HIPAA Breach News

PHI of Employees Potentially Compromised in Tech Etch Ransomware Attack

Tech Etch, a Plymouth, MA-based manufacturer of precision-engineered thin metal components, flexible printed circuits, and EMI/RFI shielding, has announced it was the victim of a ransomware attack in which the personal and protected health information of current and former employees was potentially compromised.

Companies such as Tech Etch would not normally be required to comply with HIPAA; however, the company provides a health plan for its employees and, as such, is classed as a HIPAA-covered entity.

Tech Etch discovered the ransomware attack on August 25, 2021, with the investigation determining the attackers gained access to its network on August 20. Tech Etch engaged an external forensic cybersecurity team to assist with the breach investigation, help secure its network, and prevent any further unauthorized access. Tech Etch had viable backups that were unaffected and was able to restore all encrypted data without paying the ransom.

Multiple safeguards had been implemented to secure employees’ personal and protected health information, but despite those protections, some employee data may have been stolen. Tech Etch said no direct evidence of data staging or data exfiltration was identified and the investigation indicated the attackers had not accessed the HR servers where employee data were stored. The attackers did try to access data backups containing employee data, but the backups were encrypted by Tech Etch and could not be viewed. Some employee information, such as names, addresses, Social Security numbers, dates of birth, and personal health information, was present in its email environment and could have been accessed or exfiltrated.

Tech Etch has not found any evidence that any employee data has been acquired or misused and it does not appear that any employee data have been posted publicly.

Affected employees have been advised to monitor their credit reports, accounts, and explanation of benefits statements for signs of fraudulent activity and to immediately report any suspicious transactions if they are discovered.  Tech Etch has already taken steps to enhance its security systems to prevent further security incidents and will continue to review those protocols to ensure they remain effective.

The ransomware attack has been reported to the Department of Health and Human Services’ Office for Civil Rights and the Massachusetts Attorney General. This post will be updated when it is known how many individuals have been affected.

UNC Hospitals Discovers Insider Breach and Data Theft

The protected health information of 719 patients of UNC Hospitals has been stolen by a former employee, who used the information for financial gain.

The Chapel Hill, NC-based healthcare provider discovered the unauthorized access on September 10, 2021. The employee in question was responsible for handling patients’ payments for services at several UNC Hospitals clinics and was provided with access to sensitive patient data to complete work duties.

The employee stole patients’ demographic information, financial information, Social Security numbers, copies of insurance cards, and patients’ driver’s licenses and used that information to fraudulently obtain goods and services.

Patients whose protected health information was accessed or misused by the former employee have been notified by mail and have been offered complimentary credit monitoring services for 12 months. The UNC Hospitals Police Department has launched a criminal investigation into the incident.

The post PHI of Employees Potentially Compromised in Tech Etch Ransomware Attack appeared first on HIPAA Journal.

PHI of 24,891 Specialty Surgery Center of Central New York Patients Potentially Compromised

Syracuse ASC, dba Specialty Surgery Center of Central New York, has started notifying 24,891 patients that some of their protected health information (PHI) was potentially accessed by unauthorized individuals who gained access to its computer systems.

The breach was identified by Syracuse ASC around March 31, 2021, and steps were immediately taken to secure its systems and prevent further unauthorized access. A third-party cybersecurity firm was engaged to assist with the forensic investigation, which concluded on April 30, 2021, and determined the hackers accessed parts of its systems that contained PHI.

A second investigation was conducted to determine which individuals’ PHI had been exposed. A list of individuals potentially affected by the incident was obtained on August 16, 2021, with the delay in issuing notifications due to a “substantial data validation process to verify the accuracy of the data.”

The file review confirmed names may have been compromised along with limited health information, but no evidence was found to indicate any actual or attempted misuse of data on the compromised systems.

Several steps have already been taken to improve IT security to prevent further data breaches, including updating its antivirus software and switching provider, locking down external websites, adding warning banners to emails from external sources, reconfiguring routers and closing unused ports and services, segregating the guest Wi-Fi network, updating switches and firewalls, upgrading operating systems on workstations, and providing further security awareness training to the workforce.

