HIPAA Breach News

Data Breaches Reported by Lakeshore Bone & Joint Institute and Putnam County Memorial Hospital

Posted by HIPAA Journal

Lakeshore Bone & Joint Institute, an orthopedic practice in Indiana, has experienced a breach of its Microsoft Office 365 environment, which included emails and attachments that contained the protected health information of certain patients.

Unusual activity was detected in an employee email account on July 7, 2021. Steps were immediately taken to prevent further unauthorized access and a cybersecurity and digital forensic firm was retained to investigate the breach and assist with remediation efforts.

The breach investigation confirmed that an unauthorized individual had gained access to a single employee email account. A review of the account was completed on October 21, 2021, and revealed the following types of patient information may have been viewed or acquired in the attack:

Date of birth, treatment information, diagnosis, provider name, MRN/patient ID, health insurance information, treatment cost information, and, for certain individuals, Social Security numbers.

Individuals whose Social Security numbers were potentially compromised have been offered a 12-month membership to identity theft monitoring services at no cost.

The breach report submitted to the Maine attorney general indicates 23,627 individuals have potentially been affected by the breach.

PHI Potentially Compromised in Putnam County Memorial Hospital Ransomware Attack

Putnam County Memorial Hospital has started notifying 6,916 individuals about a July 2021 cyberattack in which protected health information was potentially compromised.

The attack was detected on July 18, 2021, when the staff was prevented from accessing ceratin computer systems and files. A forensic investigation confirmed an unauthorized individual had gained access to its network at some point between July 16 and July 18, deployed a variety of network reconnaissance tools to identify systems and data of interest, then used ransomware to encrypt files.

The forensic investigation confirmed the parts of the network accessed by the attacker included patient and employee data including names, addresses, Social Security numbers, physician-patient assessments and records, patient authorizations, and lab and radiology reports. Financial information is not believed to have been compromised.

Following the breach, new security measures were implemented to better protect patient data. Complimentary credit monitoring services have been offered to affected individuals for 12 months at no cost. Those services include darknet and clearnet monitoring, quick cash scan, fraud consultation and identity theft restoration services, and identity theft insurance.

The post Data Breaches Reported by Lakeshore Bone & Joint Institute and Putnam County Memorial Hospital appeared first on HIPAA Journal.

PHI of 1.27 Million Patients Compromised in Two Healthcare Data Breaches

Posted by HIPAA Journal

The protected health information of 1,271,642 individuals has been exposed and potentially stolen in two healthcare hacking incidents that were recently been reported to the Department of Health and Human Services’ Office for Civil Rights.

PHI of 688,000 Individuals Compromised in Sea Mar Community Health Centers Hack

Sea Mar Community Health Centers is a nonprofit community-based provider of health, human, housing, educational, and cultural services to underserved communities in Washington state.

On June 24, 2021, Sea Mar learned sensitive data had been exfiltrated from its IT systems by an unauthorized individual. Assisted by a leading third-party cybersecurity firm, Sea Mar determined its systems had been accessed between December 2020 and March 2021. According to the breach notice posted on its website, a review was conducted of the information potentially stolen from its network, which confirmed the following data types had been stolen:

Name, address, Social Security number, date of birth, client identification number, diagnostic and treatment information, insurance information, claims information, and/or images associated with dental treatment.

Sea Mar said the process of collecting the contact information required to issue notification letters to affected individuals was completed on August 30, 2021. Two months after obtaining the contact information, notification letters were sent to affected individuals. The notification sent to the Maine Attorney General indicates breach notification letters were sent between October 29, 2021, and November 5, 2021.

Sea Mar said it is not aware of any evidence of the misuse of information stolen in the incident, but has offered credit monitoring, identity theft protection, and fraud consultation services to individuals whose Social Security number was involved.

No mention is made in the breach notification letters about the stolen data being listed for sale on Marketo. Marketo is a darknet marketplace where stolen data are offered for sale. Marketo is not a ransomware-affiliated marketplace, although data stolen in ransomware attacks have previously been listed for sale on the site, including the data stolen in the Navistar ransomware attack.

