Chicago’s South Shore Hospital has started notifying 115,670 current and former patients about a December 2021 cyberattack on its network. Suspicious activity was identified on its network on December 10, 2021, and prompt action was taken to contain the incident. Emergency protocols were implemented to ensure care could continue to be safely provided to patients.

South Shore Hospital engaged a team of third-party computer forensics experts to investigate the security breach and determine whether patient information was accessed or stolen. The investigation confirmed the attackers gained access to parts of its network where files were stored that contained the protected health information of patients and employee data, including names, addresses, dates of birth, Social Security numbers, health insurance information, medical information, diagnoses, health insurance policy numbers, Medicare/Medicaid information, and financial information.

South Shore Hospital said it will be implementing additional security measures to better protect its network against cyberattacks, including stronger password policies, multifactor authentication, and additional anti-malware and anti-phishing tools. Further training on data privacy and security will also be provided to the workforce.

South Shore Hospital has provided affected individuals with information on how they can protect themselves against the misuse of their information, which includes signing up for a 12-month complimentary membership to IDX’s credit and CyberScan monitoring service. Affected individuals will also be protected with a $1 million identity theft reimbursement insurance policy and will have access to identity theft recovery services if they are needed.

Spencer Gifts Health and Welfare Benefit Plan Reports Hacking Incident

Spencer Gifts has discovered unauthorized individuals gained access to its network between November 24, 2021, and November 26, 2021, and potentially viewed or obtained files containing the protected health information of 10,023 members of its health and welfare benefits plan.

The attack was detected on November 25, 2021, and its network was secured the following day. The investigation confirmed names, Social Security numbers, and plan selection information had been exposed. Notification letters started to be sent to all affected individuals on January 24, 2022, and complimentary identity theft monitoring services have been offered to affected individuals. Spencer Gifts said it is reviewing its security policies and procedures and further electronic security features will be implemented.

The post Hackers Gained Access to Files Containing the PHI of 115,670 South Shore Hospital Patients appeared first on HIPAA Journal.

Brownwood, Texas-based Cross Timbers Health Clinics, operating under the brand AccelHealth, suffered a ransomware attack on December 15, 2021, which prevented the Federally Qualified Health Center from accessing certain files and folders on its network. AccelHealth engaged third-party forensics specialists to investigate the security breach who determined unauthorized individuals first gained access to its network on December 9, 2021.

During the 6 days when network access was possible, the attackers may have viewed or acquired files containing patient information. A comprehensive review of all files on the compromised parts of the network revealed they contained the protected health information of 48,126 patients, including names, addresses, dates of birth, Social Security numbers, driver’s license numbers, financial account information, health insurance information, medical record numbers, and treatment and diagnosis information.

No evidence was found of data exfiltration and, at the time of issuing notification letters, no reports had been received to suggest any actual or attempted misuse of patient data. AccellHealth said additional technical security measures are being implemented to prevent further cyber attacks and affected individuals have been offered complimentary credit monitoring services.

Pace Center for Girls Discovers 11-Month System Breach

Pace Center for Girls, a Jacksonville, FL-based 6-12 education program for at-risk teenage girls, has discovered certain infrastructure systems were accessed by unauthorized individuals who may have viewed or acquired the sensitive data of current and former students.

The security breach was detected in the week of December 13, 2021, with the investigation confirming certain parts of its IT infrastructure had been compromised in January 2021. The affected parts of its systems contained information such as students’ full names, addresses, phone numbers, dates of birth, Florida Department of Juvenile Justice identification numbers, enrollment data, behavioral health information, and parent/guardian names.

Pace Center for Girls said a third-party cybersecurity firm was hired to help secure its network and physical computer access and assess its data protection and gateway security systems. Additional security measures will be implemented, as appropriate, to better protect against unauthorized access. Affected individuals have been advised to place fraud alerts with Experian, Equifax, and TransUnion to identify any fraudulent use of their personal information. The breach has been reported to the HHS’ Office for Civil Rights as affecting up to 18,300 individuals.

