Our HIPAA breach news section covers HIPAA breaches such as unauthorized disclosures of protected health information (PHI), improper disposal of PHI, unauthorized PHI access by cybercriminals and rogue healthcare employees, and other security and privacy breaches.

When known, we explain how the breach occurred, the consequences to patients that may have had their PHI compromised, and the actions being taken by the affected healthcare organization to improve safeguards to prevent further HIPAA breaches.

We also explain any actions being taken by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general in relation to those breaches.

OCR investigates all data breaches that impact more than 500 individuals to determine whether any HIPAA violations have occurred. When HIPAA Rules are discovered to have been violated, financial penalties may be deemed appropriate. It can take many months or years before any financial penalties for HIPAA breaches are decided. Financial penalties for HIPAA violations tend to be reserved for the most serious breaches of HIPAA Rules. OCR prefers to resolve cases with voluntary compliance and by issuing recommendations to bring policies in line with HIPAA Rules.

The HIPAA breach news section is particularly relevant to healthcare information security professionals, privacy officers, and other individuals who have some responsibility for HIPAA compliance.

The HIPAA breach news reports highlight common areas of non-compliance and new attack vectors used by cybercriminals to gain access to healthcare networks and PHI, the security failings that allowed them to happen, and the measures that have been implemented to prevent them from happening again.

No healthcare organization wants to experience a data breach, but when a breach does occur, lessons can be learned. HIPAA-covered entities can use these breach examples to help train their staff as well as to discover some of the methods other covered entities have adopted to improve data security.

As you will be able to see from the volume of posts in the HIPAA breach news category, healthcare data breaches occur frequently. In 2016 and 2017, healthcare data breaches have been reported on an almost daily basis.

Our HIPAA breach news section is an important source of information about potential security issues that covered entities should be identifying when conducting their own risk assessments. Many of the situations in our HIPAA breach news posts could have been avoided if a risk assessment had identified a vulnerability that was later exploited to gain access to PHI.

The main purpose for adding HIPAA breach news to this website is to highlight specific aspects of HIPAA compliance that are commonly overlooked, often with serious consequences for the covered entity and patients/health plan members.

By raising awareness of the volume of healthcare data breaches, the implications of those breaches, and the penalties that can result, it is hoped that healthcare providers will take decisive action to prevent their patients’ and members’ data from being exposed.

The most recent healthcare data breach reports are listed below. If you want to find out if a specific covered entity has experienced a data breach, please use the search function in the top right hand corner of this webpage.

350,000 Patients of ReproSource Fertility Diagnostics Affected by Ransomware Attack
Oct13

350,000 Patients of ReproSource Fertility Diagnostics Affected by Ransomware Attack

Malborough, MA-based ReproSource Fertility Diagnostics has suffered a ransomware attack in which hackers gained access to systems containing the protected health information of approximately 350,000 patients. ReproSource is a leading laboratory for reproductive health that is owned by Quest Diagnostics. ReproSource discovered the ransomware attack on August 10, 2021 and promptly severed network connections to contained the incident. An investigation into the security breach confirmed the attack occurred on August 8. While it is possible that patient data was exfiltrated by the attackers prior to the deployment of ransomware, at this stage no evidence of data theft has been identified. A review of the files on the affected systems was completed on September 24 and revealed they contained the following types of protected health information: Names, phone numbers, addresses, email addresses, dates of birth, billing and health information (CPT codes, diagnosis codes, test requisitions and results, test reports and/or medical history information), health insurance or group plan...

Read More
Premier Patient Health Care Alerts Patients About Insider Data Breach
Oct13

Premier Patient Health Care Alerts Patients About Insider Data Breach

Carrollton, TX-based Premier Patient Health Care has discovered the protected health information of 37,636 patients has been obtained by an unauthorized individual in an insider wrongdoing incident. Premier Patient Health Care is an Accountable Care Organization (ACO) that works with physicians to improve clinical outcomes under the Medicare Shared Savings Program (MSSP). The ACO and Premier Patient Health Care are operated and run by Premier Management Company, which is a business associate of many primary care physicians who are HIPAA-covered entities. On April 30, 2020, Wiseman Innovations, a technology vendor used by Premier Management Company, determined a former Premier Patient Health Care executive had accessed its computer system in July 2020 after the termination of employment and viewed and obtained a file containing patient data. A review of the file confirmed it contained the protected health information of patients of primary care physicians, including full names, age, date of birth, sex, race, county, state of residence, and ZIP code along with Medicare beneficiary...

Read More
Elekta Faces Class Action Lawsuit over Ransomware Attack and Data Breach
Oct08

Elekta Faces Class Action Lawsuit over Ransomware Attack and Data Breach

A lawsuit has been filed on behalf of a former patient of Northwestern Memorial HealthCare (NMHC) against Elekta Inc. over its April 2021 ransomware attack and data breach. Elekta, a Swedish provider of radiation medical therapies and related equipment data services, is a business associate of many U.S. healthcare providers. Hackers targeted the company’s cloud-based platform that is used to store and transmit healthcare data and were able to access the platform between April 2 and April 20, 2021. The breach was detected when the hackers deployed ransomware. Elekta reported the attack as affecting a small percentage of its cloud customers in the United States, including NMHC. The entire oncology database of NMHC was compromised in the attack. The database contained the protected health information of 201,197 cancer patients including names, dates of birth, Social Security numbers, and healthcare data. In total, the attack affected 170 of its healthcare clients. The lawsuit was filed in the U. S. District Court for the Northern District of Georgia on behalf of Deborah Harrington and...

Read More
Ransomware Deployed 2 Minutes After Hackers Gained Access to Johnson Memorial Health’s Network
Oct07

Ransomware Deployed 2 Minutes After Hackers Gained Access to Johnson Memorial Health’s Network

Johnson Memorial Health has announced it was the victim of a ransomware attack on October 1, 2021. The attack saw files encrypted which crippled its IT systems. Emergency protocols were immediately implemented and employees are manually recording patient information and writing prescriptions until systems can be restored. Ransomware gangs often gain access to systems days, weeks, or even months prior to deploying ransomware. During that time, they move laterally within networks to gain access to as many systems as possible before ransomware is deployed; however, not always. The attack on Johnson Memorial Healthcare occurred at lightning speed. According to Dr. David Dunkle, President and CEO of Johnson Memorial Health, the hackers gained access to its IT systems at 10:31 p.m. on Friday night and deployed ransomware 2 minutes later at 10:33 p.m. The hospital’s IT department detected abnormal activity around 10:40 p.m. the same evening and shut down its network at 10:45 p.m. to minimize the damage caused. A ransom demand was issued by the attackers, but Dunkie says no payment has...

Read More
Eskenazi Health Confirms Patient Data Was Stolen in August Ransomware Attack
Oct07

Eskenazi Health Confirms Patient Data Was Stolen in August Ransomware Attack

Indianapolis, IN-based Eskenazi Health has announced it was the victim of a ransomware attack that was detected on or around August 4, 2021. Suspicious activity was detected and the IT team immediately shut down systems to contain the attack. Emergency protocols were implemented, with staff reverting to pen and paper to record patient data. Without access to critical IT systems the decision was taken to go on diversion and ambulances were re-routed from Health & Hospital Corporation of Marion County to alternative facilities. An investigation was launched to determine the nature and extent of the attack. Eskenazi Health said the forensic investigation determined the hackers had first gained access to its systems on May 19, 2021 and disabled its security systems to ensure their presence in the network was not detected. The intrusion was only detected when ransomware was deployed and files started to be encrypted. The forensic investigators confirmed the attackers had been removed from its network and systems were secure. The initial investigation into the attack indicated...

Read More
Almost 54,000 Patients Affected by OSF HealthCare Ransomware Attack
Oct07

Almost 54,000 Patients Affected by OSF HealthCare Ransomware Attack

The Peoria, IL-based not-for-profit catholic health system OSF HealthCare has started notifying 53,907 patients about a cyberattack that was discovered on April 23, 2021. OSF HealthCare said upon discovery of the breach, steps were taken to prevent further unauthorized access and a third-party forensic investigator was engaged to conduct an investigation into the attack to determine the extent of the breach. The investigator confirmed the attackers first accessed its systems on March 7, 2021 and access remained possible until April 23, 2021. OSF HealthCare said the attackers accessed certain files on its system that related to patients of OSF HealthCare Little Company of Mary Medical Center and OSF HealthCare Saint Paul Medical Center. On August 24 it was determined the following types of patient data may have been compromised: Names, contact information, dates of birth, Social Security numbers, driver’s license numbers, state/government ID numbers, treatment information, diagnosis information and codes, physician names, dates of service, hospital units, prescription information,...

Read More
Cyberattacks Reported by Schneck Medical Center and Epilepsy Foundation of Texas
Oct06

Cyberattacks Reported by Schneck Medical Center and Epilepsy Foundation of Texas

Schneck Medical Center in Seymour, IN has announced it was a victim of a cyberattack which has had an impact on organizational operations. The attack was detected on September 29, 2021 and an announcement was made the same day. In response to the attack, all IT systems within its facilities were suspended out of an abundance of caution, and third-party cybersecurity experts have been engaged to assist with the investigation and restore its IT system as quickly as possible. Schneck Medical Center said investigations into cyberattacks and the restoration of IT systems take time to fully resolve, but steps have been taken to minimize disruption to its systems. Schneck Medical Center said most medical services have not been affected by the attack and patients should arrive as normal for scheduled services and appointments. Patients will be notified individually if for any reason their appointment has had to be postponed as a result of the attack. “As a team of dedicated and caring medical professionals, we understand that healthcare is about people taking care of people. We remain...

Read More
Ransomware Attack on Florida Behavioral Health Service Provider Affects 19,000 Individuals
Oct01

Ransomware Attack on Florida Behavioral Health Service Provider Affects 19,000 Individuals

The Clearwater, FL-based non-profit behavioral health service provider Directions for Living was the victim of a ransomware attack on July 17, 2021. Upon detection of the attack, law enforcement was notified and third-party computer forensics experts were engaged to investigate the scope of the attack and assist with remediation efforts. The investigation concluded on August 30, 2021. A review of servers potentially accessed by the attackers confirmed they contained personal and protected health information of current and former clients, including names, addresses, dates of birth, Social Security numbers, diagnostic codes, claims information, insurance information, healthcare provider names, date of service, and certain health information. Directions for Living said its electronic medical record system was not affected and could not be accessed by the attackers and clients’ financial information was not stored on the affected servers. While personal and protected health information may have been accessed by unauthorized individuals, Directions for Living said no evidence has been...

Read More
PHI of Navistar Health Plan Members Compromised in May 2021 Cyberattack
Sep30

PHI of Navistar Health Plan Members Compromised in May 2021 Cyberattack

Lisle, IL-based Navistar Inc. has issued further notification letters to individuals affected by a security breach that was detected on May 20, 2021. The U.S. truck manufacturer immediately implemented its cybersecurity response plan when a potential breach of its information technology systems was detected, and third-party cybersecurity experts were engaged to assist with the investigation and determine the nature and scope of the breach. On May 31, 2021, Navistar was informed that certain data had been extracted from its systems in the attack. The investigation into the data theft confirmed on August 20, 2021 that the exfiltrated files contained the protected health information of current and former members of Navistar Health Plan and the Navistar Retiree Health Benefit and Life Insurance Plan. That information is understood to have been stolen prior to the discovery of the security breach on May 20. Navistar said the exfiltrated data potentially included names, addresses, dates of birth, and information related to participation on the health and insurance plans, which may have...

Read More
Data Breaches Reported by Horizon House and Samaritan Center of Puget Sound
Sep29

Data Breaches Reported by Horizon House and Samaritan Center of Puget Sound

Horizon House, Inc., a Philadelphia, PA-based provider of mental health and residential treatment services has announced its IT systems have been hacked and the protected health information of 27,823 individuals has potentially been compromised. Suspicious activity was detected in its computer systems on March 5, 2021. An investigation was launched to determine the nature and scope of the breach, which revealed an unauthorized individual had access to its systems between March 2 and March 5, 2021. A review of files stored on the compromised systems was completed around September 3, 2021. The files contained protected health information such names, addresses, Social Security numbers, driver’s license numbers, state identification card numbers, dates of birth, financial account information, medical claim information, medical record numbers, patient account numbers, medical diagnoses, medical treatment information, medical information, health insurance information, and medical claims information. All individuals affected by the incident have been notified and advised to monitor their...

Read More
PHI of 29,000 Patients Potentially Compromised in McAllen Surgical Specialty Center Ransomware Attack
Sep29

PHI of 29,000 Patients Potentially Compromised in McAllen Surgical Specialty Center Ransomware Attack

McAllen Surgical Specialty Center in Texas has started notifying patients about a ransomware attack that was detected on May 14, 2021. Third-party computer forensics specialists were engaged to investigate the breach and determine the nature and scope of the attack. The investigators determined unauthorized individuals had gained access to certain computers and servers on May 12, 2021 and deployed ransomware. Unauthorized access to its network was blocked on May 14. A comprehensive analysis was conducted to determine the servers and computers that had been affected, and which had potentially been accessed by the hackers. On July 22, it was determined patient data had potentially been compromised in the attack. The affected computers and servers contained a range of patient information, with the types of exposed data varying from patient to patient. Data potentially affected included names, addresses, Social Security numbers, dates of service, health insurance information, provider name, patient numbers, and medical record numbers. No evidence of data theft was identified and...

Read More
Class Action Lawsuits Filed Against San Diego Health Over Phishing Attack
Sep28

Class Action Lawsuits Filed Against San Diego Health Over Phishing Attack

Multiple class action lawsuits have been filed against the Californian healthcare provider San Diego Health over a data breach involving the protected health information of 496,949 patients. On March 12, 2021, San Diego Health identified suspicious activity in employee email accounts and launched an investigation. On April 8, 2021, it was determined multiple email accounts containing patients’ protected health information had been accessed by unauthorized individuals between December 2, 2020 and April 8, 2021. A review of the compromised email accounts confirmed them to contain protected health information such as names, addresses, dates of birth, email addresses, medical record numbers, government ID numbers, Social Security numbers, financial account numbers, and health information such as test results, diagnoses, and prescription information. HIPAA requires covered entities to issue notifications to affected individuals within 60 days of the discovery of a breach. San Diego Health published a substitute breach notice on its website on July 27, 2021 and started issuing individual...

Read More
Fifth of Healthcare Providers Report Increase in Patient Mortality After a Ransomware Attack
Sep27

Fifth of Healthcare Providers Report Increase in Patient Mortality After a Ransomware Attack

While there have been no reported cases of American patients dying as a direct result of a ransomware attack, a new study suggests patient mortality does increase following a ransomware attack on a healthcare provider. According to a recent survey conducted by the Ponemon Institute, more than one fifth (22%) of healthcare organizations said patient mortality increased after a ransomware attack. Ransomware attacks on healthcare providers often result in IT systems being taken offline, phone and voicemail systems can be disrupted, emergency patients are often redirected to other facilities, and routine appointments are commonly postponed. The recovery process can take several weeks, during which time services continue to be disrupted. While some ransomware gangs have a policy of not attacking healthcare organizations, many ransomware operations target healthcare. For instance, the Vice Society ransomware operation has conducted around 20% of its attacks on the healthcare sector and attacks on healthcare organizations have been increasing. During the past 2 years, 43% of respondents...

Read More
Data Breaches Reported by Vista Radiology, Indian Creek Foundation & Mankato Clinic
Sep27

Data Breaches Reported by Vista Radiology, Indian Creek Foundation & Mankato Clinic

Vista Radiology Reports Breach of the PHI of up to 3,634 Individuals Knoxville, TN-based Vista Radiology has notified 3,634 patients about a ransomware attack experienced on July 11, 2021 which took part of its network offline. A leading computer forensics firm was engaged to conduct a full investigation into the attack. And the initial investigation appeared to suggest the sole purpose of the attack was to encrypt its systems, and that data exfiltration was not involved. However, Vista Radiology was informed on July 15 that some evidence had been found that files or folders containing patient data had been accessed and viewed. The investigation confirmed files were encrypted in the evening of July 10 with a subset of those files accessed prior to encryption. The files that had been viewed only contained a limited amount of patient data and no significant amount of data were exfiltrated by the attackers. It was not possible to determine if the PHI of any specific patients had been accessed, so notification letters were sent to all patients potentially affected by the attack. The...

Read More
Vice Society Ransomware Gang Attacks United Health Centers of San Joaquin Valley
Sep27

Vice Society Ransomware Gang Attacks United Health Centers of San Joaquin Valley

The Vice Society ransomware gang claims to have conducted a ransomware attack on the California healthcare provider United Health Centers of San Joaquin Valley. United Health Centers operates more than 20 community health centers in Fresno, Kings, and Tulare counties. The Vice Society ransomware gang emerged mid-2021 and is believed to be a spin-off of the HelloKitty ransomware operation. The gang is known to use a variety of methods to gain access to victims networks, including exploiting vulnerabilities such as the PrintNightmare bugs. The gang is known for exfiltrating data from victims’ systems prior to the use of ransomware to encrypt files. Data are then published on its data leak site to pressure victims into paying the ransom. This attack appears to be no exception. Bleeping Computer reports it was notified on August 31, 2021 about the ransomware attack on United Health Centers by a trusted member of the cybersecurity community who said the healthcare provider’s entire network was shut down as a result of the attack. The cyberattack has yet to appear on the HHS’ Office for...

Read More
Email Breaches Reported by Eastern Los Angeles Regional Center & Mercy Grace Private Practice
Sep24

Email Breaches Reported by Eastern Los Angeles Regional Center & Mercy Grace Private Practice

Eastern Los Angeles Regional Center has discovered the email account of an employee has been accessed by an unauthorized individual. Suspicious activity was detected in the email account on July 15, 2021. A password reset was performed to prevent further unauthorized access and an investigation was launched to determine the nature and scope of the breach. It was confirmed that the account was accessed for a limited period of time on July 15, 2021 and that the email account contained the protected health information of 12,921 individuals, including first and last names, Social Security numbers, ELARC-issued client identifier numbers, Tax ID numbers, medical histories, treatment or diagnosis information, and health insurance information. Eastern Los Angeles Regional Center said it found no evidence to suggest any information in the email account was exfiltrated or subjected to actual or attempted misuse. Additional technical safeguards have been implemented to further enhance the security of sensitive information and affected individuals have been offered 12 months of complimentary...

