HIPAA Breach News

June 2022 Healthcare Data Breach Report

June 2022 saw 70 healthcare data breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) – two fewer than May and one fewer than June 2021. Over the past 12 months, from July 2021 to June 2022, 692 large healthcare data breaches have been reported and the records of 42,431,699 individuals have been exposed or impermissibly disclosed. The past two months have seen data breaches reported at well over the 12-month average of 57.67 breaches a month.

The past 6 months have seen data breaches reported at similar levels to the second half of 2021 (345 in 1H 2022 v 347 in 2H 2021), but data breaches are down 6.25% from the first half of 2021 (368 in 1H 2021 v 345 in 1H 2022).

Healthcare data breaches in the past 12 months

For the third successive month, the number of exposed or compromised records has increased. In June, 5,857,143 healthcare records were reported as breached. That is the highest monthly total so far in 2022. June saw 32.48% more records breached than the previous month and 65.64% more than the monthly average over the past 12 months.

While huge numbers of healthcare records are being breached, fewer records were breached in the first half of 2022 than were breached in either the first half or the second half of 2021. In 1H 2022, 20,191,930 records were breached – 26.84% fewer than the 27,600,651 records breached in 1H 2021 and 9.2% fewer than the 22,239,769 records breached in 2H 2021.

Breached healthcare records in the past 12 months

Largest Healthcare Data Breaches Reported in June 2022

There were 31 reported breaches of 10,000 or more healthcare records in June – the same number as May 2022 – two of which affected more than 1.2 million individuals. Several healthcare providers submitted breach reports in June 2022 due to the ransomware attack on the HIPAA business associate, Eye Care Leaders. At least 37 healthcare providers are now known to have been affected by that ransomware attack, and more than 3 million records are known to have been exposed in the attack.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Location of Breached Information | Cause of Breach |
|---|---|---|---|---|---|
| Texas Tech University Health Sciences Center | TX | Healthcare Provider | 1,290,104 | Other | Eye Care Leaders ransomware attack |
| Baptist Medical Center | TX | Healthcare Provider | 1,243,031 | Network Server | Ransomware attack |
| MCG Health, LLC | WA | Business Associate | 793,283 | Network Server | Unspecified hacking and data theft incident |
| Yuma Regional Medical Center | AZ | Healthcare Provider | 737,448 | Network Server | Ransomware attack |
| Stokes Regional Eye Centers | SC | Healthcare Provider | 266,170 | Network Server | Eye Care Leaders ransomware attack |
| Spectrum Eye Physicians | CA | Healthcare Provider | 175,000 | Network Server | Eye Care Leaders ransomware attack |
| 90 Degree Benefits, Inc. | WI | Business Associate | 172,450 | Network Server | Unspecified hacking incident |
| Michigan Avenue Immediate Care | IL | Healthcare Provider | 144,104 | Network Server | Unspecified hacking and data theft incident |
| Mattax Neu Prater Eye Center, Inc. | MO | Healthcare Provider | 92,361 | Electronic Medical Record | Eye Care Leaders ransomware attack |
| Sight Partners Physicians, P.C. | WA | Healthcare Provider | 86,101 | Electronic Medical Record | Eye Care Leaders ransomware attack |
| Clinivate LLC | CA | Business Associate | 77,652 | Network Server | Unspecified hacking incident – no information publicly released |
| Kaiser Foundation Health Plan of Washington | WA | Healthcare Provider | 69,589 | Email | Compromised email account |
| Carolina Eyecare Physicians, LLC | SC | Healthcare Provider | 68,739 | Electronic Medical Record | Eye Care Leaders ransomware attack |
| Precision Eye Care, Ltd. | MO | Healthcare Provider | 58,462 | Electronic Medical Record | Eye Care Leaders ransomware attack |
| Resolute Health Hospital | TX | Healthcare Provider | 54,239 | Network Server | Ransomware attack |
| Aloha Laser Vision | HI | Healthcare Provider | 43,263 | Electronic Medical Record | Eye Care Leaders ransomware attack |
| Center for Sight, Inc. | MA | Healthcare Provider | 41,041 | Electronic Medical Record | Eye Care Leaders ransomware attack |
| McCoy Vision Center | AL | Healthcare Provider | 33,930 | Electronic Medical Record | Eye Care Leaders ransomware attack |
| Chesapeake Eye Center PA | MD | Healthcare Provider | 32,770 | Network Server | Eye Care Leaders ransomware attack |
| Kevin Wolf, DPM d/b/a Goldsboro Podiatry | NC | Healthcare Provider | 30,669 | Network Server | Unspecified hacking incident |
| Long Vision Center | TX | Healthcare Provider | 29,237 | Electronic Medical Record | Eye Care Leaders ransomware attack |
| Foxhall Ob Gyn Associates | DC | Healthcare Provider | 27,000 | Other | No information |
| Alabama Eye & Cataract, P.C. | AL | Healthcare Provider | 26,000 | Network Server | Eye Care Leaders ransomware attack |
| Lori A. Harkins MD, P.C. dba Harkins Eye Clinic | NE | Healthcare Provider | 23,993 | Electronic Medical Record | Eye Care Leaders ransomware attack |
| DialAmerica Marketing, Inc. | NJ | Business Associate | 19,796 | Network Server | Unspecified hacking incident |
| Central Florida Inpatient Medicine | FL | Healthcare Provider | 19,625 | Email | Compromised email account |
| Yale New Haven Hospital | CT | Healthcare Provider | 19,496 | Other | Data exposed on a public-facing website |
| Cherry Creek Eye Physicians and Surgeons, P.C. | CO | Healthcare Provider | 17,732 | Electronic Medical Record | Eye Care Leaders ransomware attack |
| Bayhealth Medical Center, Inc. | DE | Healthcare Provider | 17,481 | Network Server | Ransomware attack on business associate (Professional Finance Company) |
| Kernersville Eye Surgeons, P.C. | NC | Healthcare Provider | 13,412 | Electronic Medical Record | Eye Care Leaders ransomware attack |
| Phelps County Regional Medical Center d/b/a Phelps Health | MO | Healthcare Provider | 12,602 | Network Server | Data breach at business associate (MCG Health) |

