HIPAA Breach News

PHI of 24,891 Specialty Surgery Center of Central New York Patients Potentially Compromised

Syracuse ASC, dba Specialty Surgery Center of Central New York, has started notifying 24,891 patients that some of their protected health information (PHI) was potentially accessed by unauthorized individuals who gained access to its computer systems.

The breach was identified by Syracuse ASC around March 31, 2021, and steps were immediately taken to secure its systems and prevent further unauthorized access. A third-party cybersecurity firm was engaged to assist with the forensic investigation, which concluded on April 30, 2021, and determined the hackers accessed parts of its systems that contained PHI.

A second investigation was conducted to determine which individuals’ PHI had been exposed. A list of individuals potentially affected by the incident was obtained on August 16, 2021, with the delay in issuing notifications due to a “substantial data validation process to verify the accuracy of the data.”

The file review confirmed names may have been compromised along with limited health information, but no evidence was found to indicate any actual or attempted misuse of data on the compromised systems.

Several steps have already been taken to improve IT security to prevent further data breaches, including updating its antivirus software and switching provider, locking down external websites, adding warning banners to emails from external sources, reconfiguring routers and closing unused ports and services, segregating the guest Wi-Fi network, updating switches and firewalls, upgrading operating systems on workstations, and providing further security awareness training to the workforce.

Computer Containing PHI Stolen from Advocate Lutheran General Hospital

A laptop computer containing the protected health information of patients of Advocate Lutheran General Hospital in Park Ridge, IL has been stolen.

The computer was stolen from the hospital between 3:30 p.m. on September 22 and 6:30 a.m. on September 24, 2021. Upon discovery of the theft, technologies and processes were implemented to protect patient data and the laptop computer was remotely disabled; however, it is possible that in the short window of opportunity, data stored on the device could have been viewed. The hospital said it has found no evidence to indicate patient data was compromised.

The post PHI of 24,891 Specialty Surgery Center of Central New York Patients Potentially Compromised appeared first on HIPAA Journal.

UPMC Hacker Who Stole PII of 65,000 Employees Gets Maximum 7-Year Sentence

The hacker who gained access to the databases of University of Pittsburgh Medical Center (UPMC) and stole the personally identifiable information (PII) and W-2 information of approximately 65,000 UPMC employees has been handed the maximum sentence for the offenses and will serve 7 years in jail.

Sean Johnson, of Detroit, Michigan – aka TheDearthStar and Dearthy Star – hacked into the databases of UPMC in 2013 and 2014 and stole highly sensitive information which was then sold on dark web hacking forums and was used by identity thieves to file fraudulent tax returns in the names of UPMC employees. The Department of Justice (DOJ) also alleged Johnson conducted further cyberattacks between 2014 and 2017 and stole the PII of an additional 90,000 individuals. Those sets of data were also sold to identity thieves on dark web forums.

In total, fraudulent tax returns totaling $2.2 million were filed and around $1.7 million was disbursed by the IRS. The funds received were converted to Amazon gift cards, which were used to purchase high-value goods that were shipped to Venezuela.

Three of Johnson’s co-conspirators were arrested and charged for their roles in the UPMC cyberattack. In August 2016, Cuban national Yolandy Perex Llanes was extradited to the United States and pleaded guilty in April 2017 to money laundering and aggravated identity theft. He was sentenced in 2017 to 6 months of time served.

In April 2017, Justin A. Tollefson of Spanaway, Washington, a staff sergeant at Joint Base Lewis-McChord in Tacoma, Washington, pleaded guilty to four counts of using the stolen identities of UPMC employees to file fraudulent tax returns. He had purchased the PII on a dark web forum and used the data to file fraudulent tax returns in the names of four UPMC employees. $56,333 was paid by the IRS in income tax refunds, but Tollefson was arrested before he received any funds. The judge was lenient as Tollefson had not profited from the fraud and sentenced him in 2017 to 3 years of probation.

