HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Our HIPAA breach news section covers HIPAA breaches such as unauthorized disclosures of protected health information (PHI), improper disposal of PHI, unauthorized PHI access by cybercriminals and rogue healthcare employees, and other security and privacy breaches.

When known, we explain how the breach occurred, the consequences to patients that may have had their PHI compromised, and the actions being taken by the affected healthcare organization to improve safeguards to prevent further HIPAA breaches.

We also explain any actions being taken by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general in relation to those breaches.

OCR investigates all data breaches that impact more than 500 individuals to determine whether any HIPAA violations have occurred. When HIPAA Rules are discovered to have been violated, financial penalties may be deemed appropriate. It can take many months or years before any financial penalties for HIPAA breaches are decided. Financial penalties for HIPAA violations tend to be reserved for the most serious breaches of HIPAA Rules. OCR prefers to resolve cases with voluntary compliance and by issuing recommendations to bring policies in line with HIPAA Rules.

The HIPAA breach news section is particularly relevant to healthcare information security professionals, privacy officers, and other individuals who have some responsibility for HIPAA compliance.

The HIPAA breach news reports highlight common areas of non-compliance and new attack vectors used by cybercriminals to gain access to healthcare networks and PHI, the security failings that allowed them to happen, and the measures that have been implemented to prevent them from happening again.

No healthcare organization wants to experience a data breach, but when a breach does occur, lessons can be learned. HIPAA-covered entities can use these breach examples to help train their staff as well as to discover some of the methods other covered entities have adopted to improve data security.

As you will be able to see from the volume of posts in the HIPAA breach news category, healthcare data breaches occur frequently. In 2016 and 2017, healthcare data breaches were reported on an almost daily basis.

Our HIPAA breach news section is an important source of information about potential security issues that covered entities should be identifying when conducting their own risk assessments. Many of the situations in our HIPAA breach news posts could have been avoided if a risk assessment had identified a vulnerability that was later exploited to gain access to PHI.

The main purpose for adding HIPAA breach news to this website is to highlight specific aspects of HIPAA compliance that are commonly overlooked, often with serious consequences for the covered entity and patients/health plan members.

By raising awareness of the volume of healthcare data breaches, the implications of those breaches, and the penalties that can result, it is hoped that healthcare providers will take decisive action to prevent their patients’ and members’ data from being exposed.

The most recent healthcare data breach reports are listed below. If you want to find out if a specific covered entity has experienced a data breach, please use the search function in the top right-hand corner of this webpage.

Magellan Health Settles Class Action Data Breach Lawsuit for $1.43 Million
Sep29

Magellan Health has agreed to settle a class action data breach lawsuit and will create a $1.43 million fund to cover claims from patients affected by the breach. The lawsuit – Dearing v. Magellan Health Inc. et al. – was filed in the Arizona Superior Court against Magellan Health Inc. and Magellan RX Management, LLC on behalf of patients whose protected health information was exposed in a May 2019 phishing attack. Unauthorized individuals gained access to emails and email attachments that contained patients’ protected health information, including names, Social Security numbers, and health information. Approximately 273,000 individuals were affected and had their protected health information exposed. The plaintiffs alleged the defendants failed to implement appropriate cybersecurity measures to prevent unauthorized access to sensitive patient data and that, had those safeguards been implemented, the data breach would have been prevented. The plaintiffs alleged the security failures were in violation of the Health Insurance Portability and Accountability Act, although the...

Physicians Business Office Reports Data Breach Affecting 196,573 Individuals
Sep29

Physicians Business Office (PBO), a Parkersburg, WV-based provider of medical practice management and administrative services, has recently disclosed a security incident that occurred in April 2022. PBO detected unusual activity within its network and took immediate steps to isolate the affected systems and prevent further unauthorized access. A third-party computer forensics company was engaged to determine the nature and scope of the breach and assist with the incident response. The forensic investigation confirmed files were present on the compromised systems that contained the protected health information of certain individuals, including names, home addresses, dates of birth, Social Security numbers, driver’s license numbers, medical treatment and diagnosis information, disability codes, prescription information, and health insurance account information. Those files were potentially accessed and may have been copied from its systems. PBO said the review of the files on its systems took until June 30, 2022, and the affected healthcare provider clients were notified about the...

Humana Members Impacted by Choice Health Data Breach
Sep28

Humana has recently announced that the protected health information of 22,767 individuals has potentially been compromised in a security incident and data breach at one of its business associates – Choice Health – which Humana used to sell Medicare products on its behalf. On May 18, 2022, Choice Health learned that a Choice Health database was accessible over the Internet, with the investigation confirming the misconfiguration was caused by a third-party service provider. An unauthorized individual gained access to the database, removed certain database files, and threatened to publicly release the stolen data. The exposed database was detected by Choice Health on May 14, 2022, with the theft of database files identified on May 18. The unauthorized access and data theft occurred on or around May 7, 2022. Initially, it was thought that the breach was limited to Choice Health lead generation and marketing information; however, further investigations confirmed that the data of some of its carrier partners had also been compromised, including first and last names, Social...

Cyberattacks Reported by Wolfe Clinic, Reiter Affiliated Companies, & SERV Behavioral Health System
Sep27

Wolfe Clinic, P.C. in Iowa has recently confirmed that it was affected by the data breach at the electronic medical record provider, Eye Care Leaders. The attack exposed the protected health information of 542,776 current and former Wolfe Clinic patients. Wolfe Clinic used the myCare Integrity medical records platform, which was accessed by an unauthorized party on or around December 4, 2021, who deleted databases and system configuration files. A forensic investigation of the security incident was conducted but the deletion of files meant there was a lack of forensic evidence, so it was not possible to determine whether the PHI of Wolfe Clinic patients was accessed or acquired in the attack. Wolfe Clinic said names, addresses, birth dates, Social Security numbers, diagnostic information, and health insurance information were potentially compromised. At the time of issuing notifications, Wolfe Clinic had not received any reports of identity theft and fraud related to the Eye Care Leaders data breach. Affected individuals have been offered 12 months of complimentary credit monitoring...

Lubbock Heart & Surgical Hospital and NorthStar Healthcare Consulting Disclose Cyberattacks
Sep22

Lubbock Heart & Surgical Hospital in Texas has recently announced it was the victim of a hacking incident that resulted in disruption to the operations of some of its IT systems. The cyberattack was detected by the hospital on July 12, 2022, and immediate action was taken to contain the incident and prevent further unauthorized access, and forensics experts were engaged to determine the nature and scope of the attack. The investigation confirmed its systems were accessed by the attackers between July 11 and July 12, but it was not possible to determine if any files containing patient information had been accessed or copied from its systems. The files potentially accessed included patient information such as names, contact information, demographic information, dates of birth, Social Security numbers, diagnosis and treatment information, prescription information, medical record numbers, provider names, dates of service, and health insurance information. Lubbock Heart & Surgical Hospital said security safeguards and technical measures have been enhanced to prevent further...

Data Breaches Reported by Physicians’ Spine and Rehabilitation Specialists of Georgia and One Medical Inc.
Sep21

The Physicians’ Spine and Rehabilitation Specialists of Georgia (PSRSG) has notified 38,765 patients that some of their protected health information has potentially been compromised in a cyberattack that occurred on or around July 11, 2022. A team of external cybersecurity experts was engaged to assist with the investigation and remediation efforts, and its systems were successfully restored within a few days without causing any material delays to clinical care. PSRSG said numerous security measures had been implemented prior to the attack, but the attackers were able to circumvent those defenses. Steps have since been taken to enhance security to prevent similar breaches in the future. The forensic investigation confirmed the attacker had access to its systems for around a week before the intrusion was detected and blocked. It was not possible to determine which files were accessed or if any sensitive information was stolen in the attack, but the attacker claimed to have stolen sensitive data from its systems and threatened to release that information publicly. A review of the...

August 2022 Healthcare Data Breach Report
Sep19

For the third successive month, the number of healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights has fallen, with 49 breaches of 500 or more records reported in August – well below the 12-month average of 58 breaches per month. The 25.75% decrease from July 2022 was accompanied by a significant reduction in breached records, which dropped almost 30% month over month. Across the 45 data breaches, 3,741,385 healthcare records were exposed or impermissibly disclosed – well below the 5,135,953 records that were breached in August 2021, although slightly more than the 12-month average of 3,382,815 breached healthcare records per month.

Largest Healthcare Data Breaches Reported in August 2022

18 healthcare data breaches of 10,000 or more records were reported to the HHS’ Office for Civil Rights in August 2022, which have been summarized in the table below. It should be noted that the exact nature of the data breach is not always reported by the breached entity, such as if ransomware was used to encrypt files. As the table...

New York Ambulance Service Discloses Ransomware Attack and 318K-Record Data Breach
Sep19

The New York Ambulance Service, Empress EMS (Emergency Medical Services), has confirmed it was the victim of a ransomware attack. The attack was detected on July 14, 2022, and resulted in files on certain systems being encrypted. According to the company’s website notification, steps were immediately taken to contain the incident and third-party forensics experts were engaged to investigate the attack. The forensic investigation revealed the attackers first gained access to its network on May 26, 2022, and copied “a small subset of files” on July 13, 2022. Ransomware was then deployed to encrypt files on the network. A comprehensive review of the affected files confirmed they contained protected health information such as names, insurance information, dates of service, and, for some individuals, Social Security numbers. Empress EMS has reported the data breach to the HHS’ Office for Civil Rights as affecting up to 318,558 patients. Empress EMS has notified all affected individuals and has advised them to monitor their healthcare statements for accuracy and said credit...

Ambry Genetics Settles Class Action Data Breach Lawsuit for $12.25 Million
Sep15

Ambry Genetics has agreed to settle a class action lawsuit that stemmed from a breach of the protected health information of 232,772 patients. In April 2020, Ambry Genetics notified patients that some of their protected health information was stored in an email account that was accessed by an unauthorized individual over a two-day period in January 2020. Emails and attachments contained sensitive patient data such as names, diagnoses, and other medical information, with a subset of patients also having their Social Security numbers exposed. The investigation was not able to determine whether any information in the email account was exfiltrated by the attackers. A lawsuit was filed in the US District Court for the Central District of California shortly after notifications were issued that alleged Ambry Genetics had failed to implement reasonable safeguards to protect patient information and had not followed industry best practices for cybersecurity and, as a direct consequence of those failures, the protected health information of patients was compromised. The lawsuit also took...

Ransomware Attack on Medical Associates of the Lehigh Valley Affects 75K Patients
Sep14

Medical Associates of the Lehigh Valley in Pennsylvania (MATLV) has announced that it recently fell victim to a sophisticated ransomware attack on its network. The attack was detected on July 3, 2022, and immediate action was taken to contain the attack and prevent further unauthorized access to its network. Third-party forensics specialists were engaged to assist with the investigation and determine the nature and scope of the attack. MATLV said the investigation did not uncover any evidence indicating the misuse of patient information, but parts of the network that were accessed by the attackers contained files that included the protected health information of 75,628 individuals, which may have been viewed or exfiltrated in the attack. The files contained names, addresses, email addresses, birth dates, Social Security numbers, driver’s license numbers, state ID numbers, health insurance provider names, medical diagnoses, treatment information, medications, and lab results. The types of information exposed in the attack varied from patient to patient. Cybersecurity specialists...

Oakbend Medical Center Suffers Ransomware Attack
Sep13

Over the Labor Day weekend, Oakbend Medical Center in Richmond, TX, suffered a ransomware attack. The attack started on Thursday, September 1, 2022, and saw files on its network encrypted. The medical center said its IT team took all systems offline to contain the attack, and the medical center operated under lockdown procedures while the attack was investigated by the Federal Bureau of Investigation (FBI), the Cyber-Defense Campus (CYD), and the Fort Bend County Government Cyberteam. The internal IT team ensured that all patient-centric systems were secured, and cybersecurity experts from Microsoft, Dell, and Malware Protects were engaged to investigate the attack and assess the security of its systems. Once those systems were cleaned, work commenced on rebuilding those systems and restoring them in a controlled and systematic manner. Disruption is continuing to be experienced, and there have been temporary communication issues for patients, vendors, doctors, and administrators; however, at no point was patient safety at risk and the medical center continued to operate. In a...

Data Breaches Reported by Henderson & Walton Women’s Center & Genesis Health Care Inc.
Sep09

Birmingham, AL-based Henderson & Walton Women’s Center (HWWC) has recently notified 34,306 patients that some of their protected health information may have been compromised as a result of a hacker gaining access to the email account of one of its employees. HWWC said the forensic investigation of the data breach confirmed the attacker did not gain access to the email server and the breach was confined to the email account of one employee. HWWC did not disclose when the email account was compromised but said there was a delay in issuing notification letters due to the lengthy process of reviewing all emails in the account to determine the types of information and specific individuals that had been affected. That process concluded on June 24, 2022. HWWC said it had implemented encryption for all external emails, but the forensic investigation determined that stored emails may have been accessed. Those emails contained patient information such as names, dates of birth, Social Security numbers, medical information, health insurance information, driver’s license numbers, and state...

Michigan Law Firm and Medical Imaging Companies Confirm Breaches of Patient Information
Sep08

The Michigan law firm, Warner Norcross and Judd LLP, has issued notification letters to 255,160 individuals advising them about an October 2021 security breach in which files containing their personal and protected health information were potentially accessed and exfiltrated from its systems. The breach was detected on October 22, 2021. The substitute breach notification does not state when, and for how long, unauthorized individuals had access to its systems. A digital forensics firm was engaged to investigate the nature and scope of the data breach and a programmatic and manual review was conducted on files on the affected parts of its network. The review confirmed that the files contained information such as names, dates of birth, Social Security numbers, driver’s license numbers, government-issued IDs, annual compensation amounts, benefit contribution information, credit card or debit card numbers, credit card or debit card PINs, financial account or routing numbers, passport numbers, patient account numbers, health information, and life insurance policy information....

PHI Compromised in Incidents at CorrectHealth, UF Health Shands, Peter Brasseler, & Gifted Healthcare
Sep01

CorrectHealth Notifies 54,000 Patients About November 2021 Email System Breach

Alpharetta, GA-based CorrectHealth is notifying patients about a breach of its email environment. The breach was detected on November 10, 2021, with the investigation confirming several employee email accounts had been accessed by an unauthorized individual. Legal counsel for CorrectHealth said the third-party forensic investigation of the data breach concluded on January 28, 2022, and confirmed patients’ protected health information was present in the breached email accounts. A comprehensive review of the affected accounts was conducted between March 2022 and July 2022 to determine the specific information that was affected, which confirmed names, addresses, and Social Security numbers had been exposed. CorrectHealth said it is unaware of any misuse of patient information. Notification letters were sent on August 25, 2022, and complimentary credit monitoring and identity theft protection services have been offered to affected individuals. In response to the breach, CorrectHealth has implemented...

OneTouchPoint Ransomware Victim Count Increases to 2.65 Million
Sep01

The number of individuals affected by the ransomware attack on the Hartland, WI-based mailing and printing vendor, OneTouchPoint, has now increased to 2,651,396 individuals, with Common Ground Healthcare Cooperative one of the latest organizations to confirm that it has been affected. Brookfield, WI-based Common Ground Healthcare Cooperative said 133,714 of its members were affected. OneTouchPoint said it discovered the attack on April 28, 2022, when files on its systems were encrypted. A forensic investigation was launched to determine the nature and scope of the security breach, which revealed its servers were compromised on April 27, 2022, and certain files containing sensitive data were accessed. The review of those files confirmed on July 15, 2022, that they contained the sensitive information of current and former employees and data of its customers. Customers were notified about the attack on June 3, 2022. The breach involved employee information such as names, healthcare member IDs, and information provided during health assessments. Customers have reported the breach as...

Cyberattack and Data Destruction Reported by First Street Family Health
Aug31

Salida, CO-based First Street Family Health has suffered a destructive cyberattack, in which files containing patient information were exfiltrated and then deleted from its systems. This method of attack, in which data is stolen and deleted and threats are then issued to publish or sell the data if payment is not made to the attackers, but files are not encrypted using ransomware, is becoming more common. First Street Family Health said the attack was detected on July 16, 2022, with the investigation confirming that the attackers first gained access to its systems on July 5, 2022. The unauthorized access was blocked on July 16. The attackers deleted electronic medical records from June 28, 2021, to July 15, 2022, and while backups of those records had been made, the backups were also deleted so the information in those records has been lost. No evidence was found to indicate those records were stolen. Medical referral forms stored on the affected computer systems may have been viewed or acquired, but those records were successfully restored from backups. The breached records included...

EmergeOrtho & General Health System Victims of Ransomware Attacks
Aug29

EmergeOrtho, a North Carolina orthopedic practice, has recently notified 68,661 patients that some of their protected health information has been accessed by unauthorized individuals. According to EmergeOrtho’s substitute breach notice, a sophisticated ransomware attack was detected and blocked on May 18, 2022. The forensic investigation confirmed that the threat actors behind the attack had accessed files containing patients’ protected health information. A comprehensive review of all affected files confirmed on August 19, 2022, that they contained information such as first and last names, addresses, Social Security numbers, and, for certain individuals, date of birth. No medical records, treatment information, or financial information was compromised in the attack and no evidence has been identified that suggests any of the affected information has been specifically misused. EmergeOrtho said leading IT specialists were engaged to confirm the security of its network environment, steps will continue to be taken to enhance the security of its systems, and additional monitoring tools...

