HIPAA Breach News

Benson Health Notifies 28,913 Patients About May 2021 Data Breach

Benson Health in North Carolina has recently started notifying 28,913 patients that some of their protected health information was potentially accessed or acquired in a cyberattack that was detected on May 5, 2021. Benson Health said an investigation was immediately launched when the breach was detected, and a specialist cybersecurity and data privacy law firm and third-party forensic specialists were engaged to assist with the investigation. The investigation confirmed that a data set had been exposed and was potentially stolen by the attacker.

Data mining experts were retained to perform a comprehensive review of the affected information, which confirmed on July 7, 2022, that the dataset included names, birth dates, Social Security numbers, and health and treatment information.

Notification letters were sent to affected individuals on July 12, 2021, more than 14 months after the data breach was first detected. Affected individuals have been offered Single Bureau Credit Monitoring/Single Bureau Credit Report/Single Bureau Credit Score services at no charge for 12 months.

Business Email Compromise Attack Reported by AllOne Health

AllOne Health, a Wilkes-Barre, PA-based provider of workplace physical and mental health services, has recently announced that the email account of an employee has been accessed by an unauthorized third party. The breach was detected in February 2022 when wire transfers intended for one of its payees were discovered to have been routed to a fraudulently created bank account. The investigation of the incident revealed the email account of an employee had been compromised and used in the business email compromise attack to request fraudulent transfers. A forensic review was then conducted to determine whether any patient information was contained in the account.

AllOne Health said the email account contained the protected health information of 13,669 individuals, including names, addresses, dates of birth, driver’s license numbers, Social Security numbers, and limited health information. While that information may have been accessed or obtained, the purpose of the attack was to make fraudulent wire transfers. Limited financial documents were accessed as part of the scam, but no evidence was found to indicate any patient data was viewed or obtained by the scammer.

AllOne Health said all company passwords were reset when the attack was detected, and additional security measures have now been implemented on its systems to prevent further email account breaches. Affected individuals have been offered a complimentary 12-month membership to Epiq’s identity protection and credit monitoring services.

PHI of More than 46,000 Patients Compromised in Data Breach at Southwest Health Center

Southwest Health Center in Platteville, WI, has recently announced that the protected health information of 46,142 patients has been accessed and obtained by unauthorized individuals.

Southwest Health Center identified suspicious activity within its network environment on January 11, 2022, with the forensic investigation confirming that unauthorized individuals gained access to folders containing patient information and removed certain files from its systems. A comprehensive review of the files was completed on May 27, 2022, and confirmed that patient information such as names, dates of birth, clinical and treatment information, and Social Security numbers were present in the files. The delay in issuing notification letters to affected individuals was due to the lengthy process of determining current address information for those individuals.

Southwest Health Center sent notification letters to affected individuals on July 5, 2022, and has offered 12 months of complimentary credit monitoring and identity theft restoration services through IDX.

The post Benson Health Notifies 28,913 Patients About May 2021 Data Breach appeared first on HIPAA Journal.

Department of Justice Announces Seizure of $500,000 in Ransom Payments Made by U.S. Healthcare Providers

The U.S. Department of Justice has announced that around $500,000 in Bitcoin has been seized from North Korean threat actors who were using Maui ransomware to attack healthcare organizations in the United States.

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) recently issued a security alert warning that North Korean hackers have been targeting the healthcare and public health sector in the United States using Maui ransomware since at least May 2021. The attacks have caused extensive disruption to IT systems and medical services and have put patient safety at risk.

The new ransomware variant was discovered during an investigation of a ransomware attack on a hospital in Kansas in May 2021. The attack was traced to a North Korean hacking group that is suspected of receiving backing from the state. The Kansas hospital had its servers encrypted, preventing access to essential IT systems for more than a week. The hospital paid a ransom of $100,000 for the keys to decrypt files and regain access to its servers and promptly notified the FBI about the attack and payment. The FBI was able to trace the payment, which was passed to money launderers in China, along with another payment of approximately $120,000 that was made by a healthcare provider in Colorado.

