Security breaches have been reported by the Center for Urban Community Services in New York, Riverview Health in Indiana, and Smile Design Management in Florida.

The Center for Urban Community Services, New York

The Center for Urban Community Services, a New York social services organization, has notified 38,000 individuals about a network intrusion that occurred between September 4, 2023, and September 9, 2023. The intrusion was detected on September 9, 2023, and an investigation was launched, but data acquisition was not confirmed at the time. Center for Urban Community Services has now confirmed sensitive data was exfiltrated in the incident. The types of information involved varied from individual to individual and may have included names, addresses, telephone numbers, dates of birth, Social Security numbers, benefit identification numbers, health information, and prescription information. The Center for Urban Community Services is unaware of any misuse of the affected information.

Riverview Health, Indiana

Riverview Health in Noblesville, IN has discovered unauthorized access to an employee’s email account. An unidentified third party had access to the account for less than an hour on August 23, 2024, before the intrusion was detected by its security software and access to the account was blocked. The investigation confirmed that a single email account had been compromised after an employee was tricked by a social engineering scam. The window of opportunity for viewing and copying sensitive information in the account was short but it is possible that electronic files in the account may have been compromised. The files were reviewed and confirmed to contain patients’ protected health information such as name, sex, date of birth, medical record number, admission date(s), and medical information such as diagnosis.

Since social security numbers, financial information, bank account numbers, and health insurance information were not compromised, Riverview Health believes the risk of misuse of patient data is low. Riverview Health is reviewing its policies around phishing and social engineering and is evaluating methods and procedures for improving electronic access and controls. Notification letters were mailed to the affected individuals on October 24, 2024. The HHS’ Office for Civil Rights portal indicates that 1,562 individuals were affected.

Smile Design Management, Florida

Smile Design Management, a Tampa, FL-based operator of 50 dental care facilities in Florida, has discovered unauthorized access to files on its network. The breach was detected on February 22, 2024, when unusual network activity related to a third-party software solution was detected.

Third-party cybersecurity specialists were engaged to investigate the activity and confirmed unauthorized access to its network between February 22, 2024, and February 23, 2024. The review of the affected files was completed on August 15, 2024, and after verifying contact information, notification letters were sent to the affected individuals, who have been offered complimentary credit monitoring and identity theft protection services. The substitute breach notice does not state the types of information compromised in the incident.

Smile Design Management said it has implemented additional technical safeguards to prevent similar breaches in the future. The breach was reported to the HHS’ Office for Civil Rights on October 10, 2024, as involving the protected health information of 500 individuals.

The post 38,000 Individuals Affected by Center for Urban Community Services Cyberattack appeared first on The HIPAA Journal.

Long Island Plastic Surgical Group, a network of 13 plastic surgery practices in New York, has confirmed to the HHS’ Office for Civil Rights that the protected health information of 161,707 individuals was compromised in a hacking incident earlier this year.

According to its substitute breach notice, external cybersecurity professionals were engaged to investigate the incident and confirmed that a network intrusion occurred between January 4, 2024, and January 8, 2024, involving the exfiltration of a limited amount of patient data. The file review was completed on September 15, 2024, and confirmed that full names had been stolen in combination with some or all of the following: date of birth, Social Security number, driver’s license number/state identification number, passport number, financial account information, medical information, biometric information, health insurance policy information, and clinical photographs.

Long Island Plastic Surgical Group said it is unaware of any improper use of the affected information as a direct result of the incident; however, as a precaution, individuals whose Social Security numbers were involved have been offered complimentary credit monitoring services. Long Island Plastic Surgical Group said it had implemented many safeguards to protect patient data and will continue to evaluate and modify its internal controls to further enhance security.

Long Island Plastic Surgical Group did not state in its notification letter whether this was a ransomware attack; however, the Radar threat group claimed responsibility. In a conversation with databreaches.net, a spokesperson for the group said the attack was conducted in conjunction with the ALPHV threat group, where ALPHV handled the intrusion and Radar handled the data exfiltration. Radar claimed that ALPHV was paid a ransom but Radar was not given its cut of the ransom payment. Radar subsequently issued its own ransom demand to prevent the publication of the stolen data; however, the ransom was not paid. The Federal Bureau of Investigation (FBI) has now seized the Radar data leak site.

