HIPAA Breach News

PHI of 10,000 Individuals Exposed Due to Houston Health Department Portal Glitch

The Houston Health Department has recently announced that the personal information and COVID-19 test results of 10,291 individuals have been exposed online as a result of a technical issue with its portal. The issue allowed approximately 3,500 portal users to access the data of other individuals.

The Houston Health Department said it detected the issue on January 6, 2022, and the portal was deactivated within 48 hours. Notification letters had to be delayed for several weeks while the portal issue was investigated to determine the full nature and scope of the incident. The health department confirmed that this was not a hacking incident, and it does not appear that any exposed information has been misused.

The types of data that could have been viewed included names, addresses, dates of birth, email addresses, testing dates, and test results. While no Social Security numbers were compromised, affected individuals have been offered a complimentary 12-month membership to an identity theft protection service.

Priority Health Confirms Breach of Member Portal Accounts

The Michigan health insurer Priority Health has recently announced a breach of several member portal accounts. According to a recent breach notice, the security breach was detected on December 16, 2021. Prompt action was taken to prevent further unauthorized access, including placing a hold on all member accounts from December 16 to December 21 while the incident was investigated and the portal was secured.

Priority Health said information in the compromised accounts included names, dates of birth, addresses, phone numbers, insurance information, claims information, and limited medical information. Priority Health has been working with third-party security consultants to improve security and prevent further breaches. On January 18, 2022, multifactor authentication was added to the portal.

It is currently unclear how many individuals have been affected.

Hofmann Arthritis Institute and Hofmann Arthritis Institute of Nevada

Hofmann Arthritis Institute in Utah and Hofmann Arthritis Institute of Nevada (HAI) have recently announced they were both victims of a cyberattack on one of their vendors – Alta Medical Management and ECL Group (AMM) – which provides accounting and billing services.

The attack occurred on or around November 15, 2021, and prevented HAI from accessing certain information on AMM systems. The investigation confirmed the attack was limited to AMM systems and HAI systems were unaffected. HAI said AMM did not provide any details on the nature of the attack, but HAI was able to determine on December 7, 2021, that the prevention of access to AMM systems was due to a cyberattack. HAI said its investigation into the incident is ongoing, but so far it has not been possible to tell if any patient information was stolen in the attack.

A comprehensive review of all files provided to AMM was conducted to determine the types of patient information that may have been compromised. The review was completed on January 27, 2022, and confirmed the following types of information were contained in the files: names, addresses, Social Security numbers, dates of birth, driver’s license numbers, financial information, medical information, health insurance information, and billing information. HAI said it is unaware of any actual or attempted misuse of patient data.

HAI said it is reviewing its security policies and procedures related to vendors and will implement additional measures to protect against further security breaches.

The breach has been reported to the HHS’ Office for Civil Rights as affecting 5,338 individuals.

The post PHI of 10,000 Individuals Exposed Due to Houston Health Department Portal Glitch appeared first on HIPAA Journal.

Four Healthcare Providers Hit with Ransomware Attacks

Ransomware attacks have recently been reported by four healthcare providers across the country, which have collectively resulted in the exposure and potential theft of the protected health information of more than 49,000 individuals.

Jax Spine & Pain Centers

Jax Spine and Pain Centers in Jacksonville, FL has recently announced it was the victim of a ransomware attack that occurred on January 24, 2022. The attack was conducted on an inactive server that contained records of patients who had visited either its Jacksonville or St. Augustine locations prior to May 2018.

Jacksonville Spine Center said the attackers claimed to have stolen files from the server and threatened to publish the stolen data if the ransom was not paid. It did not say whether a payment was made to prevent the publication of the data.

Monitoring software had been installed on the server which allowed the attack to be rapidly detected, and due to the prompt action taken in response to the breach, it was possible to prevent the encryption of data. As soon as the breach was detected the server was shut down, but it was not possible to prevent the exfiltration of a compressed file that contained patient information.