The post on Marketo claims 3TB of data were exfiltrated in the attack, including emails, photographs, contact information, and photographs of agreements. The date of notification provided by Sea Mar corresponds with the date DataBreaches.net notified Sea Mar of the listing on Marketo.

Utah Imaging Associates Reports 583,643-Record Data Breach

On November 3, 2021, Utah Imaging Associates reported a data breach to the HHS’ Office for Civil Rights that involved the protected health information of 583,643 individuals. The breach has been listed as a hacking/IT incident involving PHI stored on a network server.

There is currently no mention of the data breach on the Utah Imaging Associates’ website, the breach has not been covered by the media at this stage, and the incident has not appeared on the websites of state attorneys general that publish breach summaries, so the nature of the Utah Imaging Associates data breach is currently unclear.

This post will be updated with further information as and when it becomes available.

The post PHI of 1.27 Million Patients Compromised in Two Healthcare Data Breaches appeared first on HIPAA Journal.

Southern Ohio Medical Center Diverts Ambulances Due to Cyberattack

Posted by HIPAA Journal

Southern Ohio Medical Center (SOMC) Diverts in Portsmouth, OH, is recovering from a cyberattack that occurred on the morning of Thursday, November 18, 2021. The attack forced the hospital to go on diversion and direct ambulances to other healthcare facilities. The hospital also had to cancel some appointments and outpatient services.

“This morning, an unauthorized third-party gained access to SOMC’s computer servers in what appears to be a targeted cyberattack. We are working with federal law enforcement and Internet security firms to investigate this incident” explained SOMC in a Facebook post on Thursday. “Patient care and safety remain our top priority as we work to resolve this situation as quickly as possible. While this does not impact our ability to provide care to current inpatients, we are presently diverting ambulances to other hospitals.”

The 248-bed not-for-profit hospital came off diversion on Friday morning, although it has not yet been able to return to full operations. Law enforcement has been informed and a third-party cybersecurity company has been engaged to investigate the breach and determine the nature and scope of the attack.

The attack took its electronic medical record system offline, with staff forced to revert to pen and paper to record patient information. Outpatient medical imaging, cancer care services, cardiovascular testing, cardiac catheterization, sleep lab, and outpatient surgery and rehab have all experienced disruption due to the lack of access to computer systems and data.

No information has been provided on the nature of the cyberattack and whether ransomware was involved. At such an early stage of the investigation, it is unclear if any patient information was accessed or exfiltrated from the affected servers during the attack.

The hospital said it will continue to assess the situation and will be providing updates as and when they are available.

The post Southern Ohio Medical Center Diverts Ambulances Due to Cyberattack appeared first on HIPAA Journal.

New Jersey Fines Two Printing Companies $130,000 for HIPAA and CFA Violations

Posted by HIPAA Journal

The New Jersey Attorney General and has fined two printing firms $130,000 over alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) and the New Jersey Consumer Fraud Act (CFA) which contributed to a breach of the protected health information (PHI) of 55,715 New Jersey residents.

Command Marketing Innovations, LLC (CMI) and Strategic Content Imaging, LLC (SCI) provided services to a leading New Jersey-based managed healthcare organization that involved printing and mailing benefits statements. Between October 31, 2016, and November 2, 2016, a printing error resulted in PHI such as claims numbers, dates of service, provider names, facility names, and descriptions of services being mailed to incorrect recipients.

When printing firms or other vendors provide services to HIPAA-covered entities that require access to PHI, they are required to enter into a business associate agreement with the covered entity and must comply with the requirements of the HIPAA Security Rule. The responsibilities of HIPAA business associates include implementing safeguards to ensure the confidentiality, integrity, and availability of any PHI they are provided with.

The New Jersey Division of Consumer Affairs (DCA) launched an investigation into the printing firms and determined printing processes were changed in 2016 which resulted in an error being introduced that saw the final page of one member’s statement being added to the first page of another member’s statement. Procedures should have been implemented to check the benefits statements prior to mailing.