Read More
K and B Surgical Center & Healthpointe Medical Group Notify Patients About Hacking Incidents
Sep24

K and B Surgical Center & Healthpointe Medical Group Notify Patients About Hacking Incidents

K and B Surgical Center in Beverley Hills, CA has discovered an unauthorized individual gained access to its computer network. The security breach was detected on March 30, 2021, with the third-party forensic investigation confirming its network was compromised between March 25 and March 30. Upon discovery of the breach, steps were taken to prevent further unauthorized access and an investigation was launched to determine the extent of the breach. The investigation concluded on April 27, 2021 that the attacker gained access to parts of the network that contained the protected health information of patients. Data mining was performed on the affected servers to determine which types on information had been exposed and the patients that had been affected. K and B Surgical Center said in its September 3, 2021 breach notification letters that it took until July 27 to obtain a finalized list of affected patients. The types of information potentially accessed and/or exfiltrated included the following data elements: Names, addresses, phone numbers, driver’s license numbers,...

Read More
Ransomware Attacks Reported by Family Medical Center of Michigan & Buddhist Tzu Chi Medical Foundation
Sep23

Ransomware Attacks Reported by Family Medical Center of Michigan & Buddhist Tzu Chi Medical Foundation

Temperance, MI-based Family Medical Center of Michigan (FMC) has notified 21,988 patients about a July 2020 ransomware attack in which their protected health information was compromised. FMC said the attack appeared to have been conducted by a cybercriminal gang operating out of Ukraine. The attackers encrypted FMC’s financial files which prevented its employees from accessing patients’ financial information. A ransom demand of $30,000 in cryptocurrency was issued for the digital key to unlock the encrypted files. FMC said it worked with a third-party computer security firm – IDX – to investigate the breach and help secure its digital environment. IDX advised paying the ransom as part of a strategy to determine the scope of the attack. FMC CEO, Ed Larkins said it complied with the demand and paid the ransom a week after the attack occurred. The attackers took two weeks to send the key to decrypt files. The investigation into the attack confirmed only financial information was affected and patient medical records were not compromised in the attack. Patients affected by the attack...

Read More
U.S. Vision Subsidiary Reports Hacking Incident Affecting 180,000 Individuals
Sep22

U.S. Vision Subsidiary Reports Hacking Incident Affecting 180,000 Individuals

The U.S. Vision Inc. subsidiary, USV Optical Inc. has announced unauthorized individuals have gained access to certain servers and systems that contained patients’ protected health information.  The unauthorized access was detected on May 12, 2021, with the subsequent forensic investigation confirming the hackers had access to its systems for almost a month from April 20, 2021 to May 17, 2021, when its systems were secured. Third-party computer forensics specialists are continuing to investigate the breach to determine the full extent and scope of the intrusion but have concluded that unauthorized individuals potentially viewed and exfiltrated patient data in the attack. It has been confirmed that the following types of employee and patient data have been exposed: Names, eyecare insurance information, and eyecare insurance application and/or claims information. A subset of individuals may also have had the following data exposed: Address, date of birth, and/or other individual identifiers. No reports have been received to date of any cases of attempted or actual misuse of personal...

Read More
August 2021 Healthcare Data Breach Report
Sep21

August 2021 Healthcare Data Breach Report

There was a 44% month-over-month decrease in the number of reported healthcare data breaches in August 2021. 38 healthcare data breaches of 500 or more records were reported by healthcare providers, health plans, and their business associates in August. August’s reported data breaches takes the total number of healthcare data breaches in the past 12 months to 707 (Sep 2020 to August 2021), with 440 of those data breaches reported in 2021. While there was a marked fall in the number of reported breaches, 5,120,289 healthcare records were breached across those 38 incidents, which is well above the 12-month average of 3.94 million breached records a month. The high total was largely due to two major ransomware attacks on St. Joseph’s/Candler Health System and University Medical Center Southern Nevada, which involved 2.8 million healthcare records combined. Largest Healthcare Data Breaches Reported in August 2021 Ransomware gangs continued to target the healthcare industry in August. The attacks can cause disruption to care and can put patient safety at risk. Some of the attacks...

Read More
Ransomware Gangs Attack Missouri Delta Medical Center and Barlow Respiratory Hospital
Sep21

Ransomware Gangs Attack Missouri Delta Medical Center and Barlow Respiratory Hospital

Barlow Respiratory Hospital in Los Angeles, CA has announced it has suffered a ransomware attack on August 27, 2021. The attack was conducted by the Vice Society ransomware gang, which gained access to its network and electronic medical record system. Prior to using ransomware to encrypt files, the gang exfiltrated patient data, some of which has been posted on the gang’s dark web data leak site. Barlow Respiratory Hospital said while the attack affected several IT systems, the hospital was able to continue to operate under its emergency procedures and patient care was not interrupted. Upon detection of the security breach, law enforcement agencies were notified and a third-party cybersecurity firm was engaged to assist with the investigation and determine the scope of the data breach. The investigation into the attack is ongoing. While some ransomware operations have said they will not target healthcare providers, Vice Society does not fall into that category. The ransomware operation appeared in June 2021 and has already attacked multiple healthcare providers, including Eskenazi...

Read More
Alaska DHSS Says May 2021 Cyberattack Impacts All Alaskans
Sep21

Alaska DHSS Says May 2021 Cyberattack Impacts All Alaskans

The Alaska Department of Health and Social Services (DHSS) is about to start mailing notification letters to all individuals in the state telling them their personal and health information may have been compromised in a highly sophisticated cyberattack conducted by a nation state threat actor. The cyberattack was detected on May 2, 2021 and the DHSS was notified about the attack on May 5, and was advised to shut down its systems immediately to prevent further unauthorized access. Details of when the hackers first gained access to DHSS systems has not been released, but it is known that Advanced Persistent Threat (APT) actors had access to DHSS systems for at least 3 days. The DHSS has previously reported the security incident and issued an update about the breach in August. The latest update, on September 16, explains the potential impact the attack will have on Alaskans. In the latest update, the DHSS said notifications were delayed so as not to interfere with the criminal investigation into the attack. The cyberattack was extensive and caused major disruption. Some IT systems...

Read More
Hacked Simon Eye Management Email Accounts Contained PHI of More than 144,000 Patients
Sep20

Hacked Simon Eye Management Email Accounts Contained PHI of More than 144,000 Patients

Wilmington, DE-based Simon Eye Management has suffered a breach of its email environment and hackers potentially gained access to the protected health information of 144,373 patients. Simon Eye identified suspicious activity in certain employee email accounts on or around June 8, 2021. Action was immediately taken to secure the accounts and prevent further unauthorized access, and an investigation was launched to determine the nature and scope of the breach. Assisted by third -party security experts, Simon Eye determined that unauthorized individuals gained access to employee email accounts between May 12 and May 18, 2021. The incident was an attempted business email compromise (BEC) attack, where employee email accounts are compromised and used in a scam to trick employees into making fraudulent wire transfers, in this case through the manipulation of invoices. Simon Eye said none of the attackers’ attempts were successful. While gaining access to patient data did not appear to be the goal of the attackers, the email accounts they were able to access did contain patients’...

Read More
Stolen Laptop Contained the PHI of Dignity Health Patients
Sep17

Stolen Laptop Contained the PHI of Dignity Health Patients

Resource Anesthesiology Associates (RAA) of California has started notifying certain patients of Dignity Health’s Mercy Hospital Downtown and Mercy Hospital Southwest that some of their protected health information was stored on a laptop computer that was stolen. RAA of California provides anesthesiology services at the Dignity Health hospitals, which requires access to patient data. On July 8, the laptop was stolen from an RAA of California administrator. The theft was reported to law enforcement, but the device has not been recovered. RAA of California conducted an investigation to determine which patient information was stored on the device and could potentially be accessed. The review confirmed the following types of information were stored on the device: Names, addresses, dates of birth, provider names, dates of service, diagnoses and treatment information, health insurance information, and other information related to patients’ medical care. The laptop computer was protected with a password, which provides a degree of protection against unauthorized access. However, passwords...

Read More
1,738 Patients of Coalinga State Hospitals Notified About Improper Disclosure of PHI
Sep17

1,738 Patients of Coalinga State Hospitals Notified About Improper Disclosure of PHI

The Department of State Hospitals – Coalinga (DSH-C) in California has notified 1,738 patients that some of their protected health information has been impermissibly disclosed by a DSH-C employee. The United States District Court, Eastern District of California had made a request to be provided with DSH-C patient rosters in order to determine whether patients were eligible for a waiver of filing fees when filing a lawsuit. Those rosters were provided to a District Court Clerk by a DSH-C employee. The patient rosters contained information about patients that had not filed a lawsuit, and the rosters contained more information than was required by the District Court Clerk to determine eligibility for a waiver. The disclosure was therefore in violation of the HIPAA Rules. The rosters contained the following data elements: name, case number, birth date, legal commitment, admission date, unit number, and gender. DSH-C said it has no reason to believe the information was used for any reason other than for an eligibility determination for a public benefit provided by the Court. Upon...

Read More
36,500 Patients of Austin Cancer Centers Notified About PHI Exposure
Sep17

36,500 Patients of Austin Cancer Centers Notified About PHI Exposure

Austin Cancer Centers is alerting 36,503 patients about a security incident discovered on August 4, 2021 in which some of their protected health information was exposed. Unauthorized individuals were discovered to have gained access to computer systems and installed malware. To prevent further unauthorized access, computer systems were immediately shut down and law enforcement was notified. Since then, Austin Cancer Centers has worked with cybersecurity experts to learn about the exact nature and scope of the incident. Austin Cancer Centers said the malware has now been removed, systems have been restored and secured, and its facilities are open. The forensic investigation into the security breach confirmed hackers first gained access to its computer systems on July 21, and access remained possible until the breach was discovered on August 4. A comprehensive review was conducted to identify all files on the network that could possibly have been accessed in the attack. Those files were found to contain patient information such as names, addresses, dates of birth, insurance carrier...

Read More
Walgreens Covid-19 Test Registration System Has Been Exposing Patient Data
Sep16

Walgreens Covid-19 Test Registration System Has Been Exposing Patient Data

The personal data of individuals who took a COVID-19 test at a Walgreens pharmacy has been exposed over the Internet due to vulnerabilities in its COVID-19 test registration system. It is currently unclear how many individuals have been affected, although they could well number in the millions given the number of COVID-19 tests Walgreens has performed since April 2020. It is unclear when the vulnerabilities were introduced on the website, but they date back to at least March 2021 when they were discovered by Interstitial Technology PBC consultant Alejandro Ruiz. He identified a security error when a member of his family had a COVID-19 test performed at Walgreens. Ruiz contacted Walgreens to alert them to the data exposure, but claimed the company was not responsive. Ruiz spoke to Recode about the issue, which had the security flaws confirmed by two security experts. Recorde reported the issue to Walgreens, and the company said, “We regularly review and incorporate additional security enhancements when deemed either necessary or appropriate.” However, as of September 13, 2021 the...

Read More
Desert Wells Family Medicine Ransomware Attack Causes Permanent Loss of EHR Data
Sep15

Desert Wells Family Medicine Ransomware Attack Causes Permanent Loss of EHR Data

Queen Creek, AZ-based Desert Wells Family Medicine has started notifying 35,000 patients that their protected health information has been compromised in a recent ransomware attack. The attack occurred on May 21, 2021 and resulted in the encryption of data, including its electronic health record (EHR) system. All data had been backed up prior to the attack, but in addition to encrypting files, the attacker corrupted backup files which means all data contained in its EHR system prior to May 21 cannot be recovered. The types of data in the system, which may also have been obtained by the hackers in the incident, included patient names, addresses, dates of birth, billing account numbers, Social Security numbers, medical record numbers, and treatment information. Desert Wells said it has not found any evidence that suggests there has been any attempted or actual misuse of patient data, and the third-party computer forensics investigators found no evidence that patient data had been exfiltrated prior to file encryption, although it was not possible to rule out data theft with a high...

Read More
HealthReach Community Health Centers Reports Improper Disposal Incident Affecting Almost 117,000 Patients
Sep15

HealthReach Community Health Centers Reports Improper Disposal Incident Affecting Almost 117,000 Patients

The protected health information (PHI) of 116,898 patients of Waterville, MA-based HealthReach Community Health Centers has been potentially compromised in a third-party data breach. HealthReach Community Health Centers, which operates 11 community health centers in Central and Western Maine, discovered a worker at a third-party data storage facility had improperly disposed of hard drives that contained the data of patients. Under HIPAA, all electronic devices that contain PHI must be disposed of in a manner that ensures data on the devices cannot be read or reconstructed. This typically involves clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field), or destroying the media via disintegration, pulverization, melting, incineration, or shredding. In a data breach notice sent to the Maine Attorney General, HealthReach said patient data had been exposed on April 7 and it was notified about the improper disposal incident on May 7.  Upon discovery of the incident, HealthReach...

Read More
Jackson Health Investigating Nurse Social Media HIPAA Violation
Sep14

Jackson Health Investigating Nurse Social Media HIPAA Violation

Jackson Health has launched an investigation into a nurse social media violation after photographs of a baby with a birth defect were posted on Facebook. A nurse who worked in the neonatal intensive care unit at Jackson Memorial Hospital posted two photographs on Facebook of a baby with gastroschisis – a rare birth defect of the abdominal wall that can cause the intestines to protrude from the body. The photos were accompanied with the captions, “My night was going great then boom!” and “Your intestines posed (sic) to be inside not outside baby! #gastroschisis.” The disturbing images were posted on accounts belonging to Sierra Samuels. The posting of images of patients on social media without first obtaining authorization is a serious breach of patient privacy. Photographs of patients are classed as protected health information and posting images on social media platforms, even in closed Facebook groups, is a violation of the Health Insurance Portability and Accountability Act (HIPAA) unless prior authorization is obtained from the patient. HIPAA requires healthcare providers to...

Read More
OCR Announces 20th Financial Penalty Under HIPAA Right of Access Enforcement Initiative
Sep13

OCR Announces 20th Financial Penalty Under HIPAA Right of Access Enforcement Initiative

The Department of Health and Human Services’ Office for Civil Rights (OCR) has imposed its 20th financial penalty under the HIPAA Right of Access enforcement initiative that was launched in late 2019. Children’s Hospital & Medical Center (CHMC), a pediatric care provider in Omaha, Nebraska, has been ordered to pay a penalty of $80,000 to resolve the alleged HIPAA Right of Access violation, is required to adopt a corrective action plan to address the noncompliance discovered by OCR, and will be monitored for compliance by OCR for a period of one year. The Privacy Rule of the Health Insurance Portability and Accountability Act gave individuals the right to obtain a copy of their protected health information held by a HIPAA covered entity, and for parents and legal guardians to obtain a copy of the medical records of their minor children. HIPAA covered entities must provide the requested records within 30 days and are only permitted to charge a reasonable cost-based fee for providing copies. In certain circumstances, covered entities can apply for a 30-day extension, making...

Read More
Philadelphia Mental Health Service Provider Breach Affects 29,000 Patients
Sep10

Philadelphia Mental Health Service Provider Breach Affects 29,000 Patients

The Wedge Recovery Centers, a mental health service provider based in Philadelphia, Pennsylvania, discovered suspicious activity within the computer network on June 25, 2021 which indicated unauthorized individuals had breached the security defenses. Steps were immediately taken to block further access and an investigation was launched to determine the nature and scope of the breach. The investigation confirmed an unauthorized actor had gained access to its network on June 25, 2021; however, no evidence was uncovered during the course of the investigation to suggest any individual’s information had been subjected to actual or attempted misuse as a result of the security breach. A comprehensive review was conducted of all data potentially affected and that process is ongoing; however, it has now been confirmed that the following types of information were stored in files on parts of the network that were compromised: Name, address, date of birth, Social Security number, and treatment and health insurance information. The Wedge Recovery Centers have implemented additional technical...

Read More
TX: Denton County Discovers COVID-19 Application Leaked Data of 346,000 Individuals
Sep09

TX: Denton County Discovers COVID-19 Application Leaked Data of 346,000 Individuals

Denton County in Texas has discovered a vulnerability in a third-party provider application used in connection with individuals’ personal health information has potentially been exploited by unauthorized individuals. The application was used at COVID-19 vaccination clinics in the County, and contained information such as names, dates of birth, email addresses, phone numbers, and COVID-19 vaccination information. The vulnerability, discovered by Denton County officials on July 7, 2021, meant the information in the application database was accessible by anonymous users. When the flaw was discovered, the application was immediately shut down and an investigation was launched to determine the extent of the issue and whether any unauthorized individuals had exploited the flaw to gain access to sensitive data. Denton County confirmed that an error had been made configuring the application which exposed data to unauthorized individuals. While no evidence was found to indicate any actual or attempted misuse of individuals’ protected health information, it was not possible to rule out...

Read More
Data Breaches at Business Associates Affect LifeLong Medical Care & Beaumont Health Patients
Sep07

Data Breaches at Business Associates Affect LifeLong Medical Care & Beaumont Health Patients

LifeLong Medical Care, a Californian healthcare provider serving patients in Alameda, Contra Costa, and Marin Counties, has notified certain patients whose protected health information was impacted in a ransomware attack on the third-party vendor Netgain Technologies. The breach has been reported to the HHS’ Office for Civil Rights as involving the PHI of 115,448 patients. Netgain Technologies discovered a security breach on November 24, 2020 involving ransomware. An internal investigation into the breach determined on February 25, 2021 that the attackers had accessed and obtained files containing the information of its customers. The attackers first breached its systems on November 15, 2020. LifeLong Medical Care said it launched a comprehensive investigation into the breach and discovered on August 9, 2021 that the personal and protected health information of patients was accessed and/or exfiltrated from Netgain’s network. Affected patients had their full name compromised along with one or more of the following data elements: Social Security number, date of birth, patient...

Read More
CareATC Email Accounts Accessed by Unauthorized Individuals
Sep03

CareATC Email Accounts Accessed by Unauthorized Individuals

CareATC, a Tulsa, OK-based population health management company, has discovered the email accounts of two employees have been accessed by unauthorized individuals, who potentially gained access to the personal information of patients and employees. CareATC launched an investigation on June 29, 2021 when suspicious activity was detected in the email account of an employee. Third-party forensics specialists were engaged to assist with the investigation and determine the extent and scope of the security breach. That investigation revealed a second email account had also been compromised, with the two email accounts subject to unauthorized access between June 18 and June 29, 2021. Upon discovery of the compromised email accounts steps were taken to block any further unauthorized access, and a comprehensive review was conducted to determine which patient data had been exposed. The review was completed around August 11, 2021. For the majority of affected individuals – which include patients, employees, and dependents of patients and employees – the information in the compromised email...