PHI Exposed in Cyberattacks on Methodist McKinney Hospital and Columbia River Mental Health Services
Aug25

Methodist McKinney Hospital in Texas has recently announced that its systems have been accessed by unauthorized individuals who removed files containing sensitive data from its systems. The security incident was detected on July 5, 2022, and a third-party cybersecurity firm was engaged to investigate the nature and scope of the incident. The investigation confirmed that the attackers had access to its systems between May 20, 2022, and July 7, 2022, and during that time, files were exfiltrated that contained patient data. The preliminary investigation has confirmed that the files contained names, addresses, Social Security numbers, birth dates, medical history information, medical diagnosis information, treatment information, medical record numbers, and health insurance information. The investigation into the security breach is ongoing and a detailed review of all affected files has been initiated to determine the patients affected. The breach is known to have affected patients of Methodist McKinney Hospital, Methodist Allen Surgical Center, and Methodist Craig Ranch Surgical...

Data Breaches Reported by the New Jersey Department of Health, Onyx Technologies & San Diego American Indian Health Center
Aug25

Onyx Technologies, a Largo, MD-based provider of Information Technology and Consulting Services and a vendor of Independent Care Health Plan (iCare), has recently notified 96,814 health plan members that some of their protected health information has potentially been compromised. On June 28, 2022, Onyx discovered its computer systems had been accessed by unauthorized individuals, who may have gained access to the protected health information of iCare members, including names, birth dates, addresses, phone numbers, iCare member ID numbers, Medicare ID Numbers, dates of service, and provider names. Onyx said that a review of its computer systems was immediately conducted, a security firm was engaged to assist with the investigation, and access to its systems was regained on July 7, 2022. Onyx said, “a server may have been removed or accessed beginning on March 29, 2022, and ending on June 28, 2022. On July 15, 2022, the security firm found that some information related to individuals may have been accessed.” Onyx said it found no evidence to suggest any of the affected information...

California Department of Corrections and Rehabilitation Hack Exposed Sensitive Data
Aug23

The California Department of Corrections and Rehabilitation (CDCR) has recently discovered that unauthorized individuals have gained access to one of its information systems. The compromised system contained medical information on all individuals who had been tested for COVID-19 between June 2020 and January 2022, including staff members, visitors, and other individuals, although not inmates. The information related to COVID-19 tests included name, personal address, telephone number, email, date of birth, and COVID-19 testing results. Files on the system also included the mental health information of inmates in the Mental Health Services Delivery System dating back to 2008, as well as the information of individuals on parole who were in substance use disorder treatment programs. Some of the exposed data included Social Security Numbers, driver’s license numbers, and trust account information. The data of inmates included name, CDCR number, mental health treatment, mental health history, and mental health diagnosis, and information in the Trust, Restitution, Accounting, and Canteen...

July 2022 Healthcare Data Breach Report
Aug22

In July 2022, 66 healthcare data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights, which is a 5.71% reduction from the 70 data breaches reported in June 2022 and July 2021. While the number of data breaches fell slightly from last month, data breaches are being reported at well over the average monthly rate of 57 breaches per month. For the second consecutive month, the number of exposed or impermissibly disclosed healthcare records topped 5 million. 5,331,869 records were breached across the 66 reported incidents, which is well above the 12-month average of 3,499,029 breaches a month. July saw 8.97% fewer records breached than June 2022 and 7.67% fewer than July 2021.

Largest Healthcare Data Breaches in July 2022

In July, 25 data breaches of 10,000 or more records were reported, 15 of which occurred at business associates of HIPAA-covered entities. The largest data breach was a ransomware attack on the accounts receivable management agency, Professional Finance Company. Cyberattacks on business associates can...

Cyberattacks Reported by Independent Case Management & Conifer Health Solutions
Aug18

Conifer Health Solutions Discovers Email Account Breach

Conifer Health Solutions, a Frisco, TX-based provider of revenue cycle management and other administrative services to healthcare providers, has recently discovered that an unauthorized third party gained access to a Microsoft Office 365 hosted business email account. The breach was detected during an internal review, with the subsequent investigation determining the email account was compromised on January 20, 2022. The breach was confined to a single email account, which was separate from its internal network and systems. The review of the email account was conducted between June 13 and August 3 and determined it contained the protected health information of 134,948 individuals, including full names, dates of birth, addresses, Social Security numbers, financial account information, medical and treatment information, health insurance information, and billing and claims information. The breach is known to have affected patients of at least 6 hospitals in Texas. Steps were immediately taken to prevent further unauthorized...

Florida Orthopaedic Institute Proposes $4 Million Settlement to Resolve Class Action Data Breach Lawsuit
Aug17

Florida Orthopaedic Institute has proposed a $4 million settlement to resolve claims from patients affected by a 2020 data breach. In April 2020, Musculoskeletal Institute, dba Florida Orthopaedic Institute, discovered an unauthorized third party had gained access to a server that contained patients’ protected health information (PHI) and used ransomware to encrypt files. The forensic investigation determined the PHI of 640,000 individuals had been exposed and potentially stolen in the attack, including names, contact information, birth dates, Social Security numbers, health insurance information, medical information, and other types of data. Notifications were sent to affected individuals in July 2020 and a 12-month membership to a credit monitoring service was offered to affected individuals. Shortly after sending notifications, a lawsuit – Stoll et al. v. Musculoskeletal Institute – was filed in the U.S. District Court for the Middle District of Florida that alleged Florida Orthopaedic Institute was “lackadaisical, cavalier, reckless, or in the very least, negligent” with...

Ransomware Attack on New York Billing Company Affects 942K Individuals
Aug17

Practice Resources, a Syracuse, NY, provider of billing and other professional services, has suffered a data breach involving the records of 942,138 individuals. According to the breach notification sent to the California Attorney General, Practice Resources was the victim of a ransomware attack on April 12, 2022. Assisted by third-party digital forensics experts, Practice Resources determined that there had been unauthorized access to parts of the network where the protected health information of its clients was stored and the attackers may have exfiltrated that information prior to file encryption. A review of the documents potentially affected by the attack confirmed they contained information such as names, addresses, dates of treatment, health plan numbers, and medical record numbers. Practice Resources has offered affected individuals a complimentary membership to an identity theft protection and credit monitoring service. Practice Resources said it has issued notification letters to affected individuals on behalf of 28 clients that were affected by the data breach. Achieve...

United Health Centers of San Joaquin Valley Notifies Patients About August 2021 Ransomware Attack
Aug16

In August 2021, the Vice Society ransomware operation published data on its data leak site that had allegedly been obtained in a ransomware attack on United Health Centers of San Joaquin Valley. On August 31, 2021, Bleeping Computer was made aware of the data leak and made multiple attempts to notify United Health Centers. Databreaches.net was also made aware of the data breach and similarly attempted to notify United Health Centers on multiple occasions. HIPAA Journal reported on the incident in September 2021. Almost a year on and individuals whose protected health information was exposed or stolen in the attack have been notified by United Health Centers. The breach notification provided to the California Attorney General on August 12, 2022, explains that technical difficulties were experienced by United Health Centers on August 28, 2021, which caused disruption to its computer systems. Steps were immediately taken to secure its network and systems, and an investigation was launched to determine the nature of the incident. United Health Centers said it discovered on September...

Novant Health Notifies 1.36 Million Patients About Unauthorized Disclosure of PHI via Meta Pixel Code on Patient Portal
Aug16

Novant Health has recently notified 1,362,296 patients about a breach of their protected health information due to the incorrect configuration of Meta Pixel code on its patient portal.

Code Snippet Sending Sensitive Patient Data to Meta

Earlier this year, an investigation conducted by The Markup into the use of Meta Pixel code on healthcare providers’ websites revealed 33 of the top 100 hospitals in the United States had included Meta Pixel code on their websites, and 7 of those hospitals had added the code to their password-protected patient portals. The 7 hospitals discovered by The Markup to have installed Meta Pixel on their patient portals were Community Health Network, FastMed, Edward-Elmhurst Health, Piedmont, Renown Health, WakeMed, and Novant Health. Meta Pixel is a snippet of JavaScript code that is used to track website visitors, and the information gathered is sent to Meta (Facebook), which may be used to serve targeted ads. Meta claims that organizations that use Meta Pixel are not supposed to send sensitive data. If Meta discovers it has been sent sensitive data by...

Data Breach Affects 120,000 Priority Health Plan Members
Aug12

The Michigan-based health plan provider, Priority Health, has confirmed that it has been affected by a data breach at a business associate, the law firm Warner Norcross & Judd (WNJ). WNJ identified suspicious network activity on October 22, 2021. Steps were immediately taken to prevent further unauthorized access and a digital forensics firm was engaged to assist with the investigation. That investigation confirmed that the attackers had gained access to parts of its network that contained the protected health information of approximately 120,000 members of Priority Health’s health plans. The affected information included names, pharmacy claim information from certain prescriptions filled in 2012, including drug names, prescription filling dates, and insurance provider names. WNJ said it found no evidence of misuse of plan members’ information, but the possibility of data theft could not be ruled out. WNJ said Priority Health was notified about the breach on June 6, 2022 – almost 8 months after the security incident was detected.

PHI Exposed in Attempted BEC Attack on Living...

1H 2022 Healthcare Data Breach Report
Aug11

Ransomware attacks are rife, hacking incidents are being reported at high levels, and there have been several very large healthcare data breaches reported so far in 2022; however, our analysis of healthcare data breaches reported in 1H 2022 shows that while data breaches are certainly being reported in high numbers, there has been a fall in the number of reported breaches compared to 1H 2021. Between January 1, 2022, and June 30, 2022, 347 healthcare data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) – the same number of data breaches reported in 2H, 2021. In 1H, 2021, 368 healthcare data breaches were reported to OCR, so the corresponding period this year saw 21 fewer breaches. That represents a 5.71% reduction in reported breaches. The number of healthcare records breached has continued to fall. In 1H, 2021, 27.6 million healthcare records were breached. In 2H, 2021, the number of breached records fell to 22.2 million, and the fall continued in 1H, 2022, when 20.2 million records were breached. That is a...

Zenith American Solutions Reports Mailing Error that Exposed SSNs of 37,000 Individuals
Aug10

Zenith American Solutions, a third-party administrator for the Sound Health and Wellness Trust, has recently notified individuals about a mailing error that exposed individuals’ Social Security numbers. According to the breach notification, a mailing was sent to individuals on June 24, 2022, advising them to complete their Personal Health Assessments or Health Profiles to enroll in the 2023 Health Reimbursement Account. The file used for printing the mailing labels included individuals’ full Social Security numbers, which were printed in full on the mailing labels along with full names, postal addresses, and unique ID numbers. The mailing labels also indicated an individual had enrolled in the Sound Health and Wellness Trust. Zenith American Solutions said it has implemented new quality control procedures to ensure there are no similar incidents in the future and affected individuals have been offered complimentary credit monitoring and identity theft protection services for 24 months. The breach was reported to the HHS’ Office for Civil Rights as affecting 37,146...

Salinas Valley Memorial Healthcare Settles Email Data Breach Lawsuit for $340K
Aug09

Salinas Valley Memorial Healthcare System in California has agreed to settle a class action lawsuit for $340,000 to resolve claims from patients affected by a breach of its email environment in 2020. Between April 30, 2020, and June 5, 2020, unauthorized individuals gained access to the email accounts of four employees and a contractor following responses to phishing emails. Prompt action was taken to secure its email environment, but during the 5-week period of compromise, the attacker(s) had access to emails containing sensitive patient information including names, hospital account numbers, medical record numbers, dates of service, and other information. Legal action was taken against Salinas Valley by a patient affected by the data breach. The plaintiff alleged that Salinas Valley acted unlawfully by failing to prevent the attack, did not fulfill its legal obligations to safeguard the personal and protected health information of the plaintiff and class members, and violated the California Confidential Medical Information Act, Civil Code §§ 56 et seq. Salinas Valley maintains it...

Updates on Cyberattacks on Goodman Campbell Brain and Spine and Behavioral Health Group
Aug08

Further information has been released on two cyberattacks on healthcare organizations: Goodman Campbell Brain and Spine and Behavioral Health Group.

Goodman Campbell Brain and Spine Notifies 363,000 Patients About Public Release of PHI on Dark Web

Carmel, IN-based Goodman Campbell Brain and Spine has started notifying 363,000 current and former patients that some of their protected health information was stolen prior to data being encrypted with ransomware and some of the stolen data has been published on the gang’s dark web data leak site. The cyberattack was discovered by Goodman Campbell on May 20, 2022, and a third-party digital forensics firm was engaged to determine the nature and scope of the breach. The investigation confirmed that the electronic medical record system was not affected, but files containing patients’ protected health information had been exfiltrated from its systems. The stolen files contained information such as names, birthdates, addresses, telephone numbers, email addresses, medical record numbers, patient account numbers, diagnosis and treatment...

First Choice Community Healthcare Data Breach Affects 101,000 Patients
Aug05

First Choice Community Healthcare in Albuquerque, NM, has started notifying certain patients that an unauthorized individual gained access to its network and potentially stole patient data. In a substitute breach notification, First Choice explained that unusual activity was detected within its technological environment on March 27, 2022. A third-party cybersecurity firm was engaged to conduct a forensic investigation and determine the nature and scope of the breach. While it was not possible to confirm if any files had been accessed or exfiltrated, the possibility could not be ruled out. A comprehensive review of the affected files was completed on June 3, 2022, which confirmed that the following information had potentially been compromised: names, Social Security numbers, First Choice patient ID number, diagnosis, and clinical treatment information, medications, dates of service, health insurance information, medical record number, patient account number, date of birth, and provider information. Affected individuals were notified about the breach by mail on August 1, 2022, and...

Dental Care Alliance Settles Class Action Data Breach Lawsuit for $3 Million
Aug04

Dental Care Alliance has agreed to settle a class action lawsuit filed in response to a data breach that affected more than 1.7 million individuals. A fund of $3 million has been created to cover claims from individuals affected by the breach. Dental Care Alliance, LLC, is a Sarasota, FL-based dental support organization with more than 320 affiliated dental practices across 20 states. Dental Care Alliance said its systems were compromised on September 18, 2020, the breach was detected on October 11, 2020, and was contained on October 13, 2020. The forensic investigation confirmed that names, addresses, diagnoses, treatment information, patient account numbers, billing information, dentists’ names, payment card information, and health insurance information had potentially been compromised. Individuals were notified about the breach in December 2020. The breach report submitted to the HHS’ Office for Civil Rights initially indicated 1,004,304 individuals had been affected, but it was later amended to 1,723,375 individuals. Dental Care Alliance said no specific evidence of data...

Healthback Holdings Email Security Breach Affects 21,000 Individuals
Aug04

The Oklahoma City home health provider, Healthback Holdings, has started notifying 21,114 individuals that some of their protected health information has potentially been viewed or obtained by unauthorized individuals. Unusual activity was detected within its email environment on June 1, 2022. A third-party cybersecurity firm was engaged to assist with the investigation and confirmed that a limited number of employee email accounts had been accessed by an unauthorized third party between October 5, 2021, and May 15, 2022, as a result of responses to phishing emails. It was not possible to tell which emails, if any, had been viewed, nor if any information in the accounts had been stolen. Notification letters were therefore sent to all individuals whose protected health information was present in the affected email accounts. The exposed information varied from individual to individual and may have included names, health insurance information, Social Security numbers, and clinical information. Complimentary credit monitoring and identity theft protection services are being provided to...

Fast Track Urgent Care Confirms 258,411 Individuals Affected by 2021 PracticeMax Ransomware Attack
Aug03

Fast Track Urgent Care, a network of urgent healthcare clinics in Florida, has confirmed that 258,411 individuals have had their protected health information exposed and potentially stolen in a ransomware attack on billing and practice management vendor, PracticeMax. PracticeMax said it identified suspicious activity within its network on May 1, 2021, and confirmed that ransomware was installed on its network. The billing vendor was able to recover the data on its system on May 6, 2021, with the investigation into the breach confirming that its systems had been compromised between April 17 and May 5, 2021. A server used by PracticeMax and several email accounts were affected and data on its systems was encrypted. The breach affected several of its healthcare clients, including Anthem Inc and Humana. The two health insurance firms confirmed they had been affected in late February 2022, with PracticeMax publicly reporting the breach in the fall of 2021. Fast Track Urgent Care said it was first notified about the ransomware attack by PracticeMax on May 10, 2021, but at that stage of...

