Our HIPAA breach news section covers HIPAA breaches such as unauthorized disclosures of protected health information (PHI), improper disposal of PHI, unauthorized PHI access by cybercriminals and rogue healthcare employees, and other security and privacy breaches.

When known, we explain how the breach occurred, the consequences to patients that may have had their PHI compromised, and the actions being taken by the affected healthcare organization to improve safeguards to prevent further HIPAA breaches.

We also explain any actions being taken by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general in relation to those breaches.

OCR investigates all data breaches that impact more than 500 individuals to determine whether any HIPAA violations have occurred. When HIPAA Rules are discovered to have been violated, financial penalties may be deemed appropriate. It can take many months or years before any financial penalties for HIPAA breaches are decided. Financial penalties for HIPAA violations tend to be reserved for the most serious breaches of HIPAA Rules. OCR prefers to resolve cases with voluntary compliance and by issuing recommendations to bring policies in line with HIPAA Rules.

The HIPAA breach news section is particularly relevant to healthcare information security professionals, privacy officers, and other individuals who have some responsibility for HIPAA compliance.

The HIPAA breach news reports highlight common areas of non-compliance and new attack vectors used by cybercriminals to gain access to healthcare networks and PHI, the security failings that allowed them to happen, and the measures that have been implemented to prevent them from happening again.

No healthcare organization wants to experience a data breach, but when a breach does occur, lessons can be learned. HIPAA-covered entities can use these breach examples to help train their staff as well as to discover some of the methods other covered entities have adopted to improve data security.

As you will be able to see from the volume of posts in the HIPAA breach news category, healthcare data breaches occur frequently. In 2016 and 2017, healthcare data breaches have been reported on an almost daily basis.

Our HIPAA breach news section is an important source of information about potential security issues that covered entities should be identifying when conducting their own risk assessments. Many of the situations in our HIPAA breach news posts could have been avoided if a risk assessment had identified a vulnerability that was later exploited to gain access to PHI.

The main purpose for adding HIPAA breach news to this website is to highlight specific aspects of HIPAA compliance that are commonly overlooked, often with serious consequences for the covered entity and patients/health plan members.

By raising awareness of the volume of healthcare data breaches, the implications of those breaches, and the penalties that can result, it is hoped that healthcare providers will take decisive action to prevent their patients’ and members’ data from being exposed.

The most recent healthcare data breach reports are listed below. If you want to find out if a specific covered entity has experienced a data breach, please use the search function in the top right hand corner of this webpage.

Hospice CEO Pleads Guilty to Falsifying Healthcare Claims and Inappropriate Medical Record Access
Mar24

Hospice CEO Pleads Guilty to Falsifying Healthcare Claims and Inappropriate Medical Record Access

The former CEO of Novus and Optimum Health Services, which operates two hospices in Texas, has pleaded guilty in a fraud case that saw Medicare and Medicaid defrauded out of tens of millions of dollars through the submission of falsified health care claims. Prerak Shah, Acting U.S. Attorney for the Northern District of Texas, recently announced that Bradley Harris, 39, pleaded guilty to conspiracy to commit healthcare fraud and healthcare fraud and is now awaiting sentencing. In addition to defrauding federal healthcare programs out of tens of millions of dollars, the actions of Harris resulted in vulnerable patients being denied the medical oversight they deserved, saw prescriptions for pain medication written without physician input for his financial benefit, and allowed terminally ill patients to go unexamined. Harris admitted billing Medicare and Medicaid for hospice services between 2012 and 2016 that were not provided, not directed by medical professional, or were provided to individuals who were not eligible for hospice services. Harris also admitted to using blank,...

Read More
California Department of State Hospitals Discovers Unauthorized Data Copying by IT Employee
Mar22

California Department of State Hospitals Discovers Unauthorized Data Copying by IT Employee

The Department of State Hospitals (DSH) in California has discovered an employee accessed the protected health information (PHI) of 1,415 current/former patients and 617 employees without authorization. The individual had an Information Technology role and had access to data servers containing sensitive patient and employee information in order to complete work duties. The improper access was discovered by DSH on February 25, 2021 during a routine annual review of access to data folders. An investigation was immediately launched which revealed the employee had been accessing data without authorization for around 10 months. Files containing names, COVID-19 test results, and other health information necessary for tracking COVID-19 were copied directly from the server. The investigation into the privacy breach is ongoing and the employee has been placed on administrative leave pending completion of the investigation. So far, the investigation has not uncovered any evidence to suggest the copied data has been misused or disclosed to any other individual. DSH explained that safeguards...

Read More
February 2021 Healthcare Data Breach Report
Mar19

February 2021 Healthcare Data Breach Report

There was a 40.63% increase in reported data breaches of 500 or more healthcare records in February 2021. 45 data breaches were reported to the Department of Health and Human Services’ Office for Civil Rights by healthcare providers, health plans and their business associates in February, the majority of which were hacking incidents. After two consecutive months where more than 4 million records were breached each month there was a 72.35% fall in the number of breached records. 1,234,943 records were exposed, impermissibly disclosed, or stolen across the 45 breaches. Largest Healthcare Data Breaches Reported in February 2021 Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach Cause of Breach The Kroger Co. OH Healthcare Provider 368,100 Hacking/IT Incident Ransomware BW Homecare Holdings, LLC (Elara Caring single affiliated covered entity) TX Healthcare Provider 100,487 Hacking/IT Incident Phishing RF EYE PC dba Cochise Eye and Laser AZ Healthcare Provider 100,000 Hacking/IT Incident Ransomware Gore Medical Management, LLC GA Healthcare Provider...

Read More
More Health Insurers Confirmed as Victims of Accellion Ransomware Attack and Multiple Lawsuits Filed
Mar19

More Health Insurers Confirmed as Victims of Accellion Ransomware Attack and Multiple Lawsuits Filed

The number of healthcare organizations to announced they have been affected by the ransomware attack on Accellion has been increasing, with two of the latest victims including Trillium Community Health Plan and Arizona Complete Health. In late December, unauthorized individuals exploited zero-day vulnerabilities in Accellion’s legacy File Transfer Appliance platform and stole data of its customers before deploying CLOP ransomware. Trillium Community Health Plan recently notified 50,000 of its members that protected health information such as names, addresses, dates of birth, health insurance ID numbers, and diagnosis and treatment was obtained by the individuals behind the attack and the data was posted online between January 7 and January 25, 2021. Trillium said it has now stopped using Accellion, has removed all data files from its systems, and has taken steps to reduce the risk of future attacks, including reviewing its data sharing processes. Trillium is offering affected members complimentary credit monitoring and identity theft protection services for 12 months. Arizona...

Read More
PHI of 26,600 Individuals Potentially Copied in Colorado Retina Associates Phishing Attack
Mar17

PHI of 26,600 Individuals Potentially Copied in Colorado Retina Associates Phishing Attack

On January 12, 2021, Denver-based Colorado Retina Associates discovered the email account of one of its employees had been accessed by an unauthorized individual who used it to send phishing emails to individuals in the employee’s contact list. The email account was immediately secured and a cybersecurity firm was engaged to investigate the incident to determine the extent of the breach. That investigation concluded on February 24, 2021 and revealed other email accounts had also been compromised, two of which contained patients’ protected health information. The nature of the attack meant that between January 6, 2021 and January 17, 2021, synching may have occurred. That means the contents of the email accounts may have been copied to the attacker’s device. A comprehensive review of the email accounts was performed which revealed the protected health information of 26,609 individuals was stored in the accounts. The types of PHI varied from individual to individual may have included full names, date of birth, home addresses, phone numbers, email addresses, dates of service,...

Read More
2020 Saw Major Increase in Healthcare Hacking Incidents and Insider Breaches
Mar16

2020 Saw Major Increase in Healthcare Hacking Incidents and Insider Breaches

2021 was a challenging year for healthcare organizations. Not only was the industry on the frontline in the fight against COVID-19, hackers who took advantage of overrun hospitals to steal data and conduct ransomware attacks. The 2021 Breach Barometer Report from Protenus shows the extent to which the healthcare industry suffered from cyberattacks and other breaches in 2020. The report is based on 758 healthcare data breaches that were reported to the HHS’ Office for Civil Rights or announced via the media and other sources in 2020, with the data for the report provided by databreaches.net. The number of data breaches has continued to rise every year since 2016 when Protenus started publishing its annual healthcare breach report. 2020 saw the largest annual increase in breaches with 30% more breaches occurring than 2019. Data was obtained on 609 of those incidents, across which 40,735,428 patient and health plan members were affected. 2020 was the second consecutive year that saw more than 40 million healthcare records exposed or compromised. Healthcare Hacking Incidents Increased...

Read More
Reinvestigation of 2019 Metro Presort Ransomware Attack Reveals PHI May Have Been Compromised
Mar16

Reinvestigation of 2019 Metro Presort Ransomware Attack Reveals PHI May Have Been Compromised

The Portland, OR-based technology and communication solution provider Metro Presort suffered a ransomware attack on May 6, 2019 which resulted in the encryption of files and locked staff out of its systems. The ransomware attack was promptly identified and was contained by May 15, 2019 and the company was able to recover from the attack relatively quickly. An investigation into the attack found no evidence to suggest files were removed from its system, and since the company already encrypted customer data, the attackers would not have been able to access any sensitive information. In October 2020, Metro Presort reinvestigated the attack and the secondary investigation was unable to confirm that files containing customer data were definitely encrypted before the attack. The invoices, statements, and spreadsheets that Metro presort processed for clients, including healthcare organizations, could potentially have been accessed. An analysis of those files confirmed they contained patient names, addresses, dates of birth, patient and health plan IDs or account numbers, appointment...

Read More
Ransomware Gangs Claim Three More Healthcare Victims
Mar15

Ransomware Gangs Claim Three More Healthcare Victims

PeakTPA, a St. Louis, MO-based provider of health plan management and back-office services, has announced it suffered a cyberattack on or around December 28, 2020 in which protected health information was stolen. The security incident was detected on December 31 and involved two cloud servers used by the company to manage program of all-inclusive care for the Elderly (PACE) claims.  According to the breach report submitted to the HHS’ Office for Civil Rights, the PHI of up to 50,000 individuals was stolen or exposed. An investigation into the attack confirmed the attackers obtained full names, home addresses, dates of birth, Social Security numbers, PACE program IDs, and diagnosis and treatment information. Affected individuals have been notified and offered complimentary membership to credit monitoring, fraud consultation, and identity theft restoration services via Kroll. St. Bernard’s Total Life Healthcare, Inc., which provides PACE in Northeast Arkansas, and Rocky Mountain Health Care Services in Colorado Springs have confirmed that 528 of their patients have been impacted by...

Read More
Multistate Settlement Resolves 2019 American Medical Collection Agency Data Breach Investigation
Mar12

Multistate Settlement Resolves 2019 American Medical Collection Agency Data Breach Investigation

A coalition of 41 state Attorneys General has agreed to settle an investigation into Retrieval-Masters Creditors Bureau dba American Medical Collection Agency (AMCA) over a 2019 data breach that resulted in the exposure/theft of the protected health information of at least 21 million Americans. Retrieval-Masters Creditors Bureau is a debt collection agency, with its AMCA arm providing small debt collection services to healthcare clients such as laboratories and medical testing facilities. From August 1, 2018 until March 30, 2019, an unauthorized individual had access to AMCA’s systems and exfiltrated sensitive data such as names, personal information, Social Security numbers, payment card information and, for some individuals, medical test information and diagnostic codes. The AMCA data breach was the largest healthcare data breach reported in 2019. AMCA notified states about the breach starting June 3, 2019, and individuals affected by the breach were offered two years of complimentary credit monitoring services. The high cost of remediation of the breach saw AMCA file for...

Read More
Unsecured Amazon S3 Buckets Contained ID Card Scans of 52,000 Individuals
Mar12

Unsecured Amazon S3 Buckets Contained ID Card Scans of 52,000 Individuals

Premier Diagnostics, a Utah-based COVID-19 testing service, has inadvertently exposed the protected health information of tens of thousands of individuals. Two Exposed Amazon S3 buckets were discovered by Bob Diachenko of Comparitech on February 22, 2021. It was not initially clear who owned the data, which related to patients from Utah, Nevada, and Colorado. The S3 buckets were eventually traced to Premier Diagnostics. The S3 buckets contained two databases, one of which included around 200,000 images of scans of ID cards such as driver’s licenses, passports, state ID cards, medical insurance cards, and other IDs documents. The databases had been indexed by search engines and could be accessed over the Internet without a password. Premier Diagnostics was determined to be the probable owner of the data on February 25, 2020 and attempts were made to contact the company. Contact was finally made on March 1, 2021 and the databases were secured the same day. It is unclear whether the databases were found and downloaded by any individuals other then Diachenko in the week or more that...

Read More
New London Hospital Data Breach Affects Almost 35,000 Patients
Mar12

New London Hospital Data Breach Affects Almost 35,000 Patients

New London Hospital in central New Hampshire has discovered an unauthorized individual gained access to a file on its network in July 2020 and may have obtained the protected health information of 34,878 patients. A third-party cybersecurity firm was engaged to assist with the investigation and determined on February 16, 2021 that the file was accessed for a short period and may have been copied. The file contained patient names, limited demographic information, and Social Security numbers; however, no diagnosis, treatment, or hospitalization information was compromised. New London Hospital is unaware of any misuse of information contained in the file. The network system on which the file was stored is no longer used by the hospital. Additional safeguards have now been implemented to prevent similar breaches in the future. All patients have been notified and offered complimentary credit monitoring and identity theft protection services. Child Focus Reports Malware Infection and 2,700-Record Data Breach Child Focus, a Cincinnati, OH-based nonprofit that provides support to children...

Read More
Cost of 2020 US Healthcare Ransomware Attacks Estimated at $21 Billion
Mar11

Cost of 2020 US Healthcare Ransomware Attacks Estimated at $21 Billion

Ransomware attacks on the healthcare industry skyrocketed in 2020. In 2020, at least 91 US healthcare organizations suffered ransomware attacks, up from 50 the previous year. 2020 also saw a major ransomware attack on the cloud software provider Blackbaud, with that attack known to have affected at least 100 US healthcare organizations. The first known ransomware attack occurred in 1989 but early forms of ransomware were not particularly sophisticated and attacks were easy to mitigate. The landscape changed in 2016 when a new breed of ransomware started to be used in attacks. These new ransomware variants use powerful encryption and delete or encrypt backup files to ensure data cannot be easily recovered without paying the ransom. Over the past 5 years ransomware has been a constant threat to the healthcare industry, with healthcare providers being increasingly targeted in recent years. Attacks now see sensitive data stolen prior to file encryption, so even if files can be recovered from backups, payment is still required to prevent the exposure or sale of stolen data. Healthcare...

Read More
207K MultiCare Health System and Woodcreek Healthcare Patients Affected by Ransomware Attack
Mar10

207K MultiCare Health System and Woodcreek Healthcare Patients Affected by Ransomware Attack

The number of individuals affected by a ransomware attack on St. Cloud-based Netgain Technology LLC has increased, with a further 207,000 individuals now confirmed as being affected and that figure certain to rise over the coming days. Netgain Technology provides IT and technology services to several entities in the healthcare industry, including the medical practice management company Woodcreek Provider Service in Washington. Ramsey County in Minnesota was previously confirmed to have been affected by the ransomware attack. Woodcreek Provider Service provides support to pediatric clinics and urgent care centers owned and operated by MultiCare Health System.  Woodcreek Provider Service was notified by Netgain about the December 3, 2020 attack and informed that the protected health information of patients and the personal information of employees and contractors were stored on servers affected by the ransomware attack, and may have been obtained by the attackers who first gained access to its systems on November 23, 2020. The Woodcreek Provider Service IT network and computer system...

Read More
Phishing Attack Impacts 135K Saint Alphonsus Health System and Saint Agnes Medical Center Patients
Mar10

Phishing Attack Impacts 135K Saint Alphonsus Health System and Saint Agnes Medical Center Patients

A phishing attack on Saint Alphonsus Health System in Boise, ID has resulted in the exposure of patient information and has also impacted patients of Saint Agnes Medical Center in Fresno, CA. Saint Alphonsus identified unusual activity in an employee’s email account on January 6, 2021. The account was immediately secured, and an investigation was conducted to determine the source and nature of the activity. Saint Alphonsus determined that the account had been accessed by an unauthorized individual on January 4, 2021, giving the individual access to the account and information contained therein for 2 days. The account was used to send phishing emails to other individuals in an attempt to obtain usernames and passwords. The employee whose credentials were compromised assisted with certain business functions that required access to protected health information, including performing billing functions for the West Region of Trinity Health, which includes Fresno. A review of all emails and attachments revealed the account contained the protected health information of certain patients....

Read More
PHI of More Than 100,000 Elara Caring Patients Potentially Compromised in Phishing Attack
Mar05

PHI of More Than 100,000 Elara Caring Patients Potentially Compromised in Phishing Attack

Elara Caring, one the largest providers of home-based healthcare services in the United States, has suffered a phishing attack that has impacted more than 100,000 patients. In mid-December, suspicious activity was identified in some employee email accounts. Prompt action was taken to secure the accounts to prevent further unauthorized access and a third-party security firm was engaged to investigate the breach. The investigation confirmed that multiple employee email accounts had been accessed by an unauthorized individual, although no evidence was found to suggest any patient information in those accounts was viewed or obtained by the attackers. It was, however, not possible to rule out data theft. A review of the compromised email accounts revealed they contained the PHI of 100,487 patients, including names, addresses, Social Security numbers, driver’s license numbers, Employer ID numbers, financial/bank account information, dates of birth, email addresses and passwords, insurance information and insurance account numbers, and passport numbers. Individuals affected by the breach...

Read More
Up to 100,000 Individuals Affected by Cochise Eye and Laser Ransomware Attack
Mar04

Up to 100,000 Individuals Affected by Cochise Eye and Laser Ransomware Attack

The Sierra Vista, AZ-based ophthalmology and optometry provider Cochise Eye and Laser experienced a ransomware attack on January 13, 2021 that resulted in the encryption of its patient scheduling and billing software. The attack prevented Cochise Eye and Laser from accessing any data in its scheduling system. Eye care services continued to be provided to patients, with the practice reverting to using paper charts. According to a February 17, 2021 breach notice on its website, paper charts were still in use as the scheduling system remained out of action. The investigation into the ransomware attack found no evidence to indicate any patient data were exfiltrated prior to the encryption of files; however, data theft could not be ruled out. The types of information potentially accessed by the attackers included names, dates of birth, addresses, phone numbers and, for some individuals, Social Security numbers. Since the attack, Cochise Eye and Laser has been working on improving the security of its systems and is implementing a new offsite backup system. Efforts to recover the...

