HIPAA Breach News

Cyberattacks Reported by Heartland Alliance and CentraState Medical Center

The Chicago, IL-based social justice and human rights organization, Heartland Alliance, announced on December 15, 2022, that it was the victim of a cyberattack. The security breach was discovered on January 26, 2022, and prompt action was taken to secure its systems to prevent further unauthorized access. A leading third-party cybersecurity firm was engaged to investigate the incident.

On April 27, 2022, Heartland Alliance confirmed that an unauthorized individual had gained access to its network and potentially accessed or obtained files containing sensitive personal information. A lengthy review process was then initiated to determine the extent of the data breach and to obtain up-to-date contact information for the affected individuals. That process was completed in December 2022.

Heartland Alliance has confirmed that the protected health information of individuals who sought health care or participated in other Heartland programs was potentially compromised, along with the personal information of employees, directors, and independent contractors. The data involved varied from individual to individual and may have included one or more of the following data types: names, dates of birth, Social Security numbers, driver’s license numbers, bank account numbers, and medical/health information. Heartland Alliance said it is unaware of any actual or attempted misuse of that information.

Notification letters were sent to affected individuals on December 15, 2022, and a one-year membership to an identity and credit monitoring service has been offered. Heartland Alliance has also confirmed that it has upgraded its IT security systems to prevent similar security breaches in the future.

CentraState Medical Center Facing Ongoing Disruption Following Late December Cyberattack

CentraState Medical Center in Freehold, NJ, has been dealing with a cyberattack that occurred on or around December 30, 2022. The cyberattack was detected during a shift change around 7 am when computer systems started to malfunction. As a precaution, the medical center went on full diversion, with ambulances directed to alternative facilities while the cause of the IT system outage was investigated.

Tom Scott, President and CEO of CentraState Medical Center, confirmed that the disruption was due to a cyberattack that affected certain IT systems. Systems were promptly isolated to contain the attack and an investigation was launched to determine the nature and scope of the breach. Employees have been recording patient data manually while IT systems are out of action, and extra staff have been brought in to deal with the increased workload.

CentraState Medical Center issued an update on January 3, 2023, confirming that the usual high standards of patient care are being maintained, but some services at the medical center continue to be affected, including outpatient radiology, radiation treatment, mammography, labs, and catheterization lab services. Scheduled inpatient procedures are continuing as normal, but some outpatient appointments have been postponed or rescheduled.

No timescale has been provided on when systems will be fully restored, and no information has been disclosed on the exact nature of the attack. It is also unclear at this early stage of the investigation if, and to what extent, patient data was involved.

The post Cyberattacks Reported by Heartland Alliance and CentraState Medical Center appeared first on HIPAA Journal.

Ransomware Attack at Fitzgibbon Hospital Affects 112,000 Patients

Back in June 2022, HIPAA Journal reported on a cyberattack on Fitzgibbon Hospital in Marshall, MO, after being contacted directly by a spokesperson for a threat group called DAIXIN Team, who claimed responsibility for the attack. That individual said the hospital’s systems had been compromised and 40GB of data had been exfiltrated, which included files containing patient names, dates of birth, medical record numbers, patient account numbers, Social Security numbers, and medical and treatment information. Some of that information was released on the group’s dark web data leak site.

Six months after the attack, the hospital has now confirmed that a data breach occurred involving the protected health information of 112,072 patients. According to Fitzgibbon Hospital, the attack was detected on June 6, and an investigation was immediately launched to determine the nature and scope of the breach. Third-party cybersecurity professionals were engaged to investigate and, according to the December 2022 breach notice, that investigation is still ongoing. Fitzgibbon Hospital said it discovered on December 1, 2022, that some patient data had been compromised in the attack, including “full names, Social Security numbers, driver’s license numbers, financial account numbers, health insurance information, and/or medical information,” with the data involved varying from individual to individual.

