HIPAA Breach News

New York Provider of Administrative Anesthesiology Services Facing Multiple Class Action Data Breach Lawsuits

Posted November 15, 2022 by HIPAA Journal

A New York-based physician-owned provider of administrative services to anesthesiology firms is facing several class action lawsuits over a cyberattack and data breach that has affected at least 24 entities and involved the exposure and potential theft of the protected health information of more than 450,000 patients.

Anesthesiology firms started reporting data breaches to the Department of Health and Human Services’ Office for Civil Rights in September 2022, with the notification letters to patients indicating there had been a data breach at their anesthesia management services organization. The notification letters failed to name that company.

According to the notification letters, the management services organization detected the cyberattack on or around July 11, 2022, or July 15, 2022 – two templates were used by the affected firms that had different dates. The forensic investigation determined the attackers had access to parts of its system that contained the protected health information of patients, including names, Social Security numbers, dates of birth, driver’s license numbers, financial account information, health insurance policy numbers, medical record numbers, Medicaid/Medicare IDs, and health information, including diagnosis and treatment information.

At least five complaints have now been filed in the U.S. District for Southern New York against the management company – Somnia Inc. – over the data breach that allege the company was negligent for failing to implement appropriate safeguards to ensure the confidentiality, integrity, and availability of patient information, that Somnia failed to comply with FTC guidelines and the HIPAA Rules and had not followed industry standards for data security.

Some of the lawsuits also take issue with the way the breach was reported due to the failure to mention Somnia Inc. by name in the notification letters, and in some cases, to fully disclose exactly what information had been compromised. One lawsuit took issue with Somnia Inc. only disclosing the breach as affecting 1,326 patients, when the breach was known to have affected more than 400,000 individuals at the time and suggested, “Somnia is trying to completely avoid any and all responsibility for the data breach and is using its local practices to obscure the identity of the responsible entity as well as to downplay the severity of the data breach.”

The lawsuits allege individuals affected by the breach now face an immediate and elevated risk of identity theft and fraud as a result of the negligence of Somnia, and seek class action status, damages, adequate credit monitoring and identity theft protection services, injunctive relief, and a court order that requires Somnia to implement enhanced security measures to ensure patient information is appropriately protected.

The post New York Provider of Administrative Anesthesiology Services Facing Multiple Class Action Data Breach Lawsuits appeared first on HIPAA Journal.

CommonSpirit Health Says EHRs Mostly Back Online Following Ransomware Attack

Posted November 11, 2022 by HIPAA Journal

CommonSpirit Health has recently provided an update on the progress that has been made in recovering from an October 2022 ransomware attack that affected many facilities across its network. The attack was detected on October 3, which forced the health system to take its IT systems offline, including its MyChart electronic health records (EHRs). CommonSpirit Health, Catholic Health Initiatives (CHI Health), MercyOne, and St. Luke’s Health facilities were affected and have been operating under emergency procedures since the attack. CommonSpirit Health had previously stated that there was no impact on patient care and associated systems at Dignity Health, TriHealth, and Centura Health.

It has now been more than a month since the attack and business operations have yet to return to normal; however, CommonSpirit Health has recently confirmed that the majority of impacted locations now have access to their EHR systems again and patients of those facilities should now be able to access patient portals to view their medical records. Appointment scheduling systems are still affected, so patients have been advised to contact their provider’s office directly to arrange appointments.

A forensic investigation into the attack was launched; however, the priority has been patient safety and bringing affected systems back online as quickly and safely as possible. The forensic investigation is trying to establish the methods used by the attackers to gain initial access to its network to allow security updates to be performed, and to determine the extent, if any, that patient data has been compromised. CommonSpirit Health will provide further updates pending the outcome of the investigation. The incident has been reported to law enforcement and third-party cybersecurity consultants have been engaged to assist with the recovery.

While some healthcare organizations have been able to recover from ransomware attacks relatively quickly within 1 or 2 weeks following an attack, longer disruptions are common, with the average recovery time being 22 days. There are several factors that can affect the recovery time, including the extent of the attack, the complexity of the IT environment, and whether a practiced incident response plan was in place. The importance of planning for security incidents and having a practiced incident response plan was recently emphasized by the HHS’ Office for Civil Rights in its October 2022 Cybersecurity Newsletter.

The post CommonSpirit Health Says EHRs Mostly Back Online Following Ransomware Attack appeared first on HIPAA Journal.