Read More
Tens of Thousands of Individuals Affected by AllyAlign Health Ransomware Attack
Mar04

Tens of Thousands of Individuals Affected by AllyAlign Health Ransomware Attack

AllyAlign Health, a Glen Allen, VA-based Medicare Advantage health plan administrator, has started notifying members and providers about an attempted ransomware attack that occurred on November 13, 2020. According to the breach notification letters sent to affected individuals, AllyAlign Health first became aware of the attack on November 14, 2020. An investigation of the incident found the systems accessed by the attackers contained members’ first and last names, addresses, dates of birth, Social Security numbers, Medicare health insurance claim numbers, Medicare beneficiary identifiers, medical claims histories, health insurance policy numbers, and other medical information. Providers affected by the breach have been notified that names, addresses, dates of birth, Social Security numbers, and Council for Affordable Quality Healthcare (CAQH) credentialing information may have been compromised. It is unclear exactly how many individuals have been affected by the incident. According to the breach notification sent to the Maine Attorney General, the protected health information of...

Read More
IBM X-Force: Healthcare Cyberattacks Doubled in 2020
Mar03

IBM X-Force: Healthcare Cyberattacks Doubled in 2020

A new report from IBM X-Force shows healthcare cyberattacks doubled in 2020 with 28% of attacks involving ransomware. The massive increase in healthcare industry cyberattacks saw the sector rise from last place to 7th, with the finance and insurance industry the most heavily targeted, followed by manufacturing, energy, retail, professional services, and government. Healthcare accounted for 6.6% of cyberattacks across all industry sectors in 2020. The 2021 X-Force Threat Intelligence Index report was compiled from monitoring data from over 130 countries and included data from more than 150 billion security events a day, with the data gathered from multiple sources including IBM Security X-Force Threat Intelligence and Incident Response, X-Force Red, IBM Managed Security Services, and external sources such as Intezer and Quad9. The most common way networks were breached was the exploitation of vulnerabilities in operating systems, software, and hardware, which accounted for 35% of all attacks up from 30% in 2019. This was closely followed by phishing attacks, which were the initial...

Read More
Roundup of Recent Healthcare Phishing and Malware Incidents
Mar02

Roundup of Recent Healthcare Phishing and Malware Incidents

A round up of recent healthcare privacy breaches that have been reported to the HHS’ Office for Civil Rights and state Attorneys General recently. Twelve Oaks Recovery Discovers Malware Infection and Data Theft Twelve Oaks Recovery, a Navarre, FL-based addiction and mental health treatment center, has discovered an unauthorized individual gained access to its network, installed malware, and stole documents from its systems. The attack was detected on December 13, 2020 when unusual network activity was detected. A forensic investigation confirmed malware had been deployed on December 13, and the following day data exfiltration was confirmed. A review of the documents obtained by the attacker revealed they contained the protected health information of 9,023 patients, and included names, addresses, dates of birth, medical record numbers, and Social Security numbers. Twelve Oaks Recovery has enhanced its network monitoring tools and taken steps to prevent similar breaches from occurring in the future. Rainbow Rehabilitation Centers Discovers Email Account Breach Rainbow Rehabilitation...

Read More
Universal Health Services Ransomware Attack Cost $67 Million in 2020
Mar01

Universal Health Services Ransomware Attack Cost $67 Million in 2020

2020 was a particularly bad year for healthcare industry ransomware attacks, with one of the worst suffered by the King of Prussia, PA-based Fortune 500 healthcare system, Universal Health Services (UHS). UHS, which operates 400 hospitals and behavioral health facilities in the United States and United Kingdom, suffered a cyberattack in September 2020 that wiped out all of its IT systems, affecting its hospitals and other healthcare facilities across the country. The phone system was taken out of action, and without access to computers and electronic health records, employees had to resort to pen and paper to record patient information. In the early hours after the attack occurred, the health system diverted ambulances to alternative facilities and some elective procedures were either postponed or diverted to competitors. Patients reported delays receiving test results while UHS recovered from the attack. UHS worked fast to restore its information technology infrastructure following the attack and worked around the clock to return to normal business operations; however, the...

Read More
Gore Medical Management Alerted to 2017 Breach of 79,100 Patients’ PHI
Feb26

Gore Medical Management Alerted to 2017 Breach of 79,100 Patients’ PHI

Gore Medical Management, a medical practice company based in Griffin, GA, has discovered a historic data breach involving the protected health information (PHI) of 79,100 individuals. The breach occurred in 2017 and affects patients of Family Medical Center in Thomaston, which is now part of Upson Regional Medical Center. In November 2020, Gore Medical Management was informed by the Federal Bureau of Investigation that a third-party computer had been recovered as part of an investigation which was found to contain the PHI of Family Medical Center patients. The breach investigation confirmed that the vulnerability exploited by the hacker to gain access to the Family Medical Center network had been identified and corrected a few months after the breach, although the breach itself was not detected at the time. The medical record system was not compromised, but files containing names, addresses, dates of birth, and Social Security numbers were exfiltrated. No financial information or healthcare records were involved. There does not appear to have been further access of its systems or...

Read More
Email Security Breach Impacts 47,000 Covenant Healthcare Patients
Feb26

Email Security Breach Impacts 47,000 Covenant Healthcare Patients

Covenant Healthcare in Saginaw, MI has discovered an unauthorized individual gained access to two employee email accounts that contained the protected health information of 47,178 patients. The security breach was identified on December 21, 2020, with the investigation revealing the first email account was compromised on May 4, 2020. A review of the compromised email accounts revealed they contained the following types of protected health information: Names, addresses, dates of birth, Social Security numbers, driver’s license numbers, medical diagnosis and clinical information, medical treatment information, prescription information, doctors’ names, medical record numbers, patient account numbers, and medical insurance information. Affected individuals have been advised to place a fraud alert on their accounts and to monitor their account statements for signs of unauthorized activity. Affected individuals do not appear to have been offered complimentary credit monitoring. “We are committed to keeping your personal information safe and pledge to continually evaluate and modify our...

Read More
Cyberattack Forces St. Margaret’s Health –Spring Valley to Shut Down Computer Systems
Feb25

Cyberattack Forces St. Margaret’s Health –Spring Valley to Shut Down Computer Systems

St. Margaret’s Health –Spring Valley in Illinois is investigating a cyberattack that occurred over the weekend of February 20/21, 2021. The security breach was detected by the hospital’s IT team on February 21, and the hospital’s computer network and all web-based applications including email and its patient portal were shut down. The hospital had security systems in place to protect against intrusions and data breaches. It is currently unclear how those systems were bypassed. Third-party cybersecurity experts have been engaged to assist with the investigation and remediation efforts. St. Margaret’s Health had developed and practiced computer downtime emergency operations, which have been implemented and the hospital has temporarily reverted to paper records for recoding patient information and the hospital is relying on telephone and fax for communication while the email system is out of action. It is currently unclear for how long the systems will remain offline. The cyberattack did not affected the computer systems of St. Margaret’s Peru, as those computer systems...

Read More
March 1, 2021: Deadline for Reporting 2020 Small Healthcare Data Breaches
Feb25

March 1, 2021: Deadline for Reporting 2020 Small Healthcare Data Breaches

The deadline for reporting healthcare data breaches of fewer than 500 records that were discovered in 2020 is fast approaching. HIPAA covered entities and business associates have until March 1, 2021 to submit breach reports to the Department of Health and Human Services’ Office for Civil Rights (OCR)that were discovered between January 1, 2020 and December 31, 2020. HIPAA defines a breach as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.  An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised.” A risk assessment should be conducted to determine the probability that PHI has been compromised, that must include the nature and extent of PHI involved, the probability of identification of individuals; the person who used/disclosed the PHI; whether PHI was viewed or acquired by an unauthorized...

Read More
Exploitation of Vulnerabilities in Accellion File Transfer Appliance Gave Hackers Access to Data of Kroger Customers
Feb24

Exploitation of Vulnerabilities in Accellion File Transfer Appliance Gave Hackers Access to Data of Kroger Customers

Kroger has announced it has suffered a data security incident involving the exploitation of SQL injection vulnerabilities in its Accellion File Transfer Appliance (FTA). The Accellion FTA is a legacy appliance that was released around 20 years ago as a secure file transfer solution for sharing files too large to send via email. A zero-day vulnerability in the product was first identified by Accellion in mid-December 2020, with a further three vulnerabilities subsequently identified. Some of those vulnerabilities were exploited by a threat actor to gain access to the vulnerable devices. The hacker then installed a web shell which was used to exfiltrate sensitive data. Accellion explained in a February 22, 2021 press release that Mandiant had investigated the security incident and attributed the attacks to a criminal hacker tracked as UNC2546. UNC2546 has been linked to the FIN11 hacking group and CL0P ransomware operation. In January, several Accellion FTA customers reported receiving ransom demands for the return of stolen data. Threats were made to publish stolen data on the CL0P...

Read More
Ransom Paid to Recover Healthcare Data Stolen in Cyberattack on Online Storage Vendor
Feb22

Ransom Paid to Recover Healthcare Data Stolen in Cyberattack on Online Storage Vendor

The protected health information of 29,982 patients of a Laguna Hills, CA-based provider of medical and surgical eye care services has potentially been stolen in a cyberattack on its online storage vendor. On January 15, 2021, Harvard Eye Associates was informed by its storage vendor that hackers had gained access to the vendor’s computer system and exfiltrated data. It is not clear whether files were encrypted to prevent access; however, a ransom demand was issued for the return of the stolen data. The storage vendor consulted with cybersecurity experts and the Federal Bureau of Investigation and took the decision to pay the ransom demand. The hackers returned the stolen data and provided assurances that no copies of the data had been made and there had been no further disclosures of the stolen information. The cybersecurity experts engaged by the security vendor have been monitoring the Internet and darknet and have not found any evidence to suggest the stolen data has been sold or leaked online. An investigation into the breach revealed the hackers first gained access to its...

Read More
January 2021 Healthcare Data Breach Report
Feb19

January 2021 Healthcare Data Breach Report

January saw a 48% month-over-month reduction in the number of healthcare data breaches of 500 or more records, falling from 62 incidents in December to just 32 in January. While this is well below the average number of data breaches reported each month over the past 12 months (38), it is still more than 1 data breach per day. There would have been a significant decline in the number of breached records were it not for a major data breach discovered by Florida Healthy Kids Corporation that affected 3.5 million individuals. With that breach included, 4,467,098 records were reported as breached in January, which exceeded December’s total by more than 225,000 records. Largest Healthcare Data Breaches Reported in January 2021 The breach reported by Florida Healthy Kids Corporation was one of the largest healthcare data breaches of all time. The breach was reported by the health plan, but actually occurred at one of its business associates. The health plan used an IT company for hosting its website and an application for applications for insurance coverage. The company failed to apply...

Read More
Wilmington Surgical Associates Facing Class Action Lawsuit Over Netwalker Ransomware Attack
Feb19

Wilmington Surgical Associates Facing Class Action Lawsuit Over Netwalker Ransomware Attack

Wilmington Surgical Associates in North Carolina is facing a class action lawsuit over a Netwalker ransomware attack and data breach that occurred in October 2020. As is now common in ransomware attacks, files were exfiltrated prior to the deployment of ransomware. In this case, the Netwalker ransomware gang stole 13GB of data from two Wilmington Surgical Associates’ servers that were used for administration purposes. Some of the stolen was published on the threat actors’ data leak site where it could be accessed by anyone. The leaked data was spread across thousands of files and included financial information related to the practice, employee information, and patient data such as photographs, scanned documents, lab test results, Social Security numbers, health insurance information, and other sensitive patient information. Wilmington Surgical Associates sent notifications to affected individuals in December 2020 and reported the data breach to the HHS’ Office for Civil Rights on December 17, 2020 as affecting 114,834 patients. The lawsuit – Jewett et al. v. Wilmington...

Read More
Grand River Medical Group Email Breach Impacts 34,000 Patients
Feb18

Grand River Medical Group Email Breach Impacts 34,000 Patients

Grand River Medical Group in Dubuque, OH has discovered an unauthorized individual gained access to the email account of an employee and may have viewed or obtained the protected health information of 34,000 patients. Upon discovery of the breach, a password reset was performed to prevent any further unauthorized access and an internal investigation was launched to determine whether any other systems were breached. The Grand River Medical Group IT team confirmed that only one email account was compromised and no other systems were accessed. Third-party breach response experts were engaged to conduct a forensic analysis to determine whether any patient information in the email account was viewed or exfiltrated. It was not possible to rule out data theft, although no evidence was found to indicate patient data was stolen in the attack. The information in the email account varied from patient to patient and included one or more of the following types of protected health information in addition to patient names: Address, date of birth, patient’s balance and balance type, visit type,...

Read More
Ransomware Gangs Leaks Sensitive Data Allegedly Stolen from Two More Healthcare Providers
Feb17

Ransomware Gangs Leaks Sensitive Data Allegedly Stolen from Two More Healthcare Providers

The Conti ransomware gang has published data on its leak site which was allegedly obtained in an attack on Rehoboth McKinley Christian Health Care Services in New Mexico. The leaked data includes sensitive patient information including scanned patient ID cards, passports, driver’s license numbers, diagnoses, treatment information, and diagnostic reports, although we have not been able to confirm the source of the data. The breach has not yet appeared on the HHS breach portal so it is currently unclear how many individuals have been affected. The Conti ransomware gang claims it has only published around 2% of data stolen in the attack. The latest data leak by the Conti ransomware gang follows similar leaks of the data stolen in the ransomware attacks on Leon Medical Centers in Florida and Nocona General Hospital in Texas. The Avaddon ransomware gang has similarly published data on its leak site that was allegedly stolen in an attack on Capital Medical Center in Olympia in Washington. The gang has threatened to leak further data within the next few days if the ransom is not paid. The...

Read More
Email Error Results in Impermissible Disclosure of the PHI of 900 Campbell County Health Patients
Feb17

Email Error Results in Impermissible Disclosure of the PHI of 900 Campbell County Health Patients

An email error by an employee of Campbell County Health (CCH) has resulted in the impermissible disclosure of the protected health information of 900 individuals. The Gillette, WY-based health system discovered on February 5, 2021 that an employee sent an email to a patient and attached an incorrect file. The file contained patient names, account numbers, and their type of insurance. The email error was discovered within an hour of the email being sent and the recipient was immediately contacted and was told to securely delete the attachment. CCH officials provided instructions on how to ensure that the file was permanently deleted from the email account and all devices, and CCH has received satisfactory assurances that the file has now been permanently deleted and no further disclosures were made. Affected individuals have been notified about the incident and internal policies are being revised to prevent similar incidents in the future. CCH has also provided further training to employees on best practices for protecting patient data. UT Southwestern Medical Center Alerts Patients...

Read More
21st Century Oncology Data Breach Settlement Receives Preliminary Approval
Feb16

21st Century Oncology Data Breach Settlement Receives Preliminary Approval

A settlement proposed by 21st Century Oncology to resolve a November 2020 class action lawsuit has received preliminary approval from the court. The class action lawsuit was filed in District Court for the Middle District of Florida on behalf of victims of a 2015 cyberattack that potentially affected 2.2 million individuals. 21st Century Oncology was notified about a breach of its systems by the Federal Bureau of Investigation on November 13, 2015. An unauthorized individual had gained access to its network and may have accessed or obtained one of its databases on October 3, 2015. The database contained patients’ names, diagnoses, treatment information, Social Security numbers, and insurance information. Notifications to affected individuals were delayed at the request of the FBI so as not to interfere with the investigation. Patients affected by the breach started to be notified in March 2016. The Department of Health and Human Services’ Office for Civil Rights launched an investigation into the breach and found potential HIPAA violations. 21st Century Oncology settled the case in...

Read More
Sharp HealthCare Pays $70,000 to Resolve HIPAA Right of Access Violation
Feb15

Sharp HealthCare Pays $70,000 to Resolve HIPAA Right of Access Violation

The HHS’ Office for Civil Rights (OCR) has fined Sharp HealthCare $70,000 for failing to provide a patient with timely access to his medical records. This is the sixteenth financial penalty to be agreed with OCR under the HIPAA Right of Access enforcement initiative that was launched in late 2019. OCR received a complaint from a patient on June 11, 2019 that alleged Sharp Healthcare, doing business as Sharp Rees-Stealy Medical Centers (SRMC), failed to provide him with a copy of his medical records within 30 days, as is required by the HIPAA Privacy Rule. The patient claimed to have made a request in writing on April 2, 2019 but had not been provided with the requested records after waiting more than 2 months. OCR investigated and provided technical assistance to SRMC on the HIPAA Right of Access provision of the HIPAA Privacy Rule and the requirement to send medical records to a third party if requested by a patient. OCR closed the complaint on June 25, 2019. The same patient filed a second complaint with OCR on August 19, 2019 when the requested medical records had still not been...

Read More
Ransomware Gang Dumps Data Stolen from Two U.S. Healthcare Providers
Feb12

Ransomware Gang Dumps Data Stolen from Two U.S. Healthcare Providers

The Conti ransomware gang has dumped a large batch of healthcare data online that was allegedly stolen from Leon Medical Centers in Florida and Nocona General Hospital in Texas. Leon Medical Centers suffered a Conti ransomware attack in early November 2020, which was initially reported to the HHS’ Office for Civil Rights on January 8, 2021 as affecting 500 individuals. Leon Medical Centers explained in its substitute breach notice that the incident involved the use of malware and the investigation confirmed the attackers accessed the personal and protected health information of certain patients. It is unclear when the ransomware attack on Nocona General Hospital occurred, as notification letters do not appear to have been sent to affected individuals, no breach notice has been posted on its website, and the incident is not listed on the HHS’ Office for Civil Rights breach portal. According to NBC, which spoke with an attorney representing the hospital, none of its systems appeared to have been breached, files were apparently not encrypted, and no ransom note had been identified by...

Read More
Renown Health Pays $75,000 to Settle HIPAA Right of Access Case
Feb11

Renown Health Pays $75,000 to Settle HIPAA Right of Access Case

The Department of Health and Human Services’ Office for Civil Rights (OCR) is continuing to crackdown on noncompliance with the HIPAA Right of Access. This week, OCR announced its fifteenth settlement to resolve a HIPAA Right of Access enforcement action. Renown Health, a not-for-profit healthcare network in Northern Nevada, agreed to settle its HIPAA case with OCR to resolve potential violations of the HIPAA Right of Access and has agreed to pay a financial penalty of $75,000. OCR launched an investigation after receiving a complaint from a Renown Health patient who had not been provided with an electronic copy of her protected health information. In January 2019, the patient submitted a request to Renown Health and asked for her medical and billing records to be sent to her attorney. After waiting more than a month for the records to be provided, the patient filed a complaint with OCR. It took Renown Health until December 27, 2019 to provide the requested records, almost a year after the initial request was made. The HIPAA Privacy Rule (45 C.F.R. § 164.524) requires medical...

