Barlow Respiratory Hospital in Los Angeles, CA has announced it has suffered a ransomware attack on August 27, 2021. The attack was conducted by the Vice Society ransomware gang, which gained access to its network and electronic medical record system. Prior to using ransomware to encrypt files, the gang exfiltrated patient data, some of which has been posted on the gang’s dark web data leak site.

Barlow Respiratory Hospital said while the attack affected several IT systems, the hospital was able to continue to operate under its emergency procedures and patient care was not interrupted.

Upon detection of the security breach, law enforcement agencies were notified and a third-party cybersecurity firm was engaged to assist with the investigation and determine the scope of the data breach. The investigation into the attack is ongoing.

While some ransomware operations have said they will not target healthcare providers, Vice Society does not fall into that category. The ransomware operation appeared in June 2021 and has already attacked multiple healthcare providers, including Eskenazi Health in Indianapolis. The ransomware gang is known to exploit new security vulnerabilities, including the Windows PrintNightmare flaws.

“We will continue to work with law enforcement to assist in their investigation, and we are working diligently, with the assistance of a cybersecurity firm, to assess what information may have been involved in the incident,” said a spokesperson for Barlow Respiratory Hospital. “If necessary, we will notify the individuals whose information may have been involved, in accordance with applicable laws and regulations, in due course.”

Missouri Delta Medical Center Suffers Hive Ransomware Attack

The protected health information of patients of Missouri Delta Medical Center in Sikeston, MO has been stolen in a ransomware attack conducted by the Hive ransomware gang. Earlier this month, a sample of the stolen data was uploaded to the ransomware gang’s data leak site in an effort to pressure the medical center into paying the ransom. The Hive ransomware gang has attacked multiple healthcare providers in the past few weeks, including Memorial Health System.

Missouri Delta Medical Center engaged the services of a leading forensic security firm to investigate the attack and determine the nature and scope of the breach. The medical center was later notified by a third party that some patient data had been stolen and published online. According to the post on the Hive gang’s data leak site, the names, addresses, phone numbers, dates of birth, Social Security numbers, sex/race, next of kin details, diagnoses, and financial information of 95,000 individuals was stolen in the attack. That information was contained in 400 GB of files that were exfiltrated prior to file encryption.

Missouri Delta Medical Center said the attack has not affected its ability to provide care for patients. The investigation into the cyberattack is ongoing but at this stage it appears that its electronic medical record system was not affected.

“We apologize for any inconvenience this incident may have caused, and are taking steps to increase our security and reduce the risk of a similar incident occurring in the future. We remain focused on continuing to serve our community,” said Missouri Delta Medical Center.

The post Ransomware Gangs Attack Missouri Delta Medical Center and Barlow Respiratory Hospital appeared first on HIPAA Journal.

The Alaska Department of Health and Social Services (DHSS) is about to start mailing notification letters to all individuals in the state telling them their personal and health information may have been compromised in a highly sophisticated cyberattack conducted by a nation state threat actor.

The cyberattack was detected on May 2, 2021 and the DHSS was notified about the attack on May 5, and was advised to shut down its systems immediately to prevent further unauthorized access. Details of when the hackers first gained access to DHSS systems has not been released, but it is known that Advanced Persistent Threat (APT) actors had access to DHSS systems for at least 3 days.

The DHSS has previously reported the security incident and issued an update about the breach in August. The latest update, on September 16, explains the potential impact the attack will have on Alaskans. In the latest update, the DHSS said notifications were delayed so as not to interfere with the criminal investigation into the attack.

The cyberattack was extensive and caused major disruption. Some IT systems affected remain offline, including the websites of many divisions. Temporary web pages have been used to host critical information until the websites can be restored. It is not yet known when all systems will be brought back online. The department’s IT infrastructure is complex, so the recovery process is taking a long time.

