HIPAA Breach News

SuperCare Health Sued Over 318,000-Record Data Breach

Posted by HIPAA Journal

A lawsuit has been filed against the in-home respiratory care provider, SuperCare Health, over a cyberattack and data breach that was reported to the Department of Health and Human Services on March 28, 2022. The incident involved the exposure and potential theft of the protected health information of 318,400 patients, including names, addresses, birth dates patient account numbers, medical record numbers, health insurance information, testing, diagnostic, treatment, and claims information. A subset of individuals also had their Social Security numbers and/or driver’s license numbers exposed.

SuperCare Health said unauthorized individuals had access to its network between July 23, 2021, to July 27, 2021, but did not disclose the nature of the cyberattack. It took SuperCare Health until February 4, 2022, to determine that the files potentially accessed in the attack contained patients’ PHI. Notification letters were sent on March 25, 2022, and according to the notice provided to the California Attorney General, credit monitoring and identity theft protection services were offered to affected individuals.

It is becoming more common for lawsuits to be filed over healthcare data breaches. According to a recently published report from the law firm BakerHostetler, lawsuits are often now filed over relatively small healthcare data breaches and it is common for multiple lawsuits to be filed. In 2021, the law firm was involved in 23 incidents, and 58 lawsuits were filed in response to those breaches. 43 of the lawsuits were filed in response to healthcare data breaches, and 11 of the lawsuits were filed for breaches affecting fewer than 700,000 individuals.

The SuperCare Health lawsuit was filed in the United States District Court for the Central District of California on April 12, 2022, two weeks after notification letters were sent to patients. The lawsuit, Vickey Angulo v. SuperCare Health, alleges SuperCare Health had not implemented adequate and reasonable cybersecurity procedures and protocols to secure the personal and protected health information of the plaintiff and members of the class, despite a known risk of cyberattacks and data breaches at healthcare providers, which are at an all-time high. The lawsuit also alleges SuperCare Health failed to adhere to the security guidelines and standards of the National Institute of Standards and Technology, Federal Trade Commission, and Health Insurance Portability and Accountability Act (HIPAA), and violated state laws.

The lawsuit claims SuperCare Health only provided scant details to victims about the nature of the cyberattack and data breach and did not inform patients about the data breach for more than 6 months after it was detected. The plaintiff said she was notified that unauthorized individuals accessed her information, which included her electronic medical records, but was not offered adequate credit monitoring and identity theft protection services or appropriate compensation for the harm caused.

The plaintiff alleges she has suffered actual injury from the data breach, including damage to and diminution of the value of her private information, and a substantial and present, imminent, and impending injury from the increased risk of identity theft and fraud, and maintains that her personal and protected health information is still available to the public, which would make it possible for anyone to use the information for nefarious purposes.

The lawsuit seeks class action certification, a jury trial, an award of damages, reimbursement of out-of-pocket costs, and a lifetime of credit monitoring services, and for SuperCare Health to make improvements to its security systems and submit to future annual security audits.

The post SuperCare Health Sued Over 318,000-Record Data Breach appeared first on HIPAA Journal.

Resources for Human Development, WellStar Health & Central Vermont Eye Care Announce Data Breaches

Posted by HIPAA Journal

Resources for Human Development Reports Breach Affecting 46,673 Individuals

The Philadelphia, PA-based national human services nonprofit organization, Resources for Human Development (RHD), has recently confirmed that a hard drive containing the protected health information of 46,673 individuals has been stolen. The theft occurred on or around January 27, 2022, and was discovered by RHD on February 16, 2022.

The hard drive was used for its Point-to-Point program in Exton, PA, and contained information such as names, Social Security Numbers, drivers’ license numbers, financial account information, payment card information, dates of birth, prescription information, diagnosis information, treatment information, treatment providers, health insurance information, medical information, Medicare/Medicaid ID numbers, employer identification numbers, electronic signatures, usernames and passwords of clients and staff members.

