HIPAA Breach News

5 Security Breaches Reported in Which PHI was Potentially Compromised

Patient Information Potentially Compromised in Atrium Health Phishing Attack

A phishing incident has been reported by Charlotte, NC-based Atrium Health that exposed the protected health information of 6,695 patients who used its home health service, Atrium Health at Home. On April 7, 2022, an employee responded to a phishing email and disclosed credentials for an email and messaging account. The breach was detected on April 8 and the unauthorized access was immediately blocked.

Between April 7 and April 8, the unauthorized third party used the account to send other phishing emails, which suggests that obtaining patient information stored in the account was not the aim of the attack, although it was not possible to determine if any patient information was viewed or obtained.

A review of the emails, messages and attachments in the account revealed they contained patients’ full names, home addresses, birth dates, health insurance information, and medical information (such as medical record number, dates of service, provider and facility and/or diagnosis and treatment information). A limited number of individuals also had their Social Security numbers, driver’s license/state ID numbers, and/or financial account information exposed. Atrium Health said there have been no reported cases of misuse of patient data.

Affected individuals have been notified and complimentary credit monitoring and identity theft protection services have been offered to individuals who had either their Social Security number, driver’s license number, or financial account information exposed. Security controls have been enhanced and Atrium Health said it will continue to provide regular phishing training to the workforce.

Patient Data Stolen in Ransomware Attack on Heartland Healthcare Services

Heartland Healthcare Services in Toledo, OH, has confirmed that files containing patient data were exfiltrated from its network in an April 2022 ransomware attack. The attack was detected on April 11 when the staff was prevented from accessing files on the network.

Heartland Healthcare Services said a ransom demand was issued, but after consulting the Federal Bureau of Investigation, the decision was taken not to pay the ransom demand. Some of the data stolen in the attack has since been uploaded to the ransomware gang’s dark web data leak site.

An analysis of the affected files confirmed they contained the protected health information of 2,763 patients who had received medications through Heartland Healthcare Services, including Heartland Pharmacy of Pennsylvania, Heartland Pharmacy of Maryland, or Heartland Pharmacy of Illinois. The stolen data included names, addresses, telephone numbers, medication names, and other medication-related information.

Heartland Healthcare Services said it has strengthened its security measures to prevent similar attacks in the future.

Acorda Therapeutics Reports Breach of its Email Environment

The Ardsley, NY-based biotechnology company, Acorda Therapeutics, has discovered an unauthorized third party gained access to its email environment and potentially viewed emails and attachments containing patient data. The email account breach was detected in January 2022, and the forensic investigation confirmed that certain email accounts had been compromised on or around December 15, 2021.

The review of the affected email accounts was completed on April 27, 2022, then Acorda Therapeutics verified the contact information of affected patients, and notification letters were sent to affected individuals in May and June 2022. The types of information potentially accessed included names in combination with one or more of the following: date of birth, medical record number, diagnosis information, treatment information, clinical information, prescription information, Social Security number, financial account information, insurance provider, and/or treatment cost information.

Acorda Therapeutics said steps have been taken to improve email security to prevent similar breaches in the future. The incident has yet to appear on the HHS’ Office for Civil Rights website, so it is unclear how many individuals have been affected.

PHI of 6,200 TridentCare Patients Potentially Accessed in Break-in

The Maryland-based mobile clinical services provider, TridentCare, announced on June 16, 2022, that the personal and protected health information of clients and their guarantors may have been accessed by unauthorized individuals during a break-in at its facilities. The data was stored on physical hard drives in the facility. Third-party cybersecurity experts were engaged to assess whether patient data had been accessed and concluded that there was “a significant possibility that data on the hard drives would have been corrupted,” which would have rendered the data unreadable. If that had not happened, in order to read the data, individuals would have had to have “certain technical capabilities.”

