The Manchester, NH-based medical equipment company, NuLife Med LLC, has recently announced it was the victim of a cyberattack in March 2022. Suspicious network activity was detected on or around March 11, 2022, and steps were immediately taken to prevent further unauthorized network access. An investigation was launched to determine the nature and scope of the attack and to allow its network and systems to be restored. The investigation confirmed that unauthorized individuals had accessed its network between March 9 and March 11, 2022, and potentially viewed and exfiltrated files from its systems.

It was not possible to determine which files had been viewed or removed from its systems, nor the exact number of files that had been accessed or exfiltrated. Notification letters have therefore been sent to all individuals potentially affected. The review of the files revealed they mostly contained protected health information such as names, addresses, medical information, and/or health insurance information. A limited number of individuals have also had their Social Security numbers, driver’s license information, and/or financial account or credit card information exposed.

NuLife Med said it is currently reviewing records to try to determine which individuals have had information beyond medical and/or health insurance information impacted, and additional notifications will be sent to those individuals when the breach investigation has concluded. NuLife said no reports have been received to date to indicate any patient information has been misused.

The data breach has been reported to the HHS’ Office for Civil Rights as affecting 81,244 individuals.

Ransomware Attack Affects 28,000 FPS Medical Center Patients

FPS Medical Center in Lake Havasu City, AV, has recently announced it was the victim of a malware incident that encrypted files on its network. The security breach was detected on March 3, 2022, with the subsequent investigation determining its systems were first breached on February 28, 2022. Unauthorized access was blocked on March 3, 2022.

A forensic investigation was conducted to determine whether patient information was accessed or exfiltrated, but it was not possible to tell if any files had been viewed or downloaded, although the possibility of unauthorized access and data theft could not be ruled out.

A review was conducted of all files on the parts of the network that were affected, which concluded on April 25, 2022. The files contained full names, addresses, birth dates driver’s license information, medical information such as treatment and diagnosis information, health insurance information, and limited Social Security numbers.

Notification letters have now been sent to the 28,024 patients whose protected health information has potentially been compromised. FPS Medical Center said it is reviewing its policies and procedures and will implement additional administrative and technical safeguards to further secure the information in its systems.

Schneck Medical Center Announces Cyberattack and Data Theft Incident

Schneck Medical Center in Seymour, IN, has started notifying certain patients that some of their protected health information was contained in files that were exfiltrated from its systems.

The medical center did not state in its notification whether the security incident was detected but said an extensive forensic investigation and manual document review were conducted which determined on March 17, 2022, that files had been exfiltrated from its systems on or around September 29, 2021.

The files contained names along with one or more of the following data types: Address, date of birth, medical record number, other internal identification numbers, driver’s license/state identification numbers, medical diagnosis and conditions information, and health insurance/claims information. The files also contained limited Social Security numbers, financial account information, and payment card information.

Schneck Medical Center said no evidence was found to indicate any actual or attempted misuse of patient data; however, as a precaution, individuals potentially at risk have been offered complimentary credit monitoring services. Notification letters were sent to affected individuals on May 13, 2022.

A review has been conducted of its security systems, policies, and procedures, and additional security measures are being implemented to prevent similar incidents in the future.

The post Cyberattacks Reported by Schneck Medical Center, NuLife Med, & FPS Medical Center appeared first on HIPAA Journal.

Refuah Health Center in New York has recently started notifying 260,740 patients about a security breach that occurred almost a year ago. According to the April 29, 2022, notification on the healthcare provider’s website, “We recently discovered unauthorized access to our network occurred between May 31, 2021, and June 1, 2021.” Upon discovery of the breach, an investigation was launched to determine the nature and scope of the attack, and a comprehensive review was then conducted of all documents that were potentially accessed.

Refuah Health Center said it discovered on March 2, 2022, that the attackers had exfiltrated some files from its network that contained “a limited amount” of patients’ protected health information, including names in combination with one or more of the following data types: Social Security numbers, driver’s license numbers, state identification numbers, dates of birth, bank/financial account information, credit/debit card information, medical treatment/diagnosis information, Medicare/Medicaid numbers, medical record numbers, patient account numbers, and/or health insurance policy numbers. Notification letters started to be sent to affected individuals on April 29, 2022, and complimentary credit monitoring services have been offered to individuals whose Social Security numbers were potentially compromised.