Lurie Children’s Hospital Proposes Settlement to End Insider Breach Lawsuit

Posted November 10, 2022 by HIPAA Journal

Ann & Robert H. Lurie Children’s Hospital has proposed a settlement to resolve a class action lawsuit filed in response to two privacy breaches involving unauthorized medical record access by employees.

On November 15, 2019, the Chicago hospital discovered an employee had been impermissibly accessing patient records. The investigation determined the unauthorized access occurred between Sept. 10, 2018, and Sept. 22, 2019. The employee, a nursing assistant, viewed patient records that included names, addresses, dates of birth, and medical information, including diagnoses, medications, appointments, and procedures. Once the unauthorized access was confirmed, the employee was terminated. Lurie Children’s Hospital notified affected patients in December 2019 and said there was no reason to suggest the information had been further discovered or misused.

A similar breach was detected by the hospital in 2020. A nursing assistant was discovered to have accessed patient records without authorization between November 1, 2018, and February 29, 2020, and was also terminated. Patients were notified about the breach in May 2020. A mother took legal action against the hospital on behalf of her 4-year-old daughter, whose medical records and been impermissibly accessed by the two nursing assistants. Her daughter’s records included details of an examination to investigate suspected sexual abuse.

The lawsuit – Doe v. Lurie Children’s Hospital of Chicago – alleged the hospital had been negligent for failing to protect patient records, the hospital breached its implied contract, and failed to monitor employees’ access to patients’ medical records. Lurie Children’s Hospital denied liability for the breach and did not admit any wrongdoing and maintained the plaintiff failed to state a claim in the lawsuit upon which relief can be granted, as the plaintiff failed to assert any basis that the actions of the hospital caused any harm.

Lurie Children’s Hospital proposed a settlement to put an end to the allegations of wrongdoing. The proposed settlement does not include any monetary benefits, but the hospital has agreed to make changes to policies and procedures and implement additional safeguards to better protect patient data. Those measures include increased monitoring of employee access logs, which include twice weekly reviews of audit alerts, and a commitment to provide employees with additional training on medical record access. The hospital has also stated that it will be applying “break the glass” protocols for highly sensitive medical information related to certain treatments, including evaluations for sexual abuse and sexual assault.

The deadline for objection and exclusion is January 4, 2023. The final approval hearing has been scheduled for January 25, 2023.

The post Lurie Children’s Hospital Proposes Settlement to End Insider Breach Lawsuit appeared first on HIPAA Journal.

U.S. Vision Subsidiary and Florida Addiction Treatment Center Announce 2021 Data Breaches

Posted November 8, 2022 by HIPAA Journal

USV Optical, a subsidiary of U.S. Vision, has recently confirmed that the information of patients at several entities within its network has been exposed. Suspicious activity was detected within its network on May 12, 2021, with the forensic investigation confirming unauthorized individuals had access to its network for a month between April 20, 2021, and May 17, 2021. During that time, the attackers may have viewed or acquired sensitive patient data.

The breach was reported to U.S. Vision shortly after it was detected; however, at the time it was unclear which entities and patients had been affected. Nationwide Optical Group acquired or became affiliated with several U.S. Vision entities in September 2019, including Nationwide Optometry and SightCare. USV Optical started to provide administrative services to those entities around that time. Nationwide Optical Group was informed about the breach and requested U.S. Vision investigate the incident further to find out more information and recommended monitoring the dark web to determine if any sensitive data had been released. No further information was subsequently provided about any dark web detections.

On September 22, 2022, Nationwide Optical Group was informed that the review of the files on the compromised parts of the network had been completed, and it was confirmed that the following types of information had potentially been stolen: full names, dates of birth, addresses, Social Security numbers, taxpayer identification numbers, driver’s license numbers, financial account information, medical and/or treatment information, prescription medications, health insurance information, and billing and claims information. The types of information exposed varied from patient to patient.

The information provided was validated and correct contact information was obtained, allowing individual notification letters to be sent. That process was completed on October 17, 2022. Affected individuals have now been notified and have been offered complimentary credit monitoring and identity theft protection services.

Phoenix House Florida Email Accounts Compromised

Phoenix House Florida, a non-profit residential addiction treatment program provider, has recently announced that the protected health information of 6,594 patients has been exposed and potentially obtained by unauthorized individuals who gained access to certain employee email accounts.