Jacksonville Spine Center said its current patient record system is based in the cloud and was unaffected and the only patient data obtained in the attack was demographic information – names, addresses, dates of birth, and a limited number of Social Security numbers.

Extend Fertility

Extend Fertility, a New York City fertility clinic, has recently notified 10,373 patients that some of their protected health information has potentially been obtained by unauthorized individuals as a result of a ransomware attack that was detected on December 20, 2022.

An investigation was launched into the attack and third-party computer forensics experts were engaged to determine the nature and scope of the security breach. The initial investigation concluded on January 28, 2022, and determined the attackers had gained access to its systems on or around December 15, 2021, and successfully encrypted files on its network and servers. While data theft was not 100% confirmed, Extend Fertility said it is likely files containing patient information were exfiltrated from its systems.

An analysis of all files potentially affected confirmed they contained the following types of information: First and last name, gender, home address, phone number, email address, date of birth, medical history, diagnosis and treatment information, date(s) of service, lab test results, prescription information, provider name, medical account number, health insurance policy and group plan number, group plan provider, and claim information.

Extend Fertility said it is unaware of any actual or attempted misuse of patient information; however, as a precaution, affected individuals have been offered complimentary credit monitoring and identity theft protection services. Extend Fertility said it is working with external security consultants to identify ways that security can be improved and additional safeguards will be implemented based on the recommendations. The employee cybersecurity training program will also be enhanced.

Spine Diagnostic & Pain Treatment

Spine Diagnostic & Pain Treatment in Louisiana appears to have been the victim of a Conti ransomware attack. According to Databreaches.net, 3,351 files containing patient information have been uploaded to the Conti gang’s data leak site, which the Conti gang claims represents around 30% of the exfiltrated files. Around 4 GB of data was uploaded to the leak site and the files contained a selection of data including scanned driver’s licenses, patient records, insurance billing information, and other PHI.

Spine Diagnostic & Pain Treatment has yet to confirm that it has suffered an attack and there is currently no record of the breach on the Office for Civil Rights and state attorneys general websites, so it is currently unclear how many patients have been affected.

La Posada at Park Centre

La Posada at Park Centre, a retirement community in Sahuarita, AZ, has recently notified 812 individuals that some of their protected health information was exposed and potentially compromised in a cyberattack that occurred on December 10, 2021. La Posada said “a software virus” was downloaded onto its systems that prevented staff from accessing files and email. Assisted by third-party forensics experts, La Posada determined on January 24, 2022, that the attackers potentially had access to files that contained patient information.

The types of data in the affected files varied from patient to patient and may have included: first and last names, birth dates, driver’s license numbers, Social Security numbers, direct deposit information, passport numbers, drug and/or TB test results, Member ID numbers, COVID vaccine cards, and information associated with explanation of benefits and self-funded medical plan participants.

La Posada said it is reviewing its security policies and procedures and will take steps to improve security.


Notifications Recently Sent to Alert Individuals About September 2020 and February 2021 Cyberattacks

Two HIPAA-regulated entities have recently started notifying individuals whose protected health information was potentially compromised in cyberattacks that occurred more than 12 months ago, including one where it took 18 months to notify affected individuals that their protected health information had been accessed and potentially acquired.

Comprehensive Health Services Notifies 94,449 Patients About September 2020 Cyberattack

Comprehensive Health Services, a Cape Canaveral, FL-based provider of workforce medical services and subsidiary of Acuity International, has recently announced it was the victim of a cyberattack that was detected on September 30, 2020.

The security incident came to light after multiple fraudulent wire transfers had been made from its accounts. Third-party forensics experts were engaged to determine the extent of the security incident, secure its digital environment, identify how the attacker gained access to its systems, and whether any sensitive data had been exfiltrated from those systems.

Comprehensive Health Services explained in its breach notification letter to the Maine Attorney General that it determined on November 3, 2021, that the personal information of a limited number of individuals employed by one of its customers may have been accessed and stolen in the attack. Notification letters were sent to those affected individuals on February 15, 2022. Those individuals have been offered either 12 or 24 months of credit monitoring and identity theft protection services. It is unclear why it took 15 months to determine protected health information had been compromised, and then a further three months to send notification letters to affected individuals.

