Our HIPAA breach news section covers HIPAA breaches such as unauthorized disclosures of protected health information (PHI), improper disposal of PHI, unauthorized PHI access by cybercriminals and rogue healthcare employees, and other security and privacy breaches.

When known, we explain how the breach occurred, the consequences to patients that may have had their PHI compromised, and the actions being taken by the affected healthcare organization to improve safeguards to prevent further HIPAA breaches.

We also explain any actions being taken by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general in relation to those breaches.

OCR investigates all data breaches that impact more than 500 individuals to determine whether any HIPAA violations have occurred. When HIPAA Rules are discovered to have been violated, financial penalties may be deemed appropriate. It can take many months or years before any financial penalties for HIPAA breaches are decided. Financial penalties for HIPAA violations tend to be reserved for the most serious breaches of HIPAA Rules. OCR prefers to resolve cases with voluntary compliance and by issuing recommendations to bring policies in line with HIPAA Rules.

The HIPAA breach news section is particularly relevant to healthcare information security professionals, privacy officers, and other individuals who have some responsibility for HIPAA compliance.

The HIPAA breach news reports highlight common areas of non-compliance and new attack vectors used by cybercriminals to gain access to healthcare networks and PHI, the security failings that allowed them to happen, and the measures that have been implemented to prevent them from happening again.

No healthcare organization wants to experience a data breach, but when a breach does occur, lessons can be learned. HIPAA-covered entities can use these breach examples to help train their staff as well as to discover some of the methods other covered entities have adopted to improve data security.

As you will be able to see from the volume of posts in the HIPAA breach news category, healthcare data breaches occur frequently. In 2016 and 2017, healthcare data breaches have been reported on an almost daily basis.

Our HIPAA breach news section is an important source of information about potential security issues that covered entities should be identifying when conducting their own risk assessments. Many of the situations in our HIPAA breach news posts could have been avoided if a risk assessment had identified a vulnerability that was later exploited to gain access to PHI.

The main purpose for adding HIPAA breach news to this website is to highlight specific aspects of HIPAA compliance that are commonly overlooked, often with serious consequences for the covered entity and patients/health plan members.

By raising awareness of the volume of healthcare data breaches, the implications of those breaches, and the penalties that can result, it is hoped that healthcare providers will take decisive action to prevent their patients’ and members’ data from being exposed.

The most recent healthcare data breach reports are listed below. If you want to find out if a specific covered entity has experienced a data breach, please use the search function in the top right hand corner of this webpage.

More Than 447K Patients Affected by Phishing Attack on Orlando Family Physicians
Jul30

More Than 447K Patients Affected by Phishing Attack on Orlando Family Physicians

Email accounts containing the protected health information of 447,426 patients of Orlando Family Physicians in Florida have been accessed by an unauthorized individual. Orlando Family Physicians said the first email account was compromised on April 15, 2021 as a result of an employee responding to a phishing email and disclosing their account credentials. Action was promptly taken to block unauthorized access, and an investigation was launched to determine the nature and extent of the breach. Assisted by a leading cybersecurity forensics firm, Orlando Family Physicians determined that an additional three employee email accounts had also been subjected to unauthorized access. All four of the compromised email accounts had external access blocked within 24 hours of the initial unauthored account access. Orlando Family Physicians determined on May 21, 2021, that the unauthorized individual potentially accessed emails in the account that contained patients’ protected health information. A review of the emails and attachments was conducted, and on July 9, 2021, Orlando Family Physicians...

Read More
PHI Potentially Compromised in Ransomware Attacks on Eye Center and Law Firm
Jul30

PHI Potentially Compromised in Ransomware Attacks on Eye Center and Law Firm

Francisco J. Pabalan MD has reported a ransomware attack that has affected up to 50,000 patients of the Pabalan Eye Center in Riverside, CA. The ransomware attack was discovered on March 3, 2021, with the investigation confirming the attack commenced on March 1. The attackers encrypted files on computers and servers that prevented access and patient data was ransomed. All affected computers and servers had been backed up prior to the attack, so it was possible to recover the encrypted data without having to pay the ransom. The investigation found no evidence of data theft, with the attack appearing to only have been conducted to cause disruption to services in order to extort money from the practice. Following the attack, all computers and servers were formatted prior to operating systems and software being reinstalled, and patient data were then restored from backups. Additional security measures have been implemented, including new anti-virus and anti-ransomware software, new data encryption technology, and a new Security Rule Risk Management Plan has been developed and put in...

Read More
Accidental Disclosures of PHI at LA Fire Department and Standard Modern Company
Jul30

Accidental Disclosures of PHI at LA Fire Department and Standard Modern Company

The Los Angeles Fire Department has discovered the COVID-19 vaccination statuses of 4,900 employees has been accidentally exposed online. A list that included the full names of employees, dates of birth, employee numbers, and COVID-19 vaccination information (vaccination dates, doses, or declined vaccine) had been published on a website accessible to the public. During the time that the website was active, it was possible to visit the site and conduct searches of the database for names and employee numbers. The database was not password protected and no information had to be entered to authenticate users. If a wildcard search was conducted, a table was generated that listed the data of all 4,900 employees. The website – covid.lacofdems.com – had been privately registered and was linked to the Fire Department’s Emergency Medical Service’s bureau. The website, which had not been authorized, was created on April 29, 2021 and was deactivated on July 15, 2021. The website had reportedly been created to allow Department employees to retrieve lost vaccination information. Prior to...

Read More
The Average Cost of a Healthcare Data Breach is Now $9.42 Million
Jul29

The Average Cost of a Healthcare Data Breach is Now $9.42 Million

IBM Security has published its 2021 Cost of a Data Breach Report, which shows data breach costs have risen once again and are now at the highest level since IBM started publishing the reports 17 years ago. There was a 10% year-over-year increase in data breach costs, with the average cost rising to $4.24 million per incident. Healthcare data breaches are the costliest, with the average cost increasing by $2 million to $9.42 million per incident. Ransomware attacks cost an average of $4.62 million per incident. The large year-over-year increase in data breach costs has been attributed to the drastic operational shifts due to the pandemic. With employees forced to work remotely during the pandemic, organizations had to rapidly adapt their technology. The pandemic forced 60% of organizations to move further into the cloud. Such a rapid change resulted in vulnerabilities being introduced and security often lagged behind the rapid IT changes. Remote working also hindered organizations’ ability to quickly respond to security incidents and data breaches. According to IBM, data breaches...

Read More
McLaren Health Care and Greenwood Leflore Hospital Impacted by Elekta Ransomware Attack
Jul28

McLaren Health Care and Greenwood Leflore Hospital Impacted by Elekta Ransomware Attack

McLaren Health Care Corporation (MHCC), the operator of 15 hospitals and over 100 primary care locations in Michigan and Ohio, has announced the protected health information of 64,600 of its cancer patients may have been compromised in a ransomware attack on vendor Elekta Inc. Elekta provides software and technology services to MHCC facilities in Macomb, Northern Michigan, Gaylord, Cheboygan, West Branch, Lapeer, Central and Bay City, which includes data storage. Between April 2 and April 20, 2021, Hackers had access to Elekta’s systems, exfiltrated data, then deployed ransomware to encrypt files. A ransom demand was issued, payment of which was required to decrypt data and prevent the exposure of data stolen in the attack. Elekta notified MHCC about the breach on May 17, 2021. While patient data was affected, Elekta said it has no reason to believe that any of the stolen information will be further disclosed or published online. However, as a precaution against identity theft and fraud, complimentary identity theft protection and credit monitoring services are being offered to...

Read More
Phishing Attacks Reported by UC San Diego Health and UnitedHealthcare
Jul28

Phishing Attacks Reported by UC San Diego Health and UnitedHealthcare

UC San Diego Health has discovered unauthorized individuals gained access to the email accounts of some of its employees and may have accessed or exfiltrated emails containing patient data. The email accounts were compromised as a result of employees responding to phishing emails and disclosing their email credentials. The email environment has now been secured and additional measures have been implemented to improve security. The investigation into the breach revealed the first email account was compromised on December 2, 2020, and others were compromised up until April 8, 2020. At this stage, no evidence has been found to indicate any emails or email attachments were subjected to unauthorized access between December 2020 and April 2021, and no reports have been received that suggest the protected health information (PHI) of patients has been misused; however, it was not possible to rule out unauthorized PHI access and data exfiltration. The investigation into the breach is ongoing to identify exactly what happened and the information that has been affected. Notification letters...

Read More
Florida Heart Associates Operating at 50% Capacity 2 Months After Ransomware Attack
Jul27

Florida Heart Associates Operating at 50% Capacity 2 Months After Ransomware Attack

A ransomware attack on Fort Myers, FL-based Florida Heart Associates that started around May 19, 2021 has caused serious and ongoing disruption to its services, with the medical practice only operating at around 50% capacity two months after the attack. Disruption is expected to continue for several more weeks, with the practice not expecting to fully recover until the end of next month or even early September. Prior to the use of ransomware, the attackers exfiltrated files containing the protected health information of 45,148 patients, including Social Security numbers, member identification numbers, birth dates, and health insurance information. A ransom demand was issued to ensure the deletion of stolen data and to provide the keys to decrypt data, but the decision was taken by the practice not to pay the attackers. The ransomware gang was ejected from the network, but not before much of its IT infrastructure was rendered inoperable. The investigation revealed its systems were first breached on May 9, 2021, with the hackers deploying ransomware on May 19, when staff were...

Read More
Overlake Hospital Medical Center Proposes Settlement to Resolve Data Breach Case
Jul27

Overlake Hospital Medical Center Proposes Settlement to Resolve Data Breach Case

Overlake Hospital Medical Center in Bellevue, WA has proposed a settlement to resolve a class action lawsuit filed by victims of a December 2019 data breach that exposed patients’ demographic information, health insurance information, and health data. The breach in question was a phishing attack that was discovered on December 9, 2019. The investigation revealed unauthorized individuals gained access to the email accounts of several employees, with one of the email accounts compromised between December 6, 2019 and December 9, 2019, and the others compromised for several hours on December 9. The investigation did not uncover evidence of data theft or misuse of patient data, but it was not possible to rule unauthorized access to protected health information (PHI) and the exfiltration of data. The PHI of up to 109,000 patients was contained in the compromised email accounts. Affected individuals were notified starting on February 4, 2020 and Overlake Hospital Medical Center took several steps to improve security, including implementing multi-factor authentication, changing email...

Read More
Paperwork Containing PHI of Oklahoma Heart Hospital Patients Accidentally Donated to Charity
Jul26

Paperwork Containing PHI of Oklahoma Heart Hospital Patients Accidentally Donated to Charity

Oklahoma Heart Hospital has started notifying certain patients about a privacy incident in which paperwork containing limited patient information was accidentally donated to charity. A former employee had made handwritten notes which contained the protected health information of a limited number of patients during the course of that individual’s employment at Oklahoma Heart Hospital between 2011 and 2014. Some of the former employee’s personal possessions were donated to charity in May 2021, with the handwritten notes accidentally included in the donated items. Oklahoma Heart Hospital was contacted by the individual who found the notes and arrangements were immediately made to collect the paperwork. The documents were then cataloged to identify the patients involved and the types of information that had been exposed. The notes included information such as patients’ names, medical record numbers, OHH visit numbers, dates of birth, ages, admit dates, genders, and clinical information consisting of diagnosis, lab results, medications and/or treatment information. No information was...

Read More
UNC Health and Nebraska DHHS Report Phishing Attacks
Jul26

UNC Health and Nebraska DHHS Report Phishing Attacks

The Nebraska Department of Health and Human Services has announced a security incident involving the protected health information of clients of Aging Partners, a department of the City of Lincoln. The breach was discovered by the Lincoln Information Services Department on May 25, 2021. Employees had responded to phishing emails and disclosed credentials to their email accounts, which contained more than 46,000 emails. Assisted by a computer forensics company, it was determined that the email account was accessed by an unauthorized individual between May 18 and May 21. A review of the emails in the account confirmed some contained patient information such as names, addresses, dates of birth, phone numbers, Social Security numbers, dates of service, type/amount of service, and some health information such as diagnoses, care assessments, and medication lists. Emails also contained bank account numbers or other financial information of a limited number of individuals. 6,600 of the emails included the PHI of Aging Partners’ clients, although only 1,513 individuals have been affected....

Read More
Former Scripps Health Worker Charged Over HIPAA Violation in COVID-19 Unemployment Benefit Fraud Case
Jul23

Former Scripps Health Worker Charged Over HIPAA Violation in COVID-19 Unemployment Benefit Fraud Case

The Department of Justice has announced nine San Diego residents have been charged in two separate indictments in connection with the theft of patients’ protected information and the submission of fraudulent pandemic unemployment insurance claims. Under the Coronavirus Aid, Relief, and Economic Security (CARES) Act of 2020, new unemployment benefits were offered to individuals affected by the COVID-19 pandemic, who would not, under normal circumstances, qualify for payments. In one of the cases, Matthew Lombardo, a former Scripps Health employee, was charged with felony HIPAA violations for obtaining and disclosing the protected health information of patients to his alleged co-conspirators. Lombardo was also charged with conspiracy to commit wire fraud, along with three alleged co-conspirators – Konrad Piekos, Ryan Genetti, and Dobrila Milosavljevic. Piekos, Genetti, and Milosavljevic were also charged with aggravated identity theft and are alleged to have used the stolen information to submit fraudulent pandemic unemployment insurance claims. The San Diego Sheriff’s’...

Read More
June 2021 Healthcare Data Breach Report
Jul21

June 2021 Healthcare Data Breach Report

For the third consecutive month, the number of reported healthcare data breaches of 500 or more records increased. June saw an 11% increase in reported breaches from the previous month with 70 data breaches of 500 or more records reported to the HHS’ Office for Civil Rights – the highest monthly total since September 2020 and well above the average of 56 breaches per month over the past year. While the number of reported breaches increased, there was a substantial fall in the number of breached healthcare records, which decreased 80.24% from the previous month to 1,290,991 breached records. That equates to more than 43,000 breached records a day in June. More than 40 million healthcare records have been exposed or impermissibly disclosed over the past 12 months across 674 reported breaches. On average, between July 2020 and June 2021, an average of 3,343,448 healthcare records were breached each month. Largest Healthcare Data Breaches in June 2021 There were 19 healthcare data breaches of 10,000 or more records reported in June. Ransomware continues to pose problems for healthcare...

Read More
Email Account Breaches Reported by MultiPlan and Hawaii Independent Physicians Association
Jul20

Email Account Breaches Reported by MultiPlan and Hawaii Independent Physicians Association

The medical payment billing service provider MultiPlan has announced a breach of its email environment. On January 27, 2021, suspicious activity was identified in the email account of one of its employees. Action was immediately taken to terminate unauthorized access and the employee’s email credentials were changed. MultiPlan immediately launched an investigation to determine the nature and scope of the breach, with assistance provided by forensics experts. The investigation confirmed that the main purpose of the attack was to divert wire transfers from MultiPlan customers looking to pay invoices. The email account was compromised and used by the attacker to communicate with those customers regarding billing, and to attempt to divert payments to an account under their control. While protected health information does not appear to have been targeted in the attack, the compromised email account was found to contain the protected health information of 214,956 individuals. That information could have been viewed or obtained by the attacker between December 23, 2020 and January 27,...

Read More
Advocate Aurora Health, Jefferson Health, and Intermountain Healthcare Affected by Elekta Ransomware Attack
Jul20

Advocate Aurora Health, Jefferson Health, and Intermountain Healthcare Affected by Elekta Ransomware Attack

Three more healthcare providers have announced they have been affected by the recent ransomware attack on the Swedish radiation therapy and radiosurgery solution provider Elekta Inc. Elekta provides a cloud-based mobile application called SmartClinic, which is used by healthcare providers to access patient information for cancer treatments. Cybercriminals gained access to Elekta’s systems between April 2, 2021 and April 20, 2021 exfiltrated the SmartClinic database prior to deploying ransomware and encrypting files. The database contained the personal and protected health information (PHI) of patients of 42 healthcare systems in the United States. Elekta notified affected customers in May 2021. Advocate Aurora Health has recently announced that 68,000 of its patients across 7 sites in Illinois have been affected by the attack. The following types of PHI were acquired by the ransomware gang: names, addresses, dates of birth, height and weight measurements, Social Security numbers, driver’s license numbers, diagnosis information, treatment information, and appointment confirmations....

Read More
Sierra Nevada Primary Care Physicians Alerts Patients About Theft of PHI
Jul19

Sierra Nevada Primary Care Physicians Alerts Patients About Theft of PHI

Sierra Nevada Primary Care Physicians in California is alerting 1,717 patients about an incident involving the theft of some of their protected health information, including names and credit card information. On May 20, 2021, Sierra Nevada Primary Care Physicians was notified by the District Attorney’s office that two envelopes containing receipts from the practice had been found in the vehicle of a suspect. The receipts were for payments made by patients between January 1, 2019 and March 20, 2019. For individuals who paid in person at the front desk using a debit or credit card, the receipts contained the individual’s name, name of the practice, amount charged, and the last four digits of the card number. Receipts for payments made by individuals using a debit card or credit card by mail or over the phone included that individual’s name, debit/credit card number, expiry date, CVV code, signature, practice name, and amount charged. The District Attorney confirmed that the two envelopes and receipts were recovered and the perpetrators were arrested. Sierra Nevada Primary Care...

Read More
Lake County Health Department Notifies 25,000 Patients About Two Data Breaches
Jul19

Lake County Health Department Notifies 25,000 Patients About Two Data Breaches

The Lake County Health Department in Illinois has announced it has suffered two data breaches that potentially involved the personal and protected health information of around 25,000 patients. The first breach occurred in 2019 when a Lake County Health employee sent an unencrypted email from their work email account to an internal employee’s personal email account. The email had an attached spreadsheet of medical record requests dating from December 2016 to June 2019. The requests had been made through a third-party company which handled release of information requests for the Lake County Health Department. The spreadsheet included the names of 24,241 patients along with dates relevant to the vendor. Lake County Health discovered the breach on July 22, 2019; however, it took until July 2021 for notification letters to be sent to affected patients. The reason for the delay of almost two years was due to Lake County Health officials not believing notification letters were required, as no personal health information had been compromised; however, the Department of Health and Human...

Read More
30,000 Florida Blue Members Impacted by Brute Force Attack on Member Portal
Jul16

30,000 Florida Blue Members Impacted by Brute Force Attack on Member Portal

The protected health information of up to 30,063 members of Florida Blue (Blue Cross and Blue Shield of Florida) may have been viewed or obtained by unauthorized individuals in a brute force attack on the Florida Blue online member portal. Starting on June 8, 2021, unknown individuals conducted a brute force campaign using a large database of user identifiers and corresponding passwords that was available from online sources in an attempt to gain access to the portal. The database appears to have been compiled from data breaches at third party companies where username and password combinations had been compromised. Florida Blue reports that some of those automated attempts were successful and the attacker gained access to information contained in online member accounts. This information typically included names, contact information, claims information, payment information, health insurance policy information, and other personal information. While access to accounts was gained, Florida Blue found no evidence to suggest any information in those accounts was removed by the attacker....