RHD said it engaged outside forensics specialists to investigate the extent of the breach and ensure the security of its offices and computer servers. Training has also been provided to employees on best practices for protecting confidential information.

LockBit Ransomware Gang Claims Data Stolen from Tague Family Practice

The LockBit ransomware gang claims to have gained access to the systems of Tague Family Practice in St. Louis, MO, and exfiltrated sensitive data, some of which contained patients’ personal and protected health information.

A sample of the stolen data has been uploaded onto the gang’s data leak site. According to Databreaches.net, which was able to access a sample of the data, the data included claims and billing-related information. The data was uploaded to the leak site on March 17, 2022.

At this stage, Tague Family Practice has not confirmed a data breach has occurred and the incident has not appeared on the HHS’ Office for Civil Rights breach portal.

Email Breach Confirmed by Wellstar Health

Atlanta, GA-based Wellstar Health has recently confirmed that employee email accounts were accessed by unauthorized individuals who may have accessed or obtained patient information. Wellstar Health learned about the security breach on February 7, 2022, with the forensic investigation confirming that the breach was limited to two email accounts. No other systems were compromised.

The email accounts were discovered to have been compromised between December 6, 2021, and January 3, 2022. Upon discovery of the breach, the email accounts were immediately disabled and secured. A review of the accounts confirmed they contained protected health information such as employee names, medical record numbers, Internal account numbers, and laboratory information. No evidence was found to indicate any patient information was misused.

It is currently unclear how many patients have been affected.

Central Vermont Eye Care Reports Hacking Incident Affecting 30,000 Patients

A hacking incident has recently been reported by the Rutland, VT-based ophthalmology practice, Central Vermont Eye Care. The exact nature of the hacking incident is unclear at this stage; however, it has been confirmed that unauthorized individuals potentially gained access to the protected health information of up to 30,000 patients. Notification letters were sent to those individuals on April 6, 2022.

This post will be updated when further information becomes available.

The post Resources for Human Development, WellStar Health & Central Vermont Eye Care Announce Data Breaches appeared first on HIPAA Journal.

Increase in Class Action Lawsuits Following Healthcare Data Incidents

Posted by HIPAA Journal

The law firm BakerHostetler has published its 8th Annual Data Security Incident Response (DSIR) Report, which provides insights based on 1,270 data security incidents managed by the firm in 2021. 23% of those incidents involved data security incidents at healthcare organizations, which was the most targeted sector.

Ransomware Attacks Increased in 2021

Ransomware attacks have continued to occur at elevated levels, with them accounting for 37% of all data security incidents handled by the firm in 2021, compared to 27% in 2020 and there are no signs that attacks will decrease in 2022. Attacks on healthcare organizations increased considerably year over year. 35% of healthcare security incidents handled by BakerHostetler in 2021 involved ransomware, up from 20% in 2022.

Ransom demands and payments decreased in 2021. In healthcare, the average initial ransom demand was $8,329,520 (median $1,043,480) and the average ransom paid was $875,784 (median $500,846) which is around two-thirds of the amount paid in 2020. Restoration of files took an average of 6.1 days following payment of the ransom, and in 97% of cases, data was successfully restored after paying the ransom.

Data exfiltration is now the norm in ransomware attacks. 82% of the ransomware attacks handled by BakerHostetler in 2021 included a claim that the attackers had exfiltrated data prior to encrypting files. In 73% of those incidents, evidence of data theft was uncovered, and 81% required notice to be provided to individuals. The average number of notifications was 81,679 and the median number of notifications was 1,002.

The threat of the exposure of stolen data prompted many organizations to pay the ransom. 33% of victims paid the ransom even though they were able to partially restore files from backups and 24% paid even though they had fully restored files from backups.

