Our HIPAA breach news section covers HIPAA breaches such as unauthorized disclosures of protected health information (PHI), improper disposal of PHI, unauthorized PHI access by cybercriminals and rogue healthcare employees, and other security and privacy breaches.

When known, we explain how the breach occurred, the consequences to patients that may have had their PHI compromised, and the actions being taken by the affected healthcare organization to improve safeguards to prevent further HIPAA breaches.

We also explain any actions being taken by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general in relation to those breaches.

OCR investigates all data breaches that impact more than 500 individuals to determine whether any HIPAA violations have occurred. When HIPAA Rules are discovered to have been violated, financial penalties may be deemed appropriate. It can take many months or years before any financial penalties for HIPAA breaches are decided. Financial penalties for HIPAA violations tend to be reserved for the most serious breaches of HIPAA Rules. OCR prefers to resolve cases with voluntary compliance and by issuing recommendations to bring policies in line with HIPAA Rules.

The HIPAA breach news section is particularly relevant to healthcare information security professionals, privacy officers, and other individuals who have some responsibility for HIPAA compliance.

The HIPAA breach news reports highlight common areas of non-compliance and new attack vectors used by cybercriminals to gain access to healthcare networks and PHI, the security failings that allowed them to happen, and the measures that have been implemented to prevent them from happening again.

No healthcare organization wants to experience a data breach, but when a breach does occur, lessons can be learned. HIPAA-covered entities can use these breach examples to help train their staff as well as to discover some of the methods other covered entities have adopted to improve data security.

As you will be able to see from the volume of posts in the HIPAA breach news category, healthcare data breaches occur frequently. In 2016 and 2017, healthcare data breaches have been reported on an almost daily basis.

Our HIPAA breach news section is an important source of information about potential security issues that covered entities should be identifying when conducting their own risk assessments. Many of the situations in our HIPAA breach news posts could have been avoided if a risk assessment had identified a vulnerability that was later exploited to gain access to PHI.

The main purpose for adding HIPAA breach news to this website is to highlight specific aspects of HIPAA compliance that are commonly overlooked, often with serious consequences for the covered entity and patients/health plan members.

By raising awareness of the volume of healthcare data breaches, the implications of those breaches, and the penalties that can result, it is hoped that healthcare providers will take decisive action to prevent their patients’ and members’ data from being exposed.

The most recent healthcare data breach reports are listed below. If you want to find out if a specific covered entity has experienced a data breach, please use the search function in the top right hand corner of this webpage.

Accellion Proposes $8.1 Million Settlement to Resolve Class Action FTA Data Breach Lawsuit
Jan17

Accellion Proposes $8.1 Million Settlement to Resolve Class Action FTA Data Breach Lawsuit

The Palo Alto, CA-based technology firm Accellion has proposed an $8.1 million settlement to resolve a class action data breach lawsuit filed on behalf of victims of the December 2020 cyberattack on the Accellion File Transfer Appliance (FTA). The Accellion FTA is a legacy solution that is used for securely transferring files that are too large to be sent via email. The Accellion FTA had been in use for more than 20 years and was at end-of-life, with support due to end on April 30, 2021. Accellion had developed a new platform, Kiteworks, and customers were encouraged to upgrade from the legacy solution; however, a significant number of entities were still using the FTA solution at the time of the cyberattack. In December 2020, two previously unknown Advanced Persistent Threat (APT) groups linked to FIN11 and the CLOP ransomware gang exploited unaddressed vulnerabilities in the Accellion FTA, gained access to the files of its clients, and exfiltrated a significant amount of data. Following the breach, four vulnerabilities associated with the breach were disclosed and issued CVEs....

Read More
Online Pharmacy Notifies 105,000 Patients About Cyberattack and Potential Theft of PHI
Jan14

Online Pharmacy Notifies 105,000 Patients About Cyberattack and Potential Theft of PHI

The Auburndale, FL-based digital pharmacy and health app developer Ravkoo has started notifying certain patients that some of their sensitive personal information has been exposed and potentially obtained by an unauthorized individual. Ravkoo hosts its online prescription portal on Amazon Web Services (AWS). The portal was targeted in a cyberattack that was detected on September 27, 2021. Upon discovery of the security breach, steps were immediately taken to secure the portal and third-party cybersecurity experts were engaged to assist with the forensic investigation, mitigation, restoration, and remediation efforts. The investigation confirmed sensitive patient data had been exposed and may have been compromised, including names, addresses, phone numbers, certain prescription information, and limited medical data. Ravkoo said the impacted portal did not contain any Social Security numbers, which are not maintained in the affected portal. The forensic investigation did not uncover any evidence that indicated information contained within the portal has been or will be misused....

Read More
EHR Vendor Facing Class Action Lawsuit Over 320,000-Record Data Breach
Jan14

EHR Vendor Facing Class Action Lawsuit Over 320,000-Record Data Breach

QRS, a Tennessee-based healthcare technology services company and EHR vendor, is facing a class action lawsuit over an August 2021 cyberattack in which the protected health information (PHI) of almost 320,000 patients was exposed and potentially stolen. The investigation into the data breach confirmed a hacker had gained access to one of its dedicated patient portal servers between August 23 and August 26, 2021, and viewed and possibly obtained files containing patients’ PHI. Sensitive data stored on the server included patients’ names, addresses, birth dates, usernames, medical information, and Social Security numbers. QRS started sending notification letters to affected individuals in late October and offered identity theft protection services to individuals who had their Social Security number exposed. On January 3, 2022, Matthew Tincher, a Frankfurt, KY resident, filed a class action complaint in the U.S. District Court for the Eastern District of Tennessee against QRS. The lawsuit alleges QRS was negligent for failing to reasonably secure, monitor, and maintain the PHI...

Read More
Disruption to Services at Maryland Department of Health Continues One Month After Ransomware Attack
Jan14

Disruption to Services at Maryland Department of Health Continues One Month After Ransomware Attack

Maryland Chief Information Security Officer (CISO) Chip Stewart has issued a statement confirming the disruption to services at the Maryland Department of Health (MDH) was the result of a ransomware attack. A security breach was detected in the early hours of December 4, 2021, and prompt action was taken to isolate the affected server and contain the attack. Stewart said the Department of Information Technology successfully isolated and contained the affected systems within a matter of hours, limiting the severity of the attack. “It is in part because of this swift response that we have not identified, to this point in our ongoing investigation, evidence of the unauthorized access to or acquisition of State data,” said Stewart in a statement issued on January 12, 2022. According to Stewart, there was an attempted distributed-denial-of-service (DDoS) attack shortly after the ransomware attack; however, that attack was not successful. Evidence gathered during the investigation of the ransomware and DDoS attacks indicates they were conducted by different threat actors. Stewart said he...

Read More
PHI of Anthem Members and Advocate Aurora Health Patients Potentially Compromised
Jan12

PHI of Anthem Members and Advocate Aurora Health Patients Potentially Compromised

Anthem Inc. has alerted 2,003 members that some of their protected health information has potentially been viewed or obtained by an unauthorized individual who gained access to the network of one of its business associates. Anthem works with the Atlanta, GA-based insurance broker OneDigital, which provides support for individuals enrolled in group health plans to help them procure and manage their health insurance. OneDigital had been provided with the protected health information of certain members to assist them or their current or former employer to obtain and manage their health insurance plan. On November 24, 2021, Anthem was notified by OneDigital about a network server hacking incident that occurred in January 2021. Anthem said the investigation into the breach did not uncover any direct evidence of unauthorized viewing or theft of protected health information, but those activities could not be ruled out. The types of data stored on the compromised systems included names, addresses, dates of birth, healthcare provider names, health insurance numbers, group numbers, dates and...

Read More
Over 30 Healthcare Providers Affected by CIOX Health Data Breach
Jan11

Over 30 Healthcare Providers Affected by CIOX Health Data Breach

The health information management services provider CIOX Health has suffered a data breach that has affected at least 32 healthcare providers. In July 2021, CIOX Health discovered an unauthorized individual had gained access to the email of an employee in the customer service department. The email account was immediately secured, with the subsequent investigation confirming the email account had first been accessed by an unauthorized individual on June 24, 2021, and access remained possible until the security breach was detected on July 2, 2021. The CIOX Health breach investigation confirmed that the incident was confined to a single employee email account, with the review of the contents of the email account determining on September 24, 2021, that it contained emails and attachments that included the protected health information of some of its healthcare provider clients such as names, dates of birth, provider names, dates of service, and the Social Security numbers, driver’s license numbers,  health insurance information, and/or treatment information of a very limited number of...

Read More
Millennium Eye Care Says Ransomware Gang Stole a Large Amount of Patient Data
Jan10

Millennium Eye Care Says Ransomware Gang Stole a Large Amount of Patient Data

Millennium Eye Care, a Freehold, NJ-based provider of ophthalmology services, announced on December 22, 2021, that hackers recently gained access to its computer network and used ransomware to encrypt files in an attempt to extort money from the practice. It is unclear when the attack occurred from its breach notification letters, but Millennium Eye Care said it discovered on November 14, 2021, that the attackers had exfiltrated “a large amount of data” prior to encrypting files. The files obtained in the attack included a range of protected health information including names and Social Security numbers. Millennium Eye Care said it has increased network security measures to reduce the risk of further attacks and has provided additional cybersecurity training to the workforce to help them recognize external attacks. Affected individuals have been notified by mail and have been provided with information on the steps they can take to protect against identity theft and fraud. Identity theft protection services are being provided free of charge and affected patients will also be covered...

Read More
BioPlus Specialty Pharmacy Services Faces Class Action Lawsuit Over Data Breach
Jan07

BioPlus Specialty Pharmacy Services Faces Class Action Lawsuit Over Data Breach

A Florida specialty pharmacy is facing a class action lawsuit over an October 2021 cyberattack in which the personally identifiable information (PII) and protected health information (PHI) of up to 350,000 patients were stolen. Altamonte Springs, FL-based BioPlus Specialty Pharmacy Services said a hacker had access to its network from October 25, 2021, until November 11, 2021, and during that time viewed files containing sensitive patient data. A computer forensics firm investigated the breach and confirmed patient data had been accessed. Since it was not possible to determine how many patients had been affected, the decision was taken to send notification letters to all 350,000 patients on or around December 10, 2021, one month after the breach was discovered. Data potentially compromised in the attack included names, contact information, dates of birth, medical record numbers, health insurance and claims information diagnoses, prescription information, and Social Security numbers. Affected individuals were offered a 12-month subscription to credit monitoring services at no cost....

Read More
Almost 80,000 Patients Affected by Cyberattack on Fertility Centers of Illinois
Jan06

Almost 80,000 Patients Affected by Cyberattack on Fertility Centers of Illinois

Fertility Centers of Illinois (FCI) has recently notified 79,943 current and former patients that some of their protected health information may have been viewed or obtained by unauthorized individuals. FCI identified suspicious network activity on February 1, 2021, and took prompt action to secure its systems. Independent forensic investigators were then engaged to determine the nature and scope of the security breach. FCI had implemented security measures to keep patient data secure, and those measures ensured its electronic medical record system could not be accessed; however, the attackers were found to have accessed administrative files and folders. A review of those files confirmed on August 27, 2021, that they contained a range of patient data including names in combination with one or more of the following types of information: Social Security numbers, passport numbers, financial account information, payment card information, diagnoses, treatment information, medical record numbers, billing/claims information, prescription information, Medicare/Medicaid identification...

Read More
Rhode Island Public Transit Authority Data Breach to be Investigated by State Attorney General
Jan05

Rhode Island Public Transit Authority Data Breach to be Investigated by State Attorney General

The Rhode Island Public Transit Authority (RIPTA) has recently notified the Department of Health and Human Services’ Office for Civil Rights about a data breach involving the protected health information (PHI) of 5,015 members of its group health plan. RIPTA explained in a breach notice on its website that the cyberattack was detected and blocked on August 5, 2021, and the forensic investigation determined hackers had access to its network from August 3, 2021. A comprehensive review of files on the compromised parts of its network identified files related to the RIPTA health plan, which were found to contain the names, addresses, dates of birth, Social Security numbers, Medicare ID numbers, qualification information, health plan ID numbers, and claims information of health plan members. It was also confirmed that those files had been exfiltrated from its systems by the attackers. RIPTA sent notification letters to affected individuals on December 22, 2021, and offered a complimentary membership to Equifax’s identity monitoring services. RIPTA also explained in its website breach...

Read More
Broward Health Notifies Over 1.3 Million Individuals About October 2021 Data Breach
Jan04

Broward Health Notifies Over 1.3 Million Individuals About October 2021 Data Breach

A major data breach has been announced by Florida’s Broward Health involving the personal and protected health information of more than 1.35 million individuals. The data breach occurred on October 15, 2021, when a hacker gained access to the Broward Health network through the office of a third-party medical provider that had been granted access to the Broward Health network for providing healthcare services. Broward Health discovered and blocked the intrusion on October 19, 2021, and a password reset was performed for all employees to prevent further unauthorized access. Assisted by a third-party cybersecurity company, Broward Health conducted a comprehensive investigation to determine the nature and scope of the breach. The investigation confirmed the attacker had access to parts of the network where employee and patient information were stored, including sensitive data such as names, dates of birth, addresses, email addresses, phone numbers, Social Security numbers, financial/bank account information, health insurance information, medical histories, health conditions,...

Read More
2020-2021 HIPAA Violation Cases and Penalties
Jan04

2020-2021 HIPAA Violation Cases and Penalties

The Department of Health and Human Services’ Office for Civil Rights (OCR) settled 19 HIPAA violation cases in 2020. More financial penalties were issued in 2020 than in any other year since the Department of Health and Human Services was given the authority to enforce HIPAA compliance. $13,554,900 was paid to OCR to settle the HIPAA violation cases. 2021 saw a slight reduction in the number of settlements and fines for HIPAA violations, with 14 enforcement actions announced by OCR. Even so, 2021 had the second-highest number of HIPAA fines of any year since OCR started enforcing compliance with the HIPAA Rules. While the number of penalties was still high in 2021, there was a sizeable reduction in penalty amounts which totaled $5,982,150 for the year, and $5,100,000 of that total came from just one enforcement action. The reason for this is that most of the penalties were for violations of the HIPAA Right of Access, and were in response to investigations of complaints filed by patients who had not been provided with timely access to their medical records, rather than penalties for...

Read More
Saltzer Health Alerts Patients About PHI Exposure in Email Account Breach
Jan03

Saltzer Health Alerts Patients About PHI Exposure in Email Account Breach

Nampa, Idaho-based Saltzer Health has started notifying certain patients that some of their protected health information (PHI) has been exposed in an email account breach that was detected on June 1, 2021. The investigation revealed an unauthorized individual had access to an employee’s email account between May 25, 2021, and June 1, 2021. Saltzer Health was unable to find evidence indicating the attacker viewed or exfiltrated emails from the account, but it was not possible to rule the possibility of unauthorized PHI access and data theft. The investigation confirmed the breach was confined to a single email account and no other systems were affected. Assisted by third-party specialists, Saltzer Health conducted a comprehensive review of the email account to determine which patients had been affected. The review was completed on September 21, 2021, and revealed the following types of patient data were stored in the account: Names, contact information, state identification numbers, driver’s license numbers, medical record numbers, medical histories, diagnoses, treatment...

Read More
The Most Common HIPAA Violations You Should Be Aware Of
Jan02

The Most Common HIPAA Violations You Should Be Aware Of

The most common HIPAA violations that have resulted in financial penalties are the failure to perform an organization-wide risk analysis to identify risks to the confidentiality, integrity, and availability of protected health information (PHI); the failure to enter into a HIPAA-compliant business associate agreement; impermissible disclosures of PHI; delayed breach notifications; and the failure to safeguard PHI. The settlements pursued by the Department of Health and Human Services’ Office for Civil Rights (OCR) are for egregious violations of HIPAA Rules. Settlements are also pursued to highlight common HIPAA violations to raise awareness of the need to comply with specific aspects of HIPAA Rules. This article covers five of the most common HIPAA violations that have resulted in settlements with covered entities and their business associates over the past few years. Are Data Breaches HIPAA Violations? Data breaches are now a fact of life. Even with multi-layered cybersecurity defenses, data breaches are still likely to occur from time to time. OCR understands that healthcare...

Read More
Largest Healthcare Data Breaches of 2021
Dec30

Largest Healthcare Data Breaches of 2021

The largest healthcare data breaches of 2021 rank as some of the worst of all time. In this post, we summarize some of the most serious data breaches to be reported in what has turned out to be another record-breaking year. The Department of Health and Human Services’ Office for Civil Rights’ breach portal shows 686 healthcare data breaches of 500 or more records in 2021, and that number is likely to grow over the next couple of weeks and could well exceed 700 data breaches. As it stands, 2021 is already the worst ever year for healthcare data breaches, beating last year’s record of 642 data breaches. It has also been a particularly bad year in terms of the number of breached healthcare records. Across the 686 2021 healthcare data breaches, 44,993,618 healthcare records have been exposed or stolen, which makes 2021 the second-worst year in terms of breached healthcare records. There have been 245 data breaches of 10,000 or more records, 68 breaches of the healthcare data of 100,000 or more individuals, 25 breaches that affected more than half a million...

Read More
Over 212,500 Patients Affected by 2020 Email Account Breach at Florida Digestive Health Specialists
Dec29

Over 212,500 Patients Affected by 2020 Email Account Breach at Florida Digestive Health Specialists

The Bradenton, FL-based gastroenterology healthcare provider Florida Digestive Health Specialists (FDHS) has recently started notifying more than 212,000 patients that some of their protected health information has been exposed in a December 2020 cyberattack. Notification letters were sent to affected individuals on December 27, 2021, by attorney Jason M. Schwent of Clark Hill. The letters explain that suspicious activity was detected in an employee email account on December 16, 2020, which involved an unauthorized individual sending emails from that account. This was a business email compromise attack where access to an internal email account is gained, usually via a phishing email, and the account is then used to impersonate an employee to convince other individuals to make fraudulent wire transfers. In this case, on December 21, 2020, FDHS determined a fraudulent transfer of funds had been made to an unknown bank account. FDHS engaged the services of Clark Hill and a third-party cybersecurity firm to investigate the cyberattack. The investigation confirmed a limited number of...

Read More
Patient Data Stolen in Cyberattack on the Medical Review Institute of America
Dec29

Patient Data Stolen in Cyberattack on the Medical Review Institute of America

The Medical Review Institute of America (MRoiA) suffered a suspected ransomware attack in November 2021 in which sensitive patient data were stolen. MRoiA is provided with patient data by HIPAA-covered entities as part of the clinical peer review process of healthcare services. In a data breach notice provided to the Vermont attorney general, MRoiA said it was the victim of a sophisticated cyberattack that was detected on November 9, 2021. Third-party cybersecurity experts were immediately engaged to conduct a forensic investigation to determine the nature and scope of the attack and to assist with its remediation efforts, including restoring its systems and operations. On November 12, 2021, MRoiA discovered the attackers had exfiltrated sensitive data, including patients’ electronic protected health information (ePHI). MRoiA did not state in the breach notification letter whether ransomware was involved, although the attack has the hallmarks of a double-extortion ransomware attack. MRoiA said on November 16, 2021, it received assurances that the stolen data were retrieved and...