Computer Containing PHI Stolen from Advocate Lutheran General Hospital

A laptop computer containing the protected health information of patients of Advocate Lutheran General Hospital in Park Ridge, IL has been stolen.

The computer was stolen from the hospital between 3:30 p.m. on September 22 and 06:30 a.m. on September 24, 2021. Upon discovery of the theft, technologies and processes were implemented to protect patient data and the laptop computer was remotely disabled; however, it is possible that in the short window of opportunity, data stored on the device could have been viewed. The hospital said it has found no evidence to indicate patient data was compromised.


UPMC Hacker Who Stole PII of 65,000 Employees Gets Maximum 7-Year Sentence

The hacker who gained access to the databases of University of Pittsburgh Medical Center (UPMC) and stole the personally identifiable information (PII) and W-2 information of approximately 65,000 UPMC employees has been handed the maximum sentence for the offenses and will serve 7 years in jail.

Sean Johnson, of Detroit, Michigan – aka TheDearthStar and Dearthy Star – hacked into the databases of UPMC in 2013 and 2014 and stole highly sensitive information which was then sold on dark web hacking forums and was used by identity thieves to file fraudulent tax returns in the names of UPMC employees. The Department of Justice (DOJ) also alleged Johnson conducted further cyberattacks between 2014 and 2017 and stole the PII of an additional 90,000 individuals. Those sets of data were also sold to identity thieves on dark web forums.

In total, fraudulent tax returns totaling $2.2 million were filed and around $1.7 million was disbursed by the IRS. The funds received were converted to Amazon gift cards, which were used to purchase high-value goods that were shipped to Venezuela.

Three of Johnson’s co-conspirators were arrested and charged for their roles in the UPMC cyberattack. In August 2016, Cuban national Yolandy Perex Llanes was extradited to the United States and pleaded guilty in April 2017 to money laundering and aggravated identity theft. He was sentenced in 2017 to 6 months of time served.

In April 2017, Justin A. Tollefson of Spanaway, Washington, a staff sergeant at Joint Base Lewis-McChord in Tacoma, Washington, pleaded guilty to four counts of using the stolen identities of UPMC employees to file fraudulent tax returns. He had purchased the PII on a dark web forum and used the data to file fraudulent tax returns in the names of four UPMC employees. $56,333 was paid by the IRS in income tax refunds, but Tollefson was arrested before he received any funds. The judge was lenient as Tollefson had not profited from the fraud and sentenced him in 2017 to 3 years of probation.

Maritza Maxima Soler Nodarse, a Venezuelan national, pleaded guilty to conspiracy to defraud the United States in July 2017 for her role in the identity theft and tax fraud crimes. She received a 16-month time-served sentence and was deported to Venezuela.

Johnson received the maximum sentence despite pleading guilty to the hacking charges due to the severity of the offenses and the impact they had on the lives of his victims. Chief United States District Judge Mark R. Hornak said Johnson’s behavior was like a “bulldozer” through people’s lives and his indiscriminate hacking activities showed no regard for his victims. “The actions of criminals like Justin Johnson can have long-lasting and devastating effects on the lives of innocent people,” said Yury Kruty, Acting Special Agent in Charge of IRS-Criminal Investigation.

Johnson was sentenced to serve 60 months in jail for the conspiracy to defraud the United States charge and a mandatory 24-month sentence for aggravated identity theft, with the sentences to run consecutively.

“Justin Johnson stole the names, Social Security numbers, addresses, and salary information of tens of thousands of UPMC employees, then sold that personal information on the dark web so that other criminals could further exploit his victims,” said Acting U.S. Attorney Kaufman. “Today’s sentence sends a deterrent message that hacking has serious consequences.”


September 2021 Healthcare Data Breach Report

There was a 23.7% month-over-month increase in reported healthcare data breaches in September, which saw 47 data breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights. While that is more than 1.5 breaches a day, it is under the average of 55.5 breaches per month over the past 12 months.

