Risk and Compliance Firm Reports Breach of 47,035 Records
The risk and compliance firm LogicGate has identified a security incident in which the protected health information of 47,035 individuals has potentially been compromised. LogicGate explained in breach notification letters that an unauthorized individual gained access to credentials for its Amazon Web Services cloud storage servers which are used to store backup files of customers that use its Risk Cloud platform. The Risk Cloud Platform is used by companies to identify and manage compliance risks and meet data protection and security standards. All backup files stored in AWS S3 buckets are encrypted, but the attacker was able to use the credentials to decrypt data. The backup files contained customer data that had been uploaded to their Risk Cloud environment prior to February 23, 2021. LogicGate said it did not identify any decrypt events associated with customers’ stored attachments. It is currently unclear whether any customer data was exfiltrated by the attacker and no details have been released about how the credentials were obtained. Hoboken Radiology Alerts Patients to...
Ransomware Attacks Affect Sturdy Memorial Hospital and UF Health
Sturdy Memorial Hospital in Attleboro, MA is notifying 57,379 patients about a computer security incident that occurred on February 9, 2021 in which patient data was stolen. According to the hospital’s breach notice, an unauthorized individual gained access to its systems but the hospital secured those systems later that day. The individual demanded a ransom payment to prevent the exposure/sale of data stolen in the attack. The hospital took the decision to pay the ransom and received assurances all stolen data would be permanently destroyed and would not be further disclosed. It is unclear whether this was simply a data theft incident or whether ransomware had been used in the attack. Third party computer forensics experts were engaged to investigate the breach, and a review was conducted to determine what patient data was compromised. The review was completed on April 21, 2021 and all affected individuals started to be notified on May 28, 2021. Sturdy Memorial Hospital said that in addition to its own patients, some patient data from other healthcare provider partners –...
147,000 Patients Affected by Scripps Health Ransomware Attack
Scripps Health, the second largest healthcare provider in San Diego, has started sending breach notification letters to 147,267 patients to inform them that some of their personal and health information was stolen in a May 1, 2021 ransomware attack. The attack forced Scripps Health to adopt its EHR downtime procedures with its systems offline. Staff at its medical offices and hospitals were forced to work with paper charts while systems were restored and data was recovered. That process has taken almost a month, during which time access to important patient information such as test results was prevented. Scripps Health only regained the ability to create new records last week when the MyScripps patient portal was brought back online. The attack affected many of the healthcare provider’s care sites and caused disruption to operations at two of its four hospitals. Scripps Health took the decision to divert some critical patients to other facilities, with all four of its main hospitals placed on emergency care diversion for stroke, heart attack, and trauma patients. Some non-urgent...
Diabetes, Endocrinology & Lipidology Center Pays $5,000 to Resolve HIPAA Right of Access Case
The HHS’ Office for Civil Rights has announced a settlement has been reached with The Diabetes, Endocrinology & Lipidology Center, Inc. (DELC) that resolves a potential HIPAA Right of Access violation. This is the 8th financial penalty to be announced in 2021 to resolve violations of the HIPAA Rules, and the 19th settlement under OCR’s HIPAA Right of Access enforcement initiative that was launched in the fall of 2019. DELC is a West Virginia-based healthcare provider specializing in treating endocrine disorders. In August 2019, OCR received a complaint that alleged DELC had failed to respond to a request for a copy of protected health information in a timely manner. The HIPAA Privacy Rule requires a copy of an individual’s protected health information contained in a designated record set to be provided within 30 days of a request being received. In this case, the complainant wanted a copy of her minor child’s protected health information and DELC had failed to provide those records within the allowed 30 days. OCR notified DELC on October 30, 2019 about the investigation into...
More than 3.2 Million Individuals Affected by 20/20 Hearing Care Network Data Breach
The 20/20 Hearing Care Network has started notifying millions of current and former members that some of their protected health information (PHI) has potentially been compromised and/or deleted. On January 11, 2021, suspicious activity was detected in its AWS cloud storage environment. Steps were immediately taken to prevent further unauthorized access and an investigation was launched to determine the nature and scope of the security breach. Third party forensics experts assisted with the investigation and confirmed that S3 buckets hosted in AWS had been accessed, data in those buckets downloaded, and then all data in the S3 buckets was deleted. The forensic investigation confirmed in late February that some of the data downloaded and deleted from the storage environment included PHI for some or all health plan members for whom records were held. While data theft was confirmed, it was not possible to tell exactly which information had been accessed or removed from the S3 buckets. The types of data potentially obtained in the attack included names, Social Security numbers, dates of...



