HIPAA Breach News

COVID-19 Vaccination Statuses of 500,000 VA Employees have been Impermissibly Disclosed

The COVID-19 vaccination statuses of approximately 500,000 Department of Veterans Affairs employees have been impermissibly disclosed. According to the VA, a spreadsheet containing employee names and their vaccination statuses was placed on SharePoint without appropriate access permissions being set and an email with a link to the spreadsheet was sent on behalf of the Veterans Health Administration (VHA) Healthcare Operations Center to VHA VISN directors, deputy network directors, administrative representatives, central office senior leaders, and healthcare ops controllers. The spreadsheet also included details of claimed religious and medical exceptions to COVID-19 vaccination.

The internal investigation conducted by the VA’s Data Breach Response Service concluded the information had been impermissibly disclosed and the spreadsheet was removed from SharePoint. The VA concluded that there was a low risk of misuse of that information.

Urology of Greater Atlanta Notifies Almost 80,000 Patients About August 2021 Data Breach

In October 2022, Urology of Greater Atlanta in Georgia reported a data breach to the HHS’ Office for Civil Rights that had affected 79,795 patients. At the time it was unclear exactly how that information was breached. Urology of Greater Atlanta has now confirmed that it was the victim of a cyberattack that was detected on August 29, 2021. According to the substitute breach notice recently added to the Urology of Greater Atlanta website, the forensic investigation revealed an unauthorized third party had access to its network between August 8 and August 29, 2021.

When the breach was detected, third-party forensics experts were engaged to investigate the breach and secure its systems. The investigation confirmed that the medical records database and billing/practice management system were not accessed; however, documents on the network were potentially viewed or obtained that included protected health information such as names, addresses, birth dates, ages, date(s) of service, patient account numbers, diagnoses and treatment information, medical histories, and similar information found in medical charts. In some cases, Social Security numbers, driver’s license numbers, or financial account information, were also exposed.

Urology of Greater Atlanta said it has been working extensively with third-party security experts to better protect its systems, and additional safeguards have now been put in place, including replacing certain components and changing remote access protocols. Notification letters are now being sent and complimentary identity theft protection services are being offered. Urology of Greater Atlanta said no evidence of misuse of patient information was identified. Urology of Greater Atlanta did not explain why it took 15 months to issue notifications.

Salud Family Health Reports Data Breach Affecting 80,000 Individuals

Salud Family Health, a Fort Lupton, CO-based Federally Qualified Health Center (FQHC) with 13 clinics in Colorado, has recently announced that an unauthorized third party gained access to its network. The intrusion was detected on September 5, 2022, and third-party computer specialists were engaged to investigate the nature and scope of the breach.

The investigation determined that files containing patient and employee information may have been viewed or stolen. The review of those files revealed they contained information such as names, Social Security numbers, driver’s license numbers, government-issued ID numbers, financial information, medical information, and health insurance information. Salud Family Health said impacted employees and patients have been offered free credit monitoring and identity fraud protection services.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, but the notification sent to the Texas Attorney General indicates up to 80,621 individuals have been affected.

Orlando Health Employee Email Account Breached

Orlando Health has recently notified 3,662 patients that some of their protected health information was stored in an employee’s email account that was accessed by an unauthorized individual. The email account was accessed between July 5, 2022, and July 13, 2022. Orlando Health said that based on the role of the employee, there was no expectation that the email account contained any patient information; however, the review of the contents of the account revealed on September 19, 2022, that emails and attachments in the account contained certain demographic and clinical information and, for certain patients, health insurance information and/or Social Security numbers.

It was not possible to tell which emails in the account were accessed or if any emails or attachments were downloaded. Notification letters started to be sent to affected individuals on November 18, 2022. The review of the emails is ongoing, and additional letters will be mailed to individuals who are later determined to have been affected. Complimentary credit monitoring and identity protection services have been offered to individuals who had their Social Security numbers exposed. Orlando Health said it is reinforcing education with its staff and is implementing additional security enhancements to its email environment.

The post COVID-19 Vaccination Statuses of 500,000 VA Employees have been Impermissibly Disclosed appeared first on HIPAA Journal.

CommonSpirit Health Says Patient Information Accessed in October 2022 Cyberattack

CommonSpirit Health has provided an update on its October 2022 ransomware attack and has confirmed that the threat actors behind the attack accessed files containing patient information.

The attack was detected by CommonSpirit Health on October 2, 2022, and action was immediately taken to secure its network. While the attack caused disruption at its healthcare facilities because systems were taken offline to contain the incident, CommonSpirit Health said there was no impact on clinical, patient care, and associated systems at Dignity Health, Virginia Mason Medical Center, TriHealth, or Centura Health facilities. The forensic investigation confirmed that the attackers had access to its network between September 16, 2022, and October 3, 2022.

CommonSpirit Health has now confirmed that the attackers gained access to parts of its network containing files that included the protected health information of patients of Franciscan Medical Group and Franciscan Health in Washington state, including patients that had received medical services at St. Michael Medical Center (formerly Harrison Hospital), St. Anne Hospital (formerly Highline Hospital), St. Anthony Hospital, St. Clare Hospital, St. Elizabeth Hospital, St. Francis Hospital, and St. Joseph Hospital. Those facilities are now known collectively as Virginia Mason Franciscan Health, which is an affiliated entity of CommonSpirit Health.

CommonSpirit Health has confirmed that the affected files contained the information of patients and their family members and caregivers, including names, addresses, phone numbers, birth dates, and unique internal patient identifiers. At this stage, no evidence has been found of attempted or actual misuse of the data stored on its systems.

CommonSpirit Health said the majority of EHRs across the CommonSpirit Health system are now back online and patient portals can now be accessed. The review of affected files is ongoing and it has yet to be confirmed how many individuals have been affected. CommonSpirit Health has recommended patients check their account statements for accuracy and should report any services or charges that were not incurred to their provider or insurance carrier.

OCR Confirms Use of Website and Other Tracking Technologies Without a BAA is a HIPAA Violation

The HHS’ Office for Civil Rights has issued a bulletin confirming that the use of third-party tracking technologies on websites, web applications, and mobile apps without a business associate agreement (BAA) is a HIPAA violation if the tracking technology collects and transmits individually identifiable health information. Even with a BAA in place, the use of the tracking technology may still violate the HIPAA Rules.

The bulletin has been issued in response to the discovery earlier this year that Meta Pixel tracking code was being extensively used on the websites of hospitals and that the code snippet transferred data to Meta, including sensitive patient data. These privacy breaches came to light during an investigation by The Markup and STAT, which found Meta Pixel had been added to the websites of one-third of the top 100 hospitals in the United States and, in 7 cases, the code had been added to password-protected patient portals. The study was limited to the top 100 hospitals, so it is likely that hundreds of hospitals have used the code and have – in all likelihood unwittingly – transferred sensitive data to Meta/Facebook without a business associate agreement in place and without obtaining patient consent.

Following the publication of the report, several lawsuits were filed against healthcare providers over these impermissible disclosures, with some plaintiffs claiming the information disclosed on the websites of their healthcare providers had been transferred to Meta and was used to serve them targeted advertisements related to their medical conditions. The news came as a shock to healthcare providers, triggering investigations and recent data breach notifications; however, despite the widespread use of the tracking code, only a handful of hospitals and health systems have reported the breach and sent notifications so far. The bulletin from the HHS is likely to trigger a flurry of breach notifications as providers realize that the use of Meta Pixel and other tracking code constitutes a HIPAA violation.

What are Tracking Technologies?

Tracking technologies are commonly snippets of code that are added to websites, web applications, and mobile apps for tracking user activity, typically for determining the journeys of users while using websites and monitoring their on-site interactions. The data collected by these technologies can be analyzed and used to improve the services provided through the websites and applications and enhance the user experience, which benefits patients. While there are benefits to individuals from the use of this code, there is also considerable potential for harm to be caused, as in addition to providing a HIPAA-regulated entity with useful information, the data collected through these technologies is usually transmitted to the vendor.

For instance, if a female patient arranged an appointment on the website of a healthcare provider to discuss the termination of a pregnancy, the tracking technology on the site could transmit that information to the vendor, which could subsequently disclose it to other third parties, including law enforcement. Information disclosed in confidence by a patient on a website or in a web application could be transferred to a third party and used for fraud, identity theft, extortion, stalking, harassment, or to promote misinformation.

In many cases, these tracking technologies are added to websites and applications without the knowledge of users, and it is often unclear how any disclosed information will be used by a vendor and to whom that transmitted information will be disclosed. These tracking technologies often use cookies and web beacons that allow individuals to be tracked across the Internet, allowing even more information to be collected about them to form detailed profiles. When tracking technologies are included in web applications, they can collect device-related information, including location data which is tied to a unique identifier for that device, through which a user could be identified.

All Tracking Technologies Must be HIPAA Compliant

There is nothing in HIPAA that prohibits the use of these tracking technologies, but the HIPAA Rules apply when third-party tracking technologies are used, if the tracking technology collects individually identifiable information that is protected under HIPAA and if it transmits that information to a third party, be that the vendor of the tracking technology or any other third-party. If the tracking technology collects any identifiers, they are classed as protected health information because the information connects the individual to the regulated entity, indicating the individual has received or will receive health care services or benefits from the regulated entity, and that relates to the individual’s past, present, or future health or health care or payment for care.

There is an elevated risk of an impermissible disclosure of PHI when tracking technology is used on patient portals or any other pages that require authentication as these pages usually have access to PHI. If tracking code is added to these pages it must be configured in a way to ensure that the code only uses and discloses PHI in compliance with the HIPAA Privacy Rule, and that any information collected is secured in a manner compliant with the HIPAA Security Rule. Tracking code on unauthenticated pages also has the potential to have access to PHI. The same applies to tracking technologies within a HIPAA-regulated entity’s mobile apps, if it collects and transmits PHI. OCR confirmed that only mobile apps offered by healthcare organizations are covered by HIPAA. HIPAA does not apply to third-party apps that are voluntarily downloaded by individuals, even if the apps collect and transmit health information.

“Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules,” explained OCR in the bulletin.

The OCR bulletin confirms that if tracking technologies are used, the provider of that code – which includes Meta Platforms (Meta Pixel) and Google (Google Analytics) – would be classed as a business associate and must enter into a business associate agreement (BAA) with the HIPAA-regulated entity before the code can be added to a website or application. The BAA must state the responsibilities of the vendor with respect to the PHI and specify the permitted uses and disclosures of that information. If the vendor will not sign a BAA, PHI cannot legally be provided to that vendor, therefore the code cannot be used or must be configured in a way that it does not collect or transmit PHI. OCR also confirmed that if a vendor states that they will strip out any identifiable information prior to saving or using the transferred data, such a disclosure to the vendor would still only be permitted if a BAA was signed and if the HIPAA Privacy Rule permits such a disclosure.

Other potential violations of HIPAA could occur. If any PHI is disclosed to a vendor, it must be in line with the organization’s privacy policy and be detailed in their Notice of Privacy Practices. It is important to note that simply stating that tracking technology is used in a notice of privacy practices is not sufficient by itself to ensure compliance. In addition to a BAA, any disclosure of PHI for a purpose not expressly permitted by the HIPAA Privacy Rule requires a HIPAA-compliant authorization from a patient, giving their consent to disclose that information. Website banners that ask a website visitor to consent to cookies and the use of web tracking technologies do not constitute valid HIPAA authorizations.

Actions HIPAA-Regulated Entities Should Take Immediately

In light of the bulletin, HIPAA-regulated entities should read it carefully to make sure they understand how HIPAA applies to tracking technologies. They should also conduct a review of any tracking technologies that they are using on their websites, web applications, or mobile apps to ensure those technologies are being used in a manner compliant with the HIPAA Rules. If they are not already, website tracking technologies must be included in a HIPAA-regulated entity’s risk analysis and risk management processes.

It is important to state that a tracking technology vendor is classed as a business associate under HIPAA, even if a BAA is not signed. As such, any disclosures to that vendor would be classed as an impermissible disclosure of PHI without a BAA in place, and the HIPAA-regulated entity would be at risk of fines and other sanctions if PHI is transmitted without a signed BAA.

If during the review a HIPAA-regulated entity discovers tracking technologies are being used in a manner not compliant with the HIPAA Rules, or have been in the past, then the HIPAA Breach Notification Rule applies. Notifications will need to be sent to OCR and the individuals whose PHI has been impermissibly disclosed.
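To build the inventory the bulletin calls for, the following added example (not code from HIPAA Journal, OCR, or any tracking vendor) scans saved page source for the loader URLs and initialisation calls of the two trackers named in the bulletin and labels the risk by whether the page sits behind a login. The signatures are the vendors' public endpoints; the sample pages, the paths, the pixel ID and the risk labels are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Signatures are matched against <script>/<img>/<iframe> src URLs and inline
# script bodies. Hostnames are the vendors' public loader and beacon endpoints;
# the fbq()/gtag() forms catch the inline initialisation calls.
TRACKER_SIGNATURES = [
    ("Meta Pixel", re.compile(r"connect\.facebook\.net/[^/'\"]+/fbevents\.js")),
    ("Meta Pixel", re.compile(r"\bfbq\s*\(\s*['\"]init['\"]")),
    ("Meta Pixel", re.compile(r"facebook\.com/tr\?")),  # <noscript> image beacon
    ("Google Analytics", re.compile(r"googletagmanager\.com/gtag/js")),
    ("Google Analytics", re.compile(r"google-analytics\.com/(?:analytics|ga)\.js")),
    ("Google Analytics", re.compile(r"\bgtag\s*\(\s*['\"]config['\"]")),
]


class _ScriptCollector(HTMLParser):
    """Collect external resource URLs and inline <script> bodies from a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []          # src attributes of <script>, <img>, <iframe>
        self.inline = []        # bodies of inline <script> elements
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img", "iframe") and a.get("src"):
            self.srcs.append(a["src"])
        if tag == "script" and not a.get("src"):
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


def find_trackers(html):
    """Return a sorted list of (vendor, matched evidence) pairs for one page."""
    collector = _ScriptCollector()
    collector.feed(html)
    hits = set()
    for text in collector.srcs + collector.inline:
        for vendor, pattern in TRACKER_SIGNATURES:
            m = pattern.search(text)
            if m:
                hits.add((vendor, m.group(0)))
    return sorted(hits)


def audit_site(pages):
    """pages maps a path to (requires_auth, html). Returns findings per page.

    A tracker on an authenticated page (patient portal) is flagged high, since
    such pages almost always handle PHI; trackers on unauthenticated pages are
    flagged for review, because booking and search pages can disclose PHI too.
    """
    findings = {}
    for path, (requires_auth, html) in pages.items():
        trackers = find_trackers(html)
        if not trackers:
            continue
        risk = "high" if requires_auth else "review"
        findings[path] = {"risk": risk, "trackers": trackers}
    return findings


# Constructed sample pages (not real hospital pages): a public home page with a
# Google Analytics tag, a portal page with the Meta Pixel, and a clean page.
SAMPLE_PAGES = {
    "/": (False, "<html><head>"
          "<script async src='https://www.googletagmanager.com/gtag/js?id=G-TEST'></script>"
          "<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}"
          "gtag('js',new Date());gtag('config','G-TEST');</script>"
          "</head><body>Welcome</body></html>"),
    "/portal/appointments": (True, "<html><head>"
          "<script>!function(f,b,e,v){var t=b.createElement(e);t.async=!0;t.src=v;b.head.appendChild(t)}"
          "(window,document,'script','https://connect.facebook.net/en_US/fbevents.js');"
          "fbq('init','1234567890');fbq('track','PageView');</script></head>"
          "<body><noscript><img height='1' width='1' style='display:none' "
          "src='https://www.facebook.com/tr?id=1234567890&ev=PageView&noscript=1'/></noscript>"
          "Book an appointment</body></html>"),
    "/about": (False, "<html><body><script src='/static/app.js'></script>About us</body></html>"),
}

if __name__ == "__main__":
    for path, finding in audit_site(SAMPLE_PAGES).items():
        print(f"{path}: {finding['risk']}")
        for vendor, evidence in finding["trackers"]:
            print(f"    {vendor}: {evidence}")
```

Run it against page source saved from each site, including portal pages fetched with a test account. A static scan misses trackers injected at runtime by a tag manager or by a vendor script that loads further scripts, so the inventory should also be checked against the browser's network traffic from a logged-in session, and the review must separately cover the organisation's mobile apps, which this script does not touch.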

Hacking and IT Incidents Affect 563,000 Patients and Health Plan Members

Health Care Management Solutions LLC, a West Virginia-based consulting company focused on improving care quality for vulnerable populations including veterans, has recently reported a data breach to the HHS’ Office for Civil Rights that has affected up to 500,000 individuals.

Little is currently known about the data breach as the company has yet to publicly announce the breach. There is no substitute breach notice on the company website. The OCR breach summary indicates this was a hacking incident affecting its network server(s). The extent to which protected health information has been compromised is not yet known. Notifications were issued on November 14, 2022.

This post will be updated as and when further information about the incident becomes available.

Stanley Street Treatment and Resources Discloses October 2021 Data Breach

The Fall River, MA-based addiction and treatment center, Stanley Street Treatment and Resources, Inc. (STAR), has recently announced a data breach that occurred more than a year ago in October 2021. According to the STAR substitute breach notice, the breach was detected in September 2022. An unauthorized individual was found to have gained access to its network and downloaded files containing the protected health information of 45,785 patients. The files included names, Social Security numbers, government ID numbers, financial account information, dates of birth, dates of service, health insurance information, and medical information.

At the time of issuing notification letters, STAR said it was unaware of any cases of misuse of patient information. STAR said it continuously evaluates and modifies its practices to ensure the privacy and security of patient information and will continue to do so in the future.

California Health Insurance Agency Suffers Data Breach Affecting 14,600 Patients

The health insurance agency, CCA Health California, has announced that the protected health information of 14,631 members of the Vitality Health Plan of California has potentially been compromised. CCA Health California acquired Vitality Health Plan of California earlier this year.

CCA Health California discovered the data breach in September 2022. Unauthorized individuals had gained access to systems containing files that included protected health information and removed some of those files between May and September this year. It was not possible to determine which specific files were accessed or downloaded, but a review of all files that could potentially have been copied confirmed they contained the following types of information: names, Social Security numbers, dates of birth, diagnosis and treatment information, demographic information, medical record numbers, passport numbers, health insurance information, provider names, lab results, and prescription information.

CCA Health California said security safeguards have been enhanced to prevent similar breaches in the future and monitoring capabilities have been enhanced.

Health Plan Member Data Potentially Compromised in Innovative Service Technology Management Services Ransomware Attack

Innovative Service Technology Management Services, a Georgia-based outsourcing company, has suffered a ransomware attack. A threat actor gained access to its systems and potentially removed files on June 3, 2022. The files that may have been accessed or copied included the protected health information of members of its health plan. A detailed review of the files was completed on October 17, 2022, and confirmed they contained the PHI of 2,654 individuals, including names, financial account information, and other personal information. In response to the breach, a global password reset was performed and all critical applications were updated. Affected individuals have been offered complimentary membership to the Experian IdentityWorks identity theft protection service.

One Brooklyn Health Dealing with Ongoing Cyber Incident

One Brooklyn Health System is currently dealing with a cyberattack that has caused disruption at its three hospitals – Interfaith Medical Center, Brookdale Hospital Medical Center, and Kingsbrook Jewish Medical Center. Little information has been released about the attack so far, which is believed to have occurred on or just before November 19. That was the date when the health system shut down its network, which has remained offline for more than a week.

The New York Post reports that the cyberattack has prevented hospital staff from accessing the electronic medical record system, so patient information has been recorded using pen and paper while the hospitals operate under emergency procedures. The decision was taken to reroute ambulances to other facilities, although communication with other hospitals in the area appears to have been non-existent. The health system also reportedly failed to notify New York Fire Department ambulance services that emergency cases were to be sent to alternative facilities.

“We are aware of the incident, and we are working with One Brooklyn Hospital Network to ensure patient safety. As this is an ongoing investigation, we cannot comment further,” said New York Department of Health spokesman Jeffrey Hammond.

One Brooklyn Health has engaged third-party experts to help investigate the nature and scope of the attack and to assist with bringing IT systems back online. Some systems are now back online and there is now limited access to its electronic medical record system and some other clinical applications. One Brooklyn Health issued a statement confirming that patient care has been unaffected by the security breach and that, while ambulances were rerouted, appointments have not had to be canceled. At this stage of the breach response, it is too early to tell if, and to what extent, patient information has been affected.

Mena Regional Health System Breach Affects Almost 85,000 Patients

Mena Regional Health System (MRHS) in Arkansas announced on November 22, 2022, that an unauthorized third party gained access to its network and exfiltrated files containing the protected health information of 84,814 patients.

MRHS did not explain in its substitute breach notice when hackers first gained access to its network but said the intrusion was discovered on November 8, 2022. The investigation revealed files were exfiltrated from its network more than a year previously, on or around October 30, 2021. MRHS provided no explanation as to why it took so long to discover the breach.

The review of the files confirmed they contained full names, dates of birth, Social Security numbers, driver’s license/government identification numbers, financial account information, medical record/patient account numbers, medical diagnosis/treatment information, medical provider names, lab results, prescription information, and health insurance information.

MRHS said it is unaware of any attempted or actual misuse of patient information and that “out of abundance of caution” notification letters are being sent to affected individuals. That process commenced on November 22, 2022. Individuals whose Social Security numbers were compromised have been offered complimentary credit monitoring services. Security processes are being reviewed and will be updated to enhance the privacy and security of patient information.

Patient Information Stolen in Dallam Hartley Counties Hospital District Cyberattack

Dallam Hartley Counties Hospital District in Texas has recently confirmed that it suffered a cyberattack in late September and that the third party behind the attack was able to obtain files that contained the protected health information of 69,835 patients. The incident was detected on September 28, 2022, with the investigation confirming its network was first accessed by unauthorized individuals the previous day, with access continuing until its systems were secured on September 28.

A review of the files exfiltrated from its system confirmed they contained patient names, Social Security numbers, health insurance information, demographic information, and limited medical information. Medical records remained secure and were not accessed during the incident. Credit monitoring and identity theft protection services have been offered to affected individuals and steps are being taken to enhance the security of its IT systems. Notification letters were sent to affected patients on November 23, 2022.

119 Pediatric Practices Affected by Breach at EHR Vendor – 2.2 Million Patients Affected

Connexin Software Inc., which provides electronic medical records and practice management software (Office Practicum) to pediatric physician practice groups has recently confirmed that it was the victim of a cyberattack in which an unauthorized third party gained access to its internal computer network.

While the electronic medical record system was not accessed in the attack, and none of its client databases, systems, or medical records were accessed, the threat actors did access parts of its network that contained the protected health information of patients of its clients. The substitute breach notice indicates 119 pediatric healthcare providers were affected by the breach.

Connexin Software reported the breach to the HHS’ Office for Civil Rights as affecting 2,216,365 patients. At least one healthcare provider client has reported the breach separately (Forest Hill Pediatrics – 4,958 records), so the total may well be higher if other providers also choose to report the breach themselves.

Connexin Software said a data anomaly was detected within its network on August 26, 2022, which prompted an immediate investigation into the suspicious activity. A third-party forensics company was engaged to assist with the investigation and determine the nature and scope of the incident. Connexin Software learned on September 13, 2022, that an unauthorized third party had accessed its network, which included an offline set of patient data that had been created for data conversion and troubleshooting. Some of that data was exfiltrated in the attack, although at the time of issuing notifications, no misuse of that data had been identified.

When the breach was detected, a password reset was performed for all corporate accounts. The offline data that was used for data conversion and troubleshooting has now been moved to a different part of the network that has greater security. Security and monitoring have also been stepped up to prevent similar breaches in the future.

Children’s protected health information is especially valuable to cybercriminals, as it can often be misused for long periods of time before that misuse is detected. Victims of this breach have been advised to closely monitor credit reports and statements from providers for signs of misuse. In cases where a child’s Social Security number was exposed or stolen, child identity monitoring services have been offered for 12 months.

Practices confirmed as being affected by the breach are listed below, in alphabetical order.

ABC Pediatrics Practice, PC
Academy Pediatrics, PA
Advanced Care Pediatric Centre, PLLC
Alice Tanner, M.D., PC
All Star Pediatrics, LLC
Angel Kids Pediatrics
Arlington Pediatric Partners, PLLC d/b/a Kids Docs Pediatrics
Ascension Medical Group f/k/a Pediatric Associates, PA
August Pediatrics, PA
Austex Pediatrics, PA
Bristow Pediatrics, PLLC
Cecilia A Nwankwo, M.D. FAAP, PC
Carolina Pediatrics and Adolescent Care, PA
Casey Thomas Mulcihy Austin Texas, PA
Central Coast Pediatrics, Inc.
Children’s Clinic, Ltd.
Children’s Health Center of Columbus, Inc.
Children’s Health of Ocala, PA
Children’s Mercy – Pediatric Partners, Inc.
Children’s Mercy – Shawnee Mission Pediatrics
Children’s Pediatric Center Northside, LLC
Community Pediatrics, SC
Cordova Pediatrics, PLLC
Crockett Kids Pediatrics, PC
Discovery Pediatrics, Inc.
Dr. Michael J Ulich Pediatrics, LLC
Drexel Hill Pediatric Associates, PC
Eastern Carolina Pediatrics, PA
Eastern Shore Children’s Clinic, PC
Ekta Khurana, M.D., PLLC
Emily B. Vigour, M.D., LLC d/b/a Vigour Pediatrics
Ennis Pediatric and Adolescent Health Care, PA
Forest Hill Pediatrics, LLC
Fox Pediatrics, PLLC
Fraser-Branche Medical, PLLC
Gaurang Patel, M.D., LLC
Gold Pediatrics, PA
Goldsboro Pediatrics, PA
Goodlettsville Pediatrics, PC
Graham Pediatrics of Woodstock, LLC
Great Bend Children’s Clinic, PA
Harbor Pediatrics, PS
Hatboro Pediatrics, PC
Hawthorne Pediatrics, LLC
Hebron Pediatrics, LLC
Heights Pediatrics, PC
Helena Pediatric Clinic, PC
Holmdel Pediatrics, LLC
Honeygo Pediatrics, LLC
Jackson Pediatric Associates, PA
Jaleh Niazi, M.D., PC d/b/a New Day Pediatrics
James A. Weidman, AMC
Jose F. Alvarado & Associates, PA
Kate Bowers, M.D., PLLC d/b/a Firefly Pediatrics
Kerrville Pediatrics, PLLC
Kids First Pediatric Care, PA
MD Kids Kare Pediatrics, PLLC
Kids World Pediatrics, LLC
Kidswood Pediatrics, Inc.
Kidzcare Pediatrics, PC
KION Pediatrics, PLLC
Kressly Pediatrics, PC
Lilac City Pediatrics, PA
Madison Pediatric Associates, PC
Maria Luisa Lira, M.D., PA
Mariano D. Cibran, M.D., Inc. d/b/a St. Petersburg Pediatrics
Maryland Pediatric Care, LLC
Maryvale Pediatric Specialists, LLC
Mayura Madani, M.D., PLLC
McComb Children’s Clinic, Ltd.
Northeast Pediatric Night Clinic, Inc.
Oregon City Pediatrics
Orland Children’s Center, Inc.
Passaic Pediatrics II, PA
Pediatric Associates, PSC
Pediatric Associates of Lawrenceville, LLC
Pediatric Care Center No. 2, Inc.
Pediatric Center for Wellness, PC
Pediatric Health Center of El Paso
Pediatric Healthcare Associates of McKinney
Pediatric Medicine of Cartersville, PC
Pediatric MultiCare West, LLC
Pediatric Physicians of Reston, PC
Pediatrics East, PC
Peds First Pediatrics
Pensacola Pediatrics PA
Petoskey Pediatrics PC
Phillips Pediatrics, PC
Premiere Pediatrics, PLLC
QC Kidz Pediatrics, PLLC
Rachel Z. Chatters, M.D., Inc
Raleigh Group, PC
Rankin Children’s Group, PLLC
Raza Ali, MD, PC
Reading Pediatrics, Inc.
Renaissance Pediatrics, P.C.
Ruth Agwuna, M.D.
Samuel R Williams, M.D., PA
San Marino Pediatric Associates
SchoolCare, Inc. f/k/a CareDox, Inc.
SCS LLC d/b/a Bayshore Pediatrics
Sistema Infantil Teleton USA, Inc. a/k/a CRITS
South River Pediatrics, LLC
Springfield Medical, LLC
Sumter Pediatrics, LLC
Texoma Pediatrics, PLLC
The Pediatric & Adolescent Clinic, Inc.
The Pediatric Center of Frederick, LLC
Thomasville-Archedale Pediatrics, PLLC
Thompson River Pediatrics and Urgent Care, LLC
Valley Children’s Medical Group
Virginia Pediatric Group, Ltd.
Watch Us Grow Pediatrics, PC
We Care Pediatrics, PC
Wee Tots Pediatrics, PA
Westview Pediatric Care, LLC
Winsted Pediatrics
Yazji Pediatrics
Zero Pediatrics, PLLC

The post 119 Pediatric Practices Affected by Breach at EHR Vendor – 2.2 Million Patients Affected appeared first on HIPAA Journal.

Unsecured Database Exposed 16,000+ Children’s Records

A database containing the personally identifiable information (PII) of more than 16,000 children has been exposed over the Internet and could be accessed without a password or any other form of authentication. The database was found by security researcher Jeremiah Fowler and the Website Planet team and was traced to Tridas Group LLC. Tridas Group is the developer of Tridas eWriter, a web-based software solution that allows parents and teachers to rapidly complete interviews to facilitate the diagnosis and management of children with developmental and behavioral issues.

Fowler sampled 1,000 records and said all of the records contained at least some form of PII of children, with each of the records having a unique patient ID number. The records also included names, birth dates, home addresses, school attended, special needs, medical diagnoses, and details of behavioral or social problems. The records appeared to be questionnaires that had been completed by parents ahead of their first evaluation appointment.

According to the Website Planet report, the database could be accessed by anyone “through a misconfigured IP that showed the host domain, login portal, and where the data was stored.” The researchers were unable to determine how long the records had been exposed or whether they had been accessed by unauthorized individuals. There were no indications that the database contained test data or dummy records, and in many cases the records described behavioral problems in great detail. According to the Tridas website, the Tridas Center closed on December 31, 2019. Further details can be found in the Website Planet report.

South Walton Fire District Ransomware Attack Affects Up to 25,331 Individuals

South Walton Fire District in Florida has recently announced that it was the victim of a ransomware attack in late May 2022. The fire district, which provides fire protection and emergency medical services, discovered on May 30 that an unauthorized third party had gained access to its computer network. Assisted by third-party cybersecurity experts, the fire district learned that the threat actor had access to parts of the network that contained information protected under HIPAA, including names, addresses, Social Security numbers, dates of birth, treatment dates, medical diagnostic and treatment information, and health insurance information.

The investigation and subsequent verification of contact information for affected individuals were completed in October 2022. Notification letters have now been sent to affected individuals, who have been offered complimentary credit monitoring and identity theft protection services. The fire district confirmed that it was able to secure its digital environment without paying the ransom demand and has implemented additional layers of security to prevent further incidents in the future.

The breach has been reported to the HHS’ Office for Civil Rights as affecting 25,331 individuals.


PHI Potentially Compromised in Ransomware Attacks at MD, TX, and FL Healthcare Providers

Woodlawn, MD-based Hope Health Systems Inc. has recently announced that it was the victim of a ransomware attack. The attack was detected on June 20, 2022, and third-party forensics experts were engaged to investigate the incident and determine the scope of the attack.

The investigation revealed that an unauthorized third party first accessed its systems on June 10, 2022, several days before using ransomware to encrypt files. No evidence of data theft was identified; however, on or around August 24, 2022, the forensic investigation concluded that data theft could not be ruled out. It took until October 18, 2022, to review all files on the compromised part of the network and determine who had been affected.

Hope Health Systems says the protected health information of up to 9,972 patients was stored on the compromised systems, and included names, addresses, dates of birth, Social Security numbers, driver’s license numbers, health insurance information, and medical information. Hope Health Systems said it is evaluating its existing cybersecurity policies, procedures, and processes to determine where improvements can be made to prevent similar incidents in the future. Notifications were sent to affected individuals on November 21, 2022.

Ransomware Attack Affects Patients of Disability Services of the Southwest

The Texas-based home healthcare provider, Disability Services of the Southwest, has recently confirmed that unauthorized individuals gained access to its employment and training website and potentially obtained client information.

The website was operated by vendor Intermap Holdings. Unauthorized individuals gained access to the platform provider’s system on September 28, 2022, and used ransomware to encrypt files. Intermap Holdings was able to contain and block the attack on the same day; however, it is possible that during that short window of opportunity, sensitive data may have been viewed or obtained, although no evidence of unauthorized access or data theft was identified.

Affected individuals had either submitted an employment application, in which case their name, phone number, email address, and details of the job and location they were applying for may have been accessed, or were current or past employees, whose name, address, phone number, employee ID, and training history may have been compromised. No financial information or Social Security numbers were affected, as they were stored on a separate system.

Disability Services of the Southwest said the platform provider has removed the malware and is actively monitoring its platform for signs of intrusion. The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Oceansview Optical Ransomware Attack Affects 2,000 Patients

Oceansview Optical in Sebastian, FL, has recently announced that part of its database was encrypted in a ransomware attack. The attack was detected on October 8, 2022, when its office software was shut down. The investigation revealed parts of its database had been encrypted using Venus ransomware, and two external hard drives and the backup server were corrupted. Paper charts had to be used for 9 days while systems were rebuilt.

The ransom was not paid, and without access to backups, it was not possible to restore the encrypted parts of the database from July 2021 to October 8, 2022. A copy of the encrypted database has been retained and it is hoped it can be recovered at some point in the future when a decryptor is made available for Venus ransomware.

In a detailed and candid breach notification, Jennifer L. Loar, OD, said the intention of the attack appeared to be to corrupt data and prevent access, so data exfiltration is unlikely; however, exfiltration could not be ruled out. The types of information potentially compromised included names, nicknames, addresses, phone numbers, email addresses, birth dates, ethnicity, preferred language, insurance information, diagnoses, medications, medication allergies, reports, and eyeglass and contact lens orders.

The attack has been reported to all appropriate authorities, including the HHS, CISA, and the FBI. New anti-ransomware software has been deployed along with new backup infrastructure, which the FBI has verified as providing very good security.

PHI Potentially Compromised in Cyberattack on The Stern Cardiovascular Foundation

The Stern Cardiovascular Foundation (SCF) has recently announced that it experienced a data security incident on September 6, 2022, that caused disruption to certain parts of its computer network. The Germantown, TN-based healthcare provider said it aggressively responded to the incident and engaged third-party technical experts to assist with the breach response and help mitigate and investigate the attack.

It was possible to quickly restore access to all computer systems, and the attack did not disrupt patient services. On September 13, 2022, SCF learned that the individuals behind the attack first gained access to its systems on September 4, 2022, and retained access until September 6. During that time, they may have viewed and/or exfiltrated data, including the personal and health data of patients and other individuals associated with SCF.

The investigation into the attack is ongoing, but there are no indications that the electronic medical record system was accessed. At this stage, it has yet to be confirmed how many individuals have been affected or the exact types of information that may have been compromised. The breach has been reported to the HHS’ Office for Civil Rights as affecting 501 individuals – a placeholder until the full extent of the data breach is confirmed. SCF said it has been working with external cybersecurity experts to remediate the attack and harden its defenses.

University Medical Center of Southern Nevada Alerts Patients About Insider Data Breach

University Medical Center (UMC) of Southern Nevada has recently written to 1,861 patients to advise them that a former employee had accessed their medical records when there was no legitimate work reason for doing so. UMC identified the HIPAA breach during a September 2022 review of medical record access.

The investigation confirmed that the employee had accessed patient records on the electronic medical record system between May 19, 2021, and September 22, 2022. The records contained demographic, insurance, and clinical information. UMC said the individual is no longer employed by UMC and no evidence was found to indicate any information has been copied, misused, or further disclosed. Policies have since been updated to prevent similar incidents in the future and further training has been provided to the workforce.

PrimeCare Medical Affected by CorrectCare Integrated Health Breach

Pennsylvania-based PrimeCare Medical, a provider of healthcare services to inmates of correctional facilities, has confirmed that some of the patients it serves have been affected by a breach at its third-party administrator, CorrectCare Integrated Health. A misconfiguration of a web server resulted in two file directories being exposed to the public Internet, which contained patient data such as full names, birth dates, Social Security numbers, DOC IDs, and limited health information, such as a diagnosis and CPT codes.

The exposed files were discovered on July 6, 2022, and were secured within 9 hours. They had been exposed from as early as January 2022 and may have been accessed by unauthorized individuals during that time. Third-party experts have been helping CorrectCare improve the security of its systems to better protect client information.

PrimeCare Medical says the protected health information of 22,254 individuals was exposed. Those individuals received healthcare services between July 1, 2018, and July 7, 2022.


Gateway Rehabilitation Center Reports Cyberattack Affecting 130,000 Patients

Pennsylvania-based Gateway Rehabilitation Center (Gateway Rehab) has recently announced that it experienced “an incident disrupting access to certain systems.” The incident in question was detected by Gateway Rehab on June 13, 2022. Immediate action was taken to prevent further unauthorized access to its systems and a digital forensics firm was engaged to investigate the breach. The forensic investigation concluded on July 8, 2022, that the individuals behind the attack may have accessed or obtained patients’ information. The breach has recently been reported to the HHS’ Office for Civil Rights as involving the protected health information of up to 130,000 patients.

The types of information compromised in the attack included names, birth dates, Social Security numbers, driver’s license numbers, state ID numbers, financial account and/or payment card numbers, medical information, and health insurance information. While Gateway Rehab did not disclose the exact nature of the attack, it was a BlackByte ransomware attack. Samples of files stolen in the attack were posted on the group’s data leak site, as confirmed by databreaches.net.

According to Gateway Rehab, the review of all affected files was completed on September 21, 2022, and patients were notified on November 18, 2022. The substitute breach notice on the Gateway Rehab website makes no mention of credit monitoring and identity theft protection services. Gateway Rehab did state that steps have been taken to prevent similar incidents in the future.

Former Kaiser Permanente Employee Impermissibly Accessed Patient Information

Kaiser Foundation Health Plan of the Mid-Atlantic States, Inc. has recently announced that an employee was discovered to have impermissibly accessed the protected health information of certain Kaiser Permanente patients. The unauthorized access was detected on September 21, 2022, with the investigation confirming that parts of the medical records of 8,556 patients had been accessed by the employee outside the scope of their job functions.

The types of information accessed included demographic information such as names, medical record numbers, addresses, email addresses, telephone numbers, birth dates, and some medical information, including medical images. Social Security numbers and financial information were not viewed.

According to the substitute breach notice, the individual is no longer employed by Kaiser Permanente and the investigation found no evidence to suggest that any of the viewed information was copied, misused, or further disclosed. Kaiser Permanente says it is reviewing its policies and procedures concerning access to patients’ medical records.

Impermissible Disclosure of PHI Reported by Yakima Neighborhood Health Services

Yakima Neighborhood Health Services (YNHS) in Washington state has recently reported an incident that resulted in an impermissible disclosure of the protected health information of 2,689 individuals. On October 4, 2022, a file containing patient information was mistakenly distributed to an individual who was not authorized to receive the information. The file contained information such as names, birth dates, medical record numbers, and treatment locations.

YNHS said as soon as the incident was detected, steps were taken to ensure the misdirected file was deleted, and there are no indications that any of the information in the file has been misused. It took until November 10, 2022, to verify up-to-date contact information for affected individuals, and they have now been notified about the privacy breach. Steps have also been taken to prevent incidents such as this from occurring in the future.

DOCS Medical Group Victim of Ransomware Attack

DOCS Medical Group in Connecticut has recently confirmed that the protected health information of up to 3,146 individuals was potentially compromised in a ransomware attack. The attack was detected on September 7, 2022, and was rapidly blocked; however, the server that was attacked contained the protected health information of patients, including names, contact information, medical histories, reason for visiting, Social Security numbers, health insurance information, and some financial information. DOCS Medical Group said its electronic medical record and billing systems were not affected, and medical services were unaffected by the incident.
