HIPAA Breach News

May 2022 Healthcare Data Breach Report

May 2022 saw a 25% increase in healthcare data breaches of 500 or more records. 70 data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) in May 2022, which is the highest monthly total this year and well above the 12-month average of 56.75 data breaches per month. This level of reported data breaches has not been seen since June 2021.

[Chart: May 2022 Healthcare Data Breaches]

Across those data breaches, the records of 4,410,538 individuals were exposed, stolen, or impermissibly disclosed, which is more than twice the number of records that were breached in April, and almost 40% higher than the average number of records breached each month over the past 12 months.

[Chart: Breached healthcare records in the past 12 months (May 2022)]

Largest Healthcare Data Breaches Reported in May 2022

In May 2022, there were 31 reports of healthcare data breaches that involved the records of more than 10,000 individuals. The largest breach to be reported affected the HIPAA business associate, Shields Health Care Group, which provides MRI and other imaging services in New England. The exact nature of the attack was not disclosed, but Shields said hackers accessed its network and exfiltrated files containing patient data. The breach affected 2 million patients who received medical services at 52 facilities in New England.

Partnership HealthPlan of California also reported a major data breach, in this case, a ransomware attack. Hackers gained access to systems containing the records of 854,913 current and former health plan members. The Hive ransomware gang claimed responsibility for the attack and allegedly stole 400GB of data.

The number of eye care providers affected by a hacking incident at the electronic health record vendor Eye Care Leaders continued to grow throughout May (and June). While they are not all reflected in the May data, as of June 21, at least 23 eye care providers are known to have been affected, and the data breach has affected at least 2,187,383 patients.

Data Breaches of over 10,000 Records Reported in May 2022

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Business Associate Breach | Cause of Data Breach
Shields Health Care Group, Inc. | MA | Business Associate | 2,000,000 | Hacking/IT Incident | Yes | Hacking and data theft incident
Partnership HealthPlan of California | CA | Health Plan | 854,913 | Hacking/IT Incident | No | Ransomware attack
SAC Health System | CA | Healthcare Provider | 149,940 | Theft | No | Theft of documents in break-in at storage facility
Aon PLC | IL | Business Associate | 119,636 | Hacking/IT Incident | Yes | Hacking and data theft incident
Parker-Hannifin Corporation Group Health Plans | OH | Health Plan | 119,513 | Hacking/IT Incident | No | Hacking and data theft incident
Heidell, Pittoni, Murphy & Bach, LLP | NY | Business Associate | 114,979 | Hacking/IT Incident | Yes | Ransomware attack
Schneck Medical Center | IN | Healthcare Provider | 92,311 | Hacking/IT Incident | No | Hacking and data theft incident
Alameda Health System | CA | Healthcare Provider | 90,000 | Hacking/IT Incident | No | Unauthorized access to email accounts
Val Verde Regional Medical Center | TX | Healthcare Provider | 86,562 | Hacking/IT Incident | No | Ransomware attack
NuLife Med, LLC | NH | Healthcare Provider | 81,244 | Hacking/IT Incident | No | Hacking and data theft incident
Comstar, LLC | MA | Business Associate | 68,957 | Hacking/IT Incident | Yes | Unspecified hacking incident
Shoreline Eye Group | CT | Healthcare Provider | 57,047 | Hacking/IT Incident | Yes | Eye Care Leaders hacking incident
AU Health | GA | Healthcare Provider | 50,631 | Hacking/IT Incident | Yes | Eye Care Leaders hacking incident
Finkelstein Eye Associates | IL | Healthcare Provider | 48,587 | Hacking/IT Incident | Yes | Eye Care Leaders hacking incident
Oklahoma City Indian Clinic | OK | Healthcare Provider | 38,239 | Hacking/IT Incident | No | Ransomware attack
Moyes Eye Center, PC | MO | Healthcare Provider | 38,000 | Hacking/IT Incident | Yes | Eye Care Leaders hacking incident
Family Health Care, Inc | KS | Healthcare Provider | 33,619 | Hacking/IT Incident | No | Unspecified hacking incident
Allwell Behavioral Health Services | OH | Healthcare Provider | 29,972 | Hacking/IT Incident | No | Hacking and data theft incident
Creative Hospice Care, Inc. dba Homestead Hospice & Palliative Care | GA | Healthcare Provider | 28,332 | Hacking/IT Incident | No | Unauthorized access to email accounts
FPS Medical Center | AZ | Healthcare Provider | 28,024 | Hacking/IT Incident | No | Ransomware attack
Capsule | NY | Healthcare Provider | 27,486 | Hacking/IT Incident | No | Unauthorized access to user accounts
McKenzie Health System | MI | Healthcare Provider | 25,318 | Hacking/IT Incident | No | Hacking and data theft incident
Sylvester Eye Care | OK | Healthcare Provider | 19,377 | Hacking/IT Incident | Yes | Eye Care Leaders hacking incident
Aesto, LLC d/b/a Aesto Health | AL | Business Associate | 17,400 | Hacking/IT Incident | Yes | Hacking and data theft incident
Vail Health Services | CO | Healthcare Provider | 17,039 | Hacking/IT Incident | No | Ransomware attack
Motion Picture Industry Health Plan | CA | Health Plan | 16,838 | Unauthorized Access/Disclosure | No | Mismailing incident
Bryan County Ambulance Authority | OK | Healthcare Provider | 14,273 | Hacking/IT Incident | No | Ransomware attack
Associated Ophthalmologists of Kansas City, P.C. | MO | Healthcare Provider | 13,461 | Hacking/IT Incident | No | Eye Care Leaders hacking incident
Allaire Healthcare Group | NJ | Healthcare Provider | 13,148 | Hacking/IT Incident | No | Unauthorized access to user accounts
EmblemHealth Plan, Inc. | NY | Health Plan | 11,399 | Unauthorized Access/Disclosure | No | Unconfirmed
Behavioral Health Partners of Metrowest, LLC | MA | Business Associate | 11,288 | Hacking/IT Incident | Yes | Hacking and data theft incident

