HIPAA Breach News

Benefytt, EMSA, Lindsay Municipal Hospital Affected by Cyberattacks

Posted by Steve Alder

Health Plan Intermediaries Holdings (Benefytt) has been affected by a cyberattack on a vendor, Emergency Medical Services Authority said patient data was exposed in a February cyberattack, and the Bian Lian group has claimed responsibility for a cyberattack on Lindsay Municipal Hospital.

Bian Lian Hacking Group Claims Responsibility for Lindsay Municipal Hospital Cyberattack

Lindsay Municipal Hospital in Oklahoma has recently reported a hacking incident to the HHS’ Office for Civil Rights (OCR) that has affected 500 individuals, a number that is commonly used as a placeholder to meet the breach reporting requirements of the HIPAA Breach Notification Rule when the number of affected individuals has yet to be confirmed.

Aside from the report to OCR, Lindsay Municipal Hospital has remained quiet about the cyberattack and data breach; however, the group behind the attack has not. The Bian Lian hacking group has claimed responsibility for the attack and added Lindsay Municipal Hospital to its data leak site, including evidence to support its claims.

Bian Lian has been in operation since at least 2021 and favors attacks on healthcare providers, manufacturing companies, and law firms, where there is greater potential for a high ransom payment. The group engages in double extortion tactics, where data is stolen, and payment is required to prevent the release of that data and to obtain the keys to decrypt encrypted files. The listing states that the stolen data will be uploaded soon. It is unclear whether Lindsay Municipal Hospital is negotiating with the group.

Patient Data Stolen in Cyberattack on Emergency Medical Services Authority

The Emergency Medical Services Authority (EMSA) in Oklahoma City, OK, has announced that it fell victim to a cyberattack that saw unauthorized individuals gain access to its network between February 10, 2024, and February 13, 2024. The intrusion was detected on February 13, 2024, and systems were shut down to prevent further unauthorized access. The forensic investigation confirmed that the attackers exfiltrated files containing patient data including names, addresses, dates of birth, dates of service, and, for some individuals, the name of their primary care provider and/or Social Security number.

Notification letters have started to be mailed to the affected individuals, although EMSA has yet to publicly confirm how many individuals have been affected. Complimentary credit monitoring and identity theft protection services have been offered to individuals who had their Social Security numbers exposed.

Health Plan Intermediaries Holdings (Benefytt) Affected by Cyberattack on Vendor

Health Plan Intermediaries Holdings, which operates as Benefytt, has recently confirmed that it was affected by a data breach at a business associate of its vendor, Multiplan Inc. Multiplan used the law firm, Orrick, Herrington & Sutcliffe, LLP, which suffered a ransomware attack. Benefytt said its systems and those of Multiplan were unaffected; however, data provided to the law firm to perform its contracted duties was exposed and potentially compromised. The cyberattack was detected on March 13, 2023, and on March 10, 2023, Orrick, Herrington & Sutcliffe confirmed that files containing sensitive data had been stolen. Benefytt said neither MultiPlan nor Orrick could determine which health insurance plans were affected, and that it has been working with the two firms to obtain the necessary information to issue notifications.

Benefytt said it is notifying all affected individuals and is offering them complimentary credit monitoring services. Orrick, Herrington & Sutcliffe reported the breach to the HHS’ Office for Civil Rights on June 30, 2023, as affecting 40,823 individuals; however, the total was revised upwards to 152,818 individuals, and the notification to the Maine attorney General in December 2023 states that 637,620 individuals were affected. It is currently unclear how many Multiplan/Benefytt health plan members have been affected.

The post Benefytt, EMSA, Lindsay Municipal Hospital Affected by Cyberattacks appeared first on HIPAA Journal.

Med-Data Settles Data Breach Lawsuit for $7 Million

Posted by Steve Alder

The Spring, TX-based revenue cycle management company Med-Data has agreed to a $7 million settlement to resolve all claims stemming from a data breach between 2018 and 2019 that involved the protected health information of approximately 136,000 individuals.

Between December 2018 and September 2019, an employee of Med-Data uploaded patient data to the public-facing software development hosting platform GitHub. The files were added to personal folders on GitHub Arctic Code Vault and contained the protected health information of patients of several of its clients. The exposed data included names, addresses, dates of birth, Social Security numbers, diagnoses, medical conditions, claims information, dates of service, subscriber IDs, medical procedure codes, provider names, and health insurance policy numbers. Med-Data removed the files when it was alerted to the data exposure and offered the affected individuals complimentary credit monitoring and identity protection services.