Read More
HIPAA Enforcement by State Attorneys General
Dec28

HIPAA Enforcement by State Attorneys General

The Department of Health and Human Services’ Office for Civil Rights is the main enforcer of HIPAA compliance; however, state Attorneys General also play a role in enforcing compliance with the Health Insurance Portability and Accountability Act Rules. The Health Information Technology for Clinical and Economic Health (HITECH) Act gave state attorneys general the authority to bring civil actions on behalf of state residents who have been impacted by violations of the HIPAA Privacy and Security Rules and can obtain damages on behalf of state residents. The Connecticut Attorney General was the first to exercise this right in 2010 against Health Net Inc. for the loss of an unencrypted hard drive containing the electronic protected health information of 1.5 million individuals and delayed breach notifications. The case was settled for $250,000. The Vermont Attorney General followed suit with a similar action against Health Net in 2011 that was settled for $55,000, and Indiana brought a civil action against Wellpoint Inc. in 2011 that was settled for $100,000. State Attorney HIPAA cases...

Read More
Accountancy Firm Facing Class Action Lawsuit Alleging Negligence and Breach Notification Failures
Dec27

Accountancy Firm Facing Class Action Lawsuit Alleging Negligence and Breach Notification Failures

The Chicago, IN-based certified public accounting firm Bansley & Kiener LLP is facing a class action lawsuit over a data breach that was reported to regulators this December. The breach in question occurred in the second half of 2020, with the investigation indicating hackers accessed its systems between August 20, 2020, and December 1, 2020. Bansley & Kiener discovered the breach on December 10, 2020, when ransomware was used to encrypt files. Bansley & Kiener explained in its breach notification letters that it was confirmed on May 24, 2021, that the attackers had exfiltrated data from its systems prior to encrypting files. Bansley & Kiener manages payroll, health insurance, and pension plans for its clients. In total, the sensitive information of 274,000 individuals was exposed or compromised, including names, dates of birth, Social Security numbers, passport numbers, tax IDs, military IDs, driver’s license numbers, financial account information, payment card numbers, health information, and complaint claims. While the attack was detected in December 2020, it...

Read More
Hospital, Pharmacy, and Dental Practice Report Hacking Incidents Impact More Than 355,000 Patients
Dec24

Hospital, Pharmacy, and Dental Practice Report Hacking Incidents Impact More Than 355,000 Patients

A hacker gained access to the IT network of Altamonte Springs, FL-based BioPlus Specialty Pharmacy Services and accessed files containing sensitive patient data. The intrusion was detected on November 11, 2021, and steps were immediately taken to remove the hacker from its network. Assisted by a third-party computer forensics firm, BioPlus determined its IT environment was compromised on October 25, 2021, and the hacker was removed from its systems on November 11. The investigation confirmed files containing the protected health information of certain patients had been accessed, but it was not possible to rule out the possibility that the hacker accessed the PHI of all of its patients. The decision was therefore taken to notify all 350,000 current and former patients about the breach. Files that were accessible to the hacker included patient names, dates of birth, addresses, medical record numbers, current/former health plan member ID numbers, claims information, diagnoses, and/or prescription information. Some patients also had their Social Security number exposed. Notification...

Read More
What are the Penalties for HIPAA Violations?
Dec23

What are the Penalties for HIPAA Violations?

Penalties for HIPAA violations can be issued by the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general. In addition to financial penalties, covered entities are required to adopt a corrective action plan to bring policies and procedures up to the standards demanded by HIPAA.  The Health Insurance Portability and Accountability Act of 1996 placed a number of requirements on HIPAA-covered entities to safeguard the Protected Health Information (PHI) of patients, and to strictly control when PHI can be divulged, and to whom. Since the Enforcement Final Rule of 2006, OCR has had the power to issue financial penalties (and/or corrective action plans) to covered entities that fail to comply with HIPAA Rules. Financial penalties for HIPAA violations were updated by the HIPAA Omnibus Rule, which introduced charges in line with the Health Information Technology for Economic and Clinical Health Act (HITECH). The Omnibus Rule took effect on March 26, 2013. Since the introduction of the Omnibus Rule, the new penalties for HIPAA violations...

Read More
PHI of Almost 400,000 Monongalia Health Patients Potentially Compromised in BEC and Phishing Attack
Dec23

PHI of Almost 400,000 Monongalia Health Patients Potentially Compromised in BEC and Phishing Attack

Morgantown, WV-based Monongalia Health System has started notifying almost 400,000 patients that some of their protected health information (PHI) may have been obtained by unauthorized individuals in a recent cyberattack. The security incident came to light when one of its vendors reported not receiving a July 2021 payment that had left Monongalia Health’s accounts. The investigation into the incident confirmed this was a business email compromise (BEC) attack. The attacker had used a phishing email to obtain the credentials for a Monongalia Health contractor’s email account, which was used to send a request to Monongalia Health to have the bank account details for an upcoming payment changed to an account controlled by the attacker. Monongalia Health said the investigation revealed several Monongalia Health email accounts had been compromised as a result of employees responding to phishing emails, and emails and email attachments in those accounts contained patients’ protected health information. The purpose of the attack appears to have solely been to obtain funds from Monongalia...

Read More
Hacking Incidents Reported by Southern Orthopaedic Associates and Eduro Healthcare
Dec22

Hacking Incidents Reported by Southern Orthopaedic Associates and Eduro Healthcare

Paducah, KY-based Southern Orthopaedic Associates (SOA), doing business as the Orthopaedic Institute of Western Kentucky, has started notifying 106,910 patients about a breach of some of their protected health information. SOA detected unauthorized activity in an employee email account on or around July 7, 2021. Steps were immediately taken to secure the account and an investigation was launched to determine the nature and scope of the breach. Assisted by a third-party computer forensics company, SOA determined that several employee email accounts had been compromised between June 24, 2021, and July 8, 2021; however, it was not possible to tell which, if any, emails in the account had been accessed. A comprehensive review was conducted of all emails and attachments in the compromised accounts to determine if they contained any protected health information. The review was completed on October 21, 2021, and confirmed the accounts contained patient names and Social Security numbers. Notification letters were sent to affected individuals starting on December 12, 2021. SOA has offered a...

Read More
November 2021 Healthcare Data Breach Report
Dec21

November 2021 Healthcare Data Breach Report

The number of reported healthcare data breaches has increased for the third successive month, with November seeing 68 data breaches of 500 or more records reported to the HHS’ Office for Civil Rights – a 15.25% increase from October and well above the 12-month average of 56 data breaches a month. From January 1 to November 30, 614 data breaches were reported to the Office for Civil Rights. It is looking increasingly likely that this year will be the worst ever year for healthcare data breaches. The number of data breaches increased, but there was a sizable reduction in the number of breached records. Across the 68 reported breaches, 2,370,600 healthcare records were exposed, stolen, or impermissibly disclosed – a 33.95% decrease from the previous month and well below the 12-month average of 3,430,822 breached records per month. Largest Healthcare Data Breaches Reported in November 2021 In November, 30 data breaches of 10,000 or more records were reported to the HHS’ Office for Civil Rights, and 4 of those breaches resulted in the exposure/theft of more than 100,000 records. The...

Read More
Payroll of Healthcare Providers Threatened by Ransomware Attack on Kronos
Dec17

Payroll of Healthcare Providers Threatened by Ransomware Attack on Kronos

The number of healthcare providers affected by the recent ransomware attack on Kronos has been growing over the past few days. 7 healthcare providers have now confirmed they have been affected by the attack. Kronos is a Lowell, MA-based workforce management and human capital management solution provider that many healthcare organizations use for payroll, scheduling, and other services. On December 11, 2021, Kronos discovered unusual activity in its systems deployed within the Kronos Private Cloud. Steps were immediately taken to investigate the activity and block any unauthorized access. It was rapidly determined to be a ransomware attack, that affected parts of its cloud environment where Ultimate Kronos Group (UKG) solutions are deployed, including UKG Workforce Central, UKG TeleStaff, Healthcare Extensions, and Banking Scheduling. UKG said it engaged a leading cyber security firm to assess and mitigate the attack and the investigation into the breach is ongoing. The affected solutions remain offline and Kronos has strongly suggested its clients should evaluate and implement...

Read More
Over 535,000 Individuals Affected by Ransomware Attack on Texas ENT Specialists
Dec17

Over 535,000 Individuals Affected by Ransomware Attack on Texas ENT Specialists

Texas Ear, Nose & Throat Specialists P.A. (Texas ENT Specialists) has recently announced it was the victim of a cyberattack that was detected on October 19, 2021. When the attack was detected, prompt action was taken to prevent further unauthorized system access and a third-party cybersecurity firm was engaged to investigate and determine the nature and extent of the attack. The forensic investigation revealed the attackers first gained access to its systems on August 9, 2021, and between then and August 15, files were copied and exfiltrated from its systems. A review of those files confirmed they contained the protected health information (PHI) of 535,489 patients, including names, dates of birth, medical record numbers, and procedure codes. A subset of individuals also had their Social Security numbers stolen; however, its electronic medical record system was unaffected. Texas ENT Specialists mailed notification letters to affected individuals on December 10, 2021. Patients who had their Social Security number stolen have been offered complimentary membership to Experian’s...

Read More
Almost 50,000 Health Plan Members Affected by Ransomware Attack on Broward County Public Schools
Dec15

Almost 50,000 Health Plan Members Affected by Ransomware Attack on Broward County Public Schools

In March 2021, ransomware was used in an attack on Broward County Public Schools in Florida and files were encrypted. The investigation into the breach revealed access to the school network was first gained by unauthorized individuals on November 12, 2020, with the ransomware deployed on March 6, 2021. The attack was detected on March 7, 2021. The hackers demanded a ransom payment of $40 million for the keys to decrypt files, which was later reduced to $10, million but the school district refused to pay. Initially, it did not appear that any sensitive data had been obtained in the attack, but on April 19, 2021, it was discovered that some files stored on its systems had been stolen when they were released publicly on the Conti ransomware gang’s data leak website. Schools are not usually covered by the Health Insurance Portability and Accountability Act (HIPAA), so HIPAA breach notifications are not required when student records are compromised; however, in this case, the school district is a HIPAA-covered entity as it operates a self-insured health plan. On June 8, 2021, it was...

Read More
Chicago Accountancy Firm Discovers Data was Stolen in December 2020 Ransomware Attack
Dec15

Chicago Accountancy Firm Discovers Data was Stolen in December 2020 Ransomware Attack

The Chicago, IL-based accountancy firm Bansley and Kiener LLP has announced it was the victim of a December 2020 ransomware attack that saw certain files within its systems encrypted. The attack only caused temporary disruption, and it was possible to restore all encrypted systems from backups and rapidly return to normal operations. The attack occurred on December 10, 2020, and the subsequent investigation into the incident found no evidence of data theft and confirmed that the breach had been fully contained. However, Bansley and Kiener said in a December 3, 2021 data breach notification letter that the firm learned on May 24, 2021, that the attackers had exfiltrated some files from its systems, and those files contained sensitive client information. A third-party cybersecurity firm was engaged to assist with the subsequent investigation and while it was not possible to confirm the specific types of information that had been accessed and exfiltrated, on August 24, 2021, the investigation confirmed the names and Social Security numbers of some individuals may have been obtained by...

Read More
PHI of 750,000 Patients of Oregon Anesthesiology Recovered Following Ransomware Attack
Dec14

PHI of 750,000 Patients of Oregon Anesthesiology Recovered Following Ransomware Attack

On July 11, 2021, Oregon Anesthesiology Group discovered it was the victim of a ransomware attack. Files on its systems had been encrypted which prevented access to its servers and patient data. Following the attack, its IT infrastructure was reconstructed and offline data backups were used to promptly restore the affected files. A digital forensics firm was engaged to investigate the breach and it was confirmed that patient and employee information had been compromised, with the affected parts of its network found to contain files that included names, addresses, dates of service, diagnosis and procedure codes and descriptions, medical record numbers, insurance provider names, and insurance ID numbers. Employee data potentially compromised in the attack included names, addresses, Social Security numbers, and other information contained in W-2 forms. The forensic investigation revealed that once the hackers had gained access to its network, they data-mined administrator credentials which allowed them to access encrypted data on its network. The FBI told Oregon Anesthesiology Group...

Read More
Ransomware Attack Affects 81,000 Howard University College of Dentistry Patients
Dec10

Ransomware Attack Affects 81,000 Howard University College of Dentistry Patients

Howard University College of Dentistry discovered on September 3, 2021, that unauthorized individuals had gained access to its network and used ransomware to encrypt files. An announcement was made by the university shortly after the attack that it had been forced to cancel online and hybrid classes while its systems were restored, and that a nationally recognized computer forensics firm had been engaged to investigate the incident to determine the extent of the attack and whether sensitive information was accessed or stolen. On September 24, 2021, the university determined that a system that housed patients’ dental records was affected by the attack. No specific evidence of unauthorized access or data exfiltration was found, although dental records were encrypted. The encrypted records related to dental visits between October 5, 2019, and September 3, 2021, and included information such as names, contact information, dates of birth, dental record numbers, health insurance information, dental history information, and for a limited number of patients, Social Security numbers. The...

Read More
Data Breaches Reported by UH College of Optometry and Valley Mountain Regional Center
Dec08

Data Breaches Reported by UH College of Optometry and Valley Mountain Regional Center

The University of Houston College of Optometry has discovered an unauthorized individual from outside the United States gained access to the network of an affiliated eye clinic and stole information contained in the clinic’s database. The Community Eye Clinic in Fort Worth, TX, is managed and administered by UH College of Optometry. Security staff identified the intrusion at 9 a.m. on September 13, 2021, the morning after the breach occurred. The IT security team immediately took steps to secure the system, further defensive safeguards have been implemented to better protect patient data, and its monitoring and alerts have been enhanced. A review has also been conducted of the clinic’s IT protocols and procedures to ensure that industry-standard practices are followed. The files obtained by the attacker related to patients who received treatment at the Community Eye Clinic between May 22, 2013, and September 13, 2021. The information in the database included names, dates of birth, contact information, government ID numbers, health insurance information, passport numbers,...

Read More
Ransomware Attacks Reported by TriValley Primary Care and Medsurant Health
Dec08

Ransomware Attacks Reported by TriValley Primary Care and Medsurant Health

On October 11, 2021, Perkasie, PA-based TriValley Primary Care discovered ransomware had been installed on its networks and servers, which contained the protected health information of some of its patients. Action was quickly taken to secure its systems and prevent further unauthorized access and third-party cybersecurity experts were engaged to assist with the investigation. The forensic investigation concluded on November 4, 2021, but it was not possible to tell exactly when unauthorized individuals first gained access to its systems nor whether any specific patient information was viewed or obtained by the attackers. At the time of issuing notification letters to affected individuals, TriValley Primary Care was unaware of any actual or attempted misuse of patient data. As a precaution against identity theft and fraud, all affected individuals have been offered complimentary credit monitoring and identity theft protection services. TriValley Primary Care said it has taken action to prevent further security breaches, including implementing additional technical safeguards,...

Read More
Sound Generations Reports Two Ransomware Attacks Affecting Over 100,000 Individuals
Dec07

Sound Generations Reports Two Ransomware Attacks Affecting Over 100,000 Individuals

Seattle, WA-based Sound Generations has announced that unauthorized individuals have gained access to its internal systems and have used ransomware to encrypt files. Sound Generations is a nonprofit that helps older adults and adults with disabilities obtain free to low-cost healthcare resources. The organization is the largest provider of comprehensive services for aging adults in King County, WA. According to the substitute breach notification letter uploaded to its website, unauthorized individuals accessed its systems and encrypted data on July 18, 2021, and again on September 18, 2021. In both cases, the unauthorized access was promptly terminated and both incidents were investigated by a third-party forensics firm to determine the nature and scope of the security breaches; however, it was not possible to tell if any protected health information was viewed or obtained by the attackers. An internal review of the affected systems confirmed the protected health information of 103,576 individuals was stored on the affected systems. That information included demographic and health...

Read More
PHI of 40,000 Individuals Exposed in Email Account Breaches
Dec07

PHI of 40,000 Individuals Exposed in Email Account Breaches

Three healthcare providers have recently reported security breaches involving the email accounts of employees, resulting in the exposure and potential theft of the protected health information of more than 40,000 individuals. Saltzer Health Saltzer Health in Idaho identified a breach of its email environment on June 1, 2021. Steps were promptly taken to prevent further unauthorized access, with the subsequent investigation confirming an unauthorized individual had accessed the account between May 25, 2021, and June 1, 2021. It was not possible to tell if any patient information was accessed or exfiltrated, but a comprehensive review of the account by third-party specialists confirmed it contained the protected health information of 15,650 patients. The review was completed on September 21, 2021, and confirmed the email account contained the following types of information: Names, contact information, medical record numbers, patient identification numbers, driver’s license/state identification numbers, medical histories, diagnoses, treatment information, physician information,...

Read More
400,000 Patients Potentially Affected by Planned Parenthood Ransomware Attack
Dec03

400,000 Patients Potentially Affected by Planned Parenthood Ransomware Attack

Planned Parenthood has recently announced it was the victim of a ransomware attack in October that affected its Los Angeles branch. According to the announcement, a ransomware gang gained access to the network between October 9, 2021, and October 17, 2021, and deployed ransomware to encrypt files. A ransom demand was then issued, payment of which was required to obtain the keys to decrypt data. Prior to using ransomware, certain files were exfiltrated from its systems and were used as leverage to get Planned Parenthood to pay the ransom. It is currently unclear if the ransom was paid but, at the time of writing, the stolen files do not appear to have been published on any ransomware gang’s data leak site. The ransomware attack was detected by Planned Parenthood Los Angeles on October 17, 2021, and steps were immediately taken to secure its network and investigate the security breach. When it was confirmed that files had been stolen, a review was conducted to determine the types of information that had been compromised.  On November 4, 2021, it was confirmed that some of the stolen...