The cybersecurity firm Mandiant was engaged to conduct a forensic investigation into the cyberattack. In an August update, the DHSS said hackers had exploited a website vulnerability which allowed them to gain access to DHSS data. “This was not a ‘one-and-done’ situation, but rather a sophisticated attack intended to be carried out undetected over a prolonged period. The attackers took steps to maintain that long-term access even after they were detected,” said DHSS Technology Officer Scott McCutcheon.

All data stored on DHSS infrastructure at the time of the attack is presumed to have been compromised and could potentially be misused, which means the personal and health data of more than 700,000 individuals has likely been breached.

DHSS is currently unaware which information has been accessed or stolen, but it likely includes names, dates of birth, Social Security numbers, phone numbers, addresses, driver’s license numbers, internal identifying numbers (including case reports, protected service reports, Medicaid etc.), health information, financial information and historical information concerning any interactions with the DHSS.

“DHSS urges all Alaskans who have provided data to DHSS, or who may have data stored online with DHSS, to take actions to protect themselves from identity theft,” explained the DHSS in its breach notice.  The DHSS says it is providing free credit monitoring services to “any concerned Alaskan” as a result of the cyberattack, and a code for signing up for those services is being provided in the breach notification letters, which will be mailed between September 27, 2021 and October 1, 2021.

This is a breach of both the Health Insurance Portability and Accountability Act (HIPAA) and the Alaska Personal Information Protection Act (APIPA).

“DHSS is continuing work to further strengthen its processes, tools and staff to be more resilient to future cyberattacks,” said DHSS Chief Information Security Officer Thor Ryan. “Recommendations for future security enhancements are being identified and provided to state leadership.”

It is not the first time that a data breach has affected all state residents. In January 2019, around 700,000 Alaskans were notified by DHSS about a hacking incident that exposed their personal data. In that incident, the Zeus Trojan had been installed on its network in June 2018.

The post Alaska DHSS Says May 2021 Cyberattack Impacts All Alaskans appeared first on HIPAA Journal.

Wilmington, DE-based Simon Eye Management has suffered a breach of its email environment and hackers potentially gained access to the protected health information of 144,373 patients.

Simon Eye identified suspicious activity in certain employee email accounts on or around June 8, 2021. Action was immediately taken to secure the accounts and prevent further unauthorized access, and an investigation was launched to determine the nature and scope of the breach. Assisted by third -party security experts, Simon Eye determined that unauthorized individuals gained access to employee email accounts between May 12 and May 18, 2021.

The incident was an attempted business email compromise (BEC) attack, where employee email accounts are compromised and used in a scam to trick employees into making fraudulent wire transfers, in this case through the manipulation of invoices. Simon Eye said none of the attackers’ attempts were successful.

While gaining access to patient data did not appear to be the goal of the attackers, the email accounts they were able to access did contain patients’ protected health information and it is possible PHI was viewed or obtained in the attack. Simon Eye found no evidence indicating any patient information was viewed or stolen, and there have been no reported cases of actual or attempted misuse of patient data as a result of the cyberattack.

A comprehensive review was conducted to identify patients whose PHI was contained in emails and email attachments. The review confirmed the following types of patient data were present in the accounts: name, medical history, treatment/diagnosis information, health information, health insurance information, and insurance application and/or claims information. A subset of individuals also had their Social Security number, date of birth, and/or financial account information exposed.

Simon Eye has implemented additional data security protocols to enhance email security and is in the process of verifying the contact information of all affected patients. Notification letters will be mailed to those individuals in due course.

The post Hacked Simon Eye Management Email Accounts Contained PHI of More than 144,000 Patients appeared first on HIPAA Journal.

Resource Anesthesiology Associates (RAA) of California has started notifying certain patients of Dignity Health’s Mercy Hospital Downtown and Mercy Hospital Southwest that some of their protected health information was stored on a laptop computer that has been stolen.

RAA of California provides anesthesiology services at the Dignity Health hospitals, which requires access to patient data. On July 8, the laptop was stolen from an RAA of California administrator. The theft was reported to law enforcement, but the device has not been recovered.

RAA of California conducted an investigation to determine which patient information was stored on the device and could potentially be accessed. The review confirmed the following types of information were stored on the device: Names, addresses, dates of birth, provider names, dates of service, diagnoses and treatment information, health insurance information, and other information related to patients’ medical care.