Maritza Maxima Soler Nodarse, a Venezuelan national, pleaded guilty to conspiracy to defraud the United States in July 2017 for her role in the identity theft and tax fraud crimes. She received a 16-month time-served sentence and was deported to Venezuela.

Johnson received the maximum sentence despite pleading guilty to the hacking charges due to the severity of the offenses and the impact they had on the lives of his victims. Chief United States District Judge Mark R. Hornak said Johnson’s behavior was like a “bulldozer” through people’s lives and his indiscriminate hacking activities showed no regard for his victims. “The actions of criminals like Justin Johnson can have long-lasting and devastating effects on the lives of innocent people,” said Yury Kruty, Acting Special Agent in Charge of IRS-Criminal Investigation.

Johnson was sentenced to serve 60 months in jail for the conspiracy to defraud the United States charge and a mandatory 24-month sentence for aggravated identity theft, with the sentences to run consecutively.

“Justin Johnson stole the names, Social Security numbers, addresses, and salary information of tens of thousands of UPMC employees, then sold that personal information on the dark web so that other criminals could further exploit his victims,” said Acting U.S. Attorney Kaufman. “Today’s sentence sends a deterrent message that hacking has serious consequences.”


September 2021 Healthcare Data Breach Report

There was a 23.7% month-over-month increase in reported healthcare data breaches in September, which saw 47 data breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights. While that is more than 1.5 breaches a day, it is under the average of 55.5 breaches per month over the past 12 months.

[Figure: Healthcare data breaches August 2020 to September 2021]

While data breaches increased, there was a major decrease in the number of breached healthcare records, dropping 75.5% from August to 1,253,258 records across the 47 reported data breaches, which is the third-lowest total over the past 12 months.

[Figure: Healthcare records breached over the past 12 months]

Largest Healthcare Data Breaches Reported in September 2021

16 healthcare data breaches were reported in September 2021 that involved the exposure, theft, or impermissible disclosure of more than 10,000 healthcare records.

The largest breach of the month was reported by the State of Alaska Department of Health & Social Services. The breach was initially thought to have resulted in the theft of the personal and protected health information (PHI) of all state residents, although the breach was reported to the HHS as affecting 500,000 individuals. The cyberattack is believed to have been conducted by a nation-state hacking group.

Two major data breaches were reported by eye care providers: A hacking incident at U.S. Vision Optical resulted in the exposure of the PHI of 180,000 individuals, and a phishing incident at Simon Eye Management gave the attackers access to email accounts containing the PHI of 144,373 individuals. The breaches are not believed to be related, but they are two of a handful of recent incidents affecting eye care providers.

Ransomware continues to be extensively used in attacks on the healthcare industry. 6 of the top 16 attacks in September involved ransomware and potentially saw PHI stolen. Several ransomware gangs have targeted the healthcare sector, with the FIN12 group one of the most active. A recent analysis of FIN12 attacks by Mandiant revealed 20% of the gang’s attacks have been on the healthcare industry, with the attacks accounting for around 20% of all incidents Mandiant responds to.

