HIPAA Breach News

PHI Potentially Compromised in Hacking Incidents at Four Healthcare Providers

Four healthcare providers have recently announced their IT systems have been compromised and patient data may have been accessed.

Hacker Gains Access to Server of New York Psychotherapy and Counseling Center

New York Psychotherapy and Counseling Center (NYPCC), an NYC-based non-profit mental health services provider, has announced it was the victim of a cyberattack that was discovered on September 11, 2021.

Steps were immediately taken to secure its systems and prevent further unauthorized access and a third-party cybersecurity firm was engaged to conduct a forensic investigation to determine the nature and scope of the attack. NYPCC said its electronic medical record system was not compromised; however, the attacker is believed to have accessed some files on the server that contained patients’ protected health information.

A review of the files on the server revealed the following information may have been compromised: names, dates of service, addresses, Medicaid IDs, and dates of birth. NYPCC said it is committed to continually reviewing and updating its security protocols related to the protected health information of patients.

Affected individuals have been notified by mail and have been offered complimentary identity monitoring, credit monitoring, and other related services to protect them against any misuse of their information.

The incident has been reported to the HHS’ Office for Civil Rights, but it has not yet appeared on the OCR breach portal, so it is currently unclear how many individuals have been affected.

The Urology Center of Colorado Network Accessed by Unauthorized Individual

The Urology Center of Colorado (TUCC) has discovered parts of its computer network have been accessed by an unauthorized individual. The security breach was detected and blocked on September 8, 2021, with the breach investigation confirming the attack started the previous day.

The compromised parts of its network were reviewed to determine whether any patient data may have been accessed. TUCC said the review found the following types of protected health information had been exposed: name, date of birth, Social Security number, address, phone number, email address, medical record number, diagnosis, treating physician, insurance provider, treatment cost, and/or guarantor name.

TUCC said account passwords were changed to prevent further unauthorized access and additional security measures are being considered to prevent further data breaches. Out of an abundance of caution, TUCC is offering complimentary credit monitoring and identity protection services to affected individuals.

The incident has been reported to the HHS’ Office for Civil Rights, but it has not yet appeared on the OCR breach portal, so it is currently unclear how many individuals have been affected.

Mowery Clinic Alerts Patients About September 2021 Cyberattack

Mowery Clinic in Salina, KS, has started notifying certain patients about a cyberattack that was detected on September 14, 2021. Action was immediately taken to secure its systems and prevent further unauthorized access and a third-party cybersecurity firm was engaged to conduct a forensic investigation.

The forensic investigation confirmed the attacker had not accessed the electronic health record system, but malware had been deployed that allowed the attacker to access and acquire documents that contained employee and patient information.

At this stage of the investigation, no evidence has been found of any actual or attempted misuse of patient data. The types of information potentially obtained include names, addresses, dates of birth, medical information such as office/diagnostic notes, and a limited number of Social Security numbers. In some cases, information about an employee’s spouse, dependents, beneficiaries, or minor children may have been compromised.

The clinic is still investigating the incident to determine exactly how access to its network was gained. Appropriate measures will be implemented to prevent similar breaches in the future.

Prairie Lakes Healthcare System Says Hacker Gained Access to Some of Its IT Systems

Watertown, S.D.-based Prairie Lakes Healthcare System has discovered an unauthorized individual has gained access to a small number of its IT systems.

The healthcare system learned of the attack on October 6, 2021, when it experienced disruption to parts of its network. Rapid action was taken to isolate the affected systems and prevent further unauthorized access, and a third-party cybersecurity firm was engaged to investigate the incident and assist with remediation efforts.

Prairie Lakes Healthcare said all the affected systems have now been restored; however, the investigation into the security breach is ongoing. At this stage of the investigation, no evidence of unauthorized access or exfiltration of patient data has been found. If patient data is believed to have been compromised, notification letters will be sent to affected individuals.

The post PHI Potentially Compromised in Hacking Incidents at Four Healthcare Providers appeared first on HIPAA Journal.

PHI of 320,000 Patients Potentially Compromised in EHR Vendor Hacking Incident

QRS Inc, a Tennessee-based healthcare technology services company and provider of the Paradigm practice management and electronic health records (EHR) solution, has announced a data breach involving the protected health information (PHI) of almost 320,000 individuals. The cyberattack was detected on August 26, 2021, three days after a server was breached.

