HIPAA Breach News

700,000 Patients Affected by Yuma Regional Medical Center Ransomware Attack

Yuma Regional Medical Center (YRMC) in Arizona has announced it was the victim of a ransomware attack in April in which the attackers obtained the protected health information of approximately 700,000 current and former patients.

According to the recent YRMC announcement, the attack was detected on April 25, 2022, and affected some of its IT systems. YRMC said immediate action was taken to contain the attack, and systems were taken offline to prevent further unauthorized access. Law enforcement was notified, and a third-party computer forensics firm was engaged to assist with the investigation and determine the nature and scope of the attack. The investigation confirmed that the attackers had access to its systems between April 21 and April 25, 2022, and that, prior to file encryption, a subset of files was exfiltrated from its systems.

YRMC said it is working with security experts to bring its systems back online as quickly as possible. Throughout the attack, its facilities remained open and operated using established backup processes and downtime procedures. This caused some delays to certain services; however, most scheduled services went ahead as planned.

Notification letters have recently been sent to affected individuals. YRMC said the files exfiltrated from its systems included names, Social Security numbers, health insurance information, and limited medical information. YRMC said its electronic medical record system was not accessed. The affected individuals included current and former patients in Yuma County and individuals working in Yuma County on a short-term or seasonal basis.

Steps have been taken to improve security to prevent further attacks and affected individuals have been offered complimentary credit monitoring and identity theft protection services. Ransomware attacks often result in the exposure of stolen data if the ransom is not paid. It is unclear in this case if payment was made. No ransomware threat group appears to have claimed responsibility for the attack.

The post 700,000 Patients Affected by Yuma Regional Medical Center Ransomware Attack appeared first on HIPAA Journal.

Data Breaches Reported by Aesto Health and Motion Picture Industry Health Plan

Aesto Health, a Birmingham, AL-based software company that provides solutions to help healthcare enterprises and medical providers exchange, organize, and protect patient information, has announced it recently experienced a cyberattack that caused disruption to certain internal IT systems.

The security breach was detected on March 8, 2022, and steps were immediately taken to prevent further unauthorized access to its systems. A third-party computer forensics company was engaged to assist with the investigation, which confirmed that an unauthorized individual had access to the affected systems from December 25, 2021, to March 8, 2022.

During that time frame, certain files were exfiltrated from a backup storage device, which included radiology reports from Osceola Medical Center (OMC) in Wisconsin. A review of the affected files confirmed they contained patients’ protected health information, including names, dates of birth, physician names, and report findings related to radiology imaging at OMC. No Social Security numbers or financial information were viewed or stolen, and OMC systems and electronic medical records were unaffected. Aesto Health said additional safeguards and technical security measures have been implemented to further protect and monitor its systems.

The breach has been reported to the HHS’ Office for Civil Rights as affecting 17,400 patients.

Motion Picture Industry Health Plan Informs Members of Unauthorized PHI Disclosure

The Motion Picture Industry Health Plan (MPIHP) has announced that the protected health information of 16,838 plan members has been impermissibly disclosed in a mis-mailing incident. On March 31, 2022, MPIHP discovered an error with a mailing that saw information about plan members sent to incorrect mailing addresses. In each case, a letter intended for one MPIHP member was sent to an incorrect MPIHP member.

No medical information or health claims information was included in the letters, only name, address, hours worked, the last four digits of the individual’s Social Security number, and recent dates of eligibility. Notification letters have now been sent to all affected individuals to the last address provided by those participants. Affected individuals have been offered complimentary identity monitoring services for one year. MPIHP said the exact source of the error has been identified and steps have been taken to prevent any repeat mis-mailing incidents.


Email Account Breaches Reported by Allaire Healthcare Group and Platinum Hospitalists

Allaire Healthcare Group and Platinum Hospitalists have recently announced that an unauthorized individual has gained access to an employee email account and potentially viewed or copied patient data.

PHI Potentially Compromised in Email Account Breach at Allaire Healthcare Group

Freehold, NJ-based Allaire Healthcare Group, which runs five residential healthcare facilities in the tri-state area that provide subacute care, dementia care, and respite care, has discovered an unauthorized individual has gained access to the email account of one of its employees. Suspicious activity was detected in the employee’s email account on November 24, 2021. Prompt action was taken to secure the account and its email system and to prevent further unauthorized access.