Read More
Cyberattack on Florida Heart Associates Potentially Affects 45,000 Patients
Jul15

Cyberattack on Florida Heart Associates Potentially Affects 45,000 Patients

Florida Heart Associates is notifying 45,148 patients about a recent security breach in which their personal and protected health information may have been compromised. The security breach was detected on or around May 19, 2021, when unusual activity was spotted within certain networked computers. Steps were immediately taken to contain the breach and secure personal information and an investigation was launched to determine the nature and scope of the breach. Florida Heart Associates determined that its computer network was breached between May 9 and May 19, 2021. Security systems had been implemented prior to the breach which limited the impact of the intrusion; however, it is possible that the attackers gained access to servers on which patient information was stored. The impacted servers contained names, member identification numbers, dates of birth, Social Security numbers, and health insurance information, all of which may have been accessed. Florida Heart Associates said in its substitute breach notice that no indications have been received to suggest any information on the...

Read More
Over 200,000 Individuals Potentially Affected by ClearBalance Phishing Attack
Jul14

Over 200,000 Individuals Potentially Affected by ClearBalance Phishing Attack

San Diego, CA-based ClearBalance, a loan provider that helps patients spread the cost of their hospital bills, was the victim of a phishing attack on March 8, 2021 where employees were tricked into disclosing their login credentials. ClearBalance identified the email security breach on April 26, 2021 when the attacker attempted to make a fraudulent wire transfer. Steps were immediately taken to secure the email environment and prevent further unauthorized access, and the attempted wire transfer failed. No funds were transferred to the attacker’s account. A third-party computer forensic investigator was engaged to investigate the breach and to determine whether the attacker accessed or obtained any sensitive data. The investigator confirmed that the breach was limited to the email environment and no other systems were affected and that the unauthorized individual had been ejected from email accounts the day the breach was detected. The attacker was not able to gain access to the database that hosts the medical record systems of any healthcare providers; however, some sensitive data...

Read More
Wisconsin Dermatology Practice Reports Data Breach Affecting 2.41 Million Individuals
Jul12

Wisconsin Dermatology Practice Reports Data Breach Affecting 2.41 Million Individuals

Manitowoc, WI-based Forefront Management, LLC and Forefront Dermatology, S.C. discovered on June 4, 2021 that unauthorized individuals had gained access to its network and potentially viewed private and confidential employee and patient information. The affected systems were immediately taken offline to prevent further unauthorized access and an investigation was launched to determine the nature and scope of the attack. On June 24, 2021, Forefront determined that certain files stored on its network had been accessed and potentially obtained which contained the personal information of a limited number of Forefront employees, including their names and Social Security numbers. The investigation revealed its network was first breached on May 28, 2021 and access remained possible until June 4, 2021. During the course of the investigation, Forefront determined the unauthorized individual also accessed files that included the personal and protected health information of a limited number of current and former Forefront patients. Patient information potentially compromised in the attack...

Read More
Coastal Family Health Center Cyberattack Affects 62,000 Patients
Jul09

Coastal Family Health Center Cyberattack Affects 62,000 Patients

Coastal Family Health Center (CFHC), the fourth largest community health center in Mississippi, has started notifying patients about a May 13, 2021 cyberattack that involved some of their protected health information. CFHC said hackers attempted to shut down its computer operations; however, that attempt failed and CFHC was able to continue treating patients and providing services to the community. An investigation was immediately launched into the incident to determine how the attack occurred and whether any sensitive patient information was accessed by the hackers. On June 4, 2021 the investigation revealed some files accessed by the attackers contained the protected health information of patients, including names, addresses, Social Security numbers, health insurance information, and health and treatment information. Independent cybersecurity professionals were engaged to assist with improving the security of its systems and policies and procedures have been changed to prevent further breaches in the future. After determining current mailing addresses, notification letters were...

Read More
Ransomware Attacks Reported by 5 HIPAA Covered Entities and Business Associates
Jul07

Ransomware Attacks Reported by 5 HIPAA Covered Entities and Business Associates

Professional Business Systems, Inc. operating as Practicefirst Medical Management Solutions and PBS Medcode Corp, a provider of medical management services involving data processing for healthcare providers, has suffered a ransomware attack in which files containing patient information were obtained by the attackers. The ransomware attack was identified on December 30, 2020, and its systems were promptly shut down in an effort to contain the attack. Third-party cybersecurity experts were engaged to investigate the incident and law enforcement was notified. Practicefirst has not confirmed whether the ransom was paid but did say it received assurances from the attacker that the files copied from its systems have been destroyed and were not further disclosed. There have been no identified cases of misuse of patient information; however, all affected individuals have been advised to monitor their accounts for any sign of fraudulent activity. The types of patient information contained in the files differed from patient to patient and may have included the following data elements:  name,...

Read More
UW Health Discovers 4-Month Breach of Its MyChart Portal
Jul07

UW Health Discovers 4-Month Breach of Its MyChart Portal

University of Wisconsin Hospitals and Clinics Authority has reported a breach of its Epic MyChart portal which has affected 4,318 UW Health patients. Unusual activity was detected in the portal and an investigation was launched on April 20, 2021, to determine the nature and extent of the breach. The investigation ran until May 4, 2021, and determined unauthorized individuals had access to the portal for a period of around 4 months, with dates of access ranging from December 27, 2020 to April 13, 2021. UW Health said the individual had viewed the MyChart patient portal homepage which displays clinical information such as hospital admission dates, appointment reminders, care team, subject lines of messages from providers, and prompts to view new test results. Pages were also accessed that included some patient appointment and admission dates, demographic information such as names, addresses, phone numbers, and email addresses, health insurance and claims information, diagnoses, medications, and test results. Notification letters were sent to affected patients starting on June 18,...

Read More
PHI of Veterans with PTSD Potentially Compromised in OSU Data Breach
Jul06

PHI of Veterans with PTSD Potentially Compromised in OSU Data Breach

An Ohio State University (OSU) pilot program to help veterans recover from Post Traumatic Stress Disorder (PTSD) and other mental health issues was breached and the personal information of patients has been compromised, according to a recent NBC4 Investigates Report. The (OSU) Veterans Neuromodulation Operation Wellness (NOW) pilot program was shut down permanently on June 15, 2021, but prior to the closure, a data breach occurred. OSU explained in its notification letters to affected individuals that the breach was detected on April 24, 2021, and occurred between January 25, 2021, and March 4, 2021. NBC4 Investigates spoke with one veteran who received a June 14, 2021, notification letter from the Office of Compliance and Integrity informing him that his name, address, Social Security number, and medical history may have been compromised. It is currently unclear how many individuals have been affected by the breach. The Veterans Now Program was paused in March 2021 for a week, with the program’s lead doctor placed on leave. The program was then re-started without the lead doctor...

Read More
PHI Exposed in Email Incidents at Discovery Practice Management, One Medical, and Peoples Community Health Clinic
Jul06

PHI Exposed in Email Incidents at Discovery Practice Management, One Medical, and Peoples Community Health Clinic

Discovery Practice Management Notifies Individuals About June 2020 Email Incident Discovery Practice Management, a provider of administrative support services to Authentic Recovery Center and Cliffside Malibu facilities in California, has announced that unauthorized individuals gained access to the email environment it maintains for those facilities. Suspicious email activity was detected in the email environment on July 31, 2020. An investigation was launched which revealed there had been unauthorized logins to staff email accounts at both facilities between June 22, 2020 and June 26, 2020. The accounts were immediately secured and a third-party cybersecurity firm was engaged to investigate the breach but it was not possible to confirm whether protected health information in the accounts was viewed or exfiltrated. Protected health information potentially compromised included names, addresses, dates of birth, medical record numbers, patient account numbers, health insurance information, financial account/payment card information, Social Security numbers, driver’s license number,...

Read More
Kaseya KSA Supply Chain Attack Sees REvil Ransomware Sent to 1,000+ Companies
Jul05

Kaseya KSA Supply Chain Attack Sees REvil Ransomware Sent to 1,000+ Companies

A Kaseya KSA supply chain attack has affected dozens of its managed service provider (MSP) clients and saw REvil ransomware pushed out to MSPs and their customers. Kaseya is an American software company that develops software for managing networks, systems, and information technology infrastructure. The software is used to provide services to more than 40,000 organizations worldwide. The REvil ransomware gang gained access to Kaseya’s systems, compromised the Kaseya’s VSA remote monitoring and management tool, and used the software update feature to install ransomware. The Kaseya VSA tool is used by MSPs to monitor and manage their infrastructure. It is not clear when the ransomware gang gained access to Kaseya’s systems, but ransomware was pushed out to customers when the software updated on Friday July 2. The attack was timed to coincide with the July 4th holiday weekend in the United States, when staffing levels were much lower and there was less chance of the attack being detected and blocked before the ransomware payload was deployed. Fast Response Limited Extent of the Attack...

Read More
Dominion National Proposes $2 Million Settlement to Resolve Class Action Data Breach Lawsuit
Jul05

Dominion National Proposes $2 Million Settlement to Resolve Class Action Data Breach Lawsuit

Dominion National, a Virginia-based insurer, health plan administrator, and administrator of dental and vision benefits, has agreed to settle a class action lawsuit filed by victims of a 2.96 million-record data breach discovered in 2019. The investigation into the data breach was completed on April 24, 2019. Dominion National determined unauthorized individuals gained access to its servers which contained the personal and protected health information of health plan customers. Initially, the breach was thought to have affected 122,000 health plan members, but further investigations showed the protected health information of 2,964,778 individuals had potentially been compromised.  The investigation revealed the breach had started as early as August 25, 2010, with the types of data accessible including names, dates of birth, email addresses, member ID numbers, group numbers, subscriber numbers, and Social Security numbers. Individuals who enrolled online through the Dominion National website may also have had their bank account and routing number exposed. Providers were also affected...

Read More
Northwestern Memorial HealthCare and Renown Health Affected by Elekta Cyberattack
Jul02

Northwestern Memorial HealthCare and Renown Health Affected by Elekta Cyberattack

Chicago, IL-based Northwestern Memorial HealthCare and Reno, NV-based Renown Health have been affected by a cyberattack on one of their business associates. The data breach was discovered by Stockholm-based Elekta, which provides a software platform used for clinical radiotherapy treatment for cancer and brain disorders. Elekta issued a statement confirming its first-generation cloud-based storage system was accessed by unauthorized individuals, which affected a subset of customers in North America. Elekta has been working with law enforcement and third-party cybersecurity experts to determine exactly how the breach occurred and the nature and scope of the attack. Elekta started notifying affected healthcare providers in April 2021. Elekta’s investigation revealed its systems were compromised between April 2, 2021 and April 20, 2021. During that time the attackers accessed and exfiltrated a copy of a database that contained the information of oncology patients. The breach was confined to Elekta’s systems. The systems of its healthcare provider clients were not accessed at any...

Read More
University Medical Center of Southern Nevada Suffers REvil Ransomware Attack
Jul02

University Medical Center of Southern Nevada Suffers REvil Ransomware Attack

University Medical Center of Southern Nevada (UMC) has suffered a ransomware attack in which patient data was stolen. The medical center confirmed it identified suspicious activity within the hospital network in mid-June and took immediate action to contain the threat and restrict access to its servers. The investigation into the cyberattack is continuing and law enforcement has been notified. At this stage it appears that the attackers targeted a server that was used to store patient data. The investigation is still in the early stages, but UMC said it appears that clinical systems were not affected. UBM said it is working with the Las Vegas Metropolitan Police Department, the FBI, and third-party cybersecurity experts to determine the exact origin and scope of the breach. Any cyberattack that causes disruption to hospital operations has potential to result in considerable harm to patients. This is especially true for an attack on UMC, which runs the only Level 1 trauma center in Nevada. UMC said the fast action of its IT department helped to contain the breach, but that response...

Read More
Email Data Breaches Reported by UofL Health and Jawonio
Jun29

Email Data Breaches Reported by UofL Health and Jawonio

UofL Health has started notifying 42,465 patients that some of their protected health information (PHI) was sent to an incorrect external email address. The Louisville, KY healthcare system sent notification letters to affected patients on June 7, 2021 advising them about the exposure of some of their PHI. UofL Health was contacted the following day by the owner of the external domain and was provided with technical evidence that showed the emails had not been viewed by anyone and had been permanently deleted. Some patients whose PHI was exposed were offered complimentary identity theft protection services. While it has now been confirmed that PHI had not been viewed and is no longer accessible, UofL Health said any patient who was offered identity theft protection services will still be able to sign up for them free of charge. “We are relieved that our patients’ information is not at risk as a result of this incident, though we wish that information would have come to us sooner,” said UofL Health in a website notice to its patients. UofL Health did not state in its breach notice...

Read More
Ohio Hospital Worker Snooped on 7,300 Patient Records over 12 Years
Jun29

Ohio Hospital Worker Snooped on 7,300 Patient Records over 12 Years

A former employee of Aultman Health Foundation accessed 7,300 patient records without authorization for almost 12 years before the HIPAA violation was discovered. The employee was provided with access to patient records to fulfil duties related to coordinating patient care but was discovered to have accessed patient records when there was no legitimate work reason for doing so. The types of information accessed included patient names, addresses, dates of birth, health insurance information, diagnosis and treatment information, and Social Security numbers. Aultman said it suspended the employee’s access to patient records as soon as the privacy violation was uncovered, and an investigation was immediately launched to determine the nature and scope of the HIPAA violation. The investigation revealed the employee accessed patient records without authorization from September 14, 2009 until April 26, 2021. The employee was terminated for violating HIPAA and hospital policies. Aultman has started notifying patients whose records were viewed. Patient’s whose Social Security number was...

Read More
Former Cedar Rapids Hospital Employee Who Weaponized Ex-Boyfriend’s PHI Sentenced to Probation
Jun25

Former Cedar Rapids Hospital Employee Who Weaponized Ex-Boyfriend’s PHI Sentenced to Probation

A former Cedar Rapids Hospital employee has been sentenced to 5 years’ probation for wrongfully accessing and distributing the protected health information of her ex-boyfriend. Jennifer Lynne Bacor, 41, of Las Vegas, NV, was employed as a patient care technician at a Cedar Rapids hospital. The position gave her access to systems containing the individually identifiable information of patients. While she was authorized to access that information, she was only permitted to view the information of patients in order to complete her work duties. Bacor’s ex-boyfriend had visited the hospital on multiple occasions in 2017 to receive treatment. Bacor used her login credentials to access his medical records from October 2013 to September 2017 on multiple occasions between April and October 2017, when there was no legitimate work reason for doing so. Accessing the protected health information of an individual when there is no legitimate work purpose for doing so is a violation of the Health Insurance Portability and Accountability Act (HIPAA), for which criminal charges can be filed. Bacor...

Read More
Maximus Reports Breach Affecting 334,000 Medicaid Healthcare Providers
Jun24

Maximus Reports Breach Affecting 334,000 Medicaid Healthcare Providers

Ohio Medicaid has announced that its data manager, Maximus Corp, has experienced a data breach in which the personal information of Medicaid healthcare providers has been compromised. Maximus is a global provider of government health data services. Through the provision of those services the company had been provided with the personal information of Medicaid healthcare providers. On May 19, 2021, Maximus discovered a server that contained personal information provided to the Ohio Department of Medicaid (ODM) or to a Managed Care Plan had been accessed by unauthorized individuals between May 17 and May 19, 2021. Upon discovery of the breach, Maximus took the server offline to prevent any further unauthorized access and a leading third-party cybersecurity firm was engaged to assist with the investigation. The cybersecurity firm confirmed that the breach was confined to an application on the server and no other servers, applications, or systems were affected. No evidence was found to indicate any information within the application has been misused, although data theft could not be...

Read More
PHI of Up to 500,000 Individuals Potentially Stolen in Wolfe Eye Clinic Ransomware Attack
Jun24

PHI of Up to 500,000 Individuals Potentially Stolen in Wolfe Eye Clinic Ransomware Attack

Wolfe Eye Clinic, an operator of a network of eye health clinics throughout Iowa, has announced it was the victim of a ransomware attack on February 8, 2021. Hackers gained access to its systems and used ransomware to encrypt files. A ransom demand was issued for the keys to decrypt files, but the clinic refused to pay and opted to recover files from backups. As is now common in ransomware attacks, prior to file encryption the attackers exfiltrated data from Wolfe Eye Clinic systems. Wolfe Eye Clinic explained in its substitute breach notification letter that immediate action was taken to secure its network environment and independent IT security and forensic investigators were engaged to determine the scope and extent of the security breach. Due to the scale and complexity of the attack, it took until May 28, 2021 for the full scope of the security breach to be determined and to identify the information compromised in the attack. The forensic investigation concluded on June 8, 2021, when it was confirmed the attackers accessed and exfiltrated the data of current and former...

Read More
PHI of 38,000 Patients Stolen in Ransomware Attack on Reproductive Biology Associates
Jun24

PHI of 38,000 Patients Stolen in Ransomware Attack on Reproductive Biology Associates

The Georgia fertility clinic Reproductive Biology Associates has announced it suffered a ransomware attack in April in which files containing the personal and protected health information of approximately 38,000 patients were exfiltrated by the attackers. The attackers gained access to a file server containing embryology data on April 7, 2021, and ransomware was used to encrypt files on April 16, 2021. The files contained the PHI of patients of Reproductive Biology Associates and its affiliate My Egg Bank North America, which included full names, addresses, Social Security numbers, laboratory test results, and information related to the handling of human tissue. The investigation into the attack concluded on June 7, 2021. While it has not been officially confirmed whether the ransom was paid, Reproductive Biology Associates said the attackers have deleted all data stolen in the attack and all encrypted data have now been recovered. Reproductive Biology Associates has been monitoring online and dark web sites for signs of misuse or misappropriation of the stolen data and will...

Read More
Prominence Health Plan Data Breach Impacts up to 45,000 Individuals
Jun23

Prominence Health Plan Data Breach Impacts up to 45,000 Individuals

The Nevada health insurer Prominence Health Plan has announced it suffered a security breach on November 30, 2020 in which hackers potentially obtained the protected health information of some of its plan members. The data breach was discovered on April 22, 2021 and steps were immediately taken to prevent further unauthorized access, including changing the credentials used by the attacker to gain access to its network. While Prominence Health Plan has not confirmed whether this was a ransomware attack, all affected plan member data has been restored from backups. The incident involved audio recordings of phone calls to the Prominence call center along with PDF files that included provider claim forms and letters to patients advising them about claim approvals and denials. The audio files typically included full names, dates of birth, and member ID numbers, while the PDF files contained a member’s name, date of birth, sex, member ID number, mailing address, and claim code. The files included PHI of individuals who had been members between 2010 and 2020. Approximately 45,000...