There was also an increase in business email compromise (BEC) attacks, where phishing and social engineering are used to access organizations’ email accounts, which are then used to trick organizations into making fraudulent payments. While there was an improvement in detection in time to recover transferred funds – 43% compared to 38% in 2020 – there was an increase in the number of organizations that had to provide notifications about the incident to individuals and regulators, jumping from 43% of incidents in 2020 to 60% in 2021.

Class Action Lawsuits are More Common, Even for Smaller Data Incidents

It is now more common for organizations to face class action lawsuits after data security incidents. While class action lawsuits tended to only be filed for large data incidents, it is now increasingly common for smaller data incidents to also result in lawsuits. In 2021, 23 disclosed data incidents resulted in lawsuits being filed, up from 20 in 2020. 11 of the lawsuits related to data incidents involving the data of fewer than 700,000 individuals, with 3 lawsuits filed in relation to incidents that affected fewer than 8,000 individuals.

BakerHostetler identified a trend in 2021 for multiple class action lawsuits to be filed following a data incident. More than 58 lawsuits were filed related to the 23 incidents, and 43 of those lawsuits were in response to data breaches at healthcare organizations.

“There was always a risk of multidistrict litigation following large data incidents. However, now we are seeing multiple lawsuits following an incident notification in the same federal forum. Or, in the alternative, we see a handful of cases in one federal forum and another handful of cases in a state venue,” explained BakerHostetler in the report. “This duplicative litigation trend is increasing the “race to the courthouse” filings and increasing the initial litigation defense costs and the ultimate cost of settlement, due to the number of plaintiffs’ attorneys involved.”

OCR is Requesting Evidence of “Recognized Security Practices”

2021 saw record numbers of data breaches reported by healthcare organizations. 714 incidents were reported to the HHS’ Office for Civil Rights in 2021 compared to 663 in 2020, and more data breaches were referred to the Department of Justice to investigate possible criminal violations than in previous years.

In 2021, there was an amendment made to the HITECH Act to include a HIPAA Safe Harbor for organizations that have adopted recognized security practices for at least 12 months prior to a data breach occurring. BakerHostetler said that out of the 40 OCR investigations of organizations that it worked with, OCR frequently asked about the recognized security practices that had been in place in the 12 months prior to the incident occurring. BakerHostetler strongly recommends organizations examine their security practices and ensure they match the definition of “recognized security practices” detailed in the HITECH amendment, and to consider further investments in cybersecurity to meet that definition if their security practices fall short of what is required.

The post Increase in Class Action Lawsuits Following Healthcare Data Incidents appeared first on HIPAA Journal.

Cyberattack on SuperCare Health Affects 318,000 Patients

Posted by HIPAA Journal

SuperCare Health, a Downey, CA-based post-acute, in-home respiratory care provider serving the Western United States, has recently started notifying 318,379 patients that some of their protected health information has been exposed and potentially accessed by unauthorized individuals in a cyberattack that occurred in July 2021.

In its March 25, 2022, breach notification letters, SuperCare Health explained that it identified unauthorized activity within its IT systems on July 27, 2021. Steps were immediately taken to secure its network and prevent further unauthorized access, and independent cybersecurity experts were engaged to investigate the nature and scope of the incident.

The investigation determined that unauthorized individuals had access to parts of its network from July 23, 2021, to July 27, 2021, and that it was possible that files on the network were accessed that contained patients’ protected health information. A comprehensive review of the contents of the files was conducted, which determined on February 4, 2022, that they contained sensitive patient data such as names, addresses, birth dates, hospital/medical group, patient account numbers, medical record numbers, health insurance information, testing/diagnostic/treatment information, other health-related information, and claims information. A subset of individuals also had their Social Security numbers and/or driver’s license numbers exposed.

SuperCare Health said the security breach prompted a review of its security safeguards and additional security measures have now been implemented to better protect the personal and protected health information of its patients.

SuperCare Health is offering affected individuals a complimentary membership to an identity theft protection service, which includes credit monitoring, dark web monitoring, and an identity theft reimbursement insurance policy.

