Our HIPAA breach news section covers HIPAA breaches such as unauthorized disclosures of protected health information (PHI), improper disposal of PHI, unauthorized PHI access by cybercriminals and rogue healthcare employees, and other security and privacy breaches.

When known, we explain how the breach occurred, the consequences to patients that may have had their PHI compromised, and the actions being taken by the affected healthcare organization to improve safeguards to prevent further HIPAA breaches.

We also explain any actions being taken by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general in relation to those breaches.

OCR investigates all data breaches that impact more than 500 individuals to determine whether any HIPAA violations have occurred. When HIPAA Rules are discovered to have been violated, financial penalties may be deemed appropriate. It can take many months or years before any financial penalties for HIPAA breaches are decided. Financial penalties for HIPAA violations tend to be reserved for the most serious breaches of HIPAA Rules. OCR prefers to resolve cases with voluntary compliance and by issuing recommendations to bring policies in line with HIPAA Rules.

The HIPAA breach news section is particularly relevant to healthcare information security professionals, privacy officers, and other individuals who have some responsibility for HIPAA compliance.

The HIPAA breach news reports highlight common areas of non-compliance and new attack vectors used by cybercriminals to gain access to healthcare networks and PHI, the security failings that allowed them to happen, and the measures that have been implemented to prevent them from happening again.

No healthcare organization wants to experience a data breach, but when a breach does occur, lessons can be learned. HIPAA-covered entities can use these breach examples to help train their staff as well as to discover some of the methods other covered entities have adopted to improve data security.

As you will be able to see from the volume of posts in the HIPAA breach news category, healthcare data breaches occur frequently. In 2016 and 2017, healthcare data breaches have been reported on an almost daily basis.

Our HIPAA breach news section is an important source of information about potential security issues that covered entities should be identifying when conducting their own risk assessments. Many of the situations in our HIPAA breach news posts could have been avoided if a risk assessment had identified a vulnerability that was later exploited to gain access to PHI.

The main purpose for adding HIPAA breach news to this website is to highlight specific aspects of HIPAA compliance that are commonly overlooked, often with serious consequences for the covered entity and patients/health plan members.

By raising awareness of the volume of healthcare data breaches, the implications of those breaches, and the penalties that can result, it is hoped that healthcare providers will take decisive action to prevent their patients’ and members’ data from being exposed.

The most recent healthcare data breach reports are listed below. If you want to find out if a specific covered entity has experienced a data breach, please use the search function in the top right hand corner of this webpage.

Phishing Incidents Reported by Connecticut Department of Social Services, Mercy Iowa City and LSU Care Services
Nov24

Phishing Incidents Reported by Connecticut Department of Social Services, Mercy Iowa City and LSU Care Services

Connecticut Department of Social Services (DSS) has reported a potential breach of the protected health information of 37,000 individuals as a result of a series of phishing attacks that occurred between July and December 2019. Several email accounts were compromised and were used to send spam emails to several DSS employees, the investigation of which confirmed the phishing attacks. A comprehensive investigation was conducted using state information technology resources and a third-party forensic IT firm, but no evidence was found to indicate the attackers had accessed patient information in the email accounts. According to the DSS breach notice, “Due to the large volume of emails involved and the nature of the phishing attack, the forensic efforts could not determine with certainty that the hackers did not access personal information.” Identity theft protection services have been offered to affected individuals as a precaution and steps have been taken to improve email security and better protect against phishing attacks in the future. More Than 92,000 Individuals Affected by...

Read More
Three More Healthcare Providers Suffer Cyberattacks Involving Ransom Demands
Nov24

Three More Healthcare Providers Suffer Cyberattacks Involving Ransom Demands

Three healthcare providers in New York, Florida, and Georgia have started notifying patients that some of their protected health information was potentially compromised in recent cyberattacks, two of which involved ransomware and one involving an unspecified computer virus. Four Winds Hospital, NY Four Winds Hospital in Katonah, NY, discovered files had been encrypted by ransomware on or around September 1, 2020. The attack prevented the hospital from accessing its computer systems and resulted in downtime of around two weeks while the attack was mitigated. Upon discovery of the attack, steps were immediately taken to prevent any further unauthorized system access and third-party cybersecurity experts were engaged to help identify the scope of the attack and whether patient data had been compromised. According to Four Winds Hospital’s substitute breach notice, “[The cybersecurity experts] obtained evidence that the cybercriminals deleted any files in their possession, although that evidence cannot be independently verified.” That suggest a ransom was paid, although that has not...

Read More
October 2020 Healthcare Data Breach Report
Nov23

October 2020 Healthcare Data Breach Report

October saw well above average numbers of data breaches reported the HHS’ Office for Civil Rights. There were 63 reported breaches of 500 or more records, which is a 33.68% reduction from September but still 41.82% more breaches than the monthly average over the last 12 months. The elevated numbers of breaches can be partly explained by continued reports from healthcare organizations that were impacted by the ransomware attack on the cloud software firm Blackbaud. The protected health information of more than 2.5 million individuals were exposed or compromised in those 63 breaches, which is 74.08% fewer records than September, but still 26.81% more than the monthly average number of breached records over the past 12 months. Largest Healthcare Data Breaches Reported in October 2020 Name of Covered Entity Covered Entity Type Type of Breach Individuals Affected Breach Cause Luxottica of America Inc. Business Associate Hacking/IT Incident 829,454 Ransomware Attack AdventHealth Orlando Healthcare Provider Hacking/IT Incident 315,811 Blackbaud Ransomware Presbyterian Healthcare Services...

Read More
HIPAA Right of Access Failure Results in $65,000 Fine for University of Cincinnati Medical Center
Nov20

HIPAA Right of Access Failure Results in $65,000 Fine for University of Cincinnati Medical Center

The HHS’ Office for Civil Rights has announced its 18th HIPAA financial penalty of the year with the 12th fine under its HIPAA Right of Access enforcement initiative. In 2019, OCR announced a new drive to ensure individuals are given timely access to their health records, at a reasonable cost, as mandated by the HIPAA Privacy Rule. It had become clear to OCR that healthcare providers were not always fully complying with this important HIPAA Privacy Rule provision and some patients were having trouble obtaining a copy of their medical records. The latest financial penalty of $65,000 was imposed on the University of Cincinnati Medical Center, LLC (UCMC) and stemmed from a complaint received by OCR on May 30, 2019 from a patient who had sent a request to UCMC on February 22, 2019 asking for an electronic copy of the medical records maintained in UCMC’s electronic health record system to be sent to her lawyer. The HIPAA Right of Access requires copies of medical records to be provided, on request, no later than 30 days after receipt of the request. 45 C.F.R. § 164.524 also states that...

Read More
PHI Potentially Compromised in Security Incidents at People Incorporated and My Choice HouseCalls
Nov18

PHI Potentially Compromised in Security Incidents at People Incorporated and My Choice HouseCalls

People Incorporated Mental Health Services, a provider of integrated behavioral and mental health services in Minnesota, is notifying 27,500 patients that some of their protected health information was exposed in an email account breach between April 28, 2020 and May 4, 2020. Prompt action was taken to block further access to the email accounts and an investigation was launched to determine the nature and scope of the breach. Assisted by third-party cybersecurity experts, and after conducting a manual document review, People Incorporated discovered on September 8, 2020 that the email accounts contained patients’ personal and protected health information. While third party access to the email accounts had occurred, no evidence was found to indicate any information was stolen or has been misused. The PHI in the compromised accounts included names, dates of birth, addresses, treatment information, insurance information, and medical record numbers and, for a limited number of individuals, Social Security numbers, financial account information, health insurance information, and...

Read More
Ransomware Attacks Impact First Impressions Orthodontics, Kids First Dentistry & Orthodontics, and Hendrick Health Patients
Nov17

Ransomware Attacks Impact First Impressions Orthodontics, Kids First Dentistry & Orthodontics, and Hendrick Health Patients

First Impressions Orthodontics, a subsidiary of Professional Dental Alliance of Connecticut PLLC, experienced a ransomware attack on September 28, 2020 that potentially saw the protected health information of 23,000 patients accessed by the attackers. Backups were regularly performed and stored securely, so patient data could be recovered without having to pay the ransom. In addition to the 23,000 First Impressions Orthodontics patients, 5,000 patients of Kids First Dentistry & Orthodontics who had x-rays performed at First Impressions Orthodontics were also impacted by the breach. The types of data potentially compromised included names, addresses, telephone numbers, email addresses, contact telephone numbers, Social Security numbers, dental insurance numbers, dental records, dental images, service charge amounts, and payments received for services provided. Patients who only had their x-ray images compromised only had their name, date of birth, and insurance information exposed. Affected individuals were notified in accordance with HIPAA requirements, but no evidence of data...

Read More
North Dakota and Delaware State Departments Report Breaches of PHI
Nov17

North Dakota and Delaware State Departments Report Breaches of PHI

The North Dakota Department of Health, Department of Human Services, Cavalier County Health District, and other state agencies were impacted by a phishing attack that saw multiple employee email accounts compromised between November 23 and December 23, 2019. The breach investigation did not uncover any evidence to suggest protected health information was stolen or misused or that the attack was conducted in order to obtain patient information. An analysis of the compromised accounts revealed they contained names, dates of birth, addresses, medical diagnoses and treatment information, driver’s license numbers and mothers’ maiden name and, for a limited number of individuals, Social Security numbers and/or financial information. The breach report submitted to the HHS’ Office for Civil Rights indicates 35,416 individuals were affected by the breach. All individuals affected have been notified and those who had their Social Security number exposed have been offered free membership to credit monitoring services. North Dakota has since taken steps to improve email security to prevent...

Read More
Luxottica Data Breach Impacts 829,454 Individuals in the United States
Nov13

Luxottica Data Breach Impacts 829,454 Individuals in the United States

Luxottica, the world’s largest eyewear company, experienced a cyberattack that affected some of the websites operated by the company. Luxottica is the owner of eyewear brands such as Ray-Ban, Oakley, and Persol and produces designer eyewear for many well-known fashion brands. It also operates the EyeMed vision benefits company and partners with LensCrafters, Target Optical, EyeMed, Pearle Vision, and other eye care providers. Luxottica partners are provided with web-based appointment scheduling software that allows patients to book appointments with eye care providers online and by phone. According to a recent breach notification, the appointment scheduling application was hacked by unknown individuals on August 5, 2020 and the attackers potentially gained access to the personal and protected health information of patients of its eye care partners. Luxottica discovered the cyberattack on August 9, 2020 and immediately took steps to contain the breach. The subsequent investigation confirmed personal and protected health information were potentially accessed and acquired by the...

Read More
Ransomware Attack on Medicaid Billing Service Provider Impacts 116,000 Individuals
Nov11

Ransomware Attack on Medicaid Billing Service Provider Impacts 116,000 Individuals

Timberline Billing Service, LLC, a Des Moines, IA-based Medicaid billing company, has suffered a ransomware attack that resulted in the encryption and theft of data. An investigation into the attack revealed an unknown individual gained access to its systems between February 12, 2020 and March 4, 2020 and deployed ransomware. Prior to the encryption of files, some information was exfiltrated from its systems. Timberline’s clients include around 190 schools in Iowa. School districts in the state that have been impacted by the breach have now been notified. It is currently unclear exactly how many schools were affected and if the breach was limited to schools in Iowa. Timberline also has offices in Kansas and Illinois. The types of data potentially obtained by the attacker included names, dates of birth, Medicaid ID numbers, and billing information. A limited number of Social Security numbers were also potentially compromised. While data theft occurred, no reports have been received to indicate any data have been misused. The breach has been reported to the Department of Health and...

Read More
PHI Incidents Recently Reported by Healthcare Providers and Business Associates
Nov10

PHI Incidents Recently Reported by Healthcare Providers and Business Associates

A roundup of privacy and security incidents recently reported by HIPAA-covered entities and business associates that involved the exposure of disclosure of protected health information. Server Breach Impacts Patients of Northwest Eye Surgeons and Sight Partners Northwest Eye Surgeons LLC and Sight Partners LLC have started notifying 20,838 patients that some of their protected health information was stored on a server that was accessed by an unauthorized third party. The breach was detected on May 1, 2020 and an investigation was immediately launched to determine the extent and scope of the breach. A third-party cybersecurity firm was engaged to assist with the investigation, and the review of the affected server was completed on July 31, 2020. A different IT firm was then engaged on August 7, 2020 to identify all protected health information stored on the server to determine which patients were affected. The review revealed the server contained information such as patients’ names, dates of birth, Social Security numbers, driver’s license numbers, ID numbers, financial account and...

Read More
$350,000 Settlement Reached to Resolve Saint Francis Healthcare Data Breach Lawsuit
Nov09

$350,000 Settlement Reached to Resolve Saint Francis Healthcare Data Breach Lawsuit

A $350,000 settlement has been reached between Saint Francis Healthcare System and patients impacted by a September 2019 ransomware attack on Ferguson Medical Group (FMG). FMG was acquired by Saint Francis after a cyberattack that rendered data, including electronic medical records, on FMG systems inaccessible. The decision was taken to restore the encrypted data from backups rather than pay the ransom, and while patient data and other files were recovered, it was not possible to recover all data encrypted in the attack. FMG was unable to restore a batch of data related to medical services provided to patients between September 20, 2018 and December 31, 2018 which has been permanently lost. FMG announced the incident impacted around 107,000 patients, and those individuals were offered complimentary membership to credit monitoring services. A class action lawsuit was filed against Saint Francis Healthcare in January 2020 in the U.S. District Court of Eastern Missouri which alleged negligence per se, breach of express and implied contracts, invasion of privacy, and violations of the...

Read More
Healthcare Providers Affected by Email Account Breach at Payment Processing Vendor
Nov06

Healthcare Providers Affected by Email Account Breach at Payment Processing Vendor

Lafayette, LA-based Provider Health Services, Paragould-based Arkansas Methodist Medical Center, and Miami, FL-based lntelliRad Imaging have announced they have been affected by an email security breach at one of their business associates. All three entities have a lockbox service with IBERIABANK to collect and process payments. IBERIABANK uses Technology Management Resources, Inc. (TMR) as a third‐party lockbox service provider for capturing and processing payment data for the lockbox. TMR discovered on July 3, 2020 that one of its employee’s email accounts had been accessed by an unauthorized individual, and that individual may have accessed or exfiltrated images containing protected health information. TMR notified affected customers on August 21, 2020 and confirmed that the threat actor potentially viewed images of checks and other images that contained protected health information within the TMR’s iRemit application. The unauthorized access occurred between August 5, 2018 and May 31, 2020, with most of the activity occurring between February 2020 and May 2020. Provider Health...

Read More
Blackbaud SEC Filing Provides Further Information on Data Breach and Mitigation Costs
Nov05

Blackbaud SEC Filing Provides Further Information on Data Breach and Mitigation Costs

The number of victims reporting being impacted by the Blackbaud ransomware attack and data breach has continued to grow over the past few weeks, with the Department of Health and Human Services’ Office for Civil Rights breach portal continuing to list healthcare victims. Recent additions include Moffitt Cancer Center, OSF HealthCare System, and Geisinger, with those three entities reporting the incident as affecting a total of 276,600 individuals. While the total number of victims has not been disclosed by Blackbaud, at least 250 healthcare organizations, non-profits, and educational institutions are known to have been impacted, with healthcare organizations reporting the breach as affecting more than 10 million individuals. Unsurprisingly given the breach costs incurred by organizations and the number of individuals whose personal information has been exposed, Blackbaud is facing many class action lawsuits. At least 23 proposed class action lawsuits have been filed so far in the United States and Canada, according to its 2020 Q3 Quarterly Report filed with the U.S. Securities and...

Read More
Ascend Clinical and Alamance Skin Center Suffer Ransomware Attacks
Nov05

Ascend Clinical and Alamance Skin Center Suffer Ransomware Attacks

Redwood City, CA-based Ascend Clinical, a provider of ESRD laboratory testing for independent dialysis providers, has announced it suffered a phishing attack that led to a ransomware attack in May 2020. Unusual system activity and file encryption were detected on or around May 31, 2020. Prompt action was taken to isolate the affected systems and an investigation was launched to determine the nature and scope of the incident. Assisted by a third-party security firm, Ascend Clinical determined access to its systems was gained when an employee responded to a phishing email. Prior to the use of ransomware, the attackers accessed files that contained names, dates of birth, mailing addresses, and Social Security numbers. Steps have since been taken to strengthen its email security defenses to prevent similar attacks in the future. The breach report submitted to the HHS’ Office for Civil Rights indicates 77,443 individuals were affected by the incident. Alamance Skin Center Suffers Ransomware Attack The Greensboro-based health system, Cone Health, has suffered a ransomware attack that...

Read More
Wakefern Food Corporation Settles HIPAA Breach Case with NJ Attorney General for $235,000
Nov04

Wakefern Food Corporation Settles HIPAA Breach Case with NJ Attorney General for $235,000

Wakefern Food Corporation has agreed to pay $235,000 in civil financial penalties to resolve allegations of violations of federal and state laws related to a data breach involving the protected health information of 9,700 customers of two ShopRite supermarkets in Millville, New Jersey and Kingston, New York. In addition to the financial penalties, the settlement requires improvements to be made to data security practices. Wakefern Food Corporation is the parent company of Union Lake Supermarket, LLC, which owns the ShopRite store in Millville and ShopRite Supermarkets, Inc., which owns the ShopRite store in Kingston, NY. In 2016, Wakefern replaced electronic devices that were used to collect customer signatures and purchase information at the two locations. The old devices were disposed of in regular dumpsters without first destroying the devices or purging/clearing the stored data to ensure sensitive information could not be recovered. The devices contained the protected health information of 9,700 customers of the two stores including names, contact information, zip codes,...

Read More
Email Security Breaches Reported by Arkansas Otolaryngology Center and Centerstone
Nov04

Email Security Breaches Reported by Arkansas Otolaryngology Center and Centerstone

Centerstone, a provider of mental health and substance use disorder treatment services in Indiana, Illinois, Tennessee, and Florida, has discovered an employee’s email account has been accessed by an unauthorized individual. Unusual activity was detected in the email account and it was immediately secured. The investigation revealed the email account had been accessed between December 12, 2019 and December 16, 2019; however, it took until August 25, 2020 for the investigation to confirm that protected health information was contained within the account. The protected health information of patients was exposed in the incident, including names, dates of birth, Social Security numbers, driver’s license numbers, state identification card numbers, medical diagnoses, treatment information, Medicaid and Medicare information, and health insurance information. The types of exposed data varied from patient to patient. Some employee information was also potentially compromised. Notification letters were sent to affected patients on Thursday, October 22, 2020 and information has been provided...

