Data Breaches at Manquen Vance, DNF Medical Centers and Peak Vista Community Health

The Manquen Vance group health plan broker and consultancy firm based in Michigan, previously known as Cornerstone Municipal Advisory Group – is informing 7,018 people regarding a potential compromise of their personal and health information (PHI).

The investigation began on November 16, 2020 after the company noticed suspicious activity in a worker’s email account. Manquen Vance affirmed that unauthorized individuals accessed the account from November 1 to 16. Only one email account had been compromised.

Although it is likely that emails and file attachments with sensitive information were viewed or copied, there is no sure evidence found to point out that was what happened. The late issuance of breach notifications was because of the long process of examining each email in the account for sensitive data. That procedure was concluded on February 2, 2021 and ascertained that members’ names, Social Security numbers, and medical insurance information had potentially been breached. Since the security incident, Manquen Vance has taken steps to boost email security to avoid identical breaches from happening again.

DNF Medical Centers Terminates Employee for Rerouting Blood Samples to Unauthorized Laboratory

DNF Medical Centers located in Florida is sending notification to 846 persons regarding a breach of their PHI. The healthcare provider discovered on February 18, 2021 that an employee was diverting the blood samples of patients to an unauthorized laboratory for screening, and not to LabCorp or Quest.

Patient data sheets were dispatched with the blood samples which comprised patient names, birth dates, addresses, phone numbers, healthcare provider name, and the last 4 digits of Social Security numbers. DNF Medical Centers stated that the lab performed medical tests as required and returned the results; nevertheless, because this was an unauthorized lab, DNF Medical Centers is worried about the integrity of the test results. Therefore, affected patients were informed and asked to do their blood tests again at zero cost.

An investigation of the incident was started and the employee was interviewed and eventually fired. DNF Medical Centers believes no personal information was improperly used or further disclosed and that the blood samples were provided to the laboratory for the needed medical assessments to be done to permit the laboratory to bill patients’ health insurance companies for the lab tests.

PHI Breach in Peak Vista Community Health Robbery

On March 7, 2021, robbers broke into a facility of Peak Vista Community Health located in Colorado Springs and stole computer devices. On March 31, 2021, Peak Vista confirmed that two thieved computers held patient records with names, dates of birth, telephone numbers, health record numbers, prescription medication lists, and diagnosis data.

Peak Vista has filed a report submitted about
the theft to law enforcement, however, the equipment has not been recovered. Though it is possible that the thieves accessed the data on the computers, there is no proof of attempted or actual misuse of patient data discovered. Peak Vista Community Health mentioned only a few of its patients were impacted and every one of them has already been advised via mail.

Data Breaches at the American College of Emergency Physicians, VEP Healthcare and Epilepsy Florida

The American College of Emergency Physicians (ACEP) has begun informing selected members about the unauthorized access of some of their personal information that was stored on a server.

Besides giving professional organizational services to its members, ACEP provides management services to organizations including Society for Emergency Medicine Physician Assistants (SEMPA), the Emergency Medicine Foundation (EMF), and the Emergency Medicine Residents’ Association (EMRA). The breach affected data associated with those companies. Those who purchased from or donated to EMF, SEMPA, or EMRA were impacted by the breach.

ACEP detected unusual activity in its systems on September 7, 2020. The compromised server contained the login information for its SQL database servers, which also stored members’ data. Although there is no evidence that indicates the use of the credentials to access the databases, it’s not possible to make sure there’s no unauthorized access. The details covering April 8, 2020 to September 21, 2020 were exposed.

There were varying compromised records from individual to individual. Aside from names, sensitive data like Social Security numbers and financial information were compromised.

The breached server has been recovered, passwords altered, and more technical security steps have now been applied. ACEP offered 12 months of credit monitoring services to affected persons.

VEP Healthcare Discovers Unauthorized Access to Multiple Email Accounts

VEP Healthcare based in Portland, OR found out that unauthorized individuals accessed several employee email accounts after employees responded to phishing emails and shared their login information. The provider discovered the email security incident on March 11, 2021. The investigators of the breach stated that the impacted email accounts were accessed from November 15, 2019 to January 20, 2020. It is still uncertain precisely what data the compromised accounts contained.