Hackers have been targeting the healthcare industry, but data breaches can also be caused by insiders with privileged access to PHI. One notable ‘insider’ breach was reported by Premier Management Company and involved data being accessed by a former employee after termination. The incident highlights the importance of ensuring access to PHI (and IT systems) is blocked immediately when an employee is terminated, leaves the company, or when job functions change that no longer require an employee to have access to PHI.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
|---|---|---|---|---|
| State of Alaska Department of Health & Social Services | AK | Health Plan | 500,000 | Nation-state hacking incident |
| U.S. Vision Optical | NJ | Healthcare Provider | 180,000 | Unspecified hacking incident |
| Simon Eye Management | DE | Healthcare Provider | 144,373 | Email account breach (phishing) |
| Navistar, Inc. Health Plan and the Navistar, Inc. Retiree Health Benefit and Life Insurance Plan | IL | Health Plan | 49,000 | Ransomware attack |
| Talbert House | OH | Healthcare Provider | 45,000 | Unspecified hacking incident (data exfiltration) |
| Premier Management Company | TX | Healthcare Provider | 37,636 | PHI accessed by an employee after termination |
| Central Texas Medical Specialists, PLLC dba Austin Cancer Centers | TX | Healthcare Provider | 36,503 | Malware |
| Orlick & Kasper, M.D.’s, P.A. | FL | Healthcare Provider | 30,000 | Theft of electronic devices containing PHI |
| McAllen Surgical Specialty Center, Ltd. | TX | Healthcare Provider | 29,227 | Ransomware attack |
| Asarco Health, Dental, Vision, Flexible Spending, Non-Union Employee Benefits, and Retiree Medical Plans | AZ | Health Plan | 28,000 | Ransomware attack |
| Horizon House, Inc. | PA | Healthcare Provider | 27,823 | Ransomware attack |
| Rehabilitation Support Services, Inc. | NY | Healthcare Provider | 23,907 | Unspecified hacking incident (data exfiltration) |
| Samaritan Center of Puget Sound | WA | Healthcare Provider | 20,866 | Theft of electronic devices containing PHI |
| Directions for Living | FL | Healthcare Provider | 19,494 | Ransomware attack |
| Buddhist Tzu Chi Medical Foundation | CA | Healthcare Provider | 18,968 | Ransomware attack |
| Eastern Los Angeles Regional Center | CA | Business Associate | 12,921 | Email account breach (phishing) |

Causes of September 2021 Healthcare Data Breaches

Hacking and other IT incidents continue to dominate the breach reports, accounting for 53.2% of all breaches reported in the month and 91.6% of all breached records. 1,147,383 healthcare records were exposed or stolen in those incidents, with an average breach size of 33,747 records and a median breach size of 2,453 records.

The number of incidents involving the theft of physical records or electronic equipment containing PHI increased month-over-month. September saw 6 theft incidents reported and 60,236 records compromised. The mean breach size was 10,039 records and the median breach size was 3,918 records. 4 of those breaches involved electronic equipment and could have been prevented had encryption been used.

There were 7 data breaches reported that involved unauthorized access or disclosures of data by insiders. 45,639 records were breached across those incidents, 37,636 of which were obtained in a single incident. The average breach size was 6,520 records and the median breach size was 1,738 records.

[Figure: Causes of September 2021 healthcare data breaches]

Given the high number of hacking and ransomware incidents reported, it is no surprise that the most common location of breached PHI is network servers. Email accounts continue to be targeted in phishing attacks, with 13 incidents in September involving PHI stored in email accounts. The number of devices containing PHI that were stolen highlights the importance of using encryption to protect stored data.

[Figure: Location of PHI in September 2021 healthcare data breaches]

September 2021 Data Breaches by HIPAA-Regulated Entity

Healthcare providers were the worst affected covered entity with 30 reported breaches. 10 breaches were reported by health plans, 6 breaches were reported by business associates, and one breach was reported by a healthcare clearinghouse.

5 of those breaches were reported by a HIPAA-covered entity but occurred at a business associate. The adjusted figures are shown in the pie chart below.

[Figure: September 2021 healthcare data breaches by HIPAA-regulated entity type]

September 2021 Healthcare Data Breaches by State

Data breaches were reported by HIPAA-regulated entities based in 25 states. Texas was the worst affected state with 6 reported breaches of 500 or more records, followed by California with 5 breaches and Connecticut with 4.

| State | Breaches |
|---|---|
| Texas | 6 |
| California | 5 |
| Connecticut | 4 |
| Florida & Washington | 3 |
| Arizona, Georgia, Illinois, New York, Ohio, & Pennsylvania | 2 |
| Alaska, Delaware, Indiana, Kentucky, Maryland, Minnesota, Missouri, New Jersey, New Mexico, Oregon, Rhode Island, Tennessee, Virginia, & Wisconsin | 1 |

HIPAA Enforcement Activity in September 2021

The Department of Health and Human Services’ Office for Civil Rights now has a new director, and it is currently unclear what direction she will take in the department’s HIPAA enforcement actions.

