HIPAA Breach News

PHI of Anthem Members and Advocate Aurora Health Patients Potentially Compromised

Anthem Inc. has alerted 2,003 members that some of their protected health information has potentially been viewed or obtained by an unauthorized individual who gained access to the network of one of its business associates.

Anthem works with the Atlanta, GA-based insurance broker OneDigital, which provides support for individuals enrolled in group health plans to help them procure and manage their health insurance. OneDigital had been provided with the protected health information of certain members to assist them or their current or former employer to obtain and manage their health insurance plan.

On November 24, 2021, Anthem was notified by OneDigital about a network server hacking incident that occurred in January 2021. Anthem said the investigation into the breach did not uncover any direct evidence of unauthorized viewing or theft of protected health information, but those activities could not be ruled out.

The types of data stored on the compromised systems included names, addresses, dates of birth, healthcare provider names, health insurance numbers, group numbers, dates and types of health care services, medical record numbers, lab test results, prescription information, payment information, claims information, Social Security numbers, and driver’s license numbers.

Affected individuals have been offered complimentary credit monitoring and identity theft protection services for 12 months. Anthem said it is working with OneDigital to reduce the risk of similar breaches occurring in the future.

Billing Error Results in Exposure of the PHI of More Than 1,700 Advocate Aurora Health Patients

The Illinois-based 26-hospital health system, Advocate Aurora Health, has notified more than 1,700 patients that some of their protected health information has potentially been compromised.

On or around July 29, 2021, billing statements were prepared and mailed to patients, but they failed to reach their destination. The statements contained a limited amount of protected health information, such as patients’ names, dates of service, the types of services provided, the name of the healthcare provider they visited, and visit account numbers.

Advocate Aurora Health discovered the billing error on October 29, 2021. The subsequent investigation revealed there had been an accidental change to its billing software that went unnoticed, which resulted in statements being mailed to the wrong address. Advocate Aurora Health said it has not received any reports of attempted or actual misuse of any patient data as a result of the incident, but patients have been notified by mail as a precaution and have been offered complimentary credit monitoring services.

Advocate Aurora Health said it is making changes to its internal processes and technology to prevent similar breaches in the future. The breach was reported to the HHS’ Office for Civil Rights as affecting 1,729 individuals.


Over 30 Healthcare Providers Affected by CIOX Health Data Breach

The health information management services provider CIOX Health has suffered a data breach that has affected at least 32 healthcare providers. In July 2021, CIOX Health discovered an unauthorized individual had gained access to the email of an employee in the customer service department. The email account was immediately secured, with the subsequent investigation confirming the email account had first been accessed by an unauthorized individual on June 24, 2021, and access remained possible until the security breach was detected on July 2, 2021.

The CIOX Health breach investigation confirmed that the incident was confined to a single employee email account. On September 24, 2021, the review of the account’s contents determined that it held emails and attachments containing the protected health information of some of its healthcare provider clients, such as names, dates of birth, provider names, and dates of service, together with the Social Security numbers, driver’s license numbers, health insurance information, and/or treatment information of a very limited number of individuals.

The employee in question worked in customer service and, as such, assisted healthcare provider clients across the country with billing issues and other customer service requests, hence the large number of affected clients. The employee did not, however, have access to the medical record systems of any of its healthcare provider clients.

CIOX Health said that during the time that the account was accessible it is possible that emails containing protected health information were accessed or copied, but no direct evidence of attempted or actual misuse of patient data has been uncovered. CIOX Health believes that the email account was compromised to send phishing emails from the company domain to individuals unrelated to CIOX Health.

CIOX Health is encouraging all individuals affected by the breach to check their account statements and explanation of benefits statements from their healthcare providers and insurers for any sign of unauthorized use of their information.

In response to the breach, CIOX Health will be implementing stronger email security measures and will provide the workforce with further security awareness training.

CIOX Health started notifying affected healthcare provider clients about the breach on December 30, 2021. Healthcare providers known to have been affected by the email account breach at CIOX Health are listed below.