A lawsuit was filed in response to the data breach that claimed Med-Data failed to adequately protect the sensitive data it obtained from its clients and did not issue timely notifications when the breach was discovered. Med-Data chose to settle the lawsuit and the settlement has received preliminary court approval. There are two tiers to the settlement. The first tier allows affected individuals to claim up to $5,000 to cover documented, unreimbursed losses incurred due to the data breach, including out-of-pocket expenses such as bank fees, credit costs, and communication expenses, up to five hours of lost time at $25 per hour, and losses due to identity theft, identity theft, and medical identity theft.

Alternatively, class members can opt for the second tier, which will provide a cash payment of up to $500 to cover time spent in response to the data breach, including monitoring credit reports, signing up for credit monitoring services, changing passwords, and other actions. Claims will be paid pro rata, depending on the number of claims received.

Regardless of the tier chosen, class members can also claim a 3-year membership to a health data and fraud monitoring service (Medical Shield Premium), which includes a $1 million identity theft insurance policy (Pango). Class members have until April 26, 2024, to object to or exclude themselves from the settlement, and the final approval hearing has been scheduled for September 11, 2024.

The post Med-Data Settles Data Breach Lawsuit for $7 Million appeared first on HIPAA Journal.

Roper St. Francis Healthcare Settles Data Breach Lawsuit for $1.5 Million

Posted by Steve Alder

Roper St. Francis Healthcare has agreed to a $1.5 million settlement to resolve a class action lawsuit that was filed in response to a data breach in 2020. Roper St. Francis Healthcare is a South Carolina-based healthcare system with 4 hospitals and more than 117 healthcare facilities in the state. In late October 2020, Roper St. Francis Healthcare discovered three email accounts had been compromised after employees responded to phishing emails. The email accounts were accessed by unauthorized individuals between October 14 and October 29, 2020. The compromised accounts contained the protected health information of 89,761 patients, including names, medical record numbers, patient account numbers, dates of birth, and limited treatment and clinical information, such as dates of service, locations of service, providers’ names, and billing information.

A lawsuit was filed in response to the breach that claimed Roper St. Francis Healthcare was negligent by failing to implement reasonable and appropriate cybersecurity measures, and that Roper St. Francis Healthcare should have been aware that it was vulnerable to cyberattacks as it had experienced multiple data breaches in the past. Roper St. Francis Healthcare disagreed with the plaintiffs’ claims and chose to settle the lawsuit with no admission of wrongdoing.

Under the terms of the settlement, individuals who were notified about the data breach by Roper St. Francis Healthcare may claim up to $325 as reimbursement for data breach-related expenses, including credit costs and bank fees, and up to four hours of lost time at $20 per hour. If extraordinary losses have been incurred due to identity theft and fraud, claims may be submitted up to a maximum of $3,250. All class members are entitled to one year of credit monitoring services, in addition to those already offered in the individual notifications about the data breach. The deadline for exclusion from and objection to the settlement is April 30, 2024, and the final approval hearing has been scheduled for May 2, 2024.

The post Roper St. Francis Healthcare Settles Data Breach Lawsuit for $1.5 Million appeared first on HIPAA Journal.

Avem Health Partners Agrees $1.45 Million Settlement to Resolve Class Action Data Breach Lawsuit

Posted by Steve Alder

A $1.45 million settlement has been agreed by Avem Health Partners to resolve claims related to a 2022 data breach involving the protected health information of 271,303 individuals. Avem Health Partners is an Oklahoma City-based provider of administrative and technology services to healthcare organizations. On May 16, 2022, hackers were found to have gained access to the servers of one of its vendors, 365 Data Centers. The unauthorized access occurred on May 14, 2022, and Avem Health Partners was notified about the data breach on September 9, 2022.

The exposed data included names, dates of birth, Social Security numbers, driver’s license numbers, health insurance information, and diagnosis and treatment information, and the affected individuals were notified by Avem Health Partners in December 2022. Legal action – Bingaman, et al. v. Avem Health Partners Inc. – was taken over the breach with the plaintiffs alleging their protected health information was negligently maintained and had appropriate cybersecurity measures been implemented, the breach could have been prevented. Avem Health Partners chose to settle the lawsuit with no admission of wrongdoing.

