ConsensioHealth Ransomware Attack Affects 61,000 Patients

The Wisconsin-based medical billing service, ConsensioHealth, has recently notified 60,871 individuals about a July 2023 ransomware attack. The attack was discovered on July 3, 2023, when staff were prevented from accessing files on the network. Steps were immediately taken to prevent further unauthorized access and third-party cybersecurity experts were engaged to assist with the investigation and to help determine whether patient data was accessed or copied from its systems. The investigation confirmed that data had been stolen, and on November 7, 2023, it was confirmed that some of those files contained the data of patients of the following covered entities:

  • Emergency Medicine Specialists, S.C.
  • Ascension Wisconsin
  • Wisconsin Urgent Care
  • Kenosha Urgicare
  • Fox Valley Emergency Medicine
  • Dr. Linda Jingle
  • Woundcare Innovations of Golf Land

The impacted data varied from individual to individual and may have included the following data types: Name, address, date of birth, driver’s license or other state identification number, Social Security number, account access credentials, health insurance information, medical treatment and diagnosis information, medical treatment cost information, patient account number, Medicare or Medicaid number, healthcare provider information, and prescription information.

ConsensioHealth said its information security practices have been reviewed and updated and additional security measures have been implemented.

Southeastern Orthopaedic Specialists Data Incident Affects 35,500 Patients

Southeastern Orthopaedic Specialists in Greensboro, NC, has identified unauthorized access to its network and the potential theft of the protected health information of 35,533 patients.

The Southeastern Orthopaedic Specialists substitute breach notice is devoid of any meaningful information about the data incident, which is described as “a cybersecurity incident that impacted its IT systems.” The breach notice does not state when the breach occurred, when it was detected, for how long hackers had access to the network, whether there was access to patient data, if data was stolen, what types of data were exposed or stolen, or the nature of the attack.

The December 19, 2023, notice only states that no evidence of fraud or identity theft was identified, which may lead the affected individuals to believe that there is little risk; however, there is insufficient information in the notice to allow the affected individuals to gauge the level of risk they face. The breach was sufficiently severe to warrant providing the affected individuals with complimentary credit monitoring and identity theft protection services, and it is strongly advisable to take advantage of those services.

Data of Healthcare Clients Exposed in Burr & Forman Cyberattack

The Birmingham, Alabama Am Law 200 firm, Burr & Forman, has recently confirmed that it fell victim to a cyberattack in October 2023 which resulted in unauthorized access to client data, including two clients that are covered by HIPAA. Suspicious activity was detected on one of its laptops in October and the laptop was immediately isolated to prevent further access.

According to the law firm Constangy, Brooks, Smith & Prophete, which is representing Burr & Forman, the cyberattack was detected promptly and rapidly contained, but it was not possible to prevent unauthorized access to documents on its systems. On November 10, 2023, it was confirmed that there had been access to the data of its client Oceans Healthcare and one other unnamed HIPAA-covered entity. In total, the personal and protected health information of 19,893 individuals was exposed.

Burr & Forman was provided with personal information in connection with the legal services provided to its healthcare clients and that information included names, Social Security numbers, medical coding information, dates of service, and insurance information. In its substitute breach notification, Burr & Forman confirmed it is notifying the individuals affected and has provided resources to assist them, and has enhanced network security to prevent similar breaches in the future.

Sharp Health Plan Notifies Members About MOVEit Hack and Mismailing Incident

8,200 Sharp Health Plan members have recently been notified that some of their protected health information was compromised in a hacking incident at one of its business associates, Delta Dental. Delta Dental used the MOVEit Transfer file transfer solution, which was hacked by the Clop hacking group and data were exfiltrated between May 27 and May 30, 2023. Delta Dental’s investigation indicated in July 2023 that Sharp Health Plan member information may have been involved, and that was confirmed on November 17, 2023; however, it took until late December to determine which members had been affected. The stolen data was limited to members’ first and last names, Social Security numbers, dental provider names, health insurance, and treatment cost information. The affected individuals are being notified directly by Delta Dental.

Sharp Health Plan has also notified certain members about a mismailing incident that occurred on December 26, 2023. A system error in the software of the health plan’s mailing vendor resulted in members’ names being omitted from the envelopes. Without a name on the envelope, other household members may have opened the letters. The letters listed the intended recipient’s name, address, and behavioral health provider’s name, and confirmed that the member visited the provider in 2023.