Causes of June 2022 Healthcare Data Breaches

As the above table shows, ransomware attacks on healthcare organizations continue to be reported in high numbers. 20 of the 31 breaches affecting 10,000 or more individuals have been confirmed as involving ransomware. When these attacks occur at business associates, they can affect many different HIPAA-covered entities. As mentioned, the Eye Care Leaders ransomware attack has affected at least 37 eye care providers, and a ransomware attack on Professional Finance Company affected 657 of its healthcare provider clients.

There is no sign that ransomware attacks on healthcare providers will slow. This month, CISA has warned the health and public health sector that North Korean state-sponsored hackers are known to be targeting the sector and are using ransomware for extortion.

Hacking incidents continue to dominate the breach reports, with all but two of the top 31 breaches involving hacking. 81% of the month’s breaches were reported as hacking/IT incidents, and across those 57 incidents, the records of 5,784,009 individuals were breached – 98.75% of all the breached records in June. The average breach size was 101,474 records and the median breach size was 12,602 records.

There were 6 unauthorized access/disclosure data breaches reported involving 59,224 records. The average breach size was 9,871 records and the median breach size was 5,672 records. 5 loss/theft incidents were reported (4 x theft, 1 x loss) involving 12,184 records. The average breach size was 2,437 records and the median breach size was 1,126 records. Finally, there were two improper disposal incidents reported, both of which involved paper/films. In total, 1,726 records were exposed as a result of those incidents.

Causes of June 2022 healthcare data breaches

Location of Breached Protected Health Information

The bar graph below shows where the breached information was stored. The high number of network server breaches indicates the extent to which hackers are attacking healthcare organizations. Many of these attacks involved ransomware. Most data breaches reported by healthcare providers do not involve electronic health records, which are usually kept separate from other systems. The high number of breaches involving EHRs this month is due to the ransomware attack on Eye Care Leaders, which provides electronic medical record systems to eye care providers.

