and procedures. Kaiser Permanente said the iPad contained the protected health information of approximately 75,000 health plan members.

Blue Cross and Blue Shield of Massachusetts Reports Third-Party Data Breach

Blue Cross and Blue Shield of Massachusetts (BCBSofMA) has recently confirmed that a data breach at a business associate has exposed the protected health information of some of its health plan members. The breach occurred at LifeWorks US Inc, which provides services related to the administration of the Retirement Income Trust, which includes making payments to pension beneficiaries.

Around June 20, 2022, a former employee of LifeWorks emailed spreadsheets to a personal email account and copied the email to the personal email account of another former LifeWorks employee. The spreadsheets contained the protected health information of individuals who were eligible for or were receiving benefits from BCBSofMA.

The former employees maintained that the spreadsheets were sent to preserve the formula used, and that attempts were made to delete all protected health information in the spreadsheets; however, some PHI remained. The former employees said they did not further disclose the information in the spreadsheets and have now deleted the spreadsheets from their personal email accounts. The information that remained in the spreadsheets was limited to names, addresses, Social Security numbers, and some pension benefit information.

BCBSofMA has reported the breach as affecting 4,855 individuals and has offered 24 months of complimentary identity theft and credit monitoring services to affected individuals. LifeWorks said it is taking steps to prevent any recurrences of incidents such as this.

Business Associate Ransomware Attack Affects Blue Shield of California Health Plan Members

A subcontractor of a vendor used by Blue Shield of California (BSofC) has suffered a ransomware attack in which the protected health information of members of BSofC and the BSofC Promise Health Plan may have been accessed or obtained. The ransomware attack was detected on April 28, 2022, by OneTouchPoint (OTP), which was a subcontractor used by business associate Matrix Medical Network.

OTP said it immediately terminated the unauthorized access to the network and launched an investigation into the breach. While it could not be confirmed if files containing health plan members’ protected health information were viewed or obtained, the possibility could not be ruled out. The files potentially accessed included names, subscriber ID numbers, diagnoses, medications, patient addresses, dates of birth, sex, physician demographics information, advance directives, family histories, social histories, allergies, vitals, immunizations, encounter data, assessment ID numbers, and assessment dates.

The data breach has been reported to the HHS’ Office for Civil Rights as affecting 1,506 health plan members. Affected individuals have been offered a complimentary 12-month membership to a credit monitoring and identity theft protection service.


Tenet Healthcare Cyberattack Had a $100 Million Unfavorable Impact in Q2, 2022

A cyberattack and data breach cost Tenet Healthcare $100 million in lost revenue and mitigation costs in Q2, 2022. Dallas, TX-based Tenet Healthcare is one of the largest healthcare providers in the United States, running 65 hospitals and more than 450 healthcare facilities across the United States through its brands and subsidiaries. In April 2022, Tenet experienced a cyberattack that caused major disruption to its IT systems and acute care operations for several weeks. The attack forced staff to work with pen and paper during the recovery period, and at least one of the affected hospitals had to temporarily divert ambulances to other facilities. The attack also disrupted its phone system, with doctors forced to leave the premises to make phone calls. The cyberattack affected at least two hospitals and started on April 20, 2022. Tenet did not publicly release details of the attack, such as whether it involved ransomware.

According to Tenet’s Q2 2022 earnings report, the attack has had a $100 million unfavorable EBITDA (earnings before interest, taxes, depreciation, and amortization) impact. Adjusted admissions fell by 5.3% year-over-year, with total admissions down 8% from Q2, 2021, and same-hospital net patient service revenue was down 0.2% as a direct result of the cyberattack. Over the quarter, Tenet saw a reduction in income of 68% compared to Q1, 2021, which fell to $38 million, and its operating revenue was down 6.4% to $4.6 million for the quarter. The attack was also partly responsible for a 2.8-day increase in its outstanding accounts receivable.