Read More
Nebraska Medicine Notifies 219,000 Patients About September 2020 Malware Attack
Feb10

Nebraska Medicine Notifies 219,000 Patients About September 2020 Malware Attack

Nebraska Medicine has started notifying approximately 219,000 patients about a malware attack that allowed an unauthorized individual to view and obtain patient information. Nebraska Medicine identified unusual activity in some of its systems on September 20, 2020. All affected devices were isolated to contain the breach and impacted systems were shut down to prevent any further unauthorized access. Independent computer forensics experts were engaged to conduct an investigation and determine the nature and scope of the security breach. The investigation confirmed that an unauthorized individual first gained access to the network on August 27, 2020 and deployed malware. Between August 27 and September 20, that individual copied certain files, some of which contained patient information. The files contained information about patients who received medical services at The Nebraska Medical Center or University of Nebraska Medical Center, as well as a limited number of patients who visited Faith Regional Health Services, Great Plains Health, or Mary Lanning Healthcare. The protected...

Read More
Class Action Lawsuit Filed Against US Fertility Over September 2020 Ransomware Attack
Feb09

Class Action Lawsuit Filed Against US Fertility Over September 2020 Ransomware Attack

US Fertility is facing a class action lawsuit over a September 2020 ransomware attack and data breach that affected 878,550 individuals. US Fertility provides IT platforms and administrative, clinical, and business information services, and is one of the largest providers of support services to infertility clinics in the United States. On September 14, 2020, US Fertility discovered ransomware had been used to encrypt files on its network. The investigation revealed the threat actors behind the attack exfiltrated files between August 12 and September 14, 2020, some of which contained protected health information. The types of data obtained by the hackers included names, addresses, dates of birth, driver’s license and state ID numbers, passport numbers, medical treatment/diagnosis information, medical record information, health insurance and claims information, credit and debit card information, and financial account information. The class action lawsuit, brought by Plaintiffs Alec Vinsant and Marla Vinsant, alleges US Fertility failed to implement adequate data security measures...

Read More
Email Account Breach at Law Firm Affects More Than 36,000 UPMC Patients
Feb08

Email Account Breach at Law Firm Affects More Than 36,000 UPMC Patients

University of Pittsburgh Medical Center (UPMC) has announced the protected health information of more than 36,000 patients has potentially been accessed by unauthorized individuals following a cyberattack on a company that provides billing-related legal services to UPMC. In June 2020, Charles J. Hilton & Associates P.C. (CJH) discovered suspicious activity in its employee email system and launched an investigation. On July 21, 2020, CJH determined that hackers had gained access to the email accounts of several of its employees between April 1, 2020 and June 25, 2020. Computer forensics specialists conducted an extensive investigation into the incident to determine which information was accessed or obtained by the hackers. UPMC said it received a notification about the breach in December 2020 confirming patient information may have been accessed by the hackers. Notification letters are now being sent by CJH to all patients potentially affected by the breach. UPMC said none of its systems, including its electronic medical record system, were affected, and the only information...

Read More
Ramsey County and Crisp Regional Health Services Affected by Ransomware Attacks
Feb05

Ramsey County and Crisp Regional Health Services Affected by Ransomware Attacks

The County Manager’s Office of Ramsey County, MN has started notifying 8,687 clients of its Family Health Division that some of their personal information has potentially been accessed by unauthorized individuals in a ransomware attack on one of its vendors. St. Cloud-based Netgain Technology LLC provides technology services to Ramsey County, including an application used by the Family Health Division for documenting home visits. Data within that application was potentially accessed and exfiltrated by threat actors prior to the deployment of ransomware.  The application contained information such as names, addresses, dates of birth, dates of service, telephone numbers, account numbers, health insurance information, medical information and, for a small number of individuals, Social Security numbers. The attack appears to have been conducted with the sole purpose of extorting money from Netgain rather than to gain access to personal information; however, it was not possible to rule out unauthorized access or data theft. Ramsey County was notified about the attack on December 2, 2020...

Read More
4 Healthcare Providers Have Started Notifying Patients About Recent Phishing Attacks
Feb04

4 Healthcare Providers Have Started Notifying Patients About Recent Phishing Attacks

A round up of healthcare phishing attacks that have been publicly disclosed in the past few days. 2,254 Patients Affected by Leonard J. Chabert Medical Center Email Account Breach Leonard J. Chabert Medical Center has been notified that the protected health information of some of its patients has been compromised in a phishing attack on LSU Health New Orleans Health Care Services Division (LSU HCSD). LSU HCSD announced the breach publicly on November 20, 2020 but discovered on November 24, 2020 that some patient data from Leonard J. Chabert Medical Center, its partner hospital, had also potentially been compromised. Leonard J. Chabert Medical Center was provided with information related to the breach on December 3, 2020, the analysis of which revealed the protected health information of 2,254 patients had been exposed between September 15, 2020 to September 18, 2020. For most patients, the exposed data was limited to names, phone numbers, addresses, medical record numbers, dates of birth, account numbers, dates of service, types of services received, and health insurance...

Read More
Montefiore Medical Center and Bethesda Hospital Fire Employees for HIPAA Breaches
Feb02

Montefiore Medical Center and Bethesda Hospital Fire Employees for HIPAA Breaches

Baptist Health’s Bethesda Hospital in Boynton Beach, FL has fired an employee for impermissibly accessing a patient’s protected health information and altering a home health order which was used to provide a patient with home care services. The HIPAA breach was identified on December 1, 2020, prompting an internal investigation. The employee has now been terminated and the incident reported to law enforcement. The investigation revealed other patient records may also have been accessed by the former employee between June 1, 2019 and December 2, 2020. The types of information potentially viewed included names, dates of birth, addresses, health insurance information, Social Security numbers, and clinical documentation. All affected individuals have been notified and offered complimentary identity theft protection and credit monitoring services and Baptist Health is exploring ways to further safeguard patients’ protected health information and prevent similar breaches in the future. The incident has yet to be listed on the HHS’ Office for Civil Rights’ website so it is currently...

Read More
Failure to Patch Results in 7-Year Breach of Florida Medicaid Applicants’ PHI and Exposure of 3.5 Million Records
Feb01

Failure to Patch Results in 7-Year Breach of Florida Medicaid Applicants’ PHI and Exposure of 3.5 Million Records

The Tallahassee, FL-based Medicaid health plan, Florida Healthy Kids Corporation, has discovered its web hosting provider failed to patch vulnerabilities which were exploited by cybercriminals to gain access to its website and the protected health information of applicants for benefits for the past 7 years. The breach is listed on the HHS’ Office for Civil Rights breach portal as affecting 3.5 million individuals, making this one of the largest healthcare data breaches of all time. Florida Healthy Kids used Jelly Bean Communications Design, LLC. for hosting its website. The website included an online application that recorded information about individuals when they applied for Florida KidCare benefits or renewed their health or dental coverage online. On December 9, 2020, Jelly Bean Communications notified Florida Healthy Kids that unauthorized individuals had gained access to the website and tampered with the addresses of several thousand applicants. Florida Healthy Kids engaged cybersecurity experts to conduct an investigation to determine the scope and severity of the...

Read More
Almost 190,000 Patients Affected by Roper St. Francis Healthcare Phishing Attack
Jan27

Almost 190,000 Patients Affected by Roper St. Francis Healthcare Phishing Attack

Roper St. Francis Healthcare has notified 189,761 patients that some of their protected health information was contained in employee email accounts that were accessed by an unauthorized individual. The email security breach was detected in late October 2020, and the subsequent investigation revealed three email accounts were compromised between October 14 and October 29, 2020. A review off the email accounts was conducted to determine the information that was potentially accessed. It was not possible to tell if patient information was viewed or exfiltrated, although the attacker would have been able to access names, medical record numbers, patient account numbers, dates of birth, and limited treatment and clinical information, such as dates of service, locations of service, providers’ names, and billing information. The email accounts also contained the health insurance information and Social Security numbers of a limited number of patients. Roper St. Francis Healthcare has offered complimentary credit monitoring and identity theft protection services to individuals whose Social...

Read More
Rady Children’s Hospital Facing Class Action Lawsuit over Blackbaud Ransomware Attack
Jan26

Rady Children’s Hospital Facing Class Action Lawsuit over Blackbaud Ransomware Attack

In May 2020, the cloud software company Blackbaud suffered a ransomware attack. As is common in human operated ransomware attacks, data was exfiltrated prior to file encryption. Some of the stolen data included the fundraising databases of its healthcare clients. One of the affected healthcare providers was Rady Children’s Hospital-San Diego, the largest children’s hospital in California in terms of admissions. A class action lawsuit has been proposed that alleges Rady was negligent for failing to protect the sensitive information of 19,788 individuals which was obtained by the hackers through Blackbaud’s donor management software solution. The lawsuit alleges Rady failed to implement adequate security measures and failed to ensure Blackbaud had adequate security measures in place to protect ePHI and ensure it remained private and confidential. The lawsuit alleges individuals affected by the breach now face “imminent, immediate, substantial and continuing increased risk” of identity theft and fraud as a result of the breach and Rady’s negligence. Blackbaud discovered the ransomware...

Read More
HIPAA Enforcement by State Attorneys General
Jan21

HIPAA Enforcement by State Attorneys General

The Department of Health and Human Services’ Office for Civil Rights is the main enforcer of HIPAA compliance; however, state Attorneys General also play a role in enforcing compliance with the Health Insurance Portability and Accountability Act Rules. The Health Information Technology for Clinical and Economic Health (HITECH) Act gave state attorneys general the authority to bring civil actions on behalf of state residents who have been impacted by violations of the HIPAA Privacy and Security Rules and can obtain damages on behalf of state residents. The Connecticut Attorney General was the first to exercise this right in 2010 against Health Net Inc. for the loss of unencrypted hard drive containing the electronic protected health information 1.5 million individuals and delayed breach notifications. The case was settled for $250,000. The Vermont Attorney General followed suit with a similar action against Health Net in 2011 that was settled for $55,000, and Indiana brought a civil action against Wellpoint Inc. in 2011 that was settled for $100,000. State Attorney HIPAA cases were...

Read More
Data Breaches Reported by Gainwell Technologies, TaylorMade Diagnostics, and Mattapan Community Health Center
Jan21

Data Breaches Reported by Gainwell Technologies, TaylorMade Diagnostics, and Mattapan Community Health Center

Gainwell Technologies has discovered unauthorized individuals have potentially accessed the information of certain participants of Wisconsin’s Medicaid program, which was stored in emails and email attachments in a compromised account. Access to the email account was first gained on October 29, 2020 and continued until November 16, 2020. The account contained information such as names, member ID numbers, and billing codes for services. Approximately 1,200 Wisconsin Medicaid members have been affected. Affected individuals have been offered a 1-year complimentary membership to credit monitoring services. Gainwell provides fiscal-agent services for the Wisconsin Department of Health Services (DHS) Medicaid Program. Since the breach occurred, the DHS and Gainwell have worked together to prevent similar breaches in the future. This is the second incident to be reported as having affected Gainwell in recent weeks. Gainwell operates the Medicaid Management Information System used by the Tennessee state Medicaid health plan, TennCare. Gainwell discovered an error at a mailing vendor...

Read More
At Least 560 U.S. Healthcare Facilities Were Impacted by Ransomware Attacks in 2020
Jan20

At Least 560 U.S. Healthcare Facilities Were Impacted by Ransomware Attacks in 2020

Ransomware attacks have had a massive impact on businesses and organizations in the United States, and 2020 was a particularly bad year. The healthcare industry, education sector, and federal, state, and municipal governments and agencies have been targeted by ransomware gangs and there were at least 2,354 attacks on these sectors in 2020, according to the latest State of Ransomware report from the New Zealand-based cybersecurity firm Emsisoft. The number of ransomware attacks increased sharply toward the end of 2019, and while the attacks slowed in the first half of 2020, a major coordinated campaign was launched in September when attacks dramatically increased and continued to occur in large numbers throughout the rest of the year. In 2020 there were at least 113 ransomware attacks on federal, state, and municipal governments and agencies, 560 attacks on healthcare facilities in 80 separate incidents, and 1,681 attacks on schools, colleges, and universities. These attacks have caused significant financial harm and in some cases the disruption has had life threatening...

Read More
2020 Healthcare Data Breach Report: 25% Increase in Breaches in 2020
Jan19

2020 Healthcare Data Breach Report: 25% Increase in Breaches in 2020

More large healthcare data breaches were reported in 2020 than in any other year since the HITECH Act called for the U.S. Department of Health and Human Services’ Office for Civil Rights to start publishing healthcare data breach figures on its website. In 2020, healthcare data breaches of 500 or more records were reported at a rate of more than 1.76 per day. 2020 saw 642 large data breaches reported by healthcare providers, health plans, healthcare clearing houses and business associates of those entities – 25% more than 2019, which was also a record-breaking year. More than twice the number of data breaches are now being reported than 6 years ago and three times the number of data breaches that occurred in 2010. Key Takeaways 25% year-over-year increase in healthcare data breaches. Healthcare data breaches have doubled since 2014. 642 healthcare data breaches of 500 or more records were reported in 2020. 1.76 data breaches of 500 or more healthcare records were reported each day in 2020. 2020 saw more than 29 million healthcare records breached. One breach involved more than 10...

Read More
December 2020 Healthcare Data Breach Report
Jan18

December 2020 Healthcare Data Breach Report

2020 ended with healthcare data breaches being reported at a rate of 2 per day, which is twice the rate of breaches in January 2020. Healthcare data breaches increased 31.9% month over month and were also 31.9% more than the 2020 monthly average. There may still be a handful more breaches to be added to the OCR breach portal for 2020 but, as it stands, 642 healthcare data breaches of 500 or more records have been reported to OCR in 2020. That is more than any other year since the HITECH Act required OCR to start publishing data breach summaries on its website.   December was the second worst month of 2020 in terms of the number of breached records. 4,241,603 healthcare records were exposed, compromised, or impermissibly disclosed across the month’s 62 reported data breaches. That represents a 272.35% increase in breached records from November and 92.25% more than the monthly average in 2020. For comparison purposes, there were 41 reported breaches in December 2019 and 397,862 healthcare records were breached. Largest Healthcare Data Breaches Reported in December 2020 Name of...

Read More
Excellus Health Plan Settles HIPAA Violation Case and Pays $5.1 Million Penalty
Jan18

Excellus Health Plan Settles HIPAA Violation Case and Pays $5.1 Million Penalty

The Department of Health and Human Services’ Office for Civil Rights has announced the health insurer Excellus Health Plan has agreed to pay a $5.1 million penalty to settle a HIPAA violation case stemming from a 2015 data breach that affected 9.3 million individuals. The breach in question was discovered by Excellus Health Plan in 2015, the same year that massive data breaches were discovered by the health insurers Anthem Inc. (78.8 million records) and Premera Blue Cross (10.6 million records). All three entities have now settled breach investigations with OCR and have paid substantial financial penalties. Excellus Health Plan, doing business as Excellus BlueCross BlueShield and Univera Healthcare, serves individuals in upstate and western New York. In August 2015, the health insurer discovered hackers had gained access to its computer systems. The breach investigation revealed access to its systems was first gained around December 23, 2013 and continued until May 11, 2015. The breach was reported to OCR on September 9, 2015. The hackers installed malware on its systems,...

Read More
What are the Penalties for HIPAA Violations?
Jan15

What are the Penalties for HIPAA Violations?

Penalties for HIPAA violations can be issued by the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general. In addition to financial penalties, covered entities are required to adopt a corrective action plan to bring policies and procedures up to the standards demanded by HIPAA.  The Health Insurance Portability and Accountability Act of 1996 placed a number of requirements on HIPAA-covered entities to safeguard the Protected Health Information (PHI) of patients, and to strictly control when PHI can be divulged, and to whom. Since the Enforcement Final Rule of 2006, OCR has had the power to issue financial penalties (and/or corrective action plans) to covered entities that fail to comply with HIPAA Rules. Financial penalties for HIPAA violations were updated by the HIPAA Omnibus Rule, which introduced charges in line with the Health Information Technology for Economic and Clinical Health Act (HITECH). The Omnibus Rule took effect from March 26, 2013. Since the introduction of the Omnibus Rule, the new penalties for HIPAA violations...

Read More
South Country Health Alliance Breach Impacts 66,874 Plan Members
Jan15

South Country Health Alliance Breach Impacts 66,874 Plan Members

Owatonna, MN-based Minnesota South Country Health Alliance has discovered an unauthorized individual accessed the email account of an employee that contained the protected health information of 66,874 of its members. The email account breach was detected on September 14, 2020, with the subsequent investigation revealing the account was first accessed by an unauthorized individual on June 25, 2020. The review of the email account was completed on November 5, 2020 and revealed it contained personal and protected health information such as names, addresses, Social Security numbers, Medicare and Medicaid numbers, health insurance information, diagnostic or treatment information, date of death, provider name, and treatment cost information. Notifications were sent to all affected members on December 30, 2020. The delay in issuing notifications was due to the time taken to identify current mailing addresses for affected individuals. The breach investigation did not uncover any evidence to suggest any protected health information in the account was viewed or obtained or has been misused....

Read More
M.D. Anderson Cancer Center Has $4.3 Million OCR HIPAA Fine Overturned on Appeal
Jan15

M.D. Anderson Cancer Center Has $4.3 Million OCR HIPAA Fine Overturned on Appeal

The U.S. Court of Appeals for the Fifth Circuit has overturned a $4,348,000 HIPAA violation penalty imposed on University of Texas M.D. Anderson Cancer Center by the Department of Health and Human Services’ Office for Civil Rights. The Civil Monetary Penalty was imposed on M.D. Anderson in 2018 following an investigation of three data breaches that were reported to the Office for Civil Rights between 2013 and 2014 that involved the loss/theft of unencrypted devices between 2012 and 2013. Two unencrypted flash drives containing the ePHI of 2,264 and 3,598 patients were lost, and an unencrypted laptop computer containing the ePHI of 29,021 patients was stolen. The Office for Civil Rights investigation concluded that M.D. Anderson was in violation of two provisions of the HIPAA Rules. The first violation was the failure to implement encryption or adopt an alternative and equivalent method to limit access to ePHI stored on electronic devices, and the second prohibits unauthorized disclosures of ePHI. HIPAA penalties are tiered and are based on the level of culpability, with the Office...

Read More
2020 HIPAA Violation Cases and Penalties
Jan13

2020 HIPAA Violation Cases and Penalties

The Department of Health and Human Services’ Office for Civil Rights (OCR) settled 19 HIPAA violation cases in 2020. More financial penalties were issued in 2020 than in any other year since the Department of Health and Human Services was given the authority to enforce HIPAA compliance. $13,554,900 was paid to OCR to settle the HIPAA violation cases. Penalties for Noncompliance with the HIPAA Right of Access In late 2019, the OCR announced a new HIPAA enforcement initiative to tackle noncompliance with the Right of Access standard of the HIPAA Privacy Rule. Since then, OCR has been highly active and has imposed 14 financial penalties for noncompliance, 11 of which were announced in 2020. The HIPAA Right of Access standard – 45 C.F.R. § 164.524(a) – gives patients the right to access, inspect, and obtain a copy of their own protected health information in a designated record set.  When a request is received from an individual or their personal representative, the records must be provided within 30 days. A reasonable, cost-based fee may be charged for providing a copy of...