Dr. Daniel J. Leeman, M.D.

Dr. Daniel J. Leeman, M.D., a Texas-based board-certified plastic surgeon and ENT specialist, has reported a hacking-related data breach to the HHS’ Office for Civil Rights that involved the protected health information of 50,000 patients. This appears to have been a cyberattack on his practice rather than through a business associate. Dr. Leeman filed a breach notice with the Texas Attorney General on September 4, 2024, confirming names, addresses, dates of birth, Social Security numbers, driver’s license numbers, government-issued ID numbers (such as passport numbers or state IDs), financial information (such as account numbers, credit/debit card numbers), medical information, and health insurance information were involved. The affected individuals have now been notified by mail.

Clay Platte Family Medicine – Barry Pointe Family Medicine Clinic – Summit Family and Sports Medicine Clinic – Cobblestone Family Medicine Clinic

The protected health information of patients of Clay Platte Family Medicine and Barry Pointe Family Medicine Clinic in Kansas City, MO; Summit Family and Sports Medicine Clinic in Summit, MO; and Cobblestone Family Medicine Clinic in Liberty, MO was compromised in a June 2024 data security incident. Suspicious network activity was detected on June 26, 2024, and immediate action was taken to secure its network. A cybersecurity firm was engaged to investigate the activity and confirmed that an unauthorized third party had access to the network and potentially viewed or acquired files containing patient information.

On September 10, 2024, the affected clinics confirmed names, addresses, Social Security numbers, dates of birth, and health insurance information were involved. Individual notifications were mailed on October 16, 2024, and complimentary credit monitoring and identity theft protection services have been made available. The breach was reported to the Maine Attorney General as involving the personal information of 53,916 individuals, including 4 Maine residents. The clinics said they are reviewing and enhancing their data security policies and procedures to prevent similar breaches in the future.

Wellfleet Group, LLC

Wellfleet Group, a Massachusetts-based third-party administrator for Wellfleet Insurance Company and Wellfleet New York Insurance Company that provides health insurance solutions and services to students at post-secondary education institutions, is notifying 22,959 individuals that some of their protected health information has been compromised.

Wellfleet Group learned on August 1, 2024, that student medical referral information could be accessed online via search engines and launched an investigation to determine the cause and extent of the data exposure. The investigation revealed a previously unknown misconfiguration on its website “allowed deep-links to the medical referral print page of users to be accessible without authentication.” Search engine web crawlers scraped the referrals and indexed them, allowing them to be found by performing Internet searches using the students’ names.

Wellfleet Group corrected the misconfiguration and worked to have the indexed referrals removed from the Internet. A review was also conducted to identify any further misconfigurations on its website, data security controls for the website were reset, and its standards for review and technical support of applications and software development processes have been updated to prevent similar incidents in the future.

The affected individuals were students participating in their educational institution’s student health plan and the compromised information included their full name, address, phone number, date of birth, insurance group/policy number, school ID number, and health/medical information such as the reason for referral and diagnosis code. The affected individuals have been offered complimentary credit monitoring services.

The post Long Island Plastic Surgical Group Confirms 161K-Record Data Breach appeared first on The HIPAA Journal.

SouthCoast Health and Privia Medical Group in Georgia have notified patients about a cyberattack and data breach that occurred in June 2023. Unauthorized activity was identified in South Coast Health’s network on June 18, 2023, and assisted by forensic specialists, it was determined that its network was accessed by an unauthorized third party between June 15 and June 18, 2023. During that time, files on the network were viewed or copied.

South Coast Health confirmed that the intrusion was limited to its own network, with Privia Medical Group’s network unaffected; however, some Privia Medical Group patients did have their information exposed. The substitute breach notice provided to the South Carolina Attorney General does not list the types of data compromised in the attack, but that information is detailed in the individual notifications.

A substitute notice was posted on its website last year warning patients that they may have been affected, but at the time it was unclear how many patients had been affected or the types of data involved. The review of the affected files was not completed until June 13, 2024. South Coast Health said it had strict security measures in place to prevent unauthorized access to its network, but those measures were circumvented. Additional security measures have now been implemented to prevent similar incidents in the future. Complimentary credit monitoring and identity theft protection services have been offered to the affected individuals. The HHS Office for Civil Rights breach portal still shows the interim figure of 501 affected individuals.