A review of the hard drives confirmed they contained the protected health information of 6,200 individuals. For most individuals, the data on the hard drives consisted of names and dates of birth, and for some individuals, name, date of birth, and Social Security number. Other potentially sensitive information such as financial records or details relating to medical tests is not believed to have been compromised.

Avamere Health Services Says PHI Stolen in Hacking Incident

Wilsonville, OR-based Avamere Health Services has discovered an unauthorized third party had intermittently accessed its network between January 19, 2022, and March 17, 2022. The forensic investigation confirmed on May 18, 2022, that certain files and folders had been copied from its systems during that period, and some of those files contained patients’ protected health information.

Avamere Health Services has not publicly announced the types of information compromised in the breach, and that information has been redacted from the breach notice submitted to the Vermont Attorney General. Avamere Health Services has said that affected individuals have now been notified by mail and informed about the types of information that was exposed. Complimentary credit monitoring and identity theft protection and resolution services have been offered.

The incident has yet to appear on the HHS’ Office for Civil Rights website, so it is unclear how many individuals have been affected.

The post 5 Security Breaches Reported in Which PHI was Potentially Compromised appeared first on HIPAA Journal.

University of Pittsburgh Medical Center Settles Data Breach Lawsuit for $450,000

University of Pittsburgh Medical Center has agreed to settle a class action data breach lawsuit and will make $450,000 available to cover claims from individuals who have suffered losses due to the theft and misuse of their protected health information.

The data breach affected approximately 36,000 patients and saw their protected health information accessed and stolen by an unauthorized third party between April 2020 and June 2020. The breach occurred at UPMC’s legal counsel, Charles J. Hilton PC (CJH), which provided billing-related services. The compromised data was stored within the firm’s email environment and included names, birth dates, Social Security numbers, financial information, ID numbers, signatures, insurance information, and medical information. The data breach was detected in June 2020; however, notifications were not sent to affected individuals until December 2020.

While many speculative lawsuits are filed against healthcare organizations and their business associates over the exposure of patient data, in this case, the plaintiff was defrauded soon after the breach, which was, on the balance of probability, due to his information being stolen in the data breach at CJH. An Amazon credit card account had been opened in his name. The plaintiff claimed he had to spend a considerable amount of time addressing the misuse of his personal and protected health information. The lawsuit alleged UPMC and CJH failed in their duty to protect patient data and had not implemented reasonable and appropriate safeguards to protect their private data.

Neither UPMC nor CJH admitted any wrongdoing or liability but agreed to settle the lawsuit. Under the terms of the settlement, class members are entitled to make a claim for a $250 cash payment as reimbursement for documented out-of-pocket expenses related to the data breach and may submit claims for up to $2,500 to recover fraudulent charges and costs related to identity theft, plus $30 for undocumented time spent dealing with the breach. Twelve months of complimentary credit monitoring, identity theft protection, and dark web monitoring services will also be provided to class members. Claims must be submitted no later than September 3, 2022.

Last year, UPMC settled a long-running lawsuit for $2.65 million. The lawsuit was filed on behalf of 27,000 employees affected by a February 2014 data breach.


5 HIPAA-Regulated Entities Announced Hacking Incidents that Exposed PHI

PHI of Almost 69,000 Individuals Compromised in Hacking Incident at Comstar

Comstar, a Rowley, MA-based provider of ambulance billing, collection, ePCR hosting, and client/patient services, has discovered an unauthorized third party gained access to some of its servers, which housed files that contained individuals’ personally identifiable and protected health information. Some of those files were confirmed as having been viewed.

The substitute breach notice did not state when the breach occurred, but it was detected on or around March 26, 2022. A review of the affected files confirmed they contained information such as names, dates of birth, medical assessment and medication information, health insurance information, and Social Security numbers. Comstar said it already had strict security measures in place, a review has been conducted of its policies and procedures relating to data security, and measures will be taken to further protect against similar incidents in the future. No evidence of data theft or misuse of individuals’ information was identified; however, as a precaution, complimentary credit monitoring and identity theft protection services are being offered.