Read More
OCR Continues HIPAA Right of Access Crackdown with $200,000 Fine
Jan13

OCR Continues HIPAA Right of Access Crackdown with $200,000 Fine

The HHS’ Office for Civil Rights (OCR) is continuing to crackdown on healthcare providers that are not providing patients with timely access to their medical records. Yesterday, OCR announced a settlement had been agreed with Banner Health to resolve a HIPAA Right of Access investigation. Banner Health agreed to pay $200,000 to settle the case. The HIPAA Privacy Rule gives individuals the right to access, inspect, and obtain a copy of their own protected health information. When a request is received, HIPAA-covered entities are required to provide a copy of the requested records within 30 days. In late 2019, OCR announced it was cracking down on noncompliance with this important provision of HIPAA. Since then, 14 financial penalties have been imposed on covered entities that have failed to provide patients with timely access to their medical records. Phoenix, AZ-based Banner Health is one of the largest health care systems in the United States. The non-profit health system operates 30 hospitals and many primary care, urgent care, and specialty care facilities. OCR received two...

Read More
LSU Health Discovers Additional Hospital Affected by September 2020 Email Account Breach
Jan12

LSU Health Discovers Additional Hospital Affected by September 2020 Email Account Breach

The protected health information of certain patients of LSU Health University Medical Center-New Orleans has potentially been compromised in an email security breach. LSU Health New Orleans Health Care Services Division previously announced on November 20, 2020 that it has suffered a security breach involving the email account of an employee in September 2020. At the time, it appeared that the breach only affected certain patients who had received medical services at Lallie Kemp Regional Medical Center in Independence; Leonard J. Chabert Medical Center in Houma; W. O. Moss Regional Medical Center in Lake Charles; and the former Earl K. Long Medical Center in Baton Rouge; Bogalusa Medical Center in Bogalusa; University Medical Center in Lafayette; or Interim LSU Hospital in New Orleans. LSU Health’s ongoing investigation revealed the data of certain patients of its partner hospital, University Medical Center-New Orleans, was also stored in the compromised email account. The breach occurred on September 15, 2020 and was discovered on September 18.  While the email account was...

Read More
The Most Common HIPAA Violations You Should Be Aware Of
Jan10

The Most Common HIPAA Violations You Should Be Aware Of

The most common HIPAA violations that have resulted in financial penalties are the failure to perform an organization-wide risk analysis to identify risks to the confidentiality, integrity, and availability of protected health information (PHI); the failure to enter into a HIPAA-compliant business associate agreement; impermissible disclosures of PHI; delayed breach notifications; and the failure to safeguard PHI. The settlements pursued by the Department of Health and Human Services’ Office for Civil Rights (OCR) are for egregious violations of HIPAA Rules. Settlements are also pursued to highlight common HIPAA violations to raise awareness of the need to comply with specific aspects of HIPAA Rules. This article covers five of the most common HIPAA violations that have resulted in settlements with covered entities and their business associates over the past few years. Are Data Breaches HIPAA Violations? Data breaches are now a fact of life. Even with multi-layered cybersecurity defenses, data breaches are still likely to occur from time to time. OCR understands that healthcare...

Read More
Lake Region Healthcare Recovering from Ransomware Attack
Jan08

Lake Region Healthcare Recovering from Ransomware Attack

Lake Region Healthcare in Fergus Falls, Minnesota is investigating a ransomware attack that was first detected on December 22, 2020. The attack impacted several of the healthcare provider’s systems and caused some disruption to normal operations at its locations in Fergus Falls, Battle Lake, Ashby, and Barnesville. Emergency procedures had been developed prior to the attack which were immediately implemented, and care continued to be provided to patients while the attack was investigated and remediated. Third-party cybersecurity experts were engaged to assist with the investigation and determine the scope of the attack, and while the investigation is ongoing, most of the systems impacted by the attack have been restored and services are operating as usual, largely due to working off alternative systems. While it is common for data to be stolen prior to the deployment of ransomware, no evidence has been found to indicate that was the case with this attack. Patient care continues to be provided, but patients have been advised to contact the hospital to confirm their appointments....

Read More
Email Breaches Reported by Mattapan Community Health Center and Prestera Center for Mental Health Services
Jan07

Email Breaches Reported by Mattapan Community Health Center and Prestera Center for Mental Health Services

Prestera Center for Mental Health Services, the largest behavioral health services provider in West Virginia, has discovered an unauthorized individual potentially accessed the protected health information of a small percentage of its current and former patients. An unauthorized individual gained access to Prestera Center’s business email environment which contained protected health information such as patient names, dates of birth, medical record numbers, patient account numbers, diagnostic information, prescription information, treatment information, and healthcare provider information. The email system also contained a limited number of patient addresses, Social Security numbers, and Medicare/Medicaid numbers. A third-party vendor was engaged to assist with the investigation and determine whether any PHI was viewed or obtained during the data security incident. Prestera Center said the investigation did not uncover any evidence of attempted or actual misuse of patient information, but since PHI may have been viewed or acquired, affected individuals have been offered...

Read More
How Should You Respond to an Accidental HIPAA Violation?
Jan06

How Should You Respond to an Accidental HIPAA Violation?

The majority of HIPAA covered entities, business associates, and healthcare employees take great care to ensure HIPAA Rules are followed, but what happens when there is accidental HIPAA violation? How should healthcare employees, covered entities, and business associates respond? How Should Employees Report an Accidental HIPAA Violation? Accidents happen. If a healthcare employee accidentally views the records of a patient, if a fax is sent to an incorrect recipient, an email containing PHI is sent to the wrong person, or any other accidental disclosure of PHI has occurred, it is essential that the incident is reported to your Privacy Officer. Your Privacy Officer will need to determine what actions need to be taken to mitigate risk and reduce the potential for harm. The incident will need to be investigated, a risk assessment may need to be performed, and a report of the breach may need to be sent to the Department of Health and Human Services’ Office for Civil Rights (OCR). You should explain that a mistake was made and what has happened. You will need to explain which patient’s...

Read More
Breaches Reported by Northwestern Memorial Hospital, Apex Laboratory, and Five Points Eye Care
Jan04

Breaches Reported by Northwestern Memorial Hospital, Apex Laboratory, and Five Points Eye Care

Northwestern Memorial Hospital in Chicago discovered a former temporary worker may have inappropriately viewed the medical records of certain patients while employed at the hospital. The unauthorized access was detected on December 2, 2020. A review of access logs revealed the individual viewed patient records without a work-related purpose for doing so between October 27, 2020 and December 2, 2020.  The information potentially viewed was limited to patient names, addresses, and treatment information. The worker did not have access to financial information or Social Security numbers. Northwestern Memorial Hospital issued a statement about the privacy breach confirming the records of 682 patients may have been viewed and confirmed that the temporary worker is no longer employed by the hospital. It is unclear why the records were accessed. All affected patients are being notified about the privacy breach by mail and the incident has been reported to appropriate authorities. The HHS’ Office for Civil Rights breach portal shows 682 patients were affected by the breach. Apex...

Read More
Largest Healthcare Data Breaches in 2020
Jan01

Largest Healthcare Data Breaches in 2020

2020 was the worst ever year for healthcare industry data breaches. 616 data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights. 28,756,445 healthcare records were exposed, compromised, or impermissibly disclosed in those breaches, which makes 2020 the third worst year in terms of the number of breached healthcare records. The chart below clearly shows how healthcare industry data breaches have steadily increased over the past decade and the sharp rise in breaches in the past two years. The Largest Healthcare Data Breaches in 2020 When a breach occurs at a business associate of a HIPAA-covered entity, it is often the covered entity that reports the breach rather than the business associate. In 2020, a massive data breach was experienced by the cloud service provider Blackbaud Inc. Hackers gained access to its systems and stole customer fundraising databases before deploying ransomware. Blackbaud was issued with a ransom demand and a threat that the stolen data would be released publicly if the ransom was not paid. Blackbaud decided to pay the ransom...

Read More
More Than 114,000 Patients Affected by Wilmington Surgical Associates Ransomware Attack
Dec31

More Than 114,000 Patients Affected by Wilmington Surgical Associates Ransomware Attack

In October 2020, the NetWalker ransomware gang claimed responsibility for a ransomware attack on the North Carolina-based surgical center, Wilmington Surgical Associates. The gang claimed to have stolen around 13GB of data prior to deploying NetWalker ransomware and encrypting files. The stolen batch of data included thousands of documents containing sensitive information. HIPAA Journal has not yet been able to obtain a copy of the breach notification; however, the ransomware attack has now appeared on the HHS’ Office for Civil Rights breach portal and shows the PHI of 114,834 patients was compromised in the attack. The NetWalker ransomware gang targets healthcare providers and the gang has stepped up its attacks in 2020. The gang was behind the ransomware attack on the University of California San Francisco and stole sensitive and valuable research data. The University felt it had no alternative other than to pay the $1.14 million ransom to recover the encrypted data. Other healthcare providers attacked with NetWalker ransomware this year include the Crozer-Keystone Health System...

Read More
Two Florida Healthcare Providers Attacked with Ransomware
Dec29

Two Florida Healthcare Providers Attacked with Ransomware

The Tampa, FL-based Agency for Community Treatment Services, Inc. (ACTS) is alerting certain patients that some of their protected health information has potentially been compromised in an October 21, 2020 cyberattack. The security breach was detected on October 23 when ransomware was deployed. The hackers gained access to parts of the ACTS server and data infrastructure and encrypted files to prevent access. Systems were taken offline to prevent further unauthorized access and third-party computer forensic experts were engaged to assist with the investigation and determine the scope of the breach. While unauthorized data access was possible, the investigation did not uncover any specific evidence to indicate patient data had been accessed or exfiltrated. ACTS explained that this was due to the extensive efforts made by the attackers to conceal their malicious activity. The attackers may therefore have accessed or stolen information stored on the breached systems. The review of the compromised systems revealed they contained patient names, dates of birth, Social Security numbers,...

Read More
484,000 Aetna Members Impacted by EyeMed Phishing Incident
Dec28

484,000 Aetna Members Impacted by EyeMed Phishing Incident

Aetna has announced more than 484,000 of its members have been impacted by a data breach at a business associate that provides services for members of its vision benefits plans. In July 2020, an unauthorized individual gained access to an email account of an employee of Cincinnati-based EyeMed and used the email account to send further phishing emails to individuals in the address book of the mailbox. EyeMed investigated the breach and determined the mailbox contained the protected health information of 484,157 Aetna members, 60,545 members of Tufts Health Plan, and 1,340 members of Blue Cross Blue Shield of Tennessee.  No evidence of data theft or misuse of PHI was identified, although it was not possible to rule out data theft with a high degree of certainty. Affected health plans were notified about the breach in September. The compromised email account contained information such as members’ names, dates of birth, vision insurance ID numbers, health insurance ID numbers and, for a limited number of individuals, Social Security numbers, birth certificates, diagnoses, and...

Read More
Former GenRx Pharmacy Patients’ PHI Potentially Compromised in Ransomware Attack
Dec24

Former GenRx Pharmacy Patients’ PHI Potentially Compromised in Ransomware Attack

Scottsdale, AZ-based GenRx Pharmacy is alerting certain patients that some of their protected health information has potentially been compromised in a ransomware attack. The attack was detected on September 28, 2020 and the IT team acted quickly and terminated the attacker’s access to its systems the same day. The investigation confirmed ransomware was deployed on 27 September and prior to the use of ransomware a small number of files containing protected health information were exfiltrated by the attackers. A review of the stolen files revealed they contained protected health information such as names, addresses, dates of birth, gender, allergy information, patient IDs, prescription transaction IDs, medication lists, health plan information, and prescription information. Social Security numbers are not collected by the pharmacies and financial information is not retained, so that information could not have been compromised. GenRx Pharmacy had valid backups that were used to restore the encrypted data and no ransom was paid. The breach report submitted to the HHS’ Office for...

Read More
OCR Announces its 19th HIPAA Penalty of 2020
Dec23

OCR Announces its 19th HIPAA Penalty of 2020

The Department of Health and Human Services’ Office for Civil Rights (OCR) has settled a HIPAA Right of Access compliance case with Peter Wrobel, M.D., P.C., doing business as Elite Primary Care. Elite Primary Care is a provider of primary health services in Georgia. OCR launched a compliance investigation following receipt of a complaint from an Elite Primary Care patient on April 22, 2019 who alleged he had been denied access to his health records. OCR contacted the practice and provided technical assistance on the HIPAA Right of Access on May 2, 2019. OCR advised the practice to review the facts of the request and provide access to the requested records if the request met the requirements of the HIPAA Privacy Rule. The patient subsequently submitted a request for access in writing which was received by the practice on June 5, 2019. The patient filed a second complaint with OCR on October 9, 2019, as the practice continued to deny him access to his requested records. Elite Primary Care sent the patient’s medical records to his new healthcare provider on November 21, 2019 and...

Read More
November 2020 Healthcare Data Breach Report
Dec22

November 2020 Healthcare Data Breach Report

For the second successive month, the number of reported healthcare data breaches has fallen; however, it should be noted that the number of breaches reported in October 2020 was almost three times the average monthly number due, in a large part, to the ransomware attack on the cloud service provider Blackbaud. November saw 47 data breaches of 500 or more healthcare records reported to the HHS’ Office for Civil Rights by HIPAA-covered entities and business associates, 25.39% fewer than October. Even with that reduction, breaches are still well above the 12-month average of 41 data breaches a month (Median = 38 breaches).   The number of healthcare records exposed in healthcare data breaches similarly fell for the second successive month. In November, 1,139,151 healthcare records were exposed or impermissibly disclosed, a 54.73% fall from October. The average number of monthly breached healthcare records over the past 12 months is 1,885,959 records and the median is 1,101,902 records. Largest Healthcare Data Breaches Reported in November 2020 Name of Covered Entity State Covered...

Read More
OCR HIPAA Audits Industry Report Identifies Common Areas of Noncompliance with the HIPAA Rules
Dec18

OCR HIPAA Audits Industry Report Identifies Common Areas of Noncompliance with the HIPAA Rules

The Department of Health and Human Services’ Office for Civil Rights has published its 2016-2017 HIPAA Audits Industry Report, highlighting areas where HIPAA-covered entities and their business associates are complying or failing to comply with the requirements of the Health Insurance Portability and Accountability Act. The Health Information Technology for Economic and Clinical Health (HITECH) Act requires the HHS to conduct periodic audits of HIPAA covered entities and business associates to assess compliance with the HIPAA Rules. Between 2016 and 2017, the HHS conducted its second phase of compliance audits on 166 covered entities and 41 business associates to assess compliance with certain provisions of the HIPAA Privacy, Security, and Breach Notification Rules. The 2016/2017 HIPAA compliance audits were conducted on a geographically representative, broad cross-section of covered entities and business associates and consisted of desk audits – remote reviews of HIPAA documentation – rather than on-site audits. All entities have since been notified of the findings of their...

Read More
FTC Settles 2019 Consumer Data Breach Case with SkyMed
Dec18

FTC Settles 2019 Consumer Data Breach Case with SkyMed

The Nevada-based emergency services provider SkyMed has reached a settlement with the Federal Trade Commission (FTC) following an audit of its information security practices in the wake of a 2019 data breach that exposed consumers’ personal information. SkyMed was notified by security researcher Jeremiah Fowler in 2019 that it had a misconfigured Elasticsearch database that was leaking patient information. The lack of protection meant the records of 136,995 patients could be accessed over the internet without the need for any authentication. The database could be accessed using any Internet browser and personal information in the database could be downloaded, edited, or even deleted. The database contained information such as patient names, addresses, email addresses, dates of birth, membership account numbers, and health information, according to Fowler. Fowler also identified artifacts related to ransomware in the database. When notified about the exposed database, SkyMed launched an investigation but found no evidence to indicate any information in the database had been misused....

Read More
Lost Storage Device Contained Unencrypted PHI of Cedar Springs Hospital Patients
Dec18

Lost Storage Device Contained Unencrypted PHI of Cedar Springs Hospital Patients

Cedar Springs Hospital in Colorado Springs, CO is notifying certain patients that some of their protected health information was stored on a portable storage device that was lost in October 2020. The Colorado Department of Public Health and Environment had sent a request to the hospital to provide a copy of certain patient records on an external storage device as part of a survey. The information was provided, but the storage device was misplaced by a Colorado health department surveyor. The state health department has a policy that requires data on external storage devices to be encrypted; however, Cedar Springs Hospital learned on October 28, 2020 that the device was not encrypted. Consequently, protected health information such as names, addresses, dates of birth, Social Security numbers, medical record numbers, patient ID numbers, diagnoses, treatment information, dates of treatment, treatment location, treating physician and prescription information could potentially be accessed by unauthorized individuals. A review of the data on the device was completed on November 9, 2020...

Read More
Email Account Breaches Reported by Meharry Medical College and MEDNAX Services
Dec18

Email Account Breaches Reported by Meharry Medical College and MEDNAX Services

Meharry Medical College in Nashville, TN, has discovered an email account breach may have resulted in unauthorized individuals viewing or acquiring the protected health information of up to 20,963 patients. The email account breach was detected and blocked around July 28, 2020. Third-party technical experts were engaged to investigate the breach and confirmed that the incident was limited to a single email account. On September 1, 2020, Meharry Medical College was informed that the nature of the breach meant it was possible that the contents of the email account may have been copied, most likely inadvertently during the standard email synchronization process. A review of the content of the email account was performed and it was determined the email account contained patients’ full names, dates of birth, diagnoses/diagnostic codes, internal patient account numbers, provider names, and other health information. A limited number of patients also had their Social Security numbers, Medicare/Medicaid numbers, and health insurance information compromised. Individuals whose Social Security...

Read More
Tufts Health Plan Members’ PHI Exposed in EyeMed Phishing Attack
Dec11

Tufts Health Plan Members’ PHI Exposed in EyeMed Phishing Attack

60,545 members of Tufts Health Plan have had their protected health information exposed in a phishing attack on the vision benefits management company EyeMed. The phishing attack occurred in June 2020 and was discovered by EyeMed on July 1, 2020. Access to the breached account was terminated the same day. EyeMed notified Tufts Health Plan about the breach in September 2020. The compromised email account contained the following types of protected health information: Names, addresses, dates of birth, phone numbers, email addresses, vision insurance account/identification numbers, health insurance account/identification numbers, Medicaid or Medicare numbers, driver’s license or other government identification numbers, and birth or marriage certificates. Partial or full social security numbers and/or financial information, medical diagnoses and conditions, treatment information, and/or passport numbers were implicated for some individuals. Affected individuals have been offered a 2-year complimentary membership to credit monitoring and identity protection services. Security Incident...

