HIPAA Breach News

New York Judge Dismisses Class Action PACS Data Breach Lawsuit for Lack of Standing

Posted by HIPAA Journal

A class action lawsuit filed against NorthEast Radiology PC and Alliance HealthCare Services over a data breach that exposed the protected health information of more than 1.2 million individuals has been dismissed by a New York Federal Judge for lack of standing.

The lawsuit was filed in July 2021 on behalf of plaintiffs Jose Aponte II and Lisa Rosenberg, whose protected health information was exposed as a result of a misconfiguration of the companies’ Picture Archiving Communication System (PACS), which contained medical images and associated patient data. In late 2019, security researchers identified the exposed data and notified the affected companies, which included Northeast Radiology and its vendor, Alliance HealthCare Services.

According to the lawsuit, more than 61 million medical images were exposed along with the sensitive data of 1.2 million patients. Northeast Radiology reported the breach to the HHS’ Office for Civil Rights as affecting 298,532 individuals. The lawsuit alleged the defendants had implemented inadequate security safeguards to ensure the privacy of patient data, which allowed medical images and other protected health information to be accessed by unauthorized individuals between April 14, 2019, and January 7, 2020. The plaintiffs alleged that they face an ongoing and imminent risk of identity theft and fraud, as there is no way to cancel protected health information. They claim they now need to continuously monitor their accounts and use credit and identity theft monitoring services, and expend additional time and effort to prevent and mitigate against potential future losses.

It is now common for lawsuits to be filed against healthcare organizations following data breaches, but the lawsuits often do not succeed due to the failure to provide evidence that harm as a result of the exposure or theft of personal data, as was the case here. Judge Vincent L. Bricetti, Federal Judge for the Southern District of New York, dismissed the lawsuit as the plaintiffs failed to allege a cognizable injury. The judge ruled that the mere exposure of sensitive data did not establish the plaintiffs had been harmed by the incident, and that the risk of future harm from the exposure of their sensitive data was too speculative to establish standing.

While the data breach was reported to the HHS’ Office for Rights as affecting up to 298,532 individuals, NorthEast Radiology was only able to confirm that the data of 29 patients had definitely been subjected to unauthorized access, and the two plaintiffs named in the lawsuit were not part of that small group.

Judge Bricetti referred to the decision of the Second Circuit Court’s decision in McMorris v. Carlos Lopez & Associates, LLC, which established a three-factor test for determining whether allegations of an injury from a data breach gave rise to a cognizable Article III injury-in-fact:

“(1) whether the plaintiffs’ data has been exposed as the result of a targeted attempt to obtain that data; (2) whether any portion of the dataset has already been misused, even if the plaintiffs themselves have not yet experienced identity theft or fraud; and (3) whether the type of data that has been exposed is sensitive such that there is a high risk of identity theft or fraud.”

Judge Bricetti rejected all of the plaintiffs’ claims for negligence, negligence per se, breach of contract, breach of implied contract, violations of New York General Business Law Section 349, and intrusion upon seclusion.

The post New York Judge Dismisses Class Action PACS Data Breach Lawsuit for Lack of Standing appeared first on HIPAA Journal.

Former IT Consultant Charged with Intentionally Causing Damage to Healthcare Company’s Server

Posted by HIPAA Journal

An information technology consultant who worked as a contractor at a suburban healthcare company in Chicago has been charged with illegally accessing the company’s network and intentionally causing damage to a protected computer.

Aaron Lockner, 35, of Downers Grove, IL, worked for an IT company that had a contract with a healthcare company to provide security and technology services. Lockner was provided with access to the network of the healthcare provider’s clinic in Oak Lawn, IL, to perform the contracted IT services.

In February 2018, Lockner applied for an employment position with the healthcare provider, but his application was denied. Lockner was then terminated from the IT firm in March 2018. A month later, on or around April 16, 2018, Lockner is alleged to have remotely accessed the computer network of the healthcare company without authorization. According to the indictment, Lockner knowingly caused the transmission of a program, information, code, and command, and as a result of his actions, intentionally caused damage to a protected computer. The computer intrusion impaired medical examinations, treatment, and the care of multiple individuals.

Locker has been indicted on one count of intentionally causing damage to a protected computer. The arraignment has been scheduled for May 31, 0222 in the U.S. District Court in the Northern District of Illinois, Eastern Division. If convicted, Lockner could serve up to 10 years in federal prison.