Read More
Failure to Terminate Former Employee’s Access Rights Results in $202,000 HIPAA Fine for New Haven, CT
Nov02

Failure to Terminate Former Employee’s Access Rights Results in $202,000 HIPAA Fine for New Haven, CT

The City of New Haven, Connecticut has agreed to pay a $202,400 financial penalty to the Department of Health and Human Services’ Office for Civil Rights to resolve a HIPAA violation case. An OCR investigation was launched in May 2017 following receipt of a data breach notification from New Haven on January 24, 2017. OCR investigated whether the data breach was linked to potential violations of HIPAA Rules. During the investigation, OCR discovered the New Haven Health Department had terminated an employee on July 27, 2016 during her probationary period. The former employee returned to the New Haven Heath Department on July 27, 2016 with her union representative and used her work key to access her old office, where she locked herself inside with her union representative. While in her office, the former employee logged into her old computer using her username and password and copied information from her computer onto a USB drive. She also removed personal items and documents from the office, and then exited the premises. A file on the computer contained the protected health...

Read More
Sky Lakes Medical Center and St. Lawrence Health System Attacked with Ransomware
Oct29

Sky Lakes Medical Center and St. Lawrence Health System Attacked with Ransomware

Two more hospitals have experienced ransomware attacks that have taken their computer systems offline and have forced clinicians to switch to pen and paper to record patient information. Both ransomware attacks occurred on Tuesday, October 27, 2020, one on Sky Lakes Medical Center in Klamath Falls, OR and the other on St. Lawrence Health System in New York. Both attacks involved Ryuk ransomware. Sky Lakes Medical Center announced on Facebook that while its computer systems had been taken out of action, care continued to be provided to patients and its emergency and urgent care departments remained open and fully operational and most scheduled elective procedures were continuing as planned. At this stage, no evidence has been found to indicate any patient data were compromised in the attack; however, the investigation is still in the early stages. The attack on St. Lawrence Health System was detected several hours after the initial compromise. St. Lawrence Health System issued a statement saying its IT department had taken systems offline in an effort to contain the attack and...

Read More
Aetna Hit with $1 Million HIPAA Fine for Three Data Breaches
Oct29

Aetna Hit with $1 Million HIPAA Fine for Three Data Breaches

Aetna Life Insurance Company and the affiliated covered entity (Aetna) has agreed to settle multiple potential HIPAA violations with the Department of Health and Human Services’ Office for Civil Rights (OCR) that were discovered during the investigation of three data breaches that occurred in 2017. The first of those data breaches was reported to OCR in June 2017 and concerned the exposure of the protected health information (PHI) of health plan members over the Internet. Two web services were used to display health plan-related documents to its members, but those documents could be accessed over the Internet without the need for any login credentials. The lack of authentication allowed the documents to be indexed by search engines and displayed in search results. Aetna’s investigation revealed the PHI of 5,002 individuals had been exposed, which included names, insurance identification numbers, claim payment amounts, procedures service codes, and dates of service. The second two HIPAA breaches involved the exposure and impermissible disclosure of highly sensitive information in...

Read More
Sonoma Valley Hospital Suffers Significant EHR Downtime Event
Oct28

Sonoma Valley Hospital Suffers Significant EHR Downtime Event

Sonoma Valley Hospital in California experienced a computer security incident on October 11, 2020 which took its computer systems offline and caused “a significant downtime event.” The hospital implemented its business continuity plan which allowed care to continue to be provided to patients while its computer systems were out of action. Throughout the incident its emergency department remained available and elective and necessary surgeries continued to be performed. The majority of diagnostic services continued without interruption, although the incident did cause disruption for some patients. The patient portal has remained available throughout, although new results have not been posted since October 11. An investigation into the incident was immediately launched and third-party cybersecurity experts were engaged to assist with the investigation and recovery efforts. No information on the exact cause of the incident have been released to date, including whether ransomware was involved, and it is not yet known if any patient data was compromised. Lycoming-Clinton Joinder Board...

Read More
September 2020 Healthcare Data Breach Report: 9.7 Million Records Compromised
Oct22

September 2020 Healthcare Data Breach Report: 9.7 Million Records Compromised

September has been a bad month for data breaches. 95 data breaches of 500 or more records were reported by HIPAA-covered entities and business associates in September – A 156.75% increase compared to August 2020. Not only did September see a massive increase in reported data breaches, the number of records exposed also increased significantly. 9,710,520 healthcare records were exposed in those breaches – 348.07% more than August – with 18 entities suffering breaches of more than 100,000 records. The mean breach size was 102,216 records and the median breach size was 16,038 records. Causes of September 2020 Healthcare Data Breaches The massive increase in reported data breaches is due to the ransomware attack on the cloud software company Blackbaud. In May 2020, Blackbaud suffered a ransomware attack in which hackers gained access to servers housing some of its customers’ fundraising databases. Those customers included many higher education and third sector organizations, and a significant number of healthcare providers. Blackbaud was able to contain the breach; however, prior...

Read More
Dickinson County Health Suffers Ransomware Attack
Oct21

Dickinson County Health Suffers Ransomware Attack

Michigan-based Dickinson County Health has suffered a malware attack that has taken its EHR system offline. The attack has forced the health system to adopt EHR downtime procedures and record patient data using pen and paper. The attack commenced on October 17, 2020 and disrupted computer systems at all its clinics and hospitals in Michigan and Wisconsin. Systems were shut down to contain the malware and third-party security experts have been retained to investigate the breach and restore its systems and data. While the attack caused considerable disruption, virtually all patient services remained fully operational. It is currently unclear whether patient data were accessed or stolen by the attackers. “We are treating this matter with the highest priority and are responding by using industry best practices while implementing aggressive protection measures,” said Chuck Nelson, DCHS CEO. “While we investigate, our top priority is maintaining our high standards for patient care throughout our system.” 25,000 Individuals Potentially Impacted by Passavant Memorial Homes Security Breach...

Read More
Piedmont Cancer Institute Phishing Attack Impacts 5,000 Patients
Oct15

Piedmont Cancer Institute Phishing Attack Impacts 5,000 Patients

Piedmont Cancer Institute (PCI) in Atlanta, GA is notifying 5,226 patients that some of their protected health information may have been viewed or obtained by an unauthorized individual who gained access to the email account of one of its employees. Assisted by a third-party cybersecurity firm, PCI determined the email account was compromised for more than a month, with the unauthorized individual first accessing the account on April 5, 2020. The account was secured on May 8, 2020. A review of the compromised account concluded on August 8, 2020 and revealed it contained a variety of protected health information. In addition to names, affected patients had one or more of the following data elements exposed: date of birth, medical information such as diagnosis and treatment information, financial account information, and/or credit/debit card number. To prevent further breaches, PCI has implemented multi-factor authentication on its email accounts and has provided further training to the workforce on email security. Potential Data Breach Discovered by McLaren Oakland Hospital McLaren...

Read More
Sen. Warner Seeks Answers about Suspected Universal Health Services Ransomware Attack
Oct14

Sen. Warner Seeks Answers about Suspected Universal Health Services Ransomware Attack

Universal Health Services has confirmed that all 250 of its hospitals in the United States are back up and running after a suspected ransomware attack that knocked out its systems for 3 weeks. The attack started on or around September 27, 2020. All systems were brought back online by October 12. An update was posted on the UHS website this week saying, “With back-loading of data substantially complete at this point, hospitals are resuming normal operations.” While systems were down, clinicians were forced to work with pen and paper in order to continue providing care for patients and, at some locations, patients had to be diverted to alternate facilities to receive treatment. The health system reported the security breach as a malware attack which forced it to shut down its network; however, several insiders took to Reddit to voice their concerns and explain that this was a ransomware attack. Based on the data posted by those insiders, the attack appeared to have involved Ryuk ransomware. The operators of Ryuk ransomware are known to exfiltrate data prior to the...

Read More
228,000 Individuals Impacted by Legacy Community Health Services Phishing Attack
Oct12

228,000 Individuals Impacted by Legacy Community Health Services Phishing Attack

Legacy Community Health Services in Texas is alerting 228,009 patients about a data breach involving some of their protected health information (PHI). The PHI was stored in an email account that was accessed by an unauthorized individual. The breach was detected on July 29, 2020, one day after an employee responded to a phishing email and disclosed login credentials to the attacker. The account was immediately secured and a computer forensics firm was engaged to assist with the investigation. No evidence was found to indicate emails were viewed by the attacker or that electronic protected health information was stolen, although the possibility of data theft could not be totally discounted. The compromised email account contained patient names, dates of service, and health information related to care at Legacy, along with a limited number of Social Security numbers. Complimentary membership to a credit monitoring and identity protection service was been offered to individuals whose SSN was compromised. Email security has been reinforced since the attack and the staff has been...

Read More
OCR Announces 9th Financial Penalty under its HIPAA Right of Access Initiative
Oct12

OCR Announces 9th Financial Penalty under its HIPAA Right of Access Initiative

The HHS’ Office for Civil Rights (OCR) is continuing its crackdown on healthcare providers that are not fully complying with the HIPAA right of access. Last week, OCR announced its ninth enforcement action against a HIPAA-covered entity for the failure to provide patients with timely access to their medical records at a reasonable cost. HIPAA gives patients the right to view or receive a copy of their medical records. When a request is made for access to medical records, HIPAA-covered entities must provide access or supply a copy of the requested medical records as soon as possible, but no later than 30 days after the request is received. By obtaining a copy of their medical records, patients can share those records with other providers, research organizations, or individuals of their choosing. Patients can check their medical records for errors and submit requests to correct any mistakes. In the event of a ransomware attack that renders medical records inaccessible, patients who have a copy of their records ensure that their health histories are never lost. Under the OCR HIPAA...

Read More
Community Health Systems Pays $5 Million to Settle Multi-State Breach Investigation
Oct09

Community Health Systems Pays $5 Million to Settle Multi-State Breach Investigation

Franklin, TN-based Community Health Systems and its subsidiary CHSPCS LLC have settled a multi-state action with 28 state attorneys general for $5 million. A joint investigation, led by Tennessee Attorney General Herbert H. Slatery III, was launched following a breach of the protected health information (PHI) of 6.1 million individuals in 2014. At the time of the breach, Community Health Systems owned, leased, or operated 206 affiliated hospitals. According to a 2014 8-K filing with the U.S. Securities and Exchange Commission, the health system was hacked by a Chinese advanced persistent threat group which installed malware on its systems that was used to steal data. PHI stolen by the hackers included names, phone numbers, addresses, dates of birth, sex, ethnicity, Social Security numbers, and emergency contact information. The same breach was investigated by the HHS’ Office for Civil Rights, which announced late last month that a settlement had been reached with CHSPCS over the breach and a $2.3 million penalty had been paid to resolve potential HIPAA violations discovered during...

Read More
Former Mayo Clinic Employee Accessed Medical Records of 1,600 Patients Without Authorization
Oct08

Former Mayo Clinic Employee Accessed Medical Records of 1,600 Patients Without Authorization

Mayo Clinic has started notifying more than 1,600 patients that some of their protected health information has been viewed by a former employee without authorization. Mayo Clinic confirmed on August 5, 2020 that a licensed health care professional had accessed the records of patients when there was no legitimate reason for doing so. The employee was ending their employment with Mayo Clinic when the privacy breach was discovered and the individual no longer works at Mayo Clinic. The reason for accessing the medical records is not known and Mayo Clinic has not disclosed when the privacy breach occurred. Mayo Clinic explained that the access was limited in duration and no evidence was found to suggest any information was printed or retained by the employee. The types of information accessed included names, dates of birth, demographic information, medical record numbers, medical images, and clinical notes. No financial information or Social Security numbers were viewed. Mayo Clinic has reported the unauthorized access to the Rochester Police Department and the FBI, and the privacy...

Read More
OCR Imposes $160,000 Penalty on Healthcare Provider for HIPAA Right of Access Failure
Oct08

OCR Imposes $160,000 Penalty on Healthcare Provider for HIPAA Right of Access Failure

The Department of Health and Human Services’ Office for Civil Rights has announced its 12th HIPAA penalty of 2020 and its 8th under the HIPAA Right of Access enforcement initiative that was launched in 2019. The $160,000 settlement is the largest HIPAA penalty to date for a failure to provide an individual with timely access to their requested medical records. On January 24, 2018, Dignity Health, doing business as St. Joseph’s Hospital and Medical Center (SJHMC), received a request from the mother of a patient who wanted a copy of her son’s medical records. The mother was acting as the personal representative of her son. After not receiving all of the requested records by April 25, 2018, the mother lodged a complaint with the Office for Civil Rights. OCR investigated the potential HIPAA violation and determined the complainant had requested four specific sets of medical records from SJHMC. The first request was sent on January 24, 2018, and the same records were requested on March 22, April 3, and May 2, 2018. SJHMC did respond to the requests and provided some, but not all, of the...

Read More
Magnolia Pediatrics and Accents on Health Suffer Ransomware Attacks
Oct06

Magnolia Pediatrics and Accents on Health Suffer Ransomware Attacks

Prairieville, LA-based Magnolia Pediatrics is notifying 12,861 patients that some of their protected health information has potentially been compromised in a ransomware attack that occurred on or around March 26, 2020. The ransomware attack was investigated by its IT vendor, LaCompuTech, which determined only its master boot record had been affected and patient information had not been accessed, encrypted or exported by the attackers. The IT vendor determined a HIPAA breach had not occurred and the incident therefore did not need to be reported to the HHS’ Office for Civil Rights and notification letters to patients were not warranted. However, OCR informed Magnolia Pediatrics on September 11, 2020 that the incident was a reportable data breach and patient notification letters were required. OCR explained that any hacker who was able to access the master boot record must have had full control of the server and therefore had access to any protected health information stored on that server. Protected health information stored on the server included patients’ names, addresses,...

Read More
Clinical Trial Software Provider Hit with Ransomware Attack
Oct05

Clinical Trial Software Provider Hit with Ransomware Attack

Philadelphia-based eResearchTechnology, a company that sells software that is used in clinical trials, including clinical trials of Covid-19 vaccines, was hit with a ransomware attack that has affected several of its clients, including at least one company running Covid-19 vaccine trials. The attack occurred on September 20, 2020 and forced some clinical trial researchers to switch to pen and paper to track their patients. While patient safety was never put at risk, the attack has had an effect on clinical trials and has slowed progress. IQVIA, the research organization running AstraZeneca’s Covid-19 vaccine trial was one of the organizations affected by the attack, although it is unclear to what extent, if any, the attack affected its Covid-19 vaccine trial. Bristol Myers Squibb, which is leading efforts to develop a rapid test for the virus, was also affected by the ransomware attack. Both firms explained that the effect was limited as they had backups which could be used to recover data. IQVIA issued a statement saying it was unaware of any confidential data related to clinical...

Read More
Financial information and SSNs Potentially Accessed in Blackbaud Ransomware Attack
Oct02

Financial information and SSNs Potentially Accessed in Blackbaud Ransomware Attack

On Wednesday, Blackbaud filed a Form 8-K with the U.S. Securities and Exchange Commission (SEC) that provided further information on the ransomware attack the company suffered in May 2020. Blackbaud explained that the forensic investigation into the breach has revealed further information was potentially compromised in the breach. For certain customers, unencrypted fields that were intended for Social Security numbers, bank account information, and usernames and passwords may also have been accessed by the hackers. Most of the customers affected by the breach did not have this additional information exposed, as the fields for sensitive information were encrypted and any data included in those fields would have been unreadable to the attackers. Blackbaud explained that any customers who may have had sensitive information exposed are being contacted and notified and additional support is being provided. Blackbaud explained in the SEC filing that the company was able to prevent the attackers from fully encrypting certain files but confirmed that prior to encryption a subset of data...

Read More
Anthem Inc. Settles State Attorneys General Data Breach Investigations and Pays $48.2 Million in Penalties
Oct01

Anthem Inc. Settles State Attorneys General Data Breach Investigations and Pays $48.2 Million in Penalties

The Indianapolis, IN-based health insurer Anthem Inc. has settled a multi-state investigation by state attorneys general over its 78.8 million record data breach in 2014. One settlement was agreed with Attorneys General in 43 states and Washington D.C for $39.5 million and a separate settlement was reached with the California Attorney General for $8.7 million.  The settlements resolve violations of Federal and state laws that contributed to the data breach – the largest ever breach of healthcare data in the United States. The cyberattack on Anthem occurred in 2014. Hackers targeted the health insurer with phishing emails, the responses to which gave them the foothold in the network they needed. From there, the hackers spent months exploring Anthem’s network and exfiltrating data from its customer databases. Data stolen in the attack included the names, contact information, dates of birth, health insurance ID numbers, and Social Security numbers of current and former health plan members and employees. And was announced by Anthem in February 2015. A Chinese national and an unnamed...

Read More
PHI of 26,861 Patients Potentially Compromised in Oaklawn Hospital Phishing Attack
Oct01

PHI of 26,861 Patients Potentially Compromised in Oaklawn Hospital Phishing Attack

Oaklawn Hospital in Marshall, MI, has started notifying 26,861 patients about a potential breach of their personal and health information. It is unclear when the breach was detected, but the forensic investigation revealed on July 28, 2020 that the email accounts of certain employees had been accessed by unauthorized third parties between April 14 and April 15, 2020. Access to the accounts was gained after employees responded to phishing emails and disclosed their email credentials. The breach was detected when suspicious emails were found in several employee email accounts. A comprehensive manual document review was conducted to identify any protected health information stored in the compromised email accounts. The compromised accounts were discovered to contain patient names along with dates of birth, medical information, and health insurance information. The Social Security numbers, driver’s license numbers, financial account information, and online login information of “a very limited” number of patients were also potentially compromised. The delay in issuing notification...

Read More
4 More U.S. Healthcare Providers Discover Email Account Breaches
Sep30

4 More U.S. Healthcare Providers Discover Email Account Breaches

Alameda Health System (AHS), an Alameda, CA-based provider of emergency, inpatient, outpatient, and wellness services in the East Bay area, has discovered an unauthorized individual temporarily gained access to the email account of an employee. AHS learned that the account was accessed for a brief period on April 8, 2020. The breach was discovered by AHS on June 17, 2020. Assisted by a leading forensic security firm, AHS determined that the following types of information were potentially compromised: names, dates of birth, medical record numbers, appointment dates, limited medical information, health insurance information, Social Security numbers and driver’s license numbers. AHS and the forensic investigators found no evidence to suggest any information was stolen or misused for the purpose of committing identity theft or fraud, but as a precaution, individuals whose Social Security number was potentially compromised have been offered complimentary membership to credit monitoring and identity theft protection services. The breach report submitted to the HHS’ Office for Civil...

