HIPAA Breach News

34K-Record Data Breach Reported by Aesthetic Dermatology Associates

Pennsylvania-based Aesthetic Dermatology Associates has recently confirmed that its network has been accessed by unauthorized individuals who potentially viewed and/or acquired files containing the personal and protected health information of 33,793 current and former patients.

The cyberattack was detected on August 15, 2022, when suspicious activity was identified within its network. An investigation was launched to determine the nature and scope of the attack, which confirmed that unauthorized individuals had accessed its network, although the nature of the attack and the length of time its network was compromised were not disclosed.

A comprehensive review of all files on the compromised parts of the network was completed on September 3, 2022, and confirmed the breach was limited to names, addresses, dates of birth, diagnosis codes, and health insurance information. Aesthetic Dermatology said a review is being conducted of its policies, procedures, and controls and updates will be made, as appropriate, to improve security. At the time of issuing notifications, no reports had been received to suggest any misuse of patient data.

Records of Almost 6,500 Patients Exposed in Ransomware Attack on Family Medicine Shady Grove

Family Medicine Shady Grove in Rockville, MD, has confirmed that it was the victim of an August 9, 2022, ransomware attack. Unauthorized individuals gained access to an internal server and encrypted files. The healthcare provider confirmed that patient medical records were not affected, as they were stored in a cloud-based system; however, the server did contain explanations of benefits and monthly billing printouts, which contained names, addresses, and dates of birth. No Social Security numbers or credit card information were exposed.

Family Medicine Shady Grove said a computer forensics team was engaged to assist with the investigation and that it was possible to recover and restore the affected files. That process was completed on September 5, 2022. No evidence of data theft was identified during the investigation and there have been no reports that suggest patient data has been misused. Steps have since been taken to improve data security to prevent further attacks in the future. The breach has been reported to the HHS’ Office for Civil Rights as affecting 6,482 patients.

UW Medicine Affected by Ransomware Attack on Mail Service Vendor

UW Medicine in Seattle has confirmed that the protected health information of 3,800 patients was potentially compromised in a ransomware attack on its mail service vendor, Kaye-Smith. The investigation uncovered no evidence to suggest patient information has been misused; however, as a precaution, Kaye-Smith has offered affected individuals complimentary credit monitoring and identity theft protection services.

Kaye-Smith notified UW Medicine about the breach on August 24, 2022, and confirmed that the attackers had access to Patient Account & Support Services statements and letters that were being sent in relation to billing services, which included information such as names, addresses, account numbers, medical record numbers, treatment provider names and descriptions of medical services.

In addition to the 3,800 UW Medicine patients, the breach affected 6,750 patients of Seattle Children’s and 2,857 Geisinger patients; Kaye-Smith Enterprises self-reported the breach as affecting 2,857 individuals.

The post 34K-Record Data Breach Reported by Aesthetic Dermatology Associates appeared first on HIPAA Journal.

Email Breaches Reported by Cardiac Imaging Associates & Centerstone of Tennessee

Cardiac Imaging Associates in Los Angeles, CA, has discovered that an unauthorized individual accessed an employee’s email account. The incident was detected in April 2022, and immediate action was taken to secure its email environment to prevent further unauthorized access. The forensic investigation confirmed the incident was confined to a single employee email account, which was accessed between March 30, 2022, and April 6, 2022. It was not possible to determine whether any emails or file attachments were opened or acquired by the attacker.

A review of all emails and file attachments confirmed they contained protected health information such as names, dates of birth, Social Security numbers, driver’s license numbers, financial account information, payment card information, medical diagnosis and condition information, medical laboratory results information, medication and prescription information, and medical treatment information.

The review of emails was completed on August 17, 2022, and notification letters started to be sent to affected patients on October 7, 2022. Steps have since been taken to improve the security of its email system. It is currently unclear how many individuals have been affected.