Claims will be accepted from individuals who were notified about the data breach by Avem Health Partners. Claims may be submitted for up to $7,000 to cover out-of-pocket expenses incurred due to the data breach, including credit expenses, bank fees, losses to identity theft and fraud, and up to five hours of lost time at $25 per hour. Individuals who do not submit claims to cover losses will be eligible to receive a cash payment of up to $100, although that amount may be reduced depending on the number of claims received.

Regardless of the option chosen, class members will be eligible to receive three years of identity theft protection and credit monitoring services, which include a $1 million identity theft insurance policy. The deadline for objection to and exclusion from the settlement is April 25, 2024, and the final approval hearing has been scheduled for May 10, 2024.

The post Avem Health Partners Agrees $1.45 Million Settlement to Resolve Class Action Data Breach Lawsuit appeared first on HIPAA Journal.

February 2024 Healthcare Data Breach Report

Posted by Steve Alder

There has been a fall in the number of reported healthcare data breaches for the second consecutive month, with 59 data breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights (OCR).

 

There were 10.6% fewer breaches reported in February than in January, which followed a 22% reduction between December 2023 and January 2024. Over the past 12 months, an average of 64 healthcare breaches have been reported each month, and while February is well under that average, 22.9% more breaches were reported in February 2024 than in February 2023.

For the third consecutive month, the number of breached records has fallen, reducing by 41.7% from January to 5,130,515 records, which is well below the 12-month average of 8.9 million records a month and around half as many records as were breached in February 2023. These figures could increase as three data breaches were reported as involving 500 or 501 records. These figures are often placeholders to meet HIPAA’s breach reporting requirements when the number of affected individuals has yet to be determined.

Biggest Healthcare Data Breaches in February 2024

There were 24 data breaches of 10,000 healthcare records in February, the largest of which was a 2.35 million record data breach at Medical Management Resource Group, which does business as American Vision Partners. A further 1.67 million records were compromised in breaches at Eastern Radiologists and Unite Here, both of which were hacking incidents. Only four breaches of 10,000 or more records were not hacking incidents.

Ransomware attacks continue to plague the healthcare industry, but it is difficult to determine the scale of the problem since breach notifications rarely mention whether ransomware was used. Ransomware groups typically steal data and leak it or sell it if the ransom is not paid. If the nature of the attack is not explained to the affected individuals, it is difficult for them to accurately assess the level of risk they face and make informed decisions about the steps they need to take to prevent their personal information from being misused.

Name of Covered Entity State Covered Entity Type Individuals Affected Business Associate Present
Medical Management Resource Group, L.L.C. AZ Business Associate 2,350,236 Hacking incident (Data theft confirmed)
Eastern Radiologists, Inc NC Healthcare Provider 886,746 Hacking incident
UNITE HERE NY Business Associate 791,273 Hacking incident
Northeast Orthopedics and Sports Medicine, PLLC NY Healthcare Provider 177,101 Hacking incident
Bold Quail Holdings, LLC (NewGen Administrative Services, LLC) CA Healthcare Provider 105,425 Hacking incident
Prime Healthcare Employee Health Plan CA Health Plan 101,135 Hacking incident at business associate (Keenan & Associates)
Egyptian Health Department IL Healthcare Provider 100,000 Hacking incident
Scurry County Hospital District dba Cogdell Memorial Hospital TX Healthcare Provider 86,981 Hacking incident
MedQ, Inc. TX Business Associate 54,725 Ransomware attack (Data theft confirmed)
Coleman Professional Services Inc. OH Healthcare Provider 51,889 Email accounts compromised
Greater Cincinnati Behavioral Health Services OH Healthcare Provider 50,000 Hacking incident
Kirkland & Ellis LLP IL Business Associate 48,802 Hacking incident (MOVEit Transfer)
Employee Benefits Corporation of America and Benefit Design Group, Inc. VA Health Plan 38,912 Hacking incident
Washington County Hospital and Nursing Home AL Healthcare Provider 29,346 Ransomware attack (Data theft confirmed)
Qualcomm Incorporated CA Health Plan 27,038 Hacking incident at a business associate
McKenzie County Healthcare System, Inc. ND Healthcare Provider 21,000 Email accounts compromised
East Carolina University’s Brody School of Medicine, a member of the ECU Health affiliated covered entity NC Healthcare Provider 19,085 Unauthorized access to a network server
Tiegerman NY Healthcare Provider 19,000 Hacking incident
Human Affairs International of California CA Business Associate 18,347 Unauthorized Access/Disclosure of paper/films
Maryville, Inc. NJ Healthcare Provider 15,503 Email account compromised
Bay Area Anesthesia, LLC FL Healthcare Provider 15,196 Hacking incident at business associate (Bowden Barlow Law)
AGC Flat Glass North America, Inc. Welfare Benefits Plan GA Health Plan 13,079 Hacking incident
Littleton Regional Healthcare NH Healthcare Provider 12,614 Misdirected email
CVS Caremark Part D Services, L.L.C. (“CVS”) RI Business Associate 11,193 Unauthorized Access/Disclosure of paper/films