Englewood Health Warns 3,900 Patients About PHI Exposure

Englewood Health, the operator of an acute care 289-bed teaching hospital in Englewood, NJ, has recently reported a security breach that involved the protected health information of 3,901 patients. On February 14, 2022, Englewood Health learned that the username and password of an employee had been compromised, which allowed an unauthorized individual to access patient names, dates of birth, and limited health information. Englewood Health said the unauthorized actor had access to patient data for less than 40 minutes before the intrusion was identified and blocked.

In response to the breach, Englewood Health has upgraded its physical, administrative, and technical network controls. Patients have now been notified by mail and while only a limited amount of data was exposed, complimentary credit monitoring services have been offered to affected patients.

The post Cyberattack on SuperCare Health Affects 318,000 Patients appeared first on HIPAA Journal.

OCR Seeks Comment on Recognized Security Practices and the Sharing of HIPAA Settlements with Harmed Individuals

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights has released a Request for information (RFI) related to two outstanding requirements of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act).

The HITECH Act, as amended in 2021 by the HIPAA Safe Harbor Act, requires the HHS consider the security practices that have been implemented by HIPAA-regulated entities when considering financial penalties and other remedies to resolve potential HIPAA violations discovered during investigations and audits.

The aim of the HIPAA Safe Harbor Act was to encourage HIPAA-regulated entities to implement cybersecurity best practices, with the reward being lower financial penalties for data breaches and less scrutiny by the HHS if industry-standard security best practices have been implemented for the 12 months prior to a data breach occurring.

Another outstanding requirement that dates back to when the HITECH Act was signed into law, is for the HHS to share a percentage of the civil monetary penalties (CMPs) and settlement payments with individuals who have been harmed as a result of the violations for which the penalties have been applied. The HITECH Act calls for a methodology to be established by the HHS for determining appropriate amounts to be shared, based on the nature and extent of the HIPAA violation and the nature and extent of the harm that has been caused.

Earlier this year, the recently appointed Director of the HHS’ Office for Civil Rights (OCR) – Lisa J. Pino – confirmed that these two requirements of the HITECH Act were being addressed this year. Yesterday, OCR published the RFI in the Federal Register seeking public comment on these two requirements of the HITECH Act.

Specifically, OCR is seeking feedback on what constitutes “Recognized Security Practices,” the recognized security practices that are being implemented to safeguard electronic protected health information by HIPAA-compliant entities, and how those entities anticipate adequately demonstrating that recognized security practices are in place. OCR would also like to learn about any implementation issues that those entities would like to be clarified by OCR, either through further rulemaking or guidance, and suggestions on the action that should initiate the beginning of the 12-month look-back period, as that is not stated in the HIPAA Safe Harbor Act.

One of the main issues with the requirement to share CMPs and settlements with victims is the HITECH Act has no definition of harm. OCR is seeking comment on the types of “harms” that should be considered when distributing a percentage of SMPs and settlements, and suggestions on potential methodologies for sharing and distributing monies to harmed individuals.

“This request for information has long been anticipated, and we look forward to reviewing the input we receive from the public and regulated industry alike on these important topics,” said Pino. “I encourage those who have been historically underserved, marginalized, or subject to discrimination or systemic disadvantage to comment on this RFI, so we hear your voice and fully consider your interests in future rulemaking and guidance.”

In order to be considered, comments must be submitted to OCR by June 6, 2022.

The post OCR Seeks Comment on Recognized Security Practices and the Sharing of HIPAA Settlements with Harmed Individuals appeared first on HIPAA Journal.

Ransomware Gangs Claim Health Plan and Healthcare Provider Attacked

Posted by HIPAA Journal

Partnership Health Plan of California Recovering from Suspected Ransomware Attack

The Fairfield, CA-based nonprofit managed care health plan, Partnership Health Plan of California (PHC), has suffered a cyberattack that has taken its IT systems out of action for more than a week. PHC started notifying regional healthcare clinics on March 21, 2022, that its IT systems were disrupted, along with its website and phone lines and that efforts were underway to restore its systems. A timeline for when IT systems would likely be restored was not provided.