Tenet CEO Saum Sutaria said IT systems at the affected hospitals had to be totally rebuilt, and while the cyberattack had a significant business and financial impact, Tenet still recorded a strong quarter. Sutaria said the company had ample cybersecurity insurance which has helped to reduce the overall financial impact of the cyberattack. Its insurance policies paid out $5 million in Q2, 2022. The cost of the attack is significant, but it is comparable to other cyberattacks. For example, the ransomware attack on Scripps Health that affected 5 hospitals and 19 outpatient facilities cost Scripps Health $112.7 million in lost revenue and remediation costs.

Tenet will also have to cover further costs. A class action lawsuit was filed in Florida in June that alleges Tenet failed to implement appropriate security safeguards to protect against cyberattacks and did not provide adequate notifications to affected individuals. The lawsuit also alleges that notification letters have still not been sent to all individuals affected by the data breach.


Benson Health Notifies 28,913 Patients About May 2021 Data Breach

Benson Health in North Carolina has recently started notifying 28,913 patients that some of their protected health information was potentially accessed or acquired in a cyberattack that was detected on May 5, 2021. Benson Health said an investigation was immediately launched when the breach was detected, and a specialist cybersecurity and data privacy law firm and third-party forensic specialists were engaged to assist with the investigation. The investigation confirmed that a data set had been exposed and was potentially stolen by the attacker.

Data mining experts were retained to perform a comprehensive review of the affected information, which confirmed on July 7, 2022, that the dataset included names, birth dates, Social Security numbers, and health and treatment information.

Notification letters were sent to affected individuals on July 12, 2021, more than 14 months after the data breach was first detected. Affected individuals have been offered Single Bureau Credit Monitoring/Single Bureau Credit Report/Single Bureau Credit Score services at no charge for 12 months.

Business Email Compromise Attack Reported by AllOne Health

AllOne Health, a Wilkes-Barre, PA-based provider of workplace physical and mental health services, has recently announced that the email account of an employee has been accessed by an unauthorized third party. The breach was detected in February 2022 when wire transfers intended for one of its payees were discovered to have been routed to a fraudulently created bank account. The investigation of the incident revealed the email account of an employee had been compromised and used in the business email compromise attack to request fraudulent transfers. A forensic review was then conducted to determine whether any patient information was contained in the account.

AllOne Health said the email account contained the protected health information of 13,669 individuals, including names, addresses, dates of birth, driver’s license numbers, Social Security numbers, and limited health information. While that information may have been accessed or obtained, the purpose of the attack was to make fraudulent wire transfers. Limited financial documents were accessed as part of the scam, but no evidence was found to indicate any patient data was viewed or obtained by the scammer.

AllOne Health said all company passwords were reset when the attack was detected, and additional security measures have now been implemented on its systems to prevent further email account breaches. Affected individuals have been offered a complimentary 12-month membership to Epiq’s identity protection and credit monitoring services.

PHI of More than 46,000 Patients Compromised in Data Breach at Southwest Health Center

Southwest Health Center in Platteville, WI, has recently announced that the protected health information of 46,142 patients has been accessed and obtained by unauthorized individuals.

Southwest Health Center identified suspicious activity within its network environment on January 11, 2022, with the forensic investigation confirming that unauthorized individuals gained access to folders containing patient information and removed certain files from its systems. A comprehensive review of the files was completed on May 27, 2022, and confirmed that patient information such as names, dates of birth, clinical and treatment information, and Social Security numbers were present in the files. The delay in issuing notification letters to affected individuals was due to the lengthy process of determining current address information for those individuals.

Southwest Health Center sent notification letters to affected individuals on July 5, 2022, and has offered 12 months of complimentary credit monitoring and identity theft restoration services through IDX.


Department of Justice Announces Seizure of $500,000 in Ransom Payments Made by U.S. Healthcare Providers

The U.S. Department of Justice has announced that around $500,000 in Bitcoin has been seized from North Korean threat actors who were using Maui ransomware to attack healthcare organizations in the United States.

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) recently issued a security alert warning that North Korean hackers have been targeting the healthcare and public health sector in the United States using Maui ransomware since at least May 2021. The attacks have caused extensive disruption to IT systems and medical services and have put patient safety at risk.

