HIPAA Breach News

Harvard Pilgrim Health Care Increases Ransomware Victim Count to 2.86 Million

Posted by Steve Alder

In February, Harvard Pilgrim Health Care revised the total number of individuals affected by an April 2023 ransomware attack, increasing the total by more than 81,000 to 2,632,275 individuals. That total was increased for the fourth time on March 27, 2024, as the ongoing investigation identified more data that was compromised in the attack. Now, at least 2,860,795 individuals are known to have been affected.

The ransomware attack was discovered on April 17, 2023, with the forensic investigation determining there had been unauthorized access to its network between March 28, 2023, and April 17, 2023. The additional 228,520 affected individuals have now been notified by mail and the notification letters state the exact types of data that were likely compromised in the attack. Harvard Pilgrim Health Care said it is offering complimentary credit monitoring and identity protection services through IDX.

It is not unusual for data breach investigations to uncover additional compromised data. Further data identified as having been accessed in the attack included the information of patients of Brigham and Women’s Physician Organization (BWPO). BWPO is not part of Harvard Pilgrim, but an employee of Harvard Pilgrim Health Care Institute also worked at BWPO part-time. The employee had backed up the contents of their laptop to Harvard Pilgrim’s servers, and the backup file included BWPO data. BWPO learned of the data exposure in January 2024.

BWPO said the backup file included data from January 1, 2017, to May 1, 2019, including names, addresses, phone numbers, dates of birth, medical record numbers, health insurance numbers, and limited clinical information, such as lab results, procedures, medications, and diagnoses related to care provided at BWPO. A BWPO spokesperson said appropriate steps have been taken to address the breach and prevent similar incidents from occurring in the future.

The post Harvard Pilgrim Health Care Increases Ransomware Victim Count to 2.86 Million appeared first on HIPAA Journal.

California and North Dakota Hospitals Report Cyberattacks

Posted by Steve Alder

Cyberattacks have been reported by Pembina County Memorial Hospital, Pomona Valley Hospital Medical Center, and Rancho Family Medical Group. The Massachusetts Department of Developmental Services has discovered documents containing PHI have been left unsecured for a decade.

Pembina County Memorial Hospital

Pembina County Memorial Hospital in Cavalier, ND, has recently confirmed that unauthorized individuals gained access to its network and exfiltrated sensitive patient data. Suspicious activity was detected within its network on April 13, 2023, and after securing its systems, a forensic investigation was launched to determine the nature and scope of the unauthorized activity. The investigation confirmed that there had been unauthorized access to its network between March 7, 2023, and April 13, 2023, and files had been exfiltrated from the network.

The forensic investigation and document review took almost a year, with the hospital stating in its breach notice that those processes were not completed until March 4, 2024. The types of information involved varied from individual to individual and may have included first and last names in combination with one or more of the following: address, phone number, email address, date of birth, driver’s license number, government identification number, vehicle identification number, passport number, Social Security number, patient ID account number, medical information, health information and/or health insurance information.

Pembina County Memorial Hospital said it has implemented additional cybersecurity safeguards, enhanced its cybersecurity training, and revised and updated its policies, procedures, and protocols. Complimentary identity monitoring and protection services have been offered to individuals whose Social Security numbers were involved. The breach is not yet showing on the HHS’ Office for Civil Rights breach portal, but the notification sent to the Maine Attorney General indicates that 23,451 individuals have been affected.

Pomona Valley Hospital Medical Center

Pomona Valley Hospital Medical Center in California is notifying 13,345 individuals about a data breach at a subcontractor of one of its business associates. The hospital used a vendor to run its patient-management tool, and the vendor subcontracted out the storage of the underlying data to another company. In November 2023, the vendor was unable to access the patient management tool and worked with its subcontractor to address the problem. The access problems were due to a ransomware attack.

The attacker was discovered to have accessed patient data, including names, medical record numbers, dates of birth, and clinical information such as allergies, diagnoses, medications, and doctors’ notes. The hospital clarified the data that was involved, verified contact information, and notification letters have now been sent to the affected individuals. The hospital has confirmed that it no longer uses the vendor or subcontractor in connection with patient data.

