HIPAA Breach News

Ransomware Attack Affects 81,000 Howard University College of Dentistry Patients

Howard University College of Dentistry discovered on September 3, 2021, that unauthorized individuals had gained access to its network and used ransomware to encrypt files. An announcement was made by the university shortly after the attack that it had been forced to cancel online and hybrid classes while its systems were restored, and that a nationally recognized computer forensics firm had been engaged to investigate the incident to determine the extent of the attack and whether sensitive information was accessed or stolen.

On September 24, 2021, the university determined that a system that housed patients’ dental records was affected by the attack. No specific evidence of unauthorized access or data exfiltration was found, although dental records were encrypted. The encrypted records related to dental visits between October 5, 2019, and September 3, 2021, and included information such as names, contact information, dates of birth, dental record numbers, health insurance information, dental history information, and for a limited number of patients, Social Security numbers.

The university has notified all affected patients by mail and has advised them to monitor their account statements for any sign of fraudulent activity and said it has further enhanced its cybersecurity measures to better protect against future cyberattacks and data breaches.

Howard University College of Dentistry recently reported the incident to the HHS’ Office for Civil Rights as affecting up to 80,915 patients.

Great Plains Manufacturing Health Plan Members Affected by Cyberattack

Kansas-based Great Plains Manufacturing has notified 4,110 employees that some of their protected health information has potentially been compromised in a cyberattack that was discovered on October 11, 2021.

The investigation confirmed unauthorized individuals first gained access to its systems on September 28, 2021, and access remained possible until October 11, 2021, when the breach was detected, and the hackers were ejected from its network. A review of the affected file server revealed on November 1, 2021, that files had been accessed that contained information such as names, dates of birth, Social Security numbers, health insurance numbers, and members’ health plan selection.

The breach only affected employees and their dependents who were covered by the Great Plains Manufacturing, Inc. Employee’s Beneficiary Association Trust health plan. Notifications were sent to affected individuals on December 1, 2021, and all affected individuals have been offered complimentary identity theft monitoring services for 12 months.

The post Ransomware Attack Affects 81,000 Howard University College of Dentistry Patients appeared first on HIPAA Journal.

Data Breaches Reported by UH College of Optometry and Valley Mountain Regional Center

The University of Houston College of Optometry has discovered an unauthorized individual from outside the United States gained access to the network of an affiliated eye clinic and stole information contained in the clinic’s database.

The Community Eye Clinic in Fort Worth, TX, is managed and administered by UH College of Optometry. Security staff identified the intrusion at 9 a.m. on September 13, 2021, the morning after the breach occurred. The IT security team immediately took steps to secure the system, further defensive safeguards have been implemented to better protect patient data, and its monitoring and alerts have been enhanced. A review has also been conducted of the clinic’s IT protocols and procedures to ensure that industry-standard practices are followed.

The files obtained by the attacker related to patients who received treatment at the Community Eye Clinic between May 22, 2013, and September 13, 2021. The information in the database included names, dates of birth, contact information, government ID numbers, health insurance information, passport numbers, Social Security numbers, driver’s license numbers, and diagnosis and treatment information. No financial information was stored in the database and no College of Optometry or University of Houston network systems were affected.

The 18,500 affected individuals have been advised to monitor their accounts and explanation of benefits statements for signs of fraudulent activity, to check their credit reports, and to consider placing a security fraud alert on their credit reports.

Phishing Attack on Valley Mountain Regional Center Affects 17,197 Patients

Stockton, CA-based Valley Mountain Regional Center (VMRC) has started notifying 17,197 patients that some of their protected health information was stored in email accounts that were accessed by unauthorized individuals.

VMRC detected phishing emails in its mailboxes on September 15, 2021, and took steps to remove all copies of the messages from its email system; however, the subsequent investigation into the phishing attack revealed 14 employees had clicked the links and disclosed credentials which allowed their email accounts to be accessed.

A comprehensive review of the contents of the affected mailboxes confirmed they contained names, addresses, dates of birth, state-issued client identifier numbers, telephone numbers, personal e-mail addresses, diagnoses, medications, other potential unique identifiers, and dates of service.

VMRC said it found no evidence to suggest any information in the email accounts was accessed, acquired, or misused; however, affected individuals have been advised to monitor their accounts and credit reports for unusual activity.


