Ransomware Attacks Reported by 4 Healthcare Providers

Posted by Steve Alder

Ransomware attacks have been reported by Canopy Children’s Solutions, the Sleep Management Institute, the Epilepsy Foundation of Metro New York, and Hapy Bear Surgery Center.

Canopy Children’s Solutions

Mississippi Children’s Home Services, Inc., Mississippi Children’s Home Society, and CARES Center, Inc., which do business as Canopy Children’s Solutions, have notified 19,190 individuals about a ransomware attack that was detected on April 4, 2023.

Encrypted files were discovered on its systems and the forensic investigation confirmed that an unknown threat actor accessed certain files on its network and may have exfiltrated some of those files on April 4, 2023. A comprehensive and time-consuming review was conducted to determine the individuals affected and the types of data involved, and that process was completed on October 13, 2023. It then took until March 8, 2024, to review and verify the affected information and obtain up-to-date contact information. Canopy said it was a time-intensive process as, “Canopy has different relationships with the potentially impacted individuals, such an employer, health care provider or educator, that necessitated looking for addresses in several different databases.”

The information exposed varied from individual to individual and may have included names, Social Security numbers, driver’s license numbers, state identification numbers, financial account information, medical information, and health insurance information. Consumer notifications were mailed on April 11, 2024. The breach notice submitted to the Maine Attorney General indicates that 19,190 individuals were affected, including 5 Maine residents.

Sleep Management Institute

The Sleep Management Institute in Cincinnati, OH, has recently announced a ransomware incident that occurred on February 5, 2024. The investigation into the attack is ongoing; however, it has been confirmed that patient data was exposed in the attack. The forensic investigation confirmed that an unauthorized third party had access to its network between January 27, 2024, and February 6, 2024, and may have accessed some or all of the following:

Name, address, date of birth, Social Security Number or taxpayer identification number, driver’s license number or other government-issued identification number, passport number, financial account information, payment card information, username and other credential information, digital signature, biometric data, mother’s maiden name, IRS-issued pin number, clinical or treatment information, medical provider name(s), medical procedure information, health insurance information, prescription information, and any other information on an individual that was created, used, or disclosed in the course of providing health care services.

These types of information were exposed but it has yet to be determined which specific types of information were exposed for each affected individual. Notification letters will be sent to all potentially affected individuals, and in the interim to meet breach reporting requirements, the HHS’ Office for Civil Rights has been told that at least 500 individuals have been affected. The total will be updated when the actual number of affected individuals is known.

Steps taken in response to the incident to improve security include updates to network configurations and firewalls, the deployment of a 24/7 managed detection and response solution, adding content filtering on all devices, installing intrusion prevention systems and advanced malware protection to monitor and prevent malicious network traffic, and implementing a more secure VPN protocol.

The Epilepsy Foundation of Metro New York

The Epilepsy Foundation of Metro New York has fallen victim to a ransomware attack involving unauthorized access/exfiltration of patient data. The forensic investigation confirmed that its electronic medical record system was not accessed in the attack; however, an unauthorized individual gained access to other systems on or around November 8, 2022, although it was not possible to tell if those files containing patient information were accessed.

A review of the affected files was completed on October 12, 2023, and confirmed that they contained information such as names, Social Security numbers, dates of birth, individual medical information, driver’s license or other government IDs, and health insurance information. The breach was reported to the HHS’ Office for Civil Rights on April 8, 2024, and individual notification letters have now been sent. The OCR breach report indicates that 3,852 individuals were affected.

Hapy Bear Surgery Center

Hapy Bear Surgery Center, a pediatric dental clinic in Tulare, CA, has fallen victim to a cyberattack that affected the functionality and availability of some of its IT systems. The attack occurred on December 27, 2023, and the forensic investigation confirmed on March 8, 2024, that the threat actor responsible had access to files that contained patient data.

The review of the affected files was completed on March 19, 2024, and confirmed that full names, addresses, medical information, health insurance information, Social Security numbers, and driver’s license numbers had been exposed. While those types of data were exposed and may have been stolen, Hapy Bear Surgery Center is unaware of any actual or attempted misuse of the data.

In response to the attack, Hapy Bear Surgery Center replaced its firewall systems and engaged a managed cybersecurity services provider to oversee its digital environment. The affected individuals have now been notified and have been offered single bureau credit monitoring/single bureau credit report/single bureau credit score services at no cost. The incident is not yet showing on the HHS’ Office for Civil Rights breach portal, so it is unclear how many people have been affected.

The post Ransomware Attacks Reported by 4 Healthcare Providers appeared first on HIPAA Journal.

Email Incidents Reported by Randolph Health & Rutgers Robert Wood Johnson Medical School

Posted by Steve Alder

Randolph Health and Rutgers Robert Wood Johnson Medical School have recently reported email incidents involving the unauthorized access/disclosure of patient information.

