Records of 4 Million Coloradans Compromised in MOVEit Transfer Attack

Posted by Steve Alder

The Colorado Department of Health Care Policy and Financing (HCPF), which oversees the state’s Medicaid program and the Child Health Plan Plus (CHP+) program, has recently confirmed that the protected health information of 4,091,794 individuals was compromised. The attack occurred at IBM, one of its vendors, and involved the MOVEit Transfer application that was used by IBM for file transfers. HCPF said its own systems were not affected.

Hackers (Clop) exploited a zero day vulnerability in the MOVEit Transfer file transfer solution and exfiltrated data and attempted to extort money from the victims. The information security firm Kon Briefing has been tracking the incidents and reports that at least 670 organizations fell victim to the attacks and the records of 46 million individuals are known to have been compromised.

HCPF said the breach involved the data of Health First Colorado and CHP+ users and included names, Social Security numbers, Medicaid and Medicare IUD numbers, birth dates, addresses and other contact information, demographic/income information, health insurance information and clinical and medical information, including diagnoses, conditions, lab results, medications, and other treatment information. 24 months of complimentary credit monitoring and identity theft protection services have been offered to the affected individuals.

Several other HIPAA-regulated entities have confirmed that they have been affected. Radius Global Solutions, a Minnesota-based HIPAA business associate that provides customer engagement and technology services, has confirmed that the protected health information of 600,794 individuals was compromised in the Clop MOVEit Transfer attacks, including names, dates of birth, Social Security numbers, treatment codes, treatment locations, health insurance provider names, and treatment payment histories. 24 months of complimentary credit monitoring and identity theft protection services have been offered to the affected individuals.

Indiana Family and Social Services Administration has recently confirmed that the state Medicaid enrollment broker, Maximus Health Services Inc., had its MOVEit server hacked and the protected health information of 744,000 Indiana Medicaid members was compromised including names, addresses, case numbers, and Medicaid numbers. Maximus handles the department’s communications with Medicaid recipients. The Clop group had access to its MOVEIt server from May 27 to May 31, 2023.

Florida Healthy Kids, a provider of health and dental insurance to children in Florida was also impacted by the Maximus breach, although it is currently unclear how many individuals had their data compromised in the incident. Maximus said 24 months of complimentary credit monitoring and identity theft protection services are being offered to the affected individuals.

Last month, Johns Hopkins Health System confirmed that it was investigating a cyberattack that impacted systems used by Johns Hopkins University and Johns Hopkins Health System, and the data breach was reported to the HHS’ Office for Civil Rights by Johns Hopkins Health System as affecting 2584 individuals and by Howard County General Hospital as affecting 2975 individuals. Johns Hopkins has now confirmed that its MOVEit server was attacked, and Johns Hopkins Medicine has now notified the HHS’ Office for Civil Rights that the protected health information of 310,405 individuals was compromised in the attack and said it is in the process of notifying those individuals and will be offering complimentary credit monitoring and identity theft protection services to those individuals.

The post Records of 4 Million Coloradans Compromised in MOVEit Transfer Attack appeared first on HIPAA Journal.

Johns Hopkins Medicine Confirms More Than 310,400 Individuals Affected by MOVEit Hack

Posted by Steve Alder

Last month, Johns Hopkins Health System announced it was investigating a cyberattack and data breach, which was reported to the HHS’ Office for Civil Rights by Johns Hopkins Health System and Howard County General Hospital as affecting more than 5,500 individuals.

Hackers (Clop) exploited a zero day vulnerability in the MOVEit Transfer file transfer solution and exfiltrated data and attempted to extort money from the victims. The information security firm Kon Briefing has been tracking the incidents and reports that at least 670 organizations fell victim to the attacks and more than 41 million records are now confirmed as having been compromised. Johns Hopkins Medicine has now notified the HHS’ Office for Civil Rights that the protected health information of 310,405 individuals was compromised in the attack and said it is in the process of notifying those individuals. Complimentary credit monitoring and identity theft protection services are being offered to the affected individuals.

