HIPAA Breach News

Patient Privacy Violated in Incidents at VCU Health and Cheyenne Regional Medical Center

Virginia Commonwealth University Health System (VCU Health) has detected a long-running privacy violation that may date back to January 4, 2006. According to the substitute breach notification on the VCU Health website, transplant donor information had been included in the medical records of certain transplant recipients, and transplant recipient information had also been included in the medical records of transplant donors.

When donors, transplant recipients, or their representatives logged into the patient portal to view their medical records, they would have been able to view information about the corresponding recipient or donor. It is also possible that the information was provided to individuals who exercised their right under HIPAA to obtain a copy of their health information. In each case, the exposed information was not accessible to the public, only to specific transplant donors and recipients.

The privacy issue was detected by VCU Health on February 7, 2022, with the subsequent investigation confirming that additional information may also have been viewable, which included names, Social Security numbers, lab results, medical record numbers, date(s) of service, and/or dates of birth.

Affected individuals have been notified by mail and have been offered complimentary credit monitoring services if their Social Security numbers were exposed. Steps have also been taken to improve privacy protections and prevent similar incidents in the future. VCU Health said, in total, 4,441 transplant donors and recipients had been affected.

Cheyenne Regional Medical Center Discovers Employee Snooped on Patient Records for 2 Years

Cheyenne Regional Medical Center (CRMC) has discovered a former employee had been accessing the medical records of patients without authorization for almost two years. The former employee had been provided with access to patient data to complete her work duties but had been accessing the records of patients for reasons unrelated to her role.

The privacy violation came to light when a former co-worker reported the individual for the HIPAA violation after a transfer to a different department within the medical center. The incident was investigated internally and it was confirmed that the records of up to 1,600 patients had been viewed without authorization between Aug. 31, 2020, and May 26, 2022.

CRMC compliance director, Gladys Ayokosok, said no evidence was found to suggest any patient information was copied or further disclosed by the former employee, and affected individuals have now been notified about the employee’s HIPAA violation. The types of information that may have been viewed included names, dates of birth, social security numbers, dates of care, medical record numbers, diagnoses, and treatments.

According to Ayokosok, the access went undetected for so long because the former employee had previously worked with the electronic health record provider. To detect snooping in the future, the IT department has created an audit trail that allows the IT team to tell whether employees are accessing records an unusual number of times, see why employees are accessing patient records, and confirm that there is a legitimate reason for each access.
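The kind of check such an audit trail enables, as an added illustration that is not CRMC's or its EHR vendor's tooling: the log format, the role-to-reason policy, the thresholds and the log lines themselves are assumptions constructed for this example. It applies two of the checks the paragraph lists to a constructed access log: whether a user opened far more distinct charts than peers in the same role, and whether each access carries a reason that the user's role may legitimately record.

```python
"""Added example: two snooping checks over a constructed EHR access log.

Illustration code for this page, not CRMC's or any EHR vendor's audit tooling.
The log format, the role-to-reason policy and the thresholds are all assumptions.
"""
from collections import defaultdict
from statistics import median
from typing import Dict, List, NamedTuple


class Access(NamedTuple):
    ts: str      # ISO timestamp
    user: str    # workforce account
    role: str    # job role of the account
    mrn: str     # medical record number opened
    unit: str    # unit treating the patient
    reason: str  # reason-for-access code recorded at chart open


# Assumed policy: the reason codes each role may legitimately record.
ALLOWED_REASONS: Dict[str, set] = {
    "nursing": {"TREATMENT", "EMERGENCY"},
    "physician": {"TREATMENT", "CONSULT", "EMERGENCY"},
    "billing": {"BILLING"},
}

# Constructed sample log (not real data). Fields: ts user role mrn unit reason.
# nurse03 records a plausible reason but opens 12 charts across four units;
# clerk07 (billing) records TREATMENT once; dr05 records no reason once.
SAMPLE_LOG = """\
# constructed sample, not real audit data
2022-05-02T08:10:00 nurse01 nursing MRN1001 icu TREATMENT
2022-05-02T08:12:00 nurse01 nursing MRN1002 icu TREATMENT
2022-05-02T08:15:00 nurse01 nursing MRN1003 icu TREATMENT
2022-05-02T09:00:00 nurse02 nursing MRN1004 ward3 TREATMENT
2022-05-02T09:05:00 nurse02 nursing MRN1005 ward3 TREATMENT
2022-05-02T09:30:00 clerk07 billing MRN1001 icu BILLING
2022-05-02T09:31:00 clerk07 billing MRN1004 ward3 BILLING
2022-05-02T09:40:00 clerk07 billing MRN1005 ward3 TREATMENT
2022-05-02T10:00:00 dr05 physician MRN1001 icu CONSULT
2022-05-02T10:20:00 dr05 physician MRN1002 icu NONE
""" + "\n".join(
    f"2022-05-02T13:{i:02d}:00 nurse03 nursing MRN3{i:03d} ward{i % 4} TREATMENT"
    for i in range(12)
)


def parse_log(text: str) -> List[Access]:
    """Parse whitespace-separated audit lines; blank and '#' lines are skipped."""
    accesses = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 6:
            raise ValueError(f"malformed audit line: {line!r}")
        accesses.append(Access(*fields))
    return accesses


def flag_unjustified(accesses: List[Access]) -> List[Access]:
    """Accesses whose recorded reason is not one the user's role may use."""
    return [a for a in accesses if a.reason not in ALLOWED_REASONS.get(a.role, set())]


def flag_high_volume(accesses: List[Access], factor: float = 3.0, floor: int = 5) -> Dict[str, int]:
    """Users who opened more distinct charts than factor x the median of their role.

    The floor stops tiny roles from flagging on a median of one or two charts.
    """
    charts: Dict[str, set] = defaultdict(set)
    role_of: Dict[str, str] = {}
    for a in accesses:
        charts[a.user].add(a.mrn)
        role_of[a.user] = a.role
    counts_by_role: Dict[str, List[int]] = defaultdict(list)
    for user, mrns in charts.items():
        counts_by_role[role_of[user]].append(len(mrns))
    flagged: Dict[str, int] = {}
    for user, mrns in charts.items():
        threshold = max(floor, factor * median(counts_by_role[role_of[user]]))
        if len(mrns) > threshold:
            flagged[user] = len(mrns)
    return flagged


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("high volume:", flag_high_volume(log))
    for a in flag_unjustified(log):
        print("unjustified:", a.user, a.role, a.mrn, a.reason)
```

The volume check compares a user with peers in the same role, so a role with a single member can only be caught by the absolute floor; a real deployment would also compare each user with their own history and add the classic targeted checks (co-workers, relatives, VIP patients) that a peer median does not see.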

The post Patient Privacy Violated in Incidents at VCU Health and Cheyenne Regional Medical Center appeared first on HIPAA Journal.

Data Breaches Reported by University Pediatric Dentistry, OrthoNebraska, Michigan Avenue Immediate Care

University Pediatric Dentistry in Buffalo, NY, has started notifying 6,843 patients that some of their protected health information has been exposed in an email security incident.

The email system was immediately secured when the breach was detected, and the forensic investigation confirmed that two email accounts had been accessed by an unauthorized third party between January 12, 2022, and January 19, 2022. University Pediatric Dentistry said it learned on April 25, 2022, that emails and attachments in the compromised accounts contained patient data, and that information had potentially been viewed or obtained.

The compromised information included patient names, contact information, dates of birth, Social Security numbers, driver’s license numbers, government identification numbers, treatment and diagnosis information, provider names, medical record numbers, patient account numbers, prescription information, dates of service and/or health insurance information. A limited number of patients also had financial account information exposed.

Individuals who had their Social Security numbers or driver’s license numbers exposed have been offered complimentary credit monitoring and identity theft protection services. University Pediatric Dentistry said technical security measures will be implemented to further protect and monitor its email system.

Cyberattack Reported by Michigan Avenue Immediate Care

Michigan Avenue Immediate Care (MAIC) in Chicago, IL, has recently reported a hacking incident in which an unauthorized third party gained access to its computer network and exfiltrated files containing sensitive patient data. The cyberattack was detected on May 1, 2022, and on May 12, 2022, MAIC confirmed that the files exfiltrated from its systems included some patient information.

The types of data in the files varied from individual to individual and may have included names, addresses, telephone numbers, dates of birth, Social Security numbers, driver’s license numbers, treatment information, and/or health insurance information. Affected individuals have been notified by mail and have been offered a complimentary one-year membership of the Experian IdentityWorks Credit 3B service.

The incident has not yet appeared on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

OrthoNebraska Email Account Compromised

OrthoNebraska, an Omaha, NE-based orthopedic clinic, has recently announced that the email account of an employee has been accessed by an unauthorized individual. The breach occurred in early December 2021 and was detected when the account was used to send spam emails. A review of the affected email account confirmed the protected health information of certain patients was present in emails and attachments, and that information may have been viewed or obtained.

The exposed information included names, demographic information, driver’s license numbers, state ID numbers, usernames/passwords, Social Security numbers, medical histories, and health insurance and claims information. Affected individuals have been notified by mail and credit monitoring and identity theft protection services have been offered. To date, no reports have been received that indicate any actual or attempted misuse of patient data. OrthoNebraska said it has provided further information security training to the workforce and additional safeguards have been implemented to improve email security.

The incident has not yet appeared on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Jack Hughston Memorial Hospital Investigating Cyberattack

Jack Hughston Memorial Hospital in Phenix City, AL has recently confirmed that hackers have gained access to its network. The cyberattack forced the hospital to take its computer systems offline, which has prevented access to electronic medical records. The hospital has continued to provide care to patients under emergency downtime procedures and a third-party computer forensics firm has been engaged to assist with the investigation. At this stage of the investigation, it is unclear if, and to what extent, patient information has been compromised.

Several More Eye Care Practices Impacted by Eye Care Leaders Data Breach

The number of eye care providers affected by the data breach at Eye Care Leaders has continued to grow, with Mattax Neu Prater Eye Center in Missouri, Aloha Laser Vision in Hawaii, and Sight Partners Physicians in Washington among the latest known to be affected. At least 33 eye care providers have confirmed they have been affected by the cyberattack and the records of more than 2.9 million individuals have potentially been compromised.

The post Data Breaches Reported by University Pediatric Dentistry, OrthoNebraska, Michigan Avenue Immediate Care appeared first on HIPAA Journal.

657 Healthcare Providers Affected by Ransomware Attack on Professional Finance Company

A major data breach has been reported by the Greeley, CO-based accounts receivable management company, Professional Finance Company Inc. (PFC) which is believed to have affected 657 of its healthcare provider clients.

According to the PFC website, the company is one of the nation’s leading debt recovery agencies, and its client list includes many healthcare providers, retailers, financial organizations, and government agencies. According to the company’s substitute breach notice, a sophisticated ransomware attack was detected and blocked on February 26, 2022, but not before some of its computer systems had been disabled.

Third-party forensics specialists were engaged to investigate the breach and assist with securing PFC’s environment. That investigation confirmed that an unauthorized third party had access to systems that contained information about patients of its healthcare provider clients, and that files containing patient data were accessed. PFC said it sent notification letters to all affected healthcare provider clients on May 5, 2022, and has since issued notification letters to all affected individuals.

The investigation uncovered no evidence of misuse of patient data, but data theft and misuse could not be ruled out. The types of information potentially accessed in the attack included names, addresses, accounts receivable balances, information regarding payments made to accounts, and, for some individuals, birth dates, Social Security numbers, health insurance information, and medical treatment information.

PFC said it is providing complimentary credit monitoring and identity theft protection services to affected individuals. In contrast to several recent data breaches at business associates of HIPAA-covered entities, PFC has published a list of the healthcare providers affected.

The incident has yet to appear on the HHS’ Office for Civil Rights website, so it is unclear how many patients have been affected by the breach, but with 657 healthcare providers affected, this has the potential to be one of the largest healthcare data breaches to be reported this year.

The post 657 Healthcare Providers Affected by Ransomware Attack on Professional Finance Company appeared first on HIPAA Journal.

Fitzgibbon Hospital, Diskriter, Christiana Spine Center Suffer Ransomware Attacks

On June 25, 2022, a spokesperson for a threat group called DAIXIN Team contacted HIPAA Journal to share information about a ransomware attack and data theft incident at Fitzgibbon Hospital in Marshall, Missouri. A link was shared to a dark web resource where data stolen in the attack has been published.

The published data includes database tables from the MEDITECH database, and sensitive documents containing patient data stolen from internal servers. In total, 40GB of data was stolen in the attack and included names, dates of birth, medical record numbers, patient account numbers, Social Security numbers, and medical and treatment information.

DAIXIN Team was previously unknown to HIPAA Journal and appears to be a new ransomware group. databreaches.net has obtained further information on the group and the attack, including a shared chat log confirming that a representative for Fitzgibbon Hospital made contact with DAIXIN Team to negotiate the ransom payment; no payment has been made to date.

There is currently no breach notice on the Fitzgibbon Hospital website, and no reported breach at this stage on the HHS’ Office for Civil Rights website, so it is unclear how many patients have been affected. At the time of writing, the stolen data is still available for download.

Hive Ransomware Threat Group Attacks Health Information Management Service Provider

The Hive ransomware group has claimed to have conducted a ransomware attack on Diskriter, a Pittsburgh, PA-based provider of health information management, transcription, and revenue cycle management services. The group claims to have exfiltrated 160GB of data prior to file encryption, including files containing software source code, financial data, employee information, sensitive business data, login data including passwords and usernames, and files containing patient data.

The attack was allegedly conducted on June 8, 2022, and in addition to encrypting files, backup files were also encrypted. At the time of writing, the ransom has not been paid. Some of the stolen data has been published on the Hive ransomware gang’s data leak website. Diskriter has not publicly confirmed the attack at this point and it is unclear how many patients have had their protected health information exposed.

Ransomware Attack Reported by Christiana Spine Center

Newark, DE-based Christiana Spine Center has confirmed it was the victim of a recent ransomware attack. The attack was detected on February 25, 2022, and steps were immediately taken to contain the attack. Forensic and cybersecurity experts were engaged to investigate the breach and determined files containing names, addresses, phone numbers, social security numbers, health insurance identification numbers, and personal health information may have been accessed in the attack.

The review of the affected files confirmed up to 3,500 patients may have been affected. They have been offered complimentary 12-month memberships to a credit monitoring service. Christiana Spine Center said no evidence was found to indicate any patient data has been stolen or misused.

The post Fitzgibbon Hospital, Diskriter, Christiana Spine Center Suffer Ransomware Attacks appeared first on HIPAA Journal.

Multiple Email Accounts Compromised at Covenant Care California and Bergen’s Promise

Aliso Viejo-based Covenant Care California, an operator of skilled nursing facilities and a provider of home health services in California and Nevada, has announced that an unauthorized third party has gained access to its email system, and potentially viewed or obtained electronic protected health information. Suspicious activity was detected in an employee’s email account in February 2022, with the subsequent investigation confirming multiple employee email accounts had been accessed between February 24 and March 22, 2022. The accounts contained data related to its home health services, which were provided under the following names:

  • Focus Health
  • RehabFocus Home Health
  • Elevate Health Group
  • Choice Home Health
  • San Diego Home Health

A review of the accounts was completed on March 27, 2022, and confirmed protected health information was present in the email accounts, which for most individuals included names, medical information, and health insurance information. A subset of individuals also had their date of birth, Social Security number, driver’s license number, and/or other personal information exposed. Covenant Care said safeguards are being reviewed and will be updated to improve security, which includes providing further training to employees on email security. Affected individuals have been offered complimentary identity monitoring services.

It is currently unclear how many individuals have been affected. This post will be updated when that information is publicly released.

Bergen’s Promise Email Account Accessed by Unauthorized Individual

Bergen’s Promise, the designated Care Management Organization for Bergen County in New Jersey, has recently announced that part of its email system has been compromised. Suspicious activity was detected in an employee’s email account, with the forensic investigation determining six email accounts had been compromised between November 15 and November 18, 2021. The suspicious activity was detected on November 15.

Bergen’s Promise said security protocols have been enhanced in response to the incident. Credit monitoring and identity theft protection services have been offered to affected individuals. It is unclear why it took 7 months from the date of discovery of the breach to issue notification letters.

The breach was reported to the HHS’ Office for Civil Rights as affecting 6,948 individuals.

Grandview Medical Center Notified About Theft of ER Activity Logs

Grandview Medical Center in Birmingham, AL, has started notifying 1,126 individuals that activity logs from its emergency department that contained protected health information have been stolen and recovered by law enforcement.

Grandview Medical Center was contacted by law enforcement on April 12, 2022, and was informed that the logs had been found in a residential apartment on April 4, 2022. The logs contained records of patient visits between February 1 and February 12, 2022, and included information such as name, date of birth, medical record number, account number, and treatment information including reason for visit, diagnosis, acuity, date/time of service, arrival mode and discharge disposition.

Grandview Medical Center said the law enforcement investigation is ongoing. At this stage, it is unclear what the person who stole the logs did with the data, but it is possible that the logs have been exposed to other individuals. As a precaution, credit monitoring services have been offered to affected individuals.

The medical center said it provides regular privacy and confidentiality training to employees and emphasizes the importance of protecting patient information.

The post Multiple Email Accounts Compromised at Covenant Care California and Bergen’s Promise appeared first on HIPAA Journal.

GAO: HHS Should Establish Mechanism for Obtaining Feedback on HIPAA Data Breach Reporting Process

The Government Accountability Office (GAO) has recommended that the Department of Health and Human Services (HHS) establish a feedback mechanism to improve the effectiveness of its data breach reporting process.

The Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009, called for the Secretary of the HHS to create and maintain a list of data breaches involving the unsecured protected health information of 500 or more individuals on its website.

The HHS’ Office for Civil Rights (OCR) Breach Portal lists breaches of unsecured protected health information (PHI), such as unauthorized access and disclosures, exposures, and the loss and theft of PHI. The number of reported data breaches has been increasing each year, with 2021 seeing 714 data breaches of 500 or more records reported to OCR.

GAO explained in its report that between 2015 and 2021, the number of individuals affected by healthcare data breaches at healthcare providers, health plans, healthcare clearinghouses, and business associates of those entities has ranged from 5 million to 113 million each year.

OCR is the main enforcer of compliance with the Health Insurance Portability and Accountability Act (HIPAA). OCR investigates data breaches and complaints about potential HIPAA violations and seeks to establish whether the HIPAA Rules have been violated. To date, OCR has imposed 110 financial penalties on HIPAA-regulated entities that have been determined to have violated the HIPAA Rules.

In January 2021, the HITECH Act was amended to require OCR to consider the ‘recognized security practices’ that a HIPAA-regulated entity had continuously in place for the previous 12 months when determining what action to take against entities that have experienced breaches of PHI. OCR sought feedback from the public on the implementation of recognized security practices and is due to finalize that process this summer.

GAO said it was asked to conduct a review of the breach reporting process, determine the extent to which the HHS had established a review process to assess whether covered entities had implemented recognized security practices, and determine the extent to which improvements can be made related to the breach reporting requirements of the HHS.

As part of that process, GAO reviewed privacy and information security laws; analyzed HHS documentation, policies, and procedures; interviewed cognizant OCR officials; and surveyed HIPAA-regulated entities.

GAO said in its report that OCR has been charged with the development and management of the breach reporting process but has not established a method to allow HIPAA-regulated entities to provide feedback on the breach reporting process. Without such a mechanism, HIPAA-regulated entities could face challenges during the breach reporting process and have no clear way of reporting those issues to OCR. GAO has recommended such a process be established, as this would help OCR to improve aspects of the breach reporting process.

The HHS concurred with the single GAO recommendation and explained that OCR would establish a mechanism for regulated entities to provide feedback on the breach reporting and investigative process. This would be achieved by adding language and contact information to the confirmation emails that HIPAA-regulated entities receive when they report data breaches through the HHS Breach Portal. The HHS said it will also be issuing procedures to OCR’s regional offices that require them to regularly review and address emails received about the breach reporting process.

The post GAO: HHS Should Establish Mechanism for Obtaining Feedback on HIPAA Data Breach Reporting Process appeared first on HIPAA Journal.

5 Security Breaches Reported in Which PHI was Potentially Compromised

Patient Information Potentially Compromised in Atrium Health Phishing Attack

A phishing incident has been reported by Charlotte, NC-based Atrium Health that exposed the protected health information of 6,695 patients who used its home health service, Atrium Health at Home. On April 7, 2022, an employee responded to a phishing email and disclosed credentials for an email and messaging account. The breach was detected on April 8 and the unauthorized access was immediately blocked.

Between April 7 and April 8, the unauthorized third party used the account to send other phishing emails, which suggests that obtaining patient information stored in the account was not the aim of the attack, although it was not possible to determine if any patient information was viewed or obtained.

A review of the emails, messages and attachments in the account revealed they contained patients’ full names, home addresses, birth dates, health insurance information, and medical information (such as medical record number, dates of service, provider and facility and/or diagnosis and treatment information). A limited number of individuals also had their Social Security numbers, driver’s license/state ID numbers, and/or financial account information exposed. Atrium Health said there have been no reported cases of misuse of patient data.

Affected individuals have been notified and complimentary credit monitoring and identity theft protection services have been offered to individuals who had either their Social Security number, driver’s license number, or financial account information exposed. Security controls have been enhanced and Atrium Health said it will continue to provide regular phishing training to the workforce.

Patient Data Stolen in Ransomware Attack on Heartland Healthcare Services

Heartland Healthcare Services in Toledo, OH, has confirmed that files containing patient data were exfiltrated from its network in an April 2022 ransomware attack. The attack was detected on April 11 when staff were prevented from accessing files on the network.

Heartland Healthcare Services said a ransom demand was issued, but after consulting the Federal Bureau of Investigation, the decision was taken not to pay the ransom demand. Some of the data stolen in the attack has since been uploaded to the ransomware gang’s dark web data leak site.

An analysis of the affected files confirmed they contained the protected health information of 2,763 patients who had received medications through Heartland Healthcare Services, including Heartland Pharmacy of Pennsylvania, Heartland Pharmacy of Maryland, or Heartland Pharmacy of Illinois. The stolen data included names, addresses, telephone numbers, medication names, and other medication-related information.

Heartland Healthcare Services said it has strengthened its security measures to prevent similar attacks in the future.

Acorda Therapeutics Reports Breach of its Email Environment

The Ardsley, NY-based biotechnology company, Acorda Therapeutics, has discovered an unauthorized third party gained access to its email environment and potentially viewed emails and attachments containing patient data. The email account breach was detected in January 2022, and the forensic investigation confirmed that certain email accounts had been compromised on or around December 15, 2021.

The review of the affected email accounts was completed on April 27, 2022, then Acorda Therapeutics verified the contact information of affected patients, and notification letters were sent to affected individuals in May and June 2022. The types of information potentially accessed included names in combination with one or more of the following: date of birth, medical record number, diagnosis information, treatment information, clinical information, prescription information, Social Security number, financial account information, insurance provider, and/or treatment cost information.

Acorda Therapeutics said steps have been taken to improve email security to prevent similar breaches in the future. The incident has yet to appear on the HHS’ Office for Civil Rights website, so it is unclear how many individuals have been affected.

PHI of 6,200 TridentCare Patients Potentially Accessed in Break-in

The Maryland-based mobile clinical services provider, TridentCare, announced on June 16, 2022, that the personal and protected health information of clients and their guarantors may have been accessed by unauthorized individuals during a break-in at its facilities. The data was stored on physical hard drives in the facility. Third-party cybersecurity experts were engaged to assess whether patient data had been accessed and concluded that there was “a significant possibility that data on the hard drives would have been corrupted,” which would have rendered the data unreadable. If that had not happened, in order to read the data, individuals would have had to have “certain technical capabilities.”

A review of the hard drives confirmed they contained the protected health information of 6,200 individuals. For most individuals, the data on the hard drives consisted of names and dates of birth, and for some individuals, name, date of birth, and Social Security number. Other potentially sensitive information such as financial records or details relating to medical tests is not believed to have been compromised.

Avamere Health Services Says PHI Stolen in Hacking Incident

Wilsonville, OR-based Avamere Health Services has discovered an unauthorized third party had intermittently accessed its network between January 19, 2022, and March 17, 2022. The forensic investigation confirmed on May 18, 2022, that certain files and folders had been copied from its systems during that period, and some of those files contained patients’ protected health information.

Avamere Health Services has not publicly announced the types of information compromised in the breach, and that information has been redacted from the breach notice submitted to the Vermont Attorney General. Avamere Health Services has said that affected individuals have now been notified by mail and informed about the types of information that was exposed. Complimentary credit monitoring and identity theft protection and resolution services have been offered.

The incident has yet to appear on the HHS’ Office for Civil Rights website, so it is unclear how many individuals have been affected.

The post 5 Security Breaches Reported in Which PHI was Potentially Compromised appeared first on HIPAA Journal.

University of Pittsburgh Medical Center Settles Data Breach Lawsuit for $450,000

University of Pittsburgh Medical Center has agreed to settle a class action data breach lawsuit and will make $450,000 available to cover claims from individuals who have suffered losses due to the theft and misuse of their protected health information.

The data breach affected approximately 36,000 patients and saw their protected health information accessed and stolen by an unauthorized third party between April 2020 and June 2020. The breach occurred at UPMC’s legal counsel, Charles J. Hilton PC (CJH), which provided billing-related services. The compromised data was stored within the firm’s email environment and included names, birth dates, Social Security numbers, financial information, ID numbers, signatures, insurance information, and medical information. The data breach was detected in June 2020; however, notifications were not sent to affected individuals until December 2020.

While many speculative lawsuits are filed against healthcare organizations and their business associates over the exposure of patient data, in this case, the plaintiff was defrauded soon after the breach, which was, on the balance of probability, due to his information being stolen in the data breach at CJH. An Amazon credit card account had been opened in his name. The plaintiff claimed he had to spend a considerable amount of time addressing the misuse of his personal and protected health information. The lawsuit alleged UPMC and CJH failed in their duty to protect patient data and had not implemented reasonable and appropriate safeguards to protect their private data.

Neither UPMC nor CJH admitted any wrongdoing or liability but agreed to settle the lawsuit. Under the terms of the settlement, class members are entitled to claim a $250 cash payment as reimbursement for documented out-of-pocket expenses related to the data breach, may submit claims for up to $2,500 to recover fraudulent charges and costs related to identity theft, and may claim $30 for undocumented time spent dealing with the breach. Class members will also receive 12 months of complimentary credit monitoring, identity theft, and dark web monitoring services. Claims must be submitted no later than September 3, 2022.

Last year, UPMC settled a long-running lawsuit for $2.65 million. The lawsuit was filed on behalf of 27,000 employees affected by a February 2014 data breach.

The post University of Pittsburgh Medical Center Settles Data Breach Lawsuit for $450,000 appeared first on HIPAA Journal.

5 HIPAA-Regulated Entities Announced Hacking Incidents that Exposed PHI

PHI of Almost 69,000 Individuals Compromised in Hacking Incident at Comstar

Comstar, a Rowley, MA-based provider of ambulance billing, collection, ePCR hosting, and client/patient services, has discovered that an unauthorized third party gained access to some of its servers, which housed files containing individuals’ personally identifiable and protected health information. Some of those files were confirmed as having been viewed.

The substitute breach notice did not state when the breach occurred, but it was detected on or around March 26, 2022. A review of the affected files confirmed they contained information such as names, dates of birth, medical assessment and medication information, health insurance information, and Social Security numbers. Comstar said it already had strict security measures in place, a review has been conducted of its policies and procedures relating to data security, and measures will be taken to further protect against similar incidents in the future. No evidence of data theft or misuse of individuals’ information was identified; however, as a precaution, complimentary credit monitoring and identity theft protection services are being offered.

The breach was reported to the HHS’ Office for Civil Rights as affecting 68,957 individuals.

DialAmerica Marketing Data Breach Affects Almost 20,000 Individuals

The New Jersey HIPAA business associate, DialAmerica Marketing, which provides telemarketing services for almost a quarter of the leading health plan providers in the United States, has confirmed it was the victim of a hacking incident that saw unauthorized individuals gain access to its network on July 4, 2021. The forensic investigation of the security breach determined that its network was compromised between February 2, 2021, and July 9, 2021, and during that time period, the protected health information of individuals may have been viewed or stolen. The review of the affected files was completed on February 4, 2022, and confirmed that names, addresses, and other (unspecified) data may have been compromised.

The breach was reported to the HHS’ Office for Civil Rights as affecting 19,796 individuals.

Express Scripts’ Customer Accounts Accessed by Unauthorized Third Party

The pharmacy benefit management organization, Express Scripts, has announced that the accounts of certain customers have been accessed by an unauthorized third party. In a breach notification to the Massachusetts Attorney General, Express Scripts explained that certain Express Scripts mobile application accounts were accessed without authorization using a correct username and password.

The suspicious activity was detected on May 1, 2022, with the account breaches determined to have occurred between April 30 and May 3, 2022. Information in the accounts that may have been viewed included names, medication names, prescription numbers, medication dosage, prescribing physicians’ names, and the names of pharmacies.

When the security breach was detected, affected accounts were locked and passwords were reset. Incidents such as this are commonly the result of credential stuffing: usernames and passwords exposed in breaches of other services are replayed against totally unrelated accounts. These attacks succeed because people reuse the same password on multiple platforms. Express Scripts has recommended that affected individuals change their passwords on all other accounts that share the same password.
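The credential-reuse pattern described above has a recognizable shape in authentication logs: one source tries many different accounts, one guess each, and succeeds wherever the password was reused. The detection below is an added example, not code from Express Scripts or HIPAA Journal; the log format (timestamp, source IP, username, result), the sample lines and the thresholds are assumptions chosen for illustration.

```python
"""Flag credential-stuffing sources in auth logs and list the accounts
they got into, so those accounts can be locked and their passwords reset.
Added example; log format and thresholds are assumptions, not the
company's own logging."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: 203.0.113.7 tries six accounts in seconds with
# one attempt each; the other sources show ordinary user behaviour.
SAMPLE_LOG = """\
2022-04-30T22:01:03Z 203.0.113.7 alice.m success
2022-04-30T22:01:05Z 203.0.113.7 bob.k failure
2022-04-30T22:01:06Z 203.0.113.7 carol.t success
2022-04-30T22:01:08Z 203.0.113.7 dave.r failure
2022-04-30T22:01:09Z 203.0.113.7 erin.s success
2022-04-30T22:01:11Z 203.0.113.7 frank.o failure
2022-04-30T22:03:40Z 198.51.100.9 alice.m success
2022-04-30T22:10:12Z 192.0.2.44 gina.p failure
2022-04-30T22:10:20Z 192.0.2.44 gina.p success
"""

def parse_log(text):
    """Return a list of (timestamp, source_ip, username, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events

def find_stuffing_sources(events, window=timedelta(minutes=10),
                          min_accounts=5, max_attempts_per_account=2.0):
    """Map each suspicious source IP to the sorted accounts it logged into.
    A source is suspicious when, inside one time window, it touched at least
    min_accounts distinct usernames with few attempts per account: the
    stuffing signature (one guess per account) rather than brute force
    (many guesses at one account)."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):          # sliding window over this source
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            accounts = {u for _, u, _ in chunk}
            if len(accounts) >= min_accounts and len(chunk) / len(accounts) <= max_attempts_per_account:
                flagged[ip] = sorted({u for _, u, r in evs if r == "success"})
                break
    return flagged
```

The accounts returned for a flagged source are the ones to lock and reset, mirroring the response described in the notice.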

It is currently unclear how many individuals have been affected.

Alliance Physical Therapy Partners Announces Hacking Incident

Grand Rapids Charter Township, MI-based Alliance Physical Therapy Partners, formerly Agility Health, has confirmed that an unauthorized third party accessed certain systems within its network that contained patients’ protected health information. The breach was detected on December 27, 2021, and it was determined on January 7, 2022, that patient data had been compromised. The unauthorized access occurred between December 23, 2021, and December 27, 2021. A comprehensive review of all potentially affected files was completed on April 19, 2022.

Alliance Physical Therapy Partners said policies and procedures have been reviewed and additional cybersecurity safeguards have been implemented.

The breach has yet to appear on the HHS’ Office for Civil Rights website, so it is currently unclear how many patients have been affected.

Hacking Incident Reported by 90 Degree Benefits Minnesota

90 Degree Benefits Minnesota has announced it suffered a data security incident on February 27, 2022, which affected some of its IT systems. 90 Degree said the forensic investigation was unable to confirm whether personal information was viewed or acquired and there have been no reports of attempted or actual misuse of personal information; however, unauthorized access and data theft could not be ruled out.

The review of the affected files confirmed they contained names, dates of birth, Social Security numbers, phone numbers, addresses, and health information. 90 Degree said security measures have been enhanced to prevent similar incidents in the future. Affected individuals were notified on June 9, 2022, and have been offered complimentary credit monitoring and identity theft protection services.

The breach has yet to appear on the HHS’ Office for Civil Rights website, so it is currently unclear how many patients have been affected.

The post 5 HIPAA-Regulated Entities Announced Hacking Incidents that Exposed PHI appeared first on HIPAA Journal.