Email Accounts Compromised at The Foleck Center, Mountain Dermatology Specialists
The Foleck Center in Virginia and Mountain Dermatology Specialists in Colorado have discovered unauthorized access to employee email accounts and the exposure of patient data.
The Foleck Center Discovers Forwarding Rule on Employee Email Account
The Foleck Center, a provider of cosmetic, implant, and general dentistry services in Norfolk, Hampton, and Virginia Beach, has recently notified 6,965 patients that some of their protected health information has been acquired by an unauthorized individual.
On October 26, 2023, The Foleck Center was made aware that one of its employees had a forwarding rule on their email account that sent emails to a Gmail account. The Foleck Center contacted its managed IT service provider, which performed a forensic investigation. The investigation revealed that this was not a HIPAA violation by the employee: an unauthorized third party had gained access to the email account and set up the forwarding rule on September 4, 2023.
Copies of all emails sent to the employee’s account between September 4, 2023, and October 31, 2023, were forwarded to the Gmail account. The Gmail account had not been set up by the employee or anyone else at The Foleck Center. The IT company secured the account and implemented additional safeguards to prevent mailbox rules from being set up for external forwarding.
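A defender-side check for the condition described above, written as an added example (not code from the post or from either practice's IT provider): it audits an exported list of mailbox rules and flags any rule that forwards or redirects mail to a domain the organisation does not own. The record layout, the domains and the sample rule entries are constructed assumptions; a real admin export will use different field names.

```python
"""Audit exported mailbox rules for forwarding to external domains.

Added example, not code from the original post. The record layout and the
sample rules below are constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    mailbox: str
    rule_name: str
    target: str
    created: str


# Constructed sample export: one entry per rule, listing every address the
# rule forwards or redirects to. The third entry mirrors the incident above:
# a rule on an employee account that copies mail to a free webmail box.
SAMPLE_RULES = [
    {"mailbox": "frontdesk@example-dental.test", "name": "File invoices",
     "forward_to": [], "redirect_to": [], "created": "2023-06-12"},
    {"mailbox": "billing@example-dental.test", "name": "Copy to manager",
     "forward_to": ["manager@example-dental.test"], "redirect_to": [],
     "created": "2023-08-01"},
    {"mailbox": "scheduler@example-dental.test", "name": "Forward all",
     "forward_to": ["placeholder-external-box@gmail.com"], "redirect_to": [],
     "created": "2023-09-04"},
]


def _domain(address: str) -> str:
    """Domain part of an email address, lower-cased for comparison."""
    return address.rsplit("@", 1)[-1].lower()


def flag_external_forwarding(rules, org_domains):
    """Return a Finding for every forward/redirect target outside org_domains."""
    allowed = {d.lower() for d in org_domains}
    findings = []
    for rule in rules:
        for target in rule.get("forward_to", []) + rule.get("redirect_to", []):
            if _domain(target) not in allowed:
                findings.append(Finding(rule["mailbox"], rule["name"],
                                        target, rule["created"]))
    return findings


if __name__ == "__main__":
    for f in flag_external_forwarding(SAMPLE_RULES, ["example-dental.test"]):
        print(f"{f.mailbox}: rule '{f.rule_name}' forwards to {f.target} "
              f"(created {f.created})")
```

Running this kind of audit on a schedule, and alerting on any new finding, would have surfaced the rule on the day it was created rather than seven weeks later.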
While it was possible to tell which emails had been forwarded between September 4, 2023, and October 31, 2023, it was not possible to determine if any other emails in the account had been read or copied. All emails were reviewed to check which patient data had been exposed or stolen, and all individuals whose PHI was present in the account were notified. The information exposed varied from individual to individual and may have included names, addresses, dates of birth, employer name and address, dates and office locations of treatment/appointments, patient and system ID numbers, and insurance information. A limited number of patients also had their Social Security numbers and/or driver’s license numbers exposed.
The Foleck Center said it already provides HIPAA and security awareness training for employees several times a year, and additional training is now being provided to improve password and network security further.
Email Account Breach Reported by Mountain Dermatology Specialists
Mountain Dermatology Specialists in Edwards and Dillon, CO, has also recently reported an email account breach that was detected on October 26, 2023. An unauthorized individual gained access to the email account of one of its employees and used the account to send phishing emails to contacts within the mailbox.
The forensic investigation confirmed there had been unauthorized access to the email account between October 24, 2023, and October 26, 2023. A review of the emails in the account confirmed that the protected health information of 2,705 patients was exposed, including full names, addresses, dates of birth, phone numbers, email addresses, dates of treatment, types of treatment, conditions/diagnoses, medications, health insurance information, and cost/billing information/amount paid. A limited number of individuals also had their Social Security numbers and/or compensation/benefits information exposed.
Mountain Dermatology Specialists said it has implemented additional technical safeguards, performed password resets, and reinforced security awareness training for the workforce.
The post Email Accounts Compromised at The Foleck Center, Mountain Dermatology Specialists appeared first on HIPAA Journal.
Parathon by JDA eHealth Systems Confirms July 2023 Cyberattack
Parathon by JDA eHealth Systems, a revenue cycle management company in Naperville, Illinois, has recently notified state attorneys general that it suffered a cyberattack on July 27, 2023. In its December 22, 2023, notification to the Montana Attorney General, Parathon explained that unauthorized individuals were able to access the protected health information of patients of its clients. The types of information involved varied from individual to individual and may have included names in combination with one or more of the following: address, date of birth, and/or protected health information, including but not limited to diagnosis, claims information, and health insurance information.
The notification does not state whether files were encrypted in the attack, but Parathon said data was stolen and a ransom payment was demanded. Parathon said, “We have taken all efforts possible to mitigate any further exposure of your personal information and related identity theft.” The Akira threat group claimed responsibility for the attack and added Parathon to its data leak site, but has since removed the listing, which suggests the ransom was paid. Akira claimed to have stolen 560GB of data.
In its breach notification letters, Parathon said, “We are committed to doing everything we can to protect the privacy and security of the personal information in our care.” Additional safeguards have been implemented, security measures have been enhanced to better protect the data in its systems, and Parathon has reviewed its policies and procedures relating to data security. Parathon said it has found no evidence to indicate any misuse of the stolen data, but as a precaution, has offered three complimentary services to the affected individuals: single bureau credit monitoring, single bureau credit report, and single bureau credit score, which are being provided by Cyberscout.
It is unclear how many clients were affected. The HIPAA Journal has been able to confirm that one of the affected clients is NorthShore University Health System. While state attorneys general have been notified, the incident has not yet appeared on the HHS’ Office for Civil Rights website, so it is unclear how many individuals have been affected.
31,000 Individuals Affected by Cyberattack on Eye Physicians of Central Florida
Eye Physicians of Central Florida, PLLC, has recently announced that the protected health information of 31,189 patients has been exposed and potentially stolen in a recent cyberattack. Eye Physicians of Central Florida, a division of Florida Pediatric Associates, identified suspicious network activity on November 5, 2023. Steps were immediately taken to prevent further unauthorized access to its systems and a forensic investigation was launched to determine the nature and scope of the incident.
The investigation confirmed there had been unauthorized access to parts of its network where patient information was stored. At the time of issuing notification letters to the affected individuals on December 6, 2023, no evidence had been found to indicate any actual or attempted misuse of patient data; however, out of an abundance of caution, affected individuals have been offered complimentary credit monitoring and identity theft protection services.
The types of data exposed included names, addresses, dates of birth, medical diagnosis and treatment information, provider names, patient ID numbers, procedure codes, dates of service, treatment cost information, financial account information, state ID, health insurance information, and/or prescription information.
Eye Physicians of Central Florida said it is reviewing its current policies and procedures related to data security and will make improvements, as necessary, to harden security.