Rancho Family Medical Group

Rancho Family Medical Group, Inc., a 10-location Californian health system, has confirmed that it has been affected by a data breach at its business associate, KMJ Health Solutions, a provider of online signout and charge capture systems.

Rancho Family Medical Group was notified on January 11, 2024, that there had been unauthorized access to the KMJ Health Solutions network on November 19, 2023. The compromised parts of the network contained the protected health information of 10,480 individuals, including names, dates of birth, hospital medical record numbers, hospital treatment locations, dates of service, and procedure medical codes. Rancho Family Medical Group mailed individuals notifications to the affected individuals on March 11, 2024, along with information about the steps that the affected individuals can take to protect themselves against misuse of their data.

Massachusetts Department of Developmental Services

The Massachusetts Department of Developmental Services (DDS), a state agency that provides support to individuals with intellectual and developmental disabilities across the state, has discovered physical records have been exposed and may have been accessed by unauthorized individuals.

Personal documents containing protected health information were inadvertently left in buildings that were part of the former Walter E. Fernald Developmental Center campus in Waltham, MA, which was sold to the city of Waltham in 2014. The records included the PHI of individuals served by the DSS at the Fernald Developmental Center, as well as some staff records. DDS received a complaint about the documents on January 11, 2024, and visited the facilities to recover the documents the following day.

The documents had been improperly stored in the buildings since 2014 and many had degraded, so it was not possible to tell the exact types of information that had been exposed. Some documents contained names, dates of birth, diagnoses, medical information, medication/prescription information, and other treatment information. Financial account information or Social Security numbers have not been found, but DDS said it could not confirm whether those data types had been exposed due to the state of the documents. Similarly, it may not be possible to determine exactly how many people have been affected. An interim figure of 500 individuals was used when reporting the breach. DDS is now awaiting recommendations from the State Archivist and Secretary of State’s Office on how long the documents should be retained.

The post California and North Dakota Hospitals Report Cyberattacks appeared first on HIPAA Journal.

Benefytt, EMSA, Lindsay Municipal Hospital Affected by Cyberattacks

Posted by Steve Alder

Health Plan Intermediaries Holdings (Benefytt) has been affected by a cyberattack on a vendor, Emergency Medical Services Authority said patient data was exposed in a February cyberattack, and the Bian Lian group has claimed responsibility for a cyberattack on Lindsay Municipal Hospital.

Bian Lian Hacking Group Claims Responsibility for Lindsay Municipal Hospital Cyberattack

Lindsay Municipal Hospital in Oklahoma has recently reported a hacking incident to the HHS’ Office for Civil Rights (OCR) that has affected 500 individuals, a number that is commonly used as a placeholder to meet the breach reporting requirements of the HIPAA Breach Notification Rule when the number of affected individuals has yet to be confirmed.

Aside from the report to OCR, Lindsay Municipal Hospital has remained quiet about the cyberattack and data breach; however, the group behind the attack has not. The Bian Lian hacking group has claimed responsibility for the attack and added Lindsay Municipal Hospital to its data leak site, including evidence to support its claims.

Bian Lian has been in operation since at least 2021 and favors attacks on healthcare providers, manufacturing companies, and law firms, where there is greater potential for a high ransom payment. The group engages in double extortion tactics, where data is stolen, and payment is required to prevent the release of that data and to obtain the keys to decrypt encrypted files. The listing states that the stolen data will be uploaded soon. It is unclear whether Lindsay Municipal Hospital is negotiating with the group.

Patient Data Stolen in Cyberattack on Emergency Medical Services Authority

The Emergency Medical Services Authority (EMSA) in Oklahoma City, OK, has announced that it fell victim to a cyberattack that saw unauthorized individuals gain access to its network between February 10, 2024, and February 13, 2024. The intrusion was detected on February 13, 2024, and systems were shut down to prevent further unauthorized access. The forensic investigation confirmed that the attackers exfiltrated files containing patient data including names, addresses, dates of birth, dates of service, and, for some individuals, the name of their primary care provider and/or Social Security number.