Fitzgibbon Hospital said it is unaware of any misuse of the stolen data at the time of issuing notifications to patients, which were sent on December 30, 2022, and that, “out of an abundance of caution,” individuals whose Social Security numbers were involved have been offered complimentary credit monitoring services. Fitzgibbon Hospital confirmed that it had taken many steps to protect patient information prior to the cyberattack and continually evaluates and modifies its practices to enhance the security and privacy of its patients’ information. This includes the education and counseling of its workforce regarding patient privacy matters.

Howard Memorial Hospital Announces December 2022 Cyberattack

Howard Memorial Hospital in Nashville, AR, has recently announced that it detected suspicious activity within its computer network on December 4, 2022. Prompt action was taken to secure the network and investigate to determine the nature and scope of the incident, with third-party cybersecurity professionals engaged to assist with that process. On December 29, 2022, the hospital confirmed that unauthorized individuals had gained access to its network on November 14, 2022, and access remained possible until December 4, 2022, when its network was secured.

During that time the threat actor had access to and exfiltrated certain files, some of which contained patient information. It is unclear how many individuals have been affected as the review of the affected files is ongoing, but it has been confirmed that information such as names, contact information, dates of birth, and Social Security numbers was involved, along with employee data that may also have included direct deposit bank account information. Notification letters will be sent to affected individuals when they have been identified and up-to-date contact information has been obtained.

Diagnostic Lab Settles Medical Record Access Case for $16,500

The HHS’ Office for Civil Rights (OCR) has announced its first HIPAA enforcement action of 2023, which serves as a reminder that individuals and their personal representatives must be provided with timely access to their medical records. Life Hope Labs, LLC, has agreed to settle the case and will pay a $16,500 penalty.

43 Enforcement Actions for HIPAA Right of Access Failures

The HIPAA Right of Access requires covered entities to provide a copy of an individual’s protected health information that is maintained in a designated record set within 30 days of receipt of that request. In certain circumstances, a delay of up to 30 days is permitted, provided the individual is notified about the reason for the delay and the individual is informed in that response when the request will be satisfied.

OCR launched a new HIPAA compliance initiative in the fall of 2019 targeting organizations that were not providing individuals and their personal representatives with a copy of the requested medical records in a timely manner, and organizations that were charging unreasonable fees for providing those records. Including the latest settlement, OCR has imposed financial penalties on 43 healthcare organizations for potential HIPAA Right of Access violations.

Life Hope Labs Enforcement Action

Life Hope Labs is a Sandy Springs, GA-based full-service diagnostic laboratory. On August 24, 2021, OCR received a complaint from the personal representative of a patient’s estate for the medical records of the decedent. The complainant alleged a request had been made with Life Hope Labs on July 7, 2021, but the records were not provided. It took Life Hope Labs seven months (225 days) from the initial request to provide those records. The complainant – the daughter of the decedent – received the complete set of records on February 16, 2022. OCR confirmed that the delay in providing the requested records was a violation of the HIPAA Right of Access, as detailed in 45 C.F.R. § 164.524.

Life Hope Labs agreed to settle the case with OCR and paid a $16,500 penalty to settle the potential HIPAA Right of Access violation, with no admission of wrongdoing. Under the terms of the settlement, Life Hope Labs is required to adopt a corrective action plan that includes the requirement to develop, maintain, and revise, as necessary, written policies regarding the HIPAA Privacy Rule, including the right of patients to access and obtain a copy of their PHI and to distribute those policies to all members of the workforce. HIPAA training on those policies must also be provided to all new staff members within 30 days of commencing employment. The settlement also includes two years of monitoring.

“Access to medical records, including lab results, empowers patients to better manage their health, communicate with their treatment teams, and adhere to their treatment plans. The HIPAA Privacy Rule gives individuals and personal representatives a right to timely access their medical records from all covered entities, including laboratories,” said OCR Director Melanie Fontes Rainer. “Laboratories covered by HIPAA must follow the law and ensure that they are responding timely to records access requests.”