In May 2022, the FBI filed a seizure warrant in the District of Kansas to recover payments made in cryptocurrencies to the Maui ransomware gang, and ransom payments of approximately $500,000 were recovered from the seized cryptocurrency accounts. The funds have been forfeited by the ransomware gang and have been returned to healthcare providers in Kansas and Colorado.

“Thanks to rapid reporting and cooperation from a victim, the FBI and Justice Department prosecutors have disrupted the activities of a North Korean state-sponsored group deploying ransomware known as ‘Maui,’” said Deputy Attorney General Lisa O. Monaco today at the International Conference on Cyber Security. “Not only did this allow us to recover their ransom payment as well as a ransom paid by previously unknown victims, but we were also able to identify a previously unidentified ransomware strain. The approach used in this case exemplifies how the Department of Justice is attacking malicious cyber activity from all angles to disrupt bad actors and prevent the next victim.”

Microsoft has also recently reported that a North Korean hacking group operating under the name HolyGhost has been conducting ransomware attacks on SMBs in the United States. It is not clear whether the attacks are being conducted by a state-sponsored hacking group or whether individuals associated with the Lazarus Group are moonlighting and conducting the attacks independently.

“Today’s success demonstrates the result of reporting to the FBI and our partners as early as possible when you are a victim of a cyberattack; this provides law enforcement with the ability to best assist the victim,” said FBI Cyber Division Assistant Director Bryan Vorndran. “We will continue to pursue these malicious cyber actors, such as these North Korean hackers, who threaten the American public regardless of where they may be and work to successfully retrieve ransom payments where possible.”

The Methodist Hospitals Settles Class Action Data Breach Lawsuit for $425,000

The Methodist Hospitals Inc. has agreed to settle a class action lawsuit and has created a fund of $425,000 to cover claims from victims of a 2019 data breach that affected almost 70,000 current and former patients.

The Gary, IN-based healthcare provider reported an email security incident to the HHS’ Office for Civil Rights on April 4, 2019, that resulted in the exposure and potential theft of the protected health information of 68,039 patients. The investigation confirmed hackers gained access to two employee email accounts between March 13, 2019, and July 8, 2019, following responses to phishing emails and potentially exfiltrated patient information such as names, addresses, birth dates, Social Security numbers, driver’s license numbers, Medicare/Medicaid numbers, usernames, passwords, treatment and diagnosis information, and payment card information.

A lawsuit – Jones v. The Methodist Hospitals, Inc. – was filed in the Harris County District Court in Texas in the wake of the data breach, alleging that The Methodist Hospitals was negligent for failing to adequately protect the protected health information of patients. Plaintiffs James Jones and Samantha L. Gordon and members of the class allegedly suffered harm as a result of the data breach.

The Methodist Hospitals denied any wrongdoing, and the OCR investigation was closed with no action taken; however, the decision was taken to settle the lawsuit to avoid further legal costs and the uncertainty of trial.

Under the terms of the settlement, eligible class members are entitled to submit a claim for two additional years of credit monitoring and identity theft resolution services, reimbursement for economic losses, and reimbursement for time lost due to the data breach. Claims for reimbursement of documented economic losses of up to $3,000 can be submitted and/or claims of up to $300 can be submitted for reimbursement of lost time. Final approval of the settlement was received on June 13, 2022. Claims must be submitted by October 6, 2022.

June 2022 Healthcare Data Breach Report

June 2022 saw 70 healthcare data breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) – two fewer than May and one fewer than June 2021. Over the past 12 months, from July 2021 to June 2022, 692 large healthcare data breaches have been reported and the records of 42,431,699 individuals have been exposed or impermissibly disclosed. The past two months have seen data breaches reported at well over the 12-month average of 57.67 breaches a month.

The past 6 months have seen data breaches reported at similar levels to the second half of 2021 (345 in 1H 2022 v 347 in 2H 2021), but data breaches are down 6.25% from the first half of 2021 (368 in 1H 2021 v 345 in 1H 2022).

Healthcare data breaches in the past 12 months

For the third successive month, the number of exposed or compromised records has increased. In June, 5,857,143 healthcare records were reported as breached. That is the highest monthly total so far in 2022. June saw 32.48% more records breached than the previous month and 65.64% more than the monthly average over the past 12 months.

