Pan-American Life Insurance Group Data Breach Affects 200,000 Individuals

Pan-American Life Insurance Group MOVEit Data Breach

The Pan-American Life Insurance Group in Louisiana has confirmed that it was one of the victims of the mass hacking of a zero-day vulnerability in Progress Software’s MOVEit Transfer solution in late May 2023 by the Clop hacking group. Progress Software released a patch to fix the previously unknown vulnerability on May 31, 2023; however, by that time the Clop hacking group had already mass exploited the flaw to gain access to MOVEit servers. More than 2,600 organizations worldwide are now known to have been affected, and between 78 and 83 million individuals have had their data stolen in the attacks.

The Pan-American Life Insurance Group said it immediately stopped using the MOVEit Transfer tool for file transfers when it was notified about the vulnerability and hired a cybersecurity firm to determine if the flaw had been exploited. The investigation confirmed that files had indeed been stolen. A review of those files was initiated, and on October 5, 2023, it was confirmed that they contained personal and protected health information, including names, addresses, Social Security numbers, dates of birth, driver’s license numbers, contact information, medical and medical benefits information, subscriber numbers, certain biometric data, and financial account and credit card information.

The Pan-American Life Insurance Group has arranged for the affected individuals to be provided with 24 months of complimentary credit monitoring and identity theft protection services. The breach was reported to the HHS’ Office for Civil Rights in two separate breach reports that affected 105,387 and 94,807 individuals.

Dameron Hospital Investigating Cyberattack

Dameron Hospital in Stockton, CA, has confirmed that it recently suffered a cyberattack that has affected some of its network systems. The lack of critical systems has caused disruption, and some procedures have been rescheduled until all systems are brought back online; however, a spokesperson for the hospital confirmed that its patient care operations and emergency department are continuing to function as normal. An investigation has been launched to determine the nature and scope of the incident and whether any patient data has been exposed or stolen. Further information will be released as the investigation progresses.

Hunters International Claim Responsibility for Cyberattack on Covenant Care

Covenant Care, a provider of skilled nursing, residential care, and home healthcare in California and Nevada, appears to have experienced a cyberattack involving data theft. The Hunters International hacking group has added Covenant Care to its data leak site and has been adding patient data to that site, indicating Covenant Care has refused to pay the ransom. Covenant Care has not confirmed whether the hacking group’s claims are genuine.

Covenant Care is no stranger to data breaches, having fallen victim to multiple phishing attacks in the past 5 years, including one in 2019 that affected 7,858 patients and another in 2022 that involved the PHI of 23,093 patients. In response to the 2019 attack, the HHS’ Office for Civil Rights issued technical assistance to help Covenant Care with its security management process.

The post Pan-American Life Insurance Group Data Breach Affects 200,000 Individuals appeared first on HIPAA Journal.

Missouri Attorney General Files Lawsuit in Response to WU Refusal to Provide Transgender Patients’ Records

The Missouri Attorney General has filed a counterclaim in response to a lawsuit filed by Washington University (WU) over the legal basis of civil investigative demands for documentation about medical procedures performed on transgender patients. WU is refusing to provide records from its Transgender Center that contain patient information, which the Missouri Attorney General claims are essential to the investigation.

Missouri Attorney General Andrew Bailey issued civil investigative demands for documentation in February 2023 pursuant to an investigation of the Washington University Transgender Center, including records of patients who received treatment. The investigation was initiated in response to allegations by a whistleblower that the clinic had administered experimental drugs, puberty blockers, and cross-sex hormones without sufficient assessments and had also pressured parents into giving consent. WU strongly denies the allegations.

Washington University complied with the investigative demand and provided documentation but did not provide patient records as it did not believe the Missouri Attorney General had the legal authority to demand the records. The Attorney General claimed that he had the authority to request the records under the Missouri Merchandising Practices Act (MMPA); however, WU argues that the MMPA is a consumer protection law concerning deceptive advertising and the investigation appears to be into medical decision-making at the Transgender Center. In its lawsuit, Washington University asked a St. Louis Circuit Court judge to confirm if the Attorney General has the authority to request the records and, if not, to narrow AG Bailey’s investigative demands.

In the counterclaim, AG Bailey claims that WU initially agreed to comply with the investigative demand and then later changed its position, claiming that the federal Health Insurance Portability and Accountability Act (HIPAA) prohibits the disclosure of patient data. In the counterclaim, AG Bailey asked the court to rule on whether HIPAA prohibits the disclosure of PHI in response to civil investigative demands. With respect to the documentation sent by Washington University, the documents were not downloaded before the link expired, and after issuing requests to resend, the Attorney General’s office received a file that could not be opened. When the file was resent, it contained heavily redacted information, with patient data unviewable.

The counterclaim answers the question about the legality of the demand and claims that the investigation concerns whether the Transgender Center was “boosting patient volume by falsely advertising compliance with Endocrine Society, World Professional Association for Transgender Health (WPATH) and similar group guidelines while in fact sharply deviating from those guidelines,” and that “Inducing a person to purchase gender transition services through unfair or deceptive practices leads to life-altering physical consequences.”

The Attorney General claims that the consumer-protection statute grants “extraordinarily broad authority,” including investigating medical malpractice issues. The Attorney General claims the requested documents are essential to the investigation and will reveal whether children underwent irreversible procedures without proper parental consent. AG Bailey seeks an order from the court for the documentation to be provided within 20 days.

The Missouri Attorney General has also claimed that the Biden administration has been quietly interfering with the investigation and alleges that WU changed its position on providing the records after a federal probe. Initially, WU agreed to provide the records, then, after the probe, claimed providing those records violated HIPAA.

The post Missouri Attorney General Files Lawsuit in Response to WU Refusal to Provide Transgender Patients’ Records appeared first on HIPAA Journal.