Our HIPAA breach news section covers HIPAA breaches such as unauthorized disclosures of protected health information (PHI), improper disposal of PHI, unauthorized PHI access by cybercriminals and rogue healthcare employees, and other security and privacy breaches.

When known, we explain how the breach occurred, the consequences to patients that may have had their PHI compromised, and the actions being taken by the affected healthcare organization to improve safeguards to prevent further HIPAA breaches.

We also explain any actions being taken by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general in relation to those breaches.

OCR investigates all data breaches that impact more than 500 individuals to determine whether any HIPAA violations have occurred. When HIPAA Rules are discovered to have been violated, financial penalties may be deemed appropriate. It can take many months or years before any financial penalties for HIPAA breaches are decided. Financial penalties for HIPAA violations tend to be reserved for the most serious breaches of HIPAA Rules. OCR prefers to resolve cases with voluntary compliance and by issuing recommendations to bring policies in line with HIPAA Rules.

The HIPAA breach news section is particularly relevant to healthcare information security professionals, privacy officers, and other individuals who have some responsibility for HIPAA compliance.

The HIPAA breach news reports highlight common areas of non-compliance and new attack vectors used by cybercriminals to gain access to healthcare networks and PHI, the security failings that allowed them to happen, and the measures that have been implemented to prevent them from happening again.

No healthcare organization wants to experience a data breach, but when a breach does occur, lessons can be learned. HIPAA-covered entities can use these breach examples to help train their staff as well as to discover some of the methods other covered entities have adopted to improve data security.

As you will be able to see from the volume of posts in the HIPAA breach news category, healthcare data breaches occur frequently. In 2016 and 2017, healthcare data breaches have been reported on an almost daily basis.

Our HIPAA breach news section is an important source of information about potential security issues that covered entities should be identifying when conducting their own risk assessments. Many of the situations in our HIPAA breach news posts could have been avoided if a risk assessment had identified a vulnerability that was later exploited to gain access to PHI.

The main purpose for adding HIPAA breach news to this website is to highlight specific aspects of HIPAA compliance that are commonly overlooked, often with serious consequences for the covered entity and patients/health plan members.

By raising awareness of the volume of healthcare data breaches, the implications of those breaches, and the penalties that can result, it is hoped that healthcare providers will take decisive action to prevent their patients’ and members’ data from being exposed.

The most recent healthcare data breach reports are listed below. If you want to find out if a specific covered entity has experienced a data breach, please use the search function in the top right hand corner of this webpage.

Business Associate Fined $2.3 Million for Breach of 6 Million Records and Multiple HIPAA Failures
Sep23

Business Associate Fined $2.3 Million for Breach of 6 Million Records and Multiple HIPAA Failures

The Department of Health and Human Services’ Office for Civil Rights has announced its 10th HIPAA violation fine of 2020. This is the 7th financial penalty to resolve HIPAA violations that has been announced in as many days. The latest financial penalty is the largest to be imposed in 2020 at $2.3 million and resolves a case involving 5 potential violations of the HIPAA Rules, including a breach of the electronic protected health information (ePHI) of 6,121,158 individuals. CHSPSC LLC is Tennessee-based management company that provides services to many subsidiary hospital operator companies and other affiliates of Community Health Systems, including legal, compliance, accounting, operations, human resources, IT, and health information management services. The provision of those services requires access to ePHI, so CHSPSC is classed as a business associate and is required to comply with the HIPAA Security Rule. On April 10, 2014, CHSPSC suffered a cyberattack by an advanced persistent threat group known as APT18. Using compromised admin credentials, the hackers remotely accessed...

Read More
Montefiore Medical Center and Geisinger Fire Employees for Improper PHI Access
Sep22

Montefiore Medical Center and Geisinger Fire Employees for Improper PHI Access

Montefiore Medical Center in Bronx, NY has fired an employee over the alleged theft of the protected health information of approximately 4,000 patients. Montefiore became aware of a potential internal data breach in July 2020 and launched an investigation into unauthorized medical record access. Montefiore had implemented a technology solution that monitors EHRs for inappropriate access, which identified the employee. The investigation confirmed that the employee had accessed medical records without any legitimate work reason between January 2018 and July 2020. Accessing the medical records of patients when there is no legitimate reason for doing so is a violation of HIPAA and hospital policies. Montefiore said criminal background checks are performed on all employees prior to being given a position at the medical center and Montefiore provides HIPAA training to all employees. The employee in question had received significant privacy and security training but had chosen to violate internal policies and HIPAA Rules. The investigation into the breach is ongoing and the matter has...

Read More
August 2020 Healthcare Data Breach Report
Sep22

August 2020 Healthcare Data Breach Report

37 healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights in August 2020, one more than July 2020 and one below the 12-month average. The number of breaches remained fairly constant month-over-month, but there was a 63.9% increase in breached records in August. 2,167,179 records were exposed, stolen, or impermissibly disclosed in August. The average breach size of 58,572 records and the median breach size was 3,736 records.     Largest Healthcare Data Breaches Reported in August 2020   Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of Breached PHI Incident Northern Light Health Business Associate 657,392 Hacking/IT Incident Network Server, Other Blackbaud ransomware attack Saint Luke’s Foundation Healthcare Provider 360,212 Hacking/IT Incident Network Server Blackbaud ransomware attack Assured Imaging Healthcare Provider 244,813 Hacking/IT Incident Network Server Ransomware attack MultiCare Health System Healthcare Provider 179,189 Hacking/IT Incident Network Server Blackbaud...

Read More
Noncompliance with HIPAA Results in $1.5 Million Financial Penalty for Athens Orthopedic Clinic
Sep21

Noncompliance with HIPAA Results in $1.5 Million Financial Penalty for Athens Orthopedic Clinic

The HHS’ Office for Civil Rights has announced a settlement has been reached with Athens Orthopedic Clinic PA to resolve multiple violations of the Health Insurance Portability and Accountability Act (HIPAA) Rules. OCR conducted an investigation into a data breach reported by the Athens, GA-based healthcare provider on July 29, 2016.  Athens Orthopedic Clinic had been notified by Dissent of Databreaches.net on June 26, 2026 that a database containing the electronic protected health information (ePHI) of Athens Orthopedic Clinic patients had been listed for sale online by a hacking group known as The Dark Overlord. The hackers are known for infiltrating systems, stealing data, and issuing ransom demands, payment of which are required to prevent the publication/sale of data. Athens Orthopedic Clinic investigated the breach and determined that the hackers gained access to its systems on June 14, 2016 using vendor credentials and exfiltrated data from its EHR system. The records of 208,557 patients were stolen in the attack, including names, dates of birth, Social Security numbers,...

Read More
HIPAA Right of Access Failures Result in Five OCR HIPAA Fines
Sep16

HIPAA Right of Access Failures Result in Five OCR HIPAA Fines

The Department of Health and Human Services’ Office for Civil Rights has announced five settlements have been reached to resolve HIPAA violations discovered during the investigation of complaints from patients who had experienced problems obtaining a copy of their health records. The HIPAA Privacy Rule gives individuals the right to have timely access to their health records at a reasonable cost. If an individual chooses to exercise their rights under HIPAA and submit a request for a copy of their health records, a healthcare provider must provide those records without reasonable delay and within 30 days of receiving the request. After receiving multiple complaints from individuals who had been prevented from obtaining a copy of their health records, OCR launched its HIPAA right of access initiative in 2019 and made compliance with the HIPAA right of access one of its enforcement priorities. Two settlements were reached with HIPAA covered entities in 2019 over HIPAA right of access failures. Bayfront Health St Petersburg and Korunda Medical, LLC were each ordered to pay a financial...

Read More
Department of Veteran Affairs Reports Breach of Payment System and Potential Theft of Veterans’ SSNs
Sep15

Department of Veteran Affairs Reports Breach of Payment System and Potential Theft of Veterans’ SSNs

The U.S. Department of Veteran Affairs (VA) has experienced a data breach involving the personal information of around 46,000 veterans. Hackers gained access to an online application used by the VA Financial Services Center (FSC) and attempted to divert payments sent by the VA to community care providers to pay for veterans’ medical care. Social engineering tactics were used, and authentication protocols were exploited to gain access to the application and change bank account information. Upon discovery of the breach, the FSC took the payment processing application offline to prevent any further payments from being sent. It is unclear how many payments were sent before the cyberattack was discovered and whether the attack was detected in time to block fraudulent transfers. The FSC said the breached payment processing application will remain offline until the Office of Information Technology has performed a comprehensive security review. The main purpose of the cyberattack appears to have been to divert payments; however, the personally identifiable information and Social Security...

Read More
Starling Physicians Email Breach Impacts 7,777 Patients
Sep14

Starling Physicians Email Breach Impacts 7,777 Patients

Rocky Hill, CT-based Starling Physicians has started notifying 7,777 patients that some of their protected health information was stored in email accounts that were found to have been accessed by an unauthorized individual. A breach of its email environment was detected on or around July 7, 2020. A comprehensive review was conducted to determine the extent of the breach and whether any patient data had been accessed. While evidence of PHI access was not found, it was not possible to rule out unauthorized data access. Emails and email attachments were found to include names along with some of the following data elements: Dates of birth, medical record numbers, patient account numbers, diagnostic information, healthcare provider information, prescription information, and treatment information. A small number of affected individuals also had their address, social security number, and/or Medicare/Medicaid ID number exposed. Starling Physicians is strengthening its cybersecurity defenses to prevent similar data security events in the future. Advocate Aurora Health Notifies 2,979...

Read More
Inova Health System Says 1.05 Million Individuals Impacted by Blackbaud Ransomware Attack
Sep11

Inova Health System Says 1.05 Million Individuals Impacted by Blackbaud Ransomware Attack

Falls Church, VA-based Inova Health System is one of the latest healthcare providers to confirm that it has been affected by the ransomware attack on Blackbaud. A backup of its donor database contained the information of 1,045,270 donors, patients, and prospective donors, which takes the total number of healthcare victims in the United States past 2.99 million. That total is also likely to grow as the deadline for reporting the breach to the HHS has not yet been reached. On July 16, 2020, Blackbaud issued notifications to its clients that it had suffered a ransomware attack. Unauthorized individuals gained access to its systems on February 7, 2020, with access possible until May 20, 2020 when the attack was detected when ransomware was deployed. Prior to the deployment of ransomware, certain data were exfiltrated from Blackbaud’s servers. While not all clients were affected, the attackers were able to obtain backups of fundraising databases of many of the firm’s clients. For most organizations, the breached data were limited to donor names, addresses, dates of birth, contact...

Read More
Hennepin County Medical Center Faces Possible Legal Action Over Snooping on George Floyd’s Medical Records
Sep11

Hennepin County Medical Center Faces Possible Legal Action Over Snooping on George Floyd’s Medical Records

Hennepin County Medical Center in Minneapolis is potentially facing legal action after several employees were discovered to have snooped on George Floyd’s medical records. Attorney Antonio Romanucci of Chicago-based law firm Romanucci & Blandin said he was informed that several employees of Hennepin County Medical Center had accessed George Floyd’s medical records on multiple occasions when there was no legitimate reason for doing so, in clear violation of hospital policies and the Health Insurance Portability and Accountability Act (HIPAA). Attorneys representing Hennepin County Medical Center notified the family of George Floyd that certain records relating to George Floyd had been inappropriately accessed by certain employees. Details about the types of records viewed by the employees, the individuals involved, and their positions at Hennepin County Medical Center were not disclosed. Antonio Romanucci and the family’s legal team issued a statement to the Star Tribune saying they are currently “exploring all remedies” to “make this right and make the family whole for...

Read More
Up to 308,000 Patients Potentially Affected by Baton Rouge Clinic Ransomware Attack
Sep09

Up to 308,000 Patients Potentially Affected by Baton Rouge Clinic Ransomware Attack

The Baton Rouge Clinic in Louisiana experienced a cyberattack in early July that took its email and phone system out of action and limited its lab and radiology services. The cyberattack, which involved ransomware, took certain systems out of action for several weeks. It is now two months after the attack and the external email system is still not working. The clinic’s medical record system was not breached, so the data potentially viewed and/or obtained were limited. The attack was performed by an overseas adversary, according to a statement issued by the clinic. It is unclear whether the ransom was paid. The clinic said, “We followed the recommendations our cybersecurity firm made to us in consultation with the FBI.” The investigation into the breach confirmed that the attackers potentially accessed the protected health information of 85 patients, all of whom have now been notified. The types of information involved were EMR data downloaded in order to send claims to insurance companies. Separate breach notification letters were also sent to 308,000 patients. Those individuals...

Read More
PHI of Almost 140,000 Individuals Potentially Compromised in Imperium Health Phishing Attack
Sep07

PHI of Almost 140,000 Individuals Potentially Compromised in Imperium Health Phishing Attack

Imperium Health Management, a Louisville, KY-based provider of development services to Accountable Care Organizations (ACOs), is notifying 139,114 individuals that some of their protected health information was potentially compromised in a recent phishing attack. Imperium Health learned of the attack on April 23, 2020. The investigation revealed one email account was breached on April 21, 2020 and a second email account was breached on April 24, 2020 due to the employees responding to phishing emails. The emails contained links that appeared to be legitimate but directed the employees to a website where their email credentials were harvested. A review of the compromised email accounts revealed they contained protected health information such as patient names, addresses, dates of birth, medical record numbers, account numbers, health insurance information, Medicare numbers, Medicare Health Insurance Claim Numbers (which can include Social Security numbers), and limited clinical and treatment information. Imperium Health was notified that the accounts contained PHI on June 18, 2020....

Read More
Blackbaud Data Breach Healthcare Victim Count Rises to Almost 1 Million
Sep04

Blackbaud Data Breach Healthcare Victim Count Rises to Almost 1 Million

The number of healthcare providers confirmed to have been affected by the Blackbaud ransomware attack and data breach is growing, with a further four healthcare providers issuing breach notifications in the past few days. Yesterday we reported Northwestern Memorial HealthCare had been affected and the personal information of 55,983 individuals was compromised. Now the Department of Health and Human Services’ Office for Civil Rights breach portal shows 179,189 MultiCare Health System donors and potential donors have been affected, as have 52,500 donors to Spectrum Health Lakeland Foundation, and 22,718 donors to the Richard J. Caron Foundation. Earlier this month, Northern Light Health Foundation confirmed that the information of 657,392 donors was compromised in the breach. Catholic Health and its foundations, the University of Detroit Mercy, and Children’s Hospital of Pittsburgh Foundation are also known to have been affected by the Blackbaud data breach. The total number of healthcare organizations affected by the breach is still not known, nor the total number of individuals...

Read More
Assured Imaging Ransomware Attack Affects Almost 245,000 Patients
Sep04

Assured Imaging Ransomware Attack Affects Almost 245,000 Patients

Tucson, AZ-based Assured Imaging, a subsidiary of Rezolut Medical Imaging and provider of Health Screening and Diagnostic Services, has announced it has suffered a ransomware attack that resulted in the encryption of its medical record system. Assured Imaging discovered the attack on May 19, 2020 and worked quickly to stop any further unauthorized access and restore the encrypted data. Assisted by a third-party computer forensics firm, Assured Imaging investigated the ransomware attack to determine the scope of the breach. The investigation revealed an unauthorized individual gained access to its systems between May 15, 2020 and May 17, 2020 and exfiltrated “limited data” prior to the deployment of ransomware. The forensic investigation confirmed data had been stolen but it was not possible to determine exactly what information was exfiltrated by the attackers. A review was conducted to identify all types of information that could potentially have been accessed. The compromised system was found to contain full names, addresses, dates of birth, patient IDs, facility used, treating...

Read More
56,000 Northwestern Memorial HealthCare Donors Impacted by Blackbaud Ransomware Attack
Sep03

56,000 Northwestern Memorial HealthCare Donors Impacted by Blackbaud Ransomware Attack

Northwestern Memorial HealthCare has discovered the personal information of individuals who had previously made donations to Northwestern Memorial HealthCare was potentially compromised in the recent Blackbaud ransomware attack. An unauthorized individual first gained access to Blackbaud systems on February 7, 2020, with the access possible until May 20,2020 when ransomware was deployed. Prior to the use of ransomware, the attacker may have accessed a backup of a database that contained names, age, gender, dates of birth, medical record number, dates of service, departments of service, treating physicians, and/or limited clinical information. The database also contained the Social Security numbers and/or financial/payment card information of 5 individuals. In total, the information of 55,983 Northwestern Memorial HealthCare donors was potentially compromised in the attack. Northwestern Memorial HealthCare is conducting a review of its third-party database storage vendors and its relationship with Blackbaud in order to prevent similar data breaches in the future. Names and Health...

Read More
Utah Pathology Services Email Breach Potentially Affects 112,000 Patients
Aug31

Utah Pathology Services Email Breach Potentially Affects 112,000 Patients

Utah Pathology Services has announced an unauthorized individual has gained access to the email account of an employee and attempted to redirect funds from Utah Pathology. The breach was detected promptly, the compromised email account was secured, and the attempted fraud was unsuccessful and did not involve any patient information. Independent IT and forensic investigators were engaged to assist with the investigation and help determine the extent of the breach. The investigation is ongoing, but it has now been confirmed that the compromised email account contained the personal and protected health information of 112,124 patients. The purpose of the attack appears to have been to redirect funds to an account under the control of the attacker, rather than to steal patient data; however, the possibility of data theft could not be ruled out and affected individuals are now being notified about the breach. The compromised email account contained the following types of information in addition to patient names: Gender, date of birth, mailing address, phone number, email address, health...

Read More
Former Nursing Home Employee Accused of Defrauding Residents Out of $25,000
Aug28

Former Nursing Home Employee Accused of Defrauding Residents Out of $25,000

A former nursing home employee has been accused of stealing the identities of dozens of nursing home residents and using their accounts to pay her bills. The woman, Anna Zur, 39, of Franklin Park, IL, previously worked in the corporate office of a care facility and abused her access rights to residents’ information to obtain documents and financial information, which she sent to a personal email account. She has been accused of stealing the identities of residents and using their accounts to purchase goods and services and pay her bills. The Palos Heights Police Department conducted a year-long investigation into cases of identity theft and fraud and issued a warrant for the woman’s arrest. She was taken into custody on August 26, 2020 and has been charged with felony counts of wire fraud and continuing a financial crimes enterprise. The woman has been linked to 35 cases of identity theft and is alleged to have defrauded individuals out of $25,000. Patient Data Stolen in Ventura Orthopedics Ransomware Attack The Californian healthcare provider Ventura Orthopedics has experienced a...