Although the hackers accessed the email accounts, there is no proof that suggests the access or theft of any protected health information. Nonetheless, as a safety precaution, VEP Healthcare offered the affected people a complimentary 12-month membership to the IDX identify theft protection service and a $1 million identity theft insurance coverage.

Since the incident, VEP healthcare has improved email security, integrated 2-factor authentication on email accounts, has altered its policies and procedures, and offered more security awareness training to the workforce.

Epilepsy Florida Impacted by Blackbaud Data Breach

Epilepsy Florida has recently affirmed that it was impacted by the Blackbaud Inc. data breach. The breach happened in May 2020 and the healthcare provider sent notifications to affected clients last July 2020.

In a substitute breach notice posted in March 30, 2021, Epilepsy Florida stated that it began investigating the breach to know what information were exposed and, after asking for more data from Blackbaud, it was mentioned that the breach only included the full names of 1,832 persons. No other details appear to have been compromised.

Email Account Breach Impacts 221,000 Total Health Care Members

Health plan Total Health Care Inc based in Detroit, MI has learned unauthorized people have gotten access to a number of personnel email accounts that enclosed sensitive personal data of health plan members and doctor associates.

Upon uncovering the breach, the health plan immediately secured the email accounts to avoid continuing unauthorized access and engaged security specialists to perform a forensic analysis to find out the type and extent of the breach. The results of the investigation showed that the breach only affected email accounts. Unauthorized individuals accessed them from December 16, 2020 to February 5, 2021.

There was no evidence found that indicates the viewing or misuse of any protected health information (PHI), however, unauthorized access cannot be eliminated. Analysis of the emails within the accounts showed they comprised names, birth dates, addresses, member IDs, claims details, and Social Security numbers.

Because of the sensitive character of information within the accounts, impacted persons were provided complimentary credit monitoring services for about two years via CyberScout. Measures had been undertaken to enhance email security, which includes going over and revising policies and processes and giving extra security awareness instruction to the employees.

The health plan already reported the breach to the HHS’ Office for Civil Rights as impacting 221,454 people.

Harrington Physician Services Reports Potential Breach of a Patient Mailing List

Harrington Physician Services based in Southbridge, MA is informing 4,393 patients with regards to the potential exposure of some of their PHI. It was later learned that a mailing list was loaded to a place inside its information system that wasn’t designed to store patient information. Consequently, it’s possible that people beyond Harrington Physician Services might have accessed the mailing list, which contained names, addresses, ages, birth dates, primary care doctor names and most recent office visit date.

The investigation didn’t find any proof that indicates accessing the mailing list, however, it wasn’t possible to exclude a breach. Exposure of the mailing list was just for a brief time period and, to be able to access the mailing list, a person needs to access the network where it was kept. The danger to patients is for that reason considered to be minimal; nevertheless, as a safety measure, impacted patients were advised and given details about credit protection and monitoring services.

Email Security Breaches at Orthopaedics Practice and Administrative Advantage

The Centers for Advanced Orthopaedics based in Maryland, Virginia and Washington DC learned that unauthorized persons accessed the email accounts of several employees. On September 17, 2020, the practice detected suspicious activities in its email system. Investigating third-party cybersecurity specialists confirmed that unauthorized individuals accessed a number of email accounts from October 2019 to September 2020.

An evaluation of the compromised email accounts was carried out to find out the types of information that were breached and it was affirmed on January 25, 2021 that protected health information (PHI) might have been viewed or gotten by cybercriminals.

The email accounts comprised data of patients, workers, and their dependents. Patient records were mostly restricted to names, diagnoses, treatment details and dates of birth. A part of patients furthermore had one or more of these data types included in the email account: driver’s license number, Social Security number, passport number, financial account data, payment card details, or email/username and password.

Staff and dependent details were usually limited to date of births, medical diagnoses, treatment data, Social Security numbers, and driver’s license numbers. A subset included at least one of the following data: passport number, payment card data, financial account details, or email/username and password.

Breach notification letters were delivered to affected people starting March 25, 2021. Complimentary credit monitoring and identity restoration services were provided to impacted persons.

Policies and procedures and security solutions are being evaluated and will be revised to enhance security against these forms of breaches.

