HIPAA Breach News

Almost 50,000 Health Plan Members Affected by Ransomware Attack on Broward County Public Schools

In March 2021, ransomware was used in an attack on Broward County Public Schools in Florida and files were encrypted. The investigation into the breach revealed access to the school network was first gained by unauthorized individuals on November 12, 2020, with the ransomware deployed on March 6, 2021. The attack was detected on March 7, 2021.

The hackers demanded a ransom payment of $40 million for the keys to decrypt files, which was later reduced to $10 million, but the school district refused to pay. Initially, it did not appear that any sensitive data had been obtained in the attack, but on April 19, 2021, it was discovered that some files stored on its systems had been stolen when they were released publicly on the Conti ransomware gang’s data leak website.

Schools are not usually covered by the Health Insurance Portability and Accountability Act (HIPAA), so HIPAA breach notifications are not required when student records are compromised; however, in this case, the school district is a HIPAA-covered entity as it operates a self-insured health plan.

On June 8, 2021, it was confirmed that some of the files obtained by the attackers included names and Social Security numbers, with further analysis of the security breach confirming on June 29, 2021, that the attackers accessed and potentially stole the protected health information of members of its health plan, including names, dates of birth, Social Security numbers, and benefits selection information.

Those individuals are now being notified about the exposure and potential theft of their PHI, more than a year after its systems were first breached and 5 months after it was discovered their PHI was involved. The delay in issuing notifications was explained by Chief Communications Officer Kathy Koch as being due to “a time-consuming review of the data that might have been accessed by the unauthorized party.” Complimentary credit monitoring services are now being provided.

It is unclear how many individuals in total have been affected by the breach, but the breach has been reported to the HHS’ Office for Civil Rights as affecting 48,684 individuals.

The post Almost 50,000 Health Plan Members Affected by Ransomware Attack on Broward County Public Schools appeared first on HIPAA Journal.

Chicago Accountancy Firm Discovers Data was Stolen in December 2020 Ransomware Attack

The Chicago, IL-based accountancy firm Bansley and Kiener LLP has announced it was the victim of a December 2020 ransomware attack that saw certain files within its systems encrypted. The attack only caused temporary disruption, and it was possible to restore all encrypted systems from backups and rapidly return to normal operations.

The attack occurred on December 10, 2020, and the subsequent investigation into the incident found no evidence of data theft and confirmed that the breach had been fully contained. However, Bansley and Kiener said in a December 3, 2021 data breach notification letter that the firm learned on May 24, 2021, that the attackers had exfiltrated some files from its systems, and those files contained sensitive client information.

A third-party cybersecurity firm was engaged to assist with the subsequent investigation and while it was not possible to confirm the specific types of information that had been accessed and exfiltrated, on August 24, 2021, the investigation confirmed the names and Social Security numbers of some individuals may have been obtained by the attackers.

Bansley and Kiener said the attack prompted a review of its security measures and they have since been strengthened to prevent further data breaches, and the workforce continues to be educated on cybersecurity best practices. Notification letters have now been sent to affected individuals with instructions on how to protect their personal information, including how to take advantage of the complimentary credit and identity theft monitoring services that have been offered.

It is not known how many individuals in total have had their names and Social Security numbers exposed, but the breach has been reported to the HHS’ Office for Civil Rights under four separate breach reports affecting a total of 70,941 individuals.

PHI of 750,000 Patients of Oregon Anesthesiology Recovered Following Ransomware Attack

On July 11, 2021, Oregon Anesthesiology Group discovered it was the victim of a ransomware attack. Files on its systems had been encrypted, which prevented access to its servers and patient data.

Following the attack, its IT infrastructure was reconstructed and offline data backups were used to promptly restore the affected files. A digital forensics firm was engaged to investigate the breach and it was confirmed that patient and employee information had been compromised, with the affected parts of its network found to contain files that included names, addresses, dates of service, diagnosis and procedure codes and descriptions, medical record numbers, insurance provider names, and insurance ID numbers. Employee data potentially compromised in the attack included names, addresses, Social Security numbers, and other information contained in W-2 forms.

The forensic investigation revealed that once the hackers had gained access to its network, they data-mined administrator credentials which allowed them to access encrypted data on its network. The FBI told Oregon Anesthesiology Group that the attackers most likely exploited a vulnerability in its third-party firewall to gain access to its network.