Read More
Dynasplint Systems Data Breach Impacts Almost 103,000 Individuals
Aug26

Dynasplint Systems Data Breach Impacts Almost 103,000 Individuals

Severna Park, MD-based Dynasplint Systems, a manufacturer of proprietary stretching devices to improve joint motion, has experienced a cyberattack in which personal and protected health information may have been accessed or stolen. The security breach occurred on May 16, 2020 and prevented employees from accessing computer systems. In a letter to the Iowa Attorney General, a lawyer representing Dynasplint explained that the company had suffered “an encryption attack” which prevented employees from accessing computer systems. Assisted by a digital forensics firm, Dynasplint Systems determined on June 4, 2020 that information such as names, addresses, dates of birth, Social Security numbers, and medical information may have been accessed and acquired by the attackers. The cyberattack was reported to the FBI and Dynasplint Systems is cooperating with the investigation to hold the individuals responsible accountable. The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 102,800 individuals were potentially affected by...

Read More
AI Company Exposed 2.5 Million Patient Records Over the Internet
Aug21

AI Company Exposed 2.5 Million Patient Records Over the Internet

The personal and health information of more than 2.5 million patients has been exposed online, according to technology and security consultant Jeremiah Fowler. The records were discovered on July 7, 2020 in two folders that were publicly accessible over the Internet and required no passwords to access data. The folders were labeled as “staging data” and had been hosted by an artificial intelligence company called Cense AI, a company that provides SaaS-based intelligent process automation management solutions. The folders were hosted on the same IP address as the Cense website and could be accessed by removing the port from the IP address, which could be done by anyone with an Internet connection. The data could have been viewed, altered, or downloaded during the time it was accessible. An analysis of the data suggests it was collected from insurance companies and relate to individuals who had been involved in automobile accidents and had been referred for treatment for neck and spinal injuries. The data was quite detailed and included patient names, addresses, dates of birth,...

Read More
July 2020 Healthcare Data Breach Report
Aug19

July 2020 Healthcare Data Breach Report

July saw a major fall in the number of reported data breaches of 500 or more healthcare records, dropping below the 12-month average of 39.83 breaches per month. There was a 30.8% month-over-month fall in reported data breaches, dropping from 52 incidents in June to 36 in July; however, the number of breached records increased 26.3%, indicating the severity of some of the month’s data breaches.   1,322,211 healthcare records were exposed, stolen, or impermissibly disclosed in July’s reported breaches. The average breach size was 36,728 records and the median breach size was 6,537 records. Largest Healthcare Data Breaches Reported in July 2020 14 healthcare data breaches of 10,000 or more records were reported in July, with two of those breaches involving the records of more than 100,000 individuals, the largest of which was the ransomware attack on Florida Orthopaedic Institute which resulted in the exposure and potential theft of the records of 640,000 individuals. The other 100,000+ record breach was suffered by Behavioral Health Network in Maine. The breach was reported as...

Read More
R1 RCM Medical Collection Agency Suffers Ransomware Attack
Aug18

R1 RCM Medical Collection Agency Suffers Ransomware Attack

One of the largest medical debt collection agencies in the United States has suffered a ransomware attack. Chicago-based R1 RCM, formerly Accretive Health Inc., generated $1.18 billion in revenue in 2019 and works with more than 750 healthcare clients. It is currently unclear how many of its clients have been affected by the attack. The breach was recently reported by Brian Krebs of Krebs on Security. R1 RCM confirmed that it was attacked with ransomware and its systems were taken down in response to the attack. Recovery efforts are ongoing. No information has been released on the type of ransomware used in the attack and it is unclear if patient data was stolen prior to files being encrypted. Krebs spoke to a source close to the investigation who suggested the ransomware used in the attack was Defray. Defray ransomware is usually spread via malicious Word documents sent via email in small, targeted campaigns. The threat actors behind the ransomware have previously targeted education and healthcare verticals. In 2019, the medical debt collection agency, American Medical Collection...

Read More
Blackbaud Ransomware Attack Impacts 657,392 Northern Light Health Foundation Donors
Aug18

Blackbaud Ransomware Attack Impacts 657,392 Northern Light Health Foundation Donors

The Brewer, ME-based 10-hospital integrated healthcare system, Northern Light Health Foundation, has announced it has been affected by the recent ransomware attack on Blackbaud Inc. The databases affected contained information about donors, potential donors, and individuals who may have attended a fundraising event in the past. Patient medical records were stored separately and were unaffected. The databases contained the records of 657,392 individuals. South Carolina-based Blackbaud is one of the world’s largest providers of education, administration, fundraising, and financial management software. A company as large as Blackbaud is naturally a target for cybercriminals. Blackbaud explained it encounters millions of attacks each month and its cybersecurity team successfully defends the company against those attacks, although in May 2020 one of those attacks succeeded. The ransomware attack could have been far worse. Blackbaud detected the ransomware attack quickly and took action to block the attack. Blackbaud was able to prevent the ransomware from fully encrypting its files, and...

Read More
Healthcare Data Leaks on GitHub: Credentials, Corporate Data and the PHI of 150,000+ Patients Exposed
Aug17

Healthcare Data Leaks on GitHub: Credentials, Corporate Data and the PHI of 150,000+ Patients Exposed

A new report has revealed the personal and protected health information of patients and other sensitive data are being exposed online without the knowledge of covered entities and business associates through public GitHub repositories. Jelle Ursem, a security researcher from the Netherlands, discovered at least 9 entities in the United States – including HIPAA-covered entities and business associates – have been leaking sensitive data via GitHub. The 9 leaks – which involve between 150,000 and 200,000 patient records – may just be the tip of the iceberg. The search for exposed data was halted to ensure the entities concerned could be contacted and to produce the report to highlight the risks to the healthcare community. Even if your organization does not use GitHub, that does not necessarily mean that you will not be affected. The actions of a single employee or third-party contracted developer may have opened the door and allowed unauthorized individuals to gain access to sensitive data. Exposed PII and PHI in Public GitHub Repositories Jelle Ursem is an ethical security...

Read More
Medical Software Database Containing Personal Information of 3.1 Million Patients Exposed Online
Aug17

Medical Software Database Containing Personal Information of 3.1 Million Patients Exposed Online

A database containing the personal information of more than 3.1 million patients has been exposed online and was subsequently deleted by the Meow bot. Security researcher Volodymyr ‘Bob’ Diachenko discovered the database on July 13, 2020. The database required no password to access and contained information such as patients’ names, email addresses, phone numbers, and treatment locations. Diachenko set about trying to identify the owner of the database and found it had been created by a medical software company called Adit, which makes online booking and patient management software for medical and dental practices. Diachenko contacted Adit to alert the company to the exposed database but received no response. A few days later, Diachenko discovered the data had been attacked by the Meow bot. The Meow bot appeared in late July and scans the internet for exposed databases. Security researchers such as Diachenko conduct scans to identify exposed data and then make contact with the data owners to try to get the data secured. The role of the Meow bot is search and destroy. When exposed...

Read More
Protected Health Information of 129K Individuals Potentially Compromised in Behavioral Health Network Malware Attack
Aug14

Protected Health Information of 129K Individuals Potentially Compromised in Behavioral Health Network Malware Attack

Behavioral Health Network (BHN), the largest behavioral health service provider in Western Massachusetts, has announced that malware was downloaded onto its computer systems that prevented files from being accessed. The security breach was discovered on May 28, 2020 when staff were prevented from accessing files. An investigation was immediately launched to determine the extent of the attack and whether any data had been exfiltrated by the attacker. Around July 17, 2020, BHN determined that an unauthorized individual had gained access to its systems on May 26, two days before the malware was introduced. While it was not possible to determine whether any data had been stolen by the attacker prior to the deployment of the malware, the possibility of data theft could not be totally ruled out. No reports have been received to date indicating patient data has been misused. An analysis of the affected systems revealed the protected health information of 129,571 current and former patients was potentially compromised. The systems that were accessible to the attacker contained names,...

Read More
Data Breaches Reported by University of Maryland Faculty Physicians and Highpoint Foot & Ankle Center
Aug13

Data Breaches Reported by University of Maryland Faculty Physicians and Highpoint Foot & Ankle Center

University of Maryland Faculty Physicians Inc. (FPI) has suffered a phishing attack in which the protected health information of patients of University of Maryland Medical Center (UMMC) may have been accessed by unauthorized individuals. FPI is the faculty practice plan for University of Maryland School of Medicine affiliated physician practice groups and provides support to physicians and staff who provide services at UMMC locations. Following the discovery of the unauthorized accessing of an FPI email account, the account was secured and a comprehensive investigation was conducted to determine the nature and scope of the breach. On May 26, 2020, FPI determined the email account was accessed by an unauthorized individual between February 6, 2020 and February 11, 2020. The email account contained the protected health information of 33,896 individuals. The types of information in the account varied from patient to patient and may have included the following data types in addition to patient names: Date of birth, medical record number, and clinical information related to the care...

Read More
Ashley County Medical Center Nurse Terminated for Improper Medical Record Access
Aug12

Ashley County Medical Center Nurse Terminated for Improper Medical Record Access

A former employee of Ashley County Medical Center has been discovered to have accessed the medical records of 722 patients without authorization. Ashley County Medical Center launched an investigation into the HIPAA violation and determined the nurse had viewed limited patient data for reasons unrelated to the provision of care or treatment. Ashley County Medical Center does not believe any patient information was shared with a third party or accessed with a view to misusing the data. Patient information is believed to have been accessed out of curiosity. Ashley County Medical Center has a sanctions policy in place covering unauthorized medical record access, and in line with that policy the nurse was terminated for the HIPAA violation. “Patient privacy is an extremely serious matter and any failure to protect patient information will subject employees to disciplinary actions,” said Phillip Gilmore, Chief Executive Officer, ACMC. “We are continuing to take steps to report the actions of this employee, notify any additional patients whose information was viewed, continuing to...

Read More
Almost 20,000 Patients Affected by Owens Ear Center Ransomware Attack
Aug12

Almost 20,000 Patients Affected by Owens Ear Center Ransomware Attack

Owens Ear Center in Fort Worth, TX, suffered a ransomware attack on May 28, 2020 in which patient information was encrypted. The computer systems that were encrypted contained patients’ medical records, which included information such as names, addresses, dates of birth, health insurance information, health information, and Social Security numbers. Many ransomware attacks on healthcare organizations see healthcare data stolen before it is encrypted. These double extortion attacks require a ransom to be paid in order to decrypt files and prevent the sale or publication of the stolen data. Owens Ear Center investigated the attack and found no evidence to indicate patient information was accessed or copied prior to file encryption and believes this was solely an attempt to extort money from the practice and that the attackers were not interested in patient data. However, since unauthorized data access could not be ruled out, all affected patients have been notified and, out of an abundance of caution, have been offered complimentary identity theft protection services. Steps have since...

Read More
Four Healthcare Providers and a Ventilator Manufacturer Attacked with Ransomware
Aug11

Four Healthcare Providers and a Ventilator Manufacturer Attacked with Ransomware

Long Island City, NY-based Boyce Technologies Inc, which makes transport communication systems and recently switched its production facilities to produce ventilators for hospitals during the pandemic, has been attacked with DoppelPaymer ransomware. Data was stolen prior to file encryption and a sample of the stolen data has been published on the threat actor’s blog. The stolen data includes purchase orders, assignment forms, and other sensitive data. Boyce Technologies Inc. was approved by the FDA to manufacture ventilators and was producing around 300 machines a day. Those ventilators have been used in hospitals in New York and the company is now making ventilators for other areas. The ransomware attack has threatened the production of those ventilators and has potentially put lives at risk. Piedmont Orthpedics/OrthoAtlanta, a network of orthopedic and sports medicine centers in the greater Atlanta area, has been attacked by threat actors using Pysa (Mespinosa) ransomware. As with the attack on Boyce Technologies, prior to the encryption of files the threat actors exfiltrated...

Read More
Children’s Hospital Colorado Suffers Phishing Attack
Aug10

Children’s Hospital Colorado Suffers Phishing Attack

Children’s Hospital Colorado is notifying 2,553 patients that some of their protected health information was stored in an email account that was accessed by an unauthorized individual between April 6-12, 2020. Credentials to access the account were obtained when an employee responded to a phishing email. The phishing attack was identified by the hospital on June 22, 2020 and the account was immediately secured. A review of the emails and email attachments in the account revealed they contained patient names, zip codes, dates of service, medical record numbers, and clinical diagnosis information. Steps have since been taken to harden email security defenses, platforms are being evaluated for educating staff on cybersecurity, and technical controls related to email are also being reviewed. Stolen Hoag Clinic Laptop Contained Unencrypted PHI On June 5, 2020, a laptop computer issued to an employee of the Hoag Clinic in Costa Mesa, CA was stolen from a vehicle parked in the worksite parking lot in Newport Beach. The theft was discovered the same day and law enforcement was...

Read More
PHI Exposed in Phishing Attacks on FHN and Elkins Rehabilitation & Care Center
Aug07

PHI Exposed in Phishing Attacks on FHN and Elkins Rehabilitation & Care Center

The Freeport, IL-based healthcare system FHN is notifying certain patients that some of their protected health information has potentially been obtained by an unauthorized individual who gained access to the email accounts of several employees between February 12 and February 13, 2020. FHN announced on April 20, 2020 that the investigation had confirmed that a breach occurred, but it took time to determine the information that may have been viewed or obtained. It was not possible to determine whether patient information contained in the accounts was viewed or obtained, but data access could not be ruled out. Affected individuals were notified on July 31, 2020. The compromised accounts contained names, dates of birth, health insurance information, medical record numbers, patient account numbers, and limited treatment and/or clinical information, such as provider names, diagnoses, and medication information. A limited number of Social Security numbers and driver’s license numbers were also potentially compromised. The PHI of 4,120 patients was exposed. Complimentary credit monitoring...

Read More
69,777 Patients Impacted by Allergy and Asthma Clinic of Fort Worth Hacking Incident
Aug06

69,777 Patients Impacted by Allergy and Asthma Clinic of Fort Worth Hacking Incident

Allergy and Asthma Clinic of Fort Worth has discovered an unauthorized individual gained access to its computer systems and potentially obtained patients’ billing information. The breach was detected on June 4, 2020 and steps were immediately taken to prevent further unauthorized access. The breach investigation revealed the hacker gained access to the network on May 20, 2020. A review of the compromised computer systems revealed the hacker potentially accessed files containing patients’ names, addresses, telephone numbers, dates of birth, Social Security numbers, insurance information, and information regarding the reason for visits. Cybersecurity professionals were retained to conduct a review Allergy and Asthma Clinic of Fort Worth’s security measures and additional protections will be implemented, as appropriate, to strengthen network security to prevent further data breaches. The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 69,777 individuals were affected by the breach. Chinese Hackers Targeted Biotech Firm Working...

Read More
PHI of Customers Stolen in Looting Incidents at Cub Pharmacies
Aug05

PHI of Customers Stolen in Looting Incidents at Cub Pharmacies

Another pharmacy chain has announced that the protected health information of some of its customers has been stolen by looters in late May during the period of civil unrest. Between May 27-30, 2020, 8 Cub pharmacies in the Minneapolis area were broken into and items were stolen, including paperwork containing the protected health information of its customers. Items taken from the pharmacies included locked safes that contained credit card authorization forms and prescriptions that had been processed and were awaiting collection. Binders containing printed records of past prescriptions and orders that were in the process of being prepared were taken from 6 of the pharmacies in Minneapolis and St. Paul. The information on the credit card forms included the cardholder name, credit card number, expiry date, and the amount of the transaction, but did not include the CVV code which is required to make purchases over the telephone. These forms only related to individuals who had arranged to have prescriptions delivered or mailed, not for customers who paid by credit card in person in a...

Read More
6,000 Patients Notified About Email Security Breach at Beaumont Health
Jul31

6,000 Patients Notified About Email Security Breach at Beaumont Health

Beaumont Health, the largest healthcare provider in Michigan, has started notifying approximately 6,000 patients that some of their protected health information has potentially been accessed by unauthorized individuals. On June 5, 2020, Beaumont Health learned that email accounts accessed by unauthorized individuals between January 3, 2020 and January 29, 2020 contained the protected health information including names, dates of birth, diagnoses, diagnosis codes, procedure and treatment information, type of treatment provided, prescription information, patient account numbers, and medical record numbers. While the email accounts were accessed by unauthorized individuals, no evidence was found to suggest emails or email attachments in the accounts were viewed or copied by the attackers and no reports have been received that suggest patient data has been misused. This is the second phishing-related breach to be announced by Beaumont Health this year. In April, Beaumont Health started notifying 112,211 individuals that some of their PHI was contained in email accounts that were...

Read More
PHI Compromised in CVS Pharmacy and Walgreens Break-ins
Jul29

PHI Compromised in CVS Pharmacy and Walgreens Break-ins

CVS Pharmacy is alerting certain patients that some of their personal and protected health information has been lost following several incidents at its pharmacies between May 27, 2020 and June 8, 2020. During that time frame, several of its pharmacies were affected by looting and vandalism incidents. Unauthorized individuals gained access to several of its stores and stole filled prescriptions from pharmacy waiting bins. Vaccine consent forms and paper prescriptions were also lost and potentially stolen in the incidents. The types of information compromised include names, addresses, dates of birth, medication names, prescriber information, and primary care provider information. No reports have been received to date to indicate there has been any misuse of customer information. CVS Pharmacy has reported the incidents to the HHS’ Office for Civil Rights collectively as affecting 21,289 individuals. Walgreens Reports Series of Break-ins and Theft of PHI Walgreens Pharmacy has reported similar incidents at its pharmacies over the same period. According to the breach notification sent...

Read More
OCR Imposes $1 Million HIPAA Penalty on Lifespan for Lack of Encryption and Other HIPAA Failures
Jul28

OCR Imposes $1 Million HIPAA Penalty on Lifespan for Lack of Encryption and Other HIPAA Failures

The HHS’ Office for Civil Rights has imposed a $1,040,000 HIPAA penalty on Lifespan Health System Affiliated Covered Entity (Lifespan ACE) following the discovery of systemic noncompliance with the HIPAA Rules. Lifespan is a not-for-profit health system based in Rhode Island that has many healthcare provider affiliates in the state. On April 21, 2017, a breach report was filed with OCR by Lifespan Corporation, the parent company and business associate of Lifespan ACE, about the theft of an unencrypted laptop computer on February 25, 2017. The laptop had been left in the vehicle of an employee in a public parking lot and was broken into. A laptop was stolen that contained information such as patient names, medical record numbers, medication information, and demographic data of 20,431 patients of its healthcare provider affiliates. OCR investigated the breach and discovered systemic noncompliance with the HIPAA Rules. Lifespan ACE uses a variety of mobile devices and had conducted a risk analysis to identify potential risks to the confidentiality, integrity, and availability of ePHI....

