HIPAA Breach News

Over 212,500 Patients Affected by 2020 Email Account Breach at Florida Digestive Health Specialists

The Bradenton, FL-based gastroenterology healthcare provider Florida Digestive Health Specialists (FDHS) has recently started notifying more than 212,000 patients that some of their protected health information has been exposed in a December 2020 cyberattack.

Notification letters were sent to affected individuals on December 27, 2021, by attorney Jason M. Schwent of Clark Hill. The letters explain that suspicious activity was detected in an employee email account on December 16, 2020, which involved an unauthorized individual sending emails from that account.

This was a business email compromise attack where access to an internal email account is gained, usually via a phishing email, and the account is then used to impersonate an employee to convince other individuals to make fraudulent wire transfers. In this case, on December 21, 2020, FDHS determined a fraudulent transfer of funds had been made to an unknown bank account.

FDHS engaged the services of Clark Hill and a third-party cybersecurity firm to investigate the cyberattack. The investigation confirmed a limited number of employee email accounts had been accessed by unauthorized individuals. Those accounts were described as “voluminous” and contained the personal and protected health information of 212,509 patients. In attacks such as this, the aim of the attack is to obtain payments through fraudulent wire transfers rather than to obtain patient data; however, data theft could not be ruled out.

The amount of data present in the compromised email accounts was provided as a reason for a 12-month delay in issuing notification letters to affected patients. FDHS said the review of the email accounts was time-consuming and only concluded on November 19, 2021.

In response to the breach, several changes were made to its IT systems to improve security. Those measures include a password reset across its IT environment, implementation of multifactor authentication, strengthening password protocols, and reconfiguring its firewall.

Affected individuals have been offered 12 months of complimentary credit monitoring and identity theft protection services.

The post Over 212,500 Patients Affected by 2020 Email Account Breach at Florida Digestive Health Specialists appeared first on HIPAA Journal.

Patient Data Stolen in Cyberattack on the Medical Review Institute of America

The Medical Review Institute of America (MRoiA) suffered a suspected ransomware attack in November 2021 in which sensitive patient data were stolen.

MRoiA is provided with patient data by HIPAA-covered entities as part of the clinical peer review process of healthcare services. In a data breach notice provided to the Vermont attorney general, MRoiA said it was the victim of a sophisticated cyberattack that was detected on November 9, 2021. Third-party cybersecurity experts were immediately engaged to conduct a forensic investigation to determine the nature and scope of the attack and to assist with its remediation efforts, including restoring its systems and operations.

On November 12, 2021, MRoiA discovered the attackers had exfiltrated sensitive data, including patients’ electronic protected health information (ePHI). MRoiA did not state in the breach notification letter whether ransomware was involved, although the attack has the hallmarks of a double-extortion ransomware attack.

MRoiA said on November 16, 2021, it received assurances that the stolen data were retrieved and copies of the data have been deleted, which suggests the ransom demand was paid, although that has not been confirmed.

MRoiA said the investigation into the attack is ongoing and a review of the compromised files has been completed. Individuals affected by the attack have had their full names compromised in addition to one or more of the following data elements: gender, home address, phone number, email address, date of birth, Social Security number, medical history, diagnosis, treatment information, dates of service, lab test results, prescription information, provider name, medical account number (and other data stored in medical files/records), health insurance information, and claims information.

MRoiA said that prior to the breach it had adopted the HITRUST Common Security Framework (CSF), was compliant with the requirements of HIPAA and the HITECH Act, and had secured its systems to prevent unauthorized access. In response to the breach, additional cybersecurity safeguards are being implemented. These include constant monitoring of systems using advanced threat hunting and detection software, implementing additional authentication procedures, hardening its backup environment, and enhancing employee cybersecurity training.

New servers were built from the ground up to ensure no further unauthorized access was possible and MRoiA is working with third-party cybersecurity experts to further improve its security posture. Affected individuals have been offered complimentary identity monitoring services.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Accountancy Firm Facing Class Action Lawsuit Alleging Negligence and Breach Notification Failures

The Chicago, IN-based certified public accounting firm Bansley & Kiener LLP is facing a class action lawsuit over a data breach that was reported to regulators this December.

The breach in question occurred in the second half of 2020, with the investigation indicating hackers accessed its systems between August 20, 2020, and December 1, 2020. Bansley & Kiener discovered the breach on December 10, 2020, when ransomware was used to encrypt files. Bansley & Kiener explained in its breach notification letters that it was confirmed on May 24, 2021, that the attackers had exfiltrated data from its systems prior to encrypting files.