Read More
MU Health Care Phishing Attack Impacts 5,000 Patients
Sep29

MU Health Care Phishing Attack Impacts 5,000 Patients

University of Missouri Health Care (MU Health Care) has experienced a phishing attack that saw several employee email accounts compromised between May 4 and May 6, 2020. An investigation into the breach revealed the compromised email accounts contained patient information including names, account numbers, dates of birth, health insurance information, Social Security numbers, and driver’s license numbers. MU Health Care has notified all patients affected by the attack and has offered individuals whose Social Security number was potentially compromised complimentary credit monitoring services. No reports have been received that suggest any patient information has been misused. A breach report submitted to the HHS Office for Civil Rights shows indicates 189,736 individuals may have been impacted. Data Leaked Following University Hospital SunCrypt Ransomware Attack University Hospital, a teaching hospital in Newark, NJ, has experienced a ransomware attack involving SunCrypt ransomware. The attack occurred in September 2020. Prior to the use of ransomware, the attackers exfiltrated...

Read More
Universal Health Services Ransomware Attack Cripples IT Systems Across United States
Sep29

Universal Health Services Ransomware Attack Cripples IT Systems Across United States

Universal Health Services (UHS), a King of Prussia, PA-based health system with more than 400 healthcare facilities in the United States and UK, has suffered a major security breach that has seen its IT systems crippled. The Fortune 500 healthcare provider has more than 90,000 employees and serves around 3.5 million patients each year. According to a statement published on its website, the company “experienced an information technology security incident in the early morning hours of September 27, 2020.” Upon discovery of the breach, UHS “suspended user access to its information technology applications related to operations located in the United States.” UHS has implemented information security and emergency protocols and is working closely with its security partners to mitigate the attack and restore its IT operations as quickly as possible. The cyberattack crippled its IT systems, leaving affected hospitals without access to their computer and phone systems. UK facilities were unaffected by the attack. The attack forced UHS to redirect ambulances to other healthcare providers and...

Read More
OCR Imposes 2nd Largest Ever HIPAA Penalty of $6.85 Million on Premera Blue Cross
Sep28

OCR Imposes 2nd Largest Ever HIPAA Penalty of $6.85 Million on Premera Blue Cross

The Department of Health and Human Services’ Office for Civil Rights (OCR) has imposed a $6.85 million HIPAA penalty on Premera Blue Cross to resolve HIPAA violations discovered during the investigation of a 2014 data breach involving the electronic protected health information of 10.4 million individuals. Mountainlake Terrace, WA-based Premera Blue Cross is the largest health plan in the Pacific Northwest and serves more than 2 million individuals in Washington and Alaska. In May 2014, an advanced persistent threat group gained access to Premera’s computer system where they remained undetected for almost 9 months. The hackers targeted the health plan with a spear phishing email that installed malware. The malware gave the APT group access to ePHI such as names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, and health plan clinical information. The breach was discovered by Premera Blue Cross in January 2015 and OCR was notified about the breach in March 2015. OCR launched an investigation into the breach and discovered “systemic...

Read More
Business Associate Fined $2.3 Million for Breach of 6 Million Records and Multiple HIPAA Failures
Sep23

Business Associate Fined $2.3 Million for Breach of 6 Million Records and Multiple HIPAA Failures

The Department of Health and Human Services’ Office for Civil Rights has announced its 10th HIPAA violation fine of 2020. This is the 7th financial penalty to resolve HIPAA violations that has been announced in as many days. The latest financial penalty is the largest to be imposed in 2020 at $2.3 million and resolves a case involving 5 potential violations of the HIPAA Rules, including a breach of the electronic protected health information (ePHI) of 6,121,158 individuals. CHSPSC LLC is Tennessee-based management company that provides services to many subsidiary hospital operator companies and other affiliates of Community Health Systems, including legal, compliance, accounting, operations, human resources, IT, and health information management services. The provision of those services requires access to ePHI, so CHSPSC is classed as a business associate and is required to comply with the HIPAA Security Rule. On April 10, 2014, CHSPSC suffered a cyberattack by an advanced persistent threat group known as APT18. Using compromised admin credentials, the hackers remotely accessed...

Read More
Montefiore Medical Center and Geisinger Fire Employees for Improper PHI Access
Sep22

Montefiore Medical Center and Geisinger Fire Employees for Improper PHI Access

Montefiore Medical Center in Bronx, NY has fired an employee over the alleged theft of the protected health information of approximately 4,000 patients. Montefiore became aware of a potential internal data breach in July 2020 and launched an investigation into unauthorized medical record access. Montefiore had implemented a technology solution that monitors EHRs for inappropriate access, which identified the employee. The investigation confirmed that the employee had accessed medical records without any legitimate work reason between January 2018 and July 2020. Accessing the medical records of patients when there is no legitimate reason for doing so is a violation of HIPAA and hospital policies. Montefiore said criminal background checks are performed on all employees prior to being given a position at the medical center and Montefiore provides HIPAA training to all employees. The employee in question had received significant privacy and security training but had chosen to violate internal policies and HIPAA Rules. The investigation into the breach is ongoing and the matter has...

Read More
August 2020 Healthcare Data Breach Report
Sep22

August 2020 Healthcare Data Breach Report

37 healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights in August 2020, one more than July 2020 and one below the 12-month average. The number of breaches remained fairly constant month-over-month, but there was a 63.9% increase in breached records in August. 2,167,179 records were exposed, stolen, or impermissibly disclosed in August. The average breach size of 58,572 records and the median breach size was 3,736 records.     Largest Healthcare Data Breaches Reported in August 2020   Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of Breached PHI Incident Northern Light Health Business Associate 657,392 Hacking/IT Incident Network Server, Other Blackbaud ransomware attack Saint Luke’s Foundation Healthcare Provider 360,212 Hacking/IT Incident Network Server Blackbaud ransomware attack Assured Imaging Healthcare Provider 244,813 Hacking/IT Incident Network Server Ransomware attack MultiCare Health System Healthcare Provider 179,189 Hacking/IT Incident Network Server Blackbaud...

Read More
Noncompliance with HIPAA Results in $1.5 Million Financial Penalty for Athens Orthopedic Clinic
Sep21

Noncompliance with HIPAA Results in $1.5 Million Financial Penalty for Athens Orthopedic Clinic

The HHS’ Office for Civil Rights has announced a $1.5 million settlement has been reached with Athens Orthopedic Clinic PA to resolve multiple violations of the Health Insurance Portability and Accountability Act (HIPAA) Rules. OCR conducted an investigation into a data breach reported by the Athens, GA-based healthcare provider on July 29, 2016.  Athens Orthopedic Clinic had been notified by Dissent of Databreaches.net on June 26, 2016 that a database containing the electronic protected health information (ePHI) of Athens Orthopedic Clinic patients had been listed for sale online by a hacking group known as The Dark Overlord. The hackers are known for infiltrating systems, stealing data, and issuing ransom demands, payment of which are required to prevent the publication/sale of data. Athens Orthopedic Clinic investigated the breach and determined that the hackers gained access to its systems on June 14, 2016 using vendor credentials and exfiltrated data from its EHR system. The records of 208,557 patients were stolen in the attack, including names, dates of birth, Social Security...

Read More
HIPAA Right of Access Failures Result in Five OCR HIPAA Fines
Sep16

HIPAA Right of Access Failures Result in Five OCR HIPAA Fines

The Department of Health and Human Services’ Office for Civil Rights has announced five settlements have been reached to resolve HIPAA violations discovered during the investigation of complaints from patients who had experienced problems obtaining a copy of their health records. The HIPAA Privacy Rule gives individuals the right to have timely access to their health records at a reasonable cost. If an individual chooses to exercise their rights under HIPAA and submit a request for a copy of their health records, a healthcare provider must provide those records without reasonable delay and within 30 days of receiving the request. After receiving multiple complaints from individuals who had been prevented from obtaining a copy of their health records, OCR launched its HIPAA right of access initiative in 2019 and made compliance with the HIPAA right of access one of its enforcement priorities. Two settlements were reached with HIPAA covered entities in 2019 over HIPAA right of access failures. Bayfront Health St Petersburg and Korunda Medical, LLC were each ordered to pay a financial...

Read More
Department of Veteran Affairs Reports Breach of Payment System and Potential Theft of Veterans’ SSNs
Sep15

Department of Veteran Affairs Reports Breach of Payment System and Potential Theft of Veterans’ SSNs

The U.S. Department of Veteran Affairs (VA) has experienced a data breach involving the personal information of around 46,000 veterans. Hackers gained access to an online application used by the VA Financial Services Center (FSC) and attempted to divert payments sent by the VA to community care providers to pay for veterans’ medical care. Social engineering tactics were used, and authentication protocols were exploited to gain access to the application and change bank account information. Upon discovery of the breach, the FSC took the payment processing application offline to prevent any further payments from being sent. It is unclear how many payments were sent before the cyberattack was discovered and whether the attack was detected in time to block fraudulent transfers. The FSC said the breached payment processing application will remain offline until the Office of Information Technology has performed a comprehensive security review. The main purpose of the cyberattack appears to have been to divert payments; however, the personally identifiable information and Social Security...

Read More
Starling Physicians Email Breach Impacts 7,777 Patients
Sep14

Starling Physicians Email Breach Impacts 7,777 Patients

Rocky Hill, CT-based Starling Physicians has started notifying 7,777 patients that some of their protected health information was stored in email accounts that were found to have been accessed by an unauthorized individual. A breach of its email environment was detected on or around July 7, 2020. A comprehensive review was conducted to determine the extent of the breach and whether any patient data had been accessed. While evidence of PHI access was not found, it was not possible to rule out unauthorized data access. Emails and email attachments were found to include names along with some of the following data elements: Dates of birth, medical record numbers, patient account numbers, diagnostic information, healthcare provider information, prescription information, and treatment information. A small number of affected individuals also had their address, social security number, and/or Medicare/Medicaid ID number exposed. Starling Physicians is strengthening its cybersecurity defenses to prevent similar data security events in the future. Advocate Aurora Health Notifies 2,979...

Read More
Inova Health System Says 1.05 Million Individuals Impacted by Blackbaud Ransomware Attack
Sep11

Inova Health System Says 1.05 Million Individuals Impacted by Blackbaud Ransomware Attack

Falls Church, VA-based Inova Health System is one of the latest healthcare providers to confirm that it has been affected by the ransomware attack on Blackbaud. A backup of its donor database contained the information of 1,045,270 donors, patients, and prospective donors, which takes the total number of healthcare victims in the United States past 2.99 million. That total is also likely to grow as the deadline for reporting the breach to the HHS has not yet been reached. On July 16, 2020, Blackbaud issued notifications to its clients that it had suffered a ransomware attack. Unauthorized individuals gained access to its systems on February 7, 2020, with access possible until May 20, 2020 when the attack was detected when ransomware was deployed. Prior to the deployment of ransomware, certain data were exfiltrated from Blackbaud’s servers. While not all clients were affected, the attackers were able to obtain backups of fundraising databases of many of the firm’s clients. For most organizations, the breached data were limited to donor names, addresses, dates of birth, contact...

Read More
Hennepin County Medical Center Faces Possible Legal Action Over Snooping on George Floyd’s Medical Records
Sep11

Hennepin County Medical Center Faces Possible Legal Action Over Snooping on George Floyd’s Medical Records

Hennepin County Medical Center in Minneapolis is potentially facing legal action after several employees were discovered to have snooped on George Floyd’s medical records. Attorney Antonio Romanucci of Chicago-based law firm Romanucci & Blandin said he was informed that several employees of Hennepin County Medical Center had accessed George Floyd’s medical records on multiple occasions when there was no legitimate reason for doing so, in clear violation of hospital policies and the Health Insurance Portability and Accountability Act (HIPAA). Attorneys representing Hennepin County Medical Center notified the family of George Floyd that certain records relating to George Floyd had been inappropriately accessed by certain employees. Details about the types of records viewed by the employees, the individuals involved, and their positions at Hennepin County Medical Center were not disclosed. Antonio Romanucci and the family’s legal team issued a statement to the Star Tribune saying they are currently “exploring all remedies” to “make this right and make the family whole for...

Read More
Up to 308,000 Patients Potentially Affected by Baton Rouge Clinic Ransomware Attack
Sep09

Up to 308,000 Patients Potentially Affected by Baton Rouge Clinic Ransomware Attack

The Baton Rouge Clinic in Louisiana experienced a cyberattack in early July that took its email and phone system out of action and limited its lab and radiology services. The cyberattack, which involved ransomware, took certain systems out of action for several weeks. It is now two months after the attack and the external email system is still not working. The clinic’s medical record system was not breached, so the data potentially viewed and/or obtained were limited. The attack was performed by an overseas adversary, according to a statement issued by the clinic. It is unclear whether the ransom was paid. The clinic said, “We followed the recommendations our cybersecurity firm made to us in consultation with the FBI.” The investigation into the breach confirmed that the attackers potentially accessed the protected health information of 85 patients, all of whom have now been notified. The types of information involved were EMR data downloaded in order to send claims to insurance companies. Separate breach notification letters were also sent to 308,000 patients. Those individuals...

Read More
PHI of Almost 140,000 Individuals Potentially Compromised in Imperium Health Phishing Attack
Sep07

PHI of Almost 140,000 Individuals Potentially Compromised in Imperium Health Phishing Attack

Imperium Health Management, a Louisville, KY-based provider of development services to Accountable Care Organizations (ACOs), is notifying 139,114 individuals that some of their protected health information was potentially compromised in a recent phishing attack. Imperium Health learned of the attack on April 23, 2020. The investigation revealed one email account was breached on April 21, 2020 and a second email account was breached on April 24, 2020 due to the employees responding to phishing emails. The emails contained links that appeared to be legitimate but directed the employees to a website where their email credentials were harvested. A review of the compromised email accounts revealed they contained protected health information such as patient names, addresses, dates of birth, medical record numbers, account numbers, health insurance information, Medicare numbers, Medicare Health Insurance Claim Numbers (which can include Social Security numbers), and limited clinical and treatment information. Imperium Health was notified that the accounts contained PHI on June 18, 2020....

Read More
Blackbaud Data Breach Healthcare Victim Count Rises to Almost 1 Million
Sep04

Blackbaud Data Breach Healthcare Victim Count Rises to Almost 1 Million

The number of healthcare providers confirmed to have been affected by the Blackbaud ransomware attack and data breach is growing, with a further four healthcare providers issuing breach notifications in the past few days. Yesterday we reported Northwestern Memorial HealthCare had been affected and the personal information of 55,983 individuals was compromised. Now the Department of Health and Human Services’ Office for Civil Rights breach portal shows 179,189 MultiCare Health System donors and potential donors have been affected, as have 52,500 donors to Spectrum Health Lakeland Foundation, and 22,718 donors to the Richard J. Caron Foundation. Earlier this month, Northern Light Health Foundation confirmed that the information of 657,392 donors was compromised in the breach. Catholic Health and its foundations, the University of Detroit Mercy, and Children’s Hospital of Pittsburgh Foundation are also known to have been affected by the Blackbaud data breach. The total number of healthcare organizations affected by the breach is still not known, nor the total number of individuals...

Read More
Assured Imaging Ransomware Attack Affects Almost 245,000 Patients
Sep04

Assured Imaging Ransomware Attack Affects Almost 245,000 Patients

Tucson, AZ-based Assured Imaging, a subsidiary of Rezolut Medical Imaging and provider of Health Screening and Diagnostic Services, has announced it has suffered a ransomware attack that resulted in the encryption of its medical record system. Assured Imaging discovered the attack on May 19, 2020 and worked quickly to stop any further unauthorized access and restore the encrypted data. Assisted by a third-party computer forensics firm, Assured Imaging investigated the ransomware attack to determine the scope of the breach. The investigation revealed an unauthorized individual gained access to its systems between May 15, 2020 and May 17, 2020 and exfiltrated “limited data” prior to the deployment of ransomware. The forensic investigation confirmed data had been stolen but it was not possible to determine exactly what information was exfiltrated by the attackers. A review was conducted to identify all types of information that could potentially have been accessed. The compromised system was found to contain full names, addresses, dates of birth, patient IDs, facility used, treating...

Read More
56,000 Northwestern Memorial HealthCare Donors Impacted by Blackbaud Ransomware Attack
Sep03

56,000 Northwestern Memorial HealthCare Donors Impacted by Blackbaud Ransomware Attack

Northwestern Memorial HealthCare has discovered the personal information of individuals who had previously made donations to Northwestern Memorial HealthCare was potentially compromised in the recent Blackbaud ransomware attack. An unauthorized individual first gained access to Blackbaud systems on February 7, 2020, with the access possible until May 20,2020 when ransomware was deployed. Prior to the use of ransomware, the attacker may have accessed a backup of a database that contained names, age, gender, dates of birth, medical record number, dates of service, departments of service, treating physicians, and/or limited clinical information. The database also contained the Social Security numbers and/or financial/payment card information of 5 individuals. In total, the information of 55,983 Northwestern Memorial HealthCare donors was potentially compromised in the attack. Northwestern Memorial HealthCare is conducting a review of its third-party database storage vendors and its relationship with Blackbaud in order to prevent similar data breaches in the future. Names and Health...

Read More
Utah Pathology Services Email Breach Potentially Affects 112,000 Patients
Aug31

Utah Pathology Services Email Breach Potentially Affects 112,000 Patients

Utah Pathology Services has announced an unauthorized individual has gained access to the email account of an employee and attempted to redirect funds from Utah Pathology. The breach was detected promptly, the compromised email account was secured, and the attempted fraud was unsuccessful and did not involve any patient information. Independent IT and forensic investigators were engaged to assist with the investigation and help determine the extent of the breach. The investigation is ongoing, but it has now been confirmed that the compromised email account contained the personal and protected health information of 112,124 patients. The purpose of the attack appears to have been to redirect funds to an account under the control of the attacker, rather than to steal patient data; however, the possibility of data theft could not be ruled out and affected individuals are now being notified about the breach. The compromised email account contained the following types of information in addition to patient names: Gender, date of birth, mailing address, phone number, email address, health...

Read More
Former Nursing Home Employee Accused of Defrauding Residents Out of $25,000
Aug28

Former Nursing Home Employee Accused of Defrauding Residents Out of $25,000

A former nursing home employee has been accused of stealing the identities of dozens of nursing home residents and using their accounts to pay her bills. The woman, Anna Zur, 39, of Franklin Park, IL, previously worked in the corporate office of a care facility and abused her access rights to residents’ information to obtain documents and financial information, which she sent to a personal email account. She has been accused of stealing the identities of residents and using their accounts to purchase goods and services and pay her bills. The Palos Heights Police Department conducted a year-long investigation into cases of identity theft and fraud and issued a warrant for the woman’s arrest. She was taken into custody on August 26, 2020 and has been charged with felony counts of wire fraud and continuing a financial crimes enterprise. The woman has been linked to 35 cases of identity theft and is alleged to have defrauded individuals out of $25,000. Patient Data Stolen in Ventura Orthopedics Ransomware Attack The Californian healthcare provider Ventura Orthopedics has experienced a...