Read More
Outpatient Facilities Targeted by Cyber Actors More Frequently Than Hospitals
Sep01

Outpatient Facilities Targeted by Cyber Actors More Frequently Than Hospitals

A new analysis of breach reports submitted to the Department of Health and Human Services’ Office for Civil Rights has revealed outpatient facilities and specialty clinics have been targeted by cyber threat actors more frequently than hospital systems in the first 6 months of 2021. Researchers at Critical Insight explained in their 2021 Healthcare Data Breach Report that cybercriminals have changed their targets within the healthcare ecosystem and are now focusing on outpatient facilities and business associates more often than hospitals and health insurers. While large health systems are naturally attractive targets for cybercriminals, smaller healthcare organizations tend to have weaker security defenses and can be attacked more easily and are low hanging fruit for hackers. The potential profits from the attacks may be lower, but so too is the effort to gain access to their networks and sensitive data. “It is no secret as to why hackers are showing interest. Electronic protected health information (ePHI) is worth more than a credit card number or social security number. Scammers...

Read More
655,000 DuPage Medical Group Patients Notified About PHI Breach
Sep01

655,000 DuPage Medical Group Patients Notified About PHI Breach

DuPage Medical Group, the largest independent physician group in the state of Illinois, has started notifying 655,384 patients about a security breach in which their personal and protected health information may have been compromised. DuPage Medical Group identified suspicious activity in its computer network on July 13, 2021 and engaged cyber forensic specialists to conduct an investigation to determine the full nature and scope of the breach. They determined unauthorized actors had gained access to its IT systems on July 12 and access remained possible until the breach was detected on July 13 and its network was secured. A comprehensive review was conducted of all files on the systems that were accessible to the hackers and, on August 17, 2021, DuPage Medical Group confirmed that files containing patient information had potentially been impacted. The types of information potentially compromised in the security breach varied from patient to patient and may have included the following data elements: Names, address­es, dates of birth, diag­no­sis codes, Cur­rent Pro­ce­dur­al...

Read More
San Andreas Regional Center Victim of Ransomware Attack
Aug30

San Andreas Regional Center Victim of Ransomware Attack

San Andreas Regional Center in San Jose, CA has started notifying patients that their PHI may have been compromised in a July 2021 ransomware attack. On July 5, its networks and servers were taken out of action as a result of the attack. Steps were rapidly taken to remediate the attack and third-party computer forensics experts were engaged to investigate the breach, determine how access to its systems was gained, and to discover the extent to which patient data had been affected. The initial investigation into the ransomware attack was concluded on August 2, 2021, when it was confirmed that the attackers had gained access to parts of the network where patients’ protected health information was stored and certain files stored on its servers that contained patient data had been exfiltrated by the attackers prior to the use of ransomware. It was not possible to determine any specific patient information that was stolen by the attackers. At the time of issuing notification letters to affected patients, San Andreas Regional Center had not identified any instances of attempted or actual...

Read More
48,000 Individuals Affected by Ransomware Attack on CarePointe ENT
Aug27

48,000 Individuals Affected by Ransomware Attack on CarePointe ENT

The Merrillville, IN-based ear, nose, and throat specialist, CarePointe ENT, has announced it suffered a ransomware attack on June 25, 2021 which resulted in the encryption of files on its network. Some of the files encrypted in the attack are known to include the personal and protected health information of its patients. It is common in ransomware attacks for sensitive data to be exfiltrated prior to the use of ransomware to encrypt files. The main purpose of data exfiltration is to pressure victims into paying the ransom. CarePointe said it believes the attack was conduced with the sole purpose of extorting money from the practice, not to steal patient data. No reports have been received which suggest any patient data have been misused as a result of the cyberattack, although after thoroughly investigating the attack it was not possible to rule out the possibility that patient data had been viewed by the attackers. CarePointe said it has taken steps to reduce the likelihood of further cyberattacks, with the additional measures implemented including enhanced its threat detection...

Read More
PHI of 9,800 Patients of Atlanta Allergy & Asthma Exposed in Cyberattack
Aug27

PHI of 9,800 Patients of Atlanta Allergy & Asthma Exposed in Cyberattack

Atlanta Allergy & Asthma has started notifying 9,851 patients about a January 2021 cyberattack in which their protected health information was exposed and potentially compromised. Atlanta Allergy & Asthma said its investigation into the breach determined hackers had access to its network between January 5 and January 13, 2021. Upon discovery of the breach, steps were immediately taken to kick the unauthorized individuals out of its network and mitigate against any potential harm. Atlanta Allergy & Asthma engaged third party cybersecurity professionals to determine the nature and scope of the breach, with the investigation confirming the attackers had access to parts of the network where documentation was stored that included protected health information. A comprehensive review was conducted of those documents. Atlanta Allergy & Asthma said it was confirmed on July 8, 2021 that the following types of information had potentially been compromised: Names, dates of birth, Social Security numbers, financial account numbers and/or routing numbers, diagnoses, treatment...

Read More
Metro Infectious Disease Consultants Reports 172,000-Record Data Breach
Aug26

Metro Infectious Disease Consultants Reports 172,000-Record Data Breach

Metro Infectious Disease Consultants is notifying 171,740 patients about an email security incident discovered on June 24, 2021. An unauthorized individual was found to have gained access to certain employees’ email accounts which contained the protected health information of patients. Upon discovery of the security breach, steps were immediately taken to secure the accounts to prevent further access and Metro Infectious Disease Consultants engaged a computer forensics firm to determine the extent and scope of the breach. The investigation confirmed the breach was confined to its email environment and that the compromised email accounts contained patient data such as names, addresses, dates of birth, account numbers, insurance information, prescription information, limited clinical information, Social Security numbers, and driver’s license numbers. The types of data in the account varied from individual to individual. Metro Infectious Disease Consultants has sent notification letters to all individuals affected by the breach and complimentary credit monitoring and identity theft...

Read More
South Florida Community Care Plan Notifies Patients About Insider Email Breach
Aug25

South Florida Community Care Plan Notifies Patients About Insider Email Breach

South Florida Community Care Plan has discovered a former employee sent internal documents containing the protected health information of plan members to a personal email account. The breach was discovered on June 21, 2021 during a review of the former employee’s email account. An investigation was launched into the unauthorized activity which determined on June 21, 2021 that the documents contained the following types of plan member information: Names, addresses, dates of birth, member identification numbers, primary care physician names, diagnoses, procedure billing codes, approved services, and/or procedure types. The sending of plan members’ information to personal email accounts is a violation of South Florida Community Care Plan policies; however, no evidence was found to indicate the information was sent outside the scope of the former employee’s employment. South Florida Community Care Plan said data security is one of its top priorities and steps were taken to prevent unauthorized data access and exfiltration. The employee’s email and login credentials were revoked at the...

Read More
Revere Health Phishing Attack Impacts 12,000 Patients
Aug25

Revere Health Phishing Attack Impacts 12,000 Patients

The U.S. Agency for International Development (USAID) was impersonated in phishing campaign that has resulted in the exposure of the protected health information of approximately 12,000 patients of the Utah healthcare provider Revere Health. The phishing attack was rapidly detected by the revere Health IT team, which quickly secured the mailbox to block unauthorized access. According to a breach notice published by Revere Health, the mailbox was only compromised for around 45 minutes on June 21, 2021. An investigation was launched into the breach to determine whether any information in the email account was viewed or downloaded. While it was not possible to tell whether emails in the account were accessed or exfiltrated, Revere Health said it has monitored the Internet and has found no instances of patient data being shared online. A review of emails and email attachments confirmed they contained the protected health information of patients of the Heart of Dixie Cardiology Department in St. George, which included medical record numbers, dates of birth, provider names, procedures,...

Read More
California DOJ Must Be Notified About Breaches of the Health Data of 500 or More California Residents
Aug25

California DOJ Must Be Notified About Breaches of the Health Data of 500 or More California Residents

The Breach Notification Rule of the Health Insurance Portability and Accountability Act (HIPAA) requires covered entities and business associates to send notifications to the HHS’ Office for Civil Rights (OCR) about data breaches and healthcare organizations are also required to comply with state data breach notification laws. Many states have introduced their own data privacy laws, which typically require notifications to be sent to appropriate state Attorneys General if a data breach exceeds a certain threshold. States have the authority to bring civil actions against healthcare organizations that fail to issue breach notifications under both HIPAA and state laws. In California, the threshold for reporting breaches is in line with HIPAA. If a data breach is experienced that impacts 500 or more California residents, the California Department of Justice (DOJ) must be notified. Recently, there have been several instances where the California DOJ has not been notified about ransomware attacks on California healthcare facilities, even though the personal and protected health...

Read More
July 2021 Healthcare Data Breach Report
Aug23

July 2021 Healthcare Data Breach Report

High numbers of healthcare data breaches continued to be reported by HIPAA-covered entities and their business associates. In July, there were 70 reported data breaches of 500 or more records, making it the fifth consecutive month where data breaches have been reported at a rate of 2 or more per day. The number of breaches was slightly lower than June, but the number of records exposed or compromised in those breaches jumped sharply, increasing by 331.5% month-over-month to 5,570,662 records. Over the past 12 months, from the start of August 2020 to the end of July 2021, there have been 706 reported healthcare data breaches of 500 or more records and the healthcare data of 44,369,781 individuals has been exposed or compromised. That’s an average of 58.8 data breaches and around 3.70 million records per month! Largest Healthcare Data Breaches in July 2021 Two healthcare data breaches stand out due to the sheer number of healthcare records that were exposed – and potentially stolen. The largest healthcare data breach to be reported in July was a hacking/IT incident reported by the...

Read More
HVAC Vendor Allegedly Hacked: Access Gained to Hospital Systems
Aug23

HVAC Vendor Allegedly Hacked: Access Gained to Hospital Systems

In early August, a hacker made contact with Dissent of DataBreaches.net and claimed to have hacked into the systems of a HVAC vendor. Through that vendor the hacker claimed to have gained access to the networks of its clients, one of which was Boston Children’s Hospital. The company in question is Canton, MA-based ENE Systems. DataBreaches.net reported in a recent blog post that the hacker had attempted to extort money from the HVAC vendor but the ransom was not paid. The hacker still claimed to have access to the network of ENE Systems and those of its clients and told Dissent that he/she was not interested in causing harm to the hospital. DataBreaches.net was asked to reach out to the hospital and make it clear that its network had been breached through the HVAC vendor, in case the vendor had not communicated the breach to the hospital. DataBreaches.net was provided with screenshots as proof of the hack. While it was not confirmed whether the networks of other hospitals had been breached, ENE systems lists Brigham & Women’s Hospital and Mass General Hospital as its clients on...

Read More
Contact Tracing Survey Data of 750,000 Hoosiers Exposed Online
Aug19

Contact Tracing Survey Data of 750,000 Hoosiers Exposed Online

The personal information of 750,000 Hoosiers collected as part of a COVID-19 contact tracing survey conducted by the Indiana Department of Health has been exposed online and downloaded by a company not authorized to access the data. The survey included information such as names, addresses, dates of birth, emails, and information on gender, ethnicity and race. The Indiana Department of Health was notified about the unauthorized access on July 2, 2021 and immediately took steps to secure the data to prevent further unauthorized access. According to Tracy Barnes, the Chief Information Officer of the state of Indiana, the company that accessed and downloaded the data was a firm “that intentionally looks for software vulnerabilities, then reaches out to seek business.” Last week, the Indiana Department of Health obtained a signed “certificate of destruction” from the company confirming the downloaded data had been permanently destroyed and that no further copies of the data had been retained. The company also confirmed the downloaded data had not been disclosed to any other company or...

Read More
1.4 Million Individuals Affected by St. Joseph’s/Candler Ransomware Attack
Aug19

1.4 Million Individuals Affected by St. Joseph’s/Candler Ransomware Attack

Around 4 a.m. on Thursday June 17, 2021, St. Joseph’s/Candler (SJ/C) hospital system in Savannah, GA suffered a ransomware attack. Upon detection of suspicious network activity, SJ/C immediately took steps to isolate and secure its systems. The attack prevented access to computer systems and emergency protocols were implemented, with staff reverting to pen and paper to record patient data. SJ/C notified law enforcement about the security breach and launched an investigation. Assisted by third party cybersecurity firms, SJ/C determined the hackers first gained access to its systems on December 18, 2020 and continued to have access to those systems until June 17, 2021, when the ransomware was deployed. “Patient care operations continue at our facilities using established back-up processes and other downtime procedures,” explained SJ/C in a statement shortly after the attack was detected. “Our physicians, nurses and staff are trained to provide care in these types of situations and are committed to doing everything they can to mitigate disruption and provide uninterrupted care to our...

Read More
Scripps Health Ransomware Attack Cost Increases to Almost $113 Million
Aug18

Scripps Health Ransomware Attack Cost Increases to Almost $113 Million

Ransomware attacks on hospitals can cause huge financial losses, as the Ryuk ransomware attack on Universal Health Services showed. UHS is one of the largest healthcare providers in the United States, and operates 26 acute care hospitals, 330 behavioral health facilities, and 41 outpatient facilities. UHS said in March 2021 that the September 2020 ransomware attack resulted in $67 million in pre-tax losses due the cost of remediation, loss of acute care services, and other expenses incurred due to the attack. While the losses suffered by UHS were significant, the ransomware attack on Scripps Health has proven to be far more expensive. Scripps Health is a California-based nonprofit operator of 5 hospitals and 19 outpatient facilities in the state. In the May 2021 ransomware attack, Scripps Health lost access to information systems at two of its hospitals, staff couldn’t access the electronic medical record system, and its offsite backup servers were also affected. Without access to critical IT systems, Scripps Health was forced to re-route stroke and heart attack patients from four...

Read More
Cyberattack Forces Memorial Health System to Divert Patients to Alternate Hospitals
Aug17

Cyberattack Forces Memorial Health System to Divert Patients to Alternate Hospitals

Marietta, OH-based Memorial Health System has been forced to divert emergency care patients due to a suspected ransomware attack. The cyberattack occurred in the early hours of Sunday morning, with the health system forced to shut down IT systems to contain the attack. Emergency protocols were implemented due to the lack of access to essential IT systems, and the staff has been working with paper charts. Memorial Health System operates three hospitals in Ohio and West Virginia, all of which have been affected by the attack. Since electronic health records were not accessible, patient safety was potentially put at risk, so the decision was taken to divert emergency patents. “We will continue to accept: STEMI, STROKE and TRAUMA patients at Marietta Memorial Hospital. Belpre and Selby are on diversion for all patients due to radiology availability. It is in the best interest of all other patients to be taken to the nearest accepting facility,” according to an August 15 press release. “If all area hospitals on are diversion, patients will be transported to the emergency department...

Read More
PHI of 47,000 Individuals Potentially Compromised in Electromed Inc. Data Breach
Aug17

PHI of 47,000 Individuals Potentially Compromised in Electromed Inc. Data Breach

Electromed Inc., a New Prague, MN-based developer and manufacturer of airway clearance devices, has announced it suffered a security breach in June 2021 in which unauthorized individuals gained access to certain IT systems. Electromed said unauthorized activity was detected in its IT systems on June 16, 2021 and steps were immediately taken to prevent further unauthorized access. An investigation was launched to determine the source and scope of the breach and third-party cybersecurity experts were engaged to assist with the investigation. Electromed determined the unauthorized third party accessed certain files that contained the personal and protected health information of its customers, as well as information of its employees and certain third-party contractors.  A comprehensive review was conducted of all files on the affected systems, which revealed they contained customers’ first and last names, mailing addresses, medical information, health insurance information and, for associates, Social Security numbers, driver’s license numbers, and financial account information. While...

Read More
UNM Health Data Breach Affects More than 637,000 Patients
Aug17

UNM Health Data Breach Affects More than 637,000 Patients

UNM Health has discovered an unauthorized third party gained access to its network and potentially viewed and exfiltrated files from its systems that contained patients’ protected health information. The security breach was discovered on June 4, 2021 and an investigation was immediately launched to determine the extent and scope of the breach. UNM Health determined its systems were accessed by the unauthorized third-party on May 2, 2021 and files containing the protected health information of its patients, including those of UNM Hospital, UNM Medical Group, Inc., and UNM Sandoval Regional Medical Center Inc. were potentially compromised. A comprehensive review of all files on the compromised parts of its network was conducted and it was confirmed they contained information such as names, addresses, dates of birth, medical record numbers, patient identification numbers, health insurance information, and some clinical information related to the healthcare services provided by UNM Health. The Social Security numbers of a limited number of patients were also potentially compromised in...

Read More
PHI of Employees Compromised in Cyberattack on Waste Management Firm
Aug16

PHI of Employees Compromised in Cyberattack on Waste Management Firm

USA Waste-Management Resources, LLC has started notifying certain employees, former employees, and dependents covered by its self-administered health plan that some of their personal and protected health information was compromised in a January 2021 cyberattack. Waste-Management Resources said suspicious activity was detected in its IT systems on January 21, 2021. An investigation was launched and, assisted by third party computer forensics specialists, Waste-Management Resources confirmed that an unauthorized individual had accessed its systems between January 21 and January 23, 2021 and that certain files were accessed and stolen in the attack. An extensive review was conducted to determine if any files stored on the compromised parts of its network contained any sensitive information. That process was completed on June 21, 2021. The review confirmed the following types of information had been exposed and have potentially been compromised: Names, Social Security numbers, taxpayer identification numbers, government ID numbers, state ID numbers, driver’s license numbers,...

Read More
University Medical Center of Southern Nevada Confirms PHI Compromised in June Cyberattack
Aug13

University Medical Center of Southern Nevada Confirms PHI Compromised in June Cyberattack

University Medical Center of Southern Nevada (UMC) has issued an update on a cyberattack it experienced in June 2021 and has now confirmed that some patient information was compromised in the attack. The cyberattack occurred on June 14, 2021 and was conducted by a “by a well-known group of cybercriminals that seek to use the information for commercial gain,” according to a July 29, 201 UMC press release. UMC explained that suspicious activity was detected within its IT environment and prompt action was taken to remove the attackers from its network. UMC said the breach was contained the on June 15, with the initial investigation suggesting the attackers had gained access to certain file servers; however, the prompt action taken by its IT Division meant there was no disruption to patient care or its clinical systems. Initially, UMC said it had no reason to believe any clinical systems were accessed by the attackers, although the investigation into the cyberattack was ongoing to establish the nature and scope of the cyberattack. The forensic investigation has now confirmed that...

Read More
Email Account Breaches Reported by A2Z Diagnostics and Vision for Hope
Aug11

Email Account Breaches Reported by A2Z Diagnostics and Vision for Hope

The New Jersey specialist diagnostic testing laboratory A2Z Diagnostics has started notifying patients that some of their protected health information was contained in employee email accounts that were accessed by unauthorized individuals. Upon discovery of the breach, email accounts were immediately secured and third-party cybersecurity consultants were engaged to investigate the breach and determine whether any emails or attachments had been accessed or obtained in the attack. A2Z Diagnostics learned on June 28, 2021 that the compromised accounts were breached between February 2, 2021 and April 2, 2021, and some of the accounts contained the personal and protected health information of individuals who had tests performed at its laboratory; however, no evidence was found that suggested any emails had actually been viewed or stolen in the attack. The types of information in the accounts varied from individual to individual and may have included full names in combination with one or more of the following types of information:  Social Security number, date of birth, driver’s...