Read More
HHS’ Office for Civil Rights Imposes Further 5 Financial Penalties for HIPAA Right of Access Violations
Dec01

HHS’ Office for Civil Rights Imposes Further 5 Financial Penalties for HIPAA Right of Access Violations

The HHS’ Office for Civil Rights (OCR) is continuing with its enforcement of compliance with the HIPAA Right of Access and has recently announced a further 5 financial penalties. The HIPAA Right of Access enforcement initiative was launched in the fall of 2019 in response to a significant number of complaints from patients who had not been provided with timely access to their medical records. The HIPAA Privacy Rule requires covered entities to provide individuals with access to their medical records. A copy of the requested information must be provided within 30 days of the request being received, although an extension of 30 days may be granted in limited circumstances. HIPAA-covered entities are permitted to charge patients for exercising this important Privacy Rule right, but may only charge a reasonable, cost-based fee. Labor costs are only permitted for copying or otherwise creating and delivering the PHI after it has been identified. The enforcement actions to date have not been imposed for charging excessive amounts, only for impermissibly refusing to provide a copy of the...

Read More
One Community Health Patients Notified About April 2021 Cyberattack and Data Theft
Nov29

One Community Health Patients Notified About April 2021 Cyberattack and Data Theft

Sacramento, CA-based One Community Health has recently notified patients that its systems were compromised between April 19 and April 20, 2021. An unauthorized individual was discovered to have gained access to systems containing the personal and protected health information of certain employees and patients. A comprehensive forensic investigation was conducted by a third-party cybersecurity firm to determine the nature and scope of the attack, and One Community Health was notified on October 6, 2021, that the attacker had exfiltrated files from its network that included full names and one or more of the following data elements: Address, other demographic information, telephone number, email address, date of birth, Social Security number, driver’s license number, insurance information, diagnosis information, and treatment information. Notification letters started to be sent to all affected patients on November 22, 2021. There have been no reported cases of identity theft or fraud; however, complimentary credit monitoring services have been offered to affected individuals as a...

Read More
Sarasota MRI, Consociate Health, & Upstate Homecare Notify Patients About Data Breaches
Nov29

Sarasota MRI, Consociate Health, & Upstate Homecare Notify Patients About Data Breaches

Sarasota MRI, Consociate Health, and Upstate Homecare have recently notified regulators and patients about security incidents involving personal and protected health information. Upstate Homecare Notifies 5,100 Patients About Ransomware Attack The Albany, NY-based home healthcare provider, Upstate Healthcare, has notified 5,114 patients about a recent ransomware attack in which patient data was stolen. It is unclear from the breach notification letters when the attack occurred; however, an investigation conducted by a third-party cybersecurity firm determined on November 4, 2021, that patient data had been stolen and posted to a data leak website on the darknet. The stolen data included full names, dates of birth, addresses, telephone numbers, email addresses, driver’s license numbers, bank account information, Social Security numbers, treatment information physicians’ names, patient ID numbers, and Medicare/Medicaid numbers. Following the attack, Upstate Healthcare performed a comprehensive review of its security measures and has implemented additional safeguards to better protect...

Read More
Former Huntington Hospital Employee Charged with Criminal HIPAA Violation
Nov25

Former Huntington Hospital Employee Charged with Criminal HIPAA Violation

A former employee of Huntington Hospital in New York has been charged with a criminal HIPAA violation over the unauthorized accessing of 12,925 patient records. The employee worked the night shift at Huntington Hospital during which time he impermissibly accessed patients’ medical records over 4 months between October 2018 and February 2019. The types of information viewed by the employee included demographic information such as names, dates of birth, telephone numbers, addresses, internal account numbers, medical record numbers, and clinical information including diagnoses, medications, lab test results, treatment information, and healthcare provider names. Huntington Hospital said it found no evidence to suggest Social Security numbers, insurance information, credit card numbers, and other payment-related information were accessed. When the unauthorized access was discovered, the employee was immediately suspended while a comprehensive investigation was conducted. The investigation concluded on February 25, 2019, the employee was terminated for the HIPAA violation, and law...

Read More
Hacking Incidents Reported by Retinal Consultants Medical Group, Three Rivers Regional Commission, & ACE Surgical Supply
Nov25

Hacking Incidents Reported by Retinal Consultants Medical Group, Three Rivers Regional Commission, & ACE Surgical Supply

Retinal Consultants Medical Group, ACE Surgical Supply, and Three Rivers Regional Commission have recently reported cyberattacks in which the protected health information of patients may have been obtained by unauthorized individuals. Retinal Consultants Medical Group Hacking Incident Affects 11,603 Patients Vitreo-Retinal Medical Group Inc., dba Retinal Consultants Medical Group, says it was the victim of a sophisticated cyberattack that was detected on or around July 12, 2021 and caused a service disruption. Vitreo-Retinal Medical Group engaged third-party cybersecurity consultants to help restore its systems and investigate the nature and scope of the attack. While the investigation confirmed unauthorized individuals had gained access to its computer network, it was not possible to tell if any protected health information was accessed or exfiltrated, although no reports have been received that suggest actual or attempted misuse of patient data. A comprehensive manual and programmatic review of the affected systems confirmed the following types of protected health information had...

Read More
PHI of 57,000 Patients Potentially Compromised in TriValley Primary Care Cyberattack
Nov24

PHI of 57,000 Patients Potentially Compromised in TriValley Primary Care Cyberattack

Perkasie, PA-based TriValley Primary Care has started notifying 57,596 patients that some of their personal and protected health information has potentially been compromised. Suspicious activity was detected in its IT environment on October 11, 2021. Steps were immediately taken to secure its systems and prevent further unauthorized access, and third-party forensic experts were engaged to conduct an investigation to determine the nature and scope of the cyberattack. The investigation into the breach concluded on November 4 and while no evidence of actual or attempted misuse of patient data was identified, unauthorized access and potential theft of protected health information could not be ruled out. As such, affected patients have been advised to be vigilant against identity theft and fraud, and complimentary credit monitoring services have been provided to affected individuals. A review of the files on the affected systems confirmed the following types of patient data may have been compromised: First and last name, gender, home address, phone number, email address, date of birth,...

Read More
Data Breaches Reported by True Health New Mexico & Educators Mutual Insurance Association
Nov24

Data Breaches Reported by True Health New Mexico & Educators Mutual Insurance Association

The Albuquerque, NM-based health insurance agency True Health New Mexico has started notifying certain health plan members about the exposure and potential theft of some of their protected health information. A data security incident was detected on October 5, 2021, and steps were immediately taken to secure its IT systems. The internal incident response team launched an investigation and third-party cybersecurity defense firms were engaged to assist with the forensic investigation. The investigation revealed an unauthorized individual had gained access to its IT systems in early October and may have viewed or exfiltrated files that contained protected health information such as names, dates of birth, ages, home addresses, email addresses, insurance information, medical information, Social Security numbers, health account member IDs, provider information, and date(s) of service. True Health New Mexico said at the time of issuing notification letters, no evidence had been found of misuse of members’ information; however, as a precaution against identity theft and fraud, affected...

Read More
October 2021 Healthcare Data Breach Report
Nov22

October 2021 Healthcare Data Breach Report

October saw 59 healthcare data breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights, which represents a 25.5% increase from September. Over the past 12 months, from November 2020 to October 2021, there have been 655 reported breaches of 500 or more records, 546 of which have been reported in 2021. The protected health information (PHI) of 3,589,132 individuals was exposed, stolen, or impermissibly disclosed across the 59 reported data breaches, which is 186% more records than September. Over the past 12 months, from November 2020 to October 2021, the PHI of 39,938,418 individuals has been exposed or stolen, with 34,557,664 individuals known to have been affected by healthcare data breaches so far in 2021. Largest Healthcare Data Breaches in October 2021 There were 18 data breaches reported to the HHS’ Office for Civil Rights in October that impacted 10,000 or more individuals, as detailed in the table below. Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach Breach Cause Eskenazi Health IN...

Read More
University Hospital Newark Notifies More Than 19,000 Individuals About Historic Insider Theft
Nov22

University Hospital Newark Notifies More Than 19,000 Individuals About Historic Insider Theft

University Hospital Newark (NY) has discovered the protected health information of thousands of patients has been acquired by a former employee, who accessed the information without authorization over the course of a year. That information was subsequently disclosed to other individuals who were also not authorized to view the information. Insider breaches such as this are fairly common, although what makes this case stand out is when the access occurred. In its substitute breach notice, University Hospital Newark said the unauthorized access occurred between January 1, 2016, and December 31, 2017. The former employee had been provided with access to patient data to complete work duties but had exceeded the authorized use of that access and had viewed patient data not pertinent to job functions. The types of information viewed and obtained by the individual included names, addresses, dates of birth, Social Security numbers, health insurance information, medical record numbers, and clinical information related to care patients received at University Hospital. University Hospital...

Read More
PHI of 127,000 NorthCare Patients Potentially Compromised in Ransomware Attack
Nov17

PHI of 127,000 NorthCare Patients Potentially Compromised in Ransomware Attack

NorthCare, an Oklahoma City, OK-based mental health clinic, was the victim of a ransomware attack in June 2021 in which patients protected health information may have been compromised. NorthCare identified suspicious network activity on June 1, 2021, when ransomware was used to encrypt files. The investigation into the attack confirmed its network was breached on May 29, 2021. The attackers rapidly deployed ransomware to prevent access to files and demanded payment of a ransom for the keys to decrypt files. Steps were immediately taken to contain the attack and while it was not possible to prevent file encryption, it was possible to restore its systems and data from backups without paying the ransom. The parts of the network accessed by the attackers contained patients’ protected health information. While data exfiltration was not confirmed, NorthCare is assuming the attackers accessed patient data. The types of data potentially compromised in the attack included full names, addresses, dates of birth, medical diagnoses, and Social Security numbers. Following the attack, third-party...

Read More
HHS Increases HIPAA Penalties for 2021 per the Inflation Adjustment Act
Nov17

HHS Increases HIPAA Penalties for 2021 per the Inflation Adjustment Act

Under the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015*, the Office of the Assistant Secretary for Financial Resources of the Department of Health and Human Services (HHS) has issued a final rule that implements adjustments to the maximum civil monetary penalties for HIPAA violations for 2021. According to the Department of Health and Human Services, the 2021 annual inflation adjustment “is determined using the percent increase in the Consumer Price Index for all Urban Consumers (CPI–U) for the month of October of the year in which the amount of each CMP was most recently established or modified.” The cost-of-living adjustment multiplier for 2021 is 1.01182. Previous cost-of-living multipliers are indicated below: 2017 – 1.01636 2018 – 1.02041 2019 – 1.02522 2020 – 1.01764 The final rule took effect on Monday, November 15, 2021, and applies to penalties assessed on or after November 15, 2021, if the violation occurred on or after November 2, 2015. These penalties will apply until the next inflation increase is applied. The annual...

Read More
Data Breaches Reported by Lakeshore Bone & Joint Institute and Putnam County Memorial Hospital
Nov17

Data Breaches Reported by Lakeshore Bone & Joint Institute and Putnam County Memorial Hospital

Lakeshore Bone & Joint Institute, an orthopedic practice in Indiana, has experienced a breach of its Microsoft Office 365 environment, which included emails and attachments that contained the protected health information of certain patients. Unusual activity was detected in an employee email account on July 7, 2021. Steps were immediately taken to prevent further unauthorized access and a cybersecurity and digital forensic firm was retained to investigate the breach and assist with remediation efforts. The breach investigation confirmed that an unauthorized individual had gained access to a single employee email account. A review of the account was completed on October 21, 2021, and revealed the following types of patient information may have been viewed or acquired in the attack: Date of birth, treatment information, diagnosis, provider name, MRN/patient ID, health insurance information, treatment cost information, and, for certain individuals, Social Security numbers. Individuals whose Social Security numbers were potentially compromised have been offered a 12-month...

Read More
PHI of 1.27 Million Patients Compromised in Two Healthcare Data Breaches
Nov16

PHI of 1.27 Million Patients Compromised in Two Healthcare Data Breaches

The protected health information of 1,271,642 individuals has been exposed and potentially stolen in two healthcare hacking incidents that were recently been reported to the Department of Health and Human Services’ Office for Civil Rights. PHI of 688,000 Individuals Compromised in Sea Mar Community Health Centers Hack Sea Mar Community Health Centers is a nonprofit community-based provider of health, human, housing, educational, and cultural services to underserved communities in Washington state. On June 24, 2021, Sea Mar learned sensitive data had been exfiltrated from its IT systems by an unauthorized individual. Assisted by a leading third-party cybersecurity firm, Sea Mar determined its systems had been accessed between December 2020 and March 2021. According to the breach notice posted on its website, a review was conducted of the information potentially stolen from its network, which confirmed the following data types had been stolen: Name, address, Social Security number, date of birth, client identification number, diagnostic and treatment information, insurance...

Read More
Southern Ohio Medical Center Diverts Ambulances Due to Cyberattack
Nov15

Southern Ohio Medical Center Diverts Ambulances Due to Cyberattack

Southern Ohio Medical Center (SOMC) in Portsmouth, OH, is recovering from a cyberattack that occurred on the morning of Thursday, November 11, 2021. The attack forced the hospital to go on diversion and direct ambulances to other healthcare facilities. The hospital also had to cancel some appointments and outpatient services. “This morning, an unauthorized third-party gained access to SOMC’s computer servers in what appears to be a targeted cyberattack. We are working with federal law enforcement and Internet security firms to investigate this incident” explained SOMC in a Facebook post on Thursday. “Patient care and safety remain our top priority as we work to resolve this situation as quickly as possible. While this does not impact our ability to provide care to current inpatients, we are presently diverting ambulances to other hospitals.” The 248-bed not-for-profit hospital came off diversion on Friday morning, although it has not yet been able to return to full operations. Law enforcement has been informed and a third-party cybersecurity company has been engaged to investigate...

Read More
New Jersey Fines Two Printing Companies $130,000 for HIPAA and CFA Violations
Nov12

New Jersey Fines Two Printing Companies $130,000 for HIPAA and CFA Violations

The New Jersey Attorney General has approved a $130,000 settlement with two printing firms to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) and the New Jersey Consumer Fraud Act (CFA) that resulted in a breach of the protected health information (PHI) of 55,715 New Jersey residents. Command Marketing Innovations, LLC (CMI) and Strategic Content Imaging, LLC (SCI) provided services to a leading New Jersey-based managed healthcare organization that involved printing and mailing benefits statements. Between October 31, 2016, and November 2, 2016, a printing error resulted in PHI such as claims numbers, dates of service, provider names, facility names, and descriptions of services being mailed to incorrect recipients. When printing firms or other vendors provide services to HIPAA-covered entities that require access to PHI, they are required to enter into a business associate agreement with the covered entity and must comply with the requirements of the HIPAA Security Rule. The responsibilities of HIPAA business associates include...

Read More
DOJ Indicts 2 REvil Ransomware Gang Members: State Department Now Offering $10 Million Reward for Information
Nov11

DOJ Indicts 2 REvil Ransomware Gang Members: State Department Now Offering $10 Million Reward for Information

The United States Department of Justice (DoJ) has unsealed indictments charging two individuals for their roles in multiple REvil/Sodinokibi ransomware attacks on organizations in the United States. Ukrainian national, Yaroslav Vasinskyi, 22, has been indicted on multiple charges related to the ransomware attacks, including the supply chain attack that saw Kaseya’s Virtual System/Server Administrator (VSA) platform compromised. That attack involved ransomware being deployed on the systems of around 40 managed service providers and 1,500 downstream businesses. Russian national, Yevgeniy Igoryevich Polyanin, 28, has been indicted for his role in multiple ransomware attacks, including attacks on government entities in Texas. The DoJ says it seized $6.1 million in ransom payments that were paid to cryptocurrency wallets linked to Polyanin. The DoJ has indicted several individuals believed to have been involved in cyberattacks in the United States; however, those individuals can only face trial if they are located, arrested, and extradited to the United States. Many ransomware threat...

Read More
Malware Infection Discovered by JEV Plastic Surgery & Medical Aesthetics
Nov11

Malware Infection Discovered by JEV Plastic Surgery & Medical Aesthetics

Owing Mills, MD-based JEV Plastic Surgery & Medical Aesthetics has started notifying 1,620 patients about a security breach that has exposed some of their protected health information. Malware was detected which allowed an unauthorized individual to access systems that contained protected health information. A third-party forensic investigation determined the malware had been installed on April 30, 2021, and allowed its systems to be accessed until June 14, 2021. A comprehensive review of files on the affected systems was conducted to determine whether any patient information had been viewed or acquired. On September 8, 2021, JEV Plastic Surgery confirmed files on the compromised systems contained protected health information such as names, dates of birth, consultation notes, medical histories, and surgical operative notes. JEV Plastic Surgery says it is unaware of any actual or attempted misuse of personal data. JEV Plastic Surgery is reviewing its policies and procedures and will update them as necessary to improve data security. New internal training protocols have also been...

Read More
Maxim Healthcare Group Notifies 65,000 Individuals About October 2020 Email Breach
Nov10

Maxim Healthcare Group Notifies 65,000 Individuals About October 2020 Email Breach

Columbia, MD-based Maxim Healthcare Group has started notifying 65,267 individuals about a historic breach of its email environment and the exposure of their protected health information. Maxim Healthcare Group, which includes Maxim Healthcare Services and Maxim Healthcare Staffing, said it identified suspicious activity in its email environment on or around December 4, 2020. Steps were taken to prevent further unauthorized access and an investigation was launched to determine the nature and scope of the breach. The investigation revealed unauthorized individuals had access to several employee email accounts between October 1, 2020, and December 4, 2020. A comprehensive review of those accounts revealed they contained a range of protected health information that was potentially accessed and exfiltrated. The forensic investigation was unable to determine which emails, if any, were accessed and exfiltrated. Maxim Healthcare said a manual and programmatic review was conducted of the contents of emails and attachments, which confirmed the following data may have been compromised:...

Read More
Ransomware Roundup: 5 Healthcare Organizations Fall Victim to Ransomware Attacks
Nov09

Ransomware Roundup: 5 Healthcare Organizations Fall Victim to Ransomware Attacks

Ransomware attacks have recently been reported by Surecare Specialty Pharmacy, Victory Health Partners, Strategic Benefits Advisors, Blue Shield of California, and Blue Cross of California. PHI of 8,412 Patients Potentially Compromised in Surecare Specialty Pharmacy Ransomware Attack El Paso, TX-based Surecare Specialty Pharmacy has recently announced it was the victim of a sophisticated ransomware attack on August 16, 2021. Surecare’s IT service provider took immediate action when the attack was detected, and a third-party forensics firm was engaged to investigate the attack. The investigation confirmed on August 31, 2021, that files containing a limited amount of patients’ protected health information may have been accessed and/or exfiltrated prior to the deployment of ransomware, although no evidence was found to indicate that was the case nor have any reports been received that suggest any misuse of patient data. A review of the encrypted files confirmed they contained patient names, addresses, dates of birth, health insurance information, and prescription information. The...

