HIPAA Breach News

Cyberattack and Data Destruction Reported by First Street Family Health

Salida, CO-based First Street Family Health has suffered a destructive cyberattack in which files containing patient information were exfiltrated and then deleted from its systems. This method of attack is becoming more common: data is stolen and deleted, and threats are then issued to publish or sell the data if payment is not made to the attackers, but files are not encrypted using ransomware.

First Street Family Health said the attack was detected on July 16, 2022, with the investigation confirming that the attackers first gained access to its systems on July 5, 2022. The unauthorized access was blocked on July 16. The attackers deleted electronic medical records from June 28, 2021, to July 15, 2022, and while backups of those records had been made, the backups were also deleted so the information in those records has been lost. No evidence was found to indicate those records were stolen. Medical referral forms stored on the affected computer systems may have been viewed or acquired, but those records were successfully restored from backups.

The breached records included full names, addresses, birth dates, phone numbers, email addresses, Social Security numbers, dates of service, nature of services, diagnoses, conditions, lab results, medications, health insurance identification cards and numbers, and billing information.

Notification letters were sent to affected individuals on August 26, 2022, and complimentary memberships to CyberScout’s credit monitoring service have been offered. First Street Family Health said a national cybersecurity firm assisted with the investigation and conducted a security review, and additional security measures are being implemented based on the firm’s recommendations.

The incident has not yet appeared on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Northeast Rehabilitation Hospital Network Notifies Patients About 2021 Cyberattack

Salem, NH-based Northeast Rehabilitation Hospital Network (NRHN) has started notifying patients that unauthorized individuals gained access to its computer systems and may have viewed or obtained sensitive data. The data breach was detected on September 30, 2021, when suspicious activity was identified within its network. The subsequent investigation confirmed its systems were compromised between September 30, 2021, and October 5, 2021.

NRHN said the delay in issuing notifications to affected individuals was due to the time-consuming process of reviewing all affected files on its systems, and that process was not completed until August 3, 2022. Notification letters are now being sent and individuals will be informed in those letters about the types of information that were involved. NRHN said it is unaware of any attempted or actual misuse of patient data. Credit monitoring and identity theft protection services have been offered to affected individuals.

This post will be updated when the number of affected individuals is known.

The post Cyberattack and Data Destruction Reported by First Street Family Health appeared first on HIPAA Journal.

EmergeOrtho & General Health System Victims of Ransomware Attacks

EmergeOrtho, a North Carolina orthopedic practice, has recently notified 75,200 patients that some of their protected health information has been accessed by unauthorized individuals. According to EmergeOrtho’s substitute breach notice, a sophisticated ransomware attack was detected and blocked on May 18, 2022. The forensic investigation confirmed that the threat actors behind the attack had accessed files containing patients’ protected health information.

A comprehensive review of all affected files confirmed on August 19, 2022, that they contained information such as first and last names, addresses, Social Security numbers, and, for certain individuals, date of birth. No medical records, treatment information, or financial information was compromised in the attack and no evidence has been identified that suggests any of the affected information has been specifically misused.

EmergeOrtho said leading IT specialists were engaged to confirm the security of its network environment, steps will continue to be taken to enhance the security of its systems, and additional monitoring tools have been deployed to proactively identify any future attempted intrusions. EmergeOrtho has offered affected individuals a complimentary membership to single bureau credit monitoring services.

General Health System Notifies Patients About Ransomware Attack and Data Theft

Baton Rouge, LA-based General Health System, which operates Baton Rouge General Medical Center, has recently confirmed that unauthorized individuals gained access to its network and exfiltrated files containing patient data. The forensic investigation confirmed that the attackers had access to its network and files within certain directories between June 24, 2022, and June 29, 2022. The cyberattack was detected on June 28, 2022.

General Health System said the investigation into the attack is ongoing and a comprehensive review is being conducted of all files within the directories that could have been accessed. At this stage, the extent to which patient data has been compromised has yet to be confirmed and it is currently unclear how many individuals have been affected. Notification letters will be sent once that process has been completed.

The attack has caused some disruption to operations, and while care continues to be provided to patients, ambulances have been directed to alternative facilities. General Health System did not provide details on the nature of the attack; however, the Hive ransomware group has claimed responsibility and has started to add some of the stolen data to its leak site, which suggests the ransom was not paid.