Read More
Dental Care Alliance Data Breach Impacts More Than 1 Million Patients
Dec10

Dental Care Alliance Data Breach Impacts More Than 1 Million Patients

Sarasota, FL-based Dental Care Alliance, LLC, a dental support organization with more than 320 affiliated dental practices across 20 states, has been hacked and the protected health information of more than a million individuals has potentially been compromised. The breach occurred on September 18, 2020, was detected on October 11, and was contained on October 13. A breach notification submitted to the Maine Attorney General’s office indicates some patient information was acquired by the hackers, such as patient names in combination with financial account numbers, although Dental Care Alliance said only around 10% of the affected individuals had their financial account number exposed. For the majority of individuals affected by the breach, the information potentially compromised was limited to names, addresses, diagnoses, treatment information, patient account numbers, billing information, dentists’ names, and health insurance information. Dental Care Alliance said it acted quickly when the breach was discovered to secure its systems to prevent any further unauthorized...

Read More
Six More Healthcare Providers Impacted by Ransomware Attacks
Dec10

Six More Healthcare Providers Impacted by Ransomware Attacks

GBMC HealthCare in Maryland, Golden Gate Regional Center in California, and Dyras Dental in Michigan have recently suffered ransomware attacks and Allegheny Health Network, AMITA Health, and Bayhealth have announced they have been affected by the ransomware attack on Blackbaud Inc. GBMC HealthCare Towson, MD-based GBMC HealthCare has announced it suffered a ransomware attack on December 6, 2020 that forced its computer systems offline and the healthcare provider is now operating under EHR downtime procedures while the attack is mitigated.  GBMC HealthCare had planned for such an attack and had processes in place to ensure care could continue to be provided to patients while keeping disruption to a minimum. Safe and effective care continues to be provided to patients and its emergency department did not stop receiving patients; however, some elective procedures scheduled for Monday 7, December were postponed. Efforts are underway to bring systems back online and restore the encrypted data and law enforcement has been notified and is investigating the attack. The Egregor ransomware...

Read More
Insider Data Breaches Reported by Montefiore Medical Center and Mercy Health
Dec08

Insider Data Breaches Reported by Montefiore Medical Center and Mercy Health

Insider data breaches have been reported by Montefiore Medical Center and Mercy Health. Both incidents involved an employee accessing patient information when there was no legitimate work-related reason for doing so. Former Montefiore Medical Center Employee Accessed Patient Data for Billing Scam Montefiore Medical Center in New York City has discovered a former employee accessed patient information as part of a billing scam. Patient names, medical record numbers, and surgery dates were viewed and used to create invoices for unused surgical products, in connection with a vendor. Montefiore Medical Center discovered the fraud after the invoices had been paid and launched an investigation that revealed the former employee had accessed the information of approximately 4,000 patients without authorization between January 2018 and July 2020. Medical records, Social Security numbers, and financial information were not accessed, and the investigation has not uncovered any evidence to suggest patients or their insurance companies were defrauded. The fraud has been reported to law...

Read More
Email Account Breaches Reported by University of Minnesota Physicians and McLeod Health
Dec02

Email Account Breaches Reported by University of Minnesota Physicians and McLeod Health

University of Minnesota Physicians has suffered a phishing attack that gave the attackers access to the email accounts of two employees. One email account was accessible between January 30 and January 31, 2020 and the other on February 4, 2020 for a short period of time. Upon discovery of the breach, the accounts were immediately secured, and third-party forensic investigators were engaged to assess the nature and scope of the breach. The review did not uncover any evidence to suggest emails in the accounts had been viewed or patient data obtained, but it was not possible to rule out data access with a sufficiently high degree of certainty. A review of the compromised accounts revealed they contained the protected health information of certain patients. The types of information in the accounts varied from patient to patient and may have included name, address, date of birth, date of death, date of service, telephone number, medical record number, account number, payment card number, health insurance information, and medical information. A limited number of individuals also had...

Read More
Healthcare Provider Discovers Patient Data Exposed Online for Over 4 Years
Dec01

Healthcare Provider Discovers Patient Data Exposed Online for Over 4 Years

A round up of healthcare data breaches recently reported by Fairchild Medical Center, Harvard Pilgrim Health Care, and Indian Health Council Inc. Fairchild Medical Center Discovers Patient Information has been Exposed Online Fairchild Medical Center in Yreka, CA, has started notifying certain patients that some of their protected health information may have been accessed by unauthorized individuals over the Internet. In July 2020, Fairchild Medical Center was notified by a third-party security company that a server had been misconfigured, which allowed it to be accessed via the Internet. Assisted by third-party computer specialists, the medical center determined patient information could potentially have been accessed by unauthorized individuals. The server contained medical images along with patient names, dates of birth, patient identification numbers, exam identification numbers, ordering provider names, and exam dates. The misconfiguration had occurred on December 16, 2015 and was not corrected until July 31, 2020. After changes were made to secure the server, they were...

Read More
More Than 295K Patients Impacted by Cyberattack on AspenPointe
Dec01

More Than 295K Patients Impacted by Cyberattack on AspenPointe

The Colorado Springs-based mental health and behavioral health services provider AspenPointe has announced it was the victim of a cyberattack in September 2020 in which patient information may have been compromised. The attack forced the healthcare provider to take its systems offline and most of its operations were affected for several days while the attack was mitigated. Third-party cybersecurity professionals were engaged to assist with the investigation and recovery efforts and determine the extent to which patient information may have been compromised. A review of the documents potentially accessible to the attackers revealed on November 10, 2020 that patient information had potentially been accessed or acquired. The documents on the breached systems contained patient names along with one or more of the following data elements: date of birth, driver’s license number, bank account information, Medicaid ID number, admission/discharge dates, diagnosis code, date of last visit, and/or Social Security number. Following the discovery of the breach, a password reset was performed....

Read More
Mayo Clinic Faces Multiple Lawsuits over Insider Privacy Breach
Nov30

Mayo Clinic Faces Multiple Lawsuits over Insider Privacy Breach

Mayo Clinic is facing multiple class action lawsuits over an insider data breach reported in October 2020. Mayo Clinic discovered a former employee had accessed the medical records of 1,600 patients without authorization and viewed information such as patient names, demographic information, dates of birth, medical record numbers, medical images, and clinical notes. The Health Insurance Portability and Accountability Act (HIPAA) requires all HIPAA-covered entities to implement safeguards to ensure the privacy, confidentiality, and integrity of protected health information and limits the disclosures and uses of that information when patient consent is not obtained. Healthcare employees are permitted to access PHI in the course of their work duties, but in this case the former employee had no legitimate work reason for viewing the records. The unauthorized access is in violation of the HIPAA Rules; however, there is no private cause of action in HIPAA, so individuals affected by such a breach cannot take legal action for any HIPAA violation that results in their medical records being...

Read More
US Fertility Reports Ransomware Attack Involving Data Theft
Nov27

US Fertility Reports Ransomware Attack Involving Data Theft

US Fertility has announced it suffered a ransomware attack on September 14, 2020 that affected some of its computer systems, including systems that contained sensitive protected health information. US Fertility is the largest operator of fertility clinics in the United States, running clinics at 55 locations in 10 states. Almost half of its locations are known to have been affected by the attack. US Fertility responded immediately to the attack and determined that data had been encrypted on a number of its servers and workstations connected to its domain. Those devices were immediately taken offline while the attack was investigated. Third-party security and forensic experts were retained to assist with the investigation and the recovery of data on the affected workstations and servers. USF said it successfully restored all affected devices and reconnected them to the network on September 20, 2020. The attack has been reported to federal law enforcement and USF is assisting in the ongoing investigation. USF said the forensic investigation has now been completed and data theft has...

Read More
UVM Health Restores Electronic Health Record System One Month After Ransomware Attack
Nov27

UVM Health Restores Electronic Health Record System One Month After Ransomware Attack

University of Vermont Health Network has announced it has brought its electronic health record (EHR) system back online, a month after experiencing a ransomware attack. The ransomware attack occurred on October 25, 2020 and caused a massive outage across all six of its hospitals. For the past month, staff have been forced to record patient information, orders, and medications using pen and paper while its computer systems were out of action. Care continued to be provided to patients during the attack and recovery process, but the recovery of its EHR will greatly improve efficiency. The attack caused major disruption, especially at University of Vermont Medical Center in Burlington, but the attack affected its entire network. Without access to essential patient data, many elective procedures had to be rescheduled and the radiology department on the main campus experienced major delays, and was only open on a limited basis. In a November 24, 2020 update, UVM Health announced it had achieved a major milestone in the recovery process, having brought its Epic EHR system back online for...

Read More
Phishing Incidents Reported by Connecticut Department of Social Services, Mercy Iowa City and LSU Care Services
Nov24

Phishing Incidents Reported by Connecticut Department of Social Services, Mercy Iowa City and LSU Care Services

Connecticut Department of Social Services (DSS) has reported a potential breach of the protected health information of 37,000 individuals as a result of a series of phishing attacks that occurred between July and December 2019. Several email accounts were compromised and were used to send spam emails to several DSS employees, the investigation of which confirmed the phishing attacks. A comprehensive investigation was conducted using state information technology resources and a third-party forensic IT firm, but no evidence was found to indicate the attackers had accessed patient information in the email accounts. According to the DSS breach notice, “Due to the large volume of emails involved and the nature of the phishing attack, the forensic efforts could not determine with certainty that the hackers did not access personal information.” Identity theft protection services have been offered to affected individuals as a precaution and steps have been taken to improve email security and better protect against phishing attacks in the future. More Than 92,000 Individuals Affected by...

Read More
Three More Healthcare Providers Suffer Cyberattacks Involving Ransom Demands
Nov24

Three More Healthcare Providers Suffer Cyberattacks Involving Ransom Demands

Three healthcare providers in New York, Florida, and Georgia have started notifying patients that some of their protected health information was potentially compromised in recent cyberattacks, two of which involved ransomware and one involved an unspecified computer virus. Four Winds Hospital, NY Four Winds Hospital in Katonah, NY, discovered files had been encrypted by ransomware on or around September 1, 2020. The attack prevented the hospital from accessing its computer systems and resulted in downtime of around two weeks while the attack was mitigated. Upon discovery of the attack, steps were immediately taken to prevent any further unauthorized system access and third-party cybersecurity experts were engaged to help identify the scope of the attack and whether patient data had been compromised. According to Four Winds Hospital’s substitute breach notice, “[The cybersecurity experts] obtained evidence that the cybercriminals deleted any files in their possession, although that evidence cannot be independently verified.” That suggest a ransom was paid, although that has not been...

Read More
October 2020 Healthcare Data Breach Report
Nov23

October 2020 Healthcare Data Breach Report

October saw well above average numbers of data breaches reported the HHS’ Office for Civil Rights. There were 63 reported breaches of 500 or more records, which is a 33.68% reduction from September but still 41.82% more breaches than the monthly average over the last 12 months. The elevated numbers of breaches can be partly explained by continued reports from healthcare organizations that were impacted by the ransomware attack on the cloud software firm Blackbaud. The protected health information of more than 2.5 million individuals were exposed or compromised in those 63 breaches, which is 74.08% fewer records than September, but still 26.81% more than the monthly average number of breached records over the past 12 months. Largest Healthcare Data Breaches Reported in October 2020 Name of Covered Entity Covered Entity Type Type of Breach Individuals Affected Breach Cause Luxottica of America Inc. Business Associate Hacking/IT Incident 829,454 Ransomware Attack AdventHealth Orlando Healthcare Provider Hacking/IT Incident 315,811 Blackbaud Ransomware Presbyterian Healthcare Services...

Read More
HIPAA Right of Access Failure Results in $65,000 Fine for University of Cincinnati Medical Center
Nov20

HIPAA Right of Access Failure Results in $65,000 Fine for University of Cincinnati Medical Center

The HHS’ Office for Civil Rights has announced its 18th HIPAA financial penalty of the year with the 12th fine under its HIPAA Right of Access enforcement initiative. In 2019, OCR announced a new drive to ensure individuals are given timely access to their health records, at a reasonable cost, as mandated by the HIPAA Privacy Rule. It had become clear to OCR that healthcare providers were not always fully complying with this important HIPAA Privacy Rule provision and some patients were having trouble obtaining a copy of their medical records. The latest financial penalty of $65,000 was imposed on the University of Cincinnati Medical Center, LLC (UCMC) and stemmed from a complaint received by OCR on May 30, 2019 from a patient who had sent a request to UCMC on February 22, 2019 asking for an electronic copy of the medical records maintained in UCMC’s electronic health record system to be sent to her lawyer. The HIPAA Right of Access requires copies of medical records to be provided, on request, no later than 30 days after receipt of the request. 45 C.F.R. § 164.524 also states that...

Read More
PHI Potentially Compromised in Security Incidents at People Incorporated and My Choice HouseCalls
Nov18

PHI Potentially Compromised in Security Incidents at People Incorporated and My Choice HouseCalls

People Incorporated Mental Health Services, a provider of integrated behavioral and mental health services in Minnesota, is notifying 27,500 patients that some of their protected health information was exposed in an email account breach between April 28, 2020 and May 4, 2020. Prompt action was taken to block further access to the email accounts and an investigation was launched to determine the nature and scope of the breach. Assisted by third-party cybersecurity experts, and after conducting a manual document review, People Incorporated discovered on September 8, 2020 that the email accounts contained patients’ personal and protected health information. While third party access to the email accounts had occurred, no evidence was found to indicate any information was stolen or has been misused. The PHI in the compromised accounts included names, dates of birth, addresses, treatment information, insurance information, and medical record numbers and, for a limited number of individuals, Social Security numbers, financial account information, health insurance information, and...

Read More
Ransomware Attacks Impact First Impressions Orthodontics, Kids First Dentistry & Orthodontics, and Hendrick Health Patients
Nov17

Ransomware Attacks Impact First Impressions Orthodontics, Kids First Dentistry & Orthodontics, and Hendrick Health Patients

First Impressions Orthodontics, a subsidiary of Professional Dental Alliance of Connecticut PLLC, experienced a ransomware attack on September 28, 2020 that potentially saw the protected health information of 23,000 patients accessed by the attackers. Backups were regularly performed and stored securely, so patient data could be recovered without having to pay the ransom. In addition to the 23,000 First Impressions Orthodontics patients, 5,000 patients of Kids First Dentistry & Orthodontics who had x-rays performed at First Impressions Orthodontics were also impacted by the breach. The types of data potentially compromised included names, addresses, telephone numbers, email addresses, contact telephone numbers, Social Security numbers, dental insurance numbers, dental records, dental images, service charge amounts, and payments received for services provided. Patients who only had their x-ray images compromised only had their name, date of birth, and insurance information exposed. Affected individuals were notified in accordance with HIPAA requirements, but no evidence of data...

Read More
North Dakota and Delaware State Departments Report Breaches of PHI
Nov17

North Dakota and Delaware State Departments Report Breaches of PHI

The North Dakota Department of Health, Department of Human Services, Cavalier County Health District, and other state agencies were impacted by a phishing attack that saw multiple employee email accounts compromised between November 23 and December 23, 2019. The breach investigation did not uncover any evidence to suggest protected health information was stolen or misused or that the attack was conducted in order to obtain patient information. An analysis of the compromised accounts revealed they contained names, dates of birth, addresses, medical diagnoses and treatment information, driver’s license numbers and mothers’ maiden name and, for a limited number of individuals, Social Security numbers and/or financial information. The breach report submitted to the HHS’ Office for Civil Rights indicates 35,416 individuals were affected by the breach. All individuals affected have been notified and those who had their Social Security number exposed have been offered free membership to credit monitoring services. North Dakota has since taken steps to improve email security to prevent...

Read More
Luxottica Data Breach Impacts 829,454 Individuals in the United States
Nov13

Luxottica Data Breach Impacts 829,454 Individuals in the United States

Luxottica, the world’s largest eyewear company, experienced a cyberattack that affected some of the websites operated by the company. Luxottica is the owner of eyewear brands such as Ray-Ban, Oakley, and Persol and produces designer eyewear for many well-known fashion brands. It also operates the EyeMed vision benefits company and partners with LensCrafters, Target Optical, EyeMed, Pearle Vision, and other eye care providers. Luxottica partners are provided with web-based appointment scheduling software that allows patients to book appointments with eye care providers online and by phone. According to a recent breach notification, the appointment scheduling application was hacked by unknown individuals on August 5, 2020 and the attackers potentially gained access to the personal and protected health information of patients of its eye care partners. Luxottica discovered the cyberattack on August 9, 2020 and immediately took steps to contain the breach. The subsequent investigation confirmed personal and protected health information were potentially accessed and acquired by the...

Read More
Ransomware Attack on Medicaid Billing Service Provider Impacts 116,000 Individuals
Nov11

Ransomware Attack on Medicaid Billing Service Provider Impacts 116,000 Individuals

Timberline Billing Service, LLC, a Des Moines, IA-based Medicaid billing company, has suffered a ransomware attack that resulted in the encryption and theft of data. An investigation into the attack revealed an unknown individual gained access to its systems between February 12, 2020 and March 4, 2020 and deployed ransomware. Prior to the encryption of files, some information was exfiltrated from its systems. Timberline’s clients include around 190 schools in Iowa. School districts in the state that have been impacted by the breach have now been notified. It is currently unclear exactly how many schools were affected and if the breach was limited to schools in Iowa. Timberline also has offices in Kansas and Illinois. The types of data potentially obtained by the attacker included names, dates of birth, Medicaid ID numbers, and billing information. A limited number of Social Security numbers were also potentially compromised. While data theft occurred, no reports have been received to indicate any data have been misused. The breach has been reported to the Department of Health and...

Read More
PHI Incidents Recently Reported by Healthcare Providers and Business Associates
Nov10

PHI Incidents Recently Reported by Healthcare Providers and Business Associates

A roundup of privacy and security incidents recently reported by HIPAA-covered entities and business associates that involved the exposure of disclosure of protected health information. Server Breach Impacts Patients of Northwest Eye Surgeons and Sight Partners Northwest Eye Surgeons LLC and Sight Partners LLC have started notifying 20,838 patients that some of their protected health information was stored on a server that was accessed by an unauthorized third party. The breach was detected on May 1, 2020 and an investigation was immediately launched to determine the extent and scope of the breach. A third-party cybersecurity firm was engaged to assist with the investigation, and the review of the affected server was completed on July 31, 2020. A different IT firm was then engaged on August 7, 2020 to identify all protected health information stored on the server to determine which patients were affected. The review revealed the server contained information such as patients’ names, dates of birth, Social Security numbers, driver’s license numbers, ID numbers, financial account and...

Read More
$350,000 Settlement Reached to Resolve Saint Francis Healthcare Data Breach Lawsuit
Nov09

$350,000 Settlement Reached to Resolve Saint Francis Healthcare Data Breach Lawsuit

A $350,000 settlement has been reached between Saint Francis Healthcare System and patients impacted by a September 2019 ransomware attack on Ferguson Medical Group (FMG). FMG was acquired by Saint Francis after a cyberattack that rendered data, including electronic medical records, on FMG systems inaccessible. The decision was taken to restore the encrypted data from backups rather than pay the ransom, and while patient data and other files were recovered, it was not possible to recover all data encrypted in the attack. FMG was unable to restore a batch of data related to medical services provided to patients between September 20, 2018 and December 31, 2018 which has been permanently lost. FMG announced the incident impacted around 107,000 patients, and those individuals were offered complimentary membership to credit monitoring services. A class action lawsuit was filed against Saint Francis Healthcare in January 2020 in the U.S. District Court of Eastern Missouri which alleged negligence per se, breach of express and implied contracts, invasion of privacy, and violations of the...