PHC did not state in its notifications what caused the outage, but it appears to have been a ransomware attack by the Hive ransomware operation. The Hive ransomware gang claimed responsibility for the cyberattack on its clear web and dark web sites and said 400 gigabytes of data was exfiltrated from PHC systems that included 850,000 unique records of name, SSNs, dates of birth, addresses, and other information. That claim has since been removed.

PHC has yet to confirm whether ransomware was used and the extent to which plan members’ data has been affected. PHC has around 618,000 health plan members in Northern California. The Hive ransomware gang is known to target the healthcare industry, having previously conducted ransomware attacks on Memorial Health System and Johnson Memorial Health last year.

Cancer and Hematology Centers of Western Michigan Suffers Ransomware Attack

Cancer and Hematology Centers of Western Michigan has recently announced it was the victim of a ransomware attack in December 2021 that affected part of its database. The healthcare provider said it partnered with a third-party IT and forensics firm to investigate the breach and restore its systems.

The breach investigation did not uncover evidence to suggest any patient data has been misused, but the parts of its systems that were accessed by the attackers contained parts of patients’ health records and employees’ Social Security numbers and bank account information.

Cancer and Hematology Centers of Western Michigan has started notifying affected individuals and complimentary credit monitoring services have been offered. Steps have been taken to strengthen data security procedures, including decommissioning several servers, providing additional training to the workforce, reviewing security policies and procedures, and contracting with a third-party company to provide ongoing security monitoring.

The breach has been reported to the HHS’ Office for Civil Rights as affecting 43,071 individuals.

LockBit Ransomware Gang Claims to Have Attacked Val Verde Regional Medical Center

The LockBit ransomware gang has recently published data on its leak site which it claims was stolen in a ransomware attack on Val Verde Regional Medical Center in Texas.

Lockbit has published around 400 MB of data on its website which includes files that include the data of more than 96,000 patients. The files contain information such asnames, patient ID numbers, account numbers, email addresses, addresses, phone numbers, dates of birth, employer addresses, marital status, guarantor names, referring physician names, health insurance information, notes, and other information.

Val Verde Regional Medical Center has not confirmed whether the claims of the Lockbit gang are genuine and the breach is not yet showing on the HHS’ Office for Civil Rights breach portal.

The post Ransomware Gangs Claim Health Plan and Healthcare Provider Attacked appeared first on HIPAA Journal.

Spokane Regional Health District Announces Second Phishing Attack in 3 Months

Posted by HIPAA Journal

Spokane Regional Health District (SRHD) in Washington has once again fallen victim to a phishing attack. For the second time this year, the health district has announced patient data has potentially been compromised after an employee responded to a phishing email.

On March 24, 2022, SRHD announced that its IT department discovered a compromised email account, with the investigation recently confirming that the employee responded to a phishing email on February 24, 2022, and disclosed credentials that allowed the account to be accessed. Last week, SRHD confirmed that the email account contained the protected health information of 1,260 individuals. That information may have been ‘previewed’ by an unauthorized individual, although no evidence was found to suggest information had been accessed or downloaded.

Information in the account included names, birth dates, service dates, source of referral, provider hospital name, diagnosing state, whether the patient had been located, date located, patient risk level, staging level, how medications were collected, test type, test result, treatment information, medication information, delivery dates and any treatments provided to the baby, diagnostic information, medical information, and client notes.

A spokesperson for SRHD said corrective actions have been taken to mitigate the current breach and prevent further phishing attacks, including reinforcing employee cybersecurity training, implementing multifactor authentication, and performing testing on its systems.