Read More
Long Island Jewish Forest Hills Hospital Notifies Patients About Insider Breach
Aug09

Long Island Jewish Forest Hills Hospital Notifies Patients About Insider Breach

Long Island Jewish Forest Hills Hospital (LIJFH) has started notifying 10,333 patients about an insider data breach involving their medical records. LIJFH explained in its breach notification letters that an unauthorized medical record access incident came to light around January 24, 2020. LIJFH had been issued with a subpoena for documents in connection with a law enforcement investigation into a “No Fault” motor vehicle accident insurance scheme that referenced an LIJFH employee. A review was conducted of access logs relating to its medical record system and it was determined that the now former employee had improperly accessed the medical records of patients. While no evidence was found to indicate any patient information had been misused, or that the former employee was in any way involved in the insurance scheme, the decision was taken to issue notification letters. Notification letters were sent to all patients whose medical records had been accessed by the former employee during the period that the individual had access to patients’ medical records, irrespective of whether...

Read More
Dynamic Health Care Malware Attack Affects Multiple Nursing and Rehabilitation Facilities in Illinois
Aug09

Dynamic Health Care Malware Attack Affects Multiple Nursing and Rehabilitation Facilities in Illinois

Patients and staff members at several nursing and rehabilitation facilities in Illinois are being notified that some of their protected health information has potentially been compromised in a cyberattack on Dynamic Health Care, Inc. Dynamic Health Care provides consulting, administrative, and back office services to nursing and rehabilitation facilities in Illinois that require access to certain staff and patient data. On November 8, 2020, Dynamic Health Care discovered malware had been installed on certain computers within its network. An investigation was launched into the malware incident to determine the full nature and scope of the incident. Dynamic Health Care confirmed an unauthorized individual had accessed its network on or around November 8, 2020 and on January 7, 2021, it was determined that during the time that access to the network was possible, the attacker potentially viewed or acquired information about staff and nursing home residents at facilities including Woodbridge Nursing Pavilion, Waterfront Terrace, Bridgeview Health Care Center, Willow Crest Nursing...

Read More
NCH Corporation and Others Announce Data Breaches
Aug06

NCH Corporation and Others Announce Data Breaches

Irving, TX-based NCH Corporation, an international marketer of maintenance products, has reported a suspected ransomware attack. Suspicious network activity was detected within its systems on March 5, 2021, “that caused certain systems in its network to become unavailable.” Steps were taken to block further unauthorized access and restore its systems. The investigation revealed the attackers had access to certain parts of its network between March 2 and March 5, 2021 and during that time there was unauthorized access to certain files stored on its file servers. It was not possible to tell which files had been accessed, so notifications have been sent to all individuals whose information was potentially compromised. The review of the files was completed on June 29, 2021. The files contained the names of certain current and former employees and their dependents, along with Social Security numbers and driver’s license numbers. Notification letters were sent on July 29, 2021 and affected individuals have been offered complimentary credit monitoring and identity theft protection...

Read More
Gastroenterology Consultants Notifies Patients About January 2021 Ransomware Attack
Aug06

Gastroenterology Consultants Notifies Patients About January 2021 Ransomware Attack

On January 10, 2021, Gastroenterology Consultants, PA suffered a ransomware attack that resulted in the encryption of sensitive data.  Yesterday, notifications were sent to patients potentially affected by the attack to inform them that their protected health information may have been accessed or compromised in the attack. Gastroenterology Consultants, the largest partnership GI practice in Houston, TX, launched an investigation into the attack and took steps to remove the attackers from its network and restore affected data. A substitute breach notice was uploaded to the company website on March 19, 2021 advising patients about the attack. No evidence was found to indicate any patient data were accessed by the attacker or exfiltrated in the attack. Attacks such as this typically warrant breach notification letters, as while evidence of data theft may not be found, it is usually not possible to rule out unauthorized access to PHI with a high degree of certainty. In this case, Rather than identify the individual patients affected by the attack, the decision was taken to notify all...

Read More
UF Health Says PHI Potentially Compromised in May 2021 Cyberattack
Aug05

UF Health Says PHI Potentially Compromised in May 2021 Cyberattack

On May 31, 2021, UF Health Central Florida experienced a cyberattack that affected Leesburg Hospital and The Villages Hospital. The security breach was announced by UF Health within a few hours of the attack being detected, although at the time it was unclear whether any patient data had been compromised in the incident. An investigation into the breach was conducted which determined the attackers had access to its computer network between May 29 and May 31, 2021, and while unauthorized access to patient data was not confirmed, UF Health has now reported that some patient data may have been accessible. The exposed data included names, addresses, dates of birth, Social Security numbers, health insurance information, medical record numbers and patient account numbers, and limited treatment information. UF Health said its electronic medical records were not involved or accessed, and the breach did not affect its Gainesville or Jacksonville campuses. UF Health said it has no reason to believe any exposed data has been misused or disclosed; however, as a precaution against identity...

Read More
73% of Businesses Suffered a Data Breach Linked to a Phishing Attack in the Past 12 Months
Aug05

73% of Businesses Suffered a Data Breach Linked to a Phishing Attack in the Past 12 Months

Ransomware attacks have increased significantly during the past year, but phishing attacks continue to cause problems for businesses, according to a recent survey conducted by Arlington Research on behalf of security firm Egress. Almost three quarters (73%) of surveyed businesses said they had experienced a phishing related data breach in the past 12 months. The survey for the 2021 Insider Data Breach Report was conducted on 500 IT leaders and 3,000 employees in the United States and United Kingdom. The survey revealed 74% of organizations had experienced a data breach as a result of employees breaking the rules, something that has not been helped by the pandemic when many employees have been working remotely. More than half (53%) of IT leaders said remote work had increased risk, with 53% reporting an increase in phishing incidents in the past year. The increased risk from remote working is of concern, especially as many organizations plan to continue to support remote working or adopt a hybrid working model in the future. 50% of IT leaders believe remote/hybrid working will make...

Read More
Healthcare Industry has Highest Number of Reported Data Breaches in 2021
Aug05

Healthcare Industry has Highest Number of Reported Data Breaches in 2021

Data breaches declined by 24% globally in the first 6 months of 2021, although breaches in the United States increased by 1.5% in that period according to the 2021 Mid-Year Data Breach QuickView Report from Risk-Based Security. Risk Based Security identified 1,767 publicly reported breaches between January 1, 2021 and June 30, 2021. Across those breaches, 18.8 billion records were exposed, which represents a 32% decline from the first 6 months of 2020 when 27.8 billion records were exposed. 85% of the exposed records in the first half of 2021 occurred in just one breach at the Forex trading service FBS Markets. The report confirms the healthcare industry continues to be targeted by cyber threat actors, with the industry having reported more data breaches than any other industry sector this year. Healthcare has been the most targeted industry or has been close to the top since at least 2017 and it does not appear that trend will be reversed any time soon. 238 healthcare data breaches were reported in the first 6 months of 2021, with finance & insurance the next most attacked...

Read More
Phishing Attacks Reported by Academic HealthPlans and Wayne County Hospital
Aug04

Phishing Attacks Reported by Academic HealthPlans and Wayne County Hospital

Academic HealthPlans, Inc. (AHP) has discovered an unauthorized individual has gained access to the email accounts of two employees following responses to phishing emails. AHP was alerted to a potential breach when suspicious activity was detected in its Microsoft Office 365 email environment. The affected accounts were secured, and an investigation was launched to determine the extent of the breach. On June 4, 2021, AHP determined that the email accounts were compromised as a result of phishing attacks between August 6, 2020 and August 24, 2020, and on October 2, 2020. The breach was limited to those two accounts and did not involve any other systems. A comprehensive and time-consuming programmatic and manual review was conducted to identify the individuals and information affected. That review confirmed that the email accounts contained information related to the student health plans AHP administers. The exposed data include student names, dates of birth, Social Security numbers, health insurance member numbers, claims information, and diagnoses and treatment information. No...

Read More
Guidehouse Reports Breach Affecting Multiple Healthcare Provider Clients
Aug04

Guidehouse Reports Breach Affecting Multiple Healthcare Provider Clients

Ventura, CA-based Community Memorial Health System, Ithaca, NY-based Cayuga Medical Center, and Allentown, PA-based Lehigh Valley Health Network have been affected by a cyberattack at a vendor used by one a business associate. The three healthcare providers used Guidehouse for medical billing and collection services. On January 20, 2021, hackers gained access to the Accellion File Transfer Appliance (FTA) used by Guidehouse for transferring files to clients. For patients of Community Memorial Health System the files included sensitive patient information such as names, dates of birth, member ID addresses, and certain medical information. For Cayuga Medical Center patients, names, dates of birth, insurance account numbers, and certain medical information were potentially compromised. For Lehigh Valley Health Network, the potentially compromised data include names, medical record numbers, account numbers, dates of service, diagnosis and procedure names, billing or payer information and provider names. Guidehouse was notified about the cyberattack by Accellion in March 2021 and...

Read More
Email Account Breaches Reported by Prestera Center and Wisconsin Institute of Urology
Aug03

Email Account Breaches Reported by Prestera Center and Wisconsin Institute of Urology

Prestera Mental Health Center in West Virginia has started notifying 2,152 individuals about a security breach involving employee email accounts. On or around April 1, 2021, Prestera Center learned that certain employee email accounts had been subjected to unauthorized access between August 2020 and September 2020. While it was possible to confirm that there had been unauthorized access, it was not possible to tell whether any patient data had been viewed or acquired. A review was conducted to determine the types of information that were present in the email accounts and which individuals had been affected. The types of data in the account varied from individual to individual and may have included names, addresses, dates of birth, state identification card numbers, Social Security numbers, financial account information, medical information, and health insurance information. Upon discovery of the breach, prompt action was taken to secure the accounts to prevent any further unauthorized access. Policies and procedures have since been reviewed and updated, and additional safeguards...

Read More
Star Refining & Express MRI Report Phishing Attacks
Aug02

Star Refining & Express MRI Report Phishing Attacks

The Peachtree Corners, GA-based medical imaging center, Express MRI, has started notifying patients that some of their protected health information has been exposed in a historic data breach. Express MRI discovered on July 10, 2020 that an unauthorized individual had gained access to one of its email accounts and used that account to send unauthorized emails. The incident was investigated at the time, but it was determined that no patient information had been accessed. A secondary review of the security breach was conducted on June 10, 2021, and while no specific evidence was uncovered that indicated there had been unauthorized data access or data theft, Express MRI concluded that it was not actually possible to totally rule out unauthorized data access or exfiltration, therefore breach notification letters were warranted. A review of the compromised account confirmed the following information may have been accessed or acquired: Names, addresses, email addresses, dates of birth, patient ages, referring physician names, body part scanned, and whether the scan was related to a...

Read More
Harris County, TX: PHI of 26,000 Individuals Exposed Online
Aug02

Harris County, TX: PHI of 26,000 Individuals Exposed Online

Harris County in Texas has discovered the personal and health information of thousands of individuals has been exposed online and was potentially accessed by unauthorized individuals. Under Harris County’s legally required reporting obligations, information is provided to the Harris County Justice Administration Department which includes System Person Numbers, which are unique identifiers that are assigned to individuals by the Harris County jail system. In addition to those numbers, some limited health information is provided related to the medical care individuals received at the County’s Jail Clinic, which includes health histories, diagnoses, and/or prescription information. The inadvertent disclosure of sensitive information was discovered by Harris County officials on July 9, 2021. Harris County determined that between March 15, 2021 and May 22, 2021, the above types of information were inadvertently made available on the Justice Administration Department’s website. No names were included, nor any Social Security numbers or financial account information, but since unique...

Read More
More Than 447K Patients Affected by Phishing Attack on Orlando Family Physicians
Jul30

More Than 447K Patients Affected by Phishing Attack on Orlando Family Physicians

Email accounts containing the protected health information of 447,426 patients of Orlando Family Physicians in Florida have been accessed by an unauthorized individual. Orlando Family Physicians said the first email account was compromised on April 15, 2021 as a result of an employee responding to a phishing email and disclosing their account credentials. Action was promptly taken to block unauthorized access, and an investigation was launched to determine the nature and extent of the breach. Assisted by a leading cybersecurity forensics firm, Orlando Family Physicians determined that an additional three employee email accounts had also been subjected to unauthorized access. All four of the compromised email accounts had external access blocked within 24 hours of the initial unauthored account access. Orlando Family Physicians determined on May 21, 2021, that the unauthorized individual potentially accessed emails in the account that contained patients’ protected health information. A review of the emails and attachments was conducted, and on July 9, 2021, Orlando Family Physicians...

Read More
PHI Potentially Compromised in Ransomware Attacks on Eye Center and Law Firm
Jul30

PHI Potentially Compromised in Ransomware Attacks on Eye Center and Law Firm

Francisco J. Pabalan MD has reported a ransomware attack that has affected up to 50,000 patients of the Pabalan Eye Center in Riverside, CA. The ransomware attack was discovered on March 3, 2021, with the investigation confirming the attack commenced on March 1. The attackers encrypted files on computers and servers that prevented access and patient data was ransomed. All affected computers and servers had been backed up prior to the attack, so it was possible to recover the encrypted data without having to pay the ransom. The investigation found no evidence of data theft, with the attack appearing to only have been conducted to cause disruption to services in order to extort money from the practice. Following the attack, all computers and servers were formatted prior to operating systems and software being reinstalled, and patient data were then restored from backups. Additional security measures have been implemented, including new anti-virus and anti-ransomware software, new data encryption technology, and a new Security Rule Risk Management Plan has been developed and put in...

Read More
Accidental Disclosures of PHI at LA Fire Department and Standard Modern Company
Jul30

Accidental Disclosures of PHI at LA Fire Department and Standard Modern Company

The Los Angeles Fire Department has discovered the COVID-19 vaccination statuses of 4,900 employees has been accidentally exposed online. A list that included the full names of employees, dates of birth, employee numbers, and COVID-19 vaccination information (vaccination dates, doses, or declined vaccine) had been published on a website accessible to the public. During the time that the website was active, it was possible to visit the site and conduct searches of the database for names and employee numbers. The database was not password protected and no information had to be entered to authenticate users. If a wildcard search was conducted, a table was generated that listed the data of all 4,900 employees. The website – covid.lacofdems.com – had been privately registered and was linked to the Fire Department’s Emergency Medical Service’s bureau. The website, which had not been authorized, was created on April 29, 2021 and was deactivated on July 15, 2021. The website had reportedly been created to allow Department employees to retrieve lost vaccination information. Prior to...

Read More
The Average Cost of a Healthcare Data Breach is Now $9.42 Million
Jul29

The Average Cost of a Healthcare Data Breach is Now $9.42 Million

IBM Security has published its 2021 Cost of a Data Breach Report, which shows data breach costs have risen once again and are now at the highest level since IBM started publishing the reports 17 years ago. There was a 10% year-over-year increase in data breach costs, with the average cost rising to $4.24 million per incident. Healthcare data breaches are the costliest, with the average cost increasing by $2 million to $9.42 million per incident. Ransomware attacks cost an average of $4.62 million per incident. The large year-over-year increase in data breach costs has been attributed to the drastic operational shifts due to the pandemic. With employees forced to work remotely during the pandemic, organizations had to rapidly adapt their technology. The pandemic forced 60% of organizations to move further into the cloud. Such a rapid change resulted in vulnerabilities being introduced and security often lagged behind the rapid IT changes. Remote working also hindered organizations’ ability to quickly respond to security incidents and data breaches. According to IBM, data breaches...

Read More
McLaren Health Care and Greenwood Leflore Hospital Impacted by Elekta Ransomware Attack
Jul28

McLaren Health Care and Greenwood Leflore Hospital Impacted by Elekta Ransomware Attack

McLaren Health Care Corporation (MHCC), the operator of 15 hospitals and over 100 primary care locations in Michigan and Ohio, has announced the protected health information of 64,600 of its cancer patients may have been compromised in a ransomware attack on vendor Elekta Inc. Elekta provides software and technology services to MHCC facilities in Macomb, Northern Michigan, Gaylord, Cheboygan, West Branch, Lapeer, Central and Bay City, which includes data storage. Between April 2 and April 20, 2021, Hackers had access to Elekta’s systems, exfiltrated data, then deployed ransomware to encrypt files. A ransom demand was issued, payment of which was required to decrypt data and prevent the exposure of data stolen in the attack. Elekta notified MHCC about the breach on May 17, 2021. While patient data was affected, Elekta said it has no reason to believe that any of the stolen information will be further disclosed or published online. However, as a precaution against identity theft and fraud, complimentary identity theft protection and credit monitoring services are being offered to...

Read More
Phishing Attacks Reported by UC San Diego Health and UnitedHealthcare
Jul28

Phishing Attacks Reported by UC San Diego Health and UnitedHealthcare

UC San Diego Health has discovered unauthorized individuals gained access to the email accounts of some of its employees and may have accessed or exfiltrated emails containing patient data. The email accounts were compromised as a result of employees responding to phishing emails and disclosing their email credentials. The email environment has now been secured and additional measures have been implemented to improve security. The investigation into the breach revealed the first email account was compromised on December 2, 2020, and others were compromised up until April 8, 2020. At this stage, no evidence has been found to indicate any emails or email attachments were subjected to unauthorized access between December 2020 and April 2021, and no reports have been received that suggest the protected health information (PHI) of patients has been misused; however, it was not possible to rule out unauthorized PHI access and data exfiltration. The investigation into the breach is ongoing to identify exactly what happened and the information that has been affected. Notification letters...

Read More
Florida Heart Associates Operating at 50% Capacity 2 Months After Ransomware Attack
Jul27

Florida Heart Associates Operating at 50% Capacity 2 Months After Ransomware Attack

A ransomware attack on Fort Myers, FL-based Florida Heart Associates that started around May 19, 2021 has caused serious and ongoing disruption to its services, with the medical practice only operating at around 50% capacity two months after the attack. Disruption is expected to continue for several more weeks, with the practice not expecting to fully recover until the end of next month or even early September. Prior to the use of ransomware, the attackers exfiltrated files containing the protected health information of 45,148 patients, including Social Security numbers, member identification numbers, birth dates, and health insurance information. A ransom demand was issued to ensure the deletion of stolen data and to provide the keys to decrypt data, but the decision was taken by the practice not to pay the attackers. The ransomware gang was ejected from the network, but not before much of its IT infrastructure was rendered inoperable. The investigation revealed its systems were first breached on May 9, 2021, with the hackers deploying ransomware on May 19, when staff were...