Location of breached PHI (June 2022)

Data Breaches by HIPAA-Regulated Entity Type

Healthcare providers were the worst affected HIPAA-covered entity in June, accounting for 55 data breaches of 500 or more records, with 4 data breaches reported by health plans. Business associates of HIPAA-covered entities self-reported 11 data breaches; however, 29 data breaches occurred at business associates but were reported by the affected covered entity rather than the business associate.

Taking this into account, the breakdown of the month’s data breaches by HIPAA-regulated entity type is shown in the chart below.

June 2022 Healthcare Data Breaches - HIPAA-regulated entity type

Geographic Distribution of Breached Entities

Data breaches of 500 or more records were reported by HIPAA-regulated entities in 29 states and the District of Columbia.

| State | Number of Data Breaches |
|---|---|
| Washington | 5 |
| California, New Jersey, North Carolina, Ohio, South Carolina, Texas, & Virginia | 4 |
| Alabama, Missouri, Nebraska, & New York | 3 |
| Delaware, Illinois, Kansas, Maryland, Michigan, Pennsylvania, Tennessee, & the District of Columbia | 2 |
| Arizona, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Massachusetts, Mississippi, & Wisconsin | 1 |

HIPAA Enforcement Activity in June 2022

There were no HIPAA enforcement actions announced by the OCR or state attorneys general in June; however, OCR announced this month (July) that a further 12 HIPAA penalties have been imposed, 11 of which were for violations of the HIPAA Right of Access.

The post June 2022 Healthcare Data Breach Report appeared first on HIPAA Journal.

BJC Healthcare Settles Data Breach Lawsuit Stemming from 2020 Phishing Attack

BJC HealthCare has agreed to settle a class action lawsuit to resolve claims it failed to adequately protect patient data from phishing attacks. The nonprofit St. Louis-based hospital system reported a breach of its email system to the HHS’ Office for Civil Rights on May 5, 2020, that affected 287,876 individuals. The investigation confirmed that three email accounts had been compromised in March 2020 as a result of responses to phishing emails. While it could not be determined whether data had been stolen, the affected email accounts contained the protected health information of patients of 19 of its hospitals, including names, birth dates, health insurance information, Social Security numbers, driver’s license numbers, and healthcare data.

The lawsuit, filed in the Circuit Court of the City of St. Louis, State of Missouri, originally included 10 counts against the defendants and survived two motions to dismiss, with the lawsuit allowed to proceed on 8 of the 10 counts: unjust enrichment, breach of contract, negligence, negligence per se, breach of covenant of good faith and fair dealing, vicarious liability, and violations of the Missouri Merchandising Practices Act (MMPA) and Illinois Consumer Fraud and Deceptive Business Practices Act (ICFA).

BJC HealthCare agreed to settle the lawsuit with no admission of liability or wrongdoing. Under the terms of the settlement, BJC HealthCare will make funds available to cover claims from affected individuals up to a maximum of $5,000. Each individual affected may submit a claim for ordinary and extraordinary expenses incurred as a result of the data breach.

Claims can be submitted for ordinary expenses such as bank fees, interest, credit monitoring costs, postage, mileage, and up to 3 hours of lost time at $20 per hour. Ordinary claims are capped at $250 per person. Claims of up to $5,000 can be submitted for extraordinary expenses, including documented monetary losses and up to three hours of additional lost time at $20 per hour. BJC HealthCare has also agreed to cover the cost of two years of credit monitoring and identity theft protection services. Named plaintiffs will receive up to $2,000 and BJC HealthCare will cover the plaintiffs’ legal costs. BJC HealthCare has committed $2.7 million to cover the cost of implementing multi-factor authentication for its email accounts to improve protection against phishing attacks.

