HIPAA Breach News

Data Breaches Reported by Jefferson Health and Allegheny Health Network Home Infusion

Allegheny Health Network Home Infusion Patients Affected by Ransomware Attack on Vendor

Pittsburgh, PA-based Allegheny Health Network Home Infusion has been notified about a ransomware attack on one of its vendors, Vantage Healthcare Network, Inc.

On October 17, 2021, Vantage detected suspicious activity within its network and engaged a third-party cybersecurity firm to investigate the security breach. AHN Home Infusion was informed on November 22, 2021, that the systems accessed by the ransomware gang contained patient data, some of which had been exfiltrated by the attackers prior to file encryption.

AHN Home Infusion conducted its own investigation alongside Vantage to determine which patients had been affected and the types of information compromised, and has confirmed that the following types of information were potentially accessed or exfiltrated in the attack:

Names, billing information, nurse’s notes, patient referral information, prescriptions, treatment and therapy records, medical device orders, scheduling information, and a small number of Social Security numbers. AHN Home Infusion said the investigation into the attack and the document review is ongoing. So far there are no indications that any patient information has been or will be misused.

Vantage has confirmed it has restored all data encrypted in the attack. Individuals whose Social Security numbers have been compromised will be offered complimentary credit monitoring services. The breach has been reported to the HHS’ Office for Civil Rights as affecting 7,500 patients.

Hacker Gained Access to Jefferson Health Insurance Portal

Philadelphia, PA-based Jefferson Health has discovered unauthorized individuals gained access to an online health insurance portal that was used to submit billing information for payment. The breach occurred on November 18, 2021, and the attacker attempted to divert wire payments intended for Jefferson Health.

On November 22, 2021, Jefferson Health discovered the attacker had obtained a remittance sheet that included the billing information of 5,239 patients of Thomas Jefferson University Hospital and 3,475 patients of Abington Memorial Hospital. The remittance sheet included names, month and year of birth, date(s) of service, treatment codes, and treatment costs. No Social Security numbers, health insurance information, financial account information, or other treatment information were compromised.

Jefferson Health has sent notification letters to affected individuals and said it is reviewing and enhancing its security protocols.

The post Data Breaches Reported by Jefferson Health and Allegheny Health Network Home Infusion appeared first on HIPAA Journal.

Former South Georgia Medical Center Employee Arrested Over 41K-Record Data Breach

The Hospital Authority of Valdosta and Lowndes County Georgia has recently reported a data breach involving the unauthorized copying of patient data by a former employee of South Georgia Medical Center.

On November 12, 2021, security software generated an alert indicating an employee had downloaded data from the hospital’s systems onto a USB drive. The investigation confirmed the downloaded data included patients’ names, dates of birth, and test results. The breach was recently reported to the Department of Health and Human Services’ Office for Civil Rights as involving the protected health information of 41,692 individuals.

The employee had been provided with access to patient data in order to complete work duties, but no authorization was given to copy patient data and remove it from the hospital. The employee left employment at the hospital on November 11, 2021.

South Georgia Medical Center said no data was erased from its systems and the copied files have now been recovered. The data theft incident was reported to law enforcement and the Lowndes County Sheriff’s Office investigated the breach and the recovered files.

South Georgia Medical Center CEO, Ronald Dean, said there is no reason to believe any of the copied information has been misused in any way, and financial data and Social Security numbers were not removed from the premises; however, individuals whose protected health information was removed from the hospital have been offered a complimentary membership to a credit monitoring and identity theft restoration service.

The sheriff’s office confirmed to the Valdosta Daily Times that a 43-year-old former employee of the hospital has been charged with felony computer theft and felony computer invasion of privacy in relation to the incident. The motive behind her copying the data is unclear.

South Georgia Medical Center said changes have been implemented following the incident to improve security, including limiting the use of USB drives and providing further training to the workforce.


