ConsensioHealth Ransomware Attack Affects 61,000 Patients

The Wisconsin-based medical billing service, ConsensioHealth, has recently notified 60,871 individuals about a July 2023 ransomware attack. The attack was discovered on July 3, 2023, when staff were prevented from accessing files on the network. Steps were immediately taken to prevent further unauthorized access and third-party cybersecurity experts were engaged to assist with the investigation and to help determine whether patient data was accessed or copied from its systems. The investigation confirmed that data had been stolen, and on November 7, 2023, it was confirmed that some of those files contained the data of patients of the following covered entities:

  • Emergency Medicine Specialists, S.C.
  • Ascension Wisconsin
  • Wisconsin Urgent Care
  • Kenosha Urgicare
  • Fox Valley Emergency Medicine
  • Dr. Linda Jingle
  • Woundcare Innovations of Golf Land

The impacted data varied from individual to individual and may have included the following data types: Name, address, date of birth, driver’s license or other state identification number, Social Security number, account access credentials, health insurance information, medical treatment and diagnosis information, medical treatment cost information, patient account number, Medicare or Medicaid number, healthcare provider information, and prescription information.

ConsensioHealth said its information security practices have been reviewed and updated and additional security measures have been implemented.

Southeastern Orthopaedic Specialists Data Incident Affects 35,500 Patients

Southeastern Orthopaedic Specialists in Greensboro, NC, has identified unauthorized access to its network and the potential theft of the protected health information of 35,533 patients.

The Southeastern Orthopaedic Specialists substitute breach notice is devoid of any meaningful information about the data incident, which is described as “a cybersecurity incident that impacted its IT systems.” The breach notice does not state when the breach occurred, when it was detected, for how long hackers had access to the network, whether there was access to patient data, if data was stolen, what types of data were exposed or stolen, or the nature of the attack.

The December 19, 2023, notice only states that no evidence of fraud or identity theft was identified, which may lead the affected individuals to believe that there is little risk; however, there is insufficient information in the notice to allow the affected individuals to gauge the level of risk they face. The breach was sufficiently severe to warrant providing the affected individuals with complimentary credit monitoring and identity theft protection services, and it is strongly advisable to take advantage of those services.

Data of Healthcare Clients Exposed in Burr & Forman Cyberattack

The Birmingham, Alabama, Am Law 200 firm Burr & Forman has recently confirmed that it fell victim to a cyberattack in October 2023 which resulted in unauthorized access to client data, including the data of two clients that are covered by HIPAA. Suspicious activity was detected on one of its laptops in October, and the laptop was immediately isolated to prevent further access.

According to the law firm Constangy, Brooks, Smith & Prophete, which is representing Burr & Forman, the cyberattack was detected promptly and was rapidly contained but it was not possible to prevent unauthorized access to documents on its systems. On November 10, 2023, it was confirmed that there had been access to the data of its client Oceans Healthcare, and one other unnamed HIPAA-covered entity. In total the personal and protected health information of 19,893 individuals was exposed.

Burr & Forman was provided with personal information in connection with the legal services provided to its healthcare clients and that information included names, Social Security numbers, medical coding information, dates of service, and insurance information. In its substitute breach notification, Burr & Forman confirmed it is notifying the individuals affected and has provided resources to assist them, and has enhanced network security to prevent similar breaches in the future.

Sharp Health Plan Notifies Members About MOVEit Hack and Mismailing Incident

Some 8,200 Sharp Health Plan members have recently been notified that some of their protected health information was compromised in a hacking incident at one of its business associates, Delta Dental. Delta Dental used the MOVEit Transfer file transfer solution, which was hacked by the Clop hacking group, and data were exfiltrated between May 27 and May 30, 2023. Delta Dental’s investigation indicated in July 2023 that Sharp Health Plan member information may have been involved, and that was confirmed on November 17, 2023; however, it took until late December to determine which members had been affected. The stolen data was limited to members’ first and last names, Social Security numbers, dental provider names, health insurance information, and treatment cost information. The affected individuals are being notified directly by Delta Dental.