Notification letters have started to be mailed to the affected individuals, although EMSA has yet to publicly confirm how many individuals have been affected. Complimentary credit monitoring and identity theft protection services have been offered to individuals who had their Social Security numbers exposed.

Health Plan Intermediaries Holdings (Benefytt) Affected by Cyberattack on Vendor

Health Plan Intermediaries Holdings, which operates as Benefytt, has recently confirmed that it was affected by a data breach at a business associate of its vendor, Multiplan Inc. Multiplan used the law firm, Orrick, Herrington & Sutcliffe, LLP, which suffered a ransomware attack. Benefytt said its systems and those of Multiplan were unaffected; however, data provided to the law firm to perform its contracted duties was exposed and potentially compromised. The cyberattack was detected on March 13, 2023, and on March 10, 2023, Orrick, Herrington & Sutcliffe confirmed that files containing sensitive data had been stolen. Benefytt said neither MultiPlan nor Orrick could determine which health insurance plans were affected, and that it has been working with the two firms to obtain the necessary information to issue notifications.

Benefytt said it is notifying all affected individuals and is offering them complimentary credit monitoring services. Orrick, Herrington & Sutcliffe reported the breach to the HHS’ Office for Civil Rights on June 30, 2023, as affecting 40,823 individuals; however, the total was revised upwards to 152,818 individuals, and the notification to the Maine attorney General in December 2023 states that 637,620 individuals were affected. It is currently unclear how many Multiplan/Benefytt health plan members have been affected.

The post Benefytt, EMSA, Lindsay Municipal Hospital Affected by Cyberattacks appeared first on HIPAA Journal.

Med-Data Settles Data Breach Lawsuit for $7 Million

Posted by Steve Alder

The Spring, TX-based revenue cycle management company Med-Data has agreed to a $7 million settlement to resolve all claims stemming from a data breach between 2018 and 2019 that involved the protected health information of approximately 136,000 individuals.

Between December 2018 and September 2019, an employee of Med-Data uploaded patient data to the public-facing software development hosting platform GitHub. The files were added to personal folders on GitHub Arctic Code Vault and contained the protected health information of patients of several of its clients. The exposed data included names, addresses, dates of birth, Social Security numbers, diagnoses, medical conditions, claims information, dates of service, subscriber IDs, medical procedure codes, provider names, and health insurance policy numbers. Med-Data removed the files when it was alerted to the data exposure and offered the affected individuals complimentary credit monitoring and identity protection services.

A lawsuit was filed in response to the data breach that claimed Med-Data failed to adequately protect the sensitive data it obtained from its clients and did not issue timely notifications when the breach was discovered. Med-Data chose to settle the lawsuit and the settlement has received preliminary court approval. There are two tiers to the settlement. The first tier allows affected individuals to claim up to $5,000 to cover documented, unreimbursed losses incurred due to the data breach, including out-of-pocket expenses such as bank fees, credit costs, and communication expenses, up to five hours of lost time at $25 per hour, and losses due to identity theft, identity theft, and medical identity theft.

Alternatively, class members can opt for the second tier, which will provide a cash payment of up to $500 to cover time spent in response to the data breach, including monitoring credit reports, signing up for credit monitoring services, changing passwords, and other actions. Claims will be paid pro rata, depending on the number of claims received.

Regardless of the tier chosen, class members can also claim a 3-year membership to a health data and fraud monitoring service (Medical Shield Premium), which includes a $1 million identity theft insurance policy (Pango). Class members have until April 26, 2024, to object to or exclude themselves from the settlement, and the final approval hearing has been scheduled for September 11, 2024.

The post Med-Data Settles Data Breach Lawsuit for $7 Million appeared first on HIPAA Journal.