PHI Exposed in Cyberattacks on Methodist McKinney Hospital and Columbia River Mental Health Services

Methodist McKinney Hospital in Texas has recently announced that its systems have been accessed by unauthorized individuals who removed files containing sensitive data from its systems. The security incident was detected on July 5, 2022, and a third-party cybersecurity firm was engaged to investigate the nature and scope of the incident. The investigation confirmed that the attackers had access to its systems between May 20, 2022, and July 7, 2022, and during that time, files were exfiltrated that contained patient data. The preliminary investigation has confirmed that the files contained names, addresses, Social Security numbers, birth dates, medical history information, medical diagnosis information, treatment information, medical record numbers, and health insurance information.

The investigation into the security breach is ongoing and a detailed review of all affected files has been initiated to determine the patients affected. The breach is known to have affected patients of Methodist McKinney Hospital, Methodist Allen Surgical Center, and Methodist Craig Ranch Surgical Center. Notifications will be sent to affected individuals in due course. It is currently unclear how many individuals have been affected.

Methodist McKinney Hospital did not disclose the nature of the attack in the substitute breach notification, but this appears to have been a ransomware attack. The Karakurt ransomware gang has listed Methodist McKinney Hospital on its data leak site as a pre-release and claims to have exfiltrated 367 GB of data in the attack.

Columbia River Mental Health Services Reports Breach of Employee Email Accounts

Columbia River Mental Health Services has recently notified the HHS’ Office for Civil Rights about a security incident involving certain employee email accounts. According to the breach notice, suspicious activity was detected in certain email accounts, and third-party forensics experts were engaged to investigate the breach. The investigation confirmed that the email accounts were accessed by unauthorized individuals between May 14, 2021, and April 8, 2022.

A review was conducted of the affected accounts, which confirmed on July 6, 2022, that they contained patients’ protected health information. The review of the information in the accounts is ongoing and notification letters will be sent to affected individuals when the review is completed. The breach has been reported to the HHS’ Office for Civil Rights as affecting ‘501’ individuals to meet the deadline for reporting the incident. The breach total will be updated when the number of affected individuals is confirmed.

Data Breaches Reported by the New Jersey Department of Health, Onyx Technologies & San Diego American Indian Health Center

Onyx Technologies, a Largo, MD-based provider of Information Technology and Consulting Services and a vendor of Independent Care Health Plan (iCare), has recently notified 96,814 health plan members that some of their protected health information has potentially been compromised.

On June 28, 2022, Onyx discovered its computer systems had been accessed by unauthorized individuals, who may have gained access to the protected health information of iCare members, including names, birth dates, addresses, phone numbers, iCare member ID numbers, Medicare ID Numbers, dates of service, and provider names.

Onyx said that a review of its computer systems was immediately conducted, a security firm was engaged to assist with the investigation, and access to its systems was regained on July 7, 2022. Onyx said, “a server may have been removed or accessed beginning on March 29, 2022, and ending on June 28, 2022. On July 15, 2022, the security firm found that some information related to individuals may have been accessed.”

Onyx said it found no evidence to suggest any of the affected information has been identified. Affected individuals have been offered complimentary credit monitoring and identity theft protection services for two years.

San Diego American Indian Health Center Breach Affects 27,367 Patients

San Diego American Indian Health Center has notified 27,367 current and former patients that unauthorized individuals gained access to parts of its network and exfiltrated files containing some of their protected health information.

The security breach was detected on May 5, 2022, and steps were immediately taken to secure the network and prevent further unauthorized access. A digital forensics firm was engaged to assist with the investigation, which confirmed on July 22, 2022, that patient information had been obtained, including names, Social Security numbers, driver’s license numbers, state identification card numbers, tribal identification card numbers, medical information, health insurance information, and birth dates.

San Diego American Indian Health Center said it is unaware of any attempted or actual misuse of patient data. Affected individuals have been offered complimentary credit monitoring and identity protection services and steps have been taken to improve security to prevent further data breaches.