While huge numbers of healthcare records are being breached, fewer records were breached in the first half of 2022 than were breached in either the first half or the second half of 2021. In 1H 2022, 20,191,930 records were breached – 26.84% fewer than the 27,600,651 records breached in 1H 2021 and 9.2% fewer than the 22,239,769 records breached in 2H 2021.

Breached healthcare records in the past 12 months

Largest Healthcare Data Breaches Reported in June 2022

There were 31 reported breaches of 10,000 or more healthcare records in June – the same number as May 2022 – two of which affected more than 1.2 million individuals. Several healthcare providers submitted breach reports in June 2022 due to the ransomware attack on the HIPAA business associate Eye Care Leaders. At least 37 healthcare providers are now known to have been affected by that ransomware attack, and more than 3 million records are known to have been exposed in the attack.

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Location of Breached Information | Cause of Breach
--- | --- | --- | --- | --- | ---
Texas Tech University Health Sciences Center | TX | Healthcare Provider | 1,290,104 | Other | Eye Care Leaders ransomware attack
Baptist Medical Center | TX | Healthcare Provider | 1,243,031 | Network Server | Ransomware attack
MCG Health, LLC | WA | Business Associate | 793,283 | Network Server | Unspecified hacking and data theft incident
Yuma Regional Medical Center | AZ | Healthcare Provider | 737,448 | Network Server | Ransomware attack
Stokes Regional Eye Centers | SC | Healthcare Provider | 266,170 | Network Server | Eye Care Leaders ransomware attack
Spectrum Eye Physicians | CA | Healthcare Provider | 175,000 | Network Server | Eye Care Leaders ransomware attack
90 Degree Benefits, Inc. | WI | Business Associate | 172,450 | Network Server | Unspecified hacking incident
Michigan Avenue Immediate Care | IL | Healthcare Provider | 144,104 | Network Server | Unspecified hacking and data theft incident
Mattax Neu Prater Eye Center, Inc. | MO | Healthcare Provider | 92,361 | Electronic Medical Record | Eye Care Leaders ransomware attack
Sight Partners Physicians, P.C. | WA | Healthcare Provider | 86,101 | Electronic Medical Record | Eye Care Leaders ransomware attack
Clinivate LLC | CA | Business Associate | 77,652 | Network Server | Unspecified hacking incident – no information publicly released
Kaiser Foundation Health Plan of Washington | WA | Healthcare Provider | 69,589 | Email | Compromised email account
Carolina Eyecare Physicians, LLC | SC | Healthcare Provider | 68,739 | Electronic Medical Record | Eye Care Leaders ransomware attack
Precision Eye Care, Ltd. | MO | Healthcare Provider | 58,462 | Electronic Medical Record | Eye Care Leaders ransomware attack
Resolute Health Hospital | TX | Healthcare Provider | 54,239 | Network Server | Ransomware attack
Aloha Laser Vision | HI | Healthcare Provider | 43,263 | Electronic Medical Record | Eye Care Leaders ransomware attack
Center for Sight, Inc. | MA | Healthcare Provider | 41,041 | Electronic Medical Record | Eye Care Leaders ransomware attack
McCoy Vision Center | AL | Healthcare Provider | 33,930 | Electronic Medical Record | Eye Care Leaders ransomware attack
Chesapeake Eye Center PA | MD | Healthcare Provider | 32,770 | Network Server | Eye Care Leaders ransomware attack
Kevin Wolf, DPM d/b/a Goldsboro Podiatry | NC | Healthcare Provider | 30,669 | Network Server | Unspecified hacking incident
Long Vision Center | TX | Healthcare Provider | 29,237 | Electronic Medical Record | Eye Care Leaders ransomware attack
Foxhall Ob Gyn Associates | DC | Healthcare Provider | 27,000 | Other | No information
Alabama Eye & Cataract, P.C. | AL | Healthcare Provider | 26,000 | Network Server | Eye Care Leaders ransomware attack
Lori A. Harkins MD, P.C. dba Harkins Eye Clinic | NE | Healthcare Provider | 23,993 | Electronic Medical Record | Eye Care Leaders ransomware attack
DialAmerica Marketing, Inc. | NJ | Business Associate | 19,796 | Network Server | Unspecified hacking incident
Central Florida Inpatient Medicine | FL | Healthcare Provider | 19,625 | Email | Compromised email account
Yale New Haven Hospital | CT | Healthcare Provider | 19,496 | Other | Data exposed on a public-facing website
Cherry Creek Eye Physicians and Surgeons, P.C. | CO | Healthcare Provider | 17,732 | Electronic Medical Record | Eye Care Leaders ransomware attack
Bayhealth Medical Center, Inc. | DE | Healthcare Provider | 17,481 | Network Server | Ransomware attack on business associate (Professional Finance Company)
Kernersville Eye Surgeons, P.C. | NC | Healthcare Provider | 13,412 | Electronic Medical Record | Eye Care Leaders ransomware attack
Phelps County Regional Medical Center d/b/a Phelps Health | MO | Healthcare Provider | 12,602 | Network Server | Data breach at business associate (MCG Health)

