HIPAA Breach News

August 2022 Healthcare Data Breach Report

For the third successive month, the number of healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights has fallen, with 49 breaches of 500 or more records reported in August – well below the 12-month average of 58 breaches per month. The 25.75% decrease from July 2022 was accompanied by a significant reduction in breached records, which dropped almost 30% month over month.

healthcare data breaches in the past 12 months

Across the 45 data breaches, 3,741,385 healthcare records were exposed or impermissibly disclosed – well below the 5,135,953 records that were breached in August 2021, although slightly more than the 12-month average of 3,382,815 breached healthcare records per month.

Breached healthcare records over the past 12 months

Largest Healthcare Data Breaches Reported in August 2022

18 healthcare data breaches of 10,000 or more records were reported to the HHS’ Office for Civil Rights in August 2022; they are summarized in the table below. Note that the exact nature of a breach is not always reported by the breached entity, for example whether ransomware was used to encrypt files.

As the table below shows, the largest reported data breach of the month occurred at Novant Health and was due to the use of a third-party JavaScript code snippet, Meta Pixel, on the healthcare provider’s website. The code snippet is used on websites to track visitor activity but can send PHI to Meta (Facebook), which can then be used to serve targeted ads. Novant Health said a misconfiguration resulted in the code being added behind the login on its patient portal.

So far, Novant Health is the only healthcare provider to report such a breach, even though investigations have revealed many other healthcare organizations have used the code snippet on their websites, several of which added the code to their patient portals. Multiple lawsuits have been filed over these privacy breaches.
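A check a portal owner can run for the issue described above, added here as an example and not code from HIPAA Journal or Novant Health: it parses a saved copy of a portal page’s HTML and reports any Meta Pixel loader, known analytics loader, or script from a host outside a first-party allowlist. The tracker host list, the allowlist, and the sample page are assumptions/constructed for the example.

```python
"""Audit a page's HTML for third-party tracking scripts such as the Meta Pixel.

Added example (not HIPAA Journal's or Novant Health's code). It assumes you have
saved the HTML of a page that sits behind the patient-portal login and want to
know whether any tracking loader is present. Sample HTML below is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Known tracking loader hosts (assumed list). connect.facebook.net serves Meta's
# fbevents.js; the other two are common analytics loaders included for breadth.
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "www.googletagmanager.com": "Google Tag Manager",
    "www.google-analytics.com": "Google Analytics",
}
# Signatures found in inline bootstrap snippets: the Meta Pixel is initialised
# with fbq('init', ...) and its loader URL is embedded as a string.
INLINE_SIGNATURES = {
    "fbq(": "Meta Pixel",
    "connect.facebook.net": "Meta Pixel",
    "gtag(": "Google Analytics",
}


class ScriptCollector(HTMLParser):
    """Collects external <script src> URLs and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.external = []   # src attribute of every external script
        self.inline = []     # body of every inline script
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def find_trackers(html, first_party_hosts=()):
    """Return a list of (finding, detail) tuples for tracking code in `html`.

    Scripts from a host in TRACKER_HOSTS get a named finding; any other external
    script from a host not in `first_party_hosts` is reported as a third-party
    script for review; inline bodies are matched against INLINE_SIGNATURES.
    """
    allowed = {h.lower() for h in first_party_hosts}
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        # Protocol-relative "//host/x.js" needs a scheme for urlparse to see a host;
        # relative paths like "/static/app.js" yield no host and are first-party.
        full = src if "://" in src else "https:" + src
        host = (urlparse(full).hostname or "").lower()
        if host in TRACKER_HOSTS:
            findings.append((TRACKER_HOSTS[host], src))
        elif host and host not in allowed:
            findings.append(("third-party script", src))
    for body in parser.inline:
        names = {name for sig, name in INLINE_SIGNATURES.items() if sig in body}
        for name in sorted(names):
            findings.append((name + " (inline)", "inline script"))
    return findings


# Constructed sample: a portal page that bootstraps the Meta Pixel behind login.
SAMPLE_PORTAL_HTML = """
<html><head>
<script src="/static/portal.js"></script>
<script>
  !function(f,b,e,v,n,t,s){/* pixel bootstrap */}(window, document, 'script',
  'https://connect.facebook.net/en_US/fbevents.js');
  fbq('init', 'PLACEHOLDER_PIXEL_ID');
  fbq('track', 'PageView');
</script>
<script src="https://cdn.example-vendor.net/widget.js"></script>
</head><body>My Appointments</body></html>
"""

if __name__ == "__main__":
    for kind, detail in find_trackers(SAMPLE_PORTAL_HTML, {"portal.example.org"}):
        print(f"{kind}: {detail}")
```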

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Location of Breached Information | Cause of Breach |
|---|---|---|---|---|---|
| Novant Health Inc. on behalf of Novant Health ACE & as contractor for NMG Services Inc. | NC | Business Associate | 1,362,296 | Electronic Medical Record | Unauthorized disclosure to Meta through Meta Pixel code snippet on website |
| Practice Resources, LLC | NY | Business Associate | 942,138 | Network Server | Ransomware attack |
| Warner Norcross and Judd, LLP | MI | Business Associate | 255,160 | Network Server | Hacking and data theft incident |
| California Department of Corrections and Rehabilitation | CA | Healthcare Provider | 236,000 | Network Server | Hacking incident |
| Conifer Revenue Cycle Solutions, LLC | TX | Business Associate | 134,948 | Email | Hacking of Microsoft 365 environment |
| Common Ground Healthcare Cooperative | WI | Health Plan | 133,714 | Network Server | Ransomware attack on a business associate (OneTouchPoint) |
| Methodist McKinney Hospital | TX | Healthcare Provider | 110,244 | Network Server | Hacking and data theft incident |
| First Choice Community Health Care, Inc. | NM | Healthcare Provider | 101,541 | Network Server | Hacking incident |
| Onyx Technology LLC | MD | Business Associate | 96,814 | Network Server | Hacking incident |
| EmergeOrtho | NC | Healthcare Provider | 68,661 | Network Server | Ransomware attack |
| Lamoille Health Partners | VT | Healthcare Provider | 59,381 | Network Server | Ransomware attack |
| Henderson & Walton Women’s Center, P.C. | AL | Healthcare Provider | 34,306 | Email | Hacking incident |
| St. Luke’s Health System, Ltd. | ID | Healthcare Provider | 31,573 | Network Server | Hacking incident at billing vendor |
| San Diego American Indian Health Center | CA | Healthcare Provider | 27,367 | Network Server | Hacking and data theft incident |
| Rock County Human Services Department | WI | Healthcare Provider | 25,610 | Email | Unauthorized access to email accounts |
| NorthStar HealthCare Consulting LLC | GA | Business Associate | 18,354 | Email | Unauthorized access to email accounts |
| Methodist Craig Ranch Surgical Center | TX | Healthcare Provider | 15,157 | Network Server | Hacking and data theft incident (Methodist McKinney) |
| Valley Baptist Medical Center – Harlingen | TX | Healthcare Provider | 11,137 | Network Server | Ransomware attack (Practice Resources) |

Causes of August 2022 Data Breaches

The above table shows hacking incidents continue to be a major problem for the healthcare industry, with ransomware often used in the attacks. There has been a growing trend for attackers to conduct data theft and extortion attacks, without using ransomware. While the consequences for patients may still be severe, the failure to encrypt files causes less disruption; however, a recent study by Proofpoint suggests that patient safety issues are still experienced after cyberattacks when ransomware is not used. Around 22% of healthcare providers reported seeing an increase in mortality rate following a major cyberattack and 57% reported poorer patient outcomes.

Healthcare organizations are vulnerable to email attacks, with phishing attacks a common cause of data breaches. There has also been an increase in the use of reverse proxies in attacks, which allow threat actors to steal credentials and bypass multifactor authentication to gain access to Microsoft (Office) 365 environments.

Causes of August 2022 Healthcare Data Breaches

35 of the month’s breaches (71.4%) were attributed to hacking/IT incidents and involved the exposure or theft of 2,337,485 healthcare records – 62.48% of the month’s reported breached records. The mean breach size was 66,785 records and the median breach size was 7,496 records.

There were 10 reported unauthorized access/disclosure incidents involving 1,398,595 records – 37.38% of the month’s breached records. The mean breach size was 139,860 records and the median breach size was 1,375 records. 1,362,296 of those records were breached in the Novant Health incident. There were 4 loss/theft incidents (2 losses; 2 thefts) involving 5,305 records. The mean breach size was 1,326 records and the median breach size was 1,357 records.

The number of hacking incidents is reflected in the location of breached PHI, as shown in the chart below.

Location of Breached PHI in August

Data Breached by HIPAA Regulated Entity

Healthcare providers were the worst affected type of HIPAA-regulated entity, with 35 data breaches reported. 9 breaches were reported by business associates, and 5 breaches were reported by health plans. Data breaches are not always reported by business associates directly, as some HIPAA-covered entities choose to report breaches that occurred at their business associates themselves. The chart below takes this into account and shows data breaches based on where they occurred. While 14 data breaches occurred at business associates in August, this is a notable reduction from the previous few months: in July there were 36 data breaches at business associates, and 40 in June.

August 2022 healthcare data breaches - HIPAA-regulated entity type

Geographic Distribution of Data Breaches

Healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights in August by HIPAA-regulated entities in 26 states, with Texas the worst affected with 8 reported data breaches.

| State | Breaches |
|---|---|
| Texas | 8 |
| North Carolina | 4 |
| Arkansas, California, & Michigan | 3 |
| Colorado, Florida, Illinois, New York, Vermont, Washington, & Wisconsin | 2 |
| Alabama, Arizona, Georgia, Idaho, Indiana, Louisiana, Maryland, Mississippi, New Hampshire, New Jersey, New Mexico, Ohio, Pennsylvania, & Virginia | 1 |

HIPAA Enforcement Activity in August 2022

There was one HIPAA enforcement action announced by OCR in August, and somewhat unusually given the focus on the HIPAA Right of Access over the past three years, it related to the improper disposal of PHI. Of the past 25 enforcement actions that have resulted in financial penalties, only 5 have been for violations other than HIPAA Right of Access failures.

OCR launched an investigation of New England Dermatology and Laser Center after receiving a report on March 11, 2021, about the improper disposal of the PHI of 58,106 patients. In addition to failing to render PHI unreadable and indecipherable, OCR determined there was a failure to maintain appropriate administrative safeguards. The improper disposal of empty specimen containers with patient labels spanned from 2011 to 2021. New England Dermatology and Laser Center agreed to settle the case and paid a $300,640 penalty.

Lisa J. Pino stepped down as OCR Director in July 2022 and has now been replaced by Melanie Fontes Rainer. It remains to be seen where she will lead the department regarding the enforcement of HIPAA compliance, although HHS Secretary Xavier Becerra has stated that HIPAA Privacy Rule violations involving unauthorized disclosures of PHI related to abortion care and other forms of sexual and reproductive health care will be an enforcement priority for OCR.

The post August 2022 Healthcare Data Breach Report appeared first on HIPAA Journal.

New York Ambulance Service Discloses Ransomware Attack and 318K-Record Data Breach

The New York ambulance service Empress EMS (Emergency Medical Services) has confirmed it was the victim of a ransomware attack. The attack was detected on July 14, 2022, and resulted in files on certain systems being encrypted. According to the company’s website notification, steps were immediately taken to contain the incident and third-party forensics experts were engaged to investigate the attack.

The forensic investigation revealed the attackers first gained access to its network on May 26, 2022, and copied “a small subset of files” on July 13, 2022. Ransomware was then deployed to encrypt files on the network. A comprehensive review of the affected files confirmed they contained protected health information such as names, insurance information, dates of service, and, for some individuals, Social Security numbers. Empress EMS has reported the data breach to the HHS’ Office for Civil Rights as affecting up to 318,558 patients. Empress EMS has notified all affected individuals, has advised them to monitor their healthcare statements for accuracy, and said credit monitoring services will be offered to certain individuals. Empress EMS said steps have been taken to strengthen system security to prevent similar incidents in the future.

Empress EMS did not confirm which group was behind the attack; however, the Hive ransomware gang has claimed responsibility for the attack. Databreaches.net obtained a copy of the ransom note and a sample of the stolen data and reports that the files appear to contain the protected health information of Empress EMS patients. The Hive gang claims to have obtained the Social Security numbers of more than 100,000 patients, and customer information such as email addresses, addresses, passport numbers, phone numbers, payments, and working hours. Employee data was also compromised, along with contracts, NDAs, and other private company information.

At the time of publication, the stolen data is not listed on the Hive group’s data leak site, although some data was briefly uploaded. Typically, if the ransom is not paid the group follows through on its threat and publishes the stolen data.


Ambry Genetics Settles Class Action Data Breach Lawsuit for $12.25 Million

Ambry Genetics has agreed to settle a class action lawsuit that stemmed from a breach of the protected health information of 232,772 patients. In April 2020, Ambry Genetics notified patients that some of their protected health information was stored in an email account that was accessed by an unauthorized individual over a two-day period in January 2020. Emails and attachments contained sensitive patient data such as names, diagnoses, and other medical information, with a subset of patients also having their Social Security numbers exposed. The investigation was not able to determine whether any information in the email account was exfiltrated by the attackers.

A lawsuit was filed in the US District Court for the Central District of California shortly after notifications were issued. It alleged that Ambry Genetics had failed to implement reasonable safeguards to protect patient information and had not followed industry best practices for cybersecurity and that, as a direct consequence of those failures, the protected health information of patients was compromised. The lawsuit also took issue with the delay in issuing notification letters to affected individuals. The HIPAA Breach Notification Rule requires HIPAA-covered entities to issue notification letters within 60 days of the discovery of a data breach, but it took almost 4 months for notification letters to be issued. The lawsuit also alleged invasion of privacy, breach of contract, and violations of state privacy and business laws.

The lawsuit had been dismissed, amended, and refiled on multiple occasions over the past two years, with the latest complaint filed in December 2021. The settlement was proposed to prevent further legal costs and the uncertainty of trial, and is intended to fully resolve, discharge, and settle all claims made by the plaintiffs and class members. Ambry Genetics has not admitted to any wrongdoing and accepts no liability for the data breach.

Under the terms of the settlement, Ambry Genetics has agreed to create a $12.25 million fund, $2.25 million of which will cover the costs of notifications, administrative costs, and three years of identity theft protection and credit monitoring services to the class members.

Individuals affected by the data breach will be entitled to submit claims of up to $10,000 for reimbursement of documented out-of-pocket expenses incurred due to the data breach, up to 10 hours of documented time at $30 per hour, and up to 3 hours of ‘default time’ at $30 an hour. Individuals who were residents of California or Illinois at the time of the data breach are entitled to claim $150 compensation, in addition to any other claims, to resolve potential violations of the California Confidentiality of Medical Information Act and the Illinois Genetic Information Privacy Act. Class representatives will be entitled to claim a service award of $2,500.

In addition to the settlement, Ambry Genetics said it has spent in excess of $800,000 on issuing notifications and paying for credit monitoring services, with those costs potentially increasing to $1.4 million. Ambry Genetics said the total settlement amount is likely to increase to more than $14 million, and potentially more than $20 million when all remedial actions have been taken.

Those actions include changes to its business practices and additional security measures, including providing further security awareness training for staff members, adding warnings to external emails, and placing more stringent restrictions on access to patients’ protected health information. Ambry Genetics has also strengthened vendor management and requires all vendors to have SOC-2 certification, perform third-party risk assessments, and conduct penetration tests and phishing simulations on employees.


Ransomware Attack on Medical Associates of the Lehigh Valley Affects 75K Patients

Medical Associates of the Lehigh Valley in Pennsylvania (MATLV) has announced that it recently fell victim to a sophisticated ransomware attack on its network. The attack was detected on July 3, 2022, and immediate action was taken to contain the attack and prevent further unauthorized access to its network. Third-party forensics specialists were engaged to assist with the investigation and determine the nature and scope of the attack.

MATLV said the investigation did not uncover any evidence indicating the misuse of patient information, but parts of the network that were accessed by the attackers contained files that included the protected health information of 75,628 individuals, which may have been viewed or exfiltrated in the attack. The files contained names, addresses, email addresses, birth dates, Social Security numbers, driver’s license numbers, state ID numbers, health insurance provider names, medical diagnoses, treatment information, medications, and lab results. The types of information exposed in the attack varied from patient to patient.

Cybersecurity specialists evaluated the security measures that had been implemented prior to the attack and security has been reinforced based on their recommendations. Affected individuals have been encouraged to monitor their financial accounts and explanation of benefits statements and report any suspicious activity.

TennCare Reports Accidental Exposure of Patients’ PHI

TennCare, Tennessee’s state Medicaid program, has recently notified approximately 1,700 patients about the accidental exposure of some of their protected health information. According to a statement issued by TennCare officials, a new application was implemented that inadvertently associated people in one household with people in another household, if those households included some of the same people.

The issue was rapidly identified and corrected, but for a short period, the names and ages of affected people and their dependents would have been visible to other people who at one time were part of the same case file. For 15 individuals, more sensitive information was visible such as Social Security number, address, and date of birth. While the risk of misuse of information is believed to be low, affected individuals have been offered a 12-month complimentary membership to an identity theft protection and credit monitoring service, which includes a $1 million identity theft insurance policy.


Oakbend Medical Center Suffers Ransomware Attack

Over the Labor Day weekend, Oakbend Medical Center in Richmond, TX, suffered a ransomware attack. The attack started on Thursday, September 1, 2022, and saw files on its network encrypted. The medical center said its IT team took all systems offline to contain the attack, and the medical center operated under lockdown procedures while the attack was investigated by the Federal Bureau of Investigation (FBI), the Cyber-Defense Campus (CYD), and the Fort Bend County Government Cyberteam.

The internal IT team ensured that all patient-centric systems were secured, and cybersecurity experts from Microsoft, Dell, and Malware Protects were engaged to investigate the attack and assess the security of its systems. Once those systems were cleaned, work commenced on rebuilding and restoring them in a controlled and systematic manner. Disruption is still being experienced, and there have been temporary communication issues for patients, vendors, doctors, and administrators; however, at no point was patient safety at risk and the medical center continued to operate.

In a September 9, 2022, update, Oakbend Medical Center said the recovery process is ongoing and there are still issues with the telephone and email systems, but it is working to resolve those issues as quickly as possible. While Oakbend Medical Center did not confirm whether files containing patient data were exfiltrated from its systems, the ransomware gang responsible for the attack – Daixin Team – claimed on its data leak site that files were stolen prior to file encryption that contained patient information such as names, dates of birth, medical record numbers, patient account numbers, Social Security numbers, and medical and treatment information. Some of the stolen data has been uploaded to the group’s data leak site. The group has threatened to release all of the stolen files, which are claimed to include the protected health information of more than 1 million patients. At the time of publication, it would appear that the ransom has not been paid and all communication between the medical center and Daixin Team has stopped.

Daixin Team is a relatively new threat group that is known to attack hospitals. In June 2022, the group conducted an attack on Fitzgibbon Hospital in Missouri and stole and published files containing sensitive patient data.

This post will be updated when further information about the attack is released and when the total number of affected patients is known.


Data Breaches Reported by Henderson & Walton Women’s Center & Genesis Health Care

Birmingham, AL-based Henderson & Walton Women’s Center (HWWC) has recently notified 34,306 patients that some of their protected health information may have been compromised as a result of a hacker gaining access to the email account of one of its employees. HWWC said the forensic investigation of the data breach confirmed the attacker did not gain access to the email server and the breach was confined to the email account of one employee.

HWWC did not disclose when the email account was compromised but said there was a delay in issuing notification letters due to the lengthy process of reviewing all emails in the account to determine the types of information and specific individuals that had been affected. That process concluded on June 24, 2022.

HWWC said it had implemented encryption for all external emails, but the forensic investigation determined that stored emails may have been accessed. Those emails contained patient information such as names, dates of birth, Social Security numbers, medical information, health insurance information, driver’s license numbers, and state ID numbers. The information exposed varied from patient to patient.

Notification letters were sent to all affected individuals in August. As a precaution against identity theft and fraud, complimentary 12-month memberships to a credit monitoring service have been offered. Steps have also been taken to improve the security of its email system, including implementing a new procedure for automatically deleting emails containing PHI after 3 days, and a system is being implemented that will prevent the sharing of any personal information via email.

Genesis Health Care Reports Cyberattack and Data Breach

Kennett Square, PA-based Genesis Health Care has recently notified the Montana Attorney General about a cyberattack that was detected on April 11, 2022. Suspicious activity was detected in certain IT systems, prompting a comprehensive investigation. Third-party digital forensics specialists were engaged to determine the nature and scope of the incident and help restore the functionality of its systems. The investigation confirmed on June 9, 2022, that files may have been accessed or exfiltrated from its systems between January 19, 2022, and April 11, 2022. A programmatic and manual review of the affected files confirmed on July 13, 2022, that they contained patient information including, but not limited to, names and Social Security numbers. Genesis Health Care said it is reviewing its policies and procedures and will evaluate additional measures and safeguards to prevent similar breaches in the future.

The breach has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.


Michigan Law Firm and Medical Imaging Companies Confirm Breaches of Patient Information

The Michigan law firm, Warner Norcross and Judd LLP, has issued notification letters to 255,160 individuals advising them about an October 2021 security breach in which files containing their personal and protected health information were potentially accessed and exfiltrated from its systems. The breach was detected on October 22, 2021. The substitute breach notification does not state when, and for how long, unauthorized individuals had access to its systems.

A digital forensics firm was engaged to investigate the nature and scope of the data breach and a programmatic and manual review was conducted on files on the affected parts of its network. The review confirmed that the files contained information such as names, dates of birth, Social Security numbers, driver’s license numbers, government-issued IDs, annual compensation amounts, benefit contribution information, credit card or debit card numbers, credit card or debit card PINs, financial account or routing numbers, passport numbers, patient account numbers, health information, and life insurance policy information.

Notification letters were sent to affected individuals in August and information was provided on the steps that individuals can take to reduce the risk of identity theft and fraud, but it would appear that credit monitoring and identity theft protection services are not being offered. The law firm said it will be taking steps to improve security to prevent further data breaches.

Medical Imaging Companies Confirm Breach of PHI

Gateway Diagnostic Imaging, which operates 12 medical imaging facilities in North Texas, and the Tucson, AZ-based medical imaging company Radiology Ltd. have recently started notifying certain patients about a breach of systems that contained patient information. The data breach was detected on December 24, 2021, with the forensic investigation confirming that unauthorized individuals had access to the systems between December 17 and December 24, 2021.

The files on the affected systems contained information such as names, addresses, dates of birth, Social Security numbers, health insurance information, medical record numbers, patient account numbers, physician names, dates of service, and information related to the radiology services provided.

As a precaution against identity theft and fraud, affected individuals have been offered a complimentary 12-month membership to the Equifax Credit Watch Gold credit monitoring and identity theft protection service. Gateway Diagnostic Imaging and Radiology Ltd. said additional safeguards are being implemented to prevent further security breaches, and enhancements have been made to its monitoring capabilities.

The breach has yet to appear on the HHS’ Office for Civil Rights Breach portal so it is currently unclear how many individuals have been affected.

Health Insurers Confirm Members’ PHI was Compromised in OneTouchPoint Data Breach

Over the past few weeks, several health plans have confirmed that their members’ protected health information was compromised in a ransomware attack on the printing and mailing vendor OneTouchPoint. OneTouchPoint recently confirmed to the Maine Attorney General that the PHI of 2.65 million individuals was compromised in the attack. Initially, the breach was reported to the Maine Attorney General as affecting around 1.1 million individuals.

Arkansas Blue Cross and Blue Shield recently notified the HHS’ Office for Civil Rights that the PHI of 8,871 of its members was compromised in the attack, and Medical Mutual of Ohio has reported the breach as affecting 1,377 of its members.


PHI Compromised in Incidents at CorrectHealth, UF Health Shands, Peter Brasseler, & Gifted Healthcare

CorrectHealth Notifies 54,000 Patients About November 2021 Email System Breach

Alpharetta, GA-based CorrectHealth is notifying patients about a breach of its email environment. The breach was detected on November 10, 2021, with the investigation confirming several employee email accounts had been accessed by an unauthorized individual. Legal counsel for CorrectHealth said the third-party forensic investigation of the data breach concluded on January 28, 2022, and confirmed patients’ protected health information was present in the breached email accounts.

A comprehensive review of the affected accounts was conducted between March 2022 and July 2022 to determine the specific information that was affected, which confirmed names, addresses, and Social Security numbers had been exposed. CorrectHealth said it is unaware of any misuse of patient information.

Notification letters were sent on August 25, 2022, and complimentary credit monitoring and identity theft protection services have been offered to affected individuals. In response to the breach, CorrectHealth has implemented additional safeguards, including deploying an advanced phishing protection service, putting disclaimers on all externally received emails, implementing multi-factor authentication for administrative staff, and adopting a single sign-on solution for clinical staff. CorrectHealth is also conducting weekly data security training and monthly simulated phishing exercises for all employees.

The breach was reported to the Maine attorney general as affecting 54,066 individuals.

Email Accounts Breached at Gifted Healthcare

Metairie, LA-based Gifted Healthcare has reported a security breach involving the protected health information of its patients. While the incident initially appeared to be confined to a single email account, the investigation revealed three email accounts had been compromised between August 25, 2021, and December 10, 2021. Gifted Healthcare did not say when the breach was detected, but the review of the affected email accounts was completed on July 25, 2022. Notification letters were sent to affected individuals on August 25, 2022.

Data compromised in the incident included names, addresses, driver’s license numbers, Social Security numbers, financial information, health insurance information, and medical information. The breach was reported to the Maine attorney general as affecting 13,770 individuals.

Ransomware Attack Impacts Brasseler Patients

Savannah, GA-based Peter Brasseler Holdings, LLC, has recently confirmed it was the victim of a ransomware attack. The attack was detected on June 24, 2022, with the investigation confirming files containing individuals’ protected health information were stored on parts of the affected systems and may have been viewed or obtained in the incident. The breach also affected its subsidiaries, Brasseler U.S.A. Dental, LLC and Brasseler U.S.A. Medical, LLC.

The investigation into the breach is ongoing, but it has been confirmed that the following types of information were potentially compromised: names, government-issued identification numbers such as Social Security numbers, driver’s license numbers, and passport numbers; financial account information, such as debit card and credit card numbers; medical and insurance information; and other information, such as dates of birth.

The breach was reported to the Maine attorney general as affecting 3,353 individuals. Affected individuals have been offered a complimentary 24-month membership to Experian’s IdentityWorks credit monitoring and identity theft protection service.

UF Health Shands Employee Snooped on Records of Almost 1,000 Patients

UF Health Shands has recently confirmed that a former employee accessed the records of 941 patients without authorization between April 27, 2021, and July 21, 2022. When the unauthorized access was detected, the employee’s access to patient information was suspended pending a full investigation, which confirmed that the employee viewed patient information such as names, addresses, phone numbers, diagnoses and conditions, and some health insurance information.

UF Health Shands said the individual is no longer employed by UF Health Shands.


OneTouchPoint Ransomware Victim Count Increases to 2.65 Million

The number of individuals affected by the ransomware attack on the Hartland, WI-based mailing and printing vendor, OneTouchPoint, has now increased to 2,651,396 individuals, with Common Ground Healthcare Cooperative one of the latest organizations to confirm that it has been affected. Brookfield, WI-based Common Ground Healthcare Cooperative said 133,714 of its members were affected.

OneTouchPoint said it discovered the attack on April 28, 2022, when files on its systems were encrypted. A forensic investigation was launched to determine the nature and scope of the security breach, which revealed its servers were compromised on April 27, 2022, and certain files containing sensitive data were accessed. The review of those files confirmed on July 15, 2022, that they contained the sensitive information of current and former employees and data belonging to its customers. Customers were notified about the attack on June 3, 2022.

The breach involved employee information such as names, healthcare member IDs, and information provided during health assessments. Customers have reported the breach as involving names, subscriber ID numbers, diagnoses, medications, addresses, dates of birth, sexes, physician demographics information, family histories, social histories, allergies, vitals, immunizations, and other information.

Initially, the breach was reported as affecting 1.1 million individuals, but the total has now been increased to 2,651,396 individuals. At least 34 organizations are known to have been affected, including Matrix Medical Network (whose breach in turn affected Blue Shield of California Promise Health Plan), Kaiser Permanente, Geisinger, Health First, UPMC Health Plan, Humana, Aetna ACE, Anthem Inc., and other Blue Cross Blue Shield affiliates.

OneTouchPoint is notifying certain individuals about the breach on behalf of some of its customers, but some customers have chosen to issue notifications themselves. OneTouchPoint said it is unaware of any misuse of the compromised information. Some of the affected customers have offered credit monitoring and identity theft protection services to their members.

At least one class action lawsuit has been filed against OneTouchPoint over the data breach.