Roper St. Francis Healthcare Settles Data Breach Lawsuit for $1.5 Million

Posted by Steve Alder

Roper St. Francis Healthcare has agreed to a $1.5 million settlement to resolve a class action lawsuit that was filed in response to a data breach in 2020. Roper St. Francis Healthcare is a South Carolina-based healthcare system with 4 hospitals and more than 117 healthcare facilities in the state. In late October 2020, Roper St. Francis Healthcare discovered three email accounts had been compromised after employees responded to phishing emails. The email accounts were accessed by unauthorized individuals between October 14 and October 29, 2020. The compromised accounts contained the protected health information of 89,761 patients, including names, medical record numbers, patient account numbers, dates of birth, and limited treatment and clinical information, such as dates of service, locations of service, providers’ names, and billing information.

A lawsuit was filed in response to the breach that claimed Roper St. Francis Healthcare was negligent by failing to implement reasonable and appropriate cybersecurity measures, and that Roper St. Francis Healthcare should have been aware that it was vulnerable to cyberattacks as it had experienced multiple data breaches in the past. Roper St. Francis Healthcare disagreed with the plaintiffs’ claims and chose to settle the lawsuit with no admission of wrongdoing.

Under the terms of the settlement, individuals who were notified about the data breach by Roper St. Francis Healthcare may claim up to $325 as reimbursement for data breach-related expenses, including credit costs and bank fees, and up to four hours of lost time at $20 per hour. If extraordinary losses have been incurred due to identity theft and fraud, claims may be submitted up to a maximum of $3,250. All class members are entitled to one year of credit monitoring services, in addition to those already offered in the individual notifications about the data breach. The deadline for exclusion from and objection to the settlement is April 30, 2024, and the final approval hearing has been scheduled for May 2, 2024.

The post Roper St. Francis Healthcare Settles Data Breach Lawsuit for $1.5 Million appeared first on HIPAA Journal.

Avem Health Partners Agrees $1.45 Million Settlement to Resolve Class Action Data Breach Lawsuit

Posted by Steve Alder

A $1.45 million settlement has been agreed by Avem Health Partners to resolve claims related to a 2022 data breach involving the protected health information of 271,303 individuals. Avem Health Partners is an Oklahoma City-based provider of administrative and technology services to healthcare organizations. On May 16, 2022, hackers were found to have gained access to the servers of one of its vendors, 365 Data Centers. The unauthorized access occurred on May 14, 2022, and Avem Health Partners was notified about the data breach on September 9, 2022.

The exposed data included names, dates of birth, Social Security numbers, driver’s license numbers, health insurance information, and diagnosis and treatment information, and the affected individuals were notified by Avem Health Partners in December 2022. Legal action – Bingaman, et al. v. Avem Health Partners Inc. – was taken over the breach with the plaintiffs alleging their protected health information was negligently maintained and had appropriate cybersecurity measures been implemented, the breach could have been prevented. Avem Health Partners chose to settle the lawsuit with no admission of wrongdoing.

Claims will be accepted from individuals who were notified about the data breach by Avem Health Partners. Claims may be submitted for up to $7,000 to cover out-of-pocket expenses incurred due to the data breach, including credit expenses, bank fees, losses to identity theft and fraud, and up to five hours of lost time at $25 per hour. Individuals who do not submit claims to cover losses will be eligible to receive a cash payment of up to $100, although that amount may be reduced depending on the number of claims received.

Regardless of the option chosen, class members will be eligible to receive three years of identity theft protection and credit monitoring services, which include a $1 million identity theft insurance policy. The deadline for objection to and exclusion from the settlement is April 25, 2024, and the final approval hearing has been scheduled for May 10, 2024.

The post Avem Health Partners Agrees $1.45 Million Settlement to Resolve Class Action Data Breach Lawsuit appeared first on HIPAA Journal.

February 2024 Healthcare Data Breach Report

Posted by Steve Alder

There has been a fall in the number of reported healthcare data breaches for the second consecutive month, with 59 data breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights (OCR).