New Jersey Department of Health Alerts Patients About Vendor Data Breach

The New Jersey Department of Health, Division of Behavioral Health Services has recently announced that certain patients of Trenton Psychiatric Hospital and the Anne Klein Forensic Center have had some of their protected health information stolen in a security incident at a vendor that provided medical translation and dictation services to the hospitals.

Unauthorized individuals gained access to parts of the vendor’s systems and exfiltrated files that included the protected health information of patients. The vendor notified the NJ Department of Health about the data breach on June 30, 2022. It is currently unclear which vendor was affected, the types of information compromised, and the number of individuals affected by the data breach. The affected hospitals will notify patients directly if they have been affected.

California Department of Corrections and Rehabilitation Hack Exposed Sensitive Data

The California Department of Corrections and Rehabilitation (CDCR) has recently discovered that unauthorized individuals have gained access to one of its information systems. The compromised system contained medical information on all individuals who had been tested for COVID-19 between June 2020 and January 2022, including staff members, visitors, and other individuals, although not inmates. The information related to COVID-19 tests included name, personal address, telephone number, email, date of birth, and COVID-19 testing results.

Files on the system also included the mental health information of inmates in the Mental Health Services Delivery System dating back to 2008, as well as the information of individuals on parole who were in substance use disorder treatment programs. Some of the exposed data included Social Security Numbers, driver’s license numbers, and trust account information.

The data of inmates included name, CDCR number, mental health treatment, mental health history, and mental health diagnosis, and information in the Trust, Restitution, Accounting, and Canteen System (TRACS) was also potentially involved, which includes transaction records made by CDCR to and from trust accounts since 2008, along with some trust account numbers.

CDCR said the data breach was discovered during routine maintenance. The investigation did not confirm when the system was first compromised; however, suspicious activity was identified in a file transfer system dating back to December 2021. CDCR was unable to confirm whether any specific information had been accessed or exfiltrated and said no corroborating evidence was found to suggest any exposed data has been compromised or misused.

CDCR said procedures and practices have been updated to limit the potential for further breaches and the affected computer system is no longer being used. A replacement computer system has been implemented with more security controls.

The incident has not yet appeared on the HHS’ Office for Civil Rights Breach Portal so it is currently unclear how many individuals have been affected.

Lamoille Health Partners Hit with Ransomware Attack

Lamoille Health Partners in Vermont has recently confirmed that it was the victim of a ransomware attack on June 13, 2022. Prompt action was taken to prevent further unauthorized access to its systems and a third-party digital forensics firm was engaged to assist with the investigation. Lamoille Health Partners said it was possible to securely restore the encrypted files from backups so no ransom was paid; however, the forensic investigation confirmed that the attackers had access to its systems between June 12, 2022, and June 13, 2022, and during that time it is possible that documents containing patients’ protected health information may have been accessed or acquired.

On June 24, 2022, Lamoille Health Partners determined that the documents that may have been accessed included patient information such as names, addresses, dates of birth, Social Security numbers, health insurance information, and medical treatment information. 59,381 individuals have been notified that their protected health information was exposed. Complimentary identity protection and credit monitoring services have been offered to individuals who had Social Security numbers exposed.

July 2022 Healthcare Data Breach Report

In July 2022, 66 healthcare data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights, which is a 5.71% reduction from the 70 data breaches reported in June 2022 and July 2021. While the number of data breaches fell slightly from last month, data breaches are being reported at well over the average monthly rate of 57 breaches per month.

[Chart: Healthcare data breaches in the past 12 months]

For the second consecutive month, the number of exposed or impermissibly disclosed healthcare records topped 5 million. 5,331,869 records were breached across the 66 reported incidents, which is well above the 12-month average of 3,499,029 breaches a month. July saw 8.97% fewer records breached than June 2022 and 7.67% fewer than July 2021.

[Chart: Breached healthcare records in the past 12 months]

Largest Healthcare Data Breaches in July 2022

In July, 25 data breaches of 10,000 or more records were reported, 15 of which occurred at business associates of HIPAA-covered entities. The largest data breach was a ransomware attack on the accounts receivable management agency, Professional Finance Company. Cyberattacks on business associates can affect many different HIPAA-covered entities, as was the case with the PFC breach, which affected 657 HIPAA-covered entities. The breach was reported by PFC as affecting more than 1.9 million individuals, although some of those clients have reported the breach separately. It is unclear how many records in total were compromised in the ransomware attack.