Causes of May 2022 Healthcare Data Breaches

Hacking incidents continued to be reported in high numbers in May, with 53 (75.7%) of the month’s data breaches classed as hacking or other IT incidents. That represents a 77% increase in incidents compared to April. Those incidents accounted for 95.5% of the records breached in May (4,212,721 records), which is more than twice the number of records exposed in hacking incidents in April. The average breach size was 79,485 records and the median breach size was 13,148 records.

There were 13 unauthorized access/disclosure incidents reported in May – a slight increase from April. Across those incidents, 43,807 records were impermissibly disclosed. The average breach size was 3,370 records and the median breach size was 1,196 records.

There were three theft incidents reported and one incident involving the loss of paper/films. These breaches involved a total of 154,010 records, with an average breach size of 35,503 records and a median breach size of 1,771 records.

[Chart: Causes of May 2022 Healthcare Data Breaches]

With so many hacking incidents, it is unsurprising that 31 of the month’s data breaches involved protected health information stored on network servers. The high number of breaches of electronic health records was due to the cyberattack on Eye Care Leaders. As the chart below shows, email account breaches were reported in high numbers in May, with 70% more incidents than in April. While security awareness training for the workforce and multi-factor authentication will not prevent all email data breaches, they can significantly improve protection.

HIPAA-Regulated Entities Affected by Data Breaches

Healthcare providers were the hardest hit HIPAA-covered entity type in May, with 49 reported breaches. There were 11 data breaches reported by health plans, and business associates of HIPAA-covered entities reported 10 breaches; however, 8 data breaches occurred at business associates but were reported by the covered entity. The data breaches detailed in the chart below reflect where the data breach occurred.

[Chart: May 2022 Healthcare data breaches by HIPAA regulated entity]

Healthcare providers suffered the highest number of data breaches, but business associates topped the list in terms of the number of exposed healthcare records.

HIPAA-Regulated Entity | Number of Reported Data Breaches | Total Records Exposed
Business Associate | 18 | 2,554,789
Health Plan | 10 | 1,014,150
Healthcare Provider | 42 | 841,599

May 2022 Healthcare Data Breaches by State

Data breaches of 500 or more healthcare records were reported by HIPAA-regulated entities in 29 states. California was the worst affected state with 8 large healthcare data breaches reported, followed by New York with 6 reported breaches.