Read More
San Juan Regional Medical Center Data Breach Affects 68,792 Patients
Jun23

San Juan Regional Medical Center Data Breach Affects 68,792 Patients

San Juan Regional Medical Center has recently notified tens of thousands of its patients about a security breach that occurred in the fall of 2020. The Farmington, NM medical center discovered its network had been accessed by an unauthorized individual on September 8, 2020. Prompt action was taken to prevent further unauthorized access and an investigation was launched to determine the nature and extent of the breach. The forensic investigation revealed the attacker exfiltrated files between September 7th and 8th, with a manual review of those files confirming they contained the protected health information of 68,792 patients. The types of information in the files varied from patient to patient and included names in combination with one or more of the following date elements: Dates of birth, Social Security numbers, driver’s license numbers, passport information, financial account numbers, health insurance information, diagnoses, treatment information, medical record numbers, and patient account numbers. While data theft was confirmed, no evidence has been found to indicate any of...

Read More
South Texas Health System and Atricure Report Email Incidents
Jun21

South Texas Health System and Atricure Report Email Incidents

South Texas Health System has notified 6,761 individuals about an accidental disclosure of some of their protected health information. South Texas Health System provides discharge instructions after patients receive medical care in its hospitals. Part of that process involves an employee generating and emailing a monthly report that identifies patients that have been discharged from its hospital emergency departments. South Texas Health System discovered on April 8, 2021 that an email with an attached November 2020 report was sent to an incorrect email address on April 7. Steps were taken to try to identify the recipient and get the email deleted, but that individual remains unknown and it is unclear whether the email has been opened, viewed, or deleted. The email attachment contained a list of patients discharged from its hospital emergency departments in November 2020, which included names, internal hospital visit numbers, date and time of discharge, whether discharge instructions were provided, and information about where the patients were discharged. The nature of the data in...

Read More
May 2021 Healthcare Data Breach Report
Jun18

May 2021 Healthcare Data Breach Report

May was the worst month of 2021 to date for healthcare data breaches. There were 63 breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights in May. For the past three months, breaches have been reported at a rate of more than 2 per day. The average number of healthcare data breaches per month has now risen to 54.67. May was also the worst month of the year in terms of the severity of breaches. 6,535,130 healthcare records were breached across those 63 incidents. The average number of breached healthcare records each month has now risen to 3,323,116. 17,733,372 healthcare records have now been exposed or impermissibly disclosed so far in 2021 and almost 40 million records (39.87M) have been breached in the past 12 months. Largest Healthcare Data Breaches Reported in April 2021 As was the case in April, there were 19 healthcare data breaches involving 10,000 or more records and 7 of those breaches involved 100,000 or more records. All but one of those breaches was a hacking incident or involved It systems being compromised by...

Read More
NorthWest Congenital Heart Care Reports Theft of Device Containing PHI of 1,166 Patients
Jun17

NorthWest Congenital Heart Care Reports Theft of Device Containing PHI of 1,166 Patients

Washington-based NorthWest Congenital Heart Care is alerting 1,166 patients that some of their protected health information has been acquired by an unauthorized individual. On May 7, 2021, an unauthorized third party entered the office of a single NWCHC physician and stole an external hard drive that was used for data backups. The theft was reported to law enforcement, but the hard drive has not been recovered. A review of the data backups revealed they contained patient information such as names, dates of birth, ages, medical and treatment information, dates of service, location of service, physician names, services requested, procedures performed, diagnosis codes, diagnosis and treatment descriptions, medical record numbers and, for one individual, health insurance information. To reduce the risk of future data breaches, NorthWest Congenital Heart Care will be eliminating the use of external hard drives for data backups. Superior HealthPlan Members Affected by Accellion Data Breach 2,781 members of Superior HealthPlan in Texas have been notified that some of their protected...

Read More
Arizona Asthma and Allergy Institute Notifies 70,372 Patients About Data Breach
Jun16

Arizona Asthma and Allergy Institute Notifies 70,372 Patients About Data Breach

Arizona Asthma and Allergy Institute has issued breach notification letters to 70,372 patients who received services between October 1, 2015 and June 15, 2020. According to the breach notice, a range of their personal and protected health information including names, patient ID numbers, provider names, health insurance information, and treatment cost information was exposed online under the name of a different organization for a brief period in September 2020. After being alerted about the exposed data, a third-party forensics company was engaged to investigate the breach. The investigation concluded on March 8, 2021 and confirmed that protected health information had been exposed. According to databreaches.net, which contacted Arizona Asthma and Allergy Institute to alert them about the breach, this was a ransomware attack by the Maze ransomware operation. Sensitive data obtained in the breach had been posted to the Maze Group’s data leak site for a short period in September under the name Medical Management Inc. Stillwater Medical Center Investigation Security Breach Stillwater...

Read More
SEIU 775 Benefits Group Data Breach Impacts 140,000 Individuals
Jun16

SEIU 775 Benefits Group Data Breach Impacts 140,000 Individuals

A benefits administrator for home healthcare and nursing home workers, Service Employees International Union 775 (SEIU 775) Benefits Group, has experienced a cyberattack that resulted in the deletion of sensitive data. IT staff detected anomalies within SEIU 775’s data systems on or around April 4, 2021, which included the deletion of certain data. An investigation was launched into the malicious activity, led by third-party cybersecurity experts and forensic consultants. The investigation confirmed that its systems had been hacked and the data of unknown individuals had been deleted, including personally identifiable and protected health information. While information was deleted, no evidence was found to indicate any PII or PHI was viewed or acquired by the attackers and there have been no reported cases of misuse of data. Data potentially compromised included names, addresses, and demographic data along with Social Security numbers and potentially health plan eligibility information. Upon discovery of the malicious activity, steps were immediately taken to prevent further...

Read More
Five Rivers Health Centers Phishing Attack Affects Almost 156,000 Patients
Jun11

Five Rivers Health Centers Phishing Attack Affects Almost 156,000 Patients

Ohio-based Five Rivers Health Centers has notified 155,748 patients that some of their protected health information was stored in email accounts that have been accessed by an unauthorized individual following a phishing attack. It is unclear when the breach was discovered, but Five Rivers Health Centers reports that following an extensive forensic investigation into the cyberattack and a manual document review, it discovered on March 31, 2021, that the breached email accounts contained patients’ personal and health information. The forensic investigation confirmed that the email accounts had been breached between April 1, 2020, and June 2, 2020. Notification letters were sent to affected patients on May 28, 2021 – More than a year after the first email accounts were breached. The types of protected health information in emails and attachments varied from patient to patient and may have included one or more of the following data elements:  Name, address, date of birth, medical record number, patient account number, diagnoses, treatment and/or clinical information, test results, lab...

Read More
Humana and Cotiviti Facing Class Action Lawsuit over 63,000-Record Data Breach
Jun10

Humana and Cotiviti Facing Class Action Lawsuit over 63,000-Record Data Breach

The Louisville, KY-based health insurance and healthcare provider Humana and its business associate Cotiviti are facing legal action over a data breach discovered in late December 2020. On May 26, 2021, a lawsuit was filed in the U.S. District Court for the Western District of Kentucky over the mishandling of Humana insurance plan members’ medical records. Humana had contracted with Cotiviti to handle medical records requests to send to the HHS’ Centers for Medicare and Medicaid Services (CMS). Cotiviti had subcontracted some of the work to Visionary Medical Systems Inc. According to the lawsuit, an employee of Visionary Medical Systems uploaded the private and confidential medical records of Humana members to a personal Google Drive account in order to provide medical coding training as part of a “personal coding business endeavor.” The medical records were copied to the Google Drive account between October 12 and December 16, 2020, and that account was publicly accessible. The actions of the employee violated HIPAA and the terms of the business associate agreement. Visionary...

Read More
Phishing Attack Affects Up to 34,862 Lafourche Medical Group Patients
Jun08

Phishing Attack Affects Up to 34,862 Lafourche Medical Group Patients

Lafourche Medical Group, a Louisiana-based urgent care center operator, has notified 34,862 patients about a security breach that potentially involved some of their protected health information. On March 30, 2021, Lafourche Medical Group learned that an external accountant had responded to a phishing email that spoofed one of the owners of Lafourche Medical Group and disclosed login credentials to the attacker. The compromised credentials were used to gain access to the group’s Microsoft 365 environment. A third-party IT company was engaged to assist with the investigation, but found no evidence to suggest its on-premise systems or cloud-based electronic medical record system were compromised; however, the credentials could have been used to view or download data from its Microsoft 365 environment, which contained some patient information. “Due to the size of the email system, we are unable to identify all potential patient information that may have been contained in the system,” explained Lafourche Medical Group in its substitute breach notice. Clinical information was not...

Read More
Risk and Compliance Firm Reports Breach of 47,035 Records
Jun04

Risk and Compliance Firm Reports Breach of 47,035 Records

The risk and compliance firm LogicGate has identified a security incident in which the protected health information of 47,035 individuals has potentially been compromised. LogicGate explained in breach notification letters that an unauthorized individual gained access to credentials for its Amazon Web Services cloud storage servers which are used to store backup files of customers that use its Risk Cloud platform. The Risk Cloud Platform is used by companies to identify and manage compliance risks and meet data protection and security standards. All backup files stored in AWS S3 buckets are encrypted, but the attacker was able to use the credentials to decrypt data. The backup files contained customer data that had been uploaded to their Risk Cloud environment prior to February 23, 2021. LogicGate said it did not identify any decrypt events associated with customers’ stored attachments. It is currently unclear whether any customer data was exfiltrated by the attacker and no details have been released about how the credentials were obtained. Hoboken Radiology Alerts Patients to...

Read More
Ransomware Attacks Affect Sturdy Memorial Hospital and UF Health
Jun04

Ransomware Attacks Affect Sturdy Memorial Hospital and UF Health

Sturdy Memorial Hospital in Attleboro, MA is notifying 57,379 patients about a computer security incident that occurred on February 9, 2021 in which patient data was stolen. According to the hospital’s breach notice, an unauthorized individual gained access to its systems but the hospital secured those systems later that day. The individual demanded a ransom payment to prevent the exposure/sale of data stolen in the attack. The hospital took the decision to pay the ransom and received assurances all stolen data would be permanently destroyed and would not be further disclosed. It is unclear whether this was simply a data theft incident or whether ransomware had been used in the attack. Third party computer forensics experts were engaged to investigate the breach, and a review was conducted to determine what patient data was compromised. The review was completed on April 21, 2021 and all affected individuals started to be notified on May 28, 2021. Sturdy Memorial Hospital said that in addition to its own patients, some patient data from other healthcare provider partners –...

Read More
147,000 Patients Affected by Scripps Health Ransomware Attack
Jun03

147,000 Patients Affected by Scripps Health Ransomware Attack

Scripps Health, the second largest healthcare provider in San Diego, has started sending breach notification letters to 147,267 patients to inform them that some of their personal and health information was stolen in a May 1, 2021 ransomware attack. The attack forced Scripps Health to adopt its EHR downtime procedures with its systems offline. Staff at its medical offices and hospitals were forced to work with paper charts while systems were restored and data was recovered. That process has taken almost a month, during which time access to important patient information such as test results was prevented. Scripps Health only regained the ability to create new records last week when the MyScripps patient portal was brought back online. The attack affected many of the healthcare provider’s care sites and caused disruption to operations at two of its four hospitals. Scripps Health took the decision to divert some critical patients to other facilities, with all four of its main hospitals placed on emergency care diversion for stroke, heart attack, and trauma patients. Some non-urgent...

Read More
Diabetes, Endocrinology & Lipidology Center Pays $5,000 to Resolve HIPAA Right of Access Case
Jun02

Diabetes, Endocrinology & Lipidology Center Pays $5,000 to Resolve HIPAA Right of Access Case

The HHS’ Office for Civil Rights has announced a settlement has been reached with The Diabetes, Endocrinology & Lipidology Center, Inc. (DELC) that resolves a potential HIPAA Right of Access violation. This is the 8th financial penalty to be announced in 2021 to resolve violations of the HIPAA Rules, and the 19th settlement under OCR’s HIPAA Right of Access enforcement initiative that was launched in the fall of 2019. DELC is a West Virginia-based healthcare provider specializing in treating endocrine disorders. In August 2019, OCR received a complaint that alleged DELC had failed to respond to a request for a copy of protected health information in a timely manner. The HIPAA Privacy Rule requires a copy of an individual’s protected health information contained in a designated record set to be provided within 30 days of a request being received. In this case, the complainant wanted a copy of her minor child’s protected health information and DELC had failed to provide those records within the allowed 30 days. OCR notified DELC on October 30, 2019 about the investigation into...

Read More
More than 3.2 Million Individuals Affected by 20/20 Hearing Care Network Data Breach
Jun02

More than 3.2 Million Individuals Affected by 20/20 Hearing Care Network Data Breach

The 20/20 Hearing Care Network has started notifying millions of current and former members that some of their protected health information (PHI) has potentially been compromised and/or deleted. On January 11, 2021, suspicious activity was detected in its AWS cloud storage environment. Steps were immediately taken to prevent further unauthorized access and an investigation was launched to determine the nature and scope of the security breach. Third party forensics experts assisted with the investigation and confirmed that S3 buckets hosted in AWS had been accessed, data in those buckets downloaded, and then all data in the S3 buckets was deleted. The forensic investigation confirmed in late February that some of the data downloaded and deleted from the storage environment included PHI for some or all health plan members for whom records were held. While data theft was confirmed, it was not possible to tell exactly which information had been accessed or removed from the S3 buckets. The types of data potentially obtained in the attack included names, Social Security numbers, dates of...

Read More
Ransomware Attacks Affect Community Access Unlimited and CareSouth Carolina Patients
May28

Ransomware Attacks Affect Community Access Unlimited and CareSouth Carolina Patients

Hartsville, SC-based CareSouth Carolina has notified 76,035 patients that some of their protected health information has potentially been compromised in a ransomware attack on its IT vendor, Netgain Technologies. CareSouth Carolina was informed by Netgain on January 14, 2021 that the company had experienced a ransomware attack in December 2020, and the attackers had access to servers containing patient data from late November, some of which was exfiltrated prior to the use of ransomware. On April 13, 2021, Netgain provided CareSouth Carolina with a copy of the data that was potentially compromised. CareSouth Carolina conducted a review of the data and on April 27, 2021 confirmed the dataset included patient names, date of birth, address, diagnosis/conditions, lab results, medications, and other clinical information. For a small number of patients, Social Security numbers were involved. The attackers issued a ransom demand to Netgain and threatened to sell the stolen data if payment was made. Netgain took the decision to pay the ransom and received assurances that the stolen data...

Read More
4 More Healthcare Organizations Announce Patients Affected by Recent Ransomware Attacks
May27

4 More Healthcare Organizations Announce Patients Affected by Recent Ransomware Attacks

In the wake of the ransomware attack on Colonial Pipeline, some ransomware gangs such as REvil and Avaddon claimed that they have implemented new rules that require their affiliates to obtain authorization prior to attacking a target, and that attacks on healthcare organizations had been banned. However, many ransomware-as-a-service operations have not implemented restrictions and healthcare providers are still being targeted. Recently, 4 more healthcare organizations have been confirmed as falling victim to attacks. San Diego Family Care San Diego Family Care (SDFC) in California has confirmed it has been affected by a ransomware attack in December 2020. SDFC and its business associate Health Center Partners of Southern California (HCP) were impacted by a ransomware attack on their information technology hosting provider, Netgain Technologies. Netgain Technologies reportedly paid a $2.3 million ransom to obtain the keys to unlock the encrypted files and notified SDFC and HCP on January 20, 2021 that the protected health information of their patients had been compromised. SDFC and...

Read More
ZocDoc Says Programming Error Resulted in Exposure of Patient Data
May26

ZocDoc Says Programming Error Resulted in Exposure of Patient Data

ZocDoc, a New York-based provider of a platform that allows prospective patients book appointments with doctors and dentists, has discovered a bug in its software that allowed patient data to be accessed by medical and dental practices when access should have been restricted. The investigation revealed programming errors had occurred that meant from August 2020 until the errors were discovered and corrected, certain past and current practice staff members had access the provider portal, when their accounts should have been either decommissioned, deleted, or been limited. In all cases, the individuals who could have accessed patient data improperly were healthcare providers and are therefore bound to maintain the privacy and security of patient data. ZocDoc said there is no evidence to suggest there have been any further disclosures of patient data. Patient data potentially accessed included names, email addresses, phone numbers, appointment histories with the practice, insurance information, Social Security numbers, and medical information provided by individuals in connection with...

Read More
Rehoboth McKinley Christian Health Care Services Notifies Patients about February 2021 Ransomware Attack
May21

Rehoboth McKinley Christian Health Care Services Notifies Patients about February 2021 Ransomware Attack

Gallup, NM-based Rehoboth McKinley Christian Health Care Services (RMCHCS) has announced it was the victim of a ransomware attack in February 2021 in which patient data was exfiltrated. The Conti ransomware gang struck in February and stole a range of sensitive data, including job application data, background check information, staff reports, and the protected health information of patients. A sample of the stolen files was uploaded to the Conti data leak site to pressure the healthcare provider into paying the ransom. The data is no longer listed on the leak site, but it is unclear whether the ransom was paid. RMCHCS discovered on February 16, 2021 that patient data had been stolen by the ransomware group. RMCHSC engaged a third-party computer forensics firm to investigate the attack and determined the attackers exfiltrated data between January 21 and February 5, 2021. A review of the files potentially accessed by the hackers was completed on April 30, 2021 and notification letters were sent to those individuals. RMCHCS said the data potentially accessed included names, addresses,...

Read More
Health Plan of San Joaquin Email Security Breach Affects 420,433 Individuals
May21

Health Plan of San Joaquin Email Security Breach Affects 420,433 Individuals

Health Plan of San Joaquin (HPSJ), a non-profit Medi-Cal managed care provider based in French Camp, CA, has discovered an unauthorized individual has gained access to its email system and potentially accessed or obtained sensitive data. A potential email breach was suspected on or around October 12, 2020 when anomalous activity was identified in the email system. HPSJ determined on October 23, 2020 that multiple employee email accounts had been remotely accessed by an unauthorized individual. A password reset was performed on all affected email accounts to prevent further access, and the investigation confirmed that unauthorized access to email accounts occurred between September 26, 2020 and October 12, 2020. Following any email system breach, all emails in the compromised accounts must be checked to determine whether they contain any sensitive data. That can be a labor-intensive and time-consuming process. In this case, the process involved a programmatic and painstaking manual review, which revealed that the compromised email accounts contained the protected health information...