Concerning Healthcare Data Breach Reporting Trend

The HIPAA Breach Notification Rule calls for data breach notifications to be issued to the Secretary of the HHS “without unnecessary delay” and no later than 60 days after the date of discovery of a data breach. The same time frame applies to issuing notification letters to affected individuals.

There has been a trend in recent years for HIPAA-regulated entities to wait the full 60 days from the date of discovery of the breach to issue notifications to affected individuals and the HHS, but recently a growing number have taken the date of discovery to be the date when the breach investigation was completed, or even the date when the full review of impacted documents was finished. In some cases, notifications have been issued many months after the initial system breach was detected. There may be valid reasons for a delay in reporting, such as a request from law enforcement to delay making a cyberattack or data theft incident public to avoid interfering with the law enforcement investigation; however, it is rare for individual notifications to mention these law enforcement requests.

Delays to individual notifications oftentimes mean individuals’ PHI has been in the hands of cybercriminals for many months before they are told about the data theft and are given the opportunity to take steps to protect against any misuse of their personal data. Notification letters cannot be sent to affected individuals until those individuals have been identified, but any delay in issuing notifications is a compliance risk. There have been several cases where ransomware gangs have stolen patient data and posted it on their data leak sites, and that information has been available for months before notification letters were issued. In some cases, the notification letters have not made any mention of data theft.

Promptly sending individual notification letters and being transparent about the risk individuals face will allow them to take appropriate action to protect their identities and could reduce the risk of a data breach lawsuit. Several recent lawsuits have cited unnecessary delays in issuing notifications, which has placed breach victims at a much higher risk of harm.

Risk of Penalties for Delayed Breach Notifications

The HHS has made it clear in guidance on its website that the deadline for reporting breaches to the Secretary of the HHS is 60 days from the date of discovery of the breach. If the number of affected individuals is not known at the time of reporting, an estimate should be provided. The breach report can then be amended at a later date when further information about the breach is known. Some covered entities report the breach within 60 days of the detection of a cyberattack and use a total of 500 or 501 affected individuals as a placeholder until the document review is completed.

While there have been few enforcement actions to date over the late reporting of data breaches, a missed deadline does place a HIPAA-regulated entity at risk of a substantial fine. Given the number of data breaches now being reported to the HHS well after the 60-day deadline, non-compliance with the HIPAA Breach Notification Rule reporting requirements could well be an area where the OCR decides to take enforcement actions in the future.


February 11, 2022: Deadline for Providing GAO With Feedback on HHS Data Breach Reporting Requirements

The Government Accountability Office (GAO) has launched a rapid response survey of healthcare organizations and business associates covered by the Health Insurance Portability and Accountability Act (HIPAA) seeking feedback on their experiences reporting data breaches to the Secretary of the Department of Health and Human Services (HHS). The questionnaire was initially due to remain open until 4 p.m. EST on Friday, February 4, 2022, but the deadline has now been extended by a week to February 11, 2022. The survey is being conducted through Survey Monkey and can be accessed here.

Congress requested the GAO review the number of data breaches reported to the HHS since 2015, and the survey seeks to identify some of the challenges, if any, faced by covered entities and business associates in meeting the data breach reporting requirements of the HHS. The GAO will also determine what efforts the HHS has made to address any breach reporting issues and improve the data breach reporting process.

The survey is being distributed by the Health-ISAC, Health Sector Coordinating Council (HSCC) and the American Hospital Association (AHA) on behalf of the GAO, and responses will be provided in aggregate to GAO.

GAO has requested only one survey be completed by each covered entity and business associate. GAO said it will not attribute specific comments to specific individuals and/or organizations when it produces the report, and the only individually identifiable information passed to GAO will be the email address provided in the survey along with any individually identifiable information provided voluntarily in any of the open-ended questions.

“This is an important opportunity to inform the work of the GAO and help identify the benefits of, along with the many issues of concern expressed over the years by hospitals and health system victims of cyberattacks, regarding the ensuing HHS Office for Civil Rights audit and investigation process,” said John Riggi, AHA national advisor for cybersecurity and risk.