State | No. Reported Data Breaches
California | 8
New York | 6
Georgia, Missouri & Ohio | 4
Alabama, Illinois, Massachusetts, North Carolina, Oklahoma & Texas | 3
Arizona, Connecticut, Florida, Maryland, Michigan, New Hampshire, Virginia & Washington | 2
Colorado, Indiana, Kansas, Minnesota, Mississippi, Montana, New Jersey, Nevada, Tennessee & Wisconsin | 1

HIPAA Enforcement Activity in May 2022

No HIPAA enforcement actions were announced by the HHS’ Office for Civil Rights or state Attorneys General in May. So far this year, 4 financial penalties totaling $170,000 have been imposed by OCR to resolve HIPAA violations.

The post May 2022 Healthcare Data Breach Report appeared first on HIPAA Journal.

Central Florida Inpatient Medicine Security Incident Affects Almost 198,000 Patients

Lake Mary, FL-based Central Florida Inpatient Medicine (CFIM) has recently discovered that the email account of an employee has been accessed by an unauthorized individual, who may have viewed emails and files containing patients’ protected health information.

The substitute breach notice states that CFIM learned on May 5, 2022, that the email account contained sensitive patient data; however, the email account was breached between August 21, 2021, and September 17, 2021. The delay in issuing notifications to affected individuals was due to “an extensive forensic investigation and comprehensive and time-consuming manual document review.”

The review revealed the emails and attachments included information such as names, dates of birth, medical information including diagnosis and/or clinical treatment information, physician and/or hospital name, dates of service, and health insurance information. A limited number of Social Security numbers, driver’s license numbers, financial account information, and usernames and passwords were also exposed. CFIM said no evidence was found to indicate any patient data has been misused.

Affected individuals have been advised to monitor their accounts and explanation of benefits statements for any sign of fraudulent activity. Complimentary credit monitoring services have been offered to individuals who had Social Security numbers exposed.

CFIM said further technical safeguards have been implemented to prevent similar incidents in the future, including multifactor authentication, and additional training has been provided to employees to increase awareness of the risks of malicious emails.

Yale New Haven Hospital Says Patient Data Exposed over the Internet

Yale New Haven Hospital in Connecticut has announced that a file that was created for research purposes has been accidentally posted online on a public-facing website and was potentially accessed by a limited number of unauthorized individuals. The exposed file was detected by the hospital on April 18, 2022, and was immediately removed to prevent any further unauthorized access. Yale New Haven Hospital has confirmed that the file is no longer accessible over the Internet.

A third-party forensics firm was engaged to assist with the investigation and determined that the file had been uploaded on December 16, 2021, and remained accessible until April 18, 2022. The upload was not malicious and occurred as a result of human error.

The file related to radiology services provided, and included protected health information such as names, telephone numbers, email addresses, age ranges, preferred languages, medical record numbers, procedure types, and dates and location of services.

A spokesperson for Yale New Haven Hospital said the incident prompted a review of security permissions for Internet-facing systems, and further training and guidance have been provided to employees to remind them of the continued need to safeguard patient health information. Existing technical safeguards have also been enhanced to better protect patient data.

Yale New Haven Hospital did not disclose how many individuals have been affected and the breach is not yet shown on the HHS’ Office for Civil Rights website.

Texas Tech University Health Sciences Center and Baptist Health Report Data Breaches of Over 1.2 Million Records

Texas Tech University Health Sciences Center has confirmed that the protected health information of 1,290,104 patients was compromised in a data breach at its electronic medical record vendor, Eye Care Leaders.

Eye Care Leaders said it detected a breach on Dec. 4, 2021, and disabled the affected systems within 24 hours. Texas Tech University Health Sciences Center said it received the final results of the forensic investigation on April 19, 2022. The compromised information included the following data elements: name, address, phone numbers, driver’s license number, email, gender, date of birth, medical record number, health insurance information, appointment information, social security number, as well as medical information related to ophthalmology services. No evidence of data exfiltration was found.

Over the past few weeks, the number of eye care providers known to have been affected by the Eye Care Leaders data breach has been growing. At least 23 eye care providers have confirmed they have been affected and the protected health information of more than 2 million patients is known to have been exposed.