Read More
Overlake Hospital Medical Center Proposes Settlement to Resolve Data Breach Case
Jul27

Overlake Hospital Medical Center Proposes Settlement to Resolve Data Breach Case

Overlake Hospital Medical Center in Bellevue, WA has proposed a settlement to resolve a class action lawsuit filed by victims of a December 2019 data breach that exposed patients’ demographic information, health insurance information, and health data. The breach in question was a phishing attack that was discovered on December 9, 2019. The investigation revealed unauthorized individuals gained access to the email accounts of several employees, with one of the email accounts compromised between December 6, 2019 and December 9, 2019, and the others compromised for several hours on December 9. The investigation did not uncover evidence of data theft or misuse of patient data, but it was not possible to rule unauthorized access to protected health information (PHI) and the exfiltration of data. The PHI of up to 109,000 patients was contained in the compromised email accounts. Affected individuals were notified starting on February 4, 2020 and Overlake Hospital Medical Center took several steps to improve security, including implementing multi-factor authentication, changing email...

Read More
Paperwork Containing PHI of Oklahoma Heart Hospital Patients Accidentally Donated to Charity
Jul26

Paperwork Containing PHI of Oklahoma Heart Hospital Patients Accidentally Donated to Charity

Oklahoma Heart Hospital has started notifying certain patients about a privacy incident in which paperwork containing limited patient information was accidentally donated to charity. A former employee had made handwritten notes which contained the protected health information of a limited number of patients during the course of that individual’s employment at Oklahoma Heart Hospital between 2011 and 2014. Some of the former employee’s personal possessions were donated to charity in May 2021, with the handwritten notes accidentally included in the donated items. Oklahoma Heart Hospital was contacted by the individual who found the notes and arrangements were immediately made to collect the paperwork. The documents were then cataloged to identify the patients involved and the types of information that had been exposed. The notes included information such as patients’ names, medical record numbers, OHH visit numbers, dates of birth, ages, admit dates, genders, and clinical information consisting of diagnosis, lab results, medications and/or treatment information. No information was...

Read More
UNC Health and Nebraska DHHS Report Phishing Attacks
Jul26

UNC Health and Nebraska DHHS Report Phishing Attacks

The Nebraska Department of Health and Human Services has announced a security incident involving the protected health information of clients of Aging Partners, a department of the City of Lincoln. The breach was discovered by the Lincoln Information Services Department on May 25, 2021. Employees had responded to phishing emails and disclosed credentials to their email accounts, which contained more than 46,000 emails. Assisted by a computer forensics company, it was determined that the email account was accessed by an unauthorized individual between May 18 and May 21. A review of the emails in the account confirmed some contained patient information such as names, addresses, dates of birth, phone numbers, Social Security numbers, dates of service, type/amount of service, and some health information such as diagnoses, care assessments, and medication lists. Emails also contained bank account numbers or other financial information of a limited number of individuals. 6,600 of the emails included the PHI of Aging Partners’ clients, although only 1,513 individuals have been affected....

Read More
Former Scripps Health Worker Charged Over HIPAA Violation in COVID-19 Unemployment Benefit Fraud Case
Jul23

Former Scripps Health Worker Charged Over HIPAA Violation in COVID-19 Unemployment Benefit Fraud Case

The Department of Justice has announced nine San Diego residents have been charged in two separate indictments in connection with the theft of patients’ protected information and the submission of fraudulent pandemic unemployment insurance claims. Under the Coronavirus Aid, Relief, and Economic Security (CARES) Act of 2020, new unemployment benefits were offered to individuals affected by the COVID-19 pandemic, who would not, under normal circumstances, qualify for payments. In one of the cases, Matthew Lombardo, a former Scripps Health employee, was charged with felony HIPAA violations for obtaining and disclosing the protected health information of patients to his alleged co-conspirators. Lombardo was also charged with conspiracy to commit wire fraud, along with three alleged co-conspirators – Konrad Piekos, Ryan Genetti, and Dobrila Milosavljevic. Piekos, Genetti, and Milosavljevic were also charged with aggravated identity theft and are alleged to have used the stolen information to submit fraudulent pandemic unemployment insurance claims. The San Diego Sheriff’s’...

Read More
June 2021 Healthcare Data Breach Report
Jul21

June 2021 Healthcare Data Breach Report

For the third consecutive month, the number of reported healthcare data breaches of 500 or more records increased. June saw an 11% increase in reported breaches from the previous month with 70 data breaches of 500 or more records reported to the HHS’ Office for Civil Rights – the highest monthly total since September 2020 and well above the average of 56 breaches per month over the past year. While the number of reported breaches increased, there was a substantial fall in the number of breached healthcare records, which decreased 80.24% from the previous month to 1,290,991 breached records. That equates to more than 43,000 breached records a day in June. More than 40 million healthcare records have been exposed or impermissibly disclosed over the past 12 months across 674 reported breaches. On average, between July 2020 and June 2021, an average of 3,343,448 healthcare records were breached each month. Largest Healthcare Data Breaches in June 2021 There were 19 healthcare data breaches of 10,000 or more records reported in June. Ransomware continues to pose problems for healthcare...

Read More
Email Account Breaches Reported by MultiPlan and Hawaii Independent Physicians Association
Jul20

Email Account Breaches Reported by MultiPlan and Hawaii Independent Physicians Association

The medical payment billing service provider MultiPlan has announced a breach of its email environment. On January 27, 2021, suspicious activity was identified in the email account of one of its employees. Action was immediately taken to terminate unauthorized access and the employee’s email credentials were changed. MultiPlan immediately launched an investigation to determine the nature and scope of the breach, with assistance provided by forensics experts. The investigation confirmed that the main purpose of the attack was to divert wire transfers from MultiPlan customers looking to pay invoices. The email account was compromised and used by the attacker to communicate with those customers regarding billing, and to attempt to divert payments to an account under their control. While protected health information does not appear to have been targeted in the attack, the compromised email account was found to contain the protected health information of 214,956 individuals. That information could have been viewed or obtained by the attacker between December 23, 2020 and January 27,...

Read More
Advocate Aurora Health, Jefferson Health, and Intermountain Healthcare Affected by Elekta Ransomware Attack
Jul20

Advocate Aurora Health, Jefferson Health, and Intermountain Healthcare Affected by Elekta Ransomware Attack

Three more healthcare providers have announced they have been affected by the recent ransomware attack on the Swedish radiation therapy and radiosurgery solution provider Elekta Inc. Elekta provides a cloud-based mobile application called SmartClinic, which is used by healthcare providers to access patient information for cancer treatments. Cybercriminals gained access to Elekta’s systems between April 2, 2021 and April 20, 2021 exfiltrated the SmartClinic database prior to deploying ransomware and encrypting files. The database contained the personal and protected health information (PHI) of patients of 42 healthcare systems in the United States. Elekta notified affected customers in May 2021. Advocate Aurora Health has recently announced that 68,000 of its patients across 7 sites in Illinois have been affected by the attack. The following types of PHI were acquired by the ransomware gang: names, addresses, dates of birth, height and weight measurements, Social Security numbers, driver’s license numbers, diagnosis information, treatment information, and appointment confirmations....

Read More
Sierra Nevada Primary Care Physicians Alerts Patients About Theft of PHI
Jul19

Sierra Nevada Primary Care Physicians Alerts Patients About Theft of PHI

Sierra Nevada Primary Care Physicians in California is alerting 1,717 patients about an incident involving the theft of some of their protected health information, including names and credit card information. On May 20, 2021, Sierra Nevada Primary Care Physicians was notified by the District Attorney’s office that two envelopes containing receipts from the practice had been found in the vehicle of a suspect. The receipts were for payments made by patients between January 1, 2019 and March 20, 2019. For individuals who paid in person at the front desk using a debit or credit card, the receipts contained the individual’s name, name of the practice, amount charged, and the last four digits of the card number. Receipts for payments made by individuals using a debit card or credit card by mail or over the phone included that individual’s name, debit/credit card number, expiry date, CVV code, signature, practice name, and amount charged. The District Attorney confirmed that the two envelopes and receipts were recovered and the perpetrators were arrested. Sierra Nevada Primary Care...

Read More
Lake County Health Department Notifies 25,000 Patients About Two Data Breaches
Jul19

Lake County Health Department Notifies 25,000 Patients About Two Data Breaches

The Lake County Health Department in Illinois has announced it has suffered two data breaches that potentially involved the personal and protected health information of around 25,000 patients. The first breach occurred in 2019 when a Lake County Health employee sent an unencrypted email from their work email account to an internal employee’s personal email account. The email had an attached spreadsheet of medical record requests dating from December 2016 to June 2019. The requests had been made through a third-party company which handled release of information requests for the Lake County Health Department. The spreadsheet included the names of 24,241 patients along with dates relevant to the vendor. Lake County Health discovered the breach on July 22, 2019; however, it took until July 2021 for notification letters to be sent to affected patients. The reason for the delay of almost two years was due to Lake County Health officials not believing notification letters were required, as no personal health information had been compromised; however, the Department of Health and Human...

Read More
30,000 Florida Blue Members Impacted by Brute Force Attack on Member Portal
Jul16

30,000 Florida Blue Members Impacted by Brute Force Attack on Member Portal

The protected health information of up to 30,063 members of Florida Blue (Blue Cross and Blue Shield of Florida) may have been viewed or obtained by unauthorized individuals in a brute force attack on the Florida Blue online member portal. Starting on June 8, 2021, unknown individuals conducted a brute force campaign using a large database of user identifiers and corresponding passwords that was available from online sources in an attempt to gain access to the portal. The database appears to have been compiled from data breaches at third party companies where username and password combinations had been compromised. Florida Blue reports that some of those automated attempts were successful and the attacker gained access to information contained in online member accounts. This information typically included names, contact information, claims information, payment information, health insurance policy information, and other personal information. While access to accounts was gained, Florida Blue found no evidence to suggest any information in those accounts was removed by the attacker....

Read More
Cyberattack on Florida Heart Associates Potentially Affects 45,000 Patients
Jul15

Cyberattack on Florida Heart Associates Potentially Affects 45,000 Patients

Florida Heart Associates is notifying 45,148 patients about a recent security breach in which their personal and protected health information may have been compromised. The security breach was detected on or around May 19, 2021, when unusual activity was spotted within certain networked computers. Steps were immediately taken to contain the breach and secure personal information and an investigation was launched to determine the nature and scope of the breach. Florida Heart Associates determined that its computer network was breached between May 9 and May 19, 2021. Security systems had been implemented prior to the breach which limited the impact of the intrusion; however, it is possible that the attackers gained access to servers on which patient information was stored. The impacted servers contained names, member identification numbers, dates of birth, Social Security numbers, and health insurance information, all of which may have been accessed. Florida Heart Associates said in its substitute breach notice that no indications have been received to suggest any information on the...

Read More
Over 200,000 Individuals Potentially Affected by ClearBalance Phishing Attack
Jul14

Over 200,000 Individuals Potentially Affected by ClearBalance Phishing Attack

San Diego, CA-based ClearBalance, a loan provider that helps patients spread the cost of their hospital bills, was the victim of a phishing attack on March 8, 2021 where employees were tricked into disclosing their login credentials. ClearBalance identified the email security breach on April 26, 2021 when the attacker attempted to make a fraudulent wire transfer. Steps were immediately taken to secure the email environment and prevent further unauthorized access, and the attempted wire transfer failed. No funds were transferred to the attacker’s account. A third-party computer forensic investigator was engaged to investigate the breach and to determine whether the attacker accessed or obtained any sensitive data. The investigator confirmed that the breach was limited to the email environment and no other systems were affected and that the unauthorized individual had been ejected from email accounts the day the breach was detected. The attacker was not able to gain access to the database that hosts the medical record systems of any healthcare providers; however, some sensitive data...

Read More
Wisconsin Dermatology Practice Reports Data Breach Affecting 2.41 Million Individuals
Jul12

Wisconsin Dermatology Practice Reports Data Breach Affecting 2.41 Million Individuals

Manitowoc, WI-based Forefront Management, LLC and Forefront Dermatology, S.C. discovered on June 4, 2021 that unauthorized individuals had gained access to its network and potentially viewed private and confidential employee and patient information. The affected systems were immediately taken offline to prevent further unauthorized access and an investigation was launched to determine the nature and scope of the attack. On June 24, 2021, Forefront determined that certain files stored on its network had been accessed and potentially obtained which contained the personal information of a limited number of Forefront employees, including their names and Social Security numbers. The investigation revealed its network was first breached on May 28, 2021 and access remained possible until June 4, 2021. During the course of the investigation, Forefront determined the unauthorized individual also accessed files that included the personal and protected health information of a limited number of current and former Forefront patients. Patient information potentially compromised in the attack...

Read More
Coastal Family Health Center Cyberattack Affects 62,000 Patients
Jul09

Coastal Family Health Center Cyberattack Affects 62,000 Patients

Coastal Family Health Center (CFHC), the fourth largest community health center in Mississippi, has started notifying patients about a May 13, 2021 cyberattack that involved some of their protected health information. CFHC said hackers attempted to shut down its computer operations; however, that attempt failed and CFHC was able to continue treating patients and providing services to the community. An investigation was immediately launched into the incident to determine how the attack occurred and whether any sensitive patient information was accessed by the hackers. On June 4, 2021 the investigation revealed some files accessed by the attackers contained the protected health information of patients, including names, addresses, Social Security numbers, health insurance information, and health and treatment information. Independent cybersecurity professionals were engaged to assist with improving the security of its systems and policies and procedures have been changed to prevent further breaches in the future. After determining current mailing addresses, notification letters were...

Read More
Ransomware Attacks Reported by 5 HIPAA Covered Entities and Business Associates
Jul07

Ransomware Attacks Reported by 5 HIPAA Covered Entities and Business Associates

Professional Business Systems, Inc. operating as Practicefirst Medical Management Solutions and PBS Medcode Corp, a provider of medical management services involving data processing for healthcare providers, has suffered a ransomware attack in which files containing patient information were obtained by the attackers. The ransomware attack was identified on December 30, 2020, and its systems were promptly shut down in an effort to contain the attack. Third-party cybersecurity experts were engaged to investigate the incident and law enforcement was notified. Practicefirst has not confirmed whether the ransom was paid but did say it received assurances from the attacker that the files copied from its systems have been destroyed and were not further disclosed. There have been no identified cases of misuse of patient information; however, all affected individuals have been advised to monitor their accounts for any sign of fraudulent activity. The types of patient information contained in the files differed from patient to patient and may have included the following data elements:  name,...

Read More
UW Health Discovers 4-Month Breach of Its MyChart Portal
Jul07

UW Health Discovers 4-Month Breach of Its MyChart Portal

University of Wisconsin Hospitals and Clinics Authority has reported a breach of its Epic MyChart portal which has affected 4,318 UW Health patients. Unusual activity was detected in the portal and an investigation was launched on April 20, 2021, to determine the nature and extent of the breach. The investigation ran until May 4, 2021, and determined unauthorized individuals had access to the portal for a period of around 4 months, with dates of access ranging from December 27, 2020 to April 13, 2021. UW Health said the individual had viewed the MyChart patient portal homepage which displays clinical information such as hospital admission dates, appointment reminders, care team, subject lines of messages from providers, and prompts to view new test results. Pages were also accessed that included some patient appointment and admission dates, demographic information such as names, addresses, phone numbers, and email addresses, health insurance and claims information, diagnoses, medications, and test results. Notification letters were sent to affected patients starting on June 18,...

Read More
PHI of Veterans with PTSD Potentially Compromised in OSU Data Breach
Jul06

PHI of Veterans with PTSD Potentially Compromised in OSU Data Breach

An Ohio State University (OSU) pilot program to help veterans recover from Post Traumatic Stress Disorder (PTSD) and other mental health issues was breached and the personal information of patients has been compromised, according to a recent NBC4 Investigates Report. The (OSU) Veterans Neuromodulation Operation Wellness (NOW) pilot program was shut down permanently on June 15, 2021, but prior to the closure, a data breach occurred. OSU explained in its notification letters to affected individuals that the breach was detected on April 24, 2021, and occurred between January 25, 2021, and March 4, 2021. NBC4 Investigates spoke with one veteran who received a June 14, 2021, notification letter from the Office of Compliance and Integrity informing him that his name, address, Social Security number, and medical history may have been compromised. It is currently unclear how many individuals have been affected by the breach. The Veterans Now Program was paused in March 2021 for a week, with the program’s lead doctor placed on leave. The program was then re-started without the lead doctor...

Read More
PHI Exposed in Email Incidents at Discovery Practice Management, One Medical, and Peoples Community Health Clinic
Jul06

PHI Exposed in Email Incidents at Discovery Practice Management, One Medical, and Peoples Community Health Clinic

Discovery Practice Management Notifies Individuals About June 2020 Email Incident Discovery Practice Management, a provider of administrative support services to Authentic Recovery Center and Cliffside Malibu facilities in California, has announced that unauthorized individuals gained access to the email environment it maintains for those facilities. Suspicious email activity was detected in the email environment on July 31, 2020. An investigation was launched which revealed there had been unauthorized logins to staff email accounts at both facilities between June 22, 2020 and June 26, 2020. The accounts were immediately secured and a third-party cybersecurity firm was engaged to investigate the breach but it was not possible to confirm whether protected health information in the accounts was viewed or exfiltrated. Protected health information potentially compromised included names, addresses, dates of birth, medical record numbers, patient account numbers, health insurance information, financial account/payment card information, Social Security numbers, driver’s license number,...

Read More
Kaseya KSA Supply Chain Attack Sees REvil Ransomware Sent to 1,000+ Companies
Jul05

Kaseya KSA Supply Chain Attack Sees REvil Ransomware Sent to 1,000+ Companies

A Kaseya KSA supply chain attack has affected dozens of its managed service provider (MSP) clients and saw REvil ransomware pushed out to MSPs and their customers. Kaseya is an American software company that develops software for managing networks, systems, and information technology infrastructure. The software is used to provide services to more than 40,000 organizations worldwide. The REvil ransomware gang gained access to Kaseya’s systems, compromised the Kaseya’s VSA remote monitoring and management tool, and used the software update feature to install ransomware. The Kaseya VSA tool is used by MSPs to monitor and manage their infrastructure. It is not clear when the ransomware gang gained access to Kaseya’s systems, but ransomware was pushed out to customers when the software updated on Friday July 2. The attack was timed to coincide with the July 4th holiday weekend in the United States, when staffing levels were much lower and there was less chance of the attack being detected and blocked before the ransomware payload was deployed. Fast Response Limited Extent of the Attack...