Call 4 Health Issues Notifications About March 2024 Cyberattack

Call 4 Health, Inc., a Delray Beach, FL-based medical call center operator and nurse triage service provider, has recently issued individual notifications to individuals affected by a data security incident that occurred on March 20, 2024. Unauthorized network access was detected on May 6, 2024, and immediate action was taken to prevent further unauthorized access.

Third-party cybersecurity experts were engaged to assist with the investigation and confirmed that its network had been hacked, and its systems were accessible for around 6 weeks. In addition to investigating the breach, assistance was provided in securing its digital environment and hardening network security. Call 4 Health also said it will be enhancing its cyber preparedness through additional awareness training and updating its procedures.

In its notice to the Maine Attorney General, Call 4 Health confirmed that the breached data included information related to employment and human resources, with the July 8, 2024 breach report stating that 3,210 individuals had been affected, including 1 Maine resident. The incident was reported to the Department of Health and Human Services on March 17, 2024, indicating the protected health information of 10,434 individuals had been exposed. Complimentary credit monitoring and identity restoration services are being offered to some of the affected individuals.

Clear Spring Health Notifies Patients About Change Healthcare Data Breach

Clear Spring Health, a Miramar, FL-based provider of PPO, HMO, and PDP advantage plans, has notified Medicare beneficiaries that their data may have been compromised in the February 2024 ransomware attack on Change Healthcare. In a website notice, Clear Spring Health explained that Change Healthcare confirmed on or around March 7, 2024, that the attackers had exfiltrated a substantial amount of data in the attack, which had potentially affected one in three Americans.

Change Healthcare is still conducting the document review to determine exactly which individuals have had their data exposed or stolen, and notification letters are expected to be mailed on behalf of its clients by the end of the month. Clear Spring Health said the types of data that may have been exposed include contact information, health insurance information, health information, billing information, and personal information, including Social Security numbers, driver’s license numbers, state ID numbers, and passport numbers. Clear Spring Health has advised the affected Medicare beneficiaries to take advantage of the two years of free credit monitoring services that Change Healthcare is offering.

The post SouthCoast Health; Call 4 Health Notify Patients About Cyberattacks appeared first on The HIPAA Journal.

SouthCoast Health and Privia Medical Group in Georgia have notified patients about a cyberattack and data breach that occurred in June 2023. Unauthorized activity was identified in South Coast Health’s network on June 18, 2023, and assisted by forensic specialists, it was determined that its network was accessed by an unauthorized third party between June 15 and June 18, 2023. During that time, files on the network were viewed or copied.

South Coast Health confirmed that the intrusion was limited to its own network, with Privia Medical Group’s network unaffected; however, some Privia Medical Group patients did have their information exposed. The substitute breach notice provided to the South Carolina Attorney General does not list the types of data compromised in the attack, but that information is detailed in the individual notifications.

A substitute notice was posted on its website last year warning patients that they may have been affected, but at the time it was unclear how many patients had been affected or the types of data involved. The review of the affected files was not completed until June 13, 2024. South Coast Health said it had strict security measures in place to prevent unauthorized access to its network, but those measures were circumvented. Additional security measures have now been implemented to prevent similar incidents in the future. Complimentary credit monitoring and identity theft protection services have been offered to the affected individuals. The HHS Office for Civil Rights breach portal still shows the interim figure of 501 affected individuals.

Call 4 Health Issues Notifications About March 2024 Cyberattack

Call 4 Health, Inc., a Delray Beach, FL-based medical call center operator and nurse triage service provider, has recently issued individual notifications to individuals affected by a data security incident that occurred on March 20, 2024. Unauthorized network access was detected on May 6, 2024, and immediate action was taken to prevent further unauthorized access.

Third-party cybersecurity experts were engaged to assist with the investigation and confirmed that its network had been hacked, and its systems were accessible for around 6 weeks. In addition to investigating the breach, assistance was provided in securing its digital environment and hardening network security. Call 4 Health also said it will be enhancing its cyber preparedness through additional awareness training and updating its procedures.