Sharp Health Plan has also notified certain members about a mismailing incident that occurred on December 26, 2023. A system error in the software of the health plan’s mailing vendor resulted in members’ names being omitted from the envelopes. Without a name on the envelope, other household members may have opened the letters. The letters listed the intended recipient’s name, address, and behavioral health provider’s name, and confirmed that the member had visited the provider in 2023.

Rebekah Children’s Services Reports September 2023 Cyberattack

Rebekah Children’s Services in Gilroy, CA, identified suspicious activity on its network on September 5, 2023, and engaged a third-party forensics firm to investigate and determine the nature of the attack. The forensic investigation confirmed that hackers had gained access to parts of the network where protected health information was stored, and the file review confirmed that names, addresses, Social Security numbers, dates of birth, health information, health insurance information, treatment information, medications, and driver’s license numbers had potentially been obtained. Steps have been taken to improve security, and the 2,805 affected individuals have been notified and offered complimentary access to single-bureau credit monitoring services.

The post ConsensioHealth Ransomware Attack Affects 61,000 Patients appeared first on HIPAA Journal.

FTC Prohibits Data Broker from Selling Sensitive Location Data

The Federal Trade Commission (FTC) has announced its first settlement with a data broker over the sale of the precise geolocation data of consumers. Under the terms of the settlement, X-Mode Social is prohibited from selling or sharing sensitive location data with third parties unless it obtains consent from consumers or de-identifies the data.

Virginia-based X-Mode Social, now Outlogic LLC, works with app developers and provides a software development kit (SDK) that can be integrated into smartphone apps and allows data to be collected via those apps, including precise geolocation data. Precise geolocation data can identify where an individual lives and works, the residences of friends and family members, and other locations they visit. Some of those locations may be highly sensitive, such as places of worship, domestic violence centers, addiction treatment centers, places offering services to the LGBTQIA+ community, and reproductive health facilities. If precise geolocation data is collected that confirms consumers’ visits to sensitive locations such as reproductive health clinics and places of worship, they could face discrimination, physical violence, emotional distress, and other harms. Sen. Ron Wyden determined that X-Mode had sold sensitive location data to U.S. military contractors in 2020, and another customer, a private clinical research company, paid X-Mode for access to consumer information that included visits to medical facilities, pharmacies, and specialty infusion centers across Columbus, Ohio, according to the FTC complaint.

FTC Alleges X-Mode Social Engaged in Unfair and Deceptive Practices

The FTC launched an investigation to determine whether the data broker had engaged in unfair or deceptive acts or practices. The FTC alleged that X-Mode sold raw data to third parties that did not have sensitive locations removed. X-Mode is also alleged to have failed to implement reasonable and appropriate safeguards against downstream use of that data. In addition to purchasing geolocation data from third-party apps, X-Mode also has its own apps – Drunk Mode and Walk Against Humanity. The FTC alleges users of those apps were not fully informed about how precise geolocation data would be used.

According to the FTC, X-Mode did not have policies and procedures in place to remove sensitive locations from its raw data before it was sold, users of its own apps were not informed about who would receive their data, and safeguards were not put in place to ensure that it could honor requests by users to opt out of the tracking of their movements and the serving of personalized advertisements. The FTC alleged these failures constituted violations of Section 5 of the FTC Act.

“With this action, the commission rejects the premise so widespread in the data broker industry that vaguely worded disclosures can give a company free license to use or sell people’s sensitive location data,” said FTC chair Lina M. Khan.

Settlement Reached to Resolve FTC Complaint

Under the terms of the settlement, X-Mode and Outlogic are required to implement a program for maintaining a comprehensive list of sensitive locations, and location data tied to those locations cannot be shared, sold, or transferred unless consent is obtained from consumers. X-Mode and Outlogic are also prohibited from using location data when they cannot determine whether a consumer has provided consent.

