Florida County Drug Screening Lab Exposed Sensitive Data Online for 4 Years
A misconfiguration of an internal website portal used by a Florida county drug screening lab exposed sensitive information online for a period of more than four years. St. Lucie County’s drug screening lab (SLC Lab) provides drug testing services for employment, court cases, and other purposes. The configuration error was discovered on October 13, 2021, and the issue was immediately corrected. Assisted by third-party cybersecurity professionals, the country determined on December 28, 2021, that the configuration error occurred on June 2, 2017. From June 2, 2017, to October 13, 2021, sensitive data were accessible to certain portal users, including full names, dates of birth, Social Security numbers, and limited information related to the type of drug test performed and the result of the lab test. While sensitive data were exposed via the web portal for 4 years, SLC Lab said it has not been notified about any cases of improper use of any of the exposed information and is unaware of any cases of identity theft or fraud as a result of the portal misconfiguration. SLC Lab did not...
Memorial Health System Faces Class Action Lawsuit Over August 2021 Cyberattack
Marietta Area Health Care Inc., doing business as Memorial Health System, is facing a class action lawsuit over a cyberattack and data breach that was detected by Memorial Health System on August 14, 2021. The investigation into the attack confirmed the attackers first gained access to company servers on or around July 10, 2021, and installed malware on its systems. Unauthorized access remained possible until August 15, 2021. The breach notification letters state Memorial Health System learned on September 17, 2021, that the threat actor potentially accessed or acquired information from its systems. The review of the affected systems was completed on November 1, 2021, and affected individuals were notified on January 12, 2022, and were offered a 12-month complimentary membership to a credit monitoring service. The breach notice submitted to the Maine attorney general indicates the personal information of 216,478 was potentially accessed by the attackers. The lawsuit was filed in the U./S. District Court of the Southern District of Ohio, Eastern Division against Marietta Area Health...
Settlement Reached in Excellus Class Action Data Breach Lawsuit
Excellus Health Plan Inc., its affiliated companies, and the Blue Cross Blue Shield Association (BCBSA) have reached a settlement to resolve a class action lawsuit that was filed in relation to a cyberattack discovered in 2015. The attack involved the personally identifiable information (PII) and protected health information (PHI) of more than 10 million members, subscribers, insureds, patients, and customers. The cyberattack was detected on August 5, 2015, by a cybersecurity firm that was hired to assess Excellus’s information technology system. The subsequent investigation by Excellus and cybersecurity firm Mandiant determined hackers had first gained access to its systems on or before December 23, 2013. Evidence was found that indicated the hackers were active within its network until Aug. 18, 2014, after which no traces of activity were found; however, malware had been installed which gave the attackers access to its network until May 11, 2015. On that date, something happened that prevented the hackers from accessing its network. It took Excellus 17 months from the...
New York Fines EyeMed $600,000 for 2.1 Million-Record Data Breach
The first settlement of 2022 to resolve a healthcare data breach has been announced by New York Attorney General Letitia James. The Ohio-based vision benefits provider EyeMed Vision Care has agreed to pay a financial penalty of $600,000 to resolve a 2020 data breach that saw the personal information of 2.1 million individuals compromised nationwide, including the personal information of 98,632 New York residents. The data breach occurred on or around June 24, 2020, and saw unauthorized individuals gain access to an EyeMed email account that contained sensitive consumer data provided in connection with vision benefits enrollment and coverage. The attacker had access to the email account for around a week and was able to view emails and attachments spanning a period of 6 years dating back to January 3, 2014. The emails contained a range of sensitive information including names, contact information, dates of birth, account information for health insurance accounts, full or partial Social Security numbers, Medicare/Medicaid numbers, driver’s license numbers, government ID numbers,...
Email Breaches Reported by University of Arkansas for Medical Sciences and Sacramento County
Email-related breaches of protected health information (PHI) have recently been reported by the University of Arkansas for Medical Sciences and Sacramento County University of Arkansas for Medical Sciences (UAMS) Employee HIPAA Violation The University of Arkansas for Medical Sciences (UAMS) has started sending notification letters to hundreds of patients to alert them to a HIPAA violation involving some of their PHI. On November 29, 2021, UAMS discovered an employee had sent emails from her UAMS email account to a personal Gmail account that contained attachments that included patients’ PHI. UAMS said the emails were sent on November 15, 2021, while the individual was still employed by UAMS. The emails included billing statements that had been sent to UAMS for reimbursement and Excel spreadsheets used by UAMS for internal billing compliance and auditing purposes. No clinical documents, medical records, financial information, or Social Security numbers were included in the attachments, but they did contain PHI such as names, hospital account numbers, medical record numbers, dates...



