QRS Inc, a Tennessee-based healthcare technology services company and provider of the Paradigm practice management and electronic health records (EHR) solution, has announced a data breach involving the protected health information (PHI) of almost 320,000 individuals. The cyberattack was detected on August 26, 2021, three days after a server was breached.

QRS explained in its breach notification letters that a hacker gained access to the electronic patient portal and potentially accessed and exfiltrated the PHI of patients of some of its healthcare provider clients.

When the breach was detected, the compromised server was immediately taken offline to prevent further unauthorized access and an investigation was launched to determine the nature and scope of the attack.

Assisted by a third-party computer forensics firm, QRS determined the breach was limited to a single server. No other QRS systems nor those of its clients were affected. The compromised server contained files that included PHI such as names, addresses, dates of birth, Social Security numbers, patient identification numbers, portal usernames, and medical treatment and diagnosis information.

QRS said unauthorized access and data exfiltration could not be ruled out, but it is not aware of any cases of actual or attempted misuse of patient data.

On October 22, 2021, QRS started sending notification letters to all affected individuals on behalf of its affected healthcare provider clients. Individuals who had their Social Security number exposed have been offered complimentary access to identity theft protection services as a precaution. QRS said it is taking steps to assess and address the risk of a similar incident occurring in the future.

Law enforcement has been notified and the breach has been reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). The OCR breach portal indicates the PHI of up to 319,778 individuals was stored on the compromised server.

The post PHI of 320,000 Patients Potentially Compromised in EHR Vendor Hacking Incident appeared first on HIPAA Journal.

Boca Raton, FL-based Nationwide Laboratory Services, which was acquired by Quest Diagnostics in the summer, was the victim of a ransomware attack earlier this year.

Nationwide Laboratory Services detected a breach of its systems on May 19, 2021, when ransomware was used to encrypt files across its network and prevent files from being accessed. Steps were immediately taken to contain the attack and a third-party cybersecurity firm was engaged to assist with the investigation and remediation efforts.

The forensic investigation confirmed on August 31, 2021, that the attackers gained access to parts of its network where patients’ protected health information was stored, and potentially accessed information such as names, dates of birth, lab test results, medical record numbers, Medicare numbers, and health insurance information. A subset of the individuals affected had their Social Security numbers exposed. The types of information exposed in the attack varied from patient to patient.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates the protected health information of up to 33,437 individuals was potentially compromised.

Nationwide Laboratory Services said it is possible that the attackers exfiltrated a limited number of files from its network prior to deploying ransomware to encrypt files; however, no evidence has been uncovered to indicate patient data has been or will be used for any unintended purposes. As a precaution, affected individuals are being encouraged to review their accounts and explanation of benefits statements for signs of fraudulent activity.

Nationwide Laboratory Services has offered 12 months of complimentary credit monitoring services to individuals whose Social Security numbers were stored on the affected systems.

The FBI recently issued a private industry notification about ransomware actors targeting companies that are involved in significant financial events such as mergers and acquisitions and are using exfiltrated data as leverage in their efforts to extort money from victims. There have been several cases where the attackers have threatened to release sensitive and potentially harmful information to negatively affect stock prices to encourage payment of the ransom.

The post Nationwide Laboratory Services Ransomware Attack Affects 33,000 Patients appeared first on HIPAA Journal.

Seneca Family of Agencies, a California provider of mental health, education, juvenile justice, placement, and permanency services, identified unauthorized activity within its computer systems on August 27, 2021. Action was immediately taken to secure its systems and prevent further unauthorized access, with the subsequent investigation confirming its systems were compromised on August 25.

While no evidence of actual or attempted misuse of information has been identified, it is possible protected health information was compromised. The types of information stored on the affected systems differed from patient to patient and may have included the following data elements: name, date of birth, Social Security number, address, phone number, email address, medical record number, treatment/diagnosis information, health insurance information, Medicare/Medicaid number, provider name, prescription information, driver’s license/state identification number, and/or digital signature.

Seneca Family of Agencies said, as a precaution, affected individuals are being offered credit monitoring and identity protection services at no cost. Additional security measures have now been implemented to better protect information stored on its systems.

According to the breach report submitted to the HHS’ Office for Civil Rights, the protected health information of 2,470 individuals may have been compromised.

PHI of 3,000 Individuals Potentially Compromised in Las Vegas Cancer Center Ransomware Attack

Las Vegas Cancer Center has announced it was the victim of a ransomware attack over the Labor Day weekend. The cyberattack was discovered on September 7, 2021, when the center re-opened.