Bansley & Kiener manages payroll, health insurance, and pension plans for its clients. In total, the sensitive information of 274,000 individuals was exposed or compromised, including names, dates of birth, Social Security numbers, passport numbers, tax IDs, military IDs, driver’s license numbers, financial account information, payment card numbers, health information, and complaint claims.

While the attack was detected in December 2020, it took until December 2021 for notification letters to be issued to affected individuals and for state attorneys general and the HHS’ Office for Civil Rights to be notified about the breach, 6 months after it was confirmed that sensitive data was stolen in the attack.

The lawsuit was filed by Mason Lietz & Klinger LLP in the Circuit Court, First Judicial Circuit of Cook County, Illinois on behalf of plaintiff Gregg Nelson. The lawsuit alleges Bansley & Kiener failed to safeguard the sensitive data of its clients and failed to provide timely, accurate, and adequate notice of the data breach to individuals whose sensitive information was stolen.

According to the lawsuit, Bansley & Kiener unnecessarily delayed the issuing of notifications about the data breach, even though the individuals whose data was stolen were placed at significant risk of identity theft and various other forms of personal, social, and financial harm. When the notifications were sent, they failed to fully explain the nature of the breach. They did not explain that this was a ransomware attack and referred to the incident as an unauthorized person gaining access to its network that resulted in the encryption of systems.

The lawsuit also takes issue with the response to the data breach. After discovering the attack, files were restored from backups and normal business operations were resumed, and it was only when it was discovered that data had been exfiltrated from its systems, 5 months after the attack, that cybersecurity experts were retained to investigate the breach.

The lawsuit alleges Bansley & Kiener suffered a data breach due to “negligent and/or careless acts and omissions” relating to the safeguarding of sensitive data, and failed to monitor its systems for security vulnerabilities. The lawsuit alleges victims of the breach have incurred out-of-pocket expenses related to the prevention, detection, and resolution of identity theft and/or unauthorized use of their data, have spent time trying to mitigate the effects of the data breach, and have suffered from the lost or diminished value of their personal data.

The lawsuit seeks actual, nominal, and consequential damages, punitive damages, injunctive relief, legal costs, and a jury trial.

Hospital, Pharmacy, and Dental Practice Report Hacking Incidents Impact More Than 355,000 Patients

A hacker gained access to the IT network of Altamonte Springs, FL-based BioPlus Specialty Pharmacy Services and accessed files containing sensitive patient data. The intrusion was detected on November 11, 2021, and steps were immediately taken to remove the hacker from its network. Assisted by a third-party computer forensics firm, BioPlus determined its IT environment was compromised on October 25, 2021, and the hacker was removed from its systems on November 11.

The investigation confirmed files containing the protected health information of certain patients had been accessed, but it was not possible to rule out the possibility that the hacker accessed the PHI of all of its patients. The decision was therefore taken to notify all 350,000 current and former patients about the breach.

Files that were accessible to the hacker included patient names, dates of birth, addresses, medical record numbers, current/former health plan member ID numbers, claims information, diagnoses, and/or prescription information. Some patients also had their Social Security number exposed. Notification letters started to be mailed on December 10, 2021. Patients who had their Social Security number exposed have been offered complimentary credit monitoring and identity protection services. BioPlus said it has implemented additional safeguards to prevent similar breaches in the future.

IT Systems Still Down a Week After Cyberattack on Capital Region Medical Center

Capital Region Medical Center (CRMC) in Jefferson City, MO, has confirmed it was the victim of a cyberattack that forced the shutdown of its network and phone systems. The cyberattack was detected on December 17, 2021, and its network and phone system are still offline. The medical center is operating on its downtime procedures and patients are being seen, but certain appointments have been canceled. The cyberattack has also affected Capital Region’s pharmacies.

“While our information security team is working diligently to bring our systems back online as quickly, and securely, as possible, nothing is more important to us than the health and safety of our patients and continuing to provide the care our patients expect,” Lindsay Huhman, CRMC director of marketing and communications, said in a news release. “There are downtime procedures in place for physicians, nurses, and staff to provide care in these types of situations, and our staff is committed to doing everything they can to mitigate disruption and provide uninterrupted care to our patients.”

5,356 Individuals Affected by Data Breach at Weddell Pediatric Dental Specialists

Weddell Pediatric Dental Specialists in Carmel, IN, has started notifying 5,356 individuals that an unauthorized individual gained access to an employee’s email account that contained their protected health information.