Email Breach Affects 3,675 Patients of Centerstone of Tennessee

Centerstone, a Nashville, TN-based provider of behavioral health and addiction services, has reported a breach of its email environment. Unusual activity was detected in the email account of a Centerstone employee on February 14, 2022. The investigation confirmed that several employee email accounts had been accessed by an unknown actor between November 4, 2021, and February 14, 2022.

Those email accounts were discovered to contain the personal and protected health information of current and former Centerstone clients. The review of the affected email accounts concluded on July 12, 2022, and then a search was conducted to identify the up-to-date mailing information for those individuals. Centerstone announced the breach publicly on August 15, 2022.

The breached information varied from individual to individual and may have included the following data types: Name, address, Social Security number, driver’s license or other government ID number, passport number, alien registration number, date of birth, financial account information, biometric information, username and password, medical record number, Medicare and/or Medicaid number, medical diagnosis/treatment information, and/or health insurance information.

Additional safeguards have been implemented to improve the security of its email environment. The breach has been reported to the HHS’ Office for Civil Rights as affecting 3,675 current and former patients of Centerstone of Tennessee.


Doctor Who Provided PHI to Pharma Sales Rep Pleads Guilty to Criminal Violations of HIPAA

A former physician with practices in New Jersey, New York, and Florida has pleaded guilty to criminal violations of HIPAA for disclosing patients’ protected health information to a sales representative of a pharmaceutical firm, according to the U.S. Attorney’s Office of the District of New Jersey.

Frank Alario, 65, of Delray Beach, Florida, pleaded guilty to disclosing patient information to a sales rep, Keith Ritson, who promoted compound prescription medications and other medications to the patients. Compound prescription medications are medications mixed specifically for individual patients when standard FDA-approved medications are determined not to be appropriate, due to an allergy for example. Compound prescription medications are not approved by the FDA but can be legally prescribed by physicians.

The HIPAA Privacy Rule permits disclosures of patients’ protected health information for the purposes of treatment, payment, or healthcare operations; however, other disclosures are only permitted if consent to share information is provided by each patient. Ritson was an outside pharmaceutical representative who was not associated with Alario’s practices, and as such Ritson was not permitted to access the protected health information of Alario’s patients. Permission to disclose the information was not provided by patients.

Alario allowed Ritson to have significant access to his office, patients’ medical files, and other patient information, both inside and outside normal business hours. Ritson was given access to areas of Alario’s office that were restricted to staff members, such as areas with patient files and computers. In addition to allowing access to these areas, Ritson was allowed to look up patient information in files and on computers to identify patients who had insurance coverage that would pay for the compound medications. Ritson would then mark the files of patients whose insurance would pay for the medications so Alario would know which patients to prescribe the medications to.

In some cases, Ritson was allowed to be present during appointments. Alario gave patients the impression that Ritson was a member of staff or was affiliated with the medical practice, and during those appointments sensitive health information would be directly disclosed to Ritson. The information obtained was then used to fill out prescription forms for medications, which would then be authorized by Alario, with Ritson receiving a commission on the prescriptions.

Alario and Ritson were both charged in an indictment for conspiring to violate HIPAA. Ritson’s charges are still pending, with his trial scheduled for November 7, 2022. Alario pleaded guilty and sentencing is scheduled for February 7, 2023. Alario faces a maximum of one year in jail and a $50,000 fine.


Email Breach at CSI Laboratories Impacts Almost 245,000 Patients

Cytometry Specialists, Inc., doing business as CSI Laboratories in Alpharetta, GA, has recently announced that the email account of an employee has been accessed by an unauthorized individual, who may have viewed or obtained the protected health information of 244,850 patients. CSI Laboratories is a leading cancer testing and diagnostics laboratory that serves pathologists, oncologists, and community hospitals throughout the U.S.

The email account breach was detected on July 8, 2022, and the account was immediately secured. The investigation into the incident indicates the purpose of the attack was not to obtain patient information but to use the email account in a business email compromise (BEC) attack: by posing as CSI using a fictitious email address, the attacker sought to redirect payments from CSI’s healthcare provider customers to an account under the attacker’s control. However, the breach investigation confirmed on July 15, 2022, that certain files containing patient information had been copied from the employee’s mailbox.

