HIPAA Breach News

2 Million Patients Affected by Shields Health Care Group Cyberattack

The protected health information of up to 2 million individuals has potentially been compromised in a Shields Health Care Group cyberattack. Massachusetts-based Shields Health Care Group provides ambulatory surgical center management and medical imaging services throughout New England. On March 28, 2022, suspicious activity was detected within its network. Immediate action was taken to secure its network and prevent further unauthorized access, and third-party forensics specialists were engaged to assist with the investigation and determine the nature and scope of the security breach.

The forensic investigation determined that an unauthorized actor had access to certain Shields systems between March 7, 2022, and March 21, 2022. Shields said a security alert had been triggered on March 18, 2022, which was investigated, but at the time it did not appear that there had been a data breach. It has since been confirmed that during that period of access, certain data was removed from its systems. Shields said it has not been made aware of any cases of actual or attempted misuse of patient data.

A review of the files that were removed from its systems or may have been accessed by unauthorized individuals confirmed the following types of information were involved: full name, Social Security number, date of birth, home address, provider information, diagnosis, billing information, insurance number and information, medical record number, patient ID, and other medical or treatment information. Shields is continuing to review the affected data and will issue notifications to affected individuals on behalf of all affected facility partners when that review has been completed.

When the attack was discovered, immediate action was taken to secure its network and data. Certain systems have since been rebuilt, and additional safeguards have been implemented to better protect patient data. Cybersecurity measures will be reviewed and enhanced moving forward to ensure continued data security.

The HHS’ Office for Civil Rights Breach Portal has the breach listed as affecting 2,000,000 individuals. Shields said those individuals had received services at the following 56 facility partners:

Affected Facility Partners

  • Cape Cod Imaging Services, LLC (a business associate to Falmouth Hospital Association, Inc)
  • Cape Cod PET/CT Services, LLC
  • Cape Cod Radiation Therapy Service, LLC
  • Central Maine Medical Center
  • Emerson Hospital
  • Fall River/New Bedford Regional MRI Limited Partnership
  • Falmouth Hospital Association, Inc.
  • Franklin MRI Center, LLC
  • Lahey Clinic MRI Services, LLC
  • Massachusetts Bay MRI Limited Partnership
  • Mercy Imaging, Inc.
  • MRI/CT of Providence, LLC
  • Newton Wellesley Orthopedic Associates, Inc.
  • Newton-Wellesley Imaging, PC
  • Newton-Wellesley MRI Limited Partnership
  • Northern MASS MRI Services, Inc.
  • NW Imaging Management Company, LLC (a business associate to Newton Wellesley Orthopedic Associates, Inc.)
  • PET-CT Services by Tufts Medical Center and Shields, LLC
  • Radiation Therapy of Southeastern Massachusetts, LLC
  • Radiation Therapy of Winchester, LLC
  • Shields and Sports Medicine Atlantic Imaging Management Co, LLC (a business associate to SportsMedicine Atlantic Orthopaedics P.A.)
  • Shields CT of Brockton, LLC
  • Shields Healthcare of Cambridge, Inc.
  • Shields Imaging at Anna Jaques Hospital, LLC
  • Shields Imaging at University Hospital, LLC
  • Shields Imaging at York Hospital, LLC
  • Shields Imaging Management at Emerson Hospital, LLC (a business associate to Emerson Hospital)
  • Shields Imaging of Eastern Mass, LLC
  • Shields Imaging of Lowell General Hospital, LLC
  • Shields Imaging of North Shore, LLC
  • Shields Imaging of Portsmouth, LLC
  • Shields Imaging with Central Maine Health, LLC (a business associate to Central Maine Medical Center)
  • Shields Management Company, Inc.
  • Shields MRI & Imaging Center of Cape Cod, LLC
  • Shields MRI of Framingham, LLC
  • Shields PET/CT at CMMC, LLC
  • Shields PET_CT at Berkshire Medical Center, LLC
  • Shields PET-CT at Cooley Dickinson Hospital, LLC
  • Shields PET-CT at Emerson Hospital, LLC
  • Shields Radiology Associates, PC
  • Shields Signature Imaging, LLC
  • Shields Sturdy PET-CT, LLC
  • Shields-Tufts Medical Center Imaging Management, LLC (a business associate to Tufts Medical Center, Inc.)
  • South Shore Regional MRI Limited Partnership
  • South Suburban Oncology Center Limited Partnership
  • Southeastern Massachusetts Regional MRI Limited Partnership
  • SportsMedicine Atlantic Orthopaedics P.A.
  • Tufts Medical Center, Inc.
  • UMass Memorial HealthAlliance MRI Center, LLC
  • UMass Memorial MRI – Marlborough, LLC
  • UMass Memorial MRI & Imaging Center, LLC
  • Winchester Hospital / Shields MRI, LLC

The post 2 Million Patients Affected by Shields Health Care Group Cyberattack appeared first on HIPAA Journal.

Healthcare Ransomware Attacks Increased by 94% in 2021

Ransomware attacks on healthcare organizations increased by 94% year over year, according to the 2022 State of Ransomware Report from cybersecurity firm Sophos. The report is based on a global survey of 5,600 IT professionals and included interviews with 381 healthcare IT professionals from 31 countries.  This year’s report focused on the rapidly evolving relationship between ransomware and cyber insurance in healthcare.

66% of surveyed healthcare organizations said they had experienced a ransomware attack in 2021, up from 34% in 2020, and the volume of attacks increased by 69%, which was the highest of all industry sectors. Healthcare had the second-highest increase (59%) in the impact of ransomware attacks.

According to the report, the number of healthcare organizations that paid the ransom has doubled year over year. In 2021, 61% of healthcare organizations that suffered a ransomware attack paid the ransom, the highest percentage of any industry sector. The global average was 46%, which is almost twice the percentage of the previous year.

Paying the ransom may help healthcare organizations recover from ransomware attacks more quickly, but there is no guarantee that paying the ransom will prevent data loss. On average, after paying the ransom, healthcare organizations were only able to recover 65% of encrypted data, down from 69% in 2020. In 2020, 8% of healthcare organizations recovered all of their data after paying the ransom. That figure fell to just 2% in 2021.

While the healthcare industry had the highest percentage of victims paying the ransom for the decryption keys and to prevent the exposure of sensitive data, healthcare had the lowest average ransom amount, at $197,000. The global average across all industry sectors was $812,000. The ransom cost was lower in healthcare, but the overall cost of recovery was second-highest, with the total cost of a ransomware attack at $1.85 million, considerably higher than the global average of $1.4 million.

Even though there is a high risk of suffering a costly ransomware attack, there are relatively low levels of cyber insurance coverage in healthcare. Across all industry sectors, 83% of organizations had cyber insurance. Only 78% of surveyed healthcare organizations said they had a cyber insurance policy. Many cyber insurance providers stipulate that certain baseline security measures must be implemented in order to take out insurance policies, and the maturity of an organization's cybersecurity program can have a big impact on the cost of insurance. 97% of healthcare organizations said they had upgraded their cybersecurity defenses to improve their cyber insurance position.

97% of healthcare organizations that had cyber insurance that covered ransomware attacks said the policy paid out, with 47% saying the entire ransom payment was covered by their cyber insurance provider; however, obtaining cyber insurance to cover ransomware attacks is getting much harder due to the extent to which the healthcare industry is being targeted.


FBI Thwarted ‘Despicable’ Cyberattack on Boston Children’s Hospital

In 2021, Iranian state-sponsored hackers attempted a destructive cyberattack on Boston Children’s Hospital, which the Federal Bureau of Investigation (FBI) was able to successfully block before the hospital’s computer network was damaged. FBI Director Christopher Wray said the attempted cyberattack was “one of the most despicable cyberattacks I have ever seen.”

Speaking at Boston College for the Boston Conference on Cyber Security, Wray said Iranian state-sponsored hackers exploited a vulnerability in a popular software solution made by the Californian cybersecurity vendor Fortinet. The FBI was alerted to the breach and the pending attack by another intelligence agency and notified the hospital on August 3, 2021. Wray said the FBI met with representatives of the hospital and provided information that helped the hospital identify and mitigate the threat.

Wray said this was “a great example of why we deploy in the field the way we do, enabling that kind of immediate, before-catastrophe-strikes response,” and explained that the incident should serve as a reminder to all healthcare organizations to ensure they have an incident response plan that includes the FBI. Wray said this incident highlights the risk of high-impact cyberattacks by nation-state threat actors from Russia, China, Iran, and North Korea, and said “We cannot let up on China or Iran or criminal syndicates while we’re focused on Russia.”

In November 2021, the FBI, in conjunction with the Cybersecurity and Infrastructure Security Agency (CISA), the National Cyber Security Centre (NCSC) in the UK, and the Australian Cyber Security Centre (ACSC) issued a security alert warning the healthcare sector and operators of critical infrastructure about an Iranian nation-state Advanced Persistent Threat actor who was known to be exploiting Microsoft Exchange and Fortinet vulnerabilities to steal data, conduct ransomware attacks and extort money from victims.

Wray did not specify what type of attack the threat actor was attempting to conduct, only that a cyberattack could have damaged the network, which could have had a devastating impact on the sick children that depend on it. The cyberattack in question appears to have been conducted through an HVAC vendor.

In August 2021, a threat actor contacted Databreaches.net and shared evidence of a successful attack on an HVAC vendor, claiming that they had breached the HVAC vendor’s systems and also had access to the systems of a children’s hospital. It was confirmed that the HVAC vendor in question was ENE Systems, which provides services to the Harvard-linked hospitals Boston Children’s Hospital, Brigham & Women’s Hospital, and Mass General Hospital.

Boston Children’s Hospital is no stranger to cyberattacks. Back in 2014, the hospital suffered a series of attacks that disrupted its systems for more than a week. The attacks were conducted in retaliation for how the hospital handled the case of patient Justina Pelletier, who was involved in a custody battle. The individual behind that attack was apprehended and convicted and was sentenced to 10 years in jail in 2019.


Data Breaches Reported by Alameda Health System, Aon, and Capsule Pharmacy

Alameda Health System in California, Capsule pharmacy in New York, and Aon PLC in Illinois have recently reported data breaches affecting a total of 56,290 individuals.

Alameda Health System Notifying 90,000 Patients About PHI Breach

Oakland, CA-based Alameda Health System has recently reported a data breach to the Department of Health and Human Services’ Office for Civil Rights that has affected up to 90,000 patients. Limited information has been released so far on the nature of the breach. Alameda Health System said suspicious activity was detected in the email accounts of certain employees with the investigation confirming several employee email accounts had been accessed by an unauthorized third party.

The review of those accounts confirmed they contained the protected health information of patients, although it is currently unclear to what extent patient information has been compromised. Alameda Health System said no evidence has been found that suggests any information in the accounts has been viewed or removed. Notification letters will be sent to affected individuals shortly, and measures will be implemented to improve security and mitigate harm to patients.

Capsule Pharmacy Breach Affects 27,486 Individuals

Capsule, a NY-based digital pharmacy, has started notifying 27,486 individuals that some of their protected health information has been exposed in a recent cyberattack. According to the breach notification sent to the California Attorney General, unauthorized individuals gained access to certain Capsule accounts on April 5, 2022.

The security breach was detected the same day and a password reset was performed on all affected accounts. A third-party digital forensics firm was engaged to assist with the investigation, which confirmed that the following types of information had potentially been compromised: demographic information such as names, email addresses, phone numbers, addresses, birthdates, and sex, health information including medical conditions and prescribed medications, past order histories, insurance information, chat messages to and from Capsule agents, and the last 4 digits of credit card numbers and expiry dates.

Capsule said additional security safeguards are being implemented. While a password reset has been performed on all affected accounts, Capsule has recommended that users “set different passwords for your different accounts, use complex passwords or passphrases that are not easy to guess, and not reuse previous passwords,” which suggests the security breach may have been a password spraying attack.
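A password spraying attack of the kind inferred above leaves a recognizable trace in authentication logs: one source tries a small number of passwords against many different accounts, rather than many passwords against one. The detector below is an added example, not Capsule's code or any vendor's tooling; the log format and all addresses and account names are constructed for illustration.

```python
"""Flag sources whose login pattern matches password spraying.

Added example. Spraying signature assumed here: within a short window, one
source IP attempts logins against many distinct accounts with only a few
attempts per account. A brute-force source (many attempts, one account) is
deliberately NOT flagged, so the two can be triaged differently.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source_ip> <account> <result>"
SAMPLE_LOG = """\
2022-04-05T08:00:01 203.0.113.7 alice FAIL
2022-04-05T08:00:02 203.0.113.7 bob FAIL
2022-04-05T08:00:03 203.0.113.7 carol FAIL
2022-04-05T08:00:04 203.0.113.7 dave FAIL
2022-04-05T08:00:05 203.0.113.7 erin FAIL
2022-04-05T08:00:06 203.0.113.7 frank FAIL
2022-04-05T08:00:07 203.0.113.7 grace SUCCESS
2022-04-05T08:01:00 198.51.100.9 alice FAIL
2022-04-05T08:01:05 198.51.100.9 alice FAIL
2022-04-05T08:01:10 198.51.100.9 alice FAIL
2022-04-05T08:01:15 198.51.100.9 alice SUCCESS
2022-04-05T09:30:00 192.0.2.44 heidi FAIL
2022-04-05T09:30:10 192.0.2.44 heidi SUCCESS
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, account, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, account, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, account, result))
    return events


def find_spraying_sources(events, window=timedelta(minutes=10),
                          min_accounts=5, max_per_account=2):
    """Return {ip: {"accounts": n, "compromised": [accounts]}} for spraying sources.

    A source is flagged when any sliding window of `window` length contains
    attempts against at least `min_accounts` distinct accounts with no single
    account tried more than `max_per_account` times. Accounts with a SUCCESS
    inside a flagged window are reported so they can be reset first.
    """
    by_ip = defaultdict(list)
    for ts, ip, account, result in events:
        by_ip[ip].append((ts, account, result))

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            window_evs = evs[start:end + 1]
            per_account = defaultdict(int)
            for _, account, _ in window_evs:
                per_account[account] += 1
            if (len(per_account) >= min_accounts
                    and max(per_account.values()) <= max_per_account):
                hit = findings.setdefault(ip, {"accounts": 0, "compromised": set()})
                hit["accounts"] = max(hit["accounts"], len(per_account))
                hit["compromised"].update(
                    a for _, a, r in window_evs if r == "SUCCESS")

    return {ip: {"accounts": h["accounts"], "compromised": sorted(h["compromised"])}
            for ip, h in findings.items()}


if __name__ == "__main__":
    for ip, info in find_spraying_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['accounts']} accounts targeted, "
              f"successful logins on {info['compromised'] or 'none'}")
```

On the constructed log only 203.0.113.7 is flagged (seven accounts, one attempt each, with a success on `grace`); the repeated failures on `alice` from 198.51.100.9 are a single-account pattern and are left for brute-force or lockout rules.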

PHI of More Than 28,700 Individuals Potentially Compromised in Aon PLC Cyberattack

Aon PLC, a Chicago, IL-based business associate that provides financial risk-mitigation products, including insurance and health insurance plans, has recently announced that it was the victim of a cyberattack. The security breach was discovered on February 25, 2022, with the forensic investigation confirming an unauthorized third party had gained access to certain Aon systems at various times between December 29, 2020, and February 26, 2022, and that certain documents containing individuals’ protected health information had been removed from its systems.

Aon said it has taken steps to confirm that the removed information is no longer in the possession of the third party, that there are no indications that the removed information has been further copied, retained, or shared, and that there is no reason to suspect that any information has been or will be misused. The affected information was limited to names, Social Security numbers, driver’s license numbers, and, for a limited number of individuals, benefit enrolment information. Aon said the incident was reported to the Federal Bureau of Investigation and other law enforcement authorities, and steps have been taken to further enhance security.


PHI Potentially Compromised in Security Incidents at Allwell Behavioral Health Services and WellDyneRx

Allwell Behavioral Health Services in Zanesville, OH, has announced that a computer system used to store quality assurance information related to the treatment of patients has been accessed by an unauthorized individual. The unauthorized access was detected on March 5, 2022, with the subsequent forensic investigation determining the system was breached on March 2, 2022.

The breach investigation concluded in late April and determined that it was likely that files containing sensitive information had been copied in the attack, although at the time of issuing notifications to affected individuals there had been no reports of any actual or attempted misuse of patient data.

The types of information in the files varied from patient to patient and may have included information such as names, dates of birth, Social Security numbers, phone numbers, treatment activity, treatment provider, treatment date, treatment location, and payer information.

According to the breach summary on the HHS’ Office for Civil Rights website, 29,972 patients have been affected. Complimentary identity theft protection services have been offered to eligible participants for 12 months, and for 24 months for affected patients in CT, DC, RI, or MA. Allwell Behavioral Health Services said its information technology and computer systems have been upgraded to improve security and prevent further unauthorized access.

Email Account Breach Reported by WellDyneRx

The pharmacy benefit manager, WellDyneRx, has recently started notifying 5,122 individuals that an unauthorized individual has gained access to a company email account that contained sensitive patient information. Suspicious activity was detected in the email account on December 2, 2021, and immediate action was taken to secure the account. The third-party forensic investigation confirmed the account had been accessed by an unauthorized individual between October 30, 2021, and November 11, 2021.

Evidence of data theft was not found, but the possibility of unauthorized access to ePHI could not be ruled out. The review of the email account confirmed the following types of information had potentially been compromised: names, birthdates, Social Security numbers, driver’s license numbers, treatment information, health insurance information, contact information, prescription information, and other medical/health information. Steps have been taken to improve security to prevent similar attacks in the future.


Email Accounts Compromised at BJC HealthCare & Cooper University Health Care

BJC HealthCare, a non-profit healthcare organization based in St. Louis, MO, has started notifying certain patients that some of their protected health information was stored in email accounts that were accessed by an unauthorized individual.

The investigation confirmed that a small number of email accounts of physicians and general practitioners had been accessed between March 4 and March 28, 2022. The forensic investigation did not determine whether emails and attachments had been viewed or copied, but unauthorized data access and theft could not be ruled out.

A comprehensive review of the email accounts confirmed they contained names, dates of birth, medical record numbers, and clinical information such as performance dates, diagnoses, provider names, and/or treatment locations. A limited number of patients also had their health insurance information, driver’s license numbers, and/or Social Security numbers exposed.

Individuals who had either their driver’s license number or Social Security number exposed can take advantage of the complimentary credit monitoring and identity theft protection services that have been offered.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Email Incident Reported by Cooper University Health Care

Camden, NJ-based Cooper University Health Care announced on May 25, 2022, that the email account of an employee was accessed by an unauthorized individual on November 24, 2021. The security incident was detected on December 13, 2021, and the investigation concluded on May 10, 2022.

The email account contained information such as names, dates of birth, medical professional names, diagnosis and treatment information, billing and claims information, and medical record numbers. No evidence of actual or attempted misuse of patient data has been identified at the time of issuing notification letters.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.


New York Judge Dismisses Class Action PACS Data Breach Lawsuit for Lack of Standing

A class action lawsuit filed against NorthEast Radiology PC and Alliance HealthCare Services over a data breach that exposed the protected health information of more than 1.2 million individuals has been dismissed by a New York Federal Judge for lack of standing.

The lawsuit was filed in July 2021 on behalf of plaintiffs Jose Aponte II and Lisa Rosenberg, whose protected health information was exposed as a result of a misconfiguration of the companies’ Picture Archiving Communication System (PACS), which contained medical images and associated patient data. In late 2019, security researchers identified the exposed data and notified the affected companies, which included Northeast Radiology and its vendor, Alliance HealthCare Services.

According to the lawsuit, more than 61 million medical images were exposed along with the sensitive data of 1.2 million patients. Northeast Radiology reported the breach to the HHS’ Office for Civil Rights as affecting 298,532 individuals. The lawsuit alleged the defendants had implemented inadequate security safeguards to ensure the privacy of patient data, which allowed medical images and other protected health information to be accessed by unauthorized individuals between April 14, 2019, and January 7, 2020. The plaintiffs alleged that they face an ongoing and imminent risk of identity theft and fraud, as there is no way to cancel protected health information. They claim they now need to continuously monitor their accounts and use credit and identity theft monitoring services, and expend additional time and effort to prevent and mitigate against potential future losses.

It is now common for lawsuits to be filed against healthcare organizations following data breaches, but the lawsuits often do not succeed due to the failure to provide evidence of harm as a result of the exposure or theft of personal data, as was the case here. Judge Vincent L. Bricetti, Federal Judge for the Southern District of New York, dismissed the lawsuit as the plaintiffs failed to allege a cognizable injury. The judge ruled that the mere exposure of sensitive data did not establish that the plaintiffs had been harmed by the incident, and that the risk of future harm from the exposure of their sensitive data was too speculative to establish standing.

While the data breach was reported to the HHS’ Office for Civil Rights as affecting up to 298,532 individuals, NorthEast Radiology was only able to confirm that the data of 29 patients had definitely been subjected to unauthorized access, and the two plaintiffs named in the lawsuit were not part of that small group.

Judge Bricetti referred to the Second Circuit Court’s decision in McMorris v. Carlos Lopez & Associates, LLC, which established a three-factor test for determining whether allegations of an injury from a data breach gave rise to a cognizable Article III injury-in-fact:

“(1) whether the plaintiffs’ data has been exposed as the result of a targeted attempt to obtain that data; (2) whether any portion of the dataset has already been misused, even if the plaintiffs themselves have not yet experienced identity theft or fraud; and (3) whether the type of data that has been exposed is sensitive such that there is a high risk of identity theft or fraud.”

Judge Bricetti rejected all of the plaintiffs’ claims for negligence, negligence per se, breach of contract, breach of implied contract, violations of New York General Business Law Section 349, and intrusion upon seclusion.


Former IT Consultant Charged with Intentionally Causing Damage to Healthcare Company’s Server

An information technology consultant who worked as a contractor at a suburban healthcare company in Chicago has been charged with illegally accessing the company’s network and intentionally causing damage to a protected computer.

Aaron Lockner, 35, of Downers Grove, IL, worked for an IT company that had a contract with a healthcare company to provide security and technology services. Lockner was provided with access to the network of the healthcare provider’s clinic in Oak Lawn, IL, to perform the contracted IT services.

In February 2018, Lockner applied for an employment position with the healthcare provider, but his application was denied. Lockner was then terminated from the IT firm in March 2018. A month later, on or around April 16, 2018, Lockner is alleged to have remotely accessed the computer network of the healthcare company without authorization. According to the indictment, Lockner knowingly caused the transmission of a program, information, code, and command, and as a result of his actions, intentionally caused damage to a protected computer. The computer intrusion impaired medical examinations, treatment, and the care of multiple individuals.

Lockner has been indicted on one count of intentionally causing damage to a protected computer. The arraignment has been scheduled for May 31, 2022, in the U.S. District Court in the Northern District of Illinois, Eastern Division. If convicted, Lockner could serve up to 10 years in federal prison.

This case highlights the risks posed by insiders. The recently published 2022 Verizon Data Breach Investigations Report highlights the risk of attacks by external threat actors, which outnumber insider attacks by 4 to 1, but safeguards also need to be implemented to protect against insider threats.

In this case, the alleged access occurred two months after the application for employment was rejected and one month after Lockner was terminated by the IT company. When individuals leave employment, whether voluntarily or through termination, their access rights to systems need to be revoked immediately, and systems should be scanned to identify any malware or backdoors that may have been installed.

There have been multiple cases of disgruntled IT contractors retaining remote access to systems after termination, with one notable case at a law firm seeing a former IT worker installing a backdoor and subsequently accessing the system and intentionally causing damage after leaving employment. In that case, the individual was sentenced to 115 months in federal prison and was ordered to pay $1.7 million in restitution.
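The two controls recommended above, revoking access on departure and then watching for the departed account anyway, can both be checked mechanically. The script below is an added example and not code from any organization named in this article; the HR feed, directory export and VPN log format are constructed, and every account name, date and address in it is hypothetical.

```python
"""Offboarding checks: stale accounts and post-termination remote sessions.

Added example. It assumes three inputs an organization normally already has:
an HR feed of termination dates, a directory export with an enabled flag per
account, and a remote-access log. Two findings are produced: accounts still
enabled after their last day (revocation was missed), and successful remote
sessions by an account after its last day (revocation was missed or bypassed).
"""
from datetime import date, datetime

# Constructed HR offboarding feed: account -> last working day.
TERMINATIONS = {
    "contractor.jdoe": date(2018, 3, 9),
    "nurse.asmith": date(2018, 4, 20),
}

# Constructed directory export: account -> enabled flag.
DIRECTORY = {
    "contractor.jdoe": True,   # still enabled after departure: a finding
    "nurse.asmith": False,     # correctly disabled
    "dr.lee": True,            # current staff
}

# Constructed remote-access log: "<ISO timestamp> <account> <source_ip> <result>"
VPN_LOG = """\
2018-04-16T02:13:45 contractor.jdoe 203.0.113.50 CONNECTED
2018-04-16T09:00:12 dr.lee 198.51.100.20 CONNECTED
2018-04-21T10:05:00 nurse.asmith 192.0.2.77 DENIED
"""


def stale_accounts(directory, terminations, as_of):
    """Accounts still enabled in the directory after their recorded last day."""
    return sorted(account for account, last_day in terminations.items()
                  if directory.get(account) and as_of > last_day)


def post_termination_sessions(log_text, terminations):
    """Successful remote sessions by terminated accounts after their last day.

    Returns (account, timestamp, source_ip, days_after_termination) tuples.
    A DENIED attempt is not reported here: it shows revocation worked, though
    it is still worth a separate alert as an attempted use of dead credentials.
    """
    hits = []
    for line in log_text.splitlines():
        ts, account, ip, result = line.split()
        when = datetime.fromisoformat(ts)
        last_day = terminations.get(account)
        if last_day is None or result != "CONNECTED":
            continue
        if when.date() > last_day:
            hits.append((account, ts, ip, (when.date() - last_day).days))
    return hits


if __name__ == "__main__":
    print("still enabled:", stale_accounts(DIRECTORY, TERMINATIONS, date(2018, 4, 30)))
    for account, ts, ip, days in post_termination_sessions(VPN_LOG, TERMINATIONS):
        print(f"{account} connected from {ip} at {ts}, {days} days after last day")
```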


Email Incidents Reported by Washington University School of Medicine & Oswego County Opportunities

Oswego County Opportunities (OCO) in New York has announced that a limited number of employee email accounts were recently accessed by an unknown actor. The security breach was identified when suspicious email activity was detected and the email accounts were immediately secured. Third-party cybersecurity experts were engaged to investigate the breach to determine the nature and scope of the attack, and what information, if any, had been accessed by the threat actor.

It was not possible to determine if any emails in the accounts had been viewed or obtained, but the review of the affected email accounts confirmed they contained the following types of information: names, addresses, Social Security numbers, driver’s license numbers, certain health information, and a very limited number of credit card numbers. The accounts also contained some employee information and information about vendors with connections to OCO.

The data breach has been reported to the HHS’ Office for Civil Rights as affecting 7,766 individuals. OCO said it has modified its email settings and controls to provide greater protection against cyberattacks of this nature.

Data Security Incident Reported by Washington University School of Medicine

Washington University School of Medicine in St Louis, MO, has recently announced that patient information has been exposed as a result of a recent data security incident. An unknown actor gained access to the email accounts of certain employees between March 4, 2022, and March 28, 2022.

A forensic investigation was conducted to determine if any emails or attachments were opened or obtained in the attack, but it was not possible to determine whether patient data had been accessed or stolen. A review of all affected emails and attachments was conducted and confirmed they contained patient information such as names, dates of birth, addresses, medical records, patient account numbers, clinical information, and, for a limited number of patients, health insurance information and/or Social Security numbers.

In response to the breach, enhancements have been made to email security and employee training has been reinforced on how to identify and avoid suspicious emails. At present the data breach has not appeared on the HHS’ Office for Civil Rights website, so it is unclear how many patients have been affected; however, the School of Medicine said the breach did not affect all patients and research participants.