Avalon Healthcare Settles HIPAA Case with Oregon and Utah State AGs and Pays $200,000 Penalty

Avalon Healthcare has agreed to settle alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) and state laws with the Oregon and Utah Attorneys General that were uncovered during an investigation of a 2019 breach of the personal and protected health information of 14,500 of its employees and patients.

Avalon Healthcare is part of the Avalon Health Care Group and provides skilled nursing, therapy, senior living, assisted living, and other medical services throughout Oregon, Utah, California, Nevada, Washington, and Hawaii. In July 2019, an employee responded to a phishing email and disclosed credentials that allowed an email account to be accessed by unauthorized individuals. The account contained sensitive information such as names, addresses, Social Security numbers, dates of birth, driver’s license numbers, medical treatment information, and some financial information. It took 10 months from the date of the breach for the incident to be reported to the HHS and state attorneys general, and for affected individuals to be notified.

Oregon Attorney General Ellen Rosenblum and Utah Attorney General Sean Reyes launched an investigation into the data breach that focused on the email security practices at Avalon Healthcare and compliance with the HIPAA Security and Breach Notification Rules and state data breach notification statutes. The HIPAA Breach Notification Rule requires notifications to be issued about breaches of protected health information without unreasonable delay and no later than 60 days from the date of discovery of the breach. In Oregon, data breach notifications must be issued in the most expeditious manner possible, and no later than 45 days after the date of discovery of the breach. The investigation uncovered potential violations of the Oregon Unlawful Trade Practices Act and HIPAA with respect to breach notifications and data security. Avalon Healthcare agreed to settle the case to avoid further controversy and expense.

Under the terms of the settlement, Avalon Healthcare has agreed to comply with the requirements of state laws and HIPAA and will develop, implement, and maintain an information security program that includes reasonable data security practices to ensure all personal information and protected health information is adequately protected. An individual will be designated as having overall control of the information security program and a HIPAA compliance officer will be appointed. The information security program will include logging and monitoring of the network, multi-factor authentication, email filtering, and at least twice-yearly security awareness training for the workforce. Security awareness training must cover phishing and social engineering, and include phishing simulation exercises. Avalon Healthcare has also agreed to develop, implement, maintain, and test a data incident response plan and to implement and maintain a risk assessment and risk management program. Avalon Healthcare will also revise its email data retention policies to ensure that data is only kept in email accounts for as long as there is a legal basis to retain the information and all emails containing PHI will be encrypted.

In addition to the commitment to compliance with HIPAA and state laws, Avalon Healthcare will pay a $200,000 financial penalty, which will be split equally between the Oregon and Utah state attorneys general and will be used to pay for legal fees, investigation costs, and the future enforcement of compliance with HIPAA and state laws.

“Companies, like Avalon, that retain consumers’ protected health information, have a duty to keep this data safe from unauthorized access,” said Attorney General Rosenblum. “Avalon dealt with the personal health-related information of some of our most vulnerable residents. Close to 2,000 Oregonians assumed—incorrectly—their information was safe with Avalon. Data breaches continue to be a problem in Oregon, and we are committed to working with companies to make sure they have the highest data privacy safeguards in place.”

Fertility Centers of Illinois Proposes $450,000 Settlement to Resolve Data Breach Lawsuit

Fertility Centers of Illinois has proposed a $450,000 settlement to resolve a lawsuit filed on behalf of patients and employees who were affected by its February 2021 data breach.

On February 1, 2021, hackers gained access to the network where sensitive employee and patient information was stored, including names, employee ID numbers, Social Security numbers, passport numbers, financial account and payment information, diagnoses, treatment information, medical record numbers, billings and claims information, occupational health information, Medicare/Medicaid information, and usernames and passwords with PINs or account login information.

The investigation of the breach took six months, but it then took a further four months for affected individuals to be notified. Notification letters were finally sent in December 2021 and the data breach was reported to the HHS’ Office for Civil Rights on December 27, 2021, as affecting 79,943 patients. It should be noted that the HIPAA Breach Notification Rule requires the HHS and affected individuals to be notified about breaches of protected health information within 60 days of the discovery of a data breach.

