HIPAA Email News

Email Breach at Wisconsin Dental Surgery Center Affects 13,000 Patients

Bay Oral Surgery & Implant Center (Bay Oral), a network of oral & maxillofacial dental surgery centers serving the Green Bay, Marinette, and Niagara communities in Wisconsin, has recently reported a data breach to the HHS’ Office for Civil Rights (OCR) that involved the protected health information of 13,055 patients.

On February 27, 2024, Bay Oral identified suspicious activity in an employee’s email account. The password for the account was immediately changed to prevent further unauthorized access and a third-party cybersecurity firm was engaged to investigate the incident. The forensic investigation confirmed that an unauthorized individual had installed software and gained access to an employee’s email account on January 18, 2024.

The review of the emails and attachments confirmed that patients’ protected health information had been exposed. The types of information involved included names, addresses, email addresses, dates of birth, Social Security numbers, insurance card numbers, credit card numbers, banking account information, x-rays, patient health history forms, patient visit summaries, medical history questionnaires, and other types of patient health information that had been shared via email. The investigation could not determine if the unauthorized individual viewed or copied emails or attachments in the account.

In addition to immediately securing the email account, Bay Oral has taken several other steps to prevent similar incidents in the future. They include changing IT companies, implementing a 24/7 protection and monitoring solution, and implementing new policies and procedures to ensure that patients’ protected health information is not stored in email accounts.

Bay Oral said it is unaware of any reports of fraud or identity theft at the time of issuing notifications. The affected patients have been advised to be vigilant for incidents of fraud and identity theft by regularly reviewing their credit reports, credit statements, bank accounts, and other financial accounts for unauthorized activity.

The post Email Breach at Wisconsin Dental Surgery Center Affects 13,000 Patients appeared first on HIPAA Journal.

Phishers Gain Access to 23 L.A. County Department of Health Services Email Accounts

Los Angeles County Department of Health Services’ employees were targeted in a recent phishing campaign, and almost 2,800 Catholic Medical Center patients have been affected by a data breach at one of its vendors.

Los Angeles County Department of Health Services Phishing Attack

The Los Angeles County Department of Health Services was recently targeted in a phishing campaign that saw 23 employees tricked into disclosing their email account credentials after clicking a hyperlink in an email that appeared to have been sent by a trusted sender. The email accounts were accessed by an unauthorized third party between February 19, 2024, and February 20, 2024.

The Department of Health Services said the attack was reported to law enforcement, which recommended delaying notification of the affected individuals so as not to interfere with the investigation. Notification letters have now been mailed to the affected individuals, who have been provided with information on the steps they can take in response to the breach. The types of data exposed varied from individual to individual and may have included one or more of the following: first and last name, date of birth, home address, phone number(s), e-mail address, medical record number, client identification number, dates of service, medical information (e.g., diagnosis/condition, treatment, test results, medications), and/or health plan information.

The Department of Health Services has sent awareness notifications to all members of the workforce reminding them to be vigilant when opening emails, has enhanced its training regarding identifying and responding to phishing emails, and has implemented further controls to minimize the risk of further successful attacks.

The breach has been reported to the HHS Office for Civil Rights but is not yet showing on the OCR breach portal, so it is currently unclear how many individuals have been affected.

Catholic Medical Center Patients Affected by Email Breach at Business Associate

Almost 2,800 patients of Catholic Medical Center (CMC) in New Hampshire have been affected by a data breach at one of its vendors, the accounts receivable management service provider Lamont Hanley & Associates. Lamont Hanley & Associates notified CMC on March 6, 2024, that there had been unauthorized access to an employee’s email account. The breach was detected on June 20, 2023, and it was determined that patient data may have been accessed or acquired by the unauthorized third party, although no specific evidence of data access or data theft was identified.

The account contained the protected health information of 2,792 CMC patients, including names, Social Security numbers, dates of birth, medical and claim information, health insurance information, individual identification information, and financial account information. Lamont Hanley & Associates is offering complimentary credit monitoring services to eligible individuals and has taken steps to improve security to prevent similar breaches in the future.


Email Accounts Compromised at UW Health and Medical Home Network

Email accounts have been compromised at the University of Wisconsin Hospitals and Clinics Authority and the Medical Home Network in Illinois.

University of Wisconsin Hospitals and Clinics Authority Email Account Breach

The University of Wisconsin Hospitals and Clinics Authority (UW Health) recently provided an update on a security incident that was detected in late 2023. Suspicious activity was detected in an employee’s email account and the password was immediately changed to prevent further unauthorized access. A third-party cybersecurity firm was engaged to investigate the breach, and it was determined on January 5, 2024, that the email account had been accessed by an unauthorized individual at various times between September 20, 2023, and December 5, 2023. Some of the emails in the account were viewed, and data may have been stolen.

The account was reviewed to determine the individuals affected and the types of information that had been exposed. The review was completed on February 9, 2024, and confirmed that the account contained names, dates of birth, medical record numbers, and clinical information, such as dates of service, provider names, and diagnoses. The emails did not contain any Social Security numbers, health insurance ID numbers, or financial information. The breach was recently reported to the HHS’ Office for Civil Rights as affecting 85,902 individuals.

The affected individuals have now been notified. While UW Health has not found any evidence of misuse of patient data, patients have been advised to exercise caution regarding any emails they receive that claim to be from UW Health or other healthcare providers, to monitor their billing statements, and to report any charges for services that have not been received. UW Health also said users of the UW Health MyChart portal have been targeted in the past with scams through the use of fraudulent websites and has urged all patients to be vigilant when callers or emails request personal information. Scammers may claim to be UW Health employees when contacting people by phone, may send phishing emails using stolen UW Health logos, or may send phishing text messages requesting login credentials or linking to malicious URLs.

Medical Home Network Email Environment Compromised

MHNU Corporation, which does business as Medical Home Network (MHN) in Illinois, has recently notified 681 individuals about the exposure of some of their protected health information. Suspicious activity was identified in MHN’s email environment on or around October 11, 2023. After MHN secured its email accounts, independent cybersecurity experts were engaged to investigate and determine the cause of the activity. The forensic investigation confirmed that an unauthorized actor gained access to the email accounts of two employees between October 4, 2023, and October 12, 2023, and that emails and attached files may have been viewed or acquired.

On April 12, 2024, MHN learned that the protected health information of current and former members of CountyCare, Wellness West, and NeueHealth was stored in the compromised accounts. Those companies were notified about the incident on February 16, 2024, and MHN coordinated with the companies to notify the affected individuals. MHN said the breached information included first and last names, patient IDs, phone numbers, dates of birth, and medical information; however, no evidence of misuse of that information had been identified at the time of issuing notifications. MHN said it takes privacy and security seriously and has taken steps to prevent similar incidents in the future.