The breach was reported to the HHS’ Office for Civil Rights as affecting 68,957 individuals.

DialAmerica Marketing Data Breach Affects Almost 20,000 Individuals

The New Jersey HIPAA business associate, DialAmerica Marketing, which provides telemarketing services for almost a quarter of the leading health plan providers in the United States, has confirmed it was the victim of a hacking incident that saw unauthorized individuals gain access to its network on July 4, 2021. The forensic investigation of the security breach determined that its network was compromised between February 2, 2021, and July 9, 2021, and during that time period, the protected health information of individuals may have been viewed or stolen. The review of the affected files was completed on February 4, 2022, and confirmed that names, addresses, and other (unspecified) data may have been compromised.

The breach was reported to the HHS’ Office for Civil Rights as affecting 19,796 individuals.

Express Scripts’ Customer Accounts Accessed by Unauthorized Third Party

The pharmacy benefit management organization, Express Scripts, has announced that the accounts of certain customers have been accessed by an unauthorized third party. In a breach notification to the Massachusetts Attorney General, Express Scripts explained that certain Express Scripts mobile application accounts were accessed without authorization using a correct username and password.

The suspicious activity was detected on May 1, 2022, with the account breaches determined to have occurred between April 30 and May 3, 2022. Information in the accounts that may have been viewed included names, medication names, prescription numbers, medication dosage, prescribing physicians’ names, and the names of pharmacies.

When the security breach was detected, affected accounts were locked and passwords were reset. Incidents such as this are commonly the result of password spraying – the use of breached usernames and passwords to access totally unrelated accounts. These attacks are made possible due to password reuse on multiple platforms. Express Scripts has recommended that affected individuals change their passwords on all other accounts that share the same password.

It is currently unclear how many individuals have been affected.

Alliance Physical Therapy Partners Announces Hacking Incident

Grand Rapids Charter Township, MI-based Alliance Physical Therapy Partners, formerly Agility Health, has confirmed that an unauthorized third party accessed certain systems within its network that contained patients’ protected health information. The breach was detected on December 27, 2021, and it was determined on January 7, 2022, that patient data had been compromised. The unauthorized access occurred between December 23, 2021 and December 27, 2021. A comprehensive review of all potentially affected files was completed on April 19, 2022.

Alliance Physical Therapy Partners said policies and procedures have been reviewed and additional cybersecurity safeguards have been implemented.

The breach has yet to appear on the HHS’ Office for Civil Rights website, so it is currently unclear how many patients have been affected.

Hacking Incident Reported by 90 Degree Benefits Minnesota

90 Degree Benefits Minnesota has announced it suffered a data security incident on February 27, 2022, which affected some of its IT systems. 90 Degree said the forensic investigation was unable to confirm whether personal information was viewed or acquired and there have been no reports of attempted or actual misuse of personal information; however, unauthorized access and data theft could not be ruled out.

The review of the affected files confirmed they contained names, dates of birth, Social Security numbers, phone numbers, addresses, and health information. 90 Degree said security measures have been enhanced to prevent similar incidents in the future. Affected individuals were notified on June 9, 2022, and have been offered complimentary credit monitoring and identity theft protection services.

The breach has yet to appear on the HHS’ Office for Civil Rights website, so it is currently unclear how many patients have been affected.


May 2022 Healthcare Data Breach Report

May 2022 saw a 25% increase in healthcare data breaches of 500 or more records. 70 data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) in May 2022, which is the highest monthly total this year and well above the 12-month average of 56.75 data breaches per month. This level of reported data breaches has not been seen since June 2021.

May 2022 Healthcare Data Breaches

Across those data breaches, the records of 4,410,538 individuals were exposed, stolen, or impermissibly disclosed, which is more than twice the number of records that were breached in April, and almost 40% higher than the average number of records breached each month over the past 12 months.