The lawsuit – Monegato, et al. v. Fertility Centers of Illinois PLLC – was filed in the Circuit Court of Cook County, IL, and takes issue with the length of time it took to issue notifications, alleging Fertility Centers of Illinois unnecessarily delayed notifications, attempted to conceal the severity of the breach, and misrepresented the nature of the breach and the threat posed to affected individuals. The lawsuit also alleges Fertility Centers of Illinois failed to adequately protect patient data, with the alleged lack of safeguards and breach notification delay in violation of Illinois law.

The alleged security failures include storing protected health information (PHI) and personally identifiable information (PII) in multiple locations, each with different security safeguards; a failure to adequately train employees on security protocols; and inadequate security measures for protecting PHI/PII. The lawsuit also alleges an ineffective breach response that took six months to determine that hackers had accessed PHI/PII. In addition, the breach notification letters stated, in bold and underlined text, that electronic medical records had not been accessed, when the next paragraph made it clear that the information contained in medical records had in fact been accessed.

The lawsuit claims victims of the data breach now face a lifetime risk of identity theft and fraud, they will continue to suffer damages, including monetary losses, lost time, anxiety, and emotional distress, and have lost the opportunity to control how their PHI/PII is used, suffered a diminution in value of their PII and PHI, and will have to deal with the continuing publication of their PII and PHI. Despite these risks, only 12-24 months of identity theft protection services were provided.

Fertility Centers of Illinois has not admitted any wrongdoing and chose to settle the lawsuit to avoid further legal costs and the uncertainty of trial. Under the terms of the settlement, individuals affected are entitled to submit a claim for up to $450 for ordinary losses such as out-of-pocket expenses incurred as a result of the data breach, and reimbursement for up to four hours of lost time at $20 per hour. Claims up to the value of $5,000 are permitted for documented extraordinary losses incurred between February 1, 2021, and June 5, 2023, that are not covered under ordinary losses. The settlement is capped at $450,000 and claims will be paid pro rata if that amount is reached. In addition, all affected individuals are entitled to claim an additional 24 months of credit monitoring services (via Pango) from the effective date of the settlement.

Scripps Health Proposes $3.5M Settlement to Resolve Class Action Ransomware Lawsuit

A settlement has been proposed by Scripps Health to resolve a consolidated class action lawsuit – In Re: Scripps Health Data Incident Litigation – to resolve all claims related to its 2021 ransomware attack.

In April 2021, Scripps Health suffered a ransomware attack that was reported to the Department of Health and Human Services as affecting 147,267 patients. The attack caused major disruption at Scripps Health hospitals. Scripps Health had to redirect ambulances and cancel scheduled appointments, and staff were forced to record patient information on paper while the San Diego-based health system restored its IT systems, a process that took around a month.

The investigation revealed the hackers stole files from its network on April 29, 2021, which contained protected health information such as names, Social Security numbers, driver’s license numbers, and healthcare information, including information stored in medical records. The ransomware attack has proven to be incredibly costly for Scripps Health. Its financial statements show the attack cost at least $113 million in lost revenue.

Multiple lawsuits were filed against Scripps Health in the San Diego County Superior Court in the wake of the data breach on behalf of individuals affected by the ransomware attack. The lawsuits allege Scripps Health failed to implement and maintain adequate security measures to protect patient information and had inadequate policies and procedures for detecting and remediating cyberattacks, despite being aware of the high risk of an attack.

The plaintiffs allege they have suffered lost time, annoyance, interference, and inconvenience as a result of the data breach, including being prevented from accessing the MyScripps patient portal, which is used by patients to access their healthcare information, request prescription refills, manage appointments, and communicate with doctors. The lawsuits sought damages, reimbursement of out-of-pocket expenses, and injunctive relief, requiring Scripps Health to implement adequate security measures to better protect patient data in the future.

