HIPAA Breach News

NCH Corporation and Others Announce Data Breaches

Posted by HIPAA Journal

Irving, TX-based NCH Corporation, an international marketer of maintenance products, has reported a suspected ransomware attack. Suspicious network activity was detected within its systems on March 5, 2021, “that caused certain systems in its network to become unavailable.”

Steps were taken to block further unauthorized access and restore its systems. The investigation revealed the attackers had access to certain parts of its network between March 2 and March 5, 2021 and during that time there was unauthorized access to certain files stored on its file servers. It was not possible to tell which files had been accessed, so notifications have been sent to all individuals whose information was potentially compromised. The review of the files was completed on June 29, 2021. The files contained the names of certain current and former employees and their dependents, along with Social Security numbers and driver’s license numbers.

Notification letters were sent on July 29, 2021 and affected individuals have been offered complimentary credit monitoring and identity theft protection services.

The breach report submitted to the HHS’ Office for Civil Rights indicates up to 11,427 individuals were affected.

Renaissance Life & Health Insurance Co. Members Affected by Business Associate Ransomware Attack

A vendor used by Renaissance Life & Health Insurance Co. has suffered a ransomware attack in which the protected health information of some of its members was potentially compromised.

Renaissance Life & Health Insurance used Secure Administrative Solutions (SAS) for claims processing services. SAS detected unusual activity within its IT system on April 15, 2021 and immediately launched an investigation. On May 25, 2021, SAS learned that a limited amount of data may have been exfiltrated from its IT systems, including names, addresses, Social Security numbers, and agent license numbers.

The attackers had access to its IT systems between March 15 and April 15, 2021.While SAS did not specify the nature of the attack in its breach notifications, Renaissance Life & Health said ransomware was involved and SAS had received assurances that data exfiltrated in the attack had been destroyed by the attacker, suggesting the ransom may have been paid. SAS said in its notification letter that data were restored from clean backups.

SAS also said it “enforced a system-wide global password reset, implemented more strict password complexity requirements, and provided all users with new personal computers and training on updated network security protocols and procedures.”

Affected individuals have been offered credit monitoring and identity theft protection services for 12 months.

Insider Incident Affects Patients of TGH Urgent Care powered by Fast Track

Synergic Healthcare Solutions has notified 558 individuals about the potential theft of their protected health information by a former employee of Tampa General Urgent Care.

The breach occurred on September 9, 2020 when a former employee of Tampa General Urgent Care is alleged to have photographed patient information at TGH Urgent Care’s facility in Seminole, FL, which is partnered with Tampa General Hospital. The breach was discovered on November 6, 2020.

The former employee has been accused of taking photographs of patients’ driver’s licenses and credit card details. While the former employee is only believed to have taken photographs of the information of 3 patients, the decision was taken to notify all 558 patients whose charts had been accessed by the employee.

All individuals potentially affected have been offered complimentary credit monitoring services. TGH has since re-educated employees about privacy and security and the reporting of potential privacy violations.

Southwest Nebraska Public Health Department Discovers Exposure of COVID-19 Vaccination Information

Southwest Nebraska Public Health Department (SNPHD) has notified 13,500 individuals about the exposure of COVID-19 vaccine information over the Internet.

On May 18, 2021, SNPHD was made aware that data have been exposed on the SNPHD website. The information accessible on the website was limited to name, address, county, date of birth, date of vaccination, vaccination type, race and gender.

SNPHD contacted its web hosting company which confirmed that only one individual had accessed the data. SNPHD confirmed that the individual has worked closely with SNPHD and believes there is no cause for concern related to the file being accessed; however, individuals affected have been notified out of an abundance of caution.

The incident prompted SNPHD to provide its staff with additional training related to HIPAA, privacy, and confidentiality to ensure that an event like this does not occur again.

The post NCH Corporation and Others Announce Data Breaches appeared first on HIPAA Journal.

Gastroenterology Consultants Notifies Patients About January 2021 Ransomware Attack

Posted by HIPAA Journal

On January 10, 2021, Gastroenterology Consultants, PA suffered a ransomware attack that resulted in the encryption of sensitive data.  Yesterday, notifications were sent to patients potentially affected by the attack to inform them that their protected health information may have been accessed or compromised in the attack.

Gastroenterology Consultants, the largest partnership GI practice in Houston, TX, launched an investigation into the attack and took steps to remove the attackers from its network and restore affected data. A substitute breach notice was uploaded to the company website on March 19, 2021 advising patients about the attack. No evidence was found to indicate any patient data were accessed by the attacker or exfiltrated in the attack.

