HIPAA Breach News

PHI of 9,800 Patients of Atlanta Allergy & Asthma Exposed in Cyberattack

Atlanta Allergy & Asthma has started notifying 9,851 patients about a January 2021 cyberattack in which their protected health information was exposed and potentially compromised. Atlanta Allergy & Asthma said its investigation into the breach determined hackers had access to its network between January 5 and January 13, 2021. Upon discovery of the breach, steps were immediately taken to remove the unauthorized individuals from its network and mitigate any potential harm.

Atlanta Allergy & Asthma engaged third-party cybersecurity professionals to determine the nature and scope of the breach, with the investigation confirming the attackers had access to parts of the network where documentation was stored that included protected health information.

A comprehensive review was conducted of those documents. Atlanta Allergy & Asthma said it was confirmed on July 8, 2021 that the following types of information had potentially been compromised: Names, dates of birth, Social Security numbers, financial account numbers and/or routing numbers, diagnoses, treatment information and costs, procedure types, provider names, treatment location, dates of service, patient account numbers and/or health insurance information.

Atlanta Allergy & Asthma said it is not aware of any attempted or actual misuse of patient data as a result of the breach. Starting on August 20, 2021, letters were sent to affected individuals to alert them to the exposure of their patient data to allow them to take steps to protect against identity theft and fraud, including availing of the credit monitoring and identity protection services that are being offered free of charge to affected patients.

Atlanta Allergy & Asthma said it continuously evaluates its cybersecurity practices and internal controls and will be taking steps to enhance the security and privacy of patient data.

Atlanta Allergy & Asthma did not disclose the exact nature of the cyberattack in its breach notification letter; however, DataBreaches.net obtained evidence that this was a ransomware attack by the Nefilim ransomware threat group, and that sensitive data were stolen in the attack. Some of the stolen files contained patient information and 2GB of stolen data were dumped on the Nefilim data leak site in March 2021.

The post PHI of 9,800 Patients of Atlanta Allergy & Asthma Exposed in Cyberattack appeared first on HIPAA Journal.

Metro Infectious Disease Consultants Reports 172,000-Record Data Breach

Metro Infectious Disease Consultants is notifying 171,740 patients about an email security incident discovered on June 24, 2021. An unauthorized individual was found to have gained access to certain employees’ email accounts which contained the protected health information of patients.

Upon discovery of the security breach, steps were immediately taken to secure the accounts to prevent further access, and Metro Infectious Disease Consultants engaged a computer forensics firm to determine the extent and scope of the breach. The investigation confirmed the breach was confined to its email environment and that the compromised email accounts contained patient data such as names, addresses, dates of birth, account numbers, insurance information, prescription information, limited clinical information, Social Security numbers, and driver’s license numbers. The types of data in the accounts varied from individual to individual.

Metro Infectious Disease Consultants has sent notification letters to all individuals affected by the breach and complimentary credit monitoring and identity theft protection services have been offered to all individuals whose Social Security number or driver’s license number was exposed in the incident.

Metro Infectious Disease Consultants said it has no reason to believe that anyone’s personal information has been misused, or that the unauthorized party that accessed the account viewed or acquired patient data; however, as a precaution, affected individuals have been advised to regularly monitor their credit reports, account statements and explanation of benefit statements for suspicious activity.

The computer forensics firm analyzed the cybersecurity defenses of Metro Infectious Disease Consultants and made recommendations to enhance security, which are being implemented to prevent further data breaches.

South Florida Community Care Plan Notifies Patients About Insider Email Breach

South Florida Community Care Plan has discovered a former employee sent internal documents containing the protected health information of plan members to a personal email account. The breach was discovered on June 21, 2021 during a review of the former employee’s email account.

An investigation was launched into the unauthorized activity which determined on June 21, 2021 that the documents contained the following types of plan member information: Names, addresses, dates of birth, member identification numbers, primary care physician names, diagnoses, procedure billing codes, approved services, and/or procedure types.

The sending of plan members’ information to personal email accounts is a violation of South Florida Community Care Plan policies; however, no evidence was found to indicate the information was sent outside the scope of the former employee’s employment.

South Florida Community Care Plan said data security is one of its top priorities and steps were taken to prevent unauthorized data access and exfiltration. The employee’s email and login credentials were revoked at the time employment came to an end, a full audit was conducted into the activities of the employee within the IT system, and all company-issued equipment was recovered. A further audit was then conducted into the employee’s actions while employed at the plan to ensure there were no other instances of unauthorized activity.