  • AdventHealth – Orlando
  • Alabama Orthopaedic Specialists
  • Baptist Memorial Health Care
  • Butler Health Systems
  • Cameron Memorial Community Hospital
  • Centra Health
  • Children’s Healthcare of Atlanta
  • Coastal Family Health Center
  • Copley Hospital
  • DeSoto Memorial Hospital Health System
  • EvergreenHealth
  • Hoag Health System
  • Hospital Sisters Health System
  • Huntsville Hospital Health System
  • Indiana University Health
  • McLeod Health System
  • MD Partners
  • Niagara Falls Memorial Medical Center Health System
  • Northern Light Mercy Hospital
  • Northwestern Medicine
  • Ohio State University Health System
  • OrthoConnecticut
  • Prisma Health – Greenville Health System
  • Prisma Health – Palmetto Health
  • Sarasota County Public Hospital District d/b/a Sarasota Memorial Health Care System
  • Trinity Health – Holy Cross Hospital
  • Trinity Health – Mount Carmel Health System
  • Trinity Health – Saint Alphonsus Health System
  • Trinity Health – St. Francis Medical Center
  • Trinity Health – St. Joseph Mercy Health System
  • Union Hospital Healthcare System
  • Women’s Health Specialist

The security breach has been reported to the HHS’ Office for Civil Rights by CIOX Health as affecting 12,493 individuals.


Millennium Eye Care Says Ransomware Gang Stole a Large Amount of Patient Data

Millennium Eye Care, a Freehold, NJ-based provider of ophthalmology services, announced on December 22, 2021, that hackers recently gained access to its computer network and used ransomware to encrypt files in an attempt to extort money from the practice.

The breach notification letters do not state when the attack occurred, but Millennium Eye Care said it discovered on November 14, 2021, that the attackers had exfiltrated “a large amount of data” prior to encrypting files. The files obtained in the attack included a range of protected health information, including names and Social Security numbers.

Millennium Eye Care said it has increased network security measures to reduce the risk of further attacks and has provided additional cybersecurity training to the workforce to help them recognize external attacks.

Affected individuals have been notified by mail and have been provided with information on the steps they can take to protect against identity theft and fraud. Identity theft protection services are being provided free of charge and affected patients will also be covered by a $1,000,000 identity theft reimbursement policy.

The breach has been reported to regulators but has not yet appeared on the HHS’ Office for Civil Rights breach portal so it is currently unclear how many patients have been affected.

Cyberattack Reported by Duneland School Corporation

Duneland School Corporation in Indiana has notified the HHS’ Office for Civil Rights about a recent cyberattack in which the protected health information of 7,000 individuals was potentially compromised.

The cyberattack was detected on October 27, 2021, and resulted in certain systems within its computer network being made unavailable. A third-party cybersecurity firm was engaged to investigate and determine the nature and scope of the attack. The investigation confirmed that unauthorized individuals had access to parts of its network between October 21 and October 27, and those systems contained the personal information of employees and information related to its self-insured health plan, such as names, dates of birth, Social Security numbers, driver’s license numbers, and benefits information.

Duneland School Corporation says it has implemented additional safeguards and technical security measures to prevent any further cyberattacks. Identity monitoring services are being provided to current and former employees, beneficiaries, and dependents whose data were compromised.


BioPlus Specialty Pharmacy Services Faces Class Action Lawsuit Over Data Breach

A Florida specialty pharmacy is facing a class action lawsuit over an October 2021 cyberattack in which the personally identifiable information (PII) and protected health information (PHI) of up to 350,000 patients were stolen.

Altamonte Springs, FL-based BioPlus Specialty Pharmacy Services said a hacker had access to its network from October 25, 2021, until November 11, 2021, and during that time viewed files containing sensitive patient data. A computer forensics firm investigated the breach and confirmed patient data had been accessed. Since it was not possible to determine how many patients had been affected, the decision was taken to send notification letters to all 350,000 patients on or around December 10, 2021, one month after the breach was discovered.