The attackers succeeded in encrypting data on its network and, prior to using ransomware, may have exfiltrated the protected health information of current and former patients including names, addresses, dates of birth, Social Security numbers, medical record numbers, and health insurance information.

Las Vegas Cancer Center said it had implemented multiple cybersecurity measures to prevent unauthorized access prior to the attack. While patient data may have been exfiltrated, it was stored in a proprietary format so is not believed to have been accessed by the attackers. The cancer center also said no evidence of data theft was found nor was any ransom demand.

The post Cyberattacks Reported by Las Vegas Cancer Center and Seneca Family of Agencies appeared first on HIPAA Journal.

Baywood Medical Associates, doing business as Desert Pain Institute (DPI) in Mesa, AZ, has discovered unauthorized individuals gained access to parts of its computer network that contained the protected health information of patients.

The security breach was detected and stopped by DPI on September 13, 2021, and a third-party cybersecurity company was engaged to assist with the investigation and determine the nature and scope of the cyberattack. On October 15, 2021, the forensic investigators confirmed evidence was found indicating the attackers had accessed parts of its network where patients’ protected health information was stored.

A review of the files on systems accessible to the hackers releveled the following information may have been viewed or exfiltrated: Full names, addresses, dates of birth, Social Security numbers, tax identification numbers, driver’s license/state-issued identification card numbers, military identification numbers, financial account numbers, medical information, and health insurance policy number. The types of data potentially compromised varied from patient to patient.

From September 13 when the breach was detected until the date of issuing notifications, no evidence has been found to indicate any actual or attempted misuse of patient data; however, affected individuals have been advised to be vigilant against identity theft and fraud and to sign up for the complimentary credit monitoring services that are being provided.

DPI said security measures for its systems and servers have been enhanced, which includes new end-point monitoring tools to identify unauthorized activity.

The incident has not yet appeared on the Department of Health and Human Services’ Office for Civil Rights breach portal, but the breach notification provided to the Maine attorney general indicates the protected health information of 45,262 individuals was potentially compromised.

The post PHI of 45,262 Desert Pain Institute Patients Potentially Compromised in Cyberattack appeared first on HIPAA Journal.

Family of Woodstock (FOW), a New York provider of crisis intervention, information, prevention, and support services, has suffered a cyberattack in which the protected health information of 8,214 individuals was potentially compromised.

The cyberattack was detected on August 3, 2021, and rapid steps were taken to eject the attackers from its network and restore its systems and operations. Third-party forensic investigators were engaged to determine the nature and scope of the breach, with the initial phase of the investigation concluding on September 11, 2021.

FOW said the investigation confirmed the attackers had access to parts of its network that contained protected health information such as first and last names, addresses, telephone numbers, email addresses, dates of birth, Social Security numbers, driver’s license numbers, medical record numbers, medical history, diagnosis, treatment, condition, and health insurance information. At the time of issuing notifications, no evidence had been found indicating any attempted or actual misuse of information.

FOW has implemented additional cybersecurity safeguards, is enhancing its policies, procedures, and protocols, and is providing additional cybersecurity training to the workforce.

Physical Therapy Center Notifies 6,500 Patients of PHI Exposure

Viverant PT, LLC, a Minneapolis, MN-based physical therapy center, is notifying 6,500 current and former patients about a March 2021 cyberattack that exposed their protected health information.

The breach was detected on March 9, 2021, when suspicious emails were sent from an employee’s email account. The email account was immediately secured and steps were taken to address and contain the breach. A comprehensive review was conducted of its email environment, which confirmed only one email account had been breached but that it contained a wide range of sensitive data.

No evidence was found to indicate any attempted or actual misuse of patient data, but the possibility of data theft could not be ruled out. Viverant said the types of data in the account varied from individual to individual and may have included the following data elements: name, address, date of birth, Social Security number, driver’s license number, medical record number, date of service, diagnostic/treatment information, credit/debit card number with password or security code, health insurance information, financial account number with or without password or routing number, medications, username with security questions and answers, vehicle identification number (VIN), and digital signature.

Viverant said a leading security firm was engaged to assist with the investigation and response to the attack, and additional measures have been implemented to improve the security of its systems and practices. They include changing passwords, implementing more robust authentication, conducting further training of the workforce, and retaining national privacy and security experts to assist with ongoing security. Viverant said complimentary credit monitoring services have been offered to affected individuals.

The post Cyberattacks Reported by Family of Woodstock and Viverant appeared first on HIPAA Journal.

The protected health information of more than 650,000 patients of Community Medical Centers (CMC) in California has potentially been obtained by hackers.