While Refuah Health Center did not disclose further information about the nature of the attack, databreaches.net reports that the attack appears to have been conducted by the Lorenz ransomware gang, which added Refuah Health Center to its list of victims on its data leak site on June 11, 2021, although that entry has now been removed.

Quantum Imaging Therapeutic Associates

Lewisberry, PA-based Quantum Imaging Therapeutic Associates, a provider of specialized diagnostic radiology services, has recently sent notification letters to patients advising them that their protected health information was exposed in a data security incident that was detected and blocked on October 7, 2021.

At the time of issuing notification letters, no evidence had been found to indicate any patient data has been accessed or stolen by the attackers, although it was not possible to rule out the possibility. The compromised parts of its network contained patient data such as names, addresses, birth dates, Social Security numbers, and information related to the radiology services provided.

After blocking the attack, Quantum launched an investigation assisted by third-party IT specialists, and has now reviewed its network environment and made improvements to security. Quantum will also be monitoring the threat landscape closely and will take proactive actions to address new threats.  Affected individuals have been offered complimentary identity theft protection services.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

RiverKids Pediatric Home Health Reports Email Security Incident

RiverKids Pediatric Home Health in Texas has recently started notifying 3,494 patients that some of their protected health information has potentially been viewed or stolen as a result of an email security incident. On March 15, 2022, RiverKids discovered an unauthorized individual had gained access to the email account of an employee. The investigation into the breach determined multiple employee email accounts had been compromised, with the review of those accounts confirming they contained patient information such as names, birthdates, addresses, and health insurance member IDs. Financial information and Social Security numbers were not exposed.

RiverKids said additional email security measures have been implemented to prevent further security incidents.

The post Refuah Health Center Alerts 260K Patients About May 2021 Cyberattack appeared first on HIPAA Journal.

McKenzie Health System in Sandusky, MI, has recently started notifying 25,318 patients that some of their protected health information has been stolen in a recent security incident which has caused disruption to the operations of some of its systems. On March 11, 2022, suspicious activity was detected within its IT systems. Steps were immediately taken to secure those systems and a third-party investigator was engaged to determine the nature and scope of the security breach.

The investigation determined that an unauthorized individual had gained access to its network and exfiltrated files. The analysis of those files confirmed on April 22, 2022, that they contained patient information such as names, contact information, demographic information, dates of birth, Social Security numbers, diagnosis and treatment information, prescription information, medical record numbers, provider names, dates of service, and/or health insurance information.

McKenzie Health System provided information on the steps that affected individuals should take to protect against the misuse of their personal and protected health information in its notification letters and said complimentary credit monitoring and identity protection services have been offered to individuals whose Social Security numbers have been exposed or compromised. Additional safeguards and technical security measures have now been implemented to better protect sensitive data and to improve the monitoring of its systems.

Omnicell Reports Recent Ransomware Attack in SEC Filing

Omnicell, a Mountain View, CA-based provider of medication management systems, has recently disclosed in an 8-K filing with the Securities and Exchange Commission (SEC) that it was the victim of a ransomware attack. The ransomware attack was detected on May 4, 2022, and resulted in certain internal information technology systems being taken offline.

Omnicell said it is still investigating the attack and the full effects are not yet known, but the attack has had an impact on some of the company’s products and services. Omnicell took immediate action when the attack was detected to prevent further unauthorized access to its systems, its business continuity plans were implemented, and it started working on restoring its systems. At the current stage of the investigation, Omnicell has been unable to determine the impact the attack will have on the business, the results of operations, or the financial impact of the attack, nor whether any impact will have a material adverse effect. Third-party cybersecurity experts have been engaged and are assisting with the investigation and recovery and the cyberattack has been reported to law enforcement.

Omnicell also recently submitted its quarterly earnings, and in its 10-Q form to the SEC explained that significant disruptions to its IT systems could adversely affect the business, as the company relies on its IT systems for maintaining financial and corporate records, communicating internally and with external parties, and operating critical business functions.