In response to the breach, the firewall was replaced, multi-factor authentication was implemented more comprehensively, network access control policies were upgraded, and a third-party vendor was engaged to provide 24/7 real-time security monitoring and to advise on security system architecture, enhanced data and network segregation, and increased use of cloud-based infrastructure.

Oregon Anesthesiology Group sent notification letters to approximately 750,000 patients and 522 current and former employees. While no evidence of attempted or actual misuse of patient data has been found, identity theft protection and credit monitoring services have been provided to affected individuals, who will also be covered by an identity theft insurance policy.

In order to recover data stolen by ransomware gangs, it is usually necessary to pay the ransom demand. In this case, however, the ransom was not paid but Oregon Anesthesiology Group was notified by the FBI on October 21, 2021, that it had seized “an account belonging to HelloKitty, a Ukrainian hacking group, which contained OAG patient and employee files.” It is unclear if the seized account contained the only copy of the stolen data.

Ransomware Attack Affects 81,000 Howard University College of Dentistry Patients

Howard University College of Dentistry discovered on September 3, 2021, that unauthorized individuals had gained access to its network and used ransomware to encrypt files. An announcement was made by the university shortly after the attack that it had been forced to cancel online and hybrid classes while its systems were restored, and that a nationally recognized computer forensics firm had been engaged to investigate the incident to determine the extent of the attack and whether sensitive information was accessed or stolen.

On September 24, 2021, the university determined that a system that housed patients’ dental records was affected by the attack. No specific evidence of unauthorized access or data exfiltration was found, although dental records were encrypted. The encrypted records related to dental visits between October 5, 2019, and September 3, 2021, and included information such as names, contact information, dates of birth, dental record numbers, health insurance information, dental history information, and for a limited number of patients, Social Security numbers.

The university has notified all affected patients by mail and has advised them to monitor their account statements for any sign of fraudulent activity and said it has further enhanced its cybersecurity measures to better protect against future cyberattacks and data breaches.

Howard University College of Dentistry recently reported the incident to the HHS’ Office for Civil Rights as affecting up to 80,915 patients.

Great Plains Manufacturing Health Plan Members Affected by Cyberattack

Kansas-based Great Plains Manufacturing has notified 4,110 employees that some of their protected health information has potentially been compromised in a cyberattack that was discovered on October 11, 2021.

The investigation confirmed unauthorized individuals first gained access to its systems on September 28, 2021, and access remained possible until October 11, 2021, when the breach was detected, and the hackers were ejected from its network. A review of the affected file server revealed on November 1, 2021, that files had been accessed that contained information such as names, dates of birth, Social Security numbers, health insurance numbers, and members’ health plan selection.

The breach only affected employees and their dependents who were covered by the Great Plains Manufacturing, Inc. Employee’s Beneficiary Association Trust health plan. Notifications were sent to affected individuals on December 1, 2021, and all affected individuals have been offered complimentary identity theft monitoring services for 12 months.

Data Breaches Reported by UH College of Optometry and Valley Mountain Regional Center

The University of Houston College of Optometry has discovered an unauthorized individual from outside the United States gained access to the network of an affiliated eye clinic and stole information contained in the clinic’s database.

The Community Eye Clinic in Fort Worth, TX, is managed and administered by UH College of Optometry. Security staff identified the intrusion at 9 a.m. on September 13, 2021, the morning after the breach occurred. The IT security team immediately took steps to secure the system, further defensive safeguards have been implemented to better protect patient data, and its monitoring and alerts have been enhanced. A review has also been conducted of the clinic’s IT protocols and procedures to ensure that industry-standard practices are followed.

The files obtained by the attacker related to patients who received treatment at the Community Eye Clinic between May 22, 2013, and September 13, 2021. The information in the database included names, dates of birth, contact information, government ID numbers, health insurance information, passport numbers, Social Security numbers, driver’s license numbers, and diagnosis and treatment information. No financial information was stored in the database and no College of Optometry or University of Houston network systems were affected.

The 18,500 affected individuals have been advised to monitor their accounts and explanation of benefits statements for signs of fraudulent activity, to check their credit reports, and to consider placing a security fraud alert on their credit reports.

Phishing Attack on Valley Mountain Regional Center Affects 17,197 Patients

Stockton, CA-based Valley Mountain Regional Center (VMRC) has started notifying 17,197 patients that some of their protected health information was stored in email accounts that were accessed by unauthorized individuals.

VMRC detected phishing emails in its mailboxes on September 15, 2021, and took steps to remove all copies of the messages from its email system; however, the subsequent investigation into the phishing attack revealed 14 employees had clicked the links and disclosed credentials which allowed their email accounts to be accessed.