The DCA determined impermissible disclosure of PHI was in violation of HIPAA and the CFA. Specifically, the companies violated HIPAA by failing to ensure the confidentiality of PHI, failing to protect against a reasonably anticipated unauthorized disclosure of PHI, and failing to review and modify security measures to ensure reasonable and appropriate protections were in place to ensure the confidentiality of PHI.

The printing firms disputed the findings of the DCA investigation but agreed to a consent order which requires them to change their business practices and implement new safeguards to protect sensitive data.

The consent order requires a comprehensive security information program to be implemented and the use of an event management tool to identify and track potential vulnerabilities and threats to the confidentiality of PHI. Each company is required to appoint an employee as Chief Information Security Officer. That individual must have sufficient expertise in information security to implement, maintain, and monitor the information security program.

An employee with expertise in HIPAA compliance must be appointed as Chief Privacy Officer, a security awareness and anti-phishing training program must be implemented for the workforce, and policies and procedures must be put in place that require approval to be obtained from clients that store or transmit PHI prior to making material changes to printing processes. $65,000 of the penalty amount will be suspended and will not have to be paid if the companies comply with the terms of the consent order.

“Companies that handle sensitive personal and health information have a duty to protect patient privacy,” said Acting Attorney General Bruck. “Inadequate protective measures are unacceptable, and we will hold companies accountable if they bypass our laws, cut corners, and put privacy and security at risk.”

This is the second financial penalty for violations of HIPAA and the CFA to be announced by New Jersey in as many months. In October, Diamond Institute for Infertility and Menopause was fined $495,000 to resolve HIPAA and CFA violations that led to a breach of the PHI of 14,663 New Jersey residents.

The post New Jersey Fines Two Printing Companies $130,000 for HIPAA and CFA Violations appeared first on HIPAA Journal.

DOJ Indicts 2 REvil Ransomware Gang Members: State Department Now Offering $10 Million Reward for Information

Posted by HIPAA Journal

The United States Department of Justice (DoJ) has unsealed indictments charging two individuals for their roles in multiple REvil/Sodinokibi ransomware attacks on organizations in the United States.

Ukrainian national, Yaroslav Vasinskyi, 22, has been indicted on multiple charges related to the ransomware attacks, including the supply chain attack that saw Kaseya’s Virtual System/Server Administrator (VSA) platform compromised. That attack involved ransomware being deployed on the systems of around 40 managed service providers and 1,500 downstream businesses.

Russian national, Yevgeniy Igoryevich Polyanin, 28, has been indicted for his role in multiple ransomware attacks, including attacks on government entities in Texas. The DoJ says it seized $6.1 million in ransom payments that were paid to cryptocurrency wallets linked to Polyanin.

The DoJ has indicted several individuals believed to have been involved in cyberattacks in the United States; however, those individuals can only face trial if they are located, arrested, and extradited to the United States. Many ransomware threat actors are believed to reside in Russia, where there is no extradition treaty, so there is little chance of them facing justice unless they leave Russia.

International arrest warrants have been issued for both individuals and Vasinskyi was arrested in October at the Polish border. Poland signed an extradition treaty with the United States in 1996 and the U.S. is currently seeking Vasinskyi’s extradition. Polyanin has yet to be apprehended.

“Ransomware can cripple a business in a matter of minutes. These two defendants deployed some of the internet’s most virulent code, authored by REvil, to hijack victim computers,” said Acting U.S. Attorney Chad E. Meacham for the Northern District of Texas. “In a matter of months, the Justice Department identified the perpetrators, effected an arrest, and seized a significant sum of money. The Department will delve into the darkest corners of the internet and the furthest reaches of the globe to track down cybercriminals.”

State Department Offers $10 Million Reward for Information on Leaders of REvil and DarkSide Ransomware Operations

Individuals with information about Polyanin, other leaders of the REvil and DarkSide ransomware groups, or affiliates who conducted attacks, are being encouraged to come forward. The U.S. State Department has announced a reward of up to $10 million for information about that leads to the identification or location of leaders of the REvil/DarkSide ransomware groups, with up to $5 million paid for information that leads to the arrest and conviction of any individual who conspired to participate or attempted to participate in a REvil/DarkSide ransomware attacks. The size of the rewards being offered for information clearly shows how focused the United States is on bringing ransomware threat actors to justice.