The forensic investigation confirmed the breach was limited to a single email account that was accessed by an unauthorized individual between November 10, 2021, and November 24, 2021. A programmatic and manual review of the affected email account was completed on March 18, 2022. The review confirmed the email account contained the protected health information of 13,148 individuals, including first and last names, Social Security numbers, Allaire-issued unique client identifier numbers, driver’s license numbers, passport numbers, financial account numbers, payment card information, information regarding medical histories, treatment/diagnosis information, prescription information, and/or health insurance information.

The forensic investigation found no evidence to suggest any of that information was viewed or downloaded, and no reports have been received of any instances of actual or attempted misuse of the data.

Platinum Hospitalists Discovers Phishing Attack and Data Breach

Platinum Hospitalists has recently started notifying 6,000 patients that some of their protected health information has potentially been compromised. On March 29, 2022, Platinum Hospitalists discovered an email account had been accessed by an unauthorized individual. The investigation confirmed that the employee’s credentials were stolen following a response to a phishing email. The breach was limited to a single email account, with the review of the account confirming it contained individually identifiable protected health information.

Platinum Hospitalists said patient data is encrypted when it is sent externally, including via email, but the nature of the attack meant the information in the account could have been viewed and downloaded in a readable form. The investigation has been unable to confirm the specific information that was compromised, but the following types of information were present in the email account: patient names, dates of birth, dates of service, diagnosis and procedure codes, medical record numbers/patient account numbers, insurance identification numbers, and invoiced amounts. No addresses or Social Security numbers were exposed.

The data mostly related to patients who were insured through Humana and received medical services from Platinum providers at acute hospitals and other medical facilities in the Las Vegas area between approximately October 2018 and March 2022.


2 Million Patients Affected by Shields Health Care Group Cyberattack

The protected health information of up to 2 million individuals has potentially been compromised in a Shields Health Care Group cyberattack. Massachusetts-based Shields Health Care Group provides ambulatory surgical center management and medical imaging services throughout New England. On March 28, 2022, suspicious activity was detected within its network. Immediate action was taken to secure its network and prevent further unauthorized access, and third-party forensics specialists were engaged to assist with the investigation and determine the nature and scope of the security breach.

The forensic investigation determined that an unauthorized actor had access to certain Shields systems between March 7, 2022, and March 21, 2022. Shields said a security alert had been triggered on March 18, 2022, which was investigated, but at the time it did not appear that there had been a data breach. It has since been confirmed that during that period of access, certain data was removed from its systems. Shields said it has not been made aware of any cases of actual or attempted misuse of patient data.

A review of the files that were removed from its systems or may have been accessed by unauthorized individuals confirmed the following types of information were involved: full name, Social Security number, date of birth, home address, provider information, diagnosis, billing information, insurance number and information, medical record number, patient ID, and other medical or treatment information. Shields is continuing to review the affected data and will issue notifications to affected individuals on behalf of all affected facility partners when that review has been completed.

When the attack was discovered, immediate action was taken to secure its network and data, certain systems have now been rebuilt, and additional safeguards have been implemented to better protect patient data. Cybersecurity measures will be reviewed and enhanced moving forward to ensure continued data security.

The HHS’ Office for Civil Rights Breach Portal has the breach listed as affecting 2,000,000 individuals. Shields said those individuals had received services at the following 56 facility partners:

Affected Facility Partners

  • Cape Cod Imaging Services, LLC (a business associate to Falmouth Hospital Association, Inc)
  • Cape Cod PET/CT Services, LLC
  • Cape Cod Radiation Therapy Service, LLC
  • Central Maine Medical Center
  • Emerson Hospital
  • Fall River/New Bedford Regional MRI Limited Partnership
  • Falmouth Hospital Association, Inc.
  • Franklin MRI Center, LLC
  • Lahey Clinic MRI Services, LLC
  • Massachusetts Bay MRI Limited Partnership
  • Mercy Imaging, Inc.
  • MRI/CT of Providence, LLC
  • Newton Wellesley Orthopedic Associates, Inc.
  • Newton-Wellesley Imaging, PC
  • Newton-Wellesley MRI Limited Partnership
  • Northern MASS MRI Services, Inc.
  • NW Imaging Management Company, LLC (a business associate to Newton Wellesley Orthopedic Associates, Inc.)
  • PET-CT Services by Tufts Medical Center and Shields, LLC
  • Radiation Therapy of Southeastern Massachusetts, LLC
  • Radiation Therapy of Winchester, LLC
  • Shields and Sports Medicine Atlantic Imaging Management Co, LLC (a business associate to SportsMedicine Atlantic Orthopaedics P.A.)
  • Shields CT of Brockton, LLC
  • Shields Healthcare of Cambridge, Inc.
  • Shields Imaging at Anna Jaques Hospital, LLC
  • Shields Imaging at University Hospital, LLC
  • Shields Imaging at York Hospital, LLC
  • Shields Imaging Management at Emerson Hospital, LLC (a business associate to Emerson Hospital)
  • Shields Imaging of Eastern Mass, LLC
  • Shields Imaging of Lowell General Hospital, LLC
  • Shields Imaging of North Shore, LLC
  • Shields Imaging of Portsmouth, LLC
  • Shields Imaging with Central Maine Health, LLC (a business associate to Central Maine Medical Center)
  • Shields Management Company, Inc.
  • Shields MRI & Imaging Center of Cape Cod, LLC
  • Shields MRI of Framingham, LLC
  • Shields PET/CT at CMMC, LLC
  • Shields PET_CT at Berkshire Medical Center, LLC
  • Shields PET-CT at Cooley Dickinson Hospital, LLC
  • Shields PET-CT at Emerson Hospital, LLC
  • Shields Radiology Associates, PC
  • Shields Signature Imaging, LLC
  • Shields Sturdy PET-CT, LLC
  • Shields-Tufts Medical Center Imaging Management, LLC (a business associate to Tufts Medical Center, Inc.)
  • South Shore Regional MRI Limited Partnership
  • South Suburban Oncology Center Limited Partnership
  • Southeastern Massachusetts Regional MRI Limited Partnership
  • SportsMedicine Atlantic Orthopaedics P.A.
  • Tufts Medical Center, Inc.
  • UMass Memorial HealthAlliance MRI Center, LLC
  • UMass Memorial MRI – Marlborough, LLC
  • UMass Memorial MRI & Imaging Center, LLC
  • Winchester Hospital / Shields MRI, LLC


Healthcare Ransomware Attacks Increased by 94% in 2021

Ransomware attacks on healthcare organizations increased by 94% year over year, according to the 2022 State of Ransomware Report from cybersecurity firm Sophos. The report is based on a global survey of 5,600 IT professionals and included interviews with 381 healthcare IT professionals from 31 countries. This year’s report focused on the rapidly evolving relationship between ransomware and cyber insurance in healthcare.

66% of surveyed healthcare organizations said they had experienced a ransomware attack in 2021, up from 34% in 2020, and the volume of attacks increased by 69%, the highest of all industry sectors. Healthcare had the second-highest increase (59%) in the impact of ransomware attacks.

According to the report, the number of healthcare organizations that paid the ransom has doubled year over year. In 2021, 61% of healthcare organizations that suffered a ransomware attack paid the ransom, the highest percentage of any industry sector. The global average was 46%, which is almost twice the percentage of the previous year.

Paying the ransom may help healthcare organizations recover from ransomware attacks more quickly, but there is no guarantee that paying the ransom will prevent data loss. On average, after paying the ransom, healthcare organizations were only able to recover 65% of encrypted data, down from 69% in 2020. In 2020, 8% of healthcare organizations recovered all of their data after paying the ransom. That figure fell to just 2% in 2021.

While the healthcare industry had the highest percentage of victims paying the ransom for the decryption keys and to prevent the exposure of sensitive data, healthcare had the lowest average ransom amount of $197,000. The global average across all industry sectors was $812,000. The ransom cost was lower in healthcare, but the overall cost of recovery was second-highest, with the total cost of a ransomware attack $1.85 million, which is considerably higher than the global average of $1.4 million.

Even though there is a high risk of suffering a costly ransomware attack, there are relatively low levels of cyber insurance coverage in healthcare. Across all industry sectors, 83% of organizations had cyber insurance. Only 78% of surveyed healthcare organizations said they had a cyber insurance policy. Many cyber insurance providers stipulate that certain baseline security measures must be implemented in order to take out insurance policies, and the level of maturity of cybersecurity programs can have a big impact on the cost of insurance. 97% of healthcare organizations said they had upgraded their cybersecurity defenses to improve their cyber insurance position.

97% of healthcare organizations that had cyber insurance that covered ransomware attacks said the policy paid out, with 47% saying the entire ransom payment was covered by their cyber insurance provider; however, obtaining cyber insurance to cover ransomware attacks is getting much harder due to the extent to which the healthcare industry is being targeted.