Breached healthcare records in the past 12 months (May 2022)

Largest Healthcare Data Breaches Reported in May 2022

In May 2022, there were 31 reports of healthcare data breaches that involved the records of more than 10,000 individuals. The largest breach to be reported affected the HIPAA business associate, Shields Health Care Group, which provides MRI and other imaging services in New England. The exact nature of the attack was not disclosed, but Shields said hackers accessed its network and exfiltrated files containing patient data. The breach affected 2 million patients who received medical services at 52 facilities in New England.

Partnership HealthPlan of California also reported a major data breach, in this case, a ransomware attack. Hackers gained access to systems containing the records of 854,913 current and former health plan members. The Hive ransomware gang claimed responsibility for the attack and allegedly stole 400GB of data.

The number of eye care providers affected by a hacking incident at the electronic health record vendor Eye Care Leaders continued to grow throughout May (and June). While they are not all reflected in the May data, as of June 21, at least 23 eye care providers are known to have been affected, and the data breach has affected at least 2,187,383 patients.

Data Breaches of over 10,000 Records Reported in May 2022

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Business Associate Breach | Cause of Data Breach |
|---|---|---|---|---|---|---|
| Shields Health Care Group, Inc. | MA | Business Associate | 2,000,000 | Hacking/IT Incident | Yes | Hacking and data theft incident |
| Partnership HealthPlan of California | CA | Health Plan | 854,913 | Hacking/IT Incident | No | Ransomware attack |
| SAC Health System | CA | Healthcare Provider | 149,940 | Theft | No | Theft of documents in break-in at storage facility |
| Aon PLC | IL | Business Associate | 119,636 | Hacking/IT Incident | Yes | Hacking and data theft incident |
| Parker-Hannifin Corporation Group Health Plans | OH | Health Plan | 119,513 | Hacking/IT Incident | No | Hacking and data theft incident |
| Heidell, Pittoni, Murphy & Bach, LLP | NY | Business Associate | 114,979 | Hacking/IT Incident | Yes | Ransomware attack |
| Schneck Medical Center | IN | Healthcare Provider | 92,311 | Hacking/IT Incident | No | Hacking and data theft incident |
| Alameda Health System | CA | Healthcare Provider | 90,000 | Hacking/IT Incident | No | Unauthorized access to email accounts |
| Val Verde Regional Medical Center | TX | Healthcare Provider | 86,562 | Hacking/IT Incident | No | Ransomware attack |
| NuLife Med, LLC | NH | Healthcare Provider | 81,244 | Hacking/IT Incident | No | Hacking and data theft incident |
| Comstar, LLC | MA | Business Associate | 68,957 | Hacking/IT Incident | Yes | Unspecified hacking incident |
| Shoreline Eye Group | CT | Healthcare Provider | 57,047 | Hacking/IT Incident | Yes | Eye Care Leaders hacking incident |
| AU Health | GA | Healthcare Provider | 50,631 | Hacking/IT Incident | Yes | Eye Care Leaders hacking incident |
| Finkelstein Eye Associates | IL | Healthcare Provider | 48,587 | Hacking/IT Incident | Yes | Eye Care Leaders hacking incident |
| Oklahoma City Indian Clinic | OK | Healthcare Provider | 38,239 | Hacking/IT Incident | No | Ransomware attack |
| Moyes Eye Center, PC | MO | Healthcare Provider | 38,000 | Hacking/IT Incident | Yes | Eye Care Leaders hacking incident |
| Family Health Care, Inc | KS | Healthcare Provider | 33,619 | Hacking/IT Incident | No | Unspecified hacking incident |
| Allwell Behavioral Health Services | OH | Healthcare Provider | 29,972 | Hacking/IT Incident | No | Hacking and data theft incident |
| Creative Hospice Care, Inc. dba Homestead Hospice & Palliative Care | GA | Healthcare Provider | 28,332 | Hacking/IT Incident | No | Unauthorized access to email accounts |
| FPS Medical Center | AZ | Healthcare Provider | 28,024 | Hacking/IT Incident | No | Ransomware attack |
| Capsule | NY | Healthcare Provider | 27,486 | Hacking/IT Incident | No | Unauthorized access to user accounts |
| McKenzie Health System | MI | Healthcare Provider | 25,318 | Hacking/IT Incident | No | Hacking and data theft incident |
| Sylvester Eye Care | OK | Healthcare Provider | 19,377 | Hacking/IT Incident | Yes | Eye Care Leaders hacking incident |
| Aesto, LLC d/b/a Aesto Health | AL | Business Associate | 17,400 | Hacking/IT Incident | Yes | Hacking and data theft incident |
| Vail Health Services | CO | Healthcare Provider | 17,039 | Hacking/IT Incident | No | Ransomware attack |
| Motion Picture Industry Health Plan | CA | Health Plan | 16,838 | Unauthorized Access/Disclosure | No | Mismailing incident |
| Bryan County Ambulance Authority | OK | Healthcare Provider | 14,273 | Hacking/IT Incident | No | Ransomware attack |
| Associated Ophthalmologists of Kansas City, P.C. | MO | Healthcare Provider | 13,461 | Hacking/IT Incident | No | Eye Care Leaders hacking incident |
| Allaire Healthcare Group | NJ | Healthcare Provider | 13,148 | Hacking/IT Incident | No | Unauthorized access to user accounts |
| EmblemHealth Plan, Inc. | NY | Health Plan | 11,399 | Unauthorized Access/Disclosure | No | Unconfirmed |
| Behavioral Health Partners of Metrowest, LLC | MA | Business Associate | 11,288 | Hacking/IT Incident | Yes | Hacking and data theft incident |