The second largest data breach occurred at the Wisconsin mailing vendor, OneTouchPoint. This was also a ransomware attack and was reported by OneTouchPoint as affecting more than 1 million individuals, but as was the case with the PFC ransomware attack, some of its healthcare provider clients self-reported the data breach, including Aetna ACE Health Plan. Goodman Campbell Brain and Spine also suffered a major ransomware attack. The Indiana-based healthcare provider confirmed that the threat actors had uploaded the stolen data to their data leak site.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Business Associate Breach | Cause of Breach |
|---|---|---|---|---|---|
| Professional Finance Company, Inc. | CO | Business Associate | 1,918,941 | Yes | Ransomware attack |
| OneTouchPoint, Inc. | WI | Business Associate | 1,073,316 | Yes | Ransomware attack |
| Goodman Campbell Brain and Spine | IN | Healthcare Provider | 362,833 | No | Ransomware attack – Data leak confirmed |
| Aetna ACE | CT | Health Plan | 326,278 | Yes | Ransomware attack on mailing vendor (OneTouchPoint) |
| Synergic Healthcare Solutions, LLC dba Fast Track Urgent Care Center | FL | Healthcare Provider | 258,411 | Yes | Hacking incident at billing vendor (PracticeMax) |
| Avamere Health Services, LLC | OR | Business Associate | 197,730 | Yes | Hacking incident – Data theft confirmed |
| BHG Holdings, LLC dba Behavioral Health Group | TX | Healthcare Provider | 197,507 | No | Hacking incident – Data theft confirmed |
| Premere Infinity Rehab, LLC | OR | Business Associate | 183,254 | Yes | Hacking incident at business associate (Avamere Health Services) – Data theft confirmed |
| Carolina Behavioral Health Alliance, LLC | NC | Business Associate | 130,922 | Yes | Hacking incident |
| Family Practice Center PC | PA | Healthcare Provider | 83,969 | No | Hacking incident |
| Kaiser Foundation Health Plan, Inc. (Southern California) | CA | Health Plan | 75,010 | No | Theft of device in a break-in at a storage facility |
| Magie Mabrey Hughes Eye Clinic, P.A. dba Arkansas Retina | AR | Healthcare Provider | 57,394 | Yes | Ransomware attack on EHR vendor (Eye Care Leaders) |
| McLaren Port Huron | MI | Healthcare Provider | 48,957 | Yes | Hacking incident at business associate (MCG Health) – Data theft confirmed |
| Southwest Health Center | WI | Healthcare Provider | 46,142 | No | Hacking incident – Data theft confirmed |
| WellDyneRx, LLC | FL | Business Associate | 43,523 | Yes | Email account compromised |
| Associated Eye Care | MN | Healthcare Provider | 40,793 | Yes | Ransomware attack on EHR vendor (Eye Care Leaders) |
| Zenith American Solutions | WA | Business Associate | 37,146 | Yes | Mailing error |
| Benson Health | NC | Healthcare Provider | 28,913 | No | Hacking incident |
| Healthback Holdings, LLC | OK | Healthcare Provider | 21,114 | No | Email accounts compromised |
| East Valley Ophthalmology | AZ | Healthcare Provider | 20,734 | Yes | Ransomware attack on EHR vendor (Eye Care Leaders) |
| Arlington Skin | VA | Healthcare Provider | 17,468 | No | Hacking incident at EHR management company (Virtual Private Network Solutions) |
| The Bronx Accountable Healthcare Network | NY | Healthcare Provider | 17,161 | No | Email accounts compromised |
| Granbury Eye Clinic | TX | Healthcare Provider | 16,475 | Yes | Ransomware attack on EHR vendor (Eye Care Leaders) |
| CHRISTUS Spohn Health System Corporation | TX | Healthcare Provider | 15,062 | No | Ransomware attack – Data leak confirmed |
| Central Maine Medical Center | ME | Healthcare Provider | 11,938 | Yes | Hacking incident at business associate (Shields Healthcare Group) |

Causes of July 2022 Healthcare Data Breaches

Hacking/IT incidents dominated the breach reports in July with 55 data breaches classed as hacking/IT incidents, with ransomware attacks continuing to be a problem for the healthcare industry. 9 of the top 25 breaches were reported as ransomware attacks, although HIPAA-regulated entities often do not disclose the exact nature of cyberattacks and whether ransomware was involved. Across the hacking incidents, the records of 5,195,024 individuals were breached, which is 97.43% of all records breached in July. The average breach size was 94,455 records and the median breach size was 4,447 records. The median breach size is less than half the median breach size in June due to a large number of relatively small data breaches.