The email accounts contained the protected health information of patients of Phoenix Programs of Florida, including names, Social Security numbers, driver’s license numbers, birth dates, credit/debit card numbers, expiry dates, and CVV codes, digitized or electronic signatures, Client IDs, medical information such as condition, treatment, or diagnosis, and health insurance information.

Phoenix House Florida did not disclose when the security breach was detected but said the email accounts were compromised between July 13, 2021, and November 1, 2021. The forensic investigation confirmed on September 2, 2022, that protected health information had been exposed, and notification letters were sent to affected individuals on October 19, 2022. No evidence was uncovered that suggested information in the email accounts was viewed or acquired. Complimentary identity theft protection services have been offered to individuals whose Social Security numbers or driver’s license numbers were involved.

The post U.S. Vision Subsidiary and Florida Addiction Treatment Center Announce 2021 Data Breaches appeared first on HIPAA Journal.

St. Luke’s Health Reports Third Party Data Breach

Posted November 7, 2022 by HIPAA Journal

St. Luke’s Health has recently notified 16,906 patients that some of their protected health information has been exposed in a security incident at a vendor that provides consulting services. On November 5, 2021, the email accounts of two employees of Adelanto Healthcare Ventures (AHCV) were accessed by an unauthorized individual.

An investigation was launched into the incident, which initially determined no patient information had been exposed; however, a subsequent review determined the information of certain St. Luke’s Health patients was present in the email accounts and could potentially have been accessed or acquired by the attackers. The exposed information included names, addresses, dates of birth, Social Security numbers, dates of service, medical record numbers, Medicaid numbers, and some limited clinical information, such as treatment and diagnosis codes. St. Luke’s Health was notified about the breach on September 1, 2022

St. Luke’s Health explained in its breach notification letters that no reports have been received that suggest there has been any misuse of patient data; however, as a precaution, AHCV is offering affected individuals complimentary identity theft and credit monitoring services.

St. Luke’s Health is currently recovering from a ransomware attack on its parent company, CommonSpirit Health, that occurred more than a month ago. CommonSpirit Health is still facing disruption to business operations as a result of the attack but has now restored the MyChart patient portal and providers can now access their patients’ electronic medical records.

Tift Regional Health System Investigating Cyberattack and Data Breach

Tift Regional Health System (TRHS) in Tifton, GA, has recently announced that its systems have been compromised and that the attackers potentially accessed and obtained the protected health information of some of its patients. The unauthorized system access occurred on or around August 16, 2022. Prompt action was taken to secure its systems and an investigation was launched to determine the nature and scope of the attack.

TRHS said files on its systems were not encrypted, and its electronic medical record system was not accessed; however, the forensic investigation was unable to rule out unauthorized access and theft of files that contained patient information. The files on the compromised part of the network contained Social Security numbers, patient identification numbers, driver’s license numbers, medical information, treatment information, diagnosis information, health insurance information, and dates of birth.

TRHS said it is reviewing its existing policies and procedures regarding cybersecurity and additional safeguards are being evaluated to protect against this type of incident in the future. The breach has been reported to the HHS’ Office for Civil Rights as affecting 500 individuals. That number is often used as a placeholder until the full extent of the breach is known.

Wenco Management Reports Breach of Health and Welfare Benefit Plan Member Data

The protected health information of 20,526 employees of Wenco Management, LLC, has been exposed and potentially obtained by unauthorized individuals. Wenco Management operates the Wendy’s fast-food chain. Affected employees were members of its Health and Welfare Benefit Plan.

Wenco Management identified the breach on August 21, 2022. After its systems were secured, a forensic investigation was launched to determine the nature and scope of the breach, which confirmed an unauthorized individual had accessed its network and potentially viewed and obtained employee records that included names, Social Security numbers, and plan selection information. The breach occurred on the same day it was identified and blocked. Affected individuals have been offered complimentary credit monitoring services. Wenco Management said it has taken steps to improve the security of its systems to prevent further data breaches in the future.

The post St. Luke’s Health Reports Third Party Data Breach appeared first on HIPAA Journal.

Lawsuits Filed Against OakBend Medical Center and Keystone Health Over Data Breaches

Posted November 7, 2022 by HIPAA Journal

Oakbend Medical Center in Richmond, TX, and Keystone Health in Chambersburg, PA, are facing class action lawsuits over recent hacking incidents that resulted in the exposure and theft of the protected health information of hundreds of thousands of patients.