CMC is a not-for-profit network of community health centers that serve patients in the San Joaquin, Solano, and Yolo counties in Northern California. CMC identified suspicious activity in its computer systems on October 10, 2021, and shut down its systems to prevent further unauthorized access. An investigation was launched to determine the nature and scope of the breach, with assistance provided by third-party cybersecurity experts.

The forensic investigation confirmed that unauthorized individuals had gained access to parts of its network where protected health information was stored, including first and last names, mailing addresses, dates of birth, Social Security numbers, demographic information, and medical information.

Due to the sensitive nature of the exposed data, CMC is offering complimentary identity theft protection, identity theft resolution, and credit monitoring services to affected individuals. CMC said it has confirmed its systems are now secure, policies and procedures have been reviewed and updated to improve security, and data management policies have been reviewed and updated.

Law enforcement has been notified about the breach, as have appropriate state attorneys general and the Department of Health and Human Services.

The breach report submitted to the Maine attorney general indicates the protected health information of 656,047 individuals was potentially compromised.

Professional Healthcare Management Discloses Ransomware Attack

Memphis, TN-based Professional Healthcare Management (PMH) has started notifying certain patients that some of their protected health information has potentially been compromised in a September 2021 ransomware attack.

The attack was detected on September 14 and action was quickly taken to secure its servers and workstations. Assisted by third-party cybersecurity and incident response experts, PMH was able to quickly secure and restore its systems and operations. An investigation was conducted to determine the nature and scope of the breach which determined the personal and protected health information of patients may have been accessed and obtained by the attackers.

The breach investigation is ongoing but, at this stage, no evidence of data theft or misuse of patient data has been identified; however, notification letters are now being sent to affected individuals and the incident has been reported to the HHS’ Office for Civil Rights.

PMH said the following types of patient information were potentially compromised: first and last names, Social Security numbers, health insurance information (Medicaid number, Medicare number, and insurance identification number), prescription name(s), and diagnosis code(s).

Additional safeguards are being implemented to improve IT security, cybersecurity policies, protocols, and procedures are being updated, and additional cybersecurity training has been provided to the workforce.

The post More than 650K Patients of Community Medical Centers Notified About Hacking Incident appeared first on HIPAA Journal.

Lavaca Medical Center, a critical access hospital in Hallettsville, TX, has started notifying 48,705 patients about a security breach in which their protected health information was exposed.

Lavaca Medical Center said unusual activity was detected in its computer network on August 22, 2021, indicating a potential cyberattack. Steps were immediately taken to secure its network and a third-party computer forensics firm was engaged to assist with the investigation. The forensic investigators confirmed unauthorized individuals had access to the network between August 17 and August 21.

While no evidence of data theft was uncovered, the possibility that patient data were viewed or exfiltrated could not be ruled out. Affected systems contained names, dates of birth, Social Security numbers, patient account numbers, and medical record numbers. The electronic medical record system was not accessed.

Lavaca Medical Center said it has no reason to believe any patient data were removed from its systems or misused; however, as required by the HIPAA Breach Notification Rule, notification letters have been sent to affected individuals. Out of an abundance of caution, affected individuals have been offered complimentary credit monitoring and identity theft protection services.

Network monitoring tools have now been enhanced and its systems will be regularly audited for unauthorized activity.

Throckmorten County Memorial Hospital Discovers Malware Infection

Throckmorten County Memorial Hospital in Texas has discovered unauthorized individuals gained access to parts of its computer network that contained the personal information of 3,136 employees and patients.

An intrusion was detected on September 7, 2021, which involved unauthorized access to systems and the installation of malware. A forensic investigation determined its network was breached on August 25, 2021, and access remained possible until September 7.

A review of the affected systems confirmed they contained patient information such as first and last name, address, date of birth, gender, date(s) of service, diagnoses, current procedural terminology code, medical condition, medication, and details of hospital visits. Employee data potentially compromised included name, wage history, Social Security number, payroll information, and filing information.

Throckmorten County Memorial Hospital said affected individuals have been offered a complimentary membership to a credit monitoring service and will be protected by an identity theft and fraud insurance policy. Notifications about the security breach were delayed to allow time for the malware to be removed and security to be improved, as providing notifications earlier would have left its network vulnerable to other threat actors.

The post Security Breaches Reported by Lavaca Medical Center and Throckmorten County Memorial Hospital appeared first on HIPAA Journal.

Lavaca Medical Center, a critical access hospital in Hallettsville, TX, has started notifying 48,705 patients about a security breach in which their protected health information was exposed.

