Latest HIPAA News

Exploit Released ‘PrintNightmare’ Zero-Day Windows Print Spooler RCE Vulnerability

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert following the publication of a proof of concept (PoC) exploit for a zero-day vulnerability in the Windows Print Spooler service.

The vulnerability has been dubbed PrintNightmare and is tracked as CVE-2021-34527. The flaw stems from the Windows Print Spooler service improperly performing privileged file operations. Microsoft says it can be exploited by an authenticated user calling RpcAddPrinterDriverEx(). An attacker who exploited the flaw would gain SYSTEM privileges and could execute arbitrary code: install programs; view, change, or delete data; or create new accounts with full user rights.

The PoC exploit for the vulnerability was published by the Chinese security firm Sangfor. Typically, exploits for unpatched vulnerabilities are not released publicly until software developers have been notified about a flaw and sufficient time has been allowed for a patch to be released and applied by users.

In this case an error was made. Sangfor researchers published the PoC exploit in late June because Microsoft had already released a patch for the flaw on June 8, 2021. That patch fixed a Windows Print Spooler service vulnerability tracked as CVE-2021-1675, but it did not fully fix the PrintNightmare vulnerability, which has now been assigned a second CVE. The researchers deleted the exploit, but it had already been shared and remains in the public domain.

“Microsoft has partially addressed this issue in their update for CVE-2021-1675. Microsoft Windows systems that are configured to be domain controllers and those that have Point and Print configured with the NoWarningNoElevationOnInstall option configured are still vulnerable,” said the CERT Coordination Center.

It is not clear whether Microsoft will release a patch for CVE-2021-34527 on Patch Tuesday, July 13, or will issue an out-of-band update in the next few days.

Microsoft has published two workarounds that will prevent the flaw from being exploited; however, applying those workarounds will affect printing. Exploitation can be prevented either by disabling the Print Spooler service using PowerShell commands or disabling inbound remote printing through Group Policy on all Domain Controllers and Active Directory admin systems. CISA recommends using the workarounds on all Domain Controllers and systems that are not required to print.

This is good practice regardless of the PrintNightmare flaw: if a Domain Controller or any other system is not required to print, the Print Spooler service should be disabled, which removes the attack surface for any future Print Spooler vulnerabilities.
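The following script is an added example and is not code from the HIPAA Journal post, Microsoft or CISA. It audits a host for the conditions the article and CERT/CC describe as still vulnerable (domain controller role, Point and Print with NoWarningNoElevationOnInstall set, and a running Print Spooler) and, only when run with -Apply, carries out the first workaround by stopping and disabling the Print Spooler service. The registry locations used for the Point and Print setting and for the policy behind "Allow Print Spooler to accept client connections" are assumptions that should be verified against Microsoft's current advisory; the script itself requires an elevated PowerShell session.

```powershell
# Added example (not from the HIPAA Journal post, Microsoft or CISA).
# Audit mode by default; -Apply stops and disables the Print Spooler service.
# Assumed registry locations: verify against Microsoft's current advisory.
param(
    [switch]$Apply   # omit to audit only; include to apply workaround 1
)

$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue

# DomainRole 4 = backup domain controller, 5 = primary domain controller
$domainRole = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDC = $domainRole -in @(4, 5)

# Point and Print setting named by CERT/CC (assumed location)
$ppKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$noWarn = (Get-ItemProperty -Path $ppKey -Name NoWarningNoElevationOnInstall `
           -ErrorAction SilentlyContinue).NoWarningNoElevationOnInstall

# Policy value behind "Allow Print Spooler to accept client connections" (assumed
# location). A value of 2 means the policy is Disabled, i.e. workaround 2 is in place.
$prKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$remote = (Get-ItemProperty -Path $prKey -Name RegisterSpoolerRemoteRpcEndPoint `
           -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint

# Build the report fields first so the object literal stays simple
$spoolerStatus = if ($spooler) { [string]$spooler.Status }    else { 'NotInstalled' }
$spoolerStart  = if ($spooler) { [string]$spooler.StartType } else { 'n/a' }
$noWarnText    = if ($null -eq $noWarn) { 'not set' } else { [string]$noWarn }
$remoteText    = if ($remote -eq 2) { 'Disabled by policy (workaround 2)' } else { 'not disabled by policy' }

[pscustomobject]@{
    Computer                      = $env:COMPUTERNAME
    IsDomainController            = $isDC
    SpoolerStatus                 = $spoolerStatus
    SpoolerStartType              = $spoolerStart
    NoWarningNoElevationOnInstall = $noWarnText
    RemoteClientConnections       = $remoteText
} | Format-List

# Flag the combinations CERT/CC lists as still vulnerable after the June patch
$spoolerRunning = $spooler -and $spooler.Status -eq 'Running'
if ($spoolerRunning -and ($isDC -or $noWarn -eq 1)) {
    Write-Warning 'Print Spooler is running on a host matching a configuration CERT/CC lists as still vulnerable.'
}

if ($Apply -and $spooler) {
    # Workaround 1: after this the host cannot print, locally or remotely
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
    Get-Service  -Name Spooler | Select-Object Name, Status, StartType
}
```

Run it without parameters first to see where each host stands; rerun with -Apply on Domain Controllers and other systems that do not need to print. The second workaround (disabling inbound remote printing) is applied through Group Policy rather than this script, so the script only reports whether the corresponding policy value is already set.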

The post Exploit Released ‘PrintNightmare’ Zero-Day Windows Print Spooler RCE Vulnerability appeared first on HIPAA Journal.

NIST Publishes Critical Software Definition for U.S. Agencies

President Biden’s Cybersecurity Executive Order requires all federal agencies to reevaluate their approach to cybersecurity, develop new methods of evaluating software, and implement modern security approaches to reduce risk, such as encryption for data at rest and in transit, multi-factor authentication, and using a zero-trust approach to security.

One of the first requirements of the Executive Order was for the National Institute of Standards and Technology (NIST) to publish a definition of critical software, which the Cybersecurity and Infrastructure Security Agency (CISA) will use to create a list of all software covered by the Executive Order and for creating security rules that federal agencies will be required to follow when purchasing and deploying the software. These measures will help to prevent cyberattacks such as the SolarWinds Orion supply chain attack that saw the systems of several federal agencies infiltrated by state-sponsored Russian hackers.

The Executive Order required NIST to publish its critical software definition within 45 days. NIST sought input from the public and private sector and multiple government agencies when defining what critical software actually is.

“One of the goals of the EO is to assist in developing a security baseline for critical software products used across the Federal Government,” explained NIST. “The designation of software as EO-critical will then drive additional activities, including how the Federal Government purchases and manages deployed critical software.”

NIST defines critical software as software, or software dependencies, that have one or more of the following attributes:

  • Software designed to run with elevated privileges or used to manage privileges.
  • Software with direct or privileged access to networking or computer resources.
  • Software designed to control access to data or operational technology.
  • Software that performs a function critical to trust.
  • Software that operates outside of normal trust boundaries with privileged access.

The above definition applies to all software, whether it is integral to devices or hardware components, stand-alone software, or cloud-based software used for or deployed in production systems or used for operational purposes. That definition covers a broad range of software, including operating systems, hypervisors, security tools, access management applications, web browsers, network monitoring tools, and other software created by private companies and sold to federal agencies, or software developed internally by federal agencies for use within federal networks, including government off-the-shelf software.

NIST recommends that federal agencies initially focus on implementing the requirements of the Executive Order for standalone, on-premises software that has critical security functions or has significant potential to cause harm if compromised. Next, federal agencies should move on to other categories of software, such as cloud-based software, software that controls access to data, and software components in operational technology and boot-level firmware.

NIST has published a list of EO-critical software, although CISA will publish a more comprehensive finalized list in the coming weeks.

PHI of Up to 500,000 Individuals Potentially Stolen in Wolfe Eye Clinic Ransomware Attack

Wolfe Eye Clinic, the operator of a network of eye health clinics throughout Iowa, has announced it was the victim of a ransomware attack on February 8, 2021. Hackers gained access to its systems and used ransomware to encrypt files. A ransom demand was issued for the keys to decrypt files, but the clinic refused to pay and opted to recover files from backups. As is now common in ransomware attacks, prior to file encryption the attackers exfiltrated data from Wolfe Eye Clinic systems.

Wolfe Eye Clinic explained in its substitute breach notification letter that immediate action was taken to secure its network environment and independent IT security and forensic investigators were engaged to determine the scope and extent of the security breach. Due to the scale and complexity of the attack, it took until May 28, 2021 for the full scope of the security breach to be determined and to identify the information compromised in the attack.

The forensic investigation concluded on June 8, 2021, when it was confirmed the attackers accessed and exfiltrated the data of current and former patients. The stolen protected health information included names, addresses, birth dates, Social Security numbers and, for some individuals, medical and health information.

Notification letters have started to be mailed to affected individuals and complimentary identity theft protection and credit monitoring services are being offered for 12 months through IDX. Wolfe Eye Clinic said it is implementing additional safeguards to prevent further attacks.

The attackers appear to have exfiltrated a large amount of data. KCCI Des Moines has reported the incident as affecting approximately 500,000 individuals, making this one of the most extensive ransomware attacks on a single healthcare provider to have been reported this year.

NIST Releases Draft Guidance for Ransomware Risk Management

The National Institute of Standards and Technology (NIST) has released a draft Cybersecurity Framework Profile for Ransomware Risk Management to help organizations prevent, respond to, and recover from ransomware attacks.

The Ransomware Profile is intended to be used by organizations that have adopted the NIST Cybersecurity Framework and want to improve their risk postures or any organization that has not yet adopted the Framework but wants to implement a risk management framework to meet ransomware threats. The Ransomware Profile can be used to identify and prioritize opportunities for improving their ransomware resistance.

The Ransomware Profile includes a series of steps that should be taken to prevent ransomware attacks and effectively manage ransomware risk. It should be used in conjunction with the NIST Cybersecurity Framework, other NIST guidance, and guidance issued by the Federal Bureau of Investigation and Department of Homeland Security.

The Ransomware Profile outlines basic measures that can be implemented to improve defenses against ransomware attacks. These include the use of antivirus software, ensuring scans are automatically conducted on emails and flash drives, keeping computers fully patched, blocking access to known ransomware sites, only permitting authorized apps to be used, restricting the use of personally owned devices, restricting the use of accounts with administrative privileges, avoiding the use of personal apps, and conducting security awareness training to warn employees about the risks of clicking links or opening files sent from unknown sources. These measures alone will help to significantly reduce ransomware risk.

Should a ransomware attack succeed, it is essential for organizations to be prepared as this will allow them to limit the damage caused and accelerate the recovery time. That requires an incident recovery plan, maintaining an up-to-date list of internal and external contacts for ransomware attacks, and ensuring a comprehensive backup and restoration strategy is implemented.

As is the case with the NIST Cybersecurity Framework, the Ransomware Profile is divided into five categories: Identify, Protect, Detect, Respond, and Recover. Each of those categories has several subcategories and selected informative references along with an explanation of how they apply to preventing and responding to ransomware attacks.

Identify is concerned with developing a thorough understanding of cybersecurity risks to systems, people, assets, data, and capabilities, which is essential for effective use of the Framework.

Protect involves implementing safeguards to prevent critical services from being disrupted to allow a business to continue to function – for example, implementing network segmentation to limit the ability of an attacker to move laterally and attack all systems.

Detect is concerned with implementing systems that can detect intrusions prior to the deployment of ransomware, including maintaining logs and conducting audits when anomalous activity is detected.

Respond is concerned with taking appropriate actions to contain a ransomware attack. Recover is concerned with implementing appropriate activities to restore capabilities and services that have been impacted by a ransomware attack, and with taking steps to minimize the probability of future successful ransomware attacks in order to restore confidence among stakeholders.

NIST is accepting comments on the draft Ransomware Profile until July 9, 2021. After the revised Ransomware Profile is released, there will be a further comment period before the final Ransomware Profile is published.

May 2021 Healthcare Data Breach Report

May was the worst month of 2021 to date for healthcare data breaches. There were 63 breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights in May. For the past three months, breaches have been reported at a rate of more than 2 per day. The average number of healthcare data breaches per month has now risen to 54.67.

[Chart: U.S. Healthcare Data Breaches - Past 12 Months]

May was also the worst month of the year in terms of the severity of breaches. 6,535,130 healthcare records were breached across those 63 incidents. The average number of breached healthcare records each month has now risen to 3,323,116. 17,733,372 healthcare records have now been exposed or impermissibly disclosed so far in 2021 and almost 40 million records (39.87M) have been breached in the past 12 months.

[Chart: U.S. Healthcare Data Breaches - Records Breached in the Past 12 Months]

Largest Healthcare Data Breaches Reported in May 2021

As was the case in April, there were 19 healthcare data breaches involving 10,000 or more records, and 7 of those breaches involved 100,000 or more records. All but one of those breaches was a hacking incident or involved IT systems being compromised by other means.

The largest healthcare data breach of the month by some distance affected 20/20 Eye Care Network, a vision and hearing benefits administrator. The records of more than 3.25 million individuals were stored in an AWS S3 bucket that was accessed by an unauthorized individual. Data was downloaded by the attacker before being deleted. Another benefits administrator, SEIU 775 Benefits Group, also suffered a breach in which sensitive data was deleted. That breach involved the PHI of 140,000 individuals.

Over the past two months, several healthcare providers have announced they were affected by a ransomware attack on the third-party administration service provider CaptureRx. At least 26 healthcare providers are known to have had PHI exposed in that breach. This month, CaptureRx issued its own notification to the HHS, which confirms the breach affected 1,656,569 individuals. Also this month, several healthcare organizations have reported they were affected by a ransomware attack on another business associate, Netgain Technologies. The table below shows the extent to which ransomware has been used in attacks on the healthcare industry.

Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach | Breach Cause | Business Associate Involvement
20/20 Eye Care Network, Inc | Business Associate | 3,253,822 | Hacking/IT Incident | Unsecured AWS S3 Bucket | Yes
NEC Networks, LLC d/b/a CaptureRx | Business Associate | 1,656,569 | Hacking/IT Incident | Ransomware attack | Yes
Orthopedic Associates of Dutchess County | Healthcare Provider | 331,376 | Hacking/IT Incident | Ransomware attack | No
Rehoboth McKinley Christian Health Care Services | Healthcare Provider | 207,195 | Hacking/IT Incident | Ransomware attack | No
Five Rivers Health Centers | Healthcare Provider | 155,748 | Hacking/IT Incident | Phishing attack | No
SEIU 775 Benefits Group | Business Associate | 140,000 | Hacking/IT Incident | Unspecified hacking incident | Yes
San Diego Family Care | Healthcare Provider | 125,500 | Hacking/IT Incident | Ransomware attack (Netgain Technologies) | Yes
Hoboken Radiology LLC | Healthcare Provider | 80,000 | Hacking/IT Incident | Hacked medical imaging server | No
CareSouth Carolina, Inc. | Healthcare Provider | 76,035 | Hacking/IT Incident | Ransomware attack (Netgain Technologies) | Yes
Arizona Asthma and Allergy Institute | Healthcare Provider | 70,372 | Hacking/IT Incident | Ransomware attack | No
New England Dermatology, P.C. | Healthcare Provider | 58,106 | Improper Disposal | Improper disposal of specimen bottles | No
Sturdy Memorial Hospital | Healthcare Provider | 57,379 | Hacking/IT Incident | Ransomware attack | No
LogicGate | Business Associate | 47,035 | Hacking/IT Incident | Unsecured AWS S3 Bucket | Yes
Lafourche Medical Group | Healthcare Provider | 34,862 | Hacking/IT Incident | Phishing attack | No
Internal Medicine Associates of Jasper, PC, dba Prestige Medical Group | Healthcare Provider | 34,203 | Hacking/IT Incident | Ransomware attack | No
SAC Health Systems | Healthcare Provider | 28,128 | Hacking/IT Incident | Ransomware attack (Netgain Technologies) | Yes
Monadnock Community Hospital | Healthcare Provider | 14,340 | Hacking/IT Incident | Unspecified hacking incident | Yes
Community Access Unlimited | Business Associate | 13,813 | Hacking/IT Incident | Ransomware attack (Netgain Technologies) | Yes
Westwood Obstetrics and Gynecology | Healthcare Provider | 12,931 | Hacking/IT Incident | Unspecified hacking incident | Yes

Causes of May 2021 Healthcare Data Breaches

Hacking/IT incidents dominated the breach reports in May. Out of the 63 reported breaches, 47 (74.60%) were hacking/IT incidents. These incidents resulted in the exposure or theft of 6,432,367 healthcare records – 98.43% of all records breached in the month. The average breach size was 131,273 records and the median breach size was 4,250 records.

There were 9 reported unauthorized access/disclosure incidents involving the records of 17,834 individuals. The average breach size was 1,982 records and the median breach size was 1,562 records. There were 3 loss/theft incidents involving 20,325 records and two incidents involving the improper disposal of protected health information affecting 64,604 individuals.

[Chart: May 2021 U.S. Healthcare Data Breaches - Causes]

While phishing incidents have plagued the healthcare industry over the past few years, it is now network server incidents that dominate the breach reports. 41 of the month’s breaches involved compromised network servers, compared to just 9 incidents involving email.

[Chart: May 2021 U.S. Healthcare Data Breaches - Location of Breached PHI]

May 2021 Healthcare Data Breaches by Covered Entity Type

47 healthcare providers reported data breaches in May 2021, although only 20 of those incidents were breaches directly involving the healthcare provider. 27 of those breaches were reported by the healthcare provider but occurred at a business associate.

7 data breaches were reported to the HHS’ Office for Civil Rights by business associates of HIPAA-covered entities, although in total, the business associate was present in 31 of the month’s breaches.

8 breaches affected health plans, 4 of which had some business associate involvement, and one breach was reported by a healthcare clearinghouse.

[Chart: May 2021 Healthcare Data Breaches by Covered Entity Type]

States Affected by Healthcare Data Breaches

Healthcare data breaches were reported by HIPAA-covered entities and business associates based in 32 U.S. states.

State | No. Reported Data Breaches
Texas | 6
New York, Ohio | 5
California, Illinois, West Virginia | 4
Mississippi, Missouri | 3
Florida, Maryland, Massachusetts, New Jersey, Oklahoma | 2
Arizona, Arkansas, Connecticut, Delaware, Georgia, Indiana, Louisiana, Maine, Minnesota, North Carolina, Nevada, New Hampshire, New Mexico, Pennsylvania, Rhode Island, South Carolina, Tennessee, Washington, Wisconsin | 1

HIPAA Enforcement in May 2021

There was one HIPAA enforcement action announced by the HHS’ Office for Civil Rights in May, bringing the total for 2021 to 8. Most of the settlements announced so far in 2021 have resolved violations of the HIPAA Right of Access; however, May’s settlement was for multiple violations of the HIPAA Security Rule.

Most financial penalties stem from an OCR investigation into a data breach or a complaint from a patient. May’s financial penalty was atypical, as it was the result of a compliance review. OCR had investigated a data breach reported by the Department of Veterans Affairs involving its business associate Authentidate Holding Corporation (AHC).

That investigation was resolved without financial penalty; however, during the investigation OCR learned that AHC had entered into a reverse merger with Peachstate Health Management, LLC, a CLIA-certified laboratory that provides clinical and genetic testing services through its publicly traded parent company, AEON Global Health Corporation (AGHC).

OCR decided to conduct a compliance review of Peachstate’s clinical laboratories to assess Privacy and Security Rule compliance and discovered multiple violations of the HIPAA Security Rule. OCR discovered potential violations related to risk assessments, risk management, audit controls, and a lack of documentation of HIPAA Security Rule policies and procedures. The case was settled for $25,000.

Houston Hospital Workers’ Lawsuit over Vaccine Mandate Dismissed by Federal Judge

Many U.S. employers have implemented a policy that requires their workers to be vaccinated against COVID-19, including several major healthcare systems and hospitals. These policies are in line with the guidance issued by the U.S. Equal Employment Opportunity Commission last month, which confirmed that U.S. employers are within their rights to require their employees to be vaccinated, with certain exceptions such as on medical or religious grounds.

Houston Methodist Hospital in Texas introduced its vaccine mandate to ensure patients were protected against COVID-19 and set a June 7, 2021 deadline for employees to be vaccinated. While the majority of workers at Houston Methodist Hospital have been or have agreed to be vaccinated, on Monday, June 7, a small minority of workers staged a walkout over the vaccine requirement. On Tuesday, the hospital suspended 178 workers without pay over their refusal to be inoculated.

A lawsuit was brought by 117 of those workers, with lead plaintiff Jennifer Bridges claiming that dismissal for refusing the vaccine would constitute wrongful termination. Bridges maintains that the vaccines, which have been granted emergency use authorizations by the Food and Drug Administration, are experimental and dangerous. All three of the vaccines covered by the emergency use declarations have undergone clinical trials and a post-market study and have been determined to be safe.

On Saturday, U.S. District Judge Lynn N. Hughes in the Southern District of Texas issued a ruling that upheld the hospital’s vaccination requirement. Judge Hughes said the decision to require employees to be vaccinated against COVID-19 was consistent with the hospital’s public policy and rejected claims of the plaintiffs that the vaccines were experimental and dangerous.

“The hospital’s employees are not participants in a human trial,” said Judge Hughes in his ruling. “Methodist is trying to do their business of saving lives without giving [patients] the Covid-19 virus. It is a choice made to keep staff, patients and their families safer.”

The judge explained in the ruling that under Texas law, employers are within their rights to require employees to be vaccinated. There are laws to protect employees against wrongful termination, but in cases such as this, employees would only be protected against termination for refusing to commit an act that carries criminal penalties.

“Our employees and physicians made their decisions for our patients, who are always at the center of everything we do,” said Houston Methodist Hospital Chief Executive, Dr. Marc Bloom in a statement. “We can now put this behind us and continue our focus on unparalleled safety, quality, service and innovation… All our employees have now met the requirements of the vaccine policy and I couldn’t be prouder of them.”

The hospital confirmed that 24,947 employees had been fully vaccinated, 285 workers were not vaccinated due to medical or religious exemptions, and 332 employees were granted deferrals for pregnancy or other reasons.

Once the suspension period expires on June 21, 2021, termination procedures will be implemented for all employees who have still not been vaccinated. The lawyers representing the plaintiffs plan to appeal the ruling.

HSCC Urges Biden to Provide Funding to Bolster Cybersecurity Posture of the Healthcare Sector

The Healthcare and Public Health Sector Coordinating Council (HSCC) has urged President Biden to provide further funding and support to improve the cybersecurity posture of the healthcare sector to improve resilience to cyberattacks.

In a recent letter addressed to President Biden and copied to Senate and House party leaders, the HSCC called for more funds to help the healthcare sector deal with cyber threats, improved collaboration between the healthcare industry and government, and for the government to provide a roadmap for making improvements to the cybersecurity readiness of the healthcare sector.

Under the American Rescue Plan, the government has made funding available to modernize federal information technology systems and improve resilience against future cyberattacks. $9 billion will be invested to help the U.S. launch major new IT and cybersecurity shared services at the Cybersecurity and Infrastructure Security Agency (CISA) and the General Services Administration, and $690 million has been made available to CISA to bolster cybersecurity across federal civilian networks; however, none of that funding has been made available to directly help the healthcare sector, even though the sector has been heavily targeted by cyber actors before and during the pandemic.

According to the HSCC, the healthcare sector is currently stretched to its limits to meet its clinical and public health obligations. The healthcare industry has faced relentless cybersecurity threats that have grown in magnitude and complexity year after year, and the situation has become far worse during the pandemic. Those threats, including ransomware, have targeted the technology integral to patient care.

Cyberattacks such as the ransomware attack on Colonial Pipeline threaten national security, but these attacks are also placing patient safety at risk. The attacks can result in denial of service, corruption of data on medical devices, and data manipulation that can have a direct implication for clinical operations, patient care, and public health.

“In assessing how the American Rescue Plan, coupled with the recently released Executive Order on Improving the Nation’s Cybersecurity, can measurably strengthen the security and resiliency of the healthcare system and patient safety, we request an enhanced strategic planning process within the administration that will complement the ongoing cybersecurity partnership between the HSCC, the Department of Health and Human Services and other essential government partners,” said HSCC in the letter. “As you lead the nation out of the pandemic, put more Americans back to work and increase their access to health insurance, the ability of the healthcare sector to deter cyber threats is imperative for the nation to maintain public health and global competitiveness beyond the pandemic.”

Diabetes, Endocrinology & Lipidology Center Pays $5,000 to Resolve HIPAA Right of Access Case

The HHS’ Office for Civil Rights has announced that a settlement has been reached with The Diabetes, Endocrinology & Lipidology Center, Inc. (DELC) that resolves a potential HIPAA Right of Access violation. This is the 8th financial penalty announced in 2021 to resolve violations of the HIPAA Rules, and the 19th settlement under OCR’s HIPAA Right of Access enforcement initiative, which was launched in the fall of 2019.

DELC is a West Virginia-based healthcare provider specializing in treating endocrine disorders. In August 2019, OCR received a complaint that alleged DELC had failed to respond to a request for a copy of protected health information in a timely manner. The HIPAA Privacy Rule requires a copy of an individual’s protected health information contained in a designated record set to be provided within 30 days of a request being received.

In this case, the complainant wanted a copy of her minor child’s protected health information and DELC had failed to provide those records within the allowed 30 days. OCR notified DELC on October 30, 2019 about the investigation into potential noncompliance with the HIPAA Right of Access (45 C.F.R. § 164.524) over the alleged refusal to provide the patient’s mother with the records she requested.

OCR determined the failure to provide the requested records was in violation of the HIPAA Right of Access. As a result of OCR’s investigation, DELC finally provided the child’s mother with a copy of the requested records in May 2021, almost two years after the initial request had been made.

In addition to the financial penalty of $5,000, DELC has agreed to a corrective action plan that includes reviewing and updating policies and procedures for providing individuals with access to PHI and privacy training for the workforce on individual access to PHI. DELC will be monitored by OCR for 2 years to ensure compliance with the Right of Access provisions of the HIPAA Privacy Rule.

“It should not take a federal investigation before a HIPAA covered entity provides a parent with access to their child’s medical records,” said Acting OCR Director Robinsue Frohboese. “Covered entities owe it to their patients to provide timely access to medical records.”

More than 3.2 Million Individuals Affected by 20/20 Hearing Care Network Data Breach

The 20/20 Hearing Care Network has started notifying millions of current and former members that some of their protected health information (PHI) has potentially been compromised and/or deleted.

On January 11, 2021, suspicious activity was detected in its AWS cloud storage environment. Steps were immediately taken to prevent further unauthorized access and an investigation was launched to determine the nature and scope of the security breach. Third party forensics experts assisted with the investigation and confirmed that S3 buckets hosted in AWS had been accessed, data in those buckets downloaded, and then all data in the S3 buckets was deleted.

The forensic investigation confirmed in late February that some of the data downloaded and deleted from the storage environment included PHI for some or all health plan members for whom records were held. While data theft was confirmed, it was not possible to tell exactly which information had been accessed or removed from the S3 buckets. The types of data potentially obtained in the attack included names, Social Security numbers, dates of birth, member ID numbers, and health insurance information.

Starting on or around May 28, 2021, notification letters were sent to all individuals potentially affected. As a precaution against misuse of member information, certain affected individuals have been offered complimentary credit monitoring and identity theft protection services.

20/20 said in its breach notice that while data theft was confirmed, it does not believe there has been any misuse of member data. The report filed with the Maine Attorney General classes this incident as ‘insider wrongdoing’.

Following the breach, 20/20 conducted a robust review of policies and procedures and has taken steps to improve security to prevent similar breaches in the future.

The breach has been reported to the Maine Attorney General as affecting up to 3,253,822 individuals, making this one of the largest healthcare data breaches to be discovered this year.