There were 8 unauthorized access/disclosure incidents reported involving 59,784 records. The average breach size was 7,473 records and the median breach size was 1,920 records. There were 3 incidents reported involving the loss of devices/physical documents containing PHI, and one reported theft. 77,061 records were exposed across those 3 incidents. The average breach size was 25,687 records and the median breach size was 1,201 records.

[Chart: Causes of July 2022 healthcare data breaches]

Unsurprisingly given the large number of hacking incidents, 56% of the month’s breaches involved PHI stored on network servers. 12 incidents involved unauthorized access to email accounts, caused by a mix of phishing and brute force attacks.

[Chart: July 2022: location of breached PHI]

There has been a marked increase in hybrid phishing attacks on the healthcare industry in recent months, where non-malicious emails are sent that include a phone number manned by the threat actor. According to Agari, Q2 2022 saw a 625% increase in hybrid phishing attacks, where initial contact was made via email with the scam taking place over the phone. Several ransomware groups have adopted this tactic as the main way of gaining initial access to victims’ networks. The lures used in the emails are typically notifications about upcoming charges, such as for a free trial of a software solution or service that is coming to an end or the renewal of a product subscription, which will be applied if the recipient does not call the number to stop the payment. In these attacks, the victim is tricked into opening a remote access session with the threat actor.

HIPAA Regulated Entities Affected by Data Breaches

Every month, healthcare providers are the worst affected HIPAA-regulated entity type, but there was a change in July with business associates of HIPAA-regulated entities topping the list. 39 healthcare providers reported data breaches but 15 of those breaches occurred at business associates. 10 health plans reported breaches, with 4 of those breaches occurring at business associates. 17 business associates self-reported breaches. The chart below shows the month’s data breaches based on where they occurred, rather than the reporting entity.

[Chart: July 2022 healthcare data breaches by HIPAA-regulated entity type]

July 2022 Healthcare Data Breaches by State

Data breaches of 500 or more records were reported by HIPAA-regulated entities in 29 states, with Texas the worst affected with 10 data breaches.

| State | No. Breaches |
|---|---|
| Texas | 10 |
| Pennsylvania & Virginia | 5 |
| California, Florida, North Carolina & Wisconsin | 4 |
| Arizona, Connecticut, Georgia, Illinois, New Hampshire, Ohio, Oklahoma, & Oregon | 2 |
| Alabama, Arkansas, Colorado, Indiana, Iowa, Maine, Massachusetts, Michigan, Minnesota, Missouri, New York, Rhode Island, Washington, & Wyoming | 1 |

HIPAA Enforcement Activity in July 2022

From January to June, only 4 enforcement actions were announced by the HHS’ Office for Civil Rights; however, July saw a further 12 enforcement actions announced that resulted in financial penalties to resolve HIPAA violations. OCR has continued with its HIPAA Right of Access enforcement initiative, with 11 of the penalties imposed for the failure to provide patients with timely access to their medical records. 10 of those investigations were settled, and one was resolved with a civil monetary penalty.

July also saw one investigation settled with OCR that resolved multiple alleged violations of the HIPAA Rules that were uncovered during an investigation of a 279,865-record data breach at Oklahoma State University – Center for Health Sciences.