Cyberattacks and Data Theft Incidents Reported by Medical Healthcare Solutions and Advocates Inc.

Advocates Inc., a Massachusetts-based nonprofit provider of support services for individuals experiencing life challenges such as addiction, autism, brain injury, intellectual disabilities, mental health, and behavioral health, has announced it recently experienced a sophisticated cyberattack and data theft incident.

Advocates was informed on October 1, 2021, that an unauthorized individual had gained access to its network and copied files containing the sensitive data of patients and employees. A leading cybersecurity firm was engaged to assist with the investigation, which revealed an unknown individual had accessed its network and copied files over a four-day period between September 14, 2021, and September 18, 2021.

The files contained names, addresses, dates of birth, Social Security numbers, health insurance information, client ID numbers, diagnoses, and treatment information. After confirming the individuals affected, Advocates collected up-to-date contact information to allow written notices to be provided, hence the delay in issuing notification letters.

The cyberattack was reported to the Federal Bureau of Investigation and regulators. The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates the protected health information of 68,236 individuals was included in the stolen files. Advocates said it is unaware of any attempted or actual misuse of the stolen information; however, as a precaution, affected individuals have been offered complimentary credit monitoring and identity theft protection services.

PHI Stolen in Cyberattack on Medical Healthcare Solutions

The Boston, MA-based medical billing company Medical Healthcare Solutions has recently announced it was the victim of a cyberattack. The attack was discovered on November 19, 2021, and steps were immediately taken to secure its network to prevent further unauthorized access. The investigation confirmed an unauthorized individual had accessed its network between October 1, 2021, and October 4, 2021, and copied certain files from its network.

A review of the stolen files revealed they contained the following types of data: Name, address, date of birth, sex, phone number, email address, Social Security number, driver’s license/state ID number, financial account number, routing number, payment card number, card CVV/expiration, diagnosis/treatment information, procedure type, provider name, prescription information, date of service, medical record number, patient account number, insurance ID number, insurance group number, claim number, insurance plan name, provider ID number, procedure code, treatment cost, and diagnosis code.

A final list of individuals affected by the breach was obtained on January 8, and notification letters have now been issued. Complimentary credit monitoring and identity theft protection services have been offered to affected individuals. The incident has been reported to the HHS’ Office for Civil Rights, but it has not yet appeared on the breach portal, so it is currently unclear how many individuals have been affected.


Data Breaches Reported by Houston Area Community Services, County of Kings, and NYU Langone Health

Data breaches have recently been reported by Houston Area Community Services, County of Kings in California, and NYU Langone Health.

Avenue 360 Health and Wellness Reports Breach of Employee Email Accounts

Houston Area Community Services, Inc., doing business as Avenue 360 Health and Wellness, has discovered an unauthorized individual has gained access to the email accounts of certain employees and may have viewed or obtained the protected health information of 12,186 individuals.

Avenue 360 Health and Wellness said its investigation determined the email accounts were compromised between January 15, 2021, and April 2, 2021. A third-party vendor that specializes in the analysis of security incidents such as this was engaged to assist with the investigation.

A comprehensive review was conducted of all emails and attachments in the account. On November 9, 2021, Avenue 360 discovered the account contained names, medical record numbers, health insurance information, birthdates, diagnoses, clinical and treatment information, and prescription information. A limited number of individuals also had their Social Security numbers and/or financial information exposed.

Avenue 360 has not received any reports of actual or attempted misuse of patient data as a result of the email security breach. Notification letters started to be sent to affected individuals on January 5, 2022, and complimentary credit monitoring services have been offered to individuals whose Social Security number was exposed. Email security has since been improved with anti-spam technology and multi-factor authentication.