Read More
PHI Potentially Compromised in Hacking Incidents at Four Healthcare Providers
Nov09

PHI Potentially Compromised in Hacking Incidents at Four Healthcare Providers

Four healthcare providers have recently announced their IT systems have been compromised and patient data may have been accessed. Hacker Gains Access to Server of New York Psychotherapy and Counseling Center New York Psychotherapy and Counseling Center (NYPCC), an NYC-based non-profit mental health services provider, has announced it was the victim of a cyberattack that was discovered on September 11, 2021. Steps were immediately taken to secure its systems and prevent further unauthorized access and a third-party cybersecurity firm was engaged to conduct a forensic investigation to determine the nature and scope of the attack. NYPCC said its electronic medical record system was not compromised; however, the attacker is believed to have accessed some files on the server that contained patients’ protected health information. A review of the files on the server revealed the following information may have been compromised: names, dates of service, addresses, Medicaid IDs, and dates of birth. NYPCC said it is committed to continually reviewing and updating its security protocols...

Read More
PHI of 320,000 Patients Potentially Compromised in EHR Vendor Hacking Incident
Nov08

PHI of 320,000 Patients Potentially Compromised in EHR Vendor Hacking Incident

QRS Inc, a Tennessee-based healthcare technology services company and provider of the Paradigm practice management and electronic health records (EHR) solution, has announced a data breach involving the protected health information (PHI) of almost 320,000 individuals. The cyberattack was detected on August 26, 2021, three days after a server was breached. QRS explained in its breach notification letters that a hacker gained access to the electronic patient portal and potentially accessed and exfiltrated the PHI of patients of some of its healthcare provider clients. When the breach was detected, the compromised server was immediately taken offline to prevent further unauthorized access and an investigation was launched to determine the nature and scope of the attack. Assisted by a third-party computer forensics firm, QRS determined the breach was limited to a single server. No other QRS systems nor those of its clients were affected. The compromised server contained files that included PHI such as names, addresses, dates of birth, Social Security numbers, patient identification...

Read More
How Should You Respond to an Accidental HIPAA Violation?
Nov06

How Should You Respond to an Accidental HIPAA Violation?

The majority of HIPAA covered entities, business associates, and healthcare employees take great care to ensure HIPAA Rules are followed, but what happens when there is accidental HIPAA violation? How should healthcare employees, covered entities, and business associates respond? How Should Employees Report an Accidental HIPAA Violation? Accidents happen. If a healthcare employee accidentally views the records of a patient, if a fax is sent to an incorrect recipient, an email containing PHI is sent to the wrong person, or any other accidental disclosure of PHI has occurred, it is essential that the incident is reported to your Privacy Officer. Your Privacy Officer will need to determine what actions need to be taken to mitigate risk and reduce the potential for harm. The incident will need to be investigated, a risk assessment may need to be performed, and a report of the breach may need to be sent to the Department of Health and Human Services’ Office for Civil Rights (OCR). You should explain that a mistake was made and what has happened. You will need to explain which patient’s...

Read More
Nationwide Laboratory Services Ransomware Attack Affects 33,000 Patients
Nov05

Nationwide Laboratory Services Ransomware Attack Affects 33,000 Patients

Boca Raton, FL-based Nationwide Laboratory Services, which was acquired by Quest Diagnostics in the summer, was the victim of a ransomware attack earlier this year. Nationwide Laboratory Services detected a breach of its systems on May 19, 2021, when ransomware was used to encrypt files across its network and prevent files from being accessed. Steps were immediately taken to contain the attack and a third-party cybersecurity firm was engaged to assist with the investigation and remediation efforts. The forensic investigation confirmed on August 31, 2021, that the attackers gained access to parts of its network where patients’ protected health information was stored, and potentially accessed information such as names, dates of birth, lab test results, medical record numbers, Medicare numbers, and health insurance information. A subset of the individuals affected had their Social Security numbers exposed. The types of information exposed in the attack varied from patient to patient. The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights...

Read More
Cyberattacks Reported by Las Vegas Cancer Center and Seneca Family of Agencies
Nov04

Cyberattacks Reported by Las Vegas Cancer Center and Seneca Family of Agencies

Seneca Family of Agencies, a California provider of mental health, education, juvenile justice, placement, and permanency services, identified unauthorized activity within its computer systems on August 27, 2021. Action was immediately taken to secure its systems and prevent further unauthorized access, with the subsequent investigation confirming its systems were compromised on August 25. While no evidence of actual or attempted misuse of information has been identified, it is possible protected health information was compromised. The types of information stored on the affected systems differed from patient to patient and may have included the following data elements: name, date of birth, Social Security number, address, phone number, email address, medical record number, treatment/diagnosis information, health insurance information, Medicare/Medicaid number, provider name, prescription information, driver’s license/state identification number, and/or digital signature. Seneca Family of Agencies said, as a precaution, affected individuals are being offered credit monitoring and...

Read More
PHI of 45,262 Desert Pain Institute Patients Potentially Compromised in Cyberattack
Nov04

PHI of 45,262 Desert Pain Institute Patients Potentially Compromised in Cyberattack

Baywood Medical Associates, doing business as Desert Pain Institute (DPI) in Mesa, AZ, has discovered unauthorized individuals gained access to parts of its computer network that contained the protected health information of patients. The security breach was detected and stopped by DPI on September 13, 2021, and a third-party cybersecurity company was engaged to assist with the investigation and determine the nature and scope of the cyberattack. On October 15, 2021, the forensic investigators confirmed evidence was found indicating the attackers had accessed parts of its network where patients’ protected health information was stored. A review of the files on systems accessible to the hackers releveled the following information may have been viewed or exfiltrated: Full names, addresses, dates of birth, Social Security numbers, tax identification numbers, driver’s license/state-issued identification card numbers, military identification numbers, financial account numbers, medical information, and health insurance policy number. The types of data potentially compromised varied from...

Read More
Data Breaches Reported by Family of Woodstock and Viverant
Nov03

Data Breaches Reported by Family of Woodstock and Viverant

Family of Woodstock (FOW), a New York provider of crisis intervention, information, prevention, and support services, has suffered a cyberattack in which the protected health information of 8,214 individuals was potentially compromised. The cyberattack was detected on August 3, 2021, and rapid steps were taken to eject the attackers from its network and restore its systems and operations. Third-party forensic investigators were engaged to determine the nature and scope of the breach, with the initial phase of the investigation concluding on September 11, 2021. FOW said the investigation confirmed the attackers had access to parts of its network that contained protected health information such as first and last names, addresses, telephone numbers, email addresses, dates of birth, Social Security numbers, driver’s license numbers, medical record numbers, medical history, diagnosis, treatment, condition, and health insurance information. At the time of issuing notifications, no evidence had been found indicating any attempted or actual misuse of information. FOW has implemented...

Read More
More than 650K Patients of Community Medical Centers Notified About Hacking Incident
Nov01

More than 650K Patients of Community Medical Centers Notified About Hacking Incident

The protected health information of more than 650,000 patients of Community Medical Centers (CMC) in California has potentially been obtained by hackers. CMC is a not-for-profit network of community health centers that serve patients in the San Joaquin, Solano, and Yolo counties in Northern California. CMC identified suspicious activity in its computer systems on October 10, 2021, and shut down its systems to prevent further unauthorized access. An investigation was launched to determine the nature and scope of the breach, with assistance provided by third-party cybersecurity experts. The forensic investigation confirmed that unauthorized individuals had gained access to parts of its network where protected health information was stored, including first and last names, mailing addresses, dates of birth, Social Security numbers, demographic information, and medical information. Due to the sensitive nature of the exposed data, CMC is offering complimentary identity theft protection, identity theft resolution, and credit monitoring services to affected individuals. CMC said it has...

Read More
Security Breaches Reported by Lavaca Medical Center and Throckmorten County Memorial Hospital
Oct29

Security Breaches Reported by Lavaca Medical Center and Throckmorten County Memorial Hospital

Lavaca Medical Center, a critical access hospital in Hallettsville, TX, has started notifying 48,705 patients about a security breach in which their protected health information was exposed. Lavaca Medical Center said unusual activity was detected in its computer network on August 22, 2021, indicating a potential cyberattack. Steps were immediately taken to secure its network and a third-party computer forensics firm was engaged to assist with the investigation. The forensic investigators confirmed unauthorized individuals had access to the network between August 17 and August 21. While no evidence of data theft was uncovered, the possibility that patient data were viewed or exfiltrated could not be ruled out. Affected systems contained names, dates of birth, Social Security numbers, patient account numbers, and medical record numbers. The electronic medical record system was not accessed. Lavaca Medical Center said it has no reason to believe any patient data were removed from its systems or misused; however, as required by the HIPAA Breach Notification Rule, notification letters...

Read More
PHI of Employees Potentially Compromised in Tech Etch Ransomware Attack
Oct28

PHI of Employees Potentially Compromised in Tech Etch Ransomware Attack

Tech Etch, a Plymouth, MA-based manufacturer of precision-engineered thin metal components, flexible printed circuits, and EMI/RFI shielding, has announced it was the victim of a ransomware attack in which the personal and protected health information of current and former employees was potentially compromised. Companies such as Tech Etch would not normally be required to comply with HIPAA; however, the company provides a health plan for its employees and, as such, is classed as a HIPAA-covered entity. Tech Etch discovered the ransomware attack on August 25, 2021, with the investigation determining the attackers gained access to its network on August 20. Tech Etch engaged an external forensic cybersecurity team to assist with the breach investigation, help secure its network, and prevent any further unauthorized access. Tech Etch had viable backups that were unaffected and was able to restore all encrypted data without paying the ransom. Multiple safeguards had been implemented to secure employees’ personal and protected health information, but despite those protections, some...

Read More
PHI of 24,891 Specialty Surgery Center of Central New York Patients Potentially Compromised
Oct26

PHI of 24,891 Specialty Surgery Center of Central New York Patients Potentially Compromised

Syracuse ASC, dba Specialty Surgery Center of Central New York, has started notifying 24,891 patients that some of their protected health information (PHI) was potentially accessed by unauthorized individuals who gained access to its computer systems. The breach was identified by Syracuse ASC around March 31, 2021, and steps were immediately taken to secure its systems and prevent further unauthorized access. A third-party cybersecurity firm was engaged to assist with the forensic investigation, which concluded on April 30, 2021, and determined the hackers accessed parts of its systems that contained PHI. A second investigation was conducted to determine which individuals’ PHI had been exposed. A list of individuals potentially affected by the incident was obtained on August 16, 2021, with the delay in issuing notifications due to a “substantial data validation process to verify the accuracy of the data.” The file review confirmed names may have been compromised along with limited health information, but no evidence was found to indicate any actual or attempted misuse of data on...

Read More
UPMC Hacker Who Stole PII of 65,000 Employees Gets Maximum 7-Year Sentence
Oct21

UPMC Hacker Who Stole PII of 65,000 Employees Gets Maximum 7-Year Sentence

The hacker who gained access to the databases of University of Pittsburgh Medical Center (UPMC) and stole the personally identifiable information (PII) and W-2 information of approximately 65,000 UPMC employees has been handed the maximum sentence for the offenses and will serve 7 years in jail. Sean Johnson, of Detroit, Michigan – aka TheDearthStar and Dearthy Star – hacked into the databases of UPMC in 2013 and 2014 and stole highly sensitive information which was then sold on dark web hacking forums and was used by identity thieves to file fraudulent tax returns in the names of UPMC employees. The Department of Justice (DOJ) also alleged Johnson conducted further cyberattacks between 2014 and 2017 and stole the PII of an additional 90,000 individuals. Those sets of data were also sold to identity thieves on dark web forums. In total, fraudulent tax returns totaling $2.2 million were filed and around $1.7 million was dispersed by the IRS. The funds received were converted to Amazon gift cards, which were used to purchase high-value goods that were shipped to Venezuela. Three of...

Read More
September 2021 Healthcare Data Breach Report
Oct20

September 2021 Healthcare Data Breach Report

There was a 23.7% month-over-month increase in reported healthcare data breaches in September, which saw 47 data breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights. While that is more than 1.5 breaches a day, it is under the average of 55.5 breaches per month over the past 12 months. While data breaches increased, there was a major decrease in the number of breached healthcare records, dropping 75.5% from August to 1,253,258 records across the 47 reported data breaches, which is the third-lowest total over the past 12 months. Largest Healthcare Data Breaches Reported in September 2021 16 healthcare data breaches were reported in September 2021 that involved the exposure, theft, or impermissible disclosure of more than 10,000 healthcare records. The largest breach of the month was reported by the State of Alaska Department of Health & Social Services. The breach was initially thought to have resulted in the theft of the personal and protected health information (PHI) of all state residents, although the breach was...

Read More
Data Breaches Reported by PracticeMax and UMass Memorial Health
Oct20

Data Breaches Reported by PracticeMax and UMass Memorial Health

Members of Anthem Inc, Humana, and DaVita health plan members with End-Stage Kidney Disease who are enrolled in the VillageHealth program have been notified that some of their protected health information has potentially been compromised in a ransomware attack at business associate PracticeMax. The VillageHealth program helps health plan members with care coordination between the dialysis center, nephrologists, and providers and shares the results with their health plan provider through PracticeMax. PracticeMax, a provider of business management and information technology solutions to healthcare organizations, identified the attack on May 1, 2021. The investigation revealed the attackers gained access to its systems on April 12, 2021, with access possible until May 5, 2021. PracticeMax said it regained access to its IT systems the following day. A forensic investigation of the attack confirmed one server was affected that contained protected health information (PHI) which may have been accessed and acquired by the attackers. The investigation into the attack concluded on August 19,...

Read More
Phishing Attack on Business Associate Affects Tens of Thousands of Professional Dental Alliance Patients
Oct18

Phishing Attack on Business Associate Affects Tens of Thousands of Professional Dental Alliance Patients

Professional Dental Alliance, a network of dental practices affiliated with the North American Dental Group, has notified tens of thousands of patients that some of their protected health information was stored in email accounts that were accessed by an unauthorized individual between March 31 and April 1, 2021. Professional Dental Alliance says the breach occurred at its vendor North American Dental Management. Steps were immediately taken to secure the affected accounts and prevent further unauthorized access. An investigation was launched which revealed several email accounts were accessed by an unauthorized individual after employees responded to phishing emails. The investigation into the breach uncovered no evidence of attempted or actual misuse of patient data, with the investigators concluding the breach was likely limited to credential harvesting. A comprehensive review of the affected email accounts confirmed they contained protected health information such as names, addresses, email addresses, phone numbers, insurance information, Social Security numbers, dental...

Read More
350,000 Patients of ReproSource Fertility Diagnostics Affected by Ransomware Attack
Oct13

350,000 Patients of ReproSource Fertility Diagnostics Affected by Ransomware Attack

Malborough, MA-based ReproSource Fertility Diagnostics has suffered a ransomware attack in which hackers gained access to systems containing the protected health information of up to 350,000 patients. ReproSource is a leading laboratory for reproductive health that is owned by Quest Diagnostics. ReproSource discovered the ransomware attack on August 10, 2021 and promptly severed network connections to contain the incident. An investigation into the security breach confirmed the attack occurred on August 8. While it is possible that patient data was exfiltrated by the attackers prior to the deployment of ransomware, at this stage no evidence of data theft has been identified. A review of the files on the affected systems was completed on September 24 and revealed they contained the following types of protected health information: Names, phone numbers, addresses, email addresses, dates of birth, billing and health information (CPT codes, diagnosis codes, test requisitions and results, test reports and/or medical history information), health insurance or group plan identification...

Read More
Premier Patient Health Care Alerts Patients About Insider Data Breach
Oct13

Premier Patient Health Care Alerts Patients About Insider Data Breach

Carrollton, TX-based Premier Patient Health Care has discovered the protected health information of 37,636 patients has been obtained by an unauthorized individual in an insider wrongdoing incident. Premier Patient Health Care is an Accountable Care Organization (ACO) that works with physicians to improve clinical outcomes under the Medicare Shared Savings Program (MSSP). The ACO and Premier Patient Health Care are operated and run by Premier Management Company, which is a business associate of many primary care physicians who are HIPAA-covered entities. On April 30, 2020, Wiseman Innovations, a technology vendor used by Premier Management Company, determined a former Premier Patient Health Care executive had accessed its computer system in July 2020 after the termination of employment and viewed and obtained a file containing patient data. A review of the file confirmed it contained the protected health information of patients of primary care physicians, including full names, age, date of birth, sex, race, county, state of residence, and ZIP code along with Medicare beneficiary...

Read More
Elekta Faces Class Action Lawsuit over Ransomware Attack and Data Breach
Oct08

Elekta Faces Class Action Lawsuit over Ransomware Attack and Data Breach

A lawsuit has been filed on behalf of a former patient of Northwestern Memorial HealthCare (NMHC) against Elekta Inc. over its April 2021 ransomware attack and data breach. Elekta, a Swedish provider of radiation medical therapies and related equipment data services, is a business associate of many U.S. healthcare providers. Hackers targeted the company’s cloud-based platform that is used to store and transmit healthcare data and were able to access the platform between April 2 and April 20, 2021. The breach was detected when the hackers deployed ransomware. Elekta reported the attack as affecting a small percentage of its cloud customers in the United States, including NMHC. The entire oncology database of NMHC was compromised in the attack. The database contained the protected health information of 201,197 cancer patients including names, dates of birth, Social Security numbers, and healthcare data. In total, the attack affected 170 of its healthcare clients. The lawsuit was filed in the U. S. District Court for the Northern District of Georgia on behalf of Deborah Harrington and...

Read More
Ransomware Deployed 2 Minutes After Hackers Gained Access to Johnson Memorial Health’s Network
Oct07

Ransomware Deployed 2 Minutes After Hackers Gained Access to Johnson Memorial Health’s Network

Johnson Memorial Health has announced it was the victim of a ransomware attack on October 1, 2021. The attack saw files encrypted which crippled its IT systems. Emergency protocols were immediately implemented and employees are manually recording patient information and writing prescriptions until systems can be restored. Ransomware gangs often gain access to systems days, weeks, or even months prior to deploying ransomware. During that time, they move laterally within networks to gain access to as many systems as possible before ransomware is deployed; however, not always. The attack on Johnson Memorial Healthcare occurred at lightning speed. According to Dr. David Dunkle, President and CEO of Johnson Memorial Health, the hackers gained access to its IT systems at 10:31 p.m. on Friday night and deployed ransomware 2 minutes later at 10:33 p.m. The hospital’s IT department detected abnormal activity around 10:40 p.m. the same evening and shut down its network at 10:45 p.m. to minimize the damage caused. A ransom demand was issued by the attackers, but Dunkie says no payment has...