This case highlights the risks posed by insiders. The recently published 2022 Verizon Data Breach Investigations Report highlights the risk of attacks by external threat actors, which outnumber insider attacks by 4 to 1, but safeguards also need to be implemented to protect against insider threats.

In this case, the alleged access occurred two months after the application for employment was rejected and one month after being terminated from the IT company. When individuals leave employment, voluntarily or if terminated, access rights to systems need to be immediately revoked and scans of systems conducted to identify any malware or backdoors that may have been installed.

There have been multiple cases of disgruntled IT contractors retaining remote access to systems after termination, with one notable case at a law firm seeing a former IT worker installing a backdoor and subsequently accessing the system and intentionally causing damage after leaving employment. In that case, the individual was sentenced to 115 months in federal prison and was ordered to pay $1.7 million in restitution.

The post Former IT Consultant Charged with Intentionally Causing Damage to Healthcare Company’s Server appeared first on HIPAA Journal.

Email Incidents Reported by Washington University School of Medicine & Oswego County Opportunities

Posted by HIPAA Journal

Oswego County Opportunities (OCO) in New York has announced that a limited number of employee email accounts were recently accessed by an unknown actor. The security breach was identified when suspicious email activity was detected and the email accounts were immediately secured. Third-party cybersecurity experts were engaged to investigate the breach to determine the nature and scope of the attack, and what information, if any, had been accessed by the threat actor.

It was not possible to determine if any emails in the account had been viewed or obtained but the review of the affected email accounts confirmed they contained the following types of information: names, addresses, Social Security numbers, driver’s license numbers, certain health information, and a very limited amount of credit card numbers. The accounts also contained some employee information and information about vendors with connections to OCO.

The data breach has been reported to the HHS’ Office for Civil Rights as affecting 7,766 individuals. OCO said it has modified its email settings and controls to provide greater protection against cyberattacks of this nature.

Data Security Incident Reported by Washington University School of Medicine

Washington University School of Medicine in St Louis, MO, has recently announced that patient information has been exposed as a result of a recent data security incident. An unknown actor gained access to the email accounts of certain employees between March 4, 2022, and March 28, 2022.

A forensic investigation was conducted to determine if any emails or attachments were opened or obtained in the attack, although it was not possible to determine if patient data had been accessed or stolen. A review of all affected emails and attachments was conducted and confirmed they contained patient information such as names, dates of birth, addresses, medical records, patient account numbers, clinical information, and, for a limited number of patients, health insurance information and/or Social Security numbers.

In response to the breach, enhancements have been made to email security and employee training has been reinforced on how to identify and avoid suspicious emails. At present the data breach has not appeared on the HHS’ Office for Civil Right website so it is unclear how many patients have been affected; however, the School of Medicine said the breach did not affect all patients and research participants.

The post Email Incidents Reported by Washington University School of Medicine & Oswego County Opportunities appeared first on HIPAA Journal.

SAC Health Theft Incident and Multiple Ransomware Attacks Reported

Posted by HIPAA Journal

Social Action Community Health System (SAC Health) has recently notified 149,940 patients that documents containing their protected health information were stolen in a break-in at an off-site storage location where patient records were stored.

The break-in was discovered on March 4, 2022, with the subsequent investigation confirming on April 22, 2022, that six boxes of paper documents had been stolen from the facility, which included files relating to patients served by SAC Health in 1997 and between 2006 and 2020.

An analysis was conducted to determine which types of information were included in the files and concluded the documents may have contained information such as names, addresses, dates of birth, and diagnosis codes. Notification letters were sent to those individuals on May 3, 2022. SAC Health said it is unaware of any actual or attempted misuse of patient data as a result of the break-in; however, as a precaution against identity theft and fraud, affected individuals have been offered complimentary credit monitoring services. SAC Health said it is conducting a review of its policies and procedures concerning the storage of paper data.

Bryan County Ambulance Authority Ransomware Attack Affects 14,000 Patients

The Bryan County Ambulance Authority in Oklahoma has recently started notifying 14,273 patients about the exposure and potential theft of some of their protected health information. According to the notification letters, the attack was detected on November 24, 2021, when files on its systems were encrypted. Immediate action was taken to prevent further unauthorized access, and third-party cybersecurity consultants were engaged to assist with the forensic investigation.