326,278 Aetna ACE Members Affected by Ransomware Attack at Mailing Vendor
Aug03

The health insurer Aetna ACE is one of the latest healthcare organizations to announce it has been affected by a ransomware attack on a mailing vendor, which involved the protected health information of 326,278 plan members. Aetna said the breach was limited to individuals insured under Aetna ACE, and that no protected health information of individuals served by Aetna or CVS Health was involved. The ransomware attack affected OneTouchPoint, which provides printing and mailing services for U.S. companies, including billing vendors used by healthcare organizations. OneTouchPoint is provided with contact information and limited other data types to provide its contracted services. On April 28, 2022, OneTouchPoint discovered files had been encrypted on its systems, with the unauthorized access occurring the previous day on April 27, 2022. Third-party cybersecurity specialists were engaged to investigate the security incident and completed the investigation on June 1, 2022, but were unable to determine which specific files were exfiltrated from its systems. Affected customers were...

Data Breaches Reported by Allegheny Health Network, St. Luke’s Health System, & Goldsboro Podiatry
Aug02

St. Luke’s Health System in Boise, ID, has recently reported a data breach to the HHS’ Office for Civil Rights that has affected 31,573 patients. The breach occurred in May 2022 at Kaye-Smith, the health system’s billing vendor, and affected patients that were billed that month. The breach was discovered in June 2022 and was reported to St. Luke’s Health System on July 6, 2022. Unauthorized individuals gained access to systems at Kaye-Smith, which contained information such as patient names, insured names, addresses, phone numbers, ID numbers, dates of birth, descriptions of services, amounts billed, outstanding balances, payment due dates, account statuses, and the last five digits of Social Security numbers. Kaye-Smith is investigating the breach and is working with the FBI to better understand how the breach happened. St. Luke’s Health System said it is no longer working with the billing vendor. The investigation to date has not uncovered any evidence to suggest there has been any misuse of patient data. Affected individuals have been offered a complimentary...

Meta Facing Further Class Action Lawsuit Over Use of Meta Pixel Code on Hospital Websites
Aug01

Meta is facing another class action lawsuit over the unlawful collection and sharing of health data without consent. The lawsuit was filed in the Northern District of California on behalf of plaintiff, Jane Doe. The lawsuit alleges Meta and its companies, including Facebook, have been collecting the sensitive health data of millions of patients without obtaining express consent and have used the information to serve individuals with targeted advertisements. Jane Doe was a patient of UCSF Medical Center and Dignity Health Medical Foundation and claims her sensitive health information was unlawfully obtained by Meta when she entered the information into the UCSF Medical Center online patient portal. UCSF Medical Center had added Meta Pixel code to the web pages of the patient portal. Meta Pixel is a snippet of JavaScript code that is used to track website visitors. The code records and transmits to Meta the web pages that a user visits. If the code is present on a web page with a form, such as those used to book appointments, the selections from drop-down boxes are recorded and transmitted....

96 Senior Living and Healthcare Facilities Affected by Avamere Data Breach
Jul29

A major data breach has been reported that has affected dozens of healthcare, rehabilitation, and senior living facilities in Oregon, Washington, Nevada, Utah, Colorado, and Arizona, which are operated by companies that are part of the Wilsonville, OR-based group, Avamere Holdings. Between January 19, 2022, and March 17, 2022, an unauthorized individual gained access to a third-party-hosted network that was used by Avamere Health Services, LLC. Avamere Health Services is a business associate of the Avamere Holdings group of companies and provides information technology services. The forensic investigation of the data breach confirmed that the individuals behind the attack exfiltrated files from its systems that contained the information of employees and patients, including names, addresses, dates of birth, driver’s license or state identification numbers, Social Security numbers, claims information, financial account numbers, medications information, lab results, and medical diagnosis/conditions information. The exact nature of the cyberattack was not disclosed in the substitute...

IBM: Average Cost of a Healthcare Data Breach Reaches Record High of $10.1 Million
Jul28

The average cost of a healthcare data breach has reached double digits for the first time ever, according to the 2022 Cost of a Data Breach Report from IBM. The average cost of a healthcare data breach jumped almost $1 million to a record high of $10.1 million, which is 9.4% more than in 2021 and 41.6% more than in 2020. Across all industry sectors, the average cost of a data breach was up 2.6% year over year at $4.35 million, which is the highest average cost in the 17 years that IBM has been producing its annual cost of a data breach reports and 12.7% higher than in 2020. The report is based on a study of 550 organizations in 17 countries and regions and 17 different industry sectors that suffered data breaches between March 2021 and March 2022. For the report, IBM Security conducted more than 3,600 interviews with individuals in those organizations. 83% of organizations represented in the report have experienced more than one data breach, and 60% of organizations said the data breach resulted in them having to increase the price of their products and services. Summary of 2022...

Recent Hacks, Malware, and Device Theft Incidents Affect 208,000 Individuals
Jul26

A round-up of data breaches that have recently been reported to the HHS’ Office for Civil Rights and state Attorneys General.

Californian EHR Vendor Reports Breach of 77,652 Records

Further information has been obtained on a data breach reported to the HHS’ Office for Civil Rights on June 2, 2022, by Clinivate, a Pasadena, CA-based provider of EHR solutions for behavioral health agencies and schools. According to a breach notification to the California Attorney General, unusual activity was detected in its digital environment on March 23, 2022. A forensic investigation confirmed that an unauthorized third party had gained access to its network, and on May 25, 2022, it was determined that files containing the protected health information of individuals were accessed by that third party between March 12, 2022, and March 21, 2022. The files included the protected health information of 77,652 individuals, including names, medical record numbers, health plan beneficiary numbers, treatment information, diagnosis information, other medical information, and information about payments for...

Tenet Healthcare Cyberattack Had a $100 Million Unfavorable Impact in Q2, 2022
Jul25

A cyberattack and data breach cost Tenet Healthcare $100 million in lost revenue and mitigation costs in Q2, 2022. Dallas, TX-based Tenet Healthcare is one of the largest healthcare providers in the United States, running 65 hospitals and more than 450 healthcare facilities across the United States through its brands and subsidiaries. In April 2022, Tenet experienced a cyberattack that caused major disruption to its IT systems and acute care operations for several weeks. The attack forced staff to work with pen and paper during the recovery period, and at least one of the affected hospitals had to temporarily divert ambulances to other facilities. The attack also disrupted its phone system, with doctors forced to leave the premises to make phone calls. The cyberattack affected at least two hospitals and started on April 20, 2022. Tenet did not publicly release details of the attack, such as if it involved ransomware. According to Tenet’s Q2 2022 earnings report, the attack has had a $100 million unfavorable EBITDA (earnings before interest, taxes, depreciation, and...

Benson Health Notifies 28,913 Patients About May 2021 Data Breach
Jul22

Benson Health in North Carolina has recently started notifying 28,913 patients that some of their protected health information was potentially accessed or acquired in a cyberattack that was detected on May 5, 2021. Benson Health said an investigation was immediately launched when the breach was detected, and a specialist cybersecurity and data privacy law firm and third-party forensic specialists were engaged to assist with the investigation. The investigation confirmed that a data set had been exposed and was potentially stolen by the attacker. Data mining experts were retained to perform a comprehensive review of the affected information, which confirmed on July 7, 2022, that the dataset included names, birth dates, Social Security numbers, and health and treatment information. Notification letters were sent to affected individuals on July 12, 2021, more than 14 months after the data breach was first detected. Affected individuals have been offered Single Bureau Credit Monitoring/Single Bureau Credit Report/Single Bureau Credit Score services at no charge for 12 months. Business...

Department of Justice Announces Seizure of $500,000 in Ransom Payments Made by U.S. Healthcare Providers
Jul21

The U.S. Department of Justice has announced that around $500,000 in Bitcoin has been seized from North Korean threat actors who were using Maui ransomware to attack healthcare organizations in the United States. The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) recently issued a security alert warning that North Korean hackers have been targeting the healthcare and public health sector in the United States using Maui ransomware since at least May 2021. The attacks have caused extensive disruption to IT systems and medical services and have put patient safety at risk. The new ransomware variant was discovered during an investigation of a ransomware attack on a hospital in Kansas in May 2021. The attack was traced to a North Korean hacking group that is suspected of receiving backing from the state. The Kansas hospital had its servers encrypted, preventing access to essential IT systems for more than a week. The hospital paid a ransom of $100,000 for the keys to decrypt files and regain access to its servers and promptly...

The Methodist Hospitals, Inc. Settles Class Action Data Breach Lawsuit for $425,000
Jul21

The Methodist Hospitals Inc. has agreed to settle a class action lawsuit and has created a fund of $425,000 to cover claims from victims of a 2019 data breach that affected almost 70,000 current and former patients. The Gary, IN-based healthcare provider reported an email security incident to the HHS’ Office for Civil Rights on April 4, 2019, that resulted in the exposure and potential theft of the protected health information of 68,039 patients. The investigation confirmed hackers gained access to two employee email accounts between March 13, 2019, and July 8, 2019, following responses to phishing emails and potentially exfiltrated patient information such as names, addresses, birth dates, Social Security numbers, driver’s license numbers, Medicare/Medicaid numbers, usernames, passwords, treatment and diagnosis information, and payment card information. A lawsuit – Jones v. The Methodist Hospitals, Inc. – was filed in the Harris County District Court in Texas in the wake of the data breach that alleged The Methodist Hospitals was negligent for failing to adequately protect...

June 2022 Healthcare Data Breach Report
Jul20

June 2022 saw 70 healthcare data breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) – two fewer than May and one fewer than June 2021. Over the past 12 months, from July 2021 to June 2022, 692 large healthcare data breaches have been reported and the records of 42,431,699 individuals have been exposed or impermissibly disclosed. The past two months have seen data breaches reported at well over the 12-month average of 57.67 breaches a month. The past 6 months have seen data breaches reported at similar levels to the second half of 2021 (345 in 1H 2022 v 347 in 2H 2021), but data breaches are down 6.25% from the first half of 2021 (368 in 1H 2021 v 345 in 1H 2022). For the third successive month, the number of exposed or compromised records has increased. In June, 5,857,143 healthcare records were reported as breached. That is the highest monthly total so far in 2022. June saw 32.48% more records breached than the previous month and 65.64% more than the monthly average over the past 12 months. While huge numbers of...

BJC Healthcare Settles Data Breach Lawsuit Stemming from 2020 Phishing Attack
Jul20

BJC HealthCare has agreed to settle a class action lawsuit to resolve claims it failed to adequately protect patient data from phishing attacks. The nonprofit St. Louis-based hospital system reported a breach of its email system to the HHS’ Office for Civil Rights on May 5, 2020, that affected 287,876 individuals. The investigation confirmed that three email accounts had been compromised in March 2020 as a result of responses to phishing emails. While data theft could not be determined, the affected email accounts contained the protected health information of patients of 19 of its hospitals, including names, birth dates, health insurance information, Social Security numbers, driver’s license, and healthcare data. The lawsuit, filed in the Circuit Court of the City of St. Louis State of Missouri, originally included 10 counts against the defendants and survived two motions to dismiss, with the lawsuit allowed to proceed on 8 of the 10 counts: unjust enrichment, breach of contract, negligence, negligence per se, breach of covenant of good faith and fair dealing, vicarious liability,...

Oklahoma State University Settles HIPAA Case with OCR for $875,000
Jul15

The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has announced that Oklahoma State University – Center for Health Sciences (OSU-CHS) has agreed to settle a HIPAA investigation stemming from a web server hacking incident and has agreed to pay a financial penalty of $875,000 to resolve potential violations of the HIPAA Privacy, Security, and Breach Notification Rules. OSU-CHS is a public land-grant research university that provides preventive, rehabilitative, and diagnostic care in Oklahoma. OCR launched a HIPAA investigation after receiving a breach report on January 5, 2018, in response to the hacking of an OSU-CHS web server. OSU-CHS determined that malware had been installed on the server which allowed the hacker(s) to access the electronic protected health information of 279,865 individuals. The information exposed and potentially obtained by an unauthorized third party included names, Medicaid numbers, healthcare provider names, dates of service, dates of birth, addresses, and treatment information. OSU-CHS initially declared that the data breach...

Carolina Behavioral Health Alliance Reports Breach of the PHI of 130,000 Health Plan Members
Jul14

The Winston-Salem, NC-based managed behavioral health organization, Carolina Behavioral Health Alliance (CBHA), the administrator of behavioral health benefits for Wake Forest University and Wake Forest Baptist Medical Center, has recently announced it was the victim of a ransomware attack. The attack was detected on March 20, 2022, and resulted in computer systems being disabled. The forensic investigation of the incident confirmed the attackers had access to its systems between March 19 and March 20 and may have viewed or obtained the sensitive data of 130,000 health plan members and their dependents, including names, addresses, health plan ID numbers, genders, and Social Security numbers. To date, no reports have been received to indicate there has been any actual or attempted misuse of patient data. CBHA said it has implemented additional safeguards to better protect the data of health plan members in the future and has offered affected individuals access to single bureau credit monitoring, credit reporting, and credit score services for 24 months. ATC Healthcare Announces Email Data...

Tenet Healthcare Sued Over Data Breach; San Francisco Settles Data Breach Lawsuit
Jul14

Tenet Healthcare and Baptist Health are facing a class action lawsuit over a recently reported data breach that affected 1.2 million patients. The breach was detected on April 20, 2022, with the forensic investigation confirming an unauthorized third party had accessed the IT networks of Baptist Medical Center or Resolute Health Hospital between March 31 and April 24, 2022, and removed files containing sensitive patient data. The information potentially compromised included names, addresses, Social Security numbers, health insurance information, medical information, and billing and claims data. Tenet Healthcare issued a public notification about the cyberattack and data breach on April 26, 2022, while the investigation into the breach was ongoing. Notifications were sent to affected individuals in mid-June, less than two months after the discovery of the cyberattack. Affected individuals were offered complimentary credit monitoring and identity theft protection services. The lawsuit was filed in Dallas County and names Texas resident Troy Contreras as the lead plaintiff. The...

Associated Eye Care Partners Issues Notifications About December 2020 Data Breach
Jul12

Montana-based Associated Eye Care Partners (AECP) has recently started notifying patients that their private health information was compromised in a data breach at a business associate that was detected in early December 2020. The data breach in question occurred at Netgain Technologies, which provided managed IT services to many organizations in the healthcare sector. Netgain Technologies experienced a ransomware attack in which files containing sensitive data were stolen. Netgain paid the ransom to prevent any further disclosure of the stolen data and received assurances from the ransomware gang that the stolen data had been deleted. Netgain Technologies notified affected healthcare clients in January 2021, and those entities started to issue notification letters to affected patients over the next couple of months. While some affected healthcare clients took longer to issue notifications, it has now been 18 months since Netgain started notifying affected clients. According to the AEC notification letter – dated July 8, 2022 – “Upon notification by Netgain to AEC, we worked...

Patient Information Compromised at Phoenixville Hospital, Family Practice Center, and Southwest Health Center
Jul11

Phoenixville Hospital Fires Employee for HIPAA Violation

Phoenixville Hospital in Pennsylvania has recently fired an employee for accessing the medical records of patients without authorization. According to the hospital operator, Tower Health, the unauthorized access was discovered during a routine audit of medical record access logs. An employee was discovered to have accessed the medical records of 934 patients without authorization between October 2021 and May 2022, when there was no legitimate work reason for viewing those records. When the privacy violation was discovered, the employee was immediately suspended pending an internal investigation and was later fired for the HIPAA breach. The employee viewed names, addresses, dates of birth, appointment dates, diagnoses, vital sign information, medications, test results, and physicians’ notes. Some of the accessed records included partial Social Security numbers and health insurance information. Tower Health said additional training has been provided to the workforce regarding patient privacy and the accessing of medical...

Health Aid of Ohio Settles Class Action Data Breach Lawsuit
Jul11

Health Aid of Ohio has agreed to settle a class action lawsuit to resolve claims that it failed to protect the sensitive personal information of its customers. Health Aid of Ohio is a Parma, OH-based full-service home medical equipment provider. On February 19, 2021, Health Aid discovered hackers had gained access to its network and viewed and removed files containing sensitive customer information. The files contained information such as name, telephone number, Social Security number, date of birth, medical diagnosis, insurance information, and the type of equipment that was delivered or repaired. Notifications were issued to affected customers in May 2021. The data breach affected 141,149 individuals. A lawsuit was filed on behalf of affected individuals, which alleged Health Aid had failed to implement reasonable cybersecurity measures to ensure the confidentiality of customer data. The lawsuit alleged negligence, unjust enrichment, invasion of privacy, and other claims. Health Aid admitted no wrongdoing but decided to settle the lawsuit to resolve all claims related to the data...

Security Breaches Reported by Benefit Plan Administrators and The People Concern
Jul08

Roanoke, VA-based Benefit Plan Administrators Inc., has recently notified 3,775 individuals that an unauthorized individual gained access to its network and removed files that contained some of their protected health information. It is unclear from the breach notification letters when the incident occurred, but the forensic investigation concluded on March 15, 2022, and the notification letters were sent to affected individuals on or around June 15. Benefit Plan Administrators said the following types of information were in the files that were removed from its systems: full names, addresses, dates of birth, Social Security numbers, gender classification, claims information, medications information, and medical diagnosis/conditions information. The breach was reported to the HHS’ Office for Civil Rights as four separate incidents. Employees of Alpha Natural Resources Non-Union VEBA Trust and Williamson Employment Services, Inc. are known to have been affected. No evidence was found to indicate any of the removed information has been misused. Complimentary credit monitoring services...