Attacks such as this typically warrant breach notification letters, as while evidence of data theft may not be found, it is usually not possible to rule out unauthorized access to PHI with a high degree of certainty. In this case, Rather than identify the individual patients affected by the attack, the decision was taken to notify all patients whose PHI was potentially compromised. The breach report submitted to the Maine Attorney General indicates 162,163 breach notifications have been sent.

“After undertaking an extensive data mining process to determine specifically whether any patient or employee had any sensitive Personal Information or Personal Health Information exposed, we, unfortunately, learned that the time and effort to manually review thousands of documents was not cost-effective,” explained Gastroenterology Consultants in its breach notification. “Therefore, although there is no evidence of any unauthorized use of patient or employee data, we have determined it best to issue mail notifications to all employees and patients detailing the specific type of information potentially exposed.”

The files potentially compromised had been prepared by employees to facilitate patient processing. The documents contained some personal health information, with fewer than 50 having their Social Security numbers compromised. Those individuals have been offered free credit monitoring services, as have employees whose sensitive data were potentially accessed.

The post Gastroenterology Consultants Notifies Patients About January 2021 Ransomware Attack appeared first on HIPAA Journal.

UF Health Says PHI Potentially Compromised in May 2021 Cyberattack

Posted by HIPAA Journal

On May 31, 2021, UF Health Central Florida experienced a cyberattack that affected Leesburg Hospital and The Villages Hospital. The security breach was announced by UF Health within a few hours of the attack being detected, although at the time it was unclear whether any patient data had been compromised in the incident.

An investigation into the breach was conducted which determined the attackers had access to its computer network between May 29 and May 31, 2021, and while unauthorized access to patient data was not confirmed, UF Health has now reported that some patient data may have been accessible. The exposed data included names, addresses, dates of birth, Social Security numbers, health insurance information, medical record numbers and patient account numbers, and limited treatment information.

UF Health said its electronic medical records were not involved or accessed, and the breach did not affect its Gainesville or Jacksonville campuses. UF Health said it has no reason to believe any exposed data has been misused or disclosed; however, as a precaution against identity theft and fraud, affected individuals are being offered complimentary credit monitoring and identity theft protection services. UF Health said it is taking steps to prevent further attacks, including enhancing the security of its electronic systems and improving protections for sensitive data.

UF Health has not publicly disclosed whether the cyberattack involved ransomware, although some local media outlets have reported ransomware was involved and the attackers demanded a $5 million ransom.

Eskenazi Health Reports Attempted Ransomware Attack

Indianapolis, IN-based Eskenazi Health is dealing with an attempted ransomware attack. The attack occurred in the early hours of August 4, 2021 but Eskenazi Health said its monitoring systems functioned as they should and proactively shut down its network to contain the attack.

Eskenazi Health switched to emergency procedures and the decision was taken to divert ambulances to other facilities to ensure patient safety. Eskenazi Health is currently working to bring its systems back online. At this stage its monitoring systems suggest patient and employee data were not compromised in the attack.

Sandford Health Victim of Cyberattack

Sioux Falls, SD-based Sandford Health says it was the victim of an August 3, 2021 cyberattack which it is working to resolve.  Sanford President and CEO Bill Gassen confirmed its IT Team took aggressive measures in response to the attempted cyberattack and everything is being done to minimize disruption and providing exceptional care to patients remains its number one priority.

No further details have been released about the exact nature of the incident, but at this stage it does not appear that the information of patients, residents, or employees has been compromised. Leading IT security experts have been engaged and are assisting with the breach response and investigation and further information will be released as and when it becomes available.

The post UF Health Says PHI Potentially Compromised in May 2021 Cyberattack appeared first on HIPAA Journal.

73% of Businesses Suffered a Data Breach Linked to a Phishing Attack in the Past 12 Months

Posted by HIPAA Journal

Ransomware attacks have increased significantly during the past year, but phishing attacks continue to cause problems for businesses, according to a recent survey conducted by Arlington Research on behalf of security firm Egress. Almost three quarters (73%) of surveyed businesses said they had experienced a phishing related data breach in the past 12 months.

The survey for the 2021 Insider Data Breach Report was conducted on 500 IT leaders and 3,000 employees in the United States and United Kingdom. The survey revealed 74% of organizations had experienced a data breach as a result of employees breaking the rules, something that has not been helped by the pandemic when many employees have been working remotely. More than half (53%) of IT leaders said remote work had increased risk, with 53% reporting an increase in phishing incidents in the past year.

