HIPAA Breach News

South Denver Cardiology Associates Confirms Data Breach Affecting 287,000 Patients

South Denver Cardiology Associates (SDCA) has recently announced it was the victim of a cyberattack in January 2022 in which files containing patient information were accessed and potentially stolen by hackers.

Unusual network activity was detected on January 4, 2022, and the SDCA breach response process was immediately initiated. Systems were isolated from the network and shut down, with the investigation determining hackers had access to certain systems from January 2, 2022, to January 5, 2022.

During that time, the hackers accessed certain files stored on its systems, some of which contained patients’ personal and protected health information. A comprehensive review of those files confirmed they contained patient names along with one or more of the following types of information: dates of birth, Social Security numbers, drivers’ license numbers, patient account numbers, health insurance information, and clinical information such as physician names, dates and types of service, and diagnoses.

SDCA said the contents of medical records were unaffected, the patient portal was not compromised, and the investigation did not uncover any evidence of actual or attempted misuse of patient information; however, as a precaution, affected individuals have been offered complimentary access to credit monitoring and identity theft protection services.

The breach has been reported to the HHS’ Office for Civil Rights as affecting up to 287,652 individuals.

Up to 80,000 Patients Affected by Memorial Village ER Cyberattack

Memorial Village ER in Houston TX, has recently started notifying 80,000 patients that some of their protected health information was stored on a server that was accessed by hackers on February 18, 2022.

Memorial Village ER said the server was secured with HIPAA-compliant safeguards, but the security defenses were breached by an unknown entity who potentially viewed and/or obtained files on the server. A comprehensive review was conducted to determine the types of information on the server, which confirmed the breach was limited to names, addresses, birth dates, and COVID-19 test results. Affected individuals were notified on March 9, 2022, less than a month after the breach was detected.

Social Security numbers, financial information, and insurance information were not compromised; however, out of an abundance of caution, affected individuals have been offered a complimentary 12-month membership to Experian’s IdentityWorks identity theft protection service.

Memorial Village ER said it has now upgraded its cybersecurity platform to prevent further security breaches in the future.

The post South Denver Cardiology Associates Confirms Data Breach Affecting 287,000 Patients appeared first on HIPAA Journal.

Logan Health Facing Class Action Lawsuit Over Data Breach

Legal action is being taken against Logan Health and subsidiary, sister, and related entities of Logan Health over a data breach that occurred in 2021 and affected 213,543 Logan Health Medical Center patients.

The class action lawsuit was filed in the U.S. District Court for the District of Montana Great Falls Division by law firm Heenan & Cook on behalf of plaintiff Allison Smeltz and all similarly affected individuals over the alleged failure of the health system to protect the plaintiff’s and class members’ sensitive personal information.

The data breach in question was reported by Logan Health in February 2022, with its investigation confirming unauthorized individuals had access to its system between November 18, 2021, and November 22, 2021. Hackers gained access to a single file server housing files that contained patients’ protected health information such as names, contact information, insurance claim information, date(s) of service, medical bill account number, and health insurance information. Logan Health said it had found no evidence of misuse of patient data, offered affected individuals complimentary credit monitoring and identity protection services, and said it is implementing additional measures to prevent similar data breaches.

According to the lawsuit, the cyberattack and data breach were due to the failure of Logan Health to “implement adequate and reasonable training of employees and/or procedures and protocols,” and claims Logan Health and the other defendants should have been aware of the value of protected health information to hackers and the risk of data breaches, given the number of breaches now being reported and the warnings from Federal agencies to the healthcare industry.

The lawsuit points out that the data breach was one of several to have affected Logan Health. Logan Health reported another breach in January 2021 that affected 2,081 Montanans, and another in 2019 that affected 126,805 Montanans when Logan Health was operating as Kalispell Regional Healthcare.

The lawsuit claims that as a direct result of the failure to prevent the data breach, victims have suffered and will continue to suffer damages, including the compromise, publication, theft and/or unauthorized use of their PII/PHI, out-of-pocket costs from the prevention, detection, recovery, and remediation from identity theft or fraud, lost opportunity costs and lost wages, and the continued risk to their PII/PHI from the failure of Logan Health to implement appropriate safeguards to protect against data breaches.

The lawsuit cites several causes of action, including negligence, invasion of privacy, breach of implied contract, unjust enrichment, and violations of the Montana Consumer Protection Act, and alleges Logan Health had failed to comply with the requirements of the Health Insurance Portability and Accountability Act (HIPAA).

The lawsuit seeks class action status, a jury trial, injunctive relief, compensatory, statutory, and punitive damages, and attorneys’ fees.


Breach Barometer Report Shows Over 50 Million Healthcare Records Were Breached in 2021

Protenus has released its 2022 Breach Barometer Report which confirms 2021 was a particularly bad year for healthcare industry data breaches, with more than 50 million healthcare records exposed or compromised in 2021.

The report includes healthcare data breaches reported to regulators, as well as data breaches that have been reported in the media, incidents that have not been disclosed by the breached entity, and data breaches involving healthcare data at non-HIPAA-regulated entities. The data for the report was provided by databreaches.net.

Protenus has been releasing annual Breach Barometer reports since 2016, and the number of healthcare data breaches has increased every year, with the number of breached records increasing every year since 2017. In 2021, it has been confirmed that at least 50,406,838 individuals were affected by healthcare data breaches, a 24% increase from the previous year. 905 incidents are included in the report, which is a 19% increase from 2020.

The largest healthcare data breach of the year affected Florida Healthy Kids Corporation, a Tallahassee, FL-based children’s health plan. Vulnerabilities in its website had not been addressed by its business associate since 2013, and those vulnerabilities were exploited by hackers who gained access to the sensitive data of 3,500,000 individuals who applied for health insurance between 2013 and 2020.

Hacking incidents increased for the 6th successive year, with 678 breaches – 75% of the year’s total – attributed to hacking incidents, which include malware, ransomware, phishing, and email incidents. Those breaches resulted in the records of 43,782,811 individuals being exposed or stolen – 87% of all breached records in 2021.

There has been a general trend over the past 6 years that has seen the number of insider incidents fall, albeit with an increase in 2020. There were 111 insider incidents in 2021, similar to the 110 incidents in 2019, which is a 26% decrease from 2020. The increase in 2020 is believed to be pandemic-related, with Protenus suggesting the 2020 spike was driven by a pandemic-related increase in insider curiosity or organizational detection of impropriety that has since subsided.

There were 32 theft-related breaches involving at least 110,6656 records and 11 cases of lost or missing devices or paperwork containing the records of at least 30,922 individuals. 73 incidents could not be classified due to a lack of information.

Healthcare providers continue to be the worst affected HIPAA-covered entity type, but business associate data breaches have increased to almost double the level of 2019. 75% of those incidents were hacking-related, 12% were due to insider error, and 1% were due to insider wrongdoing. Across those incidents, 20,986,509 records were breached. Protenus says that the average number of records exposed per business associate data breach is higher than for any other breach category.

The time taken to discover a data breach decreased by 30% since 2020. The average time from the date of the breach to discovery is now 132 days; however, it is taking much longer for organizations to disclose data breaches than in 2020. In 2021, the average time to report a data breach was 118 days, which is well over the 60 days stipulated by the HIPAA Breach Notification Rule. In 2020, the time from discovery to reporting was 85 days. The median time for reporting breaches was 62 days in 2021, which is also over the Breach Notification Rule reporting deadline.

“The need for proactive patient privacy monitoring has never been greater. The threats we’re seeing today are much more intrusive than in years past and can come from multiple sources — a random employee snooping or a sophisticated cybersecurity hacker that gains access through an employee channel,” said Nick Culbertson, CEO of Protenus. “Once a breach erodes patient trust in your organization, that’s extremely difficult to recover from.”


6 Healthcare Providers and Business Associates Report Hacks and Ransomware Attacks

A round-up of 6 cyberattacks that have recently been reported by healthcare providers and business associates that resulted in the exposure and possible theft of patients’ protected health information.

Duncan Regional Hospital

Duncan Regional Hospital in Oklahoma has announced that hackers gained access to its systems and potentially exfiltrated sensitive patient and employee information. The breach was detected on January 20, 2022, and immediate action was taken to secure its systems, and an independent computer forensics company was engaged to conduct a forensic investigation to determine the nature and scope of the breach.

A review of the files on the affected parts of its system confirmed they contained patient information such as name, date of birth, Social Security number, limited treatment information, and medical appointment information such as date of service and name of providers. Employee data potentially accessed in the attack included personal information associated with W-2s, such as name, date of birth, address, and Social Security number.

Duncan Regional Hospital said it performed a full password reset, tightened firewall restrictions, and implemented endpoint threat detection and response monitoring software on workstations and servers. Affected individuals have now been notified and have been offered complimentary credit monitoring and identity theft protection services.

The breach was reported to the Maine attorney general as affecting 92,398 individuals.

Bako Diagnostics

Bako Diagnostics (BakoDx), a Georgia-based provider of laboratory services to healthcare providers, has announced it was the victim of a cyberattack that was discovered on December 28, 2021.

BakoDx said the investigation into the cyberattack is ongoing, but it has been confirmed that hackers gained access to its network and removed data between December 21, 2021, and December 28, 2021. The files exfiltrated from its systems included the protected health information of patients. In addition to names, one or more of the following data types may have been compromised: date of birth, address, telephone number, email address, health insurance information, medical record number, date(s) of service, provider and facility names, specimen/test information, billing and claims information, and financial account information.

BakoDx said it has enhanced its security and monitoring capabilities and has hardened the security of its systems to prevent further cyberattacks. Individuals whose Social Security number, driver’s license, state identification number, or financial account information may have been involved have been offered complimentary credit monitoring services.

The breach has been reported to the HHS’ Office for Civil Rights as affecting up to 25,745 individuals.

Alliance Physical Therapy Group

Alliance Physical Therapy Group (APTG) in Grand Rapids, MI, said it discovered on December 27, 2021, that unauthorized individuals had gained access to certain systems within its network. Assisted by a third-party cybersecurity firm, APTG determined on January 7, 2022, that files containing the protected health information of 14,970 patients may have been exfiltrated from its network between December 23, 2021, and December 28, 2021.

A review of those files confirmed they contained patient names, dates of birth, Social Security numbers, driver’s license numbers, medical information, and health insurance information.

APTG said it is reviewing its cybersecurity policies and procedures and will implement additional measures and safeguards to prevent further cyberattacks. APTG found no evidence of misuse of patient data but has offered affected individuals 12 months of complimentary credit monitoring and identity restoration services. Notification letters were sent on January 28, 2022.

DataHEALTH

The Austin, TX-based cloud hosting and data storage company DataHEALTH has announced it was the victim of a ransomware attack on November 3, 2021. Prompt action was taken to contain the incident and a third-party cybersecurity firm was engaged to investigate the incident.

DataHEALTH said it learned on December 30, 2021, that the attackers obtained data from its servers through third-party software used by some of its healthcare provider clients, which included patients’ protected health information. DataHEALTH said it worked with the third-party software provider to update credentials for all customers that use the software and additional security protocols have been implemented to enhance the security of its network.

While sensitive information was stolen, DataHEALTH said it found no evidence to suggest any of that information has been misused; however, as a precaution, affected individuals have been offered complimentary credit monitoring and identity theft protection services and will be protected by a $1 million identity theft insurance policy.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

JDC Healthcare Management

Dallas, TX-based JDC Healthcare Management, also known as Jefferson Dental & Orthodontics, has recently announced that malware was discovered on certain company systems which allowed unauthorized individuals to access and potentially exfiltrate sensitive patient information.

The malware was detected on or around August 9, 2021, with the investigation confirming the malware was downloaded onto its systems on July 27, 2021. The malware was removed and unauthorized access to its systems was prevented on August 11, 2021.

JDC Healthcare Management performed a comprehensive review of all files on its systems that may have been compromised and confirmed they included patient names, Social Security numbers, passport numbers, driver’s license numbers, state identification numbers, dates of birth, clinical information, health insurance information, and financial information.

The review was completed on January 10, 2022, and notification letters were sent to affected individuals, who have been offered complimentary credit monitoring and identity theft protection services.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Dr. Douglas C. Morrow

Auburn, Indiana-based Dr. Douglas C. Morrow has recently announced that hackers gained access to his IT systems and used ransomware to encrypt data. The incident occurred on May 16, 2021, and a digital forensics firm was engaged to investigate the scope of the incident. The investigation confirmed on October 29, 2021, that the attackers had access to IT systems that contained patient data and that files containing patients’ protected health information may have been exfiltrated prior to file encryption.

A review of those files was completed on December 8, 2021, and confirmed the following types of information may have been stolen: names, addresses, Social Security numbers, driver’s license numbers, health insurance information, Member/Medicaid ID numbers, treatment/diagnosis information, dates of service, provider name(s), patient account number(s), and medical record number(s). Dr. Douglas C. Morrow said notification letters were sent to affected individuals on February 23, 2022.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.


PHI of Over 500,000 Individuals Potentially Compromised in These 4 Security Incidents

Over 500,000 individuals have been affected by cyberattacks on Norwood Clinic, PracticeMax, Central Indiana Orthopedics, and an unauthorized electronic medical record incident at Ascension Michigan.

Norwood Clinic

The Birmingham, AL-based multi-specialty clinic, Norwood Clinic, has recently started notifying 228,103 individuals that some of their protected health information was accessed in a cyberattack that was detected on October 22, 2021. Upon detection of the breach, systems were immediately secured and third-party security experts were engaged to investigate the incident and determine the nature and scope of the breach.

The investigation confirmed that an unauthorized individual gained access to a server that housed patient information such as names, contact information, birth dates, Social Security numbers, driver’s license numbers, limited health information, and/or health insurance policy numbers. While unauthorized data access was confirmed, it was not possible to determine the specific information that was accessed, or whether any patient information was acquired in the attack.

Norwood Clinic said a complimentary 12-month membership to credit monitoring, dark web monitoring, and identity theft protection services has been offered to affected individuals and steps have been taken to improve cybersecurity, including revising email settings and policies, updating and modifying network security technical hardware, adding additional password complexity rules, and instituting more secure login mechanisms.

PracticeMax

The business management and information technology solution provider PracticeMax has recently notified the Maine Attorney General about a data breach that has affected 165,698 individuals. PracticeMax said it started experiencing technical difficulties on May 1, 2021 and launched an investigation into a potential security breach.

The forensic investigation confirmed that unauthorized individuals gained access to its systems on April 17, 2021, and access remained possible until May 5, 2021. The attackers gained access to a server and potentially copied files containing the protected health information of patients and health plan members of its clients, prior to deploying ransomware.

PracticeMax said it issued notification letters on behalf of affected clients on October 19, 2021, even though the review of the server had not yet concluded. The review was concluded on February 2, 2022, and affected customers were updated on February 14, 2022. The types of data stored on the server varied from individual to individual and may have included names and Social Security numbers. PracticeMax said further notification letters started to be sent to individuals who had not previously been notified on March 4, 2022.

According to the recent web notice, “PracticeMax continues to assess the security of its systems and to enhance existing policies and procedures, including implementing additional technical and administrative safeguards.”

Central Indiana Orthopedics

External counsel for Central Indiana Orthopedics (CIO) has recently notified the Maine Attorney General and sent notification letters to 83,705 individuals affected by a cyberattack that was identified on October 16, 2021. While notification letters were delayed, the breach was announced on the CIO website shortly after it was detected in October 2021.

Following the discovery of suspicious network activity, CIO engaged a third-party cybersecurity firm to investigate the breach and help secure its IT systems. The investigation confirmed that files containing protected health information had been accessed by an unauthorized actor and may have been stolen in the attack. The potentially compromised data included names, addresses, Social Security numbers, and limited health information.

CIO said complimentary identity theft protection services are being offered to affected individuals, which include dark web monitoring and a $1 million identity theft insurance policy. Databreaches.net has previously reported on the incident and said a threat group known as Grief claimed responsibility and had uploaded some of the stolen data to the group’s data leak site.

Ascension Michigan

Ascension Michigan has recently started notifying 27,177 individuals about a lengthy unauthorized electronic medical record access incident. Ascension Michigan said the user’s access to the system was immediately terminated when the unauthorized access was discovered. The investigation into the incident confirmed that the user had improperly accessed patient information in the EHR system from October 15, 2015, until September 8, 2021.

A review of the unauthorized access was completed on November 30, 2021, and confirmed that the following types of information had been viewed: full names, birth dates, addresses, email addresses, phone numbers, health insurance information, health insurance identification numbers and carriers, dates of service, diagnoses, treatment-related information, and, in some cases, Social Security numbers.

Following the breach, internal controls were reviewed and processes have been updated to better safeguard patient information. Credit and identity theft protection monitoring services have been offered to affected individuals.


3 Email Security Incidents Reported That Affect More Than 111,000 Patients

Email account breaches have been reported by Montrose Regional Health, EPIC Pharmacy Network, and Acacia Network, and North Shore University Hospital has reported an incident involving a former employee accessing protected health information without authorization.

Montrose Regional Health

The Colorado-based health system Montrose Regional Health has recently started notifying 52,632 patients that some of their protected health information was exposed when unauthorized individuals gained access to employee email accounts. Suspicious activity was detected in an employee’s email account, prompting an immediate investigation. Assisted by a third-party cybersecurity company, Montrose Regional Health discovered multiple employee email accounts had been accessed by unauthorized individuals between August 2, 2021, and October 26, 2021.

A review of the emails and attachments was conducted and it was confirmed on February 25, 2022, that the accounts contained names along with one or more of the following data types: inpatient/outpatient status, internal patient account number, service date, treatment cost, procedure code, provider name, and/or health insurance provider. Montrose Regional Health said it found no evidence of misuse of any of the information stored in the email accounts.

Puerto Rican Organization to Motivate, Enlighten, and Serve Addicts

Acacia Network has recently disclosed a data breach that happened more than 18 months ago and affected 30,220 individuals who received services through the Puerto Rican Organization to Motivate, Enlighten, and Serve Addicts. According to a February 22, 2022, breach notice, Acacia detected a breach of its email environment on July 17, 2020, with the subsequent internal and forensic investigation confirming email accounts were accessed by unauthorized individuals between June 6, 2020, and June 12, 2020.

It was not possible to determine if the unauthorized individuals viewed or obtained any information in the accounts; however, it is possible the following types of information may have been compromised: names, Social Security numbers, driver’s license numbers, addresses, birth dates, financial account numbers, medical record numbers, resident identification numbers, health insurance information, Medicare numbers, provider names, treatment, prescription, and/or diagnostic information.

Acacia said it is offering complimentary credit monitoring and identity protection services to individuals who had either a Social Security number or driver’s license number exposed. It is unclear why it took so long for breach notifications to be issued.

EPIC Pharmacy Network

Mechanicsville, VA-based EPIC Pharmacy Network has recently disclosed a breach of its email environment. EPIC said two employee email accounts were accessed by unauthorized individuals, with the forensic investigation and document review concluding on December 22, 2021.

The forensic investigation confirmed the two email accounts were both accessed by unauthorized individuals on August 19, 2021. The accounts contained names, dates of birth, and medical diagnosis/treatment information, including but potentially not limited to prescription information, as well as medical identification number(s) and/or health insurance plan information.

EPIC said it found no evidence that any information in the accounts was acquired or has been misused. Following the breach, EPIC worked with its information technology managed services providers to implement additional security measures to protect against any further email attacks.

Notification letters were sent to the 28,776 affected individuals on February 8, 2022, and complimentary credit monitoring services have been offered to certain individuals.

North Shore University Hospital

North Shore University Hospital (NSUH) in Manhasset, NY has recently started notifying 7,614 patients that some of their protected health information has been accessed by a former employee without authorization.

It is unclear when unauthorized access was detected. NSUH said it was determined on April 11, 2019, that unauthorized access had occurred between October 2009 and February 2019. The employee was initially suspended while the breach was investigated and was later terminated over the unauthorized access. The incident was reported to law enforcement which requested a delay in issuing notification letters so as not to interfere with the investigation. NSUH said it is unaware of any misuse of patient data and the hospital does not believe any charges were filed against the former employee in relation to the unauthorized access.


Healthcare Organizations Report Email Compromises, Hacking Incidents and Other ePHI Exposures

A round-up of data breaches that have recently been reported by healthcare organizations that have involved the exposure or theft of individuals’ personal and protected health information.

Catholic Health Services Reports Breach of Employee Email Accounts

Miami Lakes, FL-based Catholic Health Services has discovered the email accounts of three Catholic Hospice employees have been accessed by unauthorized individuals. Assisted by a third-party computer forensics firm, Catholic Health Services determined on December 1, 2021, that the email accounts contained sensitive data including names, addresses, and one or more of the following data types: demographic information, Social Security numbers, medical information, and treatment history, diagnosis, and other health-related information.

The breach was reported to the HHS’ Office for Civil Rights as affecting 14,986 individuals. Notifications have now been issued and breach victims have been offered complimentary credit monitoring and identity theft protection services, which include a $1,000,000 identity theft insurance policy.

Crossroads Health Reports Breach of 10,324 Records

Crossroads Health in Ohio has experienced a cyberattack that disrupted some of its IT systems. The security incident was detected on January 18, 2022, with the subsequent investigation confirming unauthorized individuals had access to its systems between November 18, 2021, and January 18, 2022.

Assisted by a third-party computer forensics firm, Crossroads Health determined on January 24, 2022, that the attackers exfiltrated files from a legacy system that included the data of clients of the former behavioral health facility, Beacon Health, that has now merged with Crossroads Health. Those files included information such as names, contact information, dates of birth, Social Security numbers, driver’s license numbers, treatment and diagnosis information, and/or health insurance information.

The breach has been reported to the HHS’ Office for Civil Rights as affecting 10,324 individuals. Patients who had their Social Security numbers and/or driver’s license numbers exposed have been offered complimentary credit monitoring and identity protection services.

Crossroads Health said it has implemented additional technical safeguards to protect against future cyberattacks.

CVS Pharmacy Password Spraying Attack Exposed PHI of 6,221 Individuals

CVS Pharmacy says it was the victim of a password spraying attack that allowed hackers to gain access to certain customer accounts on its retail website, CVS.com. Password spraying is an attack in which a small number of commonly used passwords are tried against a large number of accounts, so that no single account receives enough failed attempts to trigger a lockout. (Replaying username/password pairs exposed in previous data breaches against other sites is a related but distinct technique, credential stuffing.)

On January 25, 2022, CVS Pharmacy determined certain accounts had been compromised. Those accounts contained information such as first and last names, birth dates, mailing addresses, email addresses, and limited prescription information.

A password reset was performed on all affected accounts and steps have been taken to improve the security of its websites. The breach has been reported to the HHS’ Office for Civil Rights as affecting 6,221 individuals.
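Because a spray leaves only one or two failures on each account, the per-account lockout that most login systems rely on never fires; the detectable signal is one source failing against many distinct accounts inside a short window. The following Python is an added example written for this page, not CVS Pharmacy code: the log format (timestamp, src=, user=, result=), the source addresses, and the account names are all constructed for illustration, and the thresholds are assumptions a defender would tune to their own traffic.

```python
"""Spotting a password-spraying campaign in login logs.

Added example, not CVS Pharmacy code. The log format (timestamp, src=, user=,
result=), the addresses and the account names are all constructed here.
"""
from collections import defaultdict
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # assumed timestamp format of the constructed log


def build_sample_log() -> list[str]:
    """Constructed sample: one source tries two passwords against 30 accounts in
    about four minutes (the spraying shape) and gets into one of them, while a
    legitimate user elsewhere mistypes a password twice before logging in."""
    lines = []
    t = datetime(2022, 1, 24, 10, 0, 0)
    for i in range(30):
        for attempt in range(2):
            t += timedelta(seconds=4)
            result = "OK" if (i == 17 and attempt == 1) else "FAIL"
            lines.append(f"{t.strftime(TS_FORMAT)} src=203.0.113.7 user=user{i:02d} result={result}")
    lines += [
        "2022-01-24T10:01:00Z src=198.51.100.5 user=legit result=FAIL",
        "2022-01-24T10:01:20Z src=198.51.100.5 user=legit result=FAIL",
        "2022-01-24T10:01:45Z src=198.51.100.5 user=legit result=OK",
    ]
    return lines


def parse(line: str) -> tuple[datetime, str, str, str]:
    """Split one constructed log line into (timestamp, source, user, result)."""
    ts, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    return datetime.strptime(ts, TS_FORMAT), kv["src"], kv["user"], kv["result"]


def per_account_lockouts(lines: list[str], threshold: int = 5) -> set[str]:
    """The classic control: lock an account after `threshold` failed logins.
    A spray stays under the threshold on every account, so this returns nothing."""
    failures = defaultdict(int)
    for _, _, user, result in map(parse, lines):
        if result == "FAIL":
            failures[user] += 1
    return {user for user, n in failures.items() if n >= threshold}


def spraying_sources(lines: list[str], window: timedelta = timedelta(minutes=10),
                     min_accounts: int = 10, max_per_account: int = 3) -> dict[str, dict]:
    """Flag any source that, inside `window`, fails against at least `min_accounts`
    distinct users while hitting no single account more than `max_per_account`
    times. Counting failures per source ACROSS accounts is what lockout misses."""
    failures_by_src = defaultdict(list)
    for ts, src, user, result in sorted(map(parse, lines), key=lambda e: e[0]):
        if result == "FAIL":
            failures_by_src[src].append((ts, user))

    flagged = {}
    for src, fails in failures_by_src.items():
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:  # slide the window forward
                start += 1
            per_user = defaultdict(int)
            for _, user in fails[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                best = flagged.get(src)
                if best is None or len(per_user) > best["accounts"]:
                    flagged[src] = {"accounts": len(per_user),
                                    "window_start": fails[start][0],
                                    "window_end": fails[end][0]}
    return flagged


def compromised_accounts(lines: list[str], flagged: dict[str, dict]) -> set[str]:
    """Accounts that a flagged source logged into successfully: these are the
    ones that need a forced password reset and a review of what was viewed."""
    return {user for _, src, user, result in map(parse, lines)
            if result == "OK" and src in flagged}


if __name__ == "__main__":
    log = build_sample_log()
    print("per-account lockouts:", per_account_lockouts(log) or "none")
    hits = spraying_sources(log)
    for src, info in hits.items():
        print(f"spray from {src}: {info['accounts']} accounts between "
              f"{info['window_start']:%H:%M:%S} and {info['window_end']:%H:%M:%S}")
    print("accounts to reset:", compromised_accounts(log, hits))
```

On the constructed data the per-account lockout returns nothing, while the per-source view flags 203.0.113.7 against 30 accounts and names the one account it actually got into. In production the same aggregation is usually done per source network or per ASN rather than per single address, since sprayers rotate through proxies, and a successful login from a flagged source is the trigger for the kind of forced reset CVS describes.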

Towne Home Care Reports Breach of the PHI of 5,591 Individuals

The New Jersey provider of home care services, Towne Home Care, has recently issued notifications to 5,591 individuals about a cyberattack that was detected and blocked on May 17, 2021, that resulted in protected health information being exposed.

Computer forensics experts were engaged to investigate the security breach and a review was conducted of all files on the affected systems. The investigation did not uncover any evidence to suggest any misuse of patient data; however, as a precaution, complimentary credit monitoring services are being offered to affected individuals.

Fellowship Community Suffers Breach of the PHI of 3,500 Individuals

Bible Fellowship Church Homes, Inc. dba Fellowship Community in Whitehall, PA, has recently announced it was the victim of a cyberattack that was detected on August 6, 2021. Digital forensics experts were engaged to investigate the breach, with the investigation determining unauthorized individuals gained access to its systems on July 31, 2021, and potentially accessed and acquired sensitive information.

A review was conducted of the files on the affected systems and that process was completed on February 1, 2022. Fellowship Community then confirmed contact information and issued notifications. The attackers potentially obtained names, dates of birth, Social Security numbers, financial account numbers, medical information, and/or health insurance information. Fellowship Community found no evidence to suggest there has been any misuse of individuals’ information.

The breach was reported to the HHS’ Office for Civil Rights as affecting 3,500 individuals.

Michigan Medicine Announces Breaches Affecting Over 3,000 Patients

Ann Arbor, MI-based Michigan Medicine has started notifying 2,920 patients about an email account breach. A hacker gained access to an employee's email account after the employee responded to a phishing email, and then used that account to send further phishing emails.

A Michigan Medicine spokesperson said the email account was accessed on December 23, 2021, but the unauthorized access was not detected until January 6, 2022, when the employee identified suspicious email activity. A comprehensive review of emails was conducted to determine which patients had their information exposed. That process was completed on February 15, 2022.

The information in the email account varied from patient to patient and included names, addresses, birth dates, medical record numbers, diagnostic and treatment information, and health insurance information. Financial information and Social Security numbers were not exposed.

Michigan Medicine has also notified 269 patients that some of their protected health information was accessed without authorization by a newly hired employee. The breach was detected on January 27, 2022, with the investigation confirming the unauthorized access occurred between January 12, 2022, and January 25, 2022. The incident appears to be a case of snooping. The former employee had links with the local Korean community and the records accessed related to members of that community. The former employee accessed demographic and clinical information, including diagnoses, treatment information, and test results, and was terminated for the HIPAA violation.

Charlotte Radiology Confirms Patient Data Stolen in Cyberattack

Charlotte Radiology in North Carolina has confirmed patient data was stolen in a cyberattack that saw its systems compromised between December 17, 2021, and December 24, 2021.

A forensics firm was engaged to investigate the breach and determine the extent and scope of the incident. The investigation confirmed that files were exfiltrated from its systems that included the protected health information of a limited number of individuals including names, addresses, birth dates, health insurance information, medical record numbers, patient account numbers, physician name(s), date(s) of service, diagnoses and/or treatment information related to radiology services.

Charlotte Radiology says the breach affected a very limited number of patients. Individuals who had their Social Security number exposed or stolen have been offered complimentary credit monitoring services. Steps have since been taken to improve information security, systems, and monitoring capabilities.

The post Healthcare Organizations Report Email Compromises, Hacking Incidents and Other ePHI Exposures appeared first on HIPAA Journal.

Monongalia Health System Suffers Another Major Data Breach

West Virginia-based Monongalia Health System (Mon Health) has announced it was the victim of a cyberattack that has exposed patient, employee, and contractor data. This is the second major data breach to be reported by the health system in the past 12 months. Mon Health has confirmed that these two data breaches are separate incidents, although it is unclear at this stage if they are in any way related.

The previous data breach was the result of a phishing attack that saw several employee email accounts compromised. Mon Health announced the breach on December 21, 2021, and said the security breach was discovered in July 2021 when a vendor reported not receiving a payment. The attackers used the compromised email accounts to divert a wire transfer. The investigation into the breach determined the email accounts were compromised between May 10, 2021, and August 15, 2021, and they contained the protected health information of 398,164 patients. In this incident, IT systems were not disrupted.

According to the latest Mon Health press release, the latest breach was discovered on December 30, 2021, 9 days after the announcement was made about the previous data breach. Mon Health detected unusual activity in its IT environment and took prompt action to secure its systems. IT systems were taken offline, downtime procedures were initiated, an organization-wide password reset was performed, and a third-party forensics firm was engaged to investigate the breach. This attack resulted in disruption to its IT systems.

Mon Health said its investigation determined that unauthorized individuals accessed IT systems between December 8, 2021, and December 19, 2021, that contained the protected health information of patients and members of its employee health plan, and contractor information. Mon Health said the incident also affected its affiliated hospitals: Monongalia County General Hospital Company, Stonewall Jackson Memorial Hospital Company, and Preston Memorial Hospital Corporation.

Mon Health was unable to rule out unauthorized access to files containing names, addresses, Social Security numbers, Medicare Health Insurance Claim Numbers, dates of birth, patient account numbers, health insurance plan member ID numbers, medical record numbers, dates of service, provider names, claims information, medical and clinical treatment information and/or the status as a current or former Mon Health patient or member of Mon Health’s employee health plan.

Mon Health said it has since hardened network security and will continue to implement additional safeguards and technical security measures to better protect and monitor its systems. Notification letters started to be sent to affected individuals on February 28, 2022.

The data breach has yet to appear on the HHS’ Office for Civil Rights breach portal so it is currently unclear how many individuals have been affected.

The post Monongalia Health System Suffers Another Major Data Breach appeared first on HIPAA Journal.

OCR Director Encourages HIPAA-Regulated Entities to Strengthen Their Cybersecurity Posture

In a recent blog post, Director of the HHS’ Office for Civil Rights, Lisa J. Pino, urged HIPAA-regulated entities to take steps to strengthen their cybersecurity posture in 2022 in light of the increase in cyberattacks on the healthcare industry.

2021 was a particularly bad year for healthcare organizations, with the number of reported healthcare data breaches reaching record levels. 714 healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights in 2021 and more than 45 million records were breached.

The breach reports were dominated by hacking and other IT incidents that resulted in the exposure or theft of the healthcare data of more than 43 million individuals. In 2021, hackers took advantage of healthcare organizations dealing with the COVID-19 pandemic and conducted several attacks that had a direct impact on patient care and resulted in canceled surgeries, medical examinations, and other services as a result of IT systems being taken offline and network access being disabled.

Pino also drew attention to the critical vulnerability identified in the Java-based logging utility Log4J, which has been incorporated into many healthcare applications. The vulnerability was discovered in December 2021 and cybercriminals and other threat groups were quick to exploit it to gain access to servers and networks for a range of malicious purposes.

The vulnerabilities and data breaches show how important it is for healthcare organizations to be vigilant to threats and take prompt action when new risks to the confidentiality, integrity, and availability of protected health information are identified. “With these risks in mind, I would like to call on covered entities and business associates to strengthen your organization’s cyber posture in 2022,” said Pino.

Pino said OCR investigations and audits have uncovered many cases of noncompliance with the risk analysis and risk management requirements of the HIPAA Rules. “All too often, we see that risk analyses only cover the electronic health record. I cannot underscore enough the importance of enterprise-wide risk analysis. Risk management strategies need to be comprehensive in scope,” explained Pino. “You should fully understand where all electronic protected health information (ePHI) exists across your organization – from software, to connected devices, legacy systems, and elsewhere across your network.”

OCR’s investigations of data breaches in 2020 showed multiple areas where HIPAA-regulated entities need to take steps to improve compliance with the standards of the HIPAA Security Rule, especially in the following areas:

  • Risk analysis
  • Risk management
  • Information system activity review
  • Audit controls
  • Security awareness and training
  • Authentication

Pino made several recommendations, including reviewing risk management policies and procedures, ensuring data are regularly backed up (and testing backups to ensure data recovery is possible), conducting regular vulnerability scans, patching and updating software and operating systems promptly, training the workforce how to recognize phishing scams and other common attacks, and practicing good cyber hygiene.

“We owe it to our patients, and industry, to improve our cybersecurity posture in 2022 so that health information is private and secure,” concluded Pino, who also drew attention to resources that have been made available by CISA and the Office for Civil Rights to help protect against common threats to ePHI.

The post OCR Director Encourages HIPAA-Regulated Entities to Strengthen Their Cybersecurity Posture appeared first on HIPAA Journal.