Claims must be submitted by Dec. 14, 2022. The final approval hearing for the settlement is on Sept. 6, 2022.

In May 2022, BJC HealthCare reported another email breach to the HHS’ Office for Civil Rights. The incident was reported as affecting 500 individuals – a common placeholder used until the exact number of affected individuals is determined. The breach occurred two months previously.


Oklahoma State University Settles HIPAA Case with OCR for $875,000

The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has announced that Oklahoma State University – Center for Health Sciences (OSU-CHS) has agreed to settle a HIPAA investigation stemming from a web server hacking incident and has agreed to pay a financial penalty of $875,000 to resolve potential violations of the HIPAA Privacy, Security, and Breach Notification Rules.

OSU-CHS is a public land-grant research university that provides preventive, rehabilitative, and diagnostic care in Oklahoma. OCR launched a HIPAA investigation after receiving a breach report on January 5, 2018, in response to the hacking of an OSU-CHS web server. OSU-CHS determined that malware had been installed on the server which allowed the hacker(s) to access the electronic protected health information of 279,865 individuals.

The information exposed and potentially obtained by an unauthorized third party included names, Medicaid numbers, healthcare provider names, dates of service, dates of birth, addresses, and treatment information. OSU-CHS initially declared that the data breach occurred on November 7, 2017; however, it was later reported that the hackers first had access to the ePHI of patients 20 months earlier, on March 9, 2016.

OCR investigators determined OSU-CHS had potentially violated the following provisions of the HIPAA Rules:

  • Impermissible disclosure of the ePHI of 279,865 individuals – 45 C.F.R. § 164.502(a)
  • Failure to conduct a comprehensive and accurate organization-wide risk analysis – 45 C.F.R. § 164.308(a)(1)(ii)(A)
  • Failure to perform a periodic technical and nontechnical evaluation in response to environmental or operational changes affecting the security of ePHI – 45 C.F.R. § 164.308(a)(8)
  • Failure to implement audit controls – 45 C.F.R. § 164.312(b)
  • A security incident response and reporting failure – 45 C.F.R. § 164.308(a)(6)(ii)
  • Failure to provide timely breach notification to affected individuals – 45 C.F.R. § 164.404
  • Failure to provide timely breach notification to the Secretary of the HHS – 45 C.F.R. § 164.408

In addition to the financial penalty, OSU-CHS has agreed to implement a corrective action plan to resolve all areas of non-compliance identified by OCR and will be closely monitored for compliance with the corrective action plan and the HIPAA Rules for two years. The case was settled with no admission of liability or wrongdoing.

“HIPAA-covered entities are vulnerable to cyber-attackers if they fail to understand where ePHI is stored in their information systems,” said OCR Director Lisa J. Pino. “Effective cybersecurity starts with an accurate and thorough risk analysis and implementing all of the Security Rule requirements.”

This is the fifth financial penalty to be imposed by OCR in 2022 to resolve HIPAA violations, and the 111th penalty to be imposed since OCR was given the authority to fine HIPAA-regulated entities for HIPAA violations.


Carolina Behavioral Health Alliance Reports Breach of the PHI of 130,000 Health Plan Members

The Winston-Salem, NC-based managed behavioral health organization, Carolina Behavioral Health Alliance (CBHA), the administrator of behavioral health benefits for Wake Forest University and Wake Forest Baptist Medical Center, has recently announced it was the victim of a ransomware attack.

The attack was detected on March 20, 2022, and resulted in computer systems being disabled. The forensic investigation of the incident confirmed the attackers had access to its systems between March 19 and March 20 and may have viewed or obtained the sensitive data of 130,000 health plan members and their dependents, including names, addresses, health plan ID numbers, genders, and Social Security numbers.

To date, no reports have been received to indicate there has been any actual or attempted misuse of patient data. CBHA said it has implemented additional safeguards to better protect the data of health plan members in the future and has offered affected individuals access to single bureau credit monitoring, credit reporting, and credit score services for 24 months.