Since the fall of 2019, OCR has been targeting HIPAA-regulated entities that fail to comply with the HIPAA Right of Access, and September saw the 20th financial penalty imposed under this initiative for the failure to provide individuals with access to their healthcare records.

Children’s Hospital & Medical Center in Omaha, NE, settled its HIPAA Right of Access case with OCR and paid an $80,000 financial penalty. This was the ninth OCR case this year to have resulted in a financial penalty for non-compliance with the HIPAA Rules.

There were no reported enforcement activities by state attorneys general in September.


Data Breaches Reported by PracticeMax and UMass Memorial Health

Anthem health plan members with End Stage Kidney Disease who are enrolled in the VillageHealth program have been notified that some of their protected health information has potentially been compromised in a ransomware attack.

VillageHealth helps Anthem plan members through care coordination between the dialysis center, nephrologists, and providers and shares the results with Anthem via its vendor, PracticeMax.

PracticeMax, a provider of business management and information technology solutions to healthcare organizations, identified the attack on May 1, 2021. The investigation revealed the attackers gained access to its systems on April 17, 2021, with access possible until May 5, 2021. PracticeMax said it regained access to its IT systems the following day.

A forensic investigation of the attack confirmed one server was affected that contained protected health information (PHI) which may have been accessed and acquired by the attackers.

The investigation into the attack concluded on August 19, 2021, and confirmed the following types of data had been exposed: First and last name, date of birth, address, phone number, Anthem member ID number, and clinical data relating to kidney care services received. Financial information and Social Security numbers were not compromised.

PracticeMax says it has conducted a review of its policies and procedures and has implemented additional safeguards to block future attacks, including rebuilding systems, using additional endpoint security solutions, and enhancing its firewalls. Affected individuals have been offered complimentary credit monitoring services for 24 months.

UMass Memorial Health Alerts Patients About Phishing Attack

UMass Memorial Health has discovered unauthorized individuals gained access to the email accounts of some of its employees as a result of responses to phishing emails. The phishing attack was discovered on August 25, 2021 when suspicious activity was identified in its email environment.

Unauthorized access to the accounts was immediately blocked and a forensic investigation was launched, with assistance provided by a third-party computer forensics firm. The investigation confirmed the email accounts were breached between June 24, 2020 and January 7, 2021, and during that time, the attackers had access to protected health information stored in the accounts.

While no evidence was found that indicated emails were viewed or obtained by the attackers, the possibility could not be ruled out. A review of the PHI in the accounts was completed on August 25, 2021. The exposed information includes names, Social Security numbers, driver’s license numbers, and financial account information. UMass Memorial Health said complimentary credit monitoring and identity theft protection services have been offered to affected individuals. UMass Memorial said it is enhancing email security and will be re-educating the workforce on email best practices.

The breach has been reported to the Maine Attorney General as affecting a total of 3,099 individuals across the United States.


University Hospital Newark Notifies More Than 19,000 Individuals About Historic Insider Theft

University Hospital Newark (NY) has discovered the protected health information of thousands of patients has been acquired by a former employee, who accessed the information without authorization over the course of a year. That information was subsequently disclosed to other individuals who were also not authorized to view the information.

Insider breaches such as this are fairly common, although what makes this case stand out is when the access occurred. In its substitute breach notice, University Hospital Newark said the unauthorized access occurred between January 1, 2016, and December 31, 2017.

The former employee had been provided with access to patient data to complete work duties but had exceeded the authorized use of that access and had viewed patient data not pertinent to job functions. The types of information viewed and obtained by the individual included names, addresses, dates of birth, Social Security numbers, health insurance information, medical record numbers, and clinical information related to care patients received at University Hospital. University Hospital said the matter has been reported to law enforcement and a criminal investigation into the unauthorized access and disclosure is ongoing.