Read More
Dynasplint Systems Data Breach Impacts Almost 103,000 Individuals
Aug26

Dynasplint Systems Data Breach Impacts Almost 103,000 Individuals

Severna Park, MD-based Dynasplint Systems, a manufacturer of proprietary stretching devices to improve joint motion, has experienced a cyberattack in which personal and protected health information may have been accessed or stolen. The security breach occurred on May 16, 2020 and prevented employees from accessing computer systems. In a letter to the Iowa Attorney General, a lawyer representing Dynasplint explained that the company had suffered “an encryption attack” which prevented employees from accessing computer systems. Assisted by a digital forensics firm, Dynasplint Systems determined on June 4, 2020 that information such as names, addresses, dates of birth, Social Security numbers, and medical information may have been accessed and acquired by the attackers. The cyberattack was reported to the FBI and Dynasplint Systems is cooperating with the investigation to hold the individuals responsible accountable. The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 102,800 individuals were potentially affected by...

Read More
AI Company Exposed 2.5 Million Patient Records Over the Internet
Aug21

AI Company Exposed 2.5 Million Patient Records Over the Internet

The personal and health information of more than 2.5 million patients has been exposed online, according to technology and security consultant Jeremiah Fowler. The records were discovered on July 7, 2020 in two folders that were publicly accessible over the Internet and required no passwords to access data. The folders were labeled as “staging data” and had been hosted by an artificial intelligence company called Cense AI, a company that provides SaaS-based intelligent process automation management solutions. The folders were hosted on the same IP address as the Cense website and could be accessed by removing the port from the IP address, which could be done by anyone with an Internet connection. The data could have been viewed, altered, or downloaded during the time it was accessible. An analysis of the data suggests it was collected from insurance companies and relate to individuals who had been involved in automobile accidents and had been referred for treatment for neck and spinal injuries. The data was quite detailed and included patient names, addresses, dates of birth,...

Read More
July 2020 Healthcare Data Breach Report
Aug19

July 2020 Healthcare Data Breach Report

July saw a major fall in the number of reported data breaches of 500 or more healthcare records, dropping below the 12-month average of 39.83 breaches per month. There was a 30.8% month-over-month fall in reported data breaches, dropping from 52 incidents in June to 36 in July; however, the number of breached records increased 26.3%, indicating the severity of some of the month’s data breaches.   1,322,211 healthcare records were exposed, stolen, or impermissibly disclosed in July’s reported breaches. The average breach size was 36,728 records and the median breach size was 6,537 records. Largest Healthcare Data Breaches Reported in July 2020 14 healthcare data breaches of 10,000 or more records were reported in July, with two of those breaches involving the records of more than 100,000 individuals, the largest of which was the ransomware attack on Florida Orthopaedic Institute which resulted in the exposure and potential theft of the records of 640,000 individuals. The other 100,000+ record breach was suffered by Behavioral Health Network in Maine. The breach was reported as...

Read More
R1 RCM Medical Collection Agency Suffers Ransomware Attack
Aug18

R1 RCM Medical Collection Agency Suffers Ransomware Attack

One of the largest medical debt collection agencies in the United States has suffered a ransomware attack. Chicago-based R1 RCM, formerly Accretive Health Inc., generated $1.18 billion in revenue in 2019 and works with more than 750 healthcare clients. It is currently unclear how many of its clients have been affected by the attack. The breach was recently reported by Brian Krebs of Krebs on Security. R1 RCM confirmed that it was attacked with ransomware and its systems were taken down in response to the attack. Recovery efforts are ongoing. No information has been released on the type of ransomware used in the attack and it is unclear if patient data was stolen prior to files being encrypted. Krebs spoke to a source close to the investigation who suggested the ransomware used in the attack was Defray. Defray ransomware is usually spread via malicious Word documents sent via email in small, targeted campaigns. The threat actors behind the ransomware have previously targeted education and healthcare verticals. In 2019, the medical debt collection agency, American Medical Collection...

Read More
Blackbaud Ransomware Attack Impacts 657,392 Northern Light Health Foundation Donors
Aug18

Blackbaud Ransomware Attack Impacts 657,392 Northern Light Health Foundation Donors

The Brewer, ME-based 10-hospital integrated healthcare system, Northern Light Health Foundation, has announced it has been affected by the recent ransomware attack on Blackbaud Inc. The databases affected contained information about donors, potential donors, and individuals who may have attended a fundraising event in the past. Patient medical records were stored separately and were unaffected. The databases contained the records of 657,392 individuals. South Carolina-based Blackbaud is one of the world’s largest providers of education, administration, fundraising, and financial management software. A company as large as Blackbaud is naturally a target for cybercriminals. Blackbaud explained it encounters millions of attacks each month and its cybersecurity team successfully defends the company against those attacks, although in May 2020 one of those attacks succeeded. The ransomware attack could have been far worse. Blackbaud detected the ransomware attack quickly and took action to block the attack. Blackbaud was able to prevent the ransomware from fully encrypting its files, and...

Read More
Healthcare Data Leaks on GitHub: Credentials, Corporate Data and the PHI of 150,000+ Patients Exposed
Aug17

Healthcare Data Leaks on GitHub: Credentials, Corporate Data and the PHI of 150,000+ Patients Exposed

A new report has revealed the personal and protected health information of patients and other sensitive data are being exposed online without the knowledge of covered entities and business associates through public GitHub repositories. Jelle Ursem, a security researcher from the Netherlands, discovered at least 9 entities in the United States – including HIPAA-covered entities and business associates – have been leaking sensitive data via GitHub. The 9 leaks – which involve between 150,000 and 200,000 patient records – may just be the tip of the iceberg. The search for exposed data was halted to ensure the entities concerned could be contacted and to produce the report to highlight the risks to the healthcare community. Even if your organization does not use GitHub, that does not necessarily mean that you will not be affected. The actions of a single employee or third-party contracted developer may have opened the door and allowed unauthorized individuals to gain access to sensitive data. Exposed PII and PHI in Public GitHub Repositories Jelle Ursem is an ethical security...

Read More
Medical Software Database Containing Personal Information of 3.1 Million Patients Exposed Online
Aug17

Medical Software Database Containing Personal Information of 3.1 Million Patients Exposed Online

A database containing the personal information of more than 3.1 million patients has been exposed online and was subsequently deleted by the Meow bot. Security researcher Volodymyr ‘Bob’ Diachenko discovered the database on July 13, 2020. The database required no password to access and contained information such as patients’ names, email addresses, phone numbers, and treatment locations. Diachenko set about trying to identify the owner of the database and found it had been created by a medical software company called Adit, which makes online booking and patient management software for medical and dental practices. Diachenko contacted Adit to alert the company to the exposed database but received no response. A few days later, Diachenko discovered the data had been attacked by the Meow bot. The Meow bot appeared in late July and scans the internet for exposed databases. Security researchers such as Diachenko conduct scans to identify exposed data and then make contact with the data owners to try to get the data secured. The role of the Meow bot is search and destroy. When exposed...

Read More
Protected Health Information of 129K Individuals Potentially Compromised in Behavioral Health Network Malware Attack
Aug14

Protected Health Information of 129K Individuals Potentially Compromised in Behavioral Health Network Malware Attack

Behavioral Health Network (BHN), the largest behavioral health service provider in Western Massachusetts, has announced that malware was downloaded onto its computer systems that prevented files from being accessed. The security breach was discovered on May 28, 2020 when staff were prevented from accessing files. An investigation was immediately launched to determine the extent of the attack and whether any data had been exfiltrated by the attacker. Around July 17, 2020, BHN determined that an unauthorized individual had gained access to its systems on May 26, two days before the malware was introduced. While it was not possible to determine whether any data had been stolen by the attacker prior to the deployment of the malware, the possibility of data theft could not be totally ruled out. No reports have been received to date indicating patient data has been misused. An analysis of the affected systems revealed the protected health information of 129,571 current and former patients was potentially compromised. The systems that were accessible to the attacker contained names,...

Read More
Data Breaches Reported by University of Maryland Faculty Physicians and Highpoint Foot & Ankle Center
Aug13

Data Breaches Reported by University of Maryland Faculty Physicians and Highpoint Foot & Ankle Center

University of Maryland Faculty Physicians Inc. (FPI) has suffered a phishing attack in which the protected health information of patients of University of Maryland Medical Center (UMMC) may have been accessed by unauthorized individuals. FPI is the faculty practice plan for University of Maryland School of Medicine affiliated physician practice groups and provides support to physicians and staff who provide services at UMMC locations. Following the discovery of the unauthorized accessing of an FPI email account, the account was secured and a comprehensive investigation was conducted to determine the nature and scope of the breach. On May 26, 2020, FPI determined the email account was accessed by an unauthorized individual between February 6, 2020 and February 11, 2020. The email account contained the protected health information of 33,896 individuals. The types of information in the account varied from patient to patient and may have included the following data types in addition to patient names: Date of birth, medical record number, and clinical information related to the care...

Read More
Ashley County Medical Center Nurse Terminated for Improper Medical Record Access
Aug12

Ashley County Medical Center Nurse Terminated for Improper Medical Record Access

A former employee of Ashley County Medical Center has been discovered to have accessed the medical records of 722 patients without authorization. Ashley County Medical Center launched an investigation into the HIPAA violation and determined the nurse had viewed limited patient data for reasons unrelated to the provision of care or treatment. Ashley County Medical Center does not believe any patient information was shared with a third party or accessed with a view to misusing the data. Patient information is believed to have been accessed out of curiosity. Ashley County Medical Center has a sanctions policy in place covering unauthorized medical record access, and in line with that policy the nurse was terminated for the HIPAA violation. “Patient privacy is an extremely serious matter and any failure to protect patient information will subject employees to disciplinary actions,” said Phillip Gilmore, Chief Executive Officer, ACMC. “We are continuing to take steps to report the actions of this employee, notify any additional patients whose information was viewed, continuing to...

Read More
Almost 20,000 Patients Affected by Owens Ear Center Ransomware Attack
Aug12

Almost 20,000 Patients Affected by Owens Ear Center Ransomware Attack

Owens Ear Center in Fort Worth, TX, suffered a ransomware attack on May 28, 2020 in which patient information was encrypted. The computer systems that were encrypted contained patients’ medical records, which included information such as names, addresses, dates of birth, health insurance information, health information, and Social Security numbers. Many ransomware attacks on healthcare organizations see healthcare data stolen before it is encrypted. These double extortion attacks require a ransom to be paid in order to decrypt files and prevent the sale or publication of the stolen data. Owens Ear Center investigated the attack and found no evidence to indicate patient information was accessed or copied prior to file encryption and believes this was solely an attempt to extort money from the practice and that the attackers were not interested in patient data. However, since unauthorized data access could not be ruled out, all affected patients have been notified and, out of an abundance of caution, have been offered complimentary identity theft protection services. Steps have since...

Read More
Four Healthcare Providers and a Ventilator Manufacturer Attacked with Ransomware
Aug11

Four Healthcare Providers and a Ventilator Manufacturer Attacked with Ransomware

Long Island City, NY-based Boyce Technologies Inc, which makes transport communication systems and recently switched its production facilities to produce ventilators for hospitals during the pandemic, has been attacked with DoppelPaymer ransomware. Data was stolen prior to file encryption and a sample of the stolen data has been published on the threat actor’s blog. The stolen data includes purchase orders, assignment forms, and other sensitive data. Boyce Technologies Inc. was approved by the FDA to manufacture ventilators and was producing around 300 machines a day. Those ventilators have been used in hospitals in New York and the company is now making ventilators for other areas. The ransomware attack has threatened the production of those ventilators and has potentially put lives at risk. Piedmont Orthpedics/OrthoAtlanta, a network of orthopedic and sports medicine centers in the greater Atlanta area, has been attacked by threat actors using Pysa (Mespinosa) ransomware. As with the attack on Boyce Technologies, prior to the encryption of files the threat actors exfiltrated...

Read More
Children’s Hospital Colorado Suffers Phishing Attack
Aug10

Children’s Hospital Colorado Suffers Phishing Attack

Children’s Hospital Colorado is notifying 2,553 patients that some of their protected health information was stored in an email account that was accessed by an unauthorized individual between April 6-12, 2020. Credentials to access the account were obtained when an employee responded to a phishing email. The phishing attack was identified by the hospital on June 22, 2020 and the account was immediately secured. A review of the emails and email attachments in the account revealed they contained patient names, zip codes, dates of service, medical record numbers, and clinical diagnosis information. Steps have since been taken to harden email security defenses, platforms are being evaluated for educating staff on cybersecurity, and technical controls related to email are also being reviewed. Stolen Hoag Clinic Laptop Contained Unencrypted PHI On June 5, 2020, a laptop computer issued to an employee of the Hoag Clinic in Costa Mesa, CA was stolen from a vehicle parked in the worksite parking lot in Newport Beach. The theft was discovered the same day and law enforcement was...

Read More
PHI Exposed in Phishing Attacks on FHN and Elkins Rehabilitation & Care Center
Aug07

PHI Exposed in Phishing Attacks on FHN and Elkins Rehabilitation & Care Center

The Freeport, IL-based healthcare system FHN is notifying certain patients that some of their protected health information has potentially been obtained by an unauthorized individual who gained access to the email accounts of several employees between February 12 and February 13, 2020. FHN announced on April 20, 2020 that the investigation had confirmed that a breach occurred, but it took time to determine the information that may have been viewed or obtained. It was not possible to determine whether patient information contained in the accounts was viewed or obtained, but data access could not be ruled out. Affected individuals were notified on July 31, 2020. The compromised accounts contained names, dates of birth, health insurance information, medical record numbers, patient account numbers, and limited treatment and/or clinical information, such as provider names, diagnoses, and medication information. A limited number of Social Security numbers and driver’s license numbers were also potentially compromised. The PHI of 4,120 patients was exposed. Complimentary credit monitoring...

Read More
69,777 Patients Impacted by Allergy and Asthma Clinic of Fort Worth Hacking Incident
Aug06

69,777 Patients Impacted by Allergy and Asthma Clinic of Fort Worth Hacking Incident

Allergy and Asthma Clinic of Fort Worth has discovered an unauthorized individual gained access to its computer systems and potentially obtained patients’ billing information. The breach was detected on June 4, 2020 and steps were immediately taken to prevent further unauthorized access. The breach investigation revealed the hacker gained access to the network on May 20, 2020. A review of the compromised computer systems revealed the hacker potentially accessed files containing patients’ names, addresses, telephone numbers, dates of birth, Social Security numbers, insurance information, and information regarding the reason for visits. Cybersecurity professionals were retained to conduct a review Allergy and Asthma Clinic of Fort Worth’s security measures and additional protections will be implemented, as appropriate, to strengthen network security to prevent further data breaches. The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 69,777 individuals were affected by the breach. Chinese Hackers Targeted Biotech Firm Working...

Read More
PHI of Customers Stolen in Looting Incidents at Cub Pharmacies
Aug05

PHI of Customers Stolen in Looting Incidents at Cub Pharmacies

Another pharmacy chain has announced that the protected health information of some of its customers has been stolen by looters in late May during the period of civil unrest. Between May 27-30, 2020, 8 Cub pharmacies in the Minneapolis area were broken into and items were stolen, including paperwork containing the protected health information of its customers. Items taken from the pharmacies included locked safes that contained credit card authorization forms and prescriptions that had been processed and were awaiting collection. Binders containing printed records of past prescriptions and orders that were in the process of being prepared were taken from 6 of the pharmacies in Minneapolis and St. Paul. The information on the credit card forms included the cardholder name, credit card number, expiry date, and the amount of the transaction, but did not include the CVV code which is required to make purchases over the telephone. These forms only related to individuals who had arranged to have prescriptions delivered or mailed, not for customers who paid by credit card in person in a...

Read More
6,000 Patients Notified About Email Security Breach at Beaumont Health
Jul31

6,000 Patients Notified About Email Security Breach at Beaumont Health

Beaumont Health, the largest healthcare provider in Michigan, has started notifying approximately 6,000 patients that some of their protected health information has potentially been accessed by unauthorized individuals. On June 5, 2020, Beaumont Health learned that email accounts accessed by unauthorized individuals between January 3, 2020 and January 29, 2020 contained the protected health information including names, dates of birth, diagnoses, diagnosis codes, procedure and treatment information, type of treatment provided, prescription information, patient account numbers, and medical record numbers. While the email accounts were accessed by unauthorized individuals, no evidence was found to suggest emails or email attachments in the accounts were viewed or copied by the attackers and no reports have been received that suggest patient data has been misused. This is the second phishing-related breach to be announced by Beaumont Health this year. In April, Beaumont Health started notifying 112,211 individuals that some of their PHI was contained in email accounts that were...

Read More
PHI Compromised in CVS Pharmacy and Walgreens Break-ins
Jul29

PHI Compromised in CVS Pharmacy and Walgreens Break-ins

CVS Pharmacy is alerting certain patients that some of their personal and protected health information has been lost following several incidents at its pharmacies between May 27, 2020 and June 8, 2020. During that time frame, several of its pharmacies were affected by looting and vandalism incidents. Unauthorized individuals gained access to several of its stores and stole filled prescriptions from pharmacy waiting bins. Vaccine consent forms and paper prescriptions were also lost and potentially stolen in the incidents. The types of information compromised include names, addresses, dates of birth, medication names, prescriber information, and primary care provider information. No reports have been received to date to indicate there has been any misuse of customer information. CVS Pharmacy has reported the incidents to the HHS’ Office for Civil Rights collectively as affecting 21,289 individuals. Walgreens Reports Series of Break-ins and Theft of PHI Walgreens Pharmacy has reported similar incidents at its pharmacies over the same period. According to the breach notification sent...

Read More
OCR Imposes $1 Million HIPAA Penalty on Lifespan for Lack of Encryption and Other HIPAA Failures
Jul28

OCR Imposes $1 Million HIPAA Penalty on Lifespan for Lack of Encryption and Other HIPAA Failures

The HHS’ Office for Civil Rights has imposed a $1,040,000 HIPAA penalty on Lifespan Health System Affiliated Covered Entity (Lifespan ACE) following the discovery of systemic noncompliance with the HIPAA Rules. Lifespan is a not-for-profit health system based in Rhode Island that has many healthcare provider affiliates in the state. On April 21, 2017, a breach report was filed with OCR by Lifespan Corporation, the parent company and business associate of Lifespan ACE, about the theft of an unencrypted laptop computer on February 25, 2017. The laptop had been left in the vehicle of an employee in a public parking lot and was broken into. A laptop was stolen that contained information such as patient names, medical record numbers, medication information, and demographic data of 20,431 patients of its healthcare provider affiliates. OCR investigated the breach and discovered systemic noncompliance with the HIPAA Rules. Lifespan ACE uses a variety of mobile devices and had conducted a risk analysis to identify potential risks to the confidentiality, integrity, and availability of ePHI....