[Figure: Healthcare data breaches, August 2020 to September 2021]

While data breaches increased, there was a major decrease in the number of breached healthcare records, dropping 75.5% from August to 1,253,258 records across the 47 reported data breaches, which is the third-lowest total over the past 12 months.

[Figure: Healthcare records breached over the past 12 months]

Largest Healthcare Data Breaches Reported in September 2021

16 healthcare data breaches were reported in September 2021 that involved the exposure, theft, or impermissible disclosure of more than 10,000 healthcare records.

The largest breach of the month was reported by the State of Alaska Department of Health & Social Services. The breach was initially thought to have resulted in the theft of the personal and protected health information (PHI) of all state residents, although the breach was reported to the HHS as affecting 500,000 individuals. The cyberattack is believed to have been conducted by a nation-state hacking group.

Two major data breaches were reported by eye care providers: A hacking incident at U.S. Vision Optical resulted in the exposure of the PHI of 180,000 individuals, and a phishing incident at Simon Eye Management gave the attackers access to email accounts containing the PHI of 144,373 individuals. The breaches are not believed to be related, but they are two of a handful of recent incidents affecting eye care providers.

Ransomware continues to be extensively used in attacks on the healthcare industry. 6 of the top 16 attacks in September involved ransomware and potentially saw PHI stolen. Several ransomware gangs have targeted the healthcare sector, with the FIN12 group one of the most active. A recent analysis of FIN12 attacks by Mandiant revealed 20% of the gang’s attacks have been on the healthcare industry, with the attacks accounting for around 20% of all incidents Mandiant responds to.

Hackers have been targeting the healthcare industry, but data breaches can also be caused by insiders with privileged access to PHI. One notable ‘insider’ breach was reported by Premier Management Company and involved data being accessed by a former employee after termination. The incident highlights the importance of ensuring access to PHI (and IT systems) is blocked immediately when an employee is terminated, leaves the company, or when job functions change that no longer require an employee to have access to PHI.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
|---|---|---|---|---|
| State of Alaska Department of Health & Social Services | AK | Health Plan | 500,000 | Nation-state hacking incident |
| U.S. Vision Optical | NJ | Healthcare Provider | 180,000 | Unspecified hacking incident |
| Simon Eye Management | DE | Healthcare Provider | 144,373 | Email account breach (phishing) |
| Navistar, Inc. Health Plan and the Navistar, Inc. Retiree Health Benefit and Life Insurance Plan | IL | Health Plan | 49,000 | Ransomware attack |
| Talbert House | OH | Healthcare Provider | 45,000 | Unspecified hacking incident (data exfiltration) |
| Premier Management Company | TX | Healthcare Provider | 37,636 | PHI accessed by an employee after termination |
| Central Texas Medical Specialists, PLLC dba Austin Cancer Centers | TX | Healthcare Provider | 36,503 | Malware |
| Orlick & Kasper, M.D.’s, P.A. | FL | Healthcare Provider | 30,000 | Theft of electronic devices containing PHI |
| McAllen Surgical Specialty Center, Ltd. | TX | Healthcare Provider | 29,227 | Ransomware attack |
| Asarco Health, Dental, Vision, Flexible Spending, Non-Union Employee Benefits, and Retiree Medical Plans | AZ | Health Plan | 28,000 | Ransomware attack |
| Horizon House, Inc. | PA | Healthcare Provider | 27,823 | Ransomware attack |
| Rehabilitation Support Services, Inc. | NY | Healthcare Provider | 23,907 | Unspecified hacking incident (data exfiltration) |
| Samaritan Center of Puget Sound | WA | Healthcare Provider | 20,866 | Theft of electronic devices containing PHI |
| Directions for Living | FL | Healthcare Provider | 19,494 | Ransomware attack |
| Buddhist Tzu Chi Medical Foundation | CA | Healthcare Provider | 18,968 | Ransomware attack |
| Eastern Los Angeles Regional Center | CA | Business Associate | 12,921 | Email account breach (phishing) |

Causes of September 2021 Healthcare Data Breaches

Hacking and other IT incidents continue to dominate the breach reports, accounting for 53.2% of all breaches reported in the month and 91.6% of all breached records. 1,147,383 healthcare records were exposed or stolen in those incidents, with an average breach size of 33,747 records and a median breach size of 2,453 records.