The post Hacking Incidents Reported by AccelHealth and Pace Center for Girls appeared first on HIPAA Journal.

Suncoast Skin Solutions, a network of 22 surgical, medical, and cosmetic dermatological care clinics in Florida, has recently started notifying 57,730 patients about a ransomware attack that was discovered on July 14, 2021.

Suncoast said when the cyberattack was detected, prompt action was taken to prevent the encryption of all of its systems and a third-party cybersecurity firm was engaged to conduct a forensic investigation to determine the nature and scope of the attack.

On October 14, 2021, the cybersecurity firm concluded its investigation and Suncoast conducted a preliminary review of its systems to determine if they contained any patient information. That process was completed on November 8, 2021, and a third-party vendor was engaged to review all affected files to determine the specific individuals whose information may have been compromised.

Suncoast has now confirmed that the following types of data were potentially viewed by the attackers: names, dates of birth, clinical information, doctor’s notes, and other limited treatment information. Suncoast said it is unaware of any attempted or actual misuse of patient data as a result of the security breach. Steps have been taken to prevent similar breaches in the future, including transferring all patient data to an encrypted system. Complimentary credit monitoring services have been offered to certain impacted individuals.

South City Hospital Reports Theft of Backup Server Containing PHI of 21,601 Individuals

South City Hospital in St. Louis, MO – formerly St. Alexius Hospital – was the victim of a burglary on November 13th or 14th and thieves stole a backup imaging server from one of its practice locations.

A review of the server confirmed it contained protected health information of 21,601 individuals, including names, Social Security numbers, health insurance information, radiology imaging, and/or other related medical information.

In response to the break-in, the hospital has implemented additional security measures to prevent further exposures of patient data.

Colorado Department of Human Services Affected by Cyberattack on Business Associate

The Colorado Department of Human Services (CDHS) has notified 6,132 individuals that some of their protected health information has potentially been compromised in a cyberattack on one of its vendors – Sound Generations.

Sound Generations is a Seattle, WA-based provider of services for adults with disabilities and CDHS contracts with Sound Generations to store data for its evidence-based fall prevention program – A Matter of Balance. Sound Generations investigated the breach and while no evidence of data misuse has been identified, it was not possible to rule out unauthorized data access.

The types of information potentially compromised includes names, addresses, phone numbers, email addresses, dates of birth, and whether or not clients have health insurance.

PHI of 4,897 Individuals Potentially Compromised in Raveco Medical Hacking Incident

Raveco Medical, a women’s health clinic in New York City, has notified 4,897 patients that some of their protected health information was potentially accessed by unauthorized individuals.

A security breach was detected on November 22, 2021, and a third-party cybersecurity firm was engaged to investigate the breach. The investigation confirmed files had been copied from its systems that contained patients’ first and last names, dates of birth, medications, diagnoses, Social Security numbers, and/or payment card information.

Raveco Medical said it is working to improve data security to prevent further hacking incidents. Affected individuals have been provided with complimentary access to credit monitoring and identity theft resolution services through IDX.

The post Data Breaches Reported by Suncoast Skin Solutions, Raveco Medical, South City Hospital, and the Colorado DHS appeared first on HIPAA Journal.

Taylor Regional Hospital in Campbellsville, KY has suffered a cyberattack that has resulted in its IT and phone systems being taken offline. The cyberattack was reported by the hospital on January 24, 2021, and the hospital is still experiencing outages with certain computer systems and phone lines. Temporary phone lines have been set up to allow patients to contact the hospital while the cyberattack is resolved.

Cyberattacks such as this often involve ransomware, but no details have been released so far about the exact nature of the cyberattack, nor when its IT systems are expected to be restored. At this early stage, it is unclear if any patient information has been accessed or stolen by attackers.

A notice on the hospital’s website explains that quality care continues to be provided to patients and it is working as quickly as possible to safely bring its IT systems back online. Patients are encouraged not to delay seeking medical care; however, without access to IT systems, patients have been asked to bring lists of their medication with them to any appointments that have previously been scheduled.