According to the breach report sent to the Maine Attorney General, the protected health information of 94,449 individuals was potentially compromised.

Minimally Invasive Surgery of Hawaii Notifies Patients About February 2021 Cyberattack

Orthopedic Associates of Hawaii, All Access Ortho, and Specialty Suites, doing business as Minimally Invasive Surgery of Hawaii (MISH), has started notifying patients that were affected by “a recent event” in which their protected health information may have been compromised.

The recent event was a ransomware attack that was detected on February 19, 2021. According to the breach notifications, the threat actor encrypted data on systems that contained patient data. Steps were taken to quickly restore data and determine whether the unauthorized actor accessed or obtained files containing patient data.

MISH said the investigation confirmed on or around April 2, 2021, that the attacker accessed its systems between February 12, 2021, and February 19, 2021, and obtained limited data. A review was then conducted to determine which patients had been affected and the types of data that had been obtained, and then the contact information of those individuals had to be confirmed.

Notification letters dated February 19, 2021, were sent to the California attorney general, although the breach was reported to the HHS’ Office for Civil Rights in April 2021. The breach report states 500 individuals have been affected, although 500 is often used as a placeholder until the final total of affected individuals is known. This post will be updated should the breach total change.

MISH said the following types of information had been compromised: full names, addresses, dates of birth, medical treatment and diagnosis information, health insurance information, and a limited number of Social Security numbers. No evidence has been found to indicate any misuse of patient data. Affected individuals have been offered complimentary credit monitoring and identity theft protection services.

MISH said it reviewed its policies and procedures and has implemented additional administrative and technical safeguards to improve security.


Logan Health Medical Center Cyberattack Affects More Than 213,000 Patients

Logan Health Medical Center in Kalispell, MT, has recently started notifying certain patients that hackers gained access to a file server that housed patient information in “a highly sophisticated criminal attack.”

A security breach of its information technology systems was detected on November 22, 2021, with the initial investigation confirming a hacker had breached its security defenses. Third-party forensic investigators were retained to conduct an investigation to determine the nature and scope of the attack and on January 5, 2022, it was confirmed that certain files on its systems that contained patient information had been accessed.

The intrusion was limited to a single file server and its electronic medical records were not compromised. A review of the files on the affected server revealed they contained patient information including names, addresses, medical record numbers, dates of birth, telephone numbers, email addresses, insurance claim information, date(s) of service, treating/referring physician, medical bill account number, and/or health insurance information. The types of information in the compromised files varied from patient to patient.

Logan Health Medical Center said no evidence has been found that suggests any information on the affected server has been misused; however, as a precaution, affected individuals have been offered complimentary credit monitoring and identity protection services through Kroll. Logan Health Medical Center said it has already implemented additional security measures to fortify its systems.

The breach has yet to appear on the HHS’ Office for Civil Rights Breach portal, but the report submitted to the Maine Attorney General indicates the protected health information of up to 213,543 individuals was potentially compromised.

NHS Management Alerts Patients About May 2021 Cyberattack

NHS Management, a Tuscaloosa, AL-based operator of 50 long-term rehabilitation facilities in Alabama, Arkansas, Florida, and Missouri, announced a data breach last month that was discovered in May 2021. NHS Management said in breach notification letters that it was the victim of a sophisticated cyberattack. There was no mention of ransomware, but NHS Management said the incident affected the functionality of certain systems and it worked quickly to restore access. At no point did the attack affect the quality of patient care. NHS said a third-party team of security specialists was assembled to investigate the attack and determine the nature and scope of the incident, and the investigation is ongoing.

The incident was reported to the HHS’ Office for Civil Rights on October 29, 2021, as affecting 501 individuals. This appears to be a placeholder to meet HIPAA breach reporting requirements until the full extent of the breach is known. NHS Management said in its breach notification letters that the investigation into the attack is ongoing and the range and scope of compromised data is still unclear due to the “volume and complexity of the files at issue.” At this stage of the investigation, there has been no evidence uncovered to suggest employee or patient information has been misused.