Data potentially compromised in the attack included names, contact information, dates of birth, medical record numbers, health insurance and claims information, diagnoses, prescription information, and Social Security numbers. Affected individuals were offered a 12-month subscription to credit monitoring services at no cost.

In late December, BioPlus patient Bonnie Gilbert and her attorneys filed a lawsuit in the U.S. District Court of the Middle District of Florida alleging BioPlus had violated the Health Insurance Portability and Accountability Act (HIPAA) by failing to ensure the confidentiality, integrity, and availability of the PHI of its patients.

The lawsuit alleges negligence for failing to maintain reasonable data security safeguards, failing to implement industry-standard data security practices, and failing to exercise reasonable care in the hiring and supervision of its employees and agents. The lawsuit also claims BioPlus failed to detect the attack and the exfiltration of sensitive data from its network, and delayed breach notifications. The lawsuit claims that if a reasonable amount of care had been taken and appropriate data security measures had been in place, the attack could have been detected sooner and/or prevented.

The lawsuit alleges the plaintiff and class members have suffered “numerous actual and imminent injuries” as a direct result of the data breach, including the theft of their PII and PHI, invasion of privacy, a reduction in the economic value of their PII and PHI, emotional distress and stress, and a significant present and future risk of identity theft and financial fraud, as well as incurring costs attempting to mitigate and deal with the consequences of the data breach.

The lawsuit seeks class action certification, a jury trial, injunctive relief, declaratory relief, and monetary damages. The plaintiff is represented by Morgan & Morgan and Markovits, Stock, & DeMarco LLC.


Almost 80,000 Patients Affected by Cyberattack on Fertility Centers of Illinois

Fertility Centers of Illinois (FCI) has recently notified 79,943 current and former patients that some of their protected health information may have been viewed or obtained by unauthorized individuals.

FCI identified suspicious network activity on February 1, 2021, and took prompt action to secure its systems. Independent forensic investigators were then engaged to determine the nature and scope of the security breach.

FCI had implemented security measures to keep patient data secure, and those measures ensured its electronic medical record system could not be accessed; however, the attackers were found to have accessed administrative files and folders. A review of those files confirmed on August 27, 2021, that they contained a range of patient data including names in combination with one or more of the following types of information:

Social Security numbers, passport numbers, financial account information, payment card information, diagnoses, treatment information, medical record numbers, billing/claims information, prescription information, Medicare/Medicaid identification information, health insurance group numbers, health insurance subscriber numbers, patient account numbers, encounter numbers, referring physicians, usernames and passwords with PINs or account login information.

Employee information was also potentially compromised including names, employer-assigned identification numbers, ill-health/retirement information, occupational health-related information, medical benefits and entitlements information, patkeys/reason for absence, and sickness certificates.

FCI said it had strict security measures in place to prevent unauthorized data access, but the attackers were able to bypass those controls. Steps have since been taken to further secure its systems, data, and equipment, including implementing enterprise-class identity verification software and providing additional training to the workforce on security practices.

All affected individuals have been notified by mail and have been offered complimentary credit monitoring and identity theft protection services for 12 months through Equifax.


Rhode Island Public Transit Authority Data Breach to be Investigated by State Attorney General

The Rhode Island Public Transit Authority (RIPTA) has recently notified the Department of Health and Human Services’ Office for Civil Rights about a data breach involving the protected health information (PHI) of 5,015 members of its group health plan.

RIPTA explained in a breach notice on its website that the cyberattack was detected and blocked on August 5, 2021, and the forensic investigation determined hackers had access to its network from August 3, 2021. A comprehensive review of files on the compromised parts of its network identified files related to the RIPTA health plan, which were found to contain the names, addresses, dates of birth, Social Security numbers, Medicare ID numbers, qualification information, health plan ID numbers, and claims information of health plan members. It was also confirmed that those files had been exfiltrated from its systems by the attackers.

