HIPAA Breach News

Healthback Holdings Email Security Breach Affects 21,000 Individuals

The Oklahoma City home health provider, Healthback Holdings, has started notifying 21,114 individuals that some of their protected health information has potentially been viewed or obtained by unauthorized individuals. Unusual activity was detected within its email environment on June 1, 2022. A third-party cybersecurity firm was engaged to assist with the investigation and confirmed that a limited number of employee email accounts had been accessed by an unauthorized third party between October 5, 2021, and May 15, 2022, as a result of responses to phishing emails.

It was not possible to tell which emails, if any, had been viewed, nor if any information in the accounts had been stolen. Notification letters were therefore sent to all individuals whose protected health information was present in the affected email accounts. The exposed information varied from individual to individual and may have included names, health insurance information, Social Security numbers, and clinical information.

Complimentary credit monitoring and identity theft protection services are being provided to eligible individuals. Healthback Holdings has strengthened its email security and further training has been provided to employees on how to detect and avoid phishing emails.

Hacking Incident Reported by the City of Newport in Rhode Island

The City of Newport, RI, has recently reported a breach of the protected health information of 6,109 individuals to the HHS’ Office for Civil Rights. Unusual network activity was detected within its network on June 9, 2022, and certain systems on the network became unavailable. The forensic investigation confirmed hackers had gained access to its network on June 8, 2022, and removed files containing sensitive information from its systems.

A review of the affected files was completed on June 12, 2022, and confirmed that they contained the information of current and former employees and their spouses and/or dependents, including names, addresses, dates of birth, Social Security numbers, financial account numbers used for direct deposit, and information related to group health insurance.

Notification letters were sent to affected individuals on July 22, 2022. Complimentary memberships to identity monitoring services have been offered to affected individuals and steps have been taken to improve the security of the network.

Minuteman Senior Services Email Account Accessed by Unauthorized Individual

Bedford, MA-based Minuteman Senior Services has discovered that an unauthorized individual gained access to an employee’s email account and potentially viewed or obtained sensitive information in the account. The unauthorized access was detected on June 1, 2022, with the forensic investigation confirming the account had been accessed for less than 24 hours.

In a July 29, 2022, substitute breach notification, Minuteman explained that the account contained information such as full names, addresses, birth dates, gender, health insurance information, diagnosis, and service utilization information. No evidence of data theft or misuse has been identified at the time of issuing notifications.

The breach has been reported to the HHS’ Office for Civil Rights as affecting up to 4,000 individuals.

OrthoArizona Notifies Patients About October 2021 Cyberattack

OrthoArizona has recently started notifying 2,748 individuals that their protected health information was exposed and potentially stolen in a cyberattack that was detected on October 30, 2021. OrthoArizona said it quickly engaged the services of a third-party cybersecurity company to assist with the investigation but said the investigation and remediation process was “extensive and labor intensive,” which is why it has taken so long to issue notifications.

The review of the affected files confirmed they contained names, mailing addresses, dates of birth, Social Security numbers, and certain health insurance information. No cases of fraud have been identified as a result of the incident. Individuals who had their Social Security number exposed have been offered complimentary credit monitoring and identity theft protection services through IDX. OrthoArizona said it has reviewed and enhanced its data security policies and procedures.

The post Healthback Holdings Email Security Breach Affects 21,000 Individuals appeared first on HIPAA Journal.

Fast Track Urgent Care Confirms 258,411 Individuals Affected by 2021 PracticeMax Ransomware Attack

Fast Track Urgent Care, a network of urgent healthcare clinics in Florida, has confirmed that 258,411 individuals have had their protected health information exposed and potentially stolen in a ransomware attack on billing and practice management vendor, PracticeMax.

PracticeMax said it identified suspicious activity within its network on May 1, 2021, and confirmed that ransomware was installed on its network. The billing vendor was able to recover the data on its system on May 6, 2021, with the investigation into the breach confirming that its systems had been compromised between April 17 and May 5, 2021. A server used by PracticeMax and several email accounts were affected and data on its systems was encrypted.

The breach affected several of its healthcare clients, including Anthem Inc and Humana. The two health insurance firms confirmed they had been affected in late February 2022, with PracticeMax publicly reporting the breach in the fall of 2021. Fast Track Urgent Care said it was first notified about the ransomware attack by PracticeMax on May 10, 2021, but at that stage of the investigation, it was unclear whether the protected health information of its patients had been viewed or stolen in the attack.

On February 14, 2022, Fast Track Urgent Care said it was ‘first informed’ by PracticeMax that patient data may have been impacted, but PracticeMax could still not confirm whether customer and patient data had been accessed or stolen and that the investigation was ongoing. Fast Track Urgent Care said it took until June 6, 2022, 13 months after the initial breach, for PracticeMax to confirm that Fast Track Urgent Care patient data had been accessed.

Fast Track Urgent Care said the types of information compromised in the incident included names, Social Security numbers, passport numbers, treatment and diagnosis information, driver’s license numbers, birth dates, health insurance information, and financial information, and has confirmed that PracticeMax has offered affected individuals complimentary memberships to credit monitoring and identity theft protection services. Notification letters are being sent to affected individuals by PracticeMax on behalf of Fast Track Urgent Care.

Fast Track Urgent Care said PracticeMax took several steps to resolve the security incident and has reviewed policies and procedures and implemented additional safeguards to better secure the information on its systems.


326,278 Aetna ACE Members Affected by Ransomware Attack at Mailing Vendor

The health insurer Aetna ACE is one of the latest healthcare organizations to announce it has been affected by a ransomware attack on a mailing vendor, which involved the protected health information of 326,278 plan members. Aetna said the breach was limited to individuals insured under Aetna ACE, and that no protected health information of individuals served by Aetna or CVS Health was involved.

The ransomware attack affected OneTouchPoint, which provides printing and mailing services for U.S. companies, including billing vendors used by healthcare organizations. OneTouchPoint is provided with contact information and limited other data types to provide its contracted services. On April 28, 2022, OneTouchPoint discovered files had been encrypted on its systems, with the unauthorized access occurring the previous day on April 27, 2022.

Third-party cybersecurity specialists were engaged to investigate the security incident and completed the investigation on June 1, 2022, but were unable to determine which specific files were exfiltrated from its systems. Affected customers were notified on June 3, 2022, and OneTouchPoint worked with those customers to determine the type of information that could potentially have been viewed or removed from its systems. The exposed and potentially stolen data included names, addresses, dates of birth, member IDs, and limited medical information.

OneTouchPoint said it offered to send notifications to all affected individuals; however, some of its clients have chosen to self-report the breach and send notifications themselves. OneTouchPoint has reported the incident on behalf of 30 health plans and informed the Maine Attorney General that 1,073,316 individuals had been affected. Aetna ACE chose to self-report the breach. Other health plans affected by the OneTouchPoint ransomware attack include Anthem, Humana, Kaiser Permanente, Geisinger, Health First, UPMC Health Plan, Blue Shield of California Promise Health, Blue Cross and Blue Shield of Alabama, and other Blue Cross Blue Shield-affiliated health plans.

Aetna ACE is no stranger to data breaches at business associates. In 2020, a phishing attack on a business associate exposed the PHI of 484,157 Aetna ACE plan members. An employee of vendor EyeMed responded to a phishing email, which gave unauthorized individuals access to email accounts that contained the PHI of 2.1 million individuals. EyeMed was fined $600,000 by the New York State Attorney General for security failures that led to the data breach.

Aetna also experienced another mailing-related data breach in 2017 that affected 12,000 individuals. In that case, a mailing was sent to members to inform them about different options for filling prescriptions for their HIV medications; however, window envelopes were used through which the HIV drug information was clearly visible, making it clear that the members were being treated for HIV or were taking HIV medications to prevent infection. Aetna was investigated by state attorneys general, settled the cases, and paid more than $2,725,000 in penalties. A $1,000,000 penalty was also imposed by the HHS’ Office for Civil Rights, and Aetna settled a class action lawsuit for $17 million.


Data Breaches Reported by Allegheny Health Network, St. Luke’s Health System, & Goldsboro Podiatry

St. Luke’s Health System in Boise, ID, has recently reported a data breach to the HHS’ Office for Civil Rights that has affected 31,579 patients. The breach occurred in May 2022 at Kaye-Smith, the health system’s billing vendor, and affected patients that were billed that month. The breach was discovered in June 2022 and was reported to St. Luke’s Health System on July 6, 2022.

Unauthorized individuals gained access to systems at Kaye-Smith, which contained information such as patient names, insured names, addresses, phone numbers, ID numbers, dates of birth, descriptions of services, amounts billed, outstanding balances, payment due dates, account statuses, and the last five digits of Social Security numbers. Kaye-Smith is investigating the breach and is working with the FBI to better understand how the breach happened.

St. Luke’s Health System said it is no longer working with the billing vendor. The investigation to date has not uncovered any evidence to suggest there has been any misuse of patient data. Affected individuals have been offered a complimentary membership to a credit monitoring service.

Goldsboro Podiatry Notifies 30,669 Patients About Data Breach

Kevin Wolf, DPM, doing business as Goldsboro Podiatry in North Carolina, has recently confirmed that the protected health information of 30,669 patients has potentially been obtained by unauthorized individuals. The breach occurred at an unnamed service provider that maintains patients’ electronic medical records for the practice. The breach was detected on April 29, 2022, when certain servers used by the company were encrypted in a ransomware attack. The service provider confirmed in May 2022 that data on the servers had been accessed and was potentially obtained by the attackers. Goldsboro Podiatry was notified about the attack on May 20, 2022.

The information compromised in the attack included names, contact information, dates of birth, Social Security Numbers, demographic information, medical history, medication information, clinical observations, diagnoses, and/or treatment plans.

Goldsboro Podiatry said its service provider has secured its information technology systems and enhanced its cybersecurity defenses to prevent future attacks and has offered affected individuals complimentary access to credit monitoring and identity theft protection services.

Allegheny Health Network Phishing Attack Affects Thousands of Patients

Pennsylvania-based Allegheny Health Network has recently confirmed that the email account of an employee has been accessed by an unauthorized third party following a response to a phishing email. The employee responded to the message on May 31, 2022, and the breach was detected the following day.

A review of the email account confirmed it contained protected health information such as names, dates of birth, dates of medical services, medical histories, conditions, diagnoses and treatment information, and driver’s license numbers. A subset of individuals also had their Social Security number and/or financial information exposed.

Allegheny Health Network said prompt action was taken to address the incident, including performing a password reset to prevent further unauthorized access. A third-party cybersecurity firm has also been engaged to help improve its security controls.

Allegheny Health Network has reported the breach to the HHS’ Office for Civil Rights using a placeholder of 500 records until the breach is fully investigated and the number of individuals affected is known. Local media outlets have said around 8,000 individuals were affected.

Central Maine Medical Center Affected by Shields Healthcare Group Data Breach

Central Maine Medical Center (CMMC) has confirmed it has been affected by a data breach at Shields Healthcare Group. CMMC was one of 56 facility partners to be affected by the breach, which affected around 2 million individuals, including 11,938 CMMC patients. Further information on the breach is available in this post.

Granbury Eye Clinic in Texas Victim of Eye Care Leaders Data Breach

Granbury Eye Clinic in Texas is the latest eye care provider to confirm it was affected by the Eye Care Leaders data breach, which involved the PHI of 16,475 patients. The data breach is now known to have affected at least 39 eye care providers, with the breach total currently standing at 3,091,694 patients.


Meta Facing Further Class Action Lawsuit Over Use of Meta Pixel Code on Hospital Websites

Meta is facing another class action lawsuit over the unlawful collection and sharing of health data without consent. The lawsuit was filed in the Northern District of California on behalf of plaintiff, Jane Doe. The lawsuit alleges Meta and its companies, including Facebook, have been collecting the sensitive health data of millions of patients without obtaining express consent and have used the information to serve individuals with targeted advertisements.

Jane Doe was a patient of UCSF Medical Center and Dignity Health Medical Foundation and claims her sensitive health information was unlawfully obtained by Meta when she entered the information into the UCSF Medical Center online patient portal. UCSF Medical Center had added Meta Pixel code to the web pages of the patient portal. Meta Pixel is a snippet of JavaScript code that is used to track website visitors. The code records and transmits to Meta the web pages that a user visits. If the code is present on a web page with a form, such as those used to book appointments, the selections from drop-down boxes are recorded and transmitted. Those selections could indicate a patient’s medical condition or why an appointment has been booked.

One of the targeted Facebook adverts served to Jane Doe. Source: Jane Doe v. Meta Platforms, Inc. F/K/A Facebook, Inc., UCSF Medical Center, and Dignity Health Medical Foundation.

Jane Doe said she has been a user of Facebook since 2012 and alleges her privacy has been violated, as her information was collected and used without her consent. The information entered on the form was used by Meta to serve her with targeted advertisements related to her medical condition. The lawsuit alleges a violation of HIPAA, as neither UCSF Medical Center nor Dignity Health Medical Foundation had entered into a business associate agreement with Meta or Facebook, and at no point did Meta, Facebook, or the hospitals obtain consent or inform patients that their information was being provided to Meta to deliver targeted advertisements.

Under HIPAA, healthcare providers are permitted to disclose an individual’s protected health information to another HIPAA-covered entity or a third-party vendor for reasons related to treatment, payment, or healthcare operations, and in such cases, consent is not required from the patient. Most other disclosures require a HIPAA-covered entity to enter into a business associate agreement with the third party prior to any disclosure of PHI, and consent is required from the individuals whose PHI is disclosed.

There is no private right of action in HIPAA, so it is not possible for individuals to sue their healthcare providers for HIPAA violations, but there are often equivalent federal and state laws that do have a private right of action. In this case, the lawsuit makes sixteen claims including common law invasion of privacy – intrusion upon seclusion, invasion of privacy, breach of contract, breach of implied contract, unjust enrichment, and violations of the California Constitution, California Confidentiality of Medical Information Act (CMIA), California Business and Professions Code, California Invasion of Privacy Act, the Comprehensive Computer Data Access and Fraud Act, and the Federal Wiretap Act.

The lawsuit alleges the plaintiff and class members have suffered damage and loss as a result of the conduct of the defendants, which has deprived the plaintiff and class members of control of their valuable property, the ability to obtain compensation for their data, the ability to withhold their data from sale, and that the violations have resulted in irreparable and incalculable harm and injuries. The lawsuit seeks damages and injunctive and equitable relief.

The lawsuit makes similar allegations to another lawsuit filed against Meta, in that case by plaintiff John Doe, who was a patient of MedStar Health in Maryland. The Markup recently conducted an investigation into the sharing of healthcare data with Meta/Facebook via Meta Pixel on hospital websites and found that 33 of the top 100 hospitals in the United States had the Meta Pixel code on their websites, and 7 hospitals had the code installed on their patient portals behind logins, yet consent to share data was not obtained.
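The tracking mechanism described in this post can be checked for from the defender's side. The following is an added example, not code from the post, from Meta, or from any of the hospitals named, that statically scans a page's HTML for the standard Meta Pixel loader (the fbevents.js script on connect.facebook.net and the fbq('init', …) call), flags pages that combine it with a form containing drop-down selections, and checks whether a Content-Security-Policy header would even permit that script host. The sample portal page and the pixel id in it are constructed placeholders.

```javascript
// Added example: static audit of a page for the Meta Pixel and of a CSP header.
// Pure regex over HTML so it runs offline in Node; a production audit would parse the
// DOM and also inspect live network requests, since the pixel is often added by a tag manager.

// The public Meta Pixel base code loads fbevents.js from connect.facebook.net and then
// calls fbq('init', '<pixel id>') followed by fbq('track', 'PageView').
const PIXEL_SCRIPT_RE = /connect\.facebook\.net\/[A-Za-z_]+\/fbevents\.js/;
const PIXEL_INIT_RE = /fbq\(\s*['"]init['"]\s*,\s*['"](\d+)['"]/g;
const FORM_RE = /<form\b/i;
const SELECT_RE = /<select\b[^>]*\bname\s*=\s*["']([^"']+)["']/gi;

function auditPageForMetaPixel(html) {
  const pixelIds = [...html.matchAll(PIXEL_INIT_RE)].map((m) => m[1]);
  const scriptLoaded = PIXEL_SCRIPT_RE.test(html);
  const selectNames = [...html.matchAll(SELECT_RE)].map((m) => m[1]);
  const hasForm = FORM_RE.test(html);
  const pixelPresent = scriptLoaded || pixelIds.length > 0;

  // Risk rating: the post's concern is a pixel on a page whose drop-down choices
  // (e.g. reason for visit) can reveal a condition, so that combination rates highest.
  let risk = 'none';
  if (pixelPresent && hasForm && selectNames.length > 0) risk = 'high';
  else if (pixelPresent) risk = 'medium';

  return { pixelPresent, scriptLoaded, pixelIds, hasForm, selectNames, risk };
}

// Simplified CSP check: does script-src (or default-src as fallback) permit `host`?
// Ignores nonces, hashes and 'self'; a real evaluator must handle those too.
function cspAllowsScriptHost(cspHeader, host) {
  const directives = {};
  for (const part of cspHeader.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  const sources = directives['script-src'] || directives['default-src'];
  if (!sources) return true; // no script policy at all: any host may load scripts
  const wanted = host.toLowerCase();
  return sources.some((src) => {
    const s = src.toLowerCase();
    if (s === '*' || s === 'https:' || s === 'http:') return true; // scheme/wildcard sources
    const hostPart = s.replace(/^https?:\/\//, '').split('/')[0].split(':')[0];
    if (hostPart.startsWith('*.')) return wanted.endsWith(hostPart.slice(1));
    return hostPart === wanted;
  });
}

// Constructed sample: a fictional appointment-booking page carrying the pixel.
// The pixel id below is a placeholder, not a real one.
const SAMPLE_PORTAL_PAGE = [
  '<html><head>',
  '<script src="https://connect.facebook.net/en_US/fbevents.js"></script>',
  '<script>',
  "fbq('init', '000000000000000');",
  "fbq('track', 'PageView');",
  '</script></head><body>',
  '<form action="/book" method="post">',
  '<select name="visit_reason"><option>Annual physical</option><option>Follow-up</option></select>',
  '<button>Book appointment</button></form></body></html>',
].join('\n');

// Constructed sample headers: one that permits the pixel host and one that does not.
const CSP_PERMISSIVE = "default-src 'self'; script-src 'self' https://connect.facebook.net";
const CSP_STRICT = "default-src 'self'; script-src 'self'";

const report = auditPageForMetaPixel(SAMPLE_PORTAL_PAGE);
console.log('pixel audit:', JSON.stringify(report));
console.log('permissive CSP allows pixel host:', cspAllowsScriptHost(CSP_PERMISSIVE, 'connect.facebook.net'));
console.log('strict CSP allows pixel host:', cspAllowsScriptHost(CSP_STRICT, 'connect.facebook.net'));
```

Run the audit against every page in the portal, including those behind a login, since the Markup investigation cited in the post found the pixel on authenticated patient-portal pages.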


96 Senior Living and Healthcare Facilities Affected by Avamere Data Breach

A major data breach has been reported that has affected dozens of healthcare, rehabilitation, and senior living facilities in Oregon, Washington, Nevada, Utah, Colorado, and Arizona, which are operated by companies that are part of the Wilsonville, OR-based group, Avamere Holdings.

Between January 19, 2022, and March 17, 2022, an unauthorized individual gained access to a third-party-hosted network that was used by Avamere Health Services, LLC. Avamere Health Services is a business associate of the Avamere Holdings group of companies and provides information technology services. The forensic investigation of the data breach confirmed that the individuals behind the attack exfiltrated files from its systems that contained the information of employees and patients, including names, addresses, dates of birth, driver’s license or state identification numbers, Social Security numbers, claims information, financial account numbers, medications information, lab results, and medical diagnosis/conditions information.

The exact nature of the cyberattack was not disclosed in the substitute breach notice, but it would appear that this was a ransomware attack and that the exfiltrated data has been published on the group’s data leak site. Avamere Health Services said its information technology department has been working with third-party cybersecurity experts to review its existing security measures and security will be enhanced to prevent any repeat attacks.

Avamere Health Services has reported the breach to the Department of Health and Human Services’ Office for Civil Rights as affecting 197,730 individuals and has now sent notifications to those individuals and has offered complimentary credit monitoring services. Avamere Health Services provided notifications on behalf of the 81 companies that it works with as a HIPAA business associate.

One of the 81 companies is Premere Infinity Rehab, LLC, which has also published its own substitute breach notice on behalf of a further 16 companies for which it acts as a HIPAA business associate. Premere Infinity Rehab has reported the breach to the HHS’ Office for Civil Rights as affecting 183,254 individuals.

It is currently unclear if the total of 380,984 individuals is the final breach total. Companies known to have been affected are detailed in the tables below.

Companies Affected by Avamere Data Breach

  • A-One Home Health Services, LLC
  • Avamere at Albany
  • Avamere at Bethany
  • Avamere at Cascadia Village
  • Avamere at Chestnut Lane
  • Avamere at Englewood Heights
  • Avamere at Hermiston
  • Avamere at Hillsboro
  • Avamere at Las Vegas
  • Avamere at Lexington
  • Avamere at Moses Lake
  • Avamere at Mountain Ridge
  • Avamere at Newberg
  • Avamere at Oak Park
  • Avamere at Pacific Ridge
  • Avamere at Park Place
  • Avamere at Port Townsend
  • Avamere at Rio Rancho
  • Avamere at Roswell
  • Avamere at Sandy
  • Avamere at Seaside
  • Avamere at Seaside
  • Avamere at Sherwood
  • Avamere at South Hill
  • Avamere at St. Helens
  • Avamere at the Stratford
  • Avamere at Three Fountains
  • Avamere at Waterford
  • Avamere at Wenatchee
  • Avamere Court at Keizer
  • Avamere Crestview of Portland
  • Avamere Fern Gardens Memory Care
  • Avamere Gresham Rehabilitation and Specialty Care
  • Avamere Harmony House of Bend
  • Avamere Health Services of Rogue Valley
  • Avamere Heritage Rehabilitation of Tacoma
  • Avamere Home Health Care, LLC
  • Avamere Living at Berry Park
  • Avamere Olympic Care of Sequim
  • Avamere Rehabilitation at Fiesta Park
  • Avamere Rehabilitation of Beaverton
  • Avamere Rehabilitation of Cascade Park
  • Avamere Rehabilitation of Clackamas
  • Avamere Rehabilitation of Coos Bay
  • Avamere Rehabilitation of Eugene
  • Avamere Rehabilitation of Hillsboro
  • Avamere Rehabilitation of Junction City
  • Avamere Rehabilitation of King City
  • Avamere Rehabilitation of Lebanon
  • Avamere Rehabilitation of Newport
  • Avamere Rehabilitation of Oregon City
  • Avamere Rehabilitation of Richmond Beach
  • Avamere Riverpark of Eugene
  • Avamere St. Francis of Bellingham
  • Avamere Transitional Care and Rehabilitation-Bellingham
  • Avamere Transitional Care and Rehabilitation-Boise
  • Avamere Transitional Care and Rehabilitation-Brighton
  • Avamere Transitional Care and Rehabilitation-Malley
  • Avamere Transitional Care at Sunnyside
  • Avamere Transitional Care of Puget Sound
  • Avamere Twin Oaks of Sweethome
  • Bend Transitional Care
  • Bethany at Pacific
  • Bethany at Silver Lake
  • Cascadia Healthcare
  • Christian Living Communities
  • Columbia Lutheran Home
  • Good Samaritan Society
  • Goodman Group
  • Infinity Rehab
  • Kin On Health Care Center
  • Laurelhurst Village
  • Mission Healthcare at Bellevue, JV
  • Mission Healthcare at Renton
  • Northwest Hospice, LLC
  • NP2U, LLC
  • Pinecrest Community
  • Prestige Care
  • Prime Home Health, LLC
  • Queen Anne Healthcare
  • Rockwood at Hawthorne
  • Rockwood South Hill
  • Salem Transitional Care
  • Signature Coastal, LLC
  • Signature Home Health Bend, LLC
  • Signature Hospice Eugene, LLC
  • Signature Hospice Medford, LLC
  • Signature Hospice Nampa, LLC
  • Signature Hospice Oregon Coast, LLC
  • Summitview Healthcare Center
  • Suzanne Elise Assisted Living Facility
  • The Arbor at Avamere Court
  • The Arbor at Bend
  • The Arbor at Bremerton
  • The Pearl at Kruse Way
  • The Stafford


IBM: Average Cost of a Healthcare Data Breach Reaches Record High of $10.1 Million

The average cost of a healthcare data breach has reached double-digit millions for the first time ever, according to the 2022 Cost of a Data Breach Report from IBM Security. The average cost of a healthcare data breach jumped almost $1 million to a record high of $10.1 million, which is 9.4% more than in 2021 and 41.6% more than in 2020. Across all industry sectors, the average cost of a data breach was up 2.6% year over year at $4.35 million, which is the highest average cost in the 17 years that IBM has been producing its annual cost of a data breach reports and 12.7% higher than in 2020.

The report is based on a study of 550 organizations in 17 countries and regions and 17 different industry sectors that suffered data breaches between March 2021 and March 2022. For the report, IBM Security conducted more than 3,600 interviews with individuals in those organizations. 83% of organizations represented in the report have experienced more than one data breach, and 60% of organizations said the data breach resulted in them having to increase the price of their products and services.

Summary of 2022 Data Breach Costs

  • Global average cost of a data breach – $4.35 million (+2.6%)
  • Global average cost per record – $164 (+1.9%)
  • Average cost of a U.S. data breach – $9.44 million (+4.3%)
  • Average cost of a healthcare data breach – $10.1 million (+9.4%)
  • Average cost of a ransomware attack – $4.54 million (-1.7%)
  • Average cost where phishing was the initial attack vector – $4.91 million
  • Average cost of a 1 million record data breach – $49 million
  • Average cost of 50-60 million record data breach – $387 million

For the first time in at least six years, the biggest component of the data breach costs was detection and escalation, which cost $1.44 million in 2022, up from $1.24 million in 2021. Next was lost business, which cost an average of $1.42 million in 2022, down from $1.59 million in 2021. Post-breach response increased slightly from $1.14 million in 2021 to $1.18 million in 2022, and there was a small increase in notification costs, which rose from $0.27 million in 2021 to $0.31 million in 2022.

On average, 52% of the breach costs are incurred in the first year, 29% in the second year, and 19% after two years. In highly regulated industries such as healthcare, a much larger percentage of the costs are incurred later, with 45% of costs in the first year, 31% in year 2, and 24% later than year 2, which was attributed to regulatory and legal costs.

The report explored the different initial attack vectors and found that the most common entry route was the use of stolen credentials, which accounted for 19% of all data breaches, with these data breaches costing an average of $4.5 million. Phishing attacks accounted for 16% of all data breaches, and phishing was the costliest attack vector, with an average data breach cost of $4.91 million, closely followed by business email compromise attacks, which accounted for 6% of all data breaches and cost an average of $4.89 million. Cloud misconfigurations accounted for 15% of data breaches and cost an average of $4.14 million, and vulnerabilities in third-party software accounted for 13% of data breaches and cost an average of $4.55 million per breach.

The average time to identify a data breach was 207 days in 2022, down from 212 days in 2021. The average time to contain a data breach was 277 days, down from 287 days in 2021. A shorter data breach lifecycle (time to identify and contain a breach) equates to a lower breach cost. Data breaches with a lifecycle of fewer than 200 days cost 26.5% ($1.12 million) less on average than data breaches with a lifecycle of over 200 days.

One of the most important steps to take to improve security is to adopt zero trust strategies, but only 59% of organizations had adopted zero trust, and almost 80% of critical infrastructure organizations had yet to implement zero-trust strategies. The average breach cost for critical infrastructure organizations without zero trust was $5.4 million, which was $1.17 million more than those that had implemented zero trust strategies.

Cost of Data Breaches by Breach Cause

The average cost of a ransomware attack fell slightly by 1.7% to $4.54 million, not including the cost of the ransom itself. Ransomware attacks increased significantly in 2022 and accounted for 11% of all data breaches, up from 7.8% of data breaches in 2021. Ransomware attacks took 49 days longer to identify and contain than the global average, taking an average of 237 days to identify the intrusion and 89 days to contain the attack. Paying the ransom only saw a $610,000 reduction in data breach costs, on average, not including the amount of the ransom. Since ransom amounts are often high, the report indicates that paying the ransom does not necessarily lower the breach cost. In fact, paying may well increase the cost of the breach.

Around one-fifth of data breaches were the result of supply chain compromises. The average cost of a supply chain compromise was $4.46 million, which was 2.5% higher than the overall average cost of a data breach. It took an average of 235 days to identify the breach and 68 days to contain the breach – 26 days more than the average data breach.

45% of data breaches occurred in the cloud, with data breaches in the public cloud costing considerably more than data breaches with a hybrid cloud model. 43% of organizations that experienced a data breach in the cloud were in the early stages of their migration to the cloud and had not started applying security practices to secure their cloud environments. Organizations in the early stages of cloud adoption had data breach costs of an average of $4.53 million, whereas those at a mature stage had average breach costs of $3.87 million.

Data Breach Cost Savings

IBM identified several steps that organizations can take to reduce the financial cost and reputational consequences of a data breach. The main cost-saving elements were:

  • Fully deployed security AI and automation – $3.05 million
  • Incident response team with regularly tested IR plan – $2.66 million
  • Adoption of zero trust – $1.5 million
  • Mature cloud security practices – $720,000
  • Being fully staffed vs insufficiently staffed – $550,000
  • Use of extended detection and response (XDR) technologies – 29-day reduction in response time


Recent Hacks, Malware, and Device Theft Incidents Affect 208,000 Individuals

A round-up of data breaches that have recently been reported to the HHS’ Office for Civil Rights and state Attorneys General.

Californian EHR Vendor Reports Breach of 77,652 Records

Further information has been obtained on a data breach reported to the HHS’ Office for Civil Rights on June 2, 2022, by Clinivate, a Pasadena, CA-based provider of EHR solutions for behavioral health agencies and schools.

According to a breach notification to the California Attorney General, unusual activity was detected in its digital environment on March 23, 2022. A forensic investigation confirmed that an unauthorized third party had gained access to its network, and on May 25, 2022, it was determined that files containing the protected health information of individuals were accessed by that third party between March 12, 2022, and March 21, 2022.

The files included the protected health information of 77,652 individuals, including names, medical record numbers, health plan beneficiary numbers, treatment information, diagnosis information, other medical information, and information about payments for medical services.

Clinivate has notified affected individuals and said it has implemented additional security measures to prevent further data breaches.

McLaren Port Huron Hospital Confirms PHI of 49,000 Individuals Compromised in Cyberattack at MCG Health

McLaren Port Huron Hospital has said the protected health information of certain patients has been compromised in a cyberattack at one of its former business associates, MCG Health. MCG Health provides patient care guidelines to many health plans and almost 2,600 hospitals in the United States. On March 25, 2022, MCG Health discovered an unauthorized third party had obtained data from its network that included data elements such as names, Social Security numbers, medical codes, postal addresses, phone numbers, email addresses, dates of birth, and gender. Many MCG Health clients were affected by the incident.

McLaren Port Huron Hospital said it was notified about the breach on June 9, 2022, and that the delay in being notified meant it has not conducted its own investigation to determine the probability of an actual compromise of patient data but has sent notifications to all affected individuals to warn them of the possibility that their PHI has been stolen. McLaren Port Huron Hospital stopped using MCG Health in 2019.

The data breach has been reported to the HHS’ Office for Civil Rights as affecting 48,957 McLaren Port Huron Hospital patients. Affected individuals have been offered complimentary credit monitoring and identity theft protection services for 24 months.

Kaiser Permanente Reports Theft of iPad Containing PHI

Kaiser Permanente has started notifying certain individuals that some of their protected health information was stored on an iPad that was stolen from a locked storage area at the Kaiser Permanente Los Angeles Medical Center. An unknown individual broke into the storage area and stole the iPad, and also obtained the password that provided access to the device.

The device was used at a Kaiser Permanente COVID-19 testing site, and included photographs of COVID-19 specimen labels and protected health information such as names, medical record numbers, dates of birth, and the dates and locations of service. The theft was discovered the same day and Kaiser Permanente remotely deleted the data on the device, including all photographs.

Kaiser Permanente said it has moved devices containing PHI to a more secure location and has strengthened its internal practices and procedures. Kaiser Permanente said the iPad contained the protected health information of approximately 75,000 health plan members.

Blue Cross and Blue Shield of Massachusetts Reports Third-Party Data Breach

Blue Cross and Blue Shield of Massachusetts (BCBSofMA) has recently confirmed that a data breach at a business associate has exposed the protected health information of some of its health plan members. The breach occurred at LifeWorks US Inc, which provides services related to the administration of the Retirement Income Trust, which includes making payments to pension beneficiaries.

Around June 20, 2022, a former employee of LifeWorks emailed spreadsheets to a personal email account and copied the email to the personal email account of another former LifeWorks employee. The spreadsheets contained the protected health information of individuals who were eligible for or were receiving benefits from BCBSofMA.

The former employees maintained that the spreadsheets were sent to preserve the formula used, and that attempts were made to delete all protected health information in the spreadsheets; however, some PHI remained. The former employees said they did not further disclose the information in the spreadsheets and have now deleted the spreadsheets from their personal email accounts. The information that remained in the spreadsheets was limited to names, addresses, Social Security numbers, and some pension benefit information.

BCBSofMA has reported the breach as affecting 4,855 individuals and has offered 24 months of complimentary identity theft and credit monitoring services to affected individuals. LifeWorks said it is taking steps to prevent any recurrences of incidents such as this.

Business Associate Ransomware Attack Affects Blue Shield of California Health Plan Members

A subcontractor of a vendor used by Blue Shield of California (BSofC) has suffered a ransomware attack in which the protected health information of members of BSofC and the BSofC Promise Health Plan may have been accessed or obtained. The ransomware attack was detected on April 28, 2022, by OneTouchPoint (OTP), which was a subcontractor used by business associate Matrix Medical Network.

OTP said it immediately terminated the unauthorized access to the network and launched an investigation into the breach. While it could not be confirmed if files containing health plan members’ protected health information were viewed or obtained, the possibility could not be ruled out. The files potentially accessed included names, subscriber ID numbers, diagnoses, medications, patient addresses, dates of birth, sex, physician demographics information, advance directives, family histories, social histories, allergies, vitals, immunizations, encounter data, assessment ID numbers, and assessment dates.

The data breach has been reported to the HHS’ Office for Civil Rights as affecting 1,506 health plan members. Affected individuals have been offered a complimentary 12-month membership to a credit monitoring and identity theft protection service.


Tenet Healthcare Cyberattack Had a $100 Million Unfavorable Impact in Q2, 2022

A cyberattack and data breach cost Tenet Healthcare $100 million in lost revenue and mitigation costs in Q2, 2022. Dallas, TX-based Tenet Healthcare is one of the largest healthcare providers in the United States, running 65 hospitals and more than 450 healthcare facilities across the United States through its brands and subsidiaries. In April 2022, Tenet experienced a cyberattack that caused major disruption to its IT systems and acute care operations for several weeks. The attack forced staff to work with pen and paper during the recovery period, and at least one of the affected hospitals had to temporarily divert ambulances to other facilities. The attack also disrupted its phone system, with doctors forced to leave the premises to make phone calls. The cyberattack affected at least two hospitals and started on April 20, 2022. Tenet did not publicly release details of the attack, such as whether it involved ransomware.

According to Tenet’s Q2 2022 earnings report, the attack had a $100 million unfavorable EBITDA (earnings before interest, taxes, depreciation, and amortization) impact. Adjusted admissions fell by 5.3% year-over-year, with total admissions down 8% from Q2, 2021, and same-hospital net patient service revenue was down 0.2% as a direct result of the cyberattack. Over the quarter, Tenet’s income fell 68% to $38 million compared to Q1, 2021, and its operating revenue was down 6.4% to $4.6 million for the quarter. The attack was also partly responsible for a 2.8-day increase in its outstanding accounts receivable.

Tenet CEO Saum Sutaria said IT systems at the affected hospitals had to be totally rebuilt, and while the cyberattack had a significant business and financial impact, Tenet still recorded a strong quarter. Sutaria said the company had ample cybersecurity insurance which has helped to reduce the overall financial impact of the cyberattack. Its insurance policies paid out $5 million in Q2, 2022. The cost of the attack is significant, but it is comparable to other cyberattacks. For example, the ransomware attack on Scripps Health that affected 5 hospitals and 19 outpatient facilities cost Scripps Health $112.7 million in lost revenue and remediation costs.

Tenet will also have to cover further costs. A class action lawsuit was filed in Florida in June that alleges Tenet failed to implement appropriate security safeguards to protect against cyberattacks and did not provide adequate notifications to affected individuals. The lawsuit also alleges that notification letters have still not been sent to all individuals affected by the data breach.
