Patient Data Stolen from Livanova in October 2023 Ransomware Attack

Posted by Steve Alder

The medical device manufacturer Livanova, the Massachusetts community behavioral health center Aspire Health Alliance, and Santa Rosa Behavioral Healthcare Hospital in California have experienced ransomware attacks that exposed patient data.

Livanova, London, UK

Livanova, a UK-headquartered medical device manufacturer specializing in cardiac surgery and neuromodulation devices, has suffered a ransomware attack that disrupted portions of its IT systems. The ransomware attack was discovered on November 19, 2023, and the forensic investigation confirmed that hackers gained access to its network on October 26, 2023. The LockBit ransomware group claimed responsibility for the attack.

Livanova announced in a SEC filing in November that it was dealing with a cyberattack; however, it was initially unclear to what extent patient data was involved. On April 10, 2024, Livanova confirmed that the personal and protected health information of U.S. patients had been exfiltrated from its systems in the attack. In an April 25, 2024, announcement, Livanova said the investigation is ongoing however it has been determined that information such as names, contact information, dates of birth, Social Security numbers, health insurance information, and medical information such as diagnoses, conditions, treatment information, prescription information, medical record number, device serial numbers, and physician names were involved.

The affected individuals have been advised to monitor their credit reports and account statements and to be alert to unsolicited communications involving personal information. Livnova has arranged for complimentary identity protection and credit monitoring services to be provided to the affected U.S. patients. It is currently unclear how many individuals have been affected. In a February 2024 earnings call, the company confirmed that the company had incurred costs of around $2.6 million in Q4, 2023, as a result of the attack.

Aspire Health Alliance, Massachusetts

Aspire Health Alliance, a state-designated community behavioral health center with facilities in Quincy, Braintree, and Marshfield in Massachusetts, has notified 17,490 individuals about a cyberattack that was detected on September 13, 2023. Suspicious activity was identified within its computer network and a third-party forensic investigation confirmed that its systems had been accessed by an unauthorized third party that acquired certain files and data stored on its network.

A comprehensive review was conducted to determine the types of data involved, and that process was completed on February 26, 2024, when it was confirmed that personal and protected health information was involved. The types of data varied from individual to individual and may have included names, other personal identifiers, and Social Security numbers. While data was exposed or acquired, no reports have been received to indicate any patient data has been misused. Complimentary credit monitoring and identity protection services have been offered to individuals whose Social Security numbers were impacted, and additional security measures have been implemented to reduce the risk of a similar incident occurring in the future.

Santa Rosa Behavioral Healthcare Hospital, California

Santa Rosa Behavioral Healthcare Hospital, part of the Northern California Behavioral Health System (NCBHS), has fallen victim to a cyberattack that disrupted some of its IT systems. The attack was detected on January 28, 2024, and a third-party forensic investigation confirmed that an unauthorized third party accessed its network between January 27, 2024, and January 28, 2024. During that time, files containing patient data were accessed or acquired.

The file review confirmed that the following types of information had been exposed or stolen: names, dates of birth, medical record numbers, services received, dates of services, treating physician, and for some patients, Social Security numbers and/or driver’s license numbers. Affected patients have been advised to monitor the statements they receive from their healthcare providers and health insurers and report any services they haven’t received. Individuals whose Social Security or driver’s license numbers were involved have been offered complimentary identity theft protection services. The incident has been reported to regulators but is not yet shown on the Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

The post Patient Data Stolen from Livanova in October 2023 Ransomware Attack appeared first on HIPAA Journal.

Email Breach at Wisconsin Dental Surgery Center Affects 13,000 Patients

Posted by Steve Alder

Bay Oral Surgery & Implant Center (Bay Oral), a network of oral & maxillofacial dental surgery centers serving the Green Bay, Marinette, and Niagara communities in Wisconsin, has recently reported a data breach to the HHS’ Office for Civil Rights (OCR) that involved the protected health information of 13,055 patients.

On February 27, 2024, Bay Oral identified suspicious activity in an employee’s email account. The password for the account was immediately changed to prevent further unauthorized access and a third-party cybersecurity firm was engaged to investigate the incident. The forensic investigation confirmed that an unauthorized individual had installed software and gained access to an employee’s email account on January 18, 2024.