No HIPAA enforcement actions were announced by state attorneys general in July.

| Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|
| ACPM Podiatry | $100,000 | Civil Monetary Penalty | HIPAA Right of Access failure |
| Oklahoma State University – Center for Health Sciences (OSU-CHS) | $875,000 | Settlement | Risk analysis, security incident response and reporting, evaluation, audit controls, breach notifications, & the impermissible disclosure of the PHI of 279,865 individuals |
| Memorial Hermann Health System | $240,000 | Settlement | HIPAA Right of Access failure |
| Southwest Surgical Associates | $65,000 | Settlement | HIPAA Right of Access failure |
| Hillcrest Nursing and Rehabilitation | $55,000 | Settlement | HIPAA Right of Access failure |
| MelroseWakefield Healthcare | $55,000 | Settlement | HIPAA Right of Access failure |
| Erie County Medical Center Corporation | $50,000 | Settlement | HIPAA Right of Access failure |
| Fallbrook Family Health Center | $30,000 | Settlement | HIPAA Right of Access failure |
| Associated Retina Specialists | $22,500 | Settlement | HIPAA Right of Access failure |
| Coastal Ear, Nose, and Throat | $20,000 | Settlement | HIPAA Right of Access failure |
| Lawrence Bell, Jr. D.D.S | $5,000 | Settlement | HIPAA Right of Access failure |
| Danbury Psychiatric Consultants | $3,500 | Settlement | HIPAA Right of Access failure |

Cyberattacks Reported by Independent Case Management & Conifer Health Solutions

Little Rock, AR-based Independent Case Management (ICM), a provider of home and community-based support for individuals with intellectual and developmental disabilities, has recently notified 3,307 individuals that some of their protected health information may have been stolen in a ransomware attack.

According to the notification letters, three servers were affected by the attack. The servers were encrypted on December 24, 2021, and a ransom note was dropped on the servers; however, the attack was not detected by ICM until June 15, 2022, as the servers were only used to store historical employee and customer data.

When the attack was detected, a third-party IT vendor was engaged to isolate the servers and perform security scans to ensure that access to the servers was blocked and no other systems or data were affected. The investigation confirmed that only 3 servers were affected, and they contained information such as names, addresses, dates of birth, Social Security numbers, health records, insurance plan and payment information, Medicaid numbers, and medical and health records. Some employee files were also stored on the servers. ICM said it was not possible to determine if specific personal information was accessed, removed, or misused.

ICM said steps have been taken to improve the privacy and security of personal information, including conducting regular security scans, implementing multifactor authentication, improving monitoring systems, and providing additional cybersecurity training to employees.

Conifer Health Solutions Discovers Email Account Breach

Conifer Health Solutions, a Frisco, TX-based provider of revenue cycle management and other administrative services to healthcare providers, has recently discovered that an unauthorized third party gained access to a Microsoft Office 365 hosted business email account.

The breach was detected during an internal review, with the subsequent investigation determining the email account was compromised on January 20, 2022. The breach was confined to a single email account, which was separate from its internal network and systems. The review of the email account was conducted between June 13 and August 3 and determined it contained the protected health information of 2,787 individuals, including full names, dates of birth, addresses, Social Security numbers, financial account information, medical and treatment information, health insurance information, and billing and claims information.

Steps were immediately taken to prevent further unauthorized access and additional security measures have now been implemented, including multifactor authentication and enhanced monitoring of the email environment. Complimentary credit monitoring and identity protection services have been offered to individuals whose Social Security numbers or financial account information was exposed.

Florida Orthopaedic Institute Proposes $4 Million Settlement to Resolve Class Action Data Breach Lawsuit

Florida Orthopaedic Institute has proposed a $4 million settlement to resolve claims from patients affected by a 2020 data breach. In April 2020, Musculoskeletal Institute, dba Florida Orthopaedic Institute, discovered an unauthorized third party had gained access to a server that contained patients’ protected health information (PHI) and used ransomware to encrypt files.

The forensic investigation determined the PHI of 640,000 individuals had been exposed and potentially stolen in the attack, including names, contact information, birth dates, Social Security numbers, health insurance information, medical information, and other types of data. Notifications were sent to affected individuals in July 2020 and a 12-month membership to a credit monitoring service was offered to affected individuals.

Shortly after sending notifications, a lawsuit – Stoll et al. v. Musculoskeletal Institute – was filed in the U.S. District Court for the Middle District of Florida that alleged Florida Orthopaedic Institute was “lackadaisical, cavalier, reckless, or in the very least, negligent” with respect to maintaining the privacy of its patients and had not followed basic cybersecurity best practices. The lawsuit also alleged invasion of privacy, breach of fiduciary duty, breach of implied contract, unjust enrichment, and violation of Florida’s Deceptive and Unfair Trade Practices Act.