X-Mode and Outlogic must develop a supplier program to ensure that all companies they purchase data from are obtaining consent from consumers covering the collection, sale, and use of the data, and all precise geolocation data indicating visits to sensitive locations that was collected without consent must be deleted or destroyed, unless the data has been de-identified.

X-Mode and Outlogic are also required to implement procedures to ensure that recipients of its location data do not associate the data with locations that provide services to LGBTQ+ people, such as bars or service organizations, with locations of public gatherings of individuals at political or social demonstrations or protests, or use location data to determine the identity or location of a specific individual.

X-Mode and Outlogic must also provide consumers with a simple and easy-to-find method of withdrawing their consent to the collection and use of their location data and of requesting that the data be deleted, and a clear and concise way for consumers to request that any businesses or individuals that have been provided with their personal data remove location data from commercial databases.

Outlogic’s public relations firm provided a statement in response to the FTC complaint and settlement. “We disagree with the implications of the FTC press release. After a lengthy investigation, the FTC found no instance of misuse of any data and made no such allegation. Since its inception, X-Mode has imposed strict contractual terms on all data customers prohibiting them from associating its data with sensitive locations such as healthcare facilities. Adherence to the FTC’s newly introduced policy will be ensured by implementing additional technical processes and will not require any significant changes to business or products.”

The agreement will be published in the Federal Register and comments will be accepted for 30 days, after which the FTC will decide whether to make the proposed consent order final.

The post FTC Prohibits Data Broker from Selling Sensitive Location Data appeared first on HIPAA Journal.

What is the OIG Stark Law?

The OIG Stark Law is the section of the Social Security Act that prohibits physicians from referring Medicare and Medicaid patients to a non-exempted “designated health service” when the physician or an immediate family member has a financial interest in the service. The Law is named after Congressman Fortney “Pete” Stark who introduced the original “Ethics in Patient Referrals” bill in 1988.

The background to the OIG Stark Law is that, in 1972, Congress added an Anti-Kickback Statute to the Social Security Act in order to combat fraud and abuse in the Medicare and Medicaid programs. The Statute prohibits anyone from “knowingly and willfully receiving or paying anything of value to influence the referral of federal health care program business [to a particular healthcare provider]”.

The penalties for violating the Anti-Kickback Statute are up to five years in prison, criminal fines of up to $25,000, civil monetary penalties of up to $50,000, and – since 1977 – being included on the HHS OIG Exclusions List. Under the Civil Monetary Penalties Law, physicians who pay or accept kickbacks can be fined up to $50,000 per kickback plus three times the amount of the remuneration.

Self-Referral Loophole Closed by Stark

To circumvent the Statute, some physicians “self-referred” patients to health services in which they or a family member had a financial interest, either through ownership, investment, or reimbursement (i.e., “consulting fees”). To close this loophole, Congressman Stark introduced the “Ethics in Patient Referrals” bill in 1988, prohibiting providers of Medicare services from accepting referrals from physicians with an ownership interest or other compensation arrangement.

The bill’s proposals for prohibiting referrals to clinical laboratories were adopted in the Omnibus Budget Reconciliation Act of 1990. Three years later, the OIG Stark Law was extended to include designated health services other than clinical laboratories, and patients covered by Medicaid as well as Medicare. Since 2001, the Centers for Medicare and Medicaid Services (CMS) has published regulations in the Federal Register to implement and revise provisions of the OIG Stark Law.

What does the OIG Stark Law Cover?

The OIG Stark Law covers physician “self-referrals” to designated health services when the service is billed to Medicare or Medicaid, and a financial relationship exists between the physician (or an immediate family member) and the health service. In such cases, not only is the referral a violation of the OIG Stark Law, but it is also a violation if the health service subsequently files a claim for payment – directly or indirectly – with a federal health care program. Designated health care services are:

  • Clinical laboratory services.
  • Physical therapy services.
  • Occupational therapy services.
  • Outpatient speech-language pathology services.
  • Radiology and certain other imaging services.
  • Radiation therapy services and supplies.
  • Durable medical equipment and supplies.
  • Parenteral and enteral nutrients, equipment, and supplies.
  • Prosthetics, orthotics, and prosthetic devices and supplies.
  • Home health services.
  • Outpatient prescription drugs.
  • Inpatient and outpatient hospital services.