Read More
Healthcare Providers Affected by Email Account Breach at Payment Processing Vendor
Nov06

Healthcare Providers Affected by Email Account Breach at Payment Processing Vendor

Lafayette, LA-based Provider Health Services, Paragould-based Arkansas Methodist Medical Center, and Miami, FL-based lntelliRad Imaging have announced they have been affected by an email security breach at one of their business associates. All three entities have a lockbox service with IBERIABANK to collect and process payments. IBERIABANK uses Technology Management Resources, Inc. (TMR) as a third‐party lockbox service provider for capturing and processing payment data for the lockbox. TMR discovered on July 3, 2020 that one of its employee’s email accounts had been accessed by an unauthorized individual, and that individual may have accessed or exfiltrated images containing protected health information. TMR notified affected customers on August 21, 2020 and confirmed that the threat actor potentially viewed images of checks and other images that contained protected health information within the TMR’s iRemit application. The unauthorized access occurred between August 5, 2018 and May 31, 2020, with most of the activity occurring between February 2020 and May 2020. Provider Health...

Read More
Blackbaud SEC Filing Provides Further Information on Data Breach and Mitigation Costs
Nov05

Blackbaud SEC Filing Provides Further Information on Data Breach and Mitigation Costs

The number of victims reporting being impacted by the Blackbaud ransomware attack and data breach has continued to grow over the past few weeks, with the Department of Health and Human Services’ Office for Civil Rights breach portal continuing to list healthcare victims. Recent additions include Moffitt Cancer Center, OSF HealthCare System, and Geisinger, with those three entities reporting the incident as affecting a total of 276,600 individuals. While the total number of victims has not been disclosed by Blackbaud, at least 250 healthcare organizations, non-profits, and educational institutions are known to have been impacted, with healthcare organizations reporting the breach as affecting more than 10 million individuals. Unsurprisingly given the breach costs incurred by organizations and the number of individuals whose personal information has been exposed, Blackbaud is facing many class action lawsuits. At least 23 proposed class action lawsuits have been filed so far in the United States and Canada, according to its 2020 Q3 Quarterly Report filed with the U.S. Securities and...

Read More
Ascend Clinical and Alamance Skin Center Suffer Ransomware Attacks
Nov05

Ascend Clinical and Alamance Skin Center Suffer Ransomware Attacks

Redwood City, CA-based Ascend Clinical, a provider of ESRD laboratory testing for independent dialysis providers, has announced it suffered a phishing attack that led to a ransomware attack in May 2020. Unusual system activity and file encryption were detected on or around May 31, 2020. Prompt action was taken to isolate the affected systems and an investigation was launched to determine the nature and scope of the incident. Assisted by a third-party security firm, Ascend Clinical determined access to its systems was gained when an employee responded to a phishing email. Prior to the use of ransomware, the attackers accessed files that contained names, dates of birth, mailing addresses, and Social Security numbers. Steps have since been taken to strengthen its email security defenses to prevent similar attacks in the future. The breach report submitted to the HHS’ Office for Civil Rights indicates 77,443 individuals were affected by the incident. Alamance Skin Center Suffers Ransomware Attack The Greensboro-based health system, Cone Health, has suffered a ransomware attack that...

Read More
Wakefern Food Corporation Settles HIPAA Breach Case with NJ Attorney General for $235,000
Nov04

Wakefern Food Corporation Settles HIPAA Breach Case with NJ Attorney General for $235,000

Wakefern Food Corporation has agreed to pay $235,000 in civil financial penalties to resolve allegations of violations of federal and state laws related to a data breach involving the protected health information of 9,700 customers of two ShopRite supermarkets in Millville, New Jersey and Kingston, New York. In addition to the financial penalties, the settlement requires improvements to be made to data security practices. Wakefern Food Corporation is the parent company of Union Lake Supermarket, LLC, which owns the ShopRite store in Millville and ShopRite Supermarkets, Inc., which owns the ShopRite store in Kingston, NY. In 2016, Wakefern replaced electronic devices that were used to collect customer signatures and purchase information at the two locations. The old devices were disposed of in regular dumpsters without first destroying the devices or purging/clearing the stored data to ensure sensitive information could not be recovered. The devices contained the protected health information of 9,700 customers of the two stores including names, contact information, zip codes,...

Read More
Email Security Breaches Reported by Arkansas Otolaryngology Center and Centerstone
Nov04

Email Security Breaches Reported by Arkansas Otolaryngology Center and Centerstone

Centerstone, a provider of mental health and substance use disorder treatment services in Indiana, Illinois, Tennessee, and Florida, has discovered an employee’s email account has been accessed by an unauthorized individual. Unusual activity was detected in the email account and it was immediately secured. The investigation revealed the email account had been accessed between December 12, 2019 and December 16, 2019; however, it took until August 25, 2020 for the investigation to confirm that protected health information was contained within the account. The protected health information of patients was exposed in the incident, including names, dates of birth, Social Security numbers, driver’s license numbers, state identification card numbers, medical diagnoses, treatment information, Medicaid and Medicare information, and health insurance information. The types of exposed data varied from patient to patient. Some employee information was also potentially compromised. Notification letters were sent to affected patients on Thursday, October 22, 2020 and information has been provided...

Read More
Failure to Terminate Former Employee’s Access Rights Results in $202,400 HIPAA Fine for New Haven, CT
Nov02

Failure to Terminate Former Employee’s Access Rights Results in $202,400 HIPAA Fine for New Haven, CT

The City of New Haven, Connecticut has agreed to pay a $202,400 financial penalty to the Department of Health and Human Services’ Office for Civil Rights to resolve a HIPAA violation case. An OCR investigation was launched in May 2017 following receipt of a data breach notification from New Haven on January 24, 2017. OCR investigated whether the data breach was linked to potential violations of HIPAA Rules. During the investigation, OCR discovered the New Haven Health Department had terminated an employee on July 27, 2016 during her probationary period. The former employee returned to the New Haven Heath Department on July 27, 2016 with her union representative and used her work key to access her old office, where she locked herself inside with her union representative. While in her office, the former employee logged into her old computer using her username and password and copied information from her computer onto a USB drive. She also removed personal items and documents from the office, and then exited the premises. A file on the computer contained the protected health...

Read More
Sky Lakes Medical Center and St. Lawrence Health System Attacked with Ransomware
Oct29

Sky Lakes Medical Center and St. Lawrence Health System Attacked with Ransomware

Two more hospitals have experienced ransomware attacks that have taken their computer systems offline and have forced clinicians to switch to pen and paper to record patient information. Both ransomware attacks occurred on Tuesday, October 27, 2020, one on Sky Lakes Medical Center in Klamath Falls, OR and the other on St. Lawrence Health System in New York. Both attacks involved Ryuk ransomware. Sky Lakes Medical Center announced on Facebook that while its computer systems had been taken out of action, care continued to be provided to patients and its emergency and urgent care departments remained open and fully operational and most scheduled elective procedures were continuing as planned. At this stage, no evidence has been found to indicate any patient data were compromised in the attack; however, the investigation is still in the early stages. The attack on St. Lawrence Health System was detected several hours after the initial compromise. St. Lawrence Health System issued a statement saying its IT department had taken systems offline in an effort to contain the attack and...

Read More
Aetna Hit with $1 Million HIPAA Fine for Three Data Breaches
Oct29

Aetna Hit with $1 Million HIPAA Fine for Three Data Breaches

Aetna Life Insurance Company and the affiliated covered entity (Aetna) has agreed to settle multiple potential HIPAA violations with the Department of Health and Human Services’ Office for Civil Rights (OCR) that were discovered during the investigation of three data breaches that occurred in 2017. The first of those data breaches was reported to OCR in June 2017 and concerned the exposure of the protected health information (PHI) of health plan members over the Internet. Two web services were used to display health plan-related documents to its members, but those documents could be accessed over the Internet without the need for any login credentials. The lack of authentication allowed the documents to be indexed by search engines and displayed in search results. Aetna’s investigation revealed the PHI of 5,002 individuals had been exposed, which included names, insurance identification numbers, claim payment amounts, procedures service codes, and dates of service. The second two HIPAA breaches involved the exposure and impermissible disclosure of highly sensitive information in...

Read More
Sonoma Valley Hospital Suffers Significant EHR Downtime Event
Oct28

Sonoma Valley Hospital Suffers Significant EHR Downtime Event

Sonoma Valley Hospital in California experienced a computer security incident on October 11, 2020 which took its computer systems offline and caused “a significant downtime event.” The hospital implemented its business continuity plan which allowed care to continue to be provided to patients while its computer systems were out of action. Throughout the incident its emergency department remained open and elective and necessary surgeries continued to be performed. The majority of diagnostic services continued without interruption, although the incident did cause disruption for some patients. The patient portal has remained available throughout, although new results have not been posted since October 11. An investigation into the incident was immediately launched and third-party cybersecurity experts were engaged to assist with the investigation and recovery efforts. In a December 8, 2020 letter to patients, the hospital explained that patient data may have been compromised during the attack. The letter confirms ransomware was used to encrypt files in an attempt to extort money from...

Read More
September 2020 Healthcare Data Breach Report: 9.7 Million Records Compromised
Oct22

September 2020 Healthcare Data Breach Report: 9.7 Million Records Compromised

September has been a bad month for data breaches. 95 data breaches of 500 or more records were reported by HIPAA-covered entities and business associates in September – A 156.75% increase compared to August 2020. Not only did September see a massive increase in reported data breaches, the number of records exposed also increased significantly. 9,710,520 healthcare records were exposed in those breaches – 348.07% more than August – with 18 entities suffering breaches of more than 100,000 records. The mean breach size was 102,216 records and the median breach size was 16,038 records. Causes of September 2020 Healthcare Data Breaches The massive increase in reported data breaches is due to the ransomware attack on the cloud software company Blackbaud. In May 2020, Blackbaud suffered a ransomware attack in which hackers gained access to servers housing some of its customers’ fundraising databases. Those customers included many higher education and third sector organizations, and a significant number of healthcare providers. Blackbaud was able to contain the breach; however, prior...

Read More
Dickinson County Health Suffers Ransomware Attack
Oct21

Dickinson County Health Suffers Ransomware Attack

Michigan-based Dickinson County Health has suffered a malware attack that has taken its EHR system offline. The attack has forced the health system to adopt EHR downtime procedures and record patient data using pen and paper. The attack commenced on October 17, 2020 and disrupted computer systems at all its clinics and hospitals in Michigan and Wisconsin. Systems were shut down to contain the malware and third-party security experts have been retained to investigate the breach and restore its systems and data. While the attack caused considerable disruption, virtually all patient services remained fully operational. It is currently unclear whether patient data were accessed or stolen by the attackers. “We are treating this matter with the highest priority and are responding by using industry best practices while implementing aggressive protection measures,” said Chuck Nelson, DCHS CEO. “While we investigate, our top priority is maintaining our high standards for patient care throughout our system.” 25,000 Individuals Potentially Impacted by Passavant Memorial Homes Security Breach...

Read More
Piedmont Cancer Institute Phishing Attack Impacts 5,000 Patients
Oct15

Piedmont Cancer Institute Phishing Attack Impacts 5,000 Patients

Piedmont Cancer Institute (PCI) in Atlanta, GA is notifying 5,226 patients that some of their protected health information may have been viewed or obtained by an unauthorized individual who gained access to the email account of one of its employees. Assisted by a third-party cybersecurity firm, PCI determined the email account was compromised for more than a month, with the unauthorized individual first accessing the account on April 5, 2020. The account was secured on May 8, 2020. A review of the compromised account concluded on August 8, 2020 and revealed it contained a variety of protected health information. In addition to names, affected patients had one or more of the following data elements exposed: date of birth, medical information such as diagnosis and treatment information, financial account information, and/or credit/debit card number. To prevent further breaches, PCI has implemented multi-factor authentication on its email accounts and has provided further training to the workforce on email security. Potential Data Breach Discovered by McLaren Oakland Hospital McLaren...

Read More
Sen. Warner Seeks Answers about Suspected Universal Health Services Ransomware Attack
Oct14

Sen. Warner Seeks Answers about Suspected Universal Health Services Ransomware Attack

Universal Health Services has confirmed that all 250 of its hospitals in the United States are back up and running after a suspected ransomware attack that knocked out its systems for 3 weeks. The attack started on or around September 27, 2020. All systems were brought back online by October 12. An update was posted on the UHS website this week saying, “With back-loading of data substantially complete at this point, hospitals are resuming normal operations.” While systems were down, clinicians were forced to work with pen and paper in order to continue providing care for patients and, at some locations, patients had to be diverted to alternate facilities to receive treatment. The health system reported the security breach as a malware attack which forced it to shut down its network; however, several insiders took to Reddit to voice their concerns and explain that this was a ransomware attack. Based on the data posted by those insiders, the attack appeared to have involved Ryuk ransomware. The operators of Ryuk ransomware are known to exfiltrate data prior to the...

Read More
228,000 Individuals Impacted by Legacy Community Health Services Phishing Attack
Oct12

228,000 Individuals Impacted by Legacy Community Health Services Phishing Attack

Legacy Community Health Services in Texas is alerting 228,009 patients about a data breach involving some of their protected health information (PHI). The PHI was stored in an email account that was accessed by an unauthorized individual. The breach was detected on July 29, 2020, one day after an employee responded to a phishing email and disclosed login credentials to the attacker. The account was immediately secured and a computer forensics firm was engaged to assist with the investigation. No evidence was found to indicate emails were viewed by the attacker or that electronic protected health information was stolen, although the possibility of data theft could not be totally discounted. The compromised email account contained patient names, dates of service, and health information related to care at Legacy, along with a limited number of Social Security numbers. Complimentary membership to a credit monitoring and identity protection service was been offered to individuals whose SSN was compromised. Email security has been reinforced since the attack and the staff has been...

Read More
OCR Announces 9th Financial Penalty under its HIPAA Right of Access Initiative
Oct12

OCR Announces 9th Financial Penalty under its HIPAA Right of Access Initiative

The HHS’ Office for Civil Rights (OCR) is continuing its crackdown on healthcare providers that are not fully complying with the HIPAA right of access. Last week, OCR announced its ninth enforcement action against a HIPAA-covered entity for the failure to provide patients with timely access to their medical records at a reasonable cost. HIPAA gives patients the right to view or receive a copy of their medical records. When a request is made for access to medical records, HIPAA-covered entities must provide access or supply a copy of the requested medical records as soon as possible, but no later than 30 days after the request is received. By obtaining a copy of their medical records, patients can share those records with other providers, research organizations, or individuals of their choosing. Patients can check their medical records for errors and submit requests to correct any mistakes. In the event of a ransomware attack that renders medical records inaccessible, patients who have a copy of their records ensure that their health histories are never lost. Under the OCR HIPAA...

Read More
Community Health Systems Pays $5 Million to Settle Multi-State Breach Investigation
Oct09

Community Health Systems Pays $5 Million to Settle Multi-State Breach Investigation

Franklin, TN-based Community Health Systems and its subsidiary CHSPCS LLC have settled a multi-state action with 28 state attorneys general for $5 million. A joint investigation, led by Tennessee Attorney General Herbert H. Slatery III, was launched following a breach of the protected health information (PHI) of 6.1 million individuals in 2014. At the time of the breach, Community Health Systems owned, leased, or operated 206 affiliated hospitals. According to a 2014 8-K filing with the U.S. Securities and Exchange Commission, the health system was hacked by a Chinese advanced persistent threat group which installed malware on its systems that was used to steal data. PHI stolen by the hackers included names, phone numbers, addresses, dates of birth, sex, ethnicity, Social Security numbers, and emergency contact information. The same breach was investigated by the HHS’ Office for Civil Rights, which announced late last month that a settlement had been reached with CHSPCS over the breach and a $2.3 million penalty had been paid to resolve potential HIPAA violations discovered during...

Read More
Former Mayo Clinic Employee Accessed Medical Records of 1,600 Patients Without Authorization
Oct08

Former Mayo Clinic Employee Accessed Medical Records of 1,600 Patients Without Authorization

Mayo Clinic has started notifying more than 1,600 patients that some of their protected health information has been viewed by a former employee without authorization. Mayo Clinic confirmed on August 5, 2020 that a licensed health care professional had accessed the records of patients when there was no legitimate reason for doing so. The employee was ending their employment with Mayo Clinic when the privacy breach was discovered and the individual no longer works at Mayo Clinic. The reason for accessing the medical records is not known and Mayo Clinic has not disclosed when the privacy breach occurred. Mayo Clinic explained that the access was limited in duration and no evidence was found to suggest any information was printed or retained by the employee. The types of information accessed included names, dates of birth, demographic information, medical record numbers, medical images, and clinical notes. No financial information or Social Security numbers were viewed. Mayo Clinic has reported the unauthorized access to the Rochester Police Department and the FBI, and the privacy...

Read More
OCR Imposes $160,000 Penalty on Healthcare Provider for HIPAA Right of Access Failure
Oct08

OCR Imposes $160,000 Penalty on Healthcare Provider for HIPAA Right of Access Failure

The Department of Health and Human Services’ Office for Civil Rights has announced its 12th HIPAA penalty of 2020 and its 8th under the HIPAA Right of Access enforcement initiative that was launched in 2019. The $160,000 settlement is the largest HIPAA penalty to date for a failure to provide an individual with timely access to their requested medical records. On January 24, 2018, Dignity Health, doing business as St. Joseph’s Hospital and Medical Center (SJHMC), received a request from the mother of a patient who wanted a copy of her son’s medical records. The mother was acting as the personal representative of her son. After not receiving all of the requested records by April 25, 2018, the mother lodged a complaint with the Office for Civil Rights. OCR investigated the potential HIPAA violation and determined the complainant had requested four specific sets of medical records from SJHMC. The first request was sent on January 24, 2018, and the same records were requested on March 22, April 3, and May 2, 2018. SJHMC did respond to the requests and provided some, but not all, of the...

Read More
Magnolia Pediatrics and Accents on Health Suffer Ransomware Attacks
Oct06

Magnolia Pediatrics and Accents on Health Suffer Ransomware Attacks

Prairieville, LA-based Magnolia Pediatrics is notifying 12,861 patients that some of their protected health information has potentially been compromised in a ransomware attack that occurred on or around March 26, 2020. The ransomware attack was investigated by its IT vendor, LaCompuTech, which determined only its master boot record had been affected and patient information had not been accessed, encrypted or exported by the attackers. The IT vendor determined a HIPAA breach had not occurred and the incident therefore did not need to be reported to the HHS’ Office for Civil Rights and notification letters to patients were not warranted. However, OCR informed Magnolia Pediatrics on September 11, 2020 that the incident was a reportable data breach and patient notification letters were required. OCR explained that any hacker who was able to access the master boot record must have had full control of the server and therefore had access to any protected health information stored on that server. Protected health information stored on the server included patients’ names, addresses,...