Lavaca Medical Center said unusual activity was detected in its computer network on August 22, 2021, indicating a potential cyberattack. Steps were immediately taken to secure its network and a third-party computer forensics firm was engaged to assist with the investigation. The forensic investigators confirmed unauthorized individuals had access to the network between August 17 and August 21.

While no evidence of data theft was uncovered, the possibility that patient data were viewed or exfiltrated could not be ruled out. Affected systems contained names, dates of birth, Social Security numbers, patient account numbers, and medical record numbers. The electronic medical record system was not accessed.

Lavaca Medical Center said it has no reason to believe any patient data were removed from its systems or misused; however, as required by the HIPAA Breach Notification Rule, notification letters have been sent to affected individuals. Out of an abundance of caution, affected individuals have been offered complimentary credit monitoring and identity theft protection services.

Network monitoring tools have now been enhanced and its systems will be regularly audited for unauthorized activity.

Throckmorten County Memorial Hospital Discovers Malware Infection

Throckmorten County Memorial Hospital in Texas has discovered unauthorized individuals gained access to parts of its computer network that contained the personal information of 3,136 employees and patients.

An intrusion was detected on September 7, 2021, which involved unauthorized access to systems and the installation of malware. A forensic investigation determined its network was breached on August 25, 2021, and access remained possible until September 7.

A review of the affected systems confirmed they contained patient information such as first and last name, address, date of birth, gender, date(s) of service, diagnoses, current procedural terminology code, medical condition, medication, and details of hospital visits. Employee data potentially compromised included name, wage history, Social Security number, payroll information, and filing information.

Throckmorten County Memorial Hospital said affected individuals have been offered a complimentary membership to a credit monitoring service and will be protected by an identity theft and fraud insurance policy. Notifications about the security breach were delayed to allow time for the malware to be removed and security to be improved, as providing notifications earlier would have left its network vulnerable to other threat actors.

The post Security Breaches Reported by Lavaca Medical Center and Throckmorten County Memorial Hospital appeared first on HIPAA Journal.

Tech Etch, a Plymouth, MA-based manufacturer of precision-engineered thin metal components, flexible printed circuits, and EMI/RFI shielding, has announced it was the victim of a ransomware attack in which the personal and protected health information of current and former employees was potentially compromised.

Companies such as Tech Etch would not normally be required to comply with HIPAA; however, the company provides a health plan for its employees and, as such, is classed as a HIPAA-covered entity.

Tech Etch discovered the ransomware attack on August 25, 2021, with the investigation determining the attackers gained access to its network on August 20. Tech Etch engaged an external forensic cybersecurity team to assist with the breach investigation, help secure its network, and prevent any further unauthorized access. Tech Etch had viable backups that were unaffected and was able to restore all encrypted data without paying the ransom.

Multiple safeguards had been implemented to secure employees’ personal and protected health information, but despite those protections, some employee data may have been stolen. Tech Etch said no direct evidence of data staging or data exfiltration was identified and the investigation indicated the attackers had not accessed the HR servers where employee data were stored. The attackers did try to access data backups containing employee data, but the backups were encrypted by Tech Etch and could not be viewed. Some employee information, such as names, addresses, Social Security numbers, dates of birth, and personal health information, was present in its email environment and could have been accessed or exfiltrated.

Tech Etch has not found any evidence that any employee data has been acquired or misused and it does not appear that any employee data have been posted publicly.

Affected employees have been advised to monitor their credit reports, accounts, and explanation of benefits statements for signs of fraudulent activity and to immediately report any suspicious transactions if they are discovered.  Tech Etch has already taken steps to enhance its security systems to prevent further security incidents and will continue to review those protocols to ensure they remain effective.

The ransomware attack has been reported to the Department of Health and Human Services’ Office for Civil Rights and the Massachusetts Attorney General. This post will be updated when it is known how many individuals have been affected.

UNC Hospitals Discovers Insider Breach and Data Theft

The protected health information of 719 patients of UNC Hospitals has been stolen by a former employee, who used the information for financial gain.

The Chapel Hill, NC-based healthcare provider discovered the unauthorized access on September 10, 2021. The employee in question was responsible for handling patients’ payments for services at several UNC Hospitals clinics and was provided with access to sensitive patient data to complete work duties.

The employee stole patients’ demographic information, financial information, Social Security numbers, copies of insurance cards, and patients’ driver’s licenses and used that information to fraudulently obtain goods and services.

Patients whose protected health information was accessed or misused by the former employee have been notified by mail and have been offered complimentary credit monitoring services for 12 months. The UNC Hospitals Police Department has launched a criminal investigation into the incident.

The post PHI of Employees Potentially Compromised in Tech Etch Ransomware Attack appeared first on HIPAA Journal.