Read More
University of Utah Reports Phishing Attack Involving the PHI of up to 10,000 Patients
Jul28

University of Utah Reports Phishing Attack Involving the PHI of up to 10,000 Patients

The University of Utah has experienced a phishing attack that potentially involved the protected health information of up to 10,000 patients. This is the 4th data breach to be reported to the Department of Health and Human Services by the University of Utah in 2020. All four incidents are listed as hacking/IT incidents involving email. The previous breach reports were submitted on June 8, 2020 (1,909 individuals), April 3, 2020 (5,000 individuals), and March 21, 2020 (3,670 individuals). Unauthorized individuals gained access to employee email accounts between January 22, 2020 and May 22, 2020, according to the substitute breach notice on the University of Utah Health website. It is unclear at this stage if the latest breach report also involved access to employee email accounts in the same time frame. Kathy Wilets, Director of Public Relations at University of Utah Health provided a statement to databreaches.net in which she explained that the phishing incidents were being treated as separate incidents but may have been part of a coordinated campaign. She said the latest incident...

Read More
June 2020 Healthcare Data Breach Report
Jul24

June 2020 Healthcare Data Breach Report

The sharp drop in healthcare data breaches seen in May proved to be short lived, with June seeing a major increase in data breaches. In June, 52 breaches were reported by HIPAA covered entities and business associates. That represents an 85.71% month-over-month increase in reported breaches. The number of individuals impacted by healthcare data breaches changed little despite the large increase in breaches, with a month-over-month fall of 1.65% to 1,047,015 records, which is well above the 2020 monthly average of 896,374 breached records. Largest Healthcare Data Breaches in June 2020 The largest healthcare data breach reported by a single entity in June affected the Texas billing and collections agency, Benefit Recovery Specialists, Inc. (BRS) Malware was detected on its systems that potentially gave unauthorized individuals access to the protected health information of more than a quarter of a million people. There was, however, a much larger data breach reported in June that affected more than 365,000 individuals but was reported individually by each entity affected by the...

Read More
Small North Carolina Healthcare Provider Fined $25,000 for HIPAA Security Rule Noncompliance
Jul24

Small North Carolina Healthcare Provider Fined $25,000 for HIPAA Security Rule Noncompliance

The HHS’ Office for Civil Rights (OCR) has announced a $25,000 settlement has been reached with Metropolitan Community Health Services to resolve violations of the HIPAA Security Rule. Washington, NC-based Metropolitan Community Health Services is a Federally Qualified Health Center that provides integrated medical, dental, behavioral health & pharmacy services for adults and children. Operating as Agape Health Services, Metro provides discounted medical services to the underserved population in rural North Carolina. Metropolitan Community Health Services has around 43 employees and serves 3,100 patients each year. On June 9, 2011, Metropolitan Community Health Services filed a report with OCR over a breach of the protected health information of 1,263 patients. OCR conducted a compliance review to establish whether the breach was the direct result of noncompliance with the HIPAA Rules. The OCR investigation uncovered longstanding, systemic noncompliance with the HIPAA Security Rule. Prior to the breach, Metropolitan Community Health Service had failed to implement HIPAA...

Read More
Ransomware Data Breach Lawsuit Against Sarrell Regional Dental Center Tossed by Federal Judge
Jul23

Ransomware Data Breach Lawsuit Against Sarrell Regional Dental Center Tossed by Federal Judge

A lawsuit filed against Sarrell Regional Dental Center for Public Health Inc. over a July 2019 ransomware attack has been dismissed by a Federal judge due to a lack of standing. Sarrell was able to recover from the attack and restore its computer systems and data without paying the ransom, although the dental center was forced to close for two weeks while its systems were restored. No evidence was found to indicate patient data was accessed or downloaded from its systems, although it was not possible to rule out a data breach with 100% certainty so notification letters were sent to the 391,000 patients whose personal and protected health information (PHI) was potentially compromised. A lawsuit was filed against Sarrell in 2019 on behalf of patients affected by the attack. The lawsuit sought class action status and damages for patients whose PHI was potentially compromised in the attack. The lawsuit alleged patients faced a higher risk of identity theft as a result of the attack and had to cover the cost of credit monitoring services. Judge R. Austin Huffaker Jr. stated in his...

Read More
47,754 Individuals Impacted by Lorien Health Services Ransomware Attack
Jul21

47,754 Individuals Impacted by Lorien Health Services Ransomware Attack

Ellicott City, MD-based Lorien Health Services, which runs 9 assisted living facilities in Maryland, has announced it was the victim of a ransomware attack on June 6, 2020. Third party cybersecurity experts were retained to assist with the investigation and determine whether patient information had been accessed by the attackers. On June 10, 2020, it was confirmed that the attackers had accessed files containing residents’ names, addresses, dates of birth, diagnoses, treatment information, and Social Security numbers and some employee information. Some of that data was stolen in the attack. The attack was conducted by the operators of Netwalker ransomware. When Lorien Health Services refused to pay the ransom, a sample of the stolen data was published online. Lorien Health reported the breach to the FBI and the ransomware attack is being investigated. The breach report submitted to the Department of Health and Human Services indicates the compromised systems contained the protected health information of 47,754 individuals. Those individuals have been offered complimentary credit...

Read More
Quantum Imaging and Therapeutic Associates Investigating Possible Facebook HIPAA Breach
Jul20

Quantum Imaging and Therapeutic Associates Investigating Possible Facebook HIPAA Breach

The Pennsylvania physician-owned radiology practice, Quantum Imaging and Therapeutic Associates, has announced reports have been received about a non-physician employee who allegedly shared an x-ray of a male patient’s genitalia with members of a Facebook group. The sharing of medical images on social media networks, without patient consent, is a violation of patient privacy and HIPAA. Quantum issued a statement on Facebook confirming reports had been received about a privacy breach and said “Quantum is committed to respecting the privacy of its patients and is deeply disheartened by these reports,” no further information has been released about the breach pending the results of the investigation. The matter has been reported to Fairview Township police and an investigation has been launched, but no arrests have been made at this stage. Several individuals have commented on the Facebook post claiming the image could be viewed by ‘thousands’ of people. US HealthCenter Discovered Email Account Breach The health risk management corporation, US HealthCenter has discovered an email...

Read More
36,000 Members Affected by Central California Alliance for Health Email Breach
Jul16

36,000 Members Affected by Central California Alliance for Health Email Breach

The Central California Alliance for Health has discovered an unauthorized individual gained access to the email accounts of several employees and potentially viewed or copied information in emails and email attachments. The breach was detected on May 7, 2020 and prompt action was taken to secure the affected accounts. In each case, the accounts were accessed for a period of about one hour. A review of the compromised accounts revealed they contained a limited amount of protected health information of Central California Alliance for Health members such as Alliance Care management program records, dates of birth, claims information, demographic information, Medi-Cal ID numbers, referral information, and medical information. No financial information or Social Security numbers were compromised. Following the breach, a full password reset was performed for all email accounts, including those that were not compromised. Further training on email security has also been provided to employees. The breach has been reported to the Department of Health and Human Services’ Office for Civil...

Read More
Benefit Recovery Specialists Hacked and PHI of 274,837 Individuals Exposed
Jul13

Benefit Recovery Specialists Hacked and PHI of 274,837 Individuals Exposed

The Houston, TX-based billing and collection company, Benefit Recovery Specialists, Inc., (BRSI) has announced it has discovered malware on its systems that may have allowed unauthorized individuals to view or obtain protected health information. The personal and protected health information (PHI) on BRSI systems had been provided to the company in its capacity as a business associate and included the PHI of current and former members and patients of its health plan and healthcare provider customers. The malware was discovered on April 30, 2020 and an internal investigation was immediately launched. Third-party computer forensics specialists were engaged to help investigate the breach and determine the extent and scope of the attack. The investigation revealed an unauthorized individual had gained access to BRSI systems using stolen employee credentials. Once a foothold had been established in the network, the attacker downloaded malware. The forensic investigators concluded that the attacker first gained access to BRSI systems on April 20, 2020 and had access to the systems until...

Read More
Health Plan Member Portals Accessed Using Stolen Credentials
Jul08

Health Plan Member Portals Accessed Using Stolen Credentials

The Philadelphia-based health plan, Independence Blue Cross, and AmeriHealth HMO, Inc. and AmeriHealth Insurance Company of New Jersey have discovered unauthorized individuals gained access to pages in their member portals between March 17, 2020 and April 30, 2020 and potentially viewed the personal and protected health information of some of their members. The types of information exposed included names, member identification numbers, plan type, spending account balances, user reward summaries, and claims information. An investigation into the breach revealed valid credentials had been used to access the portal. In all cases, the passwords used to access to the member portals had been obtained as a result of breaches of third-party websites and applications, such as the breach of MyFitnessPal in 2018. The passwords for those third-party websites had been reused on member portals. The health plans were informed of the breach on May 8, 2020 and immediately took steps to secure the accounts and prevent further unauthorized access. All affected members have now been notified and have...

Read More
Up to 58,000 Individuals Impacted by Healthcare Fiscal Management Ransomware Attack
Jul03

Up to 58,000 Individuals Impacted by Healthcare Fiscal Management Ransomware Attack

Healthcare Fiscal Management Inc. (HFMI), a Wilmington, NC-based provider of self-pay conversion and insurance eligibility services to hospitals, clinics and physician groups, has experienced a ransomware attack in which the personal and protected health information of patients of St. Mary’s Health Care System in Athens, GA may have been accessed or obtained by the attackers. An unauthorized individual gained access to HFMI systems on April 12, 2020 and deployed a ransomware payload the following day which encrypted data on its systems. The systems accessed by the attacker were found to contain the personal and protected health information of patients who received healthcare services at St. Mary’s between November 2019 and April 2020. In total, the data of approximately 58,000 patients may have been accessed and obtained by the attackers, although data access/theft could not be confirmed. The PHI stored on the compromised systems was limited to names, dates of birth, Social Security numbers, account numbers, medical record numbers, and dates of service. HFMI had prepared for such...

Read More
30,000 Patients’ PHI Exposed in NC and TX Phishing Attacks
Jul03

30,000 Patients’ PHI Exposed in NC and TX Phishing Attacks

Claremont, NC-based Choice Health Management Services, a provider of rehabilitation services and operator of several nursing homes in North and South Carolina, has experienced an email security breach affecting employees, and current and former patients. The security breach was detected in late 2019 when suspicious activity was detected in the email accounts of some of its employees. An internal investigation was launched which determined on January 17, 2020 that the email accounts of 17 employees had been subjected to unauthorized access. Since it was not possible to determine which emails and/or email attachments had been opened by the attackers, a third-party firm was engaged to assist with the investigation. While the review concluded on March 27, 2020 that the compromised accounts contained sensitive information, it was unclear which facilities affected individuals had visited for treatment. It took until May 12, 2020 to tie those individuals to a particular facility. The compromised accounts contained a wide range of sensitive information including names, dates of birth,...

Read More
$185,000 Settlement Proposed to Resolve Grays Harbor Community Hospital Ransomware Lawsuit
Jul02

$185,000 Settlement Proposed to Resolve Grays Harbor Community Hospital Ransomware Lawsuit

A proposed settlement has been agreed between Grays Harbor Community Hospital and Harbor Medical Group and the representative plaintiff in a proposed class action lawsuit over a June 2019 ransomware attack that resulted in the encryption of patient data. The settlement was negotiated by the plaintiff and Grays Harbor to avoid the uncertainty of a trial and the costs of further litigation. The settlement was not decided in favor of either party by the Court. The ransomware attack that prompted the lawsuit was detected in June 2019. The Washington healthcare provider powered down its systems to contain the virus that had prevented servers from being accessed, but not in time to prevent its computer systems from being encrypted. Grays Harbor had backed up its data for such an eventuality, but the backup files were also encrypted in the attack. The attack took its electronic health record system offline for around two months. A ransom demand of $1 million was demanded by the attackers for the keys to decrypt the data. Gray’s Harbor had an insurance policy that provided cover of up to...

Read More
Extent of Magellan Health Ransomware Becomes Clear: More Than 364,000 Individuals Affected
Jul01

Extent of Magellan Health Ransomware Becomes Clear: More Than 364,000 Individuals Affected

HIPAA Journal previously reported on an April 2020 ransomware attack on Magellan Health. Further information on the attack has now been released that shows the scale of the attack. The incident has now been listed on the HHS’ Office for Civil Rights breach portal as affecting 6 Magellan entities, each of which has reported the incident separately. Several other entities have also submitted breach reports confirming their patients and subscribers have also been affected. It is too early to tell exactly how many individuals have been affected by the ransomware attack, but the total as of July 1, 2020 exceeds 364,000, making the attack the third largest healthcare data breach to be reported in 2020. There may still be some entities that have yet to report the breach. Entities known to have been impacted by the breach are listed in the table below. Affected Entity Entity Type Individuals Affected Magellan Healthcare, Maryland Business Associate 50,410 Magellan Complete Care of Florida Health Plan 76,236 Magellan Rx Pharmacy Healthcare Provider 33,040 Magellan Complete Care of Virginia...

Read More
UnityPoint Health Proposes $2.8 Million+ Settlement to Resolve Class Action Data Breach Lawsuit
Jun30

UnityPoint Health Proposes $2.8 Million+ Settlement to Resolve Class Action Data Breach Lawsuit

Des Moines, Iowa-based UnityPoint Health has agreed to settle a proposed class action lawsuit filed by victims of two phishing attacks in 2017 and 2018 that saw the protected health information of 1.4 million patients exposed. The first phishing attack occurred in November 2017 and was discovered on February 15, 2018. The attackers had access to the email accounts of certain employees of its Madison campus for more than 3 months and potentially obtained the protected health information of approximately 16,429 patients. Patients were notified about the breach in April 2018. The second phishing attach was much more extensive. The campaign saw a UnityPoint executive impersonated in March 2018, and several employees responded to the message and disclosed their login credentials. The breach was detected in May 2018 and the investigation revealed the compromised email accounts contained the protected health information of 1.4 million patients, making it the second largest healthcare data breach to be reported in 2018.  The attackers had access to the email accounts for almost a month...

Read More
Breaches Reported by St. Luke’s Health-Memorial Lufkin, RiverPointe Post Acute, and Iowa Total Care
Jun25

Breaches Reported by St. Luke’s Health-Memorial Lufkin, RiverPointe Post Acute, and Iowa Total Care

CHI St. Luke’s Health-Memorial Lufkin in Texas has started notifying patients that some of their protected health information may have been accessed by an unauthorized individual. St Luke’s threat management team investigated a security breach involving a network server on March 25, 2020. Third-party vendors conducted a forensic investigation and determined on April 23, 2020 that the email accounts of two employees may have been accessed by an unapproved outside party. The investigation did not uncover evidence confirming unauthorized PHI access or data theft, but the possibility could not be ruled out. The email accounts contained names, diagnosis information, dates of services, and facility account numbers. Based on the investigation, St. Luke’s does not believe patient data has been used inappropriately but has offered certain patients complimentary credit monitoring services through Experian as a precaution. The security breach was thoroughly investigated, data access logs were checked, and a threat intelligence analysis was performed. All passwords were reset across the...

Read More
Georgia Hospital Accused of Falsification of COVID-19 Test Results Suspends Employees Over Suspected HIPAA Breach
Jun25

Georgia Hospital Accused of Falsification of COVID-19 Test Results Suspends Employees Over Suspected HIPAA Breach

Landmark Hospital of Athens in Georgia has suspended three employees who are suspected of accessing, copying or disclosing patient records. The potential HIPAA breach may be linked to a lawsuit that was filed against the 42-bed hospital on June 22, 2020 by four nurses who allege the hospital has been falsifying COVID-19 test results in what they describe as a “COVID-19 coverup”. The nurses allege that five of their patients had tested positive for COVID-19 after displaying symptoms and after the positive result, the hospital administrator reordered COVID-19 tests for those patients. The nurses allege that for the retests, samples were intentionally collected without following proper sampling protocols. They claim that this was done deliberately to reduce the chance of a positive test result. The nurses, who are named as Jane Doe and John Doe in the lawsuit, are seeking immediate court intervention “to stop the hospital concealing and mishandling a COVID-19 outbreak in the facility.” The nurses also want the hospital to temporarily stop receiving and discharging patients. The nurses...

Read More
Ransomware Attacks Reported by North Shore Pain Management & Florida Orthopaedic Institute
Jun24

Ransomware Attacks Reported by North Shore Pain Management & Florida Orthopaedic Institute

North Shore Pain Management (NSPM) in Massachusetts has started notifying 12,472 patients that some of their protected health information has been stolen by hackers. The breach was detected on April 21, 2020 and the investigation confirmed that the attackers first gained access to its systems on April 16, 2020. The substitute breach notice on the NSPM website does not provide details about the nature of the attack, but Emsisoft and databreaches.net both reported the incident as a ransomware attack involving AKO ransomware. The gang responsible for the attack dumped 4GB of data stolen in the attack on their Tor site when the ransom demand was not paid. The dumped files contain a range of sensitive data on employees and patients. The NSPM breach notice confirms the files stolen in the attack contained patient names, dates of birth, health insurance information, account balances, financial information, diagnosis and treatment information, and for certain patients, ultrasound and MRI images. Social Security numbers were also obtained for patients whose SSN is used as their health...

Read More
American Medical Technologies Email Breach Affects 47,767 Patients
Jun24

American Medical Technologies Email Breach Affects 47,767 Patients

American Medical Technologies, a Irvine, CA-based provider of wound care solutions and medical supplies, has discovered an unauthorized individual gained access to the email account of one of its employees and potentially accessed and copied the protected health information of some of its patients. The breach was identified on or around December 17, 2019 when suspicious activity was detected in the email account. The investigation confirmed the attacker potentially had access to protected health information such as names, medical record numbers, Social Security numbers, diagnosis information, health insurance policy numbers, subscriber numbers, medical histories, HIPAA account information, driver’s license/state identification numbers, and/or taxpayer ID numbers. No evidence was fund to suggest patient information was viewed or stolen in the attack, but unauthorized data access and data exfiltration could not be ruled out. A comprehensive analysis of the email accounts was conducted which was completed on May 14, 2020. The review revealed the account contained the PHI of 47,767...

Read More
May 2020 Healthcare Data Breach Report
Jun23

May 2020 Healthcare Data Breach Report

May 2020 saw a marked fall in the number of reported healthcare data breaches compared to April, with 28 data breaches of 500 or more records reported to the HHS’ Office for Civil Rights. That is the lowest number of monthly breaches since December 2018 and the first time in 17 months that healthcare data breaches have been reported at a rate of less than one per day. The monthly total would have been even lower had one breach been reported by the business associate responsible for an improper disposal incident, rather than the 7 healthcare providers impacted by the breach.   Several cybersecurity companies have reported an increase in COVID-19-related breaches, such as phishing attacks that use COVID-19-themed lures. While there is strong evidence to suggest that these types of attacks have increased since the start of the pandemic, the number of cyberattacks appears to have broadly remained the same or increased slightly. Microsoft has reported that its data shows a slight increase in attacks, but says it only represents a blip and the number of threats and cyberattacks has...