Causes of May 2022 Healthcare Data Breaches

Hacking incidents continue to be reported in high numbers in May, with 53 (75.7%) of the month’s data breaches classed as hacking or other IT incidents. That represents a 77% increase in incidents compared to April. Those incidents accounted for 95.5% of the records breached in May (4,212,721 records), which is more than twice the number of records exposed in hacking incidents in April. The average breach size was 79,485 records and the median breach size was 13,148 records.

There were 13 unauthorized access/disclosure incidents reported in May – a slight increase from April. Across those incidents, 43,807 records were impermissibly disclosed. The average breach size was 3,370 records and the median breach size was 1,196 records.

There were three theft incidents reported and one incident involving the loss of paper/films. These breaches involved a total of 154,010 records, with an average breach size of 35,503 records and a median breach size of 1,771 records.

Causes of May 2022 Healthcare Data Breaches

With so many hacking incidents, it is unsurprising that 31 of the month’s data breaches involved protected health information stored on network servers. The high number of breaches of electronic health records was due to the cyberattack on Eye Care Leaders. As the chart below shows, email account breaches were reported in high numbers in May, 70% more incidents than in April. While security awareness training for the workforce and multi-factor authentication will not prevent all email data breaches, they can significantly improve protection.

HIPAA-Regulated Entities Affected by Data Breaches

Healthcare providers were the hardest hit HIPAA-covered entity type in May, with 49 reported breaches. There were 11 data breaches reported by health plans, and business associates of HIPAA-covered entities reported 10 breaches; however, 8 data breaches occurred at business associates but were reported by the covered entity. The data breaches detailed in the chart below reflect where the data breach occurred.