The pressure being put on ransomware gangs appears to be having some effect. Chris Inglis, U.S. National Cyber Director, recently told House lawmakers that there has been a discernable decrease in Russia-based cyberattacks. and the DoJ says it expects there to be several more arrests in relation to the REvil and DarkSide ransomware attacks in the coming weeks.

Global Law Enforcement Effort Results in Multiple Arrests

The United States is not the only country to be laser-focused on bringing ransomware threat actors to justice. An international law enforcement operation dubbed GoldDust involving 17 nations has recently resulted in the arrest of 7 hackers believed to be involved in the REvil and GandCrab ransomware operations. The Europol, Eurojust, and INTERPOL-coordinated operation saw three individuals arrested in South Korea, two in Romania, one in Kuwait, and one in an unnamed European country, with the latest takedown occurring on November 4 in Romania and Kuwait.

The three individuals in South Korea were previously arrested in February, April, and October for their role in the GandCrab ransomware attacks, which is believed to be the predecessor of REvil/Sodinokibi. The GoldDust operation has been active since 2018 and was launched in response to the GandCrab ransomware attacks.

The previous week, Europol announced 12 individuals had been arrested in raids in Ukraine and Switzerland over their suspected involvement in ransomware attacks involving LockerGoga and other ransomware attacks. Those individuals are believed to have had specialist roles in various stages of the attacks, from infiltration to cashing out and laundering millions in ransom payments.

In September, a French National Gendarmerie, Ukrainian National Police, Europol, and INTERPOL operation resulted in the arrest of 2 individuals suspected to be members of two prolific ransomware operations. That operation also saw $375,000 in cash and luxury vehicles seized, and the asset freezing of $1.3 million in cryptocurrency.

In addition, a 30-month operation, dubbed Operation Cyclone, which involved law enforcement agencies in multiple countries resulted in the arrest of 6 individuals believed to be involved in the Clop ransomware operation, with those arrests occurring in June 2021. The operation saw searches conducted at 20 locations and resulted in the seizure of $185,00 in cash and computer equipment suspected of having been used to conduct the attacks. The Clop ransomware gang had conducted many attacks in the United States, including those on the University of Colorado, Stanford Medicine, University of California, and the University of Maryland Baltimore.

While these arrests will cause some disruption to the activities of ransomware gangs, they represent just a fraction of the individuals involved in ransomware attacks, many of whom can be easily replaced. The core members of the ransomware operations are believed to reside in Russia where they remain untouchable.

The post DOJ Indicts 2 REvil Ransomware Gang Members: State Department Now Offering $10 Million Reward for Information appeared first on HIPAA Journal.

Malware Infection Discovered by JEV Plastic Surgery & Medical Aesthetics

Posted by HIPAA Journal

Owing Mills, MD-based JEV Plastic Surgery & Medical Aesthetics has started notifying 1,620 patients about a security breach that has exposed some of their protected health information.

Malware was detected which allowed an unauthorized individual to access systems that contained protected health information.

A third-party forensic investigation determined the malware had been installed on April 30, 2021, and allowed its systems to be accessed until June 14, 2021. A comprehensive review of files on the affected systems was conducted to determine whether any patient information had been viewed or acquired. On September 8, 2021, JEV Plastic Surgery confirmed files on the compromised systems contained protected health information such as names, dates of birth, consultation notes, medical histories, and surgical operative notes. JEV Plastic Surgery says it is unaware of any actual or attempted misuse of personal data.

JEV Plastic Surgery is reviewing its policies and procedures and will update them as necessary to improve data security. New internal training protocols have also been implemented to mitigate any risk associated with this event and to better protect against future security breaches.