All individuals affected by the incident have now been notified and, as a precaution against identity theft and fraud, have been provided with complimentary credit monitoring services. Affected individuals have been advised to monitor their accounts and credit reports over the next 12-24 months for any signs of suspicious activity.

The data breach has been reported to the Department of Health and Human Services’ Office for Civil Rights. The report is not yet showing on the breach portal, so it is currently unclear how many individuals have been affected.

Revere Health Phishing Attack Impacts 12,000 Patients

The U.S. Agency for International Development (USAID) was impersonated in a phishing campaign that has resulted in the exposure of the protected health information of approximately 12,000 patients of the Utah healthcare provider Revere Health. The phishing attack was rapidly detected by the Revere Health IT team, which quickly secured the mailbox to block unauthorized access. According to a breach notice published by Revere Health, the mailbox was only compromised for around 45 minutes on June 21, 2021.

An investigation was launched into the breach to determine whether any information in the email account was viewed or downloaded. While it was not possible to tell whether emails in the account were accessed or exfiltrated, Revere Health said it has monitored the Internet and has found no instances of patient data being shared online.

A review of emails and email attachments confirmed they contained the protected health information of patients of the Heart of Dixie Cardiology Department in St. George, which included medical record numbers, dates of birth, provider names, procedures, and insurance provider names, but no financial information or highly sensitive data.

Revere Health believes the aim of the attacker was not to gain access to patient data, but to use the email account for a more sophisticated phishing attack on Revere Health employees. Given the short window of opportunity and the limited nature of the data contained in the account, the risk to patients is perceived to be low. Patients have been advised to be vigilant against any attempted misuse of their data.

The US Agency for International Development has recently been impersonated in a phishing campaign conducted by the Russian threat group Nobelium, which was behind the SolarWinds supply chain attack. The campaign has been ongoing since early 2021. The hackers gained control of the Constant Contact email marketing account used by USAID, and the account was used to send convincing phishing emails to more than 350 organizations. In that campaign the goal was to deliver malware by impersonating genuine USAID email communications. In late May, the U.S. Department of Justice seized two domains being used in the spear phishing campaign.

California DOJ Must Be Notified About Breaches of the Health Data of 500 or More California Residents

The Breach Notification Rule of the Health Insurance Portability and Accountability Act (HIPAA) requires covered entities and business associates to send notifications to the HHS’ Office for Civil Rights (OCR) about data breaches, but healthcare organizations are also required to comply with state data breach notification laws.

Many states have introduced their own data privacy laws, which typically require notifications to be sent to appropriate state Attorneys General if a data breach exceeds a certain threshold. States have the authority to bring civil actions against healthcare organizations that fail to issue breach notifications under both HIPAA and state laws. In California, the threshold for reporting breaches is in line with HIPAA. If a data breach is experienced that impacts 500 or more California residents, the California Department of Justice (DOJ) must be notified.

Recently, there have been several instances where the California DOJ has not been notified about ransomware attacks on California healthcare facilities, even though the personal and protected health information of California residents has likely been compromised in the attack.

California Attorney General Rob Bonta has recently issued a bulletin reminding all entities that house the confidential health-related information of California residents of their data breach reporting responsibilities under California law (Civil Code section 1798.82). Whenever there has been a breach of the health data of 500 or more California residents, a breach report must be submitted to the Office of the Attorney General. The California DOJ then publishes the breach notice on its website to ensure the public is made aware of the breach to allow victims to take appropriate action to protect themselves against identity theft and fraud. Individual notifications must also be issued to affected individuals.

“Timely breach notification helps affected consumers mitigate the potential losses that could result from the fraudulent use of their personal information obtained from a breach of health data,” said Attorney General Bonta. “Therefore, it is important for providers of healthcare to be proactive and vigilant about reducing their risk for ransomware attacks and to meet their health data breach notification obligations to protect the public.”

In the bulletin, Attorney General Bonta also urged healthcare organizations to take proactive steps to protect patient data against ransomware attacks.

“State and federal health data privacy frameworks, like the Confidentiality of Medical Information Act (CMIA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA), obligate healthcare entities and organizations that deal in health data to establish appropriate procedures to ensure the confidentiality of health-related information, including security measures that can help prevent the introduction of malware, including ransomware, to protect consumers’ healthcare-related information from unauthorized use and disclosure,” explained AG Bonta.