May 2022 Healthcare data breaches by HIPAA regulated entity

Healthcare providers suffered the highest number of data breaches, but business associates topped the list in terms of the number of exposed healthcare records.

| HIPAA-Regulated Entity | Number of Reported Data Breaches | Total Records Exposed |
|---|---|---|
| Business Associate | 18 | 2,554,789 |
| Health Plan | 10 | 1,014,150 |
| Healthcare Provider | 42 | 841,599 |

May 2022 Healthcare Data Breaches by State

Data breaches of 500 or more healthcare records were reported by HIPAA-regulated entities in 29 states. California was the worst affected state with 8 large healthcare data breaches reported, followed by New York with 6 reported breaches.

| State | No. Reported Data Breaches |
|---|---|
| California | 8 |
| New York | 6 |
| Georgia, Missouri & Ohio | 4 |
| Alabama, Illinois, Massachusetts, North Carolina, Oklahoma & Texas | 3 |
| Arizona, Connecticut, Florida, Maryland, Michigan, New Hampshire, Virginia & Washington | 2 |
| Colorado, Indiana, Kansas, Minnesota, Mississippi, Montana, New Jersey, Nevada, Tennessee & Wisconsin | 1 |

HIPAA Enforcement Activity in May 2022

No HIPAA enforcement actions were announced by the HHS’ Office for Civil Rights or state Attorneys General in May. So far this year, 4 financial penalties totaling $170,000 have been imposed by OCR to resolve HIPAA violations.


Central Florida Inpatient Medicine Security Incident Affects Almost 198,000 Patients

Lake Mary, FL-based Central Florida Inpatient Medicine (CFIM) has recently discovered that the email account of an employee has been accessed by an unauthorized individual, who may have viewed emails and files containing patients’ protected health information.

The substitute breach notice states that CFIM learned that the email account contained sensitive patient data on May 5, 2022; however, the email account was breached between August 21, 2021, and September 17, 2021. The delay in issuing notifications to affected individuals was due to “an extensive forensic investigation and comprehensive and time-consuming manual document review.”

The review revealed the emails and attachments included information such as names, dates of birth, medical information including diagnosis and/or clinical treatment information, physician and/or hospital name, dates of service, and health insurance information. A limited number of Social Security numbers, driver’s license numbers, financial account information, and usernames and passwords were also exposed. CFIM said no evidence was found to indicate any patient data has been misused.

Affected individuals have been advised to monitor their accounts and explanation of benefits statements for any sign of fraudulent activity. Complimentary credit monitoring services have been offered to individuals who had Social Security numbers exposed.

CFIM said further technical safeguards have been implemented to prevent similar incidents in the future, including multifactor authentication, and additional training has been provided to employees to increase awareness of the risks of malicious emails.

Yale New Haven Hospital Says Patient Data Exposed over the Internet

Yale New Haven Hospital in Connecticut has announced that a file that was created for research purposes has been accidentally posted online on a public-facing website and was potentially accessed by a limited number of unauthorized individuals. The exposed file was detected by the hospital on April 18, 2022, and was immediately removed to prevent any further unauthorized access. Yale New Haven Hospital has confirmed that the file is no longer accessible over the Internet.

A third-party forensics firm was engaged to assist with the investigation and determined that the file had been uploaded on December 16, 2021, and remained accessible until April 18, 2022. The upload was not malicious and occurred as a result of human error.

The file related to radiology services provided, and included protected health information such as names, telephone numbers, email addresses, age ranges, preferred languages, medical record numbers, procedure types, and dates and location of services.

A spokesperson for Yale New Haven Hospital said the incident prompted a review of security permissions for Internet-facing systems, and further training and guidance have been provided to employees to remind them of the continued need to safeguard patient health information. Existing technical safeguards have also been enhanced to better protect patient data.

Yale New Haven Hospital did not disclose how many individuals have been affected and the breach is not yet shown on the HHS’ Office for Civil Rights website.


Texas Tech University Health Sciences Center and Baptist Health Report Data Breaches of Over 1.2 Million Records

Texas Tech University Health Sciences Center has confirmed that the protected health information of 1,290,104 patients was compromised in a data breach at its electronic medical record vendor, Eye Care Leaders.