Bryan Health Discovers Insider Breach Involving PHI of 2,753 Patients

Lincoln, NE-based Bryan Health has discovered an insider breach involving the protected health information of 2,753 patients. In August 2021, an employee was discovered to have accessed the health records of patients when there was no legitimate work-related reason for doing so.

The types of information accessed included names, personal information, and information stored in medical records; however, the access rights of that individual did not permit Social Security numbers or financial information to be viewed.

The unauthorized access occurred in September 2020, but it was not discovered until August 2021. All affected individuals have been notified about the breach by mail and Bryan Health has confirmed that the employee no longer works at Bryan Health

Billing Information of 946 UNC Health Patients Exposed

Chapel Hill, NC-based UNC Health has discovered the billing information of 946 patients may have been viewed by unauthorized individuals.

An internal review of billing fields in its electronic health records was conducted on September 9, 2021. One of the fields in the EHR identifies individuals authorized to view patient billing information, and any individual listed in that field is able to access patients’ billing information. The individuals listed in those fields are usually relatives of a patient or other individuals who have been authorized to access their billing information.

The review identified 946 patients who had an individual included in that field that the health system was unable to confirm was authorized to access billing information. Consequently, it is possible that information such as names, addresses, charges for services, and medical-related information may have been accessed by unauthorized individuals.

No Social Security numbers, financial information, or credit card information was exposed and the affected patients are not believed to be at financial risk. UNC Health said it has cleared and reset the field in its EHR, which will prevent authorized individuals from accessing billing information. Notification letters have been sent to patients along with instructions for re-establishing access to their billing information for named individuals.

Policies have also been changed to limit the number of employees who are authorized to update the field and employees who are permitted to access the field have been retrained. Additional safeguards have also been implemented to prevent similar issues in the future.

The post Malware Infection Discovered by JEV Plastic Surgery & Medical Aesthetics appeared first on HIPAA Journal.

Maxim Healthcare Group Notifies 65,000 Individuals About October 2020 Email Breach

Posted by HIPAA Journal

Columbia, MD-based Maxim Healthcare Group has started notifying 65,267 individuals about a historic breach of its email environment and the exposure of their protected health information.

Maxim Healthcare Group, which includes Maxim Healthcare Services and Maxim Healthcare Staffing, said it identified suspicious activity in its email environment on or around December 4, 2020. Steps were taken to prevent further unauthorized access and an investigation was launched to determine the nature and scope of the breach.

The investigation revealed unauthorized individuals had access to several employee email accounts between October 1, 2020, and December 4, 2020. A comprehensive review of those accounts revealed they contained a range of protected health information that was potentially accessed and exfiltrated. The forensic investigation was unable to determine which emails, if any, were accessed and exfiltrated.

Maxim Healthcare said a manual and programmatic review was conducted of the contents of emails and attachments, which confirmed the following data may have been compromised: names, addresses, dates of birth, contact information, medical histories, medical conditions, treatment information, medical record numbers, diagnosis codes, patient account numbers, Medicare/Medicaid numbers, usernames/passwords, and limited Social Security numbers.

Maxim Healthcare said it received the initial results of the content review on August 24, 2021, then had to locate up-to-date contact information for the affected individuals. That process was completed on September 21, 2021. It then took until November 4, 2021, for notifications to be issued to affected individuals, 13 months after the first email accounts were compromised and 11 months after the breach was detected.

Maxim Healthcare said it is offering complimentary credit monitoring services to affected individuals and steps have been taken to improve security. Maxim Healthcare said it immediately instituted additional security protocols, including multi-factor authentication for all email accounts, has transitioned to a new Security Operations Center with advanced detection and response capabilities, and will continuously integrate additional cybersecurity infrastructure and security measures as appropriate.

The post Maxim Healthcare Group Notifies 65,000 Individuals About October 2020 Email Breach appeared first on HIPAA Journal.

Ransomware Roundup: 5 Healthcare Organizations Fall Victim to Ransomware Attacks

Posted by HIPAA Journal

Ransomware attacks have recently been reported by Surecare Specialty Pharmacy, Victory Health Partners, Strategic Benefits Advisors, Blue Shield of California, and Blue Cross of California.