Read More
New England Dermatology Discovers Specimen Bottles Disposed of Incorrectly for 10 Years
May21

New England Dermatology Discovers Specimen Bottles Disposed of Incorrectly for 10 Years

New England Dermatology has started notifying 58,106 patients about the exposure of some of their protected health information. In an April 30, 2021 breach notice, New England Dermatology explained the privacy breach was due to the improper disposal of specimen bottles by its in-house pathology laboratory. The lab should have been sending the specimen bottles for shredding or incineration since the specimen bottles had printed labels that included patient data covered by the HIPAA Rules; however, they were discarded as regular trash. The information on the bottles included patients’ first and last names, birth dates, dates of specimen collection, name of provider who took the specimen, and body part from which the specimen was taken. No other information was included on the labels. The regular trash, including the specimen bottles, was collected by a waste contractor that serviced the building and was sent to landfill. The improper disposal dated back to February 4, 2011 and continued until the HIPAA violation was discovered on March 31, 2021. Any individual whose specimen(s) was...

Read More
PHI of up to 50,000 Patients of Arizona Asthma and Allergy Institute Exposed Online
May20

PHI of up to 50,000 Patients of Arizona Asthma and Allergy Institute Exposed Online

Arizona Asthma and Allergy Institute in Peoria, AZ has discovered the protected health information of up to 50,000 patients has been temporarily exposed online and could potentially have been accessed by an unauthorized individual. The affected patient data had been exposed for a brief period in September 2020 under the name of a different organization. Upon discovery of the security incident, a third-party computer forensics firm was engaged to investigate and determine the scope of the security breach and the extent to which patient data had been affected. The investigation confirmed on March 8, 2021 that the types of data exposed included first and last names, patient identification numbers, provider names, health insurance information, and treatment cost information. Affected patients had received medical services from the Arizona Asthma and Allergy Institute between October 1, 215 and June 15, 2020. While the exposure of data was confirmed, no evidence was found to indicate any patient data has been misused; however, affected patients have been advised to monitor their...

Read More
UHS Data Breach Lawsuit Allowed to Proceed but only for Patient Whose Surgery was Cancelled
May19

UHS Data Breach Lawsuit Allowed to Proceed but only for Patient Whose Surgery was Cancelled

A lawsuit filed against Universal Health Services (UHS) following a 2020 data breach has been allowed to proceed; however, only for one of the patients named on the lawsuit. UHS operates around 400 hospitals and care centers in the United States and the United Kingdom. In September 2020, UHS suffered a ransomware attack in which sensitive data was exfiltrated. The Ryuk ransomware gang threatened to release the stolen data on a leak site if the ransom was not paid, although the UHS investigation found no evidence of any data misuse. The attack affected all 400 UHS care sites and caused significant disruption, with IT systems finally being brought back online a month after the attack. UHS was forced to postpone some scheduled appointments as a result of the attack. A lawsuit was filed in the U.S. District Court, Eastern District of Pennsylvania by the law firm Morgan & Morgan naming three patients as plaintiffs – Graham v. Universal Health Service Inc. The lawsuit alleged negligence, breach of implied contract, breach of fiduciary duty, and breach of confidence. Two of the...

Read More
April 2021 Healthcare Data Breach Report
May18

April 2021 Healthcare Data Breach Report

April was another particularly bad month for healthcare data breaches with 62 reported breaches of 500 or – the same number as March 2021. That is more than 2 reported healthcare data breaches every day, and well over the 12-month average of 51 breaches per month. High numbers of healthcare records continue to be exposed each month. Across the 62 breaches, 2,583,117 healthcare records were exposed or compromised; however, it is below the 12-month average of 2,867,243 breached records per month. 34.4 million healthcare records have now been breached in the past 12 months, 11.2 million of which were breached in 2021. Largest Healthcare Data Breaches Reported in April 2021 There were 19 reported data breaches in April that involved more than 10,000 records, including 7 that involved more than 100,000 records with all but one of the top 10 data breaches due to hacking incidents. Ransomware attacks continue to occur at high levels, with many of the reported attacks affecting business associates of HPAA-covered entities. These incidents, which include attacks on Netgain Technologies,...

Read More
140,000 SEIU 775 Benefits Group Members’ PHI Potentially Compromised
May17

140,000 SEIU 775 Benefits Group Members’ PHI Potentially Compromised

SEIU 775 Benefits Group in Washington has notified approximately 140,000 of its members that some of their protected health information has been exposed. Around April 4, 2020, SEIU 775 Benefits Group’s IT team detected anomalous activity within the group’s data systems, including the apparent deletion of certain data files. Third party digital forensics experts were engaged to assist with the investigation and confirmed that systems had been accessed by an unauthorized individual who deleted certain files that contained personally identifiable and protected health information. The forensics experts found no evidence to indicate any protected health information was downloaded or viewed and no reports have been received that suggest there has been any misuse of PHI. The types of information potentially accessed was limited to names, addresses, and Social Security numbers, with health plan eligibility or enrollment information also potentially compromised. Affected individuals have been offered complimentary credit monitoring and identity theft protection services through Kroll for 12...

Read More
Verizon: Healthcare Phishing and Ransomware Attacks Increase while Insider Breaches Fall
May14

Verizon: Healthcare Phishing and Ransomware Attacks Increase while Insider Breaches Fall

2020 was certainly not a typical year. The pandemic placed huge pressures on IT security teams and businesses were forced to rapidly accelerate their digital transformation plans and massively expand their remote working capabilities. Cyber actors seized the opportunities created by the pandemic and exploited vulnerabilities in security defenses to gain access to business networks and sensitive data. In 2020, phishing and ransomware attacks increased, as did web application attacks, according to the recently published Verizon 2021 Data Breach Investigations Report. The report provides insights into the tactics, techniques and procedures used by nation state actors and cybercriminal groups and how these changed during the pandemic. To compile the Verizon 2021 Data Breach Investigations Report, the researchers analyzed 79,635 incidents, of which 29,207 met the required quality standards and included 5,258 confirmed data breaches in 88 countries – one third more data breaches than the previous year’s DBIR. 2020 saw an 11% increase in phishing attacks, with cases of misrepresentation...

Read More
Records of 200,000 Military Veterans Exposed Online
May13

Records of 200,000 Military Veterans Exposed Online

A database containing the personal and protected health information of almost 200,000 U.S. military veterans has been discovered to be accessible online by security researcher Jeremiah Fowler. The database was identified on April 18, 2021 and a review identified references to a company called United Valor Solutions. Jacksonville, NC-based United Valor Solutions is a contractor of the Department of Veterans Affairs (VA) that provides disability evaluation services for the VA and other government agencies. The database – which contained veterans’ names, dates of birth, contact information, medical information, appointment information, unencrypted passwords, and billing information – could be accessed without a password. The database could have been viewed and downloaded by anyone and information in the database altered or deleted. Fowler notified United Valor Solutions about the exposed data breach. The company replied the following day confirming the exposed database had been reported to its contractors and public access had been shut down. It is unclear for how long the...

Read More
University of Florida Health Shands Employee Accessed PHI Without Authorization for 2 Years
May12

University of Florida Health Shands Employee Accessed PHI Without Authorization for 2 Years

University of Florida Health Shands has discovered a former employee has accessed the medical records of 1,562 patients without authorization. The HIPAA violations were discovered on April 7, 2021 and the employee’s access to medical records was immediately terminated pending an investigation. The investigation confirmed the employee had been accessing patient medical records without a work reason for doing so from March 30, 2019 to April 6, 2021. The types of information that could have been viewed included names, addresses, phone numbers, birth dates, and lab test results, but no Social Security numbers, financial information, or health insurance information was compromised. University of Florida Health Shands does not believe any PHI has been stolen or further disclosed; however, out of an abundance of caution, affected individuals have been offered one year of complimentary credit monitoring services. Third Party Breach Affects St. Paul’s PACE Patients Community Eldercare of San Diego, dba St. Paul’s PACE, has been affected by a breach at one of its vendors. PeakTPA is a...

Read More
Ransomware Attack on New York Medical Group Impacts 330K Patients
May11

Ransomware Attack on New York Medical Group Impacts 330K Patients

The New York medical group practice, Orthopedic Associates of Dutchess County, has announced the protected health information of certain patients was potentially stolen in a recent cyberattack. The security incident was detected on March 5, 2021 when suspicious activity was identified in its systems. An investigation into the incident confirmed its systems had been accessed by unauthorized individuals on or around March 1, 2021. The attackers gained access to certain systems and encrypted files and issued a ransom demand for the keys to unlock the encrypted files. The attackers claimed they had stolen sensitive data prior to the encryption of files, although it was not possible to determine which files had been stolen. A review of the systems accessed by the attackers revealed they contained files that included protected health information such as names, addresses, contact telephone numbers, email addresses, emergency contact information, diagnoses, treatment information, medical record numbers, health insurance information, payment details, dates of birth, and Social Security...

Read More
CaptureRx Ransomware Attack Affects Multiple Healthcare Provider Clients and 1,919,938 Individuals
May07

CaptureRx Ransomware Attack Affects Multiple Healthcare Provider Clients and 1,919,938 Individuals

NEC Networks, dba CaptureRx, a San Antonio, TX-based provider of 340B administrative services to healthcare providers, has suffered a ransomware attack in which files containing the protected health information of customers’ patients were stolen. The security breach was detected on February 19, 2021, with the investigation confirming unauthorized individuals had accessed and acquired files containing sensitive data on February 6, 2021. A review of those files was completed on March 19, 2021 and affected healthcare provider clients were notified between March 30 and April 7, 2021. CaptureRx has since been working with the affected healthcare providers to notify all individuals affected. The types of data exposed and acquired by the attackers was limited to names, dates of birth, prescription information and, for a limited number of patients, medical record numbers. CaptureRx had security systems in place to ensure the privacy and security of healthcare data, but the attackers had managed to bypass those protections. Following the attack, policies and procedures were reviewed and...

Read More
Network Intrusions and Ransomware Attacks Overtake Phishing as Main Breach Cause
May06

Network Intrusions and Ransomware Attacks Overtake Phishing as Main Breach Cause

Network intrusion incidents have overtaken phishing as the leading cause of healthcare data security incidents, which has been the main cause of data breaches for the past 5 years. In 2020, 58% of the security incidents dealt with by BakerHostetler’s Digitial Assets and Data Management (DADM) Practice Group were network intrusions, most commonly involving the use of ransomware. This is the 7th consecutive year that the BakerHostetler 2021 Data Security Incident Response (DSIR) Report has been published. The report provides insights into the current threat landscape and offers risk mitigation and compromise response intelligence to help organizations better defend against attacks and improve their incident response. The report is based on the findings of more than 1,250 data security incidents managed by the company in 2020, which included a wide variety of attacks on healthcare organizations and their vendors. Ransomware attacks are now the attack method of choice for many cybercriminal organizations and have proven to be very profitable. By exfiltrating data prior to encryption,...

Read More
Lawmakers Call for Investigation into Breach of the Contact Tracing Data of 72,000 Pennsylvanians
May05

Lawmakers Call for Investigation into Breach of the Contact Tracing Data of 72,000 Pennsylvanians

Lawmakers in the Commonwealth of Pennsylvania are calling for an investigation into a data breach involving the contact tracing information of 72,000 Pennsylvanians after it was discovered that sensitive information was being shared via unauthorized channels without the necessary security protections. Insight Global is an Atlanta-based firm that has been assisting the Commonwealth of Pennsylvania with COVID-19 contact tracing during the pandemic. Several individuals employed by Insight Global were discovered to have created and shared unauthorized copies of documents with each other in the course of conducting their contact tracing duties. Documents and spreadsheets were shared via non-secure channels such as personal Google accounts, which meant sensitive data were sent to servers outside the control of the state or Insight Global. Insight Global announced the breach on April 29, 2021 and said in its substitute breach notice that the data related to contract tracing of individuals between September 2020 and April 21, 2021. An investigation into the breach has been launched and...

Read More
Ransomware Attack on Scripps Health Disrupts Patient Care
May04

Ransomware Attack on Scripps Health Disrupts Patient Care

The San Diego-based healthcare provider Scripps Health suffered a cyberattack on May 1, 2021 which forced it to take its information technology systems offline. Scripps Health operates four hospitals in the San Diego area and has been able to continue to provide care to patients; however, stroke, heart attack, and trauma patients seeking emergency treatment at all four of its hospitals in Encinitas, La Jolla, San Diego, and Chula Vista were diverted to alternative facilities as a precautionary measure. Scripps Health issued a statement confirming its outpatient urgent care centers, Scripps HealthExpress locations, and emergency departments do remain open, and staff are continuing to care for patients. While information technology systems are down, including its online portal, Scripps Health is operating on established backup processes and is using offline documentation methods. Patient safety has not been put at risk. It is unclear when it will be possible to bring systems back online, so the decision has been taken to postpone some patient appointments for Monday and later this...

Read More
Health Aid of Ohio Security Incident Affects up to 141,00 Individuals
May04

Health Aid of Ohio Security Incident Affects up to 141,00 Individuals

Health Aid of Ohio, a Parma, OH-based full-service home medical equipment provider, has discovered unauthorized individuals gained access to its systems and exfiltrated some files from its network. The breach was detected on February 19, 2021 when suspicious network activity was detected. Action was quickly taken to eject the attackers from the network and secure all patient data. An investigation into the breach confirmed that files were accessed and exfiltrated from Health Aid’s systems, but it was not possible to determine exactly which files had been removed from its systems. It is possible that some of the exfiltrated files contained the protected health information of VA plan members. That information potentially included names, addresses, telephone numbers, and details of the type of equipment delivered to houses or was repaired in individuals’ homes. The protected health information of individuals who received services through their insurance carrier or healthcare provider included names, telephone numbers, dates of birth, Social Security numbers, insurance information,...

Read More
Californian Healthcare Provider Discovers Patient Data was Exposed on the Internet for Over a Year
Apr30

Californian Healthcare Provider Discovers Patient Data was Exposed on the Internet for Over a Year

Doctors Medical Center of Modesto (DCM) in California has discovered a contractor used by a former vendor accidentally exposed patient data over the Internet. DCM had contracted with the SaaS platform provider Medifies to provide virtual waiting room services. On April 2, 2021, DCM discovered the data of some of its patients was accessible over the Internet. DCM contacted Medifies about the exposed data and the issue was corrected the same day and the data was secured. The investigation into the breach confirmed an error had been made when performing a software update which allowed the data to be accessed via the Internet. The error was made by a Medifies software development contractor. The software update that made the information accessible occurred in December 2019, which meant patient data had been exposed online for more than a year, during which time it is possible that it was found and viewed by unauthorized individuals. No evidence was found to suggest any of the exposed information was viewed by unauthorized individuals. The exposed data varied from patient to patient and...

Read More
Einstein Healthcare Network Facing Class Action Lawsuit over 2020 Phishing Attack
Apr29

Einstein Healthcare Network Facing Class Action Lawsuit over 2020 Phishing Attack

The Philadelphia-based health system, Einstein Healthcare Network, is facing a class action lawsuit over an August 2020 phishing attack that resulted in multiple employee email accounts being accessed by an unauthorized individual. Einstein Healthcare is a non-profit health system that operates four hospitals – Einstein Medical Center Philadelphia, Elkins Park Hospital, MossRehab in Elkins Park, and Einstein Medical Center Montgomery –   and multiple outpatient and primary care clinics throughout the greater Philadelphia area. The investigation into the breach determined the email accounts were subjected to unauthorized access for 12 days between August 5 and August 17, 2020. A review of the compromised email accounts revealed they contained the protected health information of 353,616 patients, including names, dates of birth, account/medical record numbers, medical information such as diagnosis and treatment information and, for some individuals, Social Security numbers and health insurance information. Patients affected by the breach were notified by mail starting October...

Read More
PHI of 31,000 Individuals Potentially Compromised in River Springs Health Plans Phishing Attack
Apr29

PHI of 31,000 Individuals Potentially Compromised in River Springs Health Plans Phishing Attack

An unauthorized individual gained access to the email account of an employee of River Springs Health Plans and installed malware which potentially allowed the contents of the email account to be exfiltrated. The employee responded to the phishing email on September 14, 2020. The malware was detected and removed the following day and the email account was secured. A leading forensics firm was retained to assist with the investigation and determine whether any sensitive information was accessed or obtained by the attackers. No evidence was found which suggested any member data had been exfiltrated, but data theft could not be ruled out. A comprehensive review of the affected account revealed on February 17, 2021 that the protected health information of 31,195 River Springs Health Plans members was stored in the email account. The types of information in the account varied from individual to individual and may have included the following information: First and last names, dates of birth, member ID, Medicare ID, Medicaid ID, Social Security number, and references to medical information...

Read More
Wyoming Department of Health Announces GitHub Data Breach Affecting 1/4 of Wyomingites
Apr28

Wyoming Department of Health Announces GitHub Data Breach Affecting 1/4 of Wyomingites

The Wyoming Department of Health (WDH) has discovered the protected health information of 164,021 individuals has been accidentally exposed online due to an error by a member of its workforce. On March 10, 2021, WDH discovered an employee had uploaded files containing medical test result data to private and public repositories on the software development platform GitHub. While security controls are in place to protect users’ privacy, an error by the employee meant the data could potentially have been accessed by individuals unauthorized to view the information from January 8, 2021. In total 53 files were uploaded to the platform that included COVID-19 and influenza test result data, along with one file that contained breath alcohol test results. The exposed information included patient IDs, dates of birth, addresses, dates of service, and test results. The COVID-19 test result data had been reported to WDH for Wyoming residents, although the tests themselves may have been performed anywhere in the United States between January 2020 and March 2021. The alcohol test results related...

Read More
Ransom Payment Increase Driven by Accellion FTA Data Exfiltration Extortion Attacks
Apr28

Ransom Payment Increase Driven by Accellion FTA Data Exfiltration Extortion Attacks

The increase in ransomware attacks in 2020 has continued in 2021 with healthcare one of the most targeted industries, according to the latest Coveware Quarterly Ransomware Report. Healthcare ransomware attacks accounted for 11.6% of all attacks in Q1, 2021, on a par with attacks on the public sector and second only to attacks on firms in professional services (24.9%). While ransom demands declined in Q4, 2020, that trend abruptly stopped in Q1, 2021 with the average ransom payment increasing by 43% to $220,298 and the median ransom payment up 59% to $78,398. The increase in payments was not due to ransomware attacks but data exfiltration extortion attacks by the Clop ransomware gang. The Clop ransomware gang exploited two zero-day vulnerabilities in the Accellion legacy File Transfer Appliance, exfiltrated customers’ data, then threatened to publish the stolen data if the ransom was not paid. When victims refused to pay, the stolen data were leaked on the Clop ransomware data leak site. These attacks show that file encryption is not always necessary, with the threat of publication...

