Pan-American Life Insurance Group Reports 105,000-Record Data Breach

Posted by Steve Alder

Pan-American Life Insurance Group, Inc. (PALIG) has recently confirmed that it was one of the victims of the Clop hacking group, which exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution in late May 2023.

PALIG was notified about the vulnerability by Progress Software and immediately disabled to software until the patch could be applied. The patch was applied, and steps were taken to improve the security of its systems. At the same time, an investigation was launched to determine if the vulnerability had been exploited, and that proved to be the case. On October 5, 2023, PALIG determined that files had been removed from the MOVEit server that contained the protected health information of 105,387 individuals, including names, addresses, Social Security numbers, dates of birth, driver’s license numbers, contact information, medical and medical benefits information, subscriber numbers, certain biometric data, and financial account and credit card information.

PALIG has now notified those individuals and has offered complimentary credit monitoring services. PALIG has also confirmed that steps have been taken to further improve security and ensure the security of third-party transfer tools.

Bellin Health Notifies Patients About October Cyberattack

Bellin Health has recently announced that an unauthorized third party gained access to its internal systems and may have viewed or acquired the information of patients who purchased home care equipment between 2006 and 2013. Unauthorized activity was detected within its computer systems on October 27, 2023. Its IT security team immediately took steps to contain the activity and launched an investigation to determine the nature and scope of the unauthorized activity.

Assisted by third-party cybersecurity experts, Bellin Health determined that a cyber actor gained access to a folder containing archived scanned documents that contained patient names in combination with one or more of the following: address, phone number, date of birth, and/or health information related to home care equipment. A limited number of documents also included Social Security numbers.

Bellin Health said it has strengthened system security and will continue investing in cybersecurity. The breach was reported to the HHS’ Office for Civil Rights as affecting 20,790 individuals. Patients whose Social Security numbers were exposed have been offered complimentary credit monitoring and identity theft protection services.

Clay County, Minnesota Suffered a Ransomware Attack in October

Clay County in Minnesota announced on December 22, 2023, that it fell victim to a ransomware attack in October. The unauthorized activity was detected in its electronic document management system on October 27, 2023, and the forensic investigation revealed there had been unauthorized access between October 23, 2023, and October 26, 2023, when ransomware was used to encrypt files.

The investigation confirmed that access had been gained to names in combination with one or more of the following: address, date of birth, Social Security number, information regarding services provided by Clay County Social Services (locations of service, dates of service, client identification number or unique identifier), insurance identification number, and insurance or billing information.

Clay County officials confirmed that they have taken several steps to improve security, including implementing multifactor authentication for remote access to the compromised CaseWorks application, updating procedures for external access by vendors, implementing tools to enhance detection and accelerate the response to cyber incidents, and implementing enhanced technical security measures for the CaseWorks application.

The incident is not yet showing on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

The post Pan-American Life Insurance Group Reports 105,000-Record Data Breach appeared first on HIPAA Journal.

Retina Group of Washington Data Breach Affects 456,000 Patients

Posted by Steve Alder

Almost 456,000 individuals have been affected by a Retina Group of Washington data breach and have started receiving notifications, 9 months after the breach occurred.

On December 22, 2023, Retina Group of Washington, PLLC, filed a breach report with the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) that involved the protected health information of 455,935 individuals. Notification letters started to be mailed the same day.

According to the notification letters, Retina Group of Washington started experiencing difficulty accessing information on some of its systems on March 26, 2023. An investigation was launched, and the Federal Bureau of Investigation (FBI) was notified, and it was determined that the file access problems were due to a cyberattack.

Retina Group of Washington did not state the cause of the cyberattack but the wording of the letters suggests this was a ransomware attack. In the notification letters, Retina Group of Washington said the investigation into the cyberattack is still ongoing, but it has been confirmed that patient data was stolen in the attack.

The types of information involved include names, addresses, telephone numbers, email addresses, dates of birth, demographic information, Social Security numbers, Driver’s license numbers, medical record numbers, health information, payment information, and health insurance information.

Retina Group of Washington said it has not identified any attempted or actual misuse of patient data and will continue to implement additional procedures and security measures to strengthen the security of its systems.

Based on the breach notifications, it does not appear that credit monitoring and identity theft protection services are being offered. Affected patients have been told to “remain vigilant against incidents of identity theft and fraud, to review their account and explanation of benefits statements, and to monitor their free credit reports for suspicious activity and to detect errors.” Retina Group of Washington also suggests placing a credit freeze on accounts.