Web Server Misconfiguration Exposed COVID-19 Data of 16,590 Individuals

County of Kings, a political subdivision of the State of California, has discovered a public web server has been misconfigured which resulted in the exposure of information about COVID-19 cases.

The data had been provided to the County’s Public Health Department by the California Department of Public Health and County healthcare providers and included names, dates of birth, addresses, and COVID-19 related information. The misconfiguration was detected on November 24, 2021, and the issue was fully corrected on December 6, 2021. The investigation revealed the misconfiguration occurred on February 15, 2021.

County of Kings officials said they could not rule out unauthorized access to the data over those 10 months, although there are no indications that any of the exposed information has been or will be misused.

On January 21, 2022, notification letters started to be sent to the 16,590 individuals whose sensitive information had been exposed. The County believes that the limited nature of the exposed data means individuals are not at risk and do not need to take any further action. The County said it is taking steps to ensure COVID-19 information is better protected in the future.

NYU Langone Health Notifies 1,123 Patients About Mismailing Incident

NYU Langone Health has started notifying 1,123 patients about a vendor mailing error. On or around November 12, 2021, NYU Langone notified patients about a planned relocation of one of its oncology surgeons, who was based in Lake Success, NY.

A third-party vendor was used to send the notification letters and reformatted the addresses, which resulted in a misalignment of patient names and addresses on the envelopes. As a result, the letters were sent to incorrect addresses. The letters were addressed as “Dear Patient,” and did not include any protected health information.

NYU Langone has received assurances from its vendor that policies, procedures, and practices have been reviewed and updated to prevent similar misdirected mailings in the future.


Memorial Health System Faces Class Action Lawsuit Over August 2021 Cyberattack

Marietta Area Health Care Inc., doing business as Memorial Health System, is facing a class action lawsuit over a cyberattack and data breach that was detected by Memorial Health System on August 14, 2021.

The investigation into the attack confirmed the attackers first gained access to company servers on or around July 10, 2021, and installed malware on its systems. Unauthorized access remained possible until August 15, 2021.

The breach notification letters state Memorial Health System learned on September 17, 2021, that the threat actor potentially accessed or acquired information from its systems. The review of the affected systems was completed on November 1, 2021, and affected individuals were notified on January 12, 2022, and were offered a 12-month complimentary membership to a credit monitoring service. The breach notice submitted to the Maine attorney general indicates the personal information of 216,478 individuals was potentially accessed by the attackers.

The lawsuit was filed in the U.S. District Court for the Southern District of Ohio, Eastern Division, against Marietta Area Health Care Inc. dba Memorial Health System on behalf of plaintiff Kathleen Tucker and other individuals affected by the breach.

The lawsuit alleges the plaintiff’s and class members’ personal information, which included names, dates of birth, medical record numbers, patient account numbers, Social Security Numbers, and medical information, was compromised and unlawfully accessed, and that the plaintiff and class members, “suffered ascertainable losses in the form of the loss of the benefit of their bargain, out-of-pocket expenses and the value of their time reasonably incurred to remedy or mitigate the effects of the attack.”

The lawsuit alleges Memorial Health System was negligent for maintaining the private information of patients in a reckless manner by storing the information on systems that were vulnerable to cyberattacks. The lawsuit alleges the risk of cyberattacks was known to the defendant yet the necessary steps to secure private information were not taken. In addition to the negligence claim, the lawsuit alleges negligence per se, breach of implied contract, and unjust enrichment.

The plaintiff and class members are alleged to now be exposed to a heightened and imminent risk of fraud and identity theft and must now and in the future closely monitor their financial accounts to guard against identity theft. Out-of-pocket expenses have also been incurred, including the cost and time of arranging credit monitoring services, credit freezes, and credit reports.

The lawsuit seeks a jury trial and compensatory damages, treble damages, punitive damages, reimbursement of out-of-pocket costs, and injunctive relief, which should include improvements to Memorial Health System’s data security systems, future annual audits, and providing adequate credit monitoring services to individuals affected by the breach.