The hospital said routine outpatient labs will only be performed during limited hours until further notice, and patients have been advised to bring a written order and patients should expect longer wait times than normal. The walk-in COVID-19 clinic is still open but will operate on a first-come, first-served basis.

Data Stolen in Cyberattack on Connecticut Accountancy Firm

The Glastonbury, CT-based certified public accountancy firm, Fiondella, Milone & LaSaracina, has announced it was the victim of a cyberattack in September 2021. The security breach was detected on September 14, 2021, with the forensic investigation determining the hackers had access to its systems from September 9, 2021.

On or around October 13, 2021, it was determined the hackers copied files and folders from its system that contained the sensitive data of certain individuals. The information potentially compromised was mostly limited to names and Social Security numbers, with some individuals also having information stolen related to ambulance trips, including date and tracking numbers, service level, payor types and category, mileage information, charge/payment information, billing review information, and remittance advice details, which may have included medical information.

Fiondella, Milone & LaSaracina said a review of security measures has been conducted and additional safeguards will be implemented to prevent further security breaches. There is no mention in the website breach notice of credit monitoring and identity theft protection services.

The breach has been reported to the HHS’ Office for Civil Rights as affecting 6,215 individuals.

The post Taylor Regional Hospital Still Recovering from January Cyberattack appeared first on HIPAA Journal.

Hackers have gained access to email accounts containing protected health information at Injured Workers Pharmacy, iRise Florida Spine and Joint Institute, and Volunteers of America Southwest California.

Injured Workers Pharmacy

Andover, MA-based Injured Workers Pharmacy has recently reported a data breach to the Maine Attorney General that was discovered on or around May 11, 2021, when suspicious activity was detected in an employee email account. The account was immediately secured and third-party computer forensics specialists were engaged to investigate the breach. The investigation revealed 7 email accounts had been compromised between January 16, 2021, and May 12, 2021.

Third-party data review specialists were engaged to check the emails and attachments in the compromised accounts, which confirmed they contained the protected health information of 75,771 individuals such as names, addresses, and Social Security numbers. After the review, Injured Workers Pharmacy validated the results, and that process was completed on or around December 14, 2021. Notification letters started to be sent to affected individuals on February 3, 2022.

Injured Workers Pharmacy said it has augmented its email security measures and is offering affected certain individuals complimentary credit monitoring and identity restoration services.

iRise Florida Spine and Joint Institute

The iRise Florida Spine and Joint Institute has discovered an employee email account containing the protected health information of 61,595 patients has been accessed by an unauthorized individual. The forensic investigation revealed the email account was accessed between February 24, 2021, and February 26, 2021.

A comprehensive review of emails and attachments was conducted, and the process was completed on November 22, 2021. iRise said the following types of information may have been viewed or acquired in the attack: Names, dates of birth, diagnoses, clinical treatment information, physician and/or hospital name, dates of service, and health insurance information. A limited number of individuals also had their Social Security numbers, driver’s license numbers, financial account information, credit card numbers, and/or usernames and passwords exposed.

Affected individuals have been notified and a 12-month complimentary membership to a credit monitoring service has been offered to individuals whose Social Security numbers were exposed. iRise has reviewed its email security measures and has implemented additional technical safeguards, including multifactor authentication. Additional training on email security has also been provided to the workforce.

Volunteers of America Southwest California

The San Diego, CA-based social service organization Volunteers of America Southwest California recently announced it was the victim of a phishing attack. An employee received an email that appeared to be a voicemail message, that included a link to a website that required login credentials to be entered to listen to the message. The login credentials were captured and used to access the employee’s email account.

The email account was accessed by the attackers on or around November 16, 2021, and the intrusion was detected and remediated on November 16. A review of the email account revealed it contained the first and last names of clients in the vast majority of cases, with some of the records also including individuals’ COVID-19 vaccination status.

The breach appears to have been fully remediated and third-party experts have been engaged to validate the containment measures. Email security has been enhanced in response to the breach.

