HIPAA Breach News

Patient Information Compromised at Phoenixville Hospital, Family Practice Center, and Southwest Health Center

Phoenixville Hospital Fires Employee for HIPAA Violation

Phoenixville Hospital in Pennsylvania has recently fired an employee for accessing the medical records of patients without authorization. According to the hospital operator, Tower Health, the unauthorized access was discovered during a routine audit of medical record access logs.

An employee was discovered to have accessed the medical records of several patients without authorization between October 2021 and May 2022, when there was no legitimate work reason for viewing those records. When the privacy violation was discovered, the employee was immediately suspended pending an internal investigation and was later fired for the HIPAA breach.

The employee viewed names, addresses, dates of birth, appointment dates, diagnoses, vital sign information, medications, test results, and physicians’ notes. Some of the accessed records included partial Social Security numbers and health insurance information. Tower Health said additional training has been provided to the workforce regarding patient privacy and the accessing of medical records.

Family Practice Center Reports October 2021 Hacking Incident

Family Practice Center in Pennsylvania has recently started sending notification letters to patients whose protected health information was exposed in an October 2021 cyberattack. According to the substitute breach notice on its website, an attempt was made to shut down its computer systems on October 11.

An investigation was launched and on May 21, 2022 – 7 months after the discovery of the attack – it was determined that some of the files accessed in the incident included patient data such as names, addresses, medical insurance information, and health and treatment information. Patient medical records were not involved. Notification letters were sent to affected individuals on July 5, 2022. Family Practice Center said it is unaware of any misuse of patient information.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Southwest Health Center Suffers Cyberattack

The Platteville, WI-based non-profit community healthcare provider, Southwest Health Center, has recently started notifying patients about a cyberattack that was first discovered on January 11, 2022. A forensic investigation determined that an unauthorized third party accessed files containing the personal and protected health information of current and former employees, their dependents, and patients who received healthcare services at Southwest Health.

The information compromised in the breach included names, dates of birth, Social Security numbers, driver’s license or state identification card numbers, financial account numbers, medical information, and/or health insurance information. Complimentary credit monitoring and identity theft protection services have been offered to affected individuals.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

The post Patient Information Compromised at Phoenixville Hospital, Family Practice Center, and Southwest Health Center appeared first on HIPAA Journal.

Health Aid of Ohio Settles Class Action Data Breach Lawsuit

Health Aid of Ohio has agreed to settle a class action lawsuit to resolve claims that it failed to protect the sensitive personal information of its customers.

Health Aid of Ohio is a Parma, OH-based full-service home medical equipment provider. On February 19, 2021, Health Aid discovered hackers had gained access to its network and viewed and removed files containing sensitive customer information. The files contained information such as name, telephone number, Social Security number, date of birth, medical diagnosis, insurance information, and the type of equipment that was delivered or repaired. Notifications were issued to affected customers in May 2021. The data breach affected 141,149 individuals.

A lawsuit was filed on behalf of affected individuals, which alleged Health Aid had failed to implement reasonable cybersecurity measures to ensure the confidentiality of customer data. The lawsuit alleged negligence, unjust enrichment, invasion of privacy, and other claims.

Health Aid admitted no wrongdoing but decided to settle the lawsuit to resolve all claims related to the data breach. Under the terms of the settlement, any individual affected who had their Social Security number exposed is entitled to a cash payment of up to $250 and can submit a claim for out-of-pocket expenses, including credit monitoring costs, and up to four hours of lost time at $15 per hour. Documentation must be submitted to support any claim. Any individual who can provide documentation that proves they were a victim of fraud can submit a claim of up to $2,500. Claims must be submitted by August 22, 2022, and the deadline for exclusion or objection is July 22, 2022.

Regardless of the types of information exposed in the data breach, all class members are entitled to a 12-month complimentary membership to credit monitoring and identity theft restoration service. Health Aid has also agreed to implement a range of additional safeguards to better protect customer information in the future and will undergo annual security risk assessments in 2022 and 2023 to determine whether further security enhancements can be made.

The final approval hearing for the settlement has been scheduled for Sept. 20, 2022.

Security Breaches Reported by Benefit Plan Administrators and The People Concern

Roanoke, VA-based Benefit Plan Administrators Inc. has recently notified 3,775 individuals that an unauthorized individual gained access to its network and removed files that contained some of their protected health information. It is unclear from the breach notification letters when the incident occurred, but the forensic investigation concluded on March 15, 2022, and the notification letters were sent to affected individuals on or around June 15.

Benefit Plan Administrators said the following types of information were in the files that were removed from its systems: full names, addresses, dates of birth, Social Security numbers, gender classification, claims information, medications information, and medical diagnosis/conditions information. The breach was reported to the HHS’ Office for Civil Rights as four separate incidents. Employees of Alpha Natural Resources Non-Union VEBA Trust and Williamson Employment Services, Inc. are known to have been affected.

No evidence was found to indicate any of the removed information has been misused. Complimentary credit monitoring services have been provided to affected individuals. Benefit Plan Administrators said additional safeguards have been implemented by the IT department to prevent similar incidents in the future.

The People Concern Reports Breach of Employee Email Accounts

The People Concern, a Los Angeles, CA-based homeless services provider, has discovered the email accounts of some of its employees have been accessed by an unauthorized third party. The accounts contained the sensitive information of community members such as date of birth, Social Security number, health insurance information, and medical information regarding care received through its programs.

The security breach was detected when suspicious activity was observed in the email accounts, with the investigation revealing they had been accessed by unauthorized individuals at various times between April 6, 2021, and December 9, 2021.

In response to the breach, email security measures have been enhanced and affected individuals have been offered complimentary memberships to an identity theft protection and resolution service for one year. It is currently unclear how many individuals have been affected.

Advocates Inc. Discovers Further Individuals Affected by 2021 Data Breach

In January 2022, Framingham, MA-based Advocates Inc. started notifying individuals affected by a cyberattack that saw its network compromised between September 14, 2021, and September 18, 2021. The incident was initially thought to have affected 68,236 individuals, but the investigation later confirmed that additional individuals had been affected. The review of the impacted files continued until June 9, 2022, and additional notifications were mailed to affected individuals on June 28, 2022. It is currently unclear how many additional individuals have been affected.

Patient Privacy Violated in Incidents at VCU Health and Cheyenne Regional Medical Center

A lengthy privacy violation has been detected by Virginia Commonwealth University Health System (VCU Health) that potentially started on January 4, 2006. According to the substitute breach notification on the VCU Health website, transplant donor information had been included in the medical records of certain transplant recipients, and transplant recipient information had also been included in the medical records of transplant donors.

When donors, recipients of transplants, or their representatives logged into the patient portal to view their medical records, they would have been able to view information about the donor/recipient. It is also possible that the information was provided to individuals who exercised their right under HIPAA to obtain a copy of their health information. In each case, the exposed information was not accessible to the public, only to specific transplant donors and recipients.

The privacy issue was detected by VCU Health on February 7, 2022, with the subsequent investigation confirming that additional information may also have been viewable, which included names, Social Security numbers, lab results, medical record numbers, date(s) of service, and/or dates of birth.

Affected individuals have been notified by mail and have been offered complimentary credit monitoring services if their Social Security numbers had been exposed. Steps have also been taken to improve privacy protections and prevent similar incidents in the future. VCU Health said, in total, 4,441 transplant donors and recipients had been affected.

Cheyenne Regional Medical Center Discovers Employee Snooped on Patient Records for 2 Years

Cheyenne Regional Medical Center (CRMC) has discovered a former employee had been accessing the medical records of patients without authorization for almost two years. The former employee had been provided with access to patient data to complete her work duties but had been accessing the records of patients for reasons unrelated to her role.

The privacy violation came to light when a former co-worker reported the individual for the HIPAA violation after a transfer to a different department within the medical center. The incident was investigated internally and it was confirmed that the records of up to 1,600 patients had been viewed without authorization between Aug. 31, 2020, and May 26, 2022.

CRMC compliance director, Gladys Ayokosok, said no evidence was found to suggest any patient information was copied or further disclosed by the former employee, and affected individuals have now been notified about the employee’s HIPAA violation. The types of information that may have been viewed included names, dates of birth, Social Security numbers, dates of care, medical record numbers, diagnoses, and treatments.

According to Ayokosok, the access went undetected for so long because the former employee had previously worked with the electronic health record provider. To detect any cases of snooping in the future, the IT department has created an audit trail, which will allow the IT team to tell if employees access records an unusual number of times, see why employees are accessing patient records, and check to make sure there is a legitimate reason for accessing patient data.
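As an added illustration of the audit-trail review described above (example code written for this page, not CRMC's or any EHR vendor's tooling; the log lines, care-team roster and reason codes are constructed), the script below flags users who view far more distinct patient records than their peers and accesses with no documented treatment or billing relationship, while routing emergency "break glass" access to a separate review queue rather than treating it as unexplained.

```python
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample of an EHR access audit trail (not real data).
# One row per record access: when, who, their role, which patient, what, why.
SAMPLE_LOG = """\
timestamp,user,role,patient_id,action,reason
2022-05-02T08:02:00,nurse01,RN,P100,view,treatment
2022-05-02T08:10:00,nurse01,RN,P101,view,treatment
2022-05-02T08:30:00,nurse01,RN,P102,view,treatment
2022-05-02T08:05:00,nurse02,RN,P103,view,treatment
2022-05-02T08:45:00,nurse02,RN,P104,view,treatment
2022-05-02T11:00:00,nurse02,RN,P109,view,break_glass
2022-05-02T09:00:00,nurse03,RN,P105,view,treatment
2022-05-02T09:20:00,nurse03,RN,P106,view,treatment
2022-05-02T09:40:00,nurse03,RN,P107,view,treatment
2022-05-02T10:00:00,doc01,MD,P100,view,treatment
2022-05-02T10:15:00,doc01,MD,P103,view,treatment
2022-05-02T12:01:00,clerk01,CLERK,P100,view,billing
2022-05-02T12:02:00,clerk01,CLERK,P101,view,billing
2022-05-02T12:03:00,clerk01,CLERK,P102,view,billing
2022-05-02T12:04:00,clerk01,CLERK,P103,view,billing
2022-05-02T12:05:00,clerk01,CLERK,P104,view,billing
2022-05-02T12:06:00,clerk01,CLERK,P105,view,billing
2022-05-02T12:07:00,clerk01,CLERK,P106,view,billing
2022-05-02T12:08:00,clerk01,CLERK,P107,view,billing
2022-05-02T12:09:00,clerk01,CLERK,P108,view,billing
"""

# Constructed roster: users with a documented treatment or billing
# relationship to each patient (in practice derived from encounter
# assignments, scheduling, or work queues).
CARE_TEAM = {
    "P100": {"nurse01", "doc01", "clerk01"},
    "P101": {"nurse01", "clerk01"},
    "P102": {"nurse01", "clerk01"},
    "P103": {"nurse02", "doc01"},
    "P104": {"nurse02"},
    "P105": {"nurse03"},
    "P106": {"nurse03"},
    "P107": {"nurse03"},
    "P108": {"nurse01"},
    "P109": {"doc01"},
}


def parse_log(text):
    """Parse the CSV audit trail into a list of dicts with real timestamps."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        events.append(row)
    return events


def distinct_patients_per_user(events):
    """Count how many different patient charts each user opened."""
    seen = defaultdict(set)
    for e in events:
        seen[e["user"]].add(e["patient_id"])
    return {user: len(patients) for user, patients in seen.items()}


def unusual_volume_users(events, k=3.0):
    """Flag users whose distinct-patient count is far above the peer group.

    Uses median + k * MAD (robust to the outlier itself). The MAD is floored
    at 1 so a perfectly uniform peer group does not flag every small deviation.
    In production the peer group should be restricted to the same role.
    """
    counts = distinct_patients_per_user(events)
    values = list(counts.values())
    median = statistics.median(values)
    mad = max(statistics.median(abs(v - median) for v in values), 1.0)
    threshold = median + k * mad
    return {user: n for user, n in counts.items() if n > threshold}


def accesses_without_relationship(events, care_team):
    """List accesses by users not on the patient's documented care team.

    Emergency (break-glass) access is legitimate but must still be reviewed,
    so it is labelled separately instead of being silently accepted.
    """
    findings = []
    for e in events:
        if e["user"] in care_team.get(e["patient_id"], set()):
            continue
        status = "break_glass_review" if e["reason"] == "break_glass" else "unexplained"
        findings.append({"user": e["user"], "patient_id": e["patient_id"],
                         "timestamp": e["timestamp"], "status": status})
    return findings


def review_report(log_text, care_team):
    """Combine both checks into the report a compliance reviewer would work from."""
    events = parse_log(log_text)
    return {"unusual_volume": unusual_volume_users(events),
            "no_relationship": accesses_without_relationship(events, care_team)}


if __name__ == "__main__":
    for section, findings in review_report(SAMPLE_LOG, CARE_TEAM).items():
        print(section, findings)
```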

Data Breaches Reported by University Pediatric Dentistry, OrthoNebraska, Michigan Avenue Immediate Care

University Pediatric Dentistry in Buffalo, NY, has started notifying 6,843 patients that some of their protected health information has been exposed in an email security incident.

The email system was immediately secured when the breach was detected with the forensic investigation confirming that two email accounts had been accessed by an unauthorized third party between January 12, 2022, and January 19, 2022. University Pediatric Dentistry said it learned on April 25, 2022, that emails and attachments in the compromised accounts contained patient data, and information had potentially been viewed or obtained.

The compromised information included patient names, contact information, dates of birth, Social Security numbers, driver’s license numbers, government identification numbers, treatment and diagnosis information, provider names, medical record numbers, patient account numbers, prescription information, dates of service and/or health insurance information. A limited number of patients also had financial account information exposed.

Individuals who had their Social Security numbers or driver’s license numbers exposed have been offered complimentary credit monitoring and identity theft protection services. University Pediatric Dentistry said technical security measures will be implemented to further protect and monitor its email system.

Cyberattack Reported by Michigan Avenue Immediate Care

Michigan Avenue Immediate Care (MAIC) in Chicago, IL, has recently reported a hacking incident that saw an unauthorized third party gain access to its computer network and exfiltrate files containing sensitive patient data. The cyberattack was detected on May 1, 2022, and on May 12, 2022, MAIC confirmed that the files exfiltrated from its systems included some patient information.

The types of data in the files varied from individual to individual and may have included names, addresses, telephone numbers, dates of birth, Social Security numbers, driver’s license numbers, treatment information, and/or health insurance information. Affected individuals have been notified by mail and have been offered a complimentary one-year membership of the Experian IdentityWorks Credit 3B service.

The incident has not yet appeared on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

OrthoNebraska Email Account Compromised

OrthoNebraska, an Omaha, NE-based orthopedic clinic, has recently announced that the email account of an employee has been accessed by an unauthorized individual. The breach occurred in early December 2021 and was detected when the account was used to send spam emails. A review of the affected email account confirmed the protected health information of certain patients was present in emails and attachments, and that information may have been viewed or obtained.

The exposed information included names, demographic information, driver’s license numbers, state ID numbers, usernames/passwords, Social Security numbers, medical histories, and health insurance and claims information. Affected individuals have been notified by mail and credit monitoring and identity theft protection services have been offered. To date, no reports have been received that indicate any actual or attempted misuse of patient data. OrthoNebraska said it has provided further information security training to the workforce and additional safeguards have been implemented to improve email security.

The incident has not yet appeared on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Jack Hughston Memorial Hospital Investigating Cyberattack

Jack Hughston Memorial Hospital in Phenix City, AL has recently confirmed that hackers have gained access to its network. The cyberattack forced the hospital to take its computer systems offline, which has prevented access to electronic medical records. The hospital has continued to provide care to patients under emergency downtime procedures and a third-party computer forensics firm has been engaged to assist with the investigation. At this stage of the investigation, it is unclear if, and to what extent, patient information has been compromised.

Several More Eye Care Practices Impacted by Eye Care Leaders Data Breach

The number of eye care providers affected by the data breach at Eye Care Leaders has continued to grow, with Mattax Neu Prater Eye Center in Missouri, Aloha Laser Vision in Hawaii, and Sight Partners Physicians in Washington among the latest known to be affected. At least 33 eye care providers have confirmed they have been affected by the cyberattack and the records of more than 2.9 million individuals have potentially been compromised.

657 Healthcare Providers Affected by Ransomware Attack on Professional Finance Company

A major data breach has been reported by the Greeley, CO-based accounts receivable management company, Professional Finance Company Inc. (PFC) which is believed to have affected 657 of its healthcare provider clients.

According to the PFC website, the company is one of the nation’s leading debt recovery agencies, and its client list includes many healthcare providers, retailers, financial organizations, and government agencies. According to the company’s substitute breach notice, a sophisticated ransomware attack was detected and blocked on February 26, 2022, but not in time to prevent some of its computer systems from being disabled.

Third-party forensics specialists were engaged to investigate the breach and provide assistance with securing its environment. That investigation confirmed that an unauthorized third party had access to systems that contained information about patients of its healthcare provider clients, and files containing patient data were accessed. PFC said it sent notification letters to all affected healthcare provider clients on May 5, 2022, and has since issued notification letters to all affected individuals.

The investigation uncovered no evidence of misuse of patient data, but data theft and misuse could not be ruled out. The types of information potentially accessed in the attack included names, addresses, accounts receivable balances, information regarding payments made to accounts, and, for some individuals, birth dates, Social Security numbers, health insurance information, and medical treatment information.

PFC said it is providing complimentary credit monitoring and identity theft protection services to affected individuals. In contrast to several recent data breaches at business associates of HIPAA-covered entities, PFC has published a list of the healthcare providers affected.

The incident has yet to appear on the HHS’ Office for Civil Rights website, so it is unclear how many patients have been affected by the breach, but with 657 healthcare providers affected, this has the potential to be one of the largest healthcare data breaches to be reported this year.

Fitzgibbon Hospital, Diskriter, Christiana Spine Center Suffer Ransomware Attacks

On June 25, 2022, a spokesperson for a threat group called DAIXIN Team contacted HIPAA Journal to share information about a ransomware attack and data theft incident at Fitzgibbon Hospital in Marshall, Missouri. A link was shared to a dark web resource where data stolen in the attack has been published.

The published data includes database tables from the MEDITECH database, and sensitive documents containing patient data stolen from internal servers. In total, 40GB of data was stolen in the attack and included names, dates of birth, medical record numbers, patient account numbers, Social Security numbers, and medical and treatment information.

DAIXIN Team was previously not known to HIPAA Journal and appears to be a new ransomware group. databreaches.net has obtained further information on the group and the attack and confirmed, through a shared chat log, that a representative for Fitzgibbon Hospital had made contact with DAIXIN Team to negotiate the ransom payment, but no payment has been made to date.

There is currently no breach notice on the Fitzgibbon Hospital website, and no reported breach at this stage on the HHS’ Office for Civil Rights website, so it is unclear how many patients have been affected. At the time of writing, the stolen data is still available for download.

Hive Ransomware Threat Group Attacks Health Information Management Service Provider

The Hive ransomware group has claimed to have conducted a ransomware attack on Diskriter, a Pittsburgh, PA-based provider of health information management, transcription, and revenue cycle management services. The group claims to have exfiltrated 160GB of data prior to file encryption, including files containing software source code, financial data, employee information, sensitive business data, login data including passwords and usernames, and files containing patient data.

The attack was allegedly conducted on June 8, 2022, and in addition to encrypting files, backup files were also encrypted. At the time of writing, the ransom has not been paid. Some of the stolen data has been published on the Hive ransomware gang’s data leak website. Diskriter has not publicly confirmed the attack at this point and it is unclear how many patients have had their protected health information exposed.

Ransomware Attack Reported by Christiana Spine Center

Newark, DE-based Christiana Spine Center has confirmed it was the victim of a recent ransomware attack. The attack was detected on February 25, 2022, and steps were immediately taken to contain the attack. Forensic and cybersecurity experts were engaged to investigate the breach and determined files containing names, addresses, phone numbers, Social Security numbers, health insurance identification numbers, and personal health information may have been accessed in the attack.

The review of the affected files confirmed up to 3,500 patients may have been affected. They have been offered complimentary 12-month memberships to a credit monitoring service. Christiana Spine Center said no evidence was found to indicate any patient data has been stolen or misused.

Multiple Email Accounts Compromised at Covenant Care California and Bergen’s Promise

Aliso Viejo-based Covenant Care California, an operator of skilled nursing facilities and a provider of home health services in California and Nevada, has announced that an unauthorized third party has gained access to its email system, and potentially viewed or obtained electronic protected health information. Suspicious activity was detected in an employee’s email account in February 2022, with the subsequent investigation confirming multiple employee email accounts had been accessed between February 24 and March 22, 2022. The accounts contained data related to its home health services, which were provided under the following names:

  • Focus Health
  • RehabFocus Home Health
  • Elevate Health Group
  • Choice Home Health
  • San Diego Home Health

A review of the accounts was completed on March 27, 2022, and confirmed protected health information was present in the email accounts, which for most individuals included names, medical information, and health insurance information. A subset of individuals also had their date of birth, Social Security number, driver’s license number, and/or other personal information exposed. Covenant Care said safeguards are being reviewed and will be updated to improve security, which includes providing further training to employees on email security. Affected individuals have been offered complimentary identity monitoring services.

It is currently unclear how many individuals have been affected. This post will be updated when that information is publicly released.

Bergen’s Promise Email Account Accessed by Unauthorized Individual

Bergen’s Promise, the designated Care Management Organization for Bergen County in New Jersey, has recently announced that part of its email system has been compromised. Suspicious activity was detected in an employee’s email account, with the forensic investigation determining six email accounts had been compromised between November 15 and November 18, 2021. The suspicious activity was detected on November 15.

Bergen’s Promise said security protocols have been enhanced in response to the incident. Credit monitoring and identity theft protection services have been offered to affected individuals. It is unclear why it took 7 months from the date of discovery of the breach to issue notification letters.

The breach was reported to the HHS’ Office for Civil Rights as affecting 6,948 individuals.

Grandview Medical Center Notified About Theft of ER Activity Logs

Grandview Medical Center in Birmingham, AL, has started notifying 1,126 individuals that activity logs from its emergency department that contained protected health information have been stolen and recovered by law enforcement.

Grandview Medical Center was contacted by law enforcement on April 12, 2022, and was informed that the logs had been found in a residential apartment on April 4, 2022. The logs contained records of patient visits between February 1 and February 12, 2022, and included information such as name, date of birth, medical record number, account number, and treatment information including reason for visit, diagnosis, acuity, date/time of service, arrival mode and discharge disposition.

Grandview Medical Center said the law enforcement investigation is ongoing. At this stage, it is unclear what the person who stole the logs did with the data, but it is possible that the logs have been exposed to other individuals. As a precaution, credit monitoring services have been offered to affected individuals.

The medical center said it provides regular privacy and confidentiality training to employees and emphasizes the importance of protecting patient information.

GAO: HHS Should Establish Mechanism for Obtaining Feedback on HIPAA Data Breach Reporting Process

The Government Accountability Office (GAO) has recommended that the Department of Health and Human Services (HHS) establish a feedback mechanism to improve the effectiveness of its data breach reporting process.

The Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009, called for the Secretary of the HHS to create and maintain a list of data breaches involving the unsecured protected health information of 500 or more individuals on its website.

The HHS’ Office for Civil Rights (OCR) Breach Portal includes breaches of the personally identifiable protected health information (PHI), such as unauthorized access and disclosures, exposures, and the loss and theft of PHI. The number of reported data breaches has been increasing each year, with 2021 seeing 714 data breaches of 500 or more records reported to OCR.

GAO explained in its report that between 2015 and 2021, the number of individuals affected by healthcare data breaches at healthcare providers, health plans, healthcare clearinghouses, and business associates of those entities has ranged from 5 million to 113 million each year.

OCR is the main enforcer of compliance with the Health Insurance Portability and Accountability Act (HIPAA). OCR investigates data breaches and complaints about potential HIPAA violations and seeks to establish whether the HIPAA Rules have been violated. To date, OCR has imposed 110 financial penalties on HIPAA-regulated entities that have been determined to have violated the HIPAA Rules.

In January 2021, the HITECH Act was amended to require OCR to consider the ‘recognized security practices’ that had been continuously in place for the previous 12 months when making determinations about actions to take against HIPAA-regulated entities that have experienced breaches of PHI. OCR sought feedback from the public on the implementation of recognized security practices and is due to finalize that process this summer.

GAO said it was asked to conduct a review of the breach reporting process, determine the extent to which the HHS had established a review process to assess whether covered entities had implemented recognized security practices, and determine the extent to which improvements can be made related to the breach reporting requirements of the HHS.

As part of that process, GAO reviewed privacy and information security laws; analyzed HHS documentation, policies, and procedures; interviewed cognizant OCR officials; and surveyed HIPAA-regulated entities.

GAO said in its report that OCR has been charged with the development and management of the breach reporting process but has not established a method to allow HIPAA-regulated entities to provide feedback on the breach reporting process. Without such a mechanism, HIPAA-regulated entities could face challenges during the breach reporting process and have no clear way of reporting those issues to OCR. GAO has recommended such a process be established, as this would help OCR to improve aspects of the breach reporting process.

The HHS concurred with the single GAO recommendation and explained that OCR would establish a mechanism for regulated entities to provide feedback on the breach reporting and investigative process. This would be achieved by adding language and contact information to the confirmation emails that HIPAA-regulated entities receive when they report data breaches through the HHS Breach Portal. The HHS said it will also be issuing procedures to OCR’s regional offices that require them to regularly review and address emails received about the breach reporting process.