Read More
University of Utah Reports Phishing Attack Involving the PHI of up to 10,000 Patients
Jul28

University of Utah Reports Phishing Attack Involving the PHI of up to 10,000 Patients

The University of Utah has experienced a phishing attack that potentially involved the protected health information of up to 10,000 patients. This is the 4th data breach to be reported to the Department of Health and Human Services by the University of Utah in 2020. All four incidents are listed as hacking/IT incidents involving email. The previous breach reports were submitted on June 8, 2020 (1,909 individuals), April 3, 2020 (5,000 individuals), and March 21, 2020 (3,670 individuals). Unauthorized individuals gained access to employee email accounts between January 22, 2020 and May 22, 2020, according to the substitute breach notice on the University of Utah Health website. It is unclear at this stage if the latest breach report also involved access to employee email accounts in the same time frame. Kathy Wilets, Director of Public Relations at University of Utah Health provided a statement to databreaches.net in which she explained that the phishing incidents were being treated as separate incidents but may have been part of a coordinated campaign. She said the latest incident...

Read More
June 2020 Healthcare Data Breach Report
Jul24

June 2020 Healthcare Data Breach Report

The sharp drop in healthcare data breaches seen in May proved to be short lived, with June seeing a major increase in data breaches. In June, 52 breaches were reported by HIPAA covered entities and business associates. That represents an 85.71% month-over-month increase in reported breaches. The number of individuals impacted by healthcare data breaches changed little despite the large increase in breaches, with a month-over-month fall of 1.65% to 1,047,015 records, which is well above the 2020 monthly average of 896,374 breached records. Largest Healthcare Data Breaches in June 2020 The largest healthcare data breach reported by a single entity in June affected the Texas billing and collections agency, Benefit Recovery Specialists, Inc. (BRS) Malware was detected on its systems that potentially gave unauthorized individuals access to the protected health information of more than a quarter of a million people. There was, however, a much larger data breach reported in June that affected more than 365,000 individuals but was reported individually by each entity affected by the...

Read More
Small North Carolina Healthcare Provider Fined $25,000 for HIPAA Security Rule Noncompliance
Jul24

Small North Carolina Healthcare Provider Fined $25,000 for HIPAA Security Rule Noncompliance

The HHS’ Office for Civil Rights (OCR) has announced a $25,000 settlement has been reached with Metropolitan Community Health Services to resolve violations of the HIPAA Security Rule. Washington, NC-based Metropolitan Community Health Services is a Federally Qualified Health Center that provides integrated medical, dental, behavioral health & pharmacy services for adults and children. Operating as Agape Health Services, Metro provides discounted medical services to the underserved population in rural North Carolina. Metropolitan Community Health Services has around 43 employees and serves 3,100 patients each year. On June 9, 2011, Metropolitan Community Health Services filed a report with OCR over a breach of the protected health information of 1,263 patients. OCR conducted a compliance review to establish whether the breach was the direct result of noncompliance with the HIPAA Rules. The OCR investigation uncovered longstanding, systemic noncompliance with the HIPAA Security Rule. Prior to the breach, Metropolitan Community Health Service had failed to implement HIPAA...

Read More
Ransomware Data Breach Lawsuit Against Sarrell Regional Dental Center Tossed by Federal Judge
Jul23

Ransomware Data Breach Lawsuit Against Sarrell Regional Dental Center Tossed by Federal Judge

A lawsuit filed against Sarrell Regional Dental Center for Public Health Inc. over a July 2019 ransomware attack has been dismissed by a Federal judge due to a lack of standing. Sarrell was able to recover from the attack and restore its computer systems and data without paying the ransom, although the dental center was forced to close for two weeks while its systems were restored. No evidence was found to indicate patient data was accessed or downloaded from its systems, although it was not possible to rule out a data breach with 100% certainty so notification letters were sent to the 391,000 patients whose personal and protected health information (PHI) was potentially compromised. A lawsuit was filed against Sarrell in 2019 on behalf of patients affected by the attack. The lawsuit sought class action status and damages for patients whose PHI was potentially compromised in the attack. The lawsuit alleged patients faced a higher risk of identity theft as a result of the attack and had to cover the cost of credit monitoring services. Judge R. Austin Huffaker Jr. stated in his...

Read More
47,754 Individuals Impacted by Lorien Health Services Ransomware Attack
Jul21

47,754 Individuals Impacted by Lorien Health Services Ransomware Attack

Ellicott City, MD-based Lorien Health Services, which runs 9 assisted living facilities in Maryland, has announced it was the victim of a ransomware attack on June 6, 2020. Third party cybersecurity experts were retained to assist with the investigation and determine whether patient information had been accessed by the attackers. On June 10, 2020, it was confirmed that the attackers had accessed files containing residents’ names, addresses, dates of birth, diagnoses, treatment information, and Social Security numbers and some employee information. Some of that data was stolen in the attack. The attack was conducted by the operators of Netwalker ransomware. When Lorien Health Services refused to pay the ransom, a sample of the stolen data was published online. Lorien Health reported the breach to the FBI and the ransomware attack is being investigated. The breach report submitted to the Department of Health and Human Services indicates the compromised systems contained the protected health information of 47,754 individuals. Those individuals have been offered complimentary credit...

Read More
Quantum Imaging and Therapeutic Associates Investigating Possible Facebook HIPAA Breach
Jul20

Quantum Imaging and Therapeutic Associates Investigating Possible Facebook HIPAA Breach

The Pennsylvania physician-owned radiology practice, Quantum Imaging and Therapeutic Associates, has announced reports have been received about a non-physician employee who allegedly shared an x-ray of a male patient’s genitalia with members of a Facebook group. The sharing of medical images on social media networks, without patient consent, is a violation of patient privacy and HIPAA. Quantum issued a statement on Facebook confirming reports had been received about a privacy breach and said “Quantum is committed to respecting the privacy of its patients and is deeply disheartened by these reports,” no further information has been released about the breach pending the results of the investigation. The matter has been reported to Fairview Township police and an investigation has been launched, but no arrests have been made at this stage. Several individuals have commented on the Facebook post claiming the image could be viewed by ‘thousands’ of people. US HealthCenter Discovered Email Account Breach The health risk management corporation, US HealthCenter has discovered an email...

Read More
36,000 Members Affected by Central California Alliance for Health Email Breach
Jul16

36,000 Members Affected by Central California Alliance for Health Email Breach

The Central California Alliance for Health has discovered an unauthorized individual gained access to the email accounts of several employees and potentially viewed or copied information in emails and email attachments. The breach was detected on May 7, 2020 and prompt action was taken to secure the affected accounts. In each case, the accounts were accessed for a period of about one hour. A review of the compromised accounts revealed they contained a limited amount of protected health information of Central California Alliance for Health members such as Alliance Care management program records, dates of birth, claims information, demographic information, Medi-Cal ID numbers, referral information, and medical information. No financial information or Social Security numbers were compromised. Following the breach, a full password reset was performed for all email accounts, including those that were not compromised. Further training on email security has also been provided to employees. The breach has been reported to the Department of Health and Human Services’ Office for Civil...

Read More
Benefit Recovery Specialists Hacked and PHI of 274,837 Individuals Exposed
Jul13

Benefit Recovery Specialists Hacked and PHI of 274,837 Individuals Exposed

The Houston, TX-based billing and collection company, Benefit Recovery Specialists, Inc., (BRSI) has announced it has discovered malware on its systems that may have allowed unauthorized individuals to view or obtain protected health information. The personal and protected health information (PHI) on BRSI systems had been provided to the company in its capacity as a business associate and included the PHI of current and former members and patients of its health plan and healthcare provider customers. The malware was discovered on April 30, 2020 and an internal investigation was immediately launched. Third-party computer forensics specialists were engaged to help investigate the breach and determine the extent and scope of the attack. The investigation revealed an unauthorized individual had gained access to BRSI systems using stolen employee credentials. Once a foothold had been established in the network, the attacker downloaded malware. The forensic investigators concluded that the attacker first gained access to BRSI systems on April 20, 2020 and had access to the systems until...

Read More
Health Plan Member Portals Accessed Using Stolen Credentials
Jul08

Health Plan Member Portals Accessed Using Stolen Credentials

The Philadelphia-based health plan, Independence Blue Cross, and AmeriHealth HMO, Inc. and AmeriHealth Insurance Company of New Jersey have discovered unauthorized individuals gained access to pages in their member portals between March 17, 2020 and April 30, 2020 and potentially viewed the personal and protected health information of some of their members. The types of information exposed included names, member identification numbers, plan type, spending account balances, user reward summaries, and claims information. An investigation into the breach revealed valid credentials had been used to access the portal. In all cases, the passwords used to access to the member portals had been obtained as a result of breaches of third-party websites and applications, such as the breach of MyFitnessPal in 2018. The passwords for those third-party websites had been reused on member portals. The health plans were informed of the breach on May 8, 2020 and immediately took steps to secure the accounts and prevent further unauthorized access. All affected members have now been notified and have...

Read More
Up to 58,000 Individuals Impacted by Healthcare Fiscal Management Ransomware Attack
Jul03

Up to 58,000 Individuals Impacted by Healthcare Fiscal Management Ransomware Attack

Healthcare Fiscal Management Inc. (HFMI), a Wilmington, NC-based provider of self-pay conversion and insurance eligibility services to hospitals, clinics and physician groups, has experienced a ransomware attack in which the personal and protected health information of patients of St. Mary’s Health Care System in Athens, GA may have been accessed or obtained by the attackers. An unauthorized individual gained access to HFMI systems on April 12, 2020 and deployed a ransomware payload the following day which encrypted data on its systems. The systems accessed by the attacker were found to contain the personal and protected health information of patients who received healthcare services at St. Mary’s between November 2019 and April 2020. In total, the data of approximately 58,000 patients may have been accessed and obtained by the attackers, although data access/theft could not be confirmed. The PHI stored on the compromised systems was limited to names, dates of birth, Social Security numbers, account numbers, medical record numbers, and dates of service. HFMI had prepared for such...

Read More
30,000 Patients’ PHI Exposed in NC and TX Phishing Attacks
Jul03

30,000 Patients’ PHI Exposed in NC and TX Phishing Attacks

Claremont, NC-based Choice Health Management Services, a provider of rehabilitation services and operator of several nursing homes in North and South Carolina, has experienced an email security breach affecting employees, and current and former patients. The security breach was detected in late 2019 when suspicious activity was detected in the email accounts of some of its employees. An internal investigation was launched which determined on January 17, 2020 that the email accounts of 17 employees had been subjected to unauthorized access. Since it was not possible to determine which emails and/or email attachments had been opened by the attackers, a third-party firm was engaged to assist with the investigation. While the review concluded on March 27, 2020 that the compromised accounts contained sensitive information, it was unclear which facilities affected individuals had visited for treatment. It took until May 12, 2020 to tie those individuals to a particular facility. The compromised accounts contained a wide range of sensitive information including names, dates of birth,...

Read More
$185,000 Settlement Proposed to Resolve Grays Harbor Community Hospital Ransomware Lawsuit
Jul02

$185,000 Settlement Proposed to Resolve Grays Harbor Community Hospital Ransomware Lawsuit

A proposed settlement has been agreed between Grays Harbor Community Hospital and Harbor Medical Group and the representative plaintiff in a proposed class action lawsuit over a June 2019 ransomware attack that resulted in the encryption of patient data. The settlement was negotiated by the plaintiff and Grays Harbor to avoid the uncertainty of a trial and the costs of further litigation. The settlement was not decided in favor of either party by the Court. The ransomware attack that prompted the lawsuit was detected in June 2019. The Washington healthcare provider powered down its systems to contain the virus that had prevented servers from being accessed, but not in time to prevent its computer systems from being encrypted. Grays Harbor had backed up its data for such an eventuality, but the backup files were also encrypted in the attack. The attack took its electronic health record system offline for around two months. A ransom demand of $1 million was demanded by the attackers for the keys to decrypt the data. Gray’s Harbor had an insurance policy that provided cover of up to...

Read More
Extent of Magellan Health Ransomware Becomes Clear: More Than 364,000 Individuals Affected
Jul01

Extent of Magellan Health Ransomware Becomes Clear: More Than 364,000 Individuals Affected

HIPAA Journal previously reported on an April 2020 ransomware attack on Magellan Health. Further information on the attack has now been released that shows the scale of the attack. The incident has now been listed on the HHS’ Office for Civil Rights breach portal as affecting 6 Magellan entities, each of which has reported the incident separately. Several other entities have also submitted breach reports confirming their patients and subscribers have also been affected. It is too early to tell exactly how many individuals have been affected by the ransomware attack, but the total as of July 1, 2020 exceeds 364,000, making the attack the third largest healthcare data breach to be reported in 2020. There may still be some entities that have yet to report the breach. Entities known to have been impacted by the breach are listed in the table below. Affected Entity Entity Type Individuals Affected Magellan Healthcare, Maryland Business Associate 50,410 Magellan Complete Care of Florida Health Plan 76,236 Magellan Rx Pharmacy Healthcare Provider 33,040 Magellan Complete Care of Virginia...

Read More
UnityPoint Health Proposes $2.8 Million+ Settlement to Resolve Class Action Data Breach Lawsuit
Jun30

UnityPoint Health Proposes $2.8 Million+ Settlement to Resolve Class Action Data Breach Lawsuit

Des Moines, Iowa-based UnityPoint Health has agreed to settle a proposed class action lawsuit filed by victims of two phishing attacks in 2017 and 2018 that saw the protected health information of 1.4 million patients exposed. The first phishing attack occurred in November 2017 and was discovered on February 15, 2018. The attackers had access to the email accounts of certain employees of its Madison campus for more than 3 months and potentially obtained the protected health information of approximately 16,429 patients. Patients were notified about the breach in April 2018. The second phishing attach was much more extensive. The campaign saw a UnityPoint executive impersonated in March 2018, and several employees responded to the message and disclosed their login credentials. The breach was detected in May 2018 and the investigation revealed the compromised email accounts contained the protected health information of 1.4 million patients, making it the second largest healthcare data breach to be reported in 2018.  The attackers had access to the email accounts for almost a month...

Read More
Breaches Reported by St. Luke’s Health-Memorial Lufkin, RiverPointe Post Acute, and Iowa Total Care
Jun25

Breaches Reported by St. Luke’s Health-Memorial Lufkin, RiverPointe Post Acute, and Iowa Total Care

CHI St. Luke’s Health-Memorial Lufkin in Texas has started notifying patients that some of their protected health information may have been accessed by an unauthorized individual. St Luke’s threat management team investigated a security breach involving a network server on March 25, 2020. Third-party vendors conducted a forensic investigation and determined on April 23, 2020 that the email accounts of two employees may have been accessed by an unapproved outside party. The investigation did not uncover evidence confirming unauthorized PHI access or data theft, but the possibility could not be ruled out. The email accounts contained names, diagnosis information, dates of services, and facility account numbers. Based on the investigation, St. Luke’s does not believe patient data has been used inappropriately but has offered certain patients complimentary credit monitoring services through Experian as a precaution. The security breach was thoroughly investigated, data access logs were checked, and a threat intelligence analysis was performed. All passwords were reset across the...

Read More
Georgia Hospital Accused of Falsification of COVID-19 Test Results Suspends Employees Over Suspected HIPAA Breach
Jun25

Georgia Hospital Accused of Falsification of COVID-19 Test Results Suspends Employees Over Suspected HIPAA Breach

Landmark Hospital of Athens in Georgia has suspended three employees who are suspected of accessing, copying or disclosing patient records. The potential HIPAA breach may be linked to a lawsuit that was filed against the 42-bed hospital on June 22, 2020 by four nurses who allege the hospital has been falsifying COVID-19 test results in what they describe as a “COVID-19 coverup”. The nurses allege that five of their patients had tested positive for COVID-19 after displaying symptoms and after the positive result, the hospital administrator reordered COVID-19 tests for those patients. The nurses allege that for the retests, samples were intentionally collected without following proper sampling protocols. They claim that this was done deliberately to reduce the chance of a positive test result. The nurses, who are named as Jane Doe and John Doe in the lawsuit, are seeking immediate court intervention “to stop the hospital concealing and mishandling a COVID-19 outbreak in the facility.” The nurses also want the hospital to temporarily stop receiving and discharging patients. The nurses...

Read More
Ransomware Attacks Reported by North Shore Pain Management & Florida Orthopaedic Institute
Jun24

Ransomware Attacks Reported by North Shore Pain Management & Florida Orthopaedic Institute

North Shore Pain Management (NSPM) in Massachusetts has started notifying 12,472 patients that some of their protected health information has been stolen by hackers. The breach was detected on April 21, 2020 and the investigation confirmed that the attackers first gained access to its systems on April 16, 2020. The substitute breach notice on the NSPM website does not provide details about the nature of the attack, but Emsisoft and databreaches.net both reported the incident as a ransomware attack involving AKO ransomware. The gang responsible for the attack dumped 4GB of data stolen in the attack on their Tor site when the ransom demand was not paid. The dumped files contain a range of sensitive data on employees and patients. The NSPM breach notice confirms the files stolen in the attack contained patient names, dates of birth, health insurance information, account balances, financial information, diagnosis and treatment information, and for certain patients, ultrasound and MRI images. Social Security numbers were also obtained for patients whose SSN is used as their health...

Read More
American Medical Technologies Email Breach Affects 47,767 Patients
Jun24

American Medical Technologies Email Breach Affects 47,767 Patients

American Medical Technologies, a Irvine, CA-based provider of wound care solutions and medical supplies, has discovered an unauthorized individual gained access to the email account of one of its employees and potentially accessed and copied the protected health information of some of its patients. The breach was identified on or around December 17, 2019 when suspicious activity was detected in the email account. The investigation confirmed the attacker potentially had access to protected health information such as names, medical record numbers, Social Security numbers, diagnosis information, health insurance policy numbers, subscriber numbers, medical histories, HIPAA account information, driver’s license/state identification numbers, and/or taxpayer ID numbers. No evidence was fund to suggest patient information was viewed or stolen in the attack, but unauthorized data access and data exfiltration could not be ruled out. A comprehensive analysis of the email accounts was conducted which was completed on May 14, 2020. The review revealed the account contained the PHI of 47,767...

Read More
May 2020 Healthcare Data Breach Report
Jun23

May 2020 Healthcare Data Breach Report

May 2020 saw a marked fall in the number of reported healthcare data breaches compared to April, with 28 data breaches of 500 or more records reported to the HHS’ Office for Civil Rights. That is the lowest number of monthly breaches since December 2018 and the first time in 17 months that healthcare data breaches have been reported at a rate of less than one per day. The monthly total would have been even lower had one breach been reported by the business associate responsible for an improper disposal incident, rather than the 7 healthcare providers impacted by the breach.   Several cybersecurity companies have reported an increase in COVID-19-related breaches, such as phishing attacks that use COVID-19-themed lures. While there is strong evidence to suggest that these types of attacks have increased since the start of the pandemic, the number of cyberattacks appears to have broadly remained the same or increased slightly. Microsoft has reported that its data shows a slight increase in attacks, but says it only represents a blip and the number of threats and cyberattacks has...