The breach was reported to the HHS’ Office for Civil Rights as affecting 1,300 individuals.

The post PHI of 138K Individuals Exposed in 3 Email Security Incidents appeared first on HIPAA Journal.

Allegheny Health Network Home Infusion Patients Affected by Ransomware Attack on Vendor

Pittsburgh, PA-based Allegheny Health Network Home Infusion has been notified about a ransomware attack on one of its vendors, Vantage Healthcare Network, Inc.

On October 17, 2021, Vantage detected suspicious activity within its network and engaged a third-party cybersecurity firm to investigate the security breach. AHN Home Infusion was informed on November 22, 2021, that the systems accessed by the ransomware gang contained patient data, some of which had been exfiltrated by the attackers prior to file encryption.

AHN Home Infusion conducted its own investigation alongside Vantage to determine which patients had been affected, and the types of information that had been compromised and has confirmed the following types of information had potentially been accessed or exfiltrated in the attack:

Names, billing information, nurse’s notes, patient referral information, prescriptions, treatment and therapy records, medical device orders, scheduling information, and a small number of Social Security numbers. AHN Home Infusion said the investigation into the attack and the document review is ongoing. So far there are no indications that any patient information has been or will be misused.

Vantage has confirmed it has restored all data encrypted in the attack. Individuals whose Social Security numbers have been compromised will be offered complimentary credit monitoring services.  The breach has been reported to the HHS’ Office for Civil Rights as affecting 7,500 patients.

Hacker Gained Access to Jefferson Health Insurance Portal

Philadelphia, PA-based Jefferson Health has discovered unauthorized individuals gained access to an online health insurance portal that was used to submit billing information for payment. The breach occurred on November 18, 2021, and the attacker attempted to divert wire payments intended for Jefferson Health.

On November 22, 2021, Jefferson Health discovered the attacker had obtained a remittance sheet that included the billing information of 5,239 patients of Thomas Jefferson University Hospital and 3,475 patients of Abington Memorial Hospital. The remittance sheet included names, month and year of birth, date(s) of service, treatment codes, and treatment costs. No Social Security numbers, health insurance information, financial account information, or other treatment information were compromised.

Jefferson Health has sent notification letters to affected individuals and said it is reviewing and enhancing its security protocols.

The post Data Breaches Reported by Jefferson Health and Allegheny Health Network Home Infusion appeared first on HIPAA Journal.

The Hospital Authority of Valdosta and Lowndes County Georgia has recently reported a data breach involving the unauthorized copying of patient data by a former employee of South Georgia Medical Center.

On November 12, 2021, security software generated an alert indicating an employee had downloaded data from the hospital’s systems onto a USB drive. The investigation confirmed the downloaded data included patients’ names, dates of birth, and test results. The breach was recently reported to the Department of Health and Human Services’ Office for Civil Rights as involving the protected health information of 41,692 individuals.

The employee had been provided with access to patient data in order to complete work duties, but no authorization was given to copy patient data and remove it from the hospital. The employee left employment at the hospital on November 11, 2021.

South Georgia Medical Center said no data was erased from its systems and the copied files have now been recovered. The data theft incident was reported to law enforcement and the Lowndes County Sheriff’s Office investigated the breach and the recovered files.

South Georgia Medical Center CEO, Ronald Dean, said there is no reason to believe any of the copied information has been misused in any way, and financial data and Social Security numbers were not removed from the premises; however, individuals whose protected health information was removed from the hospital have been offered a complimentary membership to a credit monitoring and identity theft restoration service.

The sheriff’s office confirmed to the Valdosta Daily Times that a 43-year-old former employee of the hospital has been charged with felony computer theft and felony computer invasion of privacy in relation to the incident. The motive behind her copying the data is unclear.

South Georgia Medical Center said changes have been implemented following the incident to improve security, including limiting the use of USB drives and providing further training to the workforce.

The post Former South Georgia Medical Center Employee Arrested Over 41K-Record Data Breach appeared first on HIPAA Journal.