The breach notice does not indicate what types of information were stolen in the attack but says affected individuals have been offered a complimentary membership to an identity theft protection service. According to the notice, the forensic investigation and document review took until April 7, 2022, hence the delay in issuing notifications to affected individuals.

Lifespan Services Suffers Ransomware Attack

Charlotte, NC-based Lifespan Services, a non-profit provider of services to individuals with disabilities, has recently confirmed it was the victim of a ransomware attack that affected data on its servers. The attack occurred on April 12, 2022, and prompt action was taken to secure its systems.

Lifespan said it was possible to restore all encrypted data within 24 hours of the attack, but the forensic investigation confirmed on May 3, 2022, that the individuals behind the attack had accessed files containing patients’ personal information, including names Social Security numbers, Medicaid numbers, driver’s license numbers, and bank routing numbers.

Lifespan said multiple layers of protection were in place, and additional security measures have now been implemented. A complimentary one-year membership to identity theft protection services has been offered to the 8,006 individuals affected.

Vice Society Claims Responsibility for Ransomware Attack on Atlanta Perinatal Associates

The Vice Society ransomware gang has claimed responsibility for a ransomware attack on Atlanta Perinatal Associates in Georgia. Atlanta Perinatal Associates specializes in treating mothers who have high-risk pregnancies, and coordinates care with other medical providers.

The healthcare provider has not yet confirmed it was a victim of a ransomware attack; however, Vice Society has uploaded data to its leak site that was allegedly stolen in the attack. The data includes names, dates of birth, ID numbers, expected due dates, referring physician names, sonographer names, ultrasound results, drug and alcohol use histories, other health information, and some records include credit card information and health insurance information. According to databreaches.net, which reviewed some of the files, they relate to records created between 2019 and April 2022.

Since the incident has yet to be reported to regulators, it is currently unclear how many patients have been affected.

The post SAC Health Theft Incident and Multiple Ransomware Attacks Reported appeared first on HIPAA Journal.

Over 850,000 Individuals Affected by Partnership HealthPlan of California Cyberattack

Posted by HIPAA Journal

In March 2022, Partnership HealthPlan of California (PHC) announced that third-party forensic specialists had been engaged to help restore the functionality of its IT systems following a cyberattack. PHC has now confirmed in a breach notification to the Maine Attorney General that the protected health information of 854,913 current and former health plan members has potentially been stolen, making this one of the largest healthcare data breaches to be reported so far this year.

According to the notification, the cyberattack was detected on or around March 19, 2022. Steps were immediately taken to contain the breach and an investigation was launched to determine the nature and scope of the attack. PHC said the forensic investigation uncovered evidence that the unauthorized party behind the cyberattack had removed files from the PHC network on or around March 19.

The review of the affected files is ongoing, and while it has yet to be confirmed which specific types of protected health information were included in the affected files, notification letters are starting to be sent to affected individuals. PHC said the types of information potentially stolen may include names, birth dates, addresses, email addresses, Social Security numbers, driver’s license numbers, Tribal ID numbers, medical record numbers, health insurance information, diagnoses, treatment and prescription information other medical information, and member portal usernames and passwords.

While PHC did not state the nature of the cyberattack in its breach notification, the Hive ransomware gang has claimed responsibility for the attack and alleges around 400 GB of files were stolen, a sample of which was temporarily uploaded to the group’s data leak site. PHC said it is reviewing and enhancing its policies and procedures relating to data protection and security, and additional security measures and safeguards will be implemented to protect against this type of event in the future. PHC is covering the cost of access to credit monitoring services for affected individuals for two years. A class action lawsuit has already been filed on behalf of individuals affected by the breach.

The post Over 850,000 Individuals Affected by Partnership HealthPlan of California Cyberattack appeared first on HIPAA Journal.

April 2022 Healthcare Data Breach Report

Posted by HIPAA Journal

After four successive months of declining numbers of data breaches, there was a 30.2% increase in reported data breaches. In April 2022, 56 data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights (OCR).

Healthcare data breaches in the past 12 months (April 2022)

While the number of reported breaches increased month-over-month, the number of healthcare records that were exposed or impermissibly disclosed decreased by 30% to 2,160,194 – the lowest monthly number since October 2021. The average breach size in April 2022 was 38,575 records, and the median breach size was 6,546 records.