Read More
Phishing Attack on Home Medical Equipment Provider Affects 153,000 Individuals
Apr27

Phishing Attack on Home Medical Equipment Provider Affects 153,000 Individuals

The protected health information of 153,013 individuals has potentially been compromised in an email security breach at HME Specialists LLC, dba Home Medical Equipment Holdco. HME Specialists discovered suspicious activity in its email system and immediately secured all affected accounts and engaged a specialist cybersecurity company to conduct a forensic investigation to determine the extent and nature of the breach. The cybersecurity firm confirmed on March 11, 2021 that certain compromised email accounts contained protected health information and that the accounts had been accessed by unauthorized individuals between June 24 and July 14, 2020. The accounts contained information such as names, dates of birth, diagnosis and/or other clinical information, along with limited Social Security numbers, driver’s license numbers, credit card numbers, account information and usernames and passwords. No specific evidence was found to suggest any information in the compromised accounts was acquired by the attackers or has been misused. Affected individuals for whom a current address was...

Read More
Radiation Treatments Disrupted After Cyberattack on Software Vendor
Apr27

Radiation Treatments Disrupted After Cyberattack on Software Vendor

The Swedish oncology and radiology system provider Elekta is recovering from a cyberattack that forced it to take its first-generation cloud-based storage system offline on April 20, 2021. While the company has confirmed it has suffered a security breach, details about the exact nature of the attack have yet to be released. It is unclear what type of malware was used in the attack, but ransomware is suspected. The cloud-based storage system was taken offline to contain the threat. Elekta said only a subset of customers in the United States that use its software have been affected and are experiencing a service outage as a result of the cloud-based systems being taken offline. Elekta is in the process of migrating those customers to its new Microsoft Azure cloud and the company is working around the clock to complete that process. All affected customers have been notified; however, few details about the incident have been made public so as not to compromise the internal and law enforcement investigations, but Elekta reports that the threat has now been fully contained....

Read More
Manquen Vance Email Breach Impacts 7,018 Patients
Apr26

Manquen Vance Email Breach Impacts 7,018 Patients

The Michigan-based group health plan broker and consultancy firm Manquen Vance – formerly Cornerstone Municipal Advisory Group – is alerting 7,018 individuals about a potential breach of their personal and health information. An investigation was launched on November 16, 2020 when the firm identified suspicious activity in the email account of an employee. Manquen Vance determined that the account was accessed by unauthorized individuals between November 1 and 16. No other email accounts were compromised. While it is possible that emails and attachments containing sensitive information were viewed or copied, no specific evidence was found to suggest that was the case. The delay in issuing notifications was due to the time-consuming process of checking every email in the account for sensitive information. That process was completed on February 2, 2021 and confirmed that members’ names, health insurance information, and Social Security numbers had potentially been compromised. Manquen Vance has since taken steps to improve email security to prevent similar breaches in the...

Read More
Data Breaches Reported by VEP Healthcare and the American College of Emergency Physicians
Apr21

Data Breaches Reported by VEP Healthcare and the American College of Emergency Physicians

The American College of Emergency Physicians (ACEP) has started alerting certain members that some of their personal information was stored on a server that was accessed by unauthorized individuals. In addition to providing professional organizational services to its members, management services are provided by ACEP to organizations such as the Emergency Medicine Foundation (EMF), Society for Emergency Medicine Physician Assistants (SEMPA), and the Emergency Medicine Residents’ Association (EMRA). The breach concerns data related to those organizations. Affected individuals had made a purchase from or donated to EMF, SEMPA, or EMRA. A breach was detected on September 7, 2020 when unusual activity was identified in its systems. A server had been compromised that contained the login details for its SQL database servers, and those databases contained members’ information. While no evidence was found to indicate the credentials were used to access the databases, it was not possible to rule out unauthorized access. The information exposed was for the dates April 8, 2020 to September 21,...

Read More
March 2021 Healthcare Data Breach Report
Apr19

March 2021 Healthcare Data Breach Report

There was a 38.8% increase in reported healthcare data breaches in March. 62 breaches of 500 or more records reported to the HHS’ Office for Civil Rights, with hacking incidents dominating the breach reports. The high number of reported breaches is largely due to an increase in data breaches at business associates. The number of breached records also increased sharply with 2,913,084 healthcare records exposed or impermissibly disclosed across those 62 incidents; an increase of 135.89% from February. Largest Healthcare Data Breaches Reported in March 2021 The table below shows the 25 largest healthcare data breaches to be reported in March, all of which were hacking/IT incidents. 76% involved compromised network servers with the remaining 24% involving breaches of email accounts. 60% of these breaches involved business associates. Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of Breached Information Health Net Community Solutions Health Plan 686,556 Hacking/IT Incident Network Server Health Net of California Health Plan 523,709 Hacking/IT...

Read More
Montefiore Medical Center Fires Employee for Unauthorized Record Access
Apr15

Montefiore Medical Center Fires Employee for Unauthorized Record Access

Montefiore Medical Center has discovered another employee has accessed patient information with no legitimate work reason for doing so. The New York hospital announced in February 2020 that an employee had been discovered to have accessed medical records without authorization for 5 months in 2020, and another employee was found to have obtained the PHI of approximately 4,000 patients between January 2018 and July 2020. The latest discovery involved an employee accessing the records of patients without authorization for more than a year. The breach was identified by Montefiore’s FairWarning software, which monitors records for inappropriate access. When unauthorized medical record access was discovered, the employee was suspended pending an investigation. A review of record access confirmed that the employee had accessed records with no legitimate work reason for doing so between January 2020 and February 2021. The types of information accessed varied from patient to patient and included first and last names, medical record numbers, addresses, emails, dates of birth, and the last...

Read More
PHI of More than 200,000 Washington D.C. Health Plan Members Stolen by Hackers
Apr13

PHI of More than 200,000 Washington D.C. Health Plan Members Stolen by Hackers

CareFirst BlueCross BlueShield Community Health Plan District of Columbia (CHPDC) is alerting its members about a cyberattack in which their protected health information was stolen. CHPDC, formerly called Trusted Health Plans, detected a breach of its computer systems on January 28, 2021. The Washington D.C-based health plan took immediate steps to isolate the affected computers and secure its network to prevent further unauthorized access and the cybersecurity firm CrowdStrike was hired to investigate the breach. CrowdStrike confirmed that protected health information was exfiltrated by the attackers, who were most likely a foreign cybercriminal group. CHPDC said anyone who has been an enrollee of CHPDC has been affected, as well as current and former employees. The types of data stolen included full names, addresses, telephone numbers, dates of birth, Social Security numbers, Medicaid numbers, medical information, claims information, and a limited amount of clinical information. The breach has been reported to the Department of Health and Human Services’ Office for Civil Rights...

Read More
221,000 Total Health Care Members Impacted by Email Account Breach
Apr13

221,000 Total Health Care Members Impacted by Email Account Breach

Total Health Care Inc., a Detroit, MI-based health plan, has discovered unauthorized individuals have gained access to several employee email accounts that contained sensitive personal information of health plan members and physician partners. Upon discovery of the breach, the email accounts were immediately secured to prevent further unauthorized access and security experts were engaged to conduct a forensic investigation to determine the nature and scope of the breach. The investigation confirmed that the breach was limited to email accounts, which were accessed by unauthorized individuals between December 16, 2020 and February 5, 2021. No evidence was found to suggest any protected health information was viewed or misused, but unauthorized access could not be ruled out. A review of the emails in the accounts revealed they contained names, addresses, dates of birth, member IDs, claims information, and Social Security numbers. Due to the sensitive nature of data in the accounts, affected individuals have been offered free credit monitoring services for up to two years through...

Read More
Adventist Health Physicians Network Fined $40,000 for Privacy Breach
Apr12

Adventist Health Physicians Network Fined $40,000 for Privacy Breach

Adventist Health Physicians Network in Simi Valley, California has been ordered to pay $40,000 in civil momentary penalties by the Ventura County District Attorney as part of a civil privacy settlement to resolve a patient privacy case that affected 3,797 patients. The privacy breach occurred in 2018 and involved an impermissible disclosure of physical documents containing private and confidential medical data. The Simi Valley hospital had used a storage facility Simi Valley for storing physical patient records; however, when payments stopped being to the storage facility, the hospital lost access to the storage unit and the contents were put up for sale at a public auction in October 2018. The individual who bought the contents of the storage unit at the auction discovered boxes of paperwork in the unit that contained the sensitive medical data of patients of Adventist Health. The hospital was notified, and the files were promptly collected and secured. Adventist Health conducted an investigation into the incident and was satisfied that none of the information in the storage unit...

Read More
PHI of More Than 420,000 Individuals Potentially Compromised in Ransomware Attack on Ohio Law Firm
Apr09

PHI of More Than 420,000 Individuals Potentially Compromised in Ransomware Attack on Ohio Law Firm

Bricker & Eckler, one of the leading law firms in Ohio, suffered a ransomware attack in January in which client information was potentially compromised. The ransomware infection was detected by the law firm on January 31, 2021 and a third-party cybersecurity firm was engaged to assist with the investigation. The investigation revealed the attackers first gained access to its systems on January 14, 2021, and access remained possible until January 31, 2021. During that time the attackers gained access to files containing client information and exfiltrated some data from the law firm’s systems. A notice about the security incident on the law firm’s website confirms that the attackers were contacted, and information stolen in the attack was retrieved, suggesting the ransom was paid. Bricker & Eckler said the attackers confirmed they took steps to delete the stolen data and reassurances were provided that there had been no further disclosures of the stolen information and that no copies of the data had been retained. As a full-service law firm serving clients in the healthcare...

Read More
Malware Discovered on Networks of Squirrel Hill Health Center and La Clinica de la Raza
Apr08

Malware Discovered on Networks of Squirrel Hill Health Center and La Clinica de la Raza

La Clinica de la Raza in Oakland, CA is alerting certain patients about a potential breach of their protected health information. Malware was detected on systems containing patient data on January 28, 2021. A third-party forensics company was engaged to assist with the investigation into the malware attack and determined on February 26, 2021 that the malware would have allowed files containing patient data to be accessed. The breach was short lived, as the malware had been installed and was only active on January 12, 2021. During the short period of time that the malware was active it is possible that documents were viewed by unauthorized individuals, but the clinic believes relatively few documents were viewed. Those documents included full names, dates of birth, phone numbers, home addresses, health insurance information, and certain health information such as dates of service, diagnosis, test results, and treatment information related to medical services provided at the clinic. Steps have been taken to improve data security, including enhancing its intrusion detection and...

Read More
Orthopaedics Practice Discovers Year-Long Email Breach Affecting 125,000 Patients
Apr07

Orthopaedics Practice Discovers Year-Long Email Breach Affecting 125,000 Patients

The Centers for Advanced Orthopaedics has discovered multiple employee email accounts have been accessed by unauthorized individuals. The practice, which serves patients in Virginia, Maryland, and Washington DC, identified suspicious activity in its email system on September 17, 2020. Third party cybersecurity experts were engaged to assist with the investigation and determined several email accounts had been accessed by unauthorized individuals between October 2019 and September 2020. A review of the affected email accounts was conducted to determine the types of information that had been exposed and it was confirmed on January 25, 2021 that protected health information may have been viewed or acquired by cybercriminals. The email accounts contained information of patients, employees, and their dependents. Patient information was mostly restricted to names, dates of birth, diagnoses, and treatment information. A subset of patients also had one or more of the following data types stored in the account: Social Security number, driver’s license number, passport number, financial...

Read More
Third Party Data Breaches Reported by Apple Valley Clinic & BioTel Heart
Apr07

Third Party Data Breaches Reported by Apple Valley Clinic & BioTel Heart

Apple Valley Clinic in Minnesota has started notifying 157,939 patients that some of their protected health information was compromised in a ransomware attack on one of its information technology vendors. Apple Valley Clinic, which is part of Allina Health, used Netgain Technology LLC to host its information technology network and computer systems. In November 2020, Netgain was attacked with ransomware which took its data centers offline. Netgain notified Apple Valley Clinic on December 2, 2020 that patient data may have been compromised in the ransomware attack. Allina Health received confirmation on January 29, 2021 that patient information had been involved. The types of information compromised included names, dates of birth, bank account and routing numbers, Social Security numbers, patient billing information, and some medical information including symptoms and diagnoses. While several healthcare providers had PHI compromised, Apple Valley Clinic was the only Allina Health location to be affected. Apple Valley Clinic has since taken steps to improve information security,...

Read More
More Than 1.2 Million Health Net Members Affected by Accellion Cyberattack
Apr06

More Than 1.2 Million Health Net Members Affected by Accellion Cyberattack

Several healthcare organizations have recently confirmed they have been affected by the December 2020 Accellion cyberattack. The attack has been linked to the Clop ransomware gang, as its leak site was used to publish samples of data stolen in the attack, although ransomware is not believed to have been used. Accellion provided a file transfer solution that was used for transmitting files that were too large to be sent via email. In the case of Health Net, the platform was used for exchanging files with healthcare providers and others who support its operations. Health net reports that names, addresses, dates of birth, insurance ID numbers, and health information was obtained by the attackers. Accellion notified Health Net about the breach on January 25, 2021. Health Net has reported the breach as affecting 1,236,902 individuals across Health Net Community Solutions (686,556 individuals), Health Net of California (523,709 individuals), and Health Net Life Insurance Company (26,637 individuals). Trinity Health has recently alerted 586,869 patients that their PHI was compromised in...

Read More
Roper St. Francis Healthcare Faces Class Action Lawsuit Over Data Breach
Apr06

Roper St. Francis Healthcare Faces Class Action Lawsuit Over Data Breach

Roper St Francis Healthcare is facing a class action lawsuit over an October 2020 data breach in which patient data was allegedly stolen. The lawsuit alleges negligence for the failure to protect the private data of its patients. Between October 14 and 29, 2020, unauthorized individuals gained access to the email accounts of three of its employees. Those accounts contained the protected health information of around 190,000 patients. PHI in the compromised email accounts included financial and medical information. This was far from the only data breach to have affected Roper St. Francis Healthcare in the past 18 months. Prior to the October 2020 phishing attack, Roper St. Francis reported two data breaches in September, one of which was a phishing attack that affected 6,000 individuals and the other was a ransomware attack on its vendor Blackbaud, which affected around 92,963 Roper St. Francis patients. Prior to those breaches, a breach was reported on January 29, 2010 as affecting 35,253 individuals. According to the lawsuit, “At all relevant times, Roper knew the data it stored...

Read More
PHI from Multiple Covered Entities Published on GitHub
Apr05

PHI from Multiple Covered Entities Published on GitHub

Med-Data Inc. has confirmed that the protected health information of patients of several of its clients has been uploaded to the open-source software development hosting website GitHub, where it could have been accessed by unauthorized individuals. The Spring, TX-based revenue cycle management services vendor assists healthcare providers and health plans by processing Medicaid eligibility, third party liability, workers’ compensation and patient billing. On December 10, 2020, Med-Data was notified by security researcher Jelle Ursem that some data of its data had been discovered on GitHub. Dissent Doe of Databreaches.net provided a link to the uploaded data on December 14, 2020, according to the Med-Data breach notice. An investigation was immediately launched, and it was determined that one of its employees had saved files containing protected health information to personal folders on GitHub Arctic Code Vault between December 2018 and September 2019. Med-Data said the files were removed from GitHub on December 17, 2020. The files contained names, addresses, dates of birth, Social...

Read More
Ransomware Attack on Home Healthcare Service Provider Affects 753,000 Individuals
Apr02

Ransomware Attack on Home Healthcare Service Provider Affects 753,000 Individuals

Personal Touch Holding Corp, a Lake Success, NY-based provider of home health services, is alerting 753,107 patients about a breach of their protected health information. Personal Touch Holding Corp operates around 30 Personal Touch Home Care subsidiaries in more than half a dozen U.S. states. On January 27, 2021, Personal Touch discovered it was the victim of a cyberattack involving its private cloud hosted by its managed service providers. The attackers encrypted the cloud-stored business records of Personal Touch and 29 of its direct and indirect subsidiaries. The investigation into the ransomware attack is ongoing. At this stage it is unclear to what extent individual’s protected health information was compromised; however, it is possible that the attackers obtained data stored in its private cloud prior to the use of ransomware. An analysis of its cloud environment revealed the following types of patient information may have been compromised in the attack: names, addresses, telephone numbers, dates of birth, Social Security numbers, financial information, including check...

Read More
Lexington Medical Center and CalViva Health Affected by Third-Party Data Breaches
Mar31

Lexington Medical Center and CalViva Health Affected by Third-Party Data Breaches

Wake Forest Baptist Health has announced an unauthorized individual gained access to the systems of one of its technology vendors between October 16 and October 28, 2020 and potentially viewed or acquired files containing the protected health information of certain patients of Lexington Medical Center in North Carolina. The breach occurred at Healthgrades Operating Co. Inc., which provided the hospital with patient and community education on health matters and medical services. The exact nature of the breach was not disclosed. No reports have been received to date to indicate any information was stolen and misused. The types of PHI potentially accessed includes names, addresses, dates of birth, contact information, demographic information, medical treatment information, and Social Security numbers. The files contained PHI dated from mid-2010 to mid-2011. All individuals whose PHI was potentially compromised in the attack were notified by mail on March 26, 2021 and have been offered complimentary credit monitoring and identity theft protection services. It is currently unclear how...

Read More
University of Miami Health and Mott Community College Data Compromised in Ransomware Attacks
Mar30

University of Miami Health and Mott Community College Data Compromised in Ransomware Attacks

The protected health information of patients of University of Miami Health has been obtained by unauthorized individuals in a ransomware attack on the file transfer service provider Accellion. University of Miami Health used Accellion’s file transfer technology for sharing files that were too large to send via email. The University of Miami said the Accellion solution was only used by a small number of individuals at the university and prompt action was taken to contain the incident. The university has since stopped using Accellion’s file transfer services. The investigation into the attack is ongoing and the analysis of the files that were obtained or potentially compromised in the attack has not yet been completed, so it is not yet known exactly how many individuals have been affected. The University of Miami does not believe any of its systems were compromised in the attack with the breach believed to be limited to files sent or received through Accellion’s file transfer solution. The gang behind the attack demanded a $10 million ransom for the keys to decrypt data and avoid...

Read More
New Jersey Plastic Surgery Practice Pays $30K to OCR to Settle HIPAA Right of Access Case
Mar29

New Jersey Plastic Surgery Practice Pays $30K to OCR to Settle HIPAA Right of Access Case

The HHS’ Office for Civil Rights has announced a settlement has been reached with Ridgewood, NJ-based Village Plastic Surgery to resolve potential violations of the HIPAA Right of Access. Under the terms of the settlement, Village Plastic Surgery will pay a $30,000 penalty and will adopt a corrective action plan that requires policies and procedures to be implemented related to access to protected health information (PHI). OCR will also monitor Village Plastic Surgery for compliance for 2 years. OCR launched an investigation into Village Plastic Surgery following receipt of a complaint from a patient of the practice on September 7, 2019. The patient had requested a copy of the medical records held by the plastic surgery practice but had not been provided with those records within the maximum time allowed by the HIPAA Privacy Rule. OCR intervened and, during the course of its investigation, Village Plastic Surgery did not provide the patient with the requested records. OCR investigators determined that the delay in providing the records, which exceeded the 30 allowed days for acting...

