Data Breaches Reported by Rebound Orthopedics, CCM Health, BCBST & Orsini Pharmaceutical Services

Data breaches have recently been reported by Rebound Orthopedics & Neurosurgery, CCM Health, BlueCare Plus Tennessee, and Orsini Pharmaceutical Services.

Rebound Orthopedics & Neurosurgery

Rebound Orthopedics & Neurosurgery in Vancouver, WA, has recently announced that it fell victim to a cyberattack on February 2, 2024. The attack was detected on February 3 when its computer systems went offline, including its patient and scheduling portals, and the outage lasted for more than 2 weeks. Computer forensics specialists were engaged to investigate the incident and confirmed that an unknown and unauthorized actor had accessed its network and viewed or copied files that were stored on its systems. A detailed review of those files confirmed that they contained patient information, although no evidence was found to indicate that any information in those files has been misused.

It is currently unclear what information was involved, as that information was not present in the sample notice provided to the Montana Attorney General. The incident has yet to appear on the HHS’ Office for Civil Rights website, so it is unclear how many individuals have been affected. Rebound Orthopedics & Neurosurgery said additional security measures have been implemented to prevent similar incidents in the future and complimentary credit monitoring services have been offered to the affected individuals for 24 months.

CCM Health

CCM Health in Montevideo, MN, has recently notified 29,182 individuals about a network security incident that involved some of their personal and health information. In a March 12, 2024, breach notice, CCM Health explained that there had been unauthorized access to its network between April 3, 2023, and April 10, 2023, and an unauthorized third party may have accessed and removed files containing their sensitive information.

A comprehensive review of all files on the compromised parts of the network confirmed that they contained full names, dates of birth, Social Security numbers, medical information, and health insurance information. The exposed health information included medical record numbers, patient account numbers, prescription information, healthcare provider names, medical diagnoses, diagnosis codes, treatment types, treatment locations, treatment dates, admission dates, discharge dates, and/or lab results.

The file review was completed on February 12, 2024, and notification letters have now been sent to the affected individuals. Single bureau credit monitoring/single bureau credit report/single bureau credit score services have been provided to the affected individuals at no charge.

BlueCross BlueShield of Tennessee

BlueCross BlueShield of Tennessee, Inc. (BCBST) and Volunteer State Health Plan, Inc., which do business as BlueCare Plus Tennessee, have recently notified around 2,000 individuals about two security incidents that exposed their sensitive information.

BCBST said it identified suspicious login attempts to its member portal from outside the company on or around December 19, 2023. The attempts were made to log in using username and password combinations that came from an unknown source. The investigation found no evidence to suggest there had been a breach of BCBST systems, and it would appear that this was a credential stuffing attack, where username/password combinations that have been obtained in a third-party breach are used to try to log into accounts on other platforms.

The member portal was immediately disabled while the unauthorized activity was investigated, password security was enhanced, and third-party forensics experts were engaged to assist with the investigation. Between January 18 and January 24, 2024, BCBST learned that there had been a similar incident on August 7, 2023. The data potentially accessed in these two incidents included names, dates of birth, addresses, subscriber IDs, provider names, group numbers and names, plan information, medical information, claims information, and user IDs and passwords. For fewer than 1% of the affected individuals, financial information was also exposed. For individuals whose coverage ended more than two years ago, the breached information only included IDs and passwords.

BCBST is implementing new login requirements and has notified the affected individuals and offered them identity monitoring services at no cost. They have also been asked to change their online account passwords when they sign in and to use a password that has not been used elsewhere. Two separate reports of data breaches have been logged by the HHS’ Office for Civil Rights that affected 1,251 and 790 individuals.

Orsini Pharmaceutical Services

Orsini Pharmaceutical Services in Illinois has recently discovered there has been unauthorized access to an employee’s email account. The breach was detected on January 10, 2024, and the investigation confirmed that a single email account was compromised between January 8 and January 10, 2024. The email account was reviewed to find out the types of information that had been exposed, which confirmed that the protected health information of 1,433 patients was present in the account, including names, addresses, dates of birth, medical record numbers, health insurance information, diagnoses, and/or prescription information.

Orsini Pharmaceutical Services did not find evidence to suggest that the attack was conducted to obtain patient data, but the possibility could not be ruled out. Additional safeguards and technical security measures have been put in place to further protect and monitor its systems, and the affected individuals have been notified and offered a complimentary 12-month membership to a credit monitoring service.

The post Data Breaches Reported by Rebound Orthopedics, CCM Health, BCBST & Orsini Pharmaceutical Services appeared first on HIPAA Journal.

White House Meets with Healthcare Community to Discuss Change Healthcare Ransomware Attack Mitigations

On March 12, White House officials met with UnitedHealth Group, leaders at the Department of Health and Human Services, and industry groups to discuss the cyberattack at UHG-owned Change Healthcare, the disruption to healthcare services over the past 3 weeks, and mitigations to help patients and providers.

The Change Healthcare cyberattack was detected on February 21 and caused an outage that lasted for three weeks. The Blackcat ransomware group claimed responsibility for the attack. The attack caused massive disruption, with providers unable to verify coverage, submit prior authorization requests, exchange clinical records, and be reimbursed for services.

UHG set up a financial assistance program to help providers who receive payments processed by Change Healthcare, who could apply for temporary funding through Optum Financial Services, and the Centers for Medicare and Medicaid Services (CMS) introduced flexibilities to help ease the financial strain on providers, including applications for advanced payment. Last week, 2 weeks after the attack, UHG was finally able to provide a timeline for bringing systems back online and this week confirmed that 99% of pharmacy and payment systems are now online.

The meeting was led by HHS Secretary Xavier Becerra and Deputy Secretary Andrea Palm, who were joined by White House Domestic Policy Advisor Neera Tanden, White House Deputy National Security Advisor (DNSA) for Cyber and Emerging Technologies Anne Neuberger, and others from the federal government. At the meeting, concrete actions were discussed to mitigate the harm caused to patients and providers.

Secretary Becerra and Domestic Policy Advisor Tanden stressed that the government and public sector must work together to help providers, many of whom are struggling to make payroll and deliver timely care to patients. They also stressed that insurers needed to help providers who are facing financial difficulties. During the meeting, industry groups discussed the problems faced by providers, the gaps in the response from payers, and how providers desperately need more immediate payment options, direct communications, and relaxed billing and claims processing requirements.

Payers were asked to provide assistance and committed to continued coordination. They also explained that they are working on further steps to reduce red tape, provide accessible funding opportunities through advanced payments, and other measures to address the cash flow issues that providers are experiencing. White House officials said they would be following up on the commitments made by payers at the meeting.

The interconnectedness of healthcare means a cyberattack on one entity can have far-reaching consequences, and with Change Healthcare processing 15 billion transactions annually and its systems touching the data of 1 in 3 patients in America, the fallout from the cyberattack has been immense. At the meeting, DNSA Neuberger stressed the urgent need to strengthen cybersecurity resilience across the sector, and the importance of all organizations implementing the HHS’s voluntary HPH Cybersecurity Performance Goals. A readout of the meeting is available on the HHS website.

The post White House Meets with Healthcare Community to Discuss Change Healthcare Ransomware Attack Mitigations appeared first on HIPAA Journal.