HIPAA Breach News

Advocate Aurora Health: Website Tracking Code May Have Impermissibly Disclosed PHI of 3 Million Patients

A second health system has announced that patient data has been impermissibly passed to Meta (Facebook) as a result of the inclusion of Meta Pixel tracking code on its website. First came Novant Health, with its admission that the protected health information of 1.36 million patients had been sent to Meta. Now, Advocate Aurora Health has confirmed that it too included the tracking code, which resulted in the impermissible disclosure of the protected health information of up to 3,000,000 patients. These two healthcare systems are far from the only ones affected by the use of Meta Pixel and other third-party tracking code on their websites.

An analysis published by The Markup/STAT in June suggested one-third of the top 100 hospitals in the United States had included the code on their websites, including at least 6 that had incorporated the code within their password-protected patient portals. Following the discovery, patients affected by the breach took legal action against their healthcare providers and Meta over the impermissible disclosure. In some cases, their personal and private information was used to serve them targeted advertisements related to their medical conditions, as a result of their interactions on the websites of their healthcare providers. Lawsuits have been filed against Meta and Medstar Health System in Maryland, and Meta and UCSF Medical Center/Dignity Health Medical Foundation.

Meta Pixel is a snippet of JavaScript code that website owners can add to their websites and web applications for the purpose of tracking visitor activity. In the case of healthcare providers, the code can be used for tracking the performance of advertising campaigns, as was the case with Novant Health, or identifying trends and preferences of patients. However, some of the data collected involved choices made via drop-down selection in web forms, which may have included information about medical conditions, and that information may have included personal identifiers.

The data collected through the Meta Pixel code snippet is sent to Meta, and that information may be made available to advertisers and used to serve targeted adverts. Meta has explained that it has technology in place to detect and identify data that it is not authorized to receive – such as medical information – which is stripped out and not made available to advertisers if it is detected. However, that does not appear to have always happened, according to the allegations made in the lawsuits.

There are two issues here: Consent had not been obtained from patients prior to their data being shared with Meta/Facebook and other third parties, and patients’ protected health information was impermissibly disclosed to Meta/Facebook or others when there was no business associate agreement in place, both of which are violations of the Health Insurance Portability and Accountability Act (HIPAA).

Advocate Aurora Health Breach Notification

Advocate Aurora Health is a non-profit health system with dual headquarters in Downers Grove, IL, and Milwaukee, WI. Advocate Aurora Health operates 27 hospitals, more than 500 outpatient locations, and serves around 3 million patients, all of whom may have been affected.

Advocate Aurora Health explained in its breach notification letters that Meta Pixel code was added to its website and applications “to understand how patients and others interact with our websites,” and for “identifying trends and preferences of patients.” Advocate Aurora Health also pointed out that many other hospitals and health systems had also used the code snippets on their websites and applications for similar purposes.

Advocate Aurora Health said it discovered that when individuals interacted with its websites and web applications while signed into their Google or Facebook accounts, in addition to data about their interactions on the websites and applications being shared with Google and Facebook/Meta, their identities would also have been disclosed. In some cases, those interactions may have included disclosures of protected health information.

“We learned that pixels or similar technologies installed on our patient portals available through MyChart and LiveWell websites and applications, as well as on some of our scheduling widgets, transmitted certain patient information to the third-party vendors that provided us with the pixel technology,” explained Advocate Aurora Health. When this was discovered, the code snippets were either disabled or removed from its websites and web applications, and an internal investigation was launched to determine the extent to which patient data had been transmitted to third-party vendors.

Advocate Aurora Health explained that, out of an abundance of caution, the decision was taken to issue notifications to all patients who had an Advocate Aurora Health MyChart account, used the LiveWell application, or the scheduling widgets on its web platforms. The extent to which those patients were affected, if at all, depends on their interactions with the website and whether they were logged into their Google or Facebook accounts at the time.

Patients affected may have had one or more of the following types of information transmitted to Google, Facebook/Meta, or others:

  • IP address
  • Dates, times, and/or locations of scheduled appointments
  • Proximity to an Advocate Aurora Health location
  • Information about a patient’s provider
  • Type of appointment or procedure
  • Communications through MyChart, which may have included their first and last name and medical record number
  • Information about whether the patient was insured
  • If a patient had a proxy MyChart account, the patient’s first name and the first name of the patient’s proxy.

Advocate Aurora Health said its investigation indicates no Social Security numbers, financial account information, or credit/debit card information was impermissibly disclosed. Advocate Aurora Health said it has now implemented an enhanced, robust technology vetting process for any tracking technologies that it considers using in the future to ensure similar privacy violations do not occur again.
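A pre-deployment check of the kind such a vetting process could include, as an added example (not code from Advocate Aurora Health or HIPAA Journal): it parses page HTML, flags Meta and Google tag code plus any script, image, or iframe host outside a first-party allowlist, and blocks pages where a tracker shares the page with patient-entered fields. The page URLs, hostnames, HTML samples, and verdict names are constructed for illustration.

```python
from dataclasses import dataclass, field
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that serve Meta Pixel and Google tag code (loader scripts and image beacons).
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel",
    "www.googletagmanager.com": "Google tag",
    "www.google-analytics.com": "Google Analytics",
}
# Calls that show a tracker was bootstrapped inline, with no <script src> to match.
INLINE_MARKERS = {"fbq(": "Meta Pixel", "gtag(": "Google tag"}
# Input types that carry no user data. Hidden fields are kept: they can hold identifiers.
NON_DATA_INPUTS = {"submit", "button", "reset"}


@dataclass
class PageAudit:
    url: str
    trackers: set = field(default_factory=set)
    unvetted_hosts: set = field(default_factory=set)
    input_fields: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        if self.trackers and self.input_fields:
            return "BLOCK"   # tracker runs on a page where patients enter data
        if self.trackers or self.unvetted_hosts:
            return "REVIEW"  # third-party code present, no data-entry fields seen
        return "OK"


class _Collector(HTMLParser):
    def __init__(self, audit, first_party):
        super().__init__(convert_charrefs=True)
        self.audit, self.first_party = audit, first_party
        self._in_script = False

    def _check_url(self, url):
        host = urlparse(url).hostname or ""   # empty for relative URLs
        if not host or host in self.first_party:
            return
        if host in TRACKER_HOSTS:
            self.audit.trackers.add(TRACKER_HOSTS[host])
        else:
            self.audit.unvetted_hosts.add(host)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
        if tag in ("script", "img", "iframe") and a.get("src"):
            self._check_url(a["src"])
        elif tag in ("select", "input", "textarea"):
            if (a.get("type") or "").lower() not in NON_DATA_INPUTS:
                self.audit.input_fields.append(a.get("name") or a.get("id") or tag)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            for marker, name in INLINE_MARKERS.items():
                if marker in data:
                    self.audit.trackers.add(name)


def audit_page(url, html, first_party_hosts):
    audit = PageAudit(url)
    first_party = {h.lower() for h in first_party_hosts} | {urlparse(url).hostname}
    collector = _Collector(audit, first_party)
    collector.feed(html)
    collector.close()
    return audit


# Constructed sample pages (hypothetical site, placeholder pixel and tag IDs).
FIRST_PARTY = {"www.example.org", "portal.example.org"}
SAMPLE_PAGES = {
    "https://www.example.org/schedule": """
      <html><head><script src="/static/app.js"></script>
      <script>/* loader stub injects connect.facebook.net/en_US/fbevents.js */
        fbq('init', '000000000000000'); fbq('track', 'PageView');</script></head>
      <body><noscript><img height="1" width="1"
        src="https://www.facebook.com/tr?id=000000000000000&amp;ev=PageView"/></noscript>
      <form action="/schedule" method="post">
        <select name="appointment_type"><option>Oncology consult</option></select>
        <input type="text" name="patient_name"><input type="submit" value="Book">
      </form></body></html>""",
    "https://www.example.org/locations": """
      <script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
      <script>gtag('config', 'G-EXAMPLE');</script>
      <script src="https://widgets.example.net/chat.js"></script>
      <p>Find a location near you.</p>""",
    "https://portal.example.org/login": """
      <script src="https://portal.example.org/js/login.js"></script>
      <form><input type="text" name="username">
      <input type="password" name="password"></form>""",
}


def run_samples():
    return {u: audit_page(u, h, FIRST_PARTY).verdict for u, h in SAMPLE_PAGES.items()}


if __name__ == "__main__":
    for url, verdict in run_samples().items():
        print(f"{verdict:6} {url}")
```

Static HTML review only sees code present in the markup; scripts injected at runtime by a tag manager need a check of the network requests a rendered page actually makes.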

The post Advocate Aurora Health: Website Tracking Code May Have Impermissibly Disclosed PHI of 3 Million Patients appeared first on HIPAA Journal.

New York State Fines EyeMed $4.5 Million for Phishing Attack and 2.1M-Record Data Breach

The New York State Department of Financial Services (DFS) has agreed to settle an investigation of EyeMed Vision Care (EyeMed) into potential violations of the DFS Cybersecurity Regulation for $4.5 million.

EyeMed is an Ohio-based licensed health insurance company, which collects and stores sensitive consumer information as part of its business practices. EyeMed Vision Care was investigated by the DFS after EyeMed disclosed it had been the victim of a phishing attack and data breach that was discovered on July 1, 2020. An employee responded to a phishing email and disclosed credentials to a shared EyeMed mailbox that contained more than 6 years’ worth of non-public consumer information, including the information of minors, related to vision benefits enrollment and coverage. After accessing the account, malicious actors used it to send more than 2,000 phishing emails to EyeMed clients to trick them into disclosing their EyeMed login credentials. EyeMed was alerted to the breached email account when its clients complained about receiving phishing emails from EyeMed.

EyeMed’s investigation confirmed the email account had been accessed by unauthorized individuals on June 24, 2020, and continued until July 1, 2020, when the breach was discovered and access to the email account was terminated. The email account contained the information of approximately 2.1 million individuals, including the data of 98,632 New York residents.

The DFS determined that EyeMed was in violation of the DFS Cybersecurity Regulation (23 NYCRR Part 500) due to the failure to implement multi-factor authentication for its email environment. EyeMed had also failed to limit user access privileges, as nine employees shared login credentials for the affected email account. Further, EyeMed had failed to implement sufficient data retention limits on information in the email account and had not implemented sufficient data disposal processes. If multifactor authentication had been implemented, the data breach could have been prevented, and proper data retention and disposal practices would have lessened the severity of the data breach if it was not possible to prevent it.

Further investigation revealed EyeMed had not conducted a comprehensive risk assessment, which is one of the core requirements of the DFS cybersecurity regulation. If a risk assessment had been conducted, it would have highlighted the shared login credentials, lack of multifactor authentication, and lack of data retention/disposal policies. Those risks could then have been managed and reduced to a low and acceptable level. DFS also determined that EyeMed’s cybersecurity certifications for the calendar years 2018 through 2021 were improper.

In addition to paying the financial penalty, EyeMed has agreed to conduct a comprehensive cybersecurity risk assessment and develop a detailed action plan that describes how the risks identified in the assessment will be addressed. The risk assessment and action plan must be reviewed and approved by the DFS.

“It is critically important that consumers’ non-public information is kept safe from potential criminal activity, and DFS’s first-in-the-nation cybersecurity regulation requires New York-regulated entities to take that responsibility seriously,” said New York State Superintendent of Financial Services, Adrienne A. Harris. “This settlement demonstrates DFS’s ongoing commitment to protecting consumers while ensuring the safety and soundness of financial institutions from cyber threats.”

The phishing attack and data breach were also investigated by the Office of the New York Attorney General, which arrived at similar conclusions and fined EyeMed $600,000 in January 2022.

235,000 Keystone Health Patients Affected by August 2022 Cyberattack

Chambersburg, PA-based Keystone Health has recently announced that it fell victim to a cyberattack on August 19, 2022, which caused temporary disruption to its computer systems. Steps were immediately taken to restore the security of its systems and prevent further unauthorized access, and a third-party cybersecurity firm was engaged to investigate the breach and determine how the hackers gained access to its systems and the scope of the breach.

The forensic investigation revealed the hackers first gained access to its systems on July 28, 2022, with access terminated on August 19. During that time, files were accessed that contained patients’ protected health information, including names, Social Security numbers, and clinical information. A comprehensive review of those files confirmed they contained the information of 235,237 patients.

Law enforcement was notified about the cyberattack and all affected individuals have been notified by mail. Credit monitoring services are being offered to eligible patients. Keystone Health said it is implementing additional security measures to prevent further incidents of this nature, and employees have been provided with additional security awareness training.

Lifespire Services Provides Update on February 2022 Cyberattack

Lifespire Services, a New York-based provider of services to people with developmental disabilities, has provided an update on a security incident that was first disclosed in April 2022. The incident in question was detected on February 8, 2022, and caused disruption to its computer systems. Lifespire engaged a digital forensics company that determined that unauthorized individuals had access to its systems between January 14, 2022, and February 8, 2022, and during that time patient information may have been accessed.

A comprehensive review was conducted on all files on the compromised parts of its network, and that process took until October 7, 2022. Lifespire confirmed that the protected health information of 15,375 patients was compromised, including names, addresses, Social Security numbers, dates of birth, driver’s license numbers, passport numbers, bank account information, credit card information, medical diagnosis/treatment information, Medicare/Medicaid numbers, and health insurance information.

Lifespire said it is unaware of any instances of misuse of patient data but has offered affected individuals free access to credit monitoring and identity protection services. Policies and procedures related to network security have also been updated in response to the data breach.

Investigations into data breaches and reviews of affected files can take several weeks or months. Lifespire should be commended for issuing a notification to patients about the attack in April, even though the file review had yet to be completed. Prompt notification is a requirement of the HIPAA Breach Notification Rule and is important for patients, as it allows them to take appropriate steps to protect themselves against misuse of their information. Many healthcare organizations wait until the document review is completed before announcing a breach, which could be several months after data has been stolen.

Patient Information Potentially Compromised in Phishing Attack on Presbyterian Healthcare Services

Albuquerque, NM-based Presbyterian Healthcare Services recently said the protected health information of 2,624 patients was stored in an employee email account that was accessed by an unauthorized third party following a response to a phishing email.

The security breach was detected on July 8, 2022, with the subsequent investigation determining a single email account was accessed intermittently between March 21, 2022, and July 8, 2022. A review of the account confirmed no financial information was compromised; however, there may have been unauthorized access to names, dates of birth, Social Security numbers, medical record numbers, health insurance information, and limited clinical information related to billing, such as diagnosis codes and treatment information.

The review of the account is ongoing, but notification letters have started to be sent to affected individuals. Complimentary credit monitoring and identity theft protection services have been offered to patients whose Social Security numbers were exposed. Additional security awareness training has been provided to the workforce and email security enhancements are being implemented.

This is not the first incident of this nature to be reported by Presbyterian Healthcare Services. In August 2019, a major email breach was reported that affected 1,120,629 patients. Just over a year later, a hacking incident resulted in the exposure of the PHI of 193,223 patients.

VisionWeb Data Breach Affects Up to 35,900 Individuals

Austin, TX-based VisionWeb Holdings, a provider of Internet-delivered software solutions for the eye care industry for improving practice efficiency, has recently reported a data breach to the HHS’ Office for Civil Rights that has affected up to 35,900 patients.

According to the breach report sent to the HHS on October 3, 2022, unauthorized individuals gained access to its email environment which contained patient information. The breach was also reported to the Texas Attorney General, with that report stating that names, Social Security numbers, government-issued identification numbers, medical information, and health insurance information had potentially been compromised. Individual notifications started to be sent to affected individuals on October 3, 2022, along with information on the steps they can take to protect against identity theft and fraud.

This post will be updated when further information about the breach becomes available.

Eventus WholeHealth Announces Email Account Breach

Durham, NC-based Eventus WholeHealth has recently confirmed that the email account of an employee has been accessed by an unauthorized individual. Suspicious email account activity was detected on June 1, 2022, and immediate action was taken to secure the account. The investigation into the breach confirmed on August 17, 2022, that an unauthorized third party had accessed the account and may have viewed or copied sensitive patient data, although no specific evidence of unauthorized data access or data theft was discovered.

Eventus said the breach was confined to a single email account and explained that the account had multifactor authentication in place, but that it failed to prevent unauthorized access. Individual notifications are being sent to affected individuals, who will be told the exact types of information that have been exposed. Those data types were not detailed in the breach notification sent to the Montana Attorney General. Affected individuals are being offered complimentary credit monitoring and identity theft protection services.

The incident has yet to appear on the HHS’ Office for Civil Rights website, so it is unclear how many individuals have been affected.

Radiology Associates of Albuquerque Notifies Patients About Security Breach That Started in December 2020

Radiology Associates of Albuquerque (aka RAA Imaging/Advanced Imaging, LLC) has recently notified patients that some of their protected health information was stolen in a cyberattack that was detected more than 12 months previously. RAA said suspicious activity was detected within its environment in August 2021. Prompt action was taken to secure its systems and prevent further unauthorized access, and an investigation was launched to determine the nature and scope of the incident.

The forensic investigation confirmed that unauthorized individuals had access to certain systems between July 22, 2021, and August 3, 2021, and copied files from its network that contained patient data. The investigation also uncovered unauthorized access to email accounts, with the email accounts accessed by unauthorized individuals at various points over the preceding 8 months, between December 22, 2020, and July 15, 2021.

RAA explained in a substitute breach notice on its website that the delay in issuing notifications was due to the time taken to investigate the incident. RAA said the review and cataloging of the affected files took until July 2022 to complete, then it took until September 2022 to verify up-to-date contact information. Notification letters have now started to be sent to affected individuals – 22 months after the first email account was breached, and 14 months after files containing PHI were removed from its systems.

The types of data potentially obtained by the attackers varied from individual to individual, and may have included the following data elements: name, contact information, demographic information, diagnosis, treatment information, information regarding mental/physical condition, medical record number, patient number, health insurance information, billing/claim information, Medicaid/Medicare information, biometric data, electronic signature, email/username and password/pin, marriage certificate, mother’s maiden name, vehicle information (VIN, license plate number), financial account and/or credit/debit card information, driver’s license or state/federal identification number, and/or Social Security number.

RAA said steps have been taken to improve security and better protect patient data and affected individuals have been offered complimentary credit monitoring and identity theft protection services. RAA has not publicly disclosed how many people have been affected. This post will be updated when the scale of the breach is known.

70,000 Valle del Sol Community Health Patients Affected by Cyberattack

Phoenix, AZ-based Valle del Sol Community Health has notified 70,268 patients that some of their protected health information has been exposed. Valle del Sol did not state in its notification letters when hackers gained access to its network, or for how long they had access, but did confirm that the unauthorized activity was detected on January 25, 2022.

Valle del Sol immediately took steps to secure its network and prevent further unauthorized access and engaged an independent cybersecurity firm to investigate the breach to determine if patient data had been accessed. Valle del Sol said the investigation indicated unauthorized individuals had access to files containing sensitive patient data and that patient information may have been acquired. A comprehensive review was conducted of all files that may have been accessed, which was completed on July 18, 2022.

The delay in sending notification letters was due to the length of the investigation, then having to verify up-to-date contact information. The verification of addresses concluded on September 1, 2022. Valle del Sol explained in its October 5, 2022, website notification that arrangements were then made to notify affected individuals. Steps have also been taken to strengthen security to prevent similar incidents in the future. Valle del Sol said it has not received any reports from patients to suggest any misuse of their data.

The exposed information included names, dates of birth, Social Security numbers, driver’s license numbers, clinical/diagnosis information, health insurance member ID numbers, medical record numbers, and Medicare or Medicaid numbers. Complimentary credit monitoring and identity theft protection services do not appear to have been offered to affected individuals.

Legacy Post Acute Care Announces Breach of Employee Email Accounts

Martinez, CA-based Legacy Post Acute Care has recently confirmed that multiple employee email accounts have been accessed by an unauthorized individual, who may have viewed or acquired the protected health information of certain patients.

Legacy Post Acute Care explained in its breach notification letters that an investigation was launched after suspicious activity was detected in its email environment. The investigation determined on September 12, 2022, that multiple employee email accounts were compromised between January 19, 2022, and March 3, 2022.

The review of emails and attachments confirmed the following types of information had been exposed: full names, along with one or more of the following data elements: Social Security number, date of birth, driver’s license number, state ID number, financial information, clinical/treatment information, health insurance carrier, health insurance member ID/group number, medical provider name, medical record number, patient account number, and prescription information.

Legacy Post Acute Care said no evidence of misuse of patient data was uncovered; however, as a precaution against identity theft and fraud, affected individuals have been offered complimentary 12-month memberships to a credit monitoring and identity theft protection service. The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Berkshire Farm Center & Services for Youth Confirms Server and Email Account Breaches

Canaan, NY-based Berkshire Farm Center & Services for Youth has confirmed that an unauthorized third party gained access to certain servers and potentially viewed or obtained files containing protected health information. The breach was detected on July 15, 2022, its systems were immediately secured, and an investigation was launched to determine the nature and scope of the incident. The review of the affected files is ongoing.

Berkshire also announced that on or around August 9, 2022, it was determined that an employee email account was accessed by an unauthorized individual. It is unclear if these two incidents are related. Berkshire said the review of the email account confirmed it contained the names of 951 individuals and information related to the treatment provided. No evidence of data theft or misuse of information has been detected.

Data Breach Impacts More Than One Dozen Anesthesia Providers

A major data breach has occurred at the management company of multiple providers of anesthesia services to hospitals. According to a media breach notice from one of the affected providers, Anesthesia Associates of El Paso, the data breach occurred at its unnamed management company on July 15, 2022.

Unauthorized individuals gained access to the IT systems used by the management company and potentially viewed or obtained sensitive patient information, including patient names, addresses, health insurance policy numbers, payment information, Social Security numbers, and diagnosis and treatment information.

Details about the data breach are scant, so the exact nature of the unauthorized access and data breach is not known at present. Anesthesia Associates of El Paso said the management company has taken steps to contain the breach and has implemented additional security controls to prevent further unauthorized access and to better protect patient information.

At this stage, credit monitoring and identity theft protection services do not appear to have been offered to affected individuals, who have been advised to monitor their credit reports and financial statements and to report any suspicious activity. Individual notifications are being mailed to affected individuals.

At present, HIPAA Journal can confirm that at least 13 providers of anesthesia services have been affected, resulting in the exposure and potential theft of the protected health information of more than 380,104 individuals.

This post will be updated as further information about the security incident is obtained.

| Affected Entity | Individuals Affected |
|---|---|
| Providence WA Anesthesia Services PC | 98,643 |
| Palm Springs Anesthesia Services PC | 58,513 |
| Anesthesia Associates of El Paso PA | 43,168 |
| Anesthesia Services of San Joaquin PC | 44,015 |
| Resource Anesthesiology Associates PC | 37,697 |
| Resource Anesthesiology Associates of IL | 18,321 |
| Bronx Anesthesia Services PC | 17,802 |
| Resource Anesthesiology Associates of CA | 16,001 |
| Anesthesia Associates of Maryland LLC | 12,403 |
| Hazleton Anesthesia Services PC | 13,607 |
| Upstate Anesthesia Services PC | 9,065 |
| Fredericksburg Anesthesia Services LLC | 7,069 |
| Lynbrook Anesthesia Services PC | 3,800 |
| Total | 380,104 |

CommonSpirit Health Confirms System Outages Caused by Ransomware Attack

On October 3, 2022, CommonSpirit Health experienced a data security incident that forced it to take systems offline, including its electronic health record (EHR) and other critical IT systems. These steps were taken to protect systems from damage, contain the breach, and prevent unauthorized access to sensitive data. CommonSpirit Health issued a statement on October 4, 2022, that provided a brief explanation of the incident, stating there was an IT issue that was being investigated that had resulted in system outages at some of its hospitals and care facilities. CommonSpirit Health is one of the nation’s largest health systems and is the second-largest non-profit health system in the United States, consisting of around 1,500 clinics and hospitals in 21 states. CommonSpirit Health was formed by the merger of CHI Health and Dignity Health in 2019.

Soon after the incident, hospitals and other care facilities across the United States started to confirm that they had been affected, making it clear that the incident was having an impact nationwide. Several CHI Health facilities confirmed they had been affected and were operating under emergency procedures due to the lack of access to essential IT systems. Hospitals in Iowa, Illinois, Nebraska, Tennessee, and Washington all stated that the incident had affected them.

CHI Health issued a statement confirming the incident at CommonSpirit Health was having an impact on some CHI Health facilities, and that as a precautionary step, some of its systems were taken offline. Due to patient safety concerns, the decision was taken to cancel, postpone, or reschedule some patient appointments and procedures, access to the patient portal was temporarily suspended, and offline procedures were being followed for processing and managing prescription medications.

These measures were necessary to contain the attack and prevent damage to systems; however, they are having a significant impact on patients, who face delays in receiving medical care. Many are also struggling to get the medications they need to manage their health conditions. MercyOne, the operator of 230 healthcare facilities in Iowa, said the incident took its online scheduling system offline, which has prevented the system from being used to schedule online appointments in Central Iowa.

Several individuals claiming to be employees and patients of CommonSpirit Health have taken to social media sites to voice their concerns. Patients have claimed they have been unable to obtain medical care and prescriptions, including medications for managing cancer at home. Individuals claiming to be employees have explained that it has been a nightmare for staff due to having to work with paper charts. One nurse took to Reddit to explain that staff at the hospital have been unable to access the Downtime Epic EHR system to see patient histories, with the pharmacy unable to verify orders and having to handwrite labels, with labs having to be handwritten and faxed. It has now been 11 days since the attack and the disruption is still being experienced with IT systems still offline.

Ransomware Attack Confirmed

No details were initially released about the exact nature of the incident, although security researcher Kevin Beaumont said on Twitter shortly after the attack that the incident response chatter he had heard made it clear that this was a ransomware attack. That has now been confirmed by CommonSpirit Health. HIPAA Journal has not been able to establish at this stage which group is responsible for the attack.

CommonSpirit Health said in a recent update that the incident is an ongoing situation and the response is being managed, with assistance provided by leading cybersecurity specialists. Law enforcement, the Department of Health and Human Services, and other authorities have also been notified about the attack and are providing support.

CommonSpirit Health said that throughout the response, the priority has been to continue to provide the highest quality of care to its patients and ensure patient safety. A forensic investigation is underway to determine the extent of the attack and reviews are being conducted of its systems to determine if there has been any data impact. That process could take some time and further information will be made available when conclusions have been drawn from the investigation.

CHI Health facilities have been affected and are still facing disruption. CommonSpirit Health said it is working hard to bring systems back online safely and will restore functionality as fast as possible. CommonSpirit Health has confirmed that there has been a minimal impact on the systems used by Dignity Health and Virginia Mason Medical Center.

United Health Centers of the San Joaquin Valley Proposes Settlement to Resolve Data Breach Lawsuit

United Health Centers of the San Joaquin Valley (UNC) has proposed a settlement to resolve a class action lawsuit filed on behalf of patients affected by its August 2021 Vice Society ransomware attack.

The attack in question saw the ransomware actors gain access to its network and exfiltrate files that contained patient information such as names, Social Security numbers, medical record numbers, dates of birth, and treatment information, with the information copied from its systems between August 24, 2021, and August 28, 2021. Notification letters about the attack and data breach were issued four months after the attack in December 2021. Affected individuals were offered complimentary 12-month memberships to a credit monitoring and identity theft protection service.

A lawsuit was filed in the Fresno County Superior Court – Avetisyan v. United Health Centers of the San Joaquin Valley – by attorney Matthew R. Wilson on behalf of UNC patient, Narek Avetisyan, and other individuals similarly affected by the data breach. The lawsuit alleged negligence, invasion of privacy, and violations of the California Confidentiality of Medical Information Act and the Consumer Records Act.

UNC said it has implemented and maintains “meritorious defenses” to prevent attacks of this nature and accepts no wrongdoing for the data breach or liability, and while UNC said it was happy to vigorously defend the lawsuit, the decision was made to try to settle the lawsuit to avoid ongoing legal costs and the uncertainty of trial.

Under the terms of the proposed settlement, affected individuals will be entitled to three years of credit monitoring and identity theft protection services, even if they choose to exclude themselves from the settlement. Individuals who accept the settlement will be entitled to submit a claim for up to $500 for non-economic losses due to the data breach and can claim up to $2,500 as reimbursement for documented losses that can be reasonably attributed to the cyberattack.

Individuals who wish to object to or exclude themselves from the settlement must do so by November 19, 2022, which is also the final date for submitting claims for reimbursement. A fairness hearing has been scheduled for February 8, 2023.