In its notice to the Maine Attorney General, Call 4 Health confirmed that the breached data included information related to employment and human resources, with the July 8, 2024 breach report stating that 3,210 individuals had been affected, including 1 Maine resident. The incident was reported to the Department of Health and Human Services on March 17, 2024, indicating the protected health information of 10,434 individuals had been exposed. Complimentary credit monitoring and identity restoration services are being offered to some of the affected individuals.

Clear Spring Health Notifies Patients About Change Healthcare Data Breach

Clear Spring Health, a Miramar, FL-based provider of PPO, HMO, and PDP advantage plans, has notified Medicare beneficiaries that their data may have been compromised in the February 2024 ransomware attack on Change Healthcare. In a website notice, Clear Spring Health explained that Change Healthcare confirmed on or around March 7, 2024, that the attackers had exfiltrated a substantial amount of data in the attack, which had potentially affected one in three Americans.

Change Healthcare is still conducting the document review to determine exactly which individuals have had their data exposed or stolen, and notification letters are expected to be mailed on behalf of its clients by the end of the month. Clear Spring Health said the types of data that may have been exposed include contact information, health insurance information, health information, billing information, and personal information, including Social Security numbers, driver’s license numbers, state ID numbers, and passport numbers. Clear Spring Health has advised the affected Medicare beneficiaries to take advantage of the two years of free credit monitoring services that Change Healthcare is offering.

The post SouthCoast Health; Call 4 Health Notify Patients About Cyberattacks appeared first on The HIPAA Journal.

The Florida Department of Health has confirmed to FOX 35 in Orlando that it is investigating a cyberattack. The attack has affected its Vital Statistics System, which is used to process birth and death certificates. The disruption to the system has been causing problems for funeral homes across the state for the past two weeks. Some funeral homes have postponed their services or have been forced to physically visit healthcare providers to get signed copies of death certificates.

The Department of Health has released few details about the attack but this appears to have been a ransomware attack involving the exfiltration of a large volume of data. The RansomHub group claimed responsibility for the attack and said it had stolen around 100 gigabytes of data from the Department and started to leak the stolen data when the ransom was not paid by its deadline of July 1, 2024. The Department of Health has not commented on the validity of the group’s claims nor the extent of any data breach.

The failure to pay the ransom should not have come as a surprise, as Florida amended its State Cybersecurity Act to prohibit state agencies, counties, and municipalities that experience a ransomware attack from paying or otherwise complying with a ransom demand. The ban on ransom payments took effect on July 1, 2022.

There are no reasons to believe that the hacking group’s data theft claims are not genuine. RansomHub has conducted many attacks in the United States, including attacks on healthcare organizations and government departments. The group was also indirectly involved in the February ransomware attack on Change Healthcare, having obtained the data stolen in the attack from a BlackCat ransomware group affiliate after BlackCat performed an exit scam, pocketed the $22 million ransom, and refused to pay the affiliate.

The post RansomHub Claims to Have Stolen and Leaked 100 GB of Florida Department of Health Data appeared first on The HIPAA Journal.

Palomar Health Medical Group has warned patients that they may have been affected by an April 2024 cyberattack, and DaVita has learned that tracking tools on its website and mobile app may have sent user data to third-party vendors.

Palomar Health Medical Group Announces April 2024 Cyberattack

Palomar Health Medical Group, a provider of primary and specialty care to communities in North San Diego County, has informed patients about a recent cyberattack that exposed some of their protected health information. A security breach was detected on or around May 5, 2024, and immediate action was taken to prevent further unauthorized access to its systems. An investigation was launched to determine the nature and scope of the incident, which confirmed that hackers had access to its network from April 23, 2024, to May 5, 2024.

Palomar Health Medical Group said the attack “may have caused certain files to files to become unrecoverable,” which suggests that ransomware was used. Palomar Health Medical Group has confirmed that certain files were exfiltrated from its network and the review of those files is ongoing, as is the process of restoring the affected files. A full recovery of the affected systems was expected by July 1, 2024; however, the recovery process is taking longer than anticipated.

It is still not possible to tell exactly how many patients have been affected or the specific types of data that have been exposed or obtained in the attack; however, Palomar Health Medical Group has identified the categories of data involved. The compromised data varies from individual to individual and, based on the initial findings of the investigation, will include patient names in combination with one or more of the following: address, date of birth, Social Security number, medical history information, disability information, diagnostic information, treatment information, prescription information, physician information, medical record number, health insurance information, subscriber number, health insurance group/plan number, credit/debit card number, security code/PIN number, expiration date, email address and password, and username and password.

