Harvard Pilgrim Health Care Ransomware Victim Count Rises to 2.6 Million
Harvard Pilgrim Health Care has confirmed that the information of 2,632,275 individuals was compromised in an April 2023 ransomware attack, increasing the previous total by 81,353. In updated notices submitted to the Attorneys General in California and Maine this month, Harvard Pilgrim Health Care explained that the attack was detected on April 17, 2023, and action was immediately taken to contain the threat and prevent further unauthorized access to its systems. Law enforcement and regulators were notified, and third-party cybersecurity experts were engaged to assist with its investigation and remediation efforts.
Harvard Pilgrim Health Care said the cybercriminal group behind the attack exfiltrated data from its systems between March 28, 2023, and April 17, 2023. The systems accessed by the attackers were used to service members, accounts, brokers, and providers, and they contained names, Social Security numbers, and financial information. Harvard Pilgrim Health Care started notifying the affected individuals on May 23, 2023, and disclosed the breach to media organizations serving all 50 states. On June 15, individual notification letters started to be mailed to the affected individuals. As the investigation progressed, it became clear that other individuals had been affected. Harvard Pilgrim Health Care has offered complimentary credit monitoring and identity theft protection services to the affected individuals and has implemented additional cybersecurity safeguards to prevent similar breaches in the future.
Coleman Professional Services Inc. Reports Breach of Employee Email Accounts
Coleman Professional Services, Inc., an Ohio-based provider of behavioral health services, has reported a breach of its email environment. On December 14, 2023, Coleman learned that an unauthorized third party had gained access to several employee email accounts. The forensic investigation confirmed the accounts were accessed by an unauthorized third party between September 18, 2023, and October 31, 2023.
The forensic investigation could not confirm whether any patient data was viewed or acquired, but the review of the affected accounts confirmed that they contained the protected health information of 51,889 individuals. The types of information exposed varied from individual to individual and may have included first and last names, dates of birth, Social Security numbers, driver’s license numbers, financial information, and, in some cases, health information. Identity theft protection services have been offered to the affected individuals. Coleman has also taken additional steps to prevent unauthorized individuals from accessing its employee email accounts.
North Hill Communities Report Cyberattack and Data Breach
North Hill, including North Hill Communities, Inc., North Hill Home Health Care, Inc., North Hill Needham, Inc., Connected for Life, Inc., and the North Hill Employee Dental Plan, has confirmed that the personal and protected health information of up to 4,798 individuals was potentially compromised in a December 2023 cyberattack.
The attack was detected on December 26, 2023, and the forensic investigation confirmed that its network had been compromised by an unauthorized third party on December 19, 2023. North Hill said it was not possible to determine whether personal or protected health information was accessed or acquired but did determine that the compromised parts of its network contained sensitive data. The exposed data included names in combination with one or more of the following: date of birth, date of death (if applicable), address, Social Security number, phone number, admission date, health insurance information, medical record number, treatment dates, financial account/bank account number, driver’s license number, claims information, and medical information.
North Hill started notifying the affected individuals on February 14, 2023, and is covering the cost of Single Bureau Credit Monitoring/Single Bureau Credit. Additional security detection and monitoring solutions are being implemented to help prevent similar occurrences in the future.
Advarra Inc. Reports Email Account Breach
Advarra Inc., a provider of integrated research compliance solutions, has reported a breach of the personal and protected health information of 4,656 individuals. On October 26, 2023, Advarra identified suspicious activity in an employee email account. The investigation confirmed that a single account was breached on October 25, 2023, and company and personal information in the account was acquired by an unauthorized third party. That information included names and Social Security numbers. Advarra is unaware of any actual or attempted misuse of data but has offered the affected individuals complimentary credit monitoring and identity theft protection services as a precaution.
The post Harvard Pilgrim Health Care Ransomware Victim Count Rises to 2.6 Million appeared first on HIPAA Journal.
California AG Agrees $5 Million Settlement with Quest Diagnostics Over Improper Disposal of Waste; Patient Data
California Attorney General Rob Bonta has announced that a $5 million settlement has been agreed with Quest Diagnostics to resolve allegations it illegally dumped hazardous and medical waste and disposed of the unredacted personal health information of patients in regular trash dumpsters. An investigation was conducted into the business practices of Quest Diagnostics that involved 30 inspections at four Quest Diagnostic Laboratories and several of its patient service centers in the state to determine if Quest Diagnostics was complying with California’s Hazardous Waste Control Law, Medical Waste Management Act, Unfair Competition Law, and civil laws that prohibit the disclosure of the personal health information of Californians.
