HIPAA Breach News

Eye Care Leaders Hack Impacts Tens of Thousands of Patients

Unauthorized individuals have gained access to the systems of Eye Care Leaders, a provider of electronic health records and patient management software solutions for eye care practices. On or around December 4, 2021, hackers gained access to its myCare Identity solution and deleted databases, systems configuration files, and data.

Eye Care Leaders said its incident response team immediately stopped the unauthorized activity when the breach was detected and launched an investigation into the security breach. The investigation is ongoing, but notifications have now been sent to affected ophthalmology and optometry practices.

While the investigation has not uncovered evidence to suggest the attackers viewed or exfiltrated sensitive data, the possibility of unauthorized data access and theft could not be ruled out. The types of information that have been exposed include patient names, dates of birth, medical record numbers, health insurance information, Social Security numbers, and information regarding the care received at the affected eye care practices. The breach was confined to the myCare Identity solution. The systems of eye care providers that use the solution were not compromised. It is currently unclear how many individuals have been affected by the breach. The Eye Care Leaders website states that it provides software solutions to more than 9,000 ophthalmologists and optometrists.

Kirkland, WA-based EvergreenHealth has also been affected. It sent notifications to 20,533 patients on April 22, 2022, and confirmed that the breach only affected data related to the EvergreenHealth Eye Care Clinic. If any non-eye care medical services had been received at EvergreenHealth, the information would not have been stored in the affected system. EvergreenHealth said it is examining its relationship with Eye Care Leaders and assessing the security safeguards that have been implemented.

Nashville, TN-based Summit Eye Associates sent notifications to affected patients on April 28, 2022, and has reported the breach to the HHS’ Office for Civil Rights as affecting up to 53,818 individuals.

The post Eye Care Leaders Hack Impacts Tens of Thousands of Patients appeared first on HIPAA Journal.

Hacking Incidents Reported by Illinois Gastroenterology Group & the Mental Health Center of Greater Manchester

Illinois Gastroenterology Group has recently announced that unauthorized individuals gained access to its computer environment and potentially accessed and exfiltrated sensitive patient data. The cyberattack was detected on October 22, 2021, when suspicious activity was identified within its computer network.

Third-party cybersecurity specialists were engaged to investigate the attack and determine the nature and scope of the incident. On November 18, 2021, Illinois Gastroenterology learned that the parts of its systems that were accessed by unauthorized individuals contained patient information such as names, addresses, birth dates, Social Security numbers, driver’s license numbers, passport numbers, financial account information, payment card information, employer-assigned identification numbers, medical information, and biometric data.

Illinois Gastroenterology said it was not possible to rule out unauthorized viewing or theft of files containing patient data, but at the time of issuing notification letters, no reports had been received to suggest any fraudulent misuse of the impacted information. The review of the affected files was completed on March 22, 2022, and notification letters have now been sent to affected individuals.

In response to the breach, policies and procedures related to network security were reviewed and augmented, the implementation of an enhanced managed Security Operations Center was accelerated, and multi-factor authentication has been implemented. While the security breach was not confirmed as involving ransomware, Illinois Gastroenterology said a new endpoint detection and response platform has been deployed that has policies enabled specifically for ransomware.

The data breach has recently been reported to the HHS’ Office for Civil Rights as affecting up to 227,943 patients.

Data of Patients of the Mental Health Center of Greater Manchester has been Exposed

The Mental Health Center of Greater Manchester (MHCGM) in New Hampshire has announced that patient data was potentially compromised in a cyberattack at a third-party community mental health services partner, Center for Life Management (CLM), which was used for data storage.

On February 21, 2022, CLM’s systems were accessed by an unauthorized individual. The attack was detected on February 23, 2022, and systems were immediately secured to prevent further unauthorized access. The breach was confined to CLM’s systems and the security of MHCGM’s systems was not affected.

CLM investigated the incident and it was confirmed on April 11, 2022, that the attackers potentially accessed and exfiltrated files containing patient information such as names, addresses, birth dates, Social Security numbers, diagnoses, medical information, discharge information, and treatment locations and/or healthcare providers.

No evidence was found to indicate any specific information was viewed or obtained by unauthorized individuals as a result of the attack; however, affected individuals have been offered 12 months of complimentary credit monitoring. MHCGM said it is no longer using CLM for data storage and is working on removing all data from CLM’s systems.

The incident is not yet showing on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many patients have been affected.

Email Security Incidents Reported by Healthplex and Optima Dermatology

Healthplex Inc., one of the largest providers of dental insurance in New York state, has announced that the email account of an employee was compromised in a phishing attack on November 24, 2021. Upon discovery of the breach, the email account was immediately secured to prevent further unauthorized access and an investigation was launched to determine the nature and scope of the breach.

