HIPAA Breach News

Harris County, TX: PHI of 26,000 Individuals Exposed Online

Harris County in Texas has discovered that the personal and health information of thousands of individuals was exposed online and potentially accessed by unauthorized individuals.

Under Harris County’s legally required reporting obligations, information is provided to the Harris County Justice Administration Department which includes System Person Numbers, which are unique identifiers that are assigned to individuals by the Harris County jail system. In addition to those numbers, some limited health information is provided related to the medical care individuals received at the County’s Jail Clinic, which includes health histories, diagnoses, and/or prescription information.

The inadvertent disclosure of sensitive information was discovered by Harris County officials on July 9, 2021. Harris County determined that between March 15, 2021 and May 22, 2021, the above types of information were inadvertently made available on the Justice Administration Department’s website.

No names were included, nor any Social Security numbers or financial account information, but since unique identifiers were included, it may have been possible for individuals to be identified. During the course of the investigation, no evidence was found to indicate the exposed information was accessed or downloaded by unauthorized individuals and no reports have been received that suggest any information has been misused.

Harris County is encouraging all affected individuals to carefully review any statements they receive from their healthcare providers and to report any listed healthcare services that they did not receive.

The investigation is ongoing, and a helpline has been set up for affected individuals to receive further information (1-855-545-2039). Harris County is also taking steps to enhance existing processes to prevent similar breaches in the future.

The breach has been reported to the Department of Health and Human Services’ Office for Civil Rights as affecting 26,000 individuals.

The post Harris County, TX: PHI of 26,000 Individuals Exposed Online appeared first on HIPAA Journal.

More Than 447K Patients Affected by Phishing Attack on Orlando Family Physicians

Email accounts containing the protected health information of 447,426 patients of Orlando Family Physicians in Florida have been accessed by an unauthorized individual.

Orlando Family Physicians said the first email account was compromised on April 15, 2021 as a result of an employee responding to a phishing email and disclosing their account credentials. Action was promptly taken to block unauthorized access, and an investigation was launched to determine the nature and extent of the breach.

Assisted by a leading cybersecurity forensics firm, Orlando Family Physicians determined that three additional employee email accounts had also been subjected to unauthorized access. External access to all four compromised email accounts was blocked within 24 hours of the initial unauthorized account access.

Orlando Family Physicians determined on May 21, 2021, that the unauthorized individual potentially accessed emails in the accounts that contained patients’ protected health information. A review of the emails and attachments was conducted, and on July 9, 2021, Orlando Family Physicians was able to identify all affected individuals.

The email accounts contained the personal and protected health information of current patients, potential patients, employees, and other individuals. The types of information in the accounts varied from individual to individual and included one or more of the following types of data: Names, demographic information, diagnoses, provider names, prescriptions, health insurance information (Medicare beneficiary number or other subscriber identification number), patient account numbers, medical record numbers, and passport numbers.

The attack appears to have been conducted with the aim of committing financial fraud against the practice, rather than to obtain patient data; however, since unauthorized data access and exfiltration could not be ruled out, affected individuals have been advised to exercise caution and closely check their financial accounts and explanation of benefits statements for signs of fraudulent activity.

Orlando Family Physicians has enhanced its technical security measures following the breach and supplemental training on email security is being provided to the workforce.


PHI Potentially Compromised in Ransomware Attacks on Eye Center and Law Firm

Francisco J. Pabalan MD has reported a ransomware attack that has affected up to 50,000 patients of the Pabalan Eye Center in Riverside, CA.

The ransomware attack was discovered on March 3, 2021, with the investigation confirming it commenced on March 1. The attackers encrypted files on computers and servers, preventing access, and demanded a ransom for the patient data. All affected computers and servers had been backed up prior to the attack, so the encrypted data could be recovered without paying the ransom.

The investigation found no evidence of data theft; the attack appears to have been conducted only to disrupt services in order to extort money from the practice. Following the attack, all computers and servers were formatted, operating systems and software were reinstalled, and patient data were then restored from backups.

Additional security measures have been implemented, including new anti-virus and anti-ransomware software and new data encryption technology, and a new Security Rule Risk Management Plan has been developed and put in place. New technical safeguards were introduced to bolster security, including secure, VPN-protected connections to servers and updated password policies, and additional training has been provided to the workforce to aid with the identification of security threats. Moving forward, periodic technical and nontechnical evaluations and updates will be conducted.

While it does not appear that financial information was obtained by the attackers, all affected patients have been advised to be vigilant and monitor their account statements for any signs of identity theft or fraud. Protected health information potentially compromised in the incident includes scanned insurance forms, exam findings, imaging, diagnostic testing, and scanned past medical records.

Ransomware Attack Reported by Campbell, Conroy, O’Neill Law Firm

The Boston, MA-based law firm, Campbell, Conroy, O’Neill, has announced it suffered a ransomware attack on or around February 27, 2021.

The attackers encrypted certain files on its systems, preventing access, and the investigation suggested the attacker had accessed files containing sensitive information. It was not possible to determine whether the threat actor viewed or obtained specific information relating to individuals.

The types of data in the files varied from individual to individual and included one or more of the following data elements: Names, dates of birth, driver’s license numbers, state identification numbers, financial account information, Social Security numbers, passport numbers, payment card information, medical information, health insurance information, biometric data, and online account credentials such as usernames and passwords.

Campbell, Conroy, O’Neill has conducted a review of policies and procedures and additional safeguards are being implemented to prevent further attacks. Individuals whose Social Security number was potentially compromised in the incident have been offered a complimentary 2-year membership to credit monitoring, fraud consultation, and identity theft restoration services.


Accidental Disclosures of PHI at LA Fire Department and Standard Modern Company

The Los Angeles Fire Department has discovered that the COVID-19 vaccination statuses of 4,900 employees were accidentally exposed online.

A list that included the full names of employees, dates of birth, employee numbers, and COVID-19 vaccination information (vaccination dates, doses, or declined vaccine) had been published on a website accessible to the public. During the time that the website was active, it was possible to visit the site and conduct searches of the database for names and employee numbers. The database was not password protected and no information had to be entered to authenticate users. If a wildcard search was conducted, a table was generated that listed the data of all 4,900 employees.

The website – covid.lacofdems.com – had been privately registered and was linked to the Fire Department’s Emergency Medical Service’s bureau. The website, which had not been authorized, was created on April 29, 2021 and was deactivated on July 15, 2021. The website had reportedly been created to allow Department employees to retrieve lost vaccination information.

Prior to the deactivation, a reporter at the LA Times downloaded the data from the database. An investigation into the owner of the site showed it was hosted by a department employee and had not been secured using government software or infrastructure.
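The failure described above, an unauthenticated lookup page whose wildcard search returned the whole roster, is contrasted below with a hardened version of the same lookup. This is an added illustration, not the Fire Department's code, and everything in it is constructed: the three-row roster, the `SESSION_KEY` secret, and the `issue_session`/`verify_session` helpers standing in for whatever SSO the department would actually use. The hardened function requires a valid session, lets a caller read only the record bound to that session, matches the employee number exactly instead of with `LIKE`, returns only vaccination fields, and logs every decision.

```python
import hashlib
import hmac
import sqlite3
from typing import Optional

# Constructed sample roster: fictitious employees, not LAFD data.
EMPLOYEES = [
    ("100001", "Alice Example", "1985-03-04", "2021-02-01", "2021-02-22", "vaccinated"),
    ("100002", "Bob Example", "1979-11-17", "", "", "declined"),
    ("100003", "Carol Example", "1990-07-30", "2021-03-10", "", "first dose"),
]

# Hypothetical server-side secret used to sign session tokens (demo only).
SESSION_KEY = b"constructed-demo-session-key"
AUDIT_LOG = []  # (decision, authenticated subject, requested employee_no)


def build_db() -> sqlite3.Connection:
    """Create an in-memory table holding the constructed roster."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE vaccinations (employee_no TEXT PRIMARY KEY, name TEXT, "
        "dob TEXT, dose1 TEXT, dose2 TEXT, status TEXT)"
    )
    conn.executemany("INSERT INTO vaccinations VALUES (?, ?, ?, ?, ?, ?)", EMPLOYEES)
    return conn


def unsafe_lookup(conn: sqlite3.Connection, query: str) -> list:
    """The weak pattern the article describes: no caller identity, pattern
    matching on name or employee number, and no cap on results. A '%'
    wildcard therefore returns every row, including names and dates of birth."""
    return conn.execute(
        "SELECT employee_no, name, dob, dose1, dose2, status FROM vaccinations "
        "WHERE name LIKE ? OR employee_no LIKE ?",
        (query, query),
    ).fetchall()


def issue_session(employee_no: str) -> str:
    """Stand-in for an SSO login: bind a session token to one employee number."""
    tag = hmac.new(SESSION_KEY, employee_no.encode(), hashlib.sha256).hexdigest()
    return f"{employee_no}:{tag}"


def verify_session(token: str) -> Optional[str]:
    """Return the employee number the token was issued for, or None if invalid."""
    employee_no, sep, tag = token.partition(":")
    if not sep:
        return None
    expected = hmac.new(SESSION_KEY, employee_no.encode(), hashlib.sha256).hexdigest()
    return employee_no if hmac.compare_digest(tag, expected) else None


def safe_lookup(conn: sqlite3.Connection, token: str, employee_no: str) -> Optional[dict]:
    """Hardened lookup: the caller must hold a valid session, may only read the
    record bound to that session, and the query is an exact match (no LIKE),
    so wildcards cannot widen it. Every decision is written to the audit log."""
    subject = verify_session(token)
    if subject is None:
        AUDIT_LOG.append(("denied", None, employee_no))
        return None
    if employee_no != subject or not employee_no.isdigit():
        AUDIT_LOG.append(("denied", subject, employee_no))
        return None
    row = conn.execute(
        "SELECT employee_no, dose1, dose2, status FROM vaccinations WHERE employee_no = ?",
        (employee_no,),
    ).fetchone()
    AUDIT_LOG.append(("allowed", subject, employee_no))
    if row is None:
        return None
    return {"employee_no": row[0], "dose1": row[1], "dose2": row[2], "status": row[3]}


if __name__ == "__main__":
    db = build_db()
    print("wildcard against the weak endpoint returns", len(unsafe_lookup(db, "%")), "rows")
    token = issue_session("100001")
    print("own record via hardened endpoint:", safe_lookup(db, token, "100001"))
    print("another employee's record:", safe_lookup(db, token, "100002"))
    print("audit trail:", AUDIT_LOG)
```

The point of the exact-match query is that the input can no longer be a pattern at all, so the "wildcard dumps the table" behaviour disappears by construction rather than by input filtering; the session check then limits each caller to the one record they have a legitimate reason to retrieve, which is all the stated purpose of the site (recovering lost vaccination details) required.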

After learning about the breach and exposure of vaccine status information, several firefighters took to social media to complain about the privacy violation. The firefighters’ union, Local 1014, has called for a full investigation to be conducted into the breach.

Error at Mailing Vendor Sees Letters Sent to Incorrect MassHealth Members

New Bedford, MA-based Standard Modern Company, Inc. has notified 2,707 patients about an accidental disclosure of some of their personal information.

Standard Modern Company provides mailing services to the Massachusetts Executive Office of Health and Human Services. On May 24, 2021, Standard Modern Company was notified that certain MassHealth members had received letters that contained the information of other MassHealth members. All mailings were ceased while the incident was investigated, with the investigation confirming an internal program error had occurred that affected mailings between May 10, 2021 and May 18, 2021. The error caused incorrect labels to be generated on a limited number of mailed notices.

In each case, a letter containing a member name, identification number, last four digits of their Social Security Number, and their date of birth was sent to a different MassHealth member.

Standard Modern Company has stopped using the internal program that caused the error, and additional safeguards have now been implemented to strengthen its mailing procedures and prevent further errors.
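The mailing error above, a program pairing the wrong address label with a notice, is the kind of defect a pre-print consistency gate catches. The following is an added example, not Standard Modern Company's code, and it makes no claim about what their program did: the member records, addresses and the `shift` parameter that models a misaligned batch are all constructed. The gate refuses to print the whole batch if any envelope's label does not name the same member as the notice inside it.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Notice:
    """Content of one printed notice (constructed fields, not real members)."""
    member_id: str
    name: str
    ssn_last4: str
    dob: str


@dataclass(frozen=True)
class Label:
    """Address label that goes on the envelope."""
    member_id: str
    name: str
    address: str


# Constructed sample batch.
NOTICES: List[Notice] = [
    Notice("M1001", "Ann Example", "1234", "1970-01-02"),
    Notice("M1002", "Ben Example", "5678", "1982-05-09"),
    Notice("M1003", "Cal Example", "9012", "1995-12-30"),
]
ADDRESSES: Dict[str, str] = {
    "M1001": "1 Main St, New Bedford, MA",
    "M1002": "2 Oak Ave, Fall River, MA",
    "M1003": "3 Elm Rd, Taunton, MA",
}


def make_labels(notices: List[Notice], shift: int = 0) -> List[Label]:
    """Produce one label per notice. shift=0 is the correct pairing; shift=1
    is a constructed stand-in for an alignment bug that pairs each envelope
    with the next member's notice, the kind of program error that sends a
    notice to the wrong member."""
    n = len(notices)
    labels = []
    for i in range(n):
        src = notices[(i + shift) % n]
        labels.append(Label(src.member_id, src.name, ADDRESSES[src.member_id]))
    return labels


def validate_batch(notices: List[Notice], labels: List[Label]) -> List[tuple]:
    """Pre-print gate: envelope i must carry the same member as notice i.
    Returns a list of mismatches; an empty list means the batch may print."""
    if len(notices) != len(labels):
        return [("count_mismatch", len(notices), len(labels))]
    return [
        (i, notice.member_id, label.member_id)
        for i, (notice, label) in enumerate(zip(notices, labels))
        if notice.member_id != label.member_id or notice.name != label.name
    ]


def run_mailing(notices: List[Notice], shift: int = 0) -> dict:
    """Hold the whole batch if any envelope fails the check, so a single
    shifted label cannot send one member's data to another."""
    labels = make_labels(notices, shift)
    problems = validate_batch(notices, labels)
    if problems:
        return {"printed": 0, "held": len(notices), "mismatches": problems}
    return {"printed": len(notices), "held": 0, "mismatches": []}


if __name__ == "__main__":
    print("correct run:", run_mailing(NOTICES))
    print("shifted run:", run_mailing(NOTICES, shift=1))
```

Holding the entire batch rather than skipping the bad envelopes is deliberate: a misalignment usually means the pairing logic itself is wrong, so every envelope after the first bad one is suspect and the run should be investigated before anything is mailed.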

Each of the 2,707 affected individuals had only limited information disclosed, to one other member, and there have been no reported cases of misuse of any of the disclosed information. A phone line has been established for affected individuals to find out more about the breach and have their questions answered, and complimentary access to Triple Bureau Credit Monitoring and cyber monitoring services has been offered for 24 months.

Standard Modern Company was assisted by the Buffalo, NY-based privacy and security law firm Beckage PLLC when investigating and responding to the breach.


The Average Cost of a Healthcare Data Breach is Now $9.42 Million

IBM Security has published its 2021 Cost of a Data Breach Report, which shows data breach costs have risen once again and are now at the highest level since IBM started publishing the reports 17 years ago. There was a 10% year-over-year increase in data breach costs, with the average cost rising to $4.24 million per incident. Healthcare data breaches are the costliest, with the average cost increasing by $2 million to $9.42 million per incident. Ransomware attacks cost an average of $4.62 million per incident.

Source: IBM Security

The large year-over-year increase in data breach costs has been attributed to the drastic operational shifts due to the pandemic. With employees forced to work remotely during the pandemic, organizations had to rapidly adapt their technology. The pandemic forced 60% of organizations to move further into the cloud. Such a rapid change resulted in vulnerabilities being introduced and security often lagged behind the rapid IT changes. Remote working also hindered organizations’ ability to quickly respond to security incidents and data breaches.

According to IBM, data breach costs were more than $1 million higher when remote work was indicated as a factor in the data breach. When remote work was a factor, the average data breach cost was $4.96 million compared to $3.89 million when remote work was not a factor. Almost 20% of organizations that reported data breaches in 2020 cited remote work as a factor, with the cost of a data breach around 15% higher when remote work was a factor.

To compile the report, IBM conducted an in-depth analysis of data breaches involving fewer than 100,000 records at 500 organizations between May 2020 and March 2021, with the survey conducted by the Ponemon Institute.

The most common root cause of data breaches in the past year was compromised credentials, which accounted for 20% of data breaches. These breaches took longer to detect and contain, with an average of 250 days compared to an overall average of 212 days.

The most common types of data exposed in data breaches were customers’ personal data such as names, email addresses, passwords, and healthcare data. 44% of all data breaches included those types of data. A data breach involving email addresses, usernames, and passwords can easily have a spiral effect, as hackers can use the compromised data in further attacks. According to the Ponemon Institute survey, 82% of individuals reuse passwords across multiple accounts.

Breaches involving customers’ personally identifiable information (PII) were more expensive than breaches involving other types of data, with a cost per record of $180 when PII was involved compared to $161 per record for other types of data.

Data breach costs were lower at companies that had implemented encryption, security analytics, and artificial intelligence-based security solutions, with these three mitigating factors resulting in data breach cost savings of between $1.25 million and $1.49 million per data breach.

Adopting a zero-trust approach to security makes it easier for organizations to deal with data breaches. Organizations with a mature zero trust strategy had an average data breach cost of $3.28 million, which was $1.76 million lower than those who had not deployed this approach at all.

“Higher data breach costs are yet another added expense for businesses in the wake of rapid technology shifts during the pandemic,” said Chris McCurdy, Vice President and General Manager, IBM Security. “While data breach costs reached a record high over the past year, the report also showed positive signs about the impact of modern security tactics, such as AI, automation and the adoption of a zero-trust approach – which may pay off in reducing the cost of these incidents further down the line.”

Security automation greatly reduces data breach costs. Organizations with a “fully deployed” security automation strategy had average breach costs of $2.90 million per incident, compared to $6.71 million at organizations that had no security automation.

Companies with an incident response team that had tested their incident response plan had 54.9% lower breach costs than those that had neither. The average data breach cost was $3.25 million compared to $5.71 million when neither were in place.

The cost of a data breach was $750,000 (16.6%) higher for companies that had not undergone any digital transformation due to COVID-19. Cloud-based data breach costs were lower for organizations that had adopted a hybrid cloud approach, with an average cost of $3.61 million at organizations with hybrid cloud infrastructure compared to $4.80 million for organizations with a primarily public cloud and $4.55 million for those that had adopted a private cloud approach. Data breach costs were 18.8% higher when a breach was experienced during a cloud migration project.

Organizations that were further into their cloud migration plan were able to detect and respond to data breaches far more quickly – on average 77 days more quickly for organizations that were at a mature state of their cloud modernization plan than those in the early stages.

Mega data breaches – those involving between 50 million and 65 million records – cost an average of $401 million per incident, which is more than 100 times the cost of breaches involving between 1,000 and 100,000 records.


McLaren Health Care and Greenwood Leflore Hospital Impacted by Elekta Ransomware Attack

McLaren Health Care Corporation (MHCC), the operator of 15 hospitals and over 100 primary care locations in Michigan and Ohio, has announced the protected health information of 64,600 of its cancer patients may have been compromised in a ransomware attack on vendor Elekta Inc.

Elekta provides software and technology services to MHCC facilities in Macomb, Northern Michigan, Gaylord, Cheboygan, West Branch, Lapeer, Central and Bay City, which includes data storage.

Between April 2 and April 20, 2021, hackers had access to Elekta’s systems, exfiltrated data, then deployed ransomware to encrypt files. A ransom demand was issued, payment of which was required to decrypt data and prevent the exposure of data stolen in the attack. Elekta notified MHCC about the breach on May 17, 2021.

While patient data was affected, Elekta said it has no reason to believe that any of the stolen information will be further disclosed or published online. However, as a precaution against identity theft and fraud, complimentary identity theft protection and credit monitoring services are being offered to affected individuals.

The types of data potentially compromised in the attack included full names, Social Security numbers, addresses, dates of birth, height & weight measurements, medical diagnoses, medical treatment details, appointment confirmations, and other information MHCC collected to provide health care services.

Patients of The Cancer Center at Greenwood Leflore Hospital (CCGLH) in Mississippi have also been notified about the ransomware attack as a precautionary measure to prevent identity theft and fraud.

CCGLH was also notified by Elekta on May 17 about the ransomware attack and was told that patient data had been encrypted; however, Elekta’s forensic investigation determined there was no interactive access to the PHI and the PHI of CCGLH patients was not downloaded or transferred from the database. However, it was not possible to totally rule out the possibility of unauthorized data access and PHI theft.

The same types of information were affected as for MHCC patients, and complimentary access to identity monitoring, fraud consultation, and identity theft restoration services is also being provided to CCGLH patients. It is currently unclear exactly how many CCGLH patients have been affected.


Phishing Attacks Reported by UC San Diego Health and UnitedHealthcare

UC San Diego Health has discovered unauthorized individuals gained access to the email accounts of some of its employees and may have accessed or exfiltrated emails containing patient data. The email accounts were compromised as a result of employees responding to phishing emails and disclosing their email credentials.

The email environment has now been secured and additional measures have been implemented to improve security. The investigation into the breach revealed the first email account was compromised on December 2, 2020, and others were compromised up until April 8, 2020.

At this stage, no evidence has been found to indicate any emails or email attachments were subjected to unauthorized access between December 2020 and April 2021, and no reports have been received that suggest the protected health information (PHI) of patients has been misused; however, it was not possible to rule out unauthorized PHI access and data exfiltration.

The investigation into the breach is ongoing to identify exactly what happened and the information that has been affected. Notification letters will be sent to all affected individuals once the forensic investigation is completed. The full review of affected email accounts is expected to take until September. Individual notifications will be issued no later than September 30, 2021. Affected individuals will be offered a complimentary membership to credit monitoring services for 12 months.

UC San Diego Health explained in its substitute breach notice that the following types of information were contained in the compromised email accounts: full name, address, date of birth, email, fax number, claims information (date and cost of health care services and claims identifiers), laboratory results, medical diagnosis and conditions, Medical Record Number and other medical identifiers, prescription information, treatment information, medical information, Social Security number, government identification number, payment card number or financial account number and security code, student ID number, and username and password.

Community members have been warned to be vigilant and to monitor their financial accounts and explanation of benefits statements for signs of identity theft or other fraudulent activity.

UnitedHealthcare Reports Breach Affecting 2,330 Plan Members

The health plan provider UnitedHealthcare has announced the protected health information of 2,330 plan members has been exposed in a phishing attack on one of its insurance brokers – Academic HealthPlans, Inc. (AHP).

AHP identified suspicious activity in its email system on June 21, 2021. Steps were immediately taken to block further unauthorized access and an investigation was launched to determine the nature and extent of the breach. AHP determined that two employee email accounts had been compromised after the employees responded to phishing emails and that email accounts were subject to unauthorized access between August 6, 2020 and August 24, 2020 and on October 2, 2020. The security breach was limited to the Microsoft 365 cloud-based email system.

A review of the email accounts revealed they contained names, member identification numbers, Social Security Numbers, credit/debit card information, dates of birth, addresses, plan information, and claim information. Notification letters were sent to affected individuals on July 20, 2021 and a complimentary 2-year membership to identity theft protection services has been offered to affected individuals. AHP found no evidence suggesting emails in the account had been viewed or acquired.


Florida Heart Associates Operating at 50% Capacity 2 Months After Ransomware Attack

A ransomware attack on Fort Myers, FL-based Florida Heart Associates that started around May 19, 2021 has caused serious and ongoing disruption to its services, with the medical practice only operating at around 50% capacity two months after the attack. Disruption is expected to continue for several more weeks, with the practice not expecting to fully recover until the end of next month or even early September.

Prior to the use of ransomware, the attackers exfiltrated files containing the protected health information of 45,148 patients, including Social Security numbers, member identification numbers, birth dates, and health insurance information. A ransom demand was issued to ensure the deletion of stolen data and to provide the keys to decrypt data, but the decision was taken by the practice not to pay the attackers. The ransomware gang was ejected from the network, but not before much of its IT infrastructure was rendered inoperable.

The investigation revealed its systems were first breached on May 9, 2021, with the hackers deploying ransomware on May 19, when staff were prevented from accessing files. The attack took its IT systems and phone lines out of action, with the phones having only just been brought back online.

Florida Heart Associates CEO Todd Rauchenberger said the practice is still providing care to patients and is now taking walk-in appointments. In addition to having to work without telephones and limited access to IT systems, the practice has lost many members of staff. With the reduction in staff, patients are feeling the effect. Fox4 News reports that patients have not been able to reach the practice by telephone to make appointments, and it has been difficult for many patients to get appointments with a doctor.

Florida Heart Associates has already notified patients about the breach and the exposure of their personal and health information and said it will be implementing additional measures to improve security moving forward, including technical safeguards and reviewing and updating policies and procedures with respect to data privacy and security.


Overlake Hospital Medical Center Proposes Settlement to Resolve Data Breach Case

Overlake Hospital Medical Center in Bellevue, WA has proposed a settlement to resolve a class action lawsuit filed by victims of a December 2019 data breach that exposed patients’ demographic information, health insurance information, and health data.

The breach in question was a phishing attack that was discovered on December 9, 2019. The investigation revealed unauthorized individuals gained access to the email accounts of several employees, with one of the email accounts compromised between December 6, 2019 and December 9, 2019, and the others compromised for several hours on December 9.

The investigation did not uncover evidence of data theft or misuse of patient data, but it was not possible to rule out unauthorized access to protected health information (PHI) and the exfiltration of data. The PHI of up to 109,000 patients was contained in the compromised email accounts.

Affected individuals were notified starting on February 4, 2020 and Overlake Hospital Medical Center took several steps to improve security, including implementing multi-factor authentication, changing email retention policies, and providing further training to employees. Overlake Hospital Medical Center has spent $148,590 on improvements to bolster security since the breach and has committed to further enhancements totalling $168,000 per year for the next 3 years.

The lawsuit – Richardson v. Overlake Hospital Medical Center – was filed in the Superior Court of King County in Washington, and alleged Overlake Hospital was negligent for failing to prevent unauthorized individuals from gaining access to its systems. The lawsuit also alleged intrusion upon seclusion/invasion of privacy, breach of fiduciary duty, breach of confidence, breach of express contract, and breach of implied contract. While 109,000 individuals were notified about the breach, only 24,000 individuals are included in the class as all other patients did not have their PHI exposed.

The lawsuit alleged the hospital failed to implement reasonable safeguards to ensure the privacy of HIPAA-covered data and failed to provide adequate notice about the data breach. Overlake Hospital Medical Center has denied all claims made in the lawsuit and all charges of wrongdoing. The decision was made to settle the lawsuit with no admission of liability.

Under the terms of the settlement, two types of claims can be submitted. Class members are entitled to claim up to $250 for certain out-of-pocket expenses incurred as a result of the breach, including bank fees, phone calls, postage costs, fuel for local travel, and up to three hours of documented time at $20 per hour, provided at least one full hour was spent on mitigations. It is also possible to recover the cost of credit report fees, and credit monitoring and identity theft protection services taken out between February 4, 2020 and the date of the Court’s preliminary approval of the settlement.

Claims for extraordinary expense reimbursement may be submitted for up to $2,500. These claims must include evidence of losses that were more likely than not suffered as a result of the breach between December 1, 2019 and the end of the claim period.

A fairness hearing has been scheduled for Sept. 10, 2021.