The number of incidents involving the theft of physical records or electronic equipment containing PHI increased month-over-month. September saw 6 theft incidents reported and 60,236 records compromised. The mean breach size was 10,039 records and the median breach size was 3,918 records. 4 of those breaches involved electronic equipment and could have been prevented had encryption been used.

There were 7 data breaches reported that involved unauthorized access or disclosures of data by insiders. 45,639 records were breached across those incidents, 37,636 of which were obtained in a single incident. The average breach size was 6,520 records and the median breach size was 1,738 records.

[Figure: Causes of September 2021 healthcare data breaches]

Given the high number of hacking and ransomware incidents reported, it is no surprise that the most common location of breached PHI is network servers. Email accounts continue to be targeted in phishing attacks, with 13 incidents in September involving PHI stored in email accounts. The number of devices containing PHI that were stolen highlights the importance of using encryption to protect stored data.

[Figure: Location of PHI in September 2021 healthcare data breaches]

September 2021 Data Breaches by HIPAA-Regulated Entity

Healthcare providers were the worst affected covered entity with 30 reported breaches. 10 breaches were reported by health plans, 6 breaches were reported by business associates, and one breach was reported by a healthcare clearinghouse.

5 of those breaches were reported by a HIPAA-covered entity but occurred at a business associate. The adjusted figures are shown in the pie chart below.

[Figure: September 2021 healthcare data breaches by HIPAA-regulated entity type]

September 2021 Healthcare Data Breaches by State

Data breaches were reported by HIPAA-regulated entities based in 25 states. Texas was the worst affected state with 6 reported breaches of 500 or more records, followed by California with 5 breaches and Connecticut with 4.

| State | Breaches |
|---|---|
| Texas | 6 |
| California | 5 |
| Connecticut | 4 |
| Florida & Washington | 3 |
| Arizona, Georgia, Illinois, New York, Ohio, & Pennsylvania | 2 |
| Alaska, Delaware, Indiana, Kentucky, Maryland, Minnesota, Missouri, New Jersey, New Mexico, Oregon, Rhode Island, Tennessee, Virginia, & Wisconsin | 1 |

HIPAA Enforcement Activity in September 2021

The Department of Health and Human Services’ Office for Civil Rights now has a new director, and it is currently unclear what direction she will take in the department’s HIPAA enforcement actions.

Since the fall of 2019 OCR has been targeting HIPAA-regulated entities that fail to comply with the HIPAA Right of Access and September saw the 20th financial penalty imposed under this initiative for the failure to provide individuals with access to their healthcare records.

Children’s Hospital & Medical Center in Omaha, NE, settled its HIPAA Right of Access case with OCR and paid an $80,000 financial penalty. This was the ninth OCR case this year to have resulted in a financial penalty for non-compliance with the HIPAA Rules.

There were no reported enforcement activities by state attorneys general in September.


Data Breaches Reported by PracticeMax and UMass Memorial Health

Anthem health plan members with End Stage Kidney Disease who are enrolled in the VillageHealth program have been notified that some of their protected health information has potentially been compromised in a ransomware attack.

VillageHealth helps Anthem plan members through care coordination between the dialysis center, nephrologists, and providers and shares the results with Anthem via its vendor, PracticeMax.

PracticeMax, a provider of business management and information technology solutions to healthcare organizations, identified the attack on May 1, 2021. The investigation revealed the attackers gained access to its systems on April 17, 2021, with access possible until May 5, 2021. PracticeMax said it regained access to its IT systems the following day.