Several other HIPAA-regulated entities have confirmed that they have been affected. Radius Global Solutions, a Minnesota-based HIPAA business associate that provides customer engagement and technology services, has confirmed that the protected health information of 600,794 individuals was compromised in the Clop MOVEit Transfer attacks, including names, dates of birth, Social Security numbers, treatment codes, treatment locations, health insurance provider names, and treatment payment histories. 24 months of complimentary credit monitoring and identity theft protection services have been offered to the affected individuals.

The Colorado Department of Health Care Policy and Financing, which oversees the state’s Medicaid program and the Child Health Plan Plus (CHP+) program, was also affected. The protected health information of Health First Colorado and CHP+ users was compromised in the attack, including names, Social Security numbers, Medicaid and Medicare IUD numbers, birth dates, contact information, demographic/income information, health insurance information, and clinical and medical information, including diagnoses, conditions, lab results, medications, and other treatment information. 24 months of complimentary credit monitoring and identity theft protection services have been offered to the affected individuals. The incident was reported to the Maine Attorney General as affecting up to 4,091,794 individuals.

The Indiana Family and Social Services Administration has recently confirmed that the state Medicaid enrollment broker, Maximus Health Services Inc., had its MOVEit server hacked and the protected health information of 744,000 Indiana Medicaid members was compromised including names, addresses, case numbers, and Medicaid numbers. Maximus handles the department’s communications with Medicaid recipients. The Clop group had access to its MOVEit server from May 27 to May 31, 2023. Florida Healthy Kids, a provider of health and dental insurance to children in Florida, was also impacted by the Maximus breach, although it is currently unclear how many individuals had their data compromised in the incident. Maximus said 24 months of complimentary credit monitoring and identity theft protection services are being offered to the affected individuals.

The post Johns Hopkins Medicine Confirms More Than 310,400 Individuals Affected by MOVEit Hack appeared first on HIPAA Journal.

Vanderbilt University Medical Center Investigated by OCR over Disclosure of Transgender Patients’ Medical Records

Posted by Steve Alder

Vanderbilt University Medical Center is being investigated by the Department of Health and Human Services’ Office for Civil Rights (OCR) over the disclosure of the medical records of transgender patients to Tennessee Attorney General, Jonathan Skrmetti. VUMC provided the medical records of transgender patients to AG Skrmetti after receiving civil investigative demands for the data as part of an investigation into potential medical billing fraud. VUMC recently sent notifications to the affected patients informing them about the disclosure of their records, which started to be provided to AG Skrmetti in December last year.

The HIPAA Privacy Rule permits, but does not require, healthcare providers to disclose patients’ medical records for law enforcement purposes in certain circumstances, such as in response to an administrative request if the information being sought is relevant and material to a legitimate law enforcement inquiry. VUMC and AG Skrmetti both maintain that the disclosures were legal. AG Skrmetti said the records were requested in response to a run-of-the-mill investigation he was involved with. The investigation was launched in September 2022 after a VUMC doctor publicly described having manipulated medical billing codes to evade coverage limitations on gender-related treatments.

The medical record disclosures have been condemned by many members of the LGBTQ+ community. AG Skrmetti and other authorities in the state have expressed a hostile attitude regarding the rights of transgender individuals and a federal appeals panel recently approved a law in the state that bans hormone therapy and puberty blockers for transgender youth. There are fears that the information disclosed may be used against the patients. Two patients recently lawsuit against VUMC over the disclosures that alleges the records of 106 patients were provided to AG Skrmetti. Given the attitude of state authorities regarding transgender rights, the patients believe VUMC should have provided unidentified data – patient data that has had all personally identifiable information removed.

VUMC’s Chief Communications Officer, John Howser, recently confirmed that VUMC is assisting OCR with a civil rights investigation over the disclosures, although he did not provide any further information as the investigation is ongoing.

The post Vanderbilt University Medical Center Investigated by OCR over Disclosure of Transgender Patients’ Medical Records appeared first on HIPAA Journal.