Ransomware Attacks Reported by TriValley Primary Care and Medsurant Health

On October 11, 2021, Perkasie, PA-based TriValley Primary Care discovered ransomware had been installed on its networks and servers, which contained the protected health information of some of its patients. Action was quickly taken to secure its systems and prevent further unauthorized access and third-party cybersecurity experts were engaged to assist with the investigation.

The forensic investigation concluded on November 4, 2021, but it was not possible to tell exactly when unauthorized individuals first gained access to its systems nor whether any specific patient information was viewed or obtained by the attackers. At the time of issuing notification letters to affected individuals, TriValley Primary Care was unaware of any actual or attempted misuse of patient data.

As a precaution against identity theft and fraud, all affected individuals have been offered complimentary credit monitoring and identity theft protection services. TriValley Primary Care said it has taken action to prevent further security breaches, including implementing additional technical safeguards, strengthening its existing cybersecurity infrastructure, and providing further security awareness training to the workforce. External cybersecurity consultants have been engaged to assist with improving its policies, procedures, and protocols to further strengthen its security posture.

The breach was reported to the HHS’ Office for Civil Rights as affecting 57,468 patients.

45,000 Individuals Affected by Medsurant Health Ransomware Attack

Pennsylvania-based Medsurant Holdings has reported a ransomware attack to the HHS’ Office for Civil Rights that has affected up to 45,000 Medsurant Health patients.

Medsurant said it received an email from the attacker on September 30, 2021, stating sensitive data had been accessed and exfiltrated from its systems. An investigation was launched to determine whether files had been subjected to unauthorized access and to determine if the claims of data theft were true. According to the notice on the Medsurant website, the investigation confirmed the threat actor had access to its systems between September 23 and November 12. Some files on its systems were encrypted in the attack, but they have successfully been restored.

A review is currently being conducted to determine which files were accessed and stolen and to identify all affected patients. Notification letters will be sent to affected individuals when the review is complete and once contact information has been verified.

At this stage, the types of information believed to have been stolen include full names, addresses, diagnoses, medical conditions, dates of birth, claims information, and Social Security numbers. Medsurant is unaware of any attempted or actual misuse of patient data at the time of publishing the notice.

Existing policies and procedures are being reviewed and will be updated as necessary and further technical and administrative safeguards will be implemented to better protect the information stored in its systems.


Sound Generations Reports Two Ransomware Attacks Affecting Over 100,000 Individuals

Seattle, WA-based Sound Generations has announced that unauthorized individuals have gained access to its internal systems and have used ransomware to encrypt files.

Sound Generations is a nonprofit that helps older adults and adults with disabilities obtain free to low-cost healthcare resources. The organization is the largest provider of comprehensive services for aging adults in King County, WA.

According to the substitute breach notification letter uploaded to its website, unauthorized individuals accessed its systems and encrypted data on July 18, 2021, and again on September 18, 2021. In both cases, the unauthorized access was promptly terminated and both incidents were investigated by a third-party forensics firm to determine the nature and scope of the security breaches; however, it was not possible to tell if any protected health information was viewed or obtained by the attackers.

An internal review of the affected systems confirmed the protected health information of 103,576 individuals was stored on the affected systems. That information included demographic and health information, including names, addresses, phone numbers, email addresses, dates of birth, and whether or not an individual has health insurance. Health histories and health conditions may have been exposed if that information was provided to Sound Generations and individuals who participated in the EnhanceFitness program may also have had their health insurance number exposed.

Sound Generations said it has received no indication that any of the information stored on its systems has been used by any person to commit fraud, but all affected individuals should exercise caution and monitor their accounts and explanation of benefits statements for signs of fraudulent activity.

Sound Generations says it has significantly enhanced its cybersecurity controls as a result of the recent attacks.


PHI of 40,000 Individuals Exposed in Email Account Breaches

Three healthcare providers have recently reported security breaches involving the email accounts of employees, resulting in the exposure and potential theft of the protected health information of more than 40,000 individuals.

Saltzer Health

Saltzer Health identified a breach of its email environment on June 1, 2021. Steps were promptly taken to prevent further unauthorized access, with the subsequent investigation confirming an unauthorized individual had accessed the account between May 25, 2021, and June 1, 2021. It was not possible to tell if any patient information was accessed or exfiltrated, but a comprehensive review of the account by third-party specialists confirmed it contained the protected health information of 15,650 patients.