Data Breach Causes and Location of Compromised PHI

As has been the case for many months, the main cause of healthcare data breaches in February was hacking. In February, there were 41 data breaches classed as hacking/IT incidents – 69.5% of the month’s data breaches. These incidents typically see large numbers of records compromised and February was no exception. Across those 41 incidents, the protected health information of 5,017,167 individuals was exposed or compromised – 97.8% of the month’s breached records. The 16 largest healthcare data breaches in February were all hacking incidents. The average breach size was 122,370 records and the median breach size was 7,288 records.

HIPAA-regulated entities reported 16 data breaches that were classed as unauthorized access/disclosure incidents. Across those 16 data breaches, the records of 104,359 individuals were accessed by unauthorized individuals or were impermissibly disclosed. The largest of those incidents was a phishing attack that saw multiple email accounts compromised and the records of 21,000 individuals exposed. The average breach size was 6,522 records and the median breach size was 2,516 records. There were two theft incidents involving the records of 8,989 individuals. No loss or improper disposal incidents were reported in February. The most common location of breached healthcare data was network servers, followed by email accounts.

While it is not possible to prevent all data breaches, many could be avoided by ensuring compliance with the HIPAA Security Rule and implementing OCR’s HPH Cybersecurity Performance Goals (CPGs). The CPGs are split into essential CPGs and advanced CPGs. The Essential CPGs address common vulnerabilities, will significantly improve an organization’s security posture and incident response, and minimize residual risk. The Enhanced CPGs are intended to help HPH sector organizations mature their cybersecurity capabilities and improve their defences against additional attack vectors. A recent IBM study determined that 85% of cyberattacks in critical infrastructure sectors could have been prevented with basic security measures such as those included in the essential CPGs.

Where Did the Data Breaches Occur?

OCR’s data breach portal shows there were 33 data breaches at healthcare providers (1,632,712 records), 16 data breaches at health plans (212,785 records), and 10 data breaches at business associates (3,285,018 records). These figures show the reporting entity rather than where the data breach occurred. When a data breach occurs at a business associate, it may be reported by the business associate, the affected covered entities, or a combination of the two. For example, in February,16 data breaches were reported by health plans, but 8 of those breaches occurred at business associates. The pie charts show where the data breaches occurred rather than the entity that reported the breach.

Geographical Distribution of Healthcare Data Breaches

In February, large healthcare data breaches were reported by HIPAA-regulated entities in 27 states and the District of Columbia. California had the most breaches but Arizona was the worst affected in terms of the number of breached records, with 2,351,027 records compromised in 2 data breaches.

State Breaches
California 6
New York & Ohio 5
Illinois, Kentucky & Texas 4
Alabama, Florida & Michigan 3
Arizona, North Carolina & Rhode Island 2
Colorado, Georgia, Iowa, Maryland, Massachusetts, Missouri, New Hampshire, New Jersey, North Dakota, Oklahoma, Pennsylvania, South Carolina, Tennessee, Virginia, West Virginia & the District of Columbia 1

HIPAA Enforcement Activity in February 2024

In February, OCR announced two settlements with HIPAA-regulated entities to resolve HIPAA compliance failures. OCR investigated Montefiore Medical Center, a non-profit hospital system based in New York City, over a data breach involving a malicious insider. The breach was discovered in 2015 by the New York Police Department, and the investigation revealed a former employee had stolen the data of 12,517 patients over a 6-month period in 2013. OCR launched an investigation in 2015, but it took until February 2024 for the case to be settled.