Baptist Health Says Information of 1.24 Million Patients Potentially Compromised in Cyberattack

Baptist Health has recently started notifying patients about a cyberattack that was discovered on April 20, 2022, that may have seen malicious code installed on its network. According to the announcement, an unauthorized individual had access to certain Baptist Health systems between March 31 and April 24, 2022. During that period of access, some data was removed from its systems.

Upon discovery of the breach, user access was suspended, the affected systems were taken offline to prevent further unauthorized access, and cybersecurity protection protocols were implemented. The parts of the system that were accessed included the data of patients of Baptist Medical Center in San Antonio and Resolute Health Hospital in New Braunfels in Texas, and included names, dates of birth, addresses, Social Security numbers, health insurance information, medical record numbers, dates of service, provider and facility names, chief complaint/reason for a visit, visit procedures and diagnosis information, and billing and claims information.

Baptist Health said it is improving its security and monitoring capabilities to reduce the risk of further data breaches. Affected individuals have now been notified and individuals whose Social Security numbers were potentially compromised have been offered complimentary credit monitoring and identity protection services.

The breach has been reported to the HHS’ Office for Civil Rights as affecting 1,243,031 individuals.

Santa Barbara County Department of Behavioral Wellness Reports Medical Record Breach

Santa Barbara County Department of Behavioral Wellness in California has recently confirmed that a staff member has accessed the medical records of patients without authorization. The unauthorized access was detected on March 30, 2022, when the department implemented a new security system for detecting unauthorized medical record access, which immediately flagged the HIPAA breach.

The employee’s access to the medical record system was immediately terminated pending an investigation, and the employee in question was subjected to appropriate disciplinary actions. The records accessed by the employee included names, addresses, email addresses, telephone numbers, Social Security numbers, insurance information, medical record numbers, and medical information. No evidence was found to indicate any patient information had been printed, sent externally, or written down. The department said it will be conducting additional security audits in the future and will be updating client outreach procedures to prevent any recurrences.

Notification letters have now been sent to all affected individuals. The breach is not currently listed on the HHS’ Office for Civil Rights website, so it is unclear how many people have been affected.

Data Theft Incidents Reported at Choice Health, MCG Health, & Goodman Campbell Brain and Spine

The South Carolina-based health insurance company, Choice Health, now part of Alight Solutions, has recently announced that the protected health information of some of its members has been obtained by an unauthorized individual.

Choice Health discovered on May 14, 2022, that an individual was offering a set of data that had allegedly been stolen from Choice Health. An investigation into a potential breach confirmed on May 18, 2022, that a single Choice Health database had been exposed over the Internet due to “a technical security configuration issue caused by a third-party service provider.” That issue meant the database could be accessed over the internet without authorization.

Choice Health determined that the database had been found and certain database files had been copied by an unauthorized individual on May 7, 2022. According to the notice submitted to the California Attorney General, the files contained information such as first and last names, Social Security numbers, Medicare beneficiary identification numbers, birth dates, addresses and contact information, and health insurance information.

Choice Health said it worked with the third-party service provider to secure the database and confirmed that it was no longer accessible over the Internet. Steps have also been taken to prevent similar incidents in the future, including implementing multi-factor authentication for access to its database files.

Choice Health said it has not identified any misuse of plan member data but has sent notifications to affected individuals and has offered them a 24-month membership to a credit monitoring and identity theft protection and resolution service.

At this stage, it is unclear how many individuals have been affected. Databreaches.net reported that the forum listing offering the data said 600MB of data had been obtained, spread across 2,141,006 files, which were described as having names such as “Agents, Commission, Contacts, Policies.”

MCG Health Announces Data Theft Incident

MCG Health in Seattle, WA, a provider of patient care guidelines to healthcare providers and health plans, started notifying patients and members of MCG customers that an unauthorized party has obtained some of their protected health information. According to the breach notice on the MCG website, MCG determined on May 25, 2022, that an unauthorized individual had obtained data that matched data on its systems, including names, Social Security numbers, medical codes, postal addresses, telephone numbers, email addresses, dates of birth, and gender.

MCG Health has advised affected individuals to review their account statements and monitor their free credit reports for signs of misuse of their information. It does not appear that credit monitoring or identity theft protection services are being offered.

The breach notice does not explain the nature of the attack, how much data was stolen, how MCG Health learned that data had been stolen, or when the data theft incident occurred. This post will be updated when further information becomes available.