Causes of June 2022 Healthcare Data Breaches

As the above table shows, ransomware attacks on healthcare organizations continue to be reported in high numbers: 20 of the 31 breaches affecting 10,000 or more individuals have been confirmed as involving ransomware. When these attacks occur at business associates, they can affect many different HIPAA-covered entities. As mentioned, the Eye Care Leaders ransomware attack has affected at least 37 eye care providers, and a ransomware attack on Professional Finance Company affected 657 of its healthcare provider clients.

There is no sign that ransomware attacks on healthcare providers will slow. This month, CISA has warned the health and public health sector that North Korean state-sponsored hackers are known to be targeting the sector and are using ransomware for extortion.

Hacking incidents continue to dominate the breach reports, with all but two of the top 31 breaches involving hacking. 81% of the month’s breaches were reported as hacking/IT incidents, and across those 57 incidents, the records of 5,784,009 individuals were breached – 98.75% of all the records breached in June. The average breach size was 101,474 records and the median breach size was 12,602 records.

There were 6 unauthorized access/disclosure data breaches reported, involving 59,224 records. The average breach size was 9,871 records and the median breach size was 5,672 records. 5 loss/theft incidents were reported (4 x theft, 1 x loss), involving 12,184 records. The average breach size was 2,437 records and the median breach size was 1,126 records. Finally, there were two improper disposal incidents reported, both of which involved paper/films. In total, 1,726 records were exposed as a result of those incidents.

Causes of June 2022 healthcare data breaches

Location of Breached Protected Health Information

The bar graph below shows where the breached information was stored. The high number of network server breaches indicates the extent to which hackers are attacking healthcare organizations. Many of these attacks involved ransomware. Most data breaches reported by healthcare providers do not involve electronic health records, which are separate from other systems. The high number of breaches involving EHRs is due to the ransomware attack on Eye Care Leaders, which provides electronic medical record systems to eye care providers.

Location of breached PHI (June 2022)

Data Breaches by HIPAA-Regulated Entity Type

Healthcare providers were the worst affected HIPAA-covered entity in June, accounting for 55 data breaches of 500 or more records, with 4 data breaches reported by health plans. Business associates of HIPAA-covered entities self-reported 11 data breaches; however, 29 data breaches occurred at business associates but were reported by the affected covered entity rather than the business associate.

Taking this into account, the breakdown of the month’s data breaches by HIPAA-regulated entity type is shown in the chart below.

June 2022 Healthcare Data Breaches - HIPAA-regulated entity type

Geographic Distribution of Breached Entities

Data breaches of 500 or more records were reported by HIPAA-regulated entities in 29 states and the District of Columbia.