The email account breach was detected on July 23, 2021, and the account was immediately secured. Assisted by third-party cybersecurity professionals, the dental practice confirmed the breach was limited to one employee email account. The review and analysis of emails and attachments in the account were completed on October 27, 2021, and revealed the account contained patient names, along with one or more of the following data elements: date of birth, medical diagnosis, medical treatment information, financial account information and in some instances Social Security numbers.

Individuals who had their Social Security number exposed have been offered complimentary credit monitoring services for 12 months. Weddell Pediatric Dental Specialists said no information has been received to indicate any patient data has been misused.

PHI of Almost 400,000 Monongalia Health Patients Potentially Compromised in BEC and Phishing Attack

Morgantown, WV-based Monongalia Health System has started notifying almost 400,000 patients that some of their protected health information (PHI) may have been obtained by unauthorized individuals in a recent cyberattack.

The security incident came to light when one of its vendors reported not receiving a July 2021 payment that had left Monongalia Health’s accounts. The investigation into the incident confirmed this was a business email compromise (BEC) attack. The attacker had used a phishing email to obtain the credentials for a Monongalia Health contractor’s email account, which was used to send a request to Monongalia Health to have the bank account details for an upcoming payment changed to an account controlled by the attacker.

Monongalia Health said the investigation revealed several Monongalia Health email accounts had been compromised as a result of employees responding to phishing emails, and emails and email attachments in those accounts contained patients’ protected health information. The purpose of the attack appears to have solely been to obtain funds from Monongalia Health through fraudulent wire transfers, rather than to steal sensitive data.

The investigation confirmed several employee email accounts had been accessed by unauthorized individuals between May 10, 2021, and August 15, 2021, and while no evidence of data theft has been identified, unauthorized accessing of patients’ protected health information could not be ruled out. Monongalia Health said the data breach was limited to its email system and electronic medical records were unaffected. A review of the emails and attachments in the compromised accounts revealed they contained the PHI of patients of Monongalia County General Hospital and Stonewall Jackson Memorial Hospital. The PHI of patients of other Monongalia Health hospitals does not appear to have been compromised.

The exposed PHI included names, addresses, dates of birth, patient account numbers, health insurance plan member ID numbers, medical record numbers, dates of service, provider names, claims information, medical and clinical treatment information, status as a current or former Mon Health patient, and Medicare health insurance claim numbers, which could contain Social Security numbers.

Monongalia Health said it will be reviewing and enhancing its existing security protocols and practices and will implement multi-factor authentication for remote access to its email system. The HHS’ Office for Civil Rights Breach Portal indicates up to 398,164 individuals have been affected.

Hacking Incidents Reported by Southern Orthopaedic Associates and Eduro Healthcare

Paducah, KY-based Southern Orthopaedic Associates (SOA) has started notifying 106,910 patients about a breach of some of their protected health information.

SOA detected unauthorized activity in an employee email account on or around July 8, 2021. Steps were immediately taken to secure the account and an investigation was launched to determine the nature and scope of the breach. Assisted by a third-party computer forensics company, SOA determined that several employee email accounts had been compromised between June 24, 2021, and July 8, 2021; however, it was not possible to tell which, if any, emails in the accounts had been accessed.

A comprehensive review was conducted of all emails and attachments in the compromised accounts to determine if they contained any protected health information. The review was completed on October 21, 2021, and confirmed the accounts contained patient names and Social Security numbers.

Notification letters were sent to affected individuals starting on December 12, 2021. SOA has offered a complimentary 1-year membership to credit monitoring services through Experian, has implemented additional safeguards to improve email security, and has provided further security awareness training to the workforce.

Eduro Healthcare Data Breach Affects More Than 8,000 Patients

Salt Lake City, UT-based Eduro Healthcare has notified 8,059 patients about a potential breach of their protected health information. In March 2021, suspicious activity was detected in its network and action was immediately taken to contain the breach. The healthcare provider implemented its incident response plan which allowed it to quickly restore access to its network.

Eduro Healthcare said the prompt action taken in response to the breach was believed to have prevented unauthorized individuals from accessing and exfiltrating patient information; however, on August 24, 2021, Eduro Healthcare discovered some patient data had been exfiltrated and posted on a dark web data leak site.