On April 5, 2021, Healthplex confirmed that the email account contained the personal and protected health information of 89,955 individuals who had previously enrolled in its dental plans. The exposed information varied from individual to individual and may have included first and last names in combination with one or more of the following data types:

Address, group name and number, member ID number, plan affiliation, date of birth, date of service, provider name, ADA codes and their description, billed/paid amounts, prescription drug names, Social Security number, banking information, credit card number, username and password for the member portal, email address, phone number, and driver’s license number.

Healthplex said notification letters were sent to affected individuals on April 15, 2022, who have been offered complimentary identity theft protection services through Lifelock. Steps have also been taken to improve the security of its email environment to prevent similar breaches in the future.

Optima Dermatology Email Breach Affects Almost 60,000 Patients

Optima Dermatology Holdings has announced it has experienced an email security incident that resulted in the exposure of the protected health information of patients of The Dermatology Center of Indiana and Advanced Dermatology & Skin Cancer Center.

Optima Dermatology did not disclose when the email security breach was discovered but said that after an extensive forensic investigation it was determined on February 17, 2022, that the breach was limited to a single email account, which was accessed by an unauthorized individual between August 30, 2021, and September 2, 2021.

A review of the email account revealed it contained the protected health information of 59,872 individuals, such as full names, birth dates, medical treatment and/or conditions information, health insurance claims and/or application information, health insurance policy and/or subscriber numbers, and medical record numbers. No evidence was found to indicate Social Security numbers, driver’s license numbers, or financial account/payment card information were exposed or compromised.

Optima Dermatology said notification letters were sent to affected individuals on April 18, 2022, and additional safeguards have been implemented to prevent further attacks.

Salusive Health Closes Business Following Cyberattack

Salusive Health, the developer of the myNurse platform which helps physician practices streamline disease management, has experienced a cyberattack in which patient data was compromised.

In its breach notification letters to patients, Salusive Health explained that it identified unauthorized activity within its computer network on March 7, 2022, and immediately implemented containment, mitigation, and restoration efforts, and engaged third-party cybersecurity experts to assist with those processes. The investigation confirmed that unauthorized individuals accessed the personal and protected health information of patients, including name, gender, home address, phone number, email address, date of birth, medical history, diagnosis and treatment information, dates of service, lab test results, prescription information, provider name, medical account number, health insurance policy and group plan number, group plan provider, and claim information.

Salusive Health said it implemented additional security measures to prevent further breaches, has notified affected individuals and offered free identity theft protection services, and reported the cyberattack to the Federal Bureau of Investigation. The incident has not yet appeared on the HHS’ Office for Civil Rights’ breach portal, so it is unclear at this stage how many individuals have been affected.

Salusive Health also explained in the breach notification letters that the difficult decision has been taken to cease clinical operations by the end of business on May 31, 2022, which will allow patients to hand their chronic care management and remote monitoring services back to their primary care physicians. Salusive Health said the decision to cease operations is unrelated to the data security incident.

New Creation Counseling Center Ransomware Attack Affects 24,000 Patients

New Creation Counseling Center (NCCC) in Tipp City, OH, has recently started notifying 24,029 patients that some of their protected health information has potentially been compromised in a recent cyberattack.

A breach of its IT systems was detected on February 13, 2022, when users were prevented from accessing files on the network. Steps were immediately taken to prevent further unauthorized access, and an investigation was launched to determine the nature and scope of the breach. NCCC confirmed ransomware had been used to encrypt files, and third-party cybersecurity consultants have been assisting with the response and recovery.

NCCC said care continued to be provided to patients throughout and the ransomware has been confirmed as having been eradicated from its systems. While the investigation uncovered no evidence of data theft, it was not possible to rule it out. A review of files on the affected systems confirmed they contained names, telephone numbers, addresses, email addresses, birthdates, Social Security numbers, health insurance information, intake forms, medical releases, and treatment records.

Notifications were sent to affected individuals starting on April 12, 2022, and one year of credit monitoring services has been offered to patients at no cost.

6 HIPAA-Regulated Entities Report Email Account Breaches and the Exposure of PHI

Six data breaches have recently been reported by HIPAA-regulated entities that have collectively resulted in the exposure and potential theft of the protected health information of tens of thousands of individuals.