OakBend Medical Center

On September 1, 2022, OakBend Medical Center discovered its systems had been compromised and files had been encrypted. The breach was contained and access to its network was terminated, and a forensic investigation was conducted to determine the nature and scope of the attack. The forensic investigation confirmed that the attackers had exfiltrated files containing patient data. OakBend Medical Center said entire medical records do not appear to have been stolen. The stolen data included names, contact information, dates of birth, and Social Security numbers. The threat actors behind the attack – Daixin Team – claim the data they stole included 1 million patient records, although that has yet to be confirmed by Oakbend Medical Center.

On October 28, 2022, two patients affected by the data breach – Ryan Higgs and Alissa Wojnar – took legal action over the theft of their protected health information. The lawsuit was filed by Dallas, TX-based attorney, Joe Kendall, in the District Court for the Southern District of Texas and alleges Oakbend Medical Center maintained the private information of patients “in a reckless manner,” and failed to properly monitor its IT network. The lawsuit alleges negligence, negligence per se, breach of implied contract, breach of fiduciary duty, intrusion upon seclusion, invasion of privacy, and unjust enrichment.

The plaintiffs claim they have suffered the loss of the benefit of their bargain, out-of-pocket expenses, the value of their time that was incurred to remedy and mitigate the effects of the attack, emotional distress, and the imminent risk of future harm caused by the compromise of their sensitive personal information. The lawsuit seeks class action status, compensatory damages, reimbursement of out-of-pocket expenses, and injunctive relief that requires OakBend Medical Center to implement additional security measures to better protect patient data and to also provide adequate credit monitoring services to affected patients.

Keystone Health

On August 19, 2022, Keystone Health discovered its network had been compromised. After systems were secured, a forensic investigation was launched to determine the scope of the attack, and it was confirmed that hackers had access to its network between July 28, 2022, and August 19, 2022. During that time, they had access to sensitive patient data including names, Social Security numbers, and clinical information. The breach affected 235,237 patients, who were notified on October 14, 2022.

A lawsuit was filed in the District Court for the Middle District of Pennsylvania by the law firm Milberg Coleman Bryson Phillips Grossman, PLLC that named Jacob Whitehead as plaintiff, on behalf of his minor son. The lawsuit alleges Keystone Health failed to properly secure and safeguard personally identifiable information, and that the private information of patients was maintained in a reckless and negligent manner that made it vulnerable to cyberattacks.

The lawsuit alleges negligence for failing to implement minimum industry standards for protecting patient data and claims Keystone Health failed to meet its obligations under the HIPAA Security Rule as appropriate safeguards had not been implemented to protect patients’ electronic protected health information. The lawsuit also alleges a violation of the HIPAA Breach Notification Rule for failing to properly notify patients about the data breach.

The lawsuit claims the plaintiff and others affected by the data breach are now at significant risk of identity theft and various other forms of personal, social, and financial harm. They allege an injury has been sustained in the form of the lost or diminished value of their private information, out-of-pocket expenses associated with the prevention, detection, and recovery from identity theft, tax fraud, and/or unauthorized use of their private information, lost time and opportunity, and a continued and substantially increased risk of cyberattacks and fraud.

The lawsuit seeks class action status, a jury trial, damages, and equitable and injunctive relief, including a requirement for Keystone Health to ensure it has an effective and comprehensive security program, to undergo independent security audits and penetration tests, to engage internal personnel to run automated security monitoring, and to provide security awareness training to all employees, at least annually.

The post Lawsuits Filed Against OakBend Medical Center and Keystone Health Over Data Breaches appeared first on HIPAA Journal.

Advocate Aurora Health and WakeMed Sued Over Meta Pixel Privacy Breaches

Posted November 4, 2022 by HIPAA Journal

Two class action lawsuits have been filed on behalf of patients whose protected health information (PHI) was impermissibly disclosed to Meta/Facebook as a result of the use of the Meta Pixel JavaScript code snippet on the websites and web applications of Advocate Aurora Health and WakeMed Health and Hospitals. Advocate Aurora Health said the PHI of up to 3 million patients had potentially been disclosed to Meta/Facebook, and WakeMed said around 495,000 patients were affected due to the inclusion of the code on the MyChart patient portal and its appointment scheduling page. Both healthcare providers have admitted to an impermissible disclosure of PHI but said at the time of issuing notifications that they were unaware of any cases of misuse of patient information and that there are no indications that employees of Meta or Facebook viewed the transmitted data.