State | Number of Data Breaches
--- | ---
Washington | 5
California, New Jersey, North Carolina, Ohio, South Carolina, Texas, & Virginia | 4
Alabama, Missouri, Nebraska, & New York | 3
Delaware, Illinois, Kansas, Maryland, Michigan, Pennsylvania, Tennessee, & the District of Columbia | 2
Arizona, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Massachusetts, Mississippi, & Wisconsin | 1

HIPAA Enforcement Activity in June 2022

There were no HIPAA enforcement actions announced by the OCR or state attorneys general in June; however, OCR announced this month (July) that a further 12 HIPAA penalties have been imposed, 11 of which were for violations of the HIPAA Right of Access.

BJC Healthcare Settles Data Breach Lawsuit Stemming from 2020 Phishing Attack

BJC HealthCare has agreed to settle a class action lawsuit to resolve claims that it failed to adequately protect patient data from phishing attacks. The nonprofit St. Louis-based hospital system reported a breach of its email system to the HHS’ Office for Civil Rights on May 5, 2020, that affected 287,876 individuals. The investigation confirmed that three email accounts had been compromised in March 2020 as a result of responses to phishing emails. While data theft could not be determined, the affected email accounts contained the protected health information of patients of 19 of its hospitals, including names, birth dates, health insurance information, Social Security numbers, driver’s license numbers, and healthcare data.

The lawsuit, filed in the Circuit Court of the City of St. Louis, State of Missouri, originally included 10 counts against the defendants and survived two motions to dismiss, with the lawsuit allowed to proceed on 8 of the 10 counts: unjust enrichment, breach of contract, negligence, negligence per se, breach of covenant of good faith and fair dealing, vicarious liability, and violations of the Missouri Merchandising Practices Act (MMPA) and Illinois Consumer Fraud and Deceptive Business Practices Act (ICFA).

BJC HealthCare agreed to settle the lawsuit with no admission of liability or wrongdoing. Under the terms of the settlement, BJC HealthCare will make funds available to cover claims from affected individuals up to a maximum of $5,000. Each individual affected may submit a claim for ordinary and extraordinary expenses incurred as a result of the data breach.

Claims can be submitted for ordinary expenses such as bank fees, interest, credit monitoring costs, postage, mileage, and up to 3 hours of lost time at $20 per hour. Ordinary claims are capped at $250 per person. Claims of up to $5,000 can be submitted for extraordinary expenses, including documented monetary losses and up to three hours of additional lost time at $20 per hour. BJC HealthCare has also agreed to cover the cost of two years of credit monitoring and identity theft protection services. Named plaintiffs will receive up to $2,000, and BJC HealthCare will cover the plaintiffs’ legal costs. BJC HealthCare has committed $2.7 million to cover the cost of implementing multi-factor authentication for its email accounts to improve protection against phishing attacks.

Claims must be submitted by Dec. 14, 2022. The final approval hearing for the settlement is on Sept. 6, 2022.

In May 2022, BJC HealthCare reported another email breach to the HHS’ Office for Civil Rights. The incident was reported as affecting 500 individuals – a common placeholder used until the exact number of affected individuals is determined. The breach occurred two months previously.

Oklahoma State University Settles HIPAA Case with OCR for $875,000

The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has announced that Oklahoma State University – Center for Health Sciences (OSU-CHS) has agreed to settle a HIPAA investigation stemming from a web server hacking incident and has agreed to pay a financial penalty of $875,000 to resolve potential violations of the HIPAA Privacy, Security, and Breach Notification Rules.

OSU-CHS is a public land-grant research university that provides preventive, rehabilitative, and diagnostic care in Oklahoma. OCR launched a HIPAA investigation after receiving a breach report on January 5, 2018, in response to the hacking of an OSU-CHS web server. OSU-CHS determined that malware had been installed on the server which allowed the hacker(s) to access the electronic protected health information of 279,865 individuals.

The information exposed and potentially obtained by an unauthorized third party included names, Medicaid numbers, healthcare provider names, dates of service, dates of birth, addresses, and treatment information. OSU-CHS initially declared that the data breach occurred on November 7, 2017; however, it was later reported that the hackers first had access to the ePHI of patients 20 months earlier, on March 9, 2016.