A forensic investigation of the attack confirmed one server was affected that contained protected health information (PHI) which may have been accessed and acquired by the attackers.

The investigation into the attack concluded on August 19, 2021, and confirmed the following types of data had been exposed: First and last name, date of birth, address, phone number, Anthem member ID number, and clinical data relating to kidney care services received. Financial information and Social Security numbers were not compromised.

PracticeMax says it has conducted a review of its policies and procedures and has implemented additional safeguards to block future attacks, including rebuilding systems, using additional endpoint security solutions, and enhancing its firewalls. Affected individuals have been offered complimentary credit monitoring services for 24 months.

UMass Memorial Health Alerts Patients About Phishing Attack

UMass Memorial Health has discovered unauthorized individuals gained access to the email accounts of some of its employees as a result of responses to phishing emails. The phishing attack was discovered on August 25, 2021 when suspicious activity was identified in its email environment.

Unauthorized access to the accounts was immediately blocked and a forensic investigation was launched, with assistance provided by a third-party computer forensics firm. The investigation confirmed the email accounts were breached between June 24, 2020 and January 7, 2021, and during that time, the attackers had access to protected health information stored in the accounts.

While no evidence was found that indicated emails were viewed or obtained by the attackers, the possibility could not be ruled out. A review of the PHI in the accounts was completed on August 25, 2021. The exposed information includes names, Social Security numbers, driver’s license numbers, and financial account information. UMass Memorial Health said complimentary credit monitoring and identity theft protection services have been offered to affected individuals. UMass Memorial said it is enhancing email security and will be re-educating the workforce on email best practices.

The breach has been reported to the Maine Attorney General as affecting a total of 3,099 individuals across the United States.


University Hospital Newark Notifies More Than 19,000 Individuals About Historic Insider Theft

University Hospital Newark (NY) has discovered the protected health information of thousands of patients has been acquired by a former employee, who accessed the information without authorization over the course of a year. That information was subsequently disclosed to other individuals who were also not authorized to view the information.

Insider breaches such as this are fairly common, although what makes this case stand out is when the access occurred. In its substitute breach notice, University Hospital Newark said the unauthorized access occurred between January 1, 2016, and December 31, 2017.

The former employee had been provided with access to patient data to complete work duties but had exceeded the authorized use of that access and had viewed patient data not pertinent to job functions. The types of information viewed and obtained by the individual included names, addresses, dates of birth, Social Security numbers, health insurance information, medical record numbers, and clinical information related to care patients received at University Hospital. University Hospital said the matter has been reported to law enforcement and a criminal investigation into the unauthorized access and disclosure is ongoing.

University Hospital said it started mailing notification letters to affected individuals on October 11, 2021, and has offered those individuals complimentary identity theft and credit monitoring services for 12 months. University Hospital said steps have been taken to reduce the risk of further data breaches of this nature, including a review of internal policies and procedures and further training for the workforce on patient privacy. The breach was reported to the Department of Health and Human Services’ Office for Civil Rights on October 8, 2021 as affecting 9,329 patients.

Employees often access and disclose PHI to identity thieves, although the nature of the data obtained suggests that may not be the case in this instance. University Hospital has not disclosed the reason for the access or how the breach was discovered, only that the former employee accessed the PHI of patients who visited the emergency department and received treatment for injuries sustained in a motor vehicle accident between 2016 and 2017.

On November 5, 2021, University Hospital reported another insider breach to the HHS’ Office for Civil Rights that affected 10,067 individuals. The breach involved the same data types as the previously reported breach and was also linked to individuals involved in road traffic accidents. The unauthorized access occurred between January 1, 2018, and December 31, 2019 and involved the PHI of individuals involved in motor vehicle accidents between 2018 and 2019. University Hospital did not say if this was the same individual but confirmed a criminal investigation is ongoing and the individual concerned is no longer employed at University Hospital. Notification letters were sent to affected individuals starting November 5, 2021.

