HIPAA Breach News

Former Huntington Hospital Employee Charged with Criminal HIPAA Violation

A former employee of Huntington Hospital in New York has been charged with a criminal HIPAA violation over the unauthorized accessing of 13,000 patient records.

The employee, who worked the night shift at the hospital, impermissibly accessed the medical records of patients between October 2018 and February 2019. The types of information viewed by the employee included demographic information such as names, dates of birth, telephone numbers, addresses, internal account numbers, and medical record numbers, and clinical information including diagnoses, medications, lab test results, treatment information, and healthcare provider names. Huntington Hospital said it found no evidence to suggest Social Security numbers, insurance information, credit card numbers, or other payment-related information were accessed.

When the unauthorized access was discovered, the employee was immediately suspended while a comprehensive investigation was conducted. The investigation concluded on February 25, 2019, the employee was terminated for the HIPAA violation, and law enforcement was notified.

The hospital said all employees are provided with HIPAA training and are made aware of their responsibilities with respect to the protected health information of patients, and that its training program is ongoing. The hospital has security tools in place that monitor for unauthorized access and regular audits of access logs are conducted. The breach has prompted the hospital to improve its access controls and additional, targeted training has been provided to the workforce to reemphasize the importance of ensuring patient confidentiality.
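As an added illustration, not code from the hospital or from the article, one form the access-log audit mentioned above can take: per-user counting of distinct patient records touched, compared against the peer median, with the off-hours share reported alongside, since the Huntington case was one night-shift user reading thousands of charts over several months. The log line format, user names, MRNs and thresholds are constructed assumptions.

```python
"""Insider-access audit over EHR access logs (constructed sample data).

Flags workforce users whose distinct-patient access volume is far above
their peers. Format, names and thresholds are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample lines: timestamp, user, patient MRN, action.
SAMPLE_LOG = """\
2018-10-03T02:14:07 nurse_a MRN1001 view_chart
2018-10-03T02:15:30 nurse_a MRN1002 view_chart
2018-10-03T02:16:02 nurse_a MRN1003 view_chart
2018-10-03T02:17:45 nurse_a MRN1004 view_chart
2018-10-03T02:19:10 nurse_a MRN1005 view_chart
2018-10-03T02:21:00 nurse_a MRN1006 view_chart
2018-10-03T09:05:12 nurse_b MRN1001 view_chart
2018-10-03T09:40:51 nurse_b MRN1001 update_meds
2018-10-03T10:12:03 nurse_c MRN1007 view_chart
2018-10-03T14:30:00 clerk_d MRN1008 view_demographics
"""


def parse_log(text):
    """Parse whitespace-separated audit lines into dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line: do not let it crash the audit
        ts, user, mrn, action = parts
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "mrn": mrn, "action": action})
    return events


def off_hours(ts, start=22, end=6):
    """True if the access fell between 22:00 and 06:00 (assumed off-hours window)."""
    return ts.hour >= start or ts.hour < end


def audit(events, ratio=3.0, min_patients=5):
    """Return {user: stats} for users whose distinct-patient count is at least
    `min_patients` and more than `ratio` times the median across all users.

    The off-hours share is reported as context, not used as a trigger, because
    a night-shift role legitimately produces off-hours access.
    """
    patients = defaultdict(set)
    total = defaultdict(int)
    offh = defaultdict(int)
    for e in events:
        patients[e["user"]].add(e["mrn"])
        total[e["user"]] += 1
        if off_hours(e["ts"]):
            offh[e["user"]] += 1
    counts = {u: len(p) for u, p in patients.items()}
    baseline = median(counts.values()) if counts else 0
    flagged = {}
    for u, n in counts.items():
        if n >= min_patients and n > ratio * baseline:
            flagged[u] = {"distinct_patients": n, "peer_median": baseline,
                          "off_hours_share": offh[u] / total[u]}
    return flagged


if __name__ == "__main__":
    for user, stats in audit(parse_log(SAMPLE_LOG)).items():
        print(f"REVIEW {user}: {stats}")
```

A flag from this audit is a prompt for a privacy officer to check whether a treatment relationship existed, not a finding on its own.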

Huntington Hospital recently issued a press release about the unauthorized access and has now sent breach notification letters to all affected individuals. While the HIPAA Breach Notification Rule requires notification letters to be sent to affected patients within 60 days of the discovery of a data breach, notifications can be delayed at the request of law enforcement. In this case, law enforcement requested the hospital delay issuing notifications so as not to impede the investigation. Law enforcement gave the hospital the go-ahead to issue breach notification letters this month.

While Social Security numbers and financial information are not believed to have been accessed, the hospital has offered affected individuals complimentary identity theft protection services for 12 months, or longer if required to do so by state laws.

The law enforcement investigation concluded the unauthorized access warranted criminal charges for the HIPAA violation.

Southwestern Vermont Medical Center Notifies Patients About Insider Data Breach

Southwestern Vermont Medical Center has issued notification letters to certain patients whose medical records were obtained by a former resident physician.

On or around September 16, 2021, the Bennington hospital discovered the former physician had copied portions of certain patients’ medical records and sent them to a personal email account in June 2021 prior to completing their residency. The theft of patient data has been reported to law enforcement and the hospital is assisting with the investigation. At this stage of the investigation it is unclear why the medical records were copied.

The types of information obtained by the physician varied from patient to patient and may have included one or more of the following types of protected health information: First and last name, date of birth, medical record number, treating provider name, summaries of care, and other limited information that was recorded to provide medical services to patients.

Southwestern Vermont Medical Center said it has not been made aware of any misuse of patient data; however, affected patients are being encouraged to monitor the statements they receive from their healthcare providers and insurers.

The post Former Huntington Hospital Employee Charged with Criminal HIPAA Violation appeared first on HIPAA Journal.

Hacking Incidents Reported by Retinal Consultants Medical Group, Three Rivers Regional Commission, & ACE Surgical Supply

Retinal Consultants Medical Group, ACE Surgical Supply, and Three Rivers Regional Commission have recently reported cyberattacks in which the protected health information of patients may have been obtained by unauthorized individuals.

Retinal Consultants Medical Group Hacking Incident Affects 11,603 Patients

Vitreo-Retinal Medical Group Inc., dba Retinal Consultants Medical Group, says it was the victim of a sophisticated cyberattack that was detected on or around July 12, 2021 and caused a service disruption.

Vitreo-Retinal Medical Group engaged third-party cybersecurity consultants to help restore its systems and investigate the nature and scope of the attack. While the investigation confirmed unauthorized individuals had gained access to its computer network, it was not possible to tell if any protected health information was accessed or exfiltrated, although no reports have been received that suggest actual or attempted misuse of patient data.

A comprehensive manual and programmatic review of the affected systems confirmed the following types of protected health information had potentially been compromised: name, address, date of birth, medical condition or treatment information, medical record number, diagnosis code, patient account number, Medicare/Medicaid information, treating physician name, health insurance information, and username/password. A limited number of Social Security numbers were also stored on the affected systems.

Vitreo-Retinal Medical Group says third-party cybersecurity experts have been assisting with a review of its security systems and additional measures will be implemented, as appropriate, to improve data security.

Affected individuals started to be notified on November 9, 2021, and complimentary credit monitoring services have been made available where required.

12,122 Individuals Affected by Cyberattack on ACE Surgical Supply

Brockton, MA-based ACE Surgical Supply has discovered its IT environment was accessed by an unauthorized individual who may have viewed or obtained the protected health information of 12,122 individuals.

Its systems were accessed on June 29, 2021, and the breach was detected the same day. The investigation confirmed the affected systems contained personal information along with financial account numbers, debit/credit card information, and information that could potentially allow accounts to be accessed.

ACE Surgical Supply said affected individuals have been offered credit monitoring and identity theft protection services for 24 months at no cost.

Three Rivers Regional Commission Ransomware Attack Impacts 2,000 Patients

The Griffin, GA-based regional planning organization, Three Rivers Regional Commission, has discovered the protected health information of around 2,000 individuals may have been obtained by unauthorized individuals in a ransomware attack.

The attack was detected on July 20, 2021, when employees were prevented from accessing its computer systems. Assisted by third-party cybersecurity experts, Three Rivers Regional Commission determined the attacker gained access to its systems between July 18, 2021 and July 20, 2021 and prior to the use of ransomware, exfiltrated files containing sensitive data.

The forensic investigation is ongoing and notification letters will be sent to affected individuals when their identities and contact information have been determined. At this stage, the following types of information are believed to have been obtained in the attack: Name, address, driver’s license number, Social Security number, and medical information, including diagnosis and treatment information, lab test results, medications, and Medicare/Medicaid identification numbers.

Three Rivers Regional Commission said it is implementing additional administrative and technical safeguards to further secure the information in its systems.

The post Hacking Incidents Reported by Retinal Consultants Medical Group, Three Rivers Regional Commission, & ACE Surgical Supply appeared first on HIPAA Journal.

PHI of 57,000 Patients Potentially Compromised in TriValley Primary Care Cyberattack

Perkasie, PA-based TriValley Primary Care has started notifying 57,596 patients that some of their personal and protected health information has potentially been compromised.

Suspicious activity was detected in its IT environment on October 11, 2021. Steps were immediately taken to secure its systems and prevent further unauthorized access, and third-party forensic experts were engaged to conduct an investigation to determine the nature and scope of the cyberattack.

The investigation into the breach concluded on November 4 and while no evidence of actual or attempted misuse of patient data was identified, unauthorized access and potential theft of protected health information could not be ruled out. As such, affected patients have been advised to be vigilant against identity theft and fraud, and complimentary credit monitoring services have been provided to affected individuals.

A review of the files on the affected systems confirmed the following types of patient data may have been compromised: First and last name, gender, home address, phone number, email address, date of birth, Social Security number, health insurance policy/group plan number, group plan provider, claim information, medical history, diagnosis, treatment information, dates of service, lab test results, prescription information, provider name, medical account number, and other information contained in medical records.

TriValley Primary Care said it is working with cybersecurity experts to improve its cybersecurity policies, procedures, and protocols to reduce the risk of further data breaches and the workforce is being provided with additional cybersecurity training.

The post PHI of 57,000 Patients Potentially Compromised in TriValley Primary Care Cyberattack appeared first on HIPAA Journal.

Data Breaches Reported by True Health New Mexico & Educators Mutual Insurance Association

The Albuquerque, NM-based health insurance agency True Health New Mexico has started notifying certain health plan members about the exposure and potential theft of some of their protected health information.

A data security incident was detected on October 5, 2021, and steps were immediately taken to secure its IT systems. The internal incident response team launched an investigation and third-party cybersecurity defense firms were engaged to assist with the forensic investigation.

The investigation revealed an unauthorized individual had gained access to its IT systems in early October and may have viewed or exfiltrated files that contained protected health information such as names, dates of birth, ages, home addresses, email addresses, insurance information, medical information, Social Security numbers, health account member IDs, provider information, and date(s) of service.

True Health New Mexico said at the time of issuing notification letters, no evidence had been found of misuse of members’ information; however, as a precaution against identity theft and fraud, affected individuals have been offered credit monitoring and identity theft protection services at no cost.

The cyberattack has been reported to law enforcement and a criminal investigation has been launched. The data breach has been reported to the HHS’ Office for Civil Rights as affecting 62,983 individuals.

Educators Mutual Insurance Association

Murray, UT-based Educators Mutual Insurance Association (EMIA) has discovered an unauthorized individual had access to its computer network between July 29, 2021, and August 10, 2021, and may have viewed or obtained the protected health information of some of its members.

The breach was detected by EMIA on August 23, 2021, with the subsequent investigation confirming malware had been installed on its network. A review of the files on the compromised parts of its system revealed they contained protected health information such as names, addresses, dates of birth, clinical information, health insurance identification numbers, driver’s license numbers, and Social Security numbers. Full financial numbers of members are not believed to have been exposed.

A third-party cybersecurity firm has been engaged to conduct a forensic investigation, which is still ongoing. While no evidence of attempted or actual misuse of patient data has been found, affected individuals have been advised to remain vigilant against instances of identity theft.

EMIA says it will continue to regularly audit its system to identify unauthorized network activity and will be enhancing its network monitoring tools.

The post Data Breaches Reported by True Health New Mexico & Educators Mutual Insurance Association appeared first on HIPAA Journal.

October 2021 Healthcare Data Breach Report

October saw 59 healthcare data breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights, which represents a 25.5% increase from September. Over the past 12 months, from November 2020 to October 2021, there have been 655 reported breaches of 500 or more records, 546 of which have been reported in 2021.

[Chart: Healthcare data breaches, November 2020 to October 2021]

The protected health information (PHI) of 3,589,132 individuals was exposed, stolen, or impermissibly disclosed across the 59 reported data breaches, which is 186% more records than September. Over the past 12 months, from November 2020 to October 2021, the PHI of 39,938,418 individuals has been exposed or stolen, with 34,557,664 individuals known to have been affected by healthcare data breaches so far in 2021.

[Chart: Healthcare records breached, November 2020 to October 2021]

Largest Healthcare Data Breaches in October 2021

There were 18 data breaches reported to the HHS’ Office for Civil Rights in October that impacted 10,000 or more individuals, as detailed in the table below.

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Breach Cause
Eskenazi Health | IN | Healthcare Provider | 1,515,918 | Hacking/IT Incident | Ransomware attack
Sea Mar Community Health Centers | WA | Healthcare Provider | 688,000 | Hacking/IT Incident | Ransomware attack
ReproSource Fertility Diagnostics, Inc. | MA | Healthcare Provider | 350,000 | Hacking/IT Incident | Ransomware attack
QRS, Inc. | TN | Business Associate | 319,778 | Hacking/IT Incident | Unauthorized network server access
UMass Memorial Health Care, Inc. | MA | Business Associate | 209,048 | Hacking/IT Incident | Phishing attack
OSF HealthCare System | IL | Healthcare Provider | 53,907 | Hacking/IT Incident | Ransomware attack
Educators Mutual Insurance Association | UT | Health Plan | 51,446 | Hacking/IT Incident | Unauthorized network access and malware infection
Lavaca Medical Center | TX | Healthcare Provider | 48,705 | Hacking/IT Incident | Unauthorized network access
Professional Dental Alliance, LLC | PA | Healthcare Provider | 47,173 | Unauthorized Access/Disclosure | Phishing attack on a vendor
Nationwide Laboratory Services | FL | Healthcare Provider | 33,437 | Hacking/IT Incident | Ransomware attack
Professional Dental Alliance of Michigan, PLLC | PA | Healthcare Provider | 26,054 | Unauthorized Access/Disclosure | Phishing attack on a vendor
Syracuse ASC, LLC | NY | Healthcare Provider | 24,891 | Hacking/IT Incident | Unauthorized network access
Professional Dental Alliance of Georgia, PLLC | PA | Healthcare Provider | 23,974 | Unauthorized Access/Disclosure | Phishing attack on a vendor
Professional Dental Alliance of Florida, LLC | PA | Healthcare Provider | 18,626 | Unauthorized Access/Disclosure | Phishing attack on a vendor
Professional Dental Alliance of Illinois, PLLC | PA | Healthcare Provider | 16,673 | Unauthorized Access/Disclosure | Phishing attack on a vendor
Professional Healthcare Management, Inc. | TN | Healthcare Provider | 12,306 | Hacking/IT Incident | Ransomware attack
Professional Dental Alliance of Tennessee, LLC | PA | Healthcare Provider | 11,217 | Unauthorized Access/Disclosure | Phishing attack on a vendor
Professional Dental Alliance of New York, PLLC | PA | Healthcare Provider | 10,778 | Unauthorized Access/Disclosure | Phishing attack on a vendor

Ransomware attacks continue to plague healthcare organizations and threaten patient safety. Half of the top 10 data breaches involved ransomware, including the top three data breaches reported in October.

The worst breach of the month was reported by Eskenazi Health. The PHI of more than 1.5 million patients was exposed and patient data is known to have been stolen in the attack. A major ransomware attack was also reported by Sea Mar Community Health Centers. Its systems were first compromised in December 2020, the ransomware attack was identified in March 2021, and Sea Mar was notified about the posting of patient data on a darknet marketplace in June. It took until late October to issue notifications to affected individuals.

Hackers often gain access to healthcare networks through phishing attacks, and phishing remains the leading attack vector in ransomware attacks. Large quantities of sensitive data are often stored in email accounts and can easily be stolen if employees respond to phishing emails. A phishing attack on UMass Memorial Health Care resulted in the exposure of the PHI of 209,048 individuals, and a phishing attack on a vendor used by the Professional Dental Alliance exposed the PHI of more than 174,000 individuals.

Causes of October 2021 Healthcare Data Breaches

Data breaches classified as hacking/IT incidents, which include ransomware attacks, were the main cause of data breaches in October. 57.63% of all breaches reported in the month were classified as hacking/IT incidents and they accounted for 94.14% of all breached records (3,378,842 records). The average size of the data breaches was 99,378 records and the median breach size was 5,212 records.

[Chart: Causes of October 2021 healthcare data breaches]

22 breaches were classified as unauthorized access/disclosure incidents and involved the PHI of 200,887 individuals. Those breaches include the phishing attack that affected the Professional Dental Alliance. The average breach size was 9,131 records and the median breach size was 4,484 records.

There were 4 breaches reported that involved the loss or theft of physical PHI or electronic devices containing PHI, 3 of which were theft incidents and 1 was a lost laptop computer. The PHI of 9,403 individuals was exposed as a result of those incidents. The average breach size was 2,351 records and the median breach size was 1,535 records.

[Chart: Location of breached protected health information, October 2021]

Healthcare Data Breaches by HIPAA-Regulated Entity Type

Healthcare providers were the worst affected covered entity type with 43 reported breaches. 8 data breaches were reported by business associates of HIPAA-covered entities and 8 were reported by health plans. Many data breaches occur at business associates of HIPAA-covered entities but are reported by the affected covered entity. The pie chart below shows the breakdown of breaches based on where they occurred.

[Chart: October 2021 healthcare data breaches by HIPAA-regulated entity type]

Healthcare Data Breaches by State

Healthcare data breaches were reported by HIPAA-regulated entities in 26 states. Pennsylvania was the worst affected state with 12 reported breaches, although 11 of those breaches were the same incident – the phishing attack on the Professional Dental Alliance vendor that was reported separately by each affected HIPAA-covered entity.

State | No. of Breaches
Pennsylvania | 12
California | 5
Illinois, Indiana, & Texas | 4
New York & Washington | 3
Connecticut, Florida, Massachusetts, New Jersey, North Carolina & Tennessee | 2
Alabama, Arkansas, Kansas, Kentucky, Minnesota, Mississippi, Nebraska, Ohio, South Carolina, Utah, Virginia, & West Virginia | 1

HIPAA Enforcement Activity in October 2021

There was only one HIPAA enforcement action announced in October. The New Jersey Attorney General agreed to settle an investigation into a data breach reported by Diamond Institute for Infertility and Menopause that resulted in the exposure of the PHI of 14,663 New Jersey residents.

The New Jersey Department of Law and Public Safety Division of Consumer Affairs uncovered violations of 29 provisions of the HIPAA Privacy and Security Rules, and violations of the New Jersey Consumer Fraud Act. In addition to paying $495,000 in civil monetary penalties and investigation costs, Diamond agreed to implement additional measures to improve data security.

The post October 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.

PHI of 127,000 NorthCare Patients Potentially Compromised in Ransomware Attack

NorthCare, an Oklahoma City, OK-based mental health clinic, was the victim of a ransomware attack in June 2021 in which patients’ protected health information may have been compromised.

NorthCare identified suspicious network activity on June 1, 2021, when ransomware was used to encrypt files. The investigation into the attack confirmed its network was breached on May 29, 2021. The attackers rapidly deployed ransomware to prevent access to files and demanded payment of a ransom for the keys to decrypt files.

Steps were immediately taken to contain the attack and while it was not possible to prevent file encryption, it was possible to restore its systems and data from backups without paying the ransom.

The parts of the network accessed by the attackers contained patients’ protected health information. While data exfiltration was not confirmed, NorthCare is assuming the attackers accessed patient data. The types of data potentially compromised in the attack included full names, addresses, dates of birth, medical diagnoses, and Social Security numbers.

Following the attack, third-party forensics experts were engaged to assist with the investigation and remediation efforts, the Federal Bureau of Investigation was notified, and NorthCare has been working with technical experts to improve the security of its systems and limit network access.

Since protected health information was potentially accessed and obtained, NorthCare has offered identity monitoring, fraud consultation, and identity theft restoration services to affected individuals for 12 months at no cost.

The breach notification sent to the Maine attorney general indicates the protected health information of 127,883 patients was potentially compromised.

The post PHI of 127,000 NorthCare Patients Potentially Compromised in Ransomware Attack appeared first on HIPAA Journal.

Data Breaches Reported by Lakeshore Bone & Joint Institute and Putnam County Memorial Hospital

Lakeshore Bone & Joint Institute, an orthopedic practice in Indiana, has experienced a breach of its Microsoft Office 365 environment, which included emails and attachments that contained the protected health information of certain patients.

Unusual activity was detected in an employee email account on July 7, 2021. Steps were immediately taken to prevent further unauthorized access and a cybersecurity and digital forensic firm was retained to investigate the breach and assist with remediation efforts.

The breach investigation confirmed that an unauthorized individual had gained access to a single employee email account. A review of the account was completed on October 21, 2021, and revealed the following types of patient information may have been viewed or acquired in the attack:

Date of birth, treatment information, diagnosis, provider name, MRN/patient ID, health insurance information, treatment cost information, and, for certain individuals, Social Security numbers.

Individuals whose Social Security numbers were potentially compromised have been offered a 12-month membership to identity theft monitoring services at no cost.

The breach report submitted to the Maine attorney general indicates 23,627 individuals have potentially been affected by the breach.

PHI Potentially Compromised in Putnam County Memorial Hospital Ransomware Attack

Putnam County Memorial Hospital has started notifying 6,916 individuals about a July 2021 cyberattack in which protected health information was potentially compromised.

The attack was detected on July 18, 2021, when staff were prevented from accessing certain computer systems and files. A forensic investigation confirmed an unauthorized individual had gained access to its network at some point between July 16 and July 18, deployed a variety of network reconnaissance tools to identify systems and data of interest, then used ransomware to encrypt files.

The forensic investigation confirmed the parts of the network accessed by the attacker included patient and employee data including names, addresses, Social Security numbers, physician-patient assessments and records, patient authorizations, and lab and radiology reports. Financial information is not believed to have been compromised.

Following the breach, new security measures were implemented to better protect patient data. Complimentary credit monitoring services have been offered to affected individuals for 12 months at no cost. Those services include darknet and clearnet monitoring, quick cash scan, fraud consultation and identity theft restoration services, and identity theft insurance.

The post Data Breaches Reported by Lakeshore Bone & Joint Institute and Putnam County Memorial Hospital appeared first on HIPAA Journal.

PHI of 1.27 Million Patients Compromised in Two Healthcare Data Breaches

The protected health information of 1,271,642 individuals has been exposed and potentially stolen in two healthcare hacking incidents that were recently reported to the Department of Health and Human Services’ Office for Civil Rights.

PHI of 688,000 Individuals Compromised in Sea Mar Community Health Centers Hack

Sea Mar Community Health Centers is a nonprofit community-based provider of health, human, housing, educational, and cultural services to underserved communities in Washington state.

On June 24, 2021, Sea Mar learned sensitive data had been exfiltrated from its IT systems by an unauthorized individual. Assisted by a leading third-party cybersecurity firm, Sea Mar determined its systems had been accessed between December 2020 and March 2021. According to the breach notice posted on its website, a review was conducted of the information potentially stolen from its network, which confirmed the following data types had been stolen:

Name, address, Social Security number, date of birth, client identification number, diagnostic and treatment information, insurance information, claims information, and/or images associated with dental treatment.

Sea Mar said the process of collecting the contact information required to issue notification letters to affected individuals was completed on August 30, 2021. Two months after obtaining the contact information, notification letters were sent to affected individuals. The notification sent to the Maine Attorney General indicates breach notification letters were sent between October 29, 2021, and November 5, 2021.

Sea Mar said it is not aware of any evidence of the misuse of information stolen in the incident, but has offered credit monitoring, identity theft protection, and fraud consultation services to individuals whose Social Security number was involved.

No mention is made in the breach notification letters about the stolen data being listed for sale on Marketo. Marketo is a darknet marketplace where stolen data are offered for sale. Marketo is not a ransomware-affiliated marketplace, although data stolen in ransomware attacks have previously been listed for sale on the site, including the data stolen in the Navistar ransomware attack.

The post on Marketo claims 3TB of data were exfiltrated in the attack, including emails, photographs, contact information, and photographs of agreements. The date of notification provided by Sea Mar corresponds with the date DataBreaches.net notified Sea Mar of the listing on Marketo.

Utah Imaging Associates Reports 583,643-Record Data Breach

On November 3, 2021, Utah Imaging Associates reported a data breach to the HHS’ Office for Civil Rights that involved the protected health information of 583,643 individuals. The breach has been listed as a hacking/IT incident involving PHI stored on a network server.

There is currently no mention of the data breach on the Utah Imaging Associates’ website, the breach has not been covered by the media at this stage, and the incident has not appeared on the websites of state attorneys general that publish breach summaries, so the nature of the Utah Imaging Associates data breach is currently unclear.

This post will be updated with further information as and when it becomes available.

The post PHI of 1.27 Million Patients Compromised in Two Healthcare Data Breaches appeared first on HIPAA Journal.

Southern Ohio Medical Center Diverts Ambulances Due to Cyberattack

Southern Ohio Medical Center (SOMC) in Portsmouth, OH, is recovering from a cyberattack that occurred on the morning of Thursday, November 18, 2021. The attack forced the hospital to go on diversion and direct ambulances to other healthcare facilities. The hospital also had to cancel some appointments and outpatient services.

“This morning, an unauthorized third-party gained access to SOMC’s computer servers in what appears to be a targeted cyberattack. We are working with federal law enforcement and Internet security firms to investigate this incident,” explained SOMC in a Facebook post on Thursday. “Patient care and safety remain our top priority as we work to resolve this situation as quickly as possible. While this does not impact our ability to provide care to current inpatients, we are presently diverting ambulances to other hospitals.”

The 248-bed not-for-profit hospital came off diversion on Friday morning, although it has not yet been able to return to full operations. Law enforcement has been informed and a third-party cybersecurity company has been engaged to investigate the breach and determine the nature and scope of the attack.

The attack took its electronic medical record system offline, with staff forced to revert to pen and paper to record patient information. Outpatient medical imaging, cancer care services, cardiovascular testing, cardiac catheterization, sleep lab, and outpatient surgery and rehab have all experienced disruption due to the lack of access to computer systems and data.

No information has been provided on the nature of the cyberattack and whether ransomware was involved. At such an early stage of the investigation, it is unclear if any patient information was accessed or exfiltrated from the affected servers during the attack.

The hospital said it will continue to assess the situation and will be providing updates as and when they are available.

The post Southern Ohio Medical Center Diverts Ambulances Due to Cyberattack appeared first on HIPAA Journal.