Read More
Hacker Arrested and Charged Over 2014 UPMC Cyberattack
Jun22

Hacker Arrested and Charged Over 2014 UPMC Cyberattack

The United States Attorney’s Office of the Western District of Pennsylvania has announced a suspect has been arrested and charged over the 2014 hacking of the human resources databases of University of Pennsylvania Medical Center (UPMC). UPMC owns 40 hospitals around 700 outpatient sites and doctors’ offices and employs over 90,000 individuals. In January 2014, UPMC discovered a hacker had gained access to a human resources server Oracle PeopleSoft database that contained the personally identifiable information (PII) of 65,000 UPMC employees. Data was stolen in the attack and was allegedly offered for sale on the darknet. The stolen data included names, addresses, dates of birth, salary and tax information, and Social Security numbers. The suspect has been named as Justin Sean Johnson, a 29-year old man from Michigan who previously worked as an IT specialist at the Federal Emergency Management Agency. Johnson, who operated under the monikers TDS and DS, was indicted on 43 counts on May 20, 2020: One count of conspiracy, 37 counts of wire fraud, and 5 counts aggravated identity...

Read More
Breaches Reported by Hanger Clinic, Gateway Health, and Sunrise Treatment Center
Jun19

Breaches Reported by Hanger Clinic, Gateway Health, and Sunrise Treatment Center

Sunrise Treatment Center in Cincinnati, OH is alerting 3,660 patients that some of their protected health information may have been accessed by an unauthorized individual who gained access to the email account of an employee. The breach occurred on February 26, 2020 and was detected the following day. A forensic investigation of the breach was completed on April 15, 2020 and confirmed that the email account contained patient information such as first and last names, birth dates, descriptions of the treatment provided, medications, health plan numbers, account balances, treatment dates, and some Social Security numbers. While patient information may have been accessed, the purpose of the attack was to try to convince Sunrise employees to wire money to a foreign bank account. A fraudulent wire transfer was detected and blocked before any money left Sunrise accounts. Sunrise found no evidence to suggest patient information was accessed or obtained in the attack but, as a precaution, Sunrise has offered affected patients complimentary membership to credit monitoring services for 12...

Read More
Ransomware Attacks Reported by Rangely District Hospital and Electronic Waveform Lab
Jun16

Ransomware Attacks Reported by Rangely District Hospital and Electronic Waveform Lab

Rangely District Hospital in Colorado has started notifying patients that some of their protected health information was stored on parts of its network that were affected by an April 2020 ransomware attack. The ransomware attack was discovered on April 9, 2020 and steps were taken to contain the attack, but it was not possible to prevent the encryption of certain files, some of which contained patient information. Rangely District Hospital said the initial attack on its systems occurred on April 2, 2020, but ransomware was not deployed until April 9, 2020. The hospital reports that the encryption process was automated, and no evidence was found to suggest data was accessed or exfiltrated. The investigation indicates a foreign threat actor conducted the attack, but it was not possible to determine who was responsible. While patient data is not believed to be obtained, it was not possible to rule out unauthorized access. Files encrypted by the ransomware that could potentially have been viewed included the following types of personal and protected health information: Names, dates of...

Read More
Cano Health Discovers 2-Year Email Account Breach
Jun16

Cano Health Discovers 2-Year Email Account Breach

The Florida-based population health management company and healthcare provider Cano Health has discovered the email accounts of three employees have been accessed by an unauthorized individual who set up a mail forwarder on the email accounts that sent emails to external addresses. The breach was detected on April 13, 2020, but the investigation revealed the accounts were compromised two years previously, on or around May 18, 2018. All emails sent to and from the accounts between May 18, 2018 and April 13, 2020 are believed to have been obtained and have potentially been accessed. A review of the emails confirmed they contained personal and protected health information such as names, contact information, dates of birth, healthcare information, insurance information, social security numbers, government identification numbers and/or financial account numbers. Cano Health is in the process of notifying affected individuals and has advised them to regularly review their accounts and benefits statements for signs of fraudulent activity. Cano Health will be providing affected patients...

Read More
Everett & Hurite Ophthalmic Association Email Breach Impacts 34,000 Patients
Jun10

Everett & Hurite Ophthalmic Association Email Breach Impacts 34,000 Patients

The Everett & Hurite Ophthalmic Association (EHOA), a team of ophthalmology specialists serving Pittsburgh, PA & Warrendale, PA, has discovered an unauthorized individual gained access to the email account of one of its employees and potentially viewed patient information. EHOA became aware of a breach on March 23, 2020 when suspicious activity was detected in the employee’s email account. After securing the account, third party forensic specialists were engaged to investigate the incident. The investigation confirmed that the breach was limited to a single email account, which was breached between February 25, 2020 and March 25, 2020. A comprehensive review of emails and attachments in the account revealed they contained the protected health information of 34,113 patients. The majority of patients had their names included in an internal report that was used for reporting to the HHS’ Centers for Medicare and Medicaid Services (CMS). For certain individuals, their Social Security number, financial data, health insurance details, date of birth, and health and treatment...

Read More
University of Utah Health Suffers Further Phishing Attack
Jun09

University of Utah Health Suffers Further Phishing Attack

University of Utah Health has suffered another phishing attack, with the latest incident resulting in the exposure of the protected health information (PHI) of 2,700 patients. This is the third phishing incident to be reported to the HHS’ Office for Civil Rights by the University of Utah this year. The previous incidents were reported on March 21 and April 3 and affected 3,670 and 5,000 patients respectively. In the latest attack, an unauthorized individual gained access to employee email accounts between April 6 and May 22, 2020 as a result of responses to phishing emails. The email accounts were promptly secured, and an investigation was launched to determine whether the attackers gained access to patients’ PHI. It was not possible to tell whether PHI was accessed or exfiltrated, but the accounts did contain a limited amount of PHI which was potentially accessed. An analysis of emails and attachments in the compromised accounts revealed they contained names, medical record numbers, dates of birth, and some clinical information related to the medical services received at...

Read More
$107,000 Stolen from Kentucky Employees’ Health Plan Members in Two Recent Cyberattacks
Jun08

$107,000 Stolen from Kentucky Employees’ Health Plan Members in Two Recent Cyberattacks

The Commonwealth of Kentucky Personnel Cabinet has announced that two data breaches occurred between late April and Early May. The attacks resulted in the exposure of the protected health information of around 1,000 members of the Kentucky Employees’ Health Plan. The first attack occurred between April 21 and April 27 and a second occurred in mid-May. In both cases, the attackers used stolen credentials to gain access to accounts. In the first attack, legitimate credentials were used to gain access to StayWell systems. StayWell is a third-party vendor that manages a well-being and incentive portal for health plan members. Through the portal, plan members are empowered to take care of their health and lead healthier lifestyles. Plan members who meet their health goals by completing certain actions and challenges are rewarded with points that can be exchanged for gift cards. The first cyberattack was detected and investigated by StayWell, the Commonwealth Office of Technology, and the Kentucky Personnel Cabinet. It was determined that while the attackers gained access to the portal,...

Read More
St Joseph Health System Discovers Medical Record Storage Facility Improperly Disposed of Patient Records
Jun05

St Joseph Health System Discovers Medical Record Storage Facility Improperly Disposed of Patient Records

St Joseph Health System in North Central Indiana is alerting patients that some of their protected health information has been exposed and may have been viewed by unauthorized individuals. The breach did not happen at St Joseph Health, but at one of its business associates. Central Files Inc, a secure record storage facility in South Bend, IN, was contracted to securely store patient records in compliance with federal and state regulations and to destroy certain records in accordance with HIPAA Rules. Central Files Inc. has now permanently closed but was required to continue to store patient records until an alternative secure records facility could be located. Between April 1 and April 9, 2020, several healthcare groups affiliated with St Joseph Health System were notified that confidential records containing information patient information had been dumped in a location in the South Bend area at some point prior to April 1, 2020. The records discovered at the site were in poor condition. According to the substitute breach notification on the St Joseph Health System website, the...

Read More
Aveanna Healthcare Facing Class Action Lawsuit Over 2019 Phishing Attack
Jun04

Aveanna Healthcare Facing Class Action Lawsuit Over 2019 Phishing Attack

The Atlanta, GA-based healthcare provider Aveanna Healthcare is facing a class action lawsuit over a data breach that occurred in the summer of 2019. Affecting 166,000 patients, it is one of the largest healthcare data breaches to be reported this year. Aveanna Healthcare provides healthcare services to adults and children in 23 states and is the largest provider of pediatric home care in the United States. In the summer of 2019, several email accounts were compromised in a phishing attack. Aveanna Healthcare discovered the attack on August 24, 2019 and immediately secured its email accounts. The investigation revealed the first email account was breached on July 9, 2019, giving the attackers access to protected health information for more than 6 weeks. Emails in the compromised accounts contained patient information such as names, health information, financial information, passport numbers, driver’s license numbers, Social Security numbers, and other sensitive data. It was not possible to determine whether emails and files were viewed by the attackers. No evidence was found to...

Read More
Kaiser Permanente Discovers 8-Year Employee HIPAA Breach
Jun03

Kaiser Permanente Discovers 8-Year Employee HIPAA Breach

The Oakland, CA-based healthcare provider, Kaiser Permanente, has discovered a former employee accessed the radiology records of thousands of patients without authorization over a period of 8 years. The privacy breach was discovered in late March and the employee was placed on administrative leave while an internal investigation was conducted. Kaiser Permanente was unable to find any legitimate work reason for the employee accessing the records and determined that the access fell outside of the scope of the employee’s job functions. The first instance of unauthorized access occurred in 2012 and the employee continued to access radiology records until her actions were discovered in March 2020. The employee worked as an imaging technician in the radiology department and has now been fired over the HIPAA violation. While unauthorized accessing of protected health information was confirmed, Kaiser Permanente found no evidence to suggest that patient information was copied or was used to commit fraud or any criminal activities. The breach was reported to the Department of Health and...

Read More
Mat-Su Surgical Associates Suffer Ransomware Attack
May28

Mat-Su Surgical Associates Suffer Ransomware Attack

Palmer, AK-based Mat-Su Surgical Associates has announced they were the victim of a ransomware attack in March, 2020. The attack was discovered on March 16 when staff were locked out of their computer systems. A team of independent computer forensics investigators were engaged to assess the nature and scope of the attack and determine whether any patient data had been accessed or stolen by the attackers. It was not possible to determine whether the attacker had exfiltrated data or viewed patient information prior to encryption, but the investigators could not rule out unauthorized data access. The attacker was determined to have gained access to parts of its computer system that contained the protected health information of 13,146 patients. The information potentially compromised in the attack included the names of current and former patients of Valley Surgical Associates and Mat-Su Surgical Associates, along with addresses, diagnoses, treatment information, lab test results, health insurance information, Social Security numbers, and other information related to the medical care...

Read More
Geisinger Wyoming Valley Medical Center and District Medical Group Disclose Data Breaches
May22

Geisinger Wyoming Valley Medical Center and District Medical Group Disclose Data Breaches

District Medical Group (DMG), an integrated medical group serving patients in Arizona, has started notifying 10,190 patients that some of their protected health information has potentially been compromised. On March 11, 2020, DMG discovered an unauthorized individual had gained access to the email accounts of some of its employees as a result of responses to phishing emails. A password reset was immediately performed to prevent further unauthorized access and a leading cybersecurity firm was engaged to investigate the breach. The investigation revealed a limited number of email accounts were compromised between February 4, 2020 and February 10, 2020. An analysis of emails and attachments in the breached accounts revealed they contained patient information such as names, medical record numbers, medical information, and health insurance information. A limited number of Social Security numbers were also potentially compromised. No evidence was uncovered that suggested the emails were opened or copied by the attackers. Affected patients have been advised to be vigilant and monitor...

Read More
April 2020 Healthcare Data Breach Report
May20

April 2020 Healthcare Data Breach Report

There were 37 healthcare data breaches of 500 or more records reported in April 2020, up one from the 36 breaches reported in March. As the graph below shows, the number of breaches reported each month has been fairly consistent and has remained well below the 12-month average of 41.9 data breaches per month. While the number of breaches increased slightly, there was a significant reduction in the number of breached healthcare records in April. 442,943 healthcare records were breached in April, down 46.56% from the 828,921 records breached in March. This is the second successive month where the number of exposed records has fallen. While this is certainly good news, it should be noted that in the past 12 months, 39.92 million healthcare records have been breached. Largest Healthcare Data Breaches in April 2020   Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of Breached Information Beaumont Health Healthcare Provider 112,211 Hacking/IT Incident Email Meridian Health Services Corp. Healthcare Provider 111,372 Hacking/IT Incident Email...

Read More
Mille Lacs Health System Phishing Attack Impacts 10,600 Patients
May19

Mille Lacs Health System Phishing Attack Impacts 10,600 Patients

Onamia, MN-based Mille Lacs Health System has experienced a phishing attack that exposed the protected health information of more than 10,000 patients. Phishing emails were sent to some of its employees containing links that directed them to a website that requested their email credentials. A small number of employees were fooled by the scam. Mille Lacs Health System learned about the phishing attack on November 14, 2020 and launched an investigation to determine the extent of the breach. On February 24, 2020, it was confirmed that the stolen email credentials were used by the attacker to access email accounts between August 26, 2019 and January 7, 2020. A review of the compromised email accounts was completed on April 22, 2020 and confirmed that patient information may have been accessed. Information potentially compromised includes first and last names, addresses, dates of birth, provider names, dates of service, clinical information, treatment information, procedure types, and for certain individuals, Social Security numbers.  No evidence was found to suggest patient information...

Read More
Management and Network Services Notifies 30,132 Patients About PHI Breach
May15

Management and Network Services Notifies 30,132 Patients About PHI Breach

Management and Network Services (MNS), LLC, a Dublin, OH-based provider of administrative support services to post-acute healthcare providers, has discovered the email accounts of some of its employees have been compromised. In a May 4, 2020 breach notification letter, MNS explained that it learned on or around August 21, 2019 that several employee email accounts had been subjected to unauthorized access between April and July of 2019. The analysis of the email accounts recently revealed five accounts contained the protected health information of patients of its clients. The information in emails and email attachments varied from individual to individual and may have included the following data elements: name, medical treatment information, diagnosis information/codes, medication information, dates of service, insurance provider, health insurance number, date of birth, and Social Security number. A limited number of individuals also had their driver’s license number, State ID card number, and/or financial account information exposed. MNS has taken steps to improve email security...

Read More
Data Stolen in Magellan Health Ransomware Attack
May13

Data Stolen in Magellan Health Ransomware Attack

The Fortune 500 company Magellan Health has announced it experienced a ransomware attack in April that resulted in the encryption of files and theft of some employee information. The ransomware attack was detected by Magellan Health on April 11, 2020 when files were encrypted on its systems. The investigation into the attack revealed the attacker had gained access to its systems following a response to a spear phishing email sent on April 6. The attacker had fooled the employee by impersonating a client of Magellan Health. Magellan Health engaged the cybersecurity firm Mandiant to assist with the investigation into the breach, which revealed the attacker had gained access to a corporate server that contained employee information and exfiltrated a subset of that data prior to the encryption of files. The attacker also downloaded malware that was used to steal login credentials. The data stolen by the hacker related to current employees and included names, addresses, employee ID numbers, and W-2 and 1099 information, which included taxpayer IDs and Social Security numbers. A limited...

Read More
Email Breach Impacts 35,529 Patients of Saint Francis Healthcare Partners
May08

Email Breach Impacts 35,529 Patients of Saint Francis Healthcare Partners

Saint Francis Healthcare Partners in Connecticut is notifying 38,529 patients that some of their protected health information has potentially been obtained by hackers as a result of a “sophisticated cybersecurity incident” that allowed an unauthorized individual to gain access to its email system. The attack occurred on December 30, 2019 but it took until March 20, 2020 for the forensic investigation to determine that patients’ protected health information was potentially compromised.  The types of information stored in the email system that could have been accessed included names, medical histories, medical record numbers, clinical and treatment information, dates of service, diagnoses, health insurance provider names, account numbers, prescription information and/or types of procedures performed. No financial information or Social Security numbers were compromised. The investigation uncovered no evidence to suggest patient information was accessed, stolen, or misused. Steps have now been taken to improve data security practices and all affected patients have been notified by...

Read More
Healthcare Workers in Michigan and Illinois Fired for HIPAA Violations
May07

Healthcare Workers in Michigan and Illinois Fired for HIPAA Violations

Ann & Robert H. Lurie Children’s Hospital of Chicago has terminated an employee for improperly accessing the medical records of patients without authorization over a period of 15 months. The privacy violations were identified by the hospital on March 5, 2020. The employee’s access to hospital systems was immediately terminated while the investigation was conducted. After reviewing access logs, the hospital found that the employee had accessed the medical records of 4,824 patients without authorization between November 2018 and February 2020. The types of information accessed by the employee included names, addresses, dates of birth, diagnoses, medications, appointments, and medical procedures. No health insurance information, financial information, or Social Security numbers were accessed. No reason as been given as to why the medical records were accessed, but the hospital says it does not believe the employee obtained, misused, or disclosed the information to anyone else. The hospital said the employee no longer works at the hospital. This is not the first incident of...

Read More
Patients Notified Medical Records Exposed at Tornado Hit Secure Medical Record Facility
May06

Patients Notified Medical Records Exposed at Tornado Hit Secure Medical Record Facility

Several healthcare providers have been affected by an unusual data breach at Waupaca, WI-based STAT Informatics Solutions, LLC. STAT provides secure medical records services to several healthcare providers which includes scanning paper files so they can be added to hospital medical record systems. On March 3, 2020, a STAT facility in Lebanon, TN was hit by a tornado, which caused extensive damage to the building and some of the records stored in the facility. STAT notified all affected clients the same day, and representatives of those healthcare providers visited the site to assist with locating and securing medical records in the facility. To limit the potential for unauthorized access, a tall fence was erected around the building while the medical records were located and secured. Two security guards were also posted on site 24/7 to prevent unauthorized individuals from accessing the building. The majority of the medical records were found in the remnants of the building, but the records were determined to be unsalvageable and have now been securely destroyed. While it is...