University Hospital said it started mailing notification letters to affected individuals on October 11, 2021, and has offered those individuals complimentary identity theft and credit monitoring services for 12 months. University Hospital said steps have been taken to reduce the risk of further data breaches of this nature, including a review of internal policies and procedures and further training for the workforce on patient privacy. The breach was reported to the Department of Health and Human Services’ Office for Civil Rights on October 8, 2021 as affecting 9,329 patients.

Employees often access and disclose PHI to identity thieves, although the nature of the data obtained suggests that may not be the case in this instance. University Hospital has not disclosed the reason for the access or how the breach was discovered, only that the former employee accessed the PHI of patients who visited the emergency department and received treatment for injuries sustained in a motor vehicle accident between 2016 and 2017.

On November 5, 2021, University Hospital reported another insider breach to the HHS’ Office for Civil Rights that affected 10,067 individuals. The breach involved the same data types as the previously reported breach and was also linked to individuals involved in road traffic accidents. The unauthorized access occurred between January 1, 2018, and December 31, 2019 and involved the PHI of individuals involved in motor vehicle accidents between 2018 and 2019. University Hospital did not say if this was the same individual but confirmed a criminal investigation is ongoing and the individual concerned is no longer employed at University Hospital. Notification letters were sent to affected individuals starting November 5, 2021.

In August this year, Long Island Jewish Forest Hills Hospital in New York notified more than 10,000 patients whose PHI was impermissibly accessed and disclosed between August 23, 2016, and October 31, 2017. The breach similarly impacted patients who had visited the emergency department after a motor vehicle accident. That breach came to light when a subpoena was received as part of a “No Fault” motor vehicle accident insurance scheme.

In January 2020, Beaumont Health announced an impermissible access and disclosure incident also involving the PHI of patients who were involved in a motor vehicle accident between February 1, 2017, and October 22, 2019. The former employee was believed to have disclosed the PHI to an affiliated personal injury lawyer.


Phishing Attack on Business Associate Affects Tens of Thousands of Professional Dental Alliance Patients

Professional Dental Alliance, a network of dental practices affiliated with the North American Dental Group, has notified tens of thousands of patients that some of their protected health information was stored in email accounts that were accessed by an unauthorized individual between March 31 and April 1, 2021.

Professional Dental Alliance says the breach occurred at its vendor North American Dental Management. Steps were immediately taken to secure the affected accounts and prevent further unauthorized access. An investigation was launched which revealed several email accounts were accessed by an unauthorized individual after employees responded to phishing emails.

The investigation into the breach uncovered no evidence of attempted or actual misuse of patient data, with the investigators concluding the breach was likely limited to credential harvesting. A comprehensive review of the affected email accounts confirmed they contained protected health information such as names, addresses, email addresses, phone numbers, insurance information, Social Security numbers, dental information, and/or financial information. Professional Dental Alliance says the electronic dental record system and dental images were not accessed.

While it appears that protected health information was not stolen, affected individuals have been advised to exercise caution and review their credit reports and account statements and be vigilant for signs of misuse of their data. Professional Dental Alliance says affected individuals are being offered complimentary membership to credit monitoring and identity theft protection services for two years.

The breach has been reported to the HHS’ Office for Civil Rights by each covered entity affected. At least 125,760 patients are known to have had their protected health information exposed.

| Covered Entity | Individuals Affected |
|---|---|
| Professional Dental Alliance of Connecticut | 6,237 |
| Professional Dental Alliance of Florida | 18,626 |
| Professional Dental Alliance of Georgia | 23,974 |
| Professional Dental Alliance of Illinois | 16,673 |
| Professional Dental Alliance of Indiana | 7,359 |
| Professional Dental Alliance of Massachusetts | 607 |
| Professional Dental Alliance of Michigan | 26,054 |
| Professional Dental Alliance of New York | 10,778 |
| Professional Dental Alliance of Tennessee | 11,217 |
| Professional Dental Alliance of Texas | 4,235 |



350,000 Patients of ReproSource Fertility Diagnostics Affected by Ransomware Attack

Marlborough, MA-based ReproSource Fertility Diagnostics has suffered a ransomware attack in which hackers gained access to systems containing the protected health information of approximately 350,000 patients.