Vendor Email Breach Impacts Remedy Medical Group Patients

Administrative Advantage, a vendor offering billing support services to Remedy Medical Group, a pain management specialty practice in California, has found out that an unauthorized individual accessed the email account of an employee. The vendor noticed suspicious activity in the email account in July 2020 and investigated the incident to know the nature and magnitude of the breach. The investigating third-party security specialists established on August 18, 2020 that unauthorized people accessed the email account from June 23, 2020 to July 9, 2020.

The email account compromised at the time of the breach contained the PHI of Remedy Medical Group patients, such as names, financial account details, driver’s license and/or state identification numbers, Social Security numbers, credit and/or debit card data, birth dates, electronic signature details, passport numbers, username and password data, Medicare numbers, Medicaid numbers, medical record numbers, treatment locations, diagnoses, health insurance data, and lab test data. The types of data likely compromised varied from one patient to another.

Because of the breach, security steps were assessed and extra training on email security was given to the workforce. People possibly in danger of identity theft were given access to identity theft protection services at zero cost.

Three Healthcare Companies Encounter Email Account Breaches

Here are some of the latest healthcare privacy breaches reported to the HHS’ Office for Civil Rights and state Attorneys General.

Rainbow Rehabilitation Centers Detects Email Account Breach

Rainbow Rehabilitation Centers based in Livonia, MI provide therapeutic rehabilitation services for people with injuries in the brain and spinal cord. The provider found out that an unauthorized person obtained access to the email account of an employee containing 1,749 patients’ protected health information (PHI) and the data of its employee group health plans.

Independent forensic specialists were involved to look into the breach and affirmed that just one email account was compromised. An analysis of the account showed it included PHI like names, driver’s license numbers, Social Security numbers, consultation scheduling details, and medical plan and benefits application data. It wasn’t possible to find out whether the attacker accessed any of that data, however, there was no report obtained that indicate the misuse of any patient data.

Rainbow Rehabilitation Centers had notified the affected people and provided a free one-year membership to credit monitoring and identity theft protection services.

Email Accounts Compromised at Summit Behavioral Healthcare

Summit Behavioral Healthcare based in Brentwood, TN learned about the compromise of two employee email accounts beginning in late May 2020. This healthcare provider of behavioral health services operates 18 addition treatment centers across the United States.

A third-party digital forensics company was called in to inspect the breach and confirmed on January 21, 2021 that the compromised accounts contained protected health information and unauthorized individuals could have accessed or obtained PHI.

The records contained in the accounts were different from one individual to another and may have contained names plus one or more of these types of data: diagnosis or symptom data, treatment details, prescription data, health insurance numbers, medical history, Social Security number, financial account details, Medicaid / Medicare identification numbers, and healthcare provider data.

Summit Behavioral Healthcare already notified the affected persons and gave a complimentary 12-month credit monitoring and identity theft protection services membership.

Email Account Breach at Jacobson Memorial Hospital and Care Center

Jacobson Memorial Hospital and Care Center based in Elgin, ND has found out that an unauthorized person viewed an email account with the PHI of 1,547 patients.

The hospital detected the breach on or around August 5, 2020 and a third-party cybersecurity agency was called in to investigate the breach and find out if any data were accessed. It seems that the attack was performed so as to send out spam emails from the account; nevertheless, it is likely that patient data was viewed.

The account included names, dates of birth, addresses, email addresses, phone numbers, Social Security numbers, insurance policy numbers, credit card numbers, bank account numbers, and certain health details.

A new hospital-wide security system has currently been put in place, policies and procedures were updated, and further training was given to staff members and vendors on data protection. Jacobson Memorial Hospital and Care Center offered the affected individuals free credit monitoring and identity theft restoration services.

PHI Exposed Due to Data Breaches at Gore Medical Management and Pennsylvania Adult & Teen Challenge

Medical practice company Gore Medical Management based in Griffin, GA has discovered a historic data breach affecting the protected health information (PHI) of 79,100 people. The breach happened in 2017 and affected patients of Family Medical Center based in Thomaston, which is right now connected to Upson Regional Medical Center.

In November 2020, the Federal Bureau of Investigation informed Gore Medical Management that a third-party computer was retrieved during an investigation which was discovered to consist of the PHI of Family Medical Center patients.

It was confirmed by the breach investigation that a hacker exploited a vulnerability to obtain access to the Family Medical Center’s network. The vulnerability was identified and fixed a few months after the breach, but the breach itself was not discovered back then. The medical record system wasn’t affected, however, files containing names, addresses, dates of birth, and Social Security numbers were copied. There was no financial data or healthcare data involved.