Read More
Phishing Attack at BJC HealthCare Impacts Patients at 19 Hospitals
May06

Phishing Attack at BJC HealthCare Impacts Patients at 19 Hospitals

BJC Healthcare has announced that the email accounts of three of its employees have been accessed by an unauthorized individual after the employees responded to phishing emails. Suspicious activity was detected in the email accounts on March 6, 2020 and the accounts were immediately secured. A leading computer forensics firm was engaged to conduct an investigation which revealed the three accounts had only been accessed for a limited period of time on March 6. It was not possible to tell if patient data was viewed or obtained by the attacker. A review of the accounts revealed they contained the data of patients at 19 BJC and affiliated hospitals. Protected health information in emails and attachments varied from patient to patient and may have included the following data elements: Patients’ names, medical record numbers, patient account numbers, dates of birth, and limited treatment and/or clinical information, which included provider names, visit dates, medications, diagnoses, and testing information. The health insurance information, Social Security numbers, and driver’s license...

Read More
Shareholder Sues LabCorp to Recover Losses Caused by Data Breaches
May01

Shareholder Sues LabCorp to Recover Losses Caused by Data Breaches

A LabCorp shareholder is taking legal action against LabCorp and its executives and directors over the loss in share value that was caused by two cyberattacks experienced by the company in the past 12 months. LabCorp was one of the companies worst affected by the data breach at the medical debt collection company, American Medical Collection Agency (AMCA) in 2019. The records of 10,251,784 patients who used LabCorp’s services were obtained by hackers who infiltrated AMCA’s systems. At least 24 of AMCA’s clients were affected by the breach. A second LabCorp data breach was reported by TechCrunch in January 2020 that involved around 10,000 LabCorp documents, which the lawsuit alleges was not publicly disclosed by the company nor mentioned in any SEC filings. The breach was the result of a website misconfiguration and allowed the documents to be accessed by anyone. The breach was also not reported to the HHS’ Office for Civil Rights, even though TechCrunch researchers confirmed that the documents contained patient data. Raymond Eugenio holds shares in LabCorp which lost value as a...

Read More
Ransomware Attackers Claim Three More Healthcare Victims
Apr29

Ransomware Attackers Claim Three More Healthcare Victims

Parkview Medical Center in Pueblo, Colorado is recovering from a ransomware attack that started on April 21, 2020. The attack resulted in several IT systems being taken out of action, including its Meditech electronic medical record system, which has been rendered inoperable. The attack is currently being investigated and assistance is being provided by a third-party computer forensics firm. Parkview Medical Center is currently working around the clock to bring its systems back online and recover the encrypted data. In the meantime, medical services continue to be offered to patients, who remain the number one priority. Staff have switched to pen and paper to record patient information until systems can be brought back online. Despite not having access to important systems, the medical center says the level and quality of care provided to patients has not changed. A spokesperson for the medical center said, “While our medical staff continue to work around the clock in response to the ongoing global pandemic, we are doing everything in our power to bring our systems back online as...

Read More
233,000 Patients Notified About PHI Breach at Genetic Testing Lab
Apr28

233,000 Patients Notified About PHI Breach at Genetic Testing Lab

Ambry Genetics, an Aliso Viejo, CA-based genetic testing laboratory, is notifying 232,772 individuals that some of their protected health information was exposed as a result of a recent email security breach. At almost 233,000 records, this is the second largest healthcare data breach to be reported in 2020. Ambry Genetics discovered an unauthorized individual gained access to an employee’s email account between January 22 and January 24, 2020 and potentially viewed and obtained the protected health information of its customers. The security team and third-party computer forensics experts were unable to determine if any information in the compromised accounts was accessed or stolen, but no reports have been received to suggest any personal information has been misused. The email accounts were reviewed and found to contain information such as names, medical information, and other information related to the services provided by Ambry Genetics. A small number of individuals also had their Social Security number exposed. Ambry Genetics has taken steps to enhance security and further...

Read More
March 2020 Healthcare Data Breach Report
Apr24

March 2020 Healthcare Data Breach Report

March 2020 saw a 7.69% month-over-month decrease in the number of reported healthcare data breaches and a 45.88% reduction in the number of breached records. In March, 36 healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights (OCR), which is more than 16% fewer than the average number of monthly breaches over the past 12 months. 828,921 healthcare records were breached in March, which is 194% higher than the monthly average number of breached records. Largest Healthcare Data Breaches in March 2020 The largest healthcare data breach of the month was reported by the genetic testing company, Ambry Genetics Corporation. An unauthorized individual gained access to an employee’s email account that contained the data of 232,772 patients. A major phishing attack was reported by the medical device manufacturer Tandem Diabetes Care. Several employees’ email accounts were compromised and the protected health information of 140,781 patients was exposed. The third largest data breach of the month was reported by Brandywine Urology Consultants, which...

Read More
PHI of 41,000 Patients Exposed in Aurora Medical Center and UPMC Altoona Phishing Attacks
Apr21

PHI of 41,000 Patients Exposed in Aurora Medical Center and UPMC Altoona Phishing Attacks

Aurora Medical Center-Bay Area in Marinette, WI is notifying 27,137 patients that some of their protected health information has been exposed as a result of a January 1, 2020 phishing attack. Several employees responded to the messages and disclosed their email account credentials, which gave the attackers access to their email accounts. The breach was discovered by the medical center on January 9, 2020. A password reset was immediately performed to prevent any further account access and the security breach was reported to law enforcement. An internal investigation was launched to determine what information was accessed by the attackers, which revealed emails and attachments in the accounts contained the protected health information of patients. Aurora Medical Center has not received any reports indicating there has been any misuse of patient information, but it was not possible to rule out data theft. A review of the emails in the accounts revealed they contained a range of PHI. The information varied from patient to patient and may have included names, first and last names,...

Read More
Beaumont Health Notifies 112,000 Patients About May 2019 Data Breach
Apr20

Beaumont Health Notifies 112,000 Patients About May 2019 Data Breach

Michigan’s largest healthcare system, Beaumont Health, has announced that unauthorized individuals have gained access to the email accounts of some of its employees and potentially viewed or obtained patient information stored in emails and email attachments. On March 29, 2020, Beaumont Health learned that the email account breach, which occurred almost 10 months ago, resulted in the exposure and potential theft of patient information. The investigation of the breach revealed the email accounts were accessed by unauthorized individuals between May 23, 2019 and June 3, 2019. A forensic investigation was performed to determine the extent and scope of the breach, along with a manual review of all emails in the compromised accounts. That review has taken some time to complete, hence the delay in issuing breach notification letters. The breached email accounts were discovered to contain the protected health information of around 5% of its 2.3 million patients, which is around 112,000 individuals. The types of information exposed and potentially stolen varied from patient to patient and...

Read More
Washington University School of Medicine Breach Impacts 14,795 Oncology Patients
Apr15

Washington University School of Medicine Breach Impacts 14,795 Oncology Patients

Washington University School of Medicine is notifying 14,795 oncology patients that some of their protected health information was stored in an email account that was breached in January 2020. An unauthorized individual gained access to the email account of a research supervisor in the Division of Oncology between January 12, 2020 and January 13, 2020 as a result of a response to a phishing email. Upon discovery of the breach, immediate action was taken to secure the account and prevent further unauthorized access and a third-party computer forensics firm was engaged to assist with the investigation. A painstaking review of emails and email attachments in the account revealed they contained the following patient information: Names, dates of birth, medical record numbers, patient account numbers, limited treatment and/or clinical information, including diagnoses, provider names, and lab test results. Certain patients also had their health insurance information and/or Social Security numbers exposed. Affected individuals are now being notified about the breach and individuals whose...

Read More
PHI of 16,600 Patients Potentially Compromised in Ransomware Attack on Andrews Braces
Apr14

PHI of 16,600 Patients Potentially Compromised in Ransomware Attack on Andrews Braces

The Sparks, NV orthodontics practice, Andrews Braces, has experienced a ransomware attack that resulted in the encryption of patient data. The attack was discovered on February 14, 2020, with the subsequent investigation determining the ransomware was downloaded the previous day. The practice hired a third-party forensic investigator to assess the scope and extent of the attack and determine whether patient information had been accessed or exfiltrated prior to encryption. While it is not uncommon for ransomware attacks to involve data theft, the investigation did not uncover any evidence to suggest data had been obtained by the attackers. This appeared to be an automated attack with the sole aim of encrypting data to extort money from the practice. The practice regularly backed up patient data and stored its backups securely, so it was possible to restore the encrypted files without paying the ransom. Data theft is not suspected but the possibility could not be ruled out, so notification letters have been sent to all affected patients. The types of data which could potentially have...

Read More
Phishing Attacks Reported by Hartford Healthcare and Saint Francis Ministries
Apr14

Phishing Attacks Reported by Hartford Healthcare and Saint Francis Ministries

The Saint Francis Ministries health system has announced that the email account of one of its employees was accessed by an unauthorized individual, who may have obtained patient information. The breach was identified on December 19, 2019 when suspicious activity was detected in an employee’s email account.  A third-party computer forensics firm was engaged to investigate the breach and determined on February 12, 2020 that the account was subjected to unauthorized access between December 13, 2020 and December 20, 2019. It was not possible to tell if the attacker accessed emails containing patient information or downloaded any email data, but no reports have been received to suggest any patient information has been misused. A review of the affected accounts was completed on March 24, 2020 which revealed that the following information was potentially compromised: Name, date of birth, Social Security number, driver’s license number, state ID number, bank/financial account number, credit or debit card number, diagnosis, treatment information, prescription information, provider name,...

Read More
Ransomware Attack Potentially Impacts More Than 113,000 Patients of Brandywine Urology Consultants
Apr10

Ransomware Attack Potentially Impacts More Than 113,000 Patients of Brandywine Urology Consultants

Delaware-based Brandywine Urology Consultants has announced it experienced a ransomware attack on January 25, 2020 that resulted in the encryption of files on its servers and computers. The scope of the attack was limited and the practice’s electronic medical record system was not affected. No medical records were exposed or compromised in the attack. The practice acted quickly and took steps to isolate the attack and reduce the harm caused. After securing its systems, a complete scan was performed to ensure no malicious software or code remained and it was determined that the attack had been completely neutralized. A third-party security company was engaged to thoroughly investigate the attack and determine whether the attackers had gained access to or stole patient information. While many ransomware gangs conduct manual attacks and steal data prior to deploying their ransomware payload, the investigation suggests this was an automated attack that was conducted with the sole purpose of encrypting files to extort money from the practice. The investigation into the attack is ongoing...

Read More
PHI Exposed in Phishing Attacks on Healthcare Resource Group and Confido
Apr08

PHI Exposed in Phishing Attacks on Healthcare Resource Group and Confido

The pharmacy benefits consulting firm Confido has started notifying 3,600 of its clients’ employees, members, and their dependents, that some of their personal information has potentially been accessed by an unauthorized individual who gained access to an employee’s email account. The email account breach was detected on December 12, 2020 and an investigation was launched to determine the scale and scope of the breach. Assisted by a third-party security firm, Confido determined on January 17, 2020 that an unauthorized individual had access to the email account for a period of two weeks between November 29, 2019 and December 12, 2019. It was not possible to determine if information in the email account was downloaded, but the possibility could not be ruled out. A comprehensive review of the email account revealed it contained names, dates of birth, health insurance information, Social Security numbers, prescription information, treatment information, and clinical information such as diagnoses and provider names. Individuals affected by the breach were notified on February 10, 2020....

Read More
35,800 Patients of The Otis R. Bowen Center for Human Services Notified About Email Security Breach
Apr03

35,800 Patients of The Otis R. Bowen Center for Human Services Notified About Email Security Breach

The Otis R. Bowen Center for Human Services, an Indiana-based provider of mental health and addiction recovery healthcare services, has announced that unauthorized individuals have gained access to the email accounts of two of its employees. It is unclear when the email account breaches occurred and for how long unauthorized individuals had access to the email accounts. In its website substitute breach notification, The Otis R. Bowen Center said an independent digital forensic investigation revealed on January 28, 2020 that PHI had potentially been accessed as a result of the attack. The review of the accounts has now been completed to determine which patients have been affected and those individuals have been individually notified by main. No mention was made about the types of information that were potentially compromised. The Otis R. Bowen Center said the investigation did not uncover any evidence to suggest that any PHI had been misused as a result of the breach but, out of an abundance of caution, affected individuals have been offered complimentary membership to credit...

Read More
Ransomware Attacks Reported by Stockdale Radiology and Affordacare Urgent Care Clinics
Apr01

Ransomware Attacks Reported by Stockdale Radiology and Affordacare Urgent Care Clinics

Stockdale Radiology in California has announced that patient data has been compromised as a result of a ransomware attack on January 17, 2020. An internal investigation confirmed that the attackers gained access to patients’ first and last names, addresses, refund logs, and personal health information, including doctor’s notes. Stockdale Radiology said a limited number of patient files were publicly exposed by the attackers.  Stockdale Radiology also discovered on January 29, 2020, that further patient information may have been accessed, but has not been publicly disclosed. Systems were immediately shut down to prevent any further unauthorized data access and a third-party computer forensics firm was engaged to investigate the breach and determine how access was gained and who was affected. The FBI was immediately notified about the attack and arrived at Stockdale Radiology within 30 minutes. The FBI investigation into the breach is ongoing. In response the attack, Stockdale Radiology has conducted a review of internal data management and its security protocols and has taken steps...

Read More
California Business Associate Reports Potential Breach of Upwards of 70,000 Records
Mar27

California Business Associate Reports Potential Breach of Upwards of 70,000 Records

Stephan C Dean, the co-owner of the California record storage firm Surefile, reported a hacking/IT incident to the HHS’ Office for Civil Rights (OCR) on March 4, 2020 as impacting upwards of 70,000 individuals. Stephan Dean and his wife have been engaged in a long running legal dispute with Kaiser Permanente over the return and deletion of electronic files containing patient information. Kaiser Permanente has been trying to get the files permanently deleted; however, Stephan Dean insists that Kaiser Permanente owes him money for services rendered. The on-and-off legal action was eventually dropped, but the emails were never returned or deleted. Surefile worked with Kaiser Permanente and was provided with paper copies of medical records in 2008. When the agreement between Surefile and Kaiser Permanente ended, Stephan Dean returned the paper copies of the medical records to Kaiser Permanente; however, emails containing patient information that were sent to Stephan Dean by Kaiser Permanente remained on his computer. Stephan Dean filed a complaint with OCR over alleged HIPAA violations...

Read More
Hawaii Pacific Health Discovers 5-Year Insider Data Breach
Mar25

Hawaii Pacific Health Discovers 5-Year Insider Data Breach

Hawaii Pacific Health has discovered an employee of Straub Medical Center in Honolulu has been snooping on the medical records of patients over a period of more than 5 years. Hawaii Pacific Health discovered the unauthorized access on January 17, 2020 and launched an investigation. An analysis of access logs revealed the employee first started viewing patient records in November 2014 and continued to do so undetected until January 2020. During that time, the employee viewed the medical records of 3,772 patients. After concluding the investigation, the employee was terminated. Affected patients had received treatment at Straub Medical Center, Kapiolani Medical Center for Women & Children, Pali Momi Medical Center, or Wilcox Medical Center. The types of information that the employee could have viewed included patients’ first and last names, telephone numbers, addresses, email addresses, dates of birth, race/ethnicity, religion, medical record numbers, primary care provider information, dates of service, appointment types and related notes, hospital account numbers, department...

Read More
February 2020 Healthcare Data Breach Report
Mar24

February 2020 Healthcare Data Breach Report

There were 39 reported healthcare data breaches of 500 or more records in February and 1,531,855 records were breached, which represents a 21.9% month-over-month increase in data breaches and a 231% increase in breached records. More records were breached in February than in the past three months combined. In February, the average breach size was 39,278 records and the mean breach size was 3,335 records. Largest Healthcare Data Breaches in February 2020 The largest healthcare data breach was reported by the health plan, Health Share of Oregon. An unencrypted laptop computer containing the records of 654,362 plan members was stolen from its transportation vendor in an office break in. The second largest breach was a ransomware attack on the accounting firm BST & Co. CPAs which saw client records encrypted, including those of the New York medical group, Community Care Physicians. Aside from the network server breach at SOLO Laboratories, the cause of which has not been determined, the remaining 7 breaches in the top 10 were all email security incidents. Name of Covered Entity...

Read More
Phishing Attacks Reported by University of Utah Health, Oregon DHS, and LifeSprk
Mar23

Phishing Attacks Reported by University of Utah Health, Oregon DHS, and LifeSprk

The Minnesota-based senior care provider LifeSprk is notifying 9,000 of its clients that some of their protected health information was potentially compromised as a result of a November 2019 phishing attack. On January 17, 2020, Lifesprk discovered an unauthorized individual had gained access to the email account of one of its employees. The account was immediately secured and a third-party cybersecurity firm was engaged to investigate the breach. The cybersecurity firm determined that a limited number of employee email accounts were compromised from November 5 through November 7, 2019. For the majority of affected individuals, information in the compromised accounts was limited to names, medical record numbers, health insurance information, and some health information. Certain patients also had financial information and/or their Social Security number exposed. The investigation into the breach is ongoing. To date, no evidence of data theft or misuse of protected health information has been found. Affected patients started to be notified on March 17, 2020. The delay in sending...

Read More
Roundup of Recent Healthcare Data Breaches
Mar20

Roundup of Recent Healthcare Data Breaches

A roundup of healthcare data breaches and security incidents recently reported to the HHS’ Office for Civil Rights and by media. Texas Network of Walk-in Clinics Attacked with Maze Ransomware AffordaCare Urgent Care Clinic, a network of walk-in clinics in Texas, has been attacked by the Maze ransomware gang. According to a recent report on DataBreaches.net, the hackers stole 40GB of data prior to encrypting files. Some of the stolen data was published online when AffordaCare refused to pay the ransom. The published data included patient contact details, medical histories, diagnoses, billing information, health insurance information, and employee payroll data. It is currently unclear how many patients have been affected as the breach has not yet appeared on the HHS’ Office for Civil Rights breach portal. Tandem Diabetes Care Patients Notified About Phishing Attack Tandem Diabetes Care, Inc. in San Diego, CA has been targeted by cybercriminals who gained access to the email accounts of a limited number of its employees between January 17, 2020 and January 20, 2020. The attack was...

Read More
University of Kentucky and UK HealthCare Impacted by Month-Long Cryptominer Attack
Mar09

University of Kentucky and UK HealthCare Impacted by Month-Long Cryptominer Attack

The University of Kentucky (UK) has been battling to remove malware that was downloaded on its network in February 2020. Cybercriminals gained access to the UK network and installed cryptocurrency mining malware that used the processing capabilities of UK computers to mine Bitcoin and other cryptocurrencies. The malware caused a considerable slowdown of the network, with temporary failures of its computer system causing repeated daily interruptions to day to day functions, in particular at UK healthcare. UK believes the attack was resolved on Sunday morning after a month-long effort. On Sunday morning, UK performed a major reboot of its IT systems – a process that took around 3 hours. UK believes the attackers have now been removed from its systems, although they will be monitoring the network closely to ensure that external access has been blocked. The attack is believed to have originated from outside the United States. UK Healthcare, which operates UK Albert B. Chandler Hospital and Good Samaritan Hospital in Lexington, KY, serves more than 2 million patients. While computer...