ReproSource is a leading laboratory for reproductive health that is owned by Quest Diagnostics. ReproSource discovered the ransomware attack on August 10, 2021 and promptly severed network connections to contain the incident. An investigation into the security breach confirmed the attack occurred on August 8.

While it is possible that patient data was exfiltrated by the attackers prior to the deployment of ransomware, at this stage no evidence of data theft has been identified.

A review of the files on the affected systems was completed on September 24 and revealed they contained the following types of protected health information:

Names, phone numbers, addresses, email addresses, dates of birth, billing and health information (CPT codes, diagnosis codes, test requisitions and results, test reports and/or medical history information), health insurance or group plan identification names and numbers, and other information provided by individuals or by treating physicians. A small subset of individuals may have had driver’s license number, passport number, Social Security number, financial account number, and/or credit card number exposed.

Notification letters are now being sent to affected individuals by Quest Diagnostics. Complimentary credit monitoring and protection services are being provided to affected individuals, who will also be protected by a $1,000,000 identity theft insurance policy.

ReproSource said additional safeguards have been implemented to protect against ransomware and other cyber threats, including additional monitoring and detection tools.


Premier Patient Health Care Alerts Patients About Insider Data Breach

Carrollton, TX-based Premier Patient Health Care has discovered the protected health information of 37,636 patients has been obtained by an unauthorized individual in an insider wrongdoing incident.

Premier Patient Health Care is an Accountable Care Organization (ACO) that works with physicians to improve clinical outcomes under the Medicare Shared Savings Program (MSSP). The ACO and Premier Patient Health Care are operated and run by Premier Management Company, which is a business associate of many primary care physicians who are HIPAA-covered entities.

On April 30, 2020, Wiseman Innovations, a technology vendor used by Premier Management Company, determined a former Premier Patient Health Care executive had accessed its computer system in July 2020 after the termination of employment and viewed and obtained a file containing patient data.

A review of the file confirmed it contained the protected health information of patients of primary care physicians, including full names, age, date of birth, sex, race, county, state of residence, and ZIP code along with Medicare beneficiary information such as Medicare eligibility period, spend information, and hierarchical condition category risk score.

The investigation into the breach is ongoing, but it has not been possible to date to determine what the former executive did with the file after it was acquired, although no evidence has been found to indicate any attempted or actual misuse of patient information.

As a precaution, all affected patients have been advised to be vigilant and monitor their accounts for signs of fraudulent activity. Premier said policies and procedures are being reviewed and will be updated to help prevent similar incidents in the future.

Oregon Eye Specialists Reports Breach of Employee Email Account

The Portland, OR-based optometry group, Oregon Eye Specialists, has discovered a breach of its email environment and the exposure of the protected health information of certain patients.

On August 10, 2021, suspicious activity was detected in an email account, prompting a password reset and investigation. The investigation confirmed an unauthorized individual had gained access to certain employee email accounts from June 29, 2021 to August 30, 2021. A review of those accounts revealed they contained protected health information such as names, dates of birth, dates of service, medical record numbers, financial information, and health insurance information, including provider name and policy number.

No evidence has been found of any actual or attempted misuse of patient data at this stage but affected individuals have been advised to monitor their account and explanation of benefits statements for suspicious activity. Credit monitoring and identity protection services are being offered to affected individuals.

It is currently unclear how many people have been affected. The post will be updated as and when further information becomes available.