The investigators determined hackers gained access to its system between May 14, 2021, and May 16, 2021, and accessed certain files, but did not gain access to electronic medical records. The files accessed included the following types of information: name, contact information, medical history, treatment/diagnosis information, health information, health insurance information, Social Security number, date of birth, and driver’s license number. The types of information compromised varied from individual to individual.

Steps have already been taken to ensure the security of its systems to prevent further data breaches and NHS Management said notification letters will be sent to affected individuals as soon as is practicable after the individuals have been identified.


January 2022 Healthcare Data Breach Report

50 healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights (OCR) in January 2022. January was the second successive month where the number of reported data breaches fell, although 38.9% more breaches were reported last month than in January 2020.

[Figure: Healthcare data breaches over the past 12 months to January 2022]

The protected health information of 2,304,607 individuals was exposed or impermissibly disclosed across those 50 breaches – 22% fewer records than December 2021, and well below the 12-month average of 3.51 million records a month. 726 data breaches of 500 or more records were reported to OCR in the 12 months from February 2021 to January 2022, and 42,175,121 records were breached across those 726 incidents.

[Figure: Healthcare records breached in the past 12 months to January 2022]

Largest Healthcare Data Breaches in January 2022

18 healthcare data breaches of 10,000 or more records were reported to the HHS’ Office for Civil Rights in January 2022, including one major data breach that affected more than 1.35 million Broward Health patients.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached Information | Breach Cause |
|---|---|---|---|---|---|---|
| North Broward Hospital District d/b/a Broward Health | FL | Healthcare Provider | 1,351,431 | Hacking/IT Incident | Network Server | Unspecified hacking and data theft incident |
| Medical Review Institute of America | UT | Business Associate | 134,571 | Hacking/IT Incident | Network Server | Ransomware attack |
| Medical Healthcare Solutions, Inc. | MA | Business Associate | 133,997 | Hacking/IT Incident | Network Server | Ransomware attack |
| Ravkoo | FL | Healthcare Provider | 105,000 | Hacking/IT Incident | Other | Cyberattack on cloud prescription portal |
| TTEC Healthcare Solutions | CO | Business Associate | 86,305 | Hacking/IT Incident | Network Server | Ransomware attack |
| Advocates, Inc. | MA | Healthcare Provider | 68,236 | Hacking/IT Incident | Network Server | Unspecified hacking and data theft incident |
| iRise Florida Spine and Joint Institute, LLC | FL | Healthcare Provider | 61,595 | Hacking/IT Incident | Email | Email accounts accessed by unauthorized individuals |
| Suncoast Skin Solutions | FL | Healthcare Provider | 57,730 | Hacking/IT Incident | Network Server | Ransomware attack |
| Hospital Authority of Valdosta and Lowndes County Georgia | GA | Healthcare Provider | 41,692 | Unauthorized Access/Disclosure | Desktop Computer | Unauthorized access and PHI theft by former employee |
| Family Christian Health Center | IL | Healthcare Provider | 31,000 | Hacking/IT Incident | Network Server | Ransomware attack |
| Lakeshore Bone & Joint Institute, PC | IN | Healthcare Provider | 23,627 | Hacking/IT Incident | Email | Email account accessed by unauthorized individual |
| South City Hospital | MO | Healthcare Provider | 21,601 | Theft | Network Server, Other | Burglary |
| Pace Center for Girls | FL | Healthcare Provider | 18,300 | Unauthorized Access/Disclosure | Network Server | Unspecified hacking and data theft incident |
| County of Kings, a political subdivision of the State of California | CA | Healthcare Provider | 16,590 | Hacking/IT Incident | Network Server | Misconfigured web server |
| Philadelphia FIGHT Community Health Centers | PA | Healthcare Provider | 15,000 | Hacking/IT Incident | Network Server | Unspecified hacking incident |
| Catholic Hospice, Inc. | FL | Healthcare Provider | 14,986 | Hacking/IT Incident | Email | Email accounts accessed by unauthorized individuals |
| Houston Area Community Services, Inc. d/b/a Avenue 360 Health and Wellness | TX | Healthcare Provider | 12,186 | Hacking/IT Incident | Email | Email accounts accessed by unauthorized individuals |
| Spencer Gifts LLC Health and Welfare Benefit Plan | NJ | Health Plan | 10,023 | Hacking/IT Incident | Network Server | Unspecified hacking and data theft incident |