Randolph Health

American Healthcare Systems LLC, doing business as Randolph Health in North Carolina, discovered a compromised employee email account on February 14, 2024. The email account was immediately secured to prevent further unauthorized access and third-party cybersecurity experts were engaged to investigate the incident. The investigation confirmed that the breach was limited to a single email account, and the review of the account confirmed that files were present that contained the protected health information of 899 patients.

The exposed data included full names, dates of birth, medical record numbers, health insurance identification numbers, and diagnosis codes. Randolph Health said it was not possible to tell if any of those files were accessed or acquired, so notification letters were sent to all potentially affected individuals. Randolph Health said it is committed to maintaining the privacy of personal information and has taken additional steps to improve security and will continue to evaluate its security practices.

Rutgers Robert Wood Johnson Medical School

Rutgers Robert Wood Johnson Medical School in New Brunswick, NJ, has identified an email incident involving the protected health information of 543 patients. On February 1, 2024, the medical school discovered a former employee had emailed patient data from their work email account to a personal email account. Several files had been emailed that included spreadsheets containing patient data, including patient names, medical record numbers, treatment information, and prescription information. The information was sent to the personal email account on January 19, 2024.

The affected individuals were notified by mail on April 1, 2024, and the matter has been reported to law enforcement for investigation and appropriate action. The affected individuals have been advised to monitor the statements they received from their healthcare providers and health insurance plan for any services that were not received, and if they are found, to report it to the relevant provider or health plan.

The post Email Incidents Reported by Randolph Health & Rutgers Robert Wood Johnson Medical School appeared first on HIPAA Journal.

Health Plan Data Exposed in Cattaraugus-Allegany Board of Cooperative Education Services Cyberattack

Posted by Steve Alder

Cyberattacks have been reported by Cattaraugus-Allegany Board of Cooperative Education Services and the Burlington, NC-based dentist, Mary H. Makhlouf, DMD, MS, PA. Highmark has discovered a database error that resulted in letters being mailed to incorrect addresses.

Cattaraugus-Allegany Board of Cooperative Education Services Cyberattack Affects 15,203 Medical Plan Members

Cattaraugus-Allegany Board of Cooperative Education Services (CABOCES) in southwestern New York has fallen victim to “a sophisticated cyberattack… that caused some of its internal tools, software, and servers to become temporarily unavailable.” CABOCES engaged third-party cybersecurity experts who confirmed that an unauthorized third party had access to its systems between July 5, 2023, and July 20, 2023. During that time, the attacker had access to the data of current and former employees who were members of the AC Schools Medical Health Plan.

The review of the affected files confirmed that they contained names, Social Security numbers, financial account information, driver’s license numbers, passport information, medical information, and/or health insurance information. Notifications started to be mailed to the 15,203 affected individuals on April 4, 2024.

Highmark Discovers Database Error Caused Letters to be Sent to Previous Addresses

Highmark has discovered that an August 2023 database update resulted in care and case management letters to members’ previous addresses. The error was identified and corrected in February 2024, letters; however, between August 2023 and February 2024, letters were inadvertently mailed to individuals’ previous addresses. The error only affected individuals who previously had a change of address – 5,356 individuals.

The letters included the individual’s name and Highmark identification number, and depending on the type of letter sent, may also have included a reference number, employer group name and number, date of birth, a service date range, a service or procedure code and description, medication name and dosage, and the provider or facility name.  Notification letters were sent to the affected individuals on April 2, 2024.

Highmark said the error has been fixed and additional controls have been implemented to prevent similar incidents in the future, including database changes to maintain the accuracy of member addresses, flags for the current active address, and validation checks to make sure that members have only one active address loaded to the database.

North Carolina Dental Practice Suffers Ransomware Attack

The Burlington, NC-based dentist, Mary H. Makhlouf, DMD, MS, PA, has recently announced that her practice was hit with a sophisticated ransomware attack on January 24, 2024. Upon detection, the network was immediately secured to prevent further unauthorized access, and third-party cybersecurity specialists were engaged to investigate the incident.

The investigation uncovered evidence that portions of patient files were subject to unauthorized access. While it has not yet been possible to determine exactly what information was accessed or copied from the network, the exposed files contained names and one or more of the following types of information: address, phone number, email address, date of birth, Social Security Number, driver’s license/state ID number, financial account information, treatment/diagnosis information, prescription information, provider name, medical record/case number, Medicare/Medicaid ID number, health insurance information, and treatment cost.

Notification letters will shortly be mailed to the affected individuals once up-to-date address information has been obtained. The breach has recently been reported to the HHS’ Office for Civil Rights as affecting up to 1,797 individuals.

The post Health Plan Data Exposed in Cattaraugus-Allegany Board of Cooperative Education Services Cyberattack appeared first on HIPAA Journal.