Rebekah Children’s Services Reports September 2023 Cyberattack

Rebekah Children’s Services in Gilroy, CA, identified suspicious activity on its network on September 5, 2023, and engaged a third-party forensics firm to investigate to determine the nature of the attack. The forensic investigation confirmed that hackers had gained access to parts of the network where protected health information was stored, and the file review confirmed that names, addresses, Social Security numbers, dates of birth, health information, health insurance information, treatment information, medications, and driver’s license numbers had potentially been obtained. Steps have been taken to improve security and the 2,805 affected individuals have been notified and offered complimentary access to single bureau credit monitoring services.

The post ConsensioHealth Ransomware Attack Affects 61,000 Patients appeared first on HIPAA Journal.

FTC Prohibits Data Broker from Selling Sensitive Location Data

The Federal Trade Commission (FTC) has announced its first settlement with a data broker over the sale of the precise geolocation data of consumers. Under the terms of the settlement, X-Mode Social is prohibited from selling or sharing sensitive location data with third parties unless it obtains consent from consumers or de-identifies the data.

Virginia-based X-Mode Social, now Outlogic LLC, works with app developers and provides a software development kit (SDK) that can be integrated into smartphone apps to collect data via those apps, including precise geolocation data. Precise geolocation data can identify where an individual lives and works, the residences of friends and family members, and other locations they visit. Some of those locations may be highly sensitive, such as places of worship, domestic violence centers, addiction treatment centers, places offering services to the LGBTQIA+ community, and reproductive health facilities. If precise geolocation data is collected that confirms consumers’ visits to sensitive locations such as reproductive health clinics and places of worship, they could face discrimination, physical violence, emotional distress, and other harms. Sen. Ron Wyden determined that X-Mode had sold sensitive location data to U.S. military contractors in 2020, and another customer, a private clinical research company, paid X-Mode for access to consumer information that included visits to medical facilities, pharmacies, and specialty infusion centers across Columbus, Ohio, according to the FTC complaint.

FTC Alleges X-Mode Social Engaged in Unfair and Deceptive Practices

The FTC launched an investigation to determine whether the data broker had engaged in unfair or deceptive acts or practices. The FTC alleged that X-Mode sold raw data to third parties that did not have sensitive locations removed. X-Mode is also alleged to have failed to implement reasonable and appropriate safeguards against downstream use of that data. In addition to purchasing geolocation data from third-party apps, X-Mode also has its own apps – Drunk Mode and Walk Against Humanity. The FTC alleges users of those apps were not fully informed about how precise geolocation data would be used.

According to the FTC, X-Mode did not have policies and procedures in place to remove sensitive locations from its raw data before it was sold, users of its own apps were not informed about who would receive their data, and safeguards were not put in place to ensure that it could honor requests by users to opt out of the tracking of their movements and the serving of personalized advertisements. The FTC alleged these failures constituted violations of Section 5 of the FTC Act.

“With this action, the commission rejects the premise so widespread in the data broker industry that vaguely worded disclosures can give a company free license to use or sell people’s sensitive location data,” said FTC chair Lina M. Khan.

Settlement Reached to Resolve FTC Complaint

Under the terms of the settlement, X-Mode and Outlogic are required to implement a program for maintaining a comprehensive list of sensitive locations and that information cannot be shared, sold, or transferred unless consent is obtained from consumers. X-Mode and Outlogic are also prohibited from using location data when they cannot determine if a consumer has provided consent.

X-Mode and Outlogic must develop a supplier program to ensure that all companies they purchase data from are obtaining consent from consumers covering the collection, sale, and use of that data, and all precise geolocation data indicating visits to sensitive locations that was collected without consent must be deleted or destroyed, unless the data has been de-identified.

X-Mode and Outlogic are also required to implement procedures to ensure that recipients of their location data do not associate the data with locations that provide services to LGBTQ+ people, such as bars or service organizations, or with locations of public gatherings of individuals at political or social demonstrations or protests, and do not use the location data to determine the identity or location of a specific individual.

Consumers must also be provided with a simple and easy-to-find method of withdrawing their consent to the collection and use of their location data and of requesting that the data be deleted. X-Mode and Outlogic must also provide a clear and concise way for consumers to request that any businesses or individuals that have received their personal data remove the location data from commercial databases.

Outlogic’s public relations firm provided a statement in response to the FTC complaint and settlement. “We disagree with the implications of the FTC press release. After a lengthy investigation, the FTC found no instance of misuse of any data and made no such allegation. Since its inception, X-Mode has imposed strict contractual terms on all data customers prohibiting them from associating its data with sensitive locations such as healthcare facilities. Adherence to the FTC’s newly introduced policy will be ensured by implementing additional technical processes and will not require any significant changes to business or products.”

The agreement will be published in the Federal Register and comments will be accepted for 30 days, after which the FTC will decide whether to make the proposed consent order final.

The post FTC Prohibits Data Broker from Selling Sensitive Location Data appeared first on HIPAA Journal.