Patient Privacy Violated in Incidents at VCU Health and Cheyenne Regional Medical Center
Jul08

A lengthy privacy violation has been detected by Virginia Commonwealth University Health System (VCU Health) that potentially started on January 4, 2006. According to the substitute breach notification on the VCU Health website, transplant donor information had been included in the medical records of certain transplant recipients, and transplant recipient information had also been included in the medical records of transplant donors. When donors, recipients of transplants, or their representatives logged into the patient portal to view their medical records, they would have been able to view information about the donor/recipient. It is also possible that the information was provided to individuals who exercised their right under HIPAA to obtain a copy of their health information. In each case, the exposed information was not accessible to the public, only to specific transplant donors and recipients. The privacy issue was detected by VCU Health on February 7, 2022, with the subsequent investigation confirming that additional information may also have been viewable, which included...

Data Breaches Reported by University Pediatric Dentistry, OrthoNebraska, Michigan Avenue Immediate Care
Jul05

University Pediatric Dentistry in Buffalo, NY, has started notifying 6,843 patients that some of their protected health information has been exposed in an email security incident. The email system was immediately secured when the breach was detected, with the forensic investigation confirming that two email accounts had been accessed by an unauthorized third party between January 12, 2022, and January 19, 2022. University Pediatric Dentistry said it learned on April 25, 2022, that emails and attachments in the compromised accounts contained patient data, and information had potentially been viewed or obtained. The compromised information included patient names, contact information, dates of birth, Social Security numbers, driver’s license numbers, government identification numbers, treatment and diagnosis information, provider names, medical record numbers, patient account numbers, prescription information, dates of service and/or health insurance information. A limited number of patients also had financial account information exposed. Individuals who had their Social Security...

657 Healthcare Providers Affected by Ransomware Attack on Professional Finance Company
Jul04

A major data breach has been reported by the Greeley, CO-based accounts receivable management company, Professional Finance Company Inc. (PFC), which is believed to have affected 657 of its healthcare provider clients. According to the PFC website, the company is one of the nation’s leading debt recovery agencies, and its client list includes many healthcare providers, retailers, financial organizations, and government agencies. According to the company’s substitute breach notice, a sophisticated ransomware attack was detected and blocked on February 26, 2022; however, not in time to prevent some of its computer systems from being disabled. Third-party forensics specialists were engaged to investigate the breach and provide assistance with securing its environment. That investigation confirmed that an unauthorized third party had access to systems that contained information about patients of its healthcare provider clients, and files containing patient data were accessed. PFC said it sent notification letters to all affected healthcare provider clients on May 5, 2022, and has since...

Fitzgibbon Hospital, Diskriter, Christiana Spine Center Suffer Ransomware Attacks
Jun29

On June 25, 2022, a spokesperson for a threat group called DAIXIN Team contacted HIPAA Journal to share information about a ransomware attack and data theft incident at Fitzgibbon Hospital in Marshall, Missouri. A link was shared to a dark web resource where data stolen in the attack has been published. The published data includes database tables from the MEDITECH database, and sensitive documents containing patient data stolen from internal servers. In total, 40GB of data was stolen in the attack and included names, dates of birth, medical record numbers, patient account numbers, Social Security numbers, and medical and treatment information. DAIXIN Team was previously not known to HIPAA Journal and appears to be a new ransomware group. Further information on the group and the attack has been obtained by databreaches.net and confirmed through a shared chat log that a representative for Fitzgibbon Hospital had made contact with DAIXIN Team to negotiate the ransom payment, but no payment has been made to date. There is currently no breach notice on the Fitzgibbon Hospital website,...

Multiple Email Accounts Compromised at Covenant Care California and Bergen’s Promise
Jun29

Aliso Viejo-based Covenant Care California, an operator of skilled nursing facilities and a provider of home health services in California and Nevada, has announced that an unauthorized third party has gained access to its email system, and potentially viewed or obtained electronic protected health information. Suspicious activity was detected in an employee’s email account in February 2022, with the subsequent investigation confirming multiple employee email accounts had been accessed between February 24 and March 22, 2022. The accounts contained data related to its home health services, which were provided under the following names: Focus Health, RehabFocus Home Health, Elevate Health Group, Choice Home Health, and San Diego Home Health. A review of the accounts was completed on March 27, 2022, and confirmed protected health information was present in the email accounts, which for most individuals included names, medical information, and health insurance information. A subset of individuals also had their date of birth, Social Security number, driver’s license number, and/or other...

GAO: HHS Should Establish Mechanism for Obtaining Feedback on HIPAA Data Breach Reporting Process
Jun28

The Government Accountability Office (GAO) has recommended that the Department of Health and Human Services (HHS) establish a feedback mechanism to improve the effectiveness of its data breach reporting process. The Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009, called for the Secretary of the HHS to create and maintain a list of data breaches involving the unsecured protected health information of 500 or more individuals on its website. The HHS’ Office for Civil Rights (OCR) Breach Portal includes breaches of the personally identifiable protected health information (PHI), such as unauthorized access and disclosures, exposures, and the loss and theft of PHI. The number of reported data breaches has been increasing each year, with 2021 seeing 714 data breaches of 500 or more records reported to OCR. GAO explained in its report that between 2015 and 2021, the number of individuals affected by healthcare data breaches at healthcare providers, health plans, healthcare clearinghouses, and business...

Texas Tech University Health Sciences Center and Baptist Health Report Data Breaches of Over 1.2 Million Records
Jun24

Texas Tech University Health Sciences Center has confirmed that the protected health information of 1,290,104 patients was compromised in a data breach at its electronic medical record vendor, Eye Care Leaders. Eye Care Leaders said it detected a breach on Dec. 4, 2021, and disabled the affected systems within 24 hours. Texas Tech University Health Sciences Center said it received the final results of the forensic investigation on April 19, 2022. The compromised information included the following data elements: name, address, phone numbers, driver’s license number, email, gender, date of birth, medical record number, health insurance information, appointment information, social security number, as well as medical information related to ophthalmology services. No evidence of data exfiltration was found. Over the past few weeks, the number of eye care providers known to have been affected by the Eye Care Leaders data breach has been growing. At least 23 eye care providers have confirmed they have been affected and the protected health information of more than 2 million patients is...

5 Security Breaches Reported in Which PHI was Potentially Compromised
Jun24

Patient Information Potentially Compromised in Atrium Health Phishing Attack

A phishing incident has been reported by Charlotte, NC-based Atrium Health that exposed the protected health information of 6,695 patients who used its home health service, Atrium Health at Home. On April 7, 2022, an employee responded to a phishing email and disclosed credentials for an email and messaging account. The breach was detected on April 8 and the unauthorized access was immediately blocked. Between April 7 and April 8, the unauthorized third party used the account to send other phishing emails, which suggests that obtaining patient information stored in the account was not the aim of the attack, although it was not possible to determine if any patient information was viewed or obtained. A review of the emails, messages and attachments in the account revealed they contained patients’ full names, home addresses, birth dates, health insurance information, and medical information (such as medical record number, dates of service, provider and facility and/or diagnosis and treatment information). A...

University of Pittsburgh Medical Center Settles Data Breach Lawsuit for $450,000
Jun23

University of Pittsburgh Medical Center has agreed to settle a class action data breach lawsuit and will make $450,000 available to cover claims from individuals who have suffered losses due to the theft and misuse of their protected health information. The data breach affected approximately 36,000 patients and saw their protected health information accessed and stolen by an unauthorized third party between April 2020 and June 2020. The breach occurred at UPMC’s legal counsel, Charles J. Hilton PC, (CJH), which provided billing-related services. The compromised data was stored within the firm’s email environment and included names, birth dates, Social Security numbers, financial information ID numbers, signatures, insurance information, and medical information. The data breach was detected in June 2020; however, notifications were not sent to affected individuals until December 2020. While many speculative lawsuits are filed against healthcare organizations and their business associates over the exposure of patient data, in this case, the plaintiff was defrauded soon after the...

5 HIPAA-Regulated Entities Announced Hacking Incidents that Exposed PHI
Jun22

PHI of Almost 69,000 Individuals Compromised in Hacking Incident at Comstar

Comstar, a Rowley, MA-based provider of ambulance billing, collection, ePCR Hosting, and client/patient services, has discovered an unauthorized third party gained access to some of its servers which housed files that contained individuals’ personally identifiable and protected health information. Some of those files were confirmed as having been viewed. The substitute breach notice did not state when the breach occurred, but it was detected on or around March 26, 2022. A review of the affected files confirmed they contained information such as names, dates of birth, medical assessment and medication information, health insurance information, and Social Security numbers. Comstar said it already had strict security measures in place, a review has been conducted of its policies and procedures relating to data security, and measures will be taken to further protect against similar incidents in the future. No evidence of data theft or misuse of individuals’ information was identified; however, as a...

May 2022 Healthcare Data Breach Report
Jun21

May 2022 saw a 25% increase in healthcare data breaches of 500 or more records. 70 data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) in May 2022, which is the highest monthly total this year and well above the 12-month average of 56.75 data breaches per month. This level of reported data breaches has not been seen since June 2021. Across those data breaches, the records of 4,410,538 individuals were exposed, stolen, or impermissibly disclosed, which is more than twice the number of records that were breached in April, and almost 40% higher than the average number of records breached each month over the past 12 months.

Largest Healthcare Data Breaches Reported in May 2022

In May 2022, there were 31 reports of healthcare data breaches that involved the records of more than 10,000 individuals. The largest breach to be reported affected the HIPAA business associate, Shields Health Care Group, which provides MRI and other imaging services in New England. The exact nature of the attack was not disclosed, but...

Central Florida Inpatient Medicine Email Security Incident Reported
Jun20

Lake Mary, FL-based Central Florida Inpatient Medicine (CFIM) has recently discovered that the email account of an employee has been accessed by an unauthorized individual, who may have viewed emails and files containing patients’ protected health information. The substitute breach notice states that CFIM learned that the email account contained sensitive patient data on May 5, 2022; however, the email account was breached between August 21, 2021, and September 17, 2021. The delay in issuing notifications to affected individuals was due to “an extensive forensic investigation and comprehensive and time-consuming manual document review.” The review revealed the emails and attachments included information such as names, dates of birth, medical information including diagnosis and/or clinical treatment information, physician and/or hospital name, dates of service, and health insurance information. A limited number of Social Security numbers, driver’s license numbers, financial account information, and usernames and passwords were also exposed. CFIM said no evidence was found to...

Data Theft Incidents Reported at MCG Health, Choice Health, & Goodman Campbell Brain and Spine
Jun15

MCG Health Announces Data Theft Incident Affecting 1.1 Million Individuals

MCG Health in Seattle, WA, a provider of patient care guidelines to healthcare providers and health plans, started notifying patients and members of MCG customers that an unauthorized party has obtained some of their protected health information. According to the breach notice on the MCG website, MCG determined on March 25, 2022, that an unauthorized individual had obtained data that matched data on its systems, including names, Social Security numbers, medical codes, postal addresses, telephone numbers, email addresses, dates of birth, and gender. MCG Health has advised affected individuals to review their account statements and monitor their free credit reports for signs of misuse of their information. The substitute breach notice on the MCG Health website does not explain the nature of the attack, how much data was stolen, how MCG Health learned that data had been stolen, or when the data theft incident occurred. A lawsuit filed against MCG Health alleges hackers first gained access to its systems in...

Kaiser Permanente Reports Email System Breach and Exposure of 70,000 Individuals’ PHI
Jun14

Kaiser Permanente, one of the largest nonprofit health plan and healthcare providers in the United States, has reported a breach of its email system. Kaiser Permanente provides healthcare services to more than 12.5 million patients in 8 states and D.C. but said this breach only affected around 70,000 members of the Kaiser Foundation Health Plan of Washington. Kaiser Permanente said it was alerted to a security incident involving its email system on April 5, 2022. The email account of an employee was confirmed as being accessed by an unauthorized party, and immediate action was taken to secure the account to prevent further unauthorized access. Kaiser Permanente said the account was shut down and secured within hours. An investigation was launched to determine the nature and scope of the security breach and it was confirmed that the incident was limited to a single account; however, that account contained emails and attachments that included the protected health information of certain health plan members. The types of information exposed in the breach included patients’ first and...

700,000 Patients Affected by Yuma Regional Medical Center Ransomware Attack
Jun13

Yuma Regional Medical Center (YRMC) in Arizona has announced it was the victim of a ransomware attack in April in which the attackers obtained the protected health information (PHI) of 737,448 current and former patients. According to the recent YRMC announcement, the attack was detected on April 25, 2022, which affected some of its IT systems. YRMC said immediate action was taken to contain the attack, and systems were taken offline to prevent further unauthorized access. Law enforcement was notified, and a third-party computer forensics firm was engaged to assist with the investigation and determine the nature and scope of the attack. The investigation confirmed that the attackers gained access to its systems between April 21 and April 25, 2022, and, prior to file encryption, a subset of files were exfiltrated from its systems. YRMC said it is working with security experts to bring its systems back online as quickly as possible. Throughout the attack, its facilities remained open and operated using established backup processes and downtime procedures, which did result in some...

Data Breaches Reported by Aesto Health and Motion Picture Industry Health Plan
Jun09

Aesto Health, a Birmingham, AL-based software company that provides solutions to help healthcare enterprises and medical providers exchange, organize, and protect patient information, has announced it recently experienced a cyberattack that caused disruption to certain internal IT systems. The security breach was detected on March 8, 2022, and steps were immediately taken to prevent further unauthorized access to its systems. A third-party computer forensics company was engaged to assist with the investigation, which confirmed that an unauthorized individual had access to the affected systems from December 25, 2021, to March 8, 2022. During that time frame, certain files were exfiltrated from a backup storage device, which included radiology reports from Osceola Medical Center (OMC) in Wisconsin. A review of the affected files confirmed they contained patients’ protected health information, including names, dates of birth, physician names, and report findings related to radiology imaging at OMC. No Social Security numbers or financial information were viewed or stolen, and OMC...

Email Account Breaches Reported by Allaire Healthcare Group and Platinum Hospitalists
Jun09

Allaire Healthcare Group and Platinum Hospitalists have recently announced that an unauthorized individual has gained access to an employee email account and potentially viewed or copied patient data.

PHI Potentially Compromised in Email Account Breach at Allaire Healthcare Group

Freehold, NJ-based Allaire Healthcare Group, which runs five residential healthcare facilities in the tri-state area that provide subacute care, dementia care, and respite care, has discovered an unauthorized individual has gained access to the email account of one of its employees. Suspicious activity was detected in the employee’s email account on November 24, 2021. Prompt action was taken to secure the account and its email system and to prevent further unauthorized access. The forensic investigation confirmed the breach was limited to a single email account that was accessed by an unauthorized individual between November 10, 2021, and November 24, 2021. A programmatic and manual review of the affected email account was completed on March 18, 2022. The review confirmed the email account contained the...

2 Million Patients Affected by Shields Health Care Group Cyberattack
Jun07

The protected health information of up to 2 million individuals has potentially been compromised in a Shields Health Care Group cyberattack. Massachusetts-based Shields Health Care Group provides ambulatory surgical center management and medical imaging services throughout New England. On March 28, 2022, suspicious activity was detected within its network. Immediate action was taken to secure its network and prevent further unauthorized access, and third-party forensics specialists were engaged to assist with the investigation and determine the nature and scope of the security breach. The forensic investigation determined that an unauthorized actor had access to certain Shields systems between March 7, 2022, and March 21, 2022. Shields said a security alert had been triggered on March 18, 2022, which was investigated, but at the time it did not appear that there had been a data breach. It has since been confirmed that during that period of access, certain data was removed from its systems. Shields said it has not been made aware of any cases of actual or attempted misuse of patient...

Healthcare Ransomware Attacks Increased by 94% in 2021
Jun06

Ransomware attacks on healthcare organizations increased by 94% year over year, according to the 2022 State of Ransomware Report from cybersecurity firm Sophos. The report is based on a global survey of 5,600 IT professionals and included interviews with 381 healthcare IT professionals from 31 countries. This year’s report focused on the rapidly evolving relationship between ransomware and cyber insurance in healthcare. 66% of surveyed healthcare organizations said they had experienced a ransomware attack in 2021, up from 34% in 2020, and the volume of attacks increased by 69%, which was the highest of all industry sectors. Healthcare had the second-highest increase (59%) in the impact of ransomware attacks. According to the report, the number of healthcare organizations that paid the ransom has doubled year over year. In 2021, 61% of healthcare organizations that suffered a ransomware attack paid the ransom – the highest percentage of any industry sector. The global average was 46%, which is almost twice the percentage of the previous year. Paying the ransom may help healthcare...