 

There were 10.6% fewer breaches reported in February than in January, which followed a 22% reduction between December 2023 and January 2024. Over the past 12 months, an average of 64 healthcare breaches have been reported each month, and while February is well under that average, 22.9% more breaches were reported in February 2024 than in February 2023.

For the third consecutive month, the number of breached records has fallen, reducing by 41.7% from January to 5,130,515 records, which is well below the 12-month average of 8.9 million records a month and around half as many records as were breached in February 2023. These figures could increase as three data breaches were reported as involving 500 or 501 records. These figures are often placeholders to meet HIPAA’s breach reporting requirements when the number of affected individuals has yet to be determined.

Biggest Healthcare Data Breaches in February 2024

There were 24 data breaches of 10,000 healthcare records in February, the largest of which was a 2.35 million record data breach at Medical Management Resource Group, which does business as American Vision Partners. A further 1.67 million records were compromised in breaches at Eastern Radiologists and Unite Here, both of which were hacking incidents. Only four breaches of 10,000 or more records were not hacking incidents.

Ransomware attacks continue to plague the healthcare industry, but it is difficult to determine the scale of the problem since breach notifications rarely mention whether ransomware was used. Ransomware groups typically steal data and leak it or sell it if the ransom is not paid. If the nature of the attack is not explained to the affected individuals, it is difficult for them to accurately assess the level of risk they face and make informed decisions about the steps they need to take to prevent their personal information from being misused.

Name of Covered Entity State Covered Entity Type Individuals Affected Business Associate Present
Medical Management Resource Group, L.L.C. AZ Business Associate 2,350,236 Hacking incident (Data theft confirmed)
Eastern Radiologists, Inc NC Healthcare Provider 886,746 Hacking incident
UNITE HERE NY Business Associate 791,273 Hacking incident
Northeast Orthopedics and Sports Medicine, PLLC NY Healthcare Provider 177,101 Hacking incident
Bold Quail Holdings, LLC (NewGen Administrative Services, LLC) CA Healthcare Provider 105,425 Hacking incident
Prime Healthcare Employee Health Plan CA Health Plan 101,135 Hacking incident at business associate (Keenan & Associates)
Egyptian Health Department IL Healthcare Provider 100,000 Hacking incident
Scurry County Hospital District dba Cogdell Memorial Hospital TX Healthcare Provider 86,981 Hacking incident
MedQ, Inc. TX Business Associate 54,725 Ransomware attack (Data theft confirmed)
Coleman Professional Services Inc. OH Healthcare Provider 51,889 Email accounts compromised
Greater Cincinnati Behavioral Health Services OH Healthcare Provider 50,000 Hacking incident
Kirkland & Ellis LLP IL Business Associate 48,802 Hacking incident (MOVEit Transfer)
Employee Benefits Corporation of America and Benefit Design Group, Inc. VA Health Plan 38,912 Hacking incident
Washington County Hospital and Nursing Home AL Healthcare Provider 29,346 Ransomware attack (Data theft confirmed)
Qualcomm Incorporated CA Health Plan 27,038 Hacking incident at a business associate
McKenzie County Healthcare System, Inc. ND Healthcare Provider 21,000 Email accounts compromised
East Carolina University’s Brody School of Medicine, a member of the ECU Health affiliated covered entity NC Healthcare Provider 19,085 Unauthorized access to a network server
Tiegerman NY Healthcare Provider 19,000 Hacking incident
Human Affairs International of California CA Business Associate 18,347 Unauthorized Access/Disclosure of paper/films
Maryville, Inc. NJ Healthcare Provider 15,503 Email account compromised
Bay Area Anesthesia, LLC FL Healthcare Provider 15,196 Hacking incident at business associate (Bowden Barlow Law)
AGC Flat Glass North America, Inc. Welfare Benefits Plan GA Health Plan 13,079 Hacking incident
Littleton Regional Healthcare NH Healthcare Provider 12,614 Misdirected email
CVS Caremark Part D Services, L.L.C. (“CVS”) RI Business Associate 11,193 Unauthorized Access/Disclosure of paper/films

Data Breach Causes and Location of Compromised PHI

As has been the case for many months, the main cause of healthcare data breaches in February was hacking. In February, there were 41 data breaches classed as hacking/IT incidents – 69.5% of the month’s data breaches. These incidents typically see large numbers of records compromised and February was no exception. Across those 41 incidents, the protected health information of 5,017,167 individuals was exposed or compromised – 97.8% of the month’s breached records. The 16 largest healthcare data breaches in February were all hacking incidents. The average breach size was 122,370 records and the median breach size was 7,288 records.