“Much like the rest of the state of Washington, SRHD has experienced a record-level spike in phishing emails and malware installation attempts. In this instance, staff fell prey to a phishing scam which exposed confidential information to data thieves,” said SRHD Deputy Administrative Officer, Lola Phillips. “We have a strong commitment to safeguard personal information, and we are working diligently to reduce the likelihood of future events.”

On January 24, 2022, SRHD announced that an employee email account had been compromised on December 21, 2021. The email account contained the sensitive data of 1,058 individuals, including names, birth dates, case numbers, counselor names, test results and dates of urinalysis, medications, and date of last dose.

After that attack, SRHD said it will be reinforcing employee cybersecurity training, implementing multifactor authentication, and performing testing on its systems.

Catholic Health Notifies Patients About Data Theft Incident at Business Associate

Catholic Health has recently started notifying approximately 1,300 patients that some of their protected health information has been exposed in a cyberattack on its business associate, Ciox Health.

Buffalo, NY-based Ciox Health provides health information management services to healthcare providers and insurers. Between June 24, 2021, and July 2, 2021, emails and attachments in a Ciox Health employee’s email account were downloaded by an unauthorized individual.

The breach was detected last year and in September 2021, Ciox Health learned that the email account contained patient information related to billing inquiries and customer service requests. A review of the information in the account was completed in early November, and affected providers and insurers were notified between November 23 and December 30, 2021.

Catholic Health said the compromised information included patient names, provider names, dates of birth, dates of service, health insurance information, and/or medical record numbers. “While Ciox’s investigation did not find any instances of fraud or identity theft as a result of this incident, out of an abundance of caution, beginning today, Ciox is notifying affected Catholic Health patients,” said Catholic Health, in a March 30, 2022 post on its website.

The post Spokane Regional Health District Announces Second Phishing Attack in 3 Months appeared first on HIPAA Journal.

CSI Laboratories and Christie Clinic Report Data Breaches; Scripps Health Sends Additional Notification Letters

Posted by HIPAA Journal

Conti Ransomware Gang Claims Responsibility for Cyberattack on CSI Laboratories

Cytometry Specialists, Inc. doing business as CSI Laboratories in Alpharetta, GA, has recently announced it was the victim of a cyberattack that was discovered on February 12, 2022. An investigation was launched which confirmed that files containing limited patient data were exfiltrated from its systems, which mostly contained patient names and case numbers used for identifying patients, but for limited patients also included addresses, dates of birth, medical record numbers, and health insurance information.

CSI Laboratories said in its web notification that at this stage of the investigation there does not appear to have been any misuse of patient data. While CSI Laboratories did not disclose the nature of the cyberattack, the Conti ransomware gang has claimed responsibility and has published a sample of the exfiltrated data on its data leak site. CSI Laboratories said it has now brought its system back online and it is monitoring its network closely for unusual activity. There was no mention made about any ransom being paid.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

Email Account Breach Reported by Christie Clinic

Christie Business Holdings Company, P.C., doing business as Christie Clinic, has recently announced a security incident involving an employee’s email account. The company’s breach notice did not say when the breach was discovered, but the forensic investigation confirmed on January 27, 2022, that the email account was accessed by an unauthorized individual between July 14, 2021, and August 19, 2021.

Christie Clinic said the purpose of the attack appeared to be to intercept a business transaction between the clinic and a third-party vendor, rather than to obtain sensitive data from the email account, but it was not possible to determine to what extent emails in the account had been accessed. Christie Clinic said the investigation confirmed that the breach was limited to a single email account and no other systems or accounts were affected. The review of information in the account revealed on March 10, 2022, that the emails included protected health information such as names, addresses, Social Security numbers, medical information, and health insurance information. Notification letters were sent to affected individuals on March 24, 2022.

Christie Clinic said it already uses industry-leading network security solutions and performs regular and ongoing data security and privacy training and additional safeguards have been implemented.