Read More
Eskenazi Health Confirms Patient Data Was Stolen in August Ransomware Attack
Oct07

Eskenazi Health Confirms Patient Data Was Stolen in August Ransomware Attack

Indianapolis, IN-based Eskenazi Health has announced it was the victim of a ransomware attack that was detected on or around August 4, 2021. Suspicious activity was detected and the IT team immediately shut down systems to contain the attack. Emergency protocols were implemented, with staff reverting to pen and paper to record patient data. Without access to critical IT systems the decision was taken to go on diversion and ambulances were re-routed from Health & Hospital Corporation of Marion County to alternative facilities. An investigation was launched to determine the nature and extent of the attack. Eskenazi Health said the forensic investigation determined the hackers had first gained access to its systems on May 19, 2021 and disabled its security systems to ensure their presence in the network was not detected. The intrusion was only detected when ransomware was deployed and files started to be encrypted. The forensic investigators confirmed the attackers had been removed from its network and systems were secure. The initial investigation into the attack indicated...

Read More
Almost 54,000 Patients Affected by OSF HealthCare Ransomware Attack
Oct07

Almost 54,000 Patients Affected by OSF HealthCare Ransomware Attack

The Peoria, IL-based not-for-profit catholic health system OSF HealthCare has started notifying 53,907 patients about a cyberattack that was discovered on April 23, 2021. OSF HealthCare said upon discovery of the breach, steps were taken to prevent further unauthorized access and a third-party forensic investigator was engaged to conduct an investigation into the attack to determine the extent of the breach. The investigator confirmed the attackers first accessed its systems on March 7, 2021 and access remained possible until April 23, 2021. OSF HealthCare said the attackers accessed certain files on its system that related to patients of OSF HealthCare Little Company of Mary Medical Center and OSF HealthCare Saint Paul Medical Center. On August 24 it was determined the following types of patient data may have been compromised: Names, contact information, dates of birth, Social Security numbers, driver’s license numbers, state/government ID numbers, treatment information, diagnosis information and codes, physician names, dates of service, hospital units, prescription information,...

Read More
How to Report a HIPAA Violation Anonymously
Oct06

How to Report a HIPAA Violation Anonymously

In this post we explain how to report a HIPAA violation anonymously if you feel your (or someone else’s) privacy has been violated of if HIPAA Rules are not being followed in your organization. When Can an Alleged HIPAA Violation be Reported? Most healthcare organizations go to great lengths to ensure they are in compliance with HIPAA Rules, but occasionally HIPAA regulations are violated by management or employees. In such cases, a complaint can be lodged with the Department of Health and Human Services’ Office for Civil Rights (OCR) – the main enforcer of HIPAA Rules. However, complaints will only result in action being taken if the complaint is submitted within 180 days of the date of discovery that HIPAA Rules were violated. In limited cases, when there is ‘good cause’ that it was not possible to file a complaint within 180 days, an extension may be granted. Note that OCR cannot investigate any alleged violation of the HIPAA Privacy Rule that occurred before April 14, 2003 or Security Rule violations that occurred before April 20, 2005 because compliance with those...

Read More
Cyberattacks Reported by Schneck Medical Center and Epilepsy Foundation of Texas
Oct06

Cyberattacks Reported by Schneck Medical Center and Epilepsy Foundation of Texas

Schneck Medical Center in Seymour, IN has announced it was a victim of a cyberattack which has had an impact on organizational operations. The attack was detected on September 29, 2021 and an announcement was made the same day. In response to the attack, all IT systems within its facilities were suspended out of an abundance of caution, and third-party cybersecurity experts have been engaged to assist with the investigation and restore its IT system as quickly as possible. Schneck Medical Center said investigations into cyberattacks and the restoration of IT systems take time to fully resolve, but steps have been taken to minimize disruption to its systems. Schneck Medical Center said most medical services have not been affected by the attack and patients should arrive as normal for scheduled services and appointments. Patients will be notified individually if for any reason their appointment has had to be postponed as a result of the attack. “As a team of dedicated and caring medical professionals, we understand that healthcare is about people taking care of people. We remain...

Read More
Ransomware Attack on Florida Behavioral Health Service Provider Affects 19,000 Individuals
Oct01

Ransomware Attack on Florida Behavioral Health Service Provider Affects 19,000 Individuals

The Clearwater, FL-based non-profit behavioral health service provider Directions for Living was the victim of a ransomware attack on July 17, 2021. Upon detection of the attack, law enforcement was notified and third-party computer forensics experts were engaged to investigate the scope of the attack and assist with remediation efforts. The investigation concluded on August 30, 2021. A review of servers potentially accessed by the attackers confirmed they contained personal and protected health information of current and former clients, including names, addresses, dates of birth, Social Security numbers, diagnostic codes, claims information, insurance information, healthcare provider names, date of service, and certain health information. Directions for Living said its electronic medical record system was not affected and could not be accessed by the attackers and clients’ financial information was not stored on the affected servers. While personal and protected health information may have been accessed by unauthorized individuals, Directions for Living said no evidence has been...

Read More
PHI of Navistar Health Plan Members Compromised in May 2021 Cyberattack
Sep30

PHI of Navistar Health Plan Members Compromised in May 2021 Cyberattack

Lisle, IL-based Navistar Inc. has issued further notification letters to individuals affected by a security breach that was detected on May 20, 2021. The U.S. truck manufacturer immediately implemented its cybersecurity response plan when a potential breach of its information technology systems was detected, and third-party cybersecurity experts were engaged to assist with the investigation and determine the nature and scope of the breach. On May 31, 2021, Navistar was informed that certain data had been extracted from its systems in the attack. The investigation into the data theft confirmed on August 20, 2021 that the exfiltrated files contained the protected health information of current and former members of Navistar Health Plan and the Navistar Retiree Health Benefit and Life Insurance Plan. That information is understood to have been stolen prior to the discovery of the security breach on May 20. Navistar said the exfiltrated data potentially included names, addresses, dates of birth, and information related to participation on the health and insurance plans, which may have...

Read More
Data Breaches Reported by Horizon House and Samaritan Center of Puget Sound
Sep29

Data Breaches Reported by Horizon House and Samaritan Center of Puget Sound

Horizon House, Inc., a Philadelphia, PA-based provider of mental health and residential treatment services has announced its IT systems have been hacked and ransomware was deployed, with the attackers gaining access to systems containing the protected health information of 27,823 individuals. Suspicious activity was detected in its computer systems on March 5, 2021. An investigation was launched to determine the nature and scope of the breach, which revealed an unauthorized individual had access to its systems between March 2 and March 5, 2021. A review of files stored on the compromised systems was completed around September 3, 2021. The files contained protected health information such as names, addresses, Social Security numbers, driver’s license numbers, state identification card numbers, dates of birth, financial account information, medical claim information, medical record numbers, patient account numbers, medical diagnoses, medical treatment information, medical information, health insurance information, and medical claims information. All individuals affected by the...

Read More
PHI of 29,000 Patients Potentially Compromised in McAllen Surgical Specialty Center Ransomware Attack
Sep29

PHI of 29,000 Patients Potentially Compromised in McAllen Surgical Specialty Center Ransomware Attack

McAllen Surgical Specialty Center in Texas has started notifying patients about a ransomware attack that was detected on May 14, 2021. Third-party computer forensics specialists were engaged to investigate the breach and determine the nature and scope of the attack. The investigators determined unauthorized individuals had gained access to certain computers and servers on May 12, 2021 and deployed ransomware. Unauthorized access to its network was blocked on May 14. A comprehensive analysis was conducted to determine the servers and computers that had been affected, and which had potentially been accessed by the hackers. On July 22, it was determined patient data had potentially been compromised in the attack. The affected computers and servers contained a range of patient information, with the types of exposed data varying from patient to patient. Data potentially affected included names, addresses, Social Security numbers, dates of service, health insurance information, provider name, patient numbers, and medical record numbers. No evidence of data theft was identified and...

Read More
Class Action Lawsuits Filed Against San Diego Health Over Phishing Attack
Sep28

Class Action Lawsuits Filed Against San Diego Health Over Phishing Attack

Multiple class action lawsuits have been filed against the Californian healthcare provider San Diego Health over a data breach involving the protected health information of 496,949 patients. On March 12, 2021, San Diego Health identified suspicious activity in employee email accounts and launched an investigation. On April 8, 2021, it was determined multiple email accounts containing patients’ protected health information had been accessed by unauthorized individuals between December 2, 2020 and April 8, 2021. A review of the compromised email accounts confirmed them to contain protected health information such as names, addresses, dates of birth, email addresses, medical record numbers, government ID numbers, Social Security numbers, financial account numbers, and health information such as test results, diagnoses, and prescription information. HIPAA requires covered entities to issue notifications to affected individuals within 60 days of the discovery of a breach. San Diego Health published a substitute breach notice on its website on July 27, 2021 and started issuing individual...

Read More
Fifth of Healthcare Providers Report Increase in Patient Mortality After a Ransomware Attack
Sep27

Fifth of Healthcare Providers Report Increase in Patient Mortality After a Ransomware Attack

While there have been no reported cases of American patients dying as a direct result of a ransomware attack, a new study suggests patient mortality does increase following a ransomware attack on a healthcare provider. According to a recent survey conducted by the Ponemon Institute, more than one fifth (22%) of healthcare organizations said patient mortality increased after a ransomware attack. Ransomware attacks on healthcare providers often result in IT systems being taken offline, phone and voicemail systems can be disrupted, emergency patients are often redirected to other facilities, and routine appointments are commonly postponed. The recovery process can take several weeks, during which time services continue to be disrupted. While some ransomware gangs have a policy of not attacking healthcare organizations, many ransomware operations target healthcare. For instance, the Vice Society ransomware operation has conducted around 20% of its attacks on the healthcare sector and attacks on healthcare organizations have been increasing. During the past 2 years, 43% of respondents...

Read More
Data Breaches Reported by Vista Radiology, Indian Creek Foundation & Mankato Clinic
Sep27

Data Breaches Reported by Vista Radiology, Indian Creek Foundation & Mankato Clinic

Vista Radiology Reports Breach of the PHI of up to 3,634 Individuals Knoxville, TN-based Vista Radiology has notified 3,634 patients about a ransomware attack experienced on July 11, 2021 which took part of its network offline. A leading computer forensics firm was engaged to conduct a full investigation into the attack. And the initial investigation appeared to suggest the sole purpose of the attack was to encrypt its systems, and that data exfiltration was not involved. However, Vista Radiology was informed on July 15 that some evidence had been found that files or folders containing patient data had been accessed and viewed. The investigation confirmed files were encrypted in the evening of July 10 with a subset of those files accessed prior to encryption. The files that had been viewed only contained a limited amount of patient data and no significant amount of data were exfiltrated by the attackers. It was not possible to determine if the PHI of any specific patients had been accessed, so notification letters were sent to all patients potentially affected by the attack. The...

Read More
Vice Society Ransomware Gang Attacks United Health Centers of San Joaquin Valley
Sep27

Vice Society Ransomware Gang Attacks United Health Centers of San Joaquin Valley

The Vice Society ransomware gang claims to have conducted a ransomware attack on the California healthcare provider United Health Centers of San Joaquin Valley. United Health Centers operates more than 20 community health centers in Fresno, Kings, and Tulare counties. The Vice Society ransomware gang emerged mid-2021 and is believed to be a spin-off of the HelloKitty ransomware operation. The gang is known to use a variety of methods to gain access to victims networks, including exploiting vulnerabilities such as the PrintNightmare bugs. The gang is known for exfiltrating data from victims’ systems prior to the use of ransomware to encrypt files. Data are then published on its data leak site to pressure victims into paying the ransom. This attack appears to be no exception. Bleeping Computer reports it was notified on August 31, 2021 about the ransomware attack on United Health Centers by a trusted member of the cybersecurity community who said the healthcare provider’s entire network was shut down as a result of the attack. The cyberattack has yet to appear on the HHS’ Office for...

Read More
Email Breaches Reported by Eastern Los Angeles Regional Center & Mercy Grace Private Practice
Sep24

Email Breaches Reported by Eastern Los Angeles Regional Center & Mercy Grace Private Practice

Eastern Los Angeles Regional Center has discovered the email account of an employee has been accessed by an unauthorized individual. Suspicious activity was detected in the email account on July 15, 2021. A password reset was performed to prevent further unauthorized access and an investigation was launched to determine the nature and scope of the breach. It was confirmed that the account was accessed for a limited period of time on July 15, 2021 and that the email account contained the protected health information of 12,921 individuals, including first and last names, Social Security numbers, ELARC-issued client identifier numbers, Tax ID numbers, medical histories, treatment or diagnosis information, and health insurance information. Eastern Los Angeles Regional Center said it found no evidence to suggest any information in the email account was exfiltrated or subjected to actual or attempted misuse. Additional technical safeguards have been implemented to further enhance the security of sensitive information and affected individuals have been offered 12 months of complimentary...

Read More
K and B Surgical Center & Healthpointe Medical Group Notify Patients About Hacking Incidents
Sep24

K and B Surgical Center & Healthpointe Medical Group Notify Patients About Hacking Incidents

K and B Surgical Center in Beverley Hills, CA has discovered an unauthorized individual gained access to its computer network. The security breach was detected on March 30, 2021, with the third-party forensic investigation confirming its network was compromised between March 25 and March 30. Upon discovery of the breach, steps were taken to prevent further unauthorized access and an investigation was launched to determine the extent of the breach. The investigation concluded on April 27, 2021 that the attacker gained access to parts of the network that contained the protected health information of patients. Data mining was performed on the affected servers to determine which types on information had been exposed and the patients that had been affected. K and B Surgical Center said in its September 3, 2021 breach notification letters that it took until July 27 to obtain a finalized list of affected patients. The types of information potentially accessed and/or exfiltrated included the following data elements: Names, addresses, phone numbers, driver’s license numbers,...

Read More
Ransomware Attacks Reported by Family Medical Center of Michigan & Buddhist Tzu Chi Medical Foundation
Sep23

Ransomware Attacks Reported by Family Medical Center of Michigan & Buddhist Tzu Chi Medical Foundation

Temperance, MI-based Family Medical Center of Michigan (FMC) has notified 21,988 patients about a July 2020 ransomware attack in which their protected health information was compromised. FMC said the attack appeared to have been conducted by a cybercriminal gang operating out of Ukraine. The attackers encrypted FMC’s financial files which prevented its employees from accessing patients’ financial information. A ransom demand of $30,000 in cryptocurrency was issued for the digital key to unlock the encrypted files. FMC said it worked with a third-party computer security firm – IDX – to investigate the breach and help secure its digital environment. IDX advised paying the ransom as part of a strategy to determine the scope of the attack. FMC CEO, Ed Larkins said it complied with the demand and paid the ransom a week after the attack occurred. The attackers took two weeks to send the key to decrypt files. The investigation into the attack confirmed only financial information was affected and patient medical records were not compromised in the attack. Patients affected by the attack...

Read More
U.S. Vision Subsidiary Reports Hacking Incident Affecting 180,000 Individuals
Sep22

U.S. Vision Subsidiary Reports Hacking Incident Affecting 180,000 Individuals

The U.S. Vision Inc. subsidiary, USV Optical Inc. has announced unauthorized individuals have gained access to certain servers and systems that contained patients’ protected health information.  The unauthorized access was detected on May 12, 2021, with the subsequent forensic investigation confirming the hackers had access to its systems for almost a month from April 20, 2021 to May 17, 2021, when its systems were secured. Third-party computer forensics specialists are continuing to investigate the breach to determine the full extent and scope of the intrusion but have concluded that unauthorized individuals potentially viewed and exfiltrated patient data in the attack. It has been confirmed that the following types of employee and patient data have been exposed: Names, eyecare insurance information, and eyecare insurance application and/or claims information. A subset of individuals may also have had the following data exposed: Address, date of birth, and/or other individual identifiers. No reports have been received to date of any cases of attempted or actual misuse of personal...

Read More
August 2021 Healthcare Data Breach Report
Sep21

August 2021 Healthcare Data Breach Report

There was a 44% month-over-month decrease in the number of reported healthcare data breaches in August 2021. 38 healthcare data breaches of 500 or more records were reported by healthcare providers, health plans, and their business associates in August. August’s reported data breaches takes the total number of healthcare data breaches in the past 12 months to 707 (Sep 2020 to August 2021), with 440 of those data breaches reported in 2021. While there was a marked fall in the number of reported breaches, 5,120,289 healthcare records were breached across those 38 incidents, which is well above the 12-month average of 3.94 million breached records a month. The high total was largely due to two major ransomware attacks on St. Joseph’s/Candler Health System and University Medical Center Southern Nevada, which involved 2.8 million healthcare records combined. Largest Healthcare Data Breaches Reported in August 2021 Ransomware gangs continued to target the healthcare industry in August. The attacks can cause disruption to care and can put patient safety at risk. Some of the attacks...

Read More
Ransomware Gangs Attack Missouri Delta Medical Center and Barlow Respiratory Hospital
Sep21

Ransomware Gangs Attack Missouri Delta Medical Center and Barlow Respiratory Hospital

Barlow Respiratory Hospital in Los Angeles, CA has announced it has suffered a ransomware attack on August 27, 2021. The attack was conducted by the Vice Society ransomware gang, which gained access to its network and electronic medical record system. Prior to using ransomware to encrypt files, the gang exfiltrated patient data, some of which has been posted on the gang’s dark web data leak site. Barlow Respiratory Hospital said while the attack affected several IT systems, the hospital was able to continue to operate under its emergency procedures and patient care was not interrupted. Upon detection of the security breach, law enforcement agencies were notified and a third-party cybersecurity firm was engaged to assist with the investigation and determine the scope of the data breach. The investigation into the attack is ongoing. While some ransomware operations have said they will not target healthcare providers, Vice Society does not fall into that category. The ransomware operation appeared in June 2021 and has already attacked multiple healthcare providers, including Eskenazi...

Read More
Alaska DHSS Says May 2021 Cyberattack Impacts All Alaskans
Sep21

Alaska DHSS Says May 2021 Cyberattack Impacts All Alaskans

The Alaska Department of Health and Social Services (DHSS) is about to start mailing notification letters to all individuals in the state telling them their personal and health information may have been compromised in a highly sophisticated cyberattack conducted by a nation state threat actor. The cyberattack was detected on May 2, 2021 and the DHSS was notified about the attack on May 5, and was advised to shut down its systems immediately to prevent further unauthorized access. Details of when the hackers first gained access to DHSS systems has not been released, but it is known that Advanced Persistent Threat (APT) actors had access to DHSS systems for at least 3 days. The DHSS has previously reported the security incident and issued an update about the breach in August. The latest update, on September 16, explains the potential impact the attack will have on Alaskans. In the latest update, the DHSS said notifications were delayed so as not to interfere with the criminal investigation into the attack. The cyberattack was extensive and caused major disruption. Some IT systems...

