Our HIPAA breach news section covers HIPAA breaches such as unauthorized disclosures of protected health information (PHI), improper disposal of PHI, unauthorized PHI access by cybercriminals and rogue healthcare employees, and other security and privacy breaches.

When known, we explain how the breach occurred, the consequences to patients that may have had their PHI compromised, and the actions being taken by the affected healthcare organization to improve safeguards to prevent further HIPAA breaches.

We also explain any actions being taken by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general in relation to those breaches.

OCR investigates all data breaches that impact more than 500 individuals to determine whether any HIPAA violations have occurred. When HIPAA Rules are discovered to have been violated, financial penalties may be deemed appropriate. It can take many months or years before any financial penalties for HIPAA breaches are decided. Financial penalties for HIPAA violations tend to be reserved for the most serious breaches of HIPAA Rules. OCR prefers to resolve cases with voluntary compliance and by issuing recommendations to bring policies in line with HIPAA Rules.

The HIPAA breach news section is particularly relevant to healthcare information security professionals, privacy officers, and other individuals who have some responsibility for HIPAA compliance.

The HIPAA breach news reports highlight common areas of non-compliance and new attack vectors used by cybercriminals to gain access to healthcare networks and PHI, the security failings that allowed them to happen, and the measures that have been implemented to prevent them from happening again.

No healthcare organization wants to experience a data breach, but when a breach does occur, lessons can be learned. HIPAA-covered entities can use these breach examples to help train their staff as well as to discover some of the methods other covered entities have adopted to improve data security.

As you will be able to see from the volume of posts in the HIPAA breach news category, healthcare data breaches occur frequently. In 2016 and 2017, healthcare data breaches have been reported on an almost daily basis.

Our HIPAA breach news section is an important source of information about potential security issues that covered entities should be identifying when conducting their own risk assessments. Many of the situations in our HIPAA breach news posts could have been avoided if a risk assessment had identified a vulnerability that was later exploited to gain access to PHI.

The main purpose for adding HIPAA breach news to this website is to highlight specific aspects of HIPAA compliance that are commonly overlooked, often with serious consequences for the covered entity and patients/health plan members.

By raising awareness of the volume of healthcare data breaches, the implications of those breaches, and the penalties that can result, it is hoped that healthcare providers will take decisive action to prevent their patients’ and members’ data from being exposed.

The most recent healthcare data breach reports are listed below. If you want to find out if a specific covered entity has experienced a data breach, please use the search function in the top right hand corner of this webpage.

Data Breaches Reported by University Pediatric Dentistry, OrthoNebraska, Michigan Avenue Immediate Care
Jul 05

University Pediatric Dentistry in Buffalo, NY, has started notifying 6,843 patients that some of their protected health information has been exposed in an email security incident. The email system was immediately secured when the breach was detected, and the forensic investigation confirmed that two email accounts had been accessed by an unauthorized third party between January 12, 2022, and January 19, 2022. University Pediatric Dentistry said it learned on April 25, 2022, that emails and attachments in the compromised accounts contained patient data, and that information had potentially been viewed or obtained. The compromised information included patient names, contact information, dates of birth, Social Security numbers, driver’s license numbers, government identification numbers, treatment and diagnosis information, provider names, medical record numbers, patient account numbers, prescription information, dates of service, and/or health insurance information. A limited number of patients also had financial account information exposed. Individuals who had their Social Security...

657 Healthcare Providers Affected by Ransomware Attack on Professional Finance Company
Jul 04

A major data breach has been reported by the Greeley, CO-based accounts receivable management company Professional Finance Company Inc. (PFC), which is believed to have affected 657 of its healthcare provider clients. According to the PFC website, the company is one of the nation’s leading debt recovery agencies, and its client list includes many healthcare providers, retailers, financial organizations, and government agencies. According to the company’s substitute breach notice, a sophisticated ransomware attack was detected and blocked on February 26, 2022, but not in time to prevent some of its computer systems from being disabled. Third-party forensics specialists were engaged to investigate the breach and assist with securing its environment. That investigation confirmed that an unauthorized third party had access to systems that contained information about patients of its healthcare provider clients, and that files containing patient data were accessed. PFC said it sent notification letters to all affected healthcare provider clients on May 5, 2022, and has since...

Fitzgibbon Hospital, Diskriter, Christiana Spine Center Suffer Ransomware Attacks
Jun 29

On June 25, 2022, a spokesperson for a threat group called DAIXIN Team contacted HIPAA Journal to share information about a ransomware attack and data theft incident at Fitzgibbon Hospital in Marshall, Missouri. A link was shared to a dark web resource where data stolen in the attack has been published. The published data includes database tables from the MEDITECH database, and sensitive documents containing patient data stolen from internal servers. In total, 40GB of data was stolen in the attack and included names, dates of birth, medical record numbers, patient account numbers, Social Security numbers, and medical and treatment information. DAIXIN Team was previously not known to HIPAA Journal and appears to be a new ransomware group. Further information on the group and the attack has been obtained by databreaches.net, which confirmed through a shared chat log that a representative for Fitzgibbon Hospital had made contact with DAIXIN Team to negotiate the ransom payment, but no payment has been made to date. There is currently no breach notice on the Fitzgibbon Hospital website,...

Multiple Email Accounts Compromised at Covenant Care California and Bergen’s Promise
Jun 29

Aliso Viejo-based Covenant Care California, an operator of skilled nursing facilities and a provider of home health services in California and Nevada, has announced that an unauthorized third party has gained access to its email system, and potentially viewed or obtained electronic protected health information. Suspicious activity was detected in an employee’s email account in February 2022, with the subsequent investigation confirming multiple employee email accounts had been accessed between February 24 and March 22, 2022. The accounts contained data related to its home health services, which were provided under the following names: Focus Health Rehab, Focus Home Health, Elevate Health Group, Choice Home Health, and San Diego Home Health. A review of the accounts was completed on March 27, 2022, and confirmed protected health information was present in the email accounts, which for most individuals included names, medical information, and health insurance information. A subset of individuals also had their date of birth, Social Security number, driver’s license number, and/or other...

GAO: HHS Should Establish Mechanism for Obtaining Feedback on HIPAA Data Breach Reporting Process
Jun 28

The Government Accountability Office (GAO) has recommended that the Department of Health and Human Services (HHS) establish a feedback mechanism to improve the effectiveness of its data breach reporting process. The Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009, called for the Secretary of the HHS to create and maintain a list of data breaches involving the unsecured protected health information of 500 or more individuals on its website. The HHS’ Office for Civil Rights (OCR) Breach Portal includes breaches of the personally identifiable protected health information (PHI), such as unauthorized access and disclosures, exposures, and the loss and theft of PHI. The number of reported data breaches has been increasing each year, with 2021 seeing 714 data breaches of 500 or more records reported to OCR. GAO explained in its report that between 2015 and 2021, the number of individuals affected by healthcare data breaches at healthcare providers, health plans, healthcare clearinghouses, and business...

Texas Tech University Health Sciences Center and Baptist Health Report Data Breaches of Over 1.2 Million Records
Jun 24

Texas Tech University Health Sciences Center has confirmed that the protected health information of 1,290,104 patients was compromised in a data breach at its electronic medical record vendor, Eye Care Leaders. Eye Care Leaders said it detected a breach on Dec. 4, 2021, and disabled the affected systems within 24 hours. Texas Tech University Health Sciences Center said it received the final results of the forensic investigation on April 19, 2022. The compromised information included the following data elements: name, address, phone numbers, driver’s license number, email, gender, date of birth, medical record number, health insurance information, appointment information, Social Security number, as well as medical information related to ophthalmology services. No evidence of data exfiltration was found. Over the past few weeks, the number of eye care providers known to have been affected by the Eye Care Leaders data breach has been growing. At least 23 eye care providers have confirmed they have been affected and the protected health information of more than 2 million patients is...

5 Security Breaches Reported in Which PHI was Potentially Compromised
Jun 24

Patient Information Potentially Compromised in Atrium Health Phishing Attack

A phishing incident has been reported by Charlotte, NC-based Atrium Health that exposed the protected health information of 6,695 patients who used its home health service, Atrium Health at Home. On April 7, 2022, an employee responded to a phishing email and disclosed credentials for an email and messaging account. The breach was detected on April 8 and the unauthorized access was immediately blocked. Between April 7 and April 8, the unauthorized third party used the account to send other phishing emails, which suggests that obtaining patient information stored in the account was not the aim of the attack, although it was not possible to determine if any patient information was viewed or obtained. A review of the emails, messages and attachments in the account revealed they contained patients’ full names, home addresses, birth dates, health insurance information, and medical information (such as medical record number, dates of service, provider and facility and/or diagnosis and treatment information). A...

University of Pittsburgh Medical Center Settles Data Breach Lawsuit for $450,000
Jun 23

University of Pittsburgh Medical Center has agreed to settle a class action data breach lawsuit and will make $450,000 available to cover claims from individuals who have suffered losses due to the theft and misuse of their protected health information. The data breach affected approximately 36,000 patients and saw their protected health information accessed and stolen by an unauthorized third party between April 2020 and June 2020. The breach occurred at UPMC’s legal counsel, Charles J. Hilton PC (CJH), which provided billing-related services. The compromised data was stored within the firm’s email environment and included names, birth dates, Social Security numbers, financial information, ID numbers, signatures, insurance information, and medical information. The data breach was detected in June 2020; however, notifications were not sent to affected individuals until December 2020. While many speculative lawsuits are filed against healthcare organizations and their business associates over the exposure of patient data, in this case, the plaintiff was defrauded soon after the...

5 HIPAA-Regulated Entities Announced Hacking Incidents that Exposed PHI
Jun 22

PHI of Almost 69,000 Individuals Compromised in Hacking Incident at Comstar

Comstar, a Rowley, MA-based provider of ambulance billing, collection, ePCR Hosting, and client/patient services, has discovered an unauthorized third party gained access to some of its servers which housed files that contained individuals’ personally identifiable and protected health information. Some of those files were confirmed as having been viewed. The substitute breach notice did not state when the breach occurred, but it was detected on or around March 26, 2022. A review of the affected files confirmed they contained information such as names, dates of birth, medical assessment and medication information, health insurance information, and Social Security numbers. Comstar said it already had strict security measures in place, a review has been conducted of its policies and procedures relating to data security, and measures will be taken to further protect against similar incidents in the future. No evidence of data theft or misuse of individuals’ information was identified; however, as a...

May 2022 Healthcare Data Breach Report
Jun 21

May 2022 saw a 25% increase in healthcare data breaches of 500 or more records. 70 data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) in May 2022, which is the highest monthly total this year and well above the 12-month average of 56.75 data breaches per month. This level of reported data breaches has not been seen since June 2021. Across those data breaches, the records of 4,410,538 individuals were exposed, stolen, or impermissibly disclosed, which is more than twice the number of records that were breached in April, and almost 40% higher than the average number of records breached each month over the past 12 months.

Largest Healthcare Data Breaches Reported in May 2022

In May 2022, there were 31 reports of healthcare data breaches that involved the records of more than 10,000 individuals. The largest breach to be reported affected the HIPAA business associate, Shields Health Care Group, which provides MRI and other imaging services in New England. The exact nature of the attack was not disclosed, but...

Central Florida Inpatient Medicine Security Incident Affects Almost 198,000 Patients
Jun 20

Lake Mary, FL-based Central Florida Inpatient Medicine (CFIM) has recently discovered that the email account of an employee has been accessed by an unauthorized individual, who may have viewed emails and files containing patients’ protected health information. The substitute breach notice states that CFIM learned that the email account contained sensitive patient data on May 5, 2022; however, the email account was breached between August 21, 2021, and September 17, 2021. The delay in issuing notifications to affected individuals was due to “an extensive forensic investigation and comprehensive and time-consuming manual document review.” The review revealed the emails and attachments included information such as names, dates of birth, medical information including diagnosis and/or clinical treatment information, physician and/or hospital name, dates of service, and health insurance information. A limited number of Social Security numbers, driver’s license numbers, financial account information, and usernames and passwords were also exposed. CFIM said no evidence was found to...

Data Theft Incidents Reported at MCG Health, Choice Health, & Goodman Campbell Brain and Spine
Jun 15

MCG Health Announces Data Theft Incident Affecting 1.1 Million Individuals

MCG Health in Seattle, WA, a provider of patient care guidelines to healthcare providers and health plans, started notifying patients and members of MCG customers that an unauthorized party has obtained some of their protected health information. According to the breach notice on the MCG website, MCG determined on March 25, 2022, that an unauthorized individual had obtained data that matched data on its systems, including names, Social Security numbers, medical codes, postal addresses, telephone numbers, email addresses, dates of birth, and gender. MCG Health has advised affected individuals to review their account statements and monitor their free credit reports for signs of misuse of their information. The substitute breach notice on the MCG Health website does not explain the nature of the attack, how much data was stolen, how MCG Health learned that data had been stolen, or when the data theft incident occurred. A lawsuit filed against MCG Health alleges hackers first gained access to its systems in...

Kaiser Permanente Reports Email System Breach and Exposure of 70,000 Individuals’ PHI
Jun 14

Kaiser Permanente, one of the largest nonprofit health plan and healthcare providers in the United States, has reported a breach of its email system. Kaiser Permanente provides healthcare services to more than 12.5 million patients in 8 states and D.C. but said this breach only affected around 70,000 members of the Kaiser Foundation Health Plan of Washington. Kaiser Permanente said it was alerted to a security incident involving its email system on April 5, 2022. The email account of an employee was confirmed as being accessed by an unauthorized party, and immediate action was taken to secure the account to prevent further unauthorized access. Kaiser Permanente said the account was shut down and secured within hours. An investigation was launched to determine the nature and scope of the security breach, and it was confirmed that the incident was limited to a single account; however, that account contained emails and attachments that included the protected health information of certain health plan members. The types of information exposed in the breach included patients’ first and...

700,000 Patients Affected by Yuma Regional Medical Center Ransomware Attack
Jun 13

Yuma Regional Medical Center (YRMC) in Arizona has announced it was the victim of a ransomware attack in April in which the attackers obtained the protected health information (PHI) of 737,448 current and former patients. According to the recent YRMC announcement, the attack, which affected some of its IT systems, was detected on April 25, 2022. YRMC said immediate action was taken to contain the attack, and systems were taken offline to prevent further unauthorized access. Law enforcement was notified, and a third-party computer forensics firm was engaged to assist with the investigation and determine the nature and scope of the attack. The investigation confirmed that the attackers gained access to its systems between April 21 and April 25, 2022, and, prior to file encryption, a subset of files was exfiltrated from its systems. YRMC said it is working with security experts to bring its systems back online as quickly as possible. Throughout the attack, its facilities remained open and operated using established backup processes and downtime procedures, which did result in some...

Data Breaches Reported by Aesto Health and Motion Picture Industry Health Plan
Jun 09

Aesto Health, a Birmingham, AL-based software company that provides solutions to help healthcare enterprises and medical providers exchange, organize, and protect patient information, has announced it recently experienced a cyberattack that caused disruption to certain internal IT systems. The security breach was detected on March 8, 2022, and steps were immediately taken to prevent further unauthorized access to its systems. A third-party computer forensics company was engaged to assist with the investigation, which confirmed that an unauthorized individual had access to the affected systems from December 25, 2021, to March 8, 2022. During that time frame, certain files were exfiltrated from a backup storage device, which included radiology reports from Osceola Medical Center (OMC) in Wisconsin. A review of the affected files confirmed they contained patients’ protected health information, including names, dates of birth, physician names, and report findings related to radiology imaging at OMC. No Social Security numbers or financial information were viewed or stolen, and OMC...

Email Account Breaches Reported by Allaire Healthcare Group and Platinum Hospitalists
Jun 09

Allaire Healthcare Group and Platinum Hospitalists have recently announced that an unauthorized individual has gained access to an employee email account and potentially viewed or copied patient data.

PHI Potentially Compromised in Email Account Breach at Allaire Healthcare Group

Freehold, NJ-based Allaire Healthcare Group, which runs five residential healthcare facilities in the tri-state area that provide subacute care, dementia care, and respite care, has discovered an unauthorized individual has gained access to the email account of one of its employees. Suspicious activity was detected in the employee’s email account on November 24, 2021. Prompt action was taken to secure the account and its email system and to prevent further unauthorized access. The forensic investigation confirmed the breach was limited to a single email account that was accessed by an unauthorized individual between November 10, 2021, and November 24, 2021. A programmatic and manual review of the affected email account was completed on March 18, 2022. The review confirmed the email account contained the...

2 Million Patients Affected by Shields Health Care Group Cyberattack
Jun 07

The protected health information of up to 2 million individuals has potentially been compromised in a Shields Health Care Group cyberattack. Massachusetts-based Shields Health Care Group provides ambulatory surgical center management and medical imaging services throughout New England. On March 28, 2022, suspicious activity was detected within its network. Immediate action was taken to secure its network and prevent further unauthorized access, and third-party forensics specialists were engaged to assist with the investigation and determine the nature and scope of the security breach. The forensic investigation determined that an unauthorized actor had access to certain Shields systems between March 7, 2022, and March 21, 2022. Shields said a security alert had been triggered on March 18, 2022, which was investigated, but at the time it did not appear that there had been a data breach. It has since been confirmed that during that period of access, certain data was removed from its systems. Shields said it has not been made aware of any cases of actual or attempted misuse of patient...

Healthcare Ransomware Attacks Increased by 94% in 2021
Jun 06

Ransomware attacks on healthcare organizations increased by 94% year over year, according to the 2022 State of Ransomware Report from cybersecurity firm Sophos. The report is based on a global survey of 5,600 IT professionals and included interviews with 381 healthcare IT professionals from 31 countries. This year’s report focused on the rapidly evolving relationship between ransomware and cyber insurance in healthcare. 66% of surveyed healthcare organizations said they had experienced a ransomware attack in 2021, up from 34% in 2020, and the volume of attacks increased by 69%, which was the highest of all industry sectors. Healthcare had the second-highest increase (59%) in the impact of ransomware attacks. According to the report, the number of healthcare organizations that paid the ransom has doubled year over year. In 2021, 61% of healthcare organizations that suffered a ransomware attack paid the ransom – the highest percentage of any industry sector. The global average was 46%, which is almost twice the percentage of the previous year. Paying the ransom may help healthcare...

FBI Thwarted ‘Despicable’ Cyberattack on Boston Children’s Hospital
Jun 03

In 2021, the Federal Bureau of Investigation (FBI) helped Boston Children’s Hospital mitigate a cyberattack by Iranian state-sponsored hackers before any damage could be caused. FBI Director, Christopher Wray, said the attempted cyberattack was “one of the most despicable cyberattacks I have ever seen.” Speaking at Boston College for the Boston Conference on Cyber Security, Wray said Iranian state-sponsored hackers exploited a vulnerability in a popular software solution made by the Californian cybersecurity vendor Fortinet. The FBI was alerted to the breach and the pending attack by another intelligence agency and notified the hospital on August 3, 2021. Wray said the FBI met with representatives of the hospital and provided information that helped the hospital identify and mitigate the threat. Wray said this was “a great example of why we deploy in the field the way we do, enabling that kind of immediate, before-catastrophe-strikes response,” and explained that the incident should serve as a reminder to all healthcare organizations to ensure they have an incident...

Data Breaches Reported by Alameda Health System, Aon, and Capsule Pharmacy
Jun 03

Alameda Health System in California, Capsule pharmacy in New York, and Aon PLC in Illinois have recently reported data breaches affecting a total of 56,290 individuals.

Alameda Health System Notifying 90,000 Patients About PHI Breach

Oakland, CA-based Alameda Health System has recently reported a data breach to the Department of Health and Human Services’ Office for Civil Rights that has affected up to 90,000 patients. Limited information has been released so far on the nature of the breach. Alameda Health System said suspicious activity was detected in the email accounts of certain employees with the investigation confirming several employee email accounts had been accessed by an unauthorized third party. The review of those accounts confirmed they contained the protected health information of patients, although it is currently unclear to what extent patient information has been compromised. Alameda Health System said no evidence has been found that suggests any information in the accounts has been viewed or removed. Notification letters will be sent to affected individuals...

PHI Potentially Compromised in Security Incidents at Allwell Behavioral Health Services and WellDyneRx
Jun 02

Allwell Behavioral Health Services in Zanesville, OH, has announced that a computer system used to store quality assurance information related to the treatment of patients has been accessed by an unauthorized individual. The unauthorized access was detected on March 5, 2022, with the subsequent forensic investigation determining the system was breached on March 2, 2022. The breach investigation concluded in late April and determined that it was likely that files containing sensitive information had been copied in the attack, although at the time of issuing notifications to affected individuals there had been no reports of any actual or attempted misuse of patient data. The types of information in the files varied from patient to patient and may have included information such as names, dates of birth, Social Security numbers, phone numbers, treatment activity, treatment provider, treatment date, treatment location, and payer information. According to the breach summary on the HHS’ Office for Civil Rights website, 29,972 patients have been affected. Complimentary identity theft...

Email Accounts Compromised at BJC HealthCare & Cooper University Health Care
May 31

BJC HealthCare, a non-profit healthcare organization based in St. Louis, MO, has started notifying certain patients that some of their protected health information was stored in email accounts that were accessed by an unauthorized individual. The investigation confirmed that a small number of email accounts of physicians and general practitioners had been accessed between March 4 and March 28, 2022. The forensic investigation did not determine whether emails and attachments had been viewed or copied, but unauthorized data access and theft could not be ruled out. A comprehensive review of the email accounts confirmed they contained names, dates of birth, medical record numbers, and clinical information such as performance dates, diagnoses, provider names, and/or treatment locations. A limited number of patients also had their health insurance information, driver’s license numbers, and/or Social Security numbers exposed. Individuals who had either their driver’s license number or Social Security number exposed can take advantage of the complimentary credit monitoring and identity...

New York Judge Dismisses Class Action PACS Data Breach Lawsuit for Lack of Standing
May 27

A class action lawsuit filed against NorthEast Radiology PC and Alliance HealthCare Services over a data breach that exposed the protected health information of more than 1.2 million individuals has been dismissed by a New York federal judge for lack of standing. The lawsuit was filed in July 2021 on behalf of plaintiffs Jose Aponte II and Lisa Rosenberg, whose protected health information was exposed as a result of a misconfiguration of the companies’ Picture Archiving Communication System (PACS), which contained medical images and associated patient data. In late 2019, security researchers identified the exposed data and notified the affected companies, which included Northeast Radiology and its vendor, Alliance HealthCare Services. According to the lawsuit, more than 61 million medical images were exposed along with the sensitive data of 1.2 million patients. Northeast Radiology reported the breach to the HHS’ Office for Civil Rights as affecting 298,532 individuals. The lawsuit alleged the defendants had implemented inadequate security safeguards to ensure the privacy of...

Former IT Consultant Charged with Intentionally Causing Damage to Healthcare Company’s Server
May 27

An information technology consultant who worked as a contractor at a suburban healthcare company in Chicago has been charged with illegally accessing the company’s network and intentionally causing damage to a protected computer. Aaron Lockner, 35, of Downers Grove, IL, worked for an IT company that had a contract with a healthcare company to provide security and technology services. Lockner was provided with access to the network of the healthcare provider’s clinic in Oak Lawn, IL, to perform the contracted IT services. In February 2018, Lockner applied for an employment position with the healthcare provider, but his application was denied. Lockner was then terminated from the IT firm in March 2018. A month later, on or around April 16, 2018, Lockner is alleged to have remotely accessed the computer network of the healthcare company without authorization. According to the indictment, Lockner knowingly caused the transmission of a program, information, code, and command, and as a result of his actions, intentionally caused damage to a protected computer. The computer intrusion...

Email Incidents Reported by Washington University School of Medicine & Oswego County Opportunities
May 26

Oswego County Opportunities (OCO) in New York has announced that a limited number of employee email accounts were recently accessed by an unknown actor. The security breach was identified when suspicious email activity was detected and the email accounts were immediately secured. Third-party cybersecurity experts were engaged to investigate the breach to determine the nature and scope of the attack, and what information, if any, had been accessed by the threat actor. It was not possible to determine if any emails in the account had been viewed or obtained but the review of the affected email accounts confirmed they contained the following types of information: names, addresses, Social Security numbers, driver’s license numbers, certain health information, and a very limited amount of credit card numbers. The accounts also contained some employee information and information about vendors with connections to OCO. The data breach has been reported to the HHS’ Office for Civil Rights as affecting 7,766 individuals. OCO said it has modified its email settings and controls to provide...

SAC Health Theft Incident and Multiple Ransomware Attacks Reported
May 25

Social Action Community Health System (SAC Health) has recently notified 149,940 patients that documents containing their protected health information were stolen in a break-in at an off-site storage location where patient records were stored. The break-in was discovered on March 4, 2022, with the subsequent investigation confirming on April 22, 2022, that six boxes of paper documents had been stolen from the facility, which included files relating to patients served by SAC Health in 1997 and between 2006 and 2020. An analysis was conducted to determine which types of information were included in the files and concluded the documents may have contained information such as names, addresses, dates of birth, and diagnosis codes. Notification letters were sent to those individuals on May 3, 2022. SAC Health said it is unaware of any actual or attempted misuse of patient data as a result of the break-in; however, as a precaution against identity theft and fraud, affected individuals have been offered complimentary credit monitoring services. SAC Health said it is conducting a review of...

Over 850,000 Individuals Affected by Partnership HealthPlan of California Cyberattack
May 24

In March 2022, Partnership HealthPlan of California (PHC) announced that third-party forensic specialists had been engaged to help restore the functionality of its IT systems following a cyberattack. PHC has now confirmed in a breach notification to the Maine Attorney General that the protected health information of 854,913 current and former health plan members has potentially been stolen, making this one of the largest healthcare data breaches to be reported so far this year. According to the notification, the cyberattack was detected on or around March 19, 2022. Steps were immediately taken to contain the breach and an investigation was launched to determine the nature and scope of the attack. PHC said the forensic investigation uncovered evidence that the unauthorized party behind the cyberattack had removed files from the PHC network on or around March 19. The review of the affected files is ongoing, and while it has yet to be confirmed which specific types of protected health information were included in the affected files, notification letters are starting to be sent to...

April 2022 Healthcare Data Breach Report
May 20

After four successive months of declining numbers of data breaches, there was a 30.2% increase in reported data breaches. In April 2022, 56 data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). While the number of reported breaches increased month-over-month, the number of healthcare records that were exposed or impermissibly disclosed decreased by 30% to 2,160,194 – the lowest monthly number since October 2021. The average breach size in April 2022 was 38,575 records, and the median breach size was 6,546 records.

Largest Healthcare Data Breaches in April 2022

22 healthcare data breaches were reported in April 2022 that affected 10,000 or more individuals. The worst breach was a hacking incident reported by Adaptive Health Integrations, a provider of software and billing/revenue services to laboratories, physician offices, and other healthcare companies. More than half a million individuals were affected. The Arkansas healthcare provider ARcare suffered a malware attack that disrupted its...

Solara Medical Supplies $9.76 Million Data Breach Settlement Gets Preliminary Approval
May 19

A $9.76 million settlement proposed by Solara Medical Supplies to resolve a class action lawsuit related to a 2019 data breach has received preliminary approval from the court. Solara Medical Supplies, which provides products and services to help people manage their diabetes, was the victim of a phishing attack that saw employees’ Microsoft Office 365 email accounts accessed by unauthorized individuals between April 2, 2019, and June 20, 2019. The email accounts contained the protected health information of patients and sensitive employee information, including names, dates of birth, billing and claims information, health insurance information, medical information, financial account information and credit card numbers, Social Security numbers, driver’s license numbers, state ID numbers, and Medicare/Medicaid IDs. The breach was reported to the HHS’ Office for Civil Rights as affecting 114,007 individuals. Legal action was taken on behalf of the individuals affected by the breach, with the class including all individuals residing in the United States and its territories who were...

Parker-Hannifin Cyberattack Affects Almost 120,000 Health Plan Members
May 19

Cleveland, OH-based Parker-Hannifin Corporation, a manufacturer of motion and control technologies, has recently announced that unauthorized individuals have gained access to some of its IT systems and may have acquired files containing the sensitive information of current and former employees, their dependents, and other individuals affiliated with the company. Suspicious activity was detected within its IT environment on March 14, 2022. The forensic investigation confirmed its systems were accessed by unauthorized individuals between March 11, 2022, and March 14, 2022. A comprehensive review of the affected files confirmed they contained information such as names, birth dates, addresses, Social Security numbers, driver’s license numbers, passport numbers, financial account information such as bank account and routing numbers, and online account usernames and passwords. Current and former members of the Parker Group Health Plan, or a health plan sponsored by an entity acquired by Parker, may also have had their enrollment information compromised, which includes health insurance...

AvosLocker Claims Credit for Christus Health Ransomware Attack
May 17

The Irving, TX-based nonprofit health system, Christus Health, which operates more than 600 healthcare facilities in Texas, Arkansas, Louisiana, and New Mexico, has announced it has recently identified suspicious activity in its computer systems and blocked an attempted cyberattack. The prompt action taken by the Christus IT team severely limited the scope of the attack and prevented the incident from impacting its patient care and clinical operations. Christus Health said it is working with third-party cybersecurity experts to investigate and determine the extent of the security breach. A relatively new ransomware threat group called AvosLocker has claimed credit for the attack. AvosLocker operates under the ransomware-as-a-service (RaaS) model and was first identified in July 2021. The threat group engages in double extortion tactics and is known to exfiltrate data prior to file encryption, then threatens to auction the stolen data if the ransom is not paid. The number of attacks conducted by AvosLocker has been steadily growing, with data from Trend Micro indicating at least 30...

Cyberattacks Reported by Schneck Medical Center, NuLife Med, & FPS Medical Center
May 17

The Manchester, NH-based medical equipment company, NuLife Med LLC, has recently announced it was the victim of a cyberattack in March 2022. Suspicious network activity was detected on or around March 11, 2022, and steps were immediately taken to prevent further unauthorized network access. An investigation was launched to determine the nature and scope of the attack and to allow its network and systems to be restored. The investigation confirmed that unauthorized individuals had accessed its network between March 9 and March 11, 2022, and potentially viewed and exfiltrated files from its systems. It was not possible to determine which files had been viewed or removed from its systems, nor the exact number of files that had been accessed or exfiltrated. Notification letters have therefore been sent to all individuals potentially affected. The review of the files revealed they mostly contained protected health information such as names, addresses, medical information, and/or health insurance information. A limited number of individuals have also had their Social Security numbers,...

Refuah Health Center Alerts 260K Patients About May 2021 Cyberattack
May 16

Refuah Health Center in New York has recently started notifying 260,740 patients about a security breach that occurred almost a year ago. According to the April 29, 2022, notification on the healthcare provider’s website, “We recently discovered unauthorized access to our network occurred between May 31, 2021, and June 1, 2021.” Upon discovery of the breach, an investigation was launched to determine the nature and scope of the attack, and a comprehensive review was then conducted of all documents that were potentially accessed. Refuah Health Center said it discovered on March 2, 2022, that the attackers had exfiltrated some files from its network that contained “a limited amount” of patients’ protected health information, including names in combination with one or more of the following data types: Social Security numbers, driver’s license numbers, state identification numbers, dates of birth, bank/financial account information, credit/debit card information, medical treatment/diagnosis information, Medicare/Medicaid numbers, medical record numbers, patient account...

Cyberattacks Reported by McKenzie Health System & Omnicell
May 13

McKenzie Health System in Sandusky, MI, has recently started notifying 25,318 patients that some of their protected health information has been stolen in a recent security incident which has caused disruption to the operations of some of its systems. On March 11, 2022, suspicious activity was detected within its IT systems. Steps were immediately taken to secure those systems and a third-party investigator was engaged to determine the nature and scope of the security breach. The investigation determined that an unauthorized individual had gained access to its network and exfiltrated files. The analysis of those files confirmed on April 22, 2022, that they contained patient information such as names, contact information, demographic information, dates of birth, Social Security numbers, diagnosis and treatment information, prescription information, medical record numbers, provider names, dates of service, and/or health insurance information. McKenzie Health System provided information on the steps that affected individuals should take to protect against the misuse of their personal...

Eye Care Leaders Hack Impacts Millions of Patients
May 12

Unauthorized individuals have gained access to the systems of Eye Care Leaders, a provider of electronic health records and patient management software solutions for eye care practices. On or around December 4, 2021, hackers gained access to its myCare Identity solution and deleted databases, systems configuration files, and data. Eye Care Leaders said its incident response team immediately stopped the unauthorized activity when the breach was detected and launched an investigation into the security breach. The investigation is ongoing, but notifications have now been sent to affected ophthalmology and optometry practices. While the investigation has not uncovered evidence to suggest the attackers viewed or exfiltrated sensitive data, the possibility of unauthorized data access and theft could not be ruled out. The types of information that have been exposed included patient names, dates of birth, medical record numbers, health insurance information, Social Security numbers, and information regarding the care received at the affected eye care practices. The breach was confined to...

Hacking Incidents Reported by Illinois Gastroenterology Group & the Mental Health Center of Greater Manchester
May 09

Illinois Gastroenterology Group has recently announced that unauthorized individuals gained access to its computer environment and potentially accessed and exfiltrated sensitive patient data. The cyberattack was detected on October 22, 2021, when suspicious activity was identified within its computer network. Third-party cybersecurity specialists were engaged to investigate the attack and determine the nature and scope of the incident. On November 18, 2021, Illinois Gastroenterology learned that the parts of its systems that were accessed by unauthorized individuals contained patient information such as names, addresses, birth dates, Social Security numbers, driver’s license numbers, passport numbers, financial account information, payment card information, employer-assigned identification numbers, medical information, and biometric data. Illinois Gastroenterology said it was not possible to rule out unauthorized viewing or theft of files containing patient data, but at the time of issuing notification letters, no reports had been received to suggest any fraudulent misuse of the...

Email Security Incidents Reported by HealthPlex and Optima Dermatology
May 09

Healthplex Inc., one of the largest providers of dental insurance in New York state, has announced that the email account of an employee was compromised in a phishing attack on November 24, 2021. Upon discovery of the breach, the email account was immediately secured to prevent further unauthorized access and an investigation was launched to determine the nature and scope of the breach. On April 5, 2021, Healthplex confirmed that the email account contained the personal and protected health information of 89,955 individuals who had previously enrolled in its dental plans. The exposed information varied from individual to individual and may have included first and last names in combination with one or more of the following data types: Address, group name and number, member ID number, plan affiliation, date of birth, date of service, provider name, ADA codes and their description, billed/paid amounts, prescription drug names, Social Security number, banking information, credit card number, username and password for the member portal, email address, phone number, and driver’s license...

Salusive Health Closes Business Following Cyberattack
May 03

Salusive Health, the developer of the myNurse platform which helps physician practices streamline disease management, has experienced a cyberattack in which patient data was compromised. In its breach notification letters to patients, Salusive Health explained that it identified unauthorized activity within its computer network on March 7, 2022, and immediately implemented containment, mitigation, and restoration efforts, and engaged third-party cybersecurity experts to assist with those processes. The investigation confirmed that unauthorized individuals accessed the personal and protected health information of patients, including name, gender, home address, phone number, email address, date of birth, medical history, diagnosis and treatment information, dates of service, lab test results, prescription information, provider name, medical account number, health insurance policy and group plan number, group plan provider, and claim information. Salusive Health said it implemented additional security measures to prevent further breaches, has notified affected individuals and offered...

6 HIPAA-Regulated Entities Report Email Account Breaches and the Exposure of PHI
May 02

Six data breaches have recently been reported by HIPAA-regulated entities that have collectively resulted in the exposure and potential theft of the protected health information of tens of thousands of individuals.

La Casa de Salud, New York

The Acacia Network, a New York City-based human services organization, has recently notified the HHS’ Office for Civil Rights about an email account breach that was detected on July 17, 2020. According to the breach notice on the Acacia Network website, email accounts were accessed for a limited time between June 6, 2020, and June 12, 2020. An investigation was immediately launched and a forensic firm was engaged to provide assistance, but it was not possible to determine if any emails or attachments had been viewed or copied. A review of the emails in the account revealed they contained patients’ names, Social Security numbers, driver’s license numbers, addresses, birthdates, financial account numbers, medical record numbers, resident identification numbers, health insurance information, Medicare numbers, provider names, treatment, prescription,...

Up to 2,592,494 Individuals Affected by Smile Brands Ransomware Attack
Apr 28

Irvine, CA-based Smile Brands, a provider of support services for dental offices, has recently provided an update on the number of individuals affected by a ransomware attack that was discovered on April 24, 2021. The attackers gained access to parts of its system on April 23, 2021, that housed files that contained individuals’ protected health information, including names, addresses, telephone numbers, dates of birth, Social Security numbers, financial information, government-issued ID numbers, and health information. The breach was initially reported to the HHS’ Office for Civil Rights in June 2021 as affecting 1,200 individuals, but the breach report was later amended to indicate up to 199,683 individuals had been affected. However, in the latest update to the Maine attorney general, the breach has been reported as affecting up to 2,592,494 individuals. The initial notice to the Maine attorney general was submitted on October 8, 2021. Smile Brands said affected individuals have been offered a complimentary 12-month membership to a credit monitoring service, which includes...

American Dental Association and Tenet Healthcare Recovering from Cyberattacks
Apr 27

The American Dental Association (ADA) suffered a cyberattack on Friday and has been forced to take many of its systems offline. The ADA website is currently available and explains that “The ADA is experiencing technical difficulties,” and that work is underway to get its systems running smoothly. While the website does not provide any further information on the cause of the technical difficulties, emails have been sent to ADA members advising them about the cyberattack. The letters explain that parts of its network were taken offline and that Aptify, ADA email, the telephone system, and web chat have all been affected. Many of its online services are currently unavailable; however, details of the attack have not been shared at this time. The ADA said it has reported the cyberattack to law enforcement and it is investigating the nature and scope of the attack and is being assisted by third-party cybersecurity professionals. The investigation has not uncovered any evidence of data theft at this stage and the extent to which its members, dental practices, and other dental...

Solara Medical Supplies Proposes $5 Million Settlement to Resolve Class Action Data Breach Lawsuit
Apr 26

A preliminary settlement has recently been approved by a California Federal court to resolve a consolidated class action lawsuit against Solara Medical Supplies. Solara Medical Supplies is a Chula Vista, California-based direct-to-consumer provider of medical devices and disposable medical products and a registered pharmacy. On June 28, 2019, Solara Medical identified suspicious activity in an employee email account. The subsequent investigation confirmed unauthorized individuals had gained access to multiple Office 365 email accounts between April 2, 2019, and June 20, 2019, as a result of employees responding to phishing emails. The forensic investigation confirmed that the sensitive information of 114,007 of its customers had been exposed and potentially stolen, including names, dates of birth, Social Security numbers, driver’s license numbers, health insurance information, and financial information. Affected individuals were offered complimentary credit monitoring and identity theft protection services for 12 months. Four class action lawsuits were filed on behalf of the...

PHI Exposed in Security Incidents at Georgia Pines CSB & Ballad Health
Apr 26

Security incidents have recently been reported by Georgia Pines CSB and Ballad Health, involving the protected health information (PHI) of 28,295 individuals.

Ballad Health Discovers Breach of Employee Email Account

Ballad Health, an integrated community health improvement organization serving communities in the Appalachian Highlands in Northeast Tennessee, Southwest Virginia, Northwest North Carolina, and Southeast Kentucky, has recently discovered an unauthorized individual has accessed the email account of one of its employees. Suspicious activity was detected in the email account of an employee on or around January 13, 2022. The email account was immediately secured, and a forensic investigation was conducted to determine the nature and scope of the breach. On February 17, 2022, it was determined that the email account was accessed for a short period by an unauthorized individual who may have viewed or acquired information in the account. A review of the emails in the account confirmed on March 16, 2022, that they included the protected health information of 4,295...

Adaptive Health Integrations Data Breach Affects More than 510,000 Individuals
Apr 20

An Adaptive Health Integrations data breach has recently been reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) that involved the protected health information (PHI) of 510,574 individuals. Adaptive Health Integrations is listed as a Williston, North Dakota-based provider of LIS software services and billing/revenue services to laboratories, physician offices, and other healthcare companies. The notification letters, a copy of which was found on the Montana Attorney General website, state that the company recently became aware that an unauthorized individual had gained access to its system on or around October 17, 2021, and may have accessed “a limited amount of data stored on our systems.” The letters explained that when the unauthorized access was discovered, the threat was immediately contained, and an investigation was launched. A comprehensive review of affected files was conducted, and that process was concluded on February 23, 2022. The notification letters state that credit monitoring, fraud consultation, and identity theft restoration...

March 2022 Healthcare Data Breach Report
Apr 19

For the fourth successive month, the number of reported healthcare data breaches has fallen. In March 2022, 43 healthcare data breaches of 500 or more records were reported to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR), which is a 6.52% fall from February and well below the 12-month average of 57.75 data breaches a month. However, there was a 36.94% increase in the number of breached records compared to February. Across the 43 reported breaches, 3,083,988 healthcare records were exposed, stolen, or impermissibly disclosed, which is slightly below the average of 3,424,818 breached records a month over the past 12 months.

Largest Healthcare Data Breaches in March 2022

In March 2022, there were 25 data breaches reported to OCR that affected 10,000 or more individuals, all but one of which were hacking incidents. The largest data breach of the month affected over half a million patients. Christie Business Holdings Company, which operates Christie Clinic in Illinois, discovered an employee email account had been accessed by unauthorized individuals...

On-the-spot Email Interventions Reduce Repeat Medical Record Snooping Incidents by 95%
Apr 19

Immediate intervention following an instance of unauthorized access to protected health information (PHI) by a healthcare employee is 95% effective at preventing repeat offenses, according to a new study published in JAMA Open Network. Healthcare data breaches are occurring at record levels, and while large data breaches are often the result of hacking and other IT incidents, insider breaches such as snooping on medical records are common. According to HHS data, in 2019, 92% of combined small and large breaches were tied to unauthorized access. While many cases of employees snooping on the medical records of VIP patients have been covered in the media, these types of snooping incidents are relatively uncommon. It is much more common for healthcare employees to access the medical records of family members, friends, and colleagues, and those privacy violations can be just as damaging for patients. All cases of unauthorized access start with an employee accessing a single patient record, but they can easily turn into major data breaches if left unchecked. There have been several HIPAA...

Deaconess Health System and Blue Earth County Notify Patients About Insider Data Breaches
Apr 18

Indiana-based Deaconess Health System and Blue Earth County in Minnesota have notified individuals that sensitive personal information has been accessed by employees without authorization.

Deaconess Health System Notifies Female Patients About Unauthorized Medical Record Access by Physician

A physician formerly employed by Deaconess Health System in Evansville, IN, has been discovered to have accessed the medical records of female patients without authorization. On January 26, 2022, the unauthorized medical record access was discovered by Deaconess Health System during a routine audit of access logs. According to the law firm Ladendorf Law of Indianapolis, which spoke with six women who were notified about the privacy breach by Deaconess Health System, the unauthorized access first occurred no later than June 2020. According to attorney Taylor Ivy, all six of the women said the first contact occurred in bars in the West Side of the city. The physician had approached them and started talking to them and obtained information about them during the encounter. It appears that the physician...

Email Account Breaches Reported by Newman Regional Health and Contra Costa County
Apr 18

Newman Regional Health (NRH), which operates a 25-bed critical access hospital in Emporia, KS, has recently started notifying 52,224 patients that unauthorized individuals have gained access to certain employee email accounts that contained protected health information. NRH explained on its website that a limited number of employee email accounts were accessed by unauthorized individuals over a period of 10 months in 2021, between January 26, 2021, and November 23, 2021. When the security breach was identified, prompt action was taken to secure the accounts and an investigation was launched to determine the extent and nature of the breach. NRH said a review of the emails in the compromised accounts confirmed on March 14, 2022, that the following types of patient information had been exposed: Names, dates of birth, medical record/ID numbers, addresses, phone numbers, e-mail addresses, and limited health, treatment or insurance information, and for employees, information collected in connection with an individual’s receipt of services from or employment with NRH. A subset of...

Urgent Team Holdings Reports Breach of the PHI of 166,600 Individuals
Apr 15

Urgent Team Holdings, which operates more than 70 urgent care and walk-in centers in Alabama, Arkansas, Georgia, Mississippi, and Tennessee, has recently notified 166,601 patients that some of their protected health information may have been obtained by unauthorized individuals in a November 2021 cyberattack. Urgent Team said it discovered its network had been compromised between November 12, 2021, and November 18, 2021. Assisted by third-party cybersecurity experts, Urgent Team discovered files may have been exfiltrated from its systems that contained the protected health information of patients. A comprehensive review of the files was completed on January 31, 2022, and confirmed they contained patients’ full names, dates of birth, and medical record numbers. While data theft may have occurred, no evidence of data exfiltration was identified and there have been no reports of any misuse of patient data. To improve security, Urgent Team has implemented multi-factor authentication and has added extra layers of security to its systems to reduce the risk of unauthorized access. A new...

SuperCare Health Sued Over 318,000-Record Data Breach
Apr 15

A lawsuit has been filed against the in-home respiratory care provider, SuperCare Health, over a cyberattack and data breach that was reported to the Department of Health and Human Services on March 28, 2022. The incident involved the exposure and potential theft of the protected health information of 318,400 patients, including names, addresses, birth dates, patient account numbers, medical record numbers, health insurance information, testing, diagnostic, treatment, and claims information. A subset of individuals also had their Social Security numbers and/or driver’s license numbers exposed. SuperCare Health said unauthorized individuals had access to its network between July 23, 2021, and July 27, 2021, but did not disclose the nature of the cyberattack. It took SuperCare Health until February 4, 2022, to determine that the files potentially accessed in the attack contained patients’ PHI. Notification letters were sent on March 25, 2022, and according to the notice provided to the California Attorney General, credit monitoring and identity theft protection services were offered to...

Resources for Human Development, WellStar Health & Central Vermont Eye Care Announce Data Breaches
Apr 13

Resources for Human Development Reports Breach Affecting 46,673 Individuals

The Philadelphia, PA-based national human services nonprofit organization, Resources for Human Development (RHD), has recently confirmed that a hard drive containing the protected health information of 46,673 individuals has been stolen. The theft occurred on or around January 27, 2022, and was discovered by RHD on February 16, 2022. The hard drive was used for its Point-to-Point program in Exton, PA, and contained information such as names, Social Security numbers, drivers’ license numbers, financial account information, payment card information, dates of birth, prescription information, diagnosis information, treatment information, treatment providers, health insurance information, medical information, Medicare/Medicaid ID numbers, employer identification numbers, electronic signatures, and usernames and passwords of clients and staff members. RHD said it engaged outside forensics specialists to investigate the extent of the breach and ensure the security of its offices and computer servers. Training has also...

Increase in Class Action Lawsuits Following Healthcare Data Incidents
Apr 12

The law firm BakerHostetler has published its 8th Annual Data Security Incident Response (DSIR) Report, which provides insights based on 1,270 data security incidents managed by the firm in 2021. 23% of those incidents involved healthcare organizations, which was the most targeted sector, and resulted in cases of HIPAA violations.

Ransomware Attacks Increased in 2021

Ransomware attacks have continued to occur at elevated levels, accounting for 37% of all data security incidents handled by the firm in 2021, compared to 27% in 2020, and there are no signs that attacks will decrease in 2022. Attacks on healthcare organizations increased considerably year over year. 35% of healthcare security incidents handled by BakerHostetler in 2021 involved ransomware, up from 20% in 2022. Ransom demands and payments decreased in 2021. In healthcare, the average initial ransom demand was $8,329,520 (median $1,043,480) and the average ransom paid was $875,784 (median $500,846), which is around two-thirds of the amount paid in 2020. Restoration of files took an...

Cyberattack on SuperCare Health Affects 318,000 Patients
Apr 07

SuperCare Health, a Downey, CA-based post-acute, in-home respiratory care provider serving the Western United States, has recently started notifying 318,379 patients that some of their protected health information has been exposed and potentially accessed by unauthorized individuals in a cyberattack that occurred in July 2021. In its March 25, 2022, breach notification letters, SuperCare Health explained that it identified unauthorized activity within its IT systems on July 27, 2021. Steps were immediately taken to secure its network and prevent further unauthorized access, and independent cybersecurity experts were engaged to investigate the nature and scope of the incident. The investigation determined that unauthorized individuals had access to parts of its network from July 23, 2021, to July 27, 2021, and that it was possible that files on the network were accessed that contained patients’ protected health information. A comprehensive review of the contents of the files was conducted, which determined on February 4, 2022, that they contained sensitive patient data such as...

OCR Seeks Comment on Recognized Security Practices and the Sharing of HIPAA Settlements with Harmed Individuals
Apr 07

The Department of Health and Human Services’ Office for Civil Rights has released a Request for Information (RFI) related to two outstanding requirements of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). The HITECH Act, as amended in 2021 by the HIPAA Safe Harbor Act, requires HHS to consider the security practices that have been implemented by HIPAA-regulated entities when deciding on financial penalties and other remedies to resolve potential HIPAA violations discovered during investigations and audits. The aim of the HIPAA Safe Harbor Act is to encourage HIPAA-regulated entities to implement cybersecurity best practices. The reward for organizations that have followed industry-standard security best practices for the 12 months prior to a data breach occurring is lower financial penalties for data breaches and less scrutiny by HHS. Another outstanding requirement, which dates back to when the HITECH Act was signed into law, is for HHS to share a percentage of the civil monetary penalties (CMPs) and settlement payments...

How to Report a HIPAA Violation Anonymously
Apr 06

In this post we explain how to report a HIPAA violation anonymously if you feel your (or someone else’s) privacy has been violated or if HIPAA Rules are not being followed in your organization.

When Can an Alleged HIPAA Violation be Reported?

Most healthcare organizations go to great lengths to ensure they are in compliance with HIPAA Rules, but occasionally HIPAA regulations are violated by management or employees. In such cases, a complaint can be lodged with the Department of Health and Human Services’ Office for Civil Rights (OCR) – the main enforcer of HIPAA Rules. However, complaints will only result in action being taken if the complaint is submitted within 180 days of the date of discovery that HIPAA Rules were violated. In limited cases, when there is ‘good cause’ that it was not possible to file a complaint within 180 days, an extension may be granted. Note that OCR cannot investigate any alleged violation of the HIPAA Privacy Rule that occurred before April 14, 2003, or Security Rule violations that occurred before April 20, 2005, because compliance with those...

Ransomware Gangs Claim Health Plan and Healthcare Provider Attacked
Apr 01

Partnership Health Plan of California Recovering from Suspected Ransomware Attack

The Fairfield, CA-based nonprofit managed care health plan, Partnership Health Plan of California (PHC), has suffered a cyberattack that has taken its IT systems out of action for more than a week. PHC started notifying regional healthcare clinics on March 21, 2022, that its IT systems were disrupted, along with its website and phone lines, and that efforts were underway to restore its systems. A timeline for when IT systems would likely be restored was not provided. PHC did not state in its notifications what caused the outage, but it appears to have been a ransomware attack by the Hive ransomware operation. The Hive ransomware gang claimed responsibility for the cyberattack on its clear web and dark web sites and said 400 gigabytes of data was exfiltrated from PHC systems that included 850,000 unique records of names, SSNs, dates of birth, addresses, and other information. That claim has since been removed. PHC has yet to confirm whether ransomware was used and the extent to which plan members’ data...

Spokane Regional Health District Announces Second Phishing Attack in 3 Months
Apr 01

Spokane Regional Health District (SRHD) in Washington has once again fallen victim to a phishing attack. For the second time this year, the health district has announced patient data has potentially been compromised after an employee responded to a phishing email. On March 24, 2022, SRHD announced that its IT department discovered a compromised email account, with the investigation recently confirming that the employee responded to a phishing email on February 24, 2022, and disclosed credentials that allowed the account to be accessed. Last week, SRHD confirmed that the email account contained the protected health information of 1,260 individuals. That information may have been ‘previewed’ by an unauthorized individual, although no evidence was found to suggest information had been accessed or downloaded. Information in the account included names, birth dates, service dates, source of referral, provider hospital name, diagnosing state, whether the patient had been located, date located, patient risk level, staging level, how medications were collected, test type, test result,...

CSI Laboratories and Christie Clinic Report Data Breaches; Scripps Health Sends Additional Notification Letters
Mar 31

Email Account Breach Reported by Christie Clinic

Christie Business Holdings Company, P.C., doing business as Christie Clinic, has recently announced a security incident involving an employee’s email account. The company’s breach notice did not say when the breach was discovered, but the forensic investigation confirmed on January 27, 2022, that the email account was accessed by an unauthorized individual between July 14, 2021, and August 19, 2021. Christie Clinic said the purpose of the attack appeared to be to intercept a business transaction between the clinic and a third-party vendor, rather than to obtain sensitive data from the email account, but it was not possible to determine to what extent emails in the account had been accessed. Christie Clinic said the investigation confirmed that the breach was limited to a single email account and no other systems or accounts were affected. The review of information in the account revealed on March 10, 2022, that the emails included protected health information such as names, addresses, Social Security numbers, medical information, and...

Law Enforcement Health Benefits and Oklahoma City Indian Clinic Suffer Ransomware Attacks
Mar 30

Oklahoma City Indian Clinic and Law Enforcement Health Benefits Inc. have confirmed they were recent victims of cyberattacks, both of which involved the use of ransomware.

Ransomware Attack Affects 85,282 Law Enforcement Health Benefits Members

Law Enforcement Health Benefits, Inc. (LEHB) has recently announced that it was the victim of a ransomware attack that was detected on September 14, 2021. External cybersecurity professionals were engaged to assist with the investigation and remediation efforts, and a manual review of files on the affected parts of the network was conducted. That process concluded on February 25, 2022, when it was confirmed that files containing the personal and protected health information of plan members had been exfiltrated from its network. LEHB said the following types of information had been compromised: names, dates of birth, Social Security numbers, driver’s license numbers, financial account numbers, health insurance information, medical record numbers, patient account numbers, and diagnosis/treatment information. While it was confirmed that files...

OCR Announces 4 Financial Penalties to Resolve HIPAA Violations
Mar 29

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced its first financial penalties of 2022 to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). Three of the cases were settled with OCR, and one resulted in a civil monetary penalty being imposed. OCR is continuing to enforce compliance with the HIPAA Right of Access, with two of the enforcement actions resolving violations of this important HIPAA provision. One of the fines was imposed, in part, for overcharging a patient who requested a copy of their medical records – the first financial penalty under the 2019 enforcement initiative to allege overcharging for copies of medical records. To date, OCR has imposed 27 financial penalties on healthcare providers that have failed to provide patients with timely access to their medical records. The other two cases involved impermissible disclosures of the protected health information of patients. “Between the rising pace of breaches of unsecured protected health information and continued cyber...

Email Incidents Reported by Ultimate Care, CareOregon Advantage, and University Medical Center Southern Nevada
Mar 25

Three email incidents have recently been reported by Ultimate Care, CareOregon Advantage, and University Medical Center Southern Nevada that have affected a total of 38,485 individuals.

Phishing Attack on Ultimate Care Impacts 15,788 Individuals

The Brooklyn, NY-based home care agency, Ultimate Care, has recently announced that a limited number of employee email accounts have been accessed by unauthorized individuals after employees responded to phishing emails. When the security breach was detected, rapid action was taken to secure its email environment and a forensic investigation was launched to determine the scope of the breach. The forensic investigation revealed the email accounts were accessed by unauthorized individuals between April 7, 2021, and June 2, 2021. A manual review of all emails in the accounts confirmed they contained names, along with one or more of the following types of information: Social Security numbers, driver’s license numbers, passport numbers, dates of birth, financial account information, credit or debit card information, medical information, health...

Horizon Actuarial Services Reports Data Theft and Extortion Incident
Mar 25

Horizon Actuarial Services, Clinic of North Texas, and Parkland Community Health Plan have recently announced breaches of the protected health information of patients and plan members.

Horizon Actuarial Services Reports Data Theft and Extortion Incident

Horizon Actuarial Services (HAS) has recently announced a security breach and the theft of the personal data of members of benefits plans to whom it provides technical and actuarial consulting services, including the Local 295 IBT Employer Group Welfare Fund and the Major League Baseball Players Benefit Plan. HAS said it received an email on November 12, 2021, from a cyber actor who claimed to have stolen the personal data of plan members from its computer servers. Steps were immediately taken to secure its servers to prevent any further unauthorized access, and a computer forensics firm was engaged to investigate the potential security breach and determine the legitimacy of the email. HAS confirmed that two servers had been accessed between November 10 and 11, 2021, and files containing names, dates of birth, Social Security...

Patient Data Stolen in July 2021 Cyberattack on Chelan Douglas Health District
Mar 24

Chelan Douglas Health District in East Wenatchee, WA, has announced it was the victim of a cyberattack in July 2021 in which the personal and protected health information of patients was exfiltrated from its systems. The breach notice uploaded to the Chelan Douglas Health District website does not disclose when the breach was detected but says a third-party cybersecurity company was engaged to investigate the cyberattack and confirmed that its network was accessed by unauthorized individuals between July 2 and July 4, 2021. A representative for the health district said this was not a ransomware attack. The review of the files that were removed from its systems was completed on February 12, 2022, and confirmed the following types of patient data had been stolen: names, Social Security numbers, dates of birth/death, financial account information, treatment information, diagnosis information, medical record/patient numbers, and health insurance policy information. Notification letters started to be sent to affected individuals on March 15, 2022. Individuals who had their Social Security...

Data Breaches Reported by New Jersey Brain and Spine, Highmark Inc. and Dialyze Direct
Mar 23

New Jersey Brain and Spine (NJBS) has recently announced it was the victim of a cyberattack on or around November 16, 2021, that encrypted data on its network. NJBS said it immediately took steps to secure its network and engaged a computer forensic firm to investigate the security breach. While no evidence has been found to indicate there has been any misuse of patient data as a result of the attack, the forensics firm said the attacker may have accessed files containing patient data. A third-party vendor was engaged to conduct a review of all files on its network that had potentially been accessed, and while the data mining process is ongoing, it has been confirmed that the files contained information such as names, addresses, dates of birth, email addresses, telephone numbers, Social Security numbers, financial account information, debit or credit card information, driver’s license numbers or other ID numbers, and medical information. Notification letters were sent to affected individuals on March 10, 2022. NJBS said that following the breach, several steps were taken to better...

February 2022 Healthcare Data Breach Report
Mar 22

For the third successive month, the number of data breaches reported to the HHS’ Office for Civil Rights (OCR) has fallen. 46 healthcare data breaches of 500 or more records were reported to OCR in February – an 8% fall from January. February saw the lowest number of data breaches in the past 5 months. Even with the reduction in breaches, on average, more than 2 healthcare data breaches have been reported each day over the past 12 months. From March 1, 2021, to February 28, 2022, there have been 723 reported data breaches of 500 or more records. Across February’s 46 incidents, the records of 2,525,023 individuals were exposed or compromised – a 2.28% fall from the previous month – which is considerably lower than the 3,506,400 records that have been breached each month, on average, from March 1, 2021, to February 28, 2022. At least 42,076,805 healthcare records were exposed over that period. In February, the average breach size was 48,957 records and the median breach size was 7,014 records.

Largest Healthcare Data Breaches Reported in February 2022

22 HIPAA-regulated entities...

JDC Healthcare Management Data Breach Affects More than 1 Million Texans
Mar 21

On March 17, 2022, Dallas, TX-based JDC Healthcare Management, which runs more than 70 Jefferson Dental & Orthodontics practices throughout the state of Texas, reported a security breach to the Office of the Attorney General of Texas that has affected more than 1 million Texans. As previously reported on this site, JDC Healthcare Management detected malware within its IT network on or around August 9, 2021, with the forensic investigation into the security breach confirming the malware was downloaded onto its systems on July 27, 2021. Further information on the data breach has now been obtained. JDC Healthcare Management explained that the malware gave unauthorized individuals access to its IT systems from July 27, 2021, to August 16, 2021, and its forensic investigation confirmed the attackers viewed or copied files on its systems that contained patients’ electronic protected health information (ePHI). JDC Healthcare Management explained in its March 2022 breach notification letters that the comprehensive review of the impacted files is ongoing, but it has been confirmed that...

Central Indiana Orthopedics & Duncan Regional Hospital Report 80K-Record Data Breaches
Mar 17

Cyberattacks have been reported by Duncan Regional Hospital in Oklahoma and Central Indiana Orthopedics that have affected a total of 170,084 individuals.

Duncan Regional Hospital

Duncan Regional Hospital has recently announced it was the victim of a cyberattack in January. The incident was detected on January 20, 2022, when suspicious activity was identified in some of its IT systems. All systems were immediately taken offline to prevent further unauthorized access and a third-party computer forensics firm was engaged to determine the nature and scope of the breach. Duncan Regional Hospital said the hackers did not gain access to its electronic medical record system but did access parts of the network where files containing patient data were stored. Those files contained patient names, addresses, phone numbers, dates of birth, Social Security numbers, appointment information such as dates of service and healthcare provider names, and limited treatment information. Steps have been taken to improve security and prevent further attacks, including an organization-wide password reset...

Capital Region Medical Center and Labette Health Announce Potential PHI Breaches
Mar 14

Capital Region Medical Center (CRMC) in Jefferson City, MO has recently confirmed that patient information was accessed by unauthorized individuals in a December 2021 cyberattack that took its network and phone systems offline for several days. The attack was detected on December 17, 2021, when network systems were disrupted. An investigation was launched to determine the nature and scope of the breach, and a public announcement about the security incident was issued on December 23, 2021. It was initially unclear if patient information had been compromised but that has now been confirmed. CRMC said that at this stage of the investigation it does not appear that the attackers gained access to its electronic medical record database; however, the files accessed or potentially accessed by the attackers included information such as patient names, addresses, birth dates, medical information, and health insurance information. A subset of patients also had their Social Security numbers, driver’s license numbers, and/or financial account information exposed. That subset of patients has been...

South Denver Cardiology Associates Confirms Data Breach Affecting 287,000 Patients
Mar 14

South Denver Cardiology Associates (SDCA) has recently announced it was the victim of a cyberattack in January 2022 in which files containing patient information were accessed and potentially stolen by hackers. Unusual network activity was detected on January 4, 2022, and the SDCA breach response process was immediately initiated. Systems were isolated from the network and shut down, with the investigation determining hackers had access to certain systems from January 2, 2022, to January 5, 2022. During that time, the hackers accessed certain files stored on its systems, some of which contained patients’ personal and protected health information. A comprehensive review of those files confirmed they contained patient names along with one or more of the following types of information: dates of birth, Social Security numbers, drivers’ license numbers, patient account numbers, health insurance information, and clinical information such as physician names, dates and types of service, and diagnoses. SDCA said the contents of medical records were unaffected, the patient portal was...

Logan Health Facing Class Action Lawsuit Over Data Breach
Mar 11

Legal action is being taken against Logan Health and subsidiary, sister, and related entities over a data breach that occurred in 2021 and affected 213,543 Logan Health Medical Center patients. The class action lawsuit was filed in the U.S. District Court for the District of Montana Great Falls Division by law firm Heenan & Cook on behalf of plaintiff Allison Smeltz and all similarly affected individuals over the alleged failure of the health system to protect the plaintiff’s and class members’ sensitive personal information. The data breach in question was reported by Logan Health in February 2022, with its investigation confirming unauthorized individuals had access to its system between November 18, 2021, and November 22, 2021. Hackers gained access to a single file server housing files that contained patients’ protected health information such as names, contact information, insurance claim information, date(s) of service, medical bill account number, and health insurance information. Logan Health said it had found no evidence of misuse of patient data, offered affected...

Breach Barometer Report Shows Over 50 Million Healthcare Records Were Breached in 2021
Mar 11

Protenus has released its 2022 Breach Barometer Report, which confirms 2021 was a particularly bad year for healthcare industry data breaches, with more than 50 million healthcare records exposed or compromised in 2021. The report includes healthcare data breaches reported to regulators, as well as data breaches that have been reported in the media, incidents that have not been disclosed by the breached entity, and data breaches involving healthcare data at non-HIPAA-regulated entities. The data for the report was provided by databreaches.net. Protenus has been releasing annual Breach Barometer reports since 2016, and the number of healthcare data breaches has increased every year, with the number of breached records increasing every year since 2017. In 2021, it has been confirmed that at least 50,406,838 individuals were affected by healthcare data breaches, a 24% increase from the previous year. 905 incidents are included in the report, which is a 19% increase from 2020. The largest healthcare data breach of the year affected Florida Healthy Kids Corporation, a...

6 Healthcare Providers and Business Associates Report Hacks and Ransomware Attacks
Mar 10

A round-up of 6 cyberattacks that have recently been reported by healthcare providers and business associates that resulted in the exposure and possible theft of patients’ protected health information.

Duncan Regional Hospital

Duncan Regional Hospital in Oklahoma has announced that hackers gained access to its systems and potentially exfiltrated sensitive patient and employee information. The breach was detected on January 20, 2022, and immediate action was taken to secure its systems, and an independent computer forensics company was engaged to conduct a forensic investigation to determine the nature and scope of the breach. A review of the files on the affected parts of its system confirmed they contained patient information such as name, date of birth, Social Security number, limited treatment information, and medical appointment information such as date of service and name of providers. Employee data potentially accessed in the attack included personal information associated with W-2s, such as name, date of birth, address, and Social Security number. Duncan Regional...

PHI of Over 500,000 Individuals Potentially Compromised in 4 Security Incidents
Mar 09

Over 500,000 individuals have been affected by cyberattacks on Norwood Clinic, PracticeMax, Central Indiana Orthopedics, and an unauthorized electronic medical record incident at Ascension Michigan.

Norwood Clinic

The Birmingham, AL-based multi-specialty clinic, Norwood Clinic, has recently started notifying 228,103 individuals that some of their protected health information was accessed in a cyberattack that was detected on October 22, 2021. Upon detection of the breach, systems were immediately secured and third-party security experts were engaged to investigate the incident and determine the nature and scope of the breach. The investigation confirmed that an unauthorized individual gained access to a server that housed patient information such as names, contact information, birth dates, Social Security numbers, driver’s license numbers, limited health information, and/or health insurance policy numbers. While unauthorized data access was confirmed, it was not possible to determine the specific information that was accessed, or whether any patient information was acquired in the...

3 Email Security Incidents Reported Affecting More Than 111,000 Patients
Mar 09

Email account breaches have been reported by Montrose Regional Health, EPIC Pharmacy Network, and Acacia Network, and North Shore University Hospital has reported an incident involving a former employee accessing protected health information without authorization.

Montrose Regional Health

The Colorado-based health system Montrose Regional Health has recently started notifying 52,632 patients that some of their protected health information has been exposed when unauthorized individuals gained access to employee email accounts. Suspicious activity was detected in an employee’s email account, prompting an immediate investigation. Assisted by a third-party cybersecurity company, Montrose Regional Health discovered multiple employee email accounts had been accessed by unauthorized individuals between August 2, 2021, and October 26, 2021. A review of the emails and attachments was conducted and it was confirmed on February 25, 2022, that the accounts contained names along with one or more of the following data types: inpatient/outpatient status, internal patient account number, service...

Healthcare Organizations Report Email Compromises, Hacking Incidents and Other ePHI Exposures
Mar 04

A round-up of data breaches that have recently been reported by healthcare organizations that have involved the exposure or theft of individuals’ personal and protected health information.

Catholic Health Services Reports Breach of Employee Email Accounts

Miami Lakes, FL-based Catholic Health Services has discovered the email accounts of three Catholic Hospice employees have been accessed by unauthorized individuals. Assisted by a third-party computer forensics firm, Catholic Health Services determined on December 1, 2021, that the email accounts contained sensitive data including names, addresses, and one or more of the following data types: demographic information, Social Security numbers, medical information, and treatment history, diagnosis, and other health-related information. The breach was reported to the HHS’ Office for Civil Rights as affecting 14,986 individuals. Notifications have now been issued and breach victims have been offered complimentary credit monitoring and identity theft protection services, which include a $1,000,000 identity theft insurance policy....

Monongalia Health System Suffers Another Major Data Breach
Mar03

West Virginia-based Monongalia Health System (Mon Health) has announced it was the victim of a cyberattack that has exposed patient, employee, and contractor data. This is the second major data breach to be reported by the health system in the past 12 months. Mon Health has confirmed that these two data breaches are separate incidents, although it is unclear at this stage if they are in any way related. The previous data breach was the result of a phishing attack that saw several employee email accounts compromised. Mon Health announced the breach on December 21, 2021, and said the security breach was discovered in July 2021 when a vendor reported not receiving a payment. The attackers used the compromised email accounts to divert a wire transfer. The investigation into the breach determined the email accounts were compromised between May 10, 2021, and August 15, 2021, and they contained the protected health information of 398,164 patients. In this incident, IT systems were not disrupted. According to the latest Mon Health press release, the latest breach was discovered on December...

OCR Director Encourages HIPAA-Regulated Entities to Strengthen Their Cybersecurity Posture
Mar01

In a recent blog post, Director of the HHS’ Office for Civil Rights, Lisa J. Pino, urged HIPAA-regulated entities to take steps to strengthen their cybersecurity posture in 2022 in light of the increase in cyberattacks on the healthcare industry. 2021 was a particularly bad year for healthcare organizations, with the number of reported healthcare data breaches reaching record levels. 714 healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights in 2021 and more than 45 million records were breached. The breach reports were dominated by hacking and other IT incidents that resulted in the exposure or theft of the healthcare data of more than 43 million individuals. In 2021, hackers took advantage of healthcare organizations dealing with the COVID-19 pandemic and conducted several attacks that had a direct impact on patient care and resulted in canceled surgeries, medical examinations, and other services as a result of IT systems being taken offline and network access being disabled. Pino also drew attention to the critical vulnerability...

PHI of 10,000 Individuals Exposed Due to Houston Health Department Portal Glitch
Mar01

The Houston Health Department has recently announced that the personal information and COVID-19 test results of 10,291 individuals have been exposed online as a result of a technical issue with its portal. The issue allowed approximately 3,500 portal users to access the data of other individuals. The Houston Health Department said it detected the issue on January 6, 2022, and the portal was deactivated within 48 hours. Notification letters had to be delayed for several weeks while the portal issue was investigated to determine the full nature and scope of the incident. The health department confirmed that this was not a hacking incident, and it does not appear that any exposed information has been misused. The types of data that could have been viewed included names, addresses, dates of birth, email addresses, testing dates, and test results. While no Social Security numbers were compromised, affected individuals have been offered a complimentary 12-month membership to an identity theft protection service.

Priority Health Confirms Breach of Member Portal Accounts

The Michigan...

Four Healthcare Providers Hit with Ransomware Attacks
Mar01

Ransomware attacks have recently been reported by four healthcare providers across the country, which have collectively resulted in the exposure and potential theft of the protected health information of more than 49,000 individuals.

Jax Spine & Pain Centers

Jax Spine and Pain Centers in Jacksonville, FL has recently announced it was the victim of a ransomware attack that occurred on January 24, 2022. The attack was conducted on an inactive server that contained records of patients who had visited either its Jacksonville or St. Augustine locations prior to May 2018. Jacksonville Spine Center said the attackers claimed to have stolen files from the server and threatened to publish the stolen data if the ransom was not paid but did not say whether a payment was made to prevent the publication of the data. Monitoring software had been installed on the server which allowed the attack to be rapidly detected, and due to the prompt action taken in response to the breach, it was possible to prevent the encryption of data. As soon as the breach was detected the server was shut down, but...

Notifications Recently Sent to Alert Individuals About September 2020 and February 2021 Cyberattacks
Feb24

Two HIPAA-regulated entities have recently started notifying individuals whose protected health information was potentially compromised in cyberattacks that occurred more than 12 months ago, including one where it took 18 months to notify affected individuals that their protected health information had been accessed and potentially acquired.

Comprehensive Health Services Notifies 106,752 Patients About September 2020 Cyberattack

Comprehensive Health Services, a Cape Canaveral, FL-based provider of workforce medical services and subsidiary of Acuity International, has recently announced it was the victim of a cyberattack that was detected on September 30, 2020. The security incident came to light after multiple fraudulent wire transfers had been made from its accounts. Third-party forensics experts were engaged to determine the extent of the security incident, secure its digital environment, identify how the attacker gained access to its systems, and whether any sensitive data had been exfiltrated from those systems. Comprehensive Health Services explained in its breach notification...

Logan Health Medical Center Cyberattack Affects More Than 213,000 Patients
Feb24

Logan Health Medical Center in Kalispell, MT, has recently started notifying certain patients that hackers gained access to a file server that housed patient information in “a highly sophisticated criminal attack.” A security breach of its information technology systems was detected on November 22, 2021, with the initial investigation confirming a hacker had breached its security defenses. Third-party forensic investigators were retained to conduct an investigation to determine the nature and scope of the attack and on January 5, 2022, it was confirmed that certain files on its systems that contained patient information had been accessed. The intrusion was limited to a single file server and its electronic medical records were not compromised. A review of the files on the affected server revealed they contained patient information including names, addresses, medical record numbers, dates of birth, telephone numbers, email addresses, insurance claim information, date(s) of service, treating/referring physician, medical bill account number, and/or health insurance information. The...

January 2022 Healthcare Data Breach Report
Feb22

50 healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights (OCR) in January 2022. January was the second successive month where the number of reported data breaches fell, although 38.9% more breaches were reported last month than in January 2020. The protected health information of 2,304,607 individuals was exposed or impermissibly disclosed across those 50 breaches – 22% fewer records than December 2021, and well below the 12-month average of 3.51 million records a month. 726 data breaches of 500 or more records were reported to OCR in the 12 months from February 2021 to January 2022, and 42,175,121 records were breached across those 726 incidents.

Largest Healthcare Data Breaches in January 2022

18 healthcare data breaches of 10,000 or more records were reported to the HHS’ Office for Civil Rights in January 2022, including one major data breach that affected more than 1.35 million Broward Health patients.

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached Information | Breach...

Sea Mar Community Health Centers Facing Class Action Lawsuit over 688,000-Record Data Breach
Feb22

Seattle, WA-based Sea Mar Community Health Centers is facing a class action lawsuit over a cyberattack in which the protected health information of 688,000 individuals was compromised. The breach came to light in June 2021 when files stolen in the attack were posted on the Marketo dark web leak site. Databreaches.net spotted the leaked data on the Marketo data leak site in June 2021 and contacted Sea Mar. In October 2021, Sea Mar sent notification letters to affected individuals and explained that the hackers gained access to its network between December 2020 and March 2021 and exfiltrated sensitive data including names, addresses, Social Security numbers, dates of birth, and health information. The data breach was reported to the HHS’ Office for Civil Rights the same month as affecting 688,000 current and former patients. Affected individuals were offered complimentary credit monitoring and identity theft protection services for 12 months. According to Databreaches.net, the threat group behind the attack claimed to have stolen 3TB of data from Sea Mar. There may also have been a...

PHI of 521,000 Individuals Compromised in Security Breach at Morley Companies
Feb16

Morley Companies, a Saginaw, MI-based provider of business services, has recently announced it was the victim of a cyberattack that started on August 1, 2021, that prevented access to data in its information systems. Rapid action was taken to isolate the affected systems and a leading cybersecurity firm was engaged to investigate and determine the nature and scope of the security incident. In addition to encrypting data on its systems, the attackers exfiltrated certain data from its systems. A comprehensive review was conducted of all files on its systems that could have been accessed by the attackers, and Morley Companies then started collecting contact information for those individuals to allow notification letters to be sent. Morley Companies said that process was completed in early 2022, and notification letters started to be sent to affected individuals on February 1, 2022. The forensic investigation confirmed the following types of information were potentially accessed and/or stolen in the cyberattack: Names, addresses, Social Security numbers, birthdates, client...

15,000 Patients Affected by Philadelphia FIGHT Community Health Centers Cyberattack
Feb16

Philadelphia FIGHT Community Health Centers has recently announced it was the victim of a cyberattack on November 30, 2021. Third-party forensic investigators were engaged to determine the nature and scope of the breach. The investigation confirmed its electronic medical record system and other clinical systems were not compromised in the attack; however, on January 13, 2022, Philadelphia FIGHT discovered the attacker had accessed non-clinical systems that housed files containing the protected health information of around 15,000 patients. It was not possible to determine if the attacker viewed or obtained any patient information, although no reports have been received that suggest any patient information has been misused. The information potentially compromised in the attack included names, dates of birth, Social Security numbers, medical diagnoses, treatment information, and health insurance information. Philadelphia FIGHT said a review of security protocols is being conducted and security measures will be enhanced to prevent further cyberattacks.

Vendor Email Account Breach...

Patient Data Compromised in Ransomware Attacks on Family Christian Health Center & Jackson County Hospital
Feb16

Family Christian Health Center (FCHC) in Illinois has announced it was the victim of a ransomware attack in November 2021 that compromised the protected health information of 31,000 patients. The attack was detected on November 30, 2021, with the investigation indicating the attackers first gained access to its IT systems on or around November 18, 2021. The attackers compromised FCHC’s old dental system which contained the PHI of patients who had received dental services prior to August 31, 2020. The system contained patients’ names, birth dates, insurance card numbers, driver’s license numbers, and copies of patients’ insurance cards and driver’s licenses. FCHC said information about the dental care provided, credit card numbers, and the Social Security numbers of affected dental patients were not affected. The PHI of non-dental patients who received healthcare services between December 5, 2016, and August 31, 2020, was also compromised and included names, birthdates, addresses, insurance identification numbers, and Social Security numbers. FCHC worked with external IT vendors to...

CaptureRx Proposes $4.75 Million Settlement to End Data Breach Litigation
Feb15

CaptureRx has proposed a $4.75 million settlement to resolve claims related to a 2021 data breach that affected approximately 2.4 million patients of its healthcare provider clients. CaptureRx is a healthcare administrative service provider that helps hospitals manage their 340B drug discount programs. On February 6, 2021, CaptureRx discovered unauthorized individuals had gained access to its network and used ransomware to encrypt its files. On March 19, 2021, CaptureRx determined files containing patient data had been compromised, and affected clients started to be notified on March 30, 2021. CaptureRx publicly announced the data breach but did not initially disclose how many individuals had been affected. The breach was reported to the HHS’ Office for Civil Rights in May 2021 by CaptureRx as affecting 1,656,569 individuals, although several of its healthcare provider clients reported the breach themselves. Several class action lawsuits were proposed that alleged CaptureRx was negligent for failing to implement and maintain appropriate safeguards to protect patient data and other...

Hackers Gained Access to Files Containing the PHI of 115,670 South Shore Hospital Patients
Feb15

Chicago’s South Shore Hospital has started notifying 115,670 current and former patients about a December 2021 cyberattack on its network. Suspicious activity was identified on its network on December 10, 2021, and prompt action was taken to contain the incident. Emergency protocols were implemented to ensure care could continue to be safely provided to patients. South Shore Hospital engaged a team of third-party computer forensics experts to investigate the security breach and determine whether patient information was accessed or stolen. The investigation confirmed the attackers gained access to parts of its network where files were stored that contained the protected health information of patients and employee data, including names, addresses, dates of birth, Social Security numbers, health insurance information, medical information, diagnoses, health insurance policy numbers, Medicare/Medicaid information, and financial information. South Shore Hospital said it will be implementing additional security measures to better protect its network against cyberattacks, including...

Hacking Incidents Reported by AccelHealth and Pace Center for Girls
Feb10

Brownwood, Texas-based Cross Timbers Health Clinics, operating under the brand AccelHealth, suffered a ransomware attack on December 15, 2021, which prevented the Federally Qualified Health Center from accessing certain files and folders on its network. AccelHealth engaged third-party forensics specialists to investigate the security breach who determined unauthorized individuals first gained access to its network on December 9, 2021. During the 6 days when network access was possible, the attackers may have viewed or acquired files containing patient information. A comprehensive review of all files on the compromised parts of the network revealed they contained the protected health information of 48,126 patients, including names, addresses, dates of birth, Social Security numbers, driver’s license numbers, financial account information, health insurance information, medical record numbers, and treatment and diagnosis information. No evidence was found of data exfiltration and, at the time of issuing notification letters, no reports had been received to suggest any actual or...

February 11, 2022: Deadline for Providing GAO With Feedback on HHS Data Breach Reporting Requirements
Feb08

The Government Accountability Office (GAO) has launched a rapid response survey of healthcare organizations and business associates covered by the Health Insurance Portability and Accountability Act (HIPAA) seeking feedback on their experiences reporting data breaches to the Secretary of the Department of Health and Human Services (HHS). The questionnaire was initially due to remain open until 4 p.m. EST on Friday, February 4, 2022, but the deadline has now been extended by a week to February 11, 2022. The survey is being conducted through Survey Monkey and can be accessed here. Congress requested the GAO review the number of data breaches reported to the HHS since 2015, and the survey seeks to identify some of the challenges, if any, faced by covered entities and business associates in meeting the data breach reporting requirements of the HHS. The GAO will also determine what efforts the HHS has made to address any breach reporting issues and improve the data breach reporting process. The survey is being distributed by the Health-ISAC, Health Sector Coordinating Council (HSCC)...

Data Breaches Reported by Suncoast Skin Solutions, Raveco Medical, South City Hospital, and the Colorado DHS
Feb07

Suncoast Skin Solutions, a network of 22 surgical, medical, and cosmetic dermatological care clinics in Florida, has recently started notifying 57,730 patients about a ransomware attack that was discovered on July 14, 2021. Suncoast said when the cyberattack was detected, prompt action was taken to prevent the encryption of all of its systems and a third-party cybersecurity firm was engaged to conduct a forensic investigation to determine the nature and scope of the attack. On October 14, 2021, the cybersecurity firm concluded its investigation and Suncoast conducted a preliminary review of its systems to determine if they contained any patient information. That process was completed on November 8, 2021, and a third-party vendor was engaged to review all affected files to determine the specific individuals whose information may have been compromised. Suncoast has now confirmed that the following types of data were potentially viewed by the attackers: names, dates of birth, clinical information, doctor’s notes, and other limited treatment information. Suncoast said it is unaware of...

Taylor Regional Hospital Still Recovering from January Cyberattack
Feb07

Taylor Regional Hospital in Campbellsville, KY has suffered a cyberattack that has resulted in its IT and phone systems being taken offline. The cyberattack was reported by the hospital on January 24, 2021, and the hospital is still experiencing outages with certain computer systems and phone lines. Temporary phone lines have been set up to allow patients to contact the hospital while the cyberattack is resolved. Cyberattacks such as this often involve ransomware, but no details have been released so far about the exact nature of the cyberattack, nor when its IT systems are expected to be restored. At this early stage, it is unclear if any patient information has been accessed or stolen by attackers. A notice on the hospital’s website explains that quality care continues to be provided to patients and it is working as quickly as possible to safely bring its IT systems back online. Patients are encouraged not to delay seeking medical care; however, without access to IT systems, patients have been asked to bring lists of their medication with them to any appointments that have...

PHI of 138K Individuals Exposed in 3 Email Security Incidents
Feb04

Hackers have gained access to email accounts containing protected health information (PHI) at Injured Workers Pharmacy, iRise Florida Spine and Joint Institute, and Volunteers of America Southwest California.

Injured Workers Pharmacy

Andover, MA-based Injured Workers Pharmacy has recently reported a data breach to the Maine Attorney General that was discovered on or around May 11, 2021, when suspicious activity was detected in an employee email account. The account was immediately secured and third-party computer forensics specialists were engaged to investigate the breach. The investigation revealed 7 email accounts had been compromised between January 16, 2021, and May 12, 2021. Third-party data review specialists were engaged to check the emails and attachments in the compromised accounts, which confirmed they contained the protected health information of 75,771 individuals such as names, addresses, and Social Security numbers. After the review, Injured Workers Pharmacy validated the results, and that process was completed on or around December 14, 2021. Notification letters...

RI Attorney General Subpoenas RIPTA and UnitedHealthcare Over 22,000-Record Data Breach
Feb04

The Rhode Island Attorney General is investigating UnitedHealthcare and the Rhode Island Public Transit Authority (RIPTA) over a cyberattack and data breach that resulted in hackers gaining access to RIPTA’s network that contained the sensitive personal and protected health information of up to 22,000 individuals. The Office of the Rhode Island Attorney General was notified about the security breach on December 23, 2021. RIPTA said it discovered and blocked a cyberattack on August 5, 2021, with its investigation confirming the hackers gained access to its network on August 3, 2021. Files stored on the compromised part of its network included extensive information on its employees, including names, dates of birth, Social Security numbers, and health plan ID numbers, along with the sensitive information of thousands of state employees who had never worked at RIPTA. RIPTA reported the breach to the HHS’ Office for Civil Rights as affecting 5,015 individuals but said in its breach notice that the incident had resulted in the exposure of the personal data of 17,378 individuals....

Data Breaches Reported by Jefferson Health and Allegheny Health Network Home Infusion
Feb03

Allegheny Health Network Home Infusion Patients Affected by Ransomware Attack on Vendor

Pittsburgh, PA-based Allegheny Health Network Home Infusion has been notified about a ransomware attack on one of its vendors, Vantage Healthcare Network, Inc. On October 17, 2021, Vantage detected suspicious activity within its network and engaged a third-party cybersecurity firm to investigate the security breach. AHN Home Infusion was informed on November 22, 2021, that the systems accessed by the ransomware gang contained patient data, some of which had been exfiltrated by the attackers prior to file encryption. AHN Home Infusion conducted its own investigation alongside Vantage to determine which patients had been affected, and the types of information that had been compromised and has confirmed the following types of information had potentially been accessed or exfiltrated in the attack: Names, billing information, nurse’s notes, patient referral information, prescriptions, treatment and therapy records, medical device orders, scheduling information, and a small number of Social Security...

Former South Georgia Medical Center Employee Arrested Over 41K-Record Data Breach
Feb02

The Hospital Authority of Valdosta and Lowndes County Georgia has recently reported a data breach involving the unauthorized copying of patient data by a former employee of South Georgia Medical Center. On November 12, 2021, security software generated an alert indicating an employee had downloaded data from the hospital’s systems onto a USB drive. The investigation confirmed the downloaded data included patients’ names, dates of birth, and test results. The breach was recently reported to the Department of Health and Human Services’ Office for Civil Rights as involving the protected health information of 41,692 individuals. The employee had been provided with access to patient data in order to complete work duties, but no authorization was given to copy patient data and remove it from the hospital. The employee left employment at the hospital on November 11, 2021. South Georgia Medical Center said no data was erased from its systems and the copied files have now been recovered. The data theft incident was reported to law enforcement and the Lowndes County Sheriff’s Office...

Concerning Healthcare Data Breach Reporting Trend
Feb01

The HIPAA Breach Notification Rule calls for data breach notifications to be issued to the Secretary of the HHS “without unnecessary delay” and no later than 60 days after the date of discovery of a data breach. The same time frame applies to issuing notification letters to affected individuals. There has been a trend in recent years for HIPAA-regulated entities to wait the full 60 days from the date of discovery of the breach to issue notifications to affected individuals and the HHS, but recently growing numbers have taken the date of discovery as the date when the breach investigation has been completed, or even the date when the full review of impacted documents is finished. In some cases, notifications have been issued many months after the initial system breach was detected. There may be valid reasons for a delay in reporting, such as a request from law enforcement to delay making a cyberattack or data theft incident public to avoid interfering with the law enforcement investigation; however, it is rare for individual notifications to mention these law enforcement requests....

Cyberattacks and Data Theft Incidents Reported by Medical Healthcare Solutions and Advocates Inc.
Jan31

Advocates Inc., a Massachusetts-based nonprofit provider of support services for individuals experiencing life challenges such as addiction, autism, brain injury, intellectual disabilities, mental health, and behavioral health, has announced it recently experienced a sophisticated cyberattack and data theft incident. Advocates was informed on October 1, 2021, that an unauthorized individual had gained access to its network and copied files containing the sensitive data of patients and employees. A leading cybersecurity firm was engaged to assist with the investigation, which revealed an unknown individual had accessed its network and copied files over a four-day period between September 14, 2021, and September 18, 2021. The files contained names, addresses, dates of birth, Social Security numbers, health insurance information, client ID numbers, diagnoses, and treatment information. After confirming the individuals affected, Advocates collected up-to-date contact information to allow written notices to be provided, hence the delay in issuing notification letters. The cyberattack was...

Data Breaches Reported by Houston Area Community Services, County of Kings, and NYU Langone Health
Jan28

Data breaches have recently been reported by Houston Area Community Services, County of Kings in California, and NYU Langone Health.

Avenue 360 Health and Wellness Reports Breach of Employee Email Accounts

Houston Area Community Services, Inc., doing business as Avenue 360 Health and Wellness, has discovered an unauthorized individual has gained access to the email accounts of certain employees and may have viewed or obtained the protected health information of 12,186 individuals. Avenue 360 Health and Wellness said its investigation determined the email accounts were compromised between January 15, 2021, and April 2, 2021. A third-party vendor that specializes in the analysis of security incidents such as this was engaged to assist with the investigation. A comprehensive review was conducted of all emails and attachments in the account. On November 9, 2021, Avenue 360 discovered the account contained names, medical record numbers, health insurance information, birthdates, diagnoses, clinical and treatment information, and prescription information. A limited number of individuals...

Memorial Health System Faces Class Action Lawsuit Over August 2021 Cyberattack
Jan27

Marietta Area Health Care Inc., doing business as Memorial Health System, is facing a class action lawsuit over a cyberattack and data breach that was detected by Memorial Health System on August 14, 2021. The investigation into the attack confirmed the attackers first gained access to company servers on or around July 10, 2021, and installed malware on its systems. Unauthorized access remained possible until August 15, 2021. The breach notification letters state Memorial Health System learned on September 17, 2021, that the threat actor potentially accessed or acquired information from its systems. The review of the affected systems was completed on November 1, 2021, and affected individuals were notified on January 12, 2022, and were offered a 12-month complimentary membership to a credit monitoring service. The breach notice submitted to the Maine attorney general indicates the personal information of 216,478 individuals was potentially accessed by the attackers. The lawsuit was filed in the U.S. District Court of the Southern District of Ohio, Eastern Division against Marietta Area Health...

Settlement Reached in Excellus Class Action Data Breach Lawsuit
Jan26

Excellus Health Plan Inc., its affiliated companies, and the Blue Cross Blue Shield Association (BCBSA) have reached a settlement to resolve a class action lawsuit that was filed in relation to a cyberattack discovered in 2015. The attack involved the personally identifiable information (PII) and protected health information (PHI) of more than 10 million members, subscribers, insureds, patients, and customers. The cyberattack was detected on August 5, 2015, by a cybersecurity firm that was hired to assess Excellus’s information technology system. The subsequent investigation by Excellus and cybersecurity firm Mandiant determined hackers had first gained access to its systems on or before December 23, 2013. Evidence was found that indicated the hackers were active within its network until August 18, 2014, after which no traces of activity were found; however, malware had been installed which gave the attackers access to its network until May 11, 2015. On that date, something happened that prevented the hackers from accessing its network. It took Excellus 17 months from the...

New York Fines EyeMed $600,000 for 2.1 Million-Record Data Breach
Jan25

The first settlement of 2022 to resolve a healthcare data breach has been announced by New York Attorney General Letitia James. The Ohio-based vision benefits provider EyeMed Vision Care has agreed to pay a financial penalty of $600,000 to resolve a 2020 data breach that saw the personal information of 2.1 million individuals compromised nationwide, including the personal information of 98,632 New York residents. The data breach occurred on or around June 24, 2020, and saw unauthorized individuals gain access to an EyeMed email account that contained sensitive consumer data provided in connection with vision benefits enrollment and coverage. The attacker had access to the email account for around a week and was able to view emails and attachments spanning a period of 6 years dating back to January 3, 2014. The emails contained a range of sensitive information including names, contact information, dates of birth, account information for health insurance accounts, full or partial Social Security numbers, Medicare/Medicaid numbers, driver’s license numbers, government ID numbers,...

Email Breaches Reported by University of Arkansas for Medical Sciences and Sacramento County
Jan25

Email-related breaches of protected health information (PHI) have recently been reported by the University of Arkansas for Medical Sciences and Sacramento County.

University of Arkansas for Medical Sciences (UAMS) Employee HIPAA Violation

The University of Arkansas for Medical Sciences (UAMS) has started sending notification letters to hundreds of patients to alert them to a HIPAA violation involving some of their PHI. On November 29, 2021, UAMS discovered an employee had sent emails from her UAMS email account to a personal Gmail account that contained attachments that included patients’ PHI. UAMS said the emails were sent on November 15, 2021, while the individual was still employed by UAMS. The emails included billing statements that had been sent to UAMS for reimbursement and Excel spreadsheets used by UAMS for internal billing compliance and auditing purposes. No clinical documents, medical records, financial information, or Social Security numbers were included in the attachments, but they did contain PHI such as names, hospital account numbers, medical record numbers, dates...

What are the Penalties for HIPAA Violations?
Jan23

Penalties for HIPAA violations can be issued by the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general. In addition to financial penalties, covered entities are required to adopt a corrective action plan to bring policies and procedures up to the standards demanded by HIPAA. The Health Insurance Portability and Accountability Act of 1996 placed a number of requirements on HIPAA-covered entities to safeguard the Protected Health Information (PHI) of patients and to strictly control when, and to whom, PHI can be divulged. Since the Enforcement Final Rule of 2006, OCR has had the power to issue financial penalties (and/or corrective action plans) to HIPAA covered entities that fail to comply with HIPAA Rules. Financial penalties for HIPAA violations were updated by the HIPAA Omnibus Rule, which introduced charges in line with the Health Information Technology for Economic and Clinical Health Act (HITECH). The Omnibus Rule took effect on March 26, 2013. Since the introduction of the Omnibus Rule, the new penalties for HIPAA...

Memorial Health System Confirms 216K Patients Affected by August 2021 Ransomware Attack
Jan21

Ohio-based Memorial Health System has recently confirmed the ransomware attack it experienced in August 2021 potentially involved the protected health information of 216,478 patients. The ransomware attack forced the health system to divert certain patients to other facilities and cancel some appointments to ensure patient safety. The attack was announced shortly after the breach, which occurred on August 14, 2021. The investigation revealed its network was first breached on July 10, 2021. The incident was reported to the HHS’ Office for Civil Rights promptly, although at the time it was not known how many individuals had been affected. Memorial Health System discovered on or around September 17, 2021, that patient data may have been involved, and a comprehensive review of all affected files followed. On November 1, 2021, the scope of the incident was determined, but it took until December 9, 2021, to confirm the individuals affected and the specific types of data involved, hence the delay in issuing notifications. Written notices were sent to affected individuals on or around January...

4 Healthcare Providers and Health Plans Report Phishing-Related PHI Breaches
Jan20

Email accounts containing the protected health information (PHI) of thousands of patients have been compromised at Loyola University Medical Center, Advent Health Partners, Signature Healthcare Brockton Hospital, and Welfare, Pension and Annuity Funds of Local No. ONE, I.A.T.S.E.

Welfare, Pension, and Annuity Funds of Local No. ONE, I.A.T.S.E.

Welfare, Pension, and Annuity Funds of Local No. ONE, I.A.T.S.E. has recently notified 20,579 individuals about an email security incident that resulted in the exposure of sensitive data. On December 21, 2021, suspicious activity was detected in an employee email account. The account was immediately secured to prevent further unauthorized access and a forensic investigation was conducted to determine the nature and scope of the breach. The investigation determined on October 25, 2021, that the email account had been accessed by an unauthorized individual between May 11, 2021, and August 2, 2021, as a result of the employee responding to a phishing email. A manual review of the emails and attachments confirmed they contained the following types...

Entira Family Clinics and Caring Communities Send Notification Letters About Netgain’s 2020 Ransomware Attack
Jan19

A Minnesota network of family medicine practices started notifying almost 200,000 patients that some of their personal and protected health information was potentially compromised in a cyberattack on a business associate more than a year ago. Entira Family Clinics explained in the notification letters, which were sent to affected individuals on January 13, 2022, that the breach occurred at Netgain Technologies, which provides hosting and cloud IT solutions to companies in the healthcare and accounting sectors. Entira Family Clinics used Netgain’s services for hosting and email. The healthcare provider said the information potentially compromised included names, addresses, Social Security numbers, and medical histories. In the notification letters, Entira said, “Upon discovery, we worked with our information technology (IT) support team and engaged a law firm specializing in cybersecurity and data privacy to investigate further. We have also stayed in close communication with Netgain and its breach counsel regarding Netgain’s incident response and forensic investigation.” The...

Jefferson Surgical Clinic Announces June 2021 Data Breach Impacting 174,769 Patients
Jan19

Roanoke, VA-based Jefferson Surgical Clinic has started notifying patients that some of their protected health information has potentially been compromised in a cyberattack that was detected on June 5, 2021. According to the breach notification letter provided to the Maine Attorney General, the attacker gained access to parts of the network that contained patient data such as names, birth dates, Social Security numbers, and health and treatment information. Jefferson Surgical Clinic promptly notified the Federal Bureau of Investigation about the breach and engaged third-party cybersecurity and forensics specialists to assist with the investigation. The investigation uncovered no evidence to suggest any patient data has been or will be misused as a result of the security breach; however, as a precaution against identity theft and fraud, Jefferson Surgical Clinic has offered affected individuals 12 months of complimentary credit monitoring and identity theft protection services. The Maine Attorney General was notified that the parts of the network accessed by the attacker contained...

December 2021 Healthcare Data Breach Report
Jan18

56 data breaches of 500 or more healthcare records were reported to the HHS’ Office for Civil Rights (OCR) in December 2021, which is a 17.64% decrease from the previous month. In 2021, an average of 59 data breaches were reported each month and 712 healthcare data breaches were reported between January 1 and December 31, 2021. That sets a new record for healthcare data breaches, exceeding last year’s total by 70, a 10.9% increase from 2020. Across December’s 56 data breaches, 2,951,901 records were exposed or impermissibly disclosed, a 24.52% increase from the previous month. At the time of posting, the OCR breach portal shows 45,706,882 healthcare records were breached in 2021, the second-highest total since OCR started publishing summaries of healthcare data breaches in 2009.

Largest Healthcare Data Breaches in December 2021

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Breach Cause
Oregon Anesthesiology Group, P.C. | OR | Healthcare Provider | 750,500 | Ransomware
Texas ENT Specialists | TX | Healthcare Provider | 535,489 | Ransomware
Monongalia Health System, Inc....

Accellion Proposes $8.1 Million Settlement to Resolve Class Action FTA Data Breach Lawsuit
Jan17

The Palo Alto, CA-based technology firm Accellion has proposed an $8.1 million settlement to resolve a class action data breach lawsuit filed on behalf of victims of the December 2020 cyberattack on the Accellion File Transfer Appliance (FTA). The Accellion FTA is a legacy solution that is used for securely transferring files that are too large to be sent via email. The Accellion FTA had been in use for more than 20 years and was at end-of-life, with support due to end on April 30, 2021. Accellion had developed a new platform, Kiteworks, and customers were encouraged to upgrade from the legacy solution; however, a significant number of entities were still using the FTA solution at the time of the cyberattack. In December 2020, two previously unknown Advanced Persistent Threat (APT) groups linked to FIN11 and the CLOP ransomware gang exploited unaddressed vulnerabilities in the Accellion FTA, gained access to the files of its clients, and exfiltrated a significant amount of data. Following the breach, four vulnerabilities associated with the breach were disclosed and issued CVEs....

Online Pharmacy Notifies 105,000 Patients About Cyberattack and Potential Theft of PHI
Jan14

The Auburndale, FL-based digital pharmacy and health app developer Ravkoo has started notifying 105,000 patients that some of their sensitive personal information has been exposed and potentially obtained by an unauthorized individual. Ravkoo hosts its online prescription portal on Amazon Web Services (AWS). The portal was targeted in a cyberattack that was detected on September 27, 2021. Upon discovery of the security breach, steps were immediately taken to secure the portal and third-party cybersecurity experts were engaged to assist with the forensic investigation, mitigation, restoration, and remediation efforts. The investigation confirmed sensitive patient data had been exposed and may have been compromised, including names, addresses, phone numbers, certain prescription information, and limited medical data. Ravkoo said the impacted portal did not contain any Social Security numbers, as these are not maintained in that portal. The forensic investigation did not uncover any evidence that indicated information contained within the portal has been or will be misused....

EHR Vendor Facing Class Action Lawsuit Over 320,000-Record Data Breach
Jan14

QRS, a Tennessee-based healthcare technology services company and EHR vendor, is facing a class action lawsuit over an August 2021 cyberattack in which the protected health information (PHI) of almost 320,000 patients was exposed and potentially stolen. The investigation into the data breach confirmed a hacker had gained access to one of its dedicated patient portal servers between August 23 and August 26, 2021, and viewed and possibly obtained files containing patients’ PHI. Sensitive data stored on the server included patients’ names, addresses, birth dates, usernames, medical information, and Social Security numbers. QRS started sending notification letters to affected individuals in late October and offered identity theft protection services to individuals who had their Social Security number exposed. On January 3, 2022, Matthew Tincher, a Frankfort, KY resident, filed a class action complaint in the U.S. District Court for the Eastern District of Tennessee against QRS. The lawsuit alleges QRS was negligent for failing to reasonably secure, monitor, and maintain the PHI...

Disruption to Services at Maryland Department of Health Continues One Month After Ransomware Attack
Jan14

Maryland Chief Information Security Officer (CISO) Chip Stewart has issued a statement confirming the disruption to services at the Maryland Department of Health (MDH) was the result of a ransomware attack. A security breach was detected in the early hours of December 4, 2021, and prompt action was taken to isolate the affected server and contain the attack. Stewart said the Department of Information Technology successfully isolated and contained the affected systems within a matter of hours, limiting the severity of the attack. “It is in part because of this swift response that we have not identified, to this point in our ongoing investigation, evidence of the unauthorized access to or acquisition of State data,” said Stewart in a statement issued on January 12, 2022. According to Stewart, there was an attempted distributed-denial-of-service (DDoS) attack shortly after the ransomware attack; however, that attack was not successful. Evidence gathered during the investigation of the ransomware and DDoS attacks indicates they were conducted by different threat actors. Stewart said he...

PHI of Anthem Members and Advocate Aurora Health Patients Potentially Compromised
Jan12

Anthem Inc. has alerted 2,003 members that some of their protected health information has potentially been viewed or obtained by an unauthorized individual who gained access to the network of one of its business associates. Anthem works with the Atlanta, GA-based insurance broker OneDigital, which provides support for individuals enrolled in group health plans to help them procure and manage their health insurance. OneDigital had been provided with the protected health information of certain members to assist them or their current or former employer to obtain and manage their health insurance plan. On November 24, 2021, Anthem was notified by OneDigital about a network server hacking incident that occurred in January 2021. Anthem said the investigation into the breach did not uncover any direct evidence of unauthorized viewing or theft of protected health information, but those activities could not be ruled out. The types of data stored on the compromised systems included names, addresses, dates of birth, healthcare provider names, health insurance numbers, group numbers, dates and...

Over 30 Healthcare Providers Affected by CIOX Health Data Breach
Jan11

The health information management services provider CIOX Health has suffered a data breach that has affected at least 32 healthcare providers. In July 2021, CIOX Health discovered an unauthorized individual had gained access to the email of an employee in the customer service department. The email account was immediately secured, with the subsequent investigation confirming the email account had first been accessed by an unauthorized individual on June 24, 2021, and access remained possible until the security breach was detected on July 2, 2021. The CIOX Health breach investigation confirmed that the incident was confined to a single employee email account. The review of the contents of the email account determined on September 24, 2021, that it contained emails and attachments that included the protected health information of some of its healthcare provider clients, such as names, dates of birth, provider names, dates of service, and the Social Security numbers, driver’s license numbers, health insurance information, and/or treatment information of a very limited number of...

Millennium Eye Care Says Ransomware Gang Stole a Large Amount of Patient Data
Jan10

Millennium Eye Care, a Freehold, NJ-based provider of ophthalmology services, announced on December 22, 2021, that hackers recently gained access to its computer network and used ransomware to encrypt files in an attempt to extort money from the practice. It is unclear from its breach notification letters when the attack occurred, but Millennium Eye Care said it discovered on November 14, 2021, that the attackers had exfiltrated “a large amount of data” prior to encrypting files. The files obtained in the attack included a range of protected health information including names and Social Security numbers. Millennium Eye Care said it has increased network security measures to reduce the risk of further attacks and has provided additional cybersecurity training to the workforce to help them recognize external attacks. Affected individuals have been notified by mail and have been provided with information on the steps they can take to protect against identity theft and fraud. Identity theft protection services are being provided free of charge and affected patients will also be covered...

BioPlus Specialty Pharmacy Services Faces Class Action Lawsuit Over Data Breach
Jan07

A Florida specialty pharmacy is facing a class action lawsuit over an October 2021 cyberattack in which the personally identifiable information (PII) and protected health information (PHI) of up to 350,000 patients was stolen. Altamonte Springs, FL-based BioPlus Specialty Pharmacy Services said a hacker had access to its network from October 25, 2021, until November 11, 2021, and during that time viewed files containing sensitive patient data. A computer forensics firm investigated the breach and confirmed patient data had been accessed. Since it was not possible to determine how many patients had been affected, the decision was taken to send notification letters to all 350,000 patients on or around December 10, 2021, one month after the breach was discovered. Data potentially compromised in the attack included names, contact information, dates of birth, medical record numbers, health insurance and claims information, diagnoses, prescription information, and Social Security numbers. Affected individuals were offered a 12-month subscription to credit monitoring services at no cost....

How Should You Respond to an Accidental HIPAA Violation?
Jan06

The majority of HIPAA covered entities, business associates, and healthcare employees take great care to ensure HIPAA Rules are followed, but what happens when there is an accidental HIPAA violation? How should healthcare employees, covered entities, and business associates respond?

How Should Employees Report an Accidental HIPAA Violation?

Accidents happen. If a healthcare employee accidentally views the records of a patient, if a fax is sent to an incorrect recipient, an email containing PHI is sent to the wrong person, or any other accidental disclosure of PHI has occurred, it is essential that the incident is reported to your Privacy Officer. Your Privacy Officer will need to determine what actions need to be taken to mitigate risk and reduce the potential for harm. The incident will need to be investigated, a risk assessment may need to be performed, and a report of the breach may need to be sent to the Department of Health and Human Services’ Office for Civil Rights (OCR). You should explain that a mistake was made and what has happened. You will need to explain which patient’s...

Almost 80,000 Patients Affected by Cyberattack on Fertility Centers of Illinois
Jan06

Fertility Centers of Illinois (FCI) has recently notified 79,943 current and former patients that some of their protected health information may have been viewed or obtained by unauthorized individuals. FCI identified suspicious network activity on February 1, 2021, and took prompt action to secure its systems. Independent forensic investigators were then engaged to determine the nature and scope of the security breach. FCI had implemented security measures to keep patient data secure, and those measures ensured its electronic medical record system could not be accessed; however, the attackers were found to have accessed administrative files and folders. A review of those files confirmed on August 27, 2021, that they contained a range of patient data including names in combination with one or more of the following types of information: Social Security numbers, passport numbers, financial account information, payment card information, diagnoses, treatment information, medical record numbers, billing/claims information, prescription information, Medicare/Medicaid identification...

Rhode Island Public Transit Authority Data Breach to be Investigated by State Attorney General
Jan05

The Rhode Island Public Transit Authority (RIPTA) has recently notified the Department of Health and Human Services’ Office for Civil Rights about a data breach involving the protected health information (PHI) of 5,015 members of its group health plan. RIPTA explained in a breach notice on its website that the cyberattack was detected and blocked on August 5, 2021, and the forensic investigation determined hackers had access to its network from August 3, 2021. A comprehensive review of files on the compromised parts of its network identified files related to the RIPTA health plan, which were found to contain the names, addresses, dates of birth, Social Security numbers, Medicare ID numbers, qualification information, health plan ID numbers, and claims information of health plan members. It was also confirmed that those files had been exfiltrated from its systems by the attackers. RIPTA sent notification letters to affected individuals on December 22, 2021, and offered a complimentary membership to Equifax’s identity monitoring services. RIPTA also explained in its website breach...

What are the HIPAA Breach Notification Requirements?
Jan04

All HIPAA covered entities must familiarize themselves with the HIPAA breach notification requirements and develop a breach response plan that can be implemented as soon as a breach of unsecured protected health information (PHI) is discovered. HIPAA training for staff must also include the procedures for reporting breaches of unsecured PHI. While most HIPAA covered entities should understand the HIPAA breach notification requirements, organizations that have yet to experience a data breach may not have a good working knowledge of the requirements of the Breach Notification Rule. Vendors that have only just started providing a service to covered entities may similarly be unsure of the reporting requirements and actions that must be taken following a breach. The issuing of notifications following a breach of unencrypted PHI is an important element of HIPAA compliance. The failure to comply with HIPAA breach notification requirements can result in a significant financial penalty in addition to that imposed for the data breach itself. With this in mind, we have compiled a summary of...

Broward Health Notifies Over 1.3 Million Individuals About October 2021 Data Breach
Jan04

A major data breach has been announced by Florida’s Broward Health involving the personal and protected health information of more than 1.35 million individuals. The data breach occurred on October 15, 2021, when a hacker gained access to the Broward Health network through the office of a third-party medical provider that had been granted access to the Broward Health network for providing healthcare services. Broward Health discovered and blocked the intrusion on October 19, 2021, and a password reset was performed for all employees to prevent further unauthorized access. Assisted by a third-party cybersecurity company, Broward Health conducted a comprehensive investigation to determine the nature and scope of the breach. The investigation confirmed the attacker had access to parts of the network where employee and patient information were stored, including sensitive data such as names, dates of birth, addresses, email addresses, phone numbers, Social Security numbers, financial/bank account information, health insurance information, medical histories, health conditions,...

2020-2021 HIPAA Violation Cases and Penalties
Jan04

The Department of Health and Human Services’ Office for Civil Rights (OCR) settled 19 HIPAA violation cases in 2020. More financial penalties were issued in 2020 than in any other year since the Department of Health and Human Services was given the authority to enforce HIPAA compliance. $13,554,900 was paid to OCR to settle the HIPAA violation cases. 2021 saw a slight reduction in the number of settlements and fines for HIPAA violations, with 14 enforcement actions announced by OCR. Even so, 2021 had the second-highest number of HIPAA fines of any year since OCR started enforcing compliance with the HIPAA Rules. While the number of penalties was still high in 2021, there was a sizeable reduction in penalty amounts which totaled $5,982,150 for the year, and $5,100,000 of that total came from just one enforcement action. The reason for this is that most of the penalties were for violations of the HIPAA Right of Access, and were in response to investigations of complaints filed by patients who had not been provided with timely access to their medical records, rather than penalties for...

Saltzer Health Alerts Patients About PHI Exposure in Email Account Breach
Jan03

Nampa, Idaho-based Saltzer Health has started notifying certain patients that some of their protected health information (PHI) has been exposed in an email account breach that was detected on June 1, 2021. The investigation revealed an unauthorized individual had access to an employee’s email account between May 25, 2021, and June 1, 2021. Saltzer Health was unable to find evidence indicating the attacker viewed or exfiltrated emails from the account, but it was not possible to rule out the possibility of unauthorized PHI access and data theft. The investigation confirmed the breach was confined to a single email account and no other systems were affected. Assisted by third-party specialists, Saltzer Health conducted a comprehensive review of the email account to determine which patients had been affected. The review was completed on September 21, 2021, and revealed the following types of patient data were stored in the account: names, contact information, state identification numbers, driver’s license numbers, medical record numbers, medical histories, diagnoses, treatment...

The Most Common HIPAA Violations You Should Avoid
Jan02

The most common HIPAA violations that have resulted in financial penalties are the failure to perform an organization-wide risk analysis to identify risks to the confidentiality, integrity, and availability of protected health information (PHI); the failure to enter into a HIPAA-compliant business associate agreement; impermissible disclosures of PHI; delayed breach notifications; and the failure to safeguard PHI. The settlements pursued by the Department of Health and Human Services’ Office for Civil Rights (OCR) are for egregious violations of HIPAA Rules. Settlements are also pursued to highlight common HIPAA violations to raise awareness of the need to comply with specific aspects of HIPAA Rules. This article covers five of the most common HIPAA violations that have resulted in settlements with covered entities and their business associates over the past few years.

Are Data Breaches HIPAA Violations?

Data breaches are now a fact of life. Even with multi-layered cybersecurity defenses, data breaches are still likely to occur from time to time. OCR understands that healthcare...

Largest Healthcare Data Breaches of 2021
Dec30

The largest healthcare data breaches of 2021 rank as some of the worst of all time. In this post, we summarize some of the most serious data breaches to be reported in what has turned out to be another record-breaking year. The Department of Health and Human Services’ Office for Civil Rights’ breach portal shows 686 healthcare data breaches of 500 or more records in 2021, and that number is likely to grow over the next couple of weeks and could well exceed 700 data breaches. As it stands, 2021 is already the worst ever year for healthcare data breaches, beating last year’s record of 642 data breaches. It has also been a particularly bad year in terms of the number of breached healthcare records. Across the 686 2021 healthcare data breaches, 44,993,618 healthcare records have been exposed or stolen, which makes 2021 the second-worst year in terms of breached healthcare records. There have been 245 data breaches of 10,000 or more records, 68 breaches of the healthcare data of 100,000 or more individuals, 25 breaches that affected more than half a million...

Read More
Over 212,500 Patients Affected by 2020 Email Account Breach at Florida Digestive Health Specialists
Dec29

The Bradenton, FL-based gastroenterology healthcare provider Florida Digestive Health Specialists (FDHS) has recently started notifying more than 212,000 patients that some of their protected health information has been exposed in a December 2020 cyberattack. Notification letters were sent to affected individuals on December 27, 2021, by attorney Jason M. Schwent of Clark Hill. The letters explain that suspicious activity was detected in an employee email account on December 16, 2020, which involved an unauthorized individual sending emails from that account. This was a business email compromise attack where access to an internal email account is gained, usually via a phishing email, and the account is then used to impersonate an employee to convince other individuals to make fraudulent wire transfers. In this case, on December 21, 2020, FDHS determined a fraudulent transfer of funds had been made to an unknown bank account. FDHS engaged the services of Clark Hill and a third-party cybersecurity firm to investigate the cyberattack. The investigation confirmed a limited number of...

Read More
Patient Data Stolen in Cyberattack on the Medical Review Institute of America
Dec29

The Medical Review Institute of America (MRoiA) suffered a suspected ransomware attack in November 2021 in which sensitive patient data were stolen. MRoiA is provided with patient data by HIPAA-covered entities as part of the clinical peer review process of healthcare services. In a data breach notice provided to the Vermont attorney general, MRoiA said it was the victim of a sophisticated cyberattack that was detected on November 9, 2021. Third-party cybersecurity experts were immediately engaged to conduct a forensic investigation to determine the nature and scope of the attack and to assist with its remediation efforts, including restoring its systems and operations. On November 12, 2021, MRoiA discovered the attackers had exfiltrated sensitive data, including patients’ electronic protected health information (ePHI). MRoiA did not state in the breach notification letter whether ransomware was involved, although the attack has the hallmarks of a double-extortion ransomware attack. MRoiA said on November 16, 2021, it received assurances that the stolen data were retrieved and...

Read More
HIPAA Enforcement by State Attorneys General
Dec28

The Department of Health and Human Services’ Office for Civil Rights is the main enforcer of HIPAA compliance; however, state Attorneys General also play a role in enforcing compliance with the Health Insurance Portability and Accountability Act Rules. The Health Information Technology for Economic and Clinical Health (HITECH) Act gave state attorneys general the authority to bring civil actions on behalf of state residents who have been impacted by violations of the HIPAA Privacy and Security Rules, and to obtain damages on their behalf. The Connecticut Attorney General was the first to exercise this right, in 2010, against Health Net Inc. for the loss of an unencrypted hard drive containing the electronic protected health information of 1.5 million individuals and for delayed breach notifications. The case was settled for $250,000. The Vermont Attorney General followed suit with a similar action against Health Net in 2011 that was settled for $55,000, and Indiana brought a civil action against Wellpoint Inc. in 2011 that was settled for $100,000. State Attorney HIPAA cases...

Read More
Accountancy Firm Facing Class Action Lawsuit Alleging Negligence and Breach Notification Failures
Dec27

The Chicago, IL-based certified public accounting firm Bansley & Kiener LLP is facing a class action lawsuit over a data breach that was reported to regulators this December. The breach in question occurred in the second half of 2020, with the investigation indicating hackers accessed its systems between August 20, 2020, and December 1, 2020. Bansley & Kiener discovered the breach on December 10, 2020, when ransomware was used to encrypt files. Bansley & Kiener explained in its breach notification letters that it was confirmed on May 24, 2021, that the attackers had exfiltrated data from its systems prior to encrypting files. Bansley & Kiener manages payroll, health insurance, and pension plans for its clients. In total, the sensitive information of 274,000 individuals was exposed or compromised, including names, dates of birth, Social Security numbers, passport numbers, tax IDs, military IDs, driver’s license numbers, financial account information, payment card numbers, health information, and complaint claims. While the attack was detected in December 2020, it...

Read More
Hospital, Pharmacy, and Dental Practice Report Hacking Incidents Impact More Than 355,000 Patients
Dec24

A hacker gained access to the IT network of Altamonte Springs, FL-based BioPlus Specialty Pharmacy Services and accessed files containing sensitive patient data. The intrusion was detected on November 11, 2021, and steps were immediately taken to remove the hacker from its network. Assisted by a third-party computer forensics firm, BioPlus determined its IT environment was compromised on October 25, 2021, and the hacker was removed from its systems on November 11. The investigation confirmed files containing the protected health information of certain patients had been accessed, but it was not possible to rule out the possibility that the hacker accessed the PHI of all of its patients. The decision was therefore taken to notify all 350,000 current and former patients about the breach. Files that were accessible to the hacker included patient names, dates of birth, addresses, medical record numbers, current/former health plan member ID numbers, claims information, diagnoses, and/or prescription information. Some patients also had their Social Security number exposed. Notification...

Read More
PHI of Almost 400,000 Monongalia Health Patients Potentially Compromised in BEC and Phishing Attack
Dec23

Morgantown, WV-based Monongalia Health System has started notifying almost 400,000 patients that some of their protected health information (PHI) may have been obtained by unauthorized individuals in a recent cyberattack. The security incident came to light when one of its vendors reported not receiving a July 2021 payment that had left Monongalia Health’s accounts. The investigation into the incident confirmed this was a business email compromise (BEC) attack. The attacker had used a phishing email to obtain the credentials for a Monongalia Health contractor’s email account, which was used to send a request to Monongalia Health to have the bank account details for an upcoming payment changed to an account controlled by the attacker. Monongalia Health said the investigation revealed several Monongalia Health email accounts had been compromised as a result of employees responding to phishing emails, and emails and email attachments in those accounts contained patients’ protected health information. The purpose of the attack appears to have solely been to obtain funds from Monongalia...
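The email account compromises in the Florida Digestive Health Specialists and Monongalia Health reports above follow one pattern: phished credentials, a mailbox takeover, and a payment-redirection message sent from the now-trusted account. What follows is an added example, not code from this page or from either organization, of detection logic a mail administrator could run over mailbox audit events to surface that pattern before the wire transfer goes out. The event records are constructed for the example; their field names (ts, user, op, ip, country, rule, subject, to), the domains, and the addresses are assumptions, loosely modelled on the sign-in, inbox-rule, and send events that cloud mail platforms log.

```python
"""Correlate mailbox audit events into business email compromise (BEC) findings.

Added example; the events below are constructed and their field names are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Domains treated as "ours" for the forwarding check (assumption for the example).
INTERNAL_DOMAINS = {"vendor.example", "monhealth.example"}

# Subject and rule keywords that mark payment-redirection activity.
PAYMENT_TERMS = ("invoice", "payment", "wire", "remittance", "bank", "ach")

# A payment-themed send this soon after a never-before-seen sign-in location is suspicious.
CORRELATION_WINDOW = timedelta(hours=24)

# Constructed sample events (ISO timestamps).
SAMPLE_EVENTS = [
    {"ts": "2021-06-28T13:02:00", "user": "contractor@vendor.example", "op": "UserLoggedIn",
     "ip": "198.51.100.7", "country": "US"},
    {"ts": "2021-06-29T09:15:00", "user": "contractor@vendor.example", "op": "UserLoggedIn",
     "ip": "198.51.100.7", "country": "US"},
    {"ts": "2021-07-01T08:40:00", "user": "ap@monhealth.example", "op": "UserLoggedIn",
     "ip": "203.0.113.20", "country": "US"},
    # Attacker signs in with phished credentials from a location never seen for this user.
    {"ts": "2021-07-02T03:11:00", "user": "contractor@vendor.example", "op": "UserLoggedIn",
     "ip": "192.0.2.55", "country": "NG"},
    # Attacker hides the conversation: forward externally and delete payment-related mail.
    {"ts": "2021-07-02T03:14:00", "user": "contractor@vendor.example", "op": "New-InboxRule",
     "rule": {"keywords": ["invoice", "payment"], "forward_to": "c0ntract0r@webmail.example",
              "delete": True}},
    # Attacker sends the bank-detail change request from the trusted account.
    {"ts": "2021-07-02T03:20:00", "user": "contractor@vendor.example", "op": "Send",
     "subject": "Updated bank details for July remittance", "to": "ap@monhealth.example"},
    # Normal accounts-payable traffic that must not be flagged.
    {"ts": "2021-07-02T10:05:00", "user": "ap@monhealth.example", "op": "Send",
     "subject": "Re: invoice 4471", "to": "contractor@vendor.example"},
]


def _is_external(address, internal_domains):
    """True when a forwarding target lies outside the organisation's own domains."""
    return bool(address) and address.rsplit("@", 1)[-1].lower() not in internal_domains


def detect_bec(events, internal_domains=INTERNAL_DOMAINS):
    """Return {user: [indicator, ...]} for accounts showing the mailbox-takeover pattern.

    Indicators: a sign-in from a country not in the user's own history, an inbox rule
    that forwards externally or deletes payment-themed mail, and a payment-themed send
    within CORRELATION_WINDOW of the novel sign-in.
    """
    seen_countries = defaultdict(set)   # baseline built from the user's earlier sign-ins
    novel_login_at = {}                 # user -> time of most recent new-country sign-in
    findings = defaultdict(list)

    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, user, op = datetime.fromisoformat(ev["ts"]), ev["user"], ev["op"]

        if op == "UserLoggedIn":
            country = ev["country"]
            # The first sign-in ever only seeds the baseline; later new countries are flagged.
            if seen_countries[user] and country not in seen_countries[user]:
                novel_login_at[user] = ts
                findings[user].append(f"sign-in from new country {country} ({ev['ip']})")
            seen_countries[user].add(country)

        elif op == "New-InboxRule":
            rule = ev["rule"]
            forward_to = rule.get("forward_to", "")
            payment_kw = [k for k in rule.get("keywords", []) if k.lower() in PAYMENT_TERMS]
            if _is_external(forward_to, internal_domains) or (rule.get("delete") and payment_kw):
                findings[user].append(
                    f"suspicious inbox rule: forward_to={forward_to or '-'} "
                    f"delete={bool(rule.get('delete'))} keywords={payment_kw}")

        elif op == "Send":
            subject = ev.get("subject", "").lower()
            recently_novel = user in novel_login_at and ts - novel_login_at[user] <= CORRELATION_WINDOW
            if recently_novel and any(term in subject for term in PAYMENT_TERMS):
                delay = ts - novel_login_at[user]
                findings[user].append(
                    f"payment-themed mail to {ev.get('to')} sent {delay} after new-location "
                    f"sign-in: {ev.get('subject')!r}")

    return dict(findings)


if __name__ == "__main__":
    for account, indicators in detect_bec(SAMPLE_EVENTS).items():
        print(account)
        for line in indicators:
            print("  -", line)
```

The three indicators are correlated rather than alerted on individually: a sign-in from a country never seen for that user, an inbox rule that forwards externally or silently deletes payment-themed mail (attackers add these so the real account owner never sees the vendor's replies), and a payment-themed message sent within a day of the novel sign-in. Each alone is noisy; together they are the pattern both reports describe. Whatever the logs show, a request to change bank details for a payment should still be confirmed by a call to a number already on file, not one taken from the email.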

Read More
Hacking Incidents Reported by Southern Orthopaedic Associates and Eduro Healthcare
Dec22

Paducah, KY-based Southern Orthopaedic Associates (SOA), doing business as the Orthopaedic Institute of Western Kentucky, has started notifying 106,910 patients about a breach of some of their protected health information. SOA detected unauthorized activity in an employee email account on or around July 7, 2021. Steps were immediately taken to secure the account and an investigation was launched to determine the nature and scope of the breach. Assisted by a third-party computer forensics company, SOA determined that several employee email accounts had been compromised between June 24, 2021, and July 8, 2021; however, it was not possible to tell which, if any, emails in those accounts had been accessed. A comprehensive review was conducted of all emails and attachments in the compromised accounts to determine if they contained any protected health information. The review was completed on October 21, 2021, and confirmed the accounts contained patient names and Social Security numbers. Notification letters were sent to affected individuals starting on December 12, 2021. SOA has offered a...

Read More
November 2021 Healthcare Data Breach Report
Dec21

The number of reported healthcare data breaches has increased for the third successive month, with November seeing 68 data breaches of 500 or more records reported to the HHS’ Office for Civil Rights – a 15.25% increase from October and well above the 12-month average of 56 data breaches a month. From January 1 to November 30, 614 data breaches were reported to the Office for Civil Rights. It is looking increasingly likely that this year will be the worst ever year for healthcare data breaches. The number of data breaches increased, but there was a sizable reduction in the number of breached records. Across the 68 reported breaches, 2,370,600 healthcare records were exposed, stolen, or impermissibly disclosed – a 33.95% decrease from the previous month and well below the 12-month average of 3,430,822 breached records per month. Largest Healthcare Data Breaches Reported in November 2021 In November, 30 data breaches of 10,000 or more records were reported to the HHS’ Office for Civil Rights, and 4 of those breaches resulted in the exposure/theft of more than 100,000 records. The...

Read More
Payroll of Healthcare Providers Threatened by Ransomware Attack on Kronos
Dec17

The number of healthcare providers affected by the recent ransomware attack on Kronos has been growing over the past few days. Seven healthcare providers have now confirmed they have been affected by the attack. Kronos is a Lowell, MA-based workforce management and human capital management solution provider that many healthcare organizations use for payroll, scheduling, and other services. On December 11, 2021, Kronos discovered unusual activity in its systems deployed within the Kronos Private Cloud. Steps were immediately taken to investigate the activity and block any unauthorized access. It was rapidly determined to be a ransomware attack that affected parts of its cloud environment where Ultimate Kronos Group (UKG) solutions are deployed, including UKG Workforce Central, UKG TeleStaff, Healthcare Extensions, and Banking Scheduling. UKG said it engaged a leading cybersecurity firm to assess and mitigate the attack, and the investigation into the breach is ongoing. The affected solutions remain offline and Kronos has strongly suggested its clients should evaluate and implement...

Read More
Over 535,000 Individuals Affected by Ransomware Attack on Texas ENT Specialists
Dec17

Texas Ear, Nose & Throat Specialists P.A. (Texas ENT Specialists) has recently announced it was the victim of a cyberattack that was detected on October 19, 2021. When the attack was detected, prompt action was taken to prevent further unauthorized system access and a third-party cybersecurity firm was engaged to investigate and determine the nature and extent of the attack. The forensic investigation revealed the attackers first gained access to its systems on August 9, 2021, and between then and August 15, files were copied and exfiltrated from its systems. A review of those files confirmed they contained the protected health information (PHI) of 535,489 patients, including names, dates of birth, medical record numbers, and procedure codes. A subset of individuals also had their Social Security numbers stolen; however, its electronic medical record system was unaffected. Texas ENT Specialists mailed notification letters to affected individuals on December 10, 2021. Patients who had their Social Security number stolen have been offered complimentary membership to Experian’s...

Read More
Almost 50,000 Health Plan Members Affected by Ransomware Attack on Broward County Public Schools
Dec15

In March 2021, ransomware was used in an attack on Broward County Public Schools in Florida and files were encrypted. The investigation into the breach revealed access to the school network was first gained by unauthorized individuals on November 12, 2020, with the ransomware deployed on March 6, 2021. The attack was detected on March 7, 2021. The hackers demanded a ransom payment of $40 million for the keys to decrypt files, which was later reduced to $10 million, but the school district refused to pay. Initially, it did not appear that any sensitive data had been obtained in the attack, but on April 19, 2021, it was discovered that some files stored on its systems had been stolen when they were released publicly on the Conti ransomware gang’s data leak website. Schools are not usually covered by the Health Insurance Portability and Accountability Act (HIPAA), so HIPAA breach notifications are not required when student records are compromised; however, in this case, the school district is a HIPAA-covered entity as it operates a self-insured health plan. On June 8, 2021, it was...

Read More
Chicago Accountancy Firm Discovers Data was Stolen in December 2020 Ransomware Attack
Dec15

The Chicago, IL-based accountancy firm Bansley and Kiener LLP has announced it was the victim of a December 2020 ransomware attack that saw certain files within its systems encrypted. The attack only caused temporary disruption, and it was possible to restore all encrypted systems from backups and rapidly return to normal operations. The attack occurred on December 10, 2020, and the subsequent investigation into the incident found no evidence of data theft and confirmed that the breach had been fully contained. However, Bansley and Kiener said in a December 3, 2021 data breach notification letter that the firm learned on May 24, 2021, that the attackers had exfiltrated some files from its systems, and those files contained sensitive client information. A third-party cybersecurity firm was engaged to assist with the subsequent investigation and while it was not possible to confirm the specific types of information that had been accessed and exfiltrated, on August 24, 2021, the investigation confirmed the names and Social Security numbers of some individuals may have been obtained by...

Read More
PHI of 750,000 Patients of Oregon Anesthesiology Recovered Following Ransomware Attack
Dec14

On July 11, 2021, Oregon Anesthesiology Group discovered it was the victim of a ransomware attack. Files on its systems had been encrypted which prevented access to its servers and patient data. Following the attack, its IT infrastructure was reconstructed and offline data backups were used to promptly restore the affected files. A digital forensics firm was engaged to investigate the breach and it was confirmed that patient and employee information had been compromised, with the affected parts of its network found to contain files that included names, addresses, dates of service, diagnosis and procedure codes and descriptions, medical record numbers, insurance provider names, and insurance ID numbers. Employee data potentially compromised in the attack included names, addresses, Social Security numbers, and other information contained in W-2 forms. The forensic investigation revealed that once the hackers had gained access to its network, they data-mined administrator credentials which allowed them to access encrypted data on its network. The FBI told Oregon Anesthesiology Group...

Read More
Ransomware Attack Affects 81,000 Howard University College of Dentistry Patients
Dec10

Howard University College of Dentistry discovered on September 3, 2021, that unauthorized individuals had gained access to its network and used ransomware to encrypt files. An announcement was made by the university shortly after the attack that it had been forced to cancel online and hybrid classes while its systems were restored, and that a nationally recognized computer forensics firm had been engaged to investigate the incident to determine the extent of the attack and whether sensitive information was accessed or stolen. On September 24, 2021, the university determined that a system that housed patients’ dental records was affected by the attack. No specific evidence of unauthorized access or data exfiltration was found, although dental records were encrypted. The encrypted records related to dental visits between October 5, 2019, and September 3, 2021, and included information such as names, contact information, dates of birth, dental record numbers, health insurance information, dental history information, and for a limited number of patients, Social Security numbers. The...

Read More
Data Breaches Reported by UH College of Optometry and Valley Mountain Regional Center
Dec08

The University of Houston College of Optometry has discovered an unauthorized individual from outside the United States gained access to the network of an affiliated eye clinic and stole information contained in the clinic’s database. The Community Eye Clinic in Fort Worth, TX, is managed and administered by UH College of Optometry. Security staff identified the intrusion at 9 a.m. on September 13, 2021, the morning after the breach occurred. The IT security team immediately took steps to secure the system, further defensive safeguards have been implemented to better protect patient data, and its monitoring and alerts have been enhanced. A review has also been conducted of the clinic’s IT protocols and procedures to ensure that industry-standard practices are followed. The files obtained by the attacker related to patients who received treatment at the Community Eye Clinic between May 22, 2013, and September 13, 2021. The information in the database included names, dates of birth, contact information, government ID numbers, health insurance information, passport numbers,...

Read More
Ransomware Attacks Reported by TriValley Primary Care and Medsurant Health
Dec08

On October 11, 2021, Perkasie, PA-based TriValley Primary Care discovered ransomware had been installed on its networks and servers, which contained the protected health information of some of its patients. Action was quickly taken to secure its systems and prevent further unauthorized access and third-party cybersecurity experts were engaged to assist with the investigation. The forensic investigation concluded on November 4, 2021, but it was not possible to tell exactly when unauthorized individuals first gained access to its systems nor whether any specific patient information was viewed or obtained by the attackers. At the time of issuing notification letters to affected individuals, TriValley Primary Care was unaware of any actual or attempted misuse of patient data. As a precaution against identity theft and fraud, all affected individuals have been offered complimentary credit monitoring and identity theft protection services. TriValley Primary Care said it has taken action to prevent further security breaches, including implementing additional technical safeguards,...

Read More
Sound Generations Reports Two Ransomware Attacks Affecting Over 100,000 Individuals
Dec07

Seattle, WA-based Sound Generations has announced that unauthorized individuals have gained access to its internal systems and have used ransomware to encrypt files. Sound Generations is a nonprofit that helps older adults and adults with disabilities obtain free or low-cost healthcare resources. The organization is the largest provider of comprehensive services for aging adults in King County, WA. According to the substitute breach notification letter uploaded to its website, unauthorized individuals accessed its systems and encrypted data on July 18, 2021, and again on September 18, 2021. In both cases, the unauthorized access was promptly terminated and both incidents were investigated by a third-party forensics firm to determine the nature and scope of the security breaches; however, it was not possible to tell if any protected health information was viewed or obtained by the attackers. An internal review of the affected systems confirmed the protected health information of 103,576 individuals was stored on the affected systems. That information included demographic and health...

Read More
PHI of 40,000 Individuals Exposed in Email Account Breaches
Dec07

Three healthcare providers have recently reported security breaches involving the email accounts of employees, resulting in the exposure and potential theft of the protected health information of more than 40,000 individuals. Saltzer Health Saltzer Health in Idaho identified a breach of its email environment on June 1, 2021. Steps were promptly taken to prevent further unauthorized access, with the subsequent investigation confirming an unauthorized individual had accessed the account between May 25, 2021, and June 1, 2021. It was not possible to tell if any patient information was accessed or exfiltrated, but a comprehensive review of the account by third-party specialists confirmed it contained the protected health information of 15,650 patients. The review was completed on September 21, 2021, and confirmed the email account contained the following types of information: Names, contact information, medical record numbers, patient identification numbers, driver’s license/state identification numbers, medical histories, diagnoses, treatment information, physician information,...

Read More
400,000 Patients Potentially Affected by Planned Parenthood Ransomware Attack
Dec03

Planned Parenthood has recently announced it was the victim of a ransomware attack in October that affected its Los Angeles branch. According to the announcement, a ransomware gang gained access to the network between October 9, 2021, and October 17, 2021, and deployed ransomware to encrypt files. A ransom demand was then issued, payment of which was required to obtain the keys to decrypt data. Prior to using ransomware, certain files were exfiltrated from its systems and were used as leverage to get Planned Parenthood to pay the ransom. It is currently unclear if the ransom was paid but, at the time of writing, the stolen files do not appear to have been published on any ransomware gang’s data leak site. The ransomware attack was detected by Planned Parenthood Los Angeles on October 17, 2021, and steps were immediately taken to secure its network and investigate the security breach. When it was confirmed that files had been stolen, a review was conducted to determine the types of information that had been compromised.  On November 4, 2021, it was confirmed that some of the stolen...

Read More
HHS’ Office for Civil Rights Imposes Further 5 Financial Penalties for HIPAA Right of Access Violations
Dec01

The HHS’ Office for Civil Rights (OCR) is continuing with its enforcement of compliance with the HIPAA Right of Access and has recently announced a further 5 financial penalties. The HIPAA Right of Access enforcement initiative was launched in the fall of 2019 in response to a significant number of complaints from patients who had not been provided with timely access to their medical records. The HIPAA Privacy Rule requires covered entities to provide individuals with access to their medical records. A copy of the requested information must be provided within 30 days of the request being received, although an extension of 30 days may be granted in limited circumstances. HIPAA-covered entities are permitted to charge patients for exercising this important Privacy Rule right, but may only charge a reasonable, cost-based fee. Labor costs are only permitted for copying or otherwise creating and delivering the PHI after it has been identified. The enforcement actions to date have not been imposed for charging excessive amounts, only for impermissibly refusing to provide a copy of the...

Read More
One Community Health Patients Notified About April 2021 Cyberattack and Data Theft
Nov29

Sacramento, CA-based One Community Health has recently notified patients that its systems were compromised between April 19 and April 20, 2021. An unauthorized individual was discovered to have gained access to systems containing the personal and protected health information of certain employees and patients. A comprehensive forensic investigation was conducted by a third-party cybersecurity firm to determine the nature and scope of the attack, and One Community Health was notified on October 6, 2021, that the attacker had exfiltrated files from its network that included full names and one or more of the following data elements: Address, other demographic information, telephone number, email address, date of birth, Social Security number, driver’s license number, insurance information, diagnosis information, and treatment information. Notification letters started to be sent to all affected patients on November 22, 2021. There have been no reported cases of identity theft or fraud; however, complimentary credit monitoring services have been offered to affected individuals as a...

Read More
Sarasota MRI, Consociate Health, & Upstate Homecare Notify Patients About Data Breaches
Nov29

Sarasota MRI, Consociate Health, and Upstate Homecare have recently notified regulators and patients about security incidents involving personal and protected health information. Upstate Homecare Notifies 5,100 Patients About Ransomware Attack The Albany, NY-based home healthcare provider, Upstate Homecare, has notified 5,114 patients about a recent ransomware attack in which patient data was stolen. It is unclear from the breach notification letters when the attack occurred; however, an investigation conducted by a third-party cybersecurity firm determined on November 4, 2021, that patient data had been stolen and posted to a data leak website on the darknet. The stolen data included full names, dates of birth, addresses, telephone numbers, email addresses, driver’s license numbers, bank account information, Social Security numbers, treatment information, physicians’ names, patient ID numbers, and Medicare/Medicaid numbers. Following the attack, Upstate Homecare performed a comprehensive review of its security measures and has implemented additional safeguards to better protect...

Read More
Former Huntington Hospital Employee Charged with Criminal HIPAA Violation
Nov25

A former employee of Huntington Hospital in New York has been charged with a criminal HIPAA violation over the unauthorized accessing of 12,925 patient records. The employee worked the night shift at Huntington Hospital during which time he impermissibly accessed patients’ medical records over 4 months between October 2018 and February 2019. The types of information viewed by the employee included demographic information such as names, dates of birth, telephone numbers, addresses, internal account numbers, medical record numbers, and clinical information including diagnoses, medications, lab test results, treatment information, and healthcare provider names. Huntington Hospital said it found no evidence to suggest Social Security numbers, insurance information, credit card numbers, and other payment-related information were accessed. When the unauthorized access was discovered, the employee was immediately suspended while a comprehensive investigation was conducted. The investigation concluded on February 25, 2019, the employee was terminated for the HIPAA violation, and law...

Read More
Hacking Incidents Reported by Retinal Consultants Medical Group, Three Rivers Regional Commission, & ACE Surgical Supply
Nov25

Retinal Consultants Medical Group, ACE Surgical Supply, and Three Rivers Regional Commission have recently reported cyberattacks in which the protected health information of patients may have been obtained by unauthorized individuals. Retinal Consultants Medical Group Hacking Incident Affects 11,603 Patients Vitreo-Retinal Medical Group Inc., dba Retinal Consultants Medical Group, says it was the victim of a sophisticated cyberattack that was detected on or around July 12, 2021 and caused a service disruption. Vitreo-Retinal Medical Group engaged third-party cybersecurity consultants to help restore its systems and investigate the nature and scope of the attack. While the investigation confirmed unauthorized individuals had gained access to its computer network, it was not possible to tell if any protected health information was accessed or exfiltrated, although no reports have been received that suggest actual or attempted misuse of patient data. A comprehensive manual and programmatic review of the affected systems confirmed the following types of protected health information had...

Read More