The post Retina Group of Washington Data Breach Affects 456,000 Patients appeared first on HIPAA Journal.

FTC Prohibits Rite Aid from Using Facial Technology System for Surveillance for 5 Years

Posted by Steve Alder

Rite Aid has been banned from using facial recognition technology for security surveillance for five years as part of a settlement with the Federal Trade Commission (FTC), which determined the pharmacy chain failed to mitigate potential risks to consumers from misidentification.

Between 2012 and 2020, Rite Aid used artificial intelligence-based facial recognition technology in hundreds of its stores to identify customers who may have been engaged in shoplifting or other problematic behaviors. While the system correctly identified many individuals who had engaged in these behaviors, the system also recorded thousands of false positives, where the facial recognition technology incorrectly matched individuals with others who had previously been identified as shoplifters or had engaged in other problematic behaviors. The misidentified individuals were then erroneously accused of wrongdoing by Rite Aid employees.

The FTC found that the facial recognition technology was more likely to record false positives in communities that were predominantly Black or Asian, compared to plurality-White communities, indicating bias in the technology and heightened risks to certain consumers because of race or gender. According to the FTC, Rite Aid contracted with two technology firms to build a database of images and videos of “persons of interest,” who were thought to have engaged in shoplifting or other problematic behaviors in Rite Aid stores, and that database was used for the AI-based facial recognition system. Tens of thousands of images and videos were collected along with names and background information, including background criminal data. Many of the images in the database were of low quality and had been collected from store security cameras, the mobile devices of employees, and in some cases, from news stories. “The technology sometimes matched customers with people who had originally been enrolled in the database based on activity thousands of miles away, or flagged the same person at dozens of different stores all across the United States”, according to the FTC.

“Rite Aid’s reckless use of facial surveillance systems left its customers facing humiliation and other harms, and its order violations put consumers’ sensitive information at risk,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Today’s groundbreaking order makes clear that the Commission will be vigilant in protecting the public from unfair biometric surveillance and unfair data security practices.”

Rite Aid was alleged to have failed to consider and mitigate risks to consumers from misidentification, failed to take into account the limitations of the technology and the high risk of misidentifying Black and Asian individuals, did not properly test, assess, measure, document, or inquire about the accuracy of the technology before deployment, failed to prevent low-quality images from being fed into the system, failed to monitor or test the accuracy of the technology after deployment, and failed to adequately train employees tasked with operating the technology and flag that it could generate false positives.

The FTC also said Rite Aid violated a previous 2010 data security order with the FTC that resolved a complaint that Rite Aid failed to protect the medical privacy of customers and employees, which required Rite Aid to implement a comprehensive information security program. As an example, the FTC alleged that Rite Aid conducted many security assessments of service providers orally and did not obtain or possess backup documentation of those assessments, including those that were considered by Rite Aid to be high-risk.

Rite Aid has been ordered to delete or destroy all photos and videos of consumers used in connection with the operation of the facial recognition or analysis system within 45 days, and within 60 days, to identify all third parties that received photos or videos as part of the facial recognition and analysis and instruct them to also delete the photos and videos.

In addition to the ban on facial recognition technology, Rite Aid is prohibited from using any automated biometric security or surveillance system that is not otherwise prohibited by the order unless a comprehensive automated biometric security or surveillance system monitoring program is established and maintained to identify and address risks that could result in physical, financial, or reputational harm to consumers, stigma, or severe emotional distress.

Rite Aid must also notify consumers when their biometric information is enrolled in a database used in connection with a biometric security or surveillance system and when Rite Aid takes some kind of action against them based on an output generated by such a system, and must investigate and respond to consumer complaints about actions taken against them based on automated biometric security or surveillance system.

Rite Aid said it is pleased to have reached an agreement with the FTC which means the company can put the matter behind it; however, said, “We fundamentally disagree with the facial recognition allegations in the agency’s complaint.” Rite Aid also explained that the allegations related to a facial recognition technology pilot program that was deployed in a limited number of stores. “Rite Aid stopped using the technology in this small group of stores more than three years ago, before the FTC’s investigation regarding the Company’s use of the technology began.” All parties have agreed to the consent order but it has yet to be approved by a judge.

The post FTC Prohibits Rite Aid from Using Facial Technology System for Surveillance for 5 Years appeared first on HIPAA Journal.