Read More
Hacker Arrested and Charged Over 2014 UPMC Cyberattack
Jun22

Hacker Arrested and Charged Over 2014 UPMC Cyberattack

The United States Attorney’s Office of the Western District of Pennsylvania has announced a suspect has been arrested and charged over the 2014 hacking of the human resources databases of University of Pennsylvania Medical Center (UPMC). UPMC owns 40 hospitals around 700 outpatient sites and doctors’ offices and employs over 90,000 individuals. In January 2014, UPMC discovered a hacker had gained access to a human resources server Oracle PeopleSoft database that contained the personally identifiable information (PII) of 65,000 UPMC employees. Data was stolen in the attack and was allegedly offered for sale on the darknet. The stolen data included names, addresses, dates of birth, salary and tax information, and Social Security numbers. The suspect has been named as Justin Sean Johnson, a 29-year old man from Michigan who previously worked as an IT specialist at the Federal Emergency Management Agency. Johnson, who operated under the monikers TDS and DS, was indicted on 43 counts on May 20, 2020: One count of conspiracy, 37 counts of wire fraud, and 5 counts aggravated identity...

Read More
Breaches Reported by Hanger Clinic, Gateway Health, and Sunrise Treatment Center
Jun19

Breaches Reported by Hanger Clinic, Gateway Health, and Sunrise Treatment Center

Sunrise Treatment Center in Cincinnati, OH is alerting 3,660 patients that some of their protected health information may have been accessed by an unauthorized individual who gained access to the email account of an employee. The breach occurred on February 26, 2020 and was detected the following day. A forensic investigation of the breach was completed on April 15, 2020 and confirmed that the email account contained patient information such as first and last names, birth dates, descriptions of the treatment provided, medications, health plan numbers, account balances, treatment dates, and some Social Security numbers. While patient information may have been accessed, the purpose of the attack was to try to convince Sunrise employees to wire money to a foreign bank account. A fraudulent wire transfer was detected and blocked before any money left Sunrise accounts. Sunrise found no evidence to suggest patient information was accessed or obtained in the attack but, as a precaution, Sunrise has offered affected patients complimentary membership to credit monitoring services for 12...

Read More
Ransomware Attacks Reported by Rangely District Hospital and Electronic Waveform Lab
Jun16

Ransomware Attacks Reported by Rangely District Hospital and Electronic Waveform Lab

Rangely District Hospital in Colorado has started notifying patients that some of their protected health information was stored on parts of its network that were affected by an April 2020 ransomware attack. The ransomware attack was discovered on April 9, 2020 and steps were taken to contain the attack, but it was not possible to prevent the encryption of certain files, some of which contained patient information. Rangely District Hospital said the initial attack on its systems occurred on April 2, 2020, but ransomware was not deployed until April 9, 2020. The hospital reports that the encryption process was automated, and no evidence was found to suggest data was accessed or exfiltrated. The investigation indicates a foreign threat actor conducted the attack, but it was not possible to determine who was responsible. While patient data is not believed to be obtained, it was not possible to rule out unauthorized access. Files encrypted by the ransomware that could potentially have been viewed included the following types of personal and protected health information: Names, dates of...

Read More
Cano Health Discovers 2-Year Email Account Breach
Jun16

Cano Health Discovers 2-Year Email Account Breach

The Florida-based population health management company and healthcare provider Cano Health has discovered the email accounts of three employees have been accessed by an unauthorized individual who set up a mail forwarder on the email accounts that sent emails to external addresses. The breach was detected on April 13, 2020, but the investigation revealed the accounts were compromised two years previously, on or around May 18, 2018. All emails sent to and from the accounts between May 18, 2018 and April 13, 2020 are believed to have been obtained and have potentially been accessed. A review of the emails confirmed they contained personal and protected health information such as names, contact information, dates of birth, healthcare information, insurance information, social security numbers, government identification numbers and/or financial account numbers. Cano Health is in the process of notifying affected individuals and has advised them to regularly review their accounts and benefits statements for signs of fraudulent activity. Cano Health will be providing affected patients...

Read More
Everett & Hurite Ophthalmic Association Email Breach Impacts 34,000 Patients
Jun10

Everett & Hurite Ophthalmic Association Email Breach Impacts 34,000 Patients

The Everett & Hurite Ophthalmic Association (EHOA), a team of ophthalmology specialists serving Pittsburgh, PA & Warrendale, PA, has discovered an unauthorized individual gained access to the email account of one of its employees and potentially viewed patient information. EHOA became aware of a breach on March 23, 2020 when suspicious activity was detected in the employee’s email account. After securing the account, third party forensic specialists were engaged to investigate the incident. The investigation confirmed that the breach was limited to a single email account, which was breached between February 25, 2020 and March 25, 2020. A comprehensive review of emails and attachments in the account revealed they contained the protected health information of 34,113 patients. The majority of patients had their names included in an internal report that was used for reporting to the HHS’ Centers for Medicare and Medicaid Services (CMS). For certain individuals, their Social Security number, financial data, health insurance details, date of birth, and health and treatment...

Read More
University of Utah Health Suffers Further Phishing Attack
Jun09

University of Utah Health Suffers Further Phishing Attack

University of Utah Health has suffered another phishing attack, with the latest incident resulting in the exposure of the protected health information (PHI) of 2,700 patients. This is the third phishing incident to be reported to the HHS’ Office for Civil Rights by the University of Utah this year. The previous incidents were reported on March 21 and April 3 and affected 3,670 and 5,000 patients respectively. In the latest attack, an unauthorized individual gained access to employee email accounts between April 6 and May 22, 2020 as a result of responses to phishing emails. The email accounts were promptly secured, and an investigation was launched to determine whether the attackers gained access to patients’ PHI. It was not possible to tell whether PHI was accessed or exfiltrated, but the accounts did contain a limited amount of PHI which was potentially accessed. An analysis of emails and attachments in the compromised accounts revealed they contained names, medical record numbers, dates of birth, and some clinical information related to the medical services received at...

Read More
$107,000 Stolen from Kentucky Employees’ Health Plan Members in Two Recent Cyberattacks
Jun08

$107,000 Stolen from Kentucky Employees’ Health Plan Members in Two Recent Cyberattacks

The Commonwealth of Kentucky Personnel Cabinet has announced that two data breaches occurred between late April and Early May. The attacks resulted in the exposure of the protected health information of around 1,000 members of the Kentucky Employees’ Health Plan. The first attack occurred between April 21 and April 27 and a second occurred in mid-May. In both cases, the attackers used stolen credentials to gain access to accounts. In the first attack, legitimate credentials were used to gain access to StayWell systems. StayWell is a third-party vendor that manages a well-being and incentive portal for health plan members. Through the portal, plan members are empowered to take care of their health and lead healthier lifestyles. Plan members who meet their health goals by completing certain actions and challenges are rewarded with points that can be exchanged for gift cards. The first cyberattack was detected and investigated by StayWell, the Commonwealth Office of Technology, and the Kentucky Personnel Cabinet. It was determined that while the attackers gained access to the portal,...

Read More
St Joseph Health System Discovers Medical Record Storage Facility Improperly Disposed of Patient Records
Jun05

St Joseph Health System Discovers Medical Record Storage Facility Improperly Disposed of Patient Records

St Joseph Health System in North Central Indiana is alerting patients that some of their protected health information has been exposed and may have been viewed by unauthorized individuals. The breach did not happen at St Joseph Health, but at one of its business associates. Central Files Inc, a secure record storage facility in South Bend, IN, was contracted to securely store patient records in compliance with federal and state regulations and to destroy certain records in accordance with HIPAA Rules. Central Files Inc. has now permanently closed but was required to continue to store patient records until an alternative secure records facility could be located. Between April 1 and April 9, 2020, several healthcare groups affiliated with St Joseph Health System were notified that confidential records containing information patient information had been dumped in a location in the South Bend area at some point prior to April 1, 2020. The records discovered at the site were in poor condition. According to the substitute breach notification on the St Joseph Health System website, the...

Read More
Aveanna Healthcare Facing Class Action Lawsuit Over 2019 Phishing Attack
Jun04

Aveanna Healthcare Facing Class Action Lawsuit Over 2019 Phishing Attack

The Atlanta, GA-based healthcare provider Aveanna Healthcare is facing a class action lawsuit over a data breach that occurred in the summer of 2019. Affecting 166,000 patients, it is one of the largest healthcare data breaches to be reported this year. Aveanna Healthcare provides healthcare services to adults and children in 23 states and is the largest provider of pediatric home care in the United States. In the summer of 2019, several email accounts were compromised in a phishing attack. Aveanna Healthcare discovered the attack on August 24, 2019 and immediately secured its email accounts. The investigation revealed the first email account was breached on July 9, 2019, giving the attackers access to protected health information for more than 6 weeks. Emails in the compromised accounts contained patient information such as names, health information, financial information, passport numbers, driver’s license numbers, Social Security numbers, and other sensitive data. It was not possible to determine whether emails and files were viewed by the attackers. No evidence was found to...

Read More
Kaiser Permanente Discovers 8-Year Employee HIPAA Breach
Jun03

Kaiser Permanente Discovers 8-Year Employee HIPAA Breach

The Oakland, CA-based healthcare provider, Kaiser Permanente, has discovered a former employee accessed the radiology records of thousands of patients without authorization over a period of 8 years. The privacy breach was discovered in late March and the employee was placed on administrative leave while an internal investigation was conducted. Kaiser Permanente was unable to find any legitimate work reason for the employee accessing the records and determined that the access fell outside of the scope of the employee’s job functions. The first instance of unauthorized access occurred in 2012 and the employee continued to access radiology records until her actions were discovered in March 2020. The employee worked as an imaging technician in the radiology department and has now been fired over the HIPAA violation. While unauthorized accessing of protected health information was confirmed, Kaiser Permanente found no evidence to suggest that patient information was copied or was used to commit fraud or any criminal activities. The breach was reported to the Department of Health and...

Read More
Mat-Su Surgical Associates Suffer Ransomware Attack
May28

Mat-Su Surgical Associates Suffer Ransomware Attack

Palmer, AK-based Mat-Su Surgical Associates has announced they were the victim of a ransomware attack in March, 2020. The attack was discovered on March 16 when staff were locked out of their computer systems. A team of independent computer forensics investigators were engaged to assess the nature and scope of the attack and determine whether any patient data had been accessed or stolen by the attackers. It was not possible to determine whether the attacker had exfiltrated data or viewed patient information prior to encryption, but the investigators could not rule out unauthorized data access. The attacker was determined to have gained access to parts of its computer system that contained the protected health information of 13,146 patients. The information potentially compromised in the attack included the names of current and former patients of Valley Surgical Associates and Mat-Su Surgical Associates, along with addresses, diagnoses, treatment information, lab test results, health insurance information, Social Security numbers, and other information related to the medical care...

Read More
Geisinger Wyoming Valley Medical Center and District Medical Group Disclose Data Breaches
May22

Geisinger Wyoming Valley Medical Center and District Medical Group Disclose Data Breaches

District Medical Group (DMG), an integrated medical group serving patients in Arizona, has started notifying 10,190 patients that some of their protected health information has potentially been compromised. On March 11, 2020, DMG discovered an unauthorized individual had gained access to the email accounts of some of its employees as a result of responses to phishing emails. A password reset was immediately performed to prevent further unauthorized access and a leading cybersecurity firm was engaged to investigate the breach. The investigation revealed a limited number of email accounts were compromised between February 4, 2020 and February 10, 2020. An analysis of emails and attachments in the breached accounts revealed they contained patient information such as names, medical record numbers, medical information, and health insurance information. A limited number of Social Security numbers were also potentially compromised. No evidence was uncovered that suggested the emails were opened or copied by the attackers. Affected patients have been advised to be vigilant and monitor...

Read More
April 2020 Healthcare Data Breach Report
May20

April 2020 Healthcare Data Breach Report

There were 37 healthcare data breaches of 500 or more records reported in April 2020, up one from the 36 breaches reported in March. As the graph below shows, the number of breaches reported each month has been fairly consistent and has remained well below the 12-month average of 41.9 data breaches per month. While the number of breaches increased slightly, there was a significant reduction in the number of breached healthcare records in April. 442,943 healthcare records were breached in April, down 46.56% from the 828,921 records breached in March. This is the second successive month where the number of exposed records has fallen. While this is certainly good news, it should be noted that in the past 12 months, 39.92 million healthcare records have been breached. Largest Healthcare Data Breaches in April 2020   Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of Breached Information Beaumont Health Healthcare Provider 112,211 Hacking/IT Incident Email Meridian Health Services Corp. Healthcare Provider 111,372 Hacking/IT Incident Email...

Read More
Mille Lacs Health System Phishing Attack Impacts 10,600 Patients
May19

Mille Lacs Health System Phishing Attack Impacts 10,600 Patients

Onamia, MN-based Mille Lacs Health System has experienced a phishing attack that exposed the protected health information of more than 10,000 patients. Phishing emails were sent to some of its employees containing links that directed them to a website that requested their email credentials. A small number of employees were fooled by the scam. Mille Lacs Health System learned about the phishing attack on November 14, 2020 and launched an investigation to determine the extent of the breach. On February 24, 2020, it was confirmed that the stolen email credentials were used by the attacker to access email accounts between August 26, 2019 and January 7, 2020. A review of the compromised email accounts was completed on April 22, 2020 and confirmed that patient information may have been accessed. Information potentially compromised includes first and last names, addresses, dates of birth, provider names, dates of service, clinical information, treatment information, procedure types, and for certain individuals, Social Security numbers.  No evidence was found to suggest patient information...

Read More
Management and Network Services Notifies 30,132 Patients About PHI Breach
May15

Management and Network Services Notifies 30,132 Patients About PHI Breach

Management and Network Services (MNS), LLC, a Dublin, OH-based provider of administrative support services to post-acute healthcare providers, has discovered the email accounts of some of its employees have been compromised. In a May 4, 2020 breach notification letter, MNS explained that it learned on or around August 21, 2019 that several employee email accounts had been subjected to unauthorized access between April and July of 2019. The analysis of the email accounts recently revealed five accounts contained the protected health information of patients of its clients. The information in emails and email attachments varied from individual to individual and may have included the following data elements: name, medical treatment information, diagnosis information/codes, medication information, dates of service, insurance provider, health insurance number, date of birth, and Social Security number. A limited number of individuals also had their driver’s license number, State ID card number, and/or financial account information exposed. MNS has taken steps to improve email security...

Read More
Data Stolen in Magellan Health Ransomware Attack
May13

Data Stolen in Magellan Health Ransomware Attack

The Fortune 500 company Magellan Health has announced it experienced a ransomware attack in April that resulted in the encryption of files and theft of some employee information. The ransomware attack was detected by Magellan Health on April 11, 2020 when files were encrypted on its systems. The investigation into the attack revealed the attacker had gained access to its systems following a response to a spear phishing email sent on April 6. The attacker had fooled the employee by impersonating a client of Magellan Health. Magellan Health engaged the cybersecurity firm Mandiant to assist with the investigation into the breach, which revealed the attacker had gained access to a corporate server that contained employee information and exfiltrated a subset of that data prior to the encryption of files. The attacker also downloaded malware that was used to steal login credentials. The data stolen by the hacker related to current employees and included names, addresses, employee ID numbers, and W-2 and 1099 information, which included taxpayer IDs and Social Security numbers. A limited...

Read More
Email Breach Impacts 35,529 Patients of Saint Francis Healthcare Partners
May08

Email Breach Impacts 35,529 Patients of Saint Francis Healthcare Partners

Saint Francis Healthcare Partners in Connecticut is notifying 38,529 patients that some of their protected health information has potentially been obtained by hackers as a result of a “sophisticated cybersecurity incident” that allowed an unauthorized individual to gain access to its email system. The attack occurred on December 30, 2019 but it took until March 20, 2020 for the forensic investigation to determine that patients’ protected health information was potentially compromised.  The types of information stored in the email system that could have been accessed included names, medical histories, medical record numbers, clinical and treatment information, dates of service, diagnoses, health insurance provider names, account numbers, prescription information and/or types of procedures performed. No financial information or Social Security numbers were compromised. The investigation uncovered no evidence to suggest patient information was accessed, stolen, or misused. Steps have now been taken to improve data security practices and all affected patients have been notified by...

Read More
Healthcare Workers in Michigan and Illinois Fired for HIPAA Violations
May07

Healthcare Workers in Michigan and Illinois Fired for HIPAA Violations

Ann & Robert H. Lurie Children’s Hospital of Chicago has terminated an employee for improperly accessing the medical records of patients without authorization over a period of 15 months. The privacy violations were identified by the hospital on March 5, 2020. The employee’s access to hospital systems was immediately terminated while the investigation was conducted. After reviewing access logs, the hospital found that the employee had accessed the medical records of 4,824 patients without authorization between November 2018 and February 2020. The types of information accessed by the employee included names, addresses, dates of birth, diagnoses, medications, appointments, and medical procedures. No health insurance information, financial information, or Social Security numbers were accessed. No reason as been given as to why the medical records were accessed, but the hospital says it does not believe the employee obtained, misused, or disclosed the information to anyone else. The hospital said the employee no longer works at the hospital. This is not the first incident of...

Read More
Patients Notified Medical Records Exposed at Tornado Hit Secure Medical Record Facility
May06

Patients Notified Medical Records Exposed at Tornado Hit Secure Medical Record Facility

Several healthcare providers have been affected by an unusual data breach at Waupaca, WI-based STAT Informatics Solutions, LLC. STAT provides secure medical records services to several healthcare providers which includes scanning paper files so they can be added to hospital medical record systems. On March 3, 2020, a STAT facility in Lebanon, TN was hit by a tornado, which caused extensive damage to the building and some of the records stored in the facility. STAT notified all affected clients the same day, and representatives of those healthcare providers visited the site to assist with locating and securing medical records in the facility. To limit the potential for unauthorized access, a tall fence was erected around the building while the medical records were located and secured. Two security guards were also posted on site 24/7 to prevent unauthorized individuals from accessing the building. The majority of the medical records were found in the remnants of the building, but the records were determined to be unsalvageable and have now been securely destroyed. While it is...

Read More
Phishing Attack at BJC HealthCare Impacts Patients at 19 Hospitals
May06

Phishing Attack at BJC HealthCare Impacts Patients at 19 Hospitals

BJC Healthcare has announced that the email accounts of three of its employees have been accessed by an unauthorized individual after the employees responded to phishing emails. Suspicious activity was detected in the email accounts on March 6, 2020 and the accounts were immediately secured. A leading computer forensics firm was engaged to conduct an investigation which revealed the three accounts had only been accessed for a limited period of time on March 6. It was not possible to tell if patient data was viewed or obtained by the attacker. A review of the accounts revealed they contained the data of patients at 19 BJC and affiliated hospitals. Protected health information in emails and attachments varied from patient to patient and may have included the following data elements: Patients’ names, medical record numbers, patient account numbers, dates of birth, and limited treatment and/or clinical information, which included provider names, visit dates, medications, diagnoses, and testing information. The health insurance information, Social Security numbers, and driver’s license...