Healthcare organizations are encouraged to take the following proactive steps:

  • Keep operating systems and software housing health data current
  • Apply security patches promptly
  • Install and maintain antivirus software
  • Provide regular data security training to employees, including education about phishing attacks
  • Restrict users from downloading, installing, and running unapproved software
  • Maintain and regularly test the data backup and recovery plan for all critical information

July 2021 Healthcare Data Breach Report

High numbers of healthcare data breaches continued to be reported by HIPAA-covered entities and their business associates. In July, there were 70 reported data breaches of 500 or more records, making it the fifth consecutive month where data breaches have been reported at a rate of 2 or more per day.

[Chart: Healthcare data breaches, past 12 months (August 2020 to July 2021)]

The number of breaches was slightly lower than June, but the number of records exposed or compromised in those breaches jumped sharply, increasing by 331.5% month-over-month to 5,570,662 records.

[Chart: Healthcare records breached, August 2020 to July 2021]

Over the past 12 months, from the start of August 2020 to the end of July 2021, there have been 706 reported healthcare data breaches of 500 or more records and the healthcare data of 44,369,781 individuals has been exposed or compromised. That’s an average of 58.8 data breaches and around 3.70 million records per month!

Largest Healthcare Data Breaches in July 2021

Two healthcare data breaches stand out due to the sheer number of healthcare records that were exposed – and potentially stolen. The largest healthcare data breach to be reported in July was a hacking/IT incident reported by the Wisconsin healthcare provider Forefront Dermatology. The exact nature of the attack was not disclosed so it is unclear if ransomware was used. Hackers gained access to parts of its network that contained the protected health information of 2.4 million individuals. The second largest data breach was reported by Practicefirst, a New York business associate of multiple HIPAA-covered entities. Ransomware was used in the attack and the healthcare data of 1.2 million individuals was potentially exfiltrated.

| Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach | Breach Cause | Business Associate Present |
|---|---|---|---|---|---|
| Forefront Dermatology, S.C. | Healthcare Provider | 2,413,553 | Hacking/IT Incident | Unspecified hacking incident | Yes |
| Professional Business Systems, Inc., d/b/a Practicefirst Medical Management Solutions/PBS Medcode Corp | Business Associate | 1,210,688 | Hacking/IT Incident | Ransomware attack | Yes |
| UF Health Central Florida | Healthcare Provider | 700,981 | Hacking/IT Incident | Ransomware attack | No |
| Orlando Family Physicians, LLC | Healthcare Provider | 447,426 | Hacking/IT Incident | Phishing attack | No |
| HealthReach Community Health Centers | Healthcare Provider | 122,340 | Improper Disposal | Improper disposal of electronic medical records | No |
| Guidehouse | Business Associate | 84,220 | Hacking/IT Incident | Ransomware attack (Accellion FTA) | Yes |
| Advocate Aurora Health | Healthcare Provider | 68,707 | Hacking/IT Incident | Ransomware attack (Elekta) | Yes |
| McLaren Health Care Corporation | Healthcare Provider | 64,600 | Hacking/IT Incident | Ransomware attack (Elekta) | Yes |
| Coastal Family Health Center, Inc | Healthcare Provider | 62,342 | Hacking/IT Incident | Ransomware attack | No |
| Florida Heart Associates | Healthcare Provider | 45,148 | Hacking/IT Incident | Ransomware attack | No |
| A2Z Diagnostics, LLC | Healthcare Provider | 35,587 | Hacking/IT Incident | Phishing attack | No |
| University of Maryland, Baltimore | Business Associate | 30,468 | Hacking/IT Incident | Unspecified hacking incident | Yes |
| Florida Blue | Health Plan | 30,063 | Hacking/IT Incident | Brute force attack (Member portal) | No |
| Intermountain Healthcare | Healthcare Provider | 28,628 | Hacking/IT Incident | Ransomware attack (Elekta) | Yes |

Causes of July 2021 Healthcare Data Breaches

As the table above shows, ransomware continues to be extensively used in cyberattacks on healthcare organizations and their business associates. Those attacks can easily result in the theft of large amounts of healthcare data. The majority of ransomware gangs (and their RaaS affiliates) are now exfiltrating sensitive data prior to using ransomware to encrypt files. Victims are required to pay to prevent the publication or sale of the stolen data as well as a payment to obtain the keys to decrypt files.

To help combat this rise in double extortion ransomware attacks, new guidance has been released by the Cybersecurity and Infrastructure Security Agency. The National Institute of Standards and Technology (NIST) has also updated its cybersecurity guidance on building resilient computer networks, with the emphasis now shifting away from perimeter defenses to assuming attackers have already gained access to the network. Mechanisms therefore need to be implemented to reduce the harm that can be caused.