Fred Hutchinson Cancer Center Lawsuits Mount After Cyberattack and Data Breach

Posted by Steve Alder

More than half a dozen lawsuits have been filed against the Fred Hutchinson Cancer Center over a cyberattack and data breach that occurred over the Thanksgiving weekend. Unauthorized individuals gained access to its network where patient data was stored and removed files containing names, contact information, medical information, and Social Security numbers. The Hunters International hacking group claimed responsibility for the attack, and when the Fred Hutchinson Cancer Center refused to pay the ransom demand, they turned their attention to patients and started contacting them directly demanding payment of $50 to have their stolen data deleted. The hacking group claimed to have stolen the data of 800,000 patients.

Class action lawsuits are commonly filed after large data breaches, and it was inevitable that the affected individuals would take legal action given that they had been directly threatened by the individuals behind the attack. The lawsuits make similar claims, and it is therefore likely that they will be consolidated into a single class action lawsuit. The most common claims are that the Fred Hutchinson Cancer Center was negligent by failing to implement reasonable and appropriate safeguards to protect its internal networks and patient data against unauthorized access and that the breach occurred as a result of those security failures.

One of the lawsuits – Alexander Irvine and Barbara Twaddell v. Fred Hutchinson Cancer Center and University of Washington – was filed in the Superior Court of the State of Washington in King County, and claims that the plaintiffs believed that the defendants had implemented and maintained reasonable and appropriate security practices due to the representations of the defendants, when that was not the case. Both of the named plaintiffs claim they first learned about the data breach when they were contacted directly by the hackers and threatened with the public release/sale of their sensitive data. They claim that the Fred Hutchinson Cancer Center failed to issue prompt notifications to allow them to take steps to protect themselves against identity theft and fraud.

The lawsuit claims the plaintiffs and class members now face grave and lasting consequences from the attack and have suffered injury and damages including a substantial and imminent risk of identity theft and medical identity theft, loss of confidentiality of highly sensitive PII/PHI, deprivation of the value of PII/PHI, and overpayment for services that did not include adequate data security, and other harms. In addition to negligence, the lawsuit alleges negligence per se, breach of fiduciary duty, breach of implied contract, unjust enrichment, and a violation of the Washington Consumer Protection Act. The lawsuit seeks a jury trial and actual, statutory, and punitive damages, restitution, disgorgement, and nominal damages, and equitable, injunctive, and declaratory relief. Another lawsuit, Shawna Arneson v. Fred Hutchinson Cancer Center, was filed in the same court and makes similar claims, and alleges the actions of Fred Hutchinson Cancer Center violated HIPAA.

A third lawsuit – Doe v. Fred Hutchinson Cancer Center et al – was filed in the US District Court for the Western District of Washington by John Doe, the father of Jack Doe, and similarly situated individuals. Other defendants named in the lawsuit include UW School of Medicine, UW Medical Center, Harborview Medical Center, Valley Medical Center, UW Physicians, UW Neighborhood Clinics (dba UW Medicine Primary Care), Airlift Northwest, and Children’s University Medical Group.

Jack Doe received healthcare services from UW Medicine but was never a patient of the Fred Hutchinson Cancer Center; however, his data was shared with the Fred Hutchinson Cancer Center as both health systems work together to advance cancer research. The lawsuit alleges that the defendants failed to implement appropriate cybersecurity measures and failed to protect patients from “a flood of extortionary threats by cybercriminals.” The lawsuit alleges long-standing security failures, as the Fred Hutchinson Cancer Center also failed to prevent a breach of an employee email account in March 2022. The lawsuit seeks a jury trial and an award of damages, relief, and restitution.

Fred Hutchinson Cancer Center Data Breach Lawsuits

  • Alexander Irvine and Barbara Twaddell v. Fred Hutchinson Cancer Center and University of Washington – The plaintiffs are represented by Alexander F. Strong of Stobaugh & Strong P.C., Ben Barnow, Anthony L. Parkhill, and Riley W. Prince of Barnow and Associates.
  • Doe v. Fred Hutchinson Cancer Center et al – The plaintiffs and class are represented by Turke & Strauss LLP.
  • Shawna Arneson v. Fred Hutchinson Cancer Center – The plaintiffs are represented by Kim D. Stephens & Cecily C. Jordan of Tousley Brain Stephens PLLC.

The post Fred Hutchinson Cancer Center Lawsuits Mount After Cyberattack and Data Breach appeared first on HIPAA Journal.