Scripps Health has not admitted any wrongdoing and does not accept liability for the ransomware attack and data breach. The decision was taken to settle the lawsuit to prevent further legal costs, avoid the uncertainty of trial, and resolve all claims related to the data breach. Under the terms of the settlement, class members are entitled to submit a claim for a cash payment of up to $100 which is subject to a pro rata increase based on the number of claims received. In addition, class members are entitled to submit claims for documented ordinary and extraordinary losses. The settlement amount is expected to exceed $3.5 million.

Claims for reimbursement of ordinary out-of-pocket losses are permitted up to a maximum of $1,000 per class member. Ordinary losses include unreimbursed bank fees, card re-issuance fees, overdraft fees, over-limit fees, telephone charges, costs of credit reports, and similar losses that can be reasonably traced to the ransomware attack.

Extraordinary losses are those related to identity theft that are fairly traceable to the ransomware attack and were suffered between April 29, 2021, and March 23, 2023. To qualify for reimbursement for extraordinary losses, class members must have made reasonable efforts to avoid suffering losses and to have exhausted available avenues for recovering losses related to identity theft.

Class members wishing to exclude themselves from or object to the settlement have until March 8, 2023, to do so. The deadline for submitting claims is March 23, 2023. The final approval hearing is scheduled for April 7, 2023.

Lake Charles Memorial Health System Cyberattack Affects Almost 270,000 Patients

Southwest Louisiana Health Care System, Inc. has confirmed that the protected health information of up to 269,752 patients of Lake Charles Memorial Health System has been compromised. The Louisiana healthcare system said suspicious activity was detected by its security team on October 21, 2022, and steps were taken to contain the activity and investigate a potential breach. On October 25, it was confirmed that an unauthorized third party had gained access to the network, with the forensic investigation confirming the attack started between October 20 and October 21, 2022, and involved the theft of patient data from the network.

The review of the exfiltrated files determined they contained information such as names, addresses, dates of birth, medical record numbers, patient identification numbers, health insurance information, payment information, and limited clinical information. Some Social Security numbers were also compromised. Notification letters were sent to affected individuals on December 23, 2022, and complimentary credit monitoring and identity theft protection services have been offered to individuals whose Social Security numbers were compromised.

Southwest Louisiana Health Care System did not disclose the exact nature of the cyberattack, but the Hive ransomware gang claimed responsibility. While Hive is known for using ransomware to encrypt files, the gang claims only to have exfiltrated patient data. Files were not encrypted. A ransom demand was issued, payment of which was required to ensure the stolen data was deleted. Payment does not appear to have been made as the Hive gang started dumping the stolen data last month.

FoundCare Email Account Breach Affects 14,000 Patients

The Palm Springs, FL-based federally qualified health center, FoundCare Inc., has announced that unauthorized individuals have gained access to its email environment and potentially viewed or obtained emails and files that contained the protected health information of 14,194 patients.

Suspicious activity was detected within its email environment on September 2, 2022, and a third-party digital forensics firm was engaged to conduct an investigation. FoundCare said it determined on October 18, 2022, that files in the email account contained patient data. The review of those files and verification of patient contact information has recently concluded and notification letters are now being sent to the affected individuals. Data exposed in the attack included names, addresses, email addresses, credit card numbers, Social Security numbers, birth dates, passport numbers, other government ID numbers, medical conditions, diagnoses, treatment information, health insurance information, and internal patient identifiers. FoundCare said the vast majority of individuals only had limited medical information exposed.

FoundCare has implemented additional security measures in response to the breach, including turning on multifactor authentication for all users, blocking basic (legacy) authentication, which cannot enforce MFA and so would otherwise leave a password-only path into mailboxes, adding a warning banner to all emails from previously unseen sender addresses, and providing continuous phishing awareness training to all employees.