The increased risk from remote working is of concern, especially as many organizations plan to continue to support remote working or adopt a hybrid working model in the future. 50% of IT leaders believe remote/hybrid working will make it harder to prevent data breaches from malicious email attacks. There appears to be a disconnect, as only 61% of employees believe they are less likely or equally likely to cause a data breach when working from home.

Phishing attacks are naturally bad for organizations but there is also a human cost. In 23% of organizations, employees who fell for a phishing email that resulted in a data breach were either fired or voluntarily left after the incident.

“Organizations are being bombarded by sophisticated phishing attacks. Hackers are crafting highly targeted campaigns that use clever social engineering tricks to gain access to organizations’ most sensitive data, as well as leapfrog into their supply chain. Phishing is also the most common entry point for ransomware, with potentially devastating consequences,” said Egress VP of Threat Intelligence Jack Chapman. “Remote working has also made employees even more vulnerable. With many organizations planning for a remote or hybrid future, phishing is a risk that must remain central to any security team’s plans for securing their workforce.”

The survey revealed an astonishing 94% of businesses had experienced an insider data breach in the past year. 84% of IT leaders said human error was the leading cause of insider breaches, although 28% said malicious insider breaches were their biggest fear.

89% of insider incidents had repercussions for the employees in question; however, an overwhelming majority (97%) of employees said they would report a breach they had caused, which is reassuring considering 55% of IT leaders said they rely on employees to alert them to security incidents.

The post 73% of Businesses Suffered a Data Breach Linked to a Phishing Attack in the Past 12 Months appeared first on HIPAA Journal.

Healthcare Industry has Highest Number of Reported Data Breaches in 2021

Posted by HIPAA Journal

Data breaches declined by 24% globally in the first 6 months of 2021, although breaches in the United States increased by 1.5% in that period according to the 2021 Mid-Year Data Breach QuickView Report from Risk-Based Security.

Risk Based Security identified 1,767 publicly reported breaches between January 1, 2021 and June 30, 2021. Across those breaches, 18.8 billion records were exposed, which represents a 32% decline from the first 6 months of 2020 when 27.8 billion records were exposed. 85% of the exposed records in the first half of 2021 occurred in just one breach at the Forex trading service FBS Markets.

The report confirms the healthcare industry continues to be targeted by cyber threat actors, with the industry having reported more data breaches than any other industry sector this year. Healthcare has been the most targeted industry or has been close to the top since at least 2017 and it does not appear that trend will be reversed any time soon. 238 healthcare data breaches were reported in the first 6 months of 2021, with finance & insurance the next most attacked sector with 194 reported incidents, followed by information with 180 data breaches.

The report shows there have been significant shifts in data breach trends in 2021. While data breaches have declined globally and have remained fairly constant in the United States, there has been a marked increase in ransomware attacks. Risk Based Security recorded 352 ransomware attacks in the first 6 months of 2021 and, if that pace continues, the number of attacks will be significantly higher than 2020.

Ransomware attacks are extremely costly in healthcare due to the long period of downtime, and without access to medical records patient safety is put at risk. This is of course known to ransomware gangs. The reliance on access to data and the high cost of downtime increases the probability of the ransom being paid.

In 2020, data breaches started to take longer to be reported and that trend has continued in 2021. This is in part due to the increase in ransomware attacks, which can take longer to investigate, but even taking that into account there were many cases when breach notifications took an unusually long time to be issued and that has started to attract attention from regulators.

“Ransomware attacks continue at an alarming pace, inflicting serious damage on the victim organizations that rely on their services,” said Inga Goddijn, Executive Vice President at Risk Based Security. “The slow pace of reporting brought on by lengthy incident investigations has not improved and attackers continue to find new opportunities to take advantage of changing circumstances.”

The majority of reported breaches (67.97%) were hacking incidents, with only 100 (5.66%) due to viruses, and just 45 email incidents (2.55%). There were 76 web breaches reported (4.30%); however, they resulted in the highest number of records being breached.

Data breaches that exposed access credentials such as email addresses and passwords have remained consistent with other years, with email addresses exposed in 40% of breaches and passwords in 33%. The majority of reported breaches in 2021 were the result of external threat actors (78.66%), with 13.75% caused by insiders. Out of the confirmed insider breaches, the majority were accidental (58.85%), with 18.52% caused by malicious insiders.

Risk Based Security also notes that breach severity is increasing. Large numbers of data breaches have been reported in 2021 that involved sensitive data, which is a particularly worrying trend.

The post Healthcare Industry has Highest Number of Reported Data Breaches in 2021 appeared first on HIPAA Journal.