The laptop computer was protected with a password, which provides a degree of protection against unauthorized access. However, passwords can be cracked, so there is a risk that information on the laptop could be viewed by unauthorized individuals. RAA of California said to date there has been no evidence found which indicates any of the information stored on the laptop computer has been accessed or misused.

RAA of California believes the risk of misuse of patient data is low but, out of an abundance of caution, is offering affected individuals a complimentary membership to identity theft protection services through IDX. Patients will receive 12 months of CyberScan monitoring and will be protected by a $1 million identity theft insurance policy, which includes fully managed identity theft recovery services.

The post Stolen Laptop Contained the PHI of Dignity Health Patients appeared first on HIPAA Journal.

The Department of State Hospitals – Coalinga (DSH-C) in California has notified 1,738 patients that some of their protected health information has been impermissibly disclosed by a DSH-C employee.

The United States District Court, Eastern District of California had made a request to be provided with DSH-C patient rosters in order to determine whether patients were eligible for a waiver of filing fees when filing a lawsuit. Those rosters were provided to a District Court Clerk by a DSH-C employee.

The patient rosters contained information about patients that had not filed a lawsuit, and the rosters contained more information than was required by the District Court Clerk to determine eligibility for a waiver. The disclosure was therefore in violation of the HIPAA Rules.

The rosters contained the following data elements: name, case number, birth date, legal commitment, admission date, unit number, and gender. DSH-C said it has no reason to believe the information was used for any reason other than for an eligibility determination for a public benefit provided by the Court.

Upon discovery of the breach, the District Court Clerk was contacted and instructed to destroy all DSH-C patient rosters that were provided to the District Court. Staff members are being provided with further training on data protection and policies and procedures are being reviewed and revised to ensure greater clarity on allowable uses and disclosures of patient information.

The post 1,738 Patients of Coalinga State Hospitals Notified About Improper Disclosure of PHI appeared first on HIPAA Journal.

Austin Cancer Centers is alerting 36,503 patients about a security incident discovered on August 4, 2021 in which some of their protected health information was exposed.

Unauthorized individuals were discovered to have gained access to computer systems and installed malware. To prevent further unauthorized access, computer systems were immediately shut down and law enforcement was notified. Since then, Austin Cancer Centers has worked with cybersecurity experts to learn about the exact nature and scope of the incident. Austin Cancer Centers said the malware has now been removed, systems have been restored and secured, and its facilities are open.

The forensic investigation into the security breach confirmed hackers first gained access to its computer systems on July 21, and access remained possible until the breach was discovered on August 4. A comprehensive review was conducted to identify all files on the network that could possibly have been accessed in the attack. Those files were found to contain patient information such as names, addresses, dates of birth, insurance carrier names, and medical notes. The Social Security numbers of certain patients were also exposed, as were the credit card numbers of a limited number of patients.

Austin Cancer Centers does not believe the attackers had access to its entire network, but the decision was taken to send notifications to 36,500 patients out of an abundance of caution. Since the attackers no longer had access to its network from August 4, new patients who received medical services after that date were definitely not affected.

Austin Cancer Centers said the attackers took steps to avoid detection and hide their activities, which is why it took around two weeks to discover the security breach. Throughout the investigation the priority was to ensure systems were secured and patient data were protected, so notifications were delayed until it was certain that appropriate safety measures were in place.

The exact nature of the malware attack, including whether ransomware was involved, has not been released as the investigation into the security breach is ongoing. Austin Cancer Centers said further information about the incident will be shared with affected individuals via its website when it is deemed appropriate for the information to be released.

Since the breach occurred, Austin Cancer Centers has implemented additional technical safeguards to further enhance security, and rigorous privacy and security training has been provided for the entire staff.

Affected patients have been provided with a complimentary 1-yuear membership to the Equifax Credit Watch Gold credit monitoring service, which includes automatic fraud alerts and cover through a $1,000,000 identity theft insurance policy.