Ransomware Attack Affects 6,800 Patients of Midwest Orthopaedic Consultants

Midwest Orthopaedic Consultants in Illinois has announced that unauthorized individuals gained access to its computer network and used ransomware to encrypt files. The cyberattack was detected on September 29, 2022, and steps were immediately taken to contain the attack. A third-party forensic security firm was engaged to investigate the breach and determined that the attackers gained access to the network on September 27, 2022, and exfiltrated certain documents before encrypting files. Midwest Orthopaedic Consultants discovered on November 4 that the files contained patient data, with a comprehensive review of those documents confirming on November 21, 2022, that individually identifiable health information had been exposed such as names, addresses, birth dates, Social Security numbers, driver’s license numbers, diagnosis and treatment information, and health insurance information. Notification letters were sent to affected individuals on December 22, 2022. Midwest Orthopaedic Consultants said the encrypted files were recovered from backups.

Complimentary identity theft protection services have been offered to individuals whose Social Security numbers or driver’s license numbers were compromised and additional technical measures have been implemented to prevent similar incidents in the future. The breach has been reported to the HHS’ Office for Civil Rights as affecting 6,818 patients.

MultiCare Health System Affected by Ransomware Attack on Mailing Vendor

MultiCare Health System in Washington has recently confirmed that the protected health information of more than 23,000 patients has potentially been compromised in a data breach at its mailing vendor, Kaye-Smith. Kaye-Smith detected suspicious activity within its digital environment in June 2022. The forensic investigation revealed hackers had gained access to its systems in May 2022 and later used ransomware to encrypt files. MultiCare Health System was one of several health systems to be affected by the incident.

MultiCare Health System said the attackers may have accessed or acquired files that contained patients’ names, addresses, and Social Security numbers. Kaye-Smith said it has enhanced security and monitoring in response to the incident.

Collections Vendor Data Breach Affects Prairie Lakes Healthcare Patients

Watertown, SD-based Prairie Lakes Healthcare System, which serves patients in South Dakota and Western Minnesota, has recently announced that the protected health information of 1,059 patients has been exposed in a data breach at one of its business associates. Prairie Lakes Healthcare uses AAA Collections, Inc. which does business as Advanced Asset Alliance (AAA), to collect unpaid medical bills.

Between September 5, 2022, and September 7, 2022, hackers gained access to AAA’s systems and potentially obtained files containing the protected health information of patients of Prairie Lakes Healthcare and former Glacial Lakes Orthopaedics patients. An analysis of the files confirmed they contained information such as names, addresses, dates of birth, medical record numbers, provider/facility names, conditions, diagnoses, treatment information, payment information, and dates of service. Notifications were mailed by AAA to affected individuals on December 15, 2022. Prairie Lakes Healthcare said it is working with its vendor to prevent similar events from occurring in the future.

Class Action Data Breach Lawsuit Settled by Morley Companies

Morley Companies has agreed to settle a class action lawsuit filed on behalf of individuals affected by a major data breach that occurred on or around August 1, 2021. A fund of $4.3 million has been created to cover claims from individuals affected by the data breach.

On or around August 1, 2021, Morley Companies, a Saginaw, MI-based provider of business services, suffered a cyberattack in which hackers gained access to parts of its network. Morley Companies said the attack prevented access to its information systems when files were encrypted, with the investigation confirming that the attackers exfiltrated files containing protected health information.

Approximately 628,000 breach notification letters were mailed, and the breach was reported to the HHS’ Office for Civil Rights as involving the protected health information of 521,046 individuals. The breached information included names, addresses, Social Security numbers, birthdates, client identification numbers, medical diagnostic and treatment information, and health insurance information. Morley Companies accepts no liability for the incident and has admitted no wrongdoing but chose to settle the lawsuit to avoid further legal costs and the uncertainty of trial.