La Casa de Salud, New York

The Acacia Network, a New York City-based human services organization, has recently notified the HHS’ Office for Civil Rights about an email account breach that was detected on July 17, 2020. According to the breach notice on the Acacia Network website, email accounts were accessed for a limited time between June 6, 2020, and June 12, 2020. An investigation was immediately launched and a forensic firm was engaged to provide assistance, but it was not possible to determine if any emails or attachments had been viewed or copied.

A review of the emails in the account revealed they contained patients’ names, Social Security numbers, driver’s license numbers, addresses, birthdates, financial account numbers, medical record numbers, resident identification numbers, health insurance information, Medicare numbers, provider names, treatment, prescription, and/or diagnostic information.

The Acacia Network said the email accounts contained the data of a percentage of clients in the following programs:

  • Bronx Accountable Healthcare Network
  • Bronx Addiction Services Integrated Concepts System, Inc.
  • Community Association of Progressive Dominicans
  • El Regreso, Inc
  • Greenhope Services for Women, Inc
  • La Casa De Salud, Inc
  • Promesa, Inc.
  • United Bronx Parents, Inc.

The breach has been reported to the HHS’ Office for Civil Rights as affecting 9,969 patients and was reported under the name La Casa De Salud. It is currently unclear if that is the total number of individuals affected. Notification letters were mailed on February 22, 2022, and complimentary credit monitoring and identity protection services have been offered to individuals whose Social Security number or driver’s license number was exposed. No explanation was given as to why it took more than 18 months to notify the affected individuals.

Valley View Hospital, Colorado

Valley View Hospital in Colorado has recently announced that the email accounts of four employees have been accessed by unauthorized individuals after the employees responded to phishing emails. The email account breaches were detected by the hospital on January 19, 2022. The email accounts were immediately secured, and a forensic security firm was engaged to investigate and determine the nature and scope of the breach. On March 29, 2022, it was determined that four email accounts had been compromised that contained information about approximately 21,000 hospital employees and patients. Valley View Hospital did not state in its substitute breach notice what types of information had been compromised.

Notification letters started to be sent to affected individuals on March 19, 2022.

Fairfield County Implants and Periodontics, Connecticut

Fairfield County Implants and Periodontics (FCIP) in Connecticut has recently confirmed that an email account was accessed by an unauthorized individual. FCIP said it was determined on March 2, 2022, that the breached email account contained the protected health information of certain patients, with the review confirming the following types of information had been exposed: names, addresses, dates of birth, phone numbers, email addresses, Social Security numbers, health insurance information, and medical history and treatment information.

Notification letters were sent to affected individuals on April 15, 2022. FCIP said no evidence of actual or attempted misuse of patient data had been identified at the time of issuing notification letters. Affected individuals have been offered 24 months of credit and CyberScan monitoring at no cost.

The breach was reported to the HHS’ Office for Civil Rights as affecting up to 10,502 individuals.

Los Angeles County Department of Mental Health, California

Los Angeles County Department of Mental Health has recently confirmed there has been a breach of three employee email accounts. The accounts were compromised on October 19, 2021, as a result of employees responding to phishing emails. A forensic investigation was unable to determine if any sensitive information was viewed or exfiltrated, but the possibility of unauthorized data access could not be ruled out.

A review of the affected email accounts revealed they contained the following types of information: names, addresses, dates of birth, driver’s license numbers, Social Security numbers, medical and/or health information, health insurance information, SSID student identifiers, and/or financial account numbers. When the breach was discovered, prompt action was taken to secure the accounts and all network credentials were reset. Additional safeguards have now been implemented.

The breach has been reported to the HHS’ Office for Civil Rights, although it is not currently showing on the breach portal, so it is unclear how many individuals have been affected.

Scott County, Iowa

Scott County in Iowa has recently confirmed it was the victim of a cyberattack that was discovered on November 30, 2021. The email account of an employee was discovered to have been used to send unauthorized emails to internal and external email addresses. The subsequent forensic investigation confirmed that the email accounts of three employees had been compromised and accessed by an unauthorized individual on October 27, 2021.

A review was conducted of all messages in the email accounts. That process was completed on February 22, 2022, when it was confirmed that the email accounts contained the sensitive information of clients, employees of Scott County, and other individuals who received healthcare treatment or services facilitated by Scott County. The email accounts contained information such as names, addresses, dates of birth, Social Security numbers, medical information, health insurance information, and financial account information. At this stage, no evidence of actual or attempted misuse of sensitive data has been identified.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Up to 2,592,494 Individuals Affected by Smile Brands Ransomware Attack

Irvine, CA-based Smile Brands, a provider of support services for dental offices, has recently provided an update on the number of individuals affected by a ransomware attack that was discovered on April 24, 2021. The attackers gained access to parts of its system on April 23, 2021, that housed files that contained individuals’ protected health information, including names, addresses, telephone numbers, dates of birth, Social Security numbers, financial information, government-issued ID numbers, and health information.