OCR identified multiple HIPAA failures, and the severity of those failures warranted a significant fine. Montefiore Medical Center was determined to have failed to conduct a comprehensive risk analysis, failed to implement procedures to regularly review records of information system activity, and failed to implement hardware, software, and/or procedural mechanisms that record and examine activity in all information systems that contain or use ePHI. Montefiore Medical Center agreed to pay a $4.75 million penalty to settle the alleged HIPAA violations.

OCR also announced a $40,000 settlement with Green Ridge Behavioral Health, a Gaithersburg, MD-based provider of psychiatric evaluations, medication management, and psychotherapy. This was the second settlement to be reached with a HIPAA-regulated entity over a ransomware attack. OCR determined that a comprehensive risk analysis had not been conducted, there was a failure to manage risks to the confidentiality, integrity, and availability of ePHI, and there were insufficient policies and procedures for reviewing records of information system activity. These failures contributed to the ransomware attack and the impermissible disclosure of the PHI of more than 14,000 patients.

State Attorneys General also have the authority to issue financial penalties for HIPAA violations; however, no civil monetary penalties or settlements were announced in February.

The post February 2024 Healthcare Data Breach Report appeared first on HIPAA Journal.

R1 RCM Data Breach Impacts 16,000 Patients

Posted by Steve Alder

Data breaches have recently been reported by R1 RCM, St. Mary’s Healthcare System for Children, Philips Respironics, and California Correctional Health Care Services.

R1 RCM

R1 RCM Inc., a provider of revenue cycle management services to hospitals, has recently reported a breach of the protected health information of 16,121 individuals. According to a breach notice sent to the Massachusetts Attorney General, R1 learned on November 23, 2023, that protected health information associated with Dignity Health’s St. Rose Dominican Hospital de Lima was in the possession of an unauthorized third party. The hospital’s network was not compromised in the incident.

A review was conducted to determine the data types that had been obtained, and on January 11, R1 determined that the information contained names, contact information, dates of birth, Social Security numbers, location of services, clinical and/ or diagnosis information, and patient account and/or medical record numbers. R1 has notified the affected individuals directly and has offered them 2 years of complimentary credit monitoring and identity theft protection services.

St. Mary’s Healthcare System for Children, Inc.

St. Mary’s Healthcare System for Children, Inc. in Bayside, NY, identified unauthorized activity within its computer network on or around November 9, 2023, and the forensic investigation confirmed that files were removed from its network the same day. A review of those files confirmed they contained the personal information of 5,650 individuals, including names and Social Security numbers. Individual notifications were mailed to the affected individuals on March 20, 2024, and 12 months of complimentary credit monitoring services have been offered. In a comment to The HIPAA Journal, a representative of St. Mary’s Healthcare System for Children stated that “Only 254 individuals were patients whose PHI may have been viewed, the remainder were employees, former employees and other individuals whose personal information (SSNs, not PHI) may have been viewed”.

Philips Respironics

Philips Respironics has recently reported a breach to the HHS’ Office for Civil Rights that involved the protected health information of 1,125 individuals. While the breach has recently been reported to OCR, it occurred on May 31, 2023, and involved the exploitation of a zero day vulnerability in Progress Software’s MOVEit Transfer software. Philips Respironics discovered the breach on June 5, 2023.

Two clients of Philips Respironics have recently confirmed that they have been affected: Forward Healthcare LLC and Rotech Healthcare. Forward Healthcare said it was notified by Philips Respironics on December 20, 2023, that there had been unauthorized access to the Care Orchestrator and Encore Anywhere software solutions via the MOVEit vulnerability, and personal and health information was potentially compromised. 3,999 Forward Healthcare patients were affected. Rotech Healthcare said it was notified about the incident on December 26, 2024, and was provided with a list of the affected patients. The compromised information included names, contact information, dates of birth, medical information related to the therapy delivered, and health insurance information. It is currently unclear how many Rotech patients have been affected.

California Correctional Health Care Services

California Correctional Health Care Services (CCHCS) has recently identified an impermissible disclosure of personal information. On or around February 26, 2024, a member of staff accidentally emailed an attachment to an unauthorized recipient. The attachment contained protected health information such as last names, CDCR numbers, medical information, risk/priority levels, order types/names, reasons for appointments, and dates of appointments.

