HIPAA Breach News

15,000 Patients Affected by Philadelphia FIGHT Community Health Centers Cyberattack

Philadelphia FIGHT Community Health Centers has recently announced it was the victim of a cyberattack on November 30, 2021. Third-party forensic investigators were engaged to determine the nature and scope of the breach. The investigation confirmed its electronic medical record system and other clinical systems were not compromised in the attack; however, on January 13, 2022, Philadelphia FIGHT discovered the attacker had accessed non-clinical systems that housed files containing the protected health information of around 15,000 patients.

It was not possible to determine if the attacker viewed or obtained any patient information, although no reports have been received that suggest any patient information has been misused. The information potentially compromised in the attack included names, dates of birth, Social Security numbers, medical diagnoses, treatment information, and health insurance information.

Philadelphia FIGHT said a review of security protocols is being conducted and security measures will be enhanced to prevent further cyberattacks.

Vendor Email Account Breach Affects Over 6,000 Memorial Hermann Health System Patients

Memorial Hermann Health System has reported a breach at one of its vendors that exposed the protected health information of 6,260 patients. Memorial Hermann Health System had contracted with Advent Health Partners, a Nashville, TN-based provider of claims management services. In September 2021, Advent Health Partners discovered suspicious activity in certain employee email accounts, and on December 2, 2021, confirmed the compromised email accounts contained the protected health information of its healthcare clients. Affected clients started to be notified on January 6, 2022.

Memorial Hermann Health System said the compromised information included first names, last names, dates of birth, Social Security numbers, driver’s license numbers, financial information, health insurance information, and treatment information. While patient information may have been accessed, no evidence has been found to suggest any actual or attempted misuse of patient data. Memorial Hermann Health System said Advent Health Partners is providing affected individuals with free access to a credit monitoring service.

The post 15,000 Patients Affected by Philadelphia FIGHT Community Health Centers Cyberattack appeared first on HIPAA Journal.

Patient Data Compromised in Ransomware Attacks on Family Christian Health Center & Jackson County Hospital

Family Christian Health Center (FCHC) in Illinois has announced it was the victim of a ransomware attack in November 2021 that compromised the protected health information of 31,000 patients. The attack was detected on November 30, 2021, with the investigation indicating the attackers first gained access to its IT systems on or around November 18, 2021.

The attackers compromised FCHC’s old dental system which contained the PHI of patients who had received dental services prior to August 31, 2020. The system contained patients’ names, birth dates, insurance card numbers, driver’s license numbers, and copies of patients’ insurance cards and driver’s licenses. FCHC said information about the dental care provided, credit card numbers, and the Social Security numbers of affected dental patients were not affected. The PHI of non-dental patients who received healthcare services between December 5, 2016, and August 31, 2020, was also compromised and included names, birthdates, addresses, insurance identification numbers, and Social Security numbers.

FCHC worked with external IT vendors to investigate the breach and a forensic investigator was engaged to determine how the attackers gained access to the network and to recommend additional security measures to prevent further attacks. FCHC said it has implemented additional technical safeguards.

Patient Data Potentially Compromised in Jackson County Hospital Ransomware Attack

Jackson County Hospital in Florida recently announced certain systems within its network have been accessed by unauthorized individuals who potentially viewed or obtained the personal and medical information of certain patients. The security breach was detected on or around January 9, 2022, when certain systems were rendered inaccessible.

Third-party forensic specialists investigated the cyberattack and determined limited patient data had been exfiltrated from its systems, including names, addresses, birthdates, telephone numbers, Social Security numbers, medical histories, medical conditions/treatment information, medical record numbers, diagnosis codes, patient account numbers, Medicare/Medicaid numbers, financial account information, and usernames/passwords. At this stage, Jackson County Hospital has not found any evidence to suggest there has been any misuse of patient data but affected patients have been advised to be vigilant and to check their account statements and explanation of benefits statements for signs of fraudulent activity.

Jackson County Hospital said the investigation into the cyberattack is ongoing and steps are being taken to improve security. Current policies and procedures are being reviewed and additional administrative and technical safeguards will be implemented to further secure the information in its systems.

The cyberattack has been reported to the HHS’ Office for Civil Rights but it is not yet showing on the breach portal, so it is currently unclear how many patients have been affected.


CaptureRx Proposes $4.75 Million Settlement to End Data Breach Litigation

CaptureRx has proposed a $4.75 million settlement to resolve claims related to a 2021 data breach that affected approximately 2.4 million patients of its healthcare provider clients.

CaptureRx is a healthcare administrative service provider that helps hospitals manage their 340B drug discount programs. On February 6, 2021, CaptureRx discovered unauthorized individuals had gained access to its network and used ransomware to encrypt its files. On March 19, 2021, CaptureRx determined files containing patient data had been compromised, and affected clients started to be notified on March 30, 2021. CaptureRx publicly announced the data breach but did not initially disclose how many individuals had been affected. The breach was reported to the HHS’ Office for Civil Rights in May 2021 by CaptureRx as affecting 1,656,569 individuals, although several of its healthcare provider clients reported the breach themselves.

Several class action lawsuits were proposed that, among other claims, alleged CaptureRx was negligent for failing to implement and maintain appropriate safeguards to protect patient data. CaptureRx decided to propose a settlement resolving all claims associated with the data breach in order to avoid further legal costs. Christopher Hotchkiss, CEO of NEC Networks, CaptureRx’s parent company, said CaptureRx is facing multiple claims for indemnity from its customers, which has placed a considerable financial strain on the company. Hotchkiss said CaptureRx is not a large national or multinational company and has limited resources, and that if the settlement is not finalized, CaptureRx may be forced into filing for bankruptcy. “By settling now, the settlement class can take advantage of remedies that would be unavailable or worth substantially less by the time of a litigated final judgment,” said legal counsel for CaptureRx in the court filing.

The proposed settlement will see a $4.75 million fund created to cover legal costs and claims from plaintiffs and class members. Lawyers for the plaintiffs will receive around a third of the settlement, plaintiffs will receive around $2,000 each, and the remainder of the fund will cover claims from class members. CaptureRx’s insurer will be covering around half of the settlement, with CaptureRx paying the remainder. Plaintiffs will be entitled to submit claims of up to $25, regardless of whether they experienced identity theft, with claims of up to $75 possible for California residents. Under the terms of the settlement, CaptureRx is required to develop, implement, and maintain a comprehensive information security program, if such a program has not already been implemented.

CaptureRx will now seek preliminary approval for the settlement from the courts and the plaintiffs will have the opportunity to reject the settlement; however, lawyers for the plaintiffs believe the proposed settlement is fair.


Hackers Gained Access to Files Containing the PHI of 115,670 South Shore Hospital Patients

Chicago’s South Shore Hospital has started notifying 115,670 current and former patients about a December 2021 cyberattack on its network. Suspicious activity was identified on its network on December 10, 2021, and prompt action was taken to contain the incident. Emergency protocols were implemented to ensure care could continue to be safely provided to patients.

South Shore Hospital engaged a team of third-party computer forensics experts to investigate the security breach and determine whether patient information was accessed or stolen. The investigation confirmed the attackers gained access to parts of its network where files were stored that contained the protected health information of patients and employee data, including names, addresses, dates of birth, Social Security numbers, health insurance information, medical information, diagnoses, health insurance policy numbers, Medicare/Medicaid information, and financial information.

South Shore Hospital said it will be implementing additional security measures to better protect its network against cyberattacks, including stronger password policies, multifactor authentication, and additional anti-malware and anti-phishing tools. Further training on data privacy and security will also be provided to the workforce.

South Shore Hospital has provided affected individuals with information on how they can protect themselves against the misuse of their information, which includes signing up for a 12-month complimentary membership to IDX’s credit and CyberScan monitoring service. Affected individuals will also be protected with a $1 million identity theft reimbursement insurance policy and will have access to identity theft recovery services if they are needed.

Spencer Gifts Health and Welfare Benefit Plan Reports Hacking Incident

Spencer Gifts has discovered unauthorized individuals gained access to its network between November 24, 2021, and November 26, 2021, and potentially viewed or obtained files containing the protected health information of 10,023 members of its health and welfare benefits plan.

The attack was detected on November 25, 2021, and its network was secured the following day. The investigation confirmed names, Social Security numbers, and plan selection information had been exposed. Notification letters started to be sent to all affected individuals on January 24, 2022, and complimentary identity theft monitoring services have been offered to affected individuals. Spencer Gifts said it is reviewing its security policies and procedures and further electronic security features will be implemented.


Hacking Incidents Reported by AccelHealth and Pace Center for Girls

Brownwood, Texas-based Cross Timbers Health Clinics, operating under the brand AccelHealth, suffered a ransomware attack on December 15, 2021, which prevented the Federally Qualified Health Center from accessing certain files and folders on its network. AccelHealth engaged third-party forensics specialists to investigate the security breach, who determined that unauthorized individuals first gained access to its network on December 9, 2021.

During the six days the attackers had access to the network, they may have viewed or acquired files containing patient information. A comprehensive review of all files on the compromised parts of the network revealed they contained the protected health information of 48,126 patients, including names, addresses, dates of birth, Social Security numbers, driver’s license numbers, financial account information, health insurance information, medical record numbers, and treatment and diagnosis information.

No evidence was found of data exfiltration and, at the time of issuing notification letters, no reports had been received to suggest any actual or attempted misuse of patient data. AccelHealth said additional technical security measures are being implemented to prevent further cyberattacks, and affected individuals have been offered complimentary credit monitoring services.

Pace Center for Girls Discovers 11-Month System Breach

Pace Center for Girls, a Jacksonville, FL-based 6-12 education program for at-risk teenage girls, has discovered certain infrastructure systems were accessed by unauthorized individuals who may have viewed or acquired the sensitive data of current and former students.

The security breach was detected in the week of December 13, 2021, with the investigation confirming certain parts of its IT infrastructure had been compromised in January 2021. The affected parts of its systems contained information such as students’ full names, addresses, phone numbers, dates of birth, Florida Department of Juvenile Justice identification numbers, enrollment data, behavioral health information, and parent/guardian names.

Pace Center for Girls said a third-party cybersecurity firm was hired to help secure its network and physical computer access and assess its data protection and gateway security systems. Additional security measures will be implemented, as appropriate, to better protect against unauthorized access. Affected individuals have been advised to place fraud alerts with Experian, Equifax, and TransUnion to identify any fraudulent use of their personal information. The breach has been reported to the HHS’ Office for Civil Rights as affecting up to 18,300 individuals.


Data Breaches Reported by Suncoast Skin Solutions, Raveco Medical, South City Hospital, and the Colorado DHS

Suncoast Skin Solutions, a network of 22 surgical, medical, and cosmetic dermatological care clinics in Florida, has recently started notifying 57,730 patients about a ransomware attack that was discovered on July 14, 2021.

Suncoast said when the cyberattack was detected, prompt action was taken to prevent the encryption of all of its systems and a third-party cybersecurity firm was engaged to conduct a forensic investigation to determine the nature and scope of the attack.

On October 14, 2021, the cybersecurity firm concluded its investigation and Suncoast conducted a preliminary review of its systems to determine if they contained any patient information. That process was completed on November 8, 2021, and a third-party vendor was engaged to review all affected files to determine the specific individuals whose information may have been compromised.

Suncoast has now confirmed that the following types of data were potentially viewed by the attackers: names, dates of birth, clinical information, doctor’s notes, and other limited treatment information. Suncoast said it is unaware of any attempted or actual misuse of patient data as a result of the security breach. Steps have been taken to prevent similar breaches in the future, including transferring all patient data to an encrypted system. Complimentary credit monitoring services have been offered to certain impacted individuals.

South City Hospital Reports Theft of Backup Server Containing PHI of 21,601 Individuals

South City Hospital in St. Louis, MO – formerly St. Alexius Hospital – was the victim of a burglary on November 13th or 14th and thieves stole a backup imaging server from one of its practice locations.

A review of the server confirmed it contained protected health information of 21,601 individuals, including names, Social Security numbers, health insurance information, radiology imaging, and/or other related medical information.

In response to the break-in, the hospital has implemented additional security measures to prevent further exposures of patient data.

Colorado Department of Human Services Affected by Cyberattack on Business Associate

The Colorado Department of Human Services (CDHS) has notified 6,132 individuals that some of their protected health information has potentially been compromised in a cyberattack on one of its vendors – Sound Generations.

Sound Generations is a Seattle, WA-based provider of services for adults with disabilities, and CDHS contracts with Sound Generations to store data for its evidence-based fall prevention program, A Matter of Balance. Sound Generations investigated the breach and, while no evidence of data misuse has been identified, it was not possible to rule out unauthorized data access.

The types of information potentially compromised include names, addresses, phone numbers, email addresses, dates of birth, and whether or not clients have health insurance.

PHI of 4,897 Individuals Potentially Compromised in Raveco Medical Hacking Incident

Raveco Medical, a women’s health clinic in New York City, has notified 4,897 patients that some of their protected health information was potentially accessed by unauthorized individuals.

A security breach was detected on November 22, 2021, and a third-party cybersecurity firm was engaged to investigate the breach. The investigation confirmed files had been copied from its systems that contained patients’ first and last names, dates of birth, medications, diagnoses, Social Security numbers, and/or payment card information.

Raveco Medical said it is working to improve data security to prevent further hacking incidents. Affected individuals have been provided with complimentary access to credit monitoring and identity theft resolution services through IDX.


Taylor Regional Hospital Still Recovering from January Cyberattack

Taylor Regional Hospital in Campbellsville, KY has suffered a cyberattack that has resulted in its IT and phone systems being taken offline. The cyberattack was reported by the hospital on January 24, 2021, and the hospital is still experiencing outages with certain computer systems and phone lines. Temporary phone lines have been set up to allow patients to contact the hospital while the cyberattack is resolved.

Cyberattacks such as this often involve ransomware, but no details have been released so far about the exact nature of the cyberattack, nor when its IT systems are expected to be restored. At this early stage, it is unclear if any patient information has been accessed or stolen by attackers.

A notice on the hospital’s website explains that quality care continues to be provided to patients and it is working as quickly as possible to safely bring its IT systems back online. Patients are encouraged not to delay seeking medical care; however, without access to IT systems, patients have been asked to bring lists of their medication with them to any appointments that have previously been scheduled.

The hospital said routine outpatient labs will only be performed during limited hours until further notice, and patients have been advised to bring a written order and to expect longer wait times than normal. The walk-in COVID-19 clinic is still open but will operate on a first-come, first-served basis.

Data Stolen in Cyberattack on Connecticut Accountancy Firm

The Glastonbury, CT-based certified public accountancy firm, Fiondella, Milone & LaSaracina, has announced it was the victim of a cyberattack in September 2021. The security breach was detected on September 14, 2021, with the forensic investigation determining the hackers had access to its systems from September 9, 2021.

On or around October 13, 2021, it was determined the hackers copied files and folders from its system that contained the sensitive data of certain individuals. The information potentially compromised was mostly limited to names and Social Security numbers, with some individuals also having information stolen related to ambulance trips, including date and tracking numbers, service level, payor types and category, mileage information, charge/payment information, billing review information, and remittance advice details, which may have included medical information.

Fiondella, Milone & LaSaracina said a review of security measures has been conducted and additional safeguards will be implemented to prevent further security breaches. There is no mention in the website breach notice of credit monitoring and identity theft protection services.

The breach has been reported to the HHS’ Office for Civil Rights as affecting 6,215 individuals.


PHI of 138K Individuals Exposed in 3 Email Security Incidents

Hackers have gained access to email accounts containing protected health information at Injured Workers Pharmacy, iRise Florida Spine and Joint Institute, and Volunteers of America Southwest California.

Injured Workers Pharmacy

Andover, MA-based Injured Workers Pharmacy has recently reported a data breach to the Maine Attorney General that was discovered on or around May 11, 2021, when suspicious activity was detected in an employee email account. The account was immediately secured and third-party computer forensics specialists were engaged to investigate the breach. The investigation revealed 7 email accounts had been compromised between January 16, 2021, and May 12, 2021.

Third-party data review specialists were engaged to check the emails and attachments in the compromised accounts, which confirmed they contained the protected health information of 75,771 individuals, including names, addresses, and Social Security numbers. After the review, Injured Workers Pharmacy validated the results, and that process was completed on or around December 14, 2021. Notification letters started to be sent to affected individuals on February 3, 2022.

Injured Workers Pharmacy said it has augmented its email security measures and is offering certain affected individuals complimentary credit monitoring and identity restoration services.

iRise Florida Spine and Joint Institute

The iRise Florida Spine and Joint Institute has discovered that an employee email account containing the protected health information of 61,595 patients was accessed by an unauthorized individual. The forensic investigation revealed the email account was accessed between February 24, 2021, and February 26, 2021.

A comprehensive review of emails and attachments was conducted, and the process was completed on November 22, 2021. iRise said the following types of information may have been viewed or acquired in the attack: names, dates of birth, diagnoses, clinical treatment information, physician and/or hospital name, dates of service, and health insurance information. A limited number of individuals also had their Social Security numbers, driver’s license numbers, financial account information, credit card numbers, and/or usernames and passwords exposed.

Affected individuals have been notified and a 12-month complimentary membership to a credit monitoring service has been offered to individuals whose Social Security numbers were exposed. iRise has reviewed its email security measures and has implemented additional technical safeguards, including multifactor authentication. Additional training on email security has also been provided to the workforce.

Volunteers of America Southwest California

The San Diego, CA-based social service organization Volunteers of America Southwest California recently announced it was the victim of a phishing attack. An employee received an email that appeared to be a voicemail notification and included a link to a website that required login credentials to be entered to listen to the message. The login credentials were captured and used to access the employee’s email account.

The email account was accessed by the attackers on or around November 16, 2021, and the intrusion was detected and remediated on November 16. A review of the email account revealed it contained the first and last names of clients in the vast majority of cases, with some of the records also including individuals’ COVID-19 vaccination status.

The breach appears to have been fully remediated and third-party experts have been engaged to validate the containment measures. Email security has been enhanced in response to the breach.

The breach was reported to the HHS’ Office for Civil Rights as affecting 1,300 individuals.


RI Attorney General Subpoenas RIPTA and UnitedHealthcare Over 22,000-Record Data Breach

The Rhode Island Attorney General is investigating UnitedHealthcare and the Rhode Island Public Transit Authority (RIPTA) over a cyberattack and data breach that resulted in hackers gaining access to RIPTA’s network that contained the sensitive personal and protected health information of up to 22,000 individuals.

The Office of the Rhode Island Attorney General was notified about the security breach on December 23, 2021. RIPTA said it discovered and blocked a cyberattack on August 5, 2021, with its investigation confirming the hackers gained access to its network on August 3, 2021. Files stored on the compromised part of its network included extensive information on its employees, including names, dates of birth, Social Security numbers, and health plan ID numbers, along with the sensitive information of thousands of state employees who had never worked at RIPTA.

RIPTA reported the breach to the HHS’ Office for Civil Rights as affecting 5,015 individuals but said in its breach notice that the incident had resulted in the exposure of the personal data of 17,378 individuals. The difference in the numbers was due to UnitedHealthcare, RIPTA’s previous health insurance provider, providing RIPTA with files containing the data of non-RIPTA employees. In total, up to 22,000 individuals had their sensitive data stolen in the attack. The files were stored unencrypted on RIPTA’s servers, and the hackers exfiltrated approximately 40,000 files from RIPTA’s systems.

RIPTA sent notification letters to affected individuals, including those who had no association with RIPTA, triggering a barrage of complaints to the Office of the Attorney General questioning why their personal data had been compromised in a breach at RIPTA when they had never had any association with the quasi-public agency. The delay in issuing notification letters was due to each of those 40,000 files having to be manually searched, which was a labor-intensive and time-consuming process. RIPTA said only a small number of people were involved in the document review to prevent sensitive data from being further exposed.

On Monday this week, RIPTA administrators testified under oath at a Senate oversight committee hearing about the incident. RIPTA Chief Legal Counsel Steven Colantuono said at the hearing, “We don’t believe that anyone did anything wrong on our end, but we are still investigating it.”

RIPTA Director Scott Avedisian confirmed that reports downloaded by RIPTA from a UnitedHealthcare portal between 2015 and 2020 were ‘filtered files’, and the data unrelated to RIPTA was supposed to remain hidden. While not confirmed, the description suggests the downloaded files were Excel spreadsheets with certain rows hidden. The secure links to access the files on the portal were emailed to RIPTA by UnitedHealthcare.
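The "filtered files" description above points at a common data-handling mistake: hiding rows, columns or sheets in a spreadsheet changes only how the workbook is displayed, and the hidden cells remain in the file for anyone who receives it. The following script is an added example (not code from HIPAA Journal, RIPTA or UnitedHealthcare) of the pre-sharing check a data-protection team would run on an export: it opens an .xlsx as the zip of SpreadsheetML XML that it is and reports every hidden sheet, column and row, together with the values those rows still carry. The workbook it scans is a constructed fixture with made-up names and plan IDs; it contains only the parts a scanner reads (workbook.xml and one sheet), so it is not a complete file that Excel itself would open.

```python
"""Find hidden sheets, rows and columns in an .xlsx before it is shared.

Added example, not the page's or any named organization's code. An .xlsx is a
zip archive; hidden rows are just <row hidden="1"> elements in the sheet XML
with their cells intact, so "filtering" by hiding rows is not redaction.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# SpreadsheetML main namespace used by workbook.xml and worksheet parts.
NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
_M = "{%s}" % NS["m"]


def build_fixture() -> bytes:
    """Constructed minimal workbook: one visible employee row (constructed
    sample values), two hidden rows belonging to another employer, one hidden
    column and one hidden sheet entry. Only the parts the scanner reads are
    written, so this is a fixture, not a full Excel-openable file."""
    workbook = (
        '<workbook xmlns="%s"><sheets>'
        '<sheet name="Filtered" sheetId="1"/>'
        '<sheet name="Unfiltered" sheetId="2" state="hidden"/>'
        '</sheets></workbook>' % NS["m"]
    )

    def row(n, cells, hidden=False):
        attrs = ' hidden="1"' if hidden else ""
        body = "".join(
            '<c r="%s%d" t="inlineStr"><is><t>%s</t></is></c>' % (col, n, val)
            for col, val in zip("ABC", cells)
        )
        return '<row r="%d"%s>%s</row>' % (n, attrs, body)

    sheet = (
        '<worksheet xmlns="%s">'
        '<cols><col min="3" max="3" hidden="1" width="0"/></cols>'
        "<sheetData>"
        + row(1, ["Name", "Employer", "Plan ID"])
        + row(2, ["A. Example", "RIPTA", "PLAN-0001"])
        + row(3, ["B. Example", "Other Agency", "PLAN-0002"], hidden=True)
        + row(4, ["C. Example", "Other Agency", "PLAN-0003"], hidden=True)
        + "</sheetData></worksheet>"
    ) % NS["m"]

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/worksheets/sheet1.xml", sheet)
    return buf.getvalue()


def _cell_text(c) -> str:
    """Return an inline-string or plain value cell's text ('' if empty)."""
    t = c.find("m:is/m:t", NS)
    if t is not None:
        return t.text or ""
    v = c.find("m:v", NS)
    return (v.text or "") if v is not None else ""


def scan_xlsx(data: bytes) -> dict:
    """Report hidden sheets, hidden column ranges and hidden rows (with values)."""
    report = {"hidden_sheets": [], "hidden_cols": [], "hidden_rows": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        for s in wb.findall("m:sheets/m:sheet", NS):
            # Excel's UI hides "hidden"; "veryHidden" is only settable via VBA/XML.
            if s.get("state") in ("hidden", "veryHidden"):
                report["hidden_sheets"].append(s.get("name"))
        for part in sorted(z.namelist()):
            if not (part.startswith("xl/worksheets/sheet") and part.endswith(".xml")):
                continue
            ws = ET.fromstring(z.read(part))
            for col in ws.findall("m:cols/m:col", NS):
                if col.get("hidden") in ("1", "true"):
                    report["hidden_cols"].append(
                        (part, int(col.get("min")), int(col.get("max"))))
            for r in ws.findall("m:sheetData/m:row", NS):
                if r.get("hidden") in ("1", "true"):
                    values = [_cell_text(c) for c in r.findall("m:c", NS)]
                    report["hidden_rows"].append((part, int(r.get("r")), values))
    return report


if __name__ == "__main__":
    for key, items in scan_xlsx(build_fixture()).items():
        print(key, items)
```

Run against a real export, the same scan shows whether a file is safe to send: a non-empty report means the recipient gets more than what is on screen, and the right fix is to delete the unneeded rows, columns and sheets (or regenerate the report with a filter applied server-side) rather than hide them.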

At the hearing, officials at the state Department of Information Technology confirmed there is a statewide policy requiring the encryption of sensitive data such as personally identifiable information, personal health information, and federal tax information; however, RIPTA is not one of the agencies or quasi-state agencies assisted or supported by the Department of Information Technology, so RIPTA is not required to comply with the state’s encryption policy.

UnitedHealthcare’s VP of external affairs was scheduled to appear at the hearing but backed out after initially agreeing to appear. UnitedHealthcare said it is investigating the breach to determine what went wrong. At this stage, there is no listing of a breach at UnitedHealthcare on the HHS’ Office for Civil Rights breach portal.

In addition to the investigation by the Rhode Island Attorney General, Colantuono said there will also be a federal investigation, and discussions are underway between the Department of Justice and the HHS’ Office for Civil Rights to determine which of the two agencies will conduct it. There is also the possibility of legal action being taken against UnitedHealthcare and RIPTA by state employees affected by the data breach.