Read More
SalusCare Takes Legal Action Against Amazon to Obtain AWS Audit Logs to Investigate Data Breach
Mar26

SalusCare Takes Legal Action Against Amazon to Obtain AWS Audit Logs to Investigate Data Breach

SalusCare, a provider of behavioral healthcare services in Southwest Florida, experienced a cyberattack in March that saw patient and employee data exfiltrated from its systems. The exact method used to gain access to its servers has not been confirmed, although the cyberattack is believed to have started with a phishing email that was used to deliver malware. The malware was used to exfiltrated its entire database to an Amazon AWS storage account. The attack occurred on March 16, 2021 and the investigation into the breach established that the attacker, an individual who appeared to be based in Ukraine, gained access to its Microsoft 365 environment, downloaded sensitive data, and uploaded the stolen data to two Amazon S3 storage buckets. Amazon was notified about the illegal activity and it suspended access to the S3 buckets to stop the attacker accessing the stolen data.  SalusCare requested access to the audit logs, which it requires to continue to investigate the breach and determine exactly what data was stolen. SalusCare also wants to make sure that the suspension is...

Read More
Cancer Treatment Centers of America Announces 105,000-Record Data Breach
Mar26

Cancer Treatment Centers of America Announces 105,000-Record Data Breach

Cancer Treatment Centers of America is alerting 104,808 patients of its Midwestern Regional Medical Center that some of their protected health information was contained in an email account that was accessed by an unauthorized individual. Suspicious activity was identified in a CTCA account holder’s account on January 18, 2021. The account was immediately secured to prevent further unauthorized access and a third-party forensics firm was engaged to assist with the investigation and determine the nature and scope of the breach. The investigation revealed the email account was accessed on January 12, 2021 and access remained possible until January 18 when a password reset was performed. It was not possible to confirm which emails, if any, were accessed, nor was it possible to rule out data theft. A review of the compromised account revealed it contained patient names, health insurance information, medical record numbers, CTCA account numbers, and limited medical information. No financial information or Social Security numbers were compromised. CTCA has implemented additional security...

Read More
Misconfiguration Resulted in Exposure of the PHI of 65,000 Mobile Anesthesiologists Patients
Mar25

Misconfiguration Resulted in Exposure of the PHI of 65,000 Mobile Anesthesiologists Patients

Mobile Anesthesiologists has recently discovered a limited amount of patients’ protected health information (PHI) has been exposed due to a technical misconfiguration. The error was determined to have occurred prior to December 14, 2020, and made PHI such as names, health insurance information, date of service, medical procedure, and dates of birth publicly accessible. An investigation into the error was concluded on January 28, 2021 and confirmed that the PHI of 65,403 individuals had been exposed. While the PHI could potentially have been accessed by unauthorized individuals, no evidence of unauthorized data access or PHI misuse was discovered. Affected individuals were notified by mail starting March 10, 2021. Haven Behavioral Healthcare Announces Breach of Systems Containing Patient Data Haven Behavioral Healthcare, a Nashville, TN—based operator of 7 licensed, acute care behavioral hospitals, has discovered unauthorized individuals gained access to its computer network and potentially viewed and exfiltrated patient data. A potential breach was identified on or around September...

Read More
Massachusetts Mental Health Clinic Settles HIPAA Right of Access Case for $65,000
Mar25

Massachusetts Mental Health Clinic Settles HIPAA Right of Access Case for $65,000

Arbour Hospital, a mental health clinic in Boston, MA, has settled a HIPAA Right of Action investigation with the HHS’ Office for Civil Rights (OCR) and has agreed to pay a $65,000 penalty. OCR was informed about a potential violation of the HIPAA Right of Access on July 5, 2019. A patient of Arbour Hospital alleged he had requested a copy of his medical records from the hospital on May 7, 2019 but had not been provided with those records within two months. When a healthcare provider receives a request from a patient who wishes to exercise their HIPAA Privacy Rule right to obtain a copy of their healthcare records, a copy of those records must be provided as soon as possible and no later than 30 days after the request is received. A 30-day extension is possible in cases where records are stored offsite or are otherwise not easily accessible. In such cases, the patient requesting the records must be informed about the extension in writing within 30 days and be provided with the reason for the delay. OCR contacted Arbour Hospital and provided technical assistance on the HIPAA Right...

Read More
Hospice CEO Pleads Guilty to Falsifying Healthcare Claims and Inappropriate Medical Record Access
Mar24

Hospice CEO Pleads Guilty to Falsifying Healthcare Claims and Inappropriate Medical Record Access

The former CEO of Novus and Optimum Health Services, which operates two hospices in Texas, has pleaded guilty in a fraud case that saw Medicare and Medicaid defrauded out of tens of millions of dollars through the submission of falsified health care claims. Prerak Shah, Acting U.S. Attorney for the Northern District of Texas, recently announced that Bradley Harris, 39, pleaded guilty to conspiracy to commit healthcare fraud and healthcare fraud and is now awaiting sentencing. In addition to defrauding federal healthcare programs out of tens of millions of dollars, the actions of Harris resulted in vulnerable patients being denied the medical oversight they deserved, saw prescriptions for pain medication written without physician input for his financial benefit, and allowed terminally ill patients to go unexamined. Harris admitted billing Medicare and Medicaid for hospice services between 2012 and 2016 that were not provided, not directed by medical professional, or were provided to individuals who were not eligible for hospice services. Harris also admitted to using blank,...

Read More
California Department of State Hospitals Discovers Unauthorized Data Copying by IT Employee
Mar22

California Department of State Hospitals Discovers Unauthorized Data Copying by IT Employee

The Department of State Hospitals (DSH) in California has discovered an employee accessed the protected health information (PHI) of 1,415 current/former patients and 617 employees without authorization. The individual had an Information Technology role and had access to data servers containing sensitive patient and employee information in order to complete work duties. The improper access was discovered by DSH on February 25, 2021 during a routine annual review of access to data folders. An investigation was immediately launched which revealed the employee had been accessing data without authorization for around 10 months. Files containing names, COVID-19 test results, and other health information necessary for tracking COVID-19 were copied directly from the server. The investigation into the privacy breach is ongoing and the employee has been placed on administrative leave pending completion of the investigation. So far, the investigation has not uncovered any evidence to suggest the copied data has been misused or disclosed to any other individual. DSH explained that safeguards...

Read More
February 2021 Healthcare Data Breach Report
Mar19

February 2021 Healthcare Data Breach Report

There was a 40.63% increase in reported data breaches of 500 or more healthcare records in February 2021. 45 data breaches were reported to the Department of Health and Human Services’ Office for Civil Rights by healthcare providers, health plans and their business associates in February, the majority of which were hacking incidents. After two consecutive months where more than 4 million records were breached each month there was a 72.35% fall in the number of breached records. 1,234,943 records were exposed, impermissibly disclosed, or stolen across the 45 breaches. Largest Healthcare Data Breaches Reported in February 2021 Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach Cause of Breach The Kroger Co. OH Healthcare Provider 368,100 Hacking/IT Incident Ransomware BW Homecare Holdings, LLC (Elara Caring single affiliated covered entity) TX Healthcare Provider 100,487 Hacking/IT Incident Phishing RF EYE PC dba Cochise Eye and Laser AZ Healthcare Provider 100,000 Hacking/IT Incident Ransomware Gore Medical Management, LLC GA Healthcare Provider...

Read More
More Health Insurers Confirmed as Victims of Accellion Ransomware Attack and Multiple Lawsuits Filed
Mar19

More Health Insurers Confirmed as Victims of Accellion Ransomware Attack and Multiple Lawsuits Filed

The number of healthcare organizations to announced they have been affected by the ransomware attack on Accellion has been increasing, with two of the latest victims including Trillium Community Health Plan and Arizona Complete Health. In late December, unauthorized individuals exploited zero-day vulnerabilities in Accellion’s legacy File Transfer Appliance platform and stole data of its customers before deploying CLOP ransomware. Trillium Community Health Plan recently notified 50,000 of its members that protected health information such as names, addresses, dates of birth, health insurance ID numbers, and diagnosis and treatment was obtained by the individuals behind the attack and the data was posted online between January 7 and January 25, 2021. Trillium said it has now stopped using Accellion, has removed all data files from its systems, and has taken steps to reduce the risk of future attacks, including reviewing its data sharing processes. Trillium is offering affected members complimentary credit monitoring and identity theft protection services for 12 months. Arizona...

Read More
PHI of 26,600 Individuals Potentially Copied in Colorado Retina Associates Phishing Attack
Mar17

PHI of 26,600 Individuals Potentially Copied in Colorado Retina Associates Phishing Attack

On January 12, 2021, Denver-based Colorado Retina Associates discovered the email account of one of its employees had been accessed by an unauthorized individual who used it to send phishing emails to individuals in the employee’s contact list. The email account was immediately secured and a cybersecurity firm was engaged to investigate the incident to determine the extent of the breach. That investigation concluded on February 24, 2021 and revealed other email accounts had also been compromised, two of which contained patients’ protected health information. The nature of the attack meant that between January 6, 2021 and January 17, 2021, synching may have occurred. That means the contents of the email accounts may have been copied to the attacker’s device. A comprehensive review of the email accounts was performed which revealed the protected health information of 26,609 individuals was stored in the accounts. The types of PHI varied from individual to individual may have included full names, date of birth, home addresses, phone numbers, email addresses, dates of service,...

Read More
2020 Saw Major Increase in Healthcare Hacking Incidents and Insider Breaches
Mar16

2020 Saw Major Increase in Healthcare Hacking Incidents and Insider Breaches

2021 was a challenging year for healthcare organizations. Not only was the industry on the frontline in the fight against COVID-19, hackers who took advantage of overrun hospitals to steal data and conduct ransomware attacks. The 2021 Breach Barometer Report from Protenus shows the extent to which the healthcare industry suffered from cyberattacks and other breaches in 2020. The report is based on 758 healthcare data breaches that were reported to the HHS’ Office for Civil Rights or announced via the media and other sources in 2020, with the data for the report provided by databreaches.net. The number of data breaches has continued to rise every year since 2016 when Protenus started publishing its annual healthcare breach report. 2020 saw the largest annual increase in breaches with 30% more breaches occurring than 2019. Data was obtained on 609 of those incidents, across which 40,735,428 patient and health plan members were affected. 2020 was the second consecutive year that saw more than 40 million healthcare records exposed or compromised. Healthcare Hacking Incidents Increased...

Read More
Reinvestigation of 2019 Metro Presort Ransomware Attack Reveals PHI May Have Been Compromised
Mar16

Reinvestigation of 2019 Metro Presort Ransomware Attack Reveals PHI May Have Been Compromised

The Portland, OR-based technology and communication solution provider Metro Presort suffered a ransomware attack on May 6, 2019 which resulted in the encryption of files and locked staff out of its systems. The ransomware attack was promptly identified and was contained by May 15, 2019 and the company was able to recover from the attack relatively quickly. An investigation into the attack found no evidence to suggest files were removed from its system, and since the company already encrypted customer data, the attackers would not have been able to access any sensitive information. In October 2020, Metro Presort reinvestigated the attack and the secondary investigation was unable to confirm that files containing customer data were definitely encrypted before the attack. The invoices, statements, and spreadsheets that Metro presort processed for clients, including healthcare organizations, could potentially have been accessed. An analysis of those files confirmed they contained patient names, addresses, dates of birth, patient and health plan IDs or account numbers, appointment...

Read More
Ransomware Gangs Claim Three More Healthcare Victims
Mar15

Ransomware Gangs Claim Three More Healthcare Victims

PeakTPA, a St. Louis, MO-based provider of health plan management and back-office services, has announced it suffered a cyberattack on or around December 28, 2020 in which protected health information was stolen. The security incident was detected on December 31 and involved two cloud servers used by the company to manage program of all-inclusive care for the Elderly (PACE) claims.  According to the breach report submitted to the HHS’ Office for Civil Rights, the PHI of up to 50,000 individuals was stolen or exposed. An investigation into the attack confirmed the attackers obtained full names, home addresses, dates of birth, Social Security numbers, PACE program IDs, and diagnosis and treatment information. Affected individuals have been notified and offered complimentary membership to credit monitoring, fraud consultation, and identity theft restoration services via Kroll. St. Bernard’s Total Life Healthcare, Inc., which provides PACE in Northeast Arkansas, and Rocky Mountain Health Care Services in Colorado Springs have confirmed that 528 of their patients have been impacted by...

Read More
Multistate Settlement Resolves 2019 American Medical Collection Agency Data Breach Investigation
Mar12

Multistate Settlement Resolves 2019 American Medical Collection Agency Data Breach Investigation

A coalition of 41 state Attorneys General has agreed to settle an investigation into Retrieval-Masters Creditors Bureau dba American Medical Collection Agency (AMCA) over a 2019 data breach that resulted in the exposure/theft of the protected health information of at least 21 million Americans. Retrieval-Masters Creditors Bureau is a debt collection agency, with its AMCA arm providing small debt collection services to healthcare clients such as laboratories and medical testing facilities. From August 1, 2018 until March 30, 2019, an unauthorized individual had access to AMCA’s systems and exfiltrated sensitive data such as names, personal information, Social Security numbers, payment card information and, for some individuals, medical test information and diagnostic codes. The AMCA data breach was the largest healthcare data breach reported in 2019. AMCA notified states about the breach starting June 3, 2019, and individuals affected by the breach were offered two years of complimentary credit monitoring services. The high cost of remediation of the breach saw AMCA file for...

Read More
Unsecured Amazon S3 Buckets Contained ID Card Scans of 52,000 Individuals
Mar12

Unsecured Amazon S3 Buckets Contained ID Card Scans of 52,000 Individuals

Premier Diagnostics, a Utah-based COVID-19 testing service, has inadvertently exposed the protected health information of tens of thousands of individuals. Two Exposed Amazon S3 buckets were discovered by Bob Diachenko of Comparitech on February 22, 2021. It was not initially clear who owned the data, which related to patients from Utah, Nevada, and Colorado. The S3 buckets were eventually traced to Premier Diagnostics. The S3 buckets contained two databases, one of which included around 200,000 images of scans of ID cards such as driver’s licenses, passports, state ID cards, medical insurance cards, and other IDs documents. The databases had been indexed by search engines and could be accessed over the Internet without a password. Premier Diagnostics was determined to be the probable owner of the data on February 25, 2020 and attempts were made to contact the company. Contact was finally made on March 1, 2021 and the databases were secured the same day. It is unclear whether the databases were found and downloaded by any individuals other then Diachenko in the week or more that...

Read More
New London Hospital Data Breach Affects Almost 35,000 Patients
Mar12

New London Hospital Data Breach Affects Almost 35,000 Patients

New London Hospital in central New Hampshire has discovered an unauthorized individual gained access to a file on its network in July 2020 and may have obtained the protected health information of 34,878 patients. A third-party cybersecurity firm was engaged to assist with the investigation and determined on February 16, 2021 that the file was accessed for a short period and may have been copied. The file contained patient names, limited demographic information, and Social Security numbers; however, no diagnosis, treatment, or hospitalization information was compromised. New London Hospital is unaware of any misuse of information contained in the file. The network system on which the file was stored is no longer used by the hospital. Additional safeguards have now been implemented to prevent similar breaches in the future. All patients have been notified and offered complimentary credit monitoring and identity theft protection services. Child Focus Reports Malware Infection and 2,700-Record Data Breach Child Focus, a Cincinnati, OH-based nonprofit that provides support to children...

Read More
Cost of 2020 US Healthcare Ransomware Attacks Estimated at $21 Billion
Mar11

Cost of 2020 US Healthcare Ransomware Attacks Estimated at $21 Billion

Ransomware attacks on the healthcare industry skyrocketed in 2020. In 2020, at least 91 US healthcare organizations suffered ransomware attacks, up from 50 the previous year. 2020 also saw a major ransomware attack on the cloud software provider Blackbaud, with that attack known to have affected at least 100 US healthcare organizations. The first known ransomware attack occurred in 1989 but early forms of ransomware were not particularly sophisticated and attacks were easy to mitigate. The landscape changed in 2016 when a new breed of ransomware started to be used in attacks. These new ransomware variants use powerful encryption and delete or encrypt backup files to ensure data cannot be easily recovered without paying the ransom. Over the past 5 years ransomware has been a constant threat to the healthcare industry, with healthcare providers being increasingly targeted in recent years. Attacks now see sensitive data stolen prior to file encryption, so even if files can be recovered from backups, payment is still required to prevent the exposure or sale of stolen data. Healthcare...

Read More
207K MultiCare Health System and Woodcreek Healthcare Patients Affected by Ransomware Attack
Mar10

207K MultiCare Health System and Woodcreek Healthcare Patients Affected by Ransomware Attack

The number of individuals affected by a ransomware attack on St. Cloud-based Netgain Technology LLC has increased, with a further 207,000 individuals now confirmed as being affected and that figure certain to rise over the coming days. Netgain Technology provides IT and technology services to several entities in the healthcare industry, including the medical practice management company Woodcreek Provider Service in Washington. Ramsey County in Minnesota was previously confirmed to have been affected by the ransomware attack. Woodcreek Provider Service provides support to pediatric clinics and urgent care centers owned and operated by MultiCare Health System.  Woodcreek Provider Service was notified by Netgain about the December 3, 2020 attack and informed that the protected health information of patients and the personal information of employees and contractors were stored on servers affected by the ransomware attack, and may have been obtained by the attackers who first gained access to its systems on November 23, 2020. The Woodcreek Provider Service IT network and computer system...

Read More
Phishing Attack Impacts 135K Saint Alphonsus Health System and Saint Agnes Medical Center Patients
Mar10

Phishing Attack Impacts 135K Saint Alphonsus Health System and Saint Agnes Medical Center Patients

A phishing attack on Saint Alphonsus Health System in Boise, ID has resulted in the exposure of patient information and has also impacted patients of Saint Agnes Medical Center in Fresno, CA. Saint Alphonsus identified unusual activity in an employee’s email account on January 6, 2021. The account was immediately secured, and an investigation was conducted to determine the source and nature of the activity. Saint Alphonsus determined that the account had been accessed by an unauthorized individual on January 4, 2021, giving the individual access to the account and information contained therein for 2 days. The account was used to send phishing emails to other individuals in an attempt to obtain usernames and passwords. The employee whose credentials were compromised assisted with certain business functions that required access to protected health information, including performing billing functions for the West Region of Trinity Health, which includes Fresno. A review of all emails and attachments revealed the account contained the protected health information of certain patients....