Breached healthcare records in the past 12 months (April 2022)

Largest Healthcare Data Breaches in April 2022

22 healthcare data breaches were reported in April 2022 that affected 10,000 or more individuals. The worst breach was a hacking incident reported by Adaptive Health Integrations, a provider of software and billing/revenue services to laboratories, physician offices, and other healthcare companies. More than half a million healthcare individuals were affected.  The Arkansas healthcare provider ARcare suffered a malware attack that disrupted its systems and potentially allowed hackers to access the records of 345,353 individuals. Refuah Health Center reported a hacking and data theft incident in April, which had occurred almost a year previously in May 2021 and affected up to 260,740 patients.

Illinois Gastroenterology Group, PLLC reported a hacking incident where the attackers had access to the records of 227,943 individuals, and Regional Eye Associates, Inc. & Surgical Eye Center of Morgantown were affected by a data breach at the cloud-EHR vendor Eye Care Leaders (ECL), which exposed the records of 194,035 individuals. The ECL cyberattack saw the attackers delete databases and system configuration files of one of its cloud services. The cyberattack affected close to a dozen eye care providers and resulted in the exposure of more than 342,000 records.

Name of Covered Entity State Covered Entity Type Individuals Affected Cause of Breach
Adaptive Health Integrations ND Healthcare Provider 510,574 Hacking incident with potential data theft
ARcare AR Healthcare Provider 345,353 Malware infection
Refuah Health Center NY Healthcare Provider 260,740 Hacking incident and data theft incident
Illinois Gastroenterology Group, PLLC IL Healthcare Provider 227,943 Hacking incident with potential data theft
Regional Eye Associates, Inc. & Surgical Eye Center of Morgantown WV Healthcare Provider 194,035 Hacking incident at EHR provider
Healthplex, Inc. NY Health Plan 89,955 Email account breach
Optima Dermatology Holdings, LLC NH Healthcare Provider 59,872 Unspecified email incident
SUMMIT EYE ASSOCIATES P.C. TN Healthcare Provider 53,818 Hacking incident at EHR provider
Newman Regional Health KS Healthcare Provider 52,224 Email account breach
WellStar Health System, Inc. GA Healthcare Provider 30,417 WellStar Health System
Central Vermont Eye Care VT Healthcare Provider 30,000 Unspecified hacking incident
Frank Eye Center, P.A. KS Healthcare Provider 26,333 Hacking incident at EHR provider
New Creation Counseling Center OH Healthcare Provider 24,029 Ransomware attack
Georgia Pines CSB GA Healthcare Provider 24,000 Theft of laptop computers
The Guidance Center, Inc. AZ Healthcare Provider 23,104 Email account breach
Allied Eye Physicians and Surgeons, Inc. OH Healthcare Provider 20,651 Hacking incident at EHR provider
King County Public Hospital District No. 2 d/b/a EvergreenHealth WA Healthcare Provider 20,533 Hacking incident at EHR provider
Onehome Health Solutions FL Healthcare Provider 15,401 Theft of laptop computers
Southern Ohio Medical Center OH Healthcare Provider 15,136 Hacking incident with potential data theft
Arkfeld, Parson, and Goldstein, P.C. doing business as ilumin NE Healthcare Provider 14,984 Hacking incident at EHR provider
Pediatric Associates, P.C. VA Healthcare Provider 13,000 Hacking incident at EHR provider
Fairfield County Implants and Periodontics, LLC CT Healthcare Provider 10,502 Email account breach

Causes of April 2022 Healthcare Data Breaches

Hacking and IT incidents accounted for 73.2% of the healthcare data breaches reported in April 2022 and 97.1% of the month’s breached healthcare records. 2,098,390 individuals were affected by those hacking incidents and may have had their protected health information stolen. The average breach size was 51,180 records and the median breach size was 9,969 records. 16 of the hacking incidents involved unauthorized individuals gaining access to employee email accounts, and there were 7 breaches of electronic health records, due to the hacking incident at the EHR vendor Eye Care Leaders.

Causes of April 2022 Healthcare Data Breaches (april 2022)

There were just breaches reported as unauthorized access/disclosure incidents which involved a total of 20,391 records. The average breach size was 1,854 records and the median breach size was 820 records. There were two theft incidents reported involving laptop computers and one loss incident involving an ‘other portable electronic device’. Across the three loss/theft incidents, the records of 40,298 individuals were potentially compromised. All three breaches could have been prevented if data had been encrypted. There was also one improper disposal incident reported, involving 1,115 paper records.