The lawsuit was filed by attorney Joseph M. Lyon of The Lyon Firm, LLC. The law firm of Console & Associates, P.C. has also initiated an investigation into the cyberattack and data breach.


Settlement Reached in Excellus Class Action Data Breach Lawsuit

Excellus Health Plan Inc., its affiliated companies, and the Blue Cross Blue Shield Association (BCBSA) have reached a settlement to resolve a class action lawsuit that was filed in relation to a cyberattack discovered in 2015 involving the personally identifiable information (PII) and protected health information (PHI) of more than 10 million members, subscribers, insureds, patients, and customers.

The cyberattack was detected on August 5, 2015, by a cybersecurity firm that was hired to assess Excellus’s information technology system. The subsequent investigation by Excellus and cybersecurity firm Mandiant determined hackers had first gained access to its systems on or before December 23, 2013. Evidence was found that indicated the hackers were active within its network until August 18, 2014, after which no traces of activity were found; however, malware had been installed which gave the attackers access to its network until May 11, 2015. On that date, something happened that prevented the hackers from accessing its network. It took Excellus 17 months from the initial intrusion to detect the security breach.

The HHS’ Office for Civil Rights (OCR) launched an investigation into the data breach and uncovered several potential violations of the HIPAA Rules, including security failures and the impermissible disclosure of the PHI of 9.3 million individuals. The case was settled in January 2021 and Excellus agreed to pay a financial penalty of $5.1 million to resolve the HIPAA violations and to implement a corrective action plan to address the security failures and the alleged HIPAA non-compliance issues.

The lawsuit was brought against Excellus, Lifetime Healthcare Inc., Lifetime Benefit Solutions Inc., Genesee Region Home Care Association Inc., MedAmerica Inc., Univera Healthcare, and the Blue Cross Blue Shield Association, on behalf of all individuals affected by the data breach. Initially, the lawsuit sought monetary damages and injunctive relief; however, for several legal reasons, the court was unable to certify classes seeking monetary damages, and only certified a class for injunctive relief.

The plaintiffs alleged the defendants had failed to implement appropriate security measures to ensure the confidentiality of PII and PHI, failed to detect the security breach for 17 months, and when the breach was detected, waited too long to notify affected individuals and then failed to provide sufficient information about how victims could protect themselves from harm. The lawsuit required the Excellus defendants and BCBSA to change their information security practices with respect to PII and PHI and to invest in information security. The Excellus defendants and BCBSA denied any wrongdoing and, to date, no court has determined the defendants have done anything wrong.

The Excellus defendants and BCBSA have agreed to cover reasonable attorneys’ fees, costs, and expenses as approved by the courts. The costs include a maximum of $3.3 million to cover attorneys’ fees and the reimbursement of expenses of no more than $1,000,000. Service awards of up to $7,500 will also be provided to class representatives.

Changes will be made to business practices regarding the safeguarding of PII and PHI which will cover the three years from the finalization of the settlement or the two years after each of the changes has been implemented. The information security requirements detailed in the settlement require the Excellus defendants and BCBSA to:

  • Increase and maintain a minimum information security budget
  • Develop a strategy and engage vendors to ensure records containing PII or PHI are disposed of within one year of the original retention period
  • Take steps to improve the security of its network, including the use of tools for detecting suspicious activity, authenticating users, responding to and containing security incidents, and document retention
  • Engage in an extensive data archiving program and provide plaintiffs with documentation confirming the extent, scope, and thoroughness of the archiving project
  • Provide the plaintiffs with copies of documents provided to OCR that demonstrate compliance with the OCR settlement and corrective action plan
  • Make an annual declaration attesting to compliance with each aspect of the items in the settlement, including the extent to which it has not been possible to comply with any of the items

If the settlement is agreed by the court – a hearing has been scheduled for April 13, 2022 – all plaintiffs and class members will be required to release all claims against the Excellus defendants and BCBSA for injunctive and declaratory relief. The settlement will not release any claims against the Excellus defendants and BCBSA for monetary damages.