The review was completed on September 21, 2021, and confirmed the email account contained the following types of information: Names, contact information, medical record numbers, patient identification numbers, driver’s license/state identification numbers, medical histories, diagnoses, treatment information, physician information, prescription information, health insurance information, and a limited number of Social Security numbers and financial account information. All affected individuals have now been notified by mail.

Boulder Neurosurgical and Spine Associates

Boulder Neurosurgical and Spine Associates in Colorado detected a breach of an employee email account on September 21, 2021. The email account was immediately secured, and third-party cybersecurity experts were engaged to assist with the investigation.

A comprehensive review of emails and attachments in the breached account confirmed protected health information had been exposed, although it was not possible to tell if any PHI had been viewed or obtained by unauthorized individuals. The compromised PHI included names, dates of birth, and medical records, but no addresses or Social Security numbers were exposed. The breach has been reported to the HHS’ Office for Civil Rights as affecting 21,450 individuals.

Region IV Area Agency on Aging

Region IV Area Agency on Aging in Michigan (AAA4) discovered on or around September 30, 2021, that an unauthorized individual had gained access to the email account of one of its employees as a result of a response to a phishing email. The purpose of the cyberattack was to try to get the employee’s paychecks diverted.

While this appears to be the sole aim of the attacker, the email account contained the PHI of 3,171 individuals and included names, addresses, dates of birth, social security numbers, insurance information, phone numbers, and medical conditions.

AAA4 said it found no evidence to suggest any PHI had been obtained or misused, but all affected individuals have been advised to exercise caution and monitor their accounts and explanation of benefits statements for suspicious activity. AAA4 said it has taken steps to prevent further phishing attacks, including providing additional training to the workforce.


400,000 Patients Potentially Affected by Planned Parenthood Ransomware Attack

Planned Parenthood has recently confirmed it was the victim of a ransomware attack in October that affected its Los Angeles branch.

According to the announcement, a ransomware gang gained access to the network between October 9, 2021, and October 17, 2021, and deployed ransomware to encrypt files. A ransom demand was then issued, payment of which was required to obtain the keys to decrypt data. Prior to using ransomware, certain files were exfiltrated from its systems and were used as leverage to get Planned Parenthood to pay the ransom. It is currently unclear if the ransom was paid but, at the time of writing, the stolen files do not appear to have been published on any ransomware gang’s data leak site.

The ransomware attack was detected by Planned Parenthood Los Angeles on October 17, 2021, and steps were immediately taken to secure its network and investigate the security breach. When it was confirmed that files had been stolen, a review was conducted to determine the types of information that had been compromised. On November 4, 2021, it was confirmed that some of the stolen files contained patient information.

The types of information contained in the files varied from patient to patient and may have included names, addresses, dates of birth, diagnosis, health insurance information, and medical information, including details of the procedures that had been performed and any prescriptions provided. The cyberattack has been reported to law enforcement and the investigation into the security breach is ongoing.

A spokesperson for Planned Parenthood Los Angeles said around 400,000 patients have potentially been affected and will be notified by mail and advised of the steps they can take to prevent misuse of their information. Planned Parenthood said there are no indications that any stolen patient information has been misused to date.

Planned Parenthood has taken steps to augment its existing security measures to prevent further cyberattacks, including enhancing monitoring of its network and hiring additional staff members to bolster its cybersecurity team.

“The type of data that bad actors exfiltrated from Planned Parenthood victims is extremely dangerous in the hands of criminals. PII like addresses and dates of birth is one thing, but coupled with clinical information – that can be disastrous. Tying these kinds of sensitive medical data back to individuals can open them up to fraudulent medical scams and also fraudulent insurance claims,” said Paul Laudanski, head of threat intelligence at email security firm Tessian.

This is not the first time Planned Parenthood has experienced a cyberattack. Patient information was stolen in a hacking incident that affected its Metropolitan Washington branch in 2020, and hacktivists breached its systems in 2015 and obtained the names and addresses of hundreds of its patients.


HHS’ Office for Civil Rights Imposes Further 5 Financial Penalties for HIPAA Right of Access Violations

The HHS’ Office for Civil Rights (OCR) is continuing with its enforcement of compliance with the HIPAA Right of Access and has recently announced a further 5 financial penalties. The HIPAA Right of Access enforcement initiative was launched in the fall of 2019 in response to a significant number of complaints from patients who had not been provided with timely access to their medical records.