A painstaking process of identifying the affected individuals and the types of data that had been compromised then commenced. That process was completed on October 21, 2021. The data compromised included first and last names, dates of birth, provider name, date(s) of service, treatment information, Social Security numbers, and health insurance information.

Affected individuals have been offered 12 months of complimentary credit monitoring and identity restoration services through IDX and will be protected by a $1,000,000 identity theft insurance policy. Eduro Healthcare has implemented additional security controls, conducted a complete audit of all accounts, strengthened password protocols, reconfigured its firewall, implemented multi-factor authentication on email accounts, and updated its network security protocols and procedures.

November 2021 Healthcare Data Breach Report

The number of reported healthcare data breaches has increased for the third successive month, with November seeing 68 data breaches of 500 or more records reported to the HHS’ Office for Civil Rights – a 15.25% increase from October and well above the 12-month average of 56 data breaches a month. From January 1 to November 30, 614 data breaches were reported to the Office for Civil Rights. It is looking increasingly likely that this year will be the worst ever year for healthcare data breaches.

The number of data breaches increased, but there was a sizable reduction in the number of breached records. Across the 68 reported breaches, 2,370,600 healthcare records were exposed, stolen, or impermissibly disclosed – a 33.95% decrease from the previous month and well below the 12-month average of 3,430,822 breached records per month.

Largest Healthcare Data Breaches Reported in November 2021

In November, 30 data breaches of 10,000 or more records were reported to the HHS’ Office for Civil Rights, and 4 of those breaches resulted in the exposure/theft of more than 100,000 records. The average breach size in November was 34,862 records and the median breach size was 5,403 records.

The worst breach of the month saw the protected health information of 582,170 individuals exposed when hackers gained access to the network of Utah Imaging Associates. Planned Parenthood also suffered a major data breach, with hackers gaining access to its network and exfiltrating data before using ransomware to encrypt files.

Sound Generations, a non-profit that helps older adults and adults with disabilities obtain low-cost healthcare services, notified patients about two ransomware attacks that had occurred in 2021, which together resulted in the exposure and potential theft of the PHI of 103,576 individuals.

| Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached PHI | Cause of Breach |
|---|---|---|---|---|---|
| Utah Imaging Associates, Inc. | Healthcare Provider | 582,170 | Hacking/IT Incident | Network Server | Unspecified hacking incident |
| Planned Parenthood Los Angeles | Healthcare Provider | 409,759 | Hacking/IT Incident | Network Server | Ransomware attack |
| The Urology Center of Colorado | Healthcare Provider | 137,820 | Hacking/IT Incident | Network Server | Unspecified hacking incident |
| Sound Generations | Business Associate | 103,576 | Hacking/IT Incident | Network Server | Two ransomware attacks |
| Mowery Clinic LLC | Healthcare Provider | 96,000 | Hacking/IT Incident | Network Server | Malware infection |
| Howard University College of Dentistry | Healthcare Provider | 80,915 | Hacking/IT Incident | Electronic Medical Record, Network Server | Ransomware attack |
| Sentara Healthcare | Healthcare Provider | 72,121 | Hacking/IT Incident | Network Server | Unspecified hacking incident at a business associate |
| Ophthalmology Associates | Healthcare Provider | 67,000 | Hacking/IT Incident | Electronic Medical Record, Network Server | Unspecified hacking incident |
| Maxim Healthcare Group | Healthcare Provider | 65,267 | Hacking/IT Incident | Email | Phishing attack |
| True Health New Mexico | Health Plan | 62,983 | Hacking/IT Incident | Network Server | Unspecified hacking incident |
| TriValley Primary Care | Healthcare Provider | 57,468 | Hacking/IT Incident | Network Server | Ransomware attack |
| Broward County Public Schools | Health Plan | 48,684 | Hacking/IT Incident | Network Server | Ransomware attack |
| Consociate, Inc. | Business Associate | 48,583 | Hacking/IT Incident | Network Server | |
| Doctors Health Group, Inc. | Healthcare Provider | 47,660 | Hacking/IT Incident | Network Server | Patient portal breach at business associate (QRS Healthcare Solutions) |
| Baywood Medical Associates, PLC dba Desert Pain Institute | Healthcare Provider | 45,262 | Hacking/IT Incident | Network Server | Unspecified hacking incident |
| Medsurant Holdings, LLC | Healthcare Provider | 45,000 | Hacking/IT Incident | Network Server | Ransomware attack |
| One Community Health | Healthcare Provider | 39,865 | Hacking/IT Incident | Network Server | Unspecified hacking incident |
| Educators Mutual Insurance Association | Business Associate | 39,317 | Hacking/IT Incident | Network Server | Malware infection |
| Victory Health Partners | Healthcare Provider | 30,000 | Hacking/IT Incident | Network Server | Ransomware attack |
| Commission on Economic Opportunity | Business Associate | 29,454 | Hacking/IT Incident | Network Server | Hacked public claimant portal |