HIPAA-regulated entities reported 16 data breaches that were classed as unauthorized access/disclosure incidents. Across those 16 data breaches, the records of 104,359 individuals were accessed by unauthorized individuals or were impermissibly disclosed. The largest of those incidents was a phishing attack that saw multiple email accounts compromised and the records of 21,000 individuals exposed. The average breach size was 6,522 records and the median breach size was 2,516 records. There were two theft incidents involving the records of 8,989 individuals. No loss or improper disposal incidents were reported in February. The most common location of breached healthcare data was network servers, followed by email accounts.

While it is not possible to prevent all data breaches, many could be avoided by ensuring compliance with the HIPAA Security Rule and implementing OCR’s HPH Cybersecurity Performance Goals (CPGs). The CPGs are split into essential CPGs and advanced CPGs. The Essential CPGs address common vulnerabilities, will significantly improve an organization’s security posture and incident response, and minimize residual risk. The Enhanced CPGs are intended to help HPH sector organizations mature their cybersecurity capabilities and improve their defences against additional attack vectors. A recent IBM study determined that 85% of cyberattacks in critical infrastructure sectors could have been prevented with basic security measures such as those included in the essential CPGs.

Where Did the Data Breaches Occur?

OCR’s data breach portal shows there were 33 data breaches at healthcare providers (1,632,712 records), 16 data breaches at health plans (212,785 records), and 10 data breaches at business associates (3,285,018 records). These figures show the reporting entity rather than where the data breach occurred. When a data breach occurs at a business associate, it may be reported by the business associate, the affected covered entities, or a combination of the two. For example, in February,16 data breaches were reported by health plans, but 8 of those breaches occurred at business associates. The pie charts show where the data breaches occurred rather than the entity that reported the breach.

Geographical Distribution of Healthcare Data Breaches

In February, large healthcare data breaches were reported by HIPAA-regulated entities in 27 states and the District of Columbia. California had the most breaches but Arizona was the worst affected in terms of the number of breached records, with 2,351,027 records compromised in 2 data breaches.

State Breaches
California 6
New York & Ohio 5
Illinois, Kentucky & Texas 4
Alabama, Florida & Michigan 3
Arizona, North Carolina & Rhode Island 2
Colorado, Georgia, Iowa, Maryland, Massachusetts, Missouri, New Hampshire, New Jersey, North Dakota, Oklahoma, Pennsylvania, South Carolina, Tennessee, Virginia, West Virginia & the District of Columbia 1

HIPAA Enforcement Activity in February 2024

In February, OCR announced two settlements with HIPAA-regulated entities to resolve HIPAA compliance failures. OCR investigated Montefiore Medical Center, a non-profit hospital system based in New York City, over a data breach involving a malicious insider. The breach was discovered in 2015 by the New York Police Department, and the investigation revealed a former employee had stolen the data of 12,517 patients over a 6-month period in 2013. OCR launched an investigation in 2015, but it took until February 2024 for the case to be settled.

OCR identified multiple HIPAA failures, and the severity of those failures warranted a significant fine. Montefiore Medical Center was determined to have failed to conduct a comprehensive risk analysis, failed to implement procedures to regularly review records of information system activity, and failed to implement hardware, software, and/or procedural mechanisms that record and examine activity in all information systems that contain or use ePHI. Montefiore Medical Center agreed to pay a $4.75 million penalty to settle the alleged HIPAA violations.