Eye Care Leaders said it detected a breach on Dec. 4, 2021, and disabled the affected systems within 24 hours. Texas Tech University Health Sciences Center said it received the final results of the forensic investigation on April 19, 2022. The compromised information included the following data elements: name, address, phone numbers, driver’s license number, email, gender, date of birth, medical record number, health insurance information, appointment information, social security number, as well as medical information related to ophthalmology services. No evidence of data exfiltration was found.

Over the past few weeks, the number of eye care providers known to have been affected by the Eye Care Leaders data breach has been growing. At least 23 eye care providers have confirmed they have been affected and the protected health information of more than 2 million patients is known to have been exposed.

Baptist Health Says Information of 1.24 Million Patients Potentially Compromised in Cyberattack

Baptist Health has recently started notifying patients about a cyberattack that was discovered on April 20, 2022, that may have seen malicious code installed on its network. According to the announcement, an unauthorized individual had access to certain Baptist Health systems between March 31 and April 24, 2022. During that period of access, some data was removed from its systems.

Upon discovery of the breach, user access was suspended, the affected systems were taken offline to prevent further unauthorized access, and cybersecurity protection protocols were implemented. The parts of the system that were accessed included the data of patients of Baptist Medical Center in San Antonio and Resolute Health Hospital in New Braunfels in Texas, and included names, dates of birth, addresses, Social Security numbers, health insurance information, medical record numbers, dates of service, provider and facility names, chief complaint/reason for a visit, visit procedures and diagnosis information, and billing and claims information.

Baptist Health said it is improving its security and monitoring capabilities to reduce the risk of further data breaches. Affected individuals have now been notified and individuals whose Social Security numbers were potentially compromised have been offered complimentary credit monitoring and identity protection services.

The breach has been reported to the HHS’ Office for Civil Rights as affecting 1,243,031 individuals.

Santa Barbara County Department of Behavioral Wellness Reports Medical Record Breach

Santa Barbara County Department of Behavioral Wellness in California has recently confirmed that a staff member has accessed the medical records of patients without authorization. The unauthorized access was detected on March 30, 2022, when the department implemented a new security system for detecting unauthorized medical record access, which immediately flagged the HIPAA breach.

The employee’s access to the medical record system was immediately terminated pending an investigation, and the employee in question was subjected to appropriate disciplinary actions. The records accessed by the employee included names, addresses, email addresses, telephone numbers, Social Security numbers, insurance information, medical record numbers, and medical information. No evidence was found to indicate any patient information had been printed, sent externally, or written down. The department said it will be conducting additional security audits in the future and will be updating client outreach procedures to prevent any recurrences.

Notification letters have now been sent to all affected individuals. The breach is not currently listed on the HHS’ Office for Civil Rights website, so it is unclear how many people have been affected.


Data Theft Incidents Reported at Choice Health, MCG Health, & Goodman Campbell Brain and Spine

The South Carolina-based health insurance company, Choice Health, now part of Alight Solutions, has recently announced that the protected health information of some of its members has been obtained by an unauthorized individual.

Choice Health discovered on May 14, 2022, that an individual was offering a set of data that had allegedly been stolen from Choice Health. An investigation into a potential breach confirmed on May 18, 2022, that a single Choice Health database had been exposed over the Internet due to “a technical security configuration issue caused by a third-party service provider.” That issue meant the database could be accessed over the internet without authorization.

Choice Health determined that the database had been found and certain database files had been copied by an unauthorized individual on May 7, 2022. According to the notice submitted to the California Attorney General, the files contained information such as first and last names, Social Security numbers, Medicare beneficiary identification numbers, birth dates, addresses and contact information, and health insurance information.

Choice Health said it worked with the third-party service provider to secure the database and confirmed that it was no longer accessible over the Internet. Steps have also been taken to prevent similar incidents in the future, including implementing multi-factor authentication for access to its database files.

Choice Health said it has not identified any misuse of plan member data but has sent notifications to affected individuals and has offered them a 24-month membership to a credit monitoring and identity theft protection and resolution service.