A comprehensive review of the contents of the affected mailboxes confirmed they contained names, addresses, dates of birth, state-issued client identifier numbers, telephone numbers, personal e-mail addresses, diagnoses, medications, other potential unique identifiers, and dates of service.

VMRC said it found no evidence to suggest any information in the email accounts was accessed, acquired, or misused; however, affected individuals have been advised to monitor their accounts and credit reports for unusual activity.

Ransomware Attacks Reported by TriValley Primary Care and Medsurant Health

On October 11, 2021, Perkasie, PA-based TriValley Primary Care discovered ransomware had been installed on its networks and servers, which contained the protected health information of some of its patients. Action was quickly taken to secure its systems and prevent further unauthorized access and third-party cybersecurity experts were engaged to assist with the investigation.

The forensic investigation concluded on November 4, 2021, but it was not possible to tell exactly when unauthorized individuals first gained access to its systems nor whether any specific patient information was viewed or obtained by the attackers. At the time of issuing notification letters to affected individuals, TriValley Primary Care was unaware of any actual or attempted misuse of patient data.

As a precaution against identity theft and fraud, all affected individuals have been offered complimentary credit monitoring and identity theft protection services. TriValley Primary Care said it has taken action to prevent further security breaches, including implementing additional technical safeguards, strengthening its existing cybersecurity infrastructure, and providing further security awareness training to the workforce. External cybersecurity consultants have been engaged to assist with improving its policies, procedures, and protocols to further strengthen its security posture.

The breach was reported to the HHS’ Office for Civil Rights as affecting 57,468 patients.

45,000 Individuals Affected by Medsurant Health Ransomware Attack

Pennsylvania-based Medsurant Holdings has reported a ransomware attack to the HHS’ Office for Civil Rights that has affected up to 45,000 Medsurant Health patients.

Medsurant said it received an email from the attacker on September 30, 2021, stating sensitive data had been accessed and exfiltrated from its systems. An investigation was launched to determine whether files had been subjected to unauthorized access and to determine if the claims of data theft were true. According to the notice on the Medsurant website, the investigation confirmed the threat actor had access to its systems between September 23 and November 12. Some files on its systems were encrypted in the attack, but they have successfully been restored.

A review is currently being conducted to determine which files were accessed and stolen and to identify all affected patients. Notification letters will be sent to affected individuals when the review is complete and once contact information has been verified.

At this stage, the types of information believed to have been stolen include full names, addresses, diagnoses, medical conditions, dates of birth, claims information, and Social Security numbers. Medsurant is unaware of any attempted or actual misuse of patient data at the time of publishing the notice.

Existing policies and procedures are being reviewed and will be updated as necessary and further technical and administrative safeguards will be implemented to better protect the information stored in its systems.

Sound Generations Reports Two Ransomware Attacks Affecting Over 100,000 Individuals

Seattle, WA-based Sound Generations has announced that unauthorized individuals have gained access to its internal systems and have used ransomware to encrypt files.

Sound Generations is a nonprofit that helps older adults and adults with disabilities obtain free to low-cost healthcare resources. The organization is the largest provider of comprehensive services for aging adults in King County, WA.

According to the substitute breach notification letter uploaded to its website, unauthorized individuals accessed its systems and encrypted data on July 18, 2021, and again on September 18, 2021. In both cases, the unauthorized access was promptly terminated and both incidents were investigated by a third-party forensics firm to determine the nature and scope of the security breaches; however, it was not possible to tell if any protected health information was viewed or obtained by the attackers.

An internal review of the affected systems confirmed the protected health information of 103,576 individuals was stored on the affected systems. That information included demographic and health information, including names, addresses, phone numbers, email addresses, dates of birth, and whether or not an individual has health insurance. Health histories and health conditions may have been exposed if that information was provided to Sound Generations and individuals who participated in the EnhanceFitness program may also have had their health insurance number exposed.

Sound Generations said it has received no indication that any of the information stored on its systems has been used by any person to commit fraud, but all affected individuals should exercise caution and monitor their accounts and explanation of benefits statements for signs of fraudulent activity.

Sound Generations says it has significantly enhanced its cybersecurity controls as a result of the recent attacks.

PHI of 40,000 Individuals Exposed in Email Account Breaches

Three healthcare providers have recently reported security breaches involving the email accounts of employees, resulting in the exposure and potential theft of the protected health information of more than 40,000 individuals.