[Chart: Causes of July 2021 healthcare data breaches]

Hacking/IT incidents, many of which involved ransomware, dominated the month’s breach reports. There were 52 reported hacking/IT incidents in which the protected health information of 5,393,331 individuals was potentially compromised. That’s 96.82% of all records breached in July. The mean breach size was 103,718 records and the median breach size was 4,185 records.

There were 13 reported unauthorized access/disclosure incidents, which include misdirected emails, mailing errors, and snooping by healthcare employees. 52,676 healthcare records were impermissibly viewed or disclosed to unauthorized individuals across those incidents. The mean breach size was 4,052 records and the median breach size was 1,038 records. There were two theft incidents reported involving a total of 2,275 records and one improper disposal incident involving 122,340 electronic health records.

The vast majority of incidents involved the hacking of network servers; however, email accounts continue to be compromised at high rates. 21 breaches involved protected health information stored in email accounts. The majority of the email incidents involved the theft of employee credentials in phishing attacks.

[Chart: Location of breached protected health information (July 2021)]

Data Breaches by Covered Entity Type

Healthcare providers reported 47 data breaches in July, with 11 breaches reported by business associates and 10 breaches reported by health plans; however, the reporting entity is not the best gauge of where these breaches occurred. In many cases, the breach was experienced at a business associate, but was reported by the covered entity.

When this is taken into account, the figures show that healthcare provider and business associate data breaches are on a par, with 30 breaches each for July 2021, as shown in the pie chart below.

[Chart: July 2021 healthcare data breaches by covered entity type]

July 2021 Healthcare Data Breaches by State

July saw healthcare data breaches reported by HIPAA-covered entities and business associates based in 32 states and the District of Columbia.

| State | Number of Reported Healthcare Data Breaches |
|---|---|
| Florida | 6 |
| California, New York & Texas | 5 |
| Illinois & North Carolina | 4 |
| Connecticut, Minnesota, Nebraska & New Jersey | 3 |
| Mississippi, Oklahoma, Washington & Wisconsin | 2 |
| Alabama, Georgia, Iowa, Indiana, Kansas, Kentucky, Maine, Maryland, Massachusetts, Michigan, Missouri, Montana, Ohio, Pennsylvania, South Carolina, Utah, Virginia, West Virginia & the District of Columbia | 1 |

HIPAA Enforcement Activity in July 2021

The HHS’ Office for Civil Rights (OCR), the primary enforcer of HIPAA compliance, did not announce any new enforcement actions against HIPAA-covered entities or business associates in July, nor were there any enforcement actions announced by state Attorneys General.

The OCR year-to-date total still stands at 8 financial penalties totaling $5,570,100, with just one financial penalty imposed by state attorneys general: a multi-state action that saw American Medical Collection Agency (AMCA) fined $21 million.

Data for this report came from the HHS’ Office for Civil Rights breach portal.

HVAC Vendor Allegedly Hacked: Access Gained to Hospital Systems

In early August, a hacker made contact with Dissent of DataBreaches.net and claimed to have hacked into the systems of an HVAC vendor. Through that vendor the hacker claimed to have gained access to the networks of its clients, one of which was Boston Children’s Hospital.

The company in question is Canton, MA-based ENE Systems. DataBreaches.net reported in a recent blog post that the hacker had attempted to extort money from the HVAC vendor but the ransom was not paid. The hacker still claimed to have access to the network of ENE Systems and those of its clients and told Dissent that he/she was not interested in causing harm to the hospital. DataBreaches.net was asked to reach out to the hospital and make it clear that its network had been breached through the HVAC vendor, in case the vendor had not communicated the breach to the hospital. DataBreaches.net was provided with screenshots as proof of the hack.

While it was not confirmed whether the networks of other hospitals had been breached, ENE Systems lists Brigham & Women’s Hospital and Mass General Hospital as its clients on its website.

Mass General Hospital issued a statement about the incident saying, “The hospital was made aware of potential cyber security issues involving one of its vendors. Once notified, immediate action was taken to follow appropriate guidance to mitigate the risk. Hospital systems and operations remain unaffected by this incident.” Boston Children’s Hospital also confirmed that its vendor had experienced a breach and stated there is no risk to hospital operations nor its business environment, and no patient data were affected in the security incident. Brigham & Women’s Hospital said it had not been notified about any issues with its HVAC vendor.

Supply chain attacks can see the systems of many organizations compromised, as the recent attacks on SolarWinds and Kaseya demonstrated. Attacks can occur at any point in the supply chain, and HVAC vendors have been targeted in the past as they are a potential security weak point.