Read More
53% of Healthcare Organizations Have Experienced a PHI Breach in the Past 12 Months
Mar09

53% of Healthcare Organizations Have Experienced a PHI Breach in the Past 12 Months

The 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses Report from Keeper Security shows approximately two thirds of healthcare organizations have experienced a data breach in the past, and 53% have experienced a breach of protected health information in the past 12 months. The survey was conducted by the Ponemon Institute on 2,391 IT and IT security professionals in the United States, United Kingdom, DACH, Benelux, and Scandinavia, including 219 respondents from the healthcare industry. Keeper Security reports indicates the average healthcare data breach results in the exposure of more than 7,200 confidential records and the average cost of a healthcare data breach is $1.8 million, including the cost of disruption to normal operations. The most common causes of healthcare data breaches are phishing attacks (68%), malware infections (41%), and web-based attacks (40%). Healthcare data breaches have increased considerably in the past few years. Even though there is a high risk of an attack, healthcare organizations do not feel that they are well prepared. Only...

Read More
Relation Insurance and Rainbow Hospice Care Experience Email Security Breaches
Mar06

Relation Insurance and Rainbow Hospice Care Experience Email Security Breaches

Relational Insurance Inc., an insurance brokerage firm doing business as Relation Insurance Services of Georgia (RISG), experienced an email security breach in August 2019. An unauthorized individual was discovered to have gained access to the email account of an employee and potentially viewed or copied emails containing protected health information (PHI). The breach was detected on August 15, 2019 when suspicious activity was detected in the email account. A third-party computer forensics firm assisted with the investigation and determined the account was accessed by an unauthorized individual between August 14 and August 15. On August 16, 2019, RISG determined the account contained PHI; however, it took until December 13, 2019 for a full review of the account to be completed to determine which individuals had been affected and exactly what information was potentially compromised. The account was found to contain a wide range of information, which differed from individual to individual. The breached PHI may have included: Name, address, telephone number, email address, date of...

Read More
6 Healthcare Organizations Discover PHI Has Potentially Been Compromised
Mar05

6 Healthcare Organizations Discover PHI Has Potentially Been Compromised

Six possible data breaches have been reported by healthcare organizations in the past few days that may have resulted in an impermissible disclosure of patient data. 8,701 patients are known to have been affected by the breaches. Harris Health System Notifies Patients About Potential Privacy Breach Houston, TX-based Harris Health System has notified 2,298 patients that some of their protected health information (PHI) has been exposed. On December 30, 2019, two envelopes were sent to Ben Taub Hospital to be scanned and archived in the Harris Health electronic medical record system, but the envelopes were lost in transit. The envelopes contained 143 sheets which are believed to include data from patients who visited Gulfgate Health Center for medical services between December 9, 2019 and December 27, 2019. The sheets contained information such as names, dates of birth, addresses, telephone numbers, test results, diagnoses, health insurance information, medical information, provider information, and Social Security numbers. Since it was not possible to determine which patients were...

Read More
Flaw in Walgreens Mobile App Secure Messaging Feature Exposed PHI
Mar04

Flaw in Walgreens Mobile App Secure Messaging Feature Exposed PHI

Walgreens has started notifying customers that some of their protected health information may have been accessed by other individuals as a result of an error in the personal secure messaging feature of the Walgreens mobile app. The secure messaging feature allows registered customers to receive SMS prescription refill notifications and deals and coupons. An undisclosed error in the app was identified that allowed certain information in its database to be viewed by other customers. Affected customers have been advised that one or more personal messages may have been viewed by other individuals between January 9, 2020 and January 15, 2020. The personal messages included patients’ first and last names, drug name and prescription number, store number, and shipping address. Walgreens said health-related information was only exposed for a limited number of affected customers. The messages did not include any Social Security numbers or financial information. According to a breach notice submitted to the California Attorney General on Friday, the error was detected by Walgreens on January...

Read More
Quest Diagnostics 2016 Data Breach Settlement Receives Final Approval
Mar04

Quest Diagnostics 2016 Data Breach Settlement Receives Final Approval

A federal judge has given final approval of a settlement to resolve a class action lawsuit filed against the New Jersey-based medical laboratory company, Quest Diagnostics Inc., over its 2016 data breach. The $195,000 settlement provides up to $325 compensation for each breach victim. On November 26, 2016 hackers gained access to the Care360 MyQuest mobile app that is used by patients to store and share their electronic test results and make appointments. The health app contained names, dates of birth, telephone numbers, and lab test results which, for some patients, included their HIV test results. 34,000 patients were affected by the breach. A class action lawsuit was filed on behalf of patients affected by the breach in 2017. The lawsuit alleged Quest Diagnostics had been negligent and failed to protect the sensitive data of app users. The lawsuit states, “Despite the fact that it was storing sensitive Private Information that it knew or should have known was valuable to and vulnerable to cyber attackers, Quest and its fellow Defendants failed to take adequate measures that...

Read More
HHS’ Office for Civil Rights Announces First HIPAA Penalty of 2020
Mar03

HHS’ Office for Civil Rights Announces First HIPAA Penalty of 2020

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced its first HIPAA penalty of 2020. The practice of Steven A. Porter, M.D., has agreed to pay a financial penalty of $100,000 to resolve potential violations of the HIPAA Security Rule and will adopt a corrective action plan to address all areas of noncompliance discovered during the compliance investigation. Dr. Porter’s practice in Ogden, UT provides gastroenterological services to more than 3,000 patients. OCR launched an investigation following a report of a data breach in November 13, 2013. The breach concerned a business associate of Dr. Porter’s electronic medical record (EHR) company which was allegedly impermissibly using patients’ electronic medical records by blocking the practice’s access to ePHI until Dr. Porter paid the company $50,000. The breach investigation uncovered serious violations of the HIPAA Security Rule at the practice. At the time of the audit, Dr. Porter had never conducted a risk analysis to identify risks to the confidentiality, integrity, and availability of ePHI,...

Read More
Tennessee Orthopaedic Alliance Phishing Attack Impacts Over 81,000 Patients
Feb27

Tennessee Orthopaedic Alliance Phishing Attack Impacts Over 81,000 Patients

Phishing attacks have recently been reported by Tennessee Orthopaedic Alliance, Jefferson Dental Care Healthcare Management, and Munson Healthcare. 81,146 Patients Affected by Tennessee Orthopaedic Alliance Phishing Attack Tennessee Orthopaedic Alliance (TOA) has discovered unauthorized individuals have gained access to the email accounts of two employees. TOA became aware of the breach on October 18, 2019 when unusual activity was detected in an employee’s email account. The account was immediately secured, and third-party computer forensics experts were engaged to investigate the breach. The investigation revealed a second email account had also been compromised and the accounts were accessed by unauthorized individuals between August 16, 2019 and October 14, 2019. TOA determined on January 3, 2019 that the compromised email accounts contained names, addresses, phone numbers, dates of birth, Social Security numbers, health insurance information, diagnostic information, treatment information, and treatment costs. Patients were notified about the breach on February 14, 2019....

Read More
Data Breaches Reported by Rady Children’s Hospital, Aveanna Healthcare and Endeavor Energy Resources
Feb26

Data Breaches Reported by Rady Children’s Hospital, Aveanna Healthcare and Endeavor Energy Resources

Rady Children’s Hospital-San Diego, the largest children’s hospital in California, discovered a security breach on January 3, 2020 in which the protected health information of certain patients was potentially accessed by an unauthorized individual. A computer used by the radiology department had been remotely accessed by an unauthorized individual via an open internet port. A digital forensics firm was engaged to investigate the breach and determined that the computer was compromised on June 20, 2019 and access remained possible until the port was closed on January 3, 2020. An analysis of the compromised device revealed on February 5, 2020 that names and genders of patients were potentially compromised along with the type and date of imaging studies and, for some patients, their date of birth, medical record number, referring physician’s name, and/or a description of the imaging study. No financial information, Social Security numbers, diagnoses, or medical images were compromised. Complimentary credit monitoring services have been offered to affected patients. Rady Children’s...

Read More
Medical Records of 156,400 Personal Touch Home Care Patients Compromised in Ransomware Attack on EHR Hosting Company
Feb26

Medical Records of 156,400 Personal Touch Home Care Patients Compromised in Ransomware Attack on EHR Hosting Company

The Lake Success, NY-based home health company, Personal Touch Home Care (PTHC), has started notifying patients that a recent ransomware attack on its Wyomissing, PA-based IT vendor, Crossroads Technologies Inc., has potentially seen some of their protected health information compromised. Crossroads informed PTHC on December 1, 2019 that the ransomware attack affected its Pennsylvania data center where PTHC’s electronic medical records were hosted. The ransomware attack prevented patient records from being accessed for a few days. While the EHR system was down, staff at PTHC switched to emergency protocols and used pen and paper to record patient information. The encrypted data has now been recovered. It is unclear whether Crossroads restored the data from backups or if the ransom was paid and if any other healthcare clients were affected. The compromised medical records contained patient names, addresses, telephone numbers, dates of birth, medical record numbers, health insurance card numbers, plan benefit numbers, Social Security numbers, and treatment information. PTHC is...

Read More
Maze Ransomware Attack on Accounting Firm Impacts Patients of New York Medical Group
Feb25

Maze Ransomware Attack on Accounting Firm Impacts Patients of New York Medical Group

The Albany, NY-based accounting, tax, and advisory firm, BST & Co. CPAs LLC, has experienced a Maze ransomware attack that has affected patients of the New York medical group, Community Care Physicians P.C. The Maze ransomware gang is one of a handful of threat groups that steal data from victims prior to deploying their ransomware payload. A threat is then issued to publish the stolen data if the ransom is not paid. Some of the data stolen in the attack has since been published by the gang, including names, dates of birth, addresses, contact telephone numbers, and Social Security numbers of BST employees. BST has issued a statement saying a computer virus was detected on December 7, 2019 which prevented access to its files. In addition to internal data, some information related to local clients was also potentially compromised, including Community Care Physicians. A leading computer forensics firm was engaged to assist with the investigation and determine the nature and scope of the attack. The forensics experts determined the virus was active on the network from December 4,...

Read More
NRC Health Recovering from Ransomware Attack
Feb24

NRC Health Recovering from Ransomware Attack

NRC Health, a provider of patient survey services and software to more than 9,000 healthcare organizations, including 75% of the largest hospital systems in the United States and Canada, experienced a ransomware attack on February 11, 2020 that affected some of its computer systems. NRC Health immediately took steps to limit the harm caused and shut down its entire environment, including its client-facing portals. A leading computer forensic investigation firm was engaged to determine the nature and extent of the attack and the incident has been reported to the Federal Bureau of Investigation. According to the NRC Health website, the data of more than 25 million healthcare consumers in the United States and Canada is collected by NRC Health every year. Patient surveys conducted by NRC Health on behalf of its clients allow them to prove that patients are satisfied with the services they have received. That information is important for helping to improve patient care and also for determining how much Medicare reimbursement healthcare providers receive under the Affordable Care Act....

Read More
Communication Errors Result in Impermissible Disclosure of 5,300 Patients’ PHI
Feb24

Communication Errors Result in Impermissible Disclosure of 5,300 Patients’ PHI

Two communication errors have been reported by HIPAA-covered entities in the past few days, which have resulted in the impermissible disclosure of 5,339 patients’ personal and protected health information (PHI). Mercy Health Physician Partners Southwest Discovers Impermissible Disclosure of PHI Mercy Health Physician Partners Southwest in Byron Center, MI, started sending breach notification letters to patients on February 10, 2019 informing them that a third-party vendor contracted to Mercy Health made an error with a recent mailing. Mercy Health had provided the mailing vendor with a list of 3,164 names and addresses to send letters to patients informing them about the recent departure of a physician. An error in the mailing resulted in names being mismatched with addresses and 2,487 patients were sent a letter addressed to a different patient. No other sensitive information was disclosed. During the breach investigation it was discovered that there was no business associate agreement (BAA) in place with the vendor. The provision of the patient list was therefore an impermissible...

Read More
January 2020 Healthcare Data Breach Report
Feb21

January 2020 Healthcare Data Breach Report

In January, healthcare data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights at a rate of more than one a day. As our 2019 Healthcare Data Breach Report showed, 2019 was a particularly bad year for healthcare data breaches with 510 data breaches reported by HIPAA-covered entities and their business associates. That equates to a rate of 42.5 data breaches per month. January’s figures are an improvement, with a reporting rate of 1.03 breaches per day and a 15.78% decrease in reported breaches compared to December 2019. While the number of breaches was down, the number of breached records increased by 17.71% month-over-month. 462,856 healthcare records were exposed, stolen, or impermissibly disclosed across 32 reported data breaches. As the graph below shows, the severity of data breaches has increased in recent years. Largest Healthcare Data Breaches in January 2020 Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach Location of Breached Information PIH Health CA Healthcare Provider...

Read More
Criminal HIPAA Violation Case Sees Healthcare Worker Arraigned on 430 Counts
Feb21

Criminal HIPAA Violation Case Sees Healthcare Worker Arraigned on 430 Counts

A former employee of ACM Global Laboratories, part of Rochester Regional Health, has been accused of accessing the medical records of a patient, without authorization, on hundreds of occasions in an attempt to find information that could be used in a child custody battle. A criminal investigation was launched into the alleged HIPAA violations by Jessica Meier, 41, of Hamlin, NY, when it was suspected that she had been abusing her access rights to patient information for malicious purposes. Kristina Ciaccia was previously in a relationship with Meier’s half brother and has been in a lengthy child custody battle. In court, Ciaccia heard about a historic visit by her own brother to the emergency room at Rochester Regional Health, when she herself was unaware of the visit. Suspecting snooping on her family’s medical records, Ciaccia reported the matter to Rochester Regional Health. According to court documents, the Rochester Regional Health audit revealed Meier had accessed the private medical records of Ciaccia on more than 200 occasions between March 2017 and August 2019, without any...

Read More
2020 Protenus Breach Barometer Report Reveals 49% Increase in Healthcare Hacking Incidents
Feb20

2020 Protenus Breach Barometer Report Reveals 49% Increase in Healthcare Hacking Incidents

According to the 2020 Protenus Breach Barometer report, there were 572 healthcare data breaches of 500 or more records in 2019 and at least 41.4 million patient records were breached. That represents a 13.7% annual increase in the number of reported breaches and a 174.5% increase in the number of breached records. The final total for 2019 is likely to be considerably higher, as the number of individuals affected by 91 of those breaches is not known, including two major breaches that have yet to be reported that affected more than 500 dental offices throughout the United States. The 2020 Protenus Breach Barometer report, produced in conjunction with databreaches.net, was compiled from breaches reported to the HHS’ Office for Civil Rights, the media, and other sources. The report shows a dramatic rise in the number of hacking incidents in 2019, which were up 49% from 2018. 58% of all reported breaches in 2019 were hacking/IT incidents and at least 36,911,960 records were exposed or stolen in those breaches. “It appears hacking incidents, particularly ransomware incidents, are on the...

Read More
PHI of 109,000 Patients Potentially Compromised in Washington Phishing Attack
Feb20

PHI of 109,000 Patients Potentially Compromised in Washington Phishing Attack

Bellevue, WA-based Overlake Medical Center & Clinics is notifying 109,000 patients that some of their personal and protected health information has potentially been compromised as a result of a December 2019 phishing attack. The phishing attack was detected on December 9, 2019 and a password reset was performed to prevent further unauthorized access. Overlake determined that one email account was compromised on December 6, 2019 and access remained possible until December 9 when the account was secured. Further email accounts were compromised on December 9, but access was only possible for a few hours. A review of the affected accounts revealed they contained patient names, addresses, telephone numbers, dates of birth, health insurance provider names, health insurance ID numbers, and diagnosis and treatment information related to the care provided at Overlake. No Social Security numbers or financial information was compromised. The investigation uncovered no evidence of data theft and no reports have been received to suggest patient data has been misused. Steps have now been...

Read More
MyEyeDr. Patients Notified of Ransomware Attack and Improper Disposal Incident
Feb19

MyEyeDr. Patients Notified of Ransomware Attack and Improper Disposal Incident

MyEyeDr. Optometry of Colorado P.C, a network of vision care offices, is notifying 1,475 Colorado residents that some of their protected health information was potentially compromised prior to a recent ransomware attack. Certain MyEyeDr. systems were accessed by the attacker on December 11, 2019 and ransomware was downloaded and deployed. Steps were immediately taken by MyEyeDr. to prevent further unauthorized access and restore all affected records. The ransom was not paid. While it was possible to restore the majority of encrypted data, some files could not be recovered and remain encrypted. A third-party computer forensics firm was engaged to investigate the attack and determine whether any data had been stolen prior to file encryption. The forensics firm found no evidence to suggest data had been exfiltrated and the attack is believed to have only involved file encryption with a view to extorting money from MyEyeDr. A review of the affected systems revealed they contained patient information such as names, dates of birth, diagnoses, clinical information, and treatment...

Read More
Wise Health System Notifies 66,934 Patients of Phishing Attack
Feb18

Wise Health System Notifies 66,934 Patients of Phishing Attack

Wise Health System in Decatur, TX, is notifying 66,934 patients that some of their protected health information was potentially compromised in a phishing attack that occurred on March 14, 2019. Wise Health System previously reported the phishing attack to the Department of Health and Human Services’ Office for Civil Rights on July 13, 2019 as having affected 35,899 individuals. That total has now been updated following the completion of a data audit. The data audit commenced in June 2019 and has only just been completed. New notifications started to be sent to affected patients on February 13, 2020. In March 2019, several employees responded to phishing emails and disclosed their account credentials. The attackers used those credentials to access the Employee Kiosk and attempted to reroute payroll direct deposits. Wise Health System reports that attempts were made to reroute approximately 100 direct deposit payments. Security protocols required two checks to be issued to employees following a change to direct deposit information. This security measure was key to identifying the...