The lawsuit alleged the sensitive protected health information of patients was now in the hands of cybercriminals and patients now faced a substantial risk of identity theft and fraud. Florida Orthopaedic Institute has admitted no wrongdoing but decided to settle the lawsuit to avoid further legal costs and the uncertainty of trial.

Under the terms of the proposed settlement, current and former patients who were notified about the data breach are entitled to submit a claim for a cash payment of up to $15,000 to cover out-of-pocket expenses and up to 5 hours of time that was lost remedying the data breach at $25 per hour.

Attorneys argued that a 12-month membership to credit monitoring services was insufficient. All individuals affected by the data breach will now be eligible to receive 3 years of identity theft protection, credit monitoring, and identity restoration services, regardless of whether a claim is submitted. Parents or guardians of minors that have been affected by the data breach are entitled to enroll the affected children in these services for 3 years if their children are minors at the time of the settlement. These services include a $1,000,000 identity theft insurance policy. The services retail for around $196 per individual.

All claims must be submitted no later than September 16, 2022. The final approval hearing for the settlement is September 29, 2022.

The post Florida Orthopaedic Institute Proposes $4 Million Settlement to Resolve Class Action Data Breach Lawsuit appeared first on HIPAA Journal.

Ransomware Attack on New York Billing Company Affects 942K Individuals

Practice Resources, a Syracuse, NY, provider of billing and other professional services, has suffered a data breach involving the records of 942,138 individuals.

According to the breach notification sent to the California Attorney General, Practice Resources was the victim of a ransomware attack on April 12, 2022. Assisted by third-party digital forensics experts, Practice Resources determined that there had been unauthorized access to parts of the network where the protected health information of its clients was stored and the attackers may have exfiltrated that information prior to file encryption.

A review of the documents potentially affected by the attack confirmed they contained information such as names, addresses, dates of treatment, health plan numbers, and medical record numbers. Practice Resources has offered affected individuals a complimentary membership to an identity theft protection and credit monitoring service.

Practice Resources said it has issued notification letters to affected individuals on behalf of 28 clients that were affected by the data breach:

  • Achieve Physical Therapy, PC
  • CNY Obstetrics and Gynecology, P.C.
  • Community Memorial Hospital, Inc
  • Crouse Health Hospital, Inc
  • Crouse Medical Practice PLLC
  • Family Care Medical Group, PC
  • Fitness Forum Physical Therapy, PC
  • FLH Medical PC
  • Greece Dermatological Associates, PC
  • Guidone Physical Therapy, PC
  • Hamilton Orthopedic Surgery & Sports Medicine
  • Helendale Dermatological and Medical Spa, PLLC
  • Kudos Medical, PLLC
  • Laboratory Alliance of Central New York, LLC
  • Liverpool Physical Therapy, PC
  • Michael J Paciorek, MD PC
  • Nephrology Associates of Watertown, PC
  • Nephrology Hypertension Associates of CNY, PC
  • Orthopedics East, PC
  • Salvation Army
  • Soldiers & Sailors Memorial Hospital—Physician Practices
  • Joseph’s Medical
  • Surgical Care West, PLLC
  • Syracuse Endoscopy Associates, LLC
  • Syracuse Gastroenterological Associates, PC
  • Syracuse Pediatrics
  • Tully Physical Therapy
  • Upstate Community Medical, PC

Valley Baptist Medical Center Systems Hacked

Brownsville, TX-based Valley Baptist Medical Center has recently started notifying certain patients that some of their protected health information has been exposed and potentially stolen. On June 14, 2022, Valley Baptist determined that an unauthorized third party had gained access to a computer system. The forensic investigation determined that unauthorized access occurred between March 31 and April 24, 2022.

When the breach was detected, user access to systems was suspended, cybersecurity protocols were implemented, and steps were taken to prevent further unauthorized access. The forensic investigation determined that patient information was potentially affected, including names, contact information, dates of birth, health insurance information, dates of service, patient account numbers, medical record numbers, medications, diagnosis information, provider and facility names, and visit information. Valley Baptist said patients of its Brownsville and Harlingen medical centers were affected.

The data breach has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.