Goodman Campbell Brain and Spine Suffers Ransomware Attack

Goodman Campbell Brain and Spine in Indianapolis, IN, has recently announced that it suffered a cyberattack on May 20, 2022, which caused an outage of its computer network and communication systems. Goodman Campbell said steps were immediately taken to secure its systems and a third-party firm was engaged to assist with the investigation and incident response.

At this stage of the investigation, the full nature of the attack and the extent to which patients’ protected health information has been compromised have not been determined; however, so far it is clear that patient and employee data was accessed by an unauthorized individual. Notification letters will be sent to affected individuals when the investigation has been completed and it is clear which individuals have been affected and the types of data that were compromised. In the meantime, Goodman Campbell has recommended all patients monitor their credit reports, obtain a fraud alert, and place a security freeze on their credit as a precaution.

The exact nature of the cyberattack was not revealed by Goodman Campbell; however, the Hive ransomware gang has claimed responsibility for the attack and has listed some of the stolen data on its leak site.

Kaiser Permanente Reports Email System Breach and Exposure of 70,000 Individuals’ PHI

Kaiser Permanente, one of the largest nonprofit health plan and healthcare providers in the United States, has reported a breach of its email system. Kaiser Permanente provides healthcare services to more than 12.5 million patients in 8 states and D.C. but said this breach only affected around 70,000 members of the Kaiser Foundation Health Plan of Washington.

Kaiser Permanente said it was alerted to a security incident involving its email system on April 5, 2022. The email account of an employee was confirmed as being accessed by an unauthorized party, and immediate action was taken to secure the account to prevent further unauthorized access. Kaiser Permanente said the account was shut down and secured within hours.

An investigation was launched to determine the nature and scope of the security breach and it was confirmed that the incident was limited to a single account; however, that account contained emails and attachments that included the protected health information of certain health plan members. The types of information exposed in the breach included patients’ first and last names, medical record numbers, dates of service, and laboratory test result information. No financial information or Social Security numbers were exposed.

No evidence was found that suggests any plan member information was accessed or removed from its systems, although unauthorized PHI access and data theft could not be ruled out. To date, no reports have been received about any actual or attempted misuse of individuals’ ePHI.

Notifications were sent to affected individuals on June 3, 2022, who have been advised to be vigilant for potential fraud. Kaiser Permanente said the employee whose credentials were compromised has been provided with additional training on safe email practices, and it is exploring other steps that can be taken to ensure incidents like this do not happen in the future.

The breach is listed on the HHS’ Office for Civil Rights breach portal as affecting 69,589 individuals.

700,000 Patients Affected by Yuma Regional Medical Center Ransomware Attack

Yuma Regional Medical Center (YRMC) in Arizona has announced it was the victim of a ransomware attack in April in which the attackers obtained the protected health information of approximately 700,000 current and former patients.

According to the recent YRMC announcement, the attack, which affected some of its IT systems, was detected on April 25, 2022. YRMC said immediate action was taken to contain the attack, and systems were taken offline to prevent further unauthorized access. Law enforcement was notified, and a third-party computer forensics firm was engaged to assist with the investigation and determine the nature and scope of the attack. The investigation confirmed that the attackers gained access to its systems between April 21 and April 25, 2022, and, prior to file encryption, a subset of files was exfiltrated from its systems.

YRMC said it is working with security experts to bring its systems back online as quickly as possible. Throughout the attack, its facilities remained open and operated using established backup processes and downtime procedures, which did result in some delays to certain services; however, most scheduled services continued as scheduled.

Notification letters have recently been sent to affected individuals. YRMC said the files exfiltrated from its systems included names, Social Security numbers, health insurance information, and limited medical information. YRMC said its electronic medical record system was not accessed. The affected individuals included current and former patients in Yuma County and individuals working in Yuma County on a short-term or seasonal basis.

Steps have been taken to improve security to prevent further attacks and affected individuals have been offered complimentary credit monitoring and identity theft protection services. Ransomware attacks often result in the exposure of stolen data if the ransom is not paid. It is unclear in this case if payment was made. No ransomware threat group appears to have claimed responsibility for the attack.