The lawsuit against Advocate Aurora Health, which also names Meta as a defendant, was filed in the U.S. District Court for the Northern District of Illinois and names Alistair Stewart, of Illinois, as the lead plaintiff. The lawsuit seeks class action status, damages, and injunctive and other equitable relief. According to the lawsuit, “Whenever a patient uses Advocate’s websites and applications, including its LiveWell portal, Advocate and Facebook intercept, contemporaneously cause transmission of, and use personally identifiable patient information and PHI without patients’ knowledge, consent, or authorization.” The lawsuit alleges Advocate Aurora Health and Meta were aware that protected health information was being transmitted, and that this was in violation of the HIPAA Rules. “This was evidenced from, among other things, the functionality of the Pixel, including that it enabled Advocate’s LiveWell portal to show targeted advertising to its digital subscribers based on the products those digital subscribers had previously viewed on the website, including certain medical tests or procedures, for which Advocate received financial remuneration.”

Advocate Aurora Health maintains that the tracking code was only used to improve the consumer experience across its websites, and to encourage individuals to schedule necessary preventive care, and said it has stopped using the code and has implemented additional safeguards and third-party code-checking procedures to prevent similar breaches in the future.

The lawsuit against WakeMed was filed in the Wake County Superior Court in North Carolina by attorneys Gary Jackson and Tom Wilmoth and similarly seeks class action status, damages, and injunctive relief. The lawsuit makes similar claims and also alleges that the code was added to the website in the knowledge that sensitive patient data would be shared with Meta, and that WakeMed received financial benefits from sharing that information with Meta. The lawsuit alleges violations of FTC Rules and HIPAA, as sensitive healthcare data, including PHI, was shared with Meta without the knowledge or consent of the plaintiff and class members.

The lawsuit states the plaintiff reasonably expected her online communications with WakeMed to be confidential and would not be shared with or intercepted by a third party, and that consent to share her data had not been requested or obtained. The lawsuit alleges negligence for failing to implement reasonable safeguards to prevent improper disclosures of PHI, failing to adequately train employees, and failing to follow industry-standard data security practices.

In order for healthcare data breach lawsuits to succeed, an actual injury must have been sustained. In contrast to data breach lawsuits filed against healthcare organizations that have been hacked, the plaintiffs’ PHI is not in the hands of cybercriminals and there has been no injury through fraud or identity theft. The lawsuits allege an injury has been suffered in the form of the diminution in the value of the plaintiffs’ and class members’ private information. The plaintiff in the WakeMed lawsuit alleges she has lost time and experienced annoyance, interference, and inconvenience, which has led to her suffering anxiety, emotional distress, and increased concerns about her loss of privacy.

Many healthcare providers added Meta Pixel code to their websites. A study conducted by The Markup revealed 33 of the top 100 hospitals in the United States used the code, several of which added Meta Pixel to their patient portals. In August 2022, Novant Health announced that the PHI of up to 1.36 million patients had potentially been disclosed to Meta/Facebook, and many other healthcare providers are expected to make similar announcements in the coming weeks. Lawsuits have already been filed against Medstar Health System in Maryland, UCSF Medical Center and Dignity Health Medical Foundation, and Northwestern Memorial Hospital in Chicago, due to the use of the tracking code on their websites.

The post Advocate Aurora Health and WakeMed Sued Over Meta Pixel Privacy Breaches appeared first on HIPAA Journal.

Georgia Home Health Company Settles Phishing Investigation and Pays $425,000 Penalty

Posted November 4, 2022 by HIPAA Journal

Aveanna Healthcare has agreed to pay a $425,000 financial penalty to the Office of the Attorney General of Massachusetts for failing to implement appropriate safeguards to prevent phishing attacks, in violation of state and federal laws.

Aveanna Healthcare operates in 33 states and is the nation’s largest provider of pediatric home care. In the summer of 2019, Aveanna Healthcare was targeted in a phishing campaign that saw more than 600 phishing emails sent to its employees. The phishing emails attempted to trick the recipients into providing credentials, money, or other sensitive information. The first email account was breached in July 2019, with the attacks continuing throughout the summer. Aveanna Healthcare discovered the breach on August 24, 2019.

The forensic investigation revealed multiple employees had been tricked into disclosing their account credentials, which provided the attackers with access to parts of the network that contained the protected health information (PHI) of 166,000 patients, including the PHI of approximately 4,000 Massachusetts residents. The patient information exposed and potentially copied included names, Social Security numbers, driver’s license numbers, financial account numbers, and health information such as diagnoses, medications, and treatment information. The threat actors also logged into the human resources system and attempted to change the direct deposit information of employees to divert payments.