RIPTA sent notification letters to affected individuals on December 22, 2021, and offered a complimentary membership to Equifax’s identity monitoring services. RIPTA also explained in its website breach notice that it has implemented additional security measures to prevent further data breaches.

In the days following the mailing of notification letters, the office of the Rhode Island attorney general received a high number of calls from individuals with no direct connection to RIPTA who had received a notification letter informing them that their personal and health information had been compromised in the data breach. Several complaints were also made to the Rhode Island American Civil Liberties Union (ACLU).

On December 28, 2021, Steve Brown, Executive Director of the Rhode Island ACLU, wrote to Scott Avedisian, CEO of RIPTA, seeking answers about the data breach and why individuals with no relationship whatsoever with RIPTA had been notified that their personal data had been compromised. Brown also said in the letter that “The information that has been provided publicly by RIPTA about this security breach is, in many ways, significantly and materially different from the information RIPTA has provided the affected individuals about it.”

The public notice on the RIPTA website made two references to a breach of RIPTA health plan data, specifically stating the breach involved “the personal information of our health plan” and “files pertaining to RIPTA’s health plan.” Brown said the letters are “extremely misleading and seriously downplays the extensive nature of the breach.” Brown said all of the complainants said they had never been employed by RIPTA and some even said they had never even ridden on a RIPTA bus.

Further, the breach notice submitted to the HHS’ Office for Civil Rights indicates 5,015 health plan members were affected, when the notification letters stated the breach affected 17,378 individuals in Rhode Island, which raises the question of why RIPTA was storing the data of an additional 12,363 individuals.

Brown also pointed out that the notification letters explained the breach was detected on August 5, 2021, yet it took RIPTA two and a half months to identify the individuals who had been affected, and then a further two months for notification letters to be issued.

RIPTA senior executive Courtney Marciano explained to the Providence Journal that the files obtained by the hackers included the data of individuals with no connection to RIPTA because RIPTA’s previous health insurance provider had sent files that contained the personal and health data of individuals with no connection to RIPTA. RIPTA had previously used UnitedHealthcare for its group health plan but then switched to Horizon BlueCross/Blue Shield of Rhode Island. The files sent to RIPTA by UnitedHealthcare allegedly contained details of health claims of all state employees.

The reason for the delay in issuing notifications was explained as being due to the labor-intensive process of determining which individuals had been affected and verifying contact information, and also sorting through the files to determine which claims were for current or former RIPTA employees.

Rhode Island Attorney General Peter Neronha told The Providence Journal that he will be opening an investigation into the data breach to determine if any state laws have been violated, such as the Identity Theft Protection Act of 2015. The HHS’ Office for Civil Rights may also choose to investigate UnitedHealthcare over the apparent impermissible disclosure of the PHI of state employees to RIPTA. The OCR breach portal has no corresponding breach report from UnitedHealthcare.


Broward Health Notifies Over 1.3 Million Individuals About October 2021 Data Breach

The year has started with a major breach report from Broward Health in Florida, which has recently started notifying more than 1.3 million patients and employees about a data breach that occurred on October 15, 2021. A hacker gained access to the Broward Health network through the office of a third-party medical provider that had been granted access to the Broward Health network for providing healthcare services.

Broward Health discovered and blocked the intrusion on October 19, 2021, and a password reset was performed for all employees to prevent further unauthorized access. Assisted by a third-party cybersecurity company, Broward Health conducted a comprehensive investigation to determine the nature and scope of the breach.

The investigation confirmed the attacker had access to parts of the network where employee and patient information were stored, including sensitive data such as names, dates of birth, addresses, email addresses, phone numbers, Social Security numbers, financial/bank account information, health insurance information, medical histories, health conditions, treatment and diagnosis information, medical record numbers, and driver’s license numbers. Broward Health said some data was exfiltrated from its systems.

The cyberattack was reported to the Department of Justice which requested Broward Health delay sending breach notification letters to affected individuals so as not to interfere with the law enforcement investigation.