Read More
Clinical Trial Software Provider Hit with Ransomware Attack
Oct05

Clinical Trial Software Provider Hit with Ransomware Attack

Philadelphia-based eResearchTechnology, a company that sells software that is used in clinical trials, including clinical trials of Covid-19 vaccines, was hit with a ransomware attack that has affected several of its clients, including at least one company running Covid-19 vaccine trials. The attack occurred on September 20, 2020 and forced some clinical trial researchers to switch to pen and paper to track their patients. While patient safety was never put at risk, the attack has had an effect on clinical trials and has slowed progress. IQVIA, the research organization running AstraZeneca’s Covid-19 vaccine trial was one of the organizations affected by the attack, although it is unclear to what extent, if any, the attack affected its Covid-19 vaccine trial. Bristol Myers Squibb, which is leading efforts to develop a rapid test for the virus, was also affected by the ransomware attack. Both firms explained that the effect was limited as they had backups which could be used to recover data. IQVIA issued a statement saying it was unaware of any confidential data related to clinical...

Read More
What are the HIPAA Breach Notification Requirements?
Oct04

What are the HIPAA Breach Notification Requirements?

All HIPAA covered entities must familiarize themselves with the HIPAA breach notification requirements and develop a breach response plan that can be implemented as soon as a breach of unsecured protected health information is discovered.  The HIPAA training for staff must include procedures for reporting breaches. While most HIPAA covered entities should understand the HIPAA breach notification requirements, organizations that have yet to experience a data breach may not have a good working knowledge of the requirements of the Breach Notification Rule. Vendors that have only just started serving healthcare clients may similarly be unsure of the reporting requirements and actions that must be taken following a breach. The issuing of notifications following a breach of unencrypted protected health information is an important element of HIPAA compliance. The failure to comply with HIPAA breach notification requirements can result in a significant financial penalty. With this in mind, we have compiled a summary of the HIPAA breach notification requirements for covered entities and...

Read More
Financial information and SSNs Potentially Accessed in Blackbaud Ransomware Attack
Oct02

Financial information and SSNs Potentially Accessed in Blackbaud Ransomware Attack

On Wednesday, Blackbaud filed a Form 8-K with the U.S. Securities and Exchange Commission (SEC) that provided further information on the ransomware attack the company suffered in May 2020. Blackbaud explained that the forensic investigation into the breach has revealed further information was potentially compromised in the breach. For certain customers, unencrypted fields that were intended for Social Security numbers, bank account information, and usernames and passwords may also have been accessed by the hackers. Most of the customers affected by the breach did not have this additional information exposed, as the fields for sensitive information were encrypted and any data included in those fields would have been unreadable to the attackers. Blackbaud explained that any customers who may have had sensitive information exposed are being contacted and notified and additional support is being provided. Blackbaud explained in the SEC filing that the company was able to prevent the attackers from fully encrypting certain files but confirmed that prior to encryption a subset of data...

Read More
Anthem Inc. Settles State Attorneys General Data Breach Investigations and Pays $48.2 Million in Penalties
Oct01

Anthem Inc. Settles State Attorneys General Data Breach Investigations and Pays $48.2 Million in Penalties

The Indianapolis, IN-based health insurer Anthem Inc. has settled a multi-state investigation by state attorneys general over its 78.8 million record data breach in 2014. One settlement was agreed with Attorneys General in 43 states and Washington D.C for $39.5 million and a separate settlement was reached with the California Attorney General for $8.7 million.  The settlements resolve violations of Federal and state laws that contributed to the data breach – the largest ever breach of healthcare data in the United States. The cyberattack on Anthem occurred in 2014. Hackers targeted the health insurer with phishing emails, the responses to which gave them the foothold in the network they needed. From there, the hackers spent months exploring Anthem’s network and exfiltrating data from its customer databases. Data stolen in the attack included the names, contact information, dates of birth, health insurance ID numbers, and Social Security numbers of current and former health plan members and employees. And was announced by Anthem in February 2015. A Chinese national and an unnamed...

Read More
PHI of 26,861 Patients Potentially Compromised in Oaklawn Hospital Phishing Attack
Oct01

PHI of 26,861 Patients Potentially Compromised in Oaklawn Hospital Phishing Attack

Oaklawn Hospital in Marshall, MI, has started notifying 26,861 patients about a potential breach of their personal and health information. It is unclear when the breach was detected, but the forensic investigation revealed on July 28, 2020 that the email accounts of certain employees had been accessed by unauthorized third parties between April 14 and April 15, 2020. Access to the accounts was gained after employees responded to phishing emails and disclosed their email credentials. The breach was detected when suspicious emails were found in several employee email accounts. A comprehensive manual document review was conducted to identify any protected health information stored in the compromised email accounts. The compromised accounts were discovered to contain patient names along with dates of birth, medical information, and health insurance information. The Social Security numbers, driver’s license numbers, financial account information, and online login information of “a very limited” number of patients were also potentially compromised. The delay in issuing notification...

Read More
4 More U.S. Healthcare Providers Discover Email Account Breaches
Sep30

4 More U.S. Healthcare Providers Discover Email Account Breaches

Alameda Health System (AHS), an Alameda, CA-based provider of emergency, inpatient, outpatient, and wellness services in the East Bay area, has discovered an unauthorized individual temporarily gained access to the email account of an employee. AHS learned that the account was accessed for a brief period on April 8, 2020. The breach was discovered by AHS on June 17, 2020. Assisted by a leading forensic security firm, AHS determined that the following types of information were potentially compromised: names, dates of birth, medical record numbers, appointment dates, limited medical information, health insurance information, Social Security numbers and driver’s license numbers. AHS and the forensic investigators found no evidence to suggest any information was stolen or misused for the purpose of committing identity theft or fraud, but as a precaution, individuals whose Social Security number was potentially compromised have been offered complimentary membership to credit monitoring and identity theft protection services. The breach report submitted to the HHS’ Office for Civil...

Read More
MU Health Care Phishing Attack Impacts 5,000 Patients
Sep29

MU Health Care Phishing Attack Impacts 5,000 Patients

University of Missouri Health Care (MU Health Care) has experienced a phishing attack that saw several employee email accounts compromised between May 4 and May 6, 2020. An investigation into the breach revealed the compromised email accounts contained patient information including names, account numbers, dates of birth, health insurance information, Social Security numbers, and driver’s license numbers. MU Health Care has notified all patients affected by the attack and has offered individuals whose Social Security number was potentially compromised complimentary credit monitoring services. No reports have been received that suggest any patient information has been misused. A breach report submitted to the HHS Office for Civil Rights shows indicates 189,736 individuals may have been impacted. Data Leaked Following University Hospital SunCrypt Ransomware Attack University Hospital, a teaching hospital in Newark, NJ, has experienced a ransomware attack involving SunCrypt ransomware. The attack occurred in September 2020. Prior to the use of ransomware, the attackers exfiltrated...

Read More
Universal Health Services Ransomware Attack Cripples IT Systems Across United States
Sep29

Universal Health Services Ransomware Attack Cripples IT Systems Across United States

Universal Health Services (UHS), a King of Prussia, PA-based health system with more than 400 healthcare facilities in the United States and UK, has suffered a major security breach that has seen its IT systems crippled. The Fortune 500 healthcare provider has more than 90,000 employees and serves around 3.5 million patients each year. According to a statement published on its website, the company “experienced an information technology security incident in the early morning hours of September 27, 2020.” Upon discovery of the breach, UHS “suspended user access to its information technology applications related to operations located in the United States.” UHS has implemented information security and emergency protocols and is working closely with its security partners to mitigate the attack and restore its IT operations as quickly as possible. The cyberattack crippled its IT systems, leaving affected hospitals without access to their computer and phone systems. UK facilities were unaffected by the attack. The attack forced UHS to redirect ambulances to other healthcare providers and...

Read More
OCR Imposes 2nd Largest Ever HIPAA Penalty of $6.85 Million on Premera Blue Cross
Sep28

OCR Imposes 2nd Largest Ever HIPAA Penalty of $6.85 Million on Premera Blue Cross

The Department of Health and Human Services’ Office for Civil Rights (OCR) has imposed a $6.85 million HIPAA penalty on Premera Blue Cross to resolve HIPAA violations discovered during the investigation of a 2014 data breach involving the electronic protected health information of 10.4 million individuals. Mountlake Terrace, WA-based Premera Blue Cross is the largest health plan in the Pacific Northwest and serves more than 2 million individuals in Washington and Alaska. In May 2014, an advanced persistent threat group gained access to Premera’s computer system where they remained undetected for almost 9 months. The hackers targeted the health plan with a spear phishing email that installed malware. The malware gave the APT group access to ePHI such as names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, and health plan clinical information. The breach was discovered by Premera Blue Cross in January 2015 and OCR was notified about the breach in March 2015. OCR launched an investigation into the breach and discovered “systemic...

Read More
Business Associate Fined $2.3 Million for Breach of 6 Million Records and Multiple HIPAA Failures
Sep23

Business Associate Fined $2.3 Million for Breach of 6 Million Records and Multiple HIPAA Failures

The Department of Health and Human Services’ Office for Civil Rights has announced its 10th HIPAA violation fine of 2020. This is the 7th financial penalty to resolve HIPAA violations that has been announced in as many days. The latest financial penalty is the largest to be imposed in 2020 at $2.3 million and resolves a case involving 5 potential violations of the HIPAA Rules, including a breach of the electronic protected health information (ePHI) of 6,121,158 individuals. CHSPSC LLC is Tennessee-based management company that provides services to many subsidiary hospital operator companies and other affiliates of Community Health Systems, including legal, compliance, accounting, operations, human resources, IT, and health information management services. The provision of those services requires access to ePHI, so CHSPSC is classed as a business associate and is required to comply with the HIPAA Security Rule. On April 10, 2014, CHSPSC suffered a cyberattack by an advanced persistent threat group known as APT18. Using compromised admin credentials, the hackers remotely accessed...

Read More
Montefiore Medical Center and Geisinger Fire Employees for Improper PHI Access
Sep22

Montefiore Medical Center and Geisinger Fire Employees for Improper PHI Access

Montefiore Medical Center in Bronx, NY has fired an employee over the alleged theft of the protected health information of approximately 4,000 patients. Montefiore became aware of a potential internal data breach in July 2020 and launched an investigation into unauthorized medical record access. Montefiore had implemented a technology solution that monitors EHRs for inappropriate access, which identified the employee. The investigation confirmed that the employee had accessed medical records without any legitimate work reason between January 2018 and July 2020. Accessing the medical records of patients when there is no legitimate reason for doing so is a violation of HIPAA and hospital policies. Montefiore said criminal background checks are performed on all employees prior to being given a position at the medical center and Montefiore provides HIPAA training to all employees. The employee in question had received significant privacy and security training but had chosen to violate internal policies and HIPAA Rules. The investigation into the breach is ongoing and the matter has...

Read More
August 2020 Healthcare Data Breach Report
Sep22

August 2020 Healthcare Data Breach Report

37 healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights in August 2020, one more than July 2020 and one below the 12-month average. The number of breaches remained fairly constant month-over-month, but there was a 63.9% increase in breached records in August. 2,167,179 records were exposed, stolen, or impermissibly disclosed in August. The average breach size of 58,572 records and the median breach size was 3,736 records.     Largest Healthcare Data Breaches Reported in August 2020   Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of Breached PHI Incident Northern Light Health Business Associate 657,392 Hacking/IT Incident Network Server, Other Blackbaud ransomware attack Saint Luke’s Foundation Healthcare Provider 360,212 Hacking/IT Incident Network Server Blackbaud ransomware attack Assured Imaging Healthcare Provider 244,813 Hacking/IT Incident Network Server Ransomware attack MultiCare Health System Healthcare Provider 179,189 Hacking/IT Incident Network Server Blackbaud...

Read More
Noncompliance with HIPAA Results in $1.5 Million Financial Penalty for Athens Orthopedic Clinic
Sep21

Noncompliance with HIPAA Results in $1.5 Million Financial Penalty for Athens Orthopedic Clinic

The HHS’ Office for Civil Rights has announced a $1.5 million settlement has been reached with Athens Orthopedic Clinic PA to resolve multiple violations of the Health Insurance Portability and Accountability Act (HIPAA) Rules. OCR conducted an investigation into a data breach reported by the Athens, GA-based healthcare provider on July 29, 2016.  Athens Orthopedic Clinic had been notified by Dissent of Databreaches.net on June 26, 2016 that a database containing the electronic protected health information (ePHI) of Athens Orthopedic Clinic patients had been listed for sale online by a hacking group known as The Dark Overlord. The hackers are known for infiltrating systems, stealing data, and issuing ransom demands, payment of which are required to prevent the publication/sale of data. Athens Orthopedic Clinic investigated the breach and determined that the hackers gained access to its systems on June 14, 2016 using vendor credentials and exfiltrated data from its EHR system. The records of 208,557 patients were stolen in the attack, including names, dates of birth, Social Security...

Read More
HIPAA Right of Access Failures Result in Five OCR HIPAA Fines
Sep16

HIPAA Right of Access Failures Result in Five OCR HIPAA Fines

The Department of Health and Human Services’ Office for Civil Rights has announced five settlements have been reached to resolve HIPAA violations discovered during the investigation of complaints from patients who had experienced problems obtaining a copy of their health records. The HIPAA Privacy Rule gives individuals the right to have timely access to their health records at a reasonable cost. If an individual chooses to exercise their rights under HIPAA and submit a request for a copy of their health records, a healthcare provider must provide those records without reasonable delay and within 30 days of receiving the request. After receiving multiple complaints from individuals who had been prevented from obtaining a copy of their health records, OCR launched its HIPAA right of access initiative in 2019 and made compliance with the HIPAA right of access one of its enforcement priorities. Two settlements were reached with HIPAA covered entities in 2019 over HIPAA right of access failures. Bayfront Health St Petersburg and Korunda Medical, LLC were each ordered to pay a financial...

Read More
Department of Veteran Affairs Reports Breach of Payment System and Potential Theft of Veterans’ SSNs
Sep15

Department of Veteran Affairs Reports Breach of Payment System and Potential Theft of Veterans’ SSNs

The U.S. Department of Veteran Affairs (VA) has experienced a data breach involving the personal information of around 46,000 veterans. Hackers gained access to an online application used by the VA Financial Services Center (FSC) and attempted to divert payments sent by the VA to community care providers to pay for veterans’ medical care. Social engineering tactics were used, and authentication protocols were exploited to gain access to the application and change bank account information. Upon discovery of the breach, the FSC took the payment processing application offline to prevent any further payments from being sent. It is unclear how many payments were sent before the cyberattack was discovered and whether the attack was detected in time to block fraudulent transfers. The FSC said the breached payment processing application will remain offline until the Office of Information Technology has performed a comprehensive security review. The main purpose of the cyberattack appears to have been to divert payments; however, the personally identifiable information and Social Security...

Read More
Starling Physicians Email Breach Impacts 7,777 Patients
Sep14

Starling Physicians Email Breach Impacts 7,777 Patients

Rocky Hill, CT-based Starling Physicians has started notifying 7,777 patients that some of their protected health information was stored in email accounts that were found to have been accessed by an unauthorized individual. A breach of its email environment was detected on or around July 7, 2020. A comprehensive review was conducted to determine the extent of the breach and whether any patient data had been accessed. While evidence of PHI access was not found, it was not possible to rule out unauthorized data access. Emails and email attachments were found to include names along with some of the following data elements: Dates of birth, medical record numbers, patient account numbers, diagnostic information, healthcare provider information, prescription information, and treatment information. A small number of affected individuals also had their address, social security number, and/or Medicare/Medicaid ID number exposed. Starling Physicians is strengthening its cybersecurity defenses to prevent similar data security events in the future. Advocate Aurora Health Notifies 2,979...

Read More
Inova Health System Says 1.05 Million Individuals Impacted by Blackbaud Ransomware Attack
Sep11

Inova Health System Says 1.05 Million Individuals Impacted by Blackbaud Ransomware Attack

Falls Church, VA-based Inova Health System is one of the latest healthcare providers to confirm that it has been affected by the ransomware attack on Blackbaud. A backup of its donor database contained the information of 1,045,270 donors, patients, and prospective donors, which takes the total number of healthcare victims in the United States past 2.99 million. That total is also likely to grow as the deadline for reporting the breach to the HHS has not yet been reached. On July 16, 2020, Blackbaud issued notifications to its clients that it had suffered a ransomware attack. Unauthorized individuals gained access to its systems on February 7, 2020, with access possible until May 20, 2020 when the attack was detected when ransomware was deployed. Prior to the deployment of ransomware, certain data were exfiltrated from Blackbaud’s servers. While not all clients were affected, the attackers were able to obtain backups of fundraising databases of many of the firm’s clients. For most organizations, the breached data were limited to donor names, addresses, dates of birth, contact...

Read More
Hennepin County Medical Center Faces Possible Legal Action Over Snooping on George Floyd’s Medical Records
Sep11

Hennepin County Medical Center Faces Possible Legal Action Over Snooping on George Floyd’s Medical Records

Hennepin County Medical Center in Minneapolis is potentially facing legal action after several employees were discovered to have snooped on George Floyd’s medical records. Attorney Antonio Romanucci of Chicago-based law firm Romanucci & Blandin said he was informed that several employees of Hennepin County Medical Center had accessed George Floyd’s medical records on multiple occasions when there was no legitimate reason for doing so, in clear violation of hospital policies and the Health Insurance Portability and Accountability Act (HIPAA). Attorneys representing Hennepin County Medical Center notified the family of George Floyd that certain records relating to George Floyd had been inappropriately accessed by certain employees. Details about the types of records viewed by the employees, the individuals involved, and their positions at Hennepin County Medical Center were not disclosed. Antonio Romanucci and the family’s legal team issued a statement to the Star Tribune saying they are currently “exploring all remedies” to “make this right and make the family whole for...

Read More
Up to 308,000 Patients Potentially Affected by Baton Rouge Clinic Ransomware Attack
Sep09

Up to 308,000 Patients Potentially Affected by Baton Rouge Clinic Ransomware Attack

The Baton Rouge Clinic in Louisiana experienced a cyberattack in early July that took its email and phone system out of action and limited its lab and radiology services. The cyberattack, which involved ransomware, took certain systems out of action for several weeks. It is now two months after the attack and the external email system is still not working. The clinic’s medical record system was not breached, so the data potentially viewed and/or obtained were limited. The attack was performed by an overseas adversary, according to a statement issued by the clinic. It is unclear whether the ransom was paid. The clinic said, “We followed the recommendations our cybersecurity firm made to us in consultation with the FBI.” The investigation into the breach confirmed that the attackers potentially accessed the protected health information of 85 patients, all of whom have now been notified. The types of information involved were EMR data downloaded in order to send claims to insurance companies. Separate breach notification letters were also sent to 308,000 patients. Those individuals...

