Postmeds & Truepill Sued Over 2.3 Million-Record Data Breach

Posted by Steve Alder

Postmeds, Inc., a company that does business as Truepill and fulfills mail order prescriptions for pharmacies, has recently announced that it has suffered a massive data breach that has affected 2,364,359 individuals. According to the company’s breach notice, an unauthorized third party gained access to files used for pharmacy management and fulfillment services. The forensic investigation confirmed the unauthorized access occurred between August 30, 2023, and September 1, 2023, and the exposed files were found to contain information such as names, medication types, and, for certain patients, demographic information and prescribing physician names. Highly sensitive information such as Social Security numbers were not compromised, as Postmeds does not receive that information.

Postmeds said it has enhanced its security protocols and technical safeguards in response to the incident and has provided its workforce with additional cybersecurity training to raise awareness of cybersecurity threats. Affected individuals started to be notified about the breach by mail on October 30, 2023.

A breach of this magnitude was certain to result in class action lawsuits, the first of which has already been filed in the U.S. District Court for the Northern District of California. The lawsuit, Rossi, et al. v. Postmeds Inc. d/b/a Truepill, names John Rossi, Michael Thomas, and Marissa Porter as plaintiffs, who are represented by attorneys Kyle McLean, Mason Barney, and Tyler Bean of Siri and Glimstad LLP. The lawsuit alleges Truepill failed to implement appropriate systems to prevent unauthorized access to patient data. The lawsuit claims the plaintiffs and class members have been placed at significant risk of identity theft and other forms of personal, social, and financial harm, and that the elevated risks will be present for a lifetime.

Class action lawsuits are commonly filed after healthcare data breaches and seek damages due to negligence, breach of contract, and invasion of privacy. It is not sufficient to allege violations of federal or state laws, as a concrete injury must have been caused as a result of those violations for the lawsuit to be granted standing.

The post Postmeds & Truepill Sued Over 2.3 Million-Record Data Breach appeared first on HIPAA Journal.

Ransomware Gangs Hit Debt Collection Firm and Mental Healthcare Provider

Posted by Steve Alder

Ransomware attacks have been announced by Financial Asset Management Systems and The Harris Center for Mental Health. Munsen Healthcare is investigating a cyberattack on Munsen Healthcare Otsego Hospital, and St. Bernards Healthcare has confirmed that patient information was compromised in a MOVEit Transfer hack.

The Harris Center for Mental Health Recovering from a Ransomware Attack

The Harris Center for Mental Health in Texas has recently fallen victim to a ransomware attack. The incident was detected on November 7, 2023, when staff members were prevented from accessing files. The network was immediately shut down to limit the harm caused, and cybersecurity consultants were engaged to assist with the recovery and investigation.

The Harris Center for Mental Health said it is continuing to provide care to patients; however, the lack of access to electronic systems has inevitably led to delays. At this stage of the investigation, it is unclear whether patient data has been compromised.

This is the second major incident to affect The Harris Center for Mental Health this year. A service provider used the MOVEit Transfer tool, a vulnerability in which was exploited to provide unauthorized access to sensitive data in May 2023. The protected health information of 599,367 individuals was stolen in the attack.

Ransomware Attack on Financial Asset Management Systems Affects 165,000 Patients

Financial Asset Management Systems (FAMS), a business management consultancy and debt collection firm, has recently reported a data breach to the HHS’ Office for Civil Rights that has affected 164,796 patients. In its substitute breach notice, FAMS said it experienced a “network disruption” incident, which prevented access to certain files on its network. The forensic investigation and review of the exposed files was completed on August 31, 2023, and confirmed that the exposed information included names, billing account numbers, costs paid, balances due, and the name of the affected FAMS client. The affected individuals started to be notified on October 20, 2023, and credit monitoring and identity theft protection services have been offered to the affected individuals.

Munsen Healthcare Otsego Hospital Investigating Cyberattack

Munsen Healthcare has confirmed that it is investigating a cyberattack on Munsen Healthcare Otsego Hospital in Gaylord, MI. Munsen Healthcare said computer systems were shut down in response to the security incident and a third-party cybersecurity company has been engaged to conduct a forensic investigation to determine the nature and scope of the attack.

Details about the nature of the attack, such as if this was a ransomware/extortion incident, have not been publicly disclosed, and it has yet to be determined if patient data has been exposed or obtained.

Business Associate Data Breach Affects 89,500 St. Bernards Healthcare Patients

Jonesboro, AR-based St. Bernards Healthcare, Inc., a health system serving northeast Arkansas and southeast Missouri, has recently announced that the protected health information of 89,556 patients has been exposed in a data breach at one of its third-party vendors.

St. Bernards Healthcare contracted with Welltok Inc. to provide an online contact management platform. The platform was used to communicate important notices and communications through its subsidiary, Tea Leaves Health LLC. Welltok used Progress Software’s MOVEit Transfer product, a zero-day vulnerability in which was patched on May 31, 2023; however, the vulnerability had already been exploited on May 30. Welltok discovered it had been affected by the mass exploitation of the vulnerability on July 26, 2023, and its investigation revealed on August 11, 2023, that sensitive data was exfiltrated in the attack.

St. Bernards Healthcare was notified about the breach by Welltok on September 14, 2023, and was told about the full scope of the breach on October 18, 2023. The information stolen in the attack included names, addresses, dates of birth, email addresses, phone numbers, Social Security numbers, patient identification numbers, health insurance information, providers’ names, and medical treatment/diagnosis information. Welltok started to notify the affected individuals on November 13, 2023.

The post Ransomware Gangs Hit Debt Collection Firm and Mental Healthcare Provider appeared first on HIPAA Journal.