The breach was initially reported to the HHS’ Office for Civil Rights in June 2021 as affecting 1,200 individuals, but the breach report was later amended to indicate up to 199,683 individuals had been affected. However, in the latest update to the Maine attorney general, the breach has been reported as affecting up to 2,592,494 individuals. The initial notice to the Maine attorney general was submitted on October 8, 2021.

Smile Brands said affected individuals have been offered a complimentary 12-month membership to a credit monitoring service, which includes identity theft assistance services and a $1 million identity theft insurance policy.

Malware Potentially Allowed Hackers to Access ARcare Patient Data

ARcare, a provider of primary care and behavioral health services in Arkansas, Mississippi, and Kentucky, has confirmed that patient data was potentially accessed by unauthorized individuals in a cyberattack that was discovered on February 24, 2022. Malware was identified on its network which caused a temporary disruption to its services. Prompt action was taken to prevent further unauthorized access and an investigation was launched to determine the nature and scope of the incident.

The investigation confirmed on March 14, 2022, that the attackers may have accessed sensitive data between January 18, 2022, and February 24, 2022. A review of the affected files was completed on April 4, 2022, and confirmed they contained names, Social Security numbers, driver’s license or state identification numbers, dates of birth, financial account information, medical treatment information, prescription information, medical diagnosis or condition information, and health insurance information.

While data has been exposed, no evidence has been found of any actual or attempted misuse of patient data. ARcare said it has updated its policies and procedures relating to data protection and security and sent notification letters to affected individuals on April 25, 2022.

The incident has not yet appeared on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Unencrypted Laptops Stolen from Home of Employee of Onehome Health Solutions

Two unencrypted laptop computers have been stolen from the home of an employee of the Miramar, FL-based home-based healthcare provider, Onehome Health Solutions.

The theft was discovered on March 3, 2021, and the incident was reported to law enforcement. A forensic analysis determined the laptop computers contained the protected health information of up to 15,401 patients, including names, addresses, phone numbers, medical information, health insurance information, and the last four digits of Social Security numbers.

Onehome said all affected individuals have been notified about the exposure of their information and complimentary identity theft protection services have been offered to individuals whose partial Social Security numbers were exposed.

American Dental Association and Tenet Healthcare Recovering from Cyberattacks

The American Dental Association (ADA) suffered a cyberattack on Friday and has been forced to take many of its systems offline. The ADA website is currently available and explains that “The ADA is experiencing technical difficulties,” and that work is underway to get its systems running smoothly. While the website does not provide any further information on the cause of the technical difficulties, emails have been sent to ADA members advising them about the cyberattack.

The letters explain that parts of its network were taken offline and that Aptify, ADA email, the telephone system, and web chat have all been affected. Many of its online services are currently unavailable; however, details of the attack have not been shared at this time.

The ADA said it has reported the cyberattack to law enforcement and it is investigating the nature and scope of the attack and is being assisted by third-party cybersecurity professionals. The investigation has not uncovered any evidence of data theft at this stage and the extent to which its members, dental practices, and other dental organizations have been affected is not known. Several state dental associations have also reported on their websites that technical difficulties are being experienced, including the New York and Florida Dental Associations.

While little information has been made public about the exact nature of the attack, it has the hallmarks of a ransomware attack. According to Bleeping Computer, a new ransomware operation – Black Basta – has claimed responsibility for the cyberattack and has published a sample of the stolen data on its data leak site. Black Basta claims the leaked data is around 30% of what was stolen from the ADA and includes employee information, financial information, and other sensitive data.

Black Basta is a new ransomware group that started conducting attacks in the middle of April 2022, with the first known victim being the German wind farm operator, Deutsche Windtechnik. The ransomware encrypts files using AES+RSA algorithms and adds the .basta extension to encrypted files. The group claims in its ransomware notes that data has been stolen and will be published on its TOR website if the ransom is not paid. The desktop on victim devices is replaced with an image stating, “your network is encrypted by Black Basta group,” and a readme.txt file is dropped on the desktop with instructions for recovering files.

Tenet Healthcare Confirms Recent Cyberattack

The Dallas, TX-based multinational health system Tenet Healthcare, which operates 620 facilities in 34 states including 60 hospitals, is currently recovering from a cyberattack that disrupted some of its acute care operations.