Under the terms of the settlement, class members can submit a claim to receive reimbursement of up to $2,500 for documented out-of-pocket expenses that are reasonably traceable to the cyberattack and data breach. These can include unreimbursed losses relating to fraud or identity theft, professional fees including attorneys’ and accountants’ fees, and fees for credit repair services, costs associated with freezing or unfreezing credit with any credit reporting agency, credit monitoring costs incurred on or after August 1, 2021, and miscellaneous expenses such as notary, data charges, fax, postage, copying, mileage, cell phone charges, and long-distance telephone charges (conditions apply).

Class members can also claim up to four hours of lost time at a rate of $20 per hour, and residents of California at the time of the breach can claim a payment of $75. In addition, individuals who did not previously claim the credit and identity monitoring services provided by Morley Companies through IDX will be provided with a new offer and activation code valid for 90 days to claim 3-bureau credit monitoring for a three-year period from the effective date of the settlement. Class members will also be provided with a one-year membership to the Dashlane password management service.

Class members have until February 7, 2023, to object to or exclude themselves from the settlement. Claims must be submitted by March 20, 2023. The final approval hearing for the settlement has been scheduled for April 19, 2023.

The post Class Action Data Breach Lawsuit Settled by Morley Companies appeared first on HIPAA Journal.

Privacy Breaches Reported by Blue Shield of California and VA Medical Center

A round-up of data breaches that have recently been reported to the HHS’ Office for Civil Rights and state attorneys general.

Blue Shield of California

Blue Shield of California has started notifying certain health plan members about a privacy violation by one of its employees. A spreadsheet containing plan members’ names, phone numbers, email addresses, addresses, Social Security numbers, and/or Taxpayer ID numbers was emailed from the employee’s work account to a personal email address on June 17, 2022. Blue Shield of California’s Privacy Officer, David Keystone, said the privacy breach was discovered on October 30, 2022, and the employee was interviewed and instructed to delete the email and any copies of the spreadsheet.

The incident has prompted Blue Shield of California to strengthen its system detection tools to prevent further impermissible disclosures of PHI. As a precaution against identity theft, affected individuals have been offered complimentary access to a credit monitoring and identity theft protection service for 12 months.

HIPAA Journal has not been able to confirm how many individuals have been affected.

Medstar Mobile Healthcare

Medstar Mobile Healthcare, which operates an emergency and non-emergency ambulance service in Tarrant County, TX, has recently announced that it was the victim of a cyberattack in which patient information was potentially compromised. Suspicious network activity was detected on October 20, 2022, and it was later confirmed that an unauthorized third party had gained access to parts of the network where patient data was stored. It was not possible to determine if those files had been accessed or copied. The review of the files revealed that they mostly included only non-financial billing information; however, some individuals also had their full name, date of birth, contact information, and limited medical information exposed. The investigation into the breach is ongoing.

HIPAA Journal has not been able to confirm how many individuals have been affected.

Pediatrics West & Allergy West

Pediatrics West & Allergy West in Massachusetts have notified 1,364 patients that some of their protected health information was stored on a system that was accessed by unauthorized individuals. The breach was detected on October 17, 2022, with the forensic investigation confirming the unauthorized access occurred between August 19, 2021, and August 15, 2022. The files on the system included names, contact information, demographic information, dates of birth, diagnosis and treatment information, prescription information, medical record numbers, provider names, dates of service, and/or health insurance information. Pediatrics West said it has implemented additional safeguards and technical security measures to further protect and monitor its IT infrastructure.

The Louis A. Johnson VA Medical Center

The Louis A. Johnson Veterans’ Administration Medical Center in West Virginia has recently announced a privacy breach involving the protected health information of 736 individuals. An error was made in a mailing to veterans which resulted in their full Social Security numbers being visible on the letters. Affected veterans have been notified by mail and have been offered complimentary access to credit monitoring services. The VA has also formed a work group to investigate mailing processes to assess potential vulnerabilities, and additional controls will be put in place to prevent similar errors in the future.

The post Privacy Breaches Reported by Blue Shield of California and VA Medical Center appeared first on HIPAA Journal.