Read More
Shareholder Sues LabCorp to Recover Losses Caused by Data Breaches
May01

Shareholder Sues LabCorp to Recover Losses Caused by Data Breaches

A LabCorp shareholder is taking legal action against LabCorp and its executives and directors over the loss in share value that was caused by two cyberattacks experienced by the company in the past 12 months. LabCorp was one of the companies worst affected by the data breach at the medical debt collection company, American Medical Collection Agency (AMCA) in 2019. The records of 10,251,784 patients who used LabCorp’s services were obtained by hackers who infiltrated AMCA’s systems. At least 24 of AMCA’s clients were affected by the breach. A second LabCorp data breach was reported by TechCrunch in January 2020 that involved around 10,000 LabCorp documents, which the lawsuit alleges was not publicly disclosed by the company nor mentioned in any SEC filings. The breach was the result of a website misconfiguration and allowed the documents to be accessed by anyone. The breach was also not reported to the HHS’ Office for Civil Rights, even though TechCrunch researchers confirmed that the documents contained patient data. Raymond Eugenio holds shares in LabCorp which lost value as a...

Read More
Ransomware Attackers Claim Three More Healthcare Victims
Apr29

Ransomware Attackers Claim Three More Healthcare Victims

Parkview Medical Center in Pueblo, Colorado is recovering from a ransomware attack that started on April 21, 2020. The attack resulted in several IT systems being taken out of action, including its Meditech electronic medical record system, which has been rendered inoperable. The attack is currently being investigated and assistance is being provided by a third-party computer forensics firm. Parkview Medical Center is currently working around the clock to bring its systems back online and recover the encrypted data. In the meantime, medical services continue to be offered to patients, who remain the number one priority. Staff have switched to pen and paper to record patient information until systems can be brought back online. Despite not having access to important systems, the medical center says the level and quality of care provided to patients has not changed. A spokesperson for the medical center said, “While our medical staff continue to work around the clock in response to the ongoing global pandemic, we are doing everything in our power to bring our systems back online as...

Read More
233,000 Patients Notified About PHI Breach at Genetic Testing Lab
Apr28

233,000 Patients Notified About PHI Breach at Genetic Testing Lab

Ambry Genetics, an Aliso Viejo, CA-based genetic testing laboratory, is notifying 232,772 individuals that some of their protected health information was exposed as a result of a recent email security breach. At almost 233,000 records, this is the second largest healthcare data breach to be reported in 2020. Ambry Genetics discovered an unauthorized individual gained access to an employee’s email account between January 22 and January 24, 2020 and potentially viewed and obtained the protected health information of its customers. The security team and third-party computer forensics experts were unable to determine if any information in the compromised accounts was accessed or stolen, but no reports have been received to suggest any personal information has been misused. The email accounts were reviewed and found to contain information such as names, medical information, and other information related to the services provided by Ambry Genetics. A small number of individuals also had their Social Security number exposed. Ambry Genetics has taken steps to enhance security and further...

Read More
March 2020 Healthcare Data Breach Report
Apr24

March 2020 Healthcare Data Breach Report

March 2020 saw a 7.69% month-over-month decrease in the number of reported healthcare data breaches and a 45.88% reduction in the number of breached records. In March, 36 healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights (OCR), which is more than 16% fewer than the average number of monthly breaches over the past 12 months. 828,921 healthcare records were breached in March, which is 194% higher than the monthly average number of breached records. Largest Healthcare Data Breaches in March 2020 The largest healthcare data breach of the month was reported by the genetic testing company, Ambry Genetics Corporation. An unauthorized individual gained access to an employee’s email account that contained the data of 232,772 patients. A major phishing attack was reported by the medical device manufacturer Tandem Diabetes Care. Several employees’ email accounts were compromised and the protected health information of 140,781 patients was exposed. The third largest data breach of the month was reported by Brandywine Urology Consultants, which...

Read More
PHI of 41,000 Patients Exposed in Aurora Medical Center and UPMC Altoona Phishing Attacks
Apr21

PHI of 41,000 Patients Exposed in Aurora Medical Center and UPMC Altoona Phishing Attacks

Aurora Medical Center-Bay Area in Marinette, WI is notifying 27,137 patients that some of their protected health information has been exposed as a result of a January 1, 2020 phishing attack. Several employees responded to the messages and disclosed their email account credentials, which gave the attackers access to their email accounts. The breach was discovered by the medical center on January 9, 2020. A password reset was immediately performed to prevent any further account access and the security breach was reported to law enforcement. An internal investigation was launched to determine what information was accessed by the attackers, which revealed emails and attachments in the accounts contained the protected health information of patients. Aurora Medical Center has not received any reports indicating there has been any misuse of patient information, but it was not possible to rule out data theft. A review of the emails in the accounts revealed they contained a range of PHI. The information varied from patient to patient and may have included names, first and last names,...

Read More
Beaumont Health Notifies 112,000 Patients About May 2019 Data Breach
Apr20

Beaumont Health Notifies 112,000 Patients About May 2019 Data Breach

Michigan’s largest healthcare system, Beaumont Health, has announced that unauthorized individuals have gained access to the email accounts of some of its employees and potentially viewed or obtained patient information stored in emails and email attachments. On March 29, 2020, Beaumont Health learned that the email account breach, which occurred almost 10 months ago, resulted in the exposure and potential theft of patient information. The investigation of the breach revealed the email accounts were accessed by unauthorized individuals between May 23, 2019 and June 3, 2019. A forensic investigation was performed to determine the extent and scope of the breach, along with a manual review of all emails in the compromised accounts. That review has taken some time to complete, hence the delay in issuing breach notification letters. The breached email accounts were discovered to contain the protected health information of around 5% of its 2.3 million patients, which is around 112,000 individuals. The types of information exposed and potentially stolen varied from patient to patient and...

Read More
Washington University School of Medicine Breach Impacts 14,795 Oncology Patients
Apr15

Washington University School of Medicine Breach Impacts 14,795 Oncology Patients

Washington University School of Medicine is notifying 14,795 oncology patients that some of their protected health information was stored in an email account that was breached in January 2020. An unauthorized individual gained access to the email account of a research supervisor in the Division of Oncology between January 12, 2020 and January 13, 2020 as a result of a response to a phishing email. Upon discovery of the breach, immediate action was taken to secure the account and prevent further unauthorized access and a third-party computer forensics firm was engaged to assist with the investigation. A painstaking review of emails and email attachments in the account revealed they contained the following patient information: Names, dates of birth, medical record numbers, patient account numbers, limited treatment and/or clinical information, including diagnoses, provider names, and lab test results. Certain patients also had their health insurance information and/or Social Security numbers exposed. Affected individuals are now being notified about the breach and individuals whose...

Read More
PHI of 16,600 Patients Potentially Compromised in Ransomware Attack on Andrews Braces
Apr14

PHI of 16,600 Patients Potentially Compromised in Ransomware Attack on Andrews Braces

The Sparks, NV orthodontics practice, Andrews Braces, has experienced a ransomware attack that resulted in the encryption of patient data. The attack was discovered on February 14, 2020, with the subsequent investigation determining the ransomware was downloaded the previous day. The practice hired a third-party forensic investigator to assess the scope and extent of the attack and determine whether patient information had been accessed or exfiltrated prior to encryption. While it is not uncommon for ransomware attacks to involve data theft, the investigation did not uncover any evidence to suggest data had been obtained by the attackers. This appeared to be an automated attack with the sole aim of encrypting data to extort money from the practice. The practice regularly backed up patient data and stored its backups securely, so it was possible to restore the encrypted files without paying the ransom. Data theft is not suspected but the possibility could not be ruled out, so notification letters have been sent to all affected patients. The types of data which could potentially have...

Read More
Phishing Attacks Reported by Hartford Healthcare and Saint Francis Ministries
Apr14

Phishing Attacks Reported by Hartford Healthcare and Saint Francis Ministries

The Saint Francis Ministries health system has announced that the email account of one of its employees was accessed by an unauthorized individual, who may have obtained patient information. The breach was identified on December 19, 2019 when suspicious activity was detected in an employee’s email account.  A third-party computer forensics firm was engaged to investigate the breach and determined on February 12, 2020 that the account was subjected to unauthorized access between December 13, 2020 and December 20, 2019. It was not possible to tell if the attacker accessed emails containing patient information or downloaded any email data, but no reports have been received to suggest any patient information has been misused. A review of the affected accounts was completed on March 24, 2020 which revealed that the following information was potentially compromised: Name, date of birth, Social Security number, driver’s license number, state ID number, bank/financial account number, credit or debit card number, diagnosis, treatment information, prescription information, provider name,...

Read More
Ransomware Attack Potentially Impacts More Than 113,000 Patients of Brandywine Urology Consultants
Apr10

Ransomware Attack Potentially Impacts More Than 113,000 Patients of Brandywine Urology Consultants

Delaware-based Brandywine Urology Consultants has announced it experienced a ransomware attack on January 25, 2020 that resulted in the encryption of files on its servers and computers. The scope of the attack was limited and the practice’s electronic medical record system was not affected. No medical records were exposed or compromised in the attack. The practice acted quickly and took steps to isolate the attack and reduce the harm caused. After securing its systems, a complete scan was performed to ensure no malicious software or code remained and it was determined that the attack had been completely neutralized. A third-party security company was engaged to thoroughly investigate the attack and determine whether the attackers had gained access to or stole patient information. While many ransomware gangs conduct manual attacks and steal data prior to deploying their ransomware payload, the investigation suggests this was an automated attack that was conducted with the sole purpose of encrypting files to extort money from the practice. The investigation into the attack is ongoing...

Read More
PHI Exposed in Phishing Attacks on Healthcare Resource Group and Confido
Apr08

PHI Exposed in Phishing Attacks on Healthcare Resource Group and Confido

The pharmacy benefits consulting firm Confido has started notifying 3,600 of its clients’ employees, members, and their dependents, that some of their personal information has potentially been accessed by an unauthorized individual who gained access to an employee’s email account. The email account breach was detected on December 12, 2020 and an investigation was launched to determine the scale and scope of the breach. Assisted by a third-party security firm, Confido determined on January 17, 2020 that an unauthorized individual had access to the email account for a period of two weeks between November 29, 2019 and December 12, 2019. It was not possible to determine if information in the email account was downloaded, but the possibility could not be ruled out. A comprehensive review of the email account revealed it contained names, dates of birth, health insurance information, Social Security numbers, prescription information, treatment information, and clinical information such as diagnoses and provider names. Individuals affected by the breach were notified on February 10, 2020....

Read More
35,800 Patients of The Otis R. Bowen Center for Human Services Notified About Email Security Breach
Apr03

35,800 Patients of The Otis R. Bowen Center for Human Services Notified About Email Security Breach

The Otis R. Bowen Center for Human Services, an Indiana-based provider of mental health and addiction recovery healthcare services, has announced that unauthorized individuals have gained access to the email accounts of two of its employees. It is unclear when the email account breaches occurred and for how long unauthorized individuals had access to the email accounts. In its website substitute breach notification, The Otis R. Bowen Center said an independent digital forensic investigation revealed on January 28, 2020 that PHI had potentially been accessed as a result of the attack. The review of the accounts has now been completed to determine which patients have been affected and those individuals have been individually notified by main. No mention was made about the types of information that were potentially compromised. The Otis R. Bowen Center said the investigation did not uncover any evidence to suggest that any PHI had been misused as a result of the breach but, out of an abundance of caution, affected individuals have been offered complimentary membership to credit...

Read More
Ransomware Attacks Reported by Stockdale Radiology and Affordacare Urgent Care Clinics
Apr01

Ransomware Attacks Reported by Stockdale Radiology and Affordacare Urgent Care Clinics

Stockdale Radiology in California has announced that patient data has been compromised as a result of a ransomware attack on January 17, 2020. An internal investigation confirmed that the attackers gained access to patients’ first and last names, addresses, refund logs, and personal health information, including doctor’s notes. Stockdale Radiology said a limited number of patient files were publicly exposed by the attackers.  Stockdale Radiology also discovered on January 29, 2020, that further patient information may have been accessed, but has not been publicly disclosed. Systems were immediately shut down to prevent any further unauthorized data access and a third-party computer forensics firm was engaged to investigate the breach and determine how access was gained and who was affected. The FBI was immediately notified about the attack and arrived at Stockdale Radiology within 30 minutes. The FBI investigation into the breach is ongoing. In response the attack, Stockdale Radiology has conducted a review of internal data management and its security protocols and has taken steps...

Read More
California Business Associate Reports Potential Breach of Upwards of 70,000 Records
Mar27

California Business Associate Reports Potential Breach of Upwards of 70,000 Records

Stephan C Dean, the co-owner of the California record storage firm Surefile, reported a hacking/IT incident to the HHS’ Office for Civil Rights (OCR) on March 4, 2020 as impacting upwards of 70,000 individuals. Stephan Dean and his wife have been engaged in a long running legal dispute with Kaiser Permanente over the return and deletion of electronic files containing patient information. Kaiser Permanente has been trying to get the files permanently deleted; however, Stephan Dean insists that Kaiser Permanente owes him money for services rendered. The on-and-off legal action was eventually dropped, but the emails were never returned or deleted. Surefile worked with Kaiser Permanente and was provided with paper copies of medical records in 2008. When the agreement between Surefile and Kaiser Permanente ended, Stephan Dean returned the paper copies of the medical records to Kaiser Permanente; however, emails containing patient information that were sent to Stephan Dean by Kaiser Permanente remained on his computer. Stephan Dean filed a complaint with OCR over alleged HIPAA violations...

Read More
Hawaii Pacific Health Discovers 5-Year Insider Data Breach
Mar25

Hawaii Pacific Health Discovers 5-Year Insider Data Breach

Hawaii Pacific Health has discovered an employee of Straub Medical Center in Honolulu has been snooping on the medical records of patients over a period of more than 5 years. Hawaii Pacific Health discovered the unauthorized access on January 17, 2020 and launched an investigation. An analysis of access logs revealed the employee first started viewing patient records in November 2014 and continued to do so undetected until January 2020. During that time, the employee viewed the medical records of 3,772 patients. After concluding the investigation, the employee was terminated. Affected patients had received treatment at Straub Medical Center, Kapiolani Medical Center for Women & Children, Pali Momi Medical Center, or Wilcox Medical Center. The types of information that the employee could have viewed included patients’ first and last names, telephone numbers, addresses, email addresses, dates of birth, race/ethnicity, religion, medical record numbers, primary care provider information, dates of service, appointment types and related notes, hospital account numbers, department...

Read More
February 2020 Healthcare Data Breach Report
Mar24

February 2020 Healthcare Data Breach Report

There were 39 reported healthcare data breaches of 500 or more records in February and 1,531,855 records were breached, which represents a 21.9% month-over-month increase in data breaches and a 231% increase in breached records. More records were breached in February than in the past three months combined. In February, the average breach size was 39,278 records and the mean breach size was 3,335 records. Largest Healthcare Data Breaches in February 2020 The largest healthcare data breach was reported by the health plan, Health Share of Oregon. An unencrypted laptop computer containing the records of 654,362 plan members was stolen from its transportation vendor in an office break in. The second largest breach was a ransomware attack on the accounting firm BST & Co. CPAs which saw client records encrypted, including those of the New York medical group, Community Care Physicians. Aside from the network server breach at SOLO Laboratories, the cause of which has not been determined, the remaining 7 breaches in the top 10 were all email security incidents. Name of Covered Entity...

Read More
Phishing Attacks Reported by University of Utah Health, Oregon DHS, and LifeSprk
Mar23

Phishing Attacks Reported by University of Utah Health, Oregon DHS, and LifeSprk

The Minnesota-based senior care provider LifeSprk is notifying 9,000 of its clients that some of their protected health information was potentially compromised as a result of a November 2019 phishing attack. On January 17, 2020, Lifesprk discovered an unauthorized individual had gained access to the email account of one of its employees. The account was immediately secured and a third-party cybersecurity firm was engaged to investigate the breach. The cybersecurity firm determined that a limited number of employee email accounts were compromised from November 5 through November 7, 2019. For the majority of affected individuals, information in the compromised accounts was limited to names, medical record numbers, health insurance information, and some health information. Certain patients also had financial information and/or their Social Security number exposed. The investigation into the breach is ongoing. To date, no evidence of data theft or misuse of protected health information has been found. Affected patients started to be notified on March 17, 2020. The delay in sending...

Read More
Roundup of Recent Healthcare Data Breaches
Mar20

Roundup of Recent Healthcare Data Breaches

A roundup of healthcare data breaches and security incidents recently reported to the HHS’ Office for Civil Rights and by media. Texas Network of Walk-in Clinics Attacked with Maze Ransomware AffordaCare Urgent Care Clinic, a network of walk-in clinics in Texas, has been attacked by the Maze ransomware gang. According to a recent report on DataBreaches.net, the hackers stole 40GB of data prior to encrypting files. Some of the stolen data was published online when AffordaCare refused to pay the ransom. The published data included patient contact details, medical histories, diagnoses, billing information, health insurance information, and employee payroll data. It is currently unclear how many patients have been affected as the breach has not yet appeared on the HHS’ Office for Civil Rights breach portal. Tandem Diabetes Care Patients Notified About Phishing Attack Tandem Diabetes Care, Inc. in San Diego, CA has been targeted by cybercriminals who gained access to the email accounts of a limited number of its employees between January 17, 2020 and January 20, 2020. The attack was...

Read More
University of Kentucky and UK HealthCare Impacted by Month-Long Cryptominer Attack
Mar09

University of Kentucky and UK HealthCare Impacted by Month-Long Cryptominer Attack

The University of Kentucky (UK) has been battling to remove malware that was downloaded on its network in February 2020. Cybercriminals gained access to the UK network and installed cryptocurrency mining malware that used the processing capabilities of UK computers to mine Bitcoin and other cryptocurrencies. The malware caused a considerable slowdown of the network, with temporary failures of its computer system causing repeated daily interruptions to day to day functions, in particular at UK healthcare. UK believes the attack was resolved on Sunday morning after a month-long effort. On Sunday morning, UK performed a major reboot of its IT systems – a process that took around 3 hours. UK believes the attackers have now been removed from its systems, although they will be monitoring the network closely to ensure that external access has been blocked. The attack is believed to have originated from outside the United States. UK Healthcare, which operates UK Albert B. Chandler Hospital and Good Samaritan Hospital in Lexington, KY, serves more than 2 million patients. While computer...