The inspections included reviews of the contents of compactors and dumpsters at Quest facilities which found hundreds of containers of chemicals including reagents and bleach, and electronic waste and batteries. The dumpsters also contained medical waste such as specimen containers that included blood and urine, hazardous waste such as flammable liquids, solvents, and batteries, and unredacted medical information.
Quest Diagnostics was notified about the findings of the inspections and hired an independent environmental auditor to review its waste disposal policies and procedures, which have now been modified. Staff training on the updated policies and procedures has been provided across its four laboratories and more than 600 patient service centers in the state to ensure full compliance with California laws.
“Quest takes patient privacy and the protection of the environment very seriously and has made significant investments to implement industry best practices to ensure hazardous waste, medical waste, and confidential patient information are disposed of properly,” said a spokesperson for Quest Diagnostics. “These include investing in technologies for treatment of biological waste, secured destruction of patient information, programs to maximize recycling efforts and minimize waste-to-landfill disposal, waste-to-energy recovery of non-recyclable wastes, and enhanced waste audit and inspection measures to ensure continued compliance with applicable laws.”
The settlement includes $3,999,500 in civil monetary penalties, $700,000 in costs, and $300,000 for a Supplemental Environmental Project to support environmental training and enforcement in California, and injunctive relief requiring Quest Diagnostics to maintain an environmental compliance program and hire a third-party waste auditor to conduct annual audits and report on its status. The civil monetary penalties will be divided between 10 California counties. The investigation was a collaboration between the office of Attorney General Bonta and the District Attorney’s offices in Alameda, Los Angeles, Monterey, Orange, Sacramento, San Bernardino, San Joaquin, San Mateo, Ventura, and Yolo counties.
“Quest Diagnostics’ illegal disposal of hazardous and medical waste and patient information put families and communities at risk and endangered our environment,” said Attorney General Rob Bonta. “Let today’s settlement send a clear message that my office will hold corporations, including medical services providers, accountable for violations of state environmental and privacy laws. I appreciate the partnership of the district attorneys’ offices across our state that led to this critical settlement.”
Kaiser Foundation Health Plan Foundation Inc. and Kaiser Foundation Hospitals were also investigated over their waste disposal practices and were similarly found to have improperly disposed of hazardous waste, medical waste, and patient information, in violation of state laws. The case was settled for $49 million last September.
NIST Finalizes HIPAA Security Rule Implementation Guidance
The National Institute of Standards and Technology (NIST) has published the final version of its guidance on implementing the HIPAA Security Rule. The document, Special Publication 800-66r2: Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide, was developed by NIST in collaboration with the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and guides HIPAA-covered entities and business associates through conducting a risk analysis to identify risks and vulnerabilities to electronic protected health information. The document also identifies activities that HIPAA-regulated entities should consider as part of their information security program and offers guidance on achieving and maintaining compliance with the HIPAA Security Rule and improving cybersecurity posture.
The HIPAA Security Rule sets minimum standards for security and has been in effect since April 2005. Despite being in effect for more than 2 decades, HIPAA-regulated entities are still struggling with compliance. Both sets of HIPAA audits conducted by OCR in 2011 and 2016/2017 identified widespread noncompliance with the HIPAA Security Rule. The second phase of HIPAA audits showed compliance had improved since the first phase of audits, but none of the 63 audited entities achieved the top rating of 1 for risk analysis. A rating of 1 indicates the entity is fully compliant with the goals and objectives of the risk analysis standard of the HIPAA Security Rule. The majority (41) achieved a rating of 3 or 4, meaning minimal or negligible efforts have been put into compliance with the standard. It was worse for risk management, with 44 of the 63 audited entities receiving a 4 or 5 rating. A rating of 5 means the entity did not provide OCR with evidence of a serious attempt to comply with the risk management standard of the HIPAA Security Rule.
While compliance with the HIPAA Security Rule should have improved in the 7 years since the last round of HIPAA audits, the number of healthcare data breaches now being reported suggests otherwise. In 2017, 368 data breaches of 500 or more records were reported to OCR, and 5,131,289 healthcare records were breached. In 2023, 725 data breaches were reported, and more than 133 million records were breached. Hackers have increased their attacks on the healthcare sector in recent years, but the number of successful attacks strongly suggests that HIPAA-regulated entities are not fully complying with the risk analysis and risk management provisions of the HIPAA Security Rule.
In February 2023, OCR announced that it is seeking feedback on its audit program, which suggests that the HIPAA audit program is about to be resurrected. With OCR in desperate need of funding, the next round of audits may also result in fines for noncompliance. HIPAA-regulated entities should therefore read the guidance and apply its recommendations to their information security programs.