Scripps Health Sends Additional Notification Letters About 2021 Ransomware Attack

On June 1, 2021, Scripps Health in San Diego notified the HHS’ Office for Civil Rights about a ransomware attack in which the protected health information of 147,267 patients was potentially compromised. Hackers had gained access to its network between April 26, 2021, and May 1, 2021, and potentially exfiltrated files containing patient data. The attack prompted class action lawsuits and cost the healthcare provider more than 113 million in losses.

Almost a year after its network was breached, NBC 7 was contacted by a patient who received a notification letter dated March 15, 2021, informing her that her protected health information was potentially compromised in the attack, including her name, address, date of birth, health insurance information, medical record number, patient account number, and clinical information such as diagnosis or treatment information had potentially been compromised. The patient had not previously been notified about the ransomware attack.

NBC 7 contacted Scripps Health, which confirmed that the manual document review recently concluded, and it was determined that additional patient data had potentially been compromised in the attack, but declined to say how many additional patients had been affected.

The post CSI Laboratories and Christie Clinic Report Data Breaches; Scripps Health Sends Additional Notification Letters appeared first on HIPAA Journal.

Law Enforcement Health Benefits and Oklahoma City Indian Clinic Suffer Ransomware Attacks

Posted by HIPAA Journal

Oklahoma City Indian Clinic and Law Enforcement Health Benefits Inc. have confirmed they were recent victims of cyberattacks, both of which involved the use of ransomware.

Ransomware Attack Affects 85,282 Law Enforcement Health Benefits Members

Law Enforcement Health Benefits, Inc. (LEHB) has recently announced that it was the victim of a ransomware attack that was detected on September 14, 2021. External cybersecurity professionals were engaged to assist with the investigation and remediation efforts, and a manual review of files on the affected parts of the network was conducted. That process concluded on February 25, 2022, when it was confirmed that files containing the personal and protected health information of plan members had been exfiltrated from its network.

LEHB said the following types of information had been compromised: names, dates of birth, Social Security numbers, driver’s license numbers, financial account numbers, health insurance information, medical record numbers, patient account numbers, and diagnosis/treatment information.

While it was confirmed that files were exfiltrated from its systems, LEHB said it is unaware of any actual or attempted misuse of members’ information. Notification letters have been sent to individuals for whom a current address could be determined, and complimentary credit monitoring services have been offered to individuals whose Social Security numbers were potentially compromised. LEHB said it has taken steps to secure its network and improve internal procedures to allow the rapid identification and remediation of future threats.

The breach has been reported to the HHS’ Office for Civil Rights as affecting 85,282 individuals.

Oklahoma City Indian Clinic Investigating Cyberattack

Oklahoma City Indian Clinic (OKCIC), a 501(c)(3) non-profit organization that provides healthcare services to more than 20,000 patients from 200 Native American tribes in Oklahoma, recently announced on its website and social media accounts that ‘technological issues’ and network disruption are currently being experiencing which have prevented access to certain computer systems. The attack appears to have occurred on or around March 10, 2022 and has affected the automatic refill line and mail order services of its pharmacy.

The OKCIC IT team and third-party specialists are currently investigating the incident and are working to restore access to the affected systems. No mention was made of the nature of the incident, but it appears to be a ransomware attack. The Suncrypt ransomware gang has claimed responsibility for the cyberattack and has added Oklahoma City Indian Clinic to its data leak website. According to Databreaches.net, Suncrypt claims to have stolen more than 350 GB of data prior to encrypting files, including patients’ electronic medical records and financial documents.

Suncrypt has threatened to leak the data if Oklahoma City Indian Clinic does not negotiate and pay the ransom demand. Oklahoma City Indian Clinic said the investigation into the attack is ongoing and at this stage of the investigation, no evidence of data theft has been found.

This post will be updated when further information is made available.

The post Law Enforcement Health Benefits and Oklahoma City Indian Clinic Suffer Ransomware Attacks appeared first on HIPAA Journal.