ATC Healthcare Announces Email Data Breach

ATC Healthcare in New York has recently confirmed that the email accounts of certain employees were accessed by unauthorized individuals, who may have viewed or obtained sensitive patient data. The incident was detected on December 22, 2021, when suspicious activity was identified within its email environment. The forensic investigation confirmed that several employee email accounts had been accessed by unauthorized individuals at various points between February 9, 2021, and December 22, 2021.

The affected email accounts included names, Social Security numbers, driver’s licenses, financial account information, usernames and passwords, passport numbers, biometric data, medical information, health insurance information, electronic/digital signatures, and employer-assigned identification numbers.

ATC Healthcare said it found no evidence to suggest patient information was accessed, exfiltrated, or misused, and that notification letters were sent to all individuals potentially affected. It is currently unclear how many individuals have been affected by the data breach.

Employee Email Account Compromised at Community of Hope D.C.

Community of Hope D.C. (COHDC) has discovered the email account of an employee has been accessed by an unauthorized third party, who may have viewed or obtained patients’ protected health information. The breach was detected when the email account was used to send spam emails. The forensic investigation confirmed the breach was limited to a single employee email account, which was breached between January 27, 2022, and February 7, 2022.

The account contained names, Social Security numbers, driver’s license numbers, financial information, health insurance information, and health diagnostic information. 645 individuals have been affected by the breach and have been offered complimentary credit monitoring and identity theft protection services.


Tenet Healthcare Sued Over Data Breach; San Francisco Settles Data Breach Lawsuit

Tenet Healthcare and Baptist Health are facing a class action lawsuit over a recently reported data breach that affected 1.2 million patients. The breach was detected on April 20, 2022, with the forensic investigation confirming an unauthorized third-party had accessed the IT networks of Baptist Medical Center or Resolute Health Hospital between March 31 and April 24, 2022, and removed files containing sensitive patient data. The information potentially compromised included names, addresses, Social Security numbers, health insurance information, medical information, and billing and claims data.

Tenet Healthcare issued a public notification about the cyberattack and data breach on April 26, 2022, while the investigation into the breach was ongoing. Notifications were sent to affected individuals in mid-June, less than two months after the discovery of the cyberattack. Affected individuals were offered complimentary credit monitoring and identity theft protection services.

The lawsuit was filed in Dallas County and names Texas resident, Troy Contreras, as the lead plaintiff. The lawsuit alleges the defendants were negligent for failing to protect the privacy of patients by implementing appropriate safeguards that met industry standards, such as multi-layered security, malware detection software, and providing sufficient security awareness education to the workforce, and that the data security practices of the defendants were not aligned with the guidelines issued by the Federal Trade Commission. The lawsuit also alleges a failure to issue proper notifications.

The plaintiff claims to have spent a significant amount of time ensuring his personal and protected health information is safe and that he is protected against fraud, and will continue to have to spend time doing so in the future. The lawsuit does not allege any actual misuse of the plaintiff’s data. The lawsuit seeks damages in excess of $1 million.

San Francisco Settles Medical Data Breach Lawsuit

The city and county of San Francisco have settled a long-running class action data breach lawsuit – Jane Doe, et al. vs. The City and County of San Francisco, et al. – and have agreed to make $400,000 available to cover claims from the 8,884 class members. The lawsuit was filed following the impermissible disclosure of the private medical information of patients of Zuckerberg San Francisco General Hospital and Trauma Center, whose medical records were kept by neurosurgeon Dr. Shirley Stiver.

The case was filed in April 2016 in San Francisco Superior Court over the disclosure of highly sensitive data such as names, medical records, diagnoses – including HIV diagnoses – surgical notes, consultation notes, and radiologic films. The disclosures occurred without written consent from patients. The lawsuit alleged violations of the Confidential Medical Information Act and the California Health & Safety Code.

Class members are entitled to submit claims for up to $599. Claims must be submitted by August 30, 2022. The final approval hearing has been scheduled for September 29, 2022.