QRS explained in its breach notification letters that a hacker gained access to the electronic patient portal and potentially accessed and exfiltrated the PHI of patients of some of its healthcare provider clients.

When the breach was detected, the compromised server was immediately taken offline to prevent further unauthorized access and an investigation was launched to determine the nature and scope of the attack.

Assisted by a third-party computer forensics firm, QRS determined the breach was limited to a single server. No other QRS systems nor those of its clients were affected. The compromised server contained files that included PHI such as names, addresses, dates of birth, Social Security numbers, patient identification numbers, portal usernames, and medical treatment and diagnosis information.

QRS said unauthorized access and data exfiltration could not be ruled out, but it is not aware of any cases of actual or attempted misuse of patient data.

On October 22, 2021, QRS started sending notification letters to all affected individuals on behalf of its affected healthcare provider clients. Individuals who had their Social Security number exposed have been offered complimentary access to identity theft protection services as a precaution. QRS said it is taking steps to assess and address the risk of a similar incident occurring in the future.

Law enforcement has been notified and the breach has been reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). The OCR breach portal indicates the PHI of up to 319,778 individuals was stored on the compromised server.


Nationwide Laboratory Services Ransomware Attack Affects 33,000 Patients

Boca Raton, FL-based Nationwide Laboratory Services, which was acquired by Quest Diagnostics in the summer, was the victim of a ransomware attack earlier this year.

Nationwide Laboratory Services detected a breach of its systems on May 19, 2021, when ransomware was used to encrypt files across its network and prevent files from being accessed. Steps were immediately taken to contain the attack and a third-party cybersecurity firm was engaged to assist with the investigation and remediation efforts.

The forensic investigation confirmed on August 31, 2021, that the attackers gained access to parts of its network where patients’ protected health information was stored, and potentially accessed information such as names, dates of birth, lab test results, medical record numbers, Medicare numbers, and health insurance information. A subset of the individuals affected had their Social Security numbers exposed. The types of information exposed in the attack varied from patient to patient.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates the protected health information of up to 33,437 individuals was potentially compromised.

Nationwide Laboratory Services said it is possible that the attackers exfiltrated a limited number of files from its network prior to deploying ransomware to encrypt files; however, no evidence has been uncovered to indicate patient data has been or will be used for any unintended purposes. As a precaution, affected individuals are being encouraged to review their accounts and explanation of benefits statements for signs of fraudulent activity.

Nationwide Laboratory Services has offered 12 months of complimentary credit monitoring services to individuals whose Social Security numbers were stored on the affected systems.

The FBI recently issued a private industry notification about ransomware actors targeting companies that are involved in significant financial events such as mergers and acquisitions and are using exfiltrated data as leverage in their efforts to extort money from victims. There have been several cases where the attackers have threatened to release sensitive and potentially harmful information to negatively affect stock prices to encourage payment of the ransom.


Cyberattacks Reported by Las Vegas Cancer Center and Seneca Family of Agencies

Seneca Family of Agencies, a California provider of mental health, education, juvenile justice, placement, and permanency services, identified unauthorized activity within its computer systems on August 27, 2021. Action was immediately taken to secure its systems and prevent further unauthorized access, with the subsequent investigation confirming its systems were compromised on August 25.

While no evidence of actual or attempted misuse of information has been identified, it is possible protected health information was compromised. The types of information stored on the affected systems differed from patient to patient and may have included the following data elements: name, date of birth, Social Security number, address, phone number, email address, medical record number, treatment/diagnosis information, health insurance information, Medicare/Medicaid number, provider name, prescription information, driver’s license/state identification number, and/or digital signature.

Seneca Family of Agencies said, as a precaution, affected individuals are being offered credit monitoring and identity protection services at no cost. Additional security measures have now been implemented to better protect information stored on its systems.

According to the breach report submitted to the HHS’ Office for Civil Rights, the protected health information of 2,470 individuals may have been compromised.

PHI of 3,000 Individuals Potentially Compromised in Las Vegas Cancer Center Ransomware Attack

Las Vegas Cancer Center has announced it was the victim of a ransomware attack over the Labor Day weekend. The cyberattack was discovered on September 7, 2021, when the center re-opened.