The files related to invoices sent to CSI’s healthcare provider customers and were most likely obtained to support the BEC scam. The files typically contained only patient names and identifiers (patient numbers), although some files contained further information such as dates of birth and health insurance information. As such, the potential for misuse of patient data is believed to be very low.

In response to the breach, CSI Laboratories has taken steps to enhance the security of its email environment, has provided further training to employees on how to recognize phishing attempts, and has enhanced monitoring of its network and email systems.

CSI Laboratories announced earlier this year that it had suffered a ransomware attack, for which the Conti ransomware gang took credit. The PHI of 312,000 patients was compromised in that attack.

Trillium Health Email Account Breach Exposes PHI of 3,200 Patients

The Rochester, NY-based healthcare provider, Trillium Health, has reported a data security incident that exposed the protected health information of 3,191 patients. On or around August 1, 2022, Trillium Health discovered suspicious activity in the email account of one of its employees. Steps were immediately taken to secure the email account and an investigation was launched to determine the nature and scope of the incident.

Trillium Health confirmed that only one email account was affected and that an unauthorized individual had access to the employee’s mailbox for a short period of time on July 26, 2022. During that period of access, it is possible that the entire contents of the mailbox may have been copied. A review of the emails and attachments confirmed they contained patient information such as names, birth dates, treatment information, medications, diagnoses, and provider information. In very limited instances, more extensive information was potentially compromised.

Trillium Health said it has implemented additional safeguards to prevent further email account breaches, including multi-factor authentication, and has modified its internal email settings.

Keck Medicine of USC Affected by Breach at Business Associate

Keck Medicine of USC has recently announced that it has been affected by a data breach at one of its business associates, Conifer Revenue Cycle Solutions. Conifer provides revenue cycle management and other administrative services, which requires access to patient information. On April 14, 2022, Conifer determined an unauthorized individual gained access to its Office 365 email environment, which contained the information of patients of its healthcare provider clients.

The information potentially compromised included names, dates of birth, addresses, Social Security numbers, driver’s license numbers, state ID numbers, financial account information, medical and/or treatment information such as medical record numbers, provider names, diagnoses and symptoms, and prescription/medication information, and health insurance information. The data exposed varied from patient to patient.

Keck Medicine said its business associate has enhanced its security controls and monitoring practices and has accelerated the implementation of multi-factor authentication. Complimentary credit monitoring services have been offered to affected individuals.


PHI Exposed in Data Incidents at Anthem, WellMed Medical Management and CareOregon

Anthem has confirmed that the protected health information of certain plan members has been compromised in a data breach at its vendor, Choice Health. Choice Health was provided with the data of plan members to perform its contracted duties. On August 5, 2022, Anthem discovered that an unauthorized individual had gained access to a database and downloaded files containing plan members’ protected health information, including names, addresses, dates of birth, phone numbers, email addresses, Medicare ID numbers, and Medicaid ID numbers.

The database was accessible over the Internet due to a misconfiguration by a third-party service provider and was accessed and downloaded on May 7, 2022. Choice Health confirmed that the database has now been secured and that steps have been taken to improve its data security measures to prevent similar incidents in the future, including implementing multi-factor authentication for access to database files. Affected individuals have been offered complimentary credit monitoring services.

The breach affected several Choice Health clients, including Humana. Anthem notified the Maine Attorney General about the breach and said 13,406 AnthemMainHealth members had been affected. The breach also affected certain Anthem Blue Cross members. HIPAA Journal has not yet been able to establish exactly how many Anthem Blue Cross members have been affected.

WellMed Medical Management Warns Patients About Physician Soliciting Business

The San Antonio, TX-based healthcare delivery company, WellMed Medical Management, has warned 10,506 patients that one of its former physicians obtained their records prior to leaving employment with the intention of contacting those individuals to encourage them to become patients of his new clinic.