Exemptions and Advisory Opinions

In 2003, Congress authorized the Secretary of HHS to promulgate regulations exempting physician self-referrals from the OIG Stark Law provided certain conditions are met and provided the referral is in the patient’s best interests. Since 2003, the list of exemptions has grown to include (but is not limited to) in-office ancillary services, indirect physician compensation (i.e., to a group practice rather than to an individual), self-referrals in rural areas, and compliance training.

For a referral arrangement to qualify for an exemption, there must be a written agreement in place, any compensation paid to a referring physician must not be based on the volume of referrals, and the amount of compensation must be commercially reasonable. If physicians or health services are unsure whether a referral relationship qualifies for an exemption, they can apply to CMS for an advisory opinion. To date, CMS has published nineteen advisory opinions.

Penalties for OIG Stark Law Violations

Violations of the OIG Stark Law are civil violations, so there are no criminal penalties for violations of the law. However, because the law is linked to the Anti-Kickback Statute, the civil penalties for OIG Stark Law violations are substantial. Self-referring physicians can be fined $15,000 for each service they knew or should have known was provided in violation of the OIG Stark Law, with a potential fine of $100,000 if it is proven they deliberately attempted to circumvent the Anti-Kickback Statute.

The health service that benefited from the self-referral will have to refund payments improperly collected, plus three times the amount if the payment was received from Medicare. Both the physician and the health service can also be added to the HHS OIG Exclusion List or required to comply with an OIG Integrity Agreement. For these reasons, if you have any doubt that a referral may be in violation of the OIG Stark Law, it is recommended you seek professional compliance advice.

The post What is the OIG Stark Law? appeared first on HIPAA Journal.

Multiple Threat Groups Exploiting Ivanti VPN/NAS Zero-Days

Urgent action is required to fix two zero-day flaws in Ivanti Connect Secure VPN and Policy Secure NAS appliances. The vulnerabilities were discovered by researchers at Volexity and were disclosed by Ivanti last week. They have been exploited in the wild since December 2023 by an Advanced Persistent Threat group, but those attacks were highly targeted, and at the time of the disclosure fewer than 20 customers had been attacked. The situation has now changed: on January 11, 2024, multiple threat actors started mass exploiting the flaws in indiscriminate attacks on businesses of all sizes across multiple sectors.

Ivanti will be releasing patches to fix the flaws starting in the week of January 22, 2024, and final patches will be released in the week of February 19, 2024; however, there is a workaround that can prevent exploitation of the flaws until the patches are released. Any HIPAA-regulated entity that uses one of the vulnerable products should ensure that the workaround is implemented immediately, given the extent to which the flaws are being exploited.

The vulnerabilities are CVE-2023-46805, an authentication bypass flaw (CVSS 8.2) present in Ivanti Connect Secure (ICS) 9.x and 22.x and Ivanti Policy Secure, and CVE-2024-21887, a command injection vulnerability (CVSS 9.1) in Ivanti Connect Secure 9.x and 22.x and Ivanti Policy Secure. The authentication bypass flaw allows an unauthenticated remote attacker to bypass security controls and access restricted resources, and the command injection flaw allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

The initial attacks were conducted by an unknown APT group that downloaded malware toolkits for espionage purposes. The later attacks have been conducted by multiple threat actors. One actor has already attacked hundreds of appliances and backdoored targets’ systems using a GIFTEDVISITOR webshell variant. According to Volexity, as of January 14, 2024, more than 1,700 ICS VPN appliances had been compromised with the webshell.

In addition to applying the mitigation measures, customers have been advised to run the Ivanti Integrity Checker Tool to identify signs of compromise.

The post Multiple Threat Groups Exploiting Ivanti VPN/NAS Zero-Days appeared first on HIPAA Journal.