Read More
Hacked Simon Eye Management Email Accounts Contained PHI of More than 144,000 Patients
Sep20

Hacked Simon Eye Management Email Accounts Contained PHI of More than 144,000 Patients

Wilmington, DE-based Simon Eye Management has suffered a breach of its email environment and hackers potentially gained access to the protected health information of 144,373 patients. Simon Eye identified suspicious activity in certain employee email accounts on or around June 8, 2021. Action was immediately taken to secure the accounts and prevent further unauthorized access, and an investigation was launched to determine the nature and scope of the breach. Assisted by third -party security experts, Simon Eye determined that unauthorized individuals gained access to employee email accounts between May 12 and May 18, 2021. The incident was an attempted business email compromise (BEC) attack, where employee email accounts are compromised and used in a scam to trick employees into making fraudulent wire transfers, in this case through the manipulation of invoices. Simon Eye said none of the attackers’ attempts were successful. While gaining access to patient data did not appear to be the goal of the attackers, the email accounts they were able to access did contain patients’...

Read More
Stolen Laptop Contained the PHI of Dignity Health Patients
Sep17

Stolen Laptop Contained the PHI of Dignity Health Patients

Resource Anesthesiology Associates (RAA) of California has started notifying certain patients of Dignity Health’s Mercy Hospital Downtown and Mercy Hospital Southwest that some of their protected health information was stored on a laptop computer that was stolen. RAA of California provides anesthesiology services at the Dignity Health hospitals, which requires access to patient data. On July 8, the laptop was stolen from an RAA of California administrator. The theft was reported to law enforcement, but the device has not been recovered. RAA of California conducted an investigation to determine which patient information was stored on the device and could potentially be accessed. The review confirmed the following types of information were stored on the device: Names, addresses, dates of birth, provider names, dates of service, diagnoses and treatment information, health insurance information, and other information related to patients’ medical care. The laptop computer was protected with a password, which provides a degree of protection against unauthorized access. However, passwords...

Read More
1,738 Patients of Coalinga State Hospitals Notified About Improper Disclosure of PHI
Sep17

1,738 Patients of Coalinga State Hospitals Notified About Improper Disclosure of PHI

The Department of State Hospitals – Coalinga (DSH-C) in California has notified 1,738 patients that some of their protected health information has been impermissibly disclosed by a DSH-C employee. The United States District Court, Eastern District of California had made a request to be provided with DSH-C patient rosters in order to determine whether patients were eligible for a waiver of filing fees when filing a lawsuit. Those rosters were provided to a District Court Clerk by a DSH-C employee. The patient rosters contained information about patients that had not filed a lawsuit, and the rosters contained more information than was required by the District Court Clerk to determine eligibility for a waiver. The disclosure was therefore in violation of the HIPAA Rules. The rosters contained the following data elements: name, case number, birth date, legal commitment, admission date, unit number, and gender. DSH-C said it has no reason to believe the information was used for any reason other than for an eligibility determination for a public benefit provided by the Court. Upon...

Read More
36,500 Patients of Austin Cancer Centers Notified About PHI Exposure
Sep17

36,500 Patients of Austin Cancer Centers Notified About PHI Exposure

Austin Cancer Centers is alerting 36,503 patients about a security incident discovered on August 4, 2021 in which some of their protected health information was exposed. Unauthorized individuals were discovered to have gained access to computer systems and installed malware. To prevent further unauthorized access, computer systems were immediately shut down and law enforcement was notified. Since then, Austin Cancer Centers has worked with cybersecurity experts to learn about the exact nature and scope of the incident. Austin Cancer Centers said the malware has now been removed, systems have been restored and secured, and its facilities are open. The forensic investigation into the security breach confirmed hackers first gained access to its computer systems on July 21, and access remained possible until the breach was discovered on August 4. A comprehensive review was conducted to identify all files on the network that could possibly have been accessed in the attack. Those files were found to contain patient information such as names, addresses, dates of birth, insurance carrier...

Read More
Walgreens Covid-19 Test Registration System Has Been Exposing Patient Data
Sep16

Walgreens Covid-19 Test Registration System Has Been Exposing Patient Data

The personal data of individuals who took a COVID-19 test at a Walgreens pharmacy has been exposed over the Internet due to vulnerabilities in its COVID-19 test registration system. It is currently unclear how many individuals have been affected, although they could well number in the millions given the number of COVID-19 tests Walgreens has performed since April 2020. It is unclear when the vulnerabilities were introduced on the website, but they date back to at least March 2021 when they were discovered by Interstitial Technology PBC consultant Alejandro Ruiz. He identified a security error when a member of his family had a COVID-19 test performed at Walgreens. Ruiz contacted Walgreens to alert them to the data exposure, but claimed the company was not responsive. Ruiz spoke to Recode about the issue, which had the security flaws confirmed by two security experts. Recorde reported the issue to Walgreens, and the company said, “We regularly review and incorporate additional security enhancements when deemed either necessary or appropriate.” However, as of September 13, 2021 the...

Read More
Desert Wells Family Medicine Ransomware Attack Causes Permanent Loss of EHR Data
Sep15

Desert Wells Family Medicine Ransomware Attack Causes Permanent Loss of EHR Data

Queen Creek, AZ-based Desert Wells Family Medicine has started notifying 35,000 patients that their protected health information has been compromised in a recent ransomware attack. The attack occurred on May 21, 2021 and resulted in the encryption of data, including its electronic health record (EHR) system. All data had been backed up prior to the attack, but in addition to encrypting files, the attacker corrupted backup files which means all data contained in its EHR system prior to May 21 cannot be recovered. The types of data in the system, which may also have been obtained by the hackers in the incident, included patient names, addresses, dates of birth, billing account numbers, Social Security numbers, medical record numbers, and treatment information. Desert Wells said it has not found any evidence that suggests there has been any attempted or actual misuse of patient data, and the third-party computer forensics investigators found no evidence that patient data had been exfiltrated prior to file encryption, although it was not possible to rule out data theft with a high...

Read More
HealthReach Community Health Centers Reports Improper Disposal Incident Affecting Almost 117,000 Patients
Sep15

HealthReach Community Health Centers Reports Improper Disposal Incident Affecting Almost 117,000 Patients

The protected health information (PHI) of 116,898 patients of Waterville, MA-based HealthReach Community Health Centers has been potentially compromised in a third-party data breach. HealthReach Community Health Centers, which operates 11 community health centers in Central and Western Maine, discovered a worker at a third-party data storage facility had improperly disposed of hard drives that contained the data of patients. Under HIPAA, all electronic devices that contain PHI must be disposed of in a manner that ensures data on the devices cannot be read or reconstructed. This typically involves clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field), or destroying the media via disintegration, pulverization, melting, incineration, or shredding. In a data breach notice sent to the Maine Attorney General, HealthReach said patient data had been exposed on April 7 and it was notified about the improper disposal incident on May 7.  Upon discovery of the incident, HealthReach...

Read More
Jackson Health Investigating Nurse Social Media HIPAA Violation
Sep14

Jackson Health Investigating Nurse Social Media HIPAA Violation

Jackson Health has launched an investigation into a nurse social media violation after photographs of a baby with a birth defect were posted on Facebook. A nurse who worked in the neonatal intensive care unit at Jackson Memorial Hospital posted two photographs on Facebook of a baby with gastroschisis – a rare birth defect of the abdominal wall that can cause the intestines to protrude from the body. The photos were accompanied with the captions, “My night was going great then boom!” and “Your intestines posed (sic) to be inside not outside baby! #gastroschisis.” The disturbing images were posted on accounts belonging to Sierra Samuels. The posting of images of patients on social media without first obtaining authorization is a serious breach of patient privacy. Photographs of patients are classed as protected health information and posting images on social media platforms, even in closed Facebook groups, is a violation of the Health Insurance Portability and Accountability Act (HIPAA) unless prior authorization is obtained from the patient. HIPAA requires healthcare providers to...

Read More
OCR Announces 20th Financial Penalty Under HIPAA Right of Access Enforcement Initiative
Sep13

OCR Announces 20th Financial Penalty Under HIPAA Right of Access Enforcement Initiative

The Department of Health and Human Services’ Office for Civil Rights (OCR) has imposed its 20th financial penalty under the HIPAA Right of Access enforcement initiative that was launched in late 2019. Children’s Hospital & Medical Center (CHMC), a pediatric care provider in Omaha, Nebraska, has been ordered to pay a penalty of $80,000 to resolve the alleged HIPAA Right of Access violation, is required to adopt a corrective action plan to address the noncompliance discovered by OCR, and will be monitored for compliance by OCR for a period of one year. The Privacy Rule of the Health Insurance Portability and Accountability Act gave individuals the right to obtain a copy of their protected health information held by a HIPAA covered entity, and for parents and legal guardians to obtain a copy of the medical records of their minor children. HIPAA covered entities must provide the requested records within 30 days and are only permitted to charge a reasonable cost-based fee for providing copies. In certain circumstances, covered entities can apply for a 30-day extension, making...

Read More
Philadelphia Mental Health Service Provider Breach Affects 29,000 Patients
Sep10

Philadelphia Mental Health Service Provider Breach Affects 29,000 Patients

The Wedge Recovery Centers, a mental health service provider based in Philadelphia, Pennsylvania, discovered suspicious activity within the computer network on June 25, 2021 which indicated unauthorized individuals had breached the security defenses. Steps were immediately taken to block further access and an investigation was launched to determine the nature and scope of the breach. The investigation confirmed an unauthorized actor had gained access to its network on June 25, 2021; however, no evidence was uncovered during the course of the investigation to suggest any individual’s information had been subjected to actual or attempted misuse as a result of the security breach. A comprehensive review was conducted of all data potentially affected and that process is ongoing; however, it has now been confirmed that the following types of information were stored in files on parts of the network that were compromised: Name, address, date of birth, Social Security number, and treatment and health insurance information. The Wedge Recovery Centers have implemented additional technical...

Read More
TX: Denton County Discovers COVID-19 Application Leaked Data of 346,000 Individuals
Sep09

TX: Denton County Discovers COVID-19 Application Leaked Data of 346,000 Individuals

Denton County in Texas has discovered a vulnerability in a third-party provider application used in connection with individuals’ personal health information has potentially been exploited by unauthorized individuals. The application was used at COVID-19 vaccination clinics in the County, and contained information such as names, dates of birth, email addresses, phone numbers, and COVID-19 vaccination information. The vulnerability, discovered by Denton County officials on July 7, 2021, meant the information in the application database was accessible by anonymous users. When the flaw was discovered, the application was immediately shut down and an investigation was launched to determine the extent of the issue and whether any unauthorized individuals had exploited the flaw to gain access to sensitive data. Denton County confirmed that an error had been made configuring the application which exposed data to unauthorized individuals. While no evidence was found to indicate any actual or attempted misuse of individuals’ protected health information, it was not possible to rule out...

Read More
Data Breaches at Business Associates Affect LifeLong Medical Care & Beaumont Health Patients
Sep07

Data Breaches at Business Associates Affect LifeLong Medical Care & Beaumont Health Patients

LifeLong Medical Care, a Californian healthcare provider serving patients in Alameda, Contra Costa, and Marin Counties, has notified certain patients whose protected health information was impacted in a ransomware attack on the third-party vendor Netgain Technologies. The breach has been reported to the HHS’ Office for Civil Rights as involving the PHI of 115,448 patients. Netgain Technologies discovered a security breach on November 24, 2020 involving ransomware. An internal investigation into the breach determined on February 25, 2021 that the attackers had accessed and obtained files containing the information of its customers. The attackers first breached its systems on November 15, 2020. LifeLong Medical Care said it launched a comprehensive investigation into the breach and discovered on August 9, 2021 that the personal and protected health information of patients was accessed and/or exfiltrated from Netgain’s network. Affected patients had their full name compromised along with one or more of the following data elements: Social Security number, date of birth, patient...

Read More
CareATC Email Accounts Accessed by Unauthorized Individuals
Sep03

CareATC Email Accounts Accessed by Unauthorized Individuals

CareATC, a Tulsa, OK-based population health management company, has discovered the email accounts of two employees have been accessed by unauthorized individuals, who potentially gained access to the personal information of patients and employees. CareATC launched an investigation on June 29, 2021 when suspicious activity was detected in the email account of an employee. Third-party forensics specialists were engaged to assist with the investigation and determine the extent and scope of the security breach. That investigation revealed a second email account had also been compromised, with the two email accounts subject to unauthorized access between June 18 and June 29, 2021. Upon discovery of the compromised email accounts steps were taken to block any further unauthorized access, and a comprehensive review was conducted to determine which patient data had been exposed. The review was completed around August 11, 2021. For the majority of affected individuals – which include patients, employees, and dependents of patients and employees – the information in the compromised email...

Read More
Outpatient Facilities Targeted by Cyber Actors More Frequently Than Hospitals
Sep01

Outpatient Facilities Targeted by Cyber Actors More Frequently Than Hospitals

A new analysis of breach reports submitted to the Department of Health and Human Services’ Office for Civil Rights has revealed outpatient facilities and specialty clinics have been targeted by cyber threat actors more frequently than hospital systems in the first 6 months of 2021. Researchers at Critical Insight explained in their 2021 Healthcare Data Breach Report that cybercriminals have changed their targets within the healthcare ecosystem and are now focusing on outpatient facilities and business associates more often than hospitals and health insurers. While large health systems are naturally attractive targets for cybercriminals, smaller healthcare organizations tend to have weaker security defenses and can be attacked more easily and are low hanging fruit for hackers. The potential profits from the attacks may be lower, but so too is the effort to gain access to their networks and sensitive data. “It is no secret as to why hackers are showing interest. Electronic protected health information (ePHI) is worth more than a credit card number or social security number. Scammers...

Read More
655,000 DuPage Medical Group Patients Notified About PHI Breach
Sep01

655,000 DuPage Medical Group Patients Notified About PHI Breach

DuPage Medical Group, the largest independent physician group in the state of Illinois, has started notifying 655,384 patients about a security breach in which their personal and protected health information may have been compromised. DuPage Medical Group identified suspicious activity in its computer network on July 13, 2021 and engaged cyber forensic specialists to conduct an investigation to determine the full nature and scope of the breach. They determined unauthorized actors had gained access to its IT systems on July 12 and access remained possible until the breach was detected on July 13 and its network was secured. A comprehensive review was conducted of all files on the systems that were accessible to the hackers and, on August 17, 2021, DuPage Medical Group confirmed that files containing patient information had potentially been impacted. The types of information potentially compromised in the security breach varied from patient to patient and may have included the following data elements: Names, address­es, dates of birth, diag­no­sis codes, Cur­rent Pro­ce­dur­al...

Read More
San Andreas Regional Center Victim of Ransomware Attack
Aug30

San Andreas Regional Center Victim of Ransomware Attack

San Andreas Regional Center in San Jose, CA has started notifying patients that their PHI may have been compromised in a July 2021 ransomware attack. On July 5, its networks and servers were taken out of action as a result of the attack. Steps were rapidly taken to remediate the attack and third-party computer forensics experts were engaged to investigate the breach, determine how access to its systems was gained, and to discover the extent to which patient data had been affected. The initial investigation into the ransomware attack was concluded on August 2, 2021, when it was confirmed that the attackers had gained access to parts of the network where patients’ protected health information was stored and certain files stored on its servers that contained patient data had been exfiltrated by the attackers prior to the use of ransomware. It was not possible to determine any specific patient information that was stolen by the attackers. At the time of issuing notification letters to affected patients, San Andreas Regional Center had not identified any instances of attempted or actual...

Read More
48,000 Individuals Affected by Ransomware Attack on CarePointe ENT
Aug27

48,000 Individuals Affected by Ransomware Attack on CarePointe ENT

The Merrillville, IN-based ear, nose, and throat specialist, CarePointe ENT, has announced it suffered a ransomware attack on June 25, 2021 which resulted in the encryption of files on its network. Some of the files encrypted in the attack are known to include the personal and protected health information of its patients. It is common in ransomware attacks for sensitive data to be exfiltrated prior to the use of ransomware to encrypt files. The main purpose of data exfiltration is to pressure victims into paying the ransom. CarePointe said it believes the attack was conduced with the sole purpose of extorting money from the practice, not to steal patient data. No reports have been received which suggest any patient data have been misused as a result of the cyberattack, although after thoroughly investigating the attack it was not possible to rule out the possibility that patient data had been viewed by the attackers. CarePointe said it has taken steps to reduce the likelihood of further cyberattacks, with the additional measures implemented including enhanced its threat detection...

Read More
PHI of 9,800 Patients of Atlanta Allergy & Asthma Exposed in Cyberattack
Aug27

PHI of 9,800 Patients of Atlanta Allergy & Asthma Exposed in Cyberattack

Atlanta Allergy & Asthma has started notifying 9,851 patients about a January 2021 cyberattack in which their protected health information was exposed and potentially compromised. Atlanta Allergy & Asthma said its investigation into the breach determined hackers had access to its network between January 5 and January 13, 2021. Upon discovery of the breach, steps were immediately taken to kick the unauthorized individuals out of its network and mitigate against any potential harm. Atlanta Allergy & Asthma engaged third party cybersecurity professionals to determine the nature and scope of the breach, with the investigation confirming the attackers had access to parts of the network where documentation was stored that included protected health information. A comprehensive review was conducted of those documents. Atlanta Allergy & Asthma said it was confirmed on July 8, 2021 that the following types of information had potentially been compromised: Names, dates of birth, Social Security numbers, financial account numbers and/or routing numbers, diagnoses, treatment...

Read More
Metro Infectious Disease Consultants Reports 172,000-Record Data Breach
Aug26

Metro Infectious Disease Consultants Reports 172,000-Record Data Breach

Metro Infectious Disease Consultants is notifying 171,740 patients about an email security incident discovered on June 24, 2021. An unauthorized individual was found to have gained access to certain employees’ email accounts which contained the protected health information of patients. Upon discovery of the security breach, steps were immediately taken to secure the accounts to prevent further access and Metro Infectious Disease Consultants engaged a computer forensics firm to determine the extent and scope of the breach. The investigation confirmed the breach was confined to its email environment and that the compromised email accounts contained patient data such as names, addresses, dates of birth, account numbers, insurance information, prescription information, limited clinical information, Social Security numbers, and driver’s license numbers. The types of data in the account varied from individual to individual. Metro Infectious Disease Consultants has sent notification letters to all individuals affected by the breach and complimentary credit monitoring and identity theft...

Read More
South Florida Community Care Plan Notifies Patients About Insider Email Breach
Aug25

South Florida Community Care Plan Notifies Patients About Insider Email Breach

South Florida Community Care Plan has discovered a former employee sent internal documents containing the protected health information of plan members to a personal email account. The breach was discovered on June 21, 2021 during a review of the former employee’s email account. An investigation was launched into the unauthorized activity which determined on June 21, 2021 that the documents contained the following types of plan member information: Names, addresses, dates of birth, member identification numbers, primary care physician names, diagnoses, procedure billing codes, approved services, and/or procedure types. The sending of plan members’ information to personal email accounts is a violation of South Florida Community Care Plan policies; however, no evidence was found to indicate the information was sent outside the scope of the former employee’s employment. South Florida Community Care Plan said data security is one of its top priorities and steps were taken to prevent unauthorized data access and exfiltration. The employee’s email and login credentials were revoked at the...