Read More
53% of Healthcare Organizations Have Experienced a PHI Breach in the Past 12 Months
Mar09

53% of Healthcare Organizations Have Experienced a PHI Breach in the Past 12 Months

The 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses Report from Keeper Security shows approximately two thirds of healthcare organizations have experienced a data breach in the past, and 53% have experienced a breach of protected health information in the past 12 months. The survey was conducted by the Ponemon Institute on 2,391 IT and IT security professionals in the United States, United Kingdom, DACH, Benelux, and Scandinavia, including 219 respondents from the healthcare industry. Keeper Security reports indicates the average healthcare data breach results in the exposure of more than 7,200 confidential records and the average cost of a healthcare data breach is $1.8 million, including the cost of disruption to normal operations. The most common causes of healthcare data breaches are phishing attacks (68%), malware infections (41%), and web-based attacks (40%). Healthcare data breaches have increased considerably in the past few years. Even though there is a high risk of an attack, healthcare organizations do not feel that they are well prepared. Only...

Read More
Relation Insurance and Rainbow Hospice Care Experience Email Security Breaches
Mar06

Relation Insurance and Rainbow Hospice Care Experience Email Security Breaches

Relational Insurance Inc., an insurance brokerage firm doing business as Relation Insurance Services of Georgia (RISG), experienced an email security breach in August 2019. An unauthorized individual was discovered to have gained access to the email account of an employee and potentially viewed or copied emails containing protected health information (PHI). The breach was detected on August 15, 2019 when suspicious activity was detected in the email account. A third-party computer forensics firm assisted with the investigation and determined the account was accessed by an unauthorized individual between August 14 and August 15. On August 16, 2019, RISG determined the account contained PHI; however, it took until December 13, 2019 for a full review of the account to be completed to determine which individuals had been affected and exactly what information was potentially compromised. The account was found to contain a wide range of information, which differed from individual to individual. The breached PHI may have included: Name, address, telephone number, email address, date of...

Read More
6 Healthcare Organizations Discover PHI Has Potentially Been Compromised
Mar05

6 Healthcare Organizations Discover PHI Has Potentially Been Compromised

Six possible data breaches have been reported by healthcare organizations in the past few days that may have resulted in an impermissible disclosure of patient data. 8,701 patients are known to have been affected by the breaches. Harris Health System Notifies Patients About Potential Privacy Breach Houston, TX-based Harris Health System has notified 2,298 patients that some of their protected health information (PHI) has been exposed. On December 30, 2019, two envelopes were sent to Ben Taub Hospital to be scanned and archived in the Harris Health electronic medical record system, but the envelopes were lost in transit. The envelopes contained 143 sheets which are believed to include data from patients who visited Gulfgate Health Center for medical services between December 9, 2019 and December 27, 2019. The sheets contained information such as names, dates of birth, addresses, telephone numbers, test results, diagnoses, health insurance information, medical information, provider information, and Social Security numbers. Since it was not possible to determine which patients were...

Read More
Flaw in Walgreens Mobile App Secure Messaging Feature Exposed PHI
Mar04

Flaw in Walgreens Mobile App Secure Messaging Feature Exposed PHI

Walgreens has started notifying customers that some of their protected health information may have been accessed by other individuals as a result of an error in the personal secure messaging feature of the Walgreens mobile app. The secure messaging feature allows registered customers to receive SMS prescription refill notifications and deals and coupons. An undisclosed error in the app was identified that allowed certain information in its database to be viewed by other customers. Affected customers have been advised that one or more personal messages may have been viewed by other individuals between January 9, 2020 and January 15, 2020. The personal messages included patients’ first and last names, drug name and prescription number, store number, and shipping address. Walgreens said health-related information was only exposed for a limited number of affected customers. The messages did not include any Social Security numbers or financial information. According to a breach notice submitted to the California Attorney General on Friday, the error was detected by Walgreens on January...

Read More
Quest Diagnostics 2016 Data Breach Settlement Receives Final Approval
Mar04

Quest Diagnostics 2016 Data Breach Settlement Receives Final Approval

A federal judge has given final approval of a settlement to resolve a class action lawsuit filed against the New Jersey-based medical laboratory company, Quest Diagnostics Inc., over its 2016 data breach. The $195,000 settlement provides up to $325 compensation for each breach victim. On November 26, 2016 hackers gained access to the Care360 MyQuest mobile app that is used by patients to store and share their electronic test results and make appointments. The health app contained names, dates of birth, telephone numbers, and lab test results which, for some patients, included their HIV test results. 34,000 patients were affected by the breach. A class action lawsuit was filed on behalf of patients affected by the breach in 2017. The lawsuit alleged Quest Diagnostics had been negligent and failed to protect the sensitive data of app users. The lawsuit states, “Despite the fact that it was storing sensitive Private Information that it knew or should have known was valuable to and vulnerable to cyber attackers, Quest and its fellow Defendants failed to take adequate measures that...

Read More
HHS’ Office for Civil Rights Announces First HIPAA Penalty of 2020
Mar03

HHS’ Office for Civil Rights Announces First HIPAA Penalty of 2020

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced its first HIPAA penalty of 2020. The practice of Steven A. Porter, M.D., has agreed to pay a financial penalty of $100,000 to resolve potential violations of the HIPAA Security Rule and will adopt a corrective action plan to address all areas of noncompliance discovered during the compliance investigation. Dr. Porter’s practice in Ogden, UT provides gastroenterological services to more than 3,000 patients. OCR launched an investigation following a report of a data breach in November 13, 2013. The breach concerned a business associate of Dr. Porter’s electronic medical record (EHR) company which was allegedly impermissibly using patients’ electronic medical records by blocking the practice’s access to ePHI until Dr. Porter paid the company $50,000. The breach investigation uncovered serious violations of the HIPAA Security Rule at the practice. At the time of the audit, Dr. Porter had never conducted a risk analysis to identify risks to the confidentiality, integrity, and availability of ePHI,...

Read More
Tennessee Orthopaedic Alliance Phishing Attack Impacts Over 81,000 Patients
Feb27

Tennessee Orthopaedic Alliance Phishing Attack Impacts Over 81,000 Patients

Phishing attacks have recently been reported by Tennessee Orthopaedic Alliance, Jefferson Dental Care Healthcare Management, and Munson Healthcare. 81,146 Patients Affected by Tennessee Orthopaedic Alliance Phishing Attack Tennessee Orthopaedic Alliance (TOA) has discovered unauthorized individuals have gained access to the email accounts of two employees. TOA became aware of the breach on October 18, 2019 when unusual activity was detected in an employee’s email account. The account was immediately secured, and third-party computer forensics experts were engaged to investigate the breach. The investigation revealed a second email account had also been compromised and the accounts were accessed by unauthorized individuals between August 16, 2019 and October 14, 2019. TOA determined on January 3, 2019 that the compromised email accounts contained names, addresses, phone numbers, dates of birth, Social Security numbers, health insurance information, diagnostic information, treatment information, and treatment costs. Patients were notified about the breach on February 14, 2019....

Read More
Data Breaches Reported by Rady Children’s Hospital, Aveanna Healthcare and Endeavor Energy Resources
Feb26

Data Breaches Reported by Rady Children’s Hospital, Aveanna Healthcare and Endeavor Energy Resources

Rady Children’s Hospital-San Diego, the largest children’s hospital in California, discovered a security breach on January 3, 2020 in which the protected health information of certain patients was potentially accessed by an unauthorized individual. A computer used by the radiology department had been remotely accessed by an unauthorized individual via an open internet port. A digital forensics firm was engaged to investigate the breach and determined that the computer was compromised on June 20, 2019 and access remained possible until the port was closed on January 3, 2020. An analysis of the compromised device revealed on February 5, 2020 that names and genders of patients were potentially compromised along with the type and date of imaging studies and, for some patients, their date of birth, medical record number, referring physician’s name, and/or a description of the imaging study. No financial information, Social Security numbers, diagnoses, or medical images were compromised. Complimentary credit monitoring services have been offered to affected patients. Rady Children’s...

Read More
Medical Records of 156,400 Personal Touch Home Care Patients Compromised in Ransomware Attack on EHR Hosting Company
Feb26

Medical Records of 156,400 Personal Touch Home Care Patients Compromised in Ransomware Attack on EHR Hosting Company

The Lake Success, NY-based home health company, Personal Touch Home Care (PTHC), has started notifying patients that a recent ransomware attack on its Wyomissing, PA-based IT vendor, Crossroads Technologies Inc., has potentially seen some of their protected health information compromised. Crossroads informed PTHC on December 1, 2019 that the ransomware attack affected its Pennsylvania data center where PTHC’s electronic medical records were hosted. The ransomware attack prevented patient records from being accessed for a few days. While the EHR system was down, staff at PTHC switched to emergency protocols and used pen and paper to record patient information. The encrypted data has now been recovered. It is unclear whether Crossroads restored the data from backups or if the ransom was paid and if any other healthcare clients were affected. The compromised medical records contained patient names, addresses, telephone numbers, dates of birth, medical record numbers, health insurance card numbers, plan benefit numbers, Social Security numbers, and treatment information. PTHC is...

Read More
Maze Ransomware Attack on Accounting Firm Impacts Patients of New York Medical Group
Feb25

Maze Ransomware Attack on Accounting Firm Impacts Patients of New York Medical Group

The Albany, NY-based accounting, tax, and advisory firm, BST & Co. CPAs LLC, has experienced a Maze ransomware attack that has affected patients of the New York medical group, Community Care Physicians P.C. The Maze ransomware gang is one of a handful of threat groups that steal data from victims prior to deploying their ransomware payload. A threat is then issued to publish the stolen data if the ransom is not paid. Some of the data stolen in the attack has since been published by the gang, including names, dates of birth, addresses, contact telephone numbers, and Social Security numbers of BST employees. BST has issued a statement saying a computer virus was detected on December 7, 2019 which prevented access to its files. In addition to internal data, some information related to local clients was also potentially compromised, including Community Care Physicians. A leading computer forensics firm was engaged to assist with the investigation and determine the nature and scope of the attack. The forensics experts determined the virus was active on the network from December 4,...

Read More
NRC Health Recovering from Ransomware Attack
Feb24

NRC Health Recovering from Ransomware Attack

NRC Health, a provider of patient survey services and software to more than 9,000 healthcare organizations, including 75% of the largest hospital systems in the United States and Canada, experienced a ransomware attack on February 11, 2020 that affected some of its computer systems. NRC Health immediately took steps to limit the harm caused and shut down its entire environment, including its client-facing portals. A leading computer forensic investigation firm was engaged to determine the nature and extent of the attack and the incident has been reported to the Federal Bureau of Investigation. According to the NRC Health website, the data of more than 25 million healthcare consumers in the United States and Canada is collected by NRC Health every year. Patient surveys conducted by NRC Health on behalf of its clients allow them to prove that patients are satisfied with the services they have received. That information is important for helping to improve patient care and also for determining how much Medicare reimbursement healthcare providers receive under the Affordable Care Act....

Read More
Communication Errors Result in Impermissible Disclosure of 5,300 Patients’ PHI
Feb24

Communication Errors Result in Impermissible Disclosure of 5,300 Patients’ PHI

Two communication errors have been reported by HIPAA-covered entities in the past few days, which have resulted in the impermissible disclosure of 5,339 patients’ personal and protected health information (PHI). Mercy Health Physician Partners Southwest Discovers Impermissible Disclosure of PHI Mercy Health Physician Partners Southwest in Byron Center, MI, started sending breach notification letters to patients on February 10, 2019 informing them that a third-party vendor contracted to Mercy Health made an error with a recent mailing. Mercy Health had provided the mailing vendor with a list of 3,164 names and addresses to send letters to patients informing them about the recent departure of a physician. An error in the mailing resulted in names being mismatched with addresses and 2,487 patients were sent a letter addressed to a different patient. No other sensitive information was disclosed. During the breach investigation it was discovered that there was no business associate agreement (BAA) in place with the vendor. The provision of the patient list was therefore an impermissible...

Read More
January 2020 Healthcare Data Breach Report
Feb21

January 2020 Healthcare Data Breach Report

In January, healthcare data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights at a rate of more than one a day. As our 2019 Healthcare Data Breach Report showed, 2019 was a particularly bad year for healthcare data breaches with 510 data breaches reported by HIPAA-covered entities and their business associates. That equates to a rate of 42.5 data breaches per month. January’s figures are an improvement, with a reporting rate of 1.03 breaches per day and a 15.78% decrease in reported breaches compared to December 2019. While the number of breaches was down, the number of breached records increased by 17.71% month-over-month. 462,856 healthcare records were exposed, stolen, or impermissibly disclosed across 32 reported data breaches. As the graph below shows, the severity of data breaches has increased in recent years. Largest Healthcare Data Breaches in January 2020 Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach Location of Breached Information PIH Health CA Healthcare Provider...

Read More
Criminal HIPAA Violation Case Sees Healthcare Worker Arraigned on 430 Counts
Feb21

Criminal HIPAA Violation Case Sees Healthcare Worker Arraigned on 430 Counts

A former employee of ACM Global Laboratories, part of Rochester Regional Health, has been accused of accessing the medical records of a patient, without authorization, on hundreds of occasions in an attempt to find information that could be used in a child custody battle. A criminal investigation was launched into the alleged HIPAA violations by Jessica Meier, 41, of Hamlin, NY, when it was suspected that she had been abusing her access rights to patient information for malicious purposes. Kristina Ciaccia was previously in a relationship with Meier’s half brother and has been in a lengthy child custody battle. In court, Ciaccia heard about a historic visit by her own brother to the emergency room at Rochester Regional Health, when she herself was unaware of the visit. Suspecting snooping on her family’s medical records, Ciaccia reported the matter to Rochester Regional Health. According to court documents, the Rochester Regional Health audit revealed Meier had accessed the private medical records of Ciaccia on more than 200 occasions between March 2017 and August 2019, without any...

Read More
2020 Protenus Breach Barometer Report Reveals 49% Increase in Healthcare Hacking Incidents
Feb20

2020 Protenus Breach Barometer Report Reveals 49% Increase in Healthcare Hacking Incidents

According to the 2020 Protenus Breach Barometer report, there were 572 healthcare data breaches of 500 or more records in 2019 and at least 41.4 million patient records were breached. That represents a 13.7% annual increase in the number of reported breaches and a 174.5% increase in the number of breached records. The final total for 2019 is likely to be considerably higher, as the number of individuals affected by 91 of those breaches is not known, including two major breaches that have yet to be reported that affected more than 500 dental offices throughout the United States. The 2020 Protenus Breach Barometer report, produced in conjunction with databreaches.net, was compiled from breaches reported to the HHS’ Office for Civil Rights, the media, and other sources. The report shows a dramatic rise in the number of hacking incidents in 2019, which were up 49% from 2018. 58% of all reported breaches in 2019 were hacking/IT incidents and at least 36,911,960 records were exposed or stolen in those breaches. “It appears hacking incidents, particularly ransomware incidents, are on the...

Read More
PHI of 109,000 Patients Potentially Compromised in Washington Phishing Attack
Feb20

PHI of 109,000 Patients Potentially Compromised in Washington Phishing Attack

Bellevue, WA-based Overlake Medical Center & Clinics is notifying 109,000 patients that some of their personal and protected health information has potentially been compromised as a result of a December 2019 phishing attack. The phishing attack was detected on December 9, 2019 and a password reset was performed to prevent further unauthorized access. Overlake determined that one email account was compromised on December 6, 2019 and access remained possible until December 9 when the account was secured. Further email accounts were compromised on December 9, but access was only possible for a few hours. A review of the affected accounts revealed they contained patient names, addresses, telephone numbers, dates of birth, health insurance provider names, health insurance ID numbers, and diagnosis and treatment information related to the care provided at Overlake. No Social Security numbers or financial information was compromised. The investigation uncovered no evidence of data theft and no reports have been received to suggest patient data has been misused. Steps have now been...

Read More
MyEyeDr. Patients Notified of Ransomware Attack and Improper Disposal Incident
Feb19

MyEyeDr. Patients Notified of Ransomware Attack and Improper Disposal Incident

MyEyeDr. Optometry of Colorado P.C, a network of vision care offices, is notifying 1,475 Colorado residents that some of their protected health information was potentially compromised prior to a recent ransomware attack. Certain MyEyeDr. systems were accessed by the attacker on December 11, 2019 and ransomware was downloaded and deployed. Steps were immediately taken by MyEyeDr. to prevent further unauthorized access and restore all affected records. The ransom was not paid. While it was possible to restore the majority of encrypted data, some files could not be recovered and remain encrypted. A third-party computer forensics firm was engaged to investigate the attack and determine whether any data had been stolen prior to file encryption. The forensics firm found no evidence to suggest data had been exfiltrated and the attack is believed to have only involved file encryption with a view to extorting money from MyEyeDr. A review of the affected systems revealed they contained patient information such as names, dates of birth, diagnoses, clinical information, and treatment...

Read More
Wise Health System Notifies 66,934 Patients of Phishing Attack
Feb18

Wise Health System Notifies 66,934 Patients of Phishing Attack

Wise Health System in Decatur, TX, is notifying 66,934 patients that some of their protected health information was potentially compromised in a phishing attack that occurred on March 14, 2019. Wise Health System previously reported the phishing attack to the Department of Health and Human Services’ Office for Civil Rights on July 13, 2019 as having affected 35,899 individuals. That total has now been updated following the completion of a data audit. The data audit commenced in June 2019 and has only just been completed. New notifications started to be sent to affected patients on February 13, 2020. In March 2019, several employees responded to phishing emails and disclosed their account credentials. The attackers used those credentials to access the Employee Kiosk and attempted to reroute payroll direct deposits. Wise Health System reports that attempts were made to reroute approximately 100 direct deposit payments. Security protocols required two checks to be issued to employees following a change to direct deposit information. This security measure was key to identifying the...

Read More
Malware Attack Disables Servers at Physician Network Affiliated with Boston Children’s Hospital
Feb14

Malware Attack Disables Servers at Physician Network Affiliated with Boston Children’s Hospital

On Monday, February 10, 2020, Pediatric Physicians’ Organization at Children’s (PPOC), a physician group affiliated with Boston Children’s Hospital, experienced a malware attack that caused a system outage which prevented its 500+ pediatricians, nurse practitioners, and physician assistants from accessing patient data and scheduling calendars. PPOC has approximately 200 servers, 11 of which were impacted by the attack. IT teams at PPOC and Boston Children’s Hospital worked swiftly to contain the malware and the affected servers have now been quarantined. Servers unaffected by the attack were shut down as a precautionary measure. Boston Children’s Hospital issued a statement confirming its systems were unaffected by the attack. Patients were advised to reschedule non-urgent appointments as health records cannot be accessed until the malware is removed and the servers are brought back online. Children’s Hospital issued a statement on Wednesday saying progress was being made restoring the servers, but it was still unclear how long the recovery process would take. PPOC has...

Read More