Read More
PHI of Almost 140,000 Individuals Potentially Compromised in Imperium Health Phishing Attack
Sep07

PHI of Almost 140,000 Individuals Potentially Compromised in Imperium Health Phishing Attack

Imperium Health Management, a Louisville, KY-based provider of development services to Accountable Care Organizations (ACOs), is notifying 139,114 individuals that some of their protected health information was potentially compromised in a recent phishing attack. Imperium Health learned of the attack on April 23, 2020. The investigation revealed one email account was breached on April 21, 2020 and a second email account was breached on April 24, 2020 due to the employees responding to phishing emails. The emails contained links that appeared to be legitimate but directed the employees to a website where their email credentials were harvested. A review of the compromised email accounts revealed they contained protected health information such as patient names, addresses, dates of birth, medical record numbers, account numbers, health insurance information, Medicare numbers, Medicare Health Insurance Claim Numbers (which can include Social Security numbers), and limited clinical and treatment information. Imperium Health was notified that the accounts contained PHI on June 18, 2020....

Read More
Blackbaud Data Breach Healthcare Victim Count Rises to Almost 1 Million
Sep04

Blackbaud Data Breach Healthcare Victim Count Rises to Almost 1 Million

The number of healthcare providers confirmed to have been affected by the Blackbaud ransomware attack and data breach is growing, with a further four healthcare providers issuing breach notifications in the past few days. Yesterday we reported Northwestern Memorial HealthCare had been affected and the personal information of 55,983 individuals was compromised. Now the Department of Health and Human Services’ Office for Civil Rights breach portal shows 179,189 MultiCare Health System donors and potential donors have been affected, as have 52,500 donors to Spectrum Health Lakeland Foundation, and 22,718 donors to the Richard J. Caron Foundation. Earlier this month, Northern Light Health Foundation confirmed that the information of 657,392 donors was compromised in the breach. Catholic Health and its foundations, the University of Detroit Mercy, and Children’s Hospital of Pittsburgh Foundation are also known to have been affected by the Blackbaud data breach. The total number of healthcare organizations affected by the breach is still not known, nor the total number of individuals...

Read More
Assured Imaging Ransomware Attack Affects Almost 245,000 Patients
Sep04

Assured Imaging Ransomware Attack Affects Almost 245,000 Patients

Tucson, AZ-based Assured Imaging, a subsidiary of Rezolut Medical Imaging and provider of Health Screening and Diagnostic Services, has announced it has suffered a ransomware attack that resulted in the encryption of its medical record system. Assured Imaging discovered the attack on May 19, 2020 and worked quickly to stop any further unauthorized access and restore the encrypted data. Assisted by a third-party computer forensics firm, Assured Imaging investigated the ransomware attack to determine the scope of the breach. The investigation revealed an unauthorized individual gained access to its systems between May 15, 2020 and May 17, 2020 and exfiltrated “limited data” prior to the deployment of ransomware. The forensic investigation confirmed data had been stolen but it was not possible to determine exactly what information was exfiltrated by the attackers. A review was conducted to identify all types of information that could potentially have been accessed. The compromised system was found to contain full names, addresses, dates of birth, patient IDs, facility used, treating...

Read More
56,000 Northwestern Memorial HealthCare Donors Impacted by Blackbaud Ransomware Attack
Sep03

56,000 Northwestern Memorial HealthCare Donors Impacted by Blackbaud Ransomware Attack

Northwestern Memorial HealthCare has discovered the personal information of individuals who had previously made donations to Northwestern Memorial HealthCare was potentially compromised in the recent Blackbaud ransomware attack. An unauthorized individual first gained access to Blackbaud systems on February 7, 2020, with the access possible until May 20,2020 when ransomware was deployed. Prior to the use of ransomware, the attacker may have accessed a backup of a database that contained names, age, gender, dates of birth, medical record number, dates of service, departments of service, treating physicians, and/or limited clinical information. The database also contained the Social Security numbers and/or financial/payment card information of 5 individuals. In total, the information of 55,983 Northwestern Memorial HealthCare donors was potentially compromised in the attack. Northwestern Memorial HealthCare is conducting a review of its third-party database storage vendors and its relationship with Blackbaud in order to prevent similar data breaches in the future. Names and Health...

Read More
Utah Pathology Services Email Breach Potentially Affects 112,000 Patients
Aug31

Utah Pathology Services Email Breach Potentially Affects 112,000 Patients

Utah Pathology Services has announced an unauthorized individual has gained access to the email account of an employee and attempted to redirect funds from Utah Pathology. The breach was detected promptly, the compromised email account was secured, and the attempted fraud was unsuccessful and did not involve any patient information. Independent IT and forensic investigators were engaged to assist with the investigation and help determine the extent of the breach. The investigation is ongoing, but it has now been confirmed that the compromised email account contained the personal and protected health information of 112,124 patients. The purpose of the attack appears to have been to redirect funds to an account under the control of the attacker, rather than to steal patient data; however, the possibility of data theft could not be ruled out and affected individuals are now being notified about the breach. The compromised email account contained the following types of information in addition to patient names: Gender, date of birth, mailing address, phone number, email address, health...

Read More
Former Nursing Home Employee Accused of Defrauding Residents Out of $25,000
Aug28

Former Nursing Home Employee Accused of Defrauding Residents Out of $25,000

A former nursing home employee has been accused of stealing the identities of dozens of nursing home residents and using their accounts to pay her bills. The woman, Anna Zur, 39, of Franklin Park, IL, previously worked in the corporate office of a care facility and abused her access rights to residents’ information to obtain documents and financial information, which she sent to a personal email account. She has been accused of stealing the identities of residents and using their accounts to purchase goods and services and pay her bills. The Palos Heights Police Department conducted a year-long investigation into cases of identity theft and fraud and issued a warrant for the woman’s arrest. She was taken into custody on August 26, 2020 and has been charged with felony counts of wire fraud and continuing a financial crimes enterprise. The woman has been linked to 35 cases of identity theft and is alleged to have defrauded individuals out of $25,000. Patient Data Stolen in Ventura Orthopedics Ransomware Attack The Californian healthcare provider Ventura Orthopedics has experienced a...

Read More
Dynasplint Systems Data Breach Impacts Almost 103,000 Individuals
Aug26

Dynasplint Systems Data Breach Impacts Almost 103,000 Individuals

Severna Park, MD-based Dynasplint Systems, a manufacturer of proprietary stretching devices to improve joint motion, has experienced a cyberattack in which personal and protected health information may have been accessed or stolen. The security breach occurred on May 16, 2020 and prevented employees from accessing computer systems. In a letter to the Iowa Attorney General, a lawyer representing Dynasplint explained that the company had suffered “an encryption attack” which prevented employees from accessing computer systems. Assisted by a digital forensics firm, Dynasplint Systems determined on June 4, 2020 that information such as names, addresses, dates of birth, Social Security numbers, and medical information may have been accessed and acquired by the attackers. The cyberattack was reported to the FBI and Dynasplint Systems is cooperating with the investigation to hold the individuals responsible accountable. The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 102,800 individuals were potentially affected by...

Read More
AI Company Exposed 2.5 Million Patient Records Over the Internet
Aug21

AI Company Exposed 2.5 Million Patient Records Over the Internet

The personal and health information of more than 2.5 million patients has been exposed online, according to technology and security consultant Jeremiah Fowler. The records were discovered on July 7, 2020 in two folders that were publicly accessible over the Internet and required no passwords to access data. The folders were labeled as “staging data” and had been hosted by an artificial intelligence company called Cense AI, a company that provides SaaS-based intelligent process automation management solutions. The folders were hosted on the same IP address as the Cense website and could be accessed by removing the port from the IP address, which could be done by anyone with an Internet connection. The data could have been viewed, altered, or downloaded during the time it was accessible. An analysis of the data suggests it was collected from insurance companies and relate to individuals who had been involved in automobile accidents and had been referred for treatment for neck and spinal injuries. The data was quite detailed and included patient names, addresses, dates of birth,...

Read More
July 2020 Healthcare Data Breach Report
Aug19

July 2020 Healthcare Data Breach Report

July saw a major fall in the number of reported data breaches of 500 or more healthcare records, dropping below the 12-month average of 39.83 breaches per month. There was a 30.8% month-over-month fall in reported data breaches, dropping from 52 incidents in June to 36 in July; however, the number of breached records increased 26.3%, indicating the severity of some of the month’s data breaches.   1,322,211 healthcare records were exposed, stolen, or impermissibly disclosed in July’s reported breaches. The average breach size was 36,728 records and the median breach size was 6,537 records. Largest Healthcare Data Breaches Reported in July 2020 14 healthcare data breaches of 10,000 or more records were reported in July, with two of those breaches involving the records of more than 100,000 individuals, the largest of which was the ransomware attack on Florida Orthopaedic Institute which resulted in the exposure and potential theft of the records of 640,000 individuals. The other 100,000+ record breach was suffered by Behavioral Health Network in Maine. The breach was reported as...

Read More
R1 RCM Medical Collection Agency Suffers Ransomware Attack
Aug18

R1 RCM Medical Collection Agency Suffers Ransomware Attack

One of the largest medical debt collection agencies in the United States has suffered a ransomware attack. Chicago-based R1 RCM, formerly Accretive Health Inc., generated $1.18 billion in revenue in 2019 and works with more than 750 healthcare clients. It is currently unclear how many of its clients have been affected by the attack. The breach was recently reported by Brian Krebs of Krebs on Security. R1 RCM confirmed that it was attacked with ransomware and its systems were taken down in response to the attack. Recovery efforts are ongoing. No information has been released on the type of ransomware used in the attack and it is unclear if patient data was stolen prior to files being encrypted. Krebs spoke to a source close to the investigation who suggested the ransomware used in the attack was Defray. Defray ransomware is usually spread via malicious Word documents sent via email in small, targeted campaigns. The threat actors behind the ransomware have previously targeted education and healthcare verticals. In 2019, the medical debt collection agency, American Medical Collection...

Read More
Blackbaud Ransomware Attack Impacts 657,392 Northern Light Health Foundation Donors
Aug18

Blackbaud Ransomware Attack Impacts 657,392 Northern Light Health Foundation Donors

The Brewer, ME-based 10-hospital integrated healthcare system, Northern Light Health Foundation, has announced it has been affected by the recent ransomware attack on Blackbaud Inc. The databases affected contained information about donors, potential donors, and individuals who may have attended a fundraising event in the past. Patient medical records were stored separately and were unaffected. The databases contained the records of 657,392 individuals. South Carolina-based Blackbaud is one of the world’s largest providers of education, administration, fundraising, and financial management software. A company as large as Blackbaud is naturally a target for cybercriminals. Blackbaud explained it encounters millions of attacks each month and its cybersecurity team successfully defends the company against those attacks, although in May 2020 one of those attacks succeeded. The ransomware attack could have been far worse. Blackbaud detected the ransomware attack quickly and took action to block the attack. Blackbaud was able to prevent the ransomware from fully encrypting its files, and...

Read More
Healthcare Data Leaks on GitHub: Credentials, Corporate Data and the PHI of 150,000+ Patients Exposed
Aug17

Healthcare Data Leaks on GitHub: Credentials, Corporate Data and the PHI of 150,000+ Patients Exposed

A new report has revealed the personal and protected health information of patients and other sensitive data are being exposed online without the knowledge of covered entities and business associates through public GitHub repositories. Jelle Ursem, a security researcher from the Netherlands, discovered at least 9 entities in the United States – including HIPAA-covered entities and business associates – have been leaking sensitive data via GitHub. The 9 leaks – which involve between 150,000 and 200,000 patient records – may just be the tip of the iceberg. The search for exposed data was halted to ensure the entities concerned could be contacted and to produce the report to highlight the risks to the healthcare community. Even if your organization does not use GitHub, that does not necessarily mean that you will not be affected. The actions of a single employee or third-party contracted developer may have opened the door and allowed unauthorized individuals to gain access to sensitive data. Exposed PII and PHI in Public GitHub Repositories Jelle Ursem is an ethical security...

Read More
Medical Software Database Containing Personal Information of 3.1 Million Patients Exposed Online
Aug17

Medical Software Database Containing Personal Information of 3.1 Million Patients Exposed Online

A database containing the personal information of more than 3.1 million patients has been exposed online and was subsequently deleted by the Meow bot. Security researcher Volodymyr ‘Bob’ Diachenko discovered the database on July 13, 2020. The database required no password to access and contained information such as patients’ names, email addresses, phone numbers, and treatment locations. Diachenko set about trying to identify the owner of the database and found it had been created by a medical software company called Adit, which makes online booking and patient management software for medical and dental practices. Diachenko contacted Adit to alert the company to the exposed database but received no response. A few days later, Diachenko discovered the data had been attacked by the Meow bot. The Meow bot appeared in late July and scans the internet for exposed databases. Security researchers such as Diachenko conduct scans to identify exposed data and then make contact with the data owners to try to get the data secured. The role of the Meow bot is search and destroy. When exposed...

Read More
Protected Health Information of 129K Individuals Potentially Compromised in Behavioral Health Network Malware Attack
Aug14

Protected Health Information of 129K Individuals Potentially Compromised in Behavioral Health Network Malware Attack

Behavioral Health Network (BHN), the largest behavioral health service provider in Western Massachusetts, has announced that malware was downloaded onto its computer systems that prevented files from being accessed. The security breach was discovered on May 28, 2020 when staff were prevented from accessing files. An investigation was immediately launched to determine the extent of the attack and whether any data had been exfiltrated by the attacker. Around July 17, 2020, BHN determined that an unauthorized individual had gained access to its systems on May 26, two days before the malware was introduced. While it was not possible to determine whether any data had been stolen by the attacker prior to the deployment of the malware, the possibility of data theft could not be totally ruled out. No reports have been received to date indicating patient data has been misused. An analysis of the affected systems revealed the protected health information of 129,571 current and former patients was potentially compromised. The systems that were accessible to the attacker contained names,...

Read More
Data Breaches Reported by University of Maryland Faculty Physicians and Highpoint Foot & Ankle Center
Aug13

Data Breaches Reported by University of Maryland Faculty Physicians and Highpoint Foot & Ankle Center

University of Maryland Faculty Physicians Inc. (FPI) has suffered a phishing attack in which the protected health information of patients of University of Maryland Medical Center (UMMC) may have been accessed by unauthorized individuals. FPI is the faculty practice plan for University of Maryland School of Medicine affiliated physician practice groups and provides support to physicians and staff who provide services at UMMC locations. Following the discovery of the unauthorized accessing of an FPI email account, the account was secured and a comprehensive investigation was conducted to determine the nature and scope of the breach. On May 26, 2020, FPI determined the email account was accessed by an unauthorized individual between February 6, 2020 and February 11, 2020. The email account contained the protected health information of 33,896 individuals. The types of information in the account varied from patient to patient and may have included the following data types in addition to patient names: Date of birth, medical record number, and clinical information related to the care...

Read More
Ashley County Medical Center Nurse Terminated for Improper Medical Record Access
Aug12

Ashley County Medical Center Nurse Terminated for Improper Medical Record Access

A former employee of Ashley County Medical Center has been discovered to have accessed the medical records of 722 patients without authorization. Ashley County Medical Center launched an investigation into the HIPAA violation and determined the nurse had viewed limited patient data for reasons unrelated to the provision of care or treatment. Ashley County Medical Center does not believe any patient information was shared with a third party or accessed with a view to misusing the data. Patient information is believed to have been accessed out of curiosity. Ashley County Medical Center has a sanctions policy in place covering unauthorized medical record access, and in line with that policy the nurse was terminated for the HIPAA violation. “Patient privacy is an extremely serious matter and any failure to protect patient information will subject employees to disciplinary actions,” said Phillip Gilmore, Chief Executive Officer, ACMC. “We are continuing to take steps to report the actions of this employee, notify any additional patients whose information was viewed, continuing to...

Read More
Almost 20,000 Patients Affected by Owens Ear Center Ransomware Attack
Aug12

Almost 20,000 Patients Affected by Owens Ear Center Ransomware Attack

Owens Ear Center in Fort Worth, TX, suffered a ransomware attack on May 28, 2020 in which patient information was encrypted. The computer systems that were encrypted contained patients’ medical records, which included information such as names, addresses, dates of birth, health insurance information, health information, and Social Security numbers. Many ransomware attacks on healthcare organizations see healthcare data stolen before it is encrypted. These double extortion attacks require a ransom to be paid in order to decrypt files and prevent the sale or publication of the stolen data. Owens Ear Center investigated the attack and found no evidence to indicate patient information was accessed or copied prior to file encryption and believes this was solely an attempt to extort money from the practice and that the attackers were not interested in patient data. However, since unauthorized data access could not be ruled out, all affected patients have been notified and, out of an abundance of caution, have been offered complimentary identity theft protection services. Steps have since...

Read More
Four Healthcare Providers and a Ventilator Manufacturer Attacked with Ransomware
Aug11

Four Healthcare Providers and a Ventilator Manufacturer Attacked with Ransomware

Long Island City, NY-based Boyce Technologies Inc, which makes transport communication systems and recently switched its production facilities to produce ventilators for hospitals during the pandemic, has been attacked with DoppelPaymer ransomware. Data was stolen prior to file encryption and a sample of the stolen data has been published on the threat actor’s blog. The stolen data includes purchase orders, assignment forms, and other sensitive data. Boyce Technologies Inc. was approved by the FDA to manufacture ventilators and was producing around 300 machines a day. Those ventilators have been used in hospitals in New York and the company is now making ventilators for other areas. The ransomware attack has threatened the production of those ventilators and has potentially put lives at risk. Piedmont Orthpedics/OrthoAtlanta, a network of orthopedic and sports medicine centers in the greater Atlanta area, has been attacked by threat actors using Pysa (Mespinosa) ransomware. As with the attack on Boyce Technologies, prior to the encryption of files the threat actors exfiltrated...

Read More
Children’s Hospital Colorado Suffers Phishing Attack
Aug10

Children’s Hospital Colorado Suffers Phishing Attack

Children’s Hospital Colorado is notifying 2,553 patients that some of their protected health information was stored in an email account that was accessed by an unauthorized individual between April 6-12, 2020. Credentials to access the account were obtained when an employee responded to a phishing email. The phishing attack was identified by the hospital on June 22, 2020 and the account was immediately secured. A review of the emails and email attachments in the account revealed they contained patient names, zip codes, dates of service, medical record numbers, and clinical diagnosis information. Steps have since been taken to harden email security defenses, platforms are being evaluated for educating staff on cybersecurity, and technical controls related to email are also being reviewed. Stolen Hoag Clinic Laptop Contained Unencrypted PHI On June 5, 2020, a laptop computer issued to an employee of the Hoag Clinic in Costa Mesa, CA was stolen from a vehicle parked in the worksite parking lot in Newport Beach. The theft was discovered the same day and law enforcement was...

Read More