Location of breached protected health information (April 2022)

Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected HIPAA-covered entity, with 39 reporting breaches in April. 7 data breaches were reported by health plans, and 10 data breaches were reported by business associates. However, a further 17 data breaches occurred at business associates but were reported by the respective covered entity. The chart below shows the month’s data breaches adjusted to reflect where the breaches occurred.

Healthcare Data Breaches by Covered Entity Type (April 2022)

Healthcare Data Breaches by State

In April 2022, HIPAA-regulated entities in 26 states reported breaches. New York and Ohio were the worst affected states in April, with 7 & 6 data breaches reported respectively.

State Number of Data Breaches
New York 7
Ohio 6
California 4
Arizona, Georgia, Kansas, Michigan, Tennessee, & Virginia 3
Florida, Maryland, North Carolina & New Hampshire 2
Alabama, Arkansas, Colorado, Connecticut, Illinois, Nebraska, North Dakota, Pennsylvania, South Carolina, Utah, Vermont, Washington & West Virginia 1

HIPAA Enforcement Activity in April 2022

There were no HIPAA enforcement activities announced by the HHS’ Office for Civil Rights or State Attorneys General in April 2022. So far this year, 4 financial penalties have been imposed to resolve HIPAA violations.

The post April 2022 Healthcare Data Breach Report appeared first on HIPAA Journal.

Solara Medical Supplies $9.76 Million Data Breach Settlement Gets Preliminary Approval

Posted by HIPAA Journal

A $9.76 million settlement proposed by Solara Medical Supplies to resolve a class action lawsuit related to a 2019 data breach has received preliminary approval from the court.

Solara Medical Supplies, which provides products and services to help people manage their diabetes, was the victim of a phishing attack that saw employees’ Microsoft Office 365 email accounts accessed by unauthorized individuals between April 2, 2019, and June 20, 2019.

The email accounts contained the protected health information of patients and sensitive employee information, including names, dates of birth, billing and claims information, health insurance information, medical information, financial account information and credit card numbers, Social Security numbers, driver’s license numbers, state ID numbers, and Medicare/Medicaid IDs. The breach was reported to the HHS’ Office for Civil Rights as affecting 114,007 individuals.

Legal action was taken on behalf of the individuals affected by the breach, with the class including all individuals residing in the United States and its territories who were notified in November 2019 that their information had been exposed. The plaintiffs alleged Solara Medical Supplies was negligent for failing to prevent the breach.

Solara Medical Supplies denies any wrongdoing and liability and believes there are meritorious defenses and legal challenges to the plaintiffs’ claims; however, agreed to settle the lawsuit to prevent further legal costs and to avoid the uncertainty of litigation.

Under the terms of the settlement, a fund of $5.06 million will be created to cover costs associated with the administration of the settlement, attorneys’ fees, and payments to class members. All individuals who submit a valid claim will be eligible to receive a cash payment of $100, which may be adjusted up or down depending on the number of individuals who submit a claim.

Solara Medical Supplies has committed to taking steps to improve security to prevent further data breaches, such as implementing systems for detecting suspicious activity, multifactor authentication, improvements to email filtering, and other security measures, which have been estimated to cost $4.7 million over the next 5 years.

The settlement has received preliminary approval from the court and a final hearing for the settlement has been scheduled for September 12, 2022. The deadline for submitting a claim is August 8, 2022, and the deadline for objecting to the settlement or requesting to be excluded from the settlement is August 22, 2022.

The post Solara Medical Supplies $9.76 Million Data Breach Settlement Gets Preliminary Approval appeared first on HIPAA Journal.

Parker-Hannifin Cyberattack Affects Almost 120,000 Health Plan Members

Posted by HIPAA Journal

Cleveland, OH-based Parker-Hannifin Corporation, a manufacturer of motion and control technologies, has recently announced that unauthorized individuals have gained access to some of its IT systems and may have acquired files containing the sensitive information of current and former employees, their dependents, and other individuals affiliated with the company.