CCHCS said the recipient of the email did not open or view the attached file and CCHCS received confirmation that the attachment has been deleted and was not shared with any other individual. The employee in question has been provided with additional privacy awareness and information security awareness training. It is currently unclear how many individuals have been affected.

The post R1 RCM Data Breach Impacts 16,000 Patients appeared first on HIPAA Journal.

Valley Oaks Health Reports 50,000-Record Data Breach

Posted by Steve Alder

Cyberattacks and data breaches have been reported by Valley Oaks Health and Sycamore Rehabilitation Services in Indiana, Plymouth Tube Company in Illinois, and Weirton Medical Center in West Virginia.

Valley Oaks Health, Indiana

Valley Oaks Health in Niles, IL, has recently notified 50,352 individuals about a breach of its network environment. Unauthorized individuals gained access to parts of its network between June 8, 2023, and June 13, 2023. Its network was secured, and third-party cybersecurity experts were engaged to assist with the investigation and confirmed that files containing patient data had been exposed and may have been stolen.

The forensic investigation and document review were completed on February 2, 2024. The breach notice sent to the Maine Attorney General has the specific types of compromised data redacted but the notice confirmed that names have been exposed along with Social Security numbers. Consumer notifications were mailed on March 18, 2024, and complimentary credit monitoring services have been offered to individuals whose Social Security numbers were exposed.

Weirton Medical Center, West Virginia

Weirton Medical Center in West Virginia identified suspicious activity within its computer network on January 18, 2024. Systems were immediately secured, and third-party cybersecurity experts were engaged to investigate the breach and determined there had been unauthorized access to the network between January 14, 2024, and January 18, 2024, and files were copied from its systems.

The information involved varied from individual to individual and may have included one or more of the following: name, Social Security number, date of birth, medical information, health insurance information, treatment information, and the balance due on medical bills. While files were confirmed as having been removed from the network, Weirton Medical Center is unaware of any misuse of patient data. Weirton Medical Center said strict security measures were already in place and they have been augmented to prevent similar incidents in the future. Notification letters were sent to the affected individuals on March 18, 2024. The incident has been reported to the HHS’ Office for Civil Rights as affecting 26,793 individuals.

Sycamore Rehabilitation Services, Indiana

Sycamore Rehabilitation Services, Inc. in Danville, IL, has reported a breach of its email system and the exposure of the personal data of 3,414 individuals. The breach was detected on September 21, 2023, with the forensic investigation confirming there had been unauthorized access to its network between July 29, 2023, and August 9, 2023. During that time, there may have been unauthorized access to names, dates of birth, Social Security numbers, driver’s license/state identification numbers, account numbers, routing numbers, medical information, and health insurance information. It was not possible to determine exactly what types of information were acquired in the attack.

Sycamore Rehabilitation Services said it had implemented security measures prior to the breach. Multi-factor authentication was enabled on all email accounts, a VPN was required for access to internal resources from outside the organization, critical patches were applied each month, email security solutions were in place, all endpoints were protected with Sentinel One anti-virus, Azure PowerShell access was off by default, and POP/IMAP was disabled by default. Those measures have now been augmented with Proofpoint email scanning and security, Breach Secure Now phishing testing, and DUO MFA on VPN accounts.

The affected individuals were notified by mail on March 1, 2024, and have been offered complimentary credit monitoring and identity theft protection services. Sycamore Rehabilitation Services said the delay in issuing notifications was due to the time taken to investigate the breach and identify the affected individuals.

Plymouth Tube Company, Illinois

Plymouth Tube Company in Warrenville, IL, has identified unauthorized access to its computer network. The forensic investigation confirmed that there was unauthorized access between January 27, 2024, and January 29, 2024, and during that time, the unauthorized actor accessed or acquired files on its servers which included files that contained employee benefit plan data.

The review of the affected files confirmed that 2,652 current and former employees and their dependents had been affected and had one or more of the following compromised: name, date of birth, Social Security number, driver’s license number, and plan information. The affected individuals were notified on March 13, 2024, and complimentary credit monitoring and identity theft protection services have been made available.

The post Valley Oaks Health Reports 50,000-Record Data Breach appeared first on HIPAA Journal.

Humana Reports Mailing Errors Affecting More than 10,000 Members

Posted by Steve Alder

Three mailing error incidents have resulted in the impermissible disclosure of the PHI of more than 10,000 Humana members. Data breaches have also recently occurred at KMJ Health Solutions, Jewish Home Lifecare, and Lake of the Woods County Social Services.