Causes of January 2022 Healthcare Data Breaches

Hacking incidents continue to dominate the breach reports and accounted for 76% of the month’s data breaches and 95.57% of the month’s breached records. The average breach size was 57,962 records and the median breach size was 6,174 records. The largest healthcare data breach of the month resulted in the theft of the protected health information of more than 1.35 million patients of Broward Health in Florida. A hacker gained access to the Broward Health network via a third-party medical provider that had been given access rights to Broward Health’s systems.

[Figure: Causes of January 2022 healthcare data breaches]

Ransomware is still being extensively used in cyberattacks on healthcare organizations. 5 of the month’s top 10 data breaches were reported as ransomware attacks, with several others likely to have involved ransomware. Ransomware attacks have become highly sophisticated, with the attackers using a variety of methods to gain access to healthcare networks. CISA, the FBI, and the NSA recently issued a joint threat brief warning about the increased risk of ransomware attacks on critical infrastructure firms and provided mitigations that can be implemented to improve resilience to ransomware attacks.

Phishing attacks are also common. 12 of the month’s data breaches involved compromised email accounts. Combatting phishing attacks requires a combination of email security solutions and end user training. While HIPAA does not specify anti-phishing training for employees, HIPAA-regulated entities should go beyond the requirements of HIPAA and ensure the workforce receives regular security awareness training, including instruction on how to identify phishing emails. When combined with phishing simulation exercises, susceptibility to phishing attacks can be significantly reduced.

There were 11 unauthorized access/disclosure incidents reported to OCR in January, across which the protected health information of 80,456 individuals was impermissibly accessed or disclosed. One of the incidents reported in January involved the theft of the protected health information of 41,692 patients by a former employee. That individual was arrested and charged in connection to the incident. The average size of these breaches was 7,314 records, and the median breach size was 1,125 records. There was also one theft incident reported – a burglary – involving the theft of a network server that contained the protected health information of 21,601 patients.

[Figure: January 2022 healthcare data breaches - location of breached PHI]

Data Breaches by HIPAA-Regulated Entity Type

Data breaches were reported by 31 healthcare providers, 6 health plans, and 13 business associates in January; however, a further 5 breaches occurred at business associates but were reported by the HIPAA-covered entity. The pie chart below shows the adjusted figures for where the data breach occurred.

[Figure: January 2022 healthcare data breaches by HIPAA-regulated entity type]

Healthcare Data Breaches by State

Healthcare data breaches were reported by HIPAA-regulated entities in 22 states, with Florida the worst affected with 7 data breaches.

| State | Number of Reported Data Breaches |
|---|---|
| Florida | 7 |
| Pennsylvania | 6 |
| California | 4 |
| Illinois, Massachusetts, New Jersey & New York | 3 |
| Colorado, Georgia, Ohio, Tennessee, Texas, & Utah | 2 |
| Arkansas, Connecticut, Idaho, Indiana, Minnesota, Missouri, Oklahoma, South Carolina, & Wisconsin | 1 |

HIPAA Enforcement in January 2022

There were no HIPAA enforcement actions announced by the HHS’ Office for Civil Rights or state attorneys general in January 2022.


Sea Mar Community Health Centers Facing Class Action Lawsuit over 688,000-Record Data Breach

Seattle, WA-based Sea Mar Community Health Centers is facing a class action lawsuit over a cyberattack in which the protected health information of 688,000 individuals was compromised. The breach came to light in June 2021 when files stolen in the attack were posted on the Marketo dark web leak site.

