The State of Maine has confirmed that the protected health information of 453,894 individuals was stolen in the recent mass hacking of a zero-day vulnerability in Progress Software’s MoveIT Transfer solution. Progress Software released a patch to fix the vulnerability on May 31, 2023; however, the vulnerability had already been exploited. The State of Maine’s investigation confirmed that the vulnerability had been exploited between May 28, 2023, and May 29, 2023, and sensitive data had been stolen by the Clop hacking group.

The breach was limited to its MOVEit server, and no other systems were compromised. The Clop hacking group claimed they were only interested in hacking businesses and said they would delete all data stolen from governments; however, the State of Maine is urging all affected individuals to ignore those claims and take steps to protect themselves against fraud. The individuals affected may have been Maine residents, employees, or could have received services from or interacted with a state agency. Maine also participates in data sharing agreements with other organizations to enhance the services it offers to residents and the public.

The data exposed would depend on the interactions with state agencies. All affected individuals who had their Social Security numbers or taxpayer identification numbers stolen have been offered two years of complimentary credit monitoring and identity protection services.

Affinity Legacy Inc. Affected by MOVEit Hack

Affinity Legacy Inc., formerly known as Affinity Health Plan, Inc., has confirmed that it was affected by the recent MOVEit Transfer hacks. The breach occurred at one of its business associates, which provided claims processing services, and used the software solution for file transfers.

The vulnerability was exploited between May 30 and June 2, 2023, and on June 21, 2023, the vendor determined that certain files had been downloaded by the attackers that contained the protected health information of 5,538 individuals who were either Affinity Health Plan members prior to 2019, or EmblemHealth Medicare Advantage Plan members after 2019. The stolen data included names, mailing addresses, dates of birth, Social Security numbers, Medicare numbers and/or medical diagnosis codes. Complimentary personal identity and privacy protection services have been offered to the affected individuals.

The Charles Lea Center Suffers Ransomware Attack

The Charles Lea Center, a non-profit organization in Spartanburg County, SC, has recently notified 1,250 individuals that some of their personal information was compromised in a June 2023 ransomware attack. The incident was detected on June 19, 2023, when a portion of its network was encrypted. A ransom demand was issued, and the threat actor claimed to have exfiltrated a limited number of files from its systems.

While the forensic investigation could not determine the specific types of information that had been compromised, the file review confirmed on October 2, 2023, that the exposed files contained names, Social Security numbers, dates of birth, and some medical treatment information. The Charles Lea Center has offered the affected individuals complimentary credit monitoring services and has advised them to monitor their financial account statements regularly for signs of fraud. The Charles Lea Center said it had taken steps to ensure the privacy of data before the attack and will be augmenting those measures to further enhance security.

Detroit Chassis Health Plan Member Data Exposed

Detroit Chassis in Michigan, a provider of niche vehicle manufacturing solutions, was the victim of a sophisticated cyberattack that occurred on or around March 12, 2023. When the attack was detected, immediate action was taken to secure its systems and third-party cybersecurity experts were engaged to investigate. The investigation confirmed that the attackers had access to parts of its network that contained the data of 958 members of its health plan which was stored on an email server that was in the process of being decommissioned.

Detroit Chassis said, “While we believe there is a reasonable basis to conclude this information was not subject to unauthorized acquisition, we were unable to rule it out.” The server contained information such as names, addresses, dates of birth, Social Security numbers, driver’s licenses, financial account information, passport numbers, credit card numbers, state identification numbers, usernames and access information for non-financial accounts, medical information, health insurance numbers and information related to its employee prescription benefits plan.

Medical Records Stolen in Lakeview Healthcare System Break-in

Lakeview Healthcare System, a central Florida health system, had a break-in at its Fern Drive location in Leesburg on September 29, 2023.  The break-in occurred around 5 a.m. and the intruder stole three password-protected mobile devices and medical records that contained the protected health information of patients. The paper records included information such as names, addresses, diagnosis and treatment information, and billing information.

Lakeview Healthcare System said it has engaged in extensive remediation efforts to minimize the risk of similar incidents in the future, has reviewed its security policies and procedures, and has re-educated the workforce on data security and secure document storage. Physical security measures are being assessed at each location, including using more shred bins, upgrading physical locks, and implementing additional access controls to allow for faster and more precise termination of access.