New York Fines EyeMed $600,000 for 2.1 Million-Record Data Breach

The first settlement of 2022 to resolve a healthcare data breach has been announced by New York Attorney General Letitia James. The Ohio-based vision benefits provider EyeMed Vision Care has agreed to pay a financial penalty of $600,000 to resolve a 2020 data breach that saw the personal information of 2.1 million individuals compromised nationwide, including the personal information of 98,632 New York residents.

The data breach occurred on or around June 24, 2020, and saw unauthorized individuals gain access to an EyeMed email account that contained sensitive consumer data provided in connection with vision benefits enrollment and coverage. The attacker had access to the email account for around a week and was able to view emails and attachments spanning a period of 6 years dating back to January 3, 2014. The emails contained a range of sensitive information including names, contact information, dates of birth, account information for health insurance accounts, full or partial Social Security numbers, Medicare/Medicaid numbers, driver’s license numbers, government ID numbers, birth/marriage certificates, diagnoses, and medical treatment information.

Between June 24, 2020, and July 1, 2020, the attackers accessed the account from multiple IP addresses, including some from outside the United States, and on July 1, 2020, the account was used to send around 2,000 phishing emails to EyeMed clients. The EyeMed IT department detected the phishing emails and received multiple inquiries from clients querying the legitimacy of the emails. The compromised account was then immediately secured.

The subsequent forensic investigation confirmed the attacker could have exfiltrated data from the email account while access was possible but could not determine if any personal information was stolen. Affected individuals were notified in September 2020 and were offered complimentary credit monitoring, fraud consultation, and identity theft restoration services.

The Office of the New York Attorney General investigated the security incident and data breach and determined that, at the time of the attack, EyeMed had failed to implement appropriate security measures to prevent unauthorized individuals from accessing the personal information of New York residents.

The email account was accessible via a web browser and contained large quantities of consumers’ sensitive information spanning several years, yet EyeMed had failed to implement multifactor authentication on the account. EyeMed also failed to implement adequate password management requirements for the email account. The password requirements for the account were not sufficiently complex, requiring a password of only 8 characters, even though EyeMed was aware of the importance of password complexity, as admin-level accounts required passwords of at least 12 characters. EyeMed also allowed 6 failed password attempts before locking out the user ID. EyeMed had also failed to maintain adequate logging of email accounts and was not monitoring email accounts, which made it difficult to identify and investigate security incidents. It was also unreasonable to retain consumer data in the email account for such a long period of time. Older emails should have been transferred to more secure systems and deleted from the email account.

State attorneys general have the authority to impose financial penalties for HIPAA violations and it would have been possible to cite violations of HIPAA; however, New York only cited violations of New York General Business Law.

Under the terms of the settlement, EyeMed is required to pay a financial penalty of $600,000 and must implement several measures to improve security and prevent further data breaches. Those measures include:

  • Maintaining a comprehensive information security program that is regularly updated to keep pace with changes in technology and security threats
  • Maintaining reasonable account management and authentication, including the use of multi-factor authentication for all administrative or remote access accounts
  • Encrypting sensitive consumer information
  • Conducting a reasonable penetration testing program to identify, assess, and remediate security vulnerabilities
  • Implementing and maintaining appropriate logging and monitoring of network activity
  • Permanently deleting consumers’ personal information when there is no reasonable business or legal purpose to retain it

“New Yorkers should have every assurance that their personal health information will remain private and protected. EyeMed betrayed that trust by failing to keep an eye on its own security system, which in turn compromised the personal information of millions of individuals,” said Attorney General James. “Let this agreement signal our continued commitment to holding companies accountable and ensuring that they are looking out for New Yorkers’ best interest. My office continues to actively monitor the state for any potential violations, and we will continue to do everything in our power to protect New Yorkers and their personal information.”
