HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Data Breach Affects 120,000 Priority Health Plan Members

The Michigan-based health plan provider, Priority Health, has confirmed that it has been affected by a data breach at a business associate, the law firm Warner Norcross & Judd (WNJ).

WNJ identified suspicious network activity on October 22, 2021. Steps were immediately taken to prevent further unauthorized access and a digital forensics firm was engaged to assist with the investigation. That investigation confirmed that the attackers had gained access to parts of its network that contained the protected health information of approximately 120,000 members of Priority Health’s health plans.

The affected information included names, pharmacy claim information from certain prescriptions filled in 2012, including drug names, prescription filling dates, and insurance provider names. WNJ said it found no evidence of misuse of plan members’ information, but the possibility of data theft could not be ruled out.

WNJ said Priority Health was notified about the breach n June 6, 2022 – Almost 8 months after the security incident was detected.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

PHI Exposed in Attempted BEC Attack on Living Innovations

Living Innovations, a provider of services to people with disabilities, has confirmed that unauthorized individuals gained access to the email accounts of certain employees between June 6 and June 14, 2022, due to responses to phishing emails. The email account breaches were detected on June 7, 2022, when suspicious email account activity was detected.

The attack appears to have been conducted to try to divert invoice payment to an attacker-controlled account, rather than to access patient information; however, unauthorized access to patient information could not be ruled out. A review of the affected email accounts revealed they contained patient data such as names, client health insurance information, Medicaid information, Social Security numbers, and limited information related to services received at Living Innovations.

Living Innovations said it found no evidence of data theft or misuse of patient information; however, as a precaution, affected individuals have been offered complimentary credit monitoring and identity theft protection services. Additional training has been provided to employees on how to identify and avoid phishing emails.

The breach has been reported to the HHS’ Office for Civil Rights as affecting up to 4,000 individuals.

Phishing Attack on Microsoft 365 Account Affects 2,200 Florida Springs Surgery Center Patients

Florida Springs Surgery Center has discovered a breach of its Microsoft 365 email environment. The breach was detected on June 2, 2022, with the investigation confirming an unauthorized actor accessed an employee’s account between May 25, 2022, and June 2, 2022.

The account was compromised when an employee responded to a phishing email that spoofed a trusted entity. The review of the email environment confirmed the breach was limited to the employee’s account; however, that account contained the protected health information of 2,203 individuals. The types of information varied from individual to individual, and may have included names, addresses, birth dates, Social Security numbers, driver’s license/state ID numbers, financial account information, medical and/or treatment information, diagnosis or procedure information, prescriptions/medications, health insurance information, and billing and claims information.

Florida Springs Surgery Center has taken steps to improve email security, including adding multi-factor authentication for all accounts. Complimentary credit monitoring and identity restoration services have been offered to individuals who had their Social Security number, driver’s license/state ID number, or financial account information exposed.

MultiCare Health System says 18,615 Patients Affected by Avamere Health Services Cyberattack

MultiCare Health Services has confirmed that it is one of the companies affected by a cyberattack on business associate Avamere Health Services. According to the notification, a threat actor accessed Avamere Health Services’ systems and potentially deleted information of patients who received services from MultiCare between September 2016 and November 2021.

The affected individuals had used the Connected Care Network, which is a subsidiary of MultiCare Health Services. Affected individuals have been offered complimentary credit monitoring and identity theft protection services. The breach has been covered in more detail in this post.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.