Phishing Attacks Reported by Academic HealthPlans and Wayne County Hospital

Posted by HIPAA Journal

Academic HealthPlans, Inc. (AHP) has discovered an unauthorized individual has gained access to the email accounts of two employees following responses to phishing emails.

AHP was alerted to a potential breach when suspicious activity was detected in its Microsoft Office 365 email environment. The affected accounts were secured, and an investigation was launched to determine the extent of the breach. On June 4, 2021, AHP determined that the email accounts were compromised as a result of phishing attacks between August 6, 2020 and August 24, 2020, and on October 2, 2020. The breach was limited to those two accounts and did not involve any other systems.

A comprehensive and time-consuming programmatic and manual review was conducted to identify the individuals and information affected. That review confirmed that the email accounts contained information related to the student health plans AHP administers.

The exposed data include student names, dates of birth, Social Security numbers, health insurance member numbers, claims information, and diagnoses and treatment information. No evidence was found that suggested any emails or attachments in the accounts were actually viewed.

Affected health plans and self-insured universities were notified between June 21, 2021 and July 7, 2021, and AHP started sending notification letters to affected individuals on June 29, 2021. AHP has offered eligible individuals complimentary credit monitoring and identity theft protection services

Extensive training has been provided to employees to help them identify phishing emails and other threats and existing security measures have been enhanced.

The breach has been reported to the HHS’ Office for Civil Rights as affecting 2,330 individuals.

Wayne County Hospital in Iowa Notifies 2,016 Patients About Phishing Attack

Wayne County Hospital in Corydon, IA is alerting 2,016 patients about the potential theft of some of their protected health information. On March 22, 2021, the hospital became aware of a breach of its email environment. Email accounts were immediately secured to prevent further unauthorized access and a third-party cybersecurity company was engaged to investigate the breach and determine the extent of the attack.

The investigation revealed unauthorized individuals had gained access to email accounts as a result of employees responding to phishing emails. The compromised email accounts contained names, addresses, Social Security numbers, driver’s license numbers, financial account information, treatment or procedure information, medical provider or facility names, diagnoses, medications, medical record numbers, insurance information, and dates of service. There have been no reports of misuse of patient data to date.

Wayne County Hospital said appropriate steps will be taken to prevent similar breaches in the future.

The post Phishing Attacks Reported by Academic HealthPlans and Wayne County Hospital appeared first on HIPAA Journal.

Multiple Healthcare Providers Affected by Breach at Vendor Used by Billing and Collection Company

Posted by HIPAA Journal

This month, Ventura, CA-based Community Memorial Health System and Ithaca, NY-based Cayuga Medical Center, and Allentown, PA-based Lehigh Valley Health Network have announced that the protected health information of some of their patients has been potentially compromised in a cyberattack that affected one of its vendors.

The three healthcare providers used Guidehouse for medical billing and collection services. On January 20, 2021, hackers gained access to the Accellion File Transfer Appliance (FTA) used by Guidehouse for transferring files to clients. For patients of Community Memorial Health System the files included sensitive patient information such as names, dates of birth, member ID addresses, and certain medical information. For Cayuga Medical Center patients, names, dates of birth, insurance account numbers, and certain medical information were potentially compromised. For Lehigh Valley Health Network, the potentially compromised data include names, medical record numbers, account numbers, dates of service, diagnosis and procedure names, billing or payer information and provider names.

Guidehouse was notified about the cyberattack by Accellion in March 2021 and immediately stopped using the FTA service.  Leading cybersecurity experts were engaged to assist with the investigation and breach response, and affected customers were notified about the breach on May 21, 2021.

Guidehouse sent breach notification letters to affected individuals on July 16, 2021. The delay in issuing notifications was due to the time it took to identify the individuals affected and to confirm contact details.

While certain data were obtained by the hackers in the attack, Guidehouse said it is unaware of any cases of misuse of the stolen data. However, as a precaution against identity theft and fraud, affected individuals have been offered a complimentary membership to the Experian IdentityWorks credit monitoring service for 24 months.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is unclear how many patients of the three healthcare providers have been affected.

Several other healthcare organizations in the United States have been affected by the Accellion FTA cyberattack, including Kroger Pharmacy, Trillium Health Plan, Health Net, Trinity Health, Arizona Complete Health, Centene Corp, and Stanford Medicine.

The post Multiple Healthcare Providers Affected by Breach at Vendor Used by Billing and Collection Company appeared first on HIPAA Journal.