The new ransomware variant was discovered during an investigation of a ransomware attack on a hospital in Kansas in May 2021. The attack was traced to a North Korean hacking group that is suspected of receiving backing from the state. The Kansas hospital had its servers encrypted, preventing access to essential IT systems for more than a week. The hospital paid a ransom of $100,000 for the keys to decrypt files and regain access to its servers and promptly notified the FBI about the attack and payment. The FBI was able to trace the payment, which was passed to money launderers in China, along with another payment of approximately $120,000 that was made by a healthcare provider in Colorado.

In May 2022, the FBI filed a seizure warrant in the District of Kansas to recover payments made in cryptocurrencies to the Maui ransomware gang, and ransom payments of approximately $500,000 were recovered from the seized cryptocurrency accounts. The funds have been forfeited by the ransomware gang and have been returned to healthcare providers in Kansas and Colorado.

“Thanks to rapid reporting and cooperation from a victim, the FBI and Justice Department prosecutors have disrupted the activities of a North Korean state-sponsored group deploying ransomware known as ‘Maui,’” said Deputy Attorney General Lisa O. Monaco today at the International Conference on Cyber Security. “Not only did this allow us to recover their ransom payment as well as a ransom paid by previously unknown victims, but we were also able to identify a previously unidentified ransomware strain. The approach used in this case exemplifies how the Department of Justice is attacking malicious cyber activity from all angles to disrupt bad actors and prevent the next victim.”

Microsoft has also recently reported that a North Korean hacking group operating under the name HolyGhost has been conducting ransomware attacks on SMBs in the United States. It is not clear whether the attacks are being conducted by a state-sponsored hacking group or whether individuals associated with the Lazarus Group are moonlighting and conducting the attacks independently.

“Today’s success demonstrates the result of reporting to the FBI and our partners as early as possible when you are a victim of a cyberattack; this provides law enforcement with the ability to best assist the victim,” said FBI Cyber Division Assistant Director Bryan Vorndran. “We will continue to pursue these malicious cyber actors, such as these North Korean hackers, who threaten the American public regardless of where they may be and work to successfully retrieve ransom payments where possible.”


The Methodist Hospitals Settles Class Action Data Breach Lawsuit for $425,000

The Methodist Hospitals Inc. has agreed to settle a class action lawsuit and has created a fund of $425,000 to cover claims from victims of a 2019 data breach that affected almost 70,000 current and former patients.

The Gary, IN-based healthcare provider reported an email security incident to the HHS’ Office for Civil Rights on April 4, 2019, that resulted in the exposure and potential theft of the protected health information of 68,039 patients. The investigation confirmed that hackers gained access to two employee email accounts between March 13, 2019, and July 8, 2019, after employees responded to phishing emails, and that the hackers potentially exfiltrated patient information such as names, addresses, birth dates, Social Security numbers, driver’s license numbers, Medicare/Medicaid numbers, usernames, passwords, treatment and diagnosis information, and payment card information.

A lawsuit – Jones v. The Methodist Hospitals, Inc. – was filed in the Harris County District Court in Texas in the wake of the data breach, alleging that The Methodist Hospitals was negligent for failing to adequately protect the protected health information of patients. Plaintiffs James Jones and Samantha L. Gordon and members of the class allegedly suffered harm as a result of the data breach.

The Methodist Hospitals denied any wrongdoing, and the OCR investigation was closed with no action taken; however, the decision was taken to settle the lawsuit to avoid further legal costs and the uncertainty of trial.

Under the terms of the settlement, eligible class members are entitled to submit a claim for two additional years of credit monitoring and identity theft resolution services, reimbursement for economic losses, and reimbursement for time lost due to the data breach. Claims can be submitted for reimbursement of documented economic losses of up to $3,000 and/or for reimbursement of lost time of up to $300. Final approval of the settlement was received on June 13, 2022. Claims must be submitted by October 6, 2022.
