277,000 Santa Clara Family Health Plan Members Affected by GoAnywhere Hack

Data breaches have recently been announced by Santa Clara Family Health Plan, United Steelworkers Local 286, Robeson Health Care Corporation, Two Rivers Public Health Department, and NewBridge Services.

Santa Clara Family Health Plan Confirmed as Victim of Clop GoAnywhere Hack

Santa Clara Family Health Plan has confirmed that the 276,993-record data breach reported to the HHS’ Office for Civil Rights on March 30, 2023, was due to the hacking of Fortra’s GoAnywhere MFT (managed file transfer) solution by the Clop ransomware group. The group exploited a previously unknown (zero-day) vulnerability in the file transfer solution to exfiltrate data but did not encrypt files. Around 130 organizations fell victim to the attacks over a 10-day period in late January and early February this year.

The incident affected NationsBenefits, which provides supplemental benefits administration services to several health plans, including Santa Clara Family Health Plan. NationsBenefits learned of the attack on February 7, 2023, and was informed by Fortra that the attack occurred on or around January 30, 2023. On February 13, 2023, NationsBenefits confirmed that the data compromised in the attack included protected health information such as name, address, phone number, gender, date of birth, health insurance number, medical ID number, Social Security number, date(s) of service, medical device or product purchased, and provider/caregiver name. NationsBenefits said it has stopped using the GoAnywhere solution and is implementing a range of additional measures to strengthen security.

United Steelworkers Local 286 Security Breach Affects Almost 38,000 Health Plan Members

United Steelworkers Local 286 has discovered that an unauthorized individual gained access to an employee email account containing the protected health information of 37,965 members of its health plan. The email account breach was detected on February 13, 2023, and the forensic investigation confirmed the email account was accessed between June 16, 2022, and July 18, 2022, some seven months before the intrusion was detected.

A manual document review confirmed the account contained full names, Social Security numbers, dates of birth, financial account numbers, driver’s license and/or state identification numbers, passport numbers, medical treatment information, medical record numbers, biometric information, and health insurance information.

No evidence of misuse of plan member data has been uncovered; however, as a precaution against identity theft and fraud, individuals whose Social Security numbers were exposed have been offered complimentary credit monitoring services. United Steelworkers Local 286 said security measures were in place and are continually evaluated and modified to ensure the privacy and security of employee data.

Two Rivers Public Health Department Reports Microsoft 365 Account Breach

Two Rivers Public Health Department (TRPHD) in Nebraska has recently confirmed that the protected health information of 15,168 patients was stored in an employee Microsoft 365 (Office 365) account that was accessed by an unauthorized third party.

TRPHD said suspicious activity was detected within its server infrastructure on November 9, 2022. The initial investigation conducted by a third-party IT firm concluded that patient data had not been compromised; however, out of an abundance of caution, an external forensic investigation firm was engaged to fully investigate the security breach. That investigation confirmed that an Office 365 account was accessed by an unauthorized individual between September 14, 2022, and November 8, 2022. The review of the account confirmed it contained protected health information, although the press release issued did not state what types of information had been exposed.

TRPHD said the document review was completed on March 15, 2023, and notifications were mailed to affected individuals on April 14, 2023. Additional security measures have been implemented to better secure its systems against unauthorized access.

Robeson Health Care Corporation Discovers Malware Infection

Robeson Health Care Corporation in Pembroke, NC, has reported a data breach to the Maine Attorney General that has affected up to 15,045 individuals. According to the notification, malware was detected within its network on February 21, 2023. The subsequent forensic investigation confirmed that an unauthorized third party had access to its systems between February 17, 2023, and February 21, 2023.

While no evidence of data theft was found, it could not be ruled out. The document review confirmed the following types of information were exposed: name, address, Social Security number, date of birth, treatment information/diagnosis, treating physician, medical record number, patient ID number, Medicare/Medicaid number, prescription information, health insurance information, and treatment costs. Notifications were mailed on April 21, 2023, and complimentary credit monitoring and identity theft protection services have been offered. Security has been enhanced to prevent similar incidents in the future, including implementing multi-factor authentication for all users.

NewBridge Services Hacking Incident Affects 1,457 Individuals

The Pequannock, NJ-based counseling service provider NewBridge Services said an unauthorized individual gained access to its systems and potentially accessed and obtained the protected health information of 1,457 individuals. The security breach was detected on January 26, 2023, when certain systems were disrupted. The forensic investigation confirmed on January 28, 2023, that protected health information had been exposed, although no evidence was found of actual or attempted misuse of that information.

The exposed information included names, Social Security numbers, dates of birth, treatment information, provider information, prescription information, payment information, and health insurance information. Written notifications were mailed to affected individuals on April 17, 2023, and security has been augmented to prevent similar incidents in the future.

The post 277,000 Santa Clara Family Health Plan Members Affected by GoAnywhere Hack appeared first on HIPAA Journal.

Former Methodist Hospital Employees Plead Guilty to Criminal HIPAA Violations

Five former Methodist Hospital employees have pleaded guilty to criminal violations of HIPAA for accessing and disclosing the information of patients to a third party for financial gain. The former hospital workers were contacted by Roderick Harvey, 41, of Memphis, and were paid to provide him with the names and telephone numbers of patients who had been involved in motor vehicle accidents. The data collected by Harvey was then sold to personal injury attorneys and chiropractors.

The HIPAA Privacy Rule prohibits healthcare workers from accessing patient data unless there is a valid work reason for doing so, and disclosures of patient data to third parties are not permitted without the patient’s authorization unless the disclosure is for a permitted purpose such as treatment, payment, or healthcare operations. Accessing and disclosing patient information for financial gain without the consent of the patients is a criminal offense.

Between November 2017 and December 2020, Kirby Dandridge, 38, Sylvia Taylor, 43, Kara Thompson, 31, Melanie Russell, 41, and Adrianna Taber, 26, violated HIPAA and provided Harvey with patient information. The former employees were terminated for the HIPAA violations, and along with Harvey, were indicted by a federal grand jury in November 2022. Harvey faced a conspiracy charge and seven counts of obtaining patient information with the intent to sell it for financial gain. The former Methodist Hospital employees were separately charged for violating HIPAA.

Harvey pled guilty to the conspiracy charge on April 21, 2023, and will be sentenced on August 1, 2023. Harvey faces up to five years in jail, a fine of up to $250,000, and three years of supervised release. Dandridge, Taylor, Thompson, Russell, and Taber each face a maximum of one year in jail, a $50,000 fine, and one year of supervised release, and will be sentenced on five separate dates between April 25, 2023, and June 21, 2023.

The post Former Methodist Hospital Employees Plead Guilty to Criminal HIPAA Violations appeared first on HIPAA Journal.