Read More
PHI of More Than 100,000 Elara Caring Patients Potentially Compromised in Phishing Attack
Mar05

PHI of More Than 100,000 Elara Caring Patients Potentially Compromised in Phishing Attack

Elara Caring, one the largest providers of home-based healthcare services in the United States, has suffered a phishing attack that has impacted more than 100,000 patients. In mid-December, suspicious activity was identified in some employee email accounts. Prompt action was taken to secure the accounts to prevent further unauthorized access and a third-party security firm was engaged to investigate the breach. The investigation confirmed that multiple employee email accounts had been accessed by an unauthorized individual, although no evidence was found to suggest any patient information in those accounts was viewed or obtained by the attackers. It was, however, not possible to rule out data theft. A review of the compromised email accounts revealed they contained the PHI of 100,487 patients, including names, addresses, Social Security numbers, driver’s license numbers, Employer ID numbers, financial/bank account information, dates of birth, email addresses and passwords, insurance information and insurance account numbers, and passport numbers. Individuals affected by the breach...

Read More
Up to 100,000 Individuals Affected by Cochise Eye and Laser Ransomware Attack
Mar04

Up to 100,000 Individuals Affected by Cochise Eye and Laser Ransomware Attack

The Sierra Vista, AZ-based ophthalmology and optometry provider Cochise Eye and Laser experienced a ransomware attack on January 13, 2021 that resulted in the encryption of its patient scheduling and billing software. The attack prevented Cochise Eye and Laser from accessing any data in its scheduling system. Eye care services continued to be provided to patients, with the practice reverting to using paper charts. According to a February 17, 2021 breach notice on its website, paper charts were still in use as the scheduling system remained out of action. The investigation into the ransomware attack found no evidence to indicate any patient data were exfiltrated prior to the encryption of files; however, data theft could not be ruled out. The types of information potentially accessed by the attackers included names, dates of birth, addresses, phone numbers and, for some individuals, Social Security numbers. Since the attack, Cochise Eye and Laser has been working on improving the security of its systems and is implementing a new offsite backup system. Efforts to recover the...

Read More
Tens of Thousands of Individuals Affected by AllyAlign Health Ransomware Attack
Mar04

Tens of Thousands of Individuals Affected by AllyAlign Health Ransomware Attack

AllyAlign Health, a Glen Allen, VA-based Medicare Advantage health plan administrator, has started notifying members and providers about an attempted ransomware attack that occurred on November 13, 2020. According to the breach notification letters sent to affected individuals, AllyAlign Health first became aware of the attack on November 14, 2020. An investigation of the incident found the systems accessed by the attackers contained members’ first and last names, addresses, dates of birth, Social Security numbers, Medicare health insurance claim numbers, Medicare beneficiary identifiers, medical claims histories, health insurance policy numbers, and other medical information. Providers affected by the breach have been notified that names, addresses, dates of birth, Social Security numbers, and Council for Affordable Quality Healthcare (CAQH) credentialing information may have been compromised. It is unclear exactly how many individuals have been affected by the incident. According to the breach notification sent to the Maine Attorney General, the protected health information of...

Read More
IBM X-Force: Healthcare Cyberattacks Doubled in 2020
Mar03

IBM X-Force: Healthcare Cyberattacks Doubled in 2020

A new report from IBM X-Force shows healthcare cyberattacks doubled in 2020 with 28% of attacks involving ransomware. The massive increase in healthcare industry cyberattacks saw the sector rise from last place to 7th, with the finance and insurance industry the most heavily targeted, followed by manufacturing, energy, retail, professional services, and government. Healthcare accounted for 6.6% of cyberattacks across all industry sectors in 2020. The 2021 X-Force Threat Intelligence Index report was compiled from monitoring data from over 130 countries and included data from more than 150 billion security events a day, with the data gathered from multiple sources including IBM Security X-Force Threat Intelligence and Incident Response, X-Force Red, IBM Managed Security Services, and external sources such as Intezer and Quad9. The most common way networks were breached was the exploitation of vulnerabilities in operating systems, software, and hardware, which accounted for 35% of all attacks up from 30% in 2019. This was closely followed by phishing attacks, which were the initial...

Read More
Roundup of Recent Healthcare Phishing and Malware Incidents
Mar02

Roundup of Recent Healthcare Phishing and Malware Incidents

A round up of recent healthcare privacy breaches that have been reported to the HHS’ Office for Civil Rights and state Attorneys General recently. Twelve Oaks Recovery Discovers Malware Infection and Data Theft Twelve Oaks Recovery, a Navarre, FL-based addiction and mental health treatment center, has discovered an unauthorized individual gained access to its network, installed malware, and stole documents from its systems. The attack was detected on December 13, 2020 when unusual network activity was detected. A forensic investigation confirmed malware had been deployed on December 13, and the following day data exfiltration was confirmed. A review of the documents obtained by the attacker revealed they contained the protected health information of 9,023 patients, and included names, addresses, dates of birth, medical record numbers, and Social Security numbers. Twelve Oaks Recovery has enhanced its network monitoring tools and taken steps to prevent similar breaches from occurring in the future. Rainbow Rehabilitation Centers Discovers Email Account Breach Rainbow Rehabilitation...

Read More
Universal Health Services Ransomware Attack Cost $67 Million in 2020
Mar01

Universal Health Services Ransomware Attack Cost $67 Million in 2020

2020 was a particularly bad year for healthcare industry ransomware attacks, with one of the worst suffered by the King of Prussia, PA-based Fortune 500 healthcare system, Universal Health Services (UHS). UHS, which operates 400 hospitals and behavioral health facilities in the United States and United Kingdom, suffered a cyberattack in September 2020 that wiped out all of its IT systems, affecting its hospitals and other healthcare facilities across the country. The phone system was taken out of action, and without access to computers and electronic health records, employees had to resort to pen and paper to record patient information. In the early hours after the attack occurred, the health system diverted ambulances to alternative facilities and some elective procedures were either postponed or diverted to competitors. Patients reported delays receiving test results while UHS recovered from the attack. UHS worked fast to restore its information technology infrastructure following the attack and worked around the clock to return to normal business operations; however, the...

Read More
Gore Medical Management Alerted to 2017 Breach of 79,100 Patients’ PHI
Feb26

Gore Medical Management Alerted to 2017 Breach of 79,100 Patients’ PHI

Gore Medical Management, a medical practice company based in Griffin, GA, has discovered a historic data breach involving the protected health information (PHI) of 79,100 individuals. The breach occurred in 2017 and affects patients of Family Medical Center in Thomaston, which is now part of Upson Regional Medical Center. In November 2020, Gore Medical Management was informed by the Federal Bureau of Investigation that a third-party computer had been recovered as part of an investigation which was found to contain the PHI of Family Medical Center patients. The breach investigation confirmed that the vulnerability exploited by the hacker to gain access to the Family Medical Center network had been identified and corrected a few months after the breach, although the breach itself was not detected at the time. The medical record system was not compromised, but files containing names, addresses, dates of birth, and Social Security numbers were exfiltrated. No financial information or healthcare records were involved. There does not appear to have been further access of its systems or...

Read More
Email Security Breach Impacts 47,000 Covenant Healthcare Patients
Feb26

Email Security Breach Impacts 47,000 Covenant Healthcare Patients

Covenant Healthcare in Saginaw, MI has discovered an unauthorized individual gained access to two employee email accounts that contained the protected health information of 47,178 patients. The security breach was identified on December 21, 2020, with the investigation revealing the first email account was compromised on May 4, 2020. A review of the compromised email accounts revealed they contained the following types of protected health information: Names, addresses, dates of birth, Social Security numbers, driver’s license numbers, medical diagnosis and clinical information, medical treatment information, prescription information, doctors’ names, medical record numbers, patient account numbers, and medical insurance information. Affected individuals have been advised to place a fraud alert on their accounts and to monitor their account statements for signs of unauthorized activity. Affected individuals do not appear to have been offered complimentary credit monitoring. “We are committed to keeping your personal information safe and pledge to continually evaluate and modify our...

Read More
Cyberattack Forces St. Margaret’s Health –Spring Valley to Shut Down Computer Systems
Feb25

Cyberattack Forces St. Margaret’s Health –Spring Valley to Shut Down Computer Systems

St. Margaret’s Health –Spring Valley in Illinois is investigating a cyberattack that occurred over the weekend of February 20/21, 2021. The security breach was detected by the hospital’s IT team on February 21, and the hospital’s computer network and all web-based applications including email and its patient portal were shut down. The hospital had security systems in place to protect against intrusions and data breaches. It is currently unclear how those systems were bypassed. Third-party cybersecurity experts have been engaged to assist with the investigation and remediation efforts. St. Margaret’s Health had developed and practiced computer downtime emergency operations, which have been implemented and the hospital has temporarily reverted to paper records for recoding patient information and the hospital is relying on telephone and fax for communication while the email system is out of action. It is currently unclear for how long the systems will remain offline. The cyberattack did not affected the computer systems of St. Margaret’s Peru, as those computer systems...

Read More
March 1, 2021: Deadline for Reporting 2020 Small Healthcare Data Breaches
Feb25

March 1, 2021: Deadline for Reporting 2020 Small Healthcare Data Breaches

The deadline for reporting healthcare data breaches of fewer than 500 records that were discovered in 2020 is fast approaching. HIPAA covered entities and business associates have until March 1, 2021 to submit breach reports to the Department of Health and Human Services’ Office for Civil Rights (OCR)that were discovered between January 1, 2020 and December 31, 2020. HIPAA defines a breach as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.  An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised.” A risk assessment should be conducted to determine the probability that PHI has been compromised, that must include the nature and extent of PHI involved, the probability of identification of individuals; the person who used/disclosed the PHI; whether PHI was viewed or acquired by an unauthorized...

Read More
Exploitation of Vulnerabilities in Accellion File Transfer Appliance Gave Hackers Access to Data of Kroger Customers
Feb24

Exploitation of Vulnerabilities in Accellion File Transfer Appliance Gave Hackers Access to Data of Kroger Customers

Kroger has announced it has suffered a data security incident involving the exploitation of SQL injection vulnerabilities in its Accellion File Transfer Appliance (FTA). The Accellion FTA is a legacy appliance that was released around 20 years ago as a secure file transfer solution for sharing files too large to send via email. A zero-day vulnerability in the product was first identified by Accellion in mid-December 2020, with a further three vulnerabilities subsequently identified. Some of those vulnerabilities were exploited by a threat actor to gain access to the vulnerable devices. The hacker then installed a web shell which was used to exfiltrate sensitive data. Accellion explained in a February 22, 2021 press release that Mandiant had investigated the security incident and attributed the attacks to a criminal hacker tracked as UNC2546. UNC2546 has been linked to the FIN11 hacking group and CL0P ransomware operation. In January, several Accellion FTA customers reported receiving ransom demands for the return of stolen data. Threats were made to publish stolen data on the CL0P...

Read More
Ransom Paid to Recover Healthcare Data Stolen in Cyberattack on Online Storage Vendor
Feb22

Ransom Paid to Recover Healthcare Data Stolen in Cyberattack on Online Storage Vendor

The protected health information of 29,982 patients of a Laguna Hills, CA-based provider of medical and surgical eye care services has potentially been stolen in a cyberattack on its online storage vendor. On January 15, 2021, Harvard Eye Associates was informed by its storage vendor that hackers had gained access to the vendor’s computer system and exfiltrated data. It is not clear whether files were encrypted to prevent access; however, a ransom demand was issued for the return of the stolen data. The storage vendor consulted with cybersecurity experts and the Federal Bureau of Investigation and took the decision to pay the ransom demand. The hackers returned the stolen data and provided assurances that no copies of the data had been made and there had been no further disclosures of the stolen information. The cybersecurity experts engaged by the security vendor have been monitoring the Internet and darknet and have not found any evidence to suggest the stolen data has been sold or leaked online. An investigation into the breach revealed the hackers first gained access to its...

Read More
January 2021 Healthcare Data Breach Report
Feb19

January 2021 Healthcare Data Breach Report

January saw a 48% month-over-month reduction in the number of healthcare data breaches of 500 or more records, falling from 62 incidents in December to just 32 in January. While this is well below the average number of data breaches reported each month over the past 12 months (38), it is still more than 1 data breach per day. There would have been a significant decline in the number of breached records were it not for a major data breach discovered by Florida Healthy Kids Corporation that affected 3.5 million individuals. With that breach included, 4,467,098 records were reported as breached in January, which exceeded December’s total by more than 225,000 records. Largest Healthcare Data Breaches Reported in January 2021 The breach reported by Florida Healthy Kids Corporation was one of the largest healthcare data breaches of all time. The breach was reported by the health plan, but actually occurred at one of its business associates. The health plan used an IT company for hosting its website and an application for applications for insurance coverage. The company failed to apply...

Read More
Wilmington Surgical Associates Facing Class Action Lawsuit Over Netwalker Ransomware Attack
Feb19

Wilmington Surgical Associates Facing Class Action Lawsuit Over Netwalker Ransomware Attack

Wilmington Surgical Associates in North Carolina is facing a class action lawsuit over a Netwalker ransomware attack and data breach that occurred in October 2020. As is now common in ransomware attacks, files were exfiltrated prior to the deployment of ransomware. In this case, the Netwalker ransomware gang stole 13GB of data from two Wilmington Surgical Associates’ servers that were used for administration purposes. Some of the stolen was published on the threat actors’ data leak site where it could be accessed by anyone. The leaked data was spread across thousands of files and included financial information related to the practice, employee information, and patient data such as photographs, scanned documents, lab test results, Social Security numbers, health insurance information, and other sensitive patient information. Wilmington Surgical Associates sent notifications to affected individuals in December 2020 and reported the data breach to the HHS’ Office for Civil Rights on December 17, 2020 as affecting 114,834 patients. The lawsuit – Jewett et al. v. Wilmington...

Read More
Grand River Medical Group Email Breach Impacts 34,000 Patients
Feb18

Grand River Medical Group Email Breach Impacts 34,000 Patients

Grand River Medical Group in Dubuque, OH has discovered an unauthorized individual gained access to the email account of an employee and may have viewed or obtained the protected health information of 34,000 patients. Upon discovery of the breach, a password reset was performed to prevent any further unauthorized access and an internal investigation was launched to determine whether any other systems were breached. The Grand River Medical Group IT team confirmed that only one email account was compromised and no other systems were accessed. Third-party breach response experts were engaged to conduct a forensic analysis to determine whether any patient information in the email account was viewed or exfiltrated. It was not possible to rule out data theft, although no evidence was found to indicate patient data was stolen in the attack. The information in the email account varied from patient to patient and included one or more of the following types of protected health information in addition to patient names: Address, date of birth, patient’s balance and balance type, visit type,...

Read More
Ransomware Gangs Leaks Sensitive Data Allegedly Stolen from Two More Healthcare Providers
Feb17

Ransomware Gangs Leaks Sensitive Data Allegedly Stolen from Two More Healthcare Providers

The Conti ransomware gang has published data on its leak site which was allegedly obtained in an attack on Rehoboth McKinley Christian Health Care Services in New Mexico. The leaked data includes sensitive patient information including scanned patient ID cards, passports, driver’s license numbers, diagnoses, treatment information, and diagnostic reports, although we have not been able to confirm the source of the data. The breach has not yet appeared on the HHS breach portal so it is currently unclear how many individuals have been affected. The Conti ransomware gang claims it has only published around 2% of data stolen in the attack. The latest data leak by the Conti ransomware gang follows similar leaks of the data stolen in the ransomware attacks on Leon Medical Centers in Florida and Nocona General Hospital in Texas. The Avaddon ransomware gang has similarly published data on its leak site that was allegedly stolen in an attack on Capital Medical Center in Olympia in Washington. The gang has threatened to leak further data within the next few days if the ransom is not paid. The...

Read More
Email Error Results in Impermissible Disclosure of the PHI of 900 Campbell County Health Patients
Feb17

Email Error Results in Impermissible Disclosure of the PHI of 900 Campbell County Health Patients

An email error by an employee of Campbell County Health (CCH) has resulted in the impermissible disclosure of the protected health information of 900 individuals. The Gillette, WY-based health system discovered on February 5, 2021 that an employee sent an email to a patient and attached an incorrect file. The file contained patient names, account numbers, and their type of insurance. The email error was discovered within an hour of the email being sent and the recipient was immediately contacted and was told to securely delete the attachment. CCH officials provided instructions on how to ensure that the file was permanently deleted from the email account and all devices, and CCH has received satisfactory assurances that the file has now been permanently deleted and no further disclosures were made. Affected individuals have been notified about the incident and internal policies are being revised to prevent similar incidents in the future. CCH has also provided further training to employees on best practices for protecting patient data. UT Southwestern Medical Center Alerts Patients...

Read More
21st Century Oncology Data Breach Settlement Receives Preliminary Approval
Feb16

21st Century Oncology Data Breach Settlement Receives Preliminary Approval

A settlement proposed by 21st Century Oncology to resolve a November 2020 class action lawsuit has received preliminary approval from the court. The class action lawsuit was filed in District Court for the Middle District of Florida on behalf of victims of a 2015 cyberattack that potentially affected 2.2 million individuals. 21st Century Oncology was notified about a breach of its systems by the Federal Bureau of Investigation on November 13, 2015. An unauthorized individual had gained access to its network and may have accessed or obtained one of its databases on October 3, 2015. The database contained patients’ names, diagnoses, treatment information, Social Security numbers, and insurance information. Notifications to affected individuals were delayed at the request of the FBI so as not to interfere with the investigation. Patients affected by the breach started to be notified in March 2016. The Department of Health and Human Services’ Office for Civil Rights launched an investigation into the breach and found potential HIPAA violations. 21st Century Oncology settled the case in...

Read More
Sharp HealthCare Pays $70,000 to Resolve HIPAA Right of Access Violation
Feb15

Sharp HealthCare Pays $70,000 to Resolve HIPAA Right of Access Violation

The HHS’ Office for Civil Rights (OCR) has fined Sharp HealthCare $70,000 for failing to provide a patient with timely access to his medical records. This is the sixteenth financial penalty to be agreed with OCR under the HIPAA Right of Access enforcement initiative that was launched in late 2019. OCR received a complaint from a patient on June 11, 2019 that alleged Sharp Healthcare, doing business as Sharp Rees-Stealy Medical Centers (SRMC), failed to provide him with a copy of his medical records within 30 days, as is required by the HIPAA Privacy Rule. The patient claimed to have made a request in writing on April 2, 2019 but had not been provided with the requested records after waiting more than 2 months. OCR investigated and provided technical assistance to SRMC on the HIPAA Right of Access provision of the HIPAA Privacy Rule and the requirement to send medical records to a third party if requested by a patient. OCR closed the complaint on June 25, 2019. The same patient filed a second complaint with OCR on August 19, 2019 when the requested medical records had still not been...