The breach has affected current and former patients of Palomar Health Medical Group and its affiliates Graybill Medical Group and Pacific Accountable Care. Individual notification letters will be mailed to the affected individuals when the file review is completed.

DaVita Notifies Patients About Tracking Technology Privacy Incident

DaVita Inc., a Denver, CO-based provider of kidney dialysis services, notified 67,443 patients on July 2, 2024, about a pixel-related data breach.  Pixels are online tracking technologies that are used on websites and mobile applications for recording visitor activity. DaVita explained that it learned on June 17, 2024, that tracking tools had been installed on its website health portal and Care Connect mobile application that they may have transmitted data to third-party vendors.

The types of information disclosed varied from individual to individual based on their interactions on the website and use of the mobile application. That information may have included usernames and third-party identifiers/cookies, employment status, patient classification/reference, information about the use of the app or pages visited on the website, and information indicating whether the user was signed into a DaVita account, but not the account password. For certain users, limited demographic information may also have been disclosed and, potentially, lab test names or lab test resources viewed on the website but no lab test results. The above types of information could be tied to an individual via their IP address and third-party identifiers, such as if a user was logged into their Google or Facebook account at the time. First and last names would only have been disclosed if they were used to create a username.

DaVita said it has removed all third-party tracking technologies that are not part of a HIPAA-compliant service and has implemented new policies and procedures and provided additional training to members of its workforce to prevent similar privacy breaches in the future. DaVita said it is not aware of any misuse of the disclosed information that is likely to result in financial or similar harm.

The post Patient Data Compromised in Palomar Health Medical Group Cyberattack appeared first on The HIPAA Journal.

HealthEquity has confirmed a breach of its SharePoint data, which included protected health information. Data breaches have also been reported by Kairos Health Arizona and Ambulnz.

HealthEquity

HealthEquity, a Draper, UT-based financial technology and business services company, has suffered a cyberattack that has exposed protected health information. HealthEquity provides health savings account (HSA) services and other consumer-directed benefits solutions, including health reimbursement arrangements (HRAs), and manages millions of HSAs, HRAs, and other benefit accounts.

HealthEquity explained in an 8-K filing with the Securities and Exchange Commission (SEC) that it recently identified anomalous behavior in a business partner’s device, and said the initial investigation indicates that the device had been compromised and was used to access members’ information. No malware was found on its systems and business operations were unaffected, and while the company is still evaluating the financial impact of the incident, it does not believe that the incident will have any material effect on its business or financial results.

The breach was detected on March 25, 2024, and immediate action was taken to prevent further unauthorized access. A forensic investigation was launched to determine the extent of the breach, which revealed an unauthorized actor accessed and exfiltrated HealthEquity’s SharePoint data. Its transactional systems, where integrations occur, were not affected. HealthEquity has started notifying the affected partners, clients, and members and is offering complimentary credit monitoring and identity theft protection services. The extent of the breach and the types of information involved has bot yet been publicly disclosed.

Kairos Health Arizona

Kairos Health Arizona, an employee benefits pool serving public entity employers in Arizona, has discovered that there has been unauthorized access to member data by a former third-party vendor. An investigation was launched which determined that between November 2, 2023, and March 29, 2024, the vendor accessed and downloaded information from a Kairos database.

A review was conducted to determine the types of data involved and confirmed that the downloaded data included names, insurance identification numbers, claims/coverage information, and health information. No Social Security numbers, driver’s license numbers, or financial account information were accessed or downloaded. Notification letters have now been sent to the 14,364 affected individuals and steps have been taken to enhance the security of its network, internal systems, and applications to prevent similar incidents in the future.

Ambulnz

Ambulnz, a subsidiary of DocGo that provides medical transportation and ambulance services, has discovered the protected health information of 4,742 patients has been exposed and potentially stolen in a cyberattack that was detected on April 22, 2024. The forensic investigation confirmed that a threat actor first accessed its network on April 21, 2024, and access was blocked the following day; however, the attack was not detected in time to prevent the threat actor from downloading patient data from its network. The stolen files included names, plus one or more of the following: dates of birth, address, medical record number, patient account number, health insurance identification number, and/or diagnosis and treatment information. A limited number of patients also had their Social Security numbers and/or driver’s license numbers stolen.