In August this year, Long Island Jewish Forest Hills Hospital in New York notified more than 10,000 patients whose PHI was impermissibly accessed and disclosed between August 23, 2016, and October 31, 2017. The breach similarly impacted patients who had visited the emergency department after a motor vehicle accident. That breach came to light when a subpoena was received as part of a “No Fault” motor vehicle accident insurance scheme.

In January 2020, Beaumont Health announced an impermissible access and disclosure incident also involving the PHI of patients who were involved in a motor vehicle accident between February 1, 2017, and October 22, 2019. The former employee was believed to have disclosed the PHI to an affiliated personal injury lawyer.


Phishing Attack on Business Associate Affects Tens of Thousands of Professional Dental Alliance Patients

Professional Dental Alliance, a network of dental practices affiliated with the North American Dental Group, has notified tens of thousands of patients that some of their protected health information was stored in email accounts that were accessed by an unauthorized individual between March 31 and April 1, 2021.

Professional Dental Alliance says the breach occurred at its vendor North American Dental Management. Steps were immediately taken to secure the affected accounts and prevent further unauthorized access. An investigation was launched which revealed several email accounts were accessed by an unauthorized individual after employees responded to phishing emails.

The investigation into the breach uncovered no evidence of attempted or actual misuse of patient data, with the investigators concluding the breach was likely limited to credential harvesting. A comprehensive review of the affected email accounts confirmed they contained protected health information such as names, addresses, email addresses, phone numbers, insurance information, Social Security numbers, dental information, and/or financial information. Professional Dental Alliance says the electronic dental record system and dental images were not accessed.

While it appears that protected health information was not stolen, affected individuals have been advised to exercise caution and review their credit reports and account statements and be vigilant for signs of misuse of their data.  Professional Dental Alliance says affected individuals are being offered complimentary membership to credit monitoring and identity theft protection services for two years.

The breach has been reported to the HHS’ Office for Civil Rights by each covered entity affected. At least 125,760 patients are known to have had their protected health information exposed.

| Covered Entity | Individuals Affected |
|---|---|
| Professional Dental Alliance of Connecticut | 6,237 |
| Professional Dental Alliance of Florida | 18,626 |
| Professional Dental Alliance of Georgia | 23,974 |
| Professional Dental Alliance of Illinois | 16,673 |
| Professional Dental Alliance of Indiana | 7,359 |
| Professional Dental Alliance of Massachusetts | 607 |
| Professional Dental Alliance of Michigan | 26,054 |
| Professional Dental Alliance of New York | 10,778 |
| Professional Dental Alliance of Tennessee | 11,217 |
| Professional Dental Alliance of Texas | 4,235 |



350,000 Patients of ReproSource Fertility Diagnostics Affected by Ransomware Attack

Marlborough, MA-based ReproSource Fertility Diagnostics has suffered a ransomware attack in which hackers gained access to systems containing the protected health information of approximately 350,000 patients.

ReproSource is a leading laboratory for reproductive health that is owned by Quest Diagnostics. ReproSource discovered the ransomware attack on August 10, 2021 and promptly severed network connections to contain the incident. An investigation into the security breach confirmed the attack occurred on August 8.

While it is possible that patient data was exfiltrated by the attackers prior to the deployment of ransomware, at this stage no evidence of data theft has been identified.

A review of the files on the affected systems was completed on September 24 and revealed they contained the following types of protected health information:

Names, phone numbers, addresses, email addresses, dates of birth, billing and health information (CPT codes, diagnosis codes, test requisitions and results, test reports and/or medical history information), health insurance or group plan identification names and numbers, and other information provided by individuals or by treating physicians. A small subset of individuals may have had driver’s license number, passport number, Social Security number, financial account number, and/or credit card number exposed.

Notification letters are now being sent to affected individuals by Quest Diagnostics.  Complimentary credit monitoring and protection services are being provided to affected individuals, who will also be protected by a $1,000,000 identity theft insurance policy.

ReproSource said additional safeguards have been implemented to protect against ransomware and other cyber threats, including additional monitoring and detection tools.