OCR investigators determined OSU-CHS had potentially violated the following provisions of the HIPAA Rules:

  • Impermissible disclosure of the ePHI of 279,865 individuals – 45 C.F.R. § 164.502(a)
  • Failure to conduct a comprehensive and accurate organization-wide risk analysis – 45 C.F.R. § 164.308(a)(1)(ii)(A)
  • Failure to perform a periodic technical and nontechnical evaluation in response to environmental or operational changes affecting the security of ePHI – 45 C.F.R. § 164.308(a)(8)
  • Failure to implement audit controls – 45 C.F.R. § 164.312(b)
  • A security incident response and reporting failure – 45 C.F.R. § 164.308(a)(6)(ii)
  • Failure to provide timely breach notification to affected individuals – 45 C.F.R. § 164.404
  • Failure to provide timely breach notification to the Secretary of the HHS – 45 C.F.R. § 164.408

In addition to the financial penalty, OSU-CHS has agreed to implement a corrective action plan to resolve all areas of non-compliance identified by OCR and will be closely monitored for compliance with the corrective action plan and the HIPAA Rules for two years. The case was settled with no admission of liability or wrongdoing.

“HIPAA-covered entities are vulnerable to cyber-attackers if they fail to understand where ePHI is stored in their information systems,” said OCR Director Lisa J. Pino. “Effective cybersecurity starts with an accurate and thorough risk analysis and implementing all of the Security Rule requirements.”

This is the fifth financial penalty to be imposed by OCR in 2022 to resolve HIPAA violations, and the 111th penalty to be imposed since OCR was given the authority to fine HIPAA-regulated entities for HIPAA violations.

Carolina Behavioral Health Alliance Reports Breach of the PHI of 130,000 Health Plan Members

The Winston-Salem, NC-based managed behavioral health organization, Carolina Behavioral Health Alliance (CBHA), the administrator of behavioral health benefits for Wake Forest University and Wake Forest Baptist Medical Center, has recently announced it was the victim of a ransomware attack.

The attack was detected on March 20, 2022, and resulted in computer systems being disabled. The forensic investigation of the incident confirmed the attackers had access to its systems between March 19 and March 20 and may have viewed or obtained the sensitive data of 130,000 health plan members and their dependents, including names, addresses, health plan ID numbers, genders, and Social Security numbers.

To date, no reports have been received to indicate there has been any actual or attempted misuse of patient data. CBHA said it has implemented additional safeguards to better protect the data of health plan members in the future and has offered affected individuals access to single bureau credit monitoring, credit reporting, and credit score services for 24 months.

ATC Healthcare Announces Email Data Breach

ATC Healthcare in New York has recently confirmed that the email accounts of certain employees were accessed by unauthorized individuals, who may have viewed or obtained sensitive patient data. The incident was detected on December 22, 2021, when suspicious activity was identified within its email environment. The forensic investigation confirmed that several employee email accounts had been accessed by unauthorized individuals at various points between February 9, 2021, and December 22, 2021.

The affected email accounts included names, Social Security numbers, driver’s licenses, financial account information, usernames and passwords, passport numbers, biometric data, medical information, health insurance information, electronic/digital signatures, and employer-assigned identification numbers.

ATC Healthcare said it found no evidence to suggest patient information was accessed, exfiltrated, or misused, and that notification letters were sent to all individuals potentially affected. It is currently unclear how many individuals have been affected by the data breach.

Employee Email Account Compromised at Community of Hope D.C.

Community of Hope D.C. (COHDC) has discovered the email account of an employee has been accessed by an unauthorized third party, who may have viewed or obtained patients’ protected health information. The breach was detected when the email account was used to send spam emails. The forensic investigation confirmed the breach was limited to a single employee email account, which was breached between January 27, 2022, and February 7, 2022.

The account contained names, Social Security numbers, driver’s license numbers, financial information, health insurance information, and health diagnostic information. 645 individuals have been affected by the breach and have been offered complimentary credit monitoring and identity theft protection services.