The attackers succeeded in encrypting data on its network and, prior to using ransomware, may have exfiltrated the protected health information of current and former patients including names, addresses, dates of birth, Social Security numbers, medical record numbers, and health insurance information.

Las Vegas Cancer Center said it had implemented multiple cybersecurity measures to prevent unauthorized access prior to the attack. While patient data may have been exfiltrated, it was stored in a proprietary format so is not believed to have been accessed by the attackers. The cancer center also said it found no evidence of data theft and no ransom demand.


PHI of 45,262 Desert Pain Institute Patients Potentially Compromised in Cyberattack

Baywood Medical Associates, doing business as Desert Pain Institute (DPI) in Mesa, AZ, has discovered unauthorized individuals gained access to parts of its computer network that contained the protected health information of patients.

The security breach was detected and stopped by DPI on September 13, 2021, and a third-party cybersecurity company was engaged to assist with the investigation and determine the nature and scope of the cyberattack. On October 15, 2021, the forensic investigators confirmed evidence was found indicating the attackers had accessed parts of its network where patients’ protected health information was stored.

A review of the files on systems accessible to the hackers revealed the following information may have been viewed or exfiltrated: full names, addresses, dates of birth, Social Security numbers, tax identification numbers, driver’s license/state-issued identification card numbers, military identification numbers, financial account numbers, medical information, and health insurance policy number. The types of data potentially compromised varied from patient to patient.

From September 13 when the breach was detected until the date of issuing notifications, no evidence has been found to indicate any actual or attempted misuse of patient data; however, affected individuals have been advised to be vigilant against identity theft and fraud and to sign up for the complimentary credit monitoring services that are being provided.

DPI said security measures for its systems and servers have been enhanced, which includes new end-point monitoring tools to identify unauthorized activity.

The incident has not yet appeared on the Department of Health and Human Services’ Office for Civil Rights breach portal, but the breach notification provided to the Maine attorney general indicates the protected health information of 45,262 individuals was potentially compromised.


Cyberattacks Reported by Family of Woodstock and Viverant

Family of Woodstock (FOW), a New York provider of crisis intervention, information, prevention, and support services, has suffered a cyberattack in which the protected health information of 8,214 individuals was potentially compromised.

The cyberattack was detected on August 3, 2021, and rapid steps were taken to eject the attackers from its network and restore its systems and operations. Third-party forensic investigators were engaged to determine the nature and scope of the breach, with the initial phase of the investigation concluding on September 11, 2021.

FOW said the investigation confirmed the attackers had access to parts of its network that contained protected health information such as first and last names, addresses, telephone numbers, email addresses, dates of birth, Social Security numbers, driver’s license numbers, medical record numbers, medical history, diagnosis, treatment, condition, and health insurance information. At the time of issuing notifications, no evidence had been found indicating any attempted or actual misuse of information.

FOW has implemented additional cybersecurity safeguards, is enhancing its policies, procedures, and protocols, and is providing additional cybersecurity training to the workforce.

Physical Therapy Center Notifies 6,500 Patients of PHI Exposure

Viverant PT, LLC, a Minneapolis, MN-based physical therapy center, is notifying 6,500 current and former patients about a March 2021 cyberattack that exposed their protected health information.

The breach was detected on March 9, 2021, when suspicious emails were sent from an employee’s email account. The email account was immediately secured and steps were taken to address and contain the breach. A comprehensive review was conducted of its email environment, which confirmed only one email account had been breached but that it contained a wide range of sensitive data.

No evidence was found to indicate any attempted or actual misuse of patient data, but the possibility of data theft could not be ruled out. Viverant said the types of data in the account varied from individual to individual and may have included the following data elements: name, address, date of birth, Social Security number, driver’s license number, medical record number, date of service, diagnostic/treatment information, credit/debit card number with password or security code, health insurance information, financial account number with or without password or routing number, medications, username with security questions and answers, vehicle identification number (VIN), and digital signature.

Viverant said a leading security firm was engaged to assist with the investigation and response to the attack, and additional measures have been implemented to improve the security of its systems and practices. They include changing passwords, implementing more robust authentication, conducting further training of the workforce, and retaining national privacy and security experts to assist with ongoing security. Viverant said complimentary credit monitoring services have been offered to affected individuals.


More than 650K Patients of Community Medical Centers Notified About Hacking Incident

The protected health information of more than 650,000 patients of Community Medical Centers (CMC) in California has potentially been obtained by hackers.

