HIPAA Breach News

United Health Centers of San Joaquin Valley Notifies Patients About August 2021 Ransomware Attack

In August 2021, the Vice Society ransomware operation published data on its data leak site that had allegedly been obtained in a ransomware attack on United Health Centers of San Joaquin Valley. On August 31, 2021, Bleeping Computer was made aware of the data leak and made multiple attempts to notify United Health Centers. Databreaches.net was also made aware of the data breach and similarly attempted to notify United Health Centers on multiple occasions. HIPAA Journal reported on the incident in September 2021.

Almost a year on, individuals whose protected health information was exposed or stolen in the attack have been notified by United Health Centers. The breach notification provided to the California Attorney General on August 12, 2022, explains that United Health Centers experienced technical difficulties on August 28, 2021, which disrupted its computer systems. Steps were immediately taken to secure its network and systems, and an investigation was launched to determine the nature of the incident.

United Health Centers said it discovered on September 22, 2021, that patient data had been exfiltrated from its systems. Third-party specialists were then engaged to confirm the scope of the data breach. The investigation confirmed that data had been exfiltrated between August 24, 2021, and August 28, 2021. A comprehensive review of the affected data was completed on April 11, 2022. United Health Centers said it “then worked expeditiously to provide notice to those patients whose information was found within those documents.”

The documents contained names, Social Security numbers, and medical record numbers. Affected individuals have been offered a one-year complimentary membership to Experian’s identity theft restoration and credit monitoring service. It is currently unclear exactly how many patients have been affected.

Lee County Emergency Medical Services Notifies Patients About Third-Party Data Breach

Lee County Emergency Medical Services has recently started notifying certain patients about a business associate-related data breach. Intermedix Corporation worked with Lee County Emergency Medical Services for almost 15 years, with the contract terminating in September 2014. Intermedix Corporation worked with a law firm, Smith, Gambrell & Russell (SGR), and certain patient data had been provided to that law firm.

Lee County Emergency Medical Services said in an August 11, 2022, breach notification on its website that it was notified on August 4, 2022, about the data breach at the law firm. SGR said it discovered on August 9, 2021, that files had been exfiltrated from its systems by an unauthorized individual, and those files contained the sensitive information of its clients. A vendor was engaged to assist with the investigation to determine the scope of the breach, and the review of the documents was completed on May 17, 2022. SGR said the breached information included names, addresses, Social Security numbers, driver’s license numbers, government IDs, and medical information, such as treatment, diagnosis, and medical history. SGR said it has taken steps to improve security and has offered affected individuals complimentary credit monitoring services.

Lee County Emergency Medical Services said it was notified about the incident on August 4, 2022, and has since been working closely with Intermedix Corporation to identify the affected individuals and send notifications. Notification letters will be sent to affected individuals within 14 to 21 days. The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected. Lee County Emergency Medical Services said around 2% of the records provided to SGR were compromised.

The post United Health Centers of San Joaquin Valley Notifies Patients About August 2021 Ransomware Attack appeared first on HIPAA Journal.

Novant Health Notifies Patients About Unauthorized Disclosure of PHI via Meta Pixel Code on Patient Portal

Novant Health has recently notified patients about a breach of their protected health information due to the incorrect configuration of Meta Pixel code on its patient portal.

Code Snippet Sending Sensitive Patient Data to Meta

Earlier this year, an investigation conducted by The Markup into the use of Meta Pixel code on healthcare providers’ websites revealed 33 of the top 100 hospitals in the United States had included Meta Pixel code on their websites, and 7 of those hospitals had added the code to their password-protected patient portals. The 7 hospitals discovered by The Markup to have installed Meta Pixel on their patient portals were Community Health Network, FastMed, Edward-Elmhurst Health, Piedmont, Renown Health, WakeMed, and Novant Health.

Meta Pixel is a snippet of JavaScript code that is used to track website visitors, and the information gathered is sent to Meta (Facebook), which may be used to serve targeted ads. Meta claims that organizations that use Meta Pixel are not supposed to send sensitive data. If Meta discovers it has been sent sensitive data by mistake, it is filtered out to prevent the information from being used to serve targeted ads. That process does not appear to be working, and even if that information is filtered out, it is still being sent to Meta.

In the weeks following the publication of the report, multiple lawsuits were filed on behalf of individuals whose personal and protected health information was disclosed to Meta via Meta Pixel code on healthcare provider websites. The lawsuits allege violations of federal and state privacy laws as the information was sent without obtaining express consent from patients.

A class action lawsuit was filed on behalf of a patient of Baltimore-based MedStar Health System, which alleges Meta Pixel has been used on the websites of at least 664 healthcare providers, allowing patient data to be sent to Meta in violation of the Health Insurance Portability and Accountability Act (HIPAA). Another lawsuit was filed against Meta and the University of California San Francisco and Dignity Health, with the lead plaintiff claiming to have been served targeted adverts following the disclosure of sensitive information about a health issue on the patient portal. Most recently, a similar lawsuit was filed against Meta and Northwestern Memorial Hospital in Chicago, IL.

Novant Health Notifies Patients About Meta Pixel Data Breach

Novant Health has recently notified an as-yet unspecified number of patients that some of their protected health information (PHI) has been sent to Meta. As far as HIPAA Journal has been able to establish, Novant Health is the first healthcare provider to issue breach notification letters to patients over the use of Meta Pixel code.

Novant Health explained in the breach notification letters that PHI was transferred to Meta due to “an incorrect configuration of [Meta] Pixel, an online tracking tool.” Novant Health said it wanted to be fully transparent over the data breach and the reasons for using the pixel code on its website.

“In May 2020, as our nation confronted the beginning of the COVID-19 pandemic, Novant Health launched a promotional campaign to connect more patients to the Novant Health MyChart patient portal, with the goals of improving access to care through virtual visits and to provide increased accessibility to counter the limitations of in-person care,” explained Novant Health. “This campaign involved Facebook advertisements and a Meta (Facebook parent company) tracking pixel placed on the Novant Health website to help understand the success of those advertisement efforts on Facebook; however, the pixel was configured incorrectly and may have allowed certain private information to be transmitted to Meta from the Novant Health website and MyChart portal.”

When notified about the potential privacy violation, Novant Health immediately disabled and removed the pixel from the patient portal and launched an investigation to determine the extent to which information was being transferred to Meta. On June 17, 2022, Novant Health determined that PHI may have been inadvertently transferred based on the type of user activity on the patient portal. The information transferred would have varied from patient to patient, and may have included an individual’s email address, phone number, IP address, contact information entered into Emergency Contacts or Advanced Care Planning, appointment type and date, physician selected, button/menu selections, and/or content typed into free text boxes.

Novant Health said it has found no evidence that Meta or any other third party has acted upon the information provided. If an individual entered financial information or a Social Security number in free text boxes, that information may also have been sent to Meta. Novant Health said the individual notification letters would state if such information had been disclosed, and if so, complimentary credit monitoring services will be provided to affected individuals.
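The two preceding sections describe how a tracking pixel placed on a marketing site ends up loading inside an authenticated patient portal and forwarding button selections and free-text input to a third party. The following is an added example, not code from HIPAA Journal, Novant Health or Meta: a small audit that scans a page's HTML for third-party script, image and frame sources, flags known tracker hosts and inline `fbq('init', ...)` calls when the page sits on an authenticated route, and emits a same-origin Content Security Policy for that route. The tracker host list, the route prefixes, the `portal.example.org` base origin and both HTML samples are constructed for the example.

```javascript
// Added example (not HIPAA Journal's, Novant Health's or Meta's code): audit a
// page for third-party tracking code and flag it on authenticated portal routes.

// Constructed list of hosts that serve tracking loaders and beacons.
// connect.facebook.net serves the Meta Pixel loader (fbevents.js); the
// <noscript> fallback of the pixel is an image beacon on www.facebook.com.
const TRACKER_HOSTS = new Set([
  "connect.facebook.net",
  "www.facebook.com",
  "www.googletagmanager.com",
  "www.google-analytics.com",
]);

// Constructed route prefixes that sit behind a login (assumption for the example).
const AUTHENTICATED_PREFIXES = ["/mychart", "/portal", "/patient"];

// Constructed first-party origin used to resolve relative URLs.
const FIRST_PARTY_ORIGIN = "https://portal.example.org";

function isAuthenticatedPath(path) {
  const p = path.toLowerCase();
  return AUTHENTICATED_PREFIXES.some((prefix) => p === prefix || p.startsWith(prefix + "/"));
}

// Collect the hosts of every <script>, <img> and <iframe> src that is not first-party.
function externalHosts(html) {
  const hosts = new Set();
  const re = /<(?:script|img|iframe)\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    try {
      const u = new URL(m[1], FIRST_PARTY_ORIGIN);
      if (u.origin !== FIRST_PARTY_ORIGIN) hosts.add(u.host);
    } catch {
      // Malformed URL: nothing to resolve, skip it.
    }
  }
  return hosts;
}

// The pixel is usually initialised inline, before the loader is fetched.
function hasInlinePixelInit(html) {
  return /\bfbq\s*\(\s*['"]init['"]/.test(html);
}

// Audit one page: which third-party hosts it loads, which of them are trackers,
// whether that matters for this route, and a CSP that would keep the route same-origin.
function auditPage(path, html) {
  const hosts = externalHosts(html);
  const trackers = [...hosts].filter((h) => TRACKER_HOSTS.has(h)).sort();
  const inlinePixel = hasInlinePixelInit(html);
  const authenticated = isAuthenticatedPath(path);
  const findings = [];
  if (authenticated && (trackers.length > 0 || inlinePixel)) {
    const what = [...trackers, ...(inlinePixel ? ["inline fbq('init')"] : [])];
    findings.push(`tracking code on authenticated route ${path}: ${what.join(", ")}`);
  }
  // Same-origin policy for authenticated routes: third-party loaders and beacons
  // are blocked by script-src, img-src and connect-src even if a tag is left behind.
  const recommendedCsp = authenticated
    ? "default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self' data:; frame-src 'none'"
    : null;
  return { path, authenticated, externalHosts: [...hosts].sort(), trackers, inlinePixel, findings, recommendedCsp };
}

// Constructed samples: a portal appointment page carrying the pixel, and a
// public landing page carrying only the loader.
const PORTAL_HTML = `<html><head>
<script>fbq('init', '000000000000000'); fbq('track', 'PageView');</script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script src="/static/app.js"></script>
</head><body>
<noscript><img src="https://www.facebook.com/tr?id=000000000000000&ev=PageView" /></noscript>
<form><textarea name="reason"></textarea><button>Schedule</button></form>
</body></html>`;

const LANDING_HTML = `<html><head>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
</head><body>Welcome</body></html>`;

console.log(JSON.stringify(auditPage("/mychart/appointments", PORTAL_HTML), null, 2));
console.log(JSON.stringify(auditPage("/", LANDING_HTML), null, 2));
```

The audit only looks at static markup, so it catches tags baked into portal templates; tags injected at runtime by a tag manager are better caught by the CSP itself, whose `report-to` or `report-uri` violations show which routes are still trying to reach third-party hosts.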


Data Breach Affects 120,000 Priority Health Plan Members

The Michigan-based health plan provider, Priority Health, has confirmed that it has been affected by a data breach at a business associate, the law firm Warner Norcross & Judd (WNJ).

WNJ identified suspicious network activity on October 22, 2021. Steps were immediately taken to prevent further unauthorized access and a digital forensics firm was engaged to assist with the investigation. That investigation confirmed that the attackers had gained access to parts of its network that contained the protected health information of approximately 120,000 members of Priority Health’s health plans.

The affected information included names, pharmacy claim information from certain prescriptions filled in 2012, including drug names, prescription filling dates, and insurance provider names. WNJ said it found no evidence of misuse of plan members’ information, but the possibility of data theft could not be ruled out.

WNJ said Priority Health was notified about the breach on June 6, 2022, almost 8 months after the security incident was detected.

PHI Exposed in Attempted BEC Attack on Living Innovations

Living Innovations, a provider of services to people with disabilities, has confirmed that unauthorized individuals gained access to the email accounts of certain employees between June 6 and June 14, 2022, after the employees responded to phishing emails. The breach was detected on June 7, 2022, when suspicious email account activity was identified.

The attack appears to have been conducted to try to divert invoice payment to an attacker-controlled account, rather than to access patient information; however, unauthorized access to patient information could not be ruled out. A review of the affected email accounts revealed they contained patient data such as names, client health insurance information, Medicaid information, Social Security numbers, and limited information related to services received at Living Innovations.

Living Innovations said it found no evidence of data theft or misuse of patient information; however, as a precaution, affected individuals have been offered complimentary credit monitoring and identity theft protection services. Additional training has been provided to employees on how to identify and avoid phishing emails.

The breach has been reported to the HHS’ Office for Civil Rights as affecting up to 4,000 individuals.

Phishing Attack on Microsoft 365 Account Affects 2,000 Florida Springs Surgery Center Patients

Florida Springs Surgery Center has discovered a breach of its Microsoft 365 email environment. The breach was detected on June 2, 2022, with the investigation confirming an unauthorized actor accessed an employee’s account between May 25, 2022, and June 2, 2022.

The account was compromised when an employee responded to a phishing email that spoofed a trusted entity. The review of the email environment confirmed the breach was limited to the employee’s account; however, that account contained the protected health information of 2,203 individuals. The types of information varied from individual to individual, and may have included names, addresses, birth dates, Social Security numbers, driver’s license/state ID numbers, financial account information, medical and/or treatment information, diagnosis or procedure information, prescriptions/medications, health insurance information, and billing and claims information.

Florida Springs Surgery Center has taken steps to improve email security, including adding multi-factor authentication for all accounts. Complimentary credit monitoring and identity restoration services have been offered to individuals who had their Social Security number, driver’s license/state ID number, or financial account information exposed.

MultiCare Health System says 18,615 Patients Affected by Avamere Health Services Cyberattack

MultiCare Health Services has confirmed that it is one of the companies affected by a cyberattack on business associate Avamere Health Services. According to the notification, a threat actor accessed Avamere Health Services’ systems and potentially deleted information of patients who received services from MultiCare between September 2016 and November 2021.

The affected individuals had used the Connected Care Network, which is a subsidiary of MultiCare Health Services. Affected individuals have been offered complimentary credit monitoring and identity theft protection services. The breach has been covered in more detail in this post.


1H 2022 Healthcare Data Breach Report

Ransomware attacks are rife, hacking incidents are being reported at high levels, and there have been several very large healthcare data breaches reported so far in 2022; however, our analysis of healthcare data breaches reported in 1H 2022, shows that while data breaches are certainly being reported in high numbers, there has been a fall in the number of reported breaches compared to 1H 2021.

Between January 1, 2022, and June 30, 2022, 347 healthcare data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) – the same number of data breaches reported in 2H, 2021. In 1H, 2021, 368 healthcare data breaches were reported to OCR, 21 more than in the corresponding period this year. That represents a 5.71% reduction in reported breaches.

[Chart: Reported healthcare data breaches - 1H 2022]

The number of healthcare records breached has continued to fall. In 1H, 2021, 27.6 million healthcare records were breached. In 2H, 2021, the number of breached records fell to 22.2 million, and the fall continued in 1H, 2022, when 20.2 million records were breached. That is a 9.1% fall from 2H, 2021, and a 26.8% reduction from 1H, 2021.

[Chart: Breached healthcare records - 1H 2022]

While it is certainly good news that data breaches and the number of breached records are falling, the data should be treated with caution, as there have been some major data breaches reported that are not yet reflected in this breach report: data breaches at business associates where only a handful of affected entities have reported the data breaches so far.

One notable breach is a ransomware attack on the HIPAA business associate, Professional Finance Company. That one breach alone affected 657 HIPAA-covered entities, and only a few of those entities have reported the breach so far. Another major business associate breach, at Avamere Health Services, affected 96 senior living and healthcare facilities. The end-of-year breach report could tell a different story.

Largest Healthcare Data Breaches in 1H 2022

1H 2022 Healthcare Data Breaches of 500 or More Records

Breach size (records) | Number of breaches
--- | ---
500-1,000 | 61
1,001-9,999 | 132
10,000-99,999 | 117
100,000-249,999 | 20
250,000-499,999 | 7
500,000-999,999 | 6
1,000,000+ | 4

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Business Associate Data Breach | Cause of Data Breach
--- | --- | --- | --- | --- | --- | ---
Shields Health Care Group, Inc. | MA | Business Associate | 2,000,000 | Hacking/IT Incident | Yes | Unspecified cyberattack
North Broward Hospital District (Broward Health) | FL | Healthcare Provider | 1,351,431 | Hacking/IT Incident | No | Cyberattack through the office of 3rd party medical provider
Texas Tech University Health Sciences Center | TX | Healthcare Provider | 1,290,104 | Hacking/IT Incident | Yes | Ransomware attack on EHR provider (Eye Care Leaders)
Baptist Medical Center | TX | Healthcare Provider | 1,243,031 | Hacking/IT Incident | No | Unspecified cyberattack
Partnership HealthPlan of California | CA | Health Plan | 854,913 | Hacking/IT Incident | No | Ransomware attack
MCG Health, LLC | WA | Business Associate | 793,283 | Hacking/IT Incident | Yes | Unspecified hacking and data theft incident
Yuma Regional Medical Center | AZ | Healthcare Provider | 737,448 | Hacking/IT Incident | No | Ransomware attack
Morley Companies, Inc. | MI | Business Associate | 521,046 | Hacking/IT Incident | Yes | Unspecified hacking and data theft incident
Adaptive Health Integrations | ND | Healthcare Provider | 510,574 | Hacking/IT Incident | No | Unspecified hacking incident
Christie Business Holdings Company, P.C. | IL | Healthcare Provider | 502,869 | Hacking/IT Incident | No | Unauthorized access to email accounts
Monongalia Health System, Inc. | WV | Healthcare Provider | 492,861 | Hacking/IT Incident | No | Unspecified hacking incident
ARcare | AR | Healthcare Provider | 345,353 | Hacking/IT Incident | No | Malware infection
Super Care, Inc. dba SuperCare Health | CA | Healthcare Provider | 318,379 | Hacking/IT Incident | No | Unspecified hacking incident
Cytometry Specialists, Inc. (CSI Laboratories) | GA | Healthcare Provider | 312,000 | Hacking/IT Incident | No | Ransomware attack
South Denver Cardiology Associates, PC | CO | Healthcare Provider | 287,652 | Hacking/IT Incident | No | Unspecified hacking incident
Stokes Regional Eye Centers | SC | Healthcare Provider | 266,170 | Hacking/IT Incident | Yes | Ransomware attack on EHR provider (Eye Care Leaders)
Refuah Health Center | NY | Healthcare Provider | 260,740 | Hacking/IT Incident | No | Ransomware attack

Causes of 1H 2022 Healthcare Data Breaches

Hacking and other IT incidents dominated the breach reports in 1H 2022, accounting for 277 data breaches or 79.83% of all breaches reported in 1H. That represents a 7.36% increase from 2H, 2021, and a 6.44% increase from 1H, 2021. Across the hacking incidents in 1H, 2022, the protected health information of 19,654,129 individuals was exposed or compromised – 97.22% of all records breached in 1H, 2022.

That represents a 6.51% reduction in breached records from 2H, 2021, and a 26.56% reduction in breached records from 1H, 2021, showing that while hacking incidents are being conducted in very high numbers compared to previous years, the severity of those incidents has reduced.

The average hacking/IT incident breach size was 70,954 records in 1H, 2022 and the median breach size was 10,324 records. In 2H, 2021, the average breach size was 81,487 records with a median breach size of 5,989 records, and in 1H, 2021, the average breach size was 96,658 records and the median breach size was 6,635 records.

In 1H, 2022, there were 52 unauthorized access/disclosure breaches reported – 14.99% of all breaches in 1H, 2022. These incidents resulted in the impermissible disclosure of 278,034 healthcare records, 72.33% fewer records than in 2H, 2021, and 61.37% fewer records than in 1H, 2021. In 1H, 2022, the average breach size was 5,347 records and the median breach size was 1,421 records. In 2H, 2021, the average breach size was 14,778 records and the median was 1,946 records. In 1H, 2021, the average breach size was 9,725 records, and the median breach size was 1,848 records.

The number of loss, theft, and improper disposal incidents has remained fairly constant over the past 18 months, although the number of records exposed in these incidents increased in 1H, 2022 to 279,266 records, up 217.33% from 2H, 2021, and 422.53% from 1H, 2021.

Location of Breached Protected Health Information

Protected health information is stored in many different locations. Medical records are housed in electronic medical record systems, but a great deal of PHI is included in documents, spreadsheets, billing systems, email accounts, and many other locations. The chart below shows the locations where the breached PHI was stored. In several incidents, PHI was breached in more than one location.

The data shows that by far the most common location of breached data is network servers, which is unsurprising given the high number of hacking incidents and ransomware attacks. Most data breaches do not involve electronic medical record systems; however, there have been breaches at electronic medical record providers this year, hence the increase in data breaches involving EHRs. The chart below also shows the extent to which email accounts are compromised. These incidents include phishing attacks and brute force attacks to guess weak passwords. HIPAA-regulated entities can reduce the risk of email data breaches by implementing multifactor authentication and having robust password policies and enforcing those policies. A password manager is recommended to make it easier for healthcare employees to set unique, complex passwords. It is also important not to neglect security awareness training for the workforce – a requirement for compliance with the HIPAA Security Rule.

[Chart: Location of breached PHI - 1H 2022]

Where are the Data Breaches Occurring?

Healthcare providers are consistently the worst affected type of HIPAA-covered entity; however, the number of data breaches occurring at business associates has increased. Data breaches at business associates often affect multiple HIPAA-covered entities. These data breaches are shown on the OCR breach portal; however, they are not clearly reflected as, oftentimes, a breach at a business associate is self-reported by each HIPAA-covered entity. Simply tallying up the reported breaches by the reporting entity does not reflect the extent to which business associate data breaches are occurring.

This has always been reflected in the HIPAA Journal data breach reports, and since June 2021, the reporting of data breaches by covered entity type was adjusted further to make business associate data breaches clearer by showing graphs of where the breach occurred, rather than the entity reporting the data breach. The HIPAA Journal data analysis shows the rising number of healthcare data breaches at business associates.

1H 2022 Data Breaches by State

As a general rule of thumb, U.S. states with the highest populations tend to be the worst affected by data breaches, so California, Texas, Florida, New York, and Pennsylvania tend to experience more breaches than sparsely populated states such as Alaska, Vermont, and Wyoming; however, data breaches are being reported all across the United States.

The data from 1H 2022, shows data breaches occurred in 43 states, D.C. and Puerto Rico, with healthcare data safest in Alaska, Iowa, Louisiana, Maine, New Mexico, South Dakota, & Wyoming, where no data breaches were reported in the first half of the year.

State Number of Breaches
New York 29
California 23
New Jersey & Texas 18
Florida & Ohio 17
Michigan & Pennsylvania 15
Georgia 14
Virginia 13
Illinois & Washington 12
Massachusetts & North Carolina 10
Colorado, Missouri, & Tennessee 9
Alabama, Arizona, & Kansas 8
Maryland 7
Connecticut & South Carolina 6
Oklahoma, Utah, & West Virginia 5
Indiana, Minnesota, Nebraska, & New Hampshire 4
Wisconsin 3
Arkansas, Delaware, Mississippi, Montana, Nevada, & the District of Columbia 2
Hawaii, Idaho, Kentucky, North Dakota, Oregon, Rhode Island, Vermont, and Puerto Rico 1

HIPAA Enforcement Activity in 1H 2022

HIPAA Journal tracks HIPAA enforcement activity by OCR and state attorneys general in the monthly and annual healthcare data breach reports. In 2016, OCR started taking a harder line on HIPAA-regulated entities that were discovered to have violated the HIPAA Rules and increased the number of financial penalties imposed, with peak enforcement occurring in 2019 when 19 financial penalties were imposed.

2022 has started slowly in terms of HIPAA enforcement actions, with just 4 financial penalties imposed by OCR in 1H, 2022. However, that should not be seen as OCR going easy on HIPAA violators. In July 2022, OCR announced 12 financial penalties to resolve HIPAA violations, bringing the annual total up to 16. HIPAA Journal records show only one enforcement action taken by state attorneys general so far in 2022.

Limitations of this Report

The nature of breach reporting makes generating accurate data breach reports challenging. HIPAA-regulated entities are required to report data breaches to OCR within 60 days of a data breach occurring; however, the number of individuals affected may not be known at that point. As such, data breaches are often reported with an interim figure, which may be adjusted up or down when the investigation is completed. Many HIPAA-regulated entities report data breaches using a placeholder of 500 records, and then submit an amendment, so the final totals may not be reflected in this report. Data for this report was compiled on August 10, 2022.

While data breaches should be reported within 60 days of discovery, there has been a trend in recent years for data breaches to be reported within 60 days of the date when the investigation has confirmed how many individuals have been affected, even though the HIPAA Breach Notification Rule states that the date of discovery is the date the breach is discovered, not the date when investigations have been completed. Data breaches may have occurred and been discovered several months ago, but have not yet been reported. These will naturally not be reflected in this report.

This report is based on data breaches at HIPAA-regulated entities – healthcare providers, health plans, healthcare clearinghouses, and business associates of those entities. If an entity is not subject to HIPAA, they are not included in this report, even if they operate in the healthcare industry.


Zenith American Solutions Reports Mailing Error that Exposed SSNs of 37,000 Individuals

Zenith American Solutions, a third-party administrator for the Sound Health and Wellness Trust, has recently notified individuals about a mailing error that exposed individuals’ Social Security numbers. According to the breach notification, a mailing was sent to individuals on June 24, 2022, advising them to complete their Personal Health Assessments or Health Profiles to enroll in the 2023 Health Reimbursement Account.

The file used for printing the mailing labels included individuals’ full Social Security numbers, which were printed in full on the mailing labels along with full names, postal addresses, and unique ID numbers. The mailing labels also indicated an individual had enrolled in the Sound Health and Wellness Trust.

Zenith American Solutions said it has implemented new quality control procedures to ensure there are no similar incidents in the future and affected individuals have been offered complimentary credit monitoring and identity theft protection services for 24 months.

The breach was reported to the HHS’ Office for Civil Rights as affecting 37,146 individuals.

Centerstone Reports Breach of Email Environment

Centerstone, a national provider of mental health, addiction recovery, residential care, therapeutic foster care, counseling, and crisis services, has recently announced that the protected health information of certain current and former Centerstone clients has been exposed and potentially obtained by unauthorized individuals.

Unusual activity was detected in the Centerstone email environment on February 14, 2022. Steps were immediately taken to secure email accounts by performing a password reset, and an investigation was launched to determine the nature and scope of the security breach. The investigation confirmed that three employee email accounts had been accessed by an unauthorized third party between November 4, 2021, and February 14, 2022.

A comprehensive review of the affected email accounts was completed on July 12, 2022, and confirmed they contained individuals’ protected health information such as names, addresses, Social Security numbers, birth dates, client ID numbers, medical diagnoses, treatment information, and/or health insurance information.

Centerstone has reported the breach to the HHS’ Office for Civil Rights, but the breach is not yet showing on the OCR breach portal, so it is unclear how many individuals have been affected. Centerstone said it has implemented additional safeguards to better protect its email environment.

Southwest Behavioral & Health Services Reports Breach of Employee Email Account

Southwest Behavioral & Health Services, a Phoenix, AZ-based provider of outpatient mental health treatment and psychiatric services, has recently notified 1,337 individuals that an unauthorized third party gained access to the email account of an employee. The email account contained individuals’ names, dates of birth, addresses, email addresses, resume information, medical diagnosis information, Social Security numbers, and phone numbers.

The breach was identified on July 15, 2022, and was confirmed to have occurred on May 5, 2022. Notification letters were sent to affected individuals on August 1, 2022. No evidence was found to indicate any theft of PHI; however, as a precaution, affected individuals have been offered a complimentary membership to identity theft protection services through IDX.

Southwest Behavioral & Health Services said further safeguards have been implemented to prevent further email data breaches and additional security awareness training has been provided to the workforce.


Salinas Valley Memorial Healthcare Settles Email Data Breach Lawsuit for $340K

Salinas Valley Memorial Healthcare System in California has agreed to settle a class action lawsuit for $340,000 to resolve claims from patients affected by a breach of its email environment in 2020.

Between April 30, 2020, and June 5, 2020, unauthorized individuals gained access to the email accounts of four employees and a contractor following responses to phishing emails. Prompt action was taken to secure its email environment, but during the 5-week period of compromise, the attacker(s) had access to emails containing sensitive patient information including names, hospital account numbers, medical record numbers, dates of service, and other information.

Legal action was taken against Salinas Valley by a patient affected by the data breach. The plaintiff alleged that Salinas Valley acted unlawfully by failing to prevent the attack, did not fulfill its legal obligations to safeguard the personal and protected health information of the plaintiff and class members, and violated the California Confidential Medical Information Act, Civil Code §§ 56 et seq.

Salinas Valley maintains it was fully compliant with state laws and denied any wrongdoing related to the security breach; however, the decision was taken to settle the lawsuit to prevent ongoing legal costs and the uncertainty of trial. Under the terms of the proposed settlement, a fund of $340,000 has been created to cover claims from individuals affected by the breach.

All patients who received a breach notification from Salinas Valley about the exposure of their personal and protected health information will be entitled to submit a claim for up to $750 for out-of-pocket expenses and time spent remediating the data breach. Claims will be paid from the fund after attorneys’ fees, expenses, and other court-approved costs have been deducted. Claims will be paid pro rata if the claims total is greater than the settlement fund. The settlement has yet to receive court approval.

Salinas Valley has also committed to improving security, with the measures including undergoing third-party audits and regular penetration tests, maintaining firewalls and access controls, and providing regular security awareness training to the workforce.

Claims must be submitted no later than August 26, 2022. Any individual who objects to the settlement or wants to remove themselves from the class must do so by August 11, 2022.

The post Salinas Valley Memorial Healthcare Settles Email Data Breach Lawsuit for $340K appeared first on HIPAA Journal.

Updates on Cyberattacks on Goodman Campbell Brain and Spine and Behavioral Health Group

Further information has been released on two cyberattacks on healthcare organizations: Goodman Campbell Brain and Spine and Behavioral Health Group.

Goodman Campbell Brain and Spine Notifies 363,000 Patients About Public Release of PHI on Dark Web

Carmel, IN-based Goodman Campbell Brain and Spine has started notifying 363,000 current and former patients that some of their protected health information was stolen prior to data being encrypted with ransomware and some of the stolen data has been published on the gang’s dark web data leak site.

The cyberattack was discovered by Goodman Campbell on May 20, 2022, and a third-party digital forensics firm was engaged to determine the nature and scope of the breach. The investigation confirmed that the electronic medical record system was not affected, but files containing patients’ protected health information had been exfiltrated from its systems. The stolen files contained information such as names, birthdates, addresses, telephone numbers, email addresses, medical record numbers, patient account numbers, diagnosis and treatment information, physician names, insurance information, dates of service, and Social Security numbers.

The attack caused disruption to its IT and phone systems. In a June 17, 2022, update on the attack, Goodman Campbell said that its phone system had been restored, but its email system remained down. In a July 19, 2022, update, Goodman Campbell said all clinical operations had been resumed and all communication systems had been restored.

Although Goodman Campbell has not confirmed it, the attack has been attributed to the Hive ransomware operation, which has attacked many healthcare providers in the United States. Goodman Campbell said that the data was available on the dark web site for a period of 10 days. Data breach notification letters from healthcare providers rarely state that data has been made available on the dark web, even though patients should be made aware of the fact to allow them to take appropriate precautions to protect their identities. Goodman Campbell has offered affected individuals a 12-month membership to a credit monitoring and identity theft protection service.

Behavioral Health Group Confirms Patient Data Potentially Compromised in December 2021 Cyberattack

Behavioral Health Group (BHG), the operator of more than 80 outpatient opioid treatment centers in 17 U.S. states, has recently confirmed that it suffered a data security incident in 2021. The cyberattack forced BHG to take its systems offline, which caused disruption to operations for almost a week. BHG explained at the time that patients at some of its clinics were prevented from receiving their prescribed take-home methadone/suboxone doses; however, treatments were provided daily at its clinics. BHG did not disclose the exact nature of the cyberattack and if ransomware was used.

According to the BHG substitute breach notice, third-party cybersecurity experts were engaged to assist with the investigation and it was confirmed that unauthorized individuals removed certain files from its systems on December 5, 2021. The breach notice does not state when access to its network was first gained.

A comprehensive review of files on the parts of the network that were accessed confirmed they contained full names, Social Security numbers, driver’s license numbers, state identification numbers, financial account information, payment card information, passport numbers, biometrics, health insurance information, medical diagnosis and treatment information, medications, dates of service, and medical record numbers.

BHG said it has found no evidence to suggest any misuse of the above information but has offered complimentary credit monitoring services to individuals whose Social Security numbers were potentially compromised.

The incident has not yet appeared on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected. BHG said the breach did not affect all patients.

The post Updates on Cyberattacks on Goodman Campbell Brain and Spine and Behavioral Health Group appeared first on HIPAA Journal.

First Choice Community Healthcare and Arlington Skin Notify Patients About Cyberattacks

First Choice Community Healthcare in Albuquerque, NM, has started notifying certain patients that an unauthorized individual gained access to its network and potentially stole patient data. In a substitute breach notification, First Choice explained that unusual activity was detected within its technological environment on March 27, 2022. A third-party cybersecurity firm was engaged to conduct a forensic investigation and determine the nature and scope of the breach. While it was not possible to confirm if any files had been accessed or exfiltrated, the possibility could not be ruled out.

A comprehensive review of the affected files was completed on June 3, 2022, which confirmed that the following information had potentially been compromised: names, Social Security numbers, First Choice patient ID numbers, diagnosis and clinical treatment information, medications, dates of service, health insurance information, medical record numbers, patient account numbers, dates of birth, and provider information. Affected individuals were notified about the breach by mail on August 1, 2022, and have been offered complimentary identity theft protection services through IDX.

The incident has yet to appear on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.

Arlington Skin Notifies 17,468 Patients About Electronic Medical Record Data Breach

Dr. Michelle A. Rivera, MD, doing business as Arlington Skin in Virginia, has started notifying 17,468 patients that their protected health information may have been accessed by unauthorized individuals in a security breach at business associate, Virtual Private Network Solutions (VPN Solutions).

VPN Solutions managed the electronic medical records of patients of Arlington Skin via the Allscripts practice management solution and electronic medical records platform. The cyberattack was discovered by VPN Solutions on or around October 31, 2021, and the forensic investigation confirmed that the information potentially compromised in the attack included names, addresses, dates of birth, diagnostic and treatment information, health insurance information, and Social Security numbers.

Notification letters started to be sent to affected individuals on July 8, 2022. No evidence of data theft was found but, as a precaution, fraud assistance and remediation services have been provided to affected individuals through CyberScout.

The post First Choice Community Healthcare and Arlington Skin Notify Patients About Cyberattacks appeared first on HIPAA Journal.

Dental Care Alliance Settles Class Action Data Breach Lawsuit for $3 Million

Dental Care Alliance has agreed to settle a class action lawsuit filed in response to a data breach that affected more than 1.7 million individuals. A fund of $3 million has been created to cover claims from individuals affected by the breach.

Dental Care Alliance, LLC, is a Sarasota, FL-based dental support organization with more than 320 affiliated dental practices across 20 states. Dental Care Alliance said its systems were compromised on September 18, 2020, the breach was detected on October 11, 2020, and was contained on October 13, 2020. The forensic investigation confirmed that names, addresses, diagnoses, treatment information, patient account numbers, billing information, dentists’ names, payment card information, and health insurance information had potentially been compromised. Individuals were notified about the breach in December 2020.

The breach report submitted to the HHS’ Office for Civil Rights initially indicated 1,004,304 individuals had been affected, but it was later amended to 1,723,375 individuals. Dental Care Alliance said no specific evidence of data theft was found and it was unaware of any misuse of patient data. Despite highly sensitive information being involved, credit monitoring services were not offered.

A lawsuit – Paras v. Dental Care Alliance, LLC, Case No. 22-ev-000181 – was filed in the State Court of Fulton County, Georgia, on behalf of individuals affected by the data breach. Dental Care Alliance was alleged to have failed to adequately secure patient information and the plaintiffs claimed that had reasonable cybersecurity measures been implemented, the data breach would have been prevented. The plaintiffs alleged that they face an increased risk of identity theft and fraud due to the negligence of Dental Care Alliance and that their sensitive personal and protected health information is now in the hands of data thieves.

Dental Care Alliance has proposed a settlement to resolve claims related to the data breach but has not admitted any wrongdoing. Under the terms of the settlement, a fund of $3 million will be created to cover claims from affected individuals, and 2 years of identity theft protection services are being offered to all affected individuals. Those services include dark web monitoring and coverage by a $1 million identity theft insurance policy.

All class members are entitled to submit claims of up to $2,000 for documented losses due to the data breach, and up to two hours of lost time at $20 per hour. Individuals in a settlement subclass can submit additional claims for up to $3,000 for documented losses and an additional two hours of lost time. The cap for claims is $3,000,000, so claims will be paid pro rata if that figure is exceeded. The attorneys for the plaintiffs will ask the court to award fees of $850,000 and payments of $1,500 for the class representatives. Under the terms of the settlement, Dental Care Alliance has committed to implementing additional data security measures.

The final approval hearing for the settlement is scheduled for Sept. 1, 2022. The deadline for opting out of the settlement – July 26, 2022 – has now passed. Claims must be submitted no later than August 25, 2022.

The post Dental Care Alliance Settles Class Action Data Breach Lawsuit for $3 Million appeared first on HIPAA Journal.