Broward Health has taken steps to improve security and prevent similar incidents in the future, which include implementing multifactor authentication for all users of its systems and setting minimum security requirements for all devices with access to its network that are not managed by Broward Health’s information technology department. Those security requirements will take effect this January.

Broward Health has not received any reports that indicate patient or employee data have been misused, but as a precaution against identity theft and fraud, affected individuals have been offered a complimentary 2-year membership to the Experian IdentityWorks service, which includes identity theft protection, detection, and resolution services.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal but has been reported to the Maine Attorney General as potentially affecting 1,357,879 patients.


Saltzer Health Alerts Patients About PHI Exposure in Email Account Breach

Nampa, Idaho-based Saltzer Health has started notifying certain patients that some of their protected health information (PHI) has been exposed in an email account breach that was detected on June 1, 2021.

The investigation revealed an unauthorized individual had access to an employee’s email account between May 25, 2021, and June 1, 2021. Saltzer Health was unable to find evidence indicating the attacker viewed or exfiltrated emails from the account, but it was not possible to rule out the possibility of unauthorized PHI access and data theft.

The investigation confirmed the breach was confined to a single email account and no other systems were affected. Assisted by third-party specialists, Saltzer Health conducted a comprehensive review of the email account to determine which patients had been affected.

The review was completed on September 21, 2021, and revealed the following types of patient data were stored in the account: names, contact information, state identification numbers, driver’s license numbers, medical record numbers, medical histories, diagnoses, treatment information, physician information, prescription information, and health insurance information, along with limited Social Security numbers and financial account information.

Once the affected patients were identified, Saltzer Health conducted a manual review of internal records to verify patients’ contact information, hence the delay in issuing breach notification letters until December.

Saltzer Health has provided affected patients with information about the steps they can take to guard against identity theft and fraud, but there is no mention in the substitute breach notice about the provision of credit monitoring or identity theft protection services.

The breach has been reported to the Department of Health and Human Services’ Office for Civil Rights, but it has yet to appear on the OCR breach portal, so it is currently unclear how many patients have been affected.


Largest Healthcare Data Breaches of 2021

The largest healthcare data breaches of 2021 rank as some of the worst of all time. In this post, we summarize some of the most serious data breaches to be reported in what has turned out to be another record-breaking year.

The Department of Health and Human Services’ Office for Civil Rights’ breach portal shows 686 healthcare data breaches of 500 or more records in 2021, and that number is likely to grow over the next couple of weeks and could well exceed 700 data breaches. As it stands, 2021 is already the worst ever year for healthcare data breaches, beating last year’s record of 642 data breaches.

It has also been a particularly bad year in terms of the number of breached healthcare records. Across the 686 healthcare data breaches reported in 2021, 44,993,618 healthcare records have been exposed or stolen, which makes 2021 the second-worst year in terms of breached healthcare records.

There have been 245 data breaches of 10,000 or more records, 68 breaches of the healthcare data of 100,000 or more individuals, 25 breaches that affected more than half a million individuals, and 10 breaches of the personal and protected health information of more than 1 million individuals. Almost three-fourths of the year’s breaches (73.9%) were hacking or other IT incidents.

The Largest Healthcare Data Breaches of 2021

Each of the data breaches below involved the personal and protected health information of more than 1,000,000 individuals. All of these data breaches were hacking incidents where unauthorized individuals gained access to healthcare networks where electronic healthcare data were stored.

Accellion FTA Hack – At Least 3.51 Million Records

The largest healthcare data breach was a hacking incident involving the firewall vendor Accellion. Four vulnerabilities in the legacy Accellion File Transfer Appliance (FTA) were exploited and more than 100 companies were affected, including at least 11 U.S. healthcare organizations. The Accellion FTAs were used for transferring files too large to be sent via email. The attack was conducted by a threat actor linked to the Clop ransomware gang. Ransomware was not used in the attack, but sensitive data were stolen, ransom demands issued, and stolen data were leaked on the Clop ransomware gang’s leak site.