FBI Thwarted ‘Despicable’ Cyberattack on Boston Children’s Hospital
Jun03

In 2021, the Federal Bureau of Investigation (FBI) helped Boston Children’s Hospital mitigate a cyberattack by Iranian state-sponsored hackers before any damage could be caused. FBI Director, Christopher Wray, said the attempted cyberattack was “one of the most despicable cyberattacks I have ever seen.” Speaking at Boston College for the Boston Conference on Cyber Security, Wray said Iranian state-sponsored hackers exploited a vulnerability in a popular software solution made by the Californian cybersecurity vendor Fortinet. The FBI was alerted to the breach and the pending attack by another intelligence agency and notified the hospital on August 3, 2021. Wray said the FBI met with representatives of the hospital and provided information that helped the hospital identify and mitigate the threat. Wray said this was “a great example of why we deploy in the field the way we do, enabling that kind of immediate, before-catastrophe-strikes response,” and explained that the incident should serve as a reminder to all healthcare organizations to ensure they have an incident...

Data Breaches Reported by Alameda Health System, Aon, and Capsule Pharmacy
Jun03

Alameda Health System in California, Capsule pharmacy in New York, and Aon PLC in Illinois have recently reported data breaches affecting a total of 56,290 individuals.

Alameda Health System Notifying 90,000 Patients About PHI Breach

Oakland, CA-based Alameda Health System has recently reported a data breach to the Department of Health and Human Services’ Office for Civil Rights that has affected up to 90,000 patients. Limited information has been released so far on the nature of the breach. Alameda Health System said suspicious activity was detected in the email accounts of certain employees with the investigation confirming several employee email accounts had been accessed by an unauthorized third party. The review of those accounts confirmed they contained the protected health information of patients, although it is currently unclear to what extent patient information has been compromised. Alameda Health System said no evidence has been found that suggests any information in the accounts has been viewed or removed. Notification letters will be sent to affected individuals...

PHI Potentially Compromised in Security Incidents at Allwell Behavioral Health Services and WellDyneRx
Jun02

Allwell Behavioral Health Services in Zanesville, OH, has announced that a computer system used to store quality assurance information related to the treatment of patients has been accessed by an unauthorized individual. The unauthorized access was detected on March 5, 2022, with the subsequent forensic investigation determining the system was breached on March 2, 2022. The breach investigation concluded in late April and determined that it was likely that files containing sensitive information had been copied in the attack, although at the time of issuing notifications to affected individuals there had been no reports of any actual or attempted misuse of patient data. The types of information in the files varied from patient to patient and may have included information such as names, dates of birth, Social Security numbers, phone numbers, treatment activity, treatment provider, treatment date, treatment location, and payer information. According to the breach summary on the HHS’ Office for Civil Rights website, 29,972 patients have been affected. Complimentary identity theft...

Email Accounts Compromised at BJC HealthCare & Cooper University Health Care
May31

BJC HealthCare, a non-profit healthcare organization based in St. Louis, MO, has started notifying certain patients that some of their protected health information was stored in email accounts that were accessed by an unauthorized individual. The investigation confirmed that a small number of email accounts of physicians and general practitioners had been accessed between March 4 and March 28, 2022. The forensic investigation did not determine whether emails and attachments had been viewed or copied, but unauthorized data access and theft could not be ruled out. A comprehensive review of the email accounts confirmed they contained names, dates of birth, medical record numbers, and clinical information such as performance dates, diagnoses, provider names, and/or treatment locations. A limited number of patients also had their health insurance information, driver’s license numbers, and/or Social Security numbers exposed. Individuals who had either their driver’s license number or Social Security number exposed can take advantage of the complimentary credit monitoring and identity...

New York Judge Dismisses Class Action PACS Data Breach Lawsuit for Lack of Standing
May27

A class action lawsuit filed against NorthEast Radiology PC and Alliance HealthCare Services over a data breach that exposed the protected health information of more than 1.2 million individuals has been dismissed by a New York Federal Judge for lack of standing. The lawsuit was filed in July 2021 on behalf of plaintiffs Jose Aponte II and Lisa Rosenberg, whose protected health information was exposed as a result of a misconfiguration of the companies’ Picture Archiving Communication System (PACS), which contained medical images and associated patient data. In late 2019, security researchers identified the exposed data and notified the affected companies, which included Northeast Radiology and its vendor, Alliance HealthCare Services. According to the lawsuit, more than 61 million medical images were exposed along with the sensitive data of 1.2 million patients. Northeast Radiology reported the breach to the HHS’ Office for Civil Rights as affecting 298,532 individuals. The lawsuit alleged the defendants had implemented inadequate security safeguards to ensure the privacy of...

Former IT Consultant Charged with Intentionally Causing Damage to Healthcare Company’s Server
May27

An information technology consultant who worked as a contractor at a suburban healthcare company in Chicago has been charged with illegally accessing the company’s network and intentionally causing damage to a protected computer. Aaron Lockner, 35, of Downers Grove, IL, worked for an IT company that had a contract with a healthcare company to provide security and technology services. Lockner was provided with access to the network of the healthcare provider’s clinic in Oak Lawn, IL, to perform the contracted IT services. In February 2018, Lockner applied for an employment position with the healthcare provider, but his application was denied. Lockner was then terminated from the IT firm in March 2018. A month later, on or around April 16, 2018, Lockner is alleged to have remotely accessed the computer network of the healthcare company without authorization. According to the indictment, Lockner knowingly caused the transmission of a program, information, code, and command, and as a result of his actions, intentionally caused damage to a protected computer. The computer intrusion...

Email Incidents Reported by Washington University School of Medicine & Oswego County Opportunities
May26

Oswego County Opportunities (OCO) in New York has announced that a limited number of employee email accounts were recently accessed by an unknown actor. The security breach was identified when suspicious email activity was detected and the email accounts were immediately secured. Third-party cybersecurity experts were engaged to investigate the breach to determine the nature and scope of the attack, and what information, if any, had been accessed by the threat actor. It was not possible to determine if any emails in the account had been viewed or obtained, but the review of the affected email accounts confirmed they contained the following types of information: names, addresses, Social Security numbers, driver’s license numbers, certain health information, and a very limited number of credit card numbers. The accounts also contained some employee information and information about vendors with connections to OCO. The data breach has been reported to the HHS’ Office for Civil Rights as affecting 7,766 individuals. OCO said it has modified its email settings and controls to provide...

SAC Health Theft Incident and Multiple Ransomware Attacks Reported
May25

Social Action Community Health System (SAC Health) has recently notified 149,940 patients that documents containing their protected health information were stolen in a break-in at an off-site storage location where patient records were stored. The break-in was discovered on March 4, 2022, with the subsequent investigation confirming on April 22, 2022, that six boxes of paper documents had been stolen from the facility, which included files relating to patients served by SAC Health in 1997 and between 2006 and 2020. An analysis was conducted to determine which types of information were included in the files and concluded the documents may have contained information such as names, addresses, dates of birth, and diagnosis codes. Notification letters were sent to those individuals on May 3, 2022. SAC Health said it is unaware of any actual or attempted misuse of patient data as a result of the break-in; however, as a precaution against identity theft and fraud, affected individuals have been offered complimentary credit monitoring services. SAC Health said it is conducting a review of...

Over 850,000 Individuals Affected by Partnership HealthPlan of California Cyberattack
May24

In March 2022, Partnership HealthPlan of California (PHC) announced that third-party forensic specialists had been engaged to help restore the functionality of its IT systems following a cyberattack. PHC has now confirmed in a breach notification to the Maine Attorney General that the protected health information of 854,913 current and former health plan members has potentially been stolen, making this one of the largest healthcare data breaches to be reported so far this year. According to the notification, the cyberattack was detected on or around March 19, 2022. Steps were immediately taken to contain the breach and an investigation was launched to determine the nature and scope of the attack. PHC said the forensic investigation uncovered evidence that the unauthorized party behind the cyberattack had removed files from the PHC network on or around March 19. The review of the affected files is ongoing, and while it has yet to be confirmed which specific types of protected health information were included in the affected files, notification letters are starting to be sent to...

April 2022 Healthcare Data Breach Report
May20

After four successive months of declining numbers of data breaches, there was a 30.2% increase in reported data breaches. In April 2022, 56 data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). While the number of reported breaches increased month-over-month, the number of healthcare records that were exposed or impermissibly disclosed decreased by 30% to 2,160,194 – the lowest monthly number since October 2021. The average breach size in April 2022 was 38,575 records, and the median breach size was 6,546 records.

Largest Healthcare Data Breaches in April 2022

22 healthcare data breaches were reported in April 2022 that affected 10,000 or more individuals. The worst breach was a hacking incident reported by Adaptive Health Integrations, a provider of software and billing/revenue services to laboratories, physician offices, and other healthcare companies. More than half a million healthcare individuals were affected. The Arkansas healthcare provider ARcare suffered a malware attack that disrupted its...

Solara Medical Supplies $9.76 Million Data Breach Settlement Gets Preliminary Approval
May19

A $9.76 million settlement proposed by Solara Medical Supplies to resolve a class action lawsuit related to a 2019 data breach has received preliminary approval from the court. Solara Medical Supplies, which provides products and services to help people manage their diabetes, was the victim of a phishing attack that saw employees’ Microsoft Office 365 email accounts accessed by unauthorized individuals between April 2, 2019, and June 20, 2019. The email accounts contained the protected health information of patients and sensitive employee information, including names, dates of birth, billing and claims information, health insurance information, medical information, financial account information and credit card numbers, Social Security numbers, driver’s license numbers, state ID numbers, and Medicare/Medicaid IDs. The breach was reported to the HHS’ Office for Civil Rights as affecting 114,007 individuals. Legal action was taken on behalf of the individuals affected by the breach, with the class including all individuals residing in the United States and its territories who were...

Parker-Hannifin Cyberattack Affects Almost 120,000 Health Plan Members
May19

Cleveland, OH-based Parker-Hannifin Corporation, a manufacturer of motion and control technologies, has recently announced that unauthorized individuals have gained access to some of its IT systems and may have acquired files containing the sensitive information of current and former employees, their dependents, and other individuals affiliated with the company. Suspicious activity was detected within its IT environment on March 14, 2022. The forensic investigation confirmed its systems were accessed by unauthorized individuals between March 11, 2022, and March 14, 2022. A comprehensive review of the affected files confirmed they contained information such as names, birth dates, addresses, Social Security numbers, driver’s license numbers, passport numbers, financial account information such as bank account and routing numbers, and online account usernames and passwords. Current and former members of the Parker Group Health Plan, or a health plan sponsored by an entity acquired by Parker, may also have had their enrollment information compromised, which includes health insurance...

AvosLocker Claims Credit for Christus Health Ransomware Attack
May17

The Irving, TX-based nonprofit health system, Christus Health, which operates more than 600 healthcare facilities in Texas, Arkansas, Louisiana, and New Mexico, has announced it has recently identified suspicious activity in its computer systems and blocked an attempted cyberattack. The prompt action taken by the Christus IT team severely limited the scope of the attack and prevented the incident from impacting its patient care and clinical operations. Christus Health said it is working with third-party cybersecurity experts to investigate and determine the extent of the security breach. A relatively new ransomware threat group called AvosLocker has claimed credit for the attack. AvosLocker operates under the ransomware-as-a-service (RaaS) model and was first identified in July 2021. The threat group engages in double extortion tactics and is known to exfiltrate data prior to file encryption, then threatens to auction the stolen data if the ransom is not paid. The number of attacks conducted by AvosLocker has been steadily growing, with data from Trend Micro indicating at least 30...

Cyberattacks Reported by Schneck Medical Center, NuLife Med, & FPS Medical Center
May17

The Manchester, NH-based medical equipment company, NuLife Med LLC, has recently announced it was the victim of a cyberattack in March 2022. Suspicious network activity was detected on or around March 11, 2022, and steps were immediately taken to prevent further unauthorized network access. An investigation was launched to determine the nature and scope of the attack and to allow its network and systems to be restored. The investigation confirmed that unauthorized individuals had accessed its network between March 9 and March 11, 2022, and potentially viewed and exfiltrated files from its systems. It was not possible to determine which files had been viewed or removed from its systems, nor the exact number of files that had been accessed or exfiltrated. Notification letters have therefore been sent to all individuals potentially affected. The review of the files revealed they mostly contained protected health information such as names, addresses, medical information, and/or health insurance information. A limited number of individuals have also had their Social Security numbers,...

Refuah Health Center Alerts 260K Patients About May 2021 Cyberattack
May16

Refuah Health Center in New York has recently started notifying 260,740 patients about a security breach that occurred almost a year ago. According to the April 29, 2022, notification on the healthcare provider’s website, “We recently discovered unauthorized access to our network occurred between May 31, 2021, and June 1, 2021.” Upon discovery of the breach, an investigation was launched to determine the nature and scope of the attack, and a comprehensive review was then conducted of all documents that were potentially accessed. Refuah Health Center said it discovered on March 2, 2022, that the attackers had exfiltrated some files from its network that contained “a limited amount” of patients’ protected health information, including names in combination with one or more of the following data types: Social Security numbers, driver’s license numbers, state identification numbers, dates of birth, bank/financial account information, credit/debit card information, medical treatment/diagnosis information, Medicare/Medicaid numbers, medical record numbers, patient account...

Cyberattacks Reported by McKenzie Health System & Omnicell
May13

McKenzie Health System in Sandusky, MI, has recently started notifying 25,318 patients that some of their protected health information has been stolen in a recent security incident which has caused disruption to the operations of some of its systems. On March 11, 2022, suspicious activity was detected within its IT systems. Steps were immediately taken to secure those systems and a third-party investigator was engaged to determine the nature and scope of the security breach. The investigation determined that an unauthorized individual had gained access to its network and exfiltrated files. The analysis of those files confirmed on April 22, 2022, that they contained patient information such as names, contact information, demographic information, dates of birth, Social Security numbers, diagnosis and treatment information, prescription information, medical record numbers, provider names, dates of service, and/or health insurance information. McKenzie Health System provided information on the steps that affected individuals should take to protect against the misuse of their personal...

Eye Care Leaders Hack Impacts Millions of Patients
May12

Unauthorized individuals have gained access to the systems of Eye Care Leaders, a provider of electronic health records and patient management software solutions for eye care practices. On or around December 4, 2021, hackers gained access to its myCare Identity solution and deleted databases, systems configuration files, and data. Eye Care Leaders said its incident response team immediately stopped the unauthorized activity when the breach was detected and launched an investigation into the security breach. The investigation is ongoing, but notifications have now been sent to affected ophthalmology and optometry practices. While the investigation has not uncovered evidence to suggest the attackers viewed or exfiltrated sensitive data, the possibility of unauthorized data access and theft could not be ruled out. The types of information that have been exposed included patient names, dates of birth, medical record numbers, health insurance information, Social Security numbers, and information regarding the care received at the affected eye care practices. The breach was confined to...

Hacking Incidents Reported by Illinois Gastroenterology Group & the Mental Health Center of Greater Manchester
May09

Illinois Gastroenterology Group has recently announced that unauthorized individuals gained access to its computer environment and potentially accessed and exfiltrated sensitive patient data. The cyberattack was detected on October 22, 2021, when suspicious activity was identified within its computer network. Third-party cybersecurity specialists were engaged to investigate the attack and determine the nature and scope of the incident. On November 18, 2021, Illinois Gastroenterology learned that the parts of its systems that were accessed by unauthorized individuals contained patient information such as names, addresses, birth dates, Social Security numbers, driver’s license numbers, passport numbers, financial account information, payment card information, employer-assigned identification numbers, medical information, and biometric data. Illinois Gastroenterology said it was not possible to rule out unauthorized viewing or theft of files containing patient data, but at the time of issuing notification letters, no reports had been received to suggest any fraudulent misuse of the...

Email Security Incidents Reported by HealthPlex and Optima Dermatology
May09

Healthplex Inc., one of the largest providers of dental insurance in New York state, has announced that the email account of an employee was compromised in a phishing attack on November 24, 2021. Upon discovery of the breach, the email account was immediately secured to prevent further unauthorized access and an investigation was launched to determine the nature and scope of the breach. On April 5, 2021, Healthplex confirmed that the email account contained the personal and protected health information of 89,955 individuals who had previously enrolled in its dental plans. The exposed information varied from individual to individual and may have included first and last names in combination with one or more of the following data types: Address, group name and number, member ID number, plan affiliation, date of birth, date of service, provider name, ADA codes and their description, billed/paid amounts, prescription drug names, Social Security number, banking information, credit card number, username and password for the member portal, email address, phone number, and driver’s license...

Salusive Health Closes Business Following Cyberattack
May03

Salusive Health, the developer of the myNurse platform which helps physician practices streamline disease management, has experienced a cyberattack in which patient data was compromised. In its breach notification letters to patients, Salusive Health explained that it identified unauthorized activity within its computer network on March 7, 2022, and immediately implemented containment, mitigation, and restoration efforts, and engaged third-party cybersecurity experts to assist with those processes. The investigation confirmed that unauthorized individuals accessed the personal and protected health information of patients, including name, gender, home address, phone number, email address, date of birth, medical history, diagnosis and treatment information, dates of service, lab test results, prescription information, provider name, medical account number, health insurance policy and group plan number, group plan provider, and claim information. Salusive Health said it implemented additional security measures to prevent further breaches, has notified affected individuals and offered...