Associated Eye Care Partners Issues Notifications About December 2020 Data Breach

Montana-based Associated Eye Care Providers (AEC) has recently started notifying patients that their private health information was compromised in a data breach at a business associate that was detected in early December 2020.

The data breach in question occurred at Netgain Technologies, which provided managed IT services to many organizations in the healthcare sector. Netgain Technologies experienced a ransomware attack in which files containing sensitive data were stolen. Netgain paid the ransom to prevent any further disclosure of the stolen data and received assurances from the ransomware gang that the stolen data had been deleted.

Netgain Technologies notified affected healthcare clients in January 2021, and those entities started to issue notification letters to affected patients over the next couple of months. While some affected healthcare clients took longer to issue notifications, it has now been 18 months since Netgain started notifying affected clients.

According to the AEC notification letter – dated July 8, 2022 – “Upon notification by Netgain to AEC, we worked with our information technology (IT) support team and engaged a law firm specializing in cybersecurity and data privacy to investigate further.” An extensive data mining project was then conducted to determine which individuals had been affected, and that process was completed on May 16, 2022. After verifying contact information, notification letters were sent in July. AEC did not disclose when it was informed by Netgain about the data breach.

AEC said names, addresses, Social Security numbers, and medical histories had been exposed and potentially stolen, but there have been no reports of any actual or attempted misuse of patient data as a result of the data breach. In response to the breach, AEC replaced Netgain as its hosting vendor, migrated all data to another service provider, and has taken steps to introduce further safeguards to prevent any similar attacks in the future. AEC has offered affected individuals complimentary credit monitoring services.

The Netgain Technologies data breach was reported separately by each affected client and is understood to have affected more than 1 million individuals. It is currently unclear how many AEC patients have been affected, as the incident has not yet appeared on the HHS’ Office for Civil Rights breach portal.


Patient Information Compromised at Phoenixville Hospital, Family Practice Center, and Southwest Health Center

Phoenixville Hospital Fires Employee for HIPAA Violation

Phoenixville Hospital in Pennsylvania has recently fired an employee for accessing the medical records of patients without authorization. According to the hospital operator, Tower Health, the unauthorized access was discovered during a routine audit of medical record access logs.

An employee was discovered to have accessed the medical records of several patients without authorization between October 2021 and May 2022, when there was no legitimate work reason for viewing those records. When the privacy violation was discovered, the employee was immediately suspended pending an internal investigation and was later fired for the HIPAA breach.

The employee viewed names, addresses, dates of birth, appointment dates, diagnoses, vital sign information, medications, test results, and physicians’ notes. Some of the accessed records included partial Social Security numbers and health insurance information. Tower Health said additional training has been provided to the workforce regarding patient privacy and the accessing of medical records.

Family Practice Center Reports October 2021 Hacking Incident

Family Practice Center in Pennsylvania has recently started sending notification letters to patients whose protected health information was exposed in an October 2021 cyberattack. According to the substitute breach notice on its website, an attempt was made to shut down its computer systems on October 11.

An investigation was launched and on May 21, 2022 – 7 months after the discovery of the attack – it was determined that some of the files accessed in the incident included patient data such as names, addresses, medical insurance information, and health and treatment information. Patient medical records were not involved. Notification letters were sent to affected individuals on July 5, 2022. Family Practice Center said it is unaware of any misuse of patient information.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Southwest Health Center Suffers Cyberattack

The Platteville, WI-based non-profit community healthcare provider, Southwest Health Center, has recently started notifying patients about a cyberattack that was first discovered on January 11, 2022. A forensic investigation determined that an unauthorized third party accessed files containing the personal and protected health information of current and former employees, their dependents, and patients who received healthcare services at Southwest Health.

The information compromised in the breach included names, dates of birth, Social Security numbers, driver’s license or state identification card numbers, financial account numbers, medical information, and/or health insurance information. Complimentary credit monitoring and identity theft protection services have been offered to affected individuals.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.