One notable attack involving an HVAC vendor was the 2013 cyberattack on Target. Hackers gained access to the network of its HVAC vendor, Fazio Mechanical Services. The company was contracted to monitor Target’s refrigerated units and was provided with access to Target’s network to perform the contracted duties.

The hackers exploited that access, compromised Target’s network, then moved laterally and accessed its POS system and stole the credit card data of 41 million individuals and the contact information of 60 million customers. Target’s 2016 financial report put the total breach cost at $292 million.

Contact Tracing Survey Data of 750,000 Hoosiers Exposed Online

The personal information of 750,000 Hoosiers collected as part of a COVID-19 contact tracing survey conducted by the Indiana Department of Health has been exposed online and downloaded by a company not authorized to access the data. The survey included information such as names, addresses, dates of birth, emails, and information on gender, ethnicity and race.

The Indiana Department of Health was notified about the unauthorized access on July 2, 2021 and immediately took steps to secure the data to prevent further unauthorized access. According to Tracy Barnes, the Chief Information Officer of the state of Indiana, the company that accessed and downloaded the data was a firm “that intentionally looks for software vulnerabilities, then reaches out to seek business.”

Last week, the Indiana Department of Health obtained a signed “certificate of destruction” from the company confirming the downloaded data had been permanently destroyed and that no further copies of the data had been retained. The company also confirmed the downloaded data had not been disclosed to any other company or individual. The Indiana Department of Health said the data were returned on August 4, 2021.

State Health Commissioner Kris Box believes the risk to state residents is minimal, especially considering the compromised data did not include highly sensitive information such as health data, health insurance information, Social Security numbers, or financial information.

An investigation was launched into the incident, and it was determined that the reason the data had been exposed was due to a software configuration issue, which left the data exposed to the Internet. Currently it is unclear if any individuals other than those at the cybersecurity company downloaded the records while they were exposed over the Internet.

“We take the security and integrity of our data very seriously,” said Barnes. “We have corrected the software configuration and will aggressively follow up to ensure no records were transferred.” Indiana’s Office of Technology will conduct scans regularly to ensure that the downloaded data is not transferred to third parties.

Notification letters are being sent to affected individuals to make them aware of the privacy breach, and the state said it will be offering a 12-month membership to a credit monitoring service provided by Experian to individuals affected by the breach.

The Indiana Department of Health did not name the company concerned, but HIPAA Journal has learned the company is UpGuard, a firm that regularly scans the Internet for misconfigured cloud services to identify sensitive exposed data. The company is proactive in searching for security vulnerabilities and exposed data and has identified many cases where sensitive data have been left unprotected. In all cases, the company alerts the entities concerned to ensure data are secured to prevent sensitive information falling into the hands of cybercriminals.

“Our team sent a note to the state of Indiana to notify them that they had an API that was configured for public access. Upon looking at the data, we determined that the information was sensitive and that it should not be public,” said UpGuard spokeswoman, Kelly Rethmeyer.

1.4 Million Individuals Affected by St. Joseph’s/Candler Ransomware Attack

Around 4 a.m. on Thursday June 17, 2021, St. Joseph’s/Candler (SJ/C) hospital system in Savannah, GA suffered a ransomware attack. Upon detection of suspicious network activity, SJ/C immediately took steps to isolate and secure its systems. The attack prevented access to computer systems and emergency protocols were implemented, with staff reverting to pen and paper to record patient data.

SJ/C notified law enforcement about the security breach and launched an investigation. Assisted by third party cybersecurity firms, SJ/C determined the hackers first gained access to its systems on December 18, 2020 and continued to have access to those systems until June 17, 2021, when the ransomware was deployed.

“Patient care operations continue at our facilities using established back-up processes and other downtime procedures,” explained SJ/C in a statement shortly after the attack was detected. “Our physicians, nurses and staff are trained to provide care in these types of situations and are committed to doing everything they can to mitigate disruption and provide uninterrupted care to our patients.”

As the investigation into the breach continued it became clear that the parts of the network accessible to the hackers contained files that included patients’ protected health information. A comprehensive review of those files was conducted and determined the files contained patient information such as names, addresses, dates of birth, Social Security numbers, driver’s license numbers, patient account numbers, billing account numbers, financial information, health insurance plan member IDs, medical record numbers, dates of service, provider names, and medical and clinical treatment information regarding care received from SJ/C.

SJ/C has now confirmed the protected health information of 1,400,000 patients was potentially compromised in the ransomware attack. Notification letters started to be sent to affected individuals on August 10, 2021 and complimentary credit monitoring and identity theft protection services are being offered. SJ/C said additional safeguards and technical security measures are being implemented to further protect and monitor its systems.