OCR also announced a $40,000 settlement with Green Ridge Behavioral Health, a Gaithersburg, MD-based provider of psychiatric evaluations, medication management, and psychotherapy. This was the second settlement to be reached with a HIPAA-regulated entity over a ransomware attack. OCR determined that a comprehensive risk analysis had not been conducted, there was a failure to manage risks to the confidentiality, integrity, and availability of ePHI, and there were insufficient policies and procedures for reviewing records of information system activity. These failures contributed to the ransomware attack and the impermissible disclosure of the PHI of more than 14,000 patients.

State Attorneys General also have the authority to issue financial penalties for HIPAA violations; however, no civil monetary penalties or settlements were announced in February.

The post February 2024 Healthcare Data Breach Report appeared first on HIPAA Journal.

R1 RCM Data Breach Impacts 16,000 Patients

Posted by Steve Alder

Data breaches have recently been reported by R1 RCM, St. Mary’s Healthcare System for Children, Philips Respironics, and California Correctional Health Care Services.

R1 RCM

R1 RCM Inc., a provider of revenue cycle management services to hospitals, has recently reported a breach of the protected health information of 16,121 individuals. According to a breach notice sent to the Massachusetts Attorney General, R1 learned on November 23, 2023, that protected health information associated with Dignity Health’s St. Rose Dominican Hospital de Lima was in the possession of an unauthorized third party. The hospital’s network was not compromised in the incident.

A review was conducted to determine the data types that had been obtained, and on January 11, R1 determined that the information contained names, contact information, dates of birth, Social Security numbers, location of services, clinical and/ or diagnosis information, and patient account and/or medical record numbers. R1 has notified the affected individuals directly and has offered them 2 years of complimentary credit monitoring and identity theft protection services.

St. Mary’s Healthcare System for Children, Inc.

St. Mary’s Healthcare System for Children, Inc. in Bayside, NY, identified unauthorized activity within its computer network on or around November 9, 2023, and the forensic investigation confirmed that files were removed from its network the same day. A review of those files confirmed they contained the personal information of 5,650 individuals, including names and Social Security numbers. Individual notifications were mailed to the affected individuals on March 20, 2024, and 12 months of complimentary credit monitoring services have been offered. In a comment to The HIPAA Journal, a representative of St. Mary’s Healthcare System for Children stated that “Only 254 individuals were patients whose PHI may have been viewed, the remainder were employees, former employees and other individuals whose personal information (SSNs, not PHI) may have been viewed”.

Philips Respironics

Philips Respironics has recently reported a breach to the HHS’ Office for Civil Rights that involved the protected health information of 1,125 individuals. While the breach has recently been reported to OCR, it occurred on May 31, 2023, and involved the exploitation of a zero day vulnerability in Progress Software’s MOVEit Transfer software. Philips Respironics discovered the breach on June 5, 2023.

Two clients of Philips Respironics have recently confirmed that they have been affected: Forward Healthcare LLC and Rotech Healthcare. Forward Healthcare said it was notified by Philips Respironics on December 20, 2023, that there had been unauthorized access to the Care Orchestrator and Encore Anywhere software solutions via the MOVEit vulnerability, and personal and health information was potentially compromised. 3,999 Forward Healthcare patients were affected. Rotech Healthcare said it was notified about the incident on December 26, 2024, and was provided with a list of the affected patients. The compromised information included names, contact information, dates of birth, medical information related to the therapy delivered, and health insurance information. It is currently unclear how many Rotech patients have been affected.

California Correctional Health Care Services

California Correctional Health Care Services (CCHCS) has recently identified an impermissible disclosure of personal information. On or around February 26, 2024, a member of staff accidentally emailed an attachment to an unauthorized recipient. The attachment contained protected health information such as last names, CDCR numbers, medical information, risk/priority levels, order types/names, reasons for appointments, and dates of appointments.

CCHCS said the recipient of the email did not open or view the attached file and CCHCS received confirmation that the attachment has been deleted and was not shared with any other individual. The employee in question has been provided with additional privacy awareness and information security awareness training. It is currently unclear how many individuals have been affected.