Read More
Malware Attack Disables Servers at Physician Network Affiliated with Boston Children’s Hospital
Feb14

Malware Attack Disables Servers at Physician Network Affiliated with Boston Children’s Hospital

On Monday, February 10, 2020, Pediatric Physicians’ Organization at Children’s (PPOC), a physician group affiliated with Boston Children’s Hospital, experienced a malware attack that caused a system outage which prevented its 500+ pediatricians, nurse practitioners, and physician assistants from accessing patient data and scheduling calendars. PPOC has approximately 200 servers, 11 of which were impacted by the attack. IT teams at PPOC and Boston Children’s Hospital worked swiftly to contain the malware and the affected servers have now been quarantined. Servers unaffected by the attack were shut down as a precautionary measure. Boston Children’s Hospital issued a statement confirming its systems were unaffected by the attack. Patients were advised to reschedule non-urgent appointments as health records cannot be accessed until the malware is removed and the servers are brought back online. Children’s Hospital issued a statement on Wednesday saying progress was being made restoring the servers, but it was still unclear how long the recovery process would take. PPOC has...

Read More
2019 Healthcare Data Breach Report
Feb13

2019 Healthcare Data Breach Report

Figures from the Department of Health and Human Services’ Office for Civil Rights breach portal show a major increase in healthcare data breaches in 2019. Last year, 510 healthcare data breaches of 500 or more records were reported, which represents a 196% increase from 2018. As the graph below shows, aside from 2015, healthcare data breaches have increased every year since the HHS’ Office for Civil Rights first started publishing breach summaries in October 2009. 37.47% more records were breached in 2019 than 2018, increasing from 13,947,909 records in 2018 to 41,335,889 records in 2019. Last year saw more data breaches reported than any other year in history and 2019 was the second worst year in terms of the number of breached records. More healthcare records were breached in 2019 than in the six years from 2009 to 2014. In 2019, the healthcare records of 12.55% of the population of the United States were exposed, impermissibly disclosed, or stolen. Largest Healthcare Data Breaches of 2019 The table below shows the largest healthcare data breaches of 2019, based on the entity...

Read More
Hospital Sisters Health System Email Breach Impacts 16,167 Patients
Feb12

Hospital Sisters Health System Email Breach Impacts 16,167 Patients

Hospital Sisters Health System has recently discovered an email security breach in August 2019 potentially resulted in unauthorized individuals gaining access to access emails and email attachments containing the protected health information of 16,167 patients. Hospital Sisters Health System is a 15-hospital health system serving patients in Illinois and Wisconsin. Between August 6, 2019 and August 9, 2019, unauthorized individuals gained access to the email accounts of several employees. Prompt action was taken to secure the affected email accounts by changing passwords and a leading computer forensic firm was retained to investigate the breach and determine whether the compromised accounts contained patient information. On December 2, 2019, Hospital Sisters Health System was informed that patient information had potentially been accessed by the attackers. The compromised email accounts were found to contain patient names, birth dates, and a limited amount of clinical information. Some patients also had their health insurance information, Social Security number, and/or driver’s...

Read More
PHI Exposed Due to Sunshine Behavioral Health Group Amazon AWS S3 Bucket Misconfiguration
Feb11

PHI Exposed Due to Sunshine Behavioral Health Group Amazon AWS S3 Bucket Misconfiguration

Portland, OR-based Sunshine Behavioral Health Group, a network of drug an alcohol addiction treatment facilities in California, Colorado, and Texas, has experienced a breach of sensitive patient information. An Amazon AWS S3 bucket was misconfigured which allowed files containing patient billing information to be accessed over the internet. An individual discovered the breach and reported it to Dissent at Databreaches.net. Dissent verified the data and contacted Sunshine Behavioral Health on September 4, 2019 to report the breach and ensure the S3 bucket was secured. Dissent reports that the exposed S3 bucket contained approximately 93,000 files, although that did not correspond to 90,000 patients. A notification about the data breach was sent by ID Experts to the Vermont Attorney General which explains the error was identified on September 4, 2019. The report states that steps were taken to prevent the records from being accessed by unauthorized individuals and further actions were taken on November 14, 2019 to remove the records from general internet access. On December 23, 2019,...

Read More
Slew of Email Security Breaches Reported by Healthcare Organizations
Feb10

Slew of Email Security Breaches Reported by Healthcare Organizations

A further 5 healthcare data breaches of 500 or more records have recently been reported by HIPAA-covered entities and their business associates. Email Account Breach Reported by Shields Health Solutions Shields Health Solutions, a Stoughton, MA-based provider of specialty pharmacy services to hospitals and other covered entities, has discovered an unauthorized individual gained access to the email account of an employee and potentially viewed/copied protected health information. Suspicious activity was detected in the email account of an employee on October 24, 2019. Assisted by a cybersecurity firm, Shields Health Solutions determined an unauthorized individual accessed the account between October 22 and October 24, 2019. The breach was confined to a single email account. The email account contained messages and attachments that included patient names, dates of birth, medical record numbers, provider names, clinical information, prescription information, insurer names, and limited claims information. No evidence was uncovered that suggests patient information was accessed or...

Read More
Health Share of Oregon Notifies 654,000 Members About Business Associate Data Breach
Feb07

Health Share of Oregon Notifies 654,000 Members About Business Associate Data Breach

Oregon’s Medicaid coordinated-care organization, Health Share of Oregon, is notifying approximately 654,000 current and former members that some of their protected health information (PHI) was stored on a laptop computer stolen from its transportation vendor, GridWorks. GridWorks was contracted to manage Health Share’s Ride to Care program, through which Health Share provided non-emergent transportation for its members. Health Share’s policies require business associates to use encryption on all portable devices containing patient information but, for reasons unknown, the GridWorks laptop was not encrypted. PHI stored on the laptop computer included names, addresses, contact telephone numbers, birth dates, Health Share ID numbers, Medicaid numbers, and Social Security numbers. The laptop was stolen in a burglary at GridWorks’ office in November 2019. GridWorks notified Health Share about the laptop theft on January 2, 2020. Health Share started sending notification letters on February 5 to all individuals whose PHI was stored on the laptop. Affected individuals have been offered...

Read More
New York Nursing Center and Phoenix Children’s Hospital Affected by Phishing Attacks
Feb04

New York Nursing Center and Phoenix Children’s Hospital Affected by Phishing Attacks

Village Center for Care dba VillageCare Rehabilitative and Nursing Center (VRNC) and Village Senior Services Corporation dba VillageCareMAX (VCMAX) have fallen victim to a business email compromise (BEC) attack. BEC attacks involve the impersonation of an executive, either using the executive’s genuine email account compromised in a previous attack or by spoofing the executive’s email address. An unauthorized individual, pretending to be member of the executive team, requested sensitive information on VRNC patients and VCMAX members. Believing the request to be legitimate, the employee responded and provided the information as requested. VCMAX and VRNC were alerted to a potential BEC attack on or around December 30, 2019. The investigation confirmed the request was not genuine and sensitive information on VRNC patients and VCMAX members had been impermissibly disclosed. The information sent via email included the names and Medicaid ID numbers of 2,645 VCMAX members and first and last names, dates of birth, insurance provider names, and Insurance ID numbers of 674 VRNC patients....

Read More
Malware Attack Results in Corruption of Medical Records: 30,000 Patients Affected
Feb03

Malware Attack Results in Corruption of Medical Records: 30,000 Patients Affected

On November 21, 2019, Fondren Orthopedic Group, an association of private orthopedic surgery practitioners in Houston and the surrounding areas, experienced a cyberattack that affected certain parts of its IT system. In a substitute breach notice posted on its website, the incident was described as a malware attack that damaged the medical records of certain patients. Prompt action was taken to contain the infection and its systems were restored; however, the medical records corrupted by the malware could not be recovered and have been permanently lost. The corrupted records included patients’ names, addresses, telephone numbers, health insurance information, and diagnosis and treatment information. All patients affected by the incident were current or former patients of Dr. K. Matthew Warnock. Third party forensic investigators were engaged to assist with the investigation and found no evidence of unauthorized data access or exfiltration of data. Fondren Orthopedic Group is reviewing data security policies and procedures and will be enhancing its security protocols to improve...

Read More
Data Breaches Reported by Manchester Ophthalmology, UnitedHealthcare, and Cook County Health
Feb03

Data Breaches Reported by Manchester Ophthalmology, UnitedHealthcare, and Cook County Health

Manchester Ophthalmology in Connecticut has experienced a cyberattack in which the attackers may have gained access to patient information.  The eye care provider became aware of the cyberattack on November 25, 2019 when employees noticed unusual activity on the network. Assisted by a third-party technology firm, it was determined later that day that hackers had gained access to its systems and attempted to deploy ransomware. Access was first gained to the network on November 22, 2019 and continued until November 25. The investigation found no evidence to suggest any patient information was accessed or downloaded by the attackers, but during the investigation it was determined that certain patient information had not been backed up and could not be recovered. The types of data lost included names, patient-created medical histories, and details of the care those patients received at Manchester Ophthalmology. Patients have been advised to exercise caution and monitor their accounts and explanation of benefits statements for any sign of fraudulent use of their information. Manchester...

Read More
Website Error Exposed Personal and Health Data of LabCorp Patients
Jan30

Website Error Exposed Personal and Health Data of LabCorp Patients

Researchers at TechCrunch have identified a security flaw in a website hosting an internal customer relationship management system used by the clinical laboratory network LabCorp. While the system was password protected, the researchers found a flaw in the part of the system that pulled patient files from the back-end system. The flaw allowed patient data to be accessed without requiring a password and the web address was visible to search engines. Google had cached only one document containing the health data of a patient, but by changing the document number in the web address the researchers were able to open other documents containing patient health information. The researchers examined a small selection of files to see what types of data had been exposed. The documents mostly contained information about patients who had tests conducted by LabCorp’s Integrated Oncology specialty testing unit. The documents contained personal information such as names and dates of birth, lab test results and diagnostic data, and for some patients, Social Security numbers. TechCrunch researchers...

Read More
Iowa Department of Human Services Notifies 4,784 Patients About Improper Disposal Incident
Jan27

Iowa Department of Human Services Notifies 4,784 Patients About Improper Disposal Incident

The Iowa Department of Human Services has announced that the protected health information of 4,784 individuals has accidentally been exposed. On November 25, 2019, a member of staff disposed of documents containing the protected health information of Dallas County clients in a regular garbage dumpster, instead of sending the records for shredding. By the time the improper disposal incident was discovered, the dumpster had been emptied. An investigation was launched which revealed the custodial employee who disposed of the paperwork was unaware that the documents contained confidential information. It was not possible to determine exactly which patients were affected, so notification letters were sent to all individuals potentially impacted by the breach. The documents likely contained information such as names, dates of birth, mailing addresses, driver’s license numbers, Social Security numbers, disability information, medical information, banking and wage information, receipt of Medicaid, mental health information, provider names, prescriptions, and substance abuse and illegal...

Read More
Beaumont Health Discovers 20-Month Insider Breach
Jan27

Beaumont Health Discovers 20-Month Insider Breach

Beaumont Health, a not-for-profit 8-hospital health system based in Southfield, MI, has discovered a former employee has accessed the medical records of patients without authorization and is understood to have shared protected health information with another individual. An internal investigation was launched when it was discovered medical records had been accessed without authorization. A review of the former employee’s access logs revealed the unauthorized access first occurred on February 1, 2017 and continued until October 22, 2019. The breach was discovered in December 2018. Beaumont Health said its internal investigation determined on December 10, 2019 that the medical records of 1,182 patients were accessed over a period of 20 months. The information potentially obtained and disclosed included names, addresses, contact telephone numbers, dates of birth, email addresses, health insurance information, reason why medical care was sought, and Social Security numbers. The individual to whom the information was believed to have been disclosed was affiliated with a personal injury...

Read More
Nearly 200,000 Patients Impacted by PIH Health Phishing Attack
Jan24

Nearly 200,000 Patients Impacted by PIH Health Phishing Attack

PIH Health, a 2-hospital nonprofit healthcare network based in Whittier, CA, has started notifying nearly 200,000 patients about a potential breach of their personal and protected health information in June 2019. On June 18, 2019, PIH Health discovered the email accounts of certain employees had been accessed by unauthorized individuals as a result of a targeted phishing attack on its employees. The email accounts were immediately secured and an investigation was launched to determine the nature and extent of the breach. PIH Health engaged leading cybersecurity experts to assist with the investigation and was notified on October 2, 2019, that the email accounts were subject to unauthorized access between June 11, 2019 and June 18, 2019. The email accounts were then reviewed by the same cybersecurity experts to determine whether they contained any patient information. The review was completed on November 12, 2019. PIH Health then attempted to obtain up to date contact information for current and former patients affected by the breach. Notifications were sent by mail to those...

Read More
December 2019 Healthcare Data Breach Report
Jan21

December 2019 Healthcare Data Breach Report

There were 38 healthcare data breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights in December 2019, an increase of 8.57% from November 2019. While the number of breaches increased, there was a major reduction in the number of exposed healthcare records, falling from 607,728 records in November 2019 to 393,189 records in December 2019 – A drop of 35.30%. In December the mean breach size was 10,347 records and the median breach size was 3,650 records. It has been a particularly bad year for healthcare data breaches. 2019 was the second worst ever year for healthcare data breaches in terms of the number of patients impacted by breaches. 41,232,527 healthcare records were exposed, stolen, or impermissibly disclosed in 2019. That’s 195.61% more than 2018. More healthcare records were breached in 2019 than in the previous three years combined. The number of reported data breaches also increased 36.12% year-over-year, from 371 breaches in 2018 to 505 breaches in 2019. That makes 2019 the worst every year in terms of the number...

Read More
Phishing Attack Reported by Adventist Health Sonora
Jan20

Phishing Attack Reported by Adventist Health Sonora

Adventist Health Sonora in California has discovered an unauthorized individual has gained access to the email account of a hospital associate and potentially viewed patient information. The email account breach was detected by Adventist Health Sonora’s information security team on September 30, 2019. Immediate action was taken to secure the compromised Office 365 account and an investigation was launched to determine the extent of the breach. The investigation confirmed that access to the Office 365 account was gained following a response to a phishing email and that it was an isolated incident. No other email accounts or systems were affected. The purpose of the attack appears to have been to redirect invoice payments and defraud the hospital and its vendors, rather than to obtain sensitive patient information. According to Adventist Health Sonora, a comprehensive review of the affected account revealed on October 14, 2019 that the account contained the protected health information of 2,653 patients. The types of information exposed included names, dates of birth, medical record...

Read More
Quest Health Systems Discovers Additional Patients Impacted by 2018 Phishing Attack
Jan17

Quest Health Systems Discovers Additional Patients Impacted by 2018 Phishing Attack

Health Quest, now part of Nuvance Health, has discovered the phishing attack it experienced in July 2018 was more extensive than previously thought. Several employees were tricked into disclosing their email credentials by phishing emails, which allowed unauthorized individuals to access their accounts. A leading cybersecurity firm was engaged to assist with the investigation and determine whether any patient information had been compromised. In May 2019, Quest Health learned that the protected health information of 28,910 patients was contained in emails and attachments in the affected accounts and notification letters were sent to those individuals. The compromised accounts contained patient names, contact information, claims information, and some health data. A secondary investigation of the breach revealed on October 25, 2019 that another employee’s email account was compromised which contained protected health information. According to the substitute breach notification on the Quest Health website, the compromised information varied from patient to patient, but may have...

Read More
44,000 Patients Impacted by Phishing Attacks on InterMed and Spectrum Healthcare Partners
Jan17

44,000 Patients Impacted by Phishing Attacks on InterMed and Spectrum Healthcare Partners

The Portland, ME-based healthcare provider InterMed is notifying 33,000 patients that some of their protected health information has potentially been compromised as a result of a phishing attack. The attack was detected on September 6, 2019. An internal investigation confirmed that the account was compromised on September 4 and the attackers had access to the account until September 6, 2019. A leading national computer forensic firm was engaged to investigate the breach and discovered a further three email accounts had also been compromised between September 7 and September 10, 2019. A comprehensive review of the affected email accounts was conducted but it was not possible to determine what emails or attachments, if any, had been viewed by the attackers. The types of information in the compromised accounts varied from patient to patient and may have included patients’ names, dates of birth, health insurance information, and some clinical information. A “very limited” number of patients also had their Social Security number exposed. InterMed started mailing breach notification...

Read More
Phishing Attack on SouthEast Eye Specialist Group Impacts 13,000 Patients
Jan16

Phishing Attack on SouthEast Eye Specialist Group Impacts 13,000 Patients

SouthEast Eye Specialist (SEES) Group in Franklin, TN, is notifying 13,000 patients that some of their protected health information has been exposed as a result of a recent phishing attack. It is unclear from the SEES Group’s substitute breach notice when the phishing attack occurred, but on November 1, 2019, SEES Group determined patient information was contained in email accounts that were accessed by unknown individuals. The breach was discovered when the IT department identified suspicious activity in some employee email accounts. A third-party computer forensics company was retained to assist with the investigation and determine whether any emails or email attachments containing patient information had been viewed or copied by the attackers. The investigation uncovered no evidence to suggest that patient information was viewed or obtained by unauthorized individuals, but it was not possible to rule out the possibility that patient information had been compromised. A painstaking analysis of all emails in the affected accounts revealed they contained information on patients...

Read More
Enloe Medical Center Continues to Experience EMR Downtime Due to Ransomware Attack
Jan15

Enloe Medical Center Continues to Experience EMR Downtime Due to Ransomware Attack

A California healthcare provider was attacked with ransomware and two weeks on and its medical record system is still out of action. Enloe Medical Center in Chico, CA, discovered the attack on January 2, 2020. Its entire network was encrypted, including its electronic medical record (EMR) system, which prevented staff from accessing patient information. Emergency protocols were immediately implemented to ensure care could still be provided to patients and only a limited number of elective medical procedures had to be rescheduled. The attack also affected the telephone system which was taken out of action on the day of the attack. The telephone system was restored the following day but its EMR system is still out of action and employees are continuing to rely on pen and paper for recording patient data. While there were some cancelled appointments in the first week after the attack, Enloe Medical Center says care is being provided to patients without delay while work continues to restore its systems. No information has been released on the type of ransomware involved, but the...

Read More
Ransomware Attacks Reported by Florida and Texas Healthcare Providers
Jan10

Ransomware Attacks Reported by Florida and Texas Healthcare Providers

It is becoming increasingly common for threat actors to use ransomware to encrypt files to prevent data access, but also to steal data and threaten to publish or sell on the stolen data if the ransom is not paid. This new tactic is intended to increase the likelihood of victims paying the ransom. The Center for Facial Restoration in Miramar, FL, is one of the latest healthcare providers to experience such an attack. Richard E. Davis MD FACS of The Center for Facial Restoration received a ransom demand on November 8, 2019 informing him that his clinic’s server had been breached and data had been stolen. The attacker said the data could be publicly exposed or traded with third parties if the ransom was not paid. Dr. Davis filed a complaint with the FBI’s Cyber Crimes Center and met with the FBI agents investigating the attack. After the attack occurred, Dr. Davis was contacted by around 15-20 patients who had also been contacted by the attacker and issued with a ransom demand. The patients were told that their photographs and personal data would be published if the ransom demand was...