PHI of 8,412 Patients Potentially Compromised in Surecare Specialty Pharmacy Ransomware Attack

El Paso, TX-based Surecare Specialty Pharmacy has recently announced it was the victim of a sophisticated ransomware attack on August 16, 2021. Surecare’s IT service provider took immediate action when the attack was detected, and a third-party forensics firm was engaged to investigate the attack.

The investigation confirmed on August 31, 2021, that files containing a limited amount of patients’ protected health information may have been accessed and/or exfiltrated prior to the deployment of ransomware, although no evidence was found to indicate that was the case nor have any reports been received that suggest any misuse of patient data.

A review of the encrypted files confirmed they contained patient names, addresses, dates of birth, health insurance information, and prescription information. The Social Security numbers of a very small subset of individuals were also included in the compromised files.

Surecare says additional security measures have now been implemented to prevent further cyberattacks and policies and procedures are being reviewed and will be updated as necessary to improve data security.

Ransomware Attack on Vendor Affects Blue Shield of California and Blue Cross of California Members

A ransomware attack on the Santa Ana, CA-based health insurance broker, Team Alvarez Insurance Services, has resulted in the exposure of the protected health information of 2,841 Blue Shield of California and 672 Blue Cross of California members.

On August 27, 2021, Team Alvarez notified the health plans about a cyberattack that occurred on August 25. Team Alvarez immediately secured its network to prevent further unauthorized access and conducted a comprehensive investigation to determine the nature and scope of the attack.

On October 13, 2021, the health plans learned the attacker accessed parts of the Team Alvarez network where members’ enrollment forms were saved. It was not possible to determine if those forms were viewed or downloaded. The forms contained the following data elements: name, address, phone number, email address, date of birth, gender, subscriber ID number, policy effective date, emergency contact information, authorized representative/power of attorney information, and broker information.

Team Alvarez said that in addition to performing a reset of all passwords, firewall configurations have been reviewed, a system-wide security scan has been conducted, and its infrastructure and servers are being rebuilt in a clean environment on new servers.

Affected Individuals have been offered complimentary access to the Experian IdentityWorksSM identity theft protection service for 12 months.

Victory Health Partners Notifies Patients About September 2021 Ransomware Attack

Mobile, AL-based Victory Health Partners has notified patients about a ransomware attack it discovered on September 23, 2021. Prior to the encryption of files, the attackers exfiltrated sensitive data which has potentially been released.

When the attack was detected, systems were shut down to contain the incident and prevent further unauthorized access. A forensic investigation was launched to determine the extent and nature of the attack which confirmed that the following types of patient information may have been obtained by the attackers: name, address, Social Security number, date of birth, and other protected health information. Health information such as diagnoses, health conditions, and other health data was not involved as Victory Health Partners still uses paper charts.

Victory Health Partners has conducted a thorough review of existing operating and IT systems and steps will be taken to improve the confidentiality and security of its records. Further, an external computer consultant has been engaged to advise the clinic on new systems and equipment to protect against future cyberattacks.

PHI Potentially Compromised in Ransomware Attack on Strategic Benefits Advisors

The Georgia-based benefits consulting firm, Strategic Benefits Advisors, has announced it suffered a ransomware attack in which protected health information may have been accessed and/or acquired.

The attack was detected on September 19, 2021, and steps were immediately taken to prevent further unauthorized IT system access. An investigation was conducted into the attack and while that investigation is ongoing, it was determined on October 7, 2021, that certain files within its environment had been accessed and/or exfiltrated by the attackers.

It has yet to be determined exactly how many individuals have been affected, and which types of protected health information were compromised for each individual, but the types of information on the compromised systems included names, addresses, and Social Security numbers. Strategic Benefits Advisors says it is unaware of any actual or attempted misuse of personal information.

Notifications are being sent to affected individuals and steps have been taken to improve the security of its systems to prevent further cyberattacks.

The post Ransomware Roundup: 5 Healthcare Organizations Fall Victim to Ransomware Attacks appeared first on HIPAA Journal.