Tenet Healthcare Sued Over Data Breach; San Francisco Settles Data Breach Lawsuit

Tenet Healthcare and Baptist Health are facing a class action lawsuit over a recently reported data breach that affected 1.2 million patients. The breach was detected on April 20, 2022, with the forensic investigation confirming that an unauthorized third party had accessed the IT networks of Baptist Medical Center or Resolute Health Hospital between March 31 and April 24, 2022, and removed files containing sensitive patient data. The information potentially compromised included names, addresses, Social Security numbers, health insurance information, medical information, and billing and claims data.

Tenet Healthcare issued a public notification about the cyberattack and data breach on April 26, 2022, while the investigation into the breach was ongoing. Notifications were sent to affected individuals in mid-June, less than two months after the discovery of the cyberattack. Affected individuals were offered complimentary credit monitoring and identity theft protection services.

The lawsuit was filed in Dallas County and names Texas resident Troy Contreras as the lead plaintiff. The lawsuit alleges the defendants were negligent for failing to protect the privacy of patients by not implementing appropriate safeguards that met industry standards, such as multi-layered security, malware detection software, and sufficient security awareness education for the workforce, and that the data security practices of the defendants were not aligned with the guidelines issued by the Federal Trade Commission. The lawsuit also alleges a failure to issue proper notifications.

The plaintiff claims to have spent a significant amount of time ensuring his personal and protected health information is safe and that he is protected against fraud, and will continue to have to spend time doing so in the future. The lawsuit does not allege any actual misuse of the plaintiff’s data. The lawsuit seeks damages in excess of $1 million.

San Francisco Settles Medical Data Breach Lawsuit

The city and county of San Francisco have settled a long-running class action data breach lawsuit – Jane Doe, et al. vs. The City and County of San Francisco, et al – and have agreed to make $400,000 available to cover claims from the 8,884 class members. The lawsuit was filed following the impermissible disclosure of the private medical information of patients of Zuckerberg San Francisco General Hospital and Trauma Center, whose medical records were kept by neurosurgeon Dr. Shirley Stiver.

The case was filed in April 2016 in San Francisco Superior Court over the disclosure of highly sensitive data such as names, medical records, diagnoses – including HIV diagnoses – surgical notes, consultation notes, and radiologic films. The disclosures occurred without written consent from patients. The lawsuit alleged violations of the Confidential Medical Information Act and the California Health & Safety Code.

Class members are entitled to submit claims for up to $599. Claims must be submitted by August 30, 2022. The final approval hearing has been scheduled for September 29, 2022.

Associated Eye Care Partners Issues Notifications About December 2020 Data Breach

Montana-based Associated Eye Care Providers (AEC) has recently started notifying patients that their private health information was compromised in a data breach at a business associate that was detected in early December 2020.

The data breach in question occurred at Netgain Technologies, which provided managed IT services to many organizations in the healthcare sector. Netgain Technologies experienced a ransomware attack in which files containing sensitive data were stolen. Netgain paid the ransom to prevent any further disclosure of the stolen data and received assurances from the ransomware gang that the stolen data had been deleted.

Netgain Technologies notified affected healthcare clients in January 2021, and those entities started to issue notification letters to affected patients over the next couple of months. While some affected healthcare clients took longer to issue notifications, it has now been 18 months since Netgain started notifying affected clients.

According to the AEC notification letter – dated July 8, 2022 – “Upon notification by Netgain to AEC, we worked with our information technology (IT) support team and engaged a law firm specializing in cybersecurity and data privacy to investigate further.” An extensive data mining project was then conducted to determine which individuals had been affected, and that process was completed on May 16, 2022. After verifying contact information, notification letters were sent in July. AEC did not disclose when it was informed by Netgain about the data breach.

AEC said names, addresses, Social Security numbers, and medical histories had been exposed and potentially stolen, but there have been no reports of any actual or attempted misuse of patient data as a result of the data breach. In response to the breach, AEC replaced Netgain as its hosting vendor, migrated all data to another service provider, and has taken steps to introduce further safeguards to prevent any similar attacks in the future. AEC has offered affected individuals complimentary credit monitoring services.

The Netgain Technologies data breach was reported separately by each affected client and is understood to have affected more than 1 million individuals. It is currently unclear how many AEC patients have been affected, as the incident has not yet appeared on the HHS’ Office for Civil Rights breach portal.