Suspicious activity was detected within its IT environment on March 14, 2022. The forensic investigation confirmed its systems were accessed by unauthorized individuals between March 11, 2022, and March 14, 2022. A comprehensive review of the affected files confirmed they contained information such as names, birth dates, addresses, Social Security numbers, driver’s license numbers, passport numbers, financial account information such as bank account and routing numbers, and online account usernames and passwords. Current and former members of the Parker Group Health Plan, or a health plan sponsored by an entity acquired by Parker, may also have had their enrollment information compromised, which includes health insurance plan member ID number and dates of coverage.

The breach has been reported to the HHS’ Office for Civil Rights as affecting 119,513 group health plan members. Affected individuals have been notified and offered a complimentary 2-year membership to Experian’s IdentityWorks identity theft protection and resolution services.

Behavioral Health Partners of Metrowest Reports Data Theft Incident

Framingham, MA-based Behavioral Health Partners of Metrowest (BHPMW) has notified 11,288 individuals that some of their protected health information has been copied from its systems by an unauthorized individual. BHPMW learned of the data breach on October 1, 2022, with the forensic investigation confirming the unauthorized individual accessed its systems and removed data on September 14 and September 18, 2021.

The stolen data related to the Behavioral Health Community Partner Program which BHPMW operates under contract with MassHealth, in collaboration with the Advocates, Family Continuity, SMOC, Spectrum Health Systems, and Wayside Youth and Family Support provider agencies and included names, addresses, Social Security numbers, birth dates, client identification numbers, health insurance information, and medical diagnosis/treatment information. BHPMW is unaware of any attempted or actual misuse of the stolen information.

Notification letters were sent to affected individuals on May 11, 2022, and those individuals have been offered complimentary credit monitoring and identity protection services.

Vail Health Services Data Security Incident Affects 17,000 Patients

A data security incident at Vail Health in Colorado has resulted in the exposure and potential theft of the protected health information of 17,039 patients. Vail Health said it started experiencing disruption to its network systems and launched an investigation which revealed on April 5, 2022, that an unauthorized individual had gained access to its systems on February 11, 2022.

The compromised systems contained a small number of files that included information about individuals who received COVID-19 tests from Vail Health, such as names, birth dates, contact information, encounter numbers, and COVID-19 test results. No Financial information, health insurance information, or Social Security numbers were exposed or compromised.

The systems already had controls that restricted access to limited individuals. Additional security measures have now been implemented to further restrict access.

The post Parker-Hannifin Cyberattack Affects Almost 120,000 Health Plan Members appeared first on HIPAA Journal.

AvosLocker Claims Credit for Christus Health Ransomware Attack

Posted by HIPAA Journal

The Irving, TX-based nonprofit health system, Christus Health, which operates more than 600 healthcare facilities in Texas, Arkansas, Louisiana, and New Mexico, has announced it has recently identified suspicious activity in its computer systems and blocked an attempted cyberattack. The prompt action taken by the Christus IT team severely limited the scope of the attack and prevented the incident from impacting its patient care and clinical operations. Christus Health said it is working with third-party cybersecurity experts to investigate and determine the extent of the security breach.

A relatively new ransomware threat group called AvosLocker has claimed credit for the attack. AvosLocker operates under the ransomware-as-a-service (RaaS) model and was first identified in July 2021. The threat group engages in double extortion tactics and is known to exfiltrate data prior to file encryption, then threatens to auction the stolen data if the ransom is not paid.

The number of attacks conducted by Avosocker has been steadily growing, with data from Trend Micro indicating at least 30 attacks were conducted in January 2022, and 37 in February. The gang is known to exploit unpatched vulnerabilities to gain access to victim networks and is reported to use compromised RDP and VPN credentials. The location of the RaaS operation is not known, but it is probable that they are based in Russia or a Post-Soviet state since the group does not permit attacks in those countries. In March 2022, a joint cybersecurity advisory was issued by the FBI and the Department of the Treasury which provided Indicators of Compromise associated with AvosLocker.

Avoslocker has been targeting critical infrastructure entities in the United States, including healthcare organizations. One of the most recent victims was McKenzie Health System in Michigan, which was attacked by the gang in March 2022. The protected health information of 25,318 patients was potentially stolen in that attack, a sample of which was allegedly uploaded to the AvosLocker dark web leak site.

AvosLocker has uploaded a sample of data to its dark web leak site which was allegedly stolen in the attack on Christus Health. At this stage, the extent to which patient data has been affected has not been determined.

The post AvosLocker Claims Credit for Christus Health Ransomware Attack appeared first on HIPAA Journal.