The records were obtained between February 6, 2022, and May 17, 2022, and contained demographic information such as names, dates of birth, mailing addresses, phone numbers, and email addresses; health insurance information including payer name and health plan identifier; and medical information such as medical record numbers, providers, diagnoses, treatments, medications, and laboratory results. No financial information, Social Security numbers, or driver’s license numbers were taken.

WellMed said it took steps to prevent any further outreach to the patients and notified the appropriate authorities about the HIPAA violation. WellMed has also confirmed that the records taken by the physician have now been recovered. The incident prompted WellMed to reinforce its existing policies and practices and implement additional safeguards to prevent similar incidents in the future.

CareOregon Reports August 2022 Mailing Error

The Portland, OR-based health insurance agency, CareOregon, has recently announced that there has been an impermissible disclosure of a limited amount of the protected health information of 8,022 of its members due to a mailing error.

The incident occurred on August 9, 2022, and saw marketing letters intended for one CareOregon member sent to another member. The only information disclosed was the name and Medicaid ID number of one CareOregon member to another member. CareOregon said it has implemented additional policies and procedures and has provided further training to its employees to ensure similar breaches are avoided in the future.


Netwalker Ransomware Affiliate Sentenced to 20 Years in Jail

An affiliate of the infamous Netwalker ransomware gang has been sentenced to serve 20 years in jail for his role in ransomware attacks on entities in the United States.

Netwalker is a ransomware-as-a-service (RaaS) operation where affiliates are recruited to conduct attacks and deploy ransomware in exchange for a cut of the ransom payments they generate, typically receiving up to 75% of any ransoms paid. After gaining access to a victim’s network, sensitive data would be identified and exfiltrated and used as leverage to pressure victims into paying. Threats were then issued to publish or sell the data if the ransom was not paid. Ransom demands ranged from hundreds of thousands to millions of dollars.

While some RaaS operations ban their affiliates from conducting attacks on healthcare organizations, that was not the case with Netwalker, which actively targeted healthcare organizations around the world. The gang also stepped up attacks on the sector during the COVID-19 pandemic. Victims included the Champaign-Urbana Public Health District and the University of California San Francisco, which had files encrypted on the servers used by its School of Medicine. A ransom of $1.14 million was paid by UCSF for the decryptor to recover essential files.

Sebastien Vachon-Desjardins, 34, from Quebec, a former IT consultant who worked for Public Works and Government Services Canada, was arrested in Canada in January 2021 on suspicion of conducting ransomware attacks as part of a law enforcement crackdown on the Netwalker ransomware gang. Law enforcement searched his home and found 719 Bitcoin with a value of more than $28 million and CAD $640,040 in cash, and seized CAD $420,941 from his bank account.

Vachon-Desjardins pleaded guilty to breaching companies and conducting attacks and also admitted to training other individuals on how to conduct attacks. During the 9 months from May 2020 to January 2021, Vachon-Desjardins is alleged to have earned more than 2,000 Bitcoin for the gang and is estimated to have personally earned more than CAD $30 million in that period. Vachon-Desjardins was charged for the attacks conducted in Canada, was sentenced to serve 6 years and 8 months in jail, and was ordered to pay restitution to 8 victims of his attacks, ranging from $2,500 to $999,239. While awaiting sentencing, Vachon-Desjardins was also sentenced to serve 4.5 years in jail for a separate drug trafficking case.

A law enforcement investigation into the ransomware attacks conducted by Vachon-Desjardins on U.S. firms was also underway, and earlier this year Vachon-Desjardins was extradited to the United States to face charges in Florida, including conducting a ransomware attack on a Tampa-based firm. Vachon-Desjardins entered into a plea deal and pleaded guilty to conspiracy to commit computer fraud, conspiracy to commit wire fraud, causing intentional damage to a protected computer, and transmitting a demand in relation to damaging a protected computer.

Federal sentencing guidelines were in the range of 12-15 years; however, U.S. District Court Judge William F. Jung opted for a much harsher sentence to serve as a deterrent to other would-be ransomware affiliates. Vachon-Desjardins was sentenced to serve 60 months in jail for conspiracy to commit computer fraud and transmitting a demand in relation to damaging a protected computer, 120 months for causing intentional damage to a protected computer, and 240 months for conspiracy to commit wire fraud, with the sentences to run concurrently. Vachon-Desjardins also agreed to forfeit $21.5 million and will have to serve 3 years of supervised release.