Read More
Dominion National Proposes $2 Million Settlement to Resolve Class Action Data Breach Lawsuit
Jul05

Dominion National Proposes $2 Million Settlement to Resolve Class Action Data Breach Lawsuit

Dominion National, a Virginia-based insurer, health plan administrator, and administrator of dental and vision benefits, has agreed to settle a class action lawsuit filed by victims of a 2.96 million-record data breach discovered in 2019. The investigation into the data breach was completed on April 24, 2019. Dominion National determined unauthorized individuals gained access to its servers which contained the personal and protected health information of health plan customers. Initially, the breach was thought to have affected 122,000 health plan members, but further investigations showed the protected health information of 2,964,778 individuals had potentially been compromised.  The investigation revealed the breach had started as early as August 25, 2010, with the types of data accessible including names, dates of birth, email addresses, member ID numbers, group numbers, subscriber numbers, and Social Security numbers. Individuals who enrolled online through the Dominion National website may also have had their bank account and routing number exposed. Providers were also affected...

Read More
Northwestern Memorial HealthCare and Renown Health Affected by Elekta Cyberattack
Jul02

Northwestern Memorial HealthCare and Renown Health Affected by Elekta Cyberattack

Chicago, IL-based Northwestern Memorial HealthCare and Reno, NV-based Renown Health have been affected by a cyberattack on one of their business associates. The data breach was discovered by Stockholm-based Elekta, which provides a software platform used for clinical radiotherapy treatment for cancer and brain disorders. Elekta issued a statement confirming its first-generation cloud-based storage system was accessed by unauthorized individuals, which affected a subset of customers in North America. Elekta has been working with law enforcement and third-party cybersecurity experts to determine exactly how the breach occurred and the nature and scope of the attack. Elekta started notifying affected healthcare providers in April 2021. Elekta’s investigation revealed its systems were compromised between April 2, 2021 and April 20, 2021. During that time the attackers accessed and exfiltrated a copy of a database that contained the information of oncology patients. The breach was confined to Elekta’s systems. The systems of its healthcare provider clients were not accessed at any...

Read More
University Medical Center of Southern Nevada Suffers REvil Ransomware Attack
Jul02

University Medical Center of Southern Nevada Suffers REvil Ransomware Attack

University Medical Center of Southern Nevada (UMC) has suffered a ransomware attack in which patient data was stolen. The medical center confirmed it identified suspicious activity within the hospital network in mid-June and took immediate action to contain the threat and restrict access to its servers. The investigation into the cyberattack is continuing and law enforcement has been notified. At this stage it appears that the attackers targeted a server that was used to store patient data. The investigation is still in the early stages, but UMC said it appears that clinical systems were not affected. UBM said it is working with the Las Vegas Metropolitan Police Department, the FBI, and third-party cybersecurity experts to determine the exact origin and scope of the breach. Any cyberattack that causes disruption to hospital operations has potential to result in considerable harm to patients. This is especially true for an attack on UMC, which runs the only Level 1 trauma center in Nevada. UMC said the fast action of its IT department helped to contain the breach, but that response...

Read More
Email Data Breaches Reported by UofL Health and Jawonio
Jun29

Email Data Breaches Reported by UofL Health and Jawonio

UofL Health has started notifying 42,465 patients that some of their protected health information (PHI) was sent to an incorrect external email address. The Louisville, KY healthcare system sent notification letters to affected patients on June 7, 2021 advising them about the exposure of some of their PHI. UofL Health was contacted the following day by the owner of the external domain and was provided with technical evidence that showed the emails had not been viewed by anyone and had been permanently deleted. Some patients whose PHI was exposed were offered complimentary identity theft protection services. While it has now been confirmed that PHI had not been viewed and is no longer accessible, UofL Health said any patient who was offered identity theft protection services will still be able to sign up for them free of charge. “We are relieved that our patients’ information is not at risk as a result of this incident, though we wish that information would have come to us sooner,” said UofL Health in a website notice to its patients. UofL Health did not state in its breach notice...

Read More
Ohio Hospital Worker Snooped on 7,300 Patient Records over 12 Years
Jun29

Ohio Hospital Worker Snooped on 7,300 Patient Records over 12 Years

A former employee of Aultman Health Foundation accessed 7,300 patient records without authorization for almost 12 years before the HIPAA violation was discovered. The employee was provided with access to patient records to fulfil duties related to coordinating patient care but was discovered to have accessed patient records when there was no legitimate work reason for doing so. The types of information accessed included patient names, addresses, dates of birth, health insurance information, diagnosis and treatment information, and Social Security numbers. Aultman said it suspended the employee’s access to patient records as soon as the privacy violation was uncovered, and an investigation was immediately launched to determine the nature and scope of the HIPAA violation. The investigation revealed the employee accessed patient records without authorization from September 14, 2009 until April 26, 2021. The employee was terminated for violating HIPAA and hospital policies. Aultman has started notifying patients whose records were viewed. Patient’s whose Social Security number was...

Read More
Former Cedar Rapids Hospital Employee Who Weaponized Ex-Boyfriend’s PHI Sentenced to Probation
Jun25

Former Cedar Rapids Hospital Employee Who Weaponized Ex-Boyfriend’s PHI Sentenced to Probation

A former Cedar Rapids Hospital employee has been sentenced to 5 years’ probation for wrongfully accessing and distributing the protected health information of her ex-boyfriend. Jennifer Lynne Bacor, 41, of Las Vegas, NV, was employed as a patient care technician at a Cedar Rapids hospital. The position gave her access to systems containing the individually identifiable information of patients. While she was authorized to access that information, she was only permitted to view the information of patients in order to complete her work duties. Bacor’s ex-boyfriend had visited the hospital on multiple occasions in 2017 to receive treatment. Bacor used her login credentials to access his medical records from October 2013 to September 2017 on multiple occasions between April and October 2017, when there was no legitimate work reason for doing so. Accessing the protected health information of an individual when there is no legitimate work purpose for doing so is a violation of the Health Insurance Portability and Accountability Act (HIPAA), for which criminal charges can be filed. Bacor...

Read More
Maximus Reports Breach Affecting 334,000 Medicaid Healthcare Providers
Jun24

Maximus Reports Breach Affecting 334,000 Medicaid Healthcare Providers

Ohio Medicaid has announced that its data manager, Maximus Corp, has experienced a data breach in which the personal information of Medicaid healthcare providers has been compromised. Maximus is a global provider of government health data services. Through the provision of those services the company had been provided with the personal information of Medicaid healthcare providers. On May 19, 2021, Maximus discovered a server that contained personal information provided to the Ohio Department of Medicaid (ODM) or to a Managed Care Plan had been accessed by unauthorized individuals between May 17 and May 19, 2021. Upon discovery of the breach, Maximus took the server offline to prevent any further unauthorized access and a leading third-party cybersecurity firm was engaged to assist with the investigation. The cybersecurity firm confirmed that the breach was confined to an application on the server and no other servers, applications, or systems were affected. No evidence was found to indicate any information within the application has been misused, although data theft could not be...

Read More
PHI of Up to 500,000 Individuals Potentially Stolen in Wolfe Eye Clinic Ransomware Attack
Jun24

PHI of Up to 500,000 Individuals Potentially Stolen in Wolfe Eye Clinic Ransomware Attack

Wolfe Eye Clinic, an operator of a network of eye health clinics throughout Iowa, has announced it was the victim of a ransomware attack on February 8, 2021. Hackers gained access to its systems and used ransomware to encrypt files. A ransom demand was issued for the keys to decrypt files, but the clinic refused to pay and opted to recover files from backups. As is now common in ransomware attacks, prior to file encryption the attackers exfiltrated data from Wolfe Eye Clinic systems. Wolfe Eye Clinic explained in its substitute breach notification letter that immediate action was taken to secure its network environment and independent IT security and forensic investigators were engaged to determine the scope and extent of the security breach. Due to the scale and complexity of the attack, it took until May 28, 2021 for the full scope of the security breach to be determined and to identify the information compromised in the attack. The forensic investigation concluded on June 8, 2021, when it was confirmed the attackers accessed and exfiltrated the data of current and former...

Read More
PHI of 38,000 Patients Stolen in Ransomware Attack on Reproductive Biology Associates
Jun24

PHI of 38,000 Patients Stolen in Ransomware Attack on Reproductive Biology Associates

The Georgia fertility clinic Reproductive Biology Associates has announced it suffered a ransomware attack in April in which files containing the personal and protected health information of approximately 38,000 patients were exfiltrated by the attackers. The attackers gained access to a file server containing embryology data on April 7, 2021, and ransomware was used to encrypt files on April 16, 2021. The files contained the PHI of patients of Reproductive Biology Associates and its affiliate My Egg Bank North America, which included full names, addresses, Social Security numbers, laboratory test results, and information related to the handling of human tissue. The investigation into the attack concluded on June 7, 2021. While it has not been officially confirmed whether the ransom was paid, Reproductive Biology Associates said the attackers have deleted all data stolen in the attack and all encrypted data have now been recovered. Reproductive Biology Associates has been monitoring online and dark web sites for signs of misuse or misappropriation of the stolen data and will...

Read More
Prominence Health Plan Data Breach Impacts up to 45,000 Individuals
Jun23

Prominence Health Plan Data Breach Impacts up to 45,000 Individuals

The Nevada health insurer Prominence Health Plan has announced it suffered a security breach on November 30, 2020 in which hackers potentially obtained the protected health information of some of its plan members. The data breach was discovered on April 22, 2021 and steps were immediately taken to prevent further unauthorized access, including changing the credentials used by the attacker to gain access to its network. While Prominence Health Plan has not confirmed whether this was a ransomware attack, all affected plan member data has been restored from backups. The incident involved audio recordings of phone calls to the Prominence call center along with PDF files that included provider claim forms and letters to patients advising them about claim approvals and denials. The audio files typically included full names, dates of birth, and member ID numbers, while the PDF files contained a member’s name, date of birth, sex, member ID number, mailing address, and claim code. The files included PHI of individuals who had been members between 2010 and 2020. Approximately 45,000...

Read More
San Juan Regional Medical Center Data Breach Affects 68,792 Patients
Jun23

San Juan Regional Medical Center Data Breach Affects 68,792 Patients

San Juan Regional Medical Center has recently notified tens of thousands of its patients about a security breach that occurred in the fall of 2020. The Farmington, NM medical center discovered its network had been accessed by an unauthorized individual on September 8, 2020. Prompt action was taken to prevent further unauthorized access and an investigation was launched to determine the nature and extent of the breach. The forensic investigation revealed the attacker exfiltrated files between September 7th and 8th, with a manual review of those files confirming they contained the protected health information of 68,792 patients. The types of information in the files varied from patient to patient and included names in combination with one or more of the following date elements: Dates of birth, Social Security numbers, driver’s license numbers, passport information, financial account numbers, health insurance information, diagnoses, treatment information, medical record numbers, and patient account numbers. While data theft was confirmed, no evidence has been found to indicate any of...

Read More
South Texas Health System and Atricure Report Email Incidents
Jun21

South Texas Health System and Atricure Report Email Incidents

South Texas Health System has notified 6,761 individuals about an accidental disclosure of some of their protected health information. South Texas Health System provides discharge instructions after patients receive medical care in its hospitals. Part of that process involves an employee generating and emailing a monthly report that identifies patients that have been discharged from its hospital emergency departments. South Texas Health System discovered on April 8, 2021 that an email with an attached November 2020 report was sent to an incorrect email address on April 7. Steps were taken to try to identify the recipient and get the email deleted, but that individual remains unknown and it is unclear whether the email has been opened, viewed, or deleted. The email attachment contained a list of patients discharged from its hospital emergency departments in November 2020, which included names, internal hospital visit numbers, date and time of discharge, whether discharge instructions were provided, and information about where the patients were discharged. The nature of the data in...

Read More
May 2021 Healthcare Data Breach Report
Jun18

May 2021 Healthcare Data Breach Report

May was the worst month of 2021 to date for healthcare data breaches. There were 63 breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights in May. For the past three months, breaches have been reported at a rate of more than 2 per day. The average number of healthcare data breaches per month has now risen to 54.67. May was also the worst month of the year in terms of the severity of breaches. 6,535,130 healthcare records were breached across those 63 incidents. The average number of breached healthcare records each month has now risen to 3,323,116. 17,733,372 healthcare records have now been exposed or impermissibly disclosed so far in 2021 and almost 40 million records (39.87M) have been breached in the past 12 months. Largest Healthcare Data Breaches Reported in April 2021 As was the case in April, there were 19 healthcare data breaches involving 10,000 or more records and 7 of those breaches involved 100,000 or more records. All but one of those breaches was a hacking incident or involved It systems being compromised by...

Read More
NorthWest Congenital Heart Care Reports Theft of Device Containing PHI of 1,166 Patients
Jun17

NorthWest Congenital Heart Care Reports Theft of Device Containing PHI of 1,166 Patients

Washington-based NorthWest Congenital Heart Care is alerting 1,166 patients that some of their protected health information has been acquired by an unauthorized individual. On May 7, 2021, an unauthorized third party entered the office of a single NWCHC physician and stole an external hard drive that was used for data backups. The theft was reported to law enforcement, but the hard drive has not been recovered. A review of the data backups revealed they contained patient information such as names, dates of birth, ages, medical and treatment information, dates of service, location of service, physician names, services requested, procedures performed, diagnosis codes, diagnosis and treatment descriptions, medical record numbers and, for one individual, health insurance information. To reduce the risk of future data breaches, NorthWest Congenital Heart Care will be eliminating the use of external hard drives for data backups. Superior HealthPlan Members Affected by Accellion Data Breach 2,781 members of Superior HealthPlan in Texas have been notified that some of their protected...

Read More
Arizona Asthma and Allergy Institute Notifies 70,372 Patients About Data Breach
Jun16

Arizona Asthma and Allergy Institute Notifies 70,372 Patients About Data Breach

Arizona Asthma and Allergy Institute has issued breach notification letters to 70,372 patients who received services between October 1, 2015 and June 15, 2020. According to the breach notice, a range of their personal and protected health information including names, patient ID numbers, provider names, health insurance information, and treatment cost information was exposed online under the name of a different organization for a brief period in September 2020. After being alerted about the exposed data, a third-party forensics company was engaged to investigate the breach. The investigation concluded on March 8, 2021 and confirmed that protected health information had been exposed. According to databreaches.net, which contacted Arizona Asthma and Allergy Institute to alert them about the breach, this was a ransomware attack by the Maze ransomware operation. Sensitive data obtained in the breach had been posted to the Maze Group’s data leak site for a short period in September under the name Medical Management Inc. Stillwater Medical Center Investigation Security Breach Stillwater...

Read More
SEIU 775 Benefits Group Data Breach Impacts 140,000 Individuals
Jun16

SEIU 775 Benefits Group Data Breach Impacts 140,000 Individuals

A benefits administrator for home healthcare and nursing home workers, Service Employees International Union 775 (SEIU 775) Benefits Group, has experienced a cyberattack that resulted in the deletion of sensitive data. IT staff detected anomalies within SEIU 775’s data systems on or around April 4, 2021, which included the deletion of certain data. An investigation was launched into the malicious activity, led by third-party cybersecurity experts and forensic consultants. The investigation confirmed that its systems had been hacked and the data of unknown individuals had been deleted, including personally identifiable and protected health information. While information was deleted, no evidence was found to indicate any PII or PHI was viewed or acquired by the attackers and there have been no reported cases of misuse of data. Data potentially compromised included names, addresses, and demographic data along with Social Security numbers and potentially health plan eligibility information. Upon discovery of the malicious activity, steps were immediately taken to prevent further...

Read More
Five Rivers Health Centers Phishing Attack Affects Almost 156,000 Patients
Jun11

Five Rivers Health Centers Phishing Attack Affects Almost 156,000 Patients

Ohio-based Five Rivers Health Centers has notified 155,748 patients that some of their protected health information was stored in email accounts that have been accessed by an unauthorized individual following a phishing attack. It is unclear when the breach was discovered, but Five Rivers Health Centers reports that following an extensive forensic investigation into the cyberattack and a manual document review, it discovered on March 31, 2021, that the breached email accounts contained patients’ personal and health information. The forensic investigation confirmed that the email accounts had been breached between April 1, 2020, and June 2, 2020. Notification letters were sent to affected patients on May 28, 2021 – More than a year after the first email accounts were breached. The types of protected health information in emails and attachments varied from patient to patient and may have included one or more of the following data elements:  Name, address, date of birth, medical record number, patient account number, diagnoses, treatment and/or clinical information, test results, lab...

Read More
Humana and Cotiviti Facing Class Action Lawsuit over 63,000-Record Data Breach
Jun10

Humana and Cotiviti Facing Class Action Lawsuit over 63,000-Record Data Breach

The Louisville, KY-based health insurance and healthcare provider Humana and its business associate Cotiviti are facing legal action over a data breach discovered in late December 2020. On May 26, 2021, a lawsuit was filed in the U.S. District Court for the Western District of Kentucky over the mishandling of Humana insurance plan members’ medical records. Humana had contracted with Cotiviti to handle medical records requests to send to the HHS’ Centers for Medicare and Medicaid Services (CMS). Cotiviti had subcontracted some of the work to Visionary Medical Systems Inc. According to the lawsuit, an employee of Visionary Medical Systems uploaded the private and confidential medical records of Humana members to a personal Google Drive account in order to provide medical coding training as part of a “personal coding business endeavor.” The medical records were copied to the Google Drive account between October 12 and December 16, 2020, and that account was publicly accessible. The actions of the employee violated HIPAA and the terms of the business associate agreement. Visionary...

Read More
Phishing Attack Affects Up to 34,862 Lafourche Medical Group Patients
Jun08

Phishing Attack Affects Up to 34,862 Lafourche Medical Group Patients

Lafourche Medical Group, a Louisiana-based urgent care center operator, has notified 34,862 patients about a security breach that potentially involved some of their protected health information. On March 30, 2021, Lafourche Medical Group learned that an external accountant had responded to a phishing email that spoofed one of the owners of Lafourche Medical Group and disclosed login credentials to the attacker. The compromised credentials were used to gain access to the group’s Microsoft 365 environment. A third-party IT company was engaged to assist with the investigation, but found no evidence to suggest its on-premise systems or cloud-based electronic medical record system were compromised; however, the credentials could have been used to view or download data from its Microsoft 365 environment, which contained some patient information. “Due to the size of the email system, we are unable to identify all potential patient information that may have been contained in the system,” explained Lafourche Medical Group in its substitute breach notice. Clinical information was not...