Insurance ACE/Humana Inc.

The Kentucky-based health insurance provider Humana Inc. has recently disclosed three separate mailing error incidents that have resulted in the impermissible disclosure of the protected health information of 10,688 of its members. On December 8, 2023, a programming error resulted in Explanation of Payment documents intended for providers being sent to an incorrect address. The documents included first and last names, Humana ID numbers, provider names, dates of service, and claim payment information.

On December 14, 2023, large print/braille health plan communications were mailed to incorrect recipients. An error was made when fixing an unrelated coding issue that added a date/time stamp to the naming convention, which was not a unique identifier. As a result, the system began overwriting files as duplicates, which resulted in members receiving another member’s letter. The information impermissibly disclosed included first and last names, addresses, Humana ID numbers, provider names, dates of service, claim payment information, prescription medication information, and copay and premium information.

On January 12, 2024, Humana’s printing vendor in Louisiana, Broadridge Output Solutions, Inc., experienced a printing error that caused explanation of benefits information of Humana members to be printed on the reverse of other members’ statements. The information impermissibly disclosed included names, claim information, provider name, gender, copay information, deductible and coinsurance information. Humana said all of the errors have been rectified and it is unaware of any misuse of members’ information.

KMJ Health Solutions

KMJ Health Solutions, a Michigan-based provider of online signout and charge capture systems, has reported a breach of the protected health information of 2,191 individuals. On November 19, 2023, KMJ Health Solutions identified unauthorized access to the server that hosts its eDocList system. The attacker used ransomware to encrypt files and may have obtained the data of some of its clients. The threat actor first gained access to the server on July 1, 2023. KMJ Health Solutions notified the affected clients on or around January 11, 2024.

One of the affected clients was Saint Joseph’s Medical Center in New York. The information potentially compromised included names, dates of birth, medical record numbers, diagnoses, laboratory results, dates of service, provider names, medications, and/or treatment information. Saint Joseph’s sent notifications to the affected individuals on March 4, 2024, and has confirmed that it no longer uses KNJ Health Solutions. When business associates experience data breaches, notifications may be issued by the business associate, their covered entity clients, or a combination of the two. It is therefore unclear at this stage how many individuals in total have been affected.

Jewish Home Lifecare

Jewish Home Lifecare, Inc., a New York senior health care system, identified unusual activity in its computer systems on January 7, 2023, and assisted by computer forensics experts, determined that there had been unauthorized access to its systems and the hackers potentially viewed or obtained patient data. The information exposed included names, addresses, dates of birth, Social Security numbers, payment card information, financial account information, passport numbers, medical record information, and medical treatment information. Jewish Home Lifecare has reported the incident to the HHS Office for Civil Rights as affecting 501 individuals. 501 is a placeholder often used to meet breach reporting requirements when the total number of affected individuals has yet to be confirmed.

Lake of the Woods County Social Services

Lake of the Woods County Social Services in Minnesota has reported a data breach that has affected individuals served by the County Social Services Department and their household members. On November 14, 2023, the County’s cybersecurity solutions detected and blocked a ransomware attack. While file encryption was prevented, the forensic investigation confirmed there was unauthorized access to its systems between November 14 and November 15, 2023, and data was stolen in the attack.

A ransom demand was received, but the County refused to pay to have the stolen data deleted, consistent with the advice of the FBI. Some of the stolen data was subsequently posted on the dark web. The information compromised in the attack included the following: Name, in combination with some or all of the following: address, date of birth, Social Security number, driver’s license number, financial account information, payment card information, information related to medical condition, treatment or diagnosis, medications, names of healthcare providers, information related to services individuals received from the County Social Services Department, such as locations of service, dates of service, client identification number or unique identifiers related to services provided to you, insurance identification number, and/or insurance information. For a limited number of individuals, the data included mental health reports and/or username(s) and password(s) used to access online accounts. The breach has been reported to the HHS’ Office for Civil Rights as affecting 537 individuals.

The post Humana Reports Mailing Errors Affecting More than 10,000 Members appeared first on HIPAA Journal.

Data Breaches Reported by Rebound Orthopedics, CCM Health, BCBST & Orsini Pharmaceutical Services

Posted by Steve Alder

Data breaches have recently been reported by Rebound Orthopedics & Neurosurgery, CCM Health, BlueCare Plus Tennessee, and Orsini Pharmaceutical Services.