The attack occurred last week, and the health system says most critical functions have now been restored and normal operations are starting to be resumed at the affected locations. Tenet explained on its website in an April 26, 2022 post that user access was immediately suspended on the affected technology applications when the cyberattack was detected, its cybersecurity protocols were immediately implemented, and rapid action was taken to prevent further unauthorized access to its systems.

Tenet said, “Efforts to restore impacted information technology operations continue to make important progress,” and that all of its healthcare facilities remained operational and continued to deliver patient care safely, using well-established backup processes. An investigation has been launched to determine the nature and scope of the cyberattack, and that investigation is ongoing. It is currently unclear to what extent, if any, patient and employee data has been affected.

Solara Medical Supplies Proposes $5 Million Settlement to Resolve Class Action Data Breach Lawsuit

A preliminary settlement has recently been approved by a California Federal court to resolve a consolidated class action lawsuit against Solara Medical Supplies.

Solara Medical Supplies is a Chula Vista, California-based direct-to-consumer provider of medical devices and disposable medical products and a registered pharmacy. On June 28, 2019, Solara Medical identified suspicious activity in an employee email account. The subsequent investigation confirmed unauthorized individuals had gained access to multiple Office 365 email accounts between April 2, 2019, and June 20, 2019, as a result of employees responding to phishing emails.

The forensic investigation confirmed that the sensitive information of 114,007 of its customers had been exposed and potentially stolen, including names, dates of birth, Social Security numbers, driver’s license numbers, health insurance information, and financial information. Affected individuals were offered complimentary credit monitoring and identity theft protection services for 12 months.

Four class action lawsuits were filed on behalf of the affected customers, and those lawsuits were consolidated into a single lawsuit. Solara Medical proposed the settlement to resolve the lawsuit and avoid ongoing legal costs, but denied any wrongdoing. The settlement dismisses the lawsuit with prejudice and does not constitute any admission of fault, wrongdoing, or liability.

Under the terms of the settlement, Solara Medical has agreed to pay $5,060,000 to cover claims from the plaintiffs and class members and will take steps to improve data security to prevent further security breaches. The six plaintiffs named in the lawsuits will be paid $4,000 each, and all class members who file timely claims will receive $100, plus a pro rata payment of up to $1,000 if any funds remain in the fund after the $100 cash payments have been made. The settlement amount includes $2.3 million in attorneys’ fees. If any funds remain, they will be donated to the Juvenile Diabetes Research Foundation.

For the next two years, Solara Medical will undergo a SOC 2 Type 2 audit, which will be repeated until it is passed, engage an independent third party to perform a HIPAA IT assessment, conduct at least one cybersecurity incident response test a year, and undergo third-party phishing and external-facing vulnerability tests at least twice a year. Solara Medical will also implement a security information and event management (SIEM) tool with a 400-day lookback on activity logs. Improved versions of the remedial actions or the same actions will be conducted to new industry standards for the subsequent three years.

PHI Exposed in Security Incidents at Georgia Pines CSB & Ballad Health

Security incidents have recently been reported by Georgia Pines CSB and Ballad Health, which involved the protected health information (PHI) of 28,295 individuals.

Ballad Health Discovers Breach of Employee Email Account

Ballad Health, an integrated community health improvement organization serving communities in the Appalachian Highlands in Northeast Tennessee, Southwest Virginia, Northwest North Carolina, and Southeast Kentucky, has recently discovered an unauthorized individual has accessed the email account of one of its employees.

Suspicious activity was detected in the email account of an employee on or around January 13, 2022. The email account was immediately secured, and a forensic investigation was conducted to determine the nature and scope of the breach. On February 17, 2022, it was determined that the email account was accessed for a short period by an unauthorized individual who may have viewed or acquired information in the account.

A review of the emails in the account confirmed on March 16, 2022, that they included the protected health information of 4,295 patients, such as names, dates of birth, medical histories, medical conditions, treatment information, medical record numbers, diagnosis codes, and patient account numbers. It was not possible to tell which emails, if any, had been viewed or obtained.

Ballad Health said it will continue to educate the workforce on the importance of security measures that must be taken by employees to protect its email system.

Laptops Stolen from Georgia Pines Community Service Board

Two laptop computers containing the protected health information of up to 24,000 patients were stolen in a break-in at Georgia Pines Community Service Board (CSB) at some point between April 6 and April 7, 2022. Georgia Pines CSB staff discovered the break-in at its main campus on the morning of April 7, 2022.

The laptops contained files that included protected health information such as names, addresses, Social Security numbers, and medical records. No evidence has been found to indicate any information on the laptops has been viewed or misused by unauthorized individuals, but unauthorized access and misuse cannot be ruled out.

Notification letters started to be sent to affected individuals on April 7, 2022.