Read More
Revere Health Phishing Attack Impacts 12,000 Patients
Aug25

Revere Health Phishing Attack Impacts 12,000 Patients

The U.S. Agency for International Development (USAID) was impersonated in phishing campaign that has resulted in the exposure of the protected health information of approximately 12,000 patients of the Utah healthcare provider Revere Health. The phishing attack was rapidly detected by the revere Health IT team, which quickly secured the mailbox to block unauthorized access. According to a breach notice published by Revere Health, the mailbox was only compromised for around 45 minutes on June 21, 2021. An investigation was launched into the breach to determine whether any information in the email account was viewed or downloaded. While it was not possible to tell whether emails in the account were accessed or exfiltrated, Revere Health said it has monitored the Internet and has found no instances of patient data being shared online. A review of emails and email attachments confirmed they contained the protected health information of patients of the Heart of Dixie Cardiology Department in St. George, which included medical record numbers, dates of birth, provider names, procedures,...

Read More
California DOJ Must Be Notified About Breaches of the Health Data of 500 or More California Residents
Aug25

California DOJ Must Be Notified About Breaches of the Health Data of 500 or More California Residents

The Breach Notification Rule of the Health Insurance Portability and Accountability Act (HIPAA) requires covered entities and business associates to send notifications to the HHS’ Office for Civil Rights (OCR) about data breaches and healthcare organizations are also required to comply with state data breach notification laws. Many states have introduced their own data privacy laws, which typically require notifications to be sent to appropriate state Attorneys General if a data breach exceeds a certain threshold. States have the authority to bring civil actions against healthcare organizations that fail to issue breach notifications under both HIPAA and state laws. In California, the threshold for reporting breaches is in line with HIPAA. If a data breach is experienced that impacts 500 or more California residents, the California Department of Justice (DOJ) must be notified. Recently, there have been several instances where the California DOJ has not been notified about ransomware attacks on California healthcare facilities, even though the personal and protected health...

Read More
July 2021 Healthcare Data Breach Report
Aug23

July 2021 Healthcare Data Breach Report

High numbers of healthcare data breaches continued to be reported by HIPAA-covered entities and their business associates. In July, there were 70 reported data breaches of 500 or more records, making it the fifth consecutive month where data breaches have been reported at a rate of 2 or more per day. The number of breaches was slightly lower than June, but the number of records exposed or compromised in those breaches jumped sharply, increasing by 331.5% month-over-month to 5,570,662 records. Over the past 12 months, from the start of August 2020 to the end of July 2021, there have been 706 reported healthcare data breaches of 500 or more records and the healthcare data of 44,369,781 individuals has been exposed or compromised. That’s an average of 58.8 data breaches and around 3.70 million records per month! Largest Healthcare Data Breaches in July 2021 Two healthcare data breaches stand out due to the sheer number of healthcare records that were exposed – and potentially stolen. The largest healthcare data breach to be reported in July was a hacking/IT incident reported by the...

Read More
HVAC Vendor Allegedly Hacked: Access Gained to Hospital Systems
Aug23

HVAC Vendor Allegedly Hacked: Access Gained to Hospital Systems

In early August, a hacker made contact with Dissent of DataBreaches.net and claimed to have hacked into the systems of a HVAC vendor. Through that vendor the hacker claimed to have gained access to the networks of its clients, one of which was Boston Children’s Hospital. The company in question is Canton, MA-based ENE Systems. DataBreaches.net reported in a recent blog post that the hacker had attempted to extort money from the HVAC vendor but the ransom was not paid. The hacker still claimed to have access to the network of ENE Systems and those of its clients and told Dissent that he/she was not interested in causing harm to the hospital. DataBreaches.net was asked to reach out to the hospital and make it clear that its network had been breached through the HVAC vendor, in case the vendor had not communicated the breach to the hospital. DataBreaches.net was provided with screenshots as proof of the hack. While it was not confirmed whether the networks of other hospitals had been breached, ENE systems lists Brigham & Women’s Hospital and Mass General Hospital as its clients on...

Read More
Contact Tracing Survey Data of 750,000 Hoosiers Exposed Online
Aug19

Contact Tracing Survey Data of 750,000 Hoosiers Exposed Online

The personal information of 750,000 Hoosiers collected as part of a COVID-19 contact tracing survey conducted by the Indiana Department of Health has been exposed online and downloaded by a company not authorized to access the data. The survey included information such as names, addresses, dates of birth, emails, and information on gender, ethnicity and race. The Indiana Department of Health was notified about the unauthorized access on July 2, 2021 and immediately took steps to secure the data to prevent further unauthorized access. According to Tracy Barnes, the Chief Information Officer of the state of Indiana, the company that accessed and downloaded the data was a firm “that intentionally looks for software vulnerabilities, then reaches out to seek business.” Last week, the Indiana Department of Health obtained a signed “certificate of destruction” from the company confirming the downloaded data had been permanently destroyed and that no further copies of the data had been retained. The company also confirmed the downloaded data had not been disclosed to any other company or...

Read More
1.4 Million Individuals Affected by St. Joseph’s/Candler Ransomware Attack
Aug19

1.4 Million Individuals Affected by St. Joseph’s/Candler Ransomware Attack

Around 4 a.m. on Thursday June 17, 2021, St. Joseph’s/Candler (SJ/C) hospital system in Savannah, GA suffered a ransomware attack. Upon detection of suspicious network activity, SJ/C immediately took steps to isolate and secure its systems. The attack prevented access to computer systems and emergency protocols were implemented, with staff reverting to pen and paper to record patient data. SJ/C notified law enforcement about the security breach and launched an investigation. Assisted by third party cybersecurity firms, SJ/C determined the hackers first gained access to its systems on December 18, 2020 and continued to have access to those systems until June 17, 2021, when the ransomware was deployed. “Patient care operations continue at our facilities using established back-up processes and other downtime procedures,” explained SJ/C in a statement shortly after the attack was detected. “Our physicians, nurses and staff are trained to provide care in these types of situations and are committed to doing everything they can to mitigate disruption and provide uninterrupted care to our...

Read More
Scripps Health Ransomware Attack Cost Increases to Almost $113 Million
Aug18

Scripps Health Ransomware Attack Cost Increases to Almost $113 Million

Ransomware attacks on hospitals can cause huge financial losses, as the Ryuk ransomware attack on Universal Health Services showed. UHS is one of the largest healthcare providers in the United States, and operates 26 acute care hospitals, 330 behavioral health facilities, and 41 outpatient facilities. UHS said in March 2021 that the September 2020 ransomware attack resulted in $67 million in pre-tax losses due the cost of remediation, loss of acute care services, and other expenses incurred due to the attack. While the losses suffered by UHS were significant, the ransomware attack on Scripps Health has proven to be far more expensive. Scripps Health is a California-based nonprofit operator of 5 hospitals and 19 outpatient facilities in the state. In the May 2021 ransomware attack, Scripps Health lost access to information systems at two of its hospitals, staff couldn’t access the electronic medical record system, and its offsite backup servers were also affected. Without access to critical IT systems, Scripps Health was forced to re-route stroke and heart attack patients from four...

Read More
Cyberattack Forces Memorial Health System to Divert Patients to Alternate Hospitals
Aug17

Cyberattack Forces Memorial Health System to Divert Patients to Alternate Hospitals

Marietta, OH-based Memorial Health System has been forced to divert emergency care patients due to a suspected ransomware attack. The cyberattack occurred in the early hours of Sunday morning, with the health system forced to shut down IT systems to contain the attack. Emergency protocols were implemented due to the lack of access to essential IT systems, and the staff has been working with paper charts. Memorial Health System operates three hospitals in Ohio and West Virginia, all of which have been affected by the attack. Since electronic health records were not accessible, patient safety was potentially put at risk, so the decision was taken to divert emergency patents. “We will continue to accept: STEMI, STROKE and TRAUMA patients at Marietta Memorial Hospital. Belpre and Selby are on diversion for all patients due to radiology availability. It is in the best interest of all other patients to be taken to the nearest accepting facility,” according to an August 15 press release. “If all area hospitals on are diversion, patients will be transported to the emergency department...

Read More
PHI of 47,000 Individuals Potentially Compromised in Electromed Inc. Data Breach
Aug17

PHI of 47,000 Individuals Potentially Compromised in Electromed Inc. Data Breach

Electromed Inc., a New Prague, MN-based developer and manufacturer of airway clearance devices, has announced it suffered a security breach in June 2021 in which unauthorized individuals gained access to certain IT systems. Electromed said unauthorized activity was detected in its IT systems on June 16, 2021 and steps were immediately taken to prevent further unauthorized access. An investigation was launched to determine the source and scope of the breach and third-party cybersecurity experts were engaged to assist with the investigation. Electromed determined the unauthorized third party accessed certain files that contained the personal and protected health information of its customers, as well as information of its employees and certain third-party contractors.  A comprehensive review was conducted of all files on the affected systems, which revealed they contained customers’ first and last names, mailing addresses, medical information, health insurance information and, for associates, Social Security numbers, driver’s license numbers, and financial account information. While...

Read More
UNM Health Data Breach Affects More than 637,000 Patients
Aug17

UNM Health Data Breach Affects More than 637,000 Patients

UNM Health has discovered an unauthorized third party gained access to its network and potentially viewed and exfiltrated files from its systems that contained patients’ protected health information. The security breach was discovered on June 4, 2021 and an investigation was immediately launched to determine the extent and scope of the breach. UNM Health determined its systems were accessed by the unauthorized third-party on May 2, 2021 and files containing the protected health information of its patients, including those of UNM Hospital, UNM Medical Group, Inc., and UNM Sandoval Regional Medical Center Inc. were potentially compromised. A comprehensive review of all files on the compromised parts of its network was conducted and it was confirmed they contained information such as names, addresses, dates of birth, medical record numbers, patient identification numbers, health insurance information, and some clinical information related to the healthcare services provided by UNM Health. The Social Security numbers of a limited number of patients were also potentially compromised in...

Read More
PHI of Employees Compromised in Cyberattack on Waste Management Firm
Aug16

PHI of Employees Compromised in Cyberattack on Waste Management Firm

USA Waste-Management Resources, LLC has started notifying certain employees, former employees, and dependents covered by its self-administered health plan that some of their personal and protected health information was compromised in a January 2021 cyberattack. Waste-Management Resources said suspicious activity was detected in its IT systems on January 21, 2021. An investigation was launched and, assisted by third party computer forensics specialists, Waste-Management Resources confirmed that an unauthorized individual had accessed its systems between January 21 and January 23, 2021 and that certain files were accessed and stolen in the attack. An extensive review was conducted to determine if any files stored on the compromised parts of its network contained any sensitive information. That process was completed on June 21, 2021. The review confirmed the following types of information had been exposed and have potentially been compromised: Names, Social Security numbers, taxpayer identification numbers, government ID numbers, state ID numbers, driver’s license numbers,...

Read More
University Medical Center of Southern Nevada Confirms PHI Compromised in June Cyberattack
Aug13

University Medical Center of Southern Nevada Confirms PHI Compromised in June Cyberattack

University Medical Center of Southern Nevada (UMC) has issued an update on a cyberattack it experienced in June 2021 and has now confirmed that some patient information was compromised in the attack. The cyberattack occurred on June 14, 2021 and was conducted by a “by a well-known group of cybercriminals that seek to use the information for commercial gain,” according to a July 29, 201 UMC press release. UMC explained that suspicious activity was detected within its IT environment and prompt action was taken to remove the attackers from its network. UMC said the breach was contained the on June 15, with the initial investigation suggesting the attackers had gained access to certain file servers; however, the prompt action taken by its IT Division meant there was no disruption to patient care or its clinical systems. Initially, UMC said it had no reason to believe any clinical systems were accessed by the attackers, although the investigation into the cyberattack was ongoing to establish the nature and scope of the cyberattack. The forensic investigation has now confirmed that...

Read More
Email Account Breaches Reported by A2Z Diagnostics and Vision for Hope
Aug11

Email Account Breaches Reported by A2Z Diagnostics and Vision for Hope

The New Jersey specialist diagnostic testing laboratory A2Z Diagnostics has started notifying patients that some of their protected health information was contained in employee email accounts that were accessed by unauthorized individuals. Upon discovery of the breach, email accounts were immediately secured and third-party cybersecurity consultants were engaged to investigate the breach and determine whether any emails or attachments had been accessed or obtained in the attack. A2Z Diagnostics learned on June 28, 2021 that the compromised accounts were breached between February 2, 2021 and April 2, 2021, and some of the accounts contained the personal and protected health information of individuals who had tests performed at its laboratory; however, no evidence was found that suggested any emails had actually been viewed or stolen in the attack. The types of information in the accounts varied from individual to individual and may have included full names in combination with one or more of the following types of information:  Social Security number, date of birth, driver’s...

Read More
Long Island Jewish Forest Hills Hospital Notifies Patients About Insider Breach
Aug09

Long Island Jewish Forest Hills Hospital Notifies Patients About Insider Breach

Long Island Jewish Forest Hills Hospital (LIJFH) has started notifying 10,333 patients about an insider data breach involving their medical records. LIJFH explained in its breach notification letters that an unauthorized medical record access incident came to light around January 24, 2020. LIJFH had been issued with a subpoena for documents in connection with a law enforcement investigation into a “No Fault” motor vehicle accident insurance scheme that referenced an LIJFH employee. A review was conducted of access logs relating to its medical record system and it was determined that the now former employee had improperly accessed the medical records of patients. While no evidence was found to indicate any patient information had been misused, or that the former employee was in any way involved in the insurance scheme, the decision was taken to issue notification letters. Notification letters were sent to all patients whose medical records had been accessed by the former employee during the period that the individual had access to patients’ medical records, irrespective of whether...

Read More
Dynamic Health Care Malware Attack Affects Multiple Nursing and Rehabilitation Facilities in Illinois
Aug09

Dynamic Health Care Malware Attack Affects Multiple Nursing and Rehabilitation Facilities in Illinois

Patients and staff members at several nursing and rehabilitation facilities in Illinois are being notified that some of their protected health information has potentially been compromised in a cyberattack on Dynamic Health Care, Inc. Dynamic Health Care provides consulting, administrative, and back office services to nursing and rehabilitation facilities in Illinois that require access to certain staff and patient data. On November 8, 2020, Dynamic Health Care discovered malware had been installed on certain computers within its network. An investigation was launched into the malware incident to determine the full nature and scope of the incident. Dynamic Health Care confirmed an unauthorized individual had accessed its network on or around November 8, 2020 and on January 7, 2021, it was determined that during the time that access to the network was possible, the attacker potentially viewed or acquired information about staff and nursing home residents at facilities including Woodbridge Nursing Pavilion, Waterfront Terrace, Bridgeview Health Care Center, Willow Crest Nursing...

Read More
NCH Corporation and Others Announce Data Breaches
Aug06

NCH Corporation and Others Announce Data Breaches

Irving, TX-based NCH Corporation, an international marketer of maintenance products, has reported a suspected ransomware attack. Suspicious network activity was detected within its systems on March 5, 2021, “that caused certain systems in its network to become unavailable.” Steps were taken to block further unauthorized access and restore its systems. The investigation revealed the attackers had access to certain parts of its network between March 2 and March 5, 2021 and during that time there was unauthorized access to certain files stored on its file servers. It was not possible to tell which files had been accessed, so notifications have been sent to all individuals whose information was potentially compromised. The review of the files was completed on June 29, 2021. The files contained the names of certain current and former employees and their dependents, along with Social Security numbers and driver’s license numbers. Notification letters were sent on July 29, 2021 and affected individuals have been offered complimentary credit monitoring and identity theft protection...

Read More
Gastroenterology Consultants Notifies Patients About January 2021 Ransomware Attack
Aug06

Gastroenterology Consultants Notifies Patients About January 2021 Ransomware Attack

On January 10, 2021, Gastroenterology Consultants, PA suffered a ransomware attack that resulted in the encryption of sensitive data.  Yesterday, notifications were sent to patients potentially affected by the attack to inform them that their protected health information may have been accessed or compromised in the attack. Gastroenterology Consultants, the largest partnership GI practice in Houston, TX, launched an investigation into the attack and took steps to remove the attackers from its network and restore affected data. A substitute breach notice was uploaded to the company website on March 19, 2021 advising patients about the attack. No evidence was found to indicate any patient data were accessed by the attacker or exfiltrated in the attack. Attacks such as this typically warrant breach notification letters, as while evidence of data theft may not be found, it is usually not possible to rule out unauthorized access to PHI with a high degree of certainty. In this case, Rather than identify the individual patients affected by the attack, the decision was taken to notify all...

Read More
UF Health Says PHI Potentially Compromised in May 2021 Cyberattack
Aug05

UF Health Says PHI Potentially Compromised in May 2021 Cyberattack

On May 31, 2021, UF Health Central Florida experienced a cyberattack that affected Leesburg Hospital and The Villages Hospital. The security breach was announced by UF Health within a few hours of the attack being detected, although at the time it was unclear whether any patient data had been compromised in the incident. An investigation into the breach was conducted which determined the attackers had access to its computer network between May 29 and May 31, 2021, and while unauthorized access to patient data was not confirmed, UF Health has now reported that some patient data may have been accessible. The exposed data included names, addresses, dates of birth, Social Security numbers, health insurance information, medical record numbers and patient account numbers, and limited treatment information. UF Health said its electronic medical records were not involved or accessed, and the breach did not affect its Gainesville or Jacksonville campuses. UF Health said it has no reason to believe any exposed data has been misused or disclosed; however, as a precaution against identity...

Read More
73% of Businesses Suffered a Data Breach Linked to a Phishing Attack in the Past 12 Months
Aug05

73% of Businesses Suffered a Data Breach Linked to a Phishing Attack in the Past 12 Months

Ransomware attacks have increased significantly during the past year, but phishing attacks continue to cause problems for businesses, according to a recent survey conducted by Arlington Research on behalf of security firm Egress. Almost three quarters (73%) of surveyed businesses said they had experienced a phishing related data breach in the past 12 months. The survey for the 2021 Insider Data Breach Report was conducted on 500 IT leaders and 3,000 employees in the United States and United Kingdom. The survey revealed 74% of organizations had experienced a data breach as a result of employees breaking the rules, something that has not been helped by the pandemic when many employees have been working remotely. More than half (53%) of IT leaders said remote work had increased risk, with 53% reporting an increase in phishing incidents in the past year. The increased risk from remote working is of concern, especially as many organizations plan to continue to support remote working or adopt a hybrid working model in the future. 50% of IT leaders believe remote/hybrid working will make...