The post R1 RCM Data Breach Impacts 16,000 Patients appeared first on HIPAA Journal.

Valley Oaks Health Reports 50,000-Record Data Breach

Posted by Steve Alder

Cyberattacks and data breaches have been reported by Valley Oaks Health and Sycamore Rehabilitation Services in Indiana, Plymouth Tube Company in Illinois, and Weirton Medical Center in West Virginia.

Valley Oaks Health, Indiana

Valley Oaks Health in Niles, IL, has recently notified 50,352 individuals about a breach of its network environment. Unauthorized individuals gained access to parts of its network between June 8, 2023, and June 13, 2023. Its network was secured, and third-party cybersecurity experts were engaged to assist with the investigation and confirmed that files containing patient data had been exposed and may have been stolen.

The forensic investigation and document review were completed on February 2, 2024. The breach notice sent to the Maine Attorney General has the specific types of compromised data redacted but the notice confirmed that names have been exposed along with Social Security numbers. Consumer notifications were mailed on March 18, 2024, and complimentary credit monitoring services have been offered to individuals whose Social Security numbers were exposed.

Weirton Medical Center, West Virginia

Weirton Medical Center in West Virginia identified suspicious activity within its computer network on January 18, 2024. Systems were immediately secured, and third-party cybersecurity experts were engaged to investigate the breach and determined there had been unauthorized access to the network between January 14, 2024, and January 18, 2024, and files were copied from its systems.

The information involved varied from individual to individual and may have included one or more of the following: name, Social Security number, date of birth, medical information, health insurance information, treatment information, and the balance due on medical bills. While files were confirmed as having been removed from the network, Weirton Medical Center is unaware of any misuse of patient data. Weirton Medical Center said strict security measures were already in place and they have been augmented to prevent similar incidents in the future. Notification letters were sent to the affected individuals on March 18, 2024. The incident has been reported to the HHS’ Office for Civil Rights as affecting 26,793 individuals.

Sycamore Rehabilitation Services, Indiana

Sycamore Rehabilitation Services, Inc. in Danville, IL, has reported a breach of its email system and the exposure of the personal data of 3,414 individuals. The breach was detected on September 21, 2023, with the forensic investigation confirming there had been unauthorized access to its network between July 29, 2023, and August 9, 2023. During that time, there may have been unauthorized access to names, dates of birth, Social Security numbers, driver’s license/state identification numbers, account numbers, routing numbers, medical information, and health insurance information. It was not possible to determine exactly what types of information were acquired in the attack.

Sycamore Rehabilitation Services said it had implemented security measures prior to the breach. Multi-factor authentication was enabled on all email accounts, a VPN was required for access to internal resources from outside the organization, critical patches were applied each month, email security solutions were in place, all endpoints were protected with Sentinel One anti-virus, Azure PowerShell access was off by default, and POP/IMAP was disabled by default. Those measures have now been augmented with Proofpoint email scanning and security, Breach Secure Now phishing testing, and DUO MFA on VPN accounts.

The affected individuals were notified by mail on March 1, 2024, and have been offered complimentary credit monitoring and identity theft protection services. Sycamore Rehabilitation Services said the delay in issuing notifications was due to the time taken to investigate the breach and identify the affected individuals.

Plymouth Tube Company, Illinois

Plymouth Tube Company in Warrenville, IL, has identified unauthorized access to its computer network. The forensic investigation confirmed that there was unauthorized access between January 27, 2024, and January 29, 2024, and during that time, the unauthorized actor accessed or acquired files on its servers which included files that contained employee benefit plan data.

The review of the affected files confirmed that 2,652 current and former employees and their dependents had been affected and had one or more of the following compromised: name, date of birth, Social Security number, driver’s license number, and plan information. The affected individuals were notified on March 13, 2024, and complimentary credit monitoring and identity theft protection services have been made available.

The post Valley Oaks Health Reports 50,000-Record Data Breach appeared first on HIPAA Journal.