There does not appear to be further access of its systems or any other information transfers since 2017. Gore Medical Management has already sent notifications to all impacted patients and has provided them a 12-month identity theft protection and credit monitoring service membership.

Pennsylvania Adult & Teen Challenge Detected Compromised Email Accounts With PHI of 7,771 People

Pennsylvania Adult & Teen Challenge located in Rehrersburg, PA reported that an unauthorized individual acquired access to employee email accounts that held the PHI of 7,771 individuals. This provider offers addiction treatment programs for adults and youth.

On July 29, 2020, the provider detected suspicious activity in an email account and took steps to stop continual access and check out the breach. The investigation affirmed that an unauthorized person accessed selected email accounts from July 27, 2020 to July 30, 2020.

A forensic investigation was carried out, and the compromised accounts were evaluated to determine the records possibly obtained by the attacker. The review process was finished on December 29, 2020.

The types of information contained in the accounts vary from one person to another and might have included names together with one or more of the following data elements: date of birth, financial account details, payment card details, driver’s license number, Social Security Number, prescription data, diagnosis data, treatment data, treatment provider, health insurance details, medical data, Medicare/Medicaid ID number, employer identification number, electronic signature, username, and password.

It was not possible to know if the hacker accessed or obtained data in the email accounts, but no report was acquired thus far that indicates the misuse of any patient information. Notification letters were recently sent to affected persons and free identity theft protection services were given.

Data Breach Reports from Gainwell Technologies, Mattapan Community Health Center, TaylorMade Diagnostics, and Hendrick Health

Gainwell Technologies found out that unauthorized persons have likely accessed the data of a number of patients of Wisconsin’s Medicaid program. The data was saved in email messages and file attachments in a breached account.

The hackers acquired initial access to the email account on October 29, 2020 up to November 16, 2020. The information contained in the account included names, billing codes for services and member ID numbers. The breach affected about 1,200 Wisconsin Medicaid members. Gainwell Technologies offered the affected persons a free membership to credit monitoring services for one year.

Gainwell is a fiscal-agent services provider for the Wisconsin Department of Health Services (DHS) Medicaid Program. After the breach happened, the DHS and Gainwell have taken preventive steps together to avoid the same breaches in the future.

This is Gainwell’s second reported incident in recent weeks. Gainwell manages the Medicaid Management Information System that TennCare, Tennessee’s state Medicaid health plan uses. Gainwell identified a mailing vendor error that resulted in the sending of mailings to the wrong addresses from 2019 to 2020. The two incidents were not connected.

Email Account Breach at Mattapan Community Health Center

Mattapan Community Health Center (MCHC) is informing 4,075 patients regarding unauthorized persons that gained access to some of their protected health information (PHI) contained in an email account.

MCHC detected unusual email account activity on October 16, 2020. A third-party computer forensics company, MCHC confirmed that the email account was breached on July 28, 2020. After a manual and programmatic analysis of the email account, MCHC confirmed that the unauthorized persons potentially accessed the following information: Names, medical diagnoses, treatment data, provider details, medical insurance data, medical record numbers and/or Social Security numbers.

MCHC already implemented additional security measures to avoid other email security breaches.

Conti Ransomware Gang Exposes Information Stolen from TaylorMade Diagnostics

TaylorMade Diagnostics based in Chesapeake, VA manages occupational health clinics servicing transportation firms and government organizations. A ransomware attack on the company resulted in the exposure of workers’ health information online.

The ransomware gang stole around 3,000 files before encrypting files. The information was posted on a darknet leak site managed by the Conti ransomware gang. The leaked information is associated with employees of Taylor Made Diagnostics clients, such as Norfolk Southern Railroad and
the United Parcel Service. The leaked information contained facts about medical tests, reports of drug and alcohol testing, and complete names, Social Security numbers, and copies of driver’s licenses.

Update on Hendrick Health November 2020 Ransomware Attack

Hendrick Health has given additional details on a ransomware attack that made it implement EHR downtime measures last November 2020. The company detected the attack on November 20, 2020 and promptly enforced security measures. Based on the investigation results, the attackers first accessed its systems on October 10, 2020 and possibly viewed or acquired patient data until November 9, 2020.

The compromised data may have