6 HIPAA-Regulated Entities Report Email Account Breaches and the Exposure of PHI
May02

6 data breaches have recently been reported by HIPAA-regulated entities that have collectively resulted in the exposure and potential theft of the protected health information of tens of thousands of individuals.

La Casa de Salud, New York

The Acacia Network, a New York City-based human services organization, has recently notified the HHS’ Office for Civil Rights about an email account breach that was detected on July 17, 2020. According to the breach notice on the Acacia Network website, email accounts were accessed for a limited time between June 6, 2020, and June 12, 2020. An investigation was immediately launched and a forensic firm was engaged to provide assistance, but it was not possible to determine if any emails or attachments had been viewed or copied. A review of the emails in the account revealed they contained patients’ names, Social Security numbers, driver’s license numbers, addresses, birthdates, financial account numbers, medical record numbers, resident identification numbers, health insurance information, Medicare numbers, provider names, treatment, prescription,...

Up to 2,592,494 individuals Affected by Smile Brands Ransomware Attack
Apr28

Irvine, CA-based Smile Brands, a provider of support services for dental offices, has recently provided an update on the number of individuals affected by a ransomware attack that was discovered on April 24, 2021. The attackers gained access to parts of its system on April 23, 2021, that housed files that contained individuals’ protected health information, including names, addresses, telephone numbers, dates of birth, Social Security numbers, financial information, government-issued ID numbers, and health information. The breach was initially reported to the HHS’ Office for Civil Rights in June 2021 as affecting 1,200 individuals, but the breach report was later amended to indicate up to 199,683 individuals had been affected. However, in the latest update to the Maine attorney general, the breach has been reported as affecting up to 2,592,494 individuals. The initial notice to the Maine attorney general was submitted on October 8, 2021. Smile Brands said affected individuals have been offered a complimentary 12-month membership to a credit monitoring service, which includes...

American Dental Association and Tenet Healthcare Recovering from Cyberattacks
Apr27

The American Dental Association (ADA) suffered a cyberattack on Friday and has been forced to take many of its systems offline. The ADA website is currently available and explains that “The ADA is experiencing technical difficulties,” and that work is underway to get its systems running smoothly. While the website does not provide any further information on the cause of the technical difficulties, emails have been sent to ADA members advising them about the cyberattack. The letters explain that parts of its network were taken offline and that Aptify, ADA email, the telephone system, and web chat have all been affected. Many of its online services are currently unavailable; however, details of the attack have not been shared at this time. The ADA said it has reported the cyberattack to law enforcement and it is investigating the nature and scope of the attack and is being assisted by third-party cybersecurity professionals. The investigation has not uncovered any evidence of data theft at this stage and the extent to which its members, dental practices, and other dental...

Solara Medical Supplies Proposes $5 Million Settlement to Resolve Class Action Data Breach Lawsuit
Apr26

A preliminary settlement has recently been approved by a California Federal court to resolve a consolidated class action lawsuit against Solara Medical Supplies. Solara Medical Supplies is a Chula Vista, California-based direct-to-consumer provider of medical devices and disposable medical products and a registered pharmacy. On June 28, 2019, Solara Medical identified suspicious activity in an employee email account. The subsequent investigation confirmed unauthorized individuals had gained access to multiple Office 365 email accounts between April 2, 2019, and June 20, 2019, as a result of employees responding to phishing emails. The forensic investigation confirmed that the sensitive information of 114,007 of its customers had been exposed and potentially stolen, including names, dates of birth, Social Security numbers, driver’s license numbers, health insurance information, and financial information. Affected individuals were offered complimentary credit monitoring and identity theft protection services for 12 months. Four class action lawsuits were filed on behalf of the...

PHI Exposed in Security Incidents at Georgia Pines CSB & Ballad Health
Apr26

Security incidents have recently been reported by Georgia Pines CSB and Ballad Health, which have involved the protected health information (PHI) of 28,295 individuals.

Ballad Health Discovers Breach of Employee Email Account

Ballad Health, an integrated community health improvement organization serving communities in the Appalachian Highlands in Northeast Tennessee, Southwest Virginia, Northwest North Carolina, and Southeast Kentucky, has recently discovered an unauthorized individual has accessed the email account of one of its employees. Suspicious activity was detected in the email account of an employee on or around January 13, 2022. The email account was immediately secured, and a forensic investigation was conducted to determine the nature and scope of the breach. On February 17, 2022, it was determined that the email account was accessed for a short period by an unauthorized individual who may have viewed or acquired information in the account. A review of the emails in the account confirmed on March 16, 2022, that they included the protected health information of 4,295...

Adaptive Health Integrations Data Breach Affects More than 510,000 Individuals
Apr20

An Adaptive Health Integrations data breach has recently been reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) that involved the protected health information (PHI) of 510,574 individuals. Adaptive Health Integrations is listed as a Williston, North Dakota-based provider of LIS software services and billing/revenue services to laboratories, physician offices, and other healthcare companies. The notification letters, a copy of which was found on the Montana Attorney General website, state that the company recently became aware that an unauthorized individual had gained access to its system on or around October 17, 2021, and may have accessed “a limited amount of data stored on our systems.” The letters explained that when the unauthorized access was discovered, the threat was immediately contained, and an investigation was launched. A comprehensive review of affected files was conducted, and that process was concluded on February 23, 2022. The notification letters state that credit monitoring, fraud consultation, and identity theft restoration...

March 2022 Healthcare Data Breach Report
Apr19

For the fourth successive month, the number of reported healthcare data breaches has fallen. In March 2022, 43 healthcare data breaches of 500 or more records were reported to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR), which is a 6.52% fall from February and well below the 12-month average of 57.75 data breaches a month. However, there was a 36.94% increase in the number of breached records compared to February. Across the 43 reported breaches, 3,083,988 healthcare records were exposed, stolen, or impermissibly disclosed, which is slightly below the average of 3,424,818 breached records a month over the past 12 months.

Largest Healthcare Data Breaches in March 2022

In March 2022, there were 25 data breaches reported to OCR that affected 10,000 or more individuals, all but one of which were hacking incidents. The largest data breach of the month affected over half a million patients. Christie Business Holdings Company, which operates Christie Clinic in Illinois, discovered an employee email account had been accessed by unauthorized individuals...

On-the-spot Email Interventions Reduce Repeat Medical Record Snooping Incidents by 95%
Apr19

Immediate intervention following an instance of unauthorized access to protected health information (PHI) by a healthcare employee is 95% effective at preventing repeat offenses, according to a new study published in JAMA Open Network. Healthcare data breaches are occurring at record levels, and while large data breaches are often the result of hacking and other IT incidents, insider breaches such as snooping on medical records are common. According to HHS data, in 2019, 92% of combined small and large breaches were tied to unauthorized access. While many cases of employees snooping on the medical records of VIP patients have been covered in the media, these types of snooping incidents are relatively uncommon. It is much more common for healthcare employees to access the medical records of family members, friends, and colleagues, and those privacy violations can be just as damaging for patients. All cases of unauthorized access start with an employee accessing a single patient record, but they can easily turn into major data breaches if left unchecked. There have been several HIPAA...

Deaconess Health System and Blue Earth County Notify Patients About Insider Data Breaches
Apr18

Indiana-based Deaconess Health System and Blue Earth County in Minnesota have notified individuals that sensitive personal information has been accessed by employees without authorization.

Deaconess Health System Notifies Female Patients About Unauthorized Medical Record Access by Physician

A physician formerly employed by Deaconess Health System in Evansville, IN, has been discovered to have accessed the medical records of female patients without authorization. On January 26, 2022, the unauthorized medical record access was discovered by Deaconess Health System during a routine audit of access logs. According to the law firm Ladendorf Law of Indianapolis, which spoke with six women who were notified about the privacy breach by Deaconess Health System, the unauthorized access first occurred no later than June 2020. According to attorney Taylor Ivy, all six of the women said the first contact occurred in bars in the West Side of the city. The physician had approached them and started talking to them and obtained information about them during the encounter. It appears that the physician...

Email Account Breaches Reported by Newman Regional Health and Contra Costa County
Apr18

Newman Regional Health (NRH), which operates a 25-bed critical access hospital in Emporia, KS, has recently started notifying 52,224 patients that unauthorized individuals have gained access to certain employee email accounts that contained protected health information. NRH explained on its website that a limited number of employee email accounts were accessed by unauthorized individuals over a period of 10 months in 2021 between January 26, 2021, and November 23, 2021. When the security breach was identified, prompt action was taken to secure the accounts and an investigation was launched to determine the extent and nature of the breach. NRH said a review of the emails in the compromised accounts confirmed on March 14, 2022, that the following types of patient information had been exposed: Names, dates of birth, medical record/ID numbers, addresses, phone numbers, e-mail addresses, and limited health, treatment or insurance information, and for employees, information collected in connection with an individual’s receipt of services from or employment with NRH. A subset of...

Urgent Team Holdings Reports Breach of the PHI of 166,600 Individuals
Apr15

Urgent Team Holdings, which operates more than 70 urgent care and walk-in centers in Alabama, Arkansas, Georgia, Mississippi, and Tennessee, has recently notified 166,601 patients that some of their protected health information may have been obtained by unauthorized individuals in a November 2021 cyberattack. Urgent Team said it discovered its network had been compromised between November 12, 2021, and November 18, 2021. Assisted by third-party cybersecurity experts, Urgent Team discovered files may have been exfiltrated from its systems that contained the protected health information of patients. A comprehensive review of the files was completed on January 31, 2022, and confirmed they contained patients’ full names, dates of birth, and medical record numbers. While data theft may have occurred, no evidence of data exfiltration was identified and there have been no reports of any misuse of patient data. To improve security, Urgent Team has implemented multi-factor authentication and has added extra layers of security to its systems to reduce the risk of unauthorized access. A new...

SuperCare Health Sued Over 318,000-Record Data Breach
Apr15

A lawsuit has been filed against the in-home respiratory care provider, SuperCare Health, over a cyberattack and data breach that was reported to the Department of Health and Human Services on March 28, 2022. The incident involved the exposure and potential theft of the protected health information of 318,400 patients, including names, addresses, birth dates, patient account numbers, medical record numbers, health insurance information, testing, diagnostic, treatment, and claims information. A subset of individuals also had their Social Security numbers and/or driver’s license numbers exposed. SuperCare Health said unauthorized individuals had access to its network from July 23, 2021, to July 27, 2021, but did not disclose the nature of the cyberattack. It took SuperCare Health until February 4, 2022, to determine that the files potentially accessed in the attack contained patients’ PHI. Notification letters were sent on March 25, 2022, and according to the notice provided to the California Attorney General, credit monitoring and identity theft protection services were offered to...

Resources for Human Development, WellStar Health & Central Vermont Eye Care Announce Data Breaches
Apr13

Resources for Human Development Reports Breach Affecting 46,673 Individuals

The Philadelphia, PA-based national human services nonprofit organization, Resources for Human Development (RHD), has recently confirmed that a hard drive containing the protected health information of 46,673 individuals has been stolen. The theft occurred on or around January 27, 2022, and was discovered by RHD on February 16, 2022. The hard drive was used for its Point-to-Point program in Exton, PA, and contained information such as names, Social Security Numbers, drivers’ license numbers, financial account information, payment card information, dates of birth, prescription information, diagnosis information, treatment information, treatment providers, health insurance information, medical information, Medicare/Medicaid ID numbers, employer identification numbers, electronic signatures, usernames and passwords of clients and staff members. RHD said it engaged outside forensics specialists to investigate the extent of the breach and ensure the security of its offices and computer servers. Training has also...

Increase in Class Action Lawsuits Following Healthcare Data Incidents
Apr12

The law firm BakerHostetler has published its 8th Annual Data Security Incident Response (DSIR) Report, which provides insights based on 1,270 data security incidents managed by the firm in 2021. 23% of those incidents involved data security incidents at healthcare organizations, which was the most targeted sector and resulted in cases of HIPAA violations.

Ransomware Attacks Increased in 2021

Ransomware attacks have continued to occur at elevated levels, accounting for 37% of all data security incidents handled by the firm in 2021, compared to 27% in 2020, and there are no signs that attacks will decrease in 2022. Attacks on healthcare organizations increased considerably year over year. 35% of healthcare security incidents handled by BakerHostetler in 2021 involved ransomware, up from 20% in 2022. Ransom demands and payments decreased in 2021. In healthcare, the average initial ransom demand was $8,329,520 (median $1,043,480) and the average ransom paid was $875,784 (median $500,846), which is around two-thirds of the amount paid in 2020. Restoration of files took an...

Cyberattack on SuperCare Health Affects 318,000 Patients
Apr07

SuperCare Health, a Downey, CA-based post-acute, in-home respiratory care provider serving the Western United States, has recently started notifying 318,379 patients that some of their protected health information has been exposed and potentially accessed by unauthorized individuals in a cyberattack that occurred in July 2021. In its March 25, 2022, breach notification letters, SuperCare Health explained that it identified unauthorized activity within its IT systems on July 27, 2021. Steps were immediately taken to secure its network and prevent further unauthorized access, and independent cybersecurity experts were engaged to investigate the nature and scope of the incident. The investigation determined that unauthorized individuals had access to parts of its network from July 23, 2021, to July 27, 2021, and that it was possible that files on the network were accessed that contained patients’ protected health information. A comprehensive review of the contents of the files was conducted, which determined on February 4, 2022, that they contained sensitive patient data such as...

OCR Seeks Comment on Recognized Security Practices and the Sharing of HIPAA Settlements with Harmed Individuals
Apr07

The Department of Health and Human Services’ Office for Civil Rights has released a Request for Information (RFI) related to two outstanding requirements of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). The HITECH Act, as amended in 2021 by the HIPAA Safe Harbor Act, requires the HHS to consider the security practices that have been implemented by HIPAA-regulated entities when considering financial penalties and other remedies to resolve potential HIPAA violations discovered during investigations and audits. The aim of the HIPAA Safe Harbor Act is to encourage HIPAA-regulated entities to implement cybersecurity best practices. The reward for organisations that have followed industry-standard security best practices for the 12 months prior to a data breach occurring is lower financial penalties for data breaches and less scrutiny by the HHS. Another outstanding requirement, which dates back to when the HITECH Act was signed into law, is for the HHS to share a percentage of the civil monetary penalties (CMPs) and settlement payments...

How to Report a HIPAA Violation Anonymously
Apr06

In this post we explain how to report a HIPAA violation anonymously if you feel your (or someone else’s) privacy has been violated or if HIPAA Rules are not being followed in your organization.

When Can an Alleged HIPAA Violation be Reported?

Most healthcare organizations go to great lengths to ensure they are in compliance with HIPAA Rules, but occasionally HIPAA regulations are violated by management or employees. In such cases, a complaint can be lodged with the Department of Health and Human Services’ Office for Civil Rights (OCR) – the main enforcer of HIPAA Rules. However, complaints will only result in action being taken if the complaint is submitted within 180 days of the date of discovery that HIPAA Rules were violated. In limited cases, when there is ‘good cause’ that it was not possible to file a complaint within 180 days, an extension may be granted. Note that OCR cannot investigate any alleged violation of the HIPAA Privacy Rule that occurred before April 14, 2003 or Security Rule violations that occurred before April 20, 2005 because compliance with those...

Ransomware Gangs Claim Health Plan and Healthcare Provider Attacked
Apr01

Partnership Health Plan of California Recovering from Suspected Ransomware Attack

The Fairfield, CA-based nonprofit managed care health plan, Partnership Health Plan of California (PHC), has suffered a cyberattack that has taken its IT systems out of action for more than a week. PHC started notifying regional healthcare clinics on March 21, 2022, that its IT systems were disrupted, along with its website and phone lines and that efforts were underway to restore its systems. A timeline for when IT systems would likely be restored was not provided. PHC did not state in its notifications what caused the outage, but it appears to have been a ransomware attack by the Hive ransomware operation. The Hive ransomware gang claimed responsibility for the cyberattack on its clear web and dark web sites and said 400 gigabytes of data was exfiltrated from PHC systems that included 850,000 unique records of name, SSNs, dates of birth, addresses, and other information. That claim has since been removed. PHC has yet to confirm whether ransomware was used and the extent to which plan members’ data...

Spokane Regional Health District Announces Second Phishing Attack in 3 Months
Apr01

Spokane Regional Health District (SRHD) in Washington has once again fallen victim to a phishing attack. For the second time this year, the health district has announced patient data has potentially been compromised after an employee responded to a phishing email. On March 24, 2022, SRHD announced that its IT department discovered a compromised email account, with the investigation recently confirming that the employee responded to a phishing email on February 24, 2022, and disclosed credentials that allowed the account to be accessed. Last week, SRHD confirmed that the email account contained the protected health information of 1,260 individuals. That information may have been ‘previewed’ by an unauthorized individual, although no evidence was found to suggest information had been accessed or downloaded. Information in the account included names, birth dates, service dates, source of referral, provider hospital name, diagnosing state, whether the patient had been located, date located, patient risk level, staging level, how medications were collected, test type, test result,...