Databreaches.net spotted the leaked data on the Marketo data leak site in June 2021 and contacted Sea Mar. In October 2021, Sea Mar sent notification letters to affected individuals and explained that the hackers gained access to its network between December 2020 and March 2021 and exfiltrated sensitive data including names, addresses, Social Security numbers, dates of birth, and health information. The data breach was reported to the HHS’ Office for Civil Rights the same month as affecting 688,000 current and former patients. Affected individuals were offered complimentary credit monitoring and identity theft protection services for 12 months.

According to Databreaches.net, the threat group behind the attack claimed to have stolen 3TB of data from Sea Mar. There may also have been a further disclosure of the stolen data by a threat group known as Snatch Team. Databreaches.net found multiple references to Sea Mar in a 22TB set of data, as did a researcher at Intel. In addition to being posted on dark web leak sites, Databreaches.net said the stolen data had also been posted on at least two clear net leak sites – those operated by Marketo and Snatch Team.

The latest lawsuit – Hall v. Sea Mar Community Health Centers – was filed in Washington state superior court on behalf of former Sea Mar patient Alan Hall and “more than 650,000” others affected by the data breach.

The lawsuit alleges Sea Mar was negligent for failing to implement adequate and reasonable cybersecurity procedures and protocols to protect patient and employee information and maintained sensitive patient data “in a reckless manner.” Sea Mar is alleged to have failed to disclose it did not have adequately robust computer systems and security practices and was not properly monitoring its network for intrusions, which allowed the threat actors to access its systems for four months. The lawsuit also alleges Sea Mar delayed issuing breach notifications, which were sent around 10 months after the initial intrusion and 4 months after the data breach was discovered.

The lawsuit alleges the plaintiff and class members are exposed to a present and imminent risk of fraud and identity theft because their sensitive data is in the hands of data thieves and has been made available to other cybercriminals through the leaking of the data on the dark web.

The plaintiffs and class members are alleged to have suffered injury and ascertainable losses due to the threat of fraud and identity theft, loss of the benefit of their bargain, out-of-pocket expenses, the value of their time spent mitigating the effects of the cyberattack and data breach, and loss of value of their personal information.

The lawsuit seeks compensatory damages, nominal damages, reimbursement of out-of-pocket expenses, and injunctive relief, including investment in cybersecurity to better protect patient and employee data, submitting to future annual data security audits, and the provision of at least three years of identity theft and credit monitoring services to victims of the data breach.


PHI of 521,000 Individuals Compromised in Security Breach at Morley Companies

Morley Companies, a Saginaw, MI-based provider of business services, has recently announced it was the victim of a cyberattack that started on August 1, 2021, and prevented access to data on its information systems.

Rapid action was taken to isolate the affected systems and a leading cybersecurity firm was engaged to investigate and determine the nature and scope of the security incident. In addition to encrypting data on its systems, the attackers exfiltrated certain data from its systems.

A comprehensive review was conducted of all files on its systems that could have been accessed by the attackers, and Morley Companies then started collecting contact information for those individuals to allow notification letters to be sent. Morley Companies said that process was completed in early 2022, and notification letters started to be sent to affected individuals on February 1, 2022.

The forensic investigation confirmed the following types of information were potentially accessed and/or stolen in the cyberattack: Names, addresses, Social Security numbers, birthdates, client identification numbers, medical diagnostic and treatment information, and health insurance information.

Morley Companies said it has reviewed its data security safeguards and has now made alterations to its cyber environment to prevent similar attacks in the future. Affected individuals have been offered a complimentary membership to credit monitoring and identity theft protection services.

The security breach has been reported to law enforcement and the Department of Health and Human Services’ Office for Civil Rights (OCR). The OCR data breach portal indicates the protected health information of 521,046 individuals was potentially compromised.


