Multiple Data Breaches Reported by Iowa Medicaid and South … – HIPAA Journal
Multiple Data Breaches Reported by Iowa Medicaid and South Jersey Behavioral Health Resources
The Iowa Department of Health and Human Services has announced there have been three separate breaches of the protected health information of Iowa Medicaid recipients in the past two months – two hacking incidents and an impermissible disclosure, all three of which involved third-party contractors.
The largest breach was at the Medicaid contractor, MCNA Dental, which resulted in the exposure and potential theft of the data of 233,834 Iowa Medicaid recipients. The MCNA Dental data breach impacted more than 8.9 million individuals across the country. An unauthorized third party gained access to MCNA Dental’s systems on February 26, 2023, the breach was detected on March 6, 2023, and the unauthorized access was blocked the following day. The LockBit ransomware gang claimed responsibility for the attack and potentially obtained names, addresses, telephone numbers, email addresses, birth dates, Social Security numbers, driver’s license numbers, government-issued ID numbers, health insurance information, Medicare/Medicaid ID numbers, group plan names and numbers, and information related to the dental and orthodontic care provided. MCNA Dental has offered affected individuals complimentary credit monitoring services.
The Iowa Department of Health and Human Services has also confirmed a breach of the protected health information of Iowa Medicaid recipients due to an error at Amerigroup. Explanation of payment notices containing the information of 833 Iowa Medicaid recipients were sent to 20 providers in error. Names, addresses, Social Security numbers, and health insurance information were impermissibly disclosed. Amerigroup is sending notification letters to those individuals.
Another breach was confirmed in April at one of the department’s contractors, Telligen, Inc., which performs annual assessments for Medicaid members to ensure they are receiving the correct level of care. Telligen subcontracted part of that work to Independent Living Systems (ILS), where the data breach occurred in June and July 2022. The protected health information of approximately 20,800 Medicaid members was compromised in the attack. In total, more than 4 million individuals were affected by the ILS data breach.
South Jersey Behavioral Health Resources Victim of Two Security Breaches
South Jersey Behavioral Health Resources (SJBHR) in Camden, NJ, an Inperium affiliate that provides residential, outpatient, adult partial care, telehealth/telecounseling, and homeless services, has recently announced two breaches of the protected health information of patients in quick succession.
The first incident was a business email compromise/phishing attack. An employee received a request for an Accounts Receivable Report from what appeared to be the legitimate account of a member of the SJBHR fiscal office. An email was sent in response that included patient names, dates of service, types of service, and billing codes. The breach was detected the following day. Additional training was provided to all staff members in response to the incident to help them identify and avoid email scams in the future.
A few days later, on April 5, 2023, SJBHR was the victim of a ransomware attack that resulted in files being encrypted on certain computer systems. The forensic investigation confirmed the attackers gained access to its systems on April 3, 2023. No evidence was found to indicate access to or the theft of patient data, but the systems compromised in the attack included files containing names, contact information, Social Security numbers, driver’s license numbers, dates of birth, medical record numbers, treating/referring physician names, health insurance information, subscriber numbers, medical history information, and diagnosis/treatment information.
In response to the ransomware attack, policies and procedures have been reviewed and additional data security measures have been implemented. SJBHR does not believe the two incidents are related. Neither incident is showing on the HHS’ Office for Civil Rights data breach portal at present, so it is unclear how many individuals have been affected.
Alvaria Confirms November 2022 Hive Ransomware Attack – HIPAA Journal
Alvaria Confirms November 2022 Hive Ransomware Attack
Alvaria Inc. (formerly Aspect Software, Inc.), a provider of call center and customer experience software technology to large enterprises, has recently confirmed that it fell victim to a ransomware attack on a limited portion of its network.
There is a trend for breach notification letters to contain only the bare minimum information needed to meet regulatory requirements; however, Alvaria's breach notifications include comprehensive details about the attack, including the name of the ransomware group responsible. The company has also confirmed that sensitive information was stolen and that some of it was released on the Hive group’s dark web data leak site. That level of detail helps victims of the breach accurately assess the level of risk they face.
Alvaria explained that the ransomware attack occurred on November 28, 2022, and steps were immediately taken to contain the attack and prevent further unauthorized access to its network. An investigation was launched, and a third-party digital forensics company was engaged to investigate the scope of the attack and determine if protected health information had been exposed or compromised. On December 21, 2022, while the incident was still being investigated, Alvaria learned that the Hive group had published sensitive corporate files on its dark web data leak site. Alvaria confirmed that the files released by the group did not contain any personal data, but it was not possible to determine if employment-related files were accessed or acquired in the attack.
Alvaria explained in the notification letters that the Department of Justice confirmed on January 26, 2023, that a coordinated law enforcement operation had successfully dismantled the Hive Ransomware operation, resulting in the group’s infrastructure being seized. Alvaria said, “Law enforcement has not indicated whether these employment-related files had been acquired,” and no evidence has been found to indicate any actual or attempted misuse of the information contained in the employment-related files.
Those files contained names, government-issued identification numbers such as Social Security numbers and passport numbers, financial account information, health insurance information, and/or tax-related information. Individuals potentially affected have been notified, and Alvaria has confirmed that employees are already provided with credit monitoring, dark web monitoring, and fraud remediation services through Allstate Identity Protection as part of their employment.
The incident has been reported to the HHS’ Office for Civil Rights in 13 individual reports, involving a total of 12,404 records.