Protected Health Information Stolen in HealthEquity SharePoint Breach
HealthEquity has confirmed a breach of its SharePoint data, which included protected health information. Data breaches have also been reported by Kairos Health Arizona and Ambulnz.
HealthEquity
HealthEquity, a Draper, UT-based financial technology and business services company, has suffered a cyberattack that has exposed protected health information. HealthEquity provides health savings account (HSA) services and other consumer-directed benefits solutions, including health reimbursement arrangements (HRAs), and manages millions of HSAs, HRAs, and other benefit accounts.
HealthEquity explained in an 8-K filing with the Securities and Exchange Commission (SEC) that it recently identified anomalous behavior in a business partner’s device, and said the initial investigation indicates that the device had been compromised and was used to access members’ information. No malware was found on its systems and business operations were unaffected, and while the company is still evaluating the financial impact of the incident, it does not believe that the incident will have any material effect on its business or financial results.
The breach was detected on March 25, 2024, and immediate action was taken to prevent further unauthorized access. A forensic investigation was launched to determine the extent of the breach, which revealed an unauthorized actor accessed and exfiltrated HealthEquity’s SharePoint data. Its transactional systems, where integrations occur, were not affected. HealthEquity has started notifying the affected partners, clients, and members and is offering complimentary credit monitoring and identity theft protection services. The extent of the breach and the types of information involved have not yet been publicly disclosed.
Kairos Health Arizona
Kairos Health Arizona, an employee benefits pool serving public entity employers in Arizona, has discovered that there has been unauthorized access to member data by a former third-party vendor. An investigation was launched which determined that between November 2, 2023, and March 29, 2024, the vendor accessed and downloaded information from a Kairos database.
A review was conducted to determine the types of data involved and confirmed that the downloaded data included names, insurance identification numbers, claims/coverage information, and health information. No Social Security numbers, driver’s license numbers, or financial account information were accessed or downloaded. Notification letters have now been sent to the 14,364 affected individuals and steps have been taken to enhance the security of its network, internal systems, and applications to prevent similar incidents in the future.
Ambulnz
Ambulnz, a subsidiary of DocGo that provides medical transportation and ambulance services, has discovered the protected health information of 4,742 patients has been exposed and potentially stolen in a cyberattack that was detected on April 22, 2024. The forensic investigation confirmed that a threat actor first accessed its network on April 21, 2024, and access was blocked the following day; however, the attack was not detected in time to prevent the threat actor from downloading patient data from its network. The stolen files included names, plus one or more of the following: dates of birth, address, medical record number, patient account number, health insurance identification number, and/or diagnosis and treatment information. A limited number of patients also had their Social Security numbers and/or driver’s license numbers stolen.
The post Protected Health Information Stolen in HealthEquity SharePoint Breach appeared first on The HIPAA Journal.
Email Breach Affects 22,000 Ambulatory Surgery Center of Westchester Patients – HIPAA Journal
The Mount Kisco Surgery Center, doing business as the Ambulatory Surgery Center of Westchester in New York, has recently notified 22,139 patients that some of their protected health information has been exposed and potentially stolen.
Suspicious activity was detected in an employee’s email account on November 3, 2023, and after securing the account, a forensic investigation was launched to determine the nature and scope of the activity. The investigation confirmed that the unauthorized third party had access to the account from October 23, 2023, to November 3, 2023, and that the account contained patient data.
A comprehensive review was then initiated to determine the individuals affected and the types of data involved. That process was completed on May 30, 2024, and then address information was verified. The affected individuals were notified by mail on June 26, 2024. The types of data involved varied from patient to patient and included names in combination with one or more of the following: Social Security number, driver’s license number, state identification number, date of birth, medical information, including diagnosis information, treatment information, and prescription information, and health insurance information, including claim information and health insurance number.
At the time of issuing notifications, no reports had been received to suggest there had been any misuse of patient data. Mount Kisco Surgery Center said it has enhanced network security to prevent similar breaches in the future.
Mobile Medical Response Warns Patients About PHI Breach
Mobile Medical Response, a Michigan-based provider of medical transportation and ambulance services, has announced that there has been an impermissible disclosure of patient information at one of its business associates. Mobile Medical Response contracted with CBM Services to provide collections services. CMB Services had issued a check to Mobile Medical Response, which an unauthorized individual attempted to cash.
When checks are issued to Mobile Medical Response by CMB Services, they are accompanied by a statement of accounts that includes the names of individuals to whom the payments relate. The statements include names, identify individuals as having received transportation services from Mobile Medical Response, and potentially include other information.
Mobile Medical Response has confirmed that addresses, dates of birth, Social Security numbers, driver’s license/state identification numbers, financial account information, payment card information, patient record information, medical diagnosis/condition information, medical treatment information, and health insurance information were not impermissibly disclosed.
Mobile Medical Response is currently investigating the incident to determine the full nature, scope, and impact of the event. In the meantime, the breach has been reported as affecting 500 individuals. The total will be updated when the investigation has been completed.
The post Email Breach Affects 22,000 Ambulatory Surgery Center of Westchester Patients appeared first on The HIPAA Journal.
Insider Breaches Reported by Providence Mission Heritage Endocrinology & Samaritan Health Services
Providence Mission Heritage Endocrinology and Samaritan Health Services have identified unauthorized access to patient data by former employees.
Providence Mission Heritage Endocrinology
In May 2024, Providence Mission Heritage Endocrinology in Mission Viejo, CA, discovered an insider breach that involved unauthorized access to clinical records. Providence launched an investigation into the activity and confirmed that the unauthorized access had been ongoing for more than three years. The first instance occurred on December 15, 2020, and it continued until May 15, 2024. The nature of the access was not disclosed; however, Providence said there is an active investigation by the California Department of Insurance.
The review confirmed that only names, State IDs, driver’s license numbers, and health insurance coverage information were accessed. Social Security numbers were not accessed; however, as a precaution, credit monitoring and identity protection services have been offered to the affected individuals for 12 months at no cost. Cambria Haydon, Chief Privacy Officer, Providence, has advised the affected patients to take advantage of those services.
The incident has been reported to the California Attorney General; however, it is not currently shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.
Samaritan Health Services
Samaritan Health Services in Oregon has announced that a physician who worked at its Lebanon Community Hospital may have accessed the protected health information of patients without authorization. An investigation was launched in November 2023, when unauthorized access was suspected.
The investigation involved a review of access logs to patient records, interviews with patients and employees, and a written attestation from the physician. While many of the records accessed by the physician were for legitimate purposes, Samaritan was unable to verify the purpose of the physician’s record access for 1,296 individuals.
Samaritan is confident that if the medical records of those individuals were accessed, it was not for malicious purposes and there are no indications that any patient data will be misused; however, as a precaution, the affected individuals have been advised to monitor their account statements and credit reports closely and should immediately report any unusual activity to the appropriate financial institution.
The post Insider Breaches Reported by Providence Mission Heritage Endocrinology & Samaritan Health Services appeared first on The HIPAA Journal.