The HIPAA Privacy Rule requires covered entities to provide individuals with access to their medical records. A copy of the requested information must be provided within 30 days of the request being received, although an extension of 30 days may be granted in limited circumstances. HIPAA-covered entities are permitted to charge patients for exercising this important Privacy Rule right, but may only charge a reasonable, cost-based fee. Labor costs are only permitted for copying or otherwise creating and delivering the PHI after it has been identified.

The enforcement actions to date have not been imposed for charging excessive amounts, only for impermissibly refusing to provide a copy of the requested records or for unnecessary delays. In some cases, patients have had to wait many months before they were provided with a copy of their records.

The latest announcement by OCR brings the total number of HIPAA Right of Access enforcement actions under the 2019 enforcement initiative up to 25.

In all of the new cases below, OCR determined the healthcare providers were in violation of 45 C.F.R. § 164.524 and had not provided timely access to protected health information about the individual after receiving a request.

Advanced Spine & Pain Management, a provider of chronic pain-related medical services in Cincinnati and Springboro, OH, agreed to settle OCR’s investigation and paid a $32,150 financial penalty and will be monitored by OCR for compliance with its corrective action plan for 2 years. The investigation stemmed from a complaint from a patient who requested his medical records on November 25, 2019, but was not provided with the records until March 19, 2020.

Denver Retina Center, a Denver, CO-based provider of ophthalmological services, settled its investigation with OCR and paid a $30,000 financial penalty and will be monitored for compliance with its corrective action plan for 12 months. A patient alleged she had requested her records in December 2018 but did not receive a copy of her records until July 26, 2019. OCR had provided technical assistance to the healthcare provider following receipt of a previous HIPAA Right of Access complaint from the same patient and closed the case. When evidence was received of continued non-compliance, the case was reopened. OCR determined that in addition to the delay, Denver Retina Center’s access policies and procedures were not compliant with the HIPAA Privacy Rule, as required by 45 C.F.R. § 164.530(i).

Rainrock Treatment Center LLC (dba Monte Nido Rainrock), a Eugene, OR-based provider of residential eating disorder treatment services, settled OCR’s investigation and paid a $160,000 financial penalty and will be monitored for compliance with the corrective action plan for 12 months. OCR had received three complaints from a patient who had not been provided with a copy of her medical records. The patient had requested a copy of her records on October 1, 2019, and November 21, 2019, and did not receive the requested records until May 22, 2020.

Wake Health Medical Group, a Raleigh, NC-based provider of primary care and other health care services, settled OCR’s investigation and paid a $10,000 financial penalty and has agreed to take corrective action to prevent further HIPAA Right of Access violations. OCR had received a complaint from a patient who requested a copy of her medical records on June 27, 2019, and paid a $25 flat fee, which is the standard fee charged by Wake Health Medical Group for providing copies of medical records. As of the date of the settlement, the patient has still not been provided with the requested records.

Dr. Robert Glaser, a New Hyde Park, NY-based cardiovascular disease and internal medicine doctor, did not cooperate with OCR during the investigation, although he did not contest the findings and waived his right to a hearing. A civil monetary penalty of $100,000 was imposed by OCR. An investigation was launched following receipt of a complaint from a former patient who alleged he had made several written and verbal requests for a copy of his medical records between 2013 and 2014. The complaint was filed with OCR on November 9, 2017, and the case was closed by OCR on December 15, 2017, after advising Dr. Glaser to investigate the complaint and provide the requested records if the requests were in line with the HIPAA Right of Access. The patient filed a further complaint with OCR on March 20, 2018, and provided evidence of further written requests. OCR tried to contact Dr. Glaser on multiple occasions by letter and phone, but he repeatedly failed to respond, hence the decision to impose a civil monetary penalty.

“Timely access to your health records is a powerful tool in staying healthy, patient privacy and it is your right under law,” said OCR Director Lisa J. Pino. “OCR will continue its enforcement actions by holding covered entities responsible for their HIPAA compliance and pursue civil money penalties for violations that are not addressed.”


One Community Health Patients Notified About April 2021 Cyberattack and Data Theft

Sacramento, CA-based One Community Health has recently notified patients that its systems were compromised between April 19 and April 20, 2021. An unauthorized individual was discovered to have gained access to systems containing the personal and protected health information of certain employees and patients.