“We are deeply saddened and frustrated by this incident.  Caring for our patients during medically stressful times in their life, is our core business,” said Austin Cancer Center CEO, Laurie East. “We apologize to our family of patients for any concern this may create, and we will do everything we can to remedy the situation and help them through necessary steps to ensure their safety.”

The post 36,500 Patients of Austin Cancer Centers Notified About PHI Exposure appeared first on HIPAA Journal.

Queen Creek, AZ-based Desert Wells Family Medicine has started notifying 35,000 patients that their protected health information has been compromised in a recent ransomware attack. The attack occurred on May 21, 2021 and resulted in the encryption of data, including its electronic health record (EHR) system.

All data had been backed up prior to the attack, but in addition to encrypting files, the attacker corrupted backup files which means all data contained in its EHR system prior to May 21 cannot be recovered. The types of data in the system, which may also have been obtained by the hackers in the incident, included patient names, addresses, dates of birth, billing account numbers, Social Security numbers, medical record numbers, and treatment information.

Desert Wells said it has not found any evidence that suggests there has been any attempted or actual misuse of patient data, and the third-party computer forensics investigators found no evidence that patient data had been exfiltrated prior to file encryption, although it was not possible to rule out data theft with a high degree of certainty. Consequently, the decision was taken to offer affected patients complimentary identity theft protection and credit monitoring services.

“Upon discovering the extent of the damage, we engaged additional forensics and recovery services as part of our exhaustive efforts to do everything we could to try and recover the data. Unfortunately, these efforts to date have been unsuccessful and patient electronic records before May 21, 2021, are unrecoverable,” said Daniel Hoag, MD, a family medicine physician at Desert Wells.

Desert Wells is constructing a new EHR system and is attempting to populate patient records with data obtained from other sources, which includes hospitals, pharmacies, laboratories, and medical imaging centers; however, it is likely that some patient data have been permanently lost.

“We recognize this is an upsetting situation and, from my family to yours, sincerely apologize for any concern this may cause,” said Hoag. “I’m sure many of you have been reading about other healthcare providers in the community, and around the country, that have been impacted by cybersecurity events. For our part, we are continuing to take steps to enhance the security of our systems and the data entrusted to us, including by implementing enhanced endpoint detection and 24/7 threat monitoring, and providing additional training and education to our staff.”

The post Desert Wells Family Medicine Ransomware Attack Causes Permanent Loss of EHR Data appeared first on HIPAA Journal.

The protected health information (PHI) of 116,898 patients of Waterville, MA-based HealthReach Community Health Centers has been exposed and potentially compromised.

HealthReach Community Health Centers, which operates 11 community health centers in Central and Western Maine, discovered a worker at a third-party data storage facility had improperly disposed of hard drives that contained the data of patients.

Under HIPAA, all electronic devices that contain PHI must be disposed of in a manner that ensures data on the devices cannot be read or reconstructed. This typically involves clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field), or destroying the media via disintegration, pulverization, melting, incineration, or shredding.

In a data breach notice sent to the Maine Attorney General, HealthReach said patient data had been exposed on April 7 and it was notified about the improper disposal incident on May 7.  Upon discovery of the incident, HealthReach launched an investigation to determine what information was stored on the drives and which individuals had been affected.

The types of information on the stored drives varied from patient to patient and included patient names in addition to some or all of the following types of information: addresses, dates of birth, Social Security numbers, medical record numbers, health insurance information, lab test results, treatment records, and financial account information.

Notification letters were mailed to affected individuals on September 9, 2021. Individuals who had their Social Security number or financial information exposed have been offered complimentary identity theft protection and credit monitoring services for one year. At the time of issuing notification letters, HealthReach had not received any reports of attempted or actual misuse of patient data.

HealthReach said it is working with its data storage vendors to ensure similar breaches do not occur in the future, including providing further training for the workforce.

The post HealthReach Community Health Centers Reports Improper Disposal Incident Affecting Almost 117,000 Patients appeared first on HIPAA Journal.