PHI Potentially Compromised in Hacking Incidents at Four Healthcare Providers

Posted by HIPAA Journal

Four healthcare providers have recently announced their IT systems have been compromised and patient data may have been accessed.

Hacker Gains Access to Server of New York Psychotherapy and Counseling Center

New York Psychotherapy and Counseling Center (NYPCC), an NYC-based non-profit mental health services provider, has announced it was the victim of a cyberattack that was discovered on September 11, 2021.

Steps were immediately taken to secure its systems and prevent further unauthorized access and a third-party cybersecurity firm was engaged to conduct a forensic investigation to determine the nature and scope of the attack. NYPCC said its electronic medical record system was not compromised; however, the attacker is believed to have accessed some files on the server that contained patients’ protected health information.

A review of the files on the server revealed the following information may have been compromised: names, dates of service, addresses, Medicaid IDs, and dates of birth. NYPCC said it is committed to continually reviewing and updating its security protocols related to the protected health information of patients.

Affected individuals have been notified by mail and have been offered complimentary identity monitoring, credit monitoring, and other related services to protect them against any misuse of their information.

The incident has been reported to the HHS’ Office for Civil Rights, but it has not year appeared on the OCR breach portal, so it is currently unclear how many individuals have been affected.

The Urology Center of Colorado Network Accessed by Unauthorized Individual

The Urology Center of Colorado (TUCC) has discovered parts of its computer network have been accessed by an unauthorized individual. The security breach was detected and blocked on September 8, 2021, with the breach investigation confirming the attack started the previous day.

The compromised parts of its network were reviewed to determine whether any patient data may have been accessed. TUCC said the review found the following types of protected health information had been exposed: name, date of birth, Social Security number, address, phone number, email address, medical record number, diagnosis, treating physician, insurance provider, treatment cost, and/or guarantor name.

TUCC said account passwords were changed to prevent further unauthorized access and additional security measures are being considered to prevent further data breaches. Out of an abundance of caution, TUCC is offering complimentary credit monitoring and identity protection services to affected individuals.

The incident has been reported to the HHS’ Office for Civil Rights, but it has not year appeared on the OCR breach portal, so it is currently unclear how many individuals have been affected.

Mowery Clinic Alerts Patients About September 2021 Cyberattack

Mowery Clinic in Salina, KS, has started notifying certain patients about a cyberattack that was detected on September 14, 2021. Action was immediately taken to secure its systems and prevent further unauthorized access and a third-party cybersecurity firm was engaged to conduct a forensic investigation.

The forensic investigation confirmed the attacker had not accessed the electronic health record system, but malware had been deployed that allowed the attacker to access and acquire documents that contained employee and patient information.

At this stage of the investigation, no evidence has been found of any actual or attempted misuse of patient data. The types of information potentially obtained include names, addresses, dates of birth, medical information such as office/diagnostic notes, and a limited number of Social Security numbers. In some cases, information about an employee’s spouse, dependents, beneficiaries, or minor children may have been compromised.

The clinic is still investigating the incident to determine exactly how access to its network was gained. Appropriate measures will be implemented to prevent similar breaches in the future.

Prairie Lakes Healthcare System Says Hacker Gained Access to Some of Its IT Systems

Watertown, S.D.-based Prairie Lakes Healthcare System has discovered an unauthorized individual has gained access to a small number of its IT systems.

The healthcare system learned of the attack on October 6, 2021, when it experienced disruption to parts of its network. Rapid action was taken to isolate the affected systems and prevent further unauthorized access, and a third-party cybersecurity firm was engaged to investigate the incident and assist with remediation efforts.

Prairie Lakes Healthcare said all the affected systems have now been restored; however, the investigation into the security breach is ongoing. At this stage of the investigation, no evidence of unauthorized access or exfiltration of patient data has been found. If patient data is believed to have been compromised, notification letters will be sent to affected individuals.

The post PHI Potentially Compromised in Hacking Incidents at Four Healthcare Providers appeared first on HIPAA Journal.