Email Account Breaches Reported by Prestera Center and Wisconsin Institute of Urology

Posted by HIPAA Journal

Prestera Mental Health Center in West Virginia has started notifying 2,152 individuals about a security breach involving employee email accounts. On or around April 1, 2021, Prestera Center learned that certain employee email accounts had been subjected to unauthorized access between August 2020 and September 2020.

While it was possible to confirm that there had been unauthorized access, it was not possible to tell whether any patient data had been viewed or acquired.

A review was conducted to determine the types of information that were present in the email accounts and which individuals had been affected. The types of data in the account varied from individual to individual and may have included names, addresses, dates of birth, state identification card numbers, Social Security numbers, financial account information, medical information, and health insurance information.

Upon discovery of the breach, prompt action was taken to secure the accounts to prevent any further unauthorized access. Policies and procedures have since been reviewed and updated, and additional safeguards have been implemented to improve email security.

Notification letters have been sent to affected individuals and a complimentary membership to the TransUnion Interactive MyTrueIdentity credit monitoring service has been offered.

This is the second email account breach to have been reported in the past few months. On December 31, 2020, Prestera Center reported an email account breach involving patient names, dates of birth, medical record and/or patient account numbers, diagnostic information, healthcare provider information, prescription and/or treatment information and, in some instances, addresses, social security numbers and Medicare/Medicaid ID numbers. It is unclear if these two incidents are related.

Wisconsin Institute of Urology Says PHI Potentially Compromised in Email Security Incident

Wisconsin Institute of Urology (WIU) has discovered the email account of an employee has been accessed by an unauthorized individual. WIU was alerted to the breach on or around May 26, 2021 when suspicious activity was detected in the email account. The account was immediately secured by changing the password and an investigation was launched to determine the nature and extent of the breach.

It was confirmed on June 9, 2021 that an unauthorized individual had used the employee’s credentials to access the account; however, no reports have been received about any cases of misuse of patient data.

A time intensive review was conducted to identify all individuals whose protected health information was contained in emails and email attachments. That review revealed the email account contained PHI such as names, dates of birth, medical treatment and/or medical diagnosis information, health insurance information and, for a limited number of individuals, Social Security numbers.

It is currently unclear how many individuals have been affected. This post will be updated as and when further information is made available.

The post Email Account Breaches Reported by Prestera Center and Wisconsin Institute of Urology appeared first on HIPAA Journal.

Star Refining & Express MRI Report Phishing Attacks

Posted by HIPAA Journal

The Peachtree Corners, GA-based medical imaging center, Express MRI, has started notifying patients that some of their protected health information has been exposed in a historic data breach. Express MRI discovered on July 10, 2020 that an unauthorized individual had gained access to one of its email accounts and used that account to send unauthorized emails. The incident was investigated at the time, but it was determined that no patient information had been accessed.

A secondary review of the security breach was conducted on June 10, 2021, and while no specific evidence was uncovered that indicated there had been unauthorized data access or data theft, Express MRI concluded that it was not actually possible to totally rule out unauthorized data access or exfiltration, therefore breach notification letters were warranted.

A review of the compromised account confirmed the following information may have been accessed or acquired: Names, addresses, email addresses, dates of birth, patient ages, referring physician names, body part scanned, and whether the scan was related to a workers’ compensation claim or motor vehicle accident investigation. No other patient data were present in the compromised email accounts.

Express MRI said it took, “significant and immediate steps” to respond to the incident, including assembling a team of highly qualified experts to reinforce the security of its information systems and implement additional safeguards to prevent further breaches.

Star Refining Phishing Attack Affects 1,910 Individuals

Adelda Health, Inc. dba Star Refining, has discovered the personal information of 1,910 individuals has potentially been viewed or obtained by unauthorized individuals who gained access to the email accounts of several of its employees following responses to phishing emails.

The breach was detected by the West Palm Beach, FL-based dental refining company on April 29, 2021 and a third-party computer forensics firm was engaged to ensure the incident was fully remediated and to determine the nature and scope of the breach.

A review of the compromised email accounts revealed they contained sensitive data such as first and last names, mailing addresses, driver’s license numbers, Social Security numbers, and credit card/financial information; however, no evidence was found that indicated emails containing that information were viewed or acquired during the time the accounts were accessible. The first of the accounts were discovered to have been accessed on April 12, 2021.

Notifications started to be sent to affected individuals on July 22, 2021. Complimentary Experian Identity Works credit monitoring and identity theft protection services have been offered to affected individuals.

The post Star Refining & Express MRI Report Phishing Attacks appeared first on HIPAA Journal.