CSI Laboratories and Christie Clinic Report Data Breaches; Scripps Health Sends Additional Notification Letters
Mar31

Email Account Breach Reported by Christie Clinic

Christie Business Holdings Company, P.C., doing business as Christie Clinic, has recently announced a security incident involving an employee’s email account. The company’s breach notice did not say when the breach was discovered, but the forensic investigation confirmed on January 27, 2022, that the email account was accessed by an unauthorized individual between July 14, 2021, and August 19, 2021. Christie Clinic said the purpose of the attack appeared to be to intercept a business transaction between the clinic and a third-party vendor, rather than to obtain sensitive data from the email account, but it was not possible to determine to what extent emails in the account had been accessed. Christie Clinic said the investigation confirmed that the breach was limited to a single email account and no other systems or accounts were affected. The review of information in the account revealed on March 10, 2022, that the emails included protected health information such as names, addresses, Social Security numbers, medical information, and...

Law Enforcement Health Benefits and Oklahoma City Indian Clinic Suffer Ransomware Attacks
Mar30

Oklahoma City Indian Clinic and Law Enforcement Health Benefits Inc. have confirmed they were recent victims of cyberattacks, both of which involved the use of ransomware.

Ransomware Attack Affects 85,282 Law Enforcement Health Benefits Members

Law Enforcement Health Benefits, Inc. (LEHB) has recently announced that it was the victim of a ransomware attack that was detected on September 14, 2021. External cybersecurity professionals were engaged to assist with the investigation and remediation efforts, and a manual review of files on the affected parts of the network was conducted. That process concluded on February 25, 2022, when it was confirmed that files containing the personal and protected health information of plan members had been exfiltrated from its network. LEHB said the following types of information had been compromised: names, dates of birth, Social Security numbers, driver’s license numbers, financial account numbers, health insurance information, medical record numbers, patient account numbers, and diagnosis/treatment information. While it was confirmed that files...

OCR Announces 4 Financial Penalties to Resolve HIPAA Violations
Mar29

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced its first financial penalties of 2022 to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). Three of the cases were settled with OCR, and one resulted in a civil monetary penalty being imposed. OCR is continuing to enforce compliance with the HIPAA Right of Access, with two of the enforcement actions resolving HIPAA violations of this important HIPAA provision. One of the fines was imposed, in part, for overcharging a patient who requested a copy of their medical records – the first financial penalty under the 2019 enforcement initiative to allege overcharging for copies of medical records. To date, OCR has imposed 27 financial penalties on healthcare providers that have failed to provide patients with timely access to their medical records. The other two cases involved impermissible disclosures of the protected health information of patients. “Between the rising pace of breaches of unsecured protected health information and continued cyber...

Email Incidents Reported by Ultimate Care, CareOregon Advantage, and University Medical Center Southern Nevada
Mar25

Three email incidents have recently been reported by Ultimate Care, CareOregon Advantage, and University Medical Center Southern Nevada that have affected a total of 38,485 individuals.

Phishing Attack on Ultimate Care Impacts 15,788 Individuals

The Brooklyn, NY-based home care agency, Ultimate Care, has recently announced that a limited number of employee email accounts have been accessed by unauthorized individuals after employees responded to phishing emails. When the security breach was detected, rapid action was taken to secure its email environment and a forensic investigation was launched to determine the scope of the breach. The forensic investigation revealed the email accounts were accessed by unauthorized individuals between April 7, 2021, and June 2, 2021. A manual review of all emails in the accounts confirmed they contained names, along with one or more of the following types of information: Social Security numbers, driver’s license numbers, passport numbers, dates of birth, financial account information, credit or debit card information, medical information, health...

Horizon Actuarial Services Reports Data Theft and Extortion Incident
Mar25

Horizon Actuarial Services, Clinic of North Texas, and Parkland Community Health Plan have recently announced breaches of the protected health information of patients and plan members.

Horizon Actuarial Services Reports Data Theft and Extortion Incident

Horizon Actuarial Services (HAS) has recently announced a security breach and the theft of the personal data of members of benefits plans to whom it provides technical and actuarial consulting services, including the Local 295 IBT Employer Group Welfare Fund and the Major League Baseball Players Benefit Plan. HAS said it received an email on November 12, 2021, from a cyber actor who claimed to have stolen the personal data of plan members from its computer servers. Steps were immediately taken to secure its servers to prevent any further unauthorized access, and a computer forensics firm was engaged to investigate the potential security breach and determine the legitimacy of the email. HAS confirmed that two servers had been accessed between November 10 and 11, 2021, and files containing names, dates of birth, Social Security...

Patient Data Stolen in July 2021 Cyberattack on Chelan Douglas Health District
Mar24

Chelan Douglas Health District in East Wenatchee, WA, has announced it was the victim of a cyberattack in July 2021 in which the personal and protected health information of patients was exfiltrated from its systems. The breach notice uploaded to the Chelan Douglas Health District website does not disclose when the breach was detected but says a third-party cybersecurity company was engaged to investigate the cyberattack and confirmed that its network was accessed by unauthorized individuals between July 2 and July 4, 2021. A representative for the health district said this was not a ransomware attack. The review of the files that were removed from its systems was completed on February 12, 2022, and confirmed the following types of patient data had been stolen: Names, Social Security numbers, dates of birth/death, financial account information, treatment information, diagnosis information, medical record/patient numbers, and health insurance policy information. Notification letters started to be sent to affected individuals on March 15, 2022. Individuals who had their Social Security...

Data Breaches Reported by New Jersey Brain and Spine, Highmark Inc. and Dialyze Direct
Mar23

New Jersey Brain and Spine (NJBS) has recently announced it was the victim of a cyberattack on or around November 16, 2021, that encrypted data on its network. NJBS said it immediately took steps to secure its network and engaged a computer forensic firm to investigate the security breach. While no evidence has been found to indicate there has been any misuse of patient data as a result of the attack, the forensics firm said the attacker may have accessed files containing patient data. A third-party vendor was engaged to conduct a review of all files on its network that had potentially been accessed, and while the data mining process is ongoing, it has been confirmed that the files contained information such as names, addresses, dates of birth, email addresses, telephone numbers, Social Security numbers, financial account information, debit or credit card information, driver’s license numbers or other ID numbers, and medical information. Notification letters were sent to affected individuals on March 10, 2022. NJBS said that following the breach, several steps were taken to better...

February 2022 Healthcare Data Breach Report
Mar22

For the third successive month, the number of data breaches reported to the HHS’ Office for Civil Rights (OCR) has fallen. 46 healthcare data breaches of 500 or more records were reported to OCR in February – an 8% fall from January. February saw the lowest number of data breaches in the past 5 months. Even with the reduction in breaches, on average, more than 2 healthcare data breaches have been reported each day over the past 12 months. From March 1, 2021, to February 28, 2022, there have been 723 reported data breaches of 500 or more records. Across February’s 46 incidents, the records of 2,525,023 individuals were exposed or compromised – a 2.28% fall from the previous month – which is considerably lower than the 3,506,400 records that have been breached each month, on average, from March 1, 2021, to February 28, 2022. At least 42,076,805 healthcare records were exposed over that period. In February, the average breach size was 48,957 records and the median breach size was 7,014 records.

Largest Healthcare Data Breaches Reported in February 2022

22 HIPAA-regulated entities...

JDC Healthcare Management Data Breach Affects More than 1 Million Texans
Mar21

On March 17, 2022, Dallas, TX-based JDC Healthcare Management, which runs more than 70 Jefferson Dental & Orthodontics practices throughout the state of Texas, reported a security breach to the Office of the Attorney General of Texas that has affected more than 1 million Texans. As previously reported on this site, JDC Healthcare Management detected malware within its IT network on or around August 9, 2021, with the forensic investigation into the security breach confirming the malware was downloaded onto its systems on July 27, 2021. Further information on the data breach has now been obtained. JDC Healthcare Management explained that the malware gave unauthorized individuals access to its IT systems from July 27, 2021, to August 16, 2021, and its forensic investigation confirmed the attackers viewed or copied files on its systems that contained patients’ electronic protected health information (ePHI). JDC Healthcare Management explained in its March 2022 breach notification letters that the comprehensive review of the impacted files is ongoing, but it has been confirmed that...

Central Indiana Orthopedics & Duncan Regional Hospital Report 80K-Record Data Breaches
Mar17

Cyberattacks have been reported by Duncan Regional Hospital in Oklahoma and Central Indiana Orthopedics that have affected a total of 170,084 individuals.

Duncan Regional Hospital

Duncan Regional Hospital has recently announced it was the victim of a cyberattack in January. The incident was detected on January 20, 2022, when suspicious activity was identified in some of its IT systems. All systems were immediately taken offline to prevent further unauthorized access and a third-party computer forensics firm was engaged to determine the nature and scope of the breach. Duncan Regional Hospital said the hackers did not gain access to its electronic medical record system but did access parts of the network where files containing patient data were stored. Those files contained patient names, addresses, phone numbers, dates of birth, Social Security numbers, appointment information such as dates of service and healthcare provider names, and limited treatment information. Steps have been taken to improve security and prevent further attacks, including an organization-wide password reset...

Capital Region Medical Center and Labette Health Announce Potential PHI Breaches
Mar14

Capital Region Medical Center (CRMC) in Jefferson City, MO has recently confirmed that patient information was accessed by unauthorized individuals in a December 2021 cyberattack that took its network and phone systems offline for several days. The attack was detected on December 17, 2021, when network systems were disrupted. An investigation was launched to determine the nature and scope of the breach, and a public announcement about the security incident was issued on December 23, 2021. It was initially unclear if patient information had been compromised but that has now been confirmed. CRMC said that at this stage of the investigation it does not appear that the attackers gained access to its electronic medical record database; however, the files accessed or potentially accessed by the attackers included information such as patient names, addresses, birth dates, medical information, and health insurance information. A subset of patients also had their Social Security numbers, driver’s license numbers, and/or financial account information exposed. That subset of patients has been...

South Denver Cardiology Associates Confirms Data Breach Affecting 287,000 Patients
Mar14

South Denver Cardiology Associates (SDCA) has recently announced it was the victim of a cyberattack in January 2022 in which files containing patient information were accessed and potentially stolen by hackers. Unusual network activity was detected on January 4, 2022, and the SDCA breach response process was immediately initiated. Systems were isolated from the network and shut down, with the investigation determining hackers had access to certain systems from January 2, 2022, to January 5, 2022. During that time, the hackers accessed certain files stored on its systems, some of which contained patients’ personal and protected health information. A comprehensive review of those files confirmed they contained patient names along with one or more of the following types of information: dates of birth, Social Security numbers, drivers’ license numbers, patient account numbers, health insurance information, and clinical information such as physician names, dates and types of service, and diagnoses. SDCA said the contents of medical records were unaffected, the patient portal was...

Logan Health Facing Class Action Lawsuit Over Data Breach
Mar11

Legal action is being taken against Logan Health and subsidiary, sister, and related entities over a data breach that occurred in 2021 and affected 213,543 Logan Health Medical Center patients. The class action lawsuit was filed in the U.S. District Court for the District of Montana Great Falls Division by law firm Heenan & Cook on behalf of plaintiff Allison Smeltz and all similarly affected individuals over the alleged failure of the health system to protect the plaintiff’s and class members’ sensitive personal information. The data breach in question was reported by Logan Health in February 2022, with its investigation confirming unauthorized individuals had access to its system between November 18, 2021, and November 22, 2021. Hackers gained access to a single file server housing files that contained patients’ protected health information such as names, contact information, insurance claim information, date(s) of service, medical bill account number, and health insurance information. Logan Health said it had found no evidence of misuse of patient data, offered affected...

Breach Barometer Report Shows Over 50 Million Healthcare Records Were Breached in 2021
Mar11

Protenus has released its 2022 Breach Barometer Report which confirms 2021 was a particularly bad year for healthcare industry data breaches, with more than 50 million healthcare records exposed or compromised in 2021. The report includes healthcare data breaches reported to regulators, as well as data breaches that have been reported in the media, incidents that have not been disclosed by the breached entity, and data breaches involving healthcare data at non-HIPAA-regulated entities. The data for the report was provided by databreaches.net. Protenus has been releasing annual Breach Barometer reports since 2016, and the number of healthcare data breaches has increased every year, with the number of breached records increasing every year since 2017. In 2021, it has been confirmed that at least 50,406,838 individuals were affected by healthcare data breaches, a 24% increase from the previous year. 905 incidents are included in the report, which is a 19% increase from 2020. The largest healthcare data breach of the year affected Florida Healthy Kids Corporation, a...

6 Healthcare Providers and Business Associates Report Hacks and Ransomware Attacks
Mar10

A round-up of 6 cyberattacks that have recently been reported by healthcare providers and business associates that resulted in the exposure and possible theft of patients’ protected health information. Duncan Regional Hospital Duncan Regional Hospital in Oklahoma has announced that hackers gained access to its systems and potentially exfiltrated sensitive patient and employee information. The breach was detected on January 20, 2022, and immediate action was taken to secure its systems, and an independent computer forensics company was engaged to conduct a forensic investigation to determine the nature and scope of the breach. A review of the files on the affected parts of its system confirmed they contained patient information such as name, date of birth, Social Security number, limited treatment information, and medical appointment information such as date of service and name of providers. Employee data potentially accessed in the attack included personal information associated with W-2s, such as name, date of birth, address, and Social Security number. Duncan Regional...

PHI of Over 500,000 Individuals Potentially Compromised in 4 Security Incidents
Mar09

Over 500,000 individuals have been affected by cyberattacks on Norwood Clinic, PracticeMax, Central Indiana Orthopedics, and an unauthorized electronic medical record incident at Ascension Michigan. Norwood Clinic The Birmingham, AL-based multi-specialty clinic, Norwood Clinic, has recently started notifying 228,103 individuals that some of their protected health information was accessed in a cyberattack that was detected on October 22, 2021. Upon detection of the breach, systems were immediately secured and third-party security experts were engaged to investigate the incident and determine the nature and scope of the breach. The investigation confirmed that an unauthorized individual gained access to a server that housed patient information such as names, contact information, birth dates, Social Security numbers, driver’s license numbers, limited health information, and/or health insurance policy numbers. While unauthorized data access was confirmed, it was not possible to determine the specific information that was accessed, or whether any patient information was acquired in the...

3 Email Security Incidents Reported Affecting More Than 111,000 Patients
Mar09

Email account breaches have been reported by Montrose Regional Health, EPIC Pharmacy Network, and Acacia Network, and North Shore University Hospital has reported an incident involving a former employee accessing protected health information without authorization. Montrose Regional Health The Colorado-based health system Montrose Regional Health has recently started notifying 52,632 patients that some of their protected health information has been exposed when unauthorized individuals gained access to employee email accounts. Suspicious activity was detected in an employee’s email account prompting an immediate investigation. Assisted by a third-party cybersecurity company, Montrose Regional Health discovered multiple employee email accounts had been accessed by unauthorized individuals between August 2, 2021, and October 26, 2021. A review of the emails and attachments was conducted and it was confirmed on February 25, 2022, that the accounts contained names along with one or more of the following data types: inpatient/outpatient status, internal patient account number, service...

Healthcare Organizations Report Email Compromises, Hacking Incidents and Other ePHI Exposures
Mar04

A round-up of data breaches that have recently been reported by healthcare organizations that have involved the exposure or theft of individuals’ personal and protected health information. Catholic Health Services Reports Breach of Employee Email Accounts Miami Lakes, FL-based Catholic Health Services has discovered the email accounts of three Catholic Hospice employees have been accessed by unauthorized individuals. Assisted by a third-party computer forensics firm, Catholic Health Services determined on December 1, 2021, that the email accounts contained sensitive data including names, addresses, and one or more of the following data types: demographic information, Social Security numbers, medical information, and treatment history, diagnosis, and other health-related information. The breach was reported to the HHS’ Office for Civil Rights as affecting 14,986 individuals. Notifications have now been issued and breach victims have been offered complimentary credit monitoring and identity theft protection services, which include a $1,000,000 identity theft insurance policy....

Monongalia Health System Suffers Another Major Data Breach
Mar03

West Virginia-based Monongalia Health System (Mon Health) has announced it was the victim of a cyberattack that has exposed patient, employee, and contractor data. This is the second major data breach to be reported by the health system in the past 12 months. Mon Health has confirmed that these two data breaches are separate incidents, although it is unclear at this stage if they are in any way related. The previous data breach was the result of a phishing attack that saw several employee email accounts compromised. Mon Health announced the breach on December 21, 2021, and said the security breach was discovered in July 2021 when a vendor reported not receiving a payment. The attackers used the compromised email accounts to divert a wire transfer. The investigation into the breach determined the email accounts were compromised between May 10, 2021, and August 15, 2021, and they contained the protected health information of 398,164 patients. In this incident, IT systems were not disrupted. According to the latest Mon Health press release, the latest breach was discovered on December...