Causes of November 2021 Healthcare Data Breaches

Hacking/IT incidents dominated the breach reports in November, accounting for 50 of the reported breaches. Ransomware continues to be extensively used in attacks on healthcare providers and their business associates, with the attacks often seeing sensitive patient data stolen and posted on data leak sites. The theft of patient data in these attacks also makes lawsuits more likely. Planned Parenthood, for example, was hit with a class action lawsuit a few days after mailing notification letters to affected patients.

2,327,353 healthcare records were exposed or stolen across those hacking incidents, which is 98.18% of all records breached in November. The average breach size for those incidents was 42,316 records and the median breach size was 11,603 records.

There were 11 unauthorized access/disclosure breaches in November – half the number of unauthorized access/disclosure breaches reported in October. Across those breaches, 37,646 records were impermissibly accessed or disclosed. The average breach size was 3,422 records and the median breach size was 1,553 records. There were also two reported cases of theft of portable electronic devices containing the electronic protected health information of 5,601 individuals.

November Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity type with 50 reported breaches, four of which occurred at business associates but were reported by the healthcare provider. Health plans reported 8 data breaches, 3 of which occurred at business associates, and business associates self-reported 10 data breaches. The pie chart below shows the breakdown of breaches based on where the breach occurred.

Geographic Distribution of November Healthcare Data Breaches

Healthcare data breaches of 500 or more records were reported by HIPAA-regulated entities in 32 states and the District of Columbia.

| State | Number of Reported Data Breaches |
|---|---|
| California & New York | 7 |
| Maryland & Pennsylvania | 4 |
| Colorado, Kentucky, Ohio, & Utah | 3 |
| Illinois, Indiana, Michigan, Minnesota, New Mexico, Tennessee, Texas, Virginia, and the District of Columbia | 2 |
| Alabama, Arizona, Arkansas, Florida, Georgia, Idaho, Kansas, Massachusetts, Missouri, Nebraska, New Hampshire, New Jersey, North Carolina, Oregon, South Carolina, and Washington | 1 |

HIPAA Enforcement Activity in November 2021

There was a flurry of HIPAA enforcement activity in November with financial penalties imposed by federal and state regulators. The HHS’ Office for Civil Rights announced a further 5 financial penalties to resolve alleged violations of the HIPAA Right of Access. In all cases, the healthcare providers had failed to provide patients with a copy of their requested PHI within a reasonable period of time after a request was received.

| Covered Entity | Penalty | Penalty Type | Alleged Violation |
|---|---|---|---|
| Rainrock Treatment Center LLC (dba Monte Nido Rainrock) | $160,000 | Settlement | HIPAA Right of Access |
| Advanced Spine & Pain Management | $32,150 | Settlement | HIPAA Right of Access |
| Denver Retina Center | $30,000 | Settlement | HIPAA Right of Access |
| Wake Health Medical Group | $10,000 | Settlement | HIPAA Right of Access |
| Dr. Robert Glaser | $100,000 | Civil Monetary Penalty | HIPAA Right of Access |

The New Jersey Attorney General and the Division of Consumer Affairs announced in November that a settlement had been reached with two New Jersey printing firms – Command Marketing Innovations, LLC and Strategic Content Imaging LLC – to resolve violations of HIPAA and the New Jersey Consumer Fraud Act. The violations were uncovered during an investigation into a data breach involving the PHI of 55,715 New Jersey residents.

The breach was due to a printing error that saw the last page of one individual’s benefit statement being attached to the benefit statement of another individual. The Division of Consumer Affairs determined the companies failed to ensure confidentiality of PHI, did not implement sufficient PHI safeguards and failed to review security measures following changes to procedures. A financial penalty of $130,000 was imposed on the two firms, and $65,000 was suspended and will not be payable provided the companies address all the security failures identified during the investigation.

Payroll of Healthcare Providers Threatened by Ransomware Attack on Kronos

The number of healthcare providers affected by the recent ransomware attack on Kronos has been growing over the past few days. 7 healthcare providers have now confirmed they have been affected by the attack.

