Latest HIPAA News

CISA Urges All U.S. Orgs to Take Immediate Action to Protect Against Wiper Malware Attacks

The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning to all organizations in the United States to take immediate steps to prepare for attempted cyberattacks involving a new wiper malware that has been used in targeted attacks on government agencies, non-profits, and information technology organizations in Ukraine.

The malware – dubbed Whispergate – masquerades as ransomware and displays a ransom note when executed; however, it has no mechanism for recovering files, and no decryption is possible. Whispergate consists of a Master Boot Record (MBR) wiper, a file corruptor, and a Discord-based downloader. The MBR is the first sector of a hard drive and holds the boot code and partition table that tell the firmware where the operating system is located. Overwriting the MBR leaves the infected device unable to boot.

The Microsoft Threat Intelligence Center (MSTIC) has published an analysis of the new malware. The first stage, typically named stage1.exe, overwrites the MBR with the ransom note so that the operating system can no longer load; the overwrite takes effect when the infected device is powered down, and the note is displayed at the next boot. Overwriting the MBR is irreversible. The second stage, stage2.exe, retrieves a file corruptor via a Discord-hosted download and runs it in memory; the corruptor overwrites files matching a hardcoded list of file extensions so that they cannot be recovered.
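The MBR layout described above, as an added example that is not part of the CISA or MSTIC reporting: a small Python check that parses a 512-byte MBR (446 bytes of boot code, a 64-byte table of four 16-byte partition entries, and the 0x55AA boot signature at offset 510), compares the boot-code area against a known-good baseline hash, and flags the traces an MBR wiper leaves behind. The two sample MBRs, the baseline hash and the printable-run threshold are constructed for the demonstration and are not taken from a real disk image.

```python
"""Check a 512-byte Master Boot Record for signs of a wiper overwrite.

Added example, not from the CISA/MSTIC reporting. The MBR layout (446 bytes
of bootstrap code, a 64-byte table of four 16-byte partition entries, and the
0x55AA signature at offset 510) is the standard layout; the sample MBRs, the
baseline hash and the printable-run threshold are constructed for this demo.
"""
import hashlib
import struct
from typing import Optional

MBR_SIZE = 512
BOOTSTRAP_LEN = 446
PART_TABLE_OFF = 446
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"
# Boot code rarely contains long runs of printable text (the error strings in
# a stock MBR are ~30 bytes). A run this long suggests a ransom note was
# written over the boot code. Threshold is an assumption; tune it per fleet.
MAX_PRINTABLE_RUN = 48


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition entry; the CHS fields are skipped."""
    boot_flag, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
    return {"bootable": boot_flag == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def longest_printable_run(buf: bytes) -> int:
    """Length of the longest run of printable ASCII bytes in buf."""
    best = run = 0
    for b in buf:
        if 0x20 <= b < 0x7F:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def bootstrap_hash(mbr: bytes) -> str:
    """SHA-256 of the boot-code area, for comparison with a known-good baseline."""
    return hashlib.sha256(mbr[:BOOTSTRAP_LEN]).hexdigest()


def analyze_mbr(mbr: bytes, baseline_hash: Optional[str] = None) -> dict:
    """Return the parsed fields plus the reasons (if any) the MBR looks wiped."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE}-byte MBR, got {len(mbr)}")
    reasons = []
    signature_ok = mbr[510:512] == BOOT_SIGNATURE
    if not signature_ok:
        reasons.append("boot signature 0x55AA missing")
    table = mbr[PART_TABLE_OFF:PART_TABLE_OFF + 4 * PART_ENTRY_LEN]
    entries = [parse_partition_entry(table[i:i + PART_ENTRY_LEN])
               for i in range(0, 4 * PART_ENTRY_LEN, PART_ENTRY_LEN)]
    partitions = [e for e in entries if e["type"] != 0]  # type 0 = unused slot
    if not partitions:
        reasons.append("partition table is empty")
    run = longest_printable_run(mbr[:BOOTSTRAP_LEN])
    if run >= MAX_PRINTABLE_RUN:
        reasons.append(f"{run}-byte printable run in bootstrap area (ransom note?)")
    digest = bootstrap_hash(mbr)
    if baseline_hash is not None and digest != baseline_hash:
        reasons.append("bootstrap code differs from baseline")
    return {"signature_ok": signature_ok, "partitions": partitions,
            "bootstrap_sha256": digest, "looks_wiped": bool(reasons),
            "reasons": reasons}


# --- Constructed samples (not real disk images) ----------------------------
def _healthy_mbr() -> bytes:
    # Opaque machine-code-like filler standing in for real boot code.
    code = (b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\x8b\xf4\x50\x07\x50\x1f\xfb\xfc"
            * (BOOTSTRAP_LEN // 16 + 1))[:BOOTSTRAP_LEN]
    # One bootable NTFS (0x07) partition at LBA 2048 spanning 1,000,000 sectors.
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07,
                        b"\x00\x00\x00", 2048, 1_000_000)
    table = entry + b"\x00" * (3 * PART_ENTRY_LEN)
    return code + table + BOOT_SIGNATURE


def _wiped_mbr() -> bytes:
    note = (b"YOUR HARD DRIVE HAS BEEN CORRUPTED. SEND 10 BTC TO THE WALLET "
            b"BELOW TO RECOVER ALL DATA OF YOUR ORGANIZATION.")
    body = note + b"\x00" * (MBR_SIZE - 2 - len(note))
    # Keep a valid signature: a present 0x55AA alone proves nothing.
    return body + BOOT_SIGNATURE


HEALTHY_MBR = _healthy_mbr()
WIPED_MBR = _wiped_mbr()
BASELINE_HASH = bootstrap_hash(HEALTHY_MBR)  # would be captured at deployment time

if __name__ == "__main__":
    for name, sample in (("healthy", HEALTHY_MBR), ("wiped", WIPED_MBR)):
        r = analyze_mbr(sample, BASELINE_HASH)
        print(name, "looks_wiped =", r["looks_wiped"], r["reasons"])
```

Run it against the first 512 bytes of a disk image (for example the output of `dd if=/dev/sda bs=512 count=1`) with a baseline hash recorded from a known-good host of the same build. The wiped sample deliberately keeps the 0x55AA signature: a valid signature is not evidence that the boot code is intact, so the partition-table, text-run and hash checks are what carry the verdict.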

The attacks have so far been conducted on targets in Ukraine, but there is a risk of much broader attacks. Wiper malware such as this has been used to attack organizations in Ukraine in the past and in much broader attacks worldwide. In 2017, the NotPetya wiper was used to attack organizations in Ukraine and was delivered in a supply chain attack via legitimate tax software. NotPetya attacks were also conducted globally causing major damage to IT systems and significant data loss. NotPetya is believed to have been used by a Russian hacking group known as Voodoo Bear/Sandworm.

The current theory of the Ukrainian government is the attacks are being conducted by an Advanced Persistent Threat (APT) group known to have strong links with Belarus. There is a legitimate concern that similar attacks may occur in the United States using Whispergate, especially on critical infrastructure organizations and companies with links to Ukraine.

CISA has issued an Insights bulletin providing information on steps that can be taken to protect against the malware threat and reduce the likelihood of a damaging cyber intrusion. The bulletin also includes guidance on how to quickly detect and respond to a potential intrusion, and how to maximize resilience to a destructive cyber threat.

The post CISA Urges All U.S. Orgs to Take Immediate Action to Protect Against Wiper Malware Attacks appeared first on HIPAA Journal.

HHS Releases Final Trusted Exchange Framework and Common Agreement

The Department of Health and Human Services’ Office of the National Coordinator for Health IT has released the final version of its Trusted Exchange Framework and the Common Agreement (TEFCA) – a governance framework for nationwide health information exchange. Two previous versions of TEFCA have been released, the first in 2018 and the second in 2019, with the final version taking into consideration feedback provided by healthcare industry stakeholders. TEFCA was a requirement of the 21st Century Cures Act and has been 5 years in the making. The announcement this week sees the HHS finally move into the implementation phase of TEFCA.

The Trusted Exchange Framework is a set of non-binding foundational principles for health information exchange, covering standardization, cooperation, privacy, security, access, equity, openness and transparency, and public health. The second component is the Common Agreement, a legal contract that a Qualified Health Information Network (QHIN) enters into with the ONC’s Recognized Coordinating Entity (RCE). The RCE, the Sequoia Project, is the body charged with developing, updating, and maintaining the Common Agreement and overseeing QHINs.

The framework promotes secure health information exchange across the United States and is intended to improve the interoperability of health information technology, including the electronic health record systems used by hospitals, health centers, and ambulatory practices, and health information exchange with federal government agencies, health information networks, public health agencies, and payers.

“The Common Agreement establishes the technical infrastructure model and governing approach for different health information networks and their users to securely share clinical information with each other – all under commonly agreed-to rules-of-the-road,” explained ONC in a press release. The Common Agreement supports multiple exchange purposes that are required to improve healthcare and should benefit a wide variety of healthcare entities. The Common Agreement operationalizes electronic health information exchange and provides easier ways for individuals and organizations to securely connect. TEFCA will also provide benefits to patients, such as allowing them to obtain access to their healthcare data through third parties that offer individual access services.

ONC’s RCE will sign a legal contract with each QHIN and entities will be able to apply to be designated as QHINs shortly. When designated as a QHIN they will be able to connect with each other and their participants will be able to participate in health information exchange across the country. ONC has released a QHIN Technical Framework which details the functional and technical requirements that QHINs will need to bring the new connectivity online. The HHS has also announced that the TEFCA Health Level Seven (HL7) Fast Healthcare Interoperability Resource (FHIR) Roadmap (TEFCA FHIR Roadmap) is now available, which explains how TEFCA will accelerate the adoption of FHIR-based exchange across the industry.

“Operationalizing TEFCA within the Biden Administration’s first year was a top priority for ONC and is critical to realizing the 21st Century Cures Act’s goal of a secure, nationwide health information exchange infrastructure,” said Micky Tripathi, Ph.D., national coordinator for health information technology. “Simplified nationwide connectivity for providers, health plans, individuals, and public health is finally within reach. We are excited to help the industry reap the benefits of TEFCA as soon as they are able.”

ONC said its RCE will be hosting a series of public engagement webinars to provide further information on the Trusted Exchange Framework and the Common Agreement, which will explain how they work and help prospective QHINs determine whether to sign the Common Agreement.


December 2021 Healthcare Data Breach Report

56 data breaches of 500 or more healthcare records were reported to the HHS’ Office for Civil Rights (OCR) in December 2021, a 17.64% decrease from the previous month. In 2021, an average of 59 data breaches were reported each month, and 712 healthcare data breaches were reported between January 1 and December 31, 2021. That sets a new record for healthcare data breaches, exceeding the 2020 total by 70, a 10.9% increase.

2021 healthcare data breaches

Across December’s 56 data breaches, 2,951,901 records were exposed or impermissibly disclosed, a 24.52% increase from the previous month. At the time of posting, the OCR breach portal shows 45,706,882 healthcare records were breached in 2021, the second-highest total since OCR started publishing summaries of healthcare data breaches in 2009.

2021 healthcare data breaches - records breached

Largest Healthcare Data Breaches in December 2021

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Breach Cause
Oregon Anesthesiology Group, P.C. | OR | Healthcare Provider | 750,500 | Ransomware
Texas ENT Specialists | TX | Healthcare Provider | 535,489 | Ransomware
Monongalia Health System, Inc. | WV | Healthcare Provider | 398,164 | Business Email Compromise/Phishing
BioPlus Specialty Pharmacy Services, LLC | FL | Healthcare Provider | 350,000 | Hacked network server
Florida Digestive Health Specialists, LLP | FL | Healthcare Provider | 212,509 | Business Email Compromise/Phishing
Daniel J. Edelman Holdings, Inc. | IL | Health Plan | 184,500 | Business associate hacking/IT incident
Southern Orthopaedic Associates d/b/a Orthopaedic Institute of Western Kentucky | KY | Healthcare Provider | 106,910 | Compromised email account
Fertility Centers of Illinois, PLLC | IL | Healthcare Provider | 79,943 | Hacked network server
Bansley and Kiener, LLP | IL | Business Associate | 50,119 | Ransomware
Oregon Eye Specialists | OR | Healthcare Provider | 42,612 | Compromised email accounts
MedQuest Pharmacy, Inc. | UT | Healthcare Provider | 39,447 | Hacked network server
Welfare, Pension and Annuity Funds of Local No. ONE, I.A.T.S.E. | NY | Health Plan | 20,579 | Phishing
Loyola University Medical Center | IL | Healthcare Provider | 16,934 | Compromised email account
Bansley and Kiener, LLP | IL | Business Associate | 15,814 | Ransomware
HOYA Optical Labs of America, Inc. | TX | Business Associate | 14,099 | Hacked network server
Wind River Family and Community Health Care | WY | Healthcare Provider | 12,938 | Compromised email account
Ciox Health | GA | Business Associate | 12,493 | Compromised email account
A New Leaf, Inc. | AZ | Healthcare Provider | 10,438 | Ransomware

Causes of December 2021 Healthcare Data Breaches

18 data breaches of 10,000 or more records were reported in December, with the largest two breaches – two ransomware attacks – resulting in the exposure and potential theft of a total of 1,285,989 records. Ransomware continues to pose a major threat to healthcare organizations. There have been several successful law enforcement takedowns of ransomware gangs in recent months, the most recent of which saw authorities in Russia arrest 14 members of the notorious REvil ransomware operation, but there are still several ransomware gangs targeting the healthcare sector including Mespinoza, which the HHS’ Health Sector Cybersecurity Coordination Center (HC3) issued a warning about this month due to the high risk of attacks.

Phishing attacks continue to result in the exposure of large amounts of healthcare data. In December, email accounts were breached that contained the ePHI of 807,984 individuals. The phishing attack on Monongalia Health System gave unauthorized individuals access to email accounts containing 398,164 records.

8 of the largest breaches of the month involved compromised email accounts, two of which were business email compromise attacks where accounts were accessed through a phishing campaign and then used to send requests for changes to bank account information for upcoming payments.

Causes of December 2021 healthcare data breaches

Throughout 2021, hacking and other IT incidents have dominated the breach reports, and December was no different. 82.14% of the breaches reported in December were hacking/IT incidents, and those breaches accounted for 91.84% of the records breached in December – 2,711,080 records. The average breach size was 58,937 records and the median breach size was 4,563 records. The largest hacking incident resulted in the exposure of the protected health information of 750,500 individuals.

The number of unauthorized access and disclosure incidents has been much lower in 2021 than in previous years. In December there were only 5 reported unauthorized access/disclosure incidents involving 234,476 records. The average breach size was 46,895 records and the median breach size was 4,109 records.

There were two reported cases of the loss of paper/films containing the PHI of 3,081 individuals and two cases of theft of paper/films containing the PHI of 2,129 individuals. There was also one breach involving the improper disposal of a portable electronic device containing the ePHI of 934 patients.

As the chart below shows, the most common location of breached PHI was network servers, followed by email accounts.

Location of breached PHI in December 2021 healthcare data breaches

HIPAA Regulated Entities Reporting Data Breaches in December 2021

Healthcare providers suffered the most data breaches in December, with 36 breaches reported. There were 11 breaches reported by health plans, and 9 breaches reported by business associates. Six breaches were reported by healthcare providers (3) and health plans (3) that occurred at business associates. The adjusted figures are shown in the pie chart below.

December 2021 healthcare data breaches by HIPAA-regulated entity type

December 2021 Healthcare Data Breaches by U.S. State

Illinois was the worst affected state with 11 data breaches, four of which were reported by the accountancy firm Bansley and Kiener and related to the same incident – a ransomware attack that occurred in December 2020. The firm is now facing a lawsuit over the incident and the late notification of affected individuals, which came 12 months after the attack was discovered.

State | Number of Breaches
Illinois | 11
Indiana | 5
Florida, Oklahoma, and Texas | 4 each
Arizona | 3
California, Georgia, Kansas, Michigan, New York, Oregon, Utah, and Virginia | 2 each
Alabama, Colorado, Kentucky, Maryland, North Carolina, Rhode Island, Wisconsin, West Virginia, and Wyoming | 1 each

HIPAA Enforcement Activity in December 2021

There were no further HIPAA penalties imposed by the HHS’ Office for Civil Rights in December. The year closed with a total of 14 financial penalties paid to OCR to resolve violations of the HIPAA Rules. 13 of the cases were settled with OCR, and one civil monetary penalty was imposed. 12 of the OCR enforcement actions were for violations of the HIPAA Right of Access.

The New Jersey Attorney General imposed a $425,000 financial penalty on Regional Cancer Care Associates, which covered three separate Hackensack healthcare providers – Regional Cancer Care Associates LLC, RCCA MSO LLC, and RCCA MD LLC – that operate healthcare facilities in 30 locations in Connecticut, New Jersey, and Maryland.

The New Jersey Attorney General and the New Jersey Division of Consumer Affairs investigated a breach of the email accounts of several employees between April and June 2019 involving the protected health information of 105,000 individuals and a subsequent breach when the breach notification letters were sent to affected individuals’ next of kin in error.

The companies were alleged to have violated HIPAA and the Consumer Fraud Act by failing to ensure the confidentiality, integrity, and availability of patient data, failing to protect against reasonably anticipated threats to the security and integrity of patient data, failing to implement security measures to reduce risks and vulnerabilities to an acceptable level, failing to conduct an accurate and comprehensive risk assessment, and failing to maintain a security awareness and training program for all members of the workforce. The case was settled with no admission of liability. There were 4 HIPAA enforcement actions by state attorneys general in 2021; New Jersey was involved in 3 of them.


Accellion Proposes $8.1 Million Settlement to Resolve Class Action FTA Data Breach Lawsuit

The Palo Alto, CA-based technology firm Accellion has proposed an $8.1 million settlement to resolve a class action data breach lawsuit filed on behalf of victims of the December 2020 cyberattack on the Accellion File Transfer Appliance (FTA).

The Accellion FTA is a legacy solution that is used for securely transferring files that are too large to be sent via email. The Accellion FTA had been in use for more than 20 years and was at end-of-life, with support due to end on April 30, 2021. Accellion had developed a new platform, Kiteworks, and customers were encouraged to upgrade from the legacy solution; however, a significant number of entities were still using the FTA solution at the time of the cyberattack.

In December 2020, two previously unknown Advanced Persistent Threat (APT) groups linked to FIN11 and the CLOP ransomware gang exploited previously undisclosed (zero-day) vulnerabilities in the Accellion FTA, gained access to the files of its clients, and exfiltrated a significant amount of data. Following the breach, the four vulnerabilities exploited in the attack were disclosed and assigned CVEs (CVE-2021-27101 through CVE-2021-27104).

Accellion clients affected by the breach included banks, law firms, universities, and healthcare organizations. Many of the files belonging to healthcare organizations contained sensitive patient and health plan member data. Healthcare organizations affected by the breach include Health Net Community Solutions, Health Net of California, California Health & Wellness, Trinity Health, The University of California, Stanford University School of Medicine, University of Miami Health, Kroger, Trillium, Community Health Plan, Arizona Complete Health, CalViva Health, and Health Employees’ Pension Plan.

Following the attack, several lawsuits were filed against Accellion and its clients over the data breach. The class action lawsuit against Accellion alleged the company had failed to implement and maintain appropriate data security practices to protect the sensitive data of its clients, failed to detect security vulnerabilities in the Accellion FTA, failed to disclose its security practices were inadequate and failed to prevent the data breach. As a result of the attack, highly sensitive information was stolen, including names, contact information, dates of birth, Social Security numbers, driver’s license numbers, and healthcare data.

Accellion denied all of the allegations in the lawsuit and accepts no liability for the data breach. The company said in the settlement agreement that it is not responsible for managing, updating, and maintaining customers’ instances of the FTA software. Accellion also said the company does not collect any customer data, does not access the content of files shared or stored via the FTA solution, and provided no guarantees to customers that the FTA software was secure.

It is unclear how many individuals will be covered by the settlement, but the number is certainly in excess of 9.2 million individuals. Accellion will attempt to obtain up-to-date contact information for those individuals in order to send notices of the proposed settlement. The proposed settlement includes a cash fund of $8.1 million to cover claims, notices, administration costs, and service awards to affected users of the Accellion FTA. $4.6 million of the fund will be made available within 10 days, with the remainder made available within 10 days of the settlement being approved.

Affected individuals will be entitled to sign up for 24 months of three-bureau credit monitoring and insurance services, or receive reimbursement for documented losses up to a maximum value of $10,000, or receive a cash payment, which is expected to be in the region of $15 to $50. Accellion will also fully retire the Accellion FTA and take steps to ensure the security of its replacement Kiteworks solution. Those measures include increasing its bug bounty program, maintaining FedRAMP certification, employing individuals with responsibility for cybersecurity, providing cybersecurity training to its workforce, and undergoing regular assessments to confirm continued compliance with the cybersecurity measures outlined in the settlement.

The proposed settlement will resolve all claims against Accellion only. There are still lawsuits and settlements outstanding against clients affected by the breach. The supermarket chain Kroger has proposed a $5 million settlement to resolve lawsuits filed on behalf of the 3.8 million employees and customers affected by the breach.


Critical Infrastructure Entities Warned About Cyberattacks by State-sponsored Russian APT Actors

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have issued a joint advisory warning about the threat of Russian cyberattacks on critical infrastructure, including the healthcare, energy, government, and telecommunications sectors.

“CISA, the FBI, and NSA encourage the cybersecurity community – especially critical infrastructure network defenders – to adopt a heightened state of awareness and to conduct proactive threat hunting,” explained the agencies in the advisory.

The agencies have shared details of the tactics, techniques, and procedures (TTPs) commonly used by Russian state-sponsored advanced persistent threat (APT) actors to gain persistent access to networks for espionage and destructive cyberattacks.

Russian APT actors use a variety of methods to breach perimeter defenses, including spear phishing, brute force attacks against poorly secured accounts and networks, and the exploitation of unpatched vulnerabilities. They have previously targeted vulnerable Citrix, Pulse Secure, F5 BIG-IP, and VMware products, FortiGate VPNs, Microsoft Exchange, Cisco routers, and Oracle WebLogic servers.

Russian APT actors have extensive cyber capabilities and are known to conduct highly sophisticated attacks and to maintain a long-term presence in compromised networks and cloud environments, with initial access often gained using legitimate credentials. They have exfiltrated sensitive data from IT and operational technology (OT) networks and have deployed custom destructive malware to disrupt industrial control systems (ICS).

All critical infrastructure entities have been advised to closely monitor their networks and systems for signs of malicious activity and take steps to improve their cybersecurity defenses. Security professionals have been advised to create and maintain a cyber incident response plan and follow cybersecurity best practices for identity and access management.

Centralized log collection and monitoring will make it easier to detect and investigate threats in a timely manner. Security teams should search for network and host-based artifacts, review authentication logs for multiple failed login attempts spread across different accounts (the pattern left by password spraying), and investigate login failures against valid usernames, which indicate the attacker already knows which accounts exist. It is also recommended to implement security solutions capable of behavioral analysis to identify suspicious network and account activity.
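The log review described above, as an added example that is not part of the advisory: Python that parses sshd-style failed-login lines, groups them by source address, and flags a source that fails against many distinct accounts within a short window (the password-spraying pattern), while separately counting failures against usernames that actually exist (sshd labels non-existent ones "invalid user"). The log lines are constructed for the example, the host and source addresses are from documentation ranges, and the thresholds are assumptions to be tuned against real traffic.

```python
"""Flag password-spraying patterns in sshd-style authentication logs.

Added example, not from the CISA/FBI/NSA advisory. It implements the two
checks the advisory describes: many failed logins spread across different
accounts from a single source, and failures against usernames that exist.
The log lines below are constructed; thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Linux sshd syslog line, e.g.
# "Jan 18 09:00:03 bastion sshd[2102]: Failed password for alice from 203.0.113.5 port 51235 ssh2"
# sshd inserts "invalid user " when the account does not exist on the host.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)
YEAR = 2022                         # syslog lines carry no year; assumed here
SPRAY_MIN_ACCOUNTS = 5              # distinct accounts from one source ...
SPRAY_WINDOW = timedelta(minutes=10)  # ... within this window


def parse_line(line):
    """Return a failed-login event dict, or None for lines that are not failures."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "user": m["user"], "ip": m["ip"],
            "valid_user": m["invalid"] is None}


def analyze(lines, min_accounts=SPRAY_MIN_ACCOUNTS, window=SPRAY_WINDOW):
    """Group failures by source and flag spraying; count failures per valid user."""
    events = [e for e in map(parse_line, lines) if e]
    by_ip = defaultdict(list)
    valid_failures = defaultdict(int)
    for e in events:
        by_ip[e["ip"]].append(e)
        if e["valid_user"]:
            valid_failures[e["user"]] += 1

    sprays = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        # Slide a window starting at each event; the first window that covers
        # min_accounts distinct usernames is enough to raise the alert.
        for i, start in enumerate(evs):
            hit = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            users = {e["user"] for e in hit}
            if len(users) >= min_accounts:
                sprays.append({
                    "ip": ip,
                    "distinct_accounts": len(users),
                    "first": start["ts"],
                    "last": hit[-1]["ts"],
                    "valid_accounts_hit": sorted({e["user"] for e in hit if e["valid_user"]}),
                })
                break
    return {"spray_sources": sprays, "valid_user_failures": dict(valid_failures)}


# Constructed sample: one sprayer (203.0.113.5), one user who mistyped a
# password (198.51.100.7), and a slow source (192.0.2.9) that stays under the
# window. The "Accepted password" line is not a failure and is ignored.
SAMPLE_LOG = """\
Jan 18 08:00:00 bastion sshd[1900]: Failed password for dave from 192.0.2.9 port 3000 ssh2
Jan 18 08:30:00 bastion sshd[1901]: Failed password for erin from 192.0.2.9 port 3001 ssh2
Jan 18 09:00:00 bastion sshd[1902]: Failed password for frank from 192.0.2.9 port 3002 ssh2
Jan 18 09:00:01 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 18 09:00:03 bastion sshd[2102]: Failed password for alice from 203.0.113.5 port 51235 ssh2
Jan 18 09:00:05 bastion sshd[2103]: Failed password for bob from 203.0.113.5 port 51236 ssh2
Jan 18 09:00:07 bastion sshd[2104]: Failed password for invalid user test from 203.0.113.5 port 51237 ssh2
Jan 18 09:00:09 bastion sshd[2105]: Failed password for root from 203.0.113.5 port 51238 ssh2
Jan 18 09:00:11 bastion sshd[2106]: Failed password for carol from 203.0.113.5 port 51239 ssh2
Jan 18 09:14:30 bastion sshd[2150]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Jan 18 09:14:41 bastion sshd[2151]: Failed password for alice from 198.51.100.7 port 40002 ssh2
Jan 18 09:14:55 bastion sshd[2152]: Accepted password for alice from 198.51.100.7 port 40003 ssh2
Jan 18 09:30:00 bastion sshd[1903]: Failed password for grace from 192.0.2.9 port 3003 ssh2
Jan 18 10:00:00 bastion sshd[1904]: Failed password for heidi from 192.0.2.9 port 3004 ssh2
"""

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG.splitlines())
    for s in report["spray_sources"]:
        print(f"SPRAY {s['ip']}: {s['distinct_accounts']} accounts "
              f"{s['first']:%H:%M:%S}-{s['last']:%H:%M:%S}, valid hit: {s['valid_accounts_hit']}")
    print("failures against valid users:", report["valid_user_failures"])
```

The slow source only trips the alert when the window is widened (try `analyze(..., window=timedelta(hours=3))`), which is the trade-off to make explicitly: a patient attacker stays under any fixed window, so the per-valid-user failure counts are worth reviewing on their own, and the same logic applies to Windows event ID 4625 once the parser is swapped.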

It is important to implement network segmentation as this will help to limit lateral movement within compromised networks and subnetworks if the perimeter defenses are breached. Regular backups should be performed, and backups should be tested to make sure data recovery is possible. Backups should be stored offline and should not be accessible from the systems where the data resides.

If suspicious activity is detected, affected systems should be isolated from the network, backup data should be secured by taking it offline, and data and artifacts should be collected. In the event of a cyberattack, critical infrastructure entities should consider engaging a third-party cybersecurity firm to assist with response and recovery. Any attack should be reported to the FBI and CISA.

While Russian APT actors have previously concentrated their efforts on attacks on utilities, government, and defense, there is a significant threat of attacks on the healthcare and pharmaceutical sectors as a result of the COVID-19 pandemic. Russian state-sponsored APT actors continue to seek intellectual property related to COVID-19 research, vaccines, treatments, and testing, along with any clinical research data supporting those areas.

The agencies have also issued a reminder that the Department of State is running a Rewards for Justice Program, which provides a reward of up to $10 million for information about foreign actors who are engaging in malicious cyber activities, in particular cyberattacks against U.S. critical infrastructure organizations.


Rhode Island Public Transit Authority Data Breach to be Investigated by State Attorney General

The Rhode Island Public Transit Authority (RIPTA) has recently notified the Department of Health and Human Services’ Office for Civil Rights about a data breach involving the protected health information (PHI) of 5,015 members of its group health plan.

RIPTA explained in a breach notice on its website that the cyberattack was detected and blocked on August 5, 2021, and the forensic investigation determined hackers had access to its network from August 3, 2021. A comprehensive review of files on the compromised parts of its network identified files related to the RIPTA health plan, which were found to contain the names, addresses, dates of birth, Social Security numbers, Medicare ID numbers, qualification information, health plan ID numbers, and claims information of health plan members. It was also confirmed that those files had been exfiltrated from its systems by the attackers.

RIPTA sent notification letters to affected individuals on December 22, 2021, and offered a complimentary membership to Equifax’s identity monitoring services. RIPTA also explained in its website breach notice that it has implemented additional security measures to prevent further data breaches.

In the days following the mailing of notification letters, the office of the Rhode Island attorney general received a high number of calls from individuals with no direct connection to RIPTA who had received a notification letter informing them that their personal and health information had been compromised in the data breach. Several complaints were also made to the Rhode Island American Civil Liberties Union (ACLU).

On December 28, 2021, Steve Brown, Executive Director of the Rhode Island ACLU, wrote to Scott Avedisian, CEO of RIPTA, seeking answers about the data breach and why individuals with no relationship whatsoever with RIPTA had been notified that their personal data had been breached. Brown also said in the letter that “The information that has been provided publicly by RIPTA about this security breach is, in many ways, significantly and materially different from the information RIPTA has provided the affected individuals about it.”

The public notice on the RIPTA website made two references to a breach of RIPTA health plan data, specifically stating the breach involved “the personal information of our health plan” and “files pertaining to RIPTA’s health plan.” Brown said the letters are “extremely misleading and seriously downplays the extensive nature of the breach.” Brown said all of the complainants said they had never been employed by RIPTA and some even said they had never even ridden on a RIPTA bus.

Further, the breach notice submitted to the HHS’ Office for Civil Rights indicates 5,015 health plan members were affected, when the notification letters stated the breach affected 17,378 individuals in Rhode Island, which raises the question of why RIPTA was storing the data of an additional 12,363 individuals.

Brown also pointed out that the notification letters explained the breach was detected on August 5, 2021, yet it took RIPTA two and a half months to identify the individuals that had been affected, and then a further two months for notification letters to be issued.

RIPTA senior executive Courtney Marciano explained to the Providence Journal that the files obtained by the hackers included the data of individuals with no connection to RIPTA because RIPTA’s previous health insurance provider had sent files that contained the personal and health data of individuals with no connection to RIPTA. RIPTA had previously used UnitedHealthcare for its group health plan but then switched to Horizon BlueCross/Blue Shield of Rhode Island. The files sent to RIPTA by UnitedHealthcare allegedly contained details of health claims of all state employees.

The reason for the delay in issuing notifications was explained as being due to the labor-intensive process of determining which individuals had been affected and verifying contact information, and also sorting through the files to determine which claims were for current or former RIPTA employees.

Rhode Island Attorney General Peter Neronha told The Providence Journal that he will be opening an investigation into the data breach to determine if any state laws have been violated, such as the Identity Theft Protection Act of 2015. The HHS’ Office for Civil Rights may also choose to investigate UnitedHealthcare over the apparent impermissible disclosure of the PHI of state employees to RIPTA. The OCR breach portal has no corresponding breach report from UnitedHealthcare.


Broward Health Notifies Over 1.3 Million Individuals About October 2021 Data Breach

The year has started with a major breach report from Broward Health in Florida, which has recently started notifying more than 1.3 million patients and employees about a data breach that occurred on October 15, 2021. A hacker gained access to the Broward Health network through the office of a third-party medical provider that had been granted access to the network in order to provide healthcare services.

Broward Health discovered and blocked the intrusion on October 19, 2021, and a password reset was performed for all employees to prevent further unauthorized access. Assisted by a third-party cybersecurity company, Broward Health conducted a comprehensive investigation to determine the nature and scope of the breach.

The investigation confirmed the attacker had access to parts of the network where employee and patient information were stored, including sensitive data such as names, dates of birth, addresses, email addresses, phone numbers, Social Security numbers, financial/bank account information, health insurance information, medical histories, health conditions, treatment and diagnosis information, medical record numbers, and driver’s license numbers. Broward Health said some data was exfiltrated from its systems.

The cyberattack was reported to the Department of Justice which requested Broward Health delay sending breach notification letters to affected individuals so as not to interfere with the law enforcement investigation.

Broward Health has taken steps to improve security and prevent similar incidents in the future, which include implementing multifactor authentication for all users of its systems and setting minimum security requirements for all devices with access to its network that are not managed by Broward Health’s information technology department. Those security requirements will take effect this January.

Broward Health has not received any reports that indicate patient or employee data have been misused, but as a precaution against identity theft and fraud, affected individuals have been offered a complimentary 2-year membership to the Experian IdentityWorks service, which includes identity theft protection, detection, and resolution services.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal but has been reported to the Maine Attorney General as potentially affecting 1,357,879 patients.


Largest Healthcare Data Breaches of 2021

The largest healthcare data breaches of 2021 rank as some of the worst of all time. In this post, we summarize some of the most serious data breaches to be reported in what has turned out to be another record-breaking year.

The Department of Health and Human Services’ Office for Civil Rights’ breach portal shows 686 healthcare data breaches of 500 or more records in 2021, and that number is likely to grow over the next couple of weeks and could well exceed 700 data breaches. As it stands, 2021 is already the worst ever year for healthcare data breaches, beating last year’s record of 642 data breaches.

It has also been a particularly bad year in terms of the number of breached healthcare records. Across the 686 healthcare data breaches reported in 2021, 44,993,618 healthcare records have been exposed or stolen, which makes 2021 the second-worst year in terms of breached healthcare records.

There have been 245 data breaches of 10,000 or more records, 68 breaches of the healthcare data of 100,000 or more individuals, 25 breaches that affected more than half a million individuals, and 10 breaches of the personal and protected health information of more than 1 million individuals. Almost three-fourths of the year’s breaches (73.9%) were hacking or other IT incidents.

The Largest Healthcare Data Breaches of 2021

Each of the data breaches below involved the personal and protected health information of more than 1,000,000 individuals. All of these data breaches were hacking incidents where unauthorized individuals gained access to healthcare networks where electronic healthcare data were stored.

Accellion FTA Hack – At Least 3.51 Million Records

The largest healthcare data breach was a hacking incident involving the firewall vendor Accellion. Four vulnerabilities in the legacy Accellion File Transfer Appliance (FTA) were exploited and more than 100 companies were affected, including at least 11 U.S. healthcare organizations. The Accellion FTAs were used for transferring files too large to be sent via email. The attack was conducted by a threat actor linked to the Clop ransomware gang. Ransomware was not used in the attack, but sensitive data were stolen, ransom demands issued, and stolen data were leaked on the Clop ransomware gang’s leak site.

The Accellion FTA hack does not appear as a single incident on the HHS’ Office for Civil Rights breach portal as each affected healthcare organization reported the breach separately. In total, the protected health information of at least 3.51 million individuals is believed to have been stolen.

Florida Healthy Kids Corporation – 3.5 Million Records

The largest healthcare data breach of 2021 to be reported to the HHS’ Office for Civil Rights by a HIPAA-covered entity was a hacking incident at the Florida health plan, Florida Healthy Kids Corporation (FHKC). The breach was reported in January 2021 and was due to the failure of a security vendor to apply patches to fix multiple vulnerabilities on the FHKC website over a period of 7 years.

Hackers had access to the website for several years, and potentially stole highly sensitive information such as Social Security numbers and financial information. Some of the data on the website was also tampered with. The analysis of the breach revealed the personal and protected health information of 3.5 million individuals was exposed.

20/20 Eye Care Network, Inc – 3,253,822 Records

20/20 Eye Care Network, a Florida-based provider of eye and ear care services, exposed the personal and protected health information of 3,253,822 individuals as a result of a misconfigured Amazon Web Services S3 cloud storage bucket. In January 2021, 20/20 Eye Care Network discovered an unauthorized individual accessed the exposed storage bucket and downloaded some data, which may have included Social Security numbers, dates of birth, and health insurance information. The attacker then deleted the data in the bucket.

NEC Networks, LLC dba CaptureRx – At Least 2.42 Million Records

Texas-based NEC Networks, doing business as CaptureRx, was the victim of the largest healthcare ransomware attack of 2021. Prior to the use of ransomware to encrypt files, the attackers exfiltrated files containing the personal and protected health information of its healthcare provider clients. The breach was reported by NEC Networks as affecting 1,656,569 patients of its healthcare provider clients, but several clients reported the breach separately. In total, at least 2.42 million individuals were affected.

Forefront Dermatology, S.C. – 2,413,553 Records

The Wisconsin-based healthcare provider, Forefront Dermatology, discovered in June 2021 that unauthorized individuals had gained access to its network and potentially viewed and obtained private and confidential employee and patient information, including names and Social Security numbers.

The investigation confirmed the personal and protected health information of 4,431 individuals had been compromised, but the systems accessed by the attacker contained the records of 2,413,553 individuals, all of whom may have been affected.

Eskenazi Health – 1,515,918 Records

The Indiana-based healthcare provider Eskenazi Health suffered a ransomware attack in August conducted by the Vice ransomware gang. Prior to encrypting files, the attackers exfiltrated files containing the personal and protected health information of 1,474,284 patients, including Social Security numbers, passport numbers, driver’s licenses, photographs, pharmacy records, and financial information, some of which were leaked on the group’s data leak site when the ransom was not paid.

The Kroger Co. – 1,474,284 Records

The Ohio-based grocery chain and pharmacy operator, the Kroger Company, was one of the companies worst affected by the exploitation of vulnerabilities in its Accellion File Transfer Appliance (FTA). Kroger said the internal investigation revealed fewer than 1% of its customers were affected – 1,474,284 individuals. Names, contact information, Social Security numbers, insurance claim information, prescription information, and some medical history information were stolen in the attack. Lawsuits were filed in response to the breach, which Kroger settled for $5 million.

St. Joseph’s/Candler Health System, Inc. – 1,400,000 Records

Georgia-based St. Joseph’s/Candler Health System was another 2021 healthcare ransomware attack victim. The ransomware attack occurred in June; however, hackers had first breached its network 6 months previously. During those 6 months, the attackers had access to the sensitive data of 1,400,000 patients, including names, dates of birth, Social Security numbers, driver’s license numbers, financial information, health insurance information, and medical information. Two class action lawsuits were filed in the wake of the breach alleging negligence for failing to prevent the attack and for failing to discover the breach for 6 months.

University Medical Center Southern Nevada – 1,300,000 Records

The Nevada-based healthcare provider University Medical Center Southern Nevada suffered a ransomware attack conducted by the REvil ransomware gang. The attackers allegedly issued a ransom demand of $12 million for the keys to unlock encrypted files and to prevent any misuse of stolen data. The gang potentially stole the personal and protected health information of 1,300,000 patients, and some of that information was posted to the gang’s data leak site, including names, dates of birth, Social Security numbers, passports, and health histories.

American Anesthesiology, Inc. – 1,269,074 Records

New York-based American Anesthesiology, Inc. was affected by a phishing attack on one of its business associates, MEDNAX. Employees responded to the phishing emails and disclosed their credentials, which provided the attackers with access to email accounts containing the protected health information of 1,269,074 patients. The attack did not appear to have been conducted to steal patient data; instead, the attackers were trying to divert payroll to their own accounts.

Professional Business Systems, Inc. dba Practicefirst Medical Management Solutions and PBS Medcode Corp – 1,210,688 Records

The New York practice management company, Professional Business Systems, doing business as Practicefirst Medical Management Solutions and PBS Medcode Corp., was the victim of an attempted ransomware attack. Prior to attempting to encrypt data, the attackers exfiltrated files containing the names, addresses, driver’s license numbers, Social Security numbers, email addresses, and tax identification numbers of employees and patients of its healthcare provider clients. In total, the protected health information of 1,210,688 individuals was potentially stolen.

Other Large Healthcare Data Breaches Reported in 2021

The table below shows the U.S. healthcare data breaches reported to the HHS’ Office for Civil Rights in 2021 that affected between 500,000 and 1,000,000 individuals. At least 10 of the 15 breaches below are known to be ransomware attacks.

| Name of Covered Entity | State | Entity Type | Individuals Affected | Type of Breach | Breach Cause |
|---|---|---|---|---|---|
| Personal Touch Holding Corp. | New York | Business Associate | 753,107 | Hacking/IT Incident | Ransomware |
| Oregon Anesthesiology Group, P.C. | Oregon | Healthcare Provider | 750,500 | Hacking/IT Incident | Ransomware |
| UF Health Central Florida | Florida | Healthcare Provider | 700,981 | Hacking/IT Incident | Ransomware |
| Sea Mar Community Health Centers | Washington | Healthcare Provider | 688,000 | Hacking/IT Incident | Unspecified hacking incident involving data theft |
| Health Net Community Solutions | California | Health Plan | 686,556 | Hacking/IT Incident | Accellion FTA data theft and extortion attack |
| Community Medical Centers, Inc. | California | Healthcare Provider | 656,047 | Hacking/IT Incident | Unspecified hacking incident |
| DuPage Medical Group, Ltd. | Illinois | Healthcare Provider | 655,384 | Hacking/IT Incident | Ransomware |
| Hendrick Health | Texas | Healthcare Provider | 640,436 | Hacking/IT Incident | Ransomware |
| UNM Health | New Mexico | Healthcare Provider | 637,252 | Hacking/IT Incident | Unspecified hacking incident involving data theft |
| Trinity Health | Michigan | Business Associate | 586,869 | Hacking/IT Incident | Accellion FTA data theft and extortion attack |
| Utah Imaging Associates, Inc. | Utah | Healthcare Provider | 582,170 | Hacking/IT Incident | Unspecified hacking incident |
| Texas ENT Specialists | Texas | Healthcare Provider | 535,489 | Hacking/IT Incident | Ransomware |
| Wolfe Clinic, P.C. | Iowa | Healthcare Provider | 527,378 | Hacking/IT Incident | Ransomware |
| Health Net of California | California | Health Plan | 523,709 | Hacking/IT Incident | Accellion FTA data theft and extortion attack |
| State of Alaska Department of Health & Social Services | Alaska | Health Plan | 500,000 | Hacking/IT Incident | Hack by nation-state espionage group |

The post Largest Healthcare Data Breaches of 2021 appeared first on HIPAA Journal.

November 2021 Healthcare Data Breach Report

The number of reported healthcare data breaches has increased for the third successive month, with November seeing 68 data breaches of 500 or more records reported to the HHS’ Office for Civil Rights – a 15.25% increase from October and well above the 12-month average of 56 data breaches a month. From January 1 to November 30, 614 data breaches were reported to the Office for Civil Rights. It is looking increasingly likely that this year will be the worst ever year for healthcare data breaches.

The number of data breaches increased, but there was a sizable reduction in the number of breached records. Across the 68 reported breaches, 2,370,600 healthcare records were exposed, stolen, or impermissibly disclosed – a 33.95% decrease from the previous month and well below the 12-month average of 3,430,822 breached records per month.

Largest Healthcare Data Breaches Reported in November 2021

In November, 30 data breaches of 10,000 or more records were reported to the HHS’ Office for Civil Rights, and 4 of those breaches resulted in the exposure/theft of more than 100,000 records. The average breach size in November was 34,862 records and the median breach size was 5,403 records.

The worst breach of the month saw the protected health information of 582,170 individuals exposed when hackers gained access to the network of Utah Imaging Associates. Planned Parenthood also suffered a major data breach, with hackers gaining access to its network and exfiltrating data before using ransomware to encrypt files.

Sound Generations, a non-profit that helps older adults and adults with disabilities obtain low-cost healthcare services, notified patients about two ransomware attacks that had occurred in 2021, which together resulted in the exposure and potential theft of the PHI of 103,576 individuals.

| Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached PHI | Cause of Breach |
|---|---|---|---|---|---|
| Utah Imaging Associates, Inc. | Healthcare Provider | 582,170 | Hacking/IT Incident | Network Server | Unspecified hacking incident |
| Planned Parenthood Los Angeles | Healthcare Provider | 409,759 | Hacking/IT Incident | Network Server | Ransomware attack |
| The Urology Center of Colorado | Healthcare Provider | 137,820 | Hacking/IT Incident | Network Server | Unspecified hacking incident |
| Sound Generations | Business Associate | 103,576 | Hacking/IT Incident | Network Server | Two ransomware attacks |
| Mowery Clinic LLC | Healthcare Provider | 96,000 | Hacking/IT Incident | Network Server | Malware infection |
| Howard University College of Dentistry | Healthcare Provider | 80,915 | Hacking/IT Incident | Electronic Medical Record, Network Server | Ransomware attack |
| Sentara Healthcare | Healthcare Provider | 72,121 | Hacking/IT Incident | Network Server | Unspecified hacking incident at a business associate |
| Ophthalmology Associates | Healthcare Provider | 67,000 | Hacking/IT Incident | Electronic Medical Record, Network Server | Unspecified hacking incident |
| Maxim Healthcare Group | Healthcare Provider | 65,267 | Hacking/IT Incident | Email | Phishing attack |
| True Health New Mexico | Health Plan | 62,983 | Hacking/IT Incident | Network Server | Unspecified hacking incident |
| TriValley Primary Care | Healthcare Provider | 57,468 | Hacking/IT Incident | Network Server | Ransomware attack |
| Broward County Public Schools | Health Plan | 48,684 | Hacking/IT Incident | Network Server | Ransomware attack |
| Consociate, Inc. | Business Associate | 48,583 | Hacking/IT Incident | Network Server | |
| Doctors Health Group, Inc. | Healthcare Provider | 47,660 | Hacking/IT Incident | Network Server | Patient portal breach at business associate (QRS Healthcare Solutions) |
| Baywood Medical Associates, PLC dba Desert Pain Institute | Healthcare Provider | 45,262 | Hacking/IT Incident | Network Server | Unspecified hacking incident |
| Medsurant Holdings, LLC | Healthcare Provider | 45,000 | Hacking/IT Incident | Network Server | Ransomware attack |
| One Community Health | Healthcare Provider | 39,865 | Hacking/IT Incident | Network Server | Unspecified hacking incident |
| Educators Mutual Insurance Association | Business Associate | 39,317 | Hacking/IT Incident | Network Server | Malware infection |
| Victory Health Partners | Healthcare Provider | 30,000 | Hacking/IT Incident | Network Server | Ransomware attack |
| Commission on Economic Opportunity | Business Associate | 29,454 | Hacking/IT Incident | Network Server | Hacked public claimant portal |

Causes of November 2021 Healthcare Data Breaches

Hacking/IT incidents dominated the breach reports in November, accounting for 50 of the reported breaches. Ransomware continues to be extensively used in attacks on healthcare providers and their business associates, with the attacks often seeing sensitive patient data stolen and posted on data leak sites. The theft of patient data in these attacks also makes lawsuits more likely. Planned Parenthood, for example, was hit with a class action lawsuit a few days after mailing notification letters to affected patients.

A total of 2,327,353 healthcare records were exposed or stolen across those hacking incidents, which is 98.18% of all records breached in November. The average breach size for those incidents was 42,316 records and the median breach size was 11,603 records.

There were 11 unauthorized access/disclosure breaches in November – half the number of unauthorized access/disclosure breaches reported in October. Across those breaches, 37,646 records were impermissibly accessed or disclosed. The average breach size was 3,422 records and the median breach size was 1,553 records. There were also two reported cases of theft of portable electronic devices containing the electronic protected health information of 5,601 individuals.

November Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity type with 50 reported breaches, four of which occurred at business associates but were reported by the healthcare provider. 8 data breaches were reported by health plans, 3 of which occurred at business associates, and business associates self-reported 10 data breaches. The pie chart below shows the breakdown of breaches based on where the breach occurred.

Geographic Distribution of November Healthcare Data Breaches

Healthcare data breaches of 500 or more records were reported by HIPAA-regulated entities in 32 states and the District of Columbia.

| State | Number of Reported Data Breaches |
|---|---|
| California & New York | 7 |
| Maryland & Pennsylvania | 4 |
| Colorado, Kentucky, Ohio, & Utah | 3 |
| Illinois, Indiana, Michigan, Minnesota, New Mexico, Tennessee, Texas, Virginia, and the District of Columbia | 2 |
| Alabama, Arizona, Arkansas, Florida, Georgia, Idaho, Kansas, Massachusetts, Missouri, Nebraska, New Hampshire, New Jersey, North Carolina, Oregon, South Carolina, and Washington | 1 |

HIPAA Enforcement Activity in November 2021

There was a flurry of HIPAA enforcement activity in November with financial penalties imposed by federal and state regulators. The HHS’ Office for Civil Rights announced a further 5 financial penalties to resolve alleged violations of the HIPAA Right of Access. In all cases, the healthcare providers had failed to provide patients with a copy of their requested PHI within a reasonable period of time after a request was received.

| Covered Entity | Penalty | Penalty Type | Alleged Violation |
|---|---|---|---|
| Rainrock Treatment Center LLC (dba Monte Nido Rainrock) | $160,000 | Settlement | HIPAA Right of Access |
| Advanced Spine & Pain Management | $32,150 | Settlement | HIPAA Right of Access |
| Denver Retina Center | $30,000 | Settlement | HIPAA Right of Access |
| Wake Health Medical Group | $10,000 | Settlement | HIPAA Right of Access |
| Dr. Robert Glaser | $100,000 | Civil Monetary Penalty | HIPAA Right of Access |

The New Jersey Attorney General and the Division of Consumer Affairs announced in November that a settlement had been reached with two New Jersey printing firms – Command Marketing Innovations, LLC and Strategic Content Imaging LLC – to resolve violations of HIPAA and the New Jersey Consumer Fraud Act. The violations were uncovered during an investigation into a data breach involving the PHI of 55,715 New Jersey residents.

The breach was due to a printing error that saw the last page of one individual’s benefit statement being attached to the benefit statement of another individual. The Division of Consumer Affairs determined the companies failed to ensure the confidentiality of PHI, did not implement sufficient PHI safeguards, and failed to review security measures following changes to procedures. A financial penalty of $130,000 was imposed on the two firms, of which $65,000 was suspended and will not be payable provided the companies address all the security failures identified during the investigation.

The post November 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.