Read More
Ransomware Gang Dumps Data Stolen from Two U.S. Healthcare Providers
Feb12

Ransomware Gang Dumps Data Stolen from Two U.S. Healthcare Providers

The Conti ransomware gang has dumped a large batch of healthcare data online that was allegedly stolen from Leon Medical Centers in Florida and Nocona General Hospital in Texas. Leon Medical Centers suffered a Conti ransomware attack in early November 2020, which was initially reported to the HHS’ Office for Civil Rights on January 8, 2021 as affecting 500 individuals. Leon Medical Centers explained in its substitute breach notice that the incident involved the use of malware and the investigation confirmed the attackers accessed the personal and protected health information of certain patients. It is unclear when the ransomware attack on Nocona General Hospital occurred, as notification letters do not appear to have been sent to affected individuals, no breach notice has been posted on its website, and the incident is not listed on the HHS’ Office for Civil Rights breach portal. According to NBC, which spoke with an attorney representing the hospital, none of its systems appeared to have been breached, files were apparently not encrypted, and no ransom note had been identified by...

Read More
Renown Health Pays $75,000 to Settle HIPAA Right of Access Case
Feb11

Renown Health Pays $75,000 to Settle HIPAA Right of Access Case

The Department of Health and Human Services’ Office for Civil Rights (OCR) is continuing to crackdown on noncompliance with the HIPAA Right of Access. This week, OCR announced its fifteenth settlement to resolve a HIPAA Right of Access enforcement action. Renown Health, a not-for-profit healthcare network in Northern Nevada, agreed to settle its HIPAA case with OCR to resolve potential violations of the HIPAA Right of Access and has agreed to pay a financial penalty of $75,000. OCR launched an investigation after receiving a complaint from a Renown Health patient who had not been provided with an electronic copy of her protected health information. In January 2019, the patient submitted a request to Renown Health and asked for her medical and billing records to be sent to her attorney. After waiting more than a month for the records to be provided, the patient filed a complaint with OCR. It took Renown Health until December 27, 2019 to provide the requested records, almost a year after the initial request was made. The HIPAA Privacy Rule (45 C.F.R. § 164.524) requires medical...

Read More
Nebraska Medicine Notifies 219,000 Patients About September 2020 Malware Attack
Feb10

Nebraska Medicine Notifies 219,000 Patients About September 2020 Malware Attack

Nebraska Medicine has started notifying approximately 219,000 patients about a malware attack that allowed an unauthorized individual to view and obtain patient information. Nebraska Medicine identified unusual activity in some of its systems on September 20, 2020. All affected devices were isolated to contain the breach and impacted systems were shut down to prevent any further unauthorized access. Independent computer forensics experts were engaged to conduct an investigation and determine the nature and scope of the security breach. The investigation confirmed that an unauthorized individual first gained access to the network on August 27, 2020 and deployed malware. Between August 27 and September 20, that individual copied certain files, some of which contained patient information. The files contained information about patients who received medical services at The Nebraska Medical Center or University of Nebraska Medical Center, as well as a limited number of patients who visited Faith Regional Health Services, Great Plains Health, or Mary Lanning Healthcare. The protected...

Read More
Class Action Lawsuit Filed Against US Fertility Over September 2020 Ransomware Attack
Feb09

Class Action Lawsuit Filed Against US Fertility Over September 2020 Ransomware Attack

US Fertility is facing a class action lawsuit over a September 2020 ransomware attack and data breach that affected 878,550 individuals. US Fertility provides IT platforms and administrative, clinical, and business information services, and is one of the largest providers of support services to infertility clinics in the United States. On September 14, 2020, US Fertility discovered ransomware had been used to encrypt files on its network. The investigation revealed the threat actors behind the attack exfiltrated files between August 12 and September 14, 2020, some of which contained protected health information. The types of data obtained by the hackers included names, addresses, dates of birth, driver’s license and state ID numbers, passport numbers, medical treatment/diagnosis information, medical record information, health insurance and claims information, credit and debit card information, and financial account information. The class action lawsuit, brought by Plaintiffs Alec Vinsant and Marla Vinsant, alleges US Fertility failed to implement adequate data security measures...

Read More
Email Account Breach at Law Firm Affects More Than 36,000 UPMC Patients
Feb08

Email Account Breach at Law Firm Affects More Than 36,000 UPMC Patients

University of Pittsburgh Medical Center (UPMC) has announced the protected health information of more than 36,000 patients has potentially been accessed by unauthorized individuals following a cyberattack on a company that provides billing-related legal services to UPMC. In June 2020, Charles J. Hilton & Associates P.C. (CJH) discovered suspicious activity in its employee email system and launched an investigation. On July 21, 2020, CJH determined that hackers had gained access to the email accounts of several of its employees between April 1, 2020 and June 25, 2020. Computer forensics specialists conducted an extensive investigation into the incident to determine which information was accessed or obtained by the hackers. UPMC said it received a notification about the breach in December 2020 confirming patient information may have been accessed by the hackers. Notification letters are now being sent by CJH to all patients potentially affected by the breach. UPMC said none of its systems, including its electronic medical record system, were affected, and the only information...

Read More
Ramsey County and Crisp Regional Health Services Affected by Ransomware Attacks
Feb05

Ramsey County and Crisp Regional Health Services Affected by Ransomware Attacks

The County Manager’s Office of Ramsey County, MN has started notifying 8,687 clients of its Family Health Division that some of their personal information has potentially been accessed by unauthorized individuals in a ransomware attack on one of its vendors. St. Cloud-based Netgain Technology LLC provides technology services to Ramsey County, including an application used by the Family Health Division for documenting home visits. Data within that application was potentially accessed and exfiltrated by threat actors prior to the deployment of ransomware.  The application contained information such as names, addresses, dates of birth, dates of service, telephone numbers, account numbers, health insurance information, medical information and, for a small number of individuals, Social Security numbers. The attack appears to have been conducted with the sole purpose of extorting money from Netgain rather than to gain access to personal information; however, it was not possible to rule out unauthorized access or data theft. Ramsey County was notified about the attack on December 2, 2020...

Read More
4 Healthcare Providers Have Started Notifying Patients About Recent Phishing Attacks
Feb04

4 Healthcare Providers Have Started Notifying Patients About Recent Phishing Attacks

A round up of healthcare phishing attacks that have been publicly disclosed in the past few days. 2,254 Patients Affected by Leonard J. Chabert Medical Center Email Account Breach Leonard J. Chabert Medical Center has been notified that the protected health information of some of its patients has been compromised in a phishing attack on LSU Health New Orleans Health Care Services Division (LSU HCSD). LSU HCSD announced the breach publicly on November 20, 2020 but discovered on November 24, 2020 that some patient data from Leonard J. Chabert Medical Center, its partner hospital, had also potentially been compromised. Leonard J. Chabert Medical Center was provided with information related to the breach on December 3, 2020, the analysis of which revealed the protected health information of 2,254 patients had been exposed between September 15, 2020 to September 18, 2020. For most patients, the exposed data was limited to names, phone numbers, addresses, medical record numbers, dates of birth, account numbers, dates of service, types of services received, and health insurance...

Read More
Montefiore Medical Center and Bethesda Hospital Fire Employees for HIPAA Breaches
Feb02

Montefiore Medical Center and Bethesda Hospital Fire Employees for HIPAA Breaches

Baptist Health’s Bethesda Hospital in Boynton Beach, FL has fired an employee for impermissibly accessing a patient’s protected health information and altering a home health order which was used to provide a patient with home care services. The HIPAA breach was identified on December 1, 2020, prompting an internal investigation. The employee has now been terminated and the incident reported to law enforcement. The investigation revealed other patient records may also have been accessed by the former employee between June 1, 2019 and December 2, 2020. The types of information potentially viewed included names, dates of birth, addresses, health insurance information, Social Security numbers, and clinical documentation. All affected individuals have been notified and offered complimentary identity theft protection and credit monitoring services and Baptist Health is exploring ways to further safeguard patients’ protected health information and prevent similar breaches in the future. The incident has yet to be listed on the HHS’ Office for Civil Rights’ website so it is currently...

Read More
Failure to Patch Results in 7-Year Breach of Florida Medicaid Applicants’ PHI and Exposure of 3.5 Million Records
Feb01

Failure to Patch Results in 7-Year Breach of Florida Medicaid Applicants’ PHI and Exposure of 3.5 Million Records

The Tallahassee, FL-based Medicaid health plan, Florida Healthy Kids Corporation, has discovered its web hosting provider failed to patch vulnerabilities which were exploited by cybercriminals to gain access to its website and the protected health information of applicants for benefits for the past 7 years. The breach is listed on the HHS’ Office for Civil Rights breach portal as affecting 3.5 million individuals, making this one of the largest healthcare data breaches of all time. Florida Healthy Kids used Jelly Bean Communications Design, LLC. for hosting its website. The website included an online application that recorded information about individuals when they applied for Florida KidCare benefits or renewed their health or dental coverage online. On December 9, 2020, Jelly Bean Communications notified Florida Healthy Kids that unauthorized individuals had gained access to the website and tampered with the addresses of several thousand applicants. Florida Healthy Kids engaged cybersecurity experts to conduct an investigation to determine the scope and severity of the...

Read More
Almost 190,000 Patients Affected by Roper St. Francis Healthcare Phishing Attack
Jan27

Almost 190,000 Patients Affected by Roper St. Francis Healthcare Phishing Attack

Roper St. Francis Healthcare has notified 189,761 patients that some of their protected health information was contained in employee email accounts that were accessed by an unauthorized individual. The email security breach was detected in late October 2020, and the subsequent investigation revealed three email accounts were compromised between October 14 and October 29, 2020. A review off the email accounts was conducted to determine the information that was potentially accessed. It was not possible to tell if patient information was viewed or exfiltrated, although the attacker would have been able to access names, medical record numbers, patient account numbers, dates of birth, and limited treatment and clinical information, such as dates of service, locations of service, providers’ names, and billing information. The email accounts also contained the health insurance information and Social Security numbers of a limited number of patients. Roper St. Francis Healthcare has offered complimentary credit monitoring and identity theft protection services to individuals whose Social...

Read More
Rady Children’s Hospital Facing Class Action Lawsuit over Blackbaud Ransomware Attack
Jan26

Rady Children’s Hospital Facing Class Action Lawsuit over Blackbaud Ransomware Attack

In May 2020, the cloud software company Blackbaud suffered a ransomware attack. As is common in human operated ransomware attacks, data was exfiltrated prior to file encryption. Some of the stolen data included the fundraising databases of its healthcare clients. One of the affected healthcare providers was Rady Children’s Hospital-San Diego, the largest children’s hospital in California in terms of admissions. A class action lawsuit has been proposed that alleges Rady was negligent for failing to protect the sensitive information of 19,788 individuals which was obtained by the hackers through Blackbaud’s donor management software solution. The lawsuit alleges Rady failed to implement adequate security measures and failed to ensure Blackbaud had adequate security measures in place to protect ePHI and ensure it remained private and confidential. The lawsuit alleges individuals affected by the breach now face “imminent, immediate, substantial and continuing increased risk” of identity theft and fraud as a result of the breach and Rady’s negligence. Blackbaud discovered the ransomware...

Read More
HIPAA Enforcement by State Attorneys General
Jan21

HIPAA Enforcement by State Attorneys General

The Department of Health and Human Services’ Office for Civil Rights is the main enforcer of HIPAA compliance; however, state Attorneys General also play a role in enforcing compliance with the Health Insurance Portability and Accountability Act Rules. The Health Information Technology for Clinical and Economic Health (HITECH) Act gave state attorneys general the authority to bring civil actions on behalf of state residents who have been impacted by violations of the HIPAA Privacy and Security Rules and can obtain damages on behalf of state residents. The Connecticut Attorney General was the first to exercise this right in 2010 against Health Net Inc. for the loss of unencrypted hard drive containing the electronic protected health information 1.5 million individuals and delayed breach notifications. The case was settled for $250,000. The Vermont Attorney General followed suit with a similar action against Health Net in 2011 that was settled for $55,000, and Indiana brought a civil action against Wellpoint Inc. in 2011 that was settled for $100,000. State Attorney HIPAA cases were...

Read More
Data Breaches Reported by Gainwell Technologies, TaylorMade Diagnostics, and Mattapan Community Health Center
Jan21

Data Breaches Reported by Gainwell Technologies, TaylorMade Diagnostics, and Mattapan Community Health Center

Gainwell Technologies has discovered unauthorized individuals have potentially accessed the information of certain participants of Wisconsin’s Medicaid program, which was stored in emails and email attachments in a compromised account. Access to the email account was first gained on October 29, 2020 and continued until November 16, 2020. The account contained information such as names, member ID numbers, and billing codes for services. Approximately 1,200 Wisconsin Medicaid members have been affected. Affected individuals have been offered a 1-year complimentary membership to credit monitoring services. Gainwell provides fiscal-agent services for the Wisconsin Department of Health Services (DHS) Medicaid Program. Since the breach occurred, the DHS and Gainwell have worked together to prevent similar breaches in the future. This is the second incident to be reported as having affected Gainwell in recent weeks. Gainwell operates the Medicaid Management Information System used by the Tennessee state Medicaid health plan, TennCare. Gainwell discovered an error at a mailing vendor...

Read More
At Least 560 U.S. Healthcare Facilities Were Impacted by Ransomware Attacks in 2020
Jan20

At Least 560 U.S. Healthcare Facilities Were Impacted by Ransomware Attacks in 2020

Ransomware attacks have had a massive impact on businesses and organizations in the United States, and 2020 was a particularly bad year. The healthcare industry, education sector, and federal, state, and municipal governments and agencies have been targeted by ransomware gangs and there were at least 2,354 attacks on these sectors in 2020, according to the latest State of Ransomware report from the New Zealand-based cybersecurity firm Emsisoft. The number of ransomware attacks increased sharply toward the end of 2019, and while the attacks slowed in the first half of 2020, a major coordinated campaign was launched in September when attacks dramatically increased and continued to occur in large numbers throughout the rest of the year. In 2020 there were at least 113 ransomware attacks on federal, state, and municipal governments and agencies, 560 attacks on healthcare facilities in 80 separate incidents, and 1,681 attacks on schools, colleges, and universities. These attacks have caused significant financial harm and in some cases the disruption has had life threatening...

Read More
2020 Healthcare Data Breach Report: 25% Increase in Breaches in 2020
Jan19

2020 Healthcare Data Breach Report: 25% Increase in Breaches in 2020

More large healthcare data breaches were reported in 2020 than in any other year since the HITECH Act called for the U.S. Department of Health and Human Services’ Office for Civil Rights to start publishing healthcare data breach figures on its website. In 2020, healthcare data breaches of 500 or more records were reported at a rate of more than 1.76 per day. 2020 saw 642 large data breaches reported by healthcare providers, health plans, healthcare clearing houses and business associates of those entities – 25% more than 2019, which was also a record-breaking year. More than twice the number of data breaches are now being reported than 6 years ago and three times the number of data breaches that occurred in 2010. Key Takeaways 25% year-over-year increase in healthcare data breaches. Healthcare data breaches have doubled since 2014. 642 healthcare data breaches of 500 or more records were reported in 2020. 1.76 data breaches of 500 or more healthcare records were reported each day in 2020. 2020 saw more than 29 million healthcare records breached. One breach involved more than 10...

Read More
December 2020 Healthcare Data Breach Report
Jan18

December 2020 Healthcare Data Breach Report

2020 ended with healthcare data breaches being reported at a rate of 2 per day, which is twice the rate of breaches in January 2020. Healthcare data breaches increased 31.9% month over month and were also 31.9% more than the 2020 monthly average. There may still be a handful more breaches to be added to the OCR breach portal for 2020 but, as it stands, 642 healthcare data breaches of 500 or more records have been reported to OCR in 2020. That is more than any other year since the HITECH Act required OCR to start publishing data breach summaries on its website.   December was the second worst month of 2020 in terms of the number of breached records. 4,241,603 healthcare records were exposed, compromised, or impermissibly disclosed across the month’s 62 reported data breaches. That represents a 272.35% increase in breached records from November and 92.25% more than the monthly average in 2020. For comparison purposes, there were 41 reported breaches in December 2019 and 397,862 healthcare records were breached. Largest Healthcare Data Breaches Reported in December 2020 Name of...

Read More
Excellus Health Plan Settles HIPAA Violation Case and Pays $5.1 Million Penalty
Jan18

Excellus Health Plan Settles HIPAA Violation Case and Pays $5.1 Million Penalty

The Department of Health and Human Services’ Office for Civil Rights has announced the health insurer Excellus Health Plan has agreed to pay a $5.1 million penalty to settle a HIPAA violation case stemming from a 2015 data breach that affected 9.3 million individuals. The breach in question was discovered by Excellus Health Plan in 2015, the same year that massive data breaches were discovered by the health insurers Anthem Inc. (78.8 million records) and Premera Blue Cross (10.6 million records). All three entities have now settled breach investigations with OCR and have paid substantial financial penalties. Excellus Health Plan, doing business as Excellus BlueCross BlueShield and Univera Healthcare, serves individuals in upstate and western New York. In August 2015, the health insurer discovered hackers had gained access to its computer systems. The breach investigation revealed access to its systems was first gained around December 23, 2013 and continued until May 11, 2015. The breach was reported to OCR on September 9, 2015. The hackers installed malware on its systems,...

Read More
What are the Penalties for HIPAA Violations?
Jan15

What are the Penalties for HIPAA Violations?

Penalties for HIPAA violations can be issued by the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general. In addition to financial penalties, covered entities are required to adopt a corrective action plan to bring policies and procedures up to the standards demanded by HIPAA.  The Health Insurance Portability and Accountability Act of 1996 placed a number of requirements on HIPAA-covered entities to safeguard the Protected Health Information (PHI) of patients, and to strictly control when PHI can be divulged, and to whom. Since the Enforcement Final Rule of 2006, OCR has had the power to issue financial penalties (and/or corrective action plans) to covered entities that fail to comply with HIPAA Rules. Financial penalties for HIPAA violations were updated by the HIPAA Omnibus Rule, which introduced charges in line with the Health Information Technology for Economic and Clinical Health Act (HITECH). The Omnibus Rule took effect from March 26, 2013. Since the introduction of the Omnibus Rule, the new penalties for HIPAA violations...

Read More
South Country Health Alliance Breach Impacts 66,874 Plan Members
Jan15

South Country Health Alliance Breach Impacts 66,874 Plan Members

Owatonna, MN-based Minnesota South Country Health Alliance has discovered an unauthorized individual accessed the email account of an employee that contained the protected health information of 66,874 of its members. The email account breach was detected on September 14, 2020, with the subsequent investigation revealing the account was first accessed by an unauthorized individual on June 25, 2020. The review of the email account was completed on November 5, 2020 and revealed it contained personal and protected health information such as names, addresses, Social Security numbers, Medicare and Medicaid numbers, health insurance information, diagnostic or treatment information, date of death, provider name, and treatment cost information. Notifications were sent to all affected members on December 30, 2020. The delay in issuing notifications was due to the time taken to identify current mailing addresses for affected individuals. The breach investigation did not uncover any evidence to suggest any protected health information in the account was viewed or obtained or has been misused....

Read More