The breach has been reported to the HHS’ Office for Civil Rights as affecting 2,495 individuals.

The post State of Maine Reports 450,000-Record Data Breach appeared first on HIPAA Journal.

California Physicians’ Service, which does business as Blue Shield of California, has confirmed that it has been affected by the mass exploitation of a vulnerability in Progress Software’s MOVEit Transfer file transfer solution. The breach has been reported to the HHS’ Office for Civil Rights in two separate breach reports, one involving the data of 636,848 Blue Shield of California plan members and another that has affected 26,523 Blue Shield of California or Blue Shield of California Promise Health Plan members.

The breach occurred at an unnamed vendor of Blue Shield of California that managed vision benefits. The vendor used the MOVEit Transfer solution to transfer large files as part of its contracted duties. A zero-day vulnerability in the MOVEIt Transfer solution was exploited between May 28, and May 31, 2023, and files were exfiltrated that included members’ names, birthdates, addresses, subscriber ID numbers, subscribers’ names, birthdates, Social Security numbers, group ID numbers, vision providers’ names, patient ID numbers, vision claims numbers, vision-related treatment and diagnosis information, and vision-related treatment cost information. The Clop hacking group claimed responsibility for the hacks.

Blue Shield of California said its own systems were not compromised. The breach was limited to the MOVEit Transfer server. Credit monitoring and identity restoration services have been offered to the affected individuals.

Wyoming County Community Health System Confirms March 2023 Cyberattack

Wyoming County Community Health System in Warsaw, NY, has experienced a cybersecurity incident that has caused network disruption. The security breach was detected on March 28, 2023, and the subsequent forensic investigation determined that files had been exposed on that date and may have been accessed or acquired by unauthorized individuals. A review was then conducted of the files to determine the individuals and types of data involved, and that process was completed on November 8, 2023. The review confirmed up to 26,000 individuals had been affected and had some or all of the following information exposed: name, Social Security number, driver’s license/state identification number, date of birth, biometric data, medical information, health insurance information, and account number.

Notification letters were sent to the affected individuals on November 16, 2023. Wyoming County Community Health System said it has implemented additional measures to enhance network security and minimize the risk of a similar incident occurring in the future.

Westside Community Services Confirms Cyberattack and Data Theft

The San Francisco, CA-based social services organization, Westside Community Services, has notified 2,484 individuals about a security breach involving unauthorized access to its network between April 25, 2023, and May 1, 2023. Third-party cybersecurity professionals were engaged to conduct a forensic investigation and confirmed that files had been exfiltrated from its network. The document review was completed on October 16, 2023.

The stolen files included full names along with one or more of the following: Social Security numbers, dates of birth, driver’s license numbers or state identification numbers, passport numbers, other government identification numbers, financial account information, credit or debit card information, usernames and passwords associated with one or more online accounts, medical information (date of service, provider name, medical record number, patient number, medical history, surgical information, medication, and/or treatment information), and/or health insurance policy information. Westside Community Services said it continually evaluates and modifies its practices and internal controls to enhance the security and privacy of personal information and will continue to do so.

Unauthorized Email Access Reported by Molina Healthcare of Iowa

Molina Healthcare of Iowa, Inc. says it discovered on November 22, 2023, that there had been unauthorized access to an employee email account between September 25 and 26, 2023. It was not possible to determine if any information in the email account was copied, but the review of the emails confirmed that they contained the protected health information of 1,647 Medicaid recipients. Those individuals have been notified about the breach by mail. Molina Healthcare of Iowa said the breach did not affect any members covered by other managed care organizations.

This is the third incident to affect Molina Healthcare of Iowa members this year. On May 31, 2023, Amerigroup inadvertently disclosed personal health information for 833 Iowa Medicaid members to 20 providers in explanation of payment notices; and on May 26, 2023, a Medicaid contractor confirmed there had been unauthorized access to its systems on March 6, 2023, which affected 233,000 Medicaid members.

Robeson Health Care Corporation Updates Data Breach Notice

Robeson Health Care Corporation has provided an update on a breach that was previously reported to the Maine Attorney General as affecting 15,045 individuals. The investigation has confirmed that a further 62,627 individuals have been affected. The incident has been previously covered by The HIPAA Journal in this post.

The post Hundreds of Thousands of Blue Shield of California Members Affected by MOVEit Hack appeared first on HIPAA Journal.