CMC is a not-for-profit network of community health centers that serve patients in the San Joaquin, Solano, and Yolo counties in Northern California. CMC identified suspicious activity in its computer systems on October 10, 2021, and shut down its systems to prevent further unauthorized access. An investigation was launched to determine the nature and scope of the breach, with assistance provided by third-party cybersecurity experts.

The forensic investigation confirmed that unauthorized individuals had gained access to parts of its network where protected health information was stored, including first and last names, mailing addresses, dates of birth, Social Security numbers, demographic information, and medical information.

Due to the sensitive nature of the exposed data, CMC is offering complimentary identity theft protection, identity theft resolution, and credit monitoring services to affected individuals. CMC said it has confirmed its systems are now secure, policies and procedures have been reviewed and updated to improve security, and data management policies have been reviewed and updated.

Law enforcement has been notified about the breach, as have appropriate state attorneys general and the Department of Health and Human Services.

The breach report submitted to the Maine attorney general indicates the protected health information of 656,047 individuals was potentially compromised.

Professional Healthcare Management Discloses Ransomware Attack

Memphis, TN-based Professional Healthcare Management (PMH) has started notifying certain patients that some of their protected health information has potentially been compromised in a September 2021 ransomware attack.

The attack was detected on September 14 and action was quickly taken to secure its servers and workstations. Assisted by third-party cybersecurity and incident response experts, PMH was able to quickly secure and restore its systems and operations. An investigation was conducted to determine the nature and scope of the breach, which determined the personal and protected health information of patients may have been accessed and obtained by the attackers.

The breach investigation is ongoing but, at this stage, no evidence of data theft or misuse of patient data has been identified; however, notification letters are now being sent to affected individuals and the incident has been reported to the HHS’ Office for Civil Rights.

PMH said the following types of patient information were potentially compromised: first and last names, Social Security numbers, health insurance information (Medicaid number, Medicare number, and insurance identification number), prescription name(s), and diagnosis code(s).

Additional safeguards are being implemented to improve IT security; cybersecurity policies, protocols, and procedures are being updated; and additional cybersecurity training has been provided to the workforce.


Security Breaches Reported by Lavaca Medical Center and Throckmorton County Memorial Hospital

Lavaca Medical Center, a critical access hospital in Hallettsville, TX, has started notifying 48,705 patients about a security breach in which their protected health information was exposed.

Lavaca Medical Center said unusual activity was detected in its computer network on August 22, 2021, indicating a potential cyberattack. Steps were immediately taken to secure its network and a third-party computer forensics firm was engaged to assist with the investigation. The forensic investigators confirmed unauthorized individuals had access to the network between August 17 and August 21.

While no evidence of data theft was uncovered, the possibility that patient data were viewed or exfiltrated could not be ruled out. Affected systems contained names, dates of birth, Social Security numbers, patient account numbers, and medical record numbers. The electronic medical record system was not accessed.

Lavaca Medical Center said it has no reason to believe any patient data were removed from its systems or misused; however, as required by the HIPAA Breach Notification Rule, notification letters have been sent to affected individuals. Out of an abundance of caution, affected individuals have been offered complimentary credit monitoring and identity theft protection services.

Network monitoring tools have now been enhanced and its systems will be regularly audited for unauthorized activity.

Throckmorton County Memorial Hospital Discovers Malware Infection

Throckmorton County Memorial Hospital in Texas has discovered unauthorized individuals gained access to parts of its computer network that contained the personal information of 3,136 employees and patients.

An intrusion was detected on September 7, 2021, which involved unauthorized access to systems and the installation of malware. A forensic investigation determined its network was breached on August 25, 2021, and access remained possible until September 7.

A review of the affected systems confirmed they contained patient information such as first and last name, address, date of birth, gender, date(s) of service, diagnoses, current procedural terminology code, medical condition, medication, and details of hospital visits. Employee data potentially compromised included name, wage history, Social Security number, payroll information, and filing information.

Throckmorton County Memorial Hospital said affected individuals have been offered a complimentary membership to a credit monitoring service and will be protected by an identity theft and fraud insurance policy. Notifications about the security breach were delayed to allow time for the malware to be removed and security to be improved, as providing notifications earlier would have left its network vulnerable to other threat actors.