15,000 Patients Affected by Philadelphia FIGHT Community Health Centers Cyberattack

Philadelphia FIGHT Community Health Centers has recently announced it was the victim of a cyberattack on November 30, 2021. Third-party forensic investigators were engaged to determine the nature and scope of the breach. The investigation confirmed its electronic medical record system and other clinical systems were not compromised in the attack; however, on January 13, 2022, Philadelphia FIGHT discovered the attacker had accessed non-clinical systems that housed files containing the protected health information of around 15,000 patients.

It was not possible to determine if the attacker viewed or obtained any patient information, although no reports have been received that suggest any patient information has been misused. The information potentially compromised in the attack included names, dates of birth, Social Security numbers, medical diagnoses, treatment information, and health insurance information.

Philadelphia FIGHT said a review of security protocols is being conducted and security measures will be enhanced to prevent further cyberattacks.

Vendor Email Account Breach Affects Over 6,000 Memorial Hermann Health System Patients

Memorial Hermann Health System has reported a breach at one of its vendors that exposed the protected health information of 6,260 patients. Memorial Hermann Health System had contracted with Advent Health Partners, a Nashville, TN-based provider of claims management services. In September 2021, Advent Health Partners discovered suspicious activity in certain employee email accounts and on December 2, 2021, confirmed the compromised email accounts contained the protected health information of its healthcare clients. Those clients started to be notified on January 6, 2022.

Memorial Hermann Health System said the compromised information included first names, last names, dates of birth, Social Security numbers, driver’s license numbers, financial information, health insurance information, and treatment information. While patient information may have been accessed, no evidence has been found to suggest any actual or attempted misuse of patient data. Memorial Hermann Health System said Advent Health Partners is providing affected individuals with free access to a credit monitoring service.


Patient Data Compromised in Ransomware Attacks on Family Christian Health Center & Jackson County Hospital

Family Christian Health Center (FCHC) in Illinois has announced it was the victim of a ransomware attack in November 2021 that compromised the protected health information of 31,000 patients. The attack was detected on November 30, 2021, with the investigation indicating the attackers first gained access to its IT systems on or around November 18, 2021.

The attackers compromised FCHC’s old dental system, which contained the PHI of patients who had received dental services prior to August 31, 2020. The system contained patients’ names, birth dates, insurance card numbers, driver’s license numbers, and copies of patients’ insurance cards and driver’s licenses. FCHC said information about the dental care provided, credit card numbers, and the Social Security numbers of affected dental patients were not affected. The PHI of non-dental patients who received healthcare services between December 5, 2016, and August 31, 2020, was also compromised and included names, birth dates, addresses, insurance identification numbers, and Social Security numbers.

FCHC worked with external IT vendors to investigate the breach and a forensic investigator was engaged to determine how the attackers gained access to the network and to recommend additional security measures to prevent further attacks. FCHC said it has implemented additional technical safeguards.

Patient Data Potentially Compromised in Jackson County Hospital Ransomware Attack

Jackson County Hospital in Florida recently announced certain systems within its network have been accessed by unauthorized individuals who potentially viewed or obtained the personal and medical information of certain patients. The security breach was detected on or around January 9, 2022, when certain systems were rendered inaccessible.

Third-party forensic specialists investigated the cyberattack and determined limited patient data had been exfiltrated from its systems, including names, addresses, birthdates, telephone numbers, Social Security numbers, medical histories, medical conditions/treatment information, medical record numbers, diagnosis codes, patient account numbers, Medicare/Medicaid numbers, financial account information, and usernames/passwords. At this stage, Jackson County Hospital has not found any evidence to suggest there has been any misuse of patient data but affected patients have been advised to be vigilant and to check their account statements and explanation of benefits statements for signs of fraudulent activity.

Jackson County Hospital said the investigation into the cyberattack is ongoing and steps are being taken to improve security. Current policies and procedures are being reviewed and additional administrative and technical safeguards will be implemented to further secure the information in its systems.

The cyberattack has been reported to the HHS’ Office for Civil Rights but it is not yet showing on the breach portal, so it is currently unclear how many patients have been affected.