FBI Thwarted ‘Despicable’ Cyberattack on Boston Children’s Hospital

In 2021, Iranian state-sponsored hackers attempted a destructive cyberattack on Boston Children’s Hospital, which the Federal Bureau of Investigation (FBI) was able to successfully block before the hospital’s computer network was damaged. FBI Director Christopher Wray said the attempted cyberattack was “one of the most despicable cyberattacks I have ever seen.”

Speaking at Boston College for the Boston Conference on Cyber Security, Wray said Iranian state-sponsored hackers exploited a vulnerability in a popular software solution made by the Californian cybersecurity vendor Fortinet. The FBI was alerted to the breach and the pending attack by another intelligence agency and notified the hospital on August 3, 2021. Wray said the FBI met with representatives of the hospital and provided information that helped the hospital identify and mitigate the threat.

Wray said this was “a great example of why we deploy in the field the way we do, enabling that kind of immediate, before-catastrophe-strikes response,” and explained that the incident should serve as a reminder to all healthcare organizations to ensure they have an incident response plan that includes the FBI. Wray said this incident highlights the risk of high impact cyberattacks by nation-state threat actors from Russia, China, Iran, and North Korea, and said “We cannot let up on China or Iran or criminal syndicates while we’re focused on Russia.”

In November 2021, the FBI, in conjunction with the Cybersecurity and Infrastructure Security Agency (CISA), the National Cyber Security Centre (NCSC) in the UK, and the Australian Cyber Security Centre (ACSC) issued a security alert warning the healthcare sector and operators of critical infrastructure about an Iranian nation-state Advanced Persistent Threat actor who was known to be exploiting Microsoft Exchange and Fortinet vulnerabilities to steal data, conduct ransomware attacks and extort money from victims.

Wray did not specify what type of attack the threat actor was attempting to conduct, only that a cyberattack could have damaged the network, which could have had a devastating impact on the sick children that depend on it. The cyberattack in question appears to have been conducted through an HVAC vendor.

In August 2021, a threat actor contacted Databreaches.net and shared evidence of a successful attack on an HVAC vendor, claiming that they had breached the HVAC vendor’s systems and also had access to the systems of a children’s hospital. It was confirmed that the HVAC vendor in question was ENE Systems, which provides services to the Harvard-linked hospitals Boston Children’s Hospital, Brigham & Women’s Hospital, and Mass General Hospital.

Boston Children’s Hospital is no stranger to cyberattacks. Back in 2014, the hospital suffered a series of attacks that disrupted its systems for more than a week. The attacks were conducted in retaliation for how the hospital handled the case of patient Justina Pelletier, who was involved in a custody battle. The individual behind that attack was apprehended and convicted and was sentenced to 10 years in jail in 2019.


Data Breaches Reported by Alameda Health System, Aon, and Capsule Pharmacy

Alameda Health System in California, Capsule pharmacy in New York, and Aon PLC in Illinois have recently reported data breaches affecting a total of 56,290 individuals.

Alameda Health System Notifying 90,000 Patients About PHI Breach

Oakland, CA-based Alameda Health System has recently reported a data breach to the Department of Health and Human Services’ Office for Civil Rights that has affected up to 90,000 patients. Limited information has been released so far on the nature of the breach. Alameda Health System said suspicious activity was detected in the email accounts of certain employees with the investigation confirming several employee email accounts had been accessed by an unauthorized third party.

The review of those accounts confirmed they contained the protected health information of patients, although it is currently unclear to what extent patient information has been compromised. Alameda Health System said no evidence has been found that suggests any information in the accounts has been viewed or removed. Notification letters will be sent to affected individuals shortly, and measures will be implemented to improve security and mitigate harm to patients.

Capsule Pharmacy Breach Affects 27,486 Individuals

Capsule, a NY-based digital pharmacy, has started notifying 27,486 individuals that some of their protected health information has been exposed in a recent cyberattack. According to the breach notification sent to the California Attorney General, unauthorized individuals gained access to certain Capsule accounts on April 5, 2022.

The security breach was detected the same day and a password reset was performed on all affected accounts. A third-party digital forensics firm was engaged to assist with the investigation, which confirmed that the following types of information had potentially been compromised: demographic information such as names, email addresses, phone numbers, addresses, birthdates, and sex, health information including medical conditions and prescribed medications, past order histories, insurance information, chat messages to and from Capsule agents, and the last 4 digits of credit card numbers and expiry dates.