The review of the emails and attachments confirmed that patients’ protected health information had been exposed. The types of information involved included names, addresses, email addresses, dates of birth, Social Security numbers, insurance card numbers, credit card numbers, banking account information, x-rays, patient health history forms, patient visit summaries, medical history questionnaires, and other types of patient health information that had been shared via email. The investigation could not determine if the unauthorized individual viewed or copied emails or attachments in the account.

In addition to immediately securing the email account, Bay Oral has taken several other steps to prevent similar incidents in the future. They include changing IT companies, implementing a 24/7 protection and monitoring solution, and implementing new policies and procedures to ensure that patients’ protected health information is not stored in email accounts.

Bay Oral said it is unaware of any reports of fraud or identity theft at the time of issuing notifications. The affected patients have been advised to be vigilant for incidents of fraud and identity theft by regularly reviewing their credit reports, credit statements, bank accounts, and other financial accounts for unauthorized activity.

The post Email Breach at Wisconsin Dental Surgery Center Affects 13,000 Patients appeared first on HIPAA Journal.

Which Section of the OSH Act Prevents Employers Discriminating Against Employees?

Posted by Steve Alder

Section 11(c) of the OSH Act prevents employers discriminating against employees when they exercise their rights to engage in a protected activity as defined by the Occupational Safety and Health Act. However, before filing an 11(c) complaint with OSHA, it is important to understand what activities are protected and what OSHA defines as discrimination.

One of the goals of the Occupational Safety and Health Act (OSH Act) is to involve workers in workplace safety and health (§1977.1(c)). To achieve this goal, the OSH Act encourages employers to create workplace environments in which employees feel comfortable asking questions, voicing concerns, or reporting injuries and illnesses without fear of discrimination.

If employers fail to create a suitable environment, and are not responsive to employees’ concerns, the OSH Act gives employees the right to escalate their concerns to the Occupational Safety and Health Administration (OSHA). Section 11(c) of the OSH Act prevents employers discriminating against employees when they exercise this right – and several others.

What Employee Rights are Protected Activities?

The OSH Act does not define protected activities as these can vary according to industry and State OSHA Plan. However, in guidance relating to how the OSH Act prevents employers discriminating against employees, the protected activities listed include:

  • Asking questions about safety or health matters.
  • Voicing concerns about safety or health in the workplace.
  • Reporting a work-related injury or illness.
  • Requesting safety or illness data sheets.
  • Requesting copies of OSHA standards or regulations.
  • Filing a safety or health complaint with OSHA.
  • Participating in an on-site OSHA inspection.

If an employee experiences an “unfavorable employment action” after engaging in a protected activity that they would not have experienced but for engaging in a protected activity, they can file a whistleblower complaint with OSHA. To qualify for investigation, the complaint must be filed within 30 days (longer for some State OSHA Plans) and allege one of the following:

  • The employee was fired or laid off for engaging in a protected activity.
  • There was a failure to hire an applicant or to rehire a former employee.
  • The employee was denied overtime or there was a reduction in pay or hours.
  • The employee was demoted or reassigned – affecting their prospects for promotion.
  • The employee was disciplined, threatened, or intimidated by – on the instruction of – the employer.

How to File an OSHA 11(c) Complaint

If an employee believes they have been discriminated against, they can file an OSHA 11(c) complaint online by visiting www.whistleblowers.gov/complaint_page. It is also possible to file an OSHA 11(c) complaint by phone on 1-800-321-6742, or in person by visiting the closest OSHA regional or area office. OSHA 11(c) complaints cannot be filed anonymously.

If the OSHA 11(c) complaint is upheld, OSHA will attempt to facilitate a voluntary agreement to correct the discrimination and pay “relief”. The amount of relief may depend on the nature and length of the discrimination, and could include reinstatement, back pay with interest, compensation for expenses the employee has incurred, and damages for emotional distress.

If it is not possible to facilitate a voluntary agreement, the Department of Labor will pursue relief on behalf of the employee, costs, and punitive damages via the U.S. District Court. As this can be expensive for employers, it is not only important for employers to know which section of the OSH Act prevents employers discriminating against employees, but how Section 11(s) of the OSH Act prevents employers discriminating against employees.

Related Content

OSHA and HIPAA Compliance

OSHA Compliance Checklist

Submit an OSHA Complaint

OSHA Section 11(c) Compliance

How Does OSHA Enforce its Standards?

The post Which Section of the OSH Act Prevents Employers Discriminating Against Employees? appeared first on HIPAA Journal.