During his prison term, Vachon-Desjardins will not be permitted to use a computer capable of connecting to the Internet, including a smartphone, gaming device, or other electronic device. Judge Jung said that were it not for the plea deal, and had the case gone to trial, he would have sentenced Vachon-Desjardins to life in prison.


Mon Health Faces Class Action Lawsuit Over 493K Record Data Breach

Mon Health is facing a class action lawsuit over a hacking incident that allowed unauthorized individuals to gain access to its network for an 11-day period in December 2021. Mon Health said it detected the breach on December 30, 2021, with the forensic investigation determining hackers accessed its network between December 9 and December 19.

Mon Health announced the security breach on February 28, 2022, and confirmed that the hackers had access to the personal and protected health information of 492,861 individuals, including information about patients, employees, providers, and contractors. The information potentially accessed and stolen included names, addresses, birth dates, Social Security numbers, Medicare claim numbers, patient account numbers, health insurance information, medical record numbers, dates of service, provider names, claims information, and medical and clinical treatment information.

The lawsuit, which names Monongalia Health Systems Inc. and affiliated hospitals, Monongalia County General Hospital Co., Stonewall Jackson Memorial Hospital Co., and Preston Memorial Hospital Corp as defendants, was filed in Monongalia County Circuit Court in West Virginia by the Clarksburg law firm, Morgan and Morgan. The lawsuit names Rachel Silbaugh, Robin Stripling, and Michael Stripling as plaintiffs, with all other individuals affected by the breach included as class members.

The lawsuit alleges the data breach occurred as Mon Health failed to implement appropriate cybersecurity measures and was not in compliance with the security standards of the HIPAA Security Rule, alleging negligence, breach of contract, breach of confidence, and breach of implied contract. While the breach notification letters were sent within the maximum timeframe permitted by the HIPAA Breach Notification Rule, the plaintiffs allege those notification letters were untimely and were “woefully deficient” in information about the breach.

Typically, when healthcare organizations experience a breach of the types of information that are sought by identity thieves, affected individuals are offered complimentary credit monitoring services. The plaintiffs claim that these were not provided and that they have been placed with the burden of checking for misuse of their personal information. The plaintiffs claim they face an immediate and ongoing threat of identity theft and fraud as a direct result of the data breach and will continue to suffer damages, including covering the cost of ongoing credit monitoring and identity theft protection services.

The lawsuit seeks class certification, reimbursement of out-of-pocket expenses, and equitable relief, citing 20 data security measures that must be implemented to better protect patient data and prevent further data breaches.


LifeBridge Health Agrees to $9.5 Million Settlement to Resolve 2016 Data Breach Claims

LifeBridge Health Inc. has agreed to settle a class action lawsuit to resolve claims from patients affected by a data breach that was discovered in 2018. The total value of the settlement is $9.475 million, which includes an $800,000 fund to cover claims from class members.

In March 2018, LifeBridge Health discovered a malware infection that provided unauthorized individuals with access to a server that hosted its electronic medical records, patient registration, and billing systems. The breach investigation determined the initial intrusion occurred 18 months previously in September 2016. The breach was disclosed by LifeBridge Health in May 2018, with the healthcare provider confirming the information of 582,174 patients had potentially been compromised, with the exposed information including names, dates of birth, addresses, diagnoses, medications prescribed, clinical and treatment information, insurance details, and a limited number of Social Security numbers.

A lawsuit – Johnson, et al. v. LifeBridge Health, Inc. – was filed in the Circuit Court for Baltimore City, MD, by the law firm Murphy, Falcon & Murphy on behalf of patients affected by the incident. The two patients named in the lawsuit, Jahima Scott and Darlene Johnson, claimed to have had their identities stolen as a direct result of the breach, with both claiming they were victims of credit card fraud shortly after the data breach occurred.