OCR Director Encourages HIPAA-Regulated Entities to Strengthen Their Cybersecurity Posture
Mar01

In a recent blog post, Director of the HHS’ Office for Civil Rights, Lisa J. Pino, urged HIPAA-regulated entities to take steps to strengthen their cybersecurity posture in 2022 in light of the increase in cyberattacks on the healthcare industry. 2021 was a particularly bad year for healthcare organizations, with the number of reported healthcare data breaches reaching record levels. 714 healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights in 2021 and more than 45 million records were breached. The breach reports were dominated by hacking and other IT incidents that resulted in the exposure or theft of the healthcare data of more than 43 million individuals. In 2021, hackers took advantage of healthcare organizations dealing with the COVID-19 pandemic and conducted several attacks that had a direct impact on patient care and resulted in canceled surgeries, medical examinations, and other services as a result of IT systems being taken offline and network access being disabled. Pino also drew attention to the critical vulnerability...

PHI of 10,000 Individuals Exposed Due to Houston Health Department Portal Glitch
Mar01

The Houston Health Department has recently announced that the personal information and COVID-19 test results of 10,291 individuals have been exposed online as a result of a technical issue with its portal. The issue allowed approximately 3,500 portal users to access the data of other individuals. The Houston Health Department said it detected the issue on January 6, 2022, and the portal was deactivated within 48 hours. Notification letters had to be delayed for several weeks while the portal issue was investigated to determine the full nature and scope of the incident. The health department confirmed that this was not a hacking incident, and it does not appear that any exposed information has been misused. The types of data that could have been viewed included names, addresses, dates of birth, email addresses, testing dates, and test results. While no Social Security numbers were compromised, affected individuals have been offered a complimentary 12-month membership to an identity theft protection service. Priority Health Confirms Breach of Member Portal Accounts The Michigan...

Four Healthcare Providers Hit with Ransomware Attacks
Mar01

Ransomware attacks have recently been reported by four healthcare providers across the country, which have collectively resulted in the exposure and potential theft of the protected health information of more than 49,000 individuals. Jax Spine & Pain Centers Jax Spine and Pain Centers in Jacksonville, FL has recently announced it was the victim of a ransomware attack that occurred on January 24, 2022. The attack was conducted on an inactive server that contained records of patients who had visited either its Jacksonville or St. Augustine locations prior to May 2018. Jacksonville Spine Center said the attackers claimed to have stolen files from the server and threatened to publish the stolen data if the ransom was not paid but did not say whether a payment was made to prevent the publication of the data. Monitoring software had been installed on the server which allowed the attack to be rapidly detected, and due to the prompt action taken in response to the breach, it was possible to prevent the encryption of data. As soon as the breach was detected the server was shut down, but...

Notifications Recently Sent to Alert Individuals About September 2020 and February 2021 Cyberattacks
Feb24

Two HIPAA-regulated entities have recently started notifying individuals whose protected health information was potentially compromised in cyberattacks that occurred more than 12 months ago, including one where it took 18 months to notify affected individuals that their protected health information had been accessed and potentially acquired. Comprehensive Health Services Notifies 106,752 Patients About September 2020 Cyberattack Comprehensive Health Services, a Cape Canaveral, FL-based provider of workforce medical services and subsidiary of Acuity International, has recently announced it was the victim of a cyberattack that was detected on September 30, 2020. The security incident came to light after multiple fraudulent wire transfers had been made from its accounts. Third-party forensics experts were engaged to determine the extent of the security incident, secure its digital environment, identify how the attacker gained access to its systems, and whether any sensitive data had been exfiltrated from those systems. Comprehensive Health Services explained in its breach notification...

Logan Health Medical Center Cyberattack Affects More Than 213,000 Patients
Feb24

Logan Health Medical Center in Kalispell, MT, has recently started notifying certain patients that hackers gained access to a file server that housed patient information in “a highly sophisticated criminal attack.” A security breach of its information technology systems was detected on November 22, 2021, with the initial investigation confirming a hacker had breached its security defenses. Third-party forensic investigators were retained to conduct an investigation to determine the nature and scope of the attack and on January 5, 2022, it was confirmed that certain files on its systems that contained patient information had been accessed. The intrusion was limited to a single file server and its electronic medical records were not compromised. A review of the files on the affected server revealed they contained patient information including names, addresses, medical record numbers, dates of birth, telephone numbers, email addresses, insurance claim information, date(s) of service, treating/referring physician, medical bill account number, and/or health insurance information. The...

January 2022 Healthcare Data Breach Report
Feb22

50 healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights (OCR) in January 2022. January was the second successive month where the number of reported data breaches fell, although 38.9% more breaches were reported last month than in January 2020. The protected health information of 2,304,607 individuals was exposed or impermissibly disclosed across those 50 breaches – 22% fewer records than December 2021, and well below the 12-month average of 3.51 million records a month. 726 data breaches of 500 or more records were reported to OCR in the 12 months from February 2021 to January 2022, and 42,175,121 records were breached across those 726 incidents.   Largest Healthcare Data Breaches in January 2022 18 healthcare data breaches of 10,000 or more records were reported to the HHS’ Office for Civil Rights in January 2022, including one major data breach that affected more than 1.35 million Broward Health patients. Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach Location of Breached Information Breach...

Sea Mar Community Health Centers Facing Class Action Lawsuit over 688,000-Record Data Breach
Feb22

Seattle, WA-based Sea Mar Community Health Centers is facing a class action lawsuit over a cyberattack in which the protected health information of 688,000 individuals was compromised. The breach came to light in June 2021 when files stolen in the attack were posted on the Marketo dark web leak site. Databreaches.net spotted the leaked data on the Marketo data leak site in June 2021 and contacted Sea Mar. In October 2021, Sea Mar sent notification letters to affected individuals and explained that the hackers gained access to its network between December 2020 and March 2021 and exfiltrated sensitive data including names, addresses, Social Security numbers, dates of birth, and health information. The data breach was reported to the HHS’ Office for Civil Rights the same month as affecting 688,000 current and former patients. Affected individuals were offered complimentary credit monitoring and identity theft protection services for 12 months. According to Databreaches.net, the threat group behind the attack claimed to have stolen 3TB of data from Sea Mar. There may also have been a...

PHI of 521,000 Individuals Compromised in Security Breach at Morley Companies
Feb16

Morley Companies, a Saginaw, MI-based provider of business services, has recently announced it was the victim of a cyberattack that started on August 1, 2021, that prevented access to data in its information systems. Rapid action was taken to isolate the affected systems and a leading cybersecurity firm was engaged to investigate and determine the nature and scope of the security incident. In addition to encrypting data on its systems, the attackers exfiltrated certain data from its systems. A comprehensive review was conducted of all files on its systems that could have been accessed by the attackers, and Morley Companies then started collecting contact information for those individuals to allow notification letters to be sent. Morley Companies said that process was completed in early 2022, and notification letters started to be sent to affected individuals on February 1, 2022. The forensic investigation confirmed the following types of information were potentially accessed and/or stolen in the cyberattack: Names, addresses, Social Security numbers, birthdates, client...

15,000 Patients Affected by Philadelphia FIGHT Community Health Centers Cyberattack
Feb16

Philadelphia FIGHT Community Health Centers has recently announced it was the victim of a cyberattack on November 30, 2021. Third-party forensic investigators were engaged to determine the nature and scope of the breach. The investigation confirmed its electronic medical record system and other clinical systems were not compromised in the attack; however, on January 13, 2022, Philadelphia FIGHT discovered the attacker had accessed non-clinical systems that housed files containing the protected health information of around 15,000 patients. It was not possible to determine if the attacker viewed or obtained any patient information, although no reports have been received that suggest any patient information has been misused. The information potentially compromised in the attack included names, dates of birth, Social Security numbers, medical diagnoses, treatment information, and health insurance information. Philadelphia FIGHT said a review of security protocols is being conducted and security measures will be enhanced to prevent further cyberattacks. Vendor Email Account Breach...

Patient Data Compromised in Ransomware Attacks on Family Christian Health Center & Jackson County Hospital
Feb16

Family Christian Health Center (FCHC) in Illinois has announced it was the victim of a ransomware attack in November 2021 that compromised the protected health information of 31,000 patients. The attack was detected on November 30, 2021, with the investigation indicating the attackers first gained access to its IT systems on or around November 18, 2021. The attackers compromised FCHC’s old dental system which contained the PHI of patients who had received dental services prior to August 31, 2020. The system contained patients’ names, birth dates, insurance card numbers, driver’s license numbers, and copies of patients’ insurance cards and driver’s licenses. FCHC said information about the dental care provided, credit card numbers, and the Social Security numbers of affected dental patients were not affected. The PHI of non-dental patients who received healthcare services between December 5, 2016, and August 31, 2020, was also compromised and included names, birthdates, addresses, insurance identification numbers, and Social Security numbers. FCHC worked with external IT vendors to...

CaptureRx Proposes $4.75 Million Settlement to End Data Breach Litigation
Feb15

CaptureRx has proposed a $4.75 million settlement to resolve claims related to a 2021 data breach that affected approximately 2.4 million patients of its healthcare provider clients. CaptureRx is a healthcare administrative service provider that helps hospitals manage their 340B drug discount programs. On February 6, 2021, CaptureRx discovered unauthorized individuals had gained access to its network and used ransomware to encrypt its files. On March 19, 2021, CaptureRx determined files containing patient data had been compromised, and affected clients started to be notified on March 30, 2021. CaptureRx publicly announced the data breach but did not initially disclose how many individuals had been affected. The breach was reported to the HHS’ Office for Civil Rights in May 2021 by CaptureRx as affecting 1,656,569 individuals, although several of its healthcare provider clients reported the breach themselves. Several class action lawsuits were proposed that alleged CaptureRx was negligent for failing to implement and maintain appropriate safeguards to protect patient data and other...

Hackers Gained Access to Files Containing the PHI of 115,670 South Shore Hospital Patients
Feb15

Chicago’s South Shore Hospital has started notifying 115,670 current and former patients about a December 2021 cyberattack on its network. Suspicious activity was identified on its network on December 10, 2021, and prompt action was taken to contain the incident. Emergency protocols were implemented to ensure care could continue to be safely provided to patients. South Shore Hospital engaged a team of third-party computer forensics experts to investigate the security breach and determine whether patient information was accessed or stolen. The investigation confirmed the attackers gained access to parts of its network where files were stored that contained the protected health information of patients and employee data, including names, addresses, dates of birth, Social Security numbers, health insurance information, medical information, diagnoses, health insurance policy numbers, Medicare/Medicaid information, and financial information. South Shore Hospital said it will be implementing additional security measures to better protect its network against cyberattacks, including...

Hacking Incidents Reported by AccelHealth and Pace Center for Girls
Feb10

Brownwood, Texas-based Cross Timbers Health Clinics, operating under the brand AccelHealth, suffered a ransomware attack on December 15, 2021, which prevented the Federally Qualified Health Center from accessing certain files and folders on its network. AccelHealth engaged third-party forensics specialists to investigate the security breach who determined unauthorized individuals first gained access to its network on December 9, 2021. During the 6 days when network access was possible, the attackers may have viewed or acquired files containing patient information. A comprehensive review of all files on the compromised parts of the network revealed they contained the protected health information of 48,126 patients, including names, addresses, dates of birth, Social Security numbers, driver’s license numbers, financial account information, health insurance information, medical record numbers, and treatment and diagnosis information. No evidence was found of data exfiltration and, at the time of issuing notification letters, no reports had been received to suggest any actual or...

February 11, 2022: Deadline for Providing GAO With Feedback on HHS Data Breach Reporting Requirements
Feb08

The Government Accountability Office (GAO) has launched a rapid response survey of healthcare organizations and business associates covered by the Health Insurance Portability and Accountability Act (HIPAA) seeking feedback on their experiences reporting data breaches to the Secretary of the Department of Health and Human Services (HHS). The questionnaire was initially due to remain open until 4 p.m. EST on Friday, February 4, 2022, but the deadline has now been extended by a week to February 11, 2022. The survey is being conducted through Survey Monkey and can be accessed here. Congress requested the GAO review the number of data breaches reported to the HHS since 2015, and the survey seeks to identify some of the challenges, if any, faced by covered entities and business associates in meeting the data breach reporting requirements of the HHS. The GAO will also determine what efforts the HHS has made to address any breach reporting issues and improve the data breach reporting process. The survey is being distributed by the Health-ISAC, Health Sector Coordinating Council (HSCC)...

Data Breaches Reported by Suncoast Skin Solutions, Raveco Medical, South City Hospital, and the Colorado DHS
Feb07

Suncoast Skin Solutions, a network of 22 surgical, medical, and cosmetic dermatological care clinics in Florida, has recently started notifying 57,730 patients about a ransomware attack that was discovered on July 14, 2021. Suncoast said when the cyberattack was detected, prompt action was taken to prevent the encryption of all of its systems and a third-party cybersecurity firm was engaged to conduct a forensic investigation to determine the nature and scope of the attack. On October 14, 2021, the cybersecurity firm concluded its investigation and Suncoast conducted a preliminary review of its systems to determine if they contained any patient information. That process was completed on November 8, 2021, and a third-party vendor was engaged to review all affected files to determine the specific individuals whose information may have been compromised. Suncoast has now confirmed that the following types of data were potentially viewed by the attackers: names, dates of birth, clinical information, doctor’s notes, and other limited treatment information. Suncoast said it is unaware of...

Taylor Regional Hospital Still Recovering from January Cyberattack
Feb07

Taylor Regional Hospital in Campbellsville, KY has suffered a cyberattack that has resulted in its IT and phone systems being taken offline. The cyberattack was reported by the hospital on January 24, 2021, and the hospital is still experiencing outages with certain computer systems and phone lines. Temporary phone lines have been set up to allow patients to contact the hospital while the cyberattack is resolved. Cyberattacks such as this often involve ransomware, but no details have been released so far about the exact nature of the cyberattack, nor when its IT systems are expected to be restored. At this early stage, it is unclear if any patient information has been accessed or stolen by attackers. A notice on the hospital’s website explains that quality care continues to be provided to patients and it is working as quickly as possible to safely bring its IT systems back online. Patients are encouraged not to delay seeking medical care; however, without access to IT systems, patients have been asked to bring lists of their medication with them to any appointments that have...

PHI of 138K Individuals Exposed in 3 Email Security Incidents
Feb04

Hackers have gained access to email accounts containing protected health information (PHI) at Injured Workers Pharmacy, iRise Florida Spine and Joint Institute, and Volunteers of America Southwest California. Injured Workers Pharmacy Andover, MA-based Injured Workers Pharmacy has recently reported a data breach to the Maine Attorney General that was discovered on or around May 11, 2021, when suspicious activity was detected in an employee email account. The account was immediately secured and third-party computer forensics specialists were engaged to investigate the breach. The investigation revealed 7 email accounts had been compromised between January 16, 2021, and May 12, 2021. Third-party data review specialists were engaged to check the emails and attachments in the compromised accounts, which confirmed they contained the protected health information of 75,771 individuals such as names, addresses, and Social Security numbers. After the review, Injured Workers Pharmacy validated the results, and that process was completed on or around December 14, 2021. Notification letters...

RI Attorney General Subpoenas RIPTA and UnitedHealthcare Over 22,000-Record Data Breach
Feb04

The Rhode Island Attorney General is investigating UnitedHealthcare and the Rhode Island Public Transit Authority (RIPTA) over a cyberattack and data breach that resulted in hackers gaining access to RIPTA’s network that contained the sensitive personal and protected health information of up to 22,000 individuals. The Office of the Rhode Island Attorney General was notified about the security breach on December 23, 2021. RIPTA said it discovered and blocked a cyberattack on August 5, 2021, with its investigation confirming the hackers gained access to its network on August 3, 2021. Files stored on the compromised part of its network included extensive information on its employees, including names, dates of birth, Social Security numbers, and health plan ID numbers, along with the sensitive information of thousands of state employees who had never worked at RIPTA. RIPTA reported the breach to the HHS’ Office for Civil Rights as affecting 5,015 individuals but said in its breach notice that the incident had resulted in the exposure of the personal data of 17,378 individuals....

Data Breaches Reported by Jefferson Health and Allegheny Health Network Home Infusion
Feb03

Allegheny Health Network Home Infusion Patients Affected by Ransomware Attack on Vendor Pittsburgh, PA-based Allegheny Health Network Home Infusion has been notified about a ransomware attack on one of its vendors, Vantage Healthcare Network, Inc. On October 17, 2021, Vantage detected suspicious activity within its network and engaged a third-party cybersecurity firm to investigate the security breach. AHN Home Infusion was informed on November 22, 2021, that the systems accessed by the ransomware gang contained patient data, some of which had been exfiltrated by the attackers prior to file encryption. AHN Home Infusion conducted its own investigation alongside Vantage to determine which patients had been affected, and the types of information that had been compromised and has confirmed the following types of information had potentially been accessed or exfiltrated in the attack: Names, billing information, nurse’s notes, patient referral information, prescriptions, treatment and therapy records, medical device orders, scheduling information, and a small number of Social Security...