Read More
Alomere Health Phishing Attack Impacts 49,351 Patients
Jan09

Alomere Health Phishing Attack Impacts 49,351 Patients

Alomere Health in Alexandria, MN is notifying almost 50,000 patients that some of their protected health information was potentially accessed by unauthorized individuals as a result of a phishing attack. Alomere Health learned about the phishing attack on November 6, 2019 and launched an internal investigation which confirmed the account was accessed by an unauthorized individual between October 31 and November 1, 2019. A computer forensics company was engaged to assist with the investigation and discovered on November 10, 2019 that a second email account had been breached on November 6. A comprehensive review of the compromised accounts revealed some emails and email attachments contained protected health information. The types of information potentially compromised in the attack varied from patient to patient and may have included the following data elements: Names, addresses, dates of birth, medical record numbers, health insurance information, treatment information, and/or diagnosis information. A limited number of Social Security numbers and driver’s license numbers were also...

Read More
Up to 25K Patients of the Native American Rehabilitation Association of the Northwest Affected by Malware Attack
Jan09

Up to 25K Patients of the Native American Rehabilitation Association of the Northwest Affected by Malware Attack

Portland, OR-based Native American Rehabilitation Association of the Northwest, Inc., (NARA), a provider of education, physical and mental health services and substance abuse treatment services to native Americans, is alerting certain individuals about a malware infection that has potentially allowed unauthorized individuals to gain access to their protected health information. NARA reports that the attack occurred on November 4, 2019. The malware initially bypassed security systems but was detected later that afternoon. The threat was contained by November 5, 2019 and all passwords on email accounts were reset by November 6. The malware was determined to be the Emotet Trojan: A credential stealer that can also exfiltrate emails and email attachments. It is therefore possible that the attackers obtained emails and attachments in the compromised accounts, some of which included protected health information. According to a NARA press release issued on January 3, 2020, the forensic investigation confirmed that the protected health information of 344 individuals was either accessed by...

Read More
HIPAA Enforcement in 2019
Jan02

HIPAA Enforcement in 2019

It has been another year of heavy enforcement of HIPAA compliance. HIPAA enforcement in 2019 by the Department of Health and Human Services’ Office for Civil Right (OCR) has resulted in 10 financial penalties. $12,274,000 has been paid to OCR in 2019 to resolve HIPAA violation cases. 2019 saw two civil monetary penalties issued and settlements were reached with 8 entities, one fewer than 2018. In 2019, the average financial penalty was $1,227,400. Particularly egregious violations will attract financial penalties, but some of the HIPAA settlements in 2019 provide insights into OCRs preferred method of dealing with noncompliance. Even when HIPAA violations are discovered, OCR prefers to settle cases through voluntary compliance and by providing technical assistance. When technical assistance is provided and covered entities fail to act on OCR’s advice, financial penalties are likely to be issued. This was made clear in two of the most recent HIPAA enforcement actions. OCR launched compliance investigations into two covered entities after being notified about data breaches. OCR...

Read More
North Ottawa Community Health System Discovers 3-Year Insider Breach
Dec30

North Ottawa Community Health System Discovers 3-Year Insider Breach

North Ottawa Community Health System (NOCH) has discovered an employee at North Ottawa Community Hospital in Grand Haven, MI, accessed the medical records of patients without authorization over a period of 3 years. The matter was brought to the attention of the health system on October 15 by another employee. An investigation into the alleged inappropriate access was launched on October 17 and the employee was suspended pending the outcome of the investigation. NOCH confirmed on November 25, 2019 that the employee had accessed the medical records of 4,013 patients without any legitimate work reason for doing so between May 2016 and October 2019. There appeared to be no discernible pattern to the unauthorized access. Patient records appeared to have been accessed at random. No evidence was found to suggest that any patient information was stolen. NOCH believes the employee was accessing patient information out of curiosity. The types of information potentially accessed included names, dates of birth, Social Security numbers, Medicare and Medicaid numbers, health insurance...

Read More
Ann & Robert H. Lurie Children’s Hospital of Chicago Fires Worker for Unauthorized Medical Record Access
Dec30

Ann & Robert H. Lurie Children’s Hospital of Chicago Fires Worker for Unauthorized Medical Record Access

Ann & Robert H. Lurie Children’s Hospital of Chicago, a pediatric specialty hospital in Chicago, IL, has discovered a former employee accessed the medical records of certain patients without a legitimate work reason for doing so. The unauthorized access occurred between September 10, 2018 and September 22, 2019. The hospital learned of the HIPAA violation on November 15, 2019 and immediately terminated the employee’s access to all patient information while the incident was investigated. The employee was subsequently disciplined for the violation of HIPAA and hospital policies and was terminated. The employee was unable to view full Social Security numbers, financial information, or health insurance information. The only types of information that could have been viewed were names, addresses, dates of birth, diagnoses, appointment dates, medical procedures, and other limited medical information. The breach notice published on the hospital’s website makes no mention of the reason why the former employee was accessing patient information, but the hospital says there is no reason to...

Read More
New Mexico Hospital Discovers Malware on Imaging Server
Dec26

New Mexico Hospital Discovers Malware on Imaging Server

Roosevelt General Hospital in Portales, New Mexico has discovered malware on a digital imaging server used by its radiology department. The malware potentially allowed cybercriminals to gain access to the radiological images of around 500 patients. The malware infection was discovered on November 14, 2019 and prompt action was taken to isolate the server to prevent further unauthorized access and block communications with the attackers’ command and control server. The IT department was able to remove the malware and rebuild the server and all patient data was recovered. A scan was conducted to identify any vulnerabilities and the hospital is now satisfied that the server is secured and protected. The investigation into the breach did not uncover any evidence to suggest protected health information and medical images were viewed or stolen by the hackers, but the possibility of unauthorized data access and PHI theft could not be ruled out. The investigation into the security breach is continuing but the hospital’s IT department has confirmed that the breach was limited to the imaging...

Read More
Colorado Department of Human Services and Sinai Health System Alert Patients About HIPAA Breaches
Dec24

Colorado Department of Human Services and Sinai Health System Alert Patients About HIPAA Breaches

The State of Colorado is notifying 12,230 individuals about an impermissible disclosure of some of their protected health information as a result of a mailing error. The error occurred on a Colorado Department of Human Services mailing of Notices to Reapply for food and cash assistance programs. The error came to light on November 6, 2019. The investigation revealed 10,879 Notice to Reapply forms had been sent which contained the information of incorrect individuals. The information of 12, 230 individuals had been incorrectly included on the forms. The information included names, employers, whether the person had a vehicle, and a limited amount of other information related to household resources. No addresses, dates of birth, financial information, Social Security numbers, or other information required for identity theft and fraud were disclosed. Affected individuals were notified about the error on November 10, 2019 and have been advised to either shred the incorrect notices or take them to their local county human services’ office for secure disposal. The risk of misuse of PHI is...

Read More
November 2019 Healthcare Data Breach Report
Dec20

November 2019 Healthcare Data Breach Report

In November 2019, 33 healthcare data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). That represents a 36.5% decrease in reported breaches from October – The worst ever month for healthcare data breaches since OCR started listing breaches on its website in October 2009. The fall in breaches is certainly good news, but data breaches are still occurring at a rate of more than one a day. 600,877 healthcare records were exposed, impermissibly disclosed, or stolen in November. That represents a 9.2% decrease in breached healthcare records from October, but the average breach size increased by 30.1% to 18,208 records in November.   Largest Healthcare Data Breaches in November 2019 Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of Breached PHI Ivy Rehab Network, Inc. and its affiliated companies Healthcare Provider 125000 Hacking/IT Incident Email Solara Medical Supplies, LLC Healthcare Provider 114007 Hacking/IT Incident Email Saint Francis Medical Center Healthcare...

Read More
CMS Blue Button 2.0 Coding Bug Exposed PHI of 10,000 Medicare Beneficiaries
Dec19

CMS Blue Button 2.0 Coding Bug Exposed PHI of 10,000 Medicare Beneficiaries

The Centers for Medicare and Medicaid Services (CMS) has discovered a bug in its Blue Button 2.0 API exposed the protected health information of around 10,000 Medicare beneficiaries. Access to the Blue Button API has been temporarily suspended while the CMS completes a comprehensive code review. The CMS has not produced a timeline for when the Blue Button 2.0 service will be resumed. On December 4, 2019, the CMS was alerted to a data anomaly with the Blue Button API by a third-party application partner. The CMS confirmed the data anomaly and immediately suspended access to the production environment while the matter was investigated. The CMS determined the anomaly was due to a coding bug. That bug potentially allowed data to be shared with incorrect Blue Button 2.0 applications and the wrong beneficiaries. The CMS determined 30 applications have been impacted by the bug. The Blue Button platform is used by Medicare beneficiaries to authorize third-party applications, services, and research programs to access their claims data. A CMS identity management system verifies user...

Read More
Email Security Breaches Reported by Conway Medical Center and Equinox Inc.
Dec19

Email Security Breaches Reported by Conway Medical Center and Equinox Inc.

The email accounts of several employees of Conway Medical Center in South Carolina have been accessed by unauthorized individuals. The phishing attack was detected on October 7, 2019 and affected email accounts were immediately secured to prevent further unauthorized access. External cybersecurity experts were engaged to investigate the breach and determine whether patient information had been viewed or acquired. The investigators determined that the first email accounts were compromised in or before July 2019. It took until November 20, 2019 for the investigators to confirm that the protected health information of patients had been exposed as each email had to be checked to determine whether it contained PHI and if it had been accessed. That was largely a manual process. The way the email accounts were accessed meant emails may have synchronized with the attacker’s computer and could have been automatically downloaded. Those emails contained names, addresses, Social Security numbers, dates of birth, phone numbers, dates of admission, discharge dates, CMC account numbers, amount...

Read More
Tidelands Health Recovering from Malware Attack
Dec19

Tidelands Health Recovering from Malware Attack

Tidelands Health in Georgetown, SC, is working round the clock to restore its computer systems after the discovery of malware on its network on December 12, 2019. The attack has forced the healthcare provider to shut down parts of its network and implement emergency protocols. Staff have been using paper records for patients while the malware is removed and systems are restored and brought back online. Patients are being seen and quality care is still being provided, although a limited number of non-emergency appointment have had to be rescheduled, according to Tidelands Health spokesperson, Dawn Bryant. The type of malware involved has not been disclosed, although Tidelands Health has said no data was lost and patient information was not compromised. Third-party cybersecurity experts have been engaged to investigate the attack, remove the malware, and restore its systems. That is a time-consuming, methodical process as the stability and integrity of every system must be thoroughly assessed before it is possible to bring each back online. Stolen Children’s Hope Alliance...

Read More
Truman Medical Centers Notifies 114,466 Patients of Potential PHI Exposure
Dec17

Truman Medical Centers Notifies 114,466 Patients of Potential PHI Exposure

Truman Medical Centers, the largest provider of inpatient and outpatient services in Kansas City, MO, has discovered the protected health information of 114,466 patients was stored on an unencrypted laptop computer that was stolen from the vehicle of one of its employees. The laptop was protected with a password, but it is possible that the password could be cracked and data on the device accessed. At the time of issuing the notifications, Truman Medical Centers has not uncovered any evidence to suggest that any patient information has been accessed by unauthorized individuals or has been misused. The types of information on the laptop varied from patient to patient and may have included patient names along with one or more of the following types of information: Dates of birth, patient account numbers, medical record numbers, Social Security numbers, health insurance information, and limited medical and treatment information, such as diagnoses, dates of service, and provider names. The theft occurred on July 18, 2019, but it took until October 29, 2019 to determine that patient...

Read More
Hackensack Meridian Health Recovering from Ransomware Attack
Dec16

Hackensack Meridian Health Recovering from Ransomware Attack

Hackensack Meridian Health, the largest health network in New Jersey, has announced it experienced a cyberattack last week that saw ransomware deployed on its network. The attack saw files encrypted and took its network offline for two days. Without access to computer systems and medical records, Hackensack Meridian Health was forced to cancel non-emergency medical procedures and doctors and nurses had to switch to pen and paper to allow care to continue to be provided to patients. The attack was detected quickly, law enforcement and regulators were immediately notified, and cybersecurity experts were consulted to determine the best course of action. The health network initially announced that it was experiencing external technical issues so as not to interfere with the investigation but confirmed later in the week that the incident was a ransomware attack. When ransomware is deployed, files need to be restored from backups and systems may need to be rebuilt. That process can take several weeks. In order to prevent continued disruption to patient services, the decision was taken to...

Read More
$85,000 Penalty for Korunda Medical for HIPAA Right of Access Failures
Dec13

$85,000 Penalty for Korunda Medical for HIPAA Right of Access Failures

The Department of Health and Human Services’ Office for Civil Rights has announced its second enforcement action under its HIPAA Right of Access Initiative. Florida-based Korunda Medical has agreed to settle potential violations of the HIPAA Right of Access and will adopt a corrective action plan and bring its policies and procedures in line with the requirements of the HIPAA Privacy Rule. In March 2019, OCR received a complaint from a patient who alleged she had not been provided with a copy of her medical records in the requested electronic format despite making repeated requests. The complainant alleged that Korunda Medical refused to send an electronic copy of her medical records to a third party and was overcharging patients for providing copies of their medical records. Under HIPAA, covered entities are only permitted to charge a reasonable, cost-based fee for providing access to patients’ protected health information. The initial complaint was filed with OCR on March 6, 2019. On March 18, 2019, OCR provided technical assistance to Korunda Medical on the HIPAA Right of Access...

Read More
Ransomware Attack on The Cancer Center of Hawaii Delayed Radiation Therapy for Patients
Dec13

Ransomware Attack on The Cancer Center of Hawaii Delayed Radiation Therapy for Patients

On November 5, 2019 The Cancer Center of Hawaii in Oahu was attacked with ransomware. The attack forced the Cancer Center to shut down its network servers, which meant it was temporarily prevented from providing radiation therapy to patients at Pali Momi Medical Center and St. Francis’ hospital in Liliha. While patient services experienced some disruption, no patient information is believed to have been accessed by the attackers. The forensic investigation into the breach is ongoing but all data stored on its radiology machines has been recovered and its network is now fully operational. It is unclear for how long its network was down and no information has been released so far on the types of patient information that may have been accessed. The Cancer Center has notified the FBI about the breach and will report the incident to appropriate authorities, if the forensic investigators confirm that patient data may have been accessed. The breach was confined to the Cancer Center’s systems. Pali Momi Medical Center and St. Francis’ hospital were unaffected by the attack as their patient...

Read More
Patients Notified of Phishing Attack at Cheyenne Regional Medical Center
Dec12

Patients Notified of Phishing Attack at Cheyenne Regional Medical Center

Cheyenne Regional Medical Center in Wyoming has recently learned that patient information may have been compromised as a result of a phishing attack discovered in April. The medical center was alerted to a potential security breach following the detection of suspicious activity related to employee payroll accounts on or around April 5, 2019. Around a week later, the medical center learned that employee email accounts had been compromised. The investigation revealed the attackers had gained access to employee email accounts between March 27, 2019 and April 8, 2019. The aim of the attack appears to have been to access employee payroll information, although patient information contained in email accounts may also have been accessed. The types of information potentially accessed varied from patient to patient and may have included names, dates of birth, Social Security numbers, driver’s license numbers, dates of service, provider names, medical record numbers, patient identification numbers, medical information, diagnoses, treatment information, and health insurance information. A very...

Read More
Phishing Attacks Reported by Sunrise Community Health and Katherine Shaw Bethea Hospital
Dec11

Phishing Attacks Reported by Sunrise Community Health and Katherine Shaw Bethea Hospital

Evans, CO-based Sunrise Community Health has discovered the email accounts of several employees were compromised as a result of employees responding to phishing emails. The email accounts were accessed by unauthorized individuals between September 11, 2019 and November 22, 2019. Assisted by third party computer forensics experts, Sunrise Community Health determined on November 5, 2019 that the compromised email accounts contained the protected health information of certain patients. The types of data present in the email accounts varied from patient to patient and may have included names, dates of birth, Sunrise patient ID numbers, Sunrise provider names, dates of service, types of clinical examinations performed, the results of those examinations, diagnoses, medication names, and names of health insurance carriers. Sunrise Community Health does not believe the aim of the attack was to obtain patient information, but the possibility of unauthorized data access and data theft could not be ruled out. The attackers appeared to be targeting invoice and payroll information. The...

Read More
Ransomware Attack on Managed Service Provider Impacts More than 100 Dental Practices
Dec09

Ransomware Attack on Managed Service Provider Impacts More than 100 Dental Practices

A Colorado IT firm that specializes in providing managed IT services to dental offices has been attacked with ransomware. Through the firm’s systems, more than 100 dental practices have also been attacked and have had ransomware deployed on their networks. The attack on Englewood, CO-based Complete Technology Solutions (CTS) commenced on November 25, 2019. According to a report on KrebsonSecurity, CTS was issued with a ransom demand of $700,000 for the keys to unlock the encryption. The decision was taken not to pay the ransom. In order to provide IT services to the dental practices, CTS is able to logon to their systems using a remote access tool. That tool appears to have been abused by the attackers, who used it to access the systems of all its clients and deploy Sodinokibi ransomware. Some of the dental practices impacted by the attack have been able to recover data from backups, specifically, dental practices that had a copy of their backup data stored securely offsite. Many dental practices are still without access to their data or systems and are turning patients away due to...

Read More
Southeastern Minnesota Oral & Maxillofacial Surgery Ransomware Attack Impacts 80,000 Patients
Dec06

Southeastern Minnesota Oral & Maxillofacial Surgery Ransomware Attack Impacts 80,000 Patients

Southeastern Minnesota Oral & Maxillofacial Surgery (SEMOMS) has announced it has been attacked with ransomware and that the protected health information of up to 80,000 patients was potentially compromised in the attack. The attack was detected on September 23, 2019. The IT team responded and isolated the affected server and took steps to restore the encrypted data. It is unclear whether the ransom was paid or if the IT team was able to restore the server from backups. Assisted by computer forensics experts, SEMOMS determined that the affected server contained names and X-ray images and that the server had been accessed by an unauthorized individual. No evidence was uncovered to suggest any patient information was accessed or exfiltrated by the attackers, but the possibility of unauthorized ePHI access and data theft could not be discounted. Consequently, notification letters have been sent to all individuals whose protected health information was potentially compromised. Healthcare Administrative Partners Phishing Attack Impacts 17,693 Patients Healthcare Administrative...

Read More