The lawsuit alleged class members had been exposed to serious harm and that their personal and protected health information was in the hands of identity thieves, which placed them at immediate and ongoing risk of identity theft and fraud. The named plaintiffs claimed to have suffered monetary losses, had financial transactions declined, experienced issues with their email accounts, had fraudulent accounts created in their names, and had their identities used to file fraudulent claims for unemployment benefits and COVID-19 disaster small business loans.

The lawsuit alleged LifeBridge Health was negligent as it failed to follow basic security practices, which violated several privacy protection statutes in Maryland, including the Maryland Personal Information Protection Act, Maryland Social Security Number Privacy Act, and Maryland Consumer Protection Act.

LifeBridge Health did not admit to any wrongdoing and did not accept liability for the incident, but chose to settle the lawsuit to avoid further legal costs and the uncertainty of trial. Under the terms of the settlement, LifeBridge Health has agreed to create an $800,000 fund to cover claims from class members and will invest $7.9 million in additional security measures to prevent further data breaches, including data encryption, network monitoring, security awareness training, asset tracking, and multi-factor authentication. The remaining $775,000 of the total settlement amount will cover legal fees.

Class members are entitled to submit claims for reimbursement of ordinary and extraordinary losses, including up to 3 hours of lost time at $20 per hour, and a further 2 hours if they suffered extraordinary losses. Claims for ordinary losses of up to $250 per class member can be submitted to cover bank fees, credit monitoring, credit freeze, communication, and other costs, and a claim can be submitted for extraordinary losses up to a maximum of $5,000.

A final approval hearing has been scheduled for October 26, 2022. Claims must be submitted by February 1, 2023.


CommonSpirit Health Experiencing Widespread Outage Due to Cyberattack

CommonSpirit Health is experiencing a data security incident that has affected many of its healthcare facilities. According to a statement issued by the health system on October 4, 2022, IT systems have been taken offline as a precautionary step while the incident is investigated and the exact nature and scope of the incident is determined. A brief update was issued on Wednesday, October 5, 2022, confirming the IT security incident was still impacting some of its facilities and that staff members were operating under its tried and tested emergency protocols, using pen and paper to record patient information while IT systems are offline.

The incident was detected on October 3, 2022, but little information has been released at this stage about the exact nature of the incident. CommonSpirit Health said it is doing everything possible to minimize the impact on its patients. Without access to certain IT systems, the decision has been taken to reschedule some appointments while the security incident is mitigated. Some patients have reported that it has not been possible to make new appointments.

Chicago, IL-based CommonSpirit Health is the largest Catholic health system in the United States and the second largest non-profit U.S. health system. It was formed in 2019 by the merger of Catholic Health Initiatives (CHI Health) of Colorado and Dignity Health of California. CommonSpirit Health operates 142 hospitals and approximately 1,500 care facilities in 21 states, has around 150,000 employees including 25,000 physicians, and serves more than 21 million patients a year. CommonSpirit Health’s hospitals and healthcare facilities are accessible to around 1 in 4 Americans.

Several CHI Health facilities in Nebraska have confirmed that they are experiencing outages as a result of the incident. MercyOne Des Moines Medical Center in Iowa has also been affected, and the decision was taken to divert ambulances for a short period of time. The incident is also known to have affected hospitals in Tennessee and Washington.

Reports have been received from patients claiming the MyChart tool from Epic Systems has been affected, although a spokesperson for the EHR provider said the issues are only being experienced by CommonSpirit Health. It should be noted that the decision to take the EHR system offline is common when cyberattacks are detected and does not mean the EHR system has been subjected to unauthorized access.

At such an early stage of the investigation it is unclear to what extent, if any, patient information has been affected and the exact nature of the attack has also not been disclosed; however, security researcher Kevin Beaumont said on Twitter that the incident response chatter indicates this was a ransomware attack, which would explain the widespread impact of the incident.

Further information about the incident will be released by CommonSpirit Health as the investigation progresses, and this article will be updated as further information becomes available.