Kronos is a Lowell, MA-based workforce management and human capital management solution provider that many healthcare organizations use for payroll, scheduling, and other services. On December 11, 2021, Kronos discovered unusual activity in its systems deployed within the Kronos Private Cloud. Steps were immediately taken to investigate the activity and block any unauthorized access. It was rapidly determined to be a ransomware attack that affected parts of its cloud environment where Ultimate Kronos Group (UKG) solutions are deployed, including UKG Workforce Central, UKG TeleStaff, Healthcare Extensions, and Banking Scheduling.

UKG said it engaged a leading cyber security firm to assess and mitigate the attack and the investigation into the breach is ongoing. The affected solutions remain offline and Kronos has strongly suggested its clients should evaluate and implement alternative business continuity protocols related to the affected UKG solutions as it may take several weeks to restore system availability.

Seven healthcare provider clients have recently confirmed that they have been affected by the ransomware attack: Allegheny Health Network, Highmark Health, Baptist Health, UF Health, Ascension, Shannon Medical Center, and Franciscan Missionaries of Our Lady Health System.

San Angelo, TX-based Shannon Medical Center, Jackson, FL-based Baptist Health, Gainesville, FL-based UF Health, and Indianapolis, IN-based Ascension St. Vincent Hospital said payroll has been affected and they have switched to alternate systems to ensure their employees get paid, while Pittsburgh, PA-based Allegheny Health Network and Highmark Health said they are doing everything they can to ensure employees are paid on time.

Baton Rouge, LA-based Franciscan Missionaries of Our Lady Health System used Kronos for timekeeping and scheduling and has switched to emergency downtime procedures to ensure there is no disruption to its services.

The American Hospital Association (AHA) said it has received several reports from members confirming they have been affected and are working to minimize disruption. “A lack of the availability of those services could be quite disruptive for health care providers, many of whom are experiencing surges of COVID-19 and flu patients,” said John Riggi, AHA senior advisor for cybersecurity and risk. “This attack once again highlights the need for robust third-party risk management programs that identify mission-critical dependencies and downtime preparedness. If mission-critical third-party services are made unavailable due to a cyberattack, it may result in disruptions to hospital operations. As such, we urge all third-party providers that serve the health care community to examine their cyber readiness, response, and resiliency capabilities.”

Over 535,000 Individuals Affected by Ransomware Attack on Texas ENT Specialists

Texas Ear, Nose & Throat Specialists P.A. (Texas ENT Specialists) has recently announced it was the victim of a cyberattack that was detected on October 19, 2021.

When the attack was detected, prompt action was taken to prevent further unauthorized system access and a third-party cybersecurity firm was engaged to investigate and determine the nature and extent of the attack. The forensic investigation revealed the attackers first gained access to its systems on August 9, 2021, and between then and August 15, files were copied and exfiltrated from its systems.

A review of those files confirmed they contained the protected health information (PHI) of 535,489 patients, including names, dates of birth, medical record numbers, and procedure codes. A subset of individuals also had their Social Security numbers stolen; however, its electronic medical record system was unaffected.

Texas ENT Specialists mailed notification letters to affected individuals on December 10, 2021. Patients who had their Social Security number stolen have been offered complimentary membership to Experian’s identity theft monitoring service.

Texas ENT Specialists said it has strengthened its privacy and information security program and has implemented additional technical security measures to better protect and monitor its systems.

Virginia Department of Behavioral Health and Developmental Services Suffers Second Funding Portal Breach

The Virginia Department of Behavioral Health and Developmental Services (DBHDS) is notifying 4,037 individuals who applied for Individual and Family Support Program (IFSP) funding that some of their protected health information may have been impermissibly disclosed. The breach affected its IFSP Funding Portal and occurred on October 7, 2021. The breach was detected within minutes and the portal was immediately taken offline to prevent further unauthorized data access.

In 2019, DBHDS experienced a breach of its IFSP funding portal that exposed the data of 1,442 individuals. In the 17 months that followed, the internal team and the Virginia Information Technology Agency (VITA) investigated the attack and attempted to simulate and solve the issue. Extensive testing of the Portal was performed, and it was determined the Portal was clear to operate again. The latest breach appears to be similar to the 2019 incident and may also have allowed information to be viewed by other applicants.

DBHDS said it will not attempt to repair the Portal again, and an alternative solution will be found for future IFSP application processes. Individuals who had their application information exposed to other individuals will be able to sign up for free credit monitoring services for 2 years.