Read More
Risk and Compliance Firm Reports Breach of 47,035 Records
Jun04

Risk and Compliance Firm Reports Breach of 47,035 Records

The risk and compliance firm LogicGate has identified a security incident in which the protected health information of 47,035 individuals has potentially been compromised. LogicGate explained in breach notification letters that an unauthorized individual gained access to credentials for its Amazon Web Services cloud storage servers which are used to store backup files of customers that use its Risk Cloud platform. The Risk Cloud Platform is used by companies to identify and manage compliance risks and meet data protection and security standards. All backup files stored in AWS S3 buckets are encrypted, but the attacker was able to use the credentials to decrypt data. The backup files contained customer data that had been uploaded to their Risk Cloud environment prior to February 23, 2021. LogicGate said it did not identify any decrypt events associated with customers’ stored attachments. It is currently unclear whether any customer data was exfiltrated by the attacker and no details have been released about how the credentials were obtained. Hoboken Radiology Alerts Patients to...

Read More
Ransomware Attacks Affect Sturdy Memorial Hospital and UF Health
Jun04

Ransomware Attacks Affect Sturdy Memorial Hospital and UF Health

Sturdy Memorial Hospital in Attleboro, MA is notifying 57,379 patients about a computer security incident that occurred on February 9, 2021 in which patient data was stolen. According to the hospital’s breach notice, an unauthorized individual gained access to its systems but the hospital secured those systems later that day. The individual demanded a ransom payment to prevent the exposure/sale of data stolen in the attack. The hospital took the decision to pay the ransom and received assurances all stolen data would be permanently destroyed and would not be further disclosed. It is unclear whether this was simply a data theft incident or whether ransomware had been used in the attack. Third party computer forensics experts were engaged to investigate the breach, and a review was conducted to determine what patient data was compromised. The review was completed on April 21, 2021 and all affected individuals started to be notified on May 28, 2021. Sturdy Memorial Hospital said that in addition to its own patients, some patient data from other healthcare provider partners –...

Read More
147,000 Patients Affected by Scripps Health Ransomware Attack
Jun03

147,000 Patients Affected by Scripps Health Ransomware Attack

Scripps Health, the second largest healthcare provider in San Diego, has started sending breach notification letters to 147,267 patients to inform them that some of their personal and health information was stolen in a May 1, 2021 ransomware attack. The attack forced Scripps Health to adopt its EHR downtime procedures with its systems offline. Staff at its medical offices and hospitals were forced to work with paper charts while systems were restored and data was recovered. That process has taken almost a month, during which time access to important patient information such as test results was prevented. Scripps Health only regained the ability to create new records last week when the MyScripps patient portal was brought back online. The attack affected many of the healthcare provider’s care sites and caused disruption to operations at two of its four hospitals. Scripps Health took the decision to divert some critical patients to other facilities, with all four of its main hospitals placed on emergency care diversion for stroke, heart attack, and trauma patients. Some non-urgent...

Read More
Diabetes, Endocrinology & Lipidology Center Pays $5,000 to Resolve HIPAA Right of Access Case
Jun02

Diabetes, Endocrinology & Lipidology Center Pays $5,000 to Resolve HIPAA Right of Access Case

The HHS’ Office for Civil Rights has announced a settlement has been reached with The Diabetes, Endocrinology & Lipidology Center, Inc. (DELC) that resolves a potential HIPAA Right of Access violation. This is the 8th financial penalty to be announced in 2021 to resolve violations of the HIPAA Rules, and the 19th settlement under OCR’s HIPAA Right of Access enforcement initiative that was launched in the fall of 2019. DELC is a West Virginia-based healthcare provider specializing in treating endocrine disorders. In August 2019, OCR received a complaint that alleged DELC had failed to respond to a request for a copy of protected health information in a timely manner. The HIPAA Privacy Rule requires a copy of an individual’s protected health information contained in a designated record set to be provided within 30 days of a request being received. In this case, the complainant wanted a copy of her minor child’s protected health information and DELC had failed to provide those records within the allowed 30 days. OCR notified DELC on October 30, 2019 about the investigation into...

Read More
More than 3.2 Million Individuals Affected by 20/20 Hearing Care Network Data Breach
Jun02

More than 3.2 Million Individuals Affected by 20/20 Hearing Care Network Data Breach

The 20/20 Hearing Care Network has started notifying millions of current and former members that some of their protected health information (PHI) has potentially been compromised and/or deleted. On January 11, 2021, suspicious activity was detected in its AWS cloud storage environment. Steps were immediately taken to prevent further unauthorized access and an investigation was launched to determine the nature and scope of the security breach. Third party forensics experts assisted with the investigation and confirmed that S3 buckets hosted in AWS had been accessed, data in those buckets downloaded, and then all data in the S3 buckets was deleted. The forensic investigation confirmed in late February that some of the data downloaded and deleted from the storage environment included PHI for some or all health plan members for whom records were held. While data theft was confirmed, it was not possible to tell exactly which information had been accessed or removed from the S3 buckets. The types of data potentially obtained in the attack included names, Social Security numbers, dates of...

Read More
Ransomware Attacks Affect Community Access Unlimited and CareSouth Carolina Patients
May28

Ransomware Attacks Affect Community Access Unlimited and CareSouth Carolina Patients

Hartsville, SC-based CareSouth Carolina has notified 76,035 patients that some of their protected health information has potentially been compromised in a ransomware attack on its IT vendor, Netgain Technologies. CareSouth Carolina was informed by Netgain on January 14, 2021 that the company had experienced a ransomware attack in December 2020, and the attackers had access to servers containing patient data from late November, some of which was exfiltrated prior to the use of ransomware. On April 13, 2021, Netgain provided CareSouth Carolina with a copy of the data that was potentially compromised. CareSouth Carolina conducted a review of the data and on April 27, 2021 confirmed the dataset included patient names, date of birth, address, diagnosis/conditions, lab results, medications, and other clinical information. For a small number of patients, Social Security numbers were involved. The attackers issued a ransom demand to Netgain and threatened to sell the stolen data if payment was made. Netgain took the decision to pay the ransom and received assurances that the stolen data...

Read More
4 More Healthcare Organizations Announce Patients Affected by Recent Ransomware Attacks
May27

4 More Healthcare Organizations Announce Patients Affected by Recent Ransomware Attacks

In the wake of the ransomware attack on Colonial Pipeline, some ransomware gangs such as REvil and Avaddon claimed that they have implemented new rules that require their affiliates to obtain authorization prior to attacking a target, and that attacks on healthcare organizations had been banned. However, many ransomware-as-a-service operations have not implemented restrictions and healthcare providers are still being targeted. Recently, 4 more healthcare organizations have been confirmed as falling victim to attacks. San Diego Family Care San Diego Family Care (SDFC) in California has confirmed it has been affected by a ransomware attack in December 2020. SDFC and its business associate Health Center Partners of Southern California (HCP) were impacted by a ransomware attack on their information technology hosting provider, Netgain Technologies. Netgain Technologies reportedly paid a $2.3 million ransom to obtain the keys to unlock the encrypted files and notified SDFC and HCP on January 20, 2021 that the protected health information of their patients had been compromised. SDFC and...

Read More
ZocDoc Says Programming Error Resulted in Exposure of Patient Data
May26

ZocDoc Says Programming Error Resulted in Exposure of Patient Data

ZocDoc, a New York-based provider of a platform that allows prospective patients book appointments with doctors and dentists, has discovered a bug in its software that allowed patient data to be accessed by medical and dental practices when access should have been restricted. The investigation revealed programming errors had occurred that meant from August 2020 until the errors were discovered and corrected, certain past and current practice staff members had access the provider portal, when their accounts should have been either decommissioned, deleted, or been limited. In all cases, the individuals who could have accessed patient data improperly were healthcare providers and are therefore bound to maintain the privacy and security of patient data. ZocDoc said there is no evidence to suggest there have been any further disclosures of patient data. Patient data potentially accessed included names, email addresses, phone numbers, appointment histories with the practice, insurance information, Social Security numbers, and medical information provided by individuals in connection with...

Read More
Rehoboth McKinley Christian Health Care Services Notifies Patients about February 2021 Ransomware Attack
May21

Rehoboth McKinley Christian Health Care Services Notifies Patients about February 2021 Ransomware Attack

Gallup, NM-based Rehoboth McKinley Christian Health Care Services (RMCHCS) has announced it was the victim of a ransomware attack in February 2021 in which patient data was exfiltrated. The Conti ransomware gang struck in February and stole a range of sensitive data, including job application data, background check information, staff reports, and the protected health information of patients. A sample of the stolen files was uploaded to the Conti data leak site to pressure the healthcare provider into paying the ransom. The data is no longer listed on the leak site, but it is unclear whether the ransom was paid. RMCHCS discovered on February 16, 2021 that patient data had been stolen by the ransomware group. RMCHSC engaged a third-party computer forensics firm to investigate the attack and determined the attackers exfiltrated data between January 21 and February 5, 2021. A review of the files potentially accessed by the hackers was completed on April 30, 2021 and notification letters were sent to those individuals. RMCHCS said the data potentially accessed included names, addresses,...

Read More
Health Plan of San Joaquin Email Security Breach Affects 420,433 Individuals
May21

Health Plan of San Joaquin Email Security Breach Affects 420,433 Individuals

Health Plan of San Joaquin (HPSJ), a non-profit Medi-Cal managed care provider based in French Camp, CA, has discovered an unauthorized individual has gained access to its email system and potentially accessed or obtained sensitive data. A potential email breach was suspected on or around October 12, 2020 when anomalous activity was identified in the email system. HPSJ determined on October 23, 2020 that multiple employee email accounts had been remotely accessed by an unauthorized individual. A password reset was performed on all affected email accounts to prevent further access, and the investigation confirmed that unauthorized access to email accounts occurred between September 26, 2020 and October 12, 2020. Following any email system breach, all emails in the compromised accounts must be checked to determine whether they contain any sensitive data. That can be a labor-intensive and time-consuming process. In this case, the process involved a programmatic and painstaking manual review, which revealed that the compromised email accounts contained the protected health information...

Read More
New England Dermatology Discovers Specimen Bottles Disposed of Incorrectly for 10 Years
May21

New England Dermatology Discovers Specimen Bottles Disposed of Incorrectly for 10 Years

New England Dermatology has started notifying 58,106 patients about the exposure of some of their protected health information. In an April 30, 2021 breach notice, New England Dermatology explained the privacy breach was due to the improper disposal of specimen bottles by its in-house pathology laboratory. The lab should have been sending the specimen bottles for shredding or incineration since the specimen bottles had printed labels that included patient data covered by the HIPAA Rules; however, they were discarded as regular trash. The information on the bottles included patients’ first and last names, birth dates, dates of specimen collection, name of provider who took the specimen, and body part from which the specimen was taken. No other information was included on the labels. The regular trash, including the specimen bottles, was collected by a waste contractor that serviced the building and was sent to landfill. The improper disposal dated back to February 4, 2011 and continued until the HIPAA violation was discovered on March 31, 2021. Any individual whose specimen(s) was...

Read More
PHI of up to 50,000 Patients of Arizona Asthma and Allergy Institute Exposed Online
May20

PHI of up to 50,000 Patients of Arizona Asthma and Allergy Institute Exposed Online

Arizona Asthma and Allergy Institute in Peoria, AZ has discovered the protected health information of up to 50,000 patients has been temporarily exposed online and could potentially have been accessed by an unauthorized individual. The affected patient data had been exposed for a brief period in September 2020 under the name of a different organization. Upon discovery of the security incident, a third-party computer forensics firm was engaged to investigate and determine the scope of the security breach and the extent to which patient data had been affected. The investigation confirmed on March 8, 2021 that the types of data exposed included first and last names, patient identification numbers, provider names, health insurance information, and treatment cost information. Affected patients had received medical services from the Arizona Asthma and Allergy Institute between October 1, 215 and June 15, 2020. While the exposure of data was confirmed, no evidence was found to indicate any patient data has been misused; however, affected patients have been advised to monitor their...

Read More
UHS Data Breach Lawsuit Allowed to Proceed but only for Patient Whose Surgery was Cancelled
May19

UHS Data Breach Lawsuit Allowed to Proceed but only for Patient Whose Surgery was Cancelled

A lawsuit filed against Universal Health Services (UHS) following a 2020 data breach has been allowed to proceed; however, only for one of the patients named on the lawsuit. UHS operates around 400 hospitals and care centers in the United States and the United Kingdom. In September 2020, UHS suffered a ransomware attack in which sensitive data was exfiltrated. The Ryuk ransomware gang threatened to release the stolen data on a leak site if the ransom was not paid, although the UHS investigation found no evidence of any data misuse. The attack affected all 400 UHS care sites and caused significant disruption, with IT systems finally being brought back online a month after the attack. UHS was forced to postpone some scheduled appointments as a result of the attack. A lawsuit was filed in the U.S. District Court, Eastern District of Pennsylvania by the law firm Morgan & Morgan naming three patients as plaintiffs – Graham v. Universal Health Service Inc. The lawsuit alleged negligence, breach of implied contract, breach of fiduciary duty, and breach of confidence. Two of the...

Read More
April 2021 Healthcare Data Breach Report
May18

April 2021 Healthcare Data Breach Report

April was another particularly bad month for healthcare data breaches with 62 reported breaches of 500 or – the same number as March 2021. That is more than 2 reported healthcare data breaches every day, and well over the 12-month average of 51 breaches per month. High numbers of healthcare records continue to be exposed each month. Across the 62 breaches, 2,583,117 healthcare records were exposed or compromised; however, it is below the 12-month average of 2,867,243 breached records per month. 34.4 million healthcare records have now been breached in the past 12 months, 11.2 million of which were breached in 2021. Largest Healthcare Data Breaches Reported in April 2021 There were 19 reported data breaches in April that involved more than 10,000 records, including 7 that involved more than 100,000 records with all but one of the top 10 data breaches due to hacking incidents. Ransomware attacks continue to occur at high levels, with many of the reported attacks affecting business associates of HPAA-covered entities. These incidents, which include attacks on Netgain Technologies,...

Read More
140,000 SEIU 775 Benefits Group Members’ PHI Potentially Compromised
May17

140,000 SEIU 775 Benefits Group Members’ PHI Potentially Compromised

SEIU 775 Benefits Group in Washington has notified approximately 140,000 of its members that some of their protected health information has been exposed. Around April 4, 2020, SEIU 775 Benefits Group’s IT team detected anomalous activity within the group’s data systems, including the apparent deletion of certain data files. Third party digital forensics experts were engaged to assist with the investigation and confirmed that systems had been accessed by an unauthorized individual who deleted certain files that contained personally identifiable and protected health information. The forensics experts found no evidence to indicate any protected health information was downloaded or viewed and no reports have been received that suggest there has been any misuse of PHI. The types of information potentially accessed was limited to names, addresses, and Social Security numbers, with health plan eligibility or enrollment information also potentially compromised. Affected individuals have been offered complimentary credit monitoring and identity theft protection services through Kroll for 12...

Read More
Verizon: Healthcare Phishing and Ransomware Attacks Increase while Insider Breaches Fall
May14

Verizon: Healthcare Phishing and Ransomware Attacks Increase while Insider Breaches Fall

2020 was certainly not a typical year. The pandemic placed huge pressures on IT security teams and businesses were forced to rapidly accelerate their digital transformation plans and massively expand their remote working capabilities. Cyber actors seized the opportunities created by the pandemic and exploited vulnerabilities in security defenses to gain access to business networks and sensitive data. In 2020, phishing and ransomware attacks increased, as did web application attacks, according to the recently published Verizon 2021 Data Breach Investigations Report. The report provides insights into the tactics, techniques and procedures used by nation state actors and cybercriminal groups and how these changed during the pandemic. To compile the Verizon 2021 Data Breach Investigations Report, the researchers analyzed 79,635 incidents, of which 29,207 met the required quality standards and included 5,258 confirmed data breaches in 88 countries – one third more data breaches than the previous year’s DBIR. 2020 saw an 11% increase in phishing attacks, with cases of misrepresentation...

Read More
Records of 200,000 Military Veterans Exposed Online
May13

Records of 200,000 Military Veterans Exposed Online

A database containing the personal and protected health information of almost 200,000 U.S. military veterans has been discovered to be accessible online by security researcher Jeremiah Fowler. The database was identified on April 18, 2021 and a review identified references to a company called United Valor Solutions. Jacksonville, NC-based United Valor Solutions is a contractor of the Department of Veterans Affairs (VA) that provides disability evaluation services for the VA and other government agencies. The database – which contained veterans’ names, dates of birth, contact information, medical information, appointment information, unencrypted passwords, and billing information – could be accessed without a password. The database could have been viewed and downloaded by anyone and information in the database altered or deleted. Fowler notified United Valor Solutions about the exposed data breach. The company replied the following day confirming the exposed database had been reported to its contractors and public access had been shut down. It is unclear for how long the...

Read More
University of Florida Health Shands Employee Accessed PHI Without Authorization for 2 Years
May12

University of Florida Health Shands Employee Accessed PHI Without Authorization for 2 Years

University of Florida Health Shands has discovered a former employee has accessed the medical records of 1,562 patients without authorization. The HIPAA violations were discovered on April 7, 2021 and the employee’s access to medical records was immediately terminated pending an investigation. The investigation confirmed the employee had been accessing patient medical records without a work reason for doing so from March 30, 2019 to April 6, 2021. The types of information that could have been viewed included names, addresses, phone numbers, birth dates, and lab test results, but no Social Security numbers, financial information, or health insurance information was compromised. University of Florida Health Shands does not believe any PHI has been stolen or further disclosed; however, out of an abundance of caution, affected individuals have been offered one year of complimentary credit monitoring services. Third Party Breach Affects St. Paul’s PACE Patients Community Eldercare of San Diego, dba St. Paul’s PACE, has been affected by a breach at one of its vendors. PeakTPA is a...

Read More
Ransomware Attack on New York Medical Group Impacts 330K Patients
May11

Ransomware Attack on New York Medical Group Impacts 330K Patients

The New York medical group practice, Orthopedic Associates of Dutchess County, has announced the protected health information of certain patients was potentially stolen in a recent cyberattack. The security incident was detected on March 5, 2021 when suspicious activity was identified in its systems. An investigation into the incident confirmed its systems had been accessed by unauthorized individuals on or around March 1, 2021. The attackers gained access to certain systems and encrypted files and issued a ransom demand for the keys to unlock the encrypted files. The attackers claimed they had stolen sensitive data prior to the encryption of files, although it was not possible to determine which files had been stolen. A review of the systems accessed by the attackers revealed they contained files that included protected health information such as names, addresses, contact telephone numbers, email addresses, emergency contact information, diagnoses, treatment information, medical record numbers, health insurance information, payment details, dates of birth, and Social Security...