Read More
Healthcare Industry has Highest Number of Reported Data Breaches in 2021
Aug05

Healthcare Industry has Highest Number of Reported Data Breaches in 2021

Data breaches declined by 24% globally in the first 6 months of 2021, although breaches in the United States increased by 1.5% in that period according to the 2021 Mid-Year Data Breach QuickView Report from Risk-Based Security. Risk Based Security identified 1,767 publicly reported breaches between January 1, 2021 and June 30, 2021. Across those breaches, 18.8 billion records were exposed, which represents a 32% decline from the first 6 months of 2020 when 27.8 billion records were exposed. 85% of the exposed records in the first half of 2021 occurred in just one breach at the Forex trading service FBS Markets. The report confirms the healthcare industry continues to be targeted by cyber threat actors, with the industry having reported more data breaches than any other industry sector this year. Healthcare has been the most targeted industry or has been close to the top since at least 2017 and it does not appear that trend will be reversed any time soon. 238 healthcare data breaches were reported in the first 6 months of 2021, with finance & insurance the next most attacked...

Read More
Phishing Attacks Reported by Academic HealthPlans and Wayne County Hospital
Aug04

Phishing Attacks Reported by Academic HealthPlans and Wayne County Hospital

Academic HealthPlans, Inc. (AHP) has discovered an unauthorized individual has gained access to the email accounts of two employees following responses to phishing emails. AHP was alerted to a potential breach when suspicious activity was detected in its Microsoft Office 365 email environment. The affected accounts were secured, and an investigation was launched to determine the extent of the breach. On June 4, 2021, AHP determined that the email accounts were compromised as a result of phishing attacks between August 6, 2020 and August 24, 2020, and on October 2, 2020. The breach was limited to those two accounts and did not involve any other systems. A comprehensive and time-consuming programmatic and manual review was conducted to identify the individuals and information affected. That review confirmed that the email accounts contained information related to the student health plans AHP administers. The exposed data include student names, dates of birth, Social Security numbers, health insurance member numbers, claims information, and diagnoses and treatment information. No...

Read More
Guidehouse Reports Breach Affecting Multiple Healthcare Provider Clients
Aug04

Guidehouse Reports Breach Affecting Multiple Healthcare Provider Clients

Ventura, CA-based Community Memorial Health System, Ithaca, NY-based Cayuga Medical Center, and Allentown, PA-based Lehigh Valley Health Network have been affected by a cyberattack at a vendor used by one a business associate. The three healthcare providers used Guidehouse for medical billing and collection services. On January 20, 2021, hackers gained access to the Accellion File Transfer Appliance (FTA) used by Guidehouse for transferring files to clients. For patients of Community Memorial Health System the files included sensitive patient information such as names, dates of birth, member ID addresses, and certain medical information. For Cayuga Medical Center patients, names, dates of birth, insurance account numbers, and certain medical information were potentially compromised. For Lehigh Valley Health Network, the potentially compromised data include names, medical record numbers, account numbers, dates of service, diagnosis and procedure names, billing or payer information and provider names. Guidehouse was notified about the cyberattack by Accellion in March 2021 and...

Read More
Email Account Breaches Reported by Prestera Center and Wisconsin Institute of Urology
Aug03

Email Account Breaches Reported by Prestera Center and Wisconsin Institute of Urology

Prestera Mental Health Center in West Virginia has started notifying 2,152 individuals about a security breach involving employee email accounts. On or around April 1, 2021, Prestera Center learned that certain employee email accounts had been subjected to unauthorized access between August 2020 and September 2020. While it was possible to confirm that there had been unauthorized access, it was not possible to tell whether any patient data had been viewed or acquired. A review was conducted to determine the types of information that were present in the email accounts and which individuals had been affected. The types of data in the account varied from individual to individual and may have included names, addresses, dates of birth, state identification card numbers, Social Security numbers, financial account information, medical information, and health insurance information. Upon discovery of the breach, prompt action was taken to secure the accounts to prevent any further unauthorized access. Policies and procedures have since been reviewed and updated, and additional safeguards...

Read More
Star Refining & Express MRI Report Phishing Attacks
Aug02

Star Refining & Express MRI Report Phishing Attacks

The Peachtree Corners, GA-based medical imaging center, Express MRI, has started notifying patients that some of their protected health information has been exposed in a historic data breach. Express MRI discovered on July 10, 2020 that an unauthorized individual had gained access to one of its email accounts and used that account to send unauthorized emails. The incident was investigated at the time, but it was determined that no patient information had been accessed. A secondary review of the security breach was conducted on June 10, 2021, and while no specific evidence was uncovered that indicated there had been unauthorized data access or data theft, Express MRI concluded that it was not actually possible to totally rule out unauthorized data access or exfiltration, therefore breach notification letters were warranted. A review of the compromised account confirmed the following information may have been accessed or acquired: Names, addresses, email addresses, dates of birth, patient ages, referring physician names, body part scanned, and whether the scan was related to a...

Read More
Harris County, TX: PHI of 26,000 Individuals Exposed Online
Aug02

Harris County, TX: PHI of 26,000 Individuals Exposed Online

Harris County in Texas has discovered the personal and health information of thousands of individuals has been exposed online and was potentially accessed by unauthorized individuals. Under Harris County’s legally required reporting obligations, information is provided to the Harris County Justice Administration Department which includes System Person Numbers, which are unique identifiers that are assigned to individuals by the Harris County jail system. In addition to those numbers, some limited health information is provided related to the medical care individuals received at the County’s Jail Clinic, which includes health histories, diagnoses, and/or prescription information. The inadvertent disclosure of sensitive information was discovered by Harris County officials on July 9, 2021. Harris County determined that between March 15, 2021 and May 22, 2021, the above types of information were inadvertently made available on the Justice Administration Department’s website. No names were included, nor any Social Security numbers or financial account information, but since unique...

Read More
More Than 447K Patients Affected by Phishing Attack on Orlando Family Physicians
Jul30

More Than 447K Patients Affected by Phishing Attack on Orlando Family Physicians

Email accounts containing the protected health information of 447,426 patients of Orlando Family Physicians in Florida have been accessed by an unauthorized individual. Orlando Family Physicians said the first email account was compromised on April 15, 2021 as a result of an employee responding to a phishing email and disclosing their account credentials. Action was promptly taken to block unauthorized access, and an investigation was launched to determine the nature and extent of the breach. Assisted by a leading cybersecurity forensics firm, Orlando Family Physicians determined that an additional three employee email accounts had also been subjected to unauthorized access. All four of the compromised email accounts had external access blocked within 24 hours of the initial unauthored account access. Orlando Family Physicians determined on May 21, 2021, that the unauthorized individual potentially accessed emails in the account that contained patients’ protected health information. A review of the emails and attachments was conducted, and on July 9, 2021, Orlando Family Physicians...

Read More
PHI Potentially Compromised in Ransomware Attacks on Eye Center and Law Firm
Jul30

PHI Potentially Compromised in Ransomware Attacks on Eye Center and Law Firm

Francisco J. Pabalan MD has reported a ransomware attack that has affected up to 50,000 patients of the Pabalan Eye Center in Riverside, CA. The ransomware attack was discovered on March 3, 2021, with the investigation confirming the attack commenced on March 1. The attackers encrypted files on computers and servers that prevented access and patient data was ransomed. All affected computers and servers had been backed up prior to the attack, so it was possible to recover the encrypted data without having to pay the ransom. The investigation found no evidence of data theft, with the attack appearing to only have been conducted to cause disruption to services in order to extort money from the practice. Following the attack, all computers and servers were formatted prior to operating systems and software being reinstalled, and patient data were then restored from backups. Additional security measures have been implemented, including new anti-virus and anti-ransomware software, new data encryption technology, and a new Security Rule Risk Management Plan has been developed and put in...

Read More
Accidental Disclosures of PHI at LA Fire Department and Standard Modern Company
Jul30

Accidental Disclosures of PHI at LA Fire Department and Standard Modern Company

The Los Angeles Fire Department has discovered the COVID-19 vaccination statuses of 4,900 employees has been accidentally exposed online. A list that included the full names of employees, dates of birth, employee numbers, and COVID-19 vaccination information (vaccination dates, doses, or declined vaccine) had been published on a website accessible to the public. During the time that the website was active, it was possible to visit the site and conduct searches of the database for names and employee numbers. The database was not password protected and no information had to be entered to authenticate users. If a wildcard search was conducted, a table was generated that listed the data of all 4,900 employees. The website – covid.lacofdems.com – had been privately registered and was linked to the Fire Department’s Emergency Medical Service’s bureau. The website, which had not been authorized, was created on April 29, 2021 and was deactivated on July 15, 2021. The website had reportedly been created to allow Department employees to retrieve lost vaccination information. Prior to...

Read More
The Average Cost of a Healthcare Data Breach is Now $9.42 Million
Jul29

The Average Cost of a Healthcare Data Breach is Now $9.42 Million

IBM Security has published its 2021 Cost of a Data Breach Report, which shows data breach costs have risen once again and are now at the highest level since IBM started publishing the reports 17 years ago. There was a 10% year-over-year increase in data breach costs, with the average cost rising to $4.24 million per incident. Healthcare data breaches are the costliest, with the average cost increasing by $2 million to $9.42 million per incident. Ransomware attacks cost an average of $4.62 million per incident. The large year-over-year increase in data breach costs has been attributed to the drastic operational shifts due to the pandemic. With employees forced to work remotely during the pandemic, organizations had to rapidly adapt their technology. The pandemic forced 60% of organizations to move further into the cloud. Such a rapid change resulted in vulnerabilities being introduced and security often lagged behind the rapid IT changes. Remote working also hindered organizations’ ability to quickly respond to security incidents and data breaches. According to IBM, data breaches...

Read More
McLaren Health Care and Greenwood Leflore Hospital Impacted by Elekta Ransomware Attack
Jul28

McLaren Health Care and Greenwood Leflore Hospital Impacted by Elekta Ransomware Attack

McLaren Health Care Corporation (MHCC), the operator of 15 hospitals and over 100 primary care locations in Michigan and Ohio, has announced the protected health information of 64,600 of its cancer patients may have been compromised in a ransomware attack on vendor Elekta Inc. Elekta provides software and technology services to MHCC facilities in Macomb, Northern Michigan, Gaylord, Cheboygan, West Branch, Lapeer, Central and Bay City, which includes data storage. Between April 2 and April 20, 2021, Hackers had access to Elekta’s systems, exfiltrated data, then deployed ransomware to encrypt files. A ransom demand was issued, payment of which was required to decrypt data and prevent the exposure of data stolen in the attack. Elekta notified MHCC about the breach on May 17, 2021. While patient data was affected, Elekta said it has no reason to believe that any of the stolen information will be further disclosed or published online. However, as a precaution against identity theft and fraud, complimentary identity theft protection and credit monitoring services are being offered to...

Read More
Phishing Attacks Reported by UC San Diego Health and UnitedHealthcare
Jul28

Phishing Attacks Reported by UC San Diego Health and UnitedHealthcare

UC San Diego Health has discovered unauthorized individuals gained access to the email accounts of some of its employees and may have accessed or exfiltrated emails containing patient data. The email accounts were compromised as a result of employees responding to phishing emails and disclosing their email credentials. The email environment has now been secured and additional measures have been implemented to improve security. The investigation into the breach revealed the first email account was compromised on December 2, 2020, and others were compromised up until April 8, 2020. At this stage, no evidence has been found to indicate any emails or email attachments were subjected to unauthorized access between December 2020 and April 2021, and no reports have been received that suggest the protected health information (PHI) of patients has been misused; however, it was not possible to rule out unauthorized PHI access and data exfiltration. The investigation into the breach is ongoing to identify exactly what happened and the information that has been affected. Notification letters...

Read More
Florida Heart Associates Operating at 50% Capacity 2 Months After Ransomware Attack
Jul27

Florida Heart Associates Operating at 50% Capacity 2 Months After Ransomware Attack

A ransomware attack on Fort Myers, FL-based Florida Heart Associates that started around May 19, 2021 has caused serious and ongoing disruption to its services, with the medical practice only operating at around 50% capacity two months after the attack. Disruption is expected to continue for several more weeks, with the practice not expecting to fully recover until the end of next month or even early September. Prior to the use of ransomware, the attackers exfiltrated files containing the protected health information of 45,148 patients, including Social Security numbers, member identification numbers, birth dates, and health insurance information. A ransom demand was issued to ensure the deletion of stolen data and to provide the keys to decrypt data, but the decision was taken by the practice not to pay the attackers. The ransomware gang was ejected from the network, but not before much of its IT infrastructure was rendered inoperable. The investigation revealed its systems were first breached on May 9, 2021, with the hackers deploying ransomware on May 19, when staff were...

Read More
Overlake Hospital Medical Center Proposes Settlement to Resolve Data Breach Case
Jul27

Overlake Hospital Medical Center Proposes Settlement to Resolve Data Breach Case

Overlake Hospital Medical Center in Bellevue, WA has proposed a settlement to resolve a class action lawsuit filed by victims of a December 2019 data breach that exposed patients’ demographic information, health insurance information, and health data. The breach in question was a phishing attack that was discovered on December 9, 2019. The investigation revealed unauthorized individuals gained access to the email accounts of several employees, with one of the email accounts compromised between December 6, 2019 and December 9, 2019, and the others compromised for several hours on December 9. The investigation did not uncover evidence of data theft or misuse of patient data, but it was not possible to rule unauthorized access to protected health information (PHI) and the exfiltration of data. The PHI of up to 109,000 patients was contained in the compromised email accounts. Affected individuals were notified starting on February 4, 2020 and Overlake Hospital Medical Center took several steps to improve security, including implementing multi-factor authentication, changing email...

Read More
Paperwork Containing PHI of Oklahoma Heart Hospital Patients Accidentally Donated to Charity
Jul26

Paperwork Containing PHI of Oklahoma Heart Hospital Patients Accidentally Donated to Charity

Oklahoma Heart Hospital has started notifying certain patients about a privacy incident in which paperwork containing limited patient information was accidentally donated to charity. A former employee had made handwritten notes which contained the protected health information of a limited number of patients during the course of that individual’s employment at Oklahoma Heart Hospital between 2011 and 2014. Some of the former employee’s personal possessions were donated to charity in May 2021, with the handwritten notes accidentally included in the donated items. Oklahoma Heart Hospital was contacted by the individual who found the notes and arrangements were immediately made to collect the paperwork. The documents were then cataloged to identify the patients involved and the types of information that had been exposed. The notes included information such as patients’ names, medical record numbers, OHH visit numbers, dates of birth, ages, admit dates, genders, and clinical information consisting of diagnosis, lab results, medications and/or treatment information. No information was...

Read More
UNC Health and Nebraska DHHS Report Phishing Attacks
Jul26

UNC Health and Nebraska DHHS Report Phishing Attacks

The Nebraska Department of Health and Human Services has announced a security incident involving the protected health information of clients of Aging Partners, a department of the City of Lincoln. The breach was discovered by the Lincoln Information Services Department on May 25, 2021. Employees had responded to phishing emails and disclosed credentials to their email accounts, which contained more than 46,000 emails. Assisted by a computer forensics company, it was determined that the email account was accessed by an unauthorized individual between May 18 and May 21. A review of the emails in the account confirmed some contained patient information such as names, addresses, dates of birth, phone numbers, Social Security numbers, dates of service, type/amount of service, and some health information such as diagnoses, care assessments, and medication lists. Emails also contained bank account numbers or other financial information of a limited number of individuals. 6,600 of the emails included the PHI of Aging Partners’ clients, although only 1,513 individuals have been affected....

Read More
Former Scripps Health Worker Charged Over HIPAA Violation in COVID-19 Unemployment Benefit Fraud Case
Jul23

Former Scripps Health Worker Charged Over HIPAA Violation in COVID-19 Unemployment Benefit Fraud Case

The Department of Justice has announced nine San Diego residents have been charged in two separate indictments in connection with the theft of patients’ protected information and the submission of fraudulent pandemic unemployment insurance claims. Under the Coronavirus Aid, Relief, and Economic Security (CARES) Act of 2020, new unemployment benefits were offered to individuals affected by the COVID-19 pandemic, who would not, under normal circumstances, qualify for payments. In one of the cases, Matthew Lombardo, a former Scripps Health employee, was charged with felony HIPAA violations for obtaining and disclosing the protected health information of patients to his alleged co-conspirators. Lombardo was also charged with conspiracy to commit wire fraud, along with three alleged co-conspirators – Konrad Piekos, Ryan Genetti, and Dobrila Milosavljevic. Piekos, Genetti, and Milosavljevic were also charged with aggravated identity theft and are alleged to have used the stolen information to submit fraudulent pandemic unemployment insurance claims. The San Diego Sheriff’s’...

Read More
June 2021 Healthcare Data Breach Report
Jul21

June 2021 Healthcare Data Breach Report

For the third consecutive month, the number of reported healthcare data breaches of 500 or more records increased. June saw an 11% increase in reported breaches from the previous month with 70 data breaches of 500 or more records reported to the HHS’ Office for Civil Rights – the highest monthly total since September 2020 and well above the average of 56 breaches per month over the past year. While the number of reported breaches increased, there was a substantial fall in the number of breached healthcare records, which decreased 80.24% from the previous month to 1,290,991 breached records. That equates to more than 43,000 breached records a day in June. More than 40 million healthcare records have been exposed or impermissibly disclosed over the past 12 months across 674 reported breaches. On average, between July 2020 and June 2021, an average of 3,343,448 healthcare records were breached each month. Largest Healthcare Data Breaches in June 2021 There were 19 healthcare data breaches of 10,000 or more records reported in June. Ransomware continues to pose problems for healthcare...

Read More
Email Account Breaches Reported by MultiPlan and Hawaii Independent Physicians Association
Jul20

Email Account Breaches Reported by MultiPlan and Hawaii Independent Physicians Association

The medical payment billing service provider MultiPlan has announced a breach of its email environment. On January 27, 2021, suspicious activity was identified in the email account of one of its employees. Action was immediately taken to terminate unauthorized access and the employee’s email credentials were changed. MultiPlan immediately launched an investigation to determine the nature and scope of the breach, with assistance provided by forensics experts. The investigation confirmed that the main purpose of the attack was to divert wire transfers from MultiPlan customers looking to pay invoices. The email account was compromised and used by the attacker to communicate with those customers regarding billing, and to attempt to divert payments to an account under their control. While protected health information does not appear to have been targeted in the attack, the compromised email account was found to contain the protected health information of 214,956 individuals. That information could have been viewed or obtained by the attacker between December 23, 2020 and January 27,...

Read More