The Massachusetts AG’s Office launched an investigation into the phishing attacks and determined that Aveanna Healthcare had failed to implement appropriate safeguards to protect against phishing attacks. The AG’s Office alleged Aveanna was aware that its cybersecurity program was insufficient at the time of the phishing attacks and that it did not have sufficient tools in place to adequately defend against phishing attacks, such as multifactor authentication and sufficient security awareness training for its workforce. The Massachusetts AG’s Office determined that Aveanna’s security program had not met the minimum level of security required by the Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts nor the minimum standards for security demanded by the HIPAA Security Rule.

The consent judgment requires Aveanna to pay a financial penalty of $425,000 to the Massachusetts AG’s office to resolve the violations, and adopt a corrective action plan that requires Aveanna to develop, implement, and maintain a security program that includes phishing protection technology, multi-factor authentication, and other systems designed to detect and address intrusions. Aveanna must also provide additional security awareness training to the workforce, including providing regular updates on the latest security threats. Aveanna is required to undergo annual independent assessments of its compliance with the consent order and will be monitored by the Massachusetts AG’s Office for a period of four years.

“Companies have an obligation to put the right security measures and systems in place to prevent hackers from accessing sensitive information,” said Massachusetts Attorney General Maura Healey. “As a result of this resolution, Aveanna will ensure compliance with our strong data security laws and take steps necessary to protect its employees and the private data of Massachusetts residents moving forward.”

Aveanna Healthcare is also facing a class action lawsuit over the exposure of patient data. The lawsuit alleges the failure to implement appropriate security measures also takes issue with the length of time it took Aveanna to announce the data breach – 5 months after the breach was detected.

The post Georgia Home Health Company Settles Phishing Investigation and Pays $425,000 Penalty appeared first on HIPAA Journal.

Update: CorrectCare Integrated Health Data Breach Affects Hundreds of Thousands of Inmates

Posted November 3, 2022 by HIPAA Journal

The medical claims processor, CorrectCare Integrated Health, has recently notified its clients that the protected health information of some of their patients was accidentally exposed over the Internet and may have been accessed by unauthorized individuals. On July 6, 2022, CorrectCare discovered two file directories on its web server had been misconfigured and could be accessed over the Internet without authentication.

The breach has affected patients treated by Mediko, Inc. – the largest provider of health care services to individuals in correctional facilities in Virginia. Mediko has reported the breach to the HHS’ Office for Civil Rights (OCR) as affecting 2,809 individuals. Sacramento County Adult Correctional Health says 5,372 individuals have been affected, and the Louisiana Department of Public Safety and Corrections says 85,466 individuals incarcerated in facilities in the state have been affected. Health Net Federal Services (HNFS) in California, a business associate of the California Correctional Health Care Services (CCHCS)/ California Department of Corrections and Rehabilitation (CDCR), has had data exposed, although at this stage it is unclear how many individuals have been affected.

CorrectCare said the web server was secured within 9 hours of the discovery of the misconfiguration. The forensic investigation confirmed the files were exposed from January 22, 2022, to July 7, 2022. The exposed data related to individuals treated between January 1, 2012, and July 7, 2022. The files in the exposed directories included names, dates of birth, inmate numbers, and limited health information, including diagnosis codes, CPT codes, treatment providers, dates of treatment, and, for some individuals, Social Security numbers.

On October 31, 2022, CorrectCare submitted three breach reports to OCR confirming the protected health information of 496,589 individuals had been exposed. The final breach total is not yet known, but more than 590,236 individuals are now known to have been affected.

Regions Hospital Reports Hackling Incident

Regions Hospital in St. Paul, MN, has recently confirmed that unauthorized individuals gained access to the protected health information of 978 patients. The attacker is believed to have accessed its secure network to steal payments from a health insurer, rather than to obtain patient information.

However, as part of that activity, a document on the network was opened that contained patient information, including first and last names and Social Security numbers. Affected individuals have been notified by mail and offered a 12-month membership to an identity theft protection service.

The post Update: CorrectCare Integrated Health Data Breach Affects Hundreds of Thousands of Inmates appeared first on HIPAA Journal.

Daily HIPAA News, HIPAA RSS Feeds, HIPAA Information