Omnicell explained that it does create backups and stores them securely off-site, but that the business would be adversely affected if it was not possible to restore systems and data from backups within an acceptable time frame and the business would also be adversely affected if a data theft incident occurred that resulted in the loss of intellectual property. It is unclear at this stage whether any sensitive data was stolen prior to the encryption of files.

The post Cyberattacks Reported by McKenzie Health System & Omnicell appeared first on HIPAA Journal.

Unauthorized individuals have gained access to the systems of Eye Care Leaders, a provider of electronic health records and patient management software solutions for eye care practices. On or around December 4, 2021, hackers gained access to its myCare Identity solution and deleted databases, systems configuration files, and data.

Eye Care Leaders said its incident response team immediately stopped the unauthorized activity when the breach was detected and launched an investigation into the security breach. The investigation is ongoing, but notifications have now been sent to affected ophthalmology and optometry practices.

While the investigation has not uncovered evidence to suggest the attackers viewed or exfiltrated sensitive data, the possibility of unauthorized data access and theft could not be ruled out. The types of information that have been exposed included patient names, dates of birth, medical record numbers, health insurance information, Social Security numbers, and information regarding the care received at the affected eye care practices. The breach was confined to the myCare Identity solution. The systems of eye care providers that use the solution were not compromised. It is currently unclear how many individuals have been affected by the breach. The Eye Care Leaders website states that it provides software solutions to more than 9,000 ophthalmologists and optometrists.

Kirkland, WA-based EvergreenHealth has also been affected, and sent notifications to 20,533 patients on April 22, 2022, and confirmed that the breach only affected data related to the EvergreenHealth Eye Care Clinic. If any non-eye care medical services had been received at EvergreenHealth, the information would not have been stored in the affected system. EvergreenHealth said it is examining its relationship with Eye Care Leaders and assessing the security safeguards that have been implemented.

Nashville, TN-based Summit Eye Associates sent notifications to affected patients on April 28, 2022, and has reported the breach to the HHS’ Office for Civil Rights as affecting up to 53,818 individuals.

The post Eye Care Leaders Hack Impacts Tens of Thousands of Patients appeared first on HIPAA Journal.

Illinois Gastroenterology Group has recently announced that unauthorized individuals gained access to its computer environment and potentially accessed and exfiltrated sensitive patient data. The cyberattack was detected on October 22, 2021, when suspicious activity was identified within its computer network.

Third-party cybersecurity specialists were engaged to investigate the attack and determine the nature and scope of the incident. On November 18, 2021, Illinois Gastroenterology learned that the parts of its systems that were accessed by unauthorized individuals contained patient information such as names, addresses, birth dates, Social Security numbers, driver’s license numbers, passport numbers, financial account information, payment card information, employer-assigned identification numbers, medical information, and biometric data.

Illinois Gastroenterology said it was not possible to rule out unauthorized viewing or theft of files containing patient data, but at the time of issuing notification letters, no reports had been received to suggest any fraudulent misuse of the impacted information. The review of the affected files was completed on March 22, 2022, and notification letters have now been sent to affected individuals.

In response to the breach, policies and procedures related to network security were reviewed and augmented, the implementation of an enhanced managed Security Operations Center was accelerated, and multi-factor authentication has been implemented. While the security breach was not confirmed as involving ransomware, Illinois Gastroenterology said a new endpoint detection and response platform has been deployed that has policies enabled specifically for ransomware.

The data breach has recently been reported to the HHS’ Office for Civil Rights as affecting up to 227,943 patients.

Data of Patients of the Mental Health Center of Greater Manchester has been Exposed

The Mental Health Center of Greater Manchester (MHCGM) in New Hampshire has announced that patient data was potentially compromised in a cyberattack at a third-party community mental health services partner, Center for Life Management (CLM), which was used for data storage.

On February 21, 2022, CLM’s systems were accessed by an unauthorized individual. The attack was detected on February 23, 2022, and systems were immediately secured to prevent further unauthorized access. The breach was confined to CLM’s systems and the security of MHCGM’s systems was not affected.

CLM investigated the incident and it was confirmed on April 11, 2022, that the attackers potentially accessed and exfiltrated files containing patient information such as names, addresses, birth dates, Social Security numbers, diagnoses, medical information, discharge information, and treatment locations and/or healthcare providers.