Health Aid of Ohio Settles Class Action Data Breach Lawsuit

Health Aid of Ohio has agreed to settle a class action lawsuit to resolve claims that it failed to protect the sensitive personal information of its customers.

Health Aid of Ohio is a Parma, OH-based full-service home medical equipment provider. On February 19, 2021, Health Aid discovered hackers had gained access to its network and viewed and removed files containing sensitive customer information. The files contained information such as name, telephone number, Social Security number, date of birth, medical diagnosis, insurance information, and the type of equipment that was delivered or repaired. Notifications were issued to affected customers in May 2021. The data breach affected 141,149 individuals.

A lawsuit was filed on behalf of affected individuals, which alleged Health Aid had failed to implement reasonable cybersecurity measures to ensure the confidentiality of customer data. The lawsuit alleged negligence, unjust enrichment, invasion of privacy, and other claims.

Health Aid admitted no wrongdoing but decided to settle the lawsuit to resolve all claims related to the data breach. Under the terms of the settlement, any individual affected who had their Social Security number exposed is entitled to a cash payment of up to $250 and can submit a claim for out-of-pocket expenses, including credit monitoring costs, and up to four hours of lost time at $15 per hour. Documentation must be submitted to support any claim. Any individual who can provide documentation that proves they were a victim of fraud can submit a claim of up to $2,500. Claims must be submitted by August 22, 2022, and the deadline for exclusion or objection is July 22, 2022.

Regardless of the types of information exposed in the data breach, all class members are entitled to a 12-month complimentary membership to credit monitoring and identity theft restoration service. Health Aid has also agreed to implement a range of additional safeguards to better protect customer information in the future and will undergo annual security risk assessments in 2022 and 2023 to determine whether further security enhancements can be made.

The final approval hearing for the settlement has been scheduled for Sept. 20, 2022.


Security Breaches Reported by Benefit Plan Administrators and The People Concern

Roanoke, VA-based Benefit Plan Administrators Inc. has recently notified 3,775 individuals that an unauthorized individual gained access to its network and removed files that contained some of their protected health information. It is unclear from the breach notification letters when the incident occurred, but the forensic investigation concluded on March 15, 2022, and the notification letters were sent to affected individuals on or around June 15.

Benefit Plan Administrators said the following types of information were in the files that were removed from its systems: full names, addresses, dates of birth, Social Security numbers, gender classification, claims information, medications information, and medical diagnosis/conditions information. The breach was reported to the HHS’ Office for Civil Rights as four separate incidents. Employees of Alpha Natural Resources Non-Union VEBA Trust and Williamson Employment Services, Inc. are known to have been affected.

No evidence was found to indicate any of the removed information has been misused. Complimentary credit monitoring services have been provided to affected individuals. Benefit Plan Administrators said additional safeguards have been implemented by the IT department to prevent similar incidents in the future.

The People Concern Reports Breach of Employee Email Accounts

The People Concern, a Los Angeles, CA-based homeless service, has discovered the email accounts of some of its employees have been accessed by an unauthorized third party. The accounts contained the sensitive information of community members such as date of birth, Social Security number, health insurance information, and medical information regarding care received through its programs.

The security breach was detected when suspicious activity was observed in the email accounts, with the investigation revealing they had been accessed by unauthorized individuals at various times between April 6, 2021, and December 9, 2021.

In response to the breach, email security measures have been enhanced and affected individuals have been offered complimentary memberships to an identity theft protection and resolution service for one year. It is currently unclear how many individuals have been affected.

Advocates Inc. Discovers Further Individuals Affected by 2021 Data Breach

In January 2022, Framingham, MA-based Advocates Inc. started notifying individuals affected by a cyberattack that saw its network compromised between September 14, 2021, and September 18, 2021. The incident was initially thought to have affected 68,236 individuals, but the investigation later confirmed that additional individuals had been affected. The review of the impacted files continued until June 9, 2022, and additional notifications were mailed to affected individuals on June 28, 2022. Details of the breach can be found in this post. It is currently unclear how many additional individuals have been affected.