The Accellion FTA hack does not appear as a single incident on the HHS’ Office for Civil Rights breach portal, as each affected healthcare organization reported the breach separately. In total, the protected health information of at least 3.51 million individuals is believed to have been stolen.

Florida Healthy Kids Corporation – 3.5 Million Records

The largest healthcare data breach of 2021 to be reported to the HHS’ Office for Civil Rights by a HIPAA-covered entity was a hacking incident at the Florida health plan, Florida Healthy Kids Corporation (FHKC). The breach was reported in January 2021 and was due to the failure of a security vendor to apply patches to fix multiple vulnerabilities on the FHKC website over a period of 7 years.

Hackers had access to the website for several years, and potentially stole highly sensitive information such as Social Security numbers and financial information. Some of the data on the website was also tampered with. The analysis of the breach revealed the personal and protected health information of 3.5 million individuals was exposed.

20/20 Eye Care Network, Inc – 3,253,822 Records

20/20 Eye Care Network, a Florida-based provider of eye and ear care services, exposed the personal and protected health information of 3,253,822 individuals as a result of a misconfigured Amazon Web Services S3 cloud storage bucket. In January 2021, 20/20 Eye Care Network discovered an unauthorized individual accessed the exposed storage bucket and downloaded some data, which may have included Social Security numbers, dates of birth, and health insurance information. The attacker then deleted the data in the bucket.

NEC Networks, LLC dba CaptureRx – At Least 2.42 Million Records

Texas-based NEC Networks, doing business as CaptureRx, was the victim of the largest healthcare ransomware attack of 2021. Prior to the use of ransomware to encrypt files, the attackers exfiltrated files containing the personal and protected health information of its healthcare provider clients. The breach was reported by NEC Networks as affecting 1,656,569 patients of its healthcare provider clients, but several clients reported the breach separately. In total, at least 2.42 million individuals were affected.

Forefront Dermatology, S.C. – 2,413,553 Records

The Wisconsin-based healthcare provider, Forefront Dermatology, discovered in June 2021 that unauthorized individuals had gained access to its network and potentially viewed and obtained private and confidential employee and patient information, including names and Social Security numbers.

The investigation confirmed the personal and protected health information of 4,431 individuals had been compromised, but the systems accessed by the attacker contained the records of 2,413,553 individuals, all of whom may have been affected.

Eskenazi Health – 1,515,918 Records

The Indiana-based healthcare provider Eskenazi Health suffered a ransomware attack in August conducted by the Vice ransomware gang. Prior to encrypting files, the attackers exfiltrated files containing the personal and protected health information of 1,474,284 patients, including Social Security numbers, passport numbers, driver’s licenses, photographs, pharmacy records, and financial information, some of which were leaked on the group’s data leak site when the ransom was not paid.

The Kroger Co. – 1,474,284 Records

The Ohio-based grocery chain and pharmacy operator, the Kroger Company, was one of the companies worst affected by the exploitation of vulnerabilities in its Accellion File Transfer Appliance (FTA). Kroger said the internal investigation revealed fewer than 1% of its customers were affected – 1,474,284 individuals. Names, contact information, Social Security numbers, insurance claim information, prescription information, and some medical history information were stolen in the attack. Lawsuits were filed in response to the breach, which Kroger settled for $5 million.

St. Joseph’s/Candler Health System, Inc. – 1,400,000 Records

Georgia-based St. Joseph’s/Candler Health System was another 2021 healthcare ransomware attack victim. The ransomware attack occurred in June; however, hackers had first breached its network 6 months previously. During those 6 months, the attackers had access to the sensitive data of 1,400,000 patients, including names, dates of birth, Social Security numbers, driver’s license numbers, financial information, health insurance information, and medical information. Two class action lawsuits were filed in the wake of the breach alleging negligence for failing to prevent the attack and for failing to discover the breach for 6 months.