No evidence was found to indicate any specific information was viewed or obtained by unauthorized individuals as a result of the attack; however, affected individuals have been offered 12 months of complimentary credit monitoring.  MHCGM said it is no longer using CLM for data storage and is working on removing all data from CLM’s systems.

The incident is not yet showing on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many patients have been affected.

The post Hacking Incidents Reported by Illinois Gastroenterology Group & the Mental Health Center of Greater Manchester appeared first on HIPAA Journal.

Healthplex Inc., one of the largest providers of dental insurance in New York state, has announced that the email account of an employee was compromised in a phishing attack on November 24, 2021. Upon discovery of the breach, the email account was immediately secured to prevent further unauthorized access and an investigation was launched to determine the nature and scope of the breach.

On April 5, 2021, Healthplex confirmed that the email account contained the personal and protected health information of 89,955 individuals who had previously enrolled in its dental plans. The exposed information varied from individual to individual and may have included first and last names in combination with one or more of the following data types:

Address, group name and number, member ID number, plan affiliation, date of birth, date of service, provider name, ADA codes and their description, billed/paid amounts, prescription drug names, Social Security number, banking information, credit card number, username and password for the member portal, email address, phone number, and driver’s license number.

Healthplex said notification letters were sent to affected individuals on April 15, 2022, who have been offered complimentary identity theft protection services through Lifelock. Steps have also been taken to improve the security of its email environment to prevent similar breaches in the future.

Optima Dermatology Email Breach Affects Almost 60,000 Patients

Optima Dermatology Holdings has announced it has experienced an email security incident that resulted in the exposure of the protected health information of patients of The Dermatology Center of Indiana and Advanced Dermatology & Skin Cancer Center.

Optima Dermatology did not disclose when the email security breach was discovered but said that after an extensive forensic investigation it was determined on February 17, 2022, that the breach was limited to a single email account, which was accessed by an unauthorized individual between August 30, 2021, and September 2, 2021.

A review of the email account revealed it contained the protected health information of 59,872 individuals, such as full names, birth dates, medical treatment and/or conditions information, health insurance claims and/or application information, health insurance policy and/or subscriber numbers, and medical record numbers. No evidence was found to indicate Social Security numbers, driver’s license numbers, or financial account/payment card information were exposed or compromised.

Optima Dermatology said notification letters were sent to affected individuals on April 18, 2022, and additional safeguards have been implemented to prevent further attacks.

The post Email Security Incidents Reported by HealthPlex and Optima Dermatology appeared first on HIPAA Journal.

Salusive Health, the developer of the myNurse platform which helps physician practices streamline disease management, has experienced a cyberattack in which patient data was compromised.

In its breach notification letters to patients, Salusive Health explained that it identified unauthorized activity within its computer network on March 7, 2022, and immediately implemented containment, mitigation, and restoration efforts, and engaged third-party cybersecurity experts to assist with those processes. The investigation confirmed that unauthorized individuals accessed the personal and protected health information of patients, including name, gender, home address, phone number, email address, date of birth, medical history, diagnosis and treatment information, dates of service, lab test results, prescription information, provider name, medical account number, health insurance policy and group plan number, group plan provider, and claim information.

Salusive Health said it implemented additional security measures to prevent further breaches, has notified affected individuals and offered free identity theft protection services, and reported the cyberattack to the Federal Bureau of Investigation. The incident has not yet appeared on the HHS’ Office for Civil Rights’ breach portal, so it is unclear at this stage how many individuals have been affected.

Salusive Health also explained in the breach notification letters that the difficult decision has been taken to cease clinical operations by the end of business on May 31, 2022, which will allow patients to hand their chronic care management and remote monitoring services back to their primary care physicians. Salusive Health said the decision to cease operations is unrelated to the data security incident.

New Creation Counseling Center Ransomware Attack Affects 24,000 Patients

New Creation Counseling Center (NCCC) in Tipp City, OH, has recently started notifying 24,029 patients that some of their protected health information has potentially been compromised in a recent cyberattack.