Read More
CaptureRx Ransomware Attack Affects Multiple Healthcare Provider Clients and 1,919,938 Individuals
May07

CaptureRx Ransomware Attack Affects Multiple Healthcare Provider Clients and 1,919,938 Individuals

NEC Networks, dba CaptureRx, a San Antonio, TX-based provider of 340B administrative services to healthcare providers, has suffered a ransomware attack in which files containing the protected health information of customers’ patients were stolen. The security breach was detected on February 19, 2021, with the investigation confirming unauthorized individuals had accessed and acquired files containing sensitive data on February 6, 2021. A review of those files was completed on March 19, 2021 and affected healthcare provider clients were notified between March 30 and April 7, 2021. CaptureRx has since been working with the affected healthcare providers to notify all individuals affected. The types of data exposed and acquired by the attackers was limited to names, dates of birth, prescription information and, for a limited number of patients, medical record numbers. CaptureRx had security systems in place to ensure the privacy and security of healthcare data, but the attackers had managed to bypass those protections. Following the attack, policies and procedures were reviewed and...

Read More
Network Intrusions and Ransomware Attacks Overtake Phishing as Main Breach Cause
May06

Network Intrusions and Ransomware Attacks Overtake Phishing as Main Breach Cause

Network intrusion incidents have overtaken phishing as the leading cause of healthcare data security incidents, which has been the main cause of data breaches for the past 5 years. In 2020, 58% of the security incidents dealt with by BakerHostetler’s Digitial Assets and Data Management (DADM) Practice Group were network intrusions, most commonly involving the use of ransomware. This is the 7th consecutive year that the BakerHostetler 2021 Data Security Incident Response (DSIR) Report has been published. The report provides insights into the current threat landscape and offers risk mitigation and compromise response intelligence to help organizations better defend against attacks and improve their incident response. The report is based on the findings of more than 1,250 data security incidents managed by the company in 2020, which included a wide variety of attacks on healthcare organizations and their vendors. Ransomware attacks are now the attack method of choice for many cybercriminal organizations and have proven to be very profitable. By exfiltrating data prior to encryption,...

Read More
Lawmakers Call for Investigation into Breach of the Contact Tracing Data of 72,000 Pennsylvanians
May05

Lawmakers Call for Investigation into Breach of the Contact Tracing Data of 72,000 Pennsylvanians

Lawmakers in the Commonwealth of Pennsylvania are calling for an investigation into a data breach involving the contact tracing information of 72,000 Pennsylvanians after it was discovered that sensitive information was being shared via unauthorized channels without the necessary security protections. Insight Global is an Atlanta-based firm that has been assisting the Commonwealth of Pennsylvania with COVID-19 contact tracing during the pandemic. Several individuals employed by Insight Global were discovered to have created and shared unauthorized copies of documents with each other in the course of conducting their contact tracing duties. Documents and spreadsheets were shared via non-secure channels such as personal Google accounts, which meant sensitive data were sent to servers outside the control of the state or Insight Global. Insight Global announced the breach on April 29, 2021 and said in its substitute breach notice that the data related to contract tracing of individuals between September 2020 and April 21, 2021. An investigation into the breach has been launched and...

Read More
Ransomware Attack on Scripps Health Disrupts Patient Care
May04

Ransomware Attack on Scripps Health Disrupts Patient Care

The San Diego-based healthcare provider Scripps Health suffered a cyberattack on May 1, 2021 which forced it to take its information technology systems offline. Scripps Health operates four hospitals in the San Diego area and has been able to continue to provide care to patients; however, stroke, heart attack, and trauma patients seeking emergency treatment at all four of its hospitals in Encinitas, La Jolla, San Diego, and Chula Vista were diverted to alternative facilities as a precautionary measure. Scripps Health issued a statement confirming its outpatient urgent care centers, Scripps HealthExpress locations, and emergency departments do remain open, and staff are continuing to care for patients. While information technology systems are down, including its online portal, Scripps Health is operating on established backup processes and is using offline documentation methods. Patient safety has not been put at risk. It is unclear when it will be possible to bring systems back online, so the decision has been taken to postpone some patient appointments for Monday and later this...

Read More
Health Aid of Ohio Security Incident Affects up to 141,00 Individuals
May04

Health Aid of Ohio Security Incident Affects up to 141,00 Individuals

Health Aid of Ohio, a Parma, OH-based full-service home medical equipment provider, has discovered unauthorized individuals gained access to its systems and exfiltrated some files from its network. The breach was detected on February 19, 2021 when suspicious network activity was detected. Action was quickly taken to eject the attackers from the network and secure all patient data. An investigation into the breach confirmed that files were accessed and exfiltrated from Health Aid’s systems, but it was not possible to determine exactly which files had been removed from its systems. It is possible that some of the exfiltrated files contained the protected health information of VA plan members. That information potentially included names, addresses, telephone numbers, and details of the type of equipment delivered to houses or was repaired in individuals’ homes. The protected health information of individuals who received services through their insurance carrier or healthcare provider included names, telephone numbers, dates of birth, Social Security numbers, insurance information,...

Read More
Californian Healthcare Provider Discovers Patient Data was Exposed on the Internet for Over a Year
Apr30

Californian Healthcare Provider Discovers Patient Data was Exposed on the Internet for Over a Year

Doctors Medical Center of Modesto (DCM) in California has discovered a contractor used by a former vendor accidentally exposed patient data over the Internet. DCM had contracted with the SaaS platform provider Medifies to provide virtual waiting room services. On April 2, 2021, DCM discovered the data of some of its patients was accessible over the Internet. DCM contacted Medifies about the exposed data and the issue was corrected the same day and the data was secured. The investigation into the breach confirmed an error had been made when performing a software update which allowed the data to be accessed via the Internet. The error was made by a Medifies software development contractor. The software update that made the information accessible occurred in December 2019, which meant patient data had been exposed online for more than a year, during which time it is possible that it was found and viewed by unauthorized individuals. No evidence was found to suggest any of the exposed information was viewed by unauthorized individuals. The exposed data varied from patient to patient and...

Read More
Einstein Healthcare Network Facing Class Action Lawsuit over 2020 Phishing Attack
Apr29

Einstein Healthcare Network Facing Class Action Lawsuit over 2020 Phishing Attack

The Philadelphia-based health system, Einstein Healthcare Network, is facing a class action lawsuit over an August 2020 phishing attack that resulted in multiple employee email accounts being accessed by an unauthorized individual. Einstein Healthcare is a non-profit health system that operates four hospitals – Einstein Medical Center Philadelphia, Elkins Park Hospital, MossRehab in Elkins Park, and Einstein Medical Center Montgomery –   and multiple outpatient and primary care clinics throughout the greater Philadelphia area. The investigation into the breach determined the email accounts were subjected to unauthorized access for 12 days between August 5 and August 17, 2020. A review of the compromised email accounts revealed they contained the protected health information of 353,616 patients, including names, dates of birth, account/medical record numbers, medical information such as diagnosis and treatment information and, for some individuals, Social Security numbers and health insurance information. Patients affected by the breach were notified by mail starting October...

Read More
PHI of 31,000 Individuals Potentially Compromised in River Springs Health Plans Phishing Attack
Apr29

PHI of 31,000 Individuals Potentially Compromised in River Springs Health Plans Phishing Attack

An unauthorized individual gained access to the email account of an employee of River Springs Health Plans and installed malware which potentially allowed the contents of the email account to be exfiltrated. The employee responded to the phishing email on September 14, 2020. The malware was detected and removed the following day and the email account was secured. A leading forensics firm was retained to assist with the investigation and determine whether any sensitive information was accessed or obtained by the attackers. No evidence was found which suggested any member data had been exfiltrated, but data theft could not be ruled out. A comprehensive review of the affected account revealed on February 17, 2021 that the protected health information of 31,195 River Springs Health Plans members was stored in the email account. The types of information in the account varied from individual to individual and may have included the following information: First and last names, dates of birth, member ID, Medicare ID, Medicaid ID, Social Security number, and references to medical information...

Read More
Wyoming Department of Health Announces GitHub Data Breach Affecting 1/4 of Wyomingites
Apr28

Wyoming Department of Health Announces GitHub Data Breach Affecting 1/4 of Wyomingites

The Wyoming Department of Health (WDH) has discovered the protected health information of 164,021 individuals has been accidentally exposed online due to an error by a member of its workforce. On March 10, 2021, WDH discovered an employee had uploaded files containing medical test result data to private and public repositories on the software development platform GitHub. While security controls are in place to protect users’ privacy, an error by the employee meant the data could potentially have been accessed by individuals unauthorized to view the information from January 8, 2021. In total 53 files were uploaded to the platform that included COVID-19 and influenza test result data, along with one file that contained breath alcohol test results. The exposed information included patient IDs, dates of birth, addresses, dates of service, and test results. The COVID-19 test result data had been reported to WDH for Wyoming residents, although the tests themselves may have been performed anywhere in the United States between January 2020 and March 2021. The alcohol test results related...

Read More
Ransom Payment Increase Driven by Accellion FTA Data Exfiltration Extortion Attacks
Apr28

Ransom Payment Increase Driven by Accellion FTA Data Exfiltration Extortion Attacks

The increase in ransomware attacks in 2020 has continued in 2021 with healthcare one of the most targeted industries, according to the latest Coveware Quarterly Ransomware Report. Healthcare ransomware attacks accounted for 11.6% of all attacks in Q1, 2021, on a par with attacks on the public sector and second only to attacks on firms in professional services (24.9%). While ransom demands declined in Q4, 2020, that trend abruptly stopped in Q1, 2021 with the average ransom payment increasing by 43% to $220,298 and the median ransom payment up 59% to $78,398. The increase in payments was not due to ransomware attacks but data exfiltration extortion attacks by the Clop ransomware gang. The Clop ransomware gang exploited two zero-day vulnerabilities in the Accellion legacy File Transfer Appliance, exfiltrated customers’ data, then threatened to publish the stolen data if the ransom was not paid. When victims refused to pay, the stolen data were leaked on the Clop ransomware data leak site. These attacks show that file encryption is not always necessary, with the threat of publication...

Read More
Phishing Attack on Home Medical Equipment Provider Affects 153,000 Individuals
Apr27

Phishing Attack on Home Medical Equipment Provider Affects 153,000 Individuals

The protected health information of 153,013 individuals has potentially been compromised in an email security breach at HME Specialists LLC, dba Home Medical Equipment Holdco. HME Specialists discovered suspicious activity in its email system and immediately secured all affected accounts and engaged a specialist cybersecurity company to conduct a forensic investigation to determine the extent and nature of the breach. The cybersecurity firm confirmed on March 11, 2021 that certain compromised email accounts contained protected health information and that the accounts had been accessed by unauthorized individuals between June 24 and July 14, 2020. The accounts contained information such as names, dates of birth, diagnosis and/or other clinical information, along with limited Social Security numbers, driver’s license numbers, credit card numbers, account information and usernames and passwords. No specific evidence was found to suggest any information in the compromised accounts was acquired by the attackers or has been misused. Affected individuals for whom a current address was...

Read More
Radiation Treatments Disrupted After Cyberattack on Software Vendor
Apr27

Radiation Treatments Disrupted After Cyberattack on Software Vendor

The Swedish oncology and radiology system provider Elekta is recovering from a cyberattack that forced it to take its first-generation cloud-based storage system offline on April 20, 2021. While the company has confirmed it has suffered a security breach, details about the exact nature of the attack have yet to be released. It is unclear what type of malware was used in the attack, but ransomware is suspected. The cloud-based storage system was taken offline to contain the threat. Elekta said only a subset of customers in the United States that use its software have been affected and are experiencing a service outage as a result of the cloud-based systems being taken offline. Elekta is in the process of migrating those customers to its new Microsoft Azure cloud and the company is working around the clock to complete that process. All affected customers have been notified; however, few details about the incident have been made public so as not to compromise the internal and law enforcement investigations, but Elekta reports that the threat has now been fully contained....

Read More
Manquen Vance Email Breach Impacts 7,018 Patients
Apr26

Manquen Vance Email Breach Impacts 7,018 Patients

The Michigan-based group health plan broker and consultancy firm Manquen Vance – formerly Cornerstone Municipal Advisory Group – is alerting 7,018 individuals about a potential breach of their personal and health information. An investigation was launched on November 16, 2020 when the firm identified suspicious activity in the email account of an employee. Manquen Vance determined that the account was accessed by unauthorized individuals between November 1 and 16. No other email accounts were compromised. While it is possible that emails and attachments containing sensitive information were viewed or copied, no specific evidence was found to suggest that was the case. The delay in issuing notifications was due to the time-consuming process of checking every email in the account for sensitive information. That process was completed on February 2, 2021 and confirmed that members’ names, health insurance information, and Social Security numbers had potentially been compromised. Manquen Vance has since taken steps to improve email security to prevent similar breaches in the...

Read More
Data Breaches Reported by VEP Healthcare and the American College of Emergency Physicians
Apr21

Data Breaches Reported by VEP Healthcare and the American College of Emergency Physicians

The American College of Emergency Physicians (ACEP) has started alerting certain members that some of their personal information was stored on a server that was accessed by unauthorized individuals. In addition to providing professional organizational services to its members, management services are provided by ACEP to organizations such as the Emergency Medicine Foundation (EMF), Society for Emergency Medicine Physician Assistants (SEMPA), and the Emergency Medicine Residents’ Association (EMRA). The breach concerns data related to those organizations. Affected individuals had made a purchase from or donated to EMF, SEMPA, or EMRA. A breach was detected on September 7, 2020 when unusual activity was identified in its systems. A server had been compromised that contained the login details for its SQL database servers, and those databases contained members’ information. While no evidence was found to indicate the credentials were used to access the databases, it was not possible to rule out unauthorized access. The information exposed was for the dates April 8, 2020 to September 21,...

Read More
March 2021 Healthcare Data Breach Report
Apr19

March 2021 Healthcare Data Breach Report

There was a 38.8% increase in reported healthcare data breaches in March. 62 breaches of 500 or more records reported to the HHS’ Office for Civil Rights, with hacking incidents dominating the breach reports. The high number of reported breaches is largely due to an increase in data breaches at business associates. The number of breached records also increased sharply with 2,913,084 healthcare records exposed or impermissibly disclosed across those 62 incidents; an increase of 135.89% from February. Largest Healthcare Data Breaches Reported in March 2021 The table below shows the 25 largest healthcare data breaches to be reported in March, all of which were hacking/IT incidents. 76% involved compromised network servers with the remaining 24% involving breaches of email accounts. 60% of these breaches involved business associates. Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of Breached Information Health Net Community Solutions Health Plan 686,556 Hacking/IT Incident Network Server Health Net of California Health Plan 523,709 Hacking/IT...

Read More
Montefiore Medical Center Fires Employee for Unauthorized Record Access
Apr15

Montefiore Medical Center Fires Employee for Unauthorized Record Access

Montefiore Medical Center has discovered another employee has accessed patient information with no legitimate work reason for doing so. The New York hospital announced in February 2020 that an employee had been discovered to have accessed medical records without authorization for 5 months in 2020, and another employee was found to have obtained the PHI of approximately 4,000 patients between January 2018 and July 2020. The latest discovery involved an employee accessing the records of patients without authorization for more than a year. The breach was identified by Montefiore’s FairWarning software, which monitors records for inappropriate access. When unauthorized medical record access was discovered, the employee was suspended pending an investigation. A review of record access confirmed that the employee had accessed records with no legitimate work reason for doing so between January 2020 and February 2021. The types of information accessed varied from patient to patient and included first and last names, medical record numbers, addresses, emails, dates of birth, and the last...

Read More
PHI of More than 200,000 Washington D.C. Health Plan Members Stolen by Hackers
Apr13

PHI of More than 200,000 Washington D.C. Health Plan Members Stolen by Hackers

CareFirst BlueCross BlueShield Community Health Plan District of Columbia (CHPDC) is alerting its members about a cyberattack in which their protected health information was stolen. CHPDC, formerly called Trusted Health Plans, detected a breach of its computer systems on January 28, 2021. The Washington D.C-based health plan took immediate steps to isolate the affected computers and secure its network to prevent further unauthorized access and the cybersecurity firm CrowdStrike was hired to investigate the breach. CrowdStrike confirmed that protected health information was exfiltrated by the attackers, who were most likely a foreign cybercriminal group. CHPDC said anyone who has been an enrollee of CHPDC has been affected, as well as current and former employees. The types of data stolen included full names, addresses, telephone numbers, dates of birth, Social Security numbers, Medicaid numbers, medical information, claims information, and a limited amount of clinical information. The breach has been reported to the Department of Health and Human Services’ Office for Civil Rights...

Read More
221,000 Total Health Care Members Impacted by Email Account Breach
Apr13

221,000 Total Health Care Members Impacted by Email Account Breach

Total Health Care Inc., a Detroit, MI-based health plan, has discovered unauthorized individuals have gained access to several employee email accounts that contained sensitive personal information of health plan members and physician partners. Upon discovery of the breach, the email accounts were immediately secured to prevent further unauthorized access and security experts were engaged to conduct a forensic investigation to determine the nature and scope of the breach. The investigation confirmed that the breach was limited to email accounts, which were accessed by unauthorized individuals between December 16, 2020 and February 5, 2021. No evidence was found to suggest any protected health information was viewed or misused, but unauthorized access could not be ruled out. A review of the emails in the accounts revealed they contained names, addresses, dates of birth, member IDs, claims information, and Social Security numbers. Due to the sensitive nature of data in the accounts, affected individuals have been offered free credit monitoring services for up to two years through...

Read More
Adventist Health Physicians Network Fined $40,000 for Privacy Breach
Apr12

Adventist Health Physicians Network Fined $40,000 for Privacy Breach

Adventist Health Physicians Network in Simi Valley, California has been ordered to pay $40,000 in civil momentary penalties by the Ventura County District Attorney as part of a civil privacy settlement to resolve a patient privacy case that affected 3,797 patients. The privacy breach occurred in 2018 and involved an impermissible disclosure of physical documents containing private and confidential medical data. The Simi Valley hospital had used a storage facility Simi Valley for storing physical patient records; however, when payments stopped being to the storage facility, the hospital lost access to the storage unit and the contents were put up for sale at a public auction in October 2018. The individual who bought the contents of the storage unit at the auction discovered boxes of paperwork in the unit that contained the sensitive medical data of patients of Adventist Health. The hospital was notified, and the files were promptly collected and secured. Adventist Health conducted an investigation into the incident and was satisfied that none of the information in the storage unit...

Read More