Rebound Orthopedics & Neurosurgery

Rebound Orthopedics & Neurosurgery in Vancouver, WA, has recently announced that it fell victim to a cyberattack on February 2, 2024. The attack was detected on February 3 when its computer systems went offline, including its patient and scheduling portals, and the outage lasted for more than 2 weeks. Computer forensics specialists were engaged to investigate the incident and confirmed that an unknown and unauthorized actor had accessed its network and viewed or copied files that were stored on its systems. A detailed review has been conducted of those files which confirmed that they contained patient information although no evidence was found to indicate any information in those files has been misused.

It is currently unclear what information was involved, as that information was not present in the sample notice provided to the Montana Attorney General. The incident has yet to appear on the HHS’ Office for Civil Rights website, so it is unclear how many individuals have been affected. Rebound Orthopedics & Neurosurgery said additional security measures have been implemented to prevent similar incidents in the future and complimentary credit monitoring services have been offered to the affected individuals for 24 months.

CCM Health

CCM Health in Montevideo, MN, has recently notified 29,182 individuals about a network security incident that involved some of their personal and health information. In a March 12, 2024, breach notice, CCM Health explained that there had been unauthorized access to its network between April 3, 2023, and April 10, 2023, and an unauthorized third party may have accessed and removed files containing their sensitive information.

A comprehensive review was conducted of all files on the compromised parts of the network that confirmed they contained full names, date of birth, Social Security numbers, medical information, and health insurance information. The exposed health information included medical record numbers, patient account numbers, prescription information, healthcare provider names, medical diagnoses, diagnosis codes, treatment types, treatment locations, treatment dates, admission dates, discharge dates, and/or lab results.

The file review was completed on February 12, 2024, and notification letters have now been sent to the affected individuals. Single bureau credit monitoring/single bureau credit report/single bureau credit score services have been provided to the affected individuals at no charge

BlueCross BlueShield of Tennessee

BlueCross BlueShield of Tennessee, Inc. (BCBST) and Volunteer State Health Plan, Inc. which do business as BlueCare Plus Tennessee, have recently notified around 2,000 individuals about two security incidents that exposed their sensitive information.

BCBST said it identified suspicious login attempts to its member portal from outside the company on or around December 19, 2023. The attempts were made to log in using username and password combinations that came from an unknown source. The investigation found no evidence to suggest there had been a breach of BCBST systems, and it would appear that this was a credential stuffing attack, where username/password combinations that have been obtained in a third-party breach are used to try to log into accounts on other platforms.

The member portal was immediately disabled while the unauthorized activity was investigated, password security was enhanced, and third-party forensics experts were engaged to assist with the investigation. Between January 18 and January 24, 2024, BCBST learned that there had been a similar incident on August 7, 2023. The data potentially accessed in these two incidents included names, dates of birth, addresses, subscriber IDs, provider names, group numbers and names, plan information, medical information, claims information, and user IDs and passwords. For fewer than 1% of the affected individuals, financial information was also exposed. For individuals whose coverage ended more than two years ago the breached information only included IDs and passwords.

BCBST is implementing new login requirements and has notified the affected individuals and offered them identity monitoring services at no cost. They have also been asked to change their online account passwords when they sign in and to use a password that has not been used elsewhere. Two separate reports of data breaches have been logged by the HHS’ Office for Civil Rights that affected 1,251 and 790 individuals.

Orsini Pharmaceutical Services

Orsini Pharmaceutical Services in Illinois has recently discovered there has been unauthorized access to an employee’s email account. The breach was detected on January 10, 2024, and the investigation confirmed that a single email account was compromised between January 8 and January 10, 2024. The email account was reviewed to find out the types of information that had been exposed, which confirmed that the protected health information of 1,433 patients was present in the account, including names, addresses, dates of birth, medical record numbers, health insurance information, diagnoses, and/or prescription information.

Orsini Pharmaceutical Services did not find evidence to suggest that the attack was conducted to obtain patient data, but the possibility could not be ruled out. Additional safeguards and technical security measures have been put in place to further protect and monitor its systems, and the affected individuals have been notified and offered a complimentary 12-month membership to a credit monitoring service.

The post Data Breaches Reported by Rebound Orthopedics, CCM Health, BCBST & Orsini Pharmaceutical Services appeared first on HIPAA Journal.