A breach of its IT systems was detected on February 13, 2022, when users were prevented from accessing files on the network. Steps were immediately taken to prevent further unauthorized access, and an investigation was launched to determine the nature and scope of the breach. NCCC confirmed ransomware had been used to encrypt files, and third-party cybersecurity consultants have been assisting with the response and recovery.

NCCC said care continued to be provided to patients throughout and the ransomware has been confirmed as having been eradicated from its systems. While the investigation uncovered no evidence of data theft, it was not possible to rule it out. A review of files on the affected systems confirmed they contained names, telephone numbers, addresses, email addresses, birthdates, Social Security numbers, health insurance information, intake forms, medical releases, and treatment records.

Notifications were sent to affected individuals starting on April 12, 2022, and one year of credit monitoring services has been offered to patients at no cost.

The post Salusive Health Closes Business Following Cyberattack appeared first on HIPAA Journal.

6 data breaches have recently been reported by HIPAA-regulated entities that have collectively resulted in the exposure and potential theft of the protected health information of tens of thousands of individuals.

La Casa de Salud, New York

The Acacia Network, a New York City-based human services organization, has recently notified the HHS’ Office for Civil Rights about an email account breach that was detected on July 17, 2020. According to the breach notice on the Acacia Network website, email accounts were accessed for a limited time between June 6, 2020, and June 12, 2020. An investigation was immediately launched and a forensic firm was engaged to provide assistance, but it was not possible to determine if any emails or attachments had been viewed or copied.

A review of the emails in the account revealed they contained patients’ names, Social Security numbers, driver’s license numbers, addresses, birthdates financial account numbers, medical record numbers, resident identification numbers, health insurance information, Medicare numbers, provider names, treatment, prescription, and/or diagnostic information.

The Acacia Network said the email accounts contained the data of a percentage of clients in the following programs:

• Bronx Accountable Healthcare Network
• Bronx Addiction Services Integrated Concepts System, Inc.
• Community Association of Progressive Dominicans
• El Regreso, Inc
• Greenhope Services for Women, Inc
• La Casa De Salud, Inc
• Promesa, Inc.
• United Bronx Parents, Inc.

The breach has been reported to the HHS’ Office for Civil Rights as affecting 9,969 patients and was reported under the name La Casa De Salud. It is currently unclear if that is the total number of individuals affected. Notification letters were mailed on February 22, 2022, and complimentary credit monitoring and identity protection services have been offered to individuals whose Social Security number or driver’s license number was exposed. No explanation was given as to why it took more than 18 months to notify the affected individuals.

Valley View Hospital, Colorado

Valley View Hospital in Colorado has recently announced that the email accounts of four employees have been accessed by unauthorized individuals after the employees responded to phishing emails. The email account breaches were detected by the hospital on January 19, 2022. The email accounts were immediately secured, and a forensic security firm was engaged to investigate and determine the nature and scope of the breach. On March 29, 2022, it was determined that four email accounts had been compromised that contained information about approximately 21,000 hospital employees and patients. Valley View Hospital did not state in its substitute breach notice what types of information had been compromised.

Notification letters started to be sent to affected individuals on March 19, 2022.

Fairfield County Implants and Periodontics, Connecticut

Fairfield County Implants and Periodontics (FCIP) in Connecticut has recently confirmed that an email account was accessed by an unauthorized individual. FCIP said it was determined on March 2, 2022, that the breached email account contained the protected health information of certain patients, with the review confirming the following types of information had been exposed: Names, addresses, dates of birth, phone numbers, email addresses, Social Security numbers, health insurance information, and medical history and treatment information.

Notification letters were sent to affected individuals on April 15, 2022. FCIP said no evidence of actual or attempted misuse of patient data had been identified at the time of issuing notification letters. Affected individuals have been offered 24 months of credit and CyberScan monitoring at no cost.

The breach was reported to the HHS’ Office for Civil Rights as affecting up to 10,502 individuals.

Los Angeles County Department of Mental Health, California

Los Angeles County Department of Mental Health has recently confirmed there has been a breach of three employee email accounts. The accounts were compromised on October 19, 2021, as a result of employees responding to phishing emails. A forensic investigation was unable to determine if any sensitive information was viewed or exfiltrated, but the possibility of unauthorized data access could not be ruled out.