University Medical Center Southern Nevada – 1,300,000 Records

The Nevada-based healthcare provider University Medical Center Southern Nevada suffered a ransomware attack conducted by the REvil ransomware gang. The attackers allegedly issued a ransom demand of $12 million for the keys to unlock encrypted files and to prevent any misuse of stolen data. The gang potentially stole the personal and protected health information of 1,300,000 patients, and some of that information was posted to the gang’s data leak site, including names, dates of birth, Social Security numbers, passports, and health histories.

American Anesthesiology, Inc. – 1,269,074 Records

New York-based American Anesthesiology, Inc. was affected by a phishing attack on one of its business associates, MEDNAX. Employees responded to the phishing emails and disclosed their credentials, which provided the attackers with access to email accounts containing the protected health information of 1,269,074 patients. The attack did not appear to have been conducted to steal patient data; instead, the attackers were trying to divert payroll to their own accounts.

Professional Business Systems, Inc. dba Practicefirst Medical Management Solutions and PBS Medcode Corp – 1,210,688 Records

The New York practice management company, Professional Business Systems, doing business as Practicefirst Medical Management Solutions and PBS Medcode Corp., was the victim of an attempted ransomware attack. Prior to attempting to encrypt data, the attackers exfiltrated files containing the names, addresses, driver’s license numbers, Social Security numbers, email addresses, and tax identification numbers of employees and patients of its healthcare provider clients. In total, the protected health information of 1,210,688 individuals was potentially stolen.

Other Large Healthcare Data Breaches Reported in 2021

The table below shows the U.S. healthcare data breaches reported to the HHS’ Office for Civil Rights in 2021 that affected between 500,000 and 1,000,000 individuals. At least 10 of the 15 breaches below are known to be ransomware attacks.

| Name of Covered Entity | State | Entity Type | Individuals Affected | Type of Breach | Breach Cause |
|---|---|---|---|---|---|
| Personal Touch Holding Corp. | New York | Business Associate | 753,107 | Hacking/IT Incident | Ransomware |
| Oregon Anesthesiology Group, P.C. | Oregon | Healthcare Provider | 750,500 | Hacking/IT Incident | Ransomware |
| UF Health Central Florida | Florida | Healthcare Provider | 700,981 | Hacking/IT Incident | Ransomware |
| Sea Mar Community Health Centers | Washington | Healthcare Provider | 688,000 | Hacking/IT Incident | Unspecified hacking incident involving data theft |
| Health Net Community Solutions | California | Health Plan | 686,556 | Hacking/IT Incident | Accellion FTA data theft and extortion attack |
| Community Medical Centers, Inc. | California | Healthcare Provider | 656,047 | Hacking/IT Incident | Unspecified hacking incident |
| DuPage Medical Group, Ltd. | Illinois | Healthcare Provider | 655,384 | Hacking/IT Incident | Ransomware |
| Hendrick Health | Texas | Healthcare Provider | 640,436 | Hacking/IT Incident | Ransomware |
| UNM Health | New Mexico | Healthcare Provider | 637,252 | Hacking/IT Incident | Unspecified hacking incident involving data theft |
| Trinity Health | Michigan | Business Associate | 586,869 | Hacking/IT Incident | Accellion FTA data theft and extortion attack |
| Utah Imaging Associates, Inc. | Utah | Healthcare Provider | 582,170 | Hacking/IT Incident | Unspecified hacking incident |
| Texas ENT Specialists | Texas | Healthcare Provider | 535,489 | Hacking/IT Incident | Ransomware |
| Wolfe Clinic, P.C. | Iowa | Healthcare Provider | 527,378 | Hacking/IT Incident | Ransomware |
| Health Net of California | California | Health Plan | 523,709 | Hacking/IT Incident | Accellion FTA data theft and extortion attack |
| State of Alaska Department of Health & Social Services | Alaska | Health Plan | 500,000 | Hacking/IT Incident | Hack by nation-state espionage group |