Capsule said additional security safeguards are being implemented. While a password reset has been performed on all affected accounts, Capsule has recommended users “set different passwords for your different accounts, use complex passwords or passphrases that are not easy to guess, and not reuse previous passwords,” which suggests the security breach may have been a password spraying attack.

PHI of More Than 28,700 Individuals Potentially Compromised in Aon PLC Cyberattack

Aon PLC, a Chicago, IL-based business associate that provides financial risk-mitigation products, including insurance and health insurance plans, has recently announced that it was the victim of a cyberattack. The security breach was discovered on February 25, 2022, with the forensic investigation confirming an unauthorized third party had gained access to certain Aon systems at various times between December 29, 2020, and February 26, 2022, and that certain documents containing individuals’ protected health information had been removed from its systems.

Aon said it has taken steps to confirm that the removed information is no longer in the possession of the third party, that there are no indications that the removed information has been further copied, retained, or shared, and that there is no reason to suspect that any information has been or will be misused. The affected information was limited to names, Social Security numbers, driver’s license numbers, and, for a limited number of individuals, benefit enrollment information. Aon said the incident was reported to the Federal Bureau of Investigation and other law enforcement authorities, and steps have been taken to further enhance security.


PHI Potentially Compromised in Security Incidents at Allwell Behavioral Health Services and WellDyneRx

Allwell Behavioral Health Services in Zanesville, OH, has announced that a computer system used to store quality assurance information related to the treatment of patients has been accessed by an unauthorized individual. The unauthorized access was detected on March 5, 2022, with the subsequent forensic investigation determining the system was breached on March 2, 2022.

The breach investigation concluded in late April and determined that it was likely that files containing sensitive information had been copied in the attack, although at the time of issuing notifications to affected individuals there had been no reports of any actual or attempted misuse of patient data.

The types of information in the files varied from patient to patient and may have included information such as names, dates of birth, Social Security numbers, phone numbers, treatment activity, treatment provider, treatment date, treatment location, and payer information.

According to the breach summary on the HHS’ Office for Civil Rights website, 29,972 patients have been affected. Complimentary identity theft protection services have been offered to eligible participants for 12 months, and for 24 months for affected patients in CT, DC, RI, or MA. Allwell Behavioral Health Services said its information technology and computer systems have been upgraded to improve security and prevent further unauthorized access.

Email Account Breach Reported by WellDyneRx

The pharmacy benefit manager, WellDyneRx, has recently started notifying 5,122 individuals that an unauthorized individual has gained access to a company email account that contained sensitive patient information. Suspicious activity was detected in the email account on December 2, 2021, and immediate action was taken to secure the account. The third-party forensic investigation confirmed the account had been accessed by an unauthorized individual between October 30, 2021, and November 11, 2021.

Evidence of data theft was not found, but the possibility of unauthorized access to ePHI could not be ruled out. The review of the email account confirmed the following types of information had potentially been compromised: names, birthdates, Social Security numbers, driver’s license numbers, treatment information, health insurance information, contact information, prescription information, and other medical/health information. Steps have been taken to improve security to prevent similar attacks in the future.


Email Accounts Compromised at BJC HealthCare & Cooper University Health Care

BJC HealthCare, a non-profit healthcare organization based in St. Louis, MO, has started notifying certain patients that some of their protected health information was stored in email accounts that were accessed by an unauthorized individual.

The investigation confirmed that a small number of email accounts of physicians and general practitioners had been accessed between March 4 and March 28, 2022. The forensic investigation did not determine whether emails and attachments had been viewed or copied, but unauthorized data access and theft could not be ruled out.

A comprehensive review of the email accounts confirmed they contained names, dates of birth, medical record numbers, and clinical information such as performance dates, diagnoses, provider names, and/or treatment locations. A limited number of patients also had their health insurance information, driver’s license numbers, and/or Social Security numbers exposed.

Individuals who had either their driver’s license number or Social Security number exposed can take advantage of the complimentary credit monitoring and identity theft protection services that have been offered.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Email Incident Reported by Cooper University Health Care

Camden, NJ-based Cooper University Health Care announced on May 25, 2022, that the email account of an employee was accessed by an unauthorized individual on November 24, 2021. The security incident was detected on December 13, 2021, and the investigation concluded on May 10, 2022.

The email account contained information such as names, dates of birth, medical professional names, diagnosis and treatment information, billing and claims information, and medical record numbers. No evidence of actual or attempted misuse of patient data has been identified at the time of issuing notification letters.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.