The post Protected Health Information Stolen in HealthEquity SharePoint Breach appeared first on The HIPAA Journal.

The Mount Kisco Surgery Center, doing business as the Ambulatory Surgery Center of Westchester in New York, has recently notified 22,139 patients that some of their protected health information has been exposed and potentially stolen.

Suspicious activity was detected in an employee’s email account on November 3, 2023, and after securing the account, a forensic investigation was launched to determine the nature and scope of the activity. The investigation confirmed that the unauthorized third party had access to the account from October 23, 2023, to November 3, 2023, and that the account contained patient data.

A comprehensive review was then initiated to determine the individuals affected and the types of data involved. That process was completed on May 30, 2024, and then address information was verified. The affected individuals were notified by mail on June 26, 2024. The types of data involved varied from patient to patient and included names in combination with one or more of the following: Social Security number, driver’s license number, state identification number, date of birth, medical information, including diagnosis information, treatment information, and prescription information, and health insurance information, including claim information and health insurance number.

At the time of issuing notifications, no reports had been received to suggest there had been any misuse of patient data. Mount Kisco Surgery Center said it has enhanced network security to prevent similar breaches in the future.

Mobile Medical Response Warns Patients About PHI Breach

Mobile Medical Response, a Michigan-based provider of medical transportation and ambulance services, has announced that there has been an impermissible disclosure of patient information at one of its business associates. Mobile Medical Response contracted with CBM Services to provide collections services. CMB Services had issued a check to Mobile Medical Response, which an unauthorized individual attempted to cash.

When checks are issued to Mobile Medical Response by CMB Services, they are accompanied by a statement of accounts that includes the names of individuals to whom the payments relate. The statements include names, identify individuals as having received transportation services from Mobile Medical Response, and potentially include other information.

Mobile Medical Response has confirmed that addresses, dates of birth, Social Security numbers, driver’s license/state identification numbers, financial account information, payment card information, patient record information, medical diagnosis/condition information, medical treatment information, and health insurance information were not impermissibly disclosed.

Mobile Medical Response is currently investigating the incident to determine the full name, scope, and impact of the event. In the meantime, the breach has been reported as affecting 500 individuals. The total will be updated when the investigation has been completed.

The post Email Breach Affects 22,000 Ambulatory Surgery Center of Westchester Patients appeared first on The HIPAA Journal.

Providence Mission Heritage Endocrinology and Samaritan Health Services have identified unauthorized access to patient data by former employees.

Providence Mission Heritage Endocrinology

In May 2024, Providence Mission Heritage Endocrinology in Mission Viejo, CA, discovered an insider breach that involved unauthorized access to clinical records. Providence launched an investigation into the activity and confirmed that the unauthorized access had been ongoing for more than three years. The first instance occurred on December 15, 2020, and it continued until May 15, 2024. The nature of the access was not disclosed; however, Providence said there is an active investigation by the California Department of Insurance.

The review confirmed that only names, State IDs, driver’s license numbers, and health insurance coverage information were accessed. Social Security numbers were not accessed; however, as a precaution, credit monitoring and identity protection services have been offered to the affected individuals for 12 months at no cost. Cambria Haydon, Chief Privacy Officer, Providence has advised the affected patients to take advantage of those services.

The incident has been reported to the California Attorney General; however, it is not currently shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.

Samaritan Health Services

Samaritan Health Services in Oregon has announced that a physician who worked at its Lebanon Community Hospital may have accessed the protected health information of patients without authorization. An investigation was launched in November 2023, when unauthorized access was suspected.

The investigation involved a review of access logs to patient records, interviews with patients and employees, and a written attestation from the physician. While many of the records accessed by the physician were for legitimate purposes, Samaritan was unable to verify the purpose of the physician’s record access for 1,296 individuals.

Samaritan is confident that if the medical records of those individuals were accessed, it was not for malicious purposes and there are no indications that any patient data will be misused; however, as a precaution, the affected individuals have been advised to monitor their account statements and credit reports closely and should immediately report any unusual activity to the appropriate financial institution.

The post Insider Breaches Reported by Providence Mission Heritage Endocrinology & Samaritan Health Services appeared first on The HIPAA Journal.