A comprehensive forensic investigation was conducted by a third-party cybersecurity firm to determine the nature and scope of the attack, and One Community Health was notified on October 6, 2021, that the attacker had exfiltrated files from its network that included full names and one or more of the following data elements: Address, other demographic information, telephone number, email address, date of birth, Social Security number, driver’s license number, insurance information, diagnosis information, and treatment information.

Notification letters started to be sent to all affected patients on November 22, 2021. There have been no reported cases of identity theft or fraud; however, complimentary credit monitoring services have been offered to affected individuals as a precaution against identity theft and fraud.

One Community Health said it has been working with cybersecurity experts to augment its defenses against cyberattacks, has improved endpoint detection and email security, and has signed up for 24×7 managed detection and response.

Email Error by Eye Care Product Manufacturer Results in PHI Disclosure

Alcon, a provider of eye care products, has discovered an email error that resulted in the disclosure of certain patients’ protected health information to healthcare providers not authorized to view the information.

On October 5, 2021, Alcon emailed patients’ protected health information to healthcare providers to facilitate billing. The emails were supposed to only contain information about each healthcare provider’s own patients; however, a technical error meant the emails also contained the information of patients of other healthcare providers.

The emails contained a limited amount of information about patients who had recently received an Alcon intraocular lens implant, namely, first and last names, device serial numbers, dates of implant, and treating physician names.

All healthcare providers who received the email were contacted and told to delete the email and Alcon has reviewed and updated its policies and procedures to prevent similar breaches in the future. Due to the nature of the information disclosed and the entities that received the information, Alcon does not believe any patient information will be used inappropriately.


Sarasota MRI, Consociate Health, & Upstate Homecare Notify Patients About Data Breaches

Sarasota MRI, Consociate Health, and Upstate Homecare have recently notified regulators and patients about security incidents involving personal and protected health information.

Upstate Homecare Notifies 5,100 Patients About Ransomware Attack

The Albany, NY-based home healthcare provider, Upstate Healthcare, has notified 5,114 patients about a recent ransomware attack in which patient data was stolen.

It is unclear from the breach notification letters when the attack occurred; however, an investigation conducted by a third-party cybersecurity firm determined on November 4, 2021, that patient data had been stolen and posted to a data leak website on the darknet.

The stolen data included full names, dates of birth, addresses, telephone numbers, email addresses, driver’s license numbers, bank account information, Social Security numbers, treatment information, physicians’ names, patient ID numbers, and Medicare/Medicaid numbers.

Following the attack, Upstate Healthcare performed a comprehensive review of its security measures and has implemented additional safeguards to better protect its systems and data against future attacks. Affected individuals were notified on November 24, 2021, and have been offered complimentary access to identity theft monitoring and restoration services.

Sarasota MRI Notifies Patients About Potential PHI Exposure

Florida-based Sarasota MRI has started notifying certain patients about the potential exposure of some of their protected health information. In late July 2020, Sarasota MRI was contacted by a third-party, unaffiliated cybersecurity firm and was notified that one of its servers had been misconfigured, which allowed information on the server to be accessed.

The server in question was determined not to be in use and data had been migrated to a different server. Further, a review of the server uncovered no evidence to suggest it had been accessed by unauthorized individuals, other than the security company that detected the misconfiguration.

However, since it was not possible to rule out the exposure of individuals’ names, dates of birth, medical records, and medical images, affected individuals are now being notified. According to the breach notification letter sent to the Vermont attorney general on November 12, 2021, Sarasota moved quickly to correct the misconfiguration and conducted an investigation into a potential breach, and has taken steps to ensure the security of its systems.

Consociate Health Discovers Breach at Employee Benefits Plan Administrator

Consociate Health, a provider of employee benefits programs and plan administration services, has recently completed a 10-month investigation into a data breach involving the protected health information of 982 individuals. The investigation revealed the breach only affected the PHI of individuals from January 1, 2014, through December 31, 2015.

The types of exposed data included names, addresses, dates of birth, diagnosis codes, medical record numbers, health insurance information, medical record information, and Social Security numbers.

No evidence was found to indicate any PHI has been misused but, as a precaution, affected individuals have been offered complimentary access to identity theft monitoring services for 12 months.