Data Breaches Reported by Aesto Health and Motion Picture Industry Health Plan

Aesto Health, a Birmingham, AL-based software company that provides solutions to help healthcare enterprises and medical providers exchange, organize, and protect patient information, has announced it recently experienced a cyberattack that caused disruption to certain internal IT systems.

The security breach was detected on March 8, 2022, and steps were immediately taken to prevent further unauthorized access to its systems. A third-party computer forensics company was engaged to assist with the investigation, which confirmed that an unauthorized individual had access to the affected systems from December 25, 2021, to March 8, 2022.

During that time frame, certain files were exfiltrated from a backup storage device, which included radiology reports from Osceola Medical Center (OMC) in Wisconsin. A review of the affected files confirmed they contained patients’ protected health information, including names, dates of birth, physician names, and report findings related to radiology imaging at OMC. No Social Security numbers or financial information were viewed or stolen, and OMC systems and electronic medical records were unaffected. Aesto Health said additional safeguards and technical security measures have been implemented to further protect and monitor its systems.

The breach has been reported to the HHS’ Office for Civil Rights as affecting 17,400 patients.

Motion Picture Industry Health Plan Informs Members of Unauthorized PHI Disclosure

The Motion Picture Industry Health Plan (MPIHP) has announced that the protected health information of 16,838 plan members has been impermissibly disclosed in a mis-mailing incident. On March 31, 2022, MPIHP discovered an error with a mailing that saw information about plan members sent to incorrect mailing addresses. In each case, a letter intended for one MPIHP member was sent to an incorrect MPIHP member.

No medical information or health claims information was included in the letters, only name, address, hours worked, the last four digits of the individual’s Social Security number, and recent dates of eligibility. Notification letters have now been sent to all affected individuals at the last address provided by those participants. Affected individuals have been offered complimentary identity monitoring services for one year. MPIHP said the exact source of the error has been identified and steps have been taken to prevent any repeat mis-mailing incidents.

Email Account Breaches Reported by Allaire Healthcare Group and Platinum Hospitalists

Allaire Healthcare Group and Platinum Hospitalists have recently announced that an unauthorized individual has gained access to an employee email account and potentially viewed or copied patient data.

PHI Potentially Compromised in Email Account Breach at Allaire Healthcare Group

Freehold, NJ-based Allaire Healthcare Group, which runs five residential healthcare facilities in the tri-state area that provide subacute care, dementia care, and respite care, has discovered an unauthorized individual has gained access to the email account of one of its employees. Suspicious activity was detected in the employee’s email account on November 24, 2021. Prompt action was taken to secure the account and its email system and to prevent further unauthorized access.

The forensic investigation confirmed the breach was limited to a single email account that was accessed by an unauthorized individual between November 10, 2021, and November 24, 2021. A programmatic and manual review of the affected email account was completed on March 18, 2022. The review confirmed the email account contained the protected health information of 13,148 individuals, including first and last names, Social Security numbers, Allaire-issued unique client identifier numbers, driver’s license numbers, passport numbers, financial account numbers, payment card information, information regarding medical histories, treatment/diagnosis information, prescription information, and/or health insurance information.

The forensic investigation found no evidence to suggest any of that information was viewed or downloaded, and no reports have been received of any instances of actual or attempted misuse of the data.

Platinum Hospitalists Discovers Phishing Attack and Data Breach

Platinum Hospitalists has recently started notifying 6,000 patients that some of their protected health information has potentially been compromised. On March 29, 2022, Platinum Hospitalists discovered an email account had been accessed by an unauthorized individual. The investigation confirmed that the employee’s credentials were stolen following a response to a phishing email. The breach was limited to a single email account, with the review of the account confirming it contained individually identifiable protected health information.

Platinum Hospitalists said patient data is encrypted when it is sent externally, including via email, but the nature of the attack meant the information in the account could have been viewed and downloaded in a readable form. The investigation has been unable to confirm the specific information that was compromised, but the following types of information were present in the email account: patient names, dates of birth, dates of service, diagnosis and procedure codes, medical record numbers/patient account numbers, insurance identification numbers, and invoiced amounts. No addresses or Social Security numbers were exposed.

The data mostly related to patients who were insured through Humana and received medical services from Platinum providers at acute hospitals and other medical facilities in the Las Vegas area between approximately October 2018 and March 2022.