At this stage, it is unclear how many individuals have been affected. Databreaches.net reported that the forum listing offering the data said 600MB of data had been obtained, spread across 2,141,006 files, which were described as having names such as “Agents, Commission, Contacts, Policies.”

MCG Health Announces Data Theft Incident

MCG Health in Seattle, WA, a provider of patient care guidelines to healthcare providers and health plans, started notifying patients and members of MCG customers that an unauthorized party has obtained some of their protected health information. According to the breach notice on the MCG website, MCG determined on May 25, 2022, that an unauthorized individual had obtained data that matched data on its systems, including names, Social Security numbers, medical codes, postal addresses, telephone numbers, email addresses, dates of birth, and gender.

MCG Health has advised affected individuals to review their account statements and monitor their free credit reports for signs of misuse of their information. It does not appear that credit monitoring or identity theft protection services are being offered.

The breach notice does not explain the nature of the attack, how much data was stolen, how MCG Health learned that data had been stolen, or when the data theft incident occurred. This post will be updated when further information becomes available.

Goodman Campbell Brain and Spine Suffers Ransomware Attack

Goodman Campbell Brain and Spine in Indianapolis, IN, has recently announced that it suffered a cyberattack on May 20, 2022, which caused an outage of its computer network and communication systems. Goodman Campbell said steps were immediately taken to secure its systems and a third-party firm was engaged to assist with the investigation and incident response.

At this stage of the investigation, the full nature of the attack and the extent to which patients’ protected health information has been compromised have not been determined; however, so far it is clear that patient and employee data was accessed by an unauthorized individual. Notification letters will be sent to affected individuals when the investigation has been completed and it is clear which individuals have been affected and the types of data that were compromised. In the meantime, Goodman Campbell has recommended all patients monitor their credit reports, obtain a fraud alert, and place a security freeze on their credit as a precaution.

The exact nature of the cyberattack was not revealed by Goodman Campbell; however, the Hive ransomware gang has claimed responsibility for the attack and has listed some of the stolen data on its leak site.

The post Data Theft Incidents Reported at Choice Health, MCG Health, & Goodman Campbell Brain and Spine appeared first on HIPAA Journal.

Kaiser Permanente Reports Email System Breach and Exposure of 70,000 Individuals’ PHI

Kaiser Permanente, one of the largest nonprofit health plan and healthcare providers in the United States, has reported a breach of its email system. Kaiser Permanente provides healthcare services to more than 12.5 million patients in 8 states and D.C. but said this breach only affected around 70,000 members of the Kaiser Foundation Health Plan of Washington.

Kaiser Permanente said it was alerted to a security incident involving its email system on April 5, 2022. The email account of an employee was confirmed as having been accessed by an unauthorized party, and immediate action was taken to secure the account to prevent further unauthorized access. Kaiser Permanente said the account was shut down and secured within hours.

An investigation was launched to determine the nature and scope of the security breach and it was confirmed that the incident was limited to a single account; however, that account contained emails and attachments that included the protected health information of certain health plan members. The types of information exposed in the breach included patients’ first and last names, medical record numbers, dates of service, and laboratory test result information. No financial information or Social Security numbers were exposed.

No evidence was found that suggests any plan member information was accessed or removed from its systems, although unauthorized PHI access and data theft could not be ruled out. To date, no reports have been received about any actual or attempted misuse of individuals’ ePHI.

Notifications were sent to affected individuals on June 3, 2022, who have been advised to be vigilant for potential fraud. Kaiser Permanente said the employee whose credentials were compromised has been provided with additional training on safe email practices, and it is exploring other steps that can be taken to ensure incidents like this do not happen in the future.

The breach is listed on the HHS’ Office for Civil Rights breach portal as affecting 69,589 individuals.

The post Kaiser Permanente Reports Email System Breach and Exposure of 70,000 Individuals’ PHI appeared first on HIPAA Journal.