Saltzer Health

Saltzer Health identified a breach of its email environment on June 1, 2021. Steps were promptly taken to prevent further unauthorized access, with the subsequent investigation confirming an unauthorized individual had accessed the account between May 25, 2021, and June 1, 2021. It was not possible to tell if any patient information was accessed or exfiltrated, but a comprehensive review of the account by third-party specialists confirmed it contained the protected health information of 15,650 patients.

The review was completed on September 21, 2021, and confirmed the email account contained the following types of information: Names, contact information, medical record numbers, patient identification numbers, driver’s license/state identification numbers, medical histories, diagnoses, treatment information, physician information, prescription information, health insurance information, and a limited number of Social Security numbers and financial account information. All affected individuals have now been notified by mail.

Boulder Neurosurgical and Spine Associates

Boulder Neurosurgical and Spine Associates in Colorado detected a breach of an employee email account on September 21, 2021. The email account was immediately secured, and third-party cybersecurity experts were engaged to assist with the investigation.

A comprehensive review of emails and attachments in the breached account confirmed protected health information had been exposed, although it was not possible to tell if any PHI had been viewed or obtained by unauthorized individuals. The compromised PHI included names, dates of birth, and medical records, but no addresses or Social Security numbers were exposed. The breach has been reported to the HHS’ Office for Civil Rights as affecting 21,450 individuals.

Region IV Area Agency on Aging

Region IV Area Agency on Aging in Michigan (AAA4) discovered on or around September 30, 2021, that an unauthorized individual had gained access to the email account of one of its employees as a result of a response to a phishing email. The purpose of the cyberattack was to try to get the employee’s paychecks diverted.

While this appears to be the sole aim of the attacker, the email account contained the PHI of 3,171 individuals and included names, addresses, dates of birth, Social Security numbers, insurance information, phone numbers, and medical conditions.

AAA4 said it found no evidence to suggest any PHI had been obtained or misused, but all affected individuals have been advised to exercise caution and monitor their accounts and explanation of benefits statements for suspicious activity. AAA4 said it has taken steps to prevent further phishing attacks, including providing additional training to the workforce.

400,000 Patients Potentially Affected by Planned Parenthood Ransomware Attack

Planned Parenthood has recently confirmed it was the victim of a ransomware attack in October that affected its Los Angeles branch.

According to the announcement, a ransomware gang gained access to the network between October 9, 2021, and October 17, 2021, and deployed ransomware to encrypt files. A ransom demand was then issued, payment of which was required to obtain the keys to decrypt data. Prior to using ransomware, certain files were exfiltrated from its systems and were used as leverage to get Planned Parenthood to pay the ransom. It is currently unclear if the ransom was paid but, at the time of writing, the stolen files do not appear to have been published on any ransomware gang’s data leak site.

The ransomware attack was detected by Planned Parenthood Los Angeles on October 17, 2021, and steps were immediately taken to secure its network and investigate the security breach. When it was confirmed that files had been stolen, a review was conducted to determine the types of information that had been compromised. On November 4, 2021, it was confirmed that some of the stolen files contained patient information.

The types of information contained in the files varied from patient to patient and may have included names, addresses, dates of birth, diagnosis, health insurance information, and medical information, including details of the procedures that had been performed and any prescriptions provided. The cyberattack has been reported to law enforcement and the investigation into the security breach is ongoing.

A spokesperson for Planned Parenthood Los Angeles said around 400,000 patients have potentially been affected and will be notified by mail and advised of the steps they can take to prevent misuse of their information. Planned Parenthood said there are no indications that any stolen patient information has been misused to date.

Planned Parenthood has taken steps to augment its existing security measures to prevent further cyberattacks, including enhancing monitoring of its network and hiring additional staff members to bolster its cybersecurity team.

“The type of data that bad actors exfiltrated from Planned Parenthood victims is extremely dangerous in the hands of criminals. PII like addresses and dates of birth is one thing, but coupled with clinical information – that can be disastrous. Tying these kinds of sensitive medical data back to individuals can open them up to fraudulent medical scams and also fraudulent insurance claims,” said Paul Laudanski, head of threat intelligence at email security firm Tessian.

This is not the first time Planned Parenthood has experienced a cyberattack. Patient information was stolen in a hacking incident that affected its Metropolitan Washington branch in 2020, and hacktivists breached its systems in 2015 and obtained the names and addresses of hundreds of its patients.
