Ottumwa Fire Department Fires Employees for Misconduct and HIPAA Violations

The Ottumwa Fire Department in Iowa has recently fired employees for alleged violations of the HIPAA Rules and other misconduct. The City of Ottumwa launched an investigation of three members of the fire department, two of whom have been terminated and one of whom left the department in lieu of termination for “behaviors that violated department rules, safe practices, and the values and standards of the City of Ottumwa”.

The city engaged the law firm, Dentons Davis Brown, to investigate allegations of misconduct, which included sexual activity while on duty, disclosures of sensitive information to unauthorized individuals, and allowing unauthorized individuals to ride in fire vehicles.

Firefighters Derek Fye and Dillon McPherson were discovered to have violated the HIPAA rules by divulging patient information obtained by the fire department when responding to incidents, which included medical histories, conditions, and other information. Captain Bill Keith was similarly fired for HIPAA violations, allowing unauthorized individuals to ride in fire vehicles, failing to report instances of employee misconduct, and failing to adequately lead those under his command. Fye and Keith are entitled to request a hearing.

Brigham and Women’s Hospital Exposed Patient Data Over the Internet

Brigham and Women’s Hospital in Boston, MA, has alerted 987 patients about the impermissible disclosure of some of their protected health information. According to the notification letters, the data of patients who participated in a research study/quality improvement project has been exposed online. Graphs had been created as part of the study/project to share with others within the healthcare community using a data analytics tool called Tableau.

The graphs, which only included high-level and summary information, were accidentally posted to the public version of the Tableau tool; however, a link was included that, if clicked, allowed access to sensitive information including names, addresses, medical record numbers, dates of birth, email addresses, and phone numbers. Clinical information that could have been accessed included diagnoses, lab results, medications, and procedures. The exposed data varied from individual to individual. Affected individuals were notified on August 4, 2023.

For the research study, the data was published on the tool on February 25, 2018, and for the quality improvement project, on January 14, 2023. The publicly accessible link was discovered on June 8, 2023, and was removed on June 13. The research study data was accessible between February 25, 2018, and June 13, 2023, and the quality improvement project data was exposed between January 14, 2023, and June 13, 2023.

IVF Michigan Notifies Patients About February 2023 Ransomware Attack

IVF Michigan has recently notified 9,383 patients that some of their protected health information was compromised in a February 25, 2023, ransomware attack. IVF Michigan, which includes Ohio Fertility Centers, said its security software detected the attack almost immediately and disconnected systems from the internet and shut them down. IVF Michigan learned of the breach on February 28. The incident was investigated by its security services vendor and it was determined that files had been accessed and were likely exfiltrated; however, no evidence has been found to indicate any misuse of patient data.

The files potentially obtained in the attack included names, addresses, zip codes, birth dates, driver’s license numbers, Social Security numbers, diagnoses, conditions, lab results, medications, treatment information, claims information, and credit card/bank account numbers. The information involved varied from individual to individual.

Jefferson County Health Center Reports Hacking Incident

Jefferson County Health Center in Fairfield, IA, has discovered unauthorized individuals gained access to its network between April 24, 2023, and May 30, 2023, and may have obtained files containing patients’ protected health information. The breach was detected on May 30, 2023, when suspicious activity was identified within its network.

While unauthorized network access was confirmed, evidence of data theft was not found; however, it is possible that sensitive data was stolen in the attack such as names, medical histories, diagnoses, medical treatment information, and health insurance information. The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

The post Ottumwa Fire Department Fires Employees for Misconduct and HIPAA Violations appeared first on HIPAA Journal.

Missouri Department of Social Services Confirms Medicaid Recipients’ Data Compromised in MOVEit Hacks

Four more entities have confirmed they were affected by the mass hacks of the MOVEit Transfer file transfer solution and had protected health information stolen.

Missouri Department of Social Services

The Missouri Department of Social Services (DSS) has confirmed that the data of Medicaid recipients was compromised in the recent mass MOVEit hacks by the Clop threat group. Clop conducted hundreds of attacks starting on May 27, 2023, that exploited a zero-day vulnerability in the MOVEit Transfer file transfer solution – CVE-2023-34362. More than 610 companies, organizations, and other entities were attacked and had data stolen.

According to the Missouri DSS, the attack occurred at IBM Consulting. The Missouri DSS said that when it was made aware of the incident it disconnected the MOVEit servers from internal IT systems and launched an investigation into the breach. The DSS confirmed that no DSS systems were breached, only the MOVEit server, which contained data such as names, department client numbers, birth dates, benefit eligibility status/coverage, and medical claims information. It is currently unclear exactly how many Medicaid recipients were affected. The DSS said all Missouri Medicaid recipients are being notified about the breach as a precaution.

Omaha Health Insurance Company

The Omaha Health Insurance Company (OHIC), part of Mutual of Omaha, has reported a security breach at a third-party vendor that exposed the records of individuals who were enrolled in the Medicare Part D Prescription Drug Plan, which was issued by Mutual of Omaha Rx.

The vendor discovered the security breach on June 21, 2023, and notified OHIC about the breach on June 22, 2023. The OHIC investigation confirmed that sensitive data was downloaded by the threat group between May 30, 2023, and June 2, 2023. The exposed data included names, dates of birth, Social Security numbers, claims information, banking information, billing information, and treatment information. Affected individuals have been offered complimentary credit monitoring services. The vendor was not named in the notification sent to the state attorney general.

IU Health

IU Health in Indianapolis has confirmed that patient data was compromised in the mass MOVEit Transfer hacks. The incident occurred at a third-party claims processor, TMG Health. IU Health was notified about the breach on June 22, 2023, and was informed that IU Health Plan data was compromised, including names, member ID numbers, plan effective dates, and for some individuals, bank account information. IU Health Plans notified the affected members on August 4, 2023, and offered complimentary credit monitoring services. It is currently unclear how many plan members were affected.

Hillsborough County, FL

Hillsborough County in Florida has reported a breach of the protected health information of 70,636 patients to the HHS’ Office for Civil Rights. The county learned about the MOVEit Transfer incident on June 1, 2023, and determined on June 22, 2023, that the compromised data included individuals who received care through Hillsborough County Health Care Services. That information included names, Social Security numbers, dates of birth, home addresses, medical conditions, diagnoses, and disability codes. Certain vendors were notified that some employee data may have been compromised. The affected vendors will notify their employees directly.

The post Missouri Department of Social Services Confirms Medicaid Recipients’ Data Compromised in MOVEit Hacks appeared first on HIPAA Journal.