A review of the affected email accounts revealed they contained the following types of information: names, addresses, dates of birth, driver’s license numbers, Social Security numbers, medical and/or health information, health insurance information, SSID student identifiers, and/or financial account numbers. When the breach was discovered, prompt action was taken to secure the accounts and all network credentials were reset. Additional safeguards have now been implemented.

The breach has been reported to the HHS’ Office for Civil Rights, although it is not currently showing on the breach portal, so it is unclear how many individuals have been affected.

Scott County, Iowa

Scott County in Iowa has recently confirmed it was the victim of a cyberattack that was discovered on November 30, 2021. The email account of an employee was discovered to have been used to send unauthorized emails to internal and external email addresses. The subsequent forensic investigation confirmed that the email accounts of three employees had been compromised and accessed by an unauthorized individual on October 27, 2021.

A review was conducted of all messages in the email accounts. That process was completed on February 22, 2022, when it was confirmed that the email accounts contained the sensitive information of clients, employees of Scott County, and other individuals who received healthcare treatment or services facilitated by Scott County. The email accounts contained information such as names, addresses, dates of birth, Social Security numbers, medical information, health insurance information, and financial account information. At this stage, no evidence of actual or attempted misuse of sensitive data has been identified.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

The post 6 HIPAA-Regulated Entities Report Email Account Breaches and the Exposure of PHI appeared first on HIPAA Journal.

Irvine, CA-based Smile Brands, a provider of support services for dental offices, has recently provided an update on the number of individuals affected by a ransomware attack that was discovered on April 24, 2021. The attackers gained access to parts of its system on April 23, 2021, that housed files that contained individuals protected health information, including names, addresses, telephone numbers, dates of birth, Social Security numbers, financial information, government-issued ID numbers, and health information.

The breach was initially reported to the HHS’ Office for Civil Rights in June 2021 as affecting 1,200 individuals, but the breach report was later amended to indicate up to 199,683 individuals had been affected. However, in the latest update to the Maine attorney general, the breach has been reported as affecting up to 2,592,494 individuals. The initial notice to the Maine attorney general was submitted on October 8, 2021.

Smile Brands said affected individuals have been offered a complimentary 12-month membership to a credit monitoring service, which includes identity theft assistance services and a $1 million identity theft insurance policy.

Malware Potentially Allowed Hackers to Access ArCare Patient Data

Arcare, a provider of primary care and behavioral health services in Arkansas, Mississippi, and Kentucky has confirmed that patient data was potentially accessed by unauthorized individuals in a cyberattack that was discovered on February 24, 2022. Malware was identified on its network which caused a temporary disruption to its services. Prompt action was taken to prevent further unauthorized access and an investigation was launched to determine the nature and scope of the incident.

The investigation confirmed on March 14, 2022, that the attackers may have accessed sensitive data between January 18, 2022, and February 24, 2022. A review of the affected files was completed on April 4, 2022, and confirmed they contained names, Social Security numbers, driver’s license or state identification numbers, dates of birth, financial account information, medical treatment information, prescription information, medical diagnosis or condition information, and health insurance information.

While data has been exposed, no evidence has been found of any actual or attempted misuse of patient data. ARcare said it has updated its policies and procedures relating to data protection and security and sent notification letters to affected individuals on April 25, 0222.

The incident has not yet appeared on the HHS’ Office for Civil Rights breach portal so it is currently unclear how many individuals have been affected.

Unencrypted Laptops Stolen from Home of Employee of Onehome Health Solutions

Two unencrypted laptop computers have been stolen from the home of an employee of the Miramar, FL-based home-based healthcare provider, Onehome Health Solutions.

The theft was discovered on March 3, 2021, and the incident was reported to law enforcement. A forensic analysis determined the laptop computers contained the protected health information of up to 15,401 patients, including names, addresses, phone numbers, medical information, health insurance information, and the last four digits of Social Security numbers.

Onehome said all affected individuals have been notified about the exposure of their information and complimentary identity theft protection services have been offered to individuals whose partial Social Security numbers were exposed.

The post Up to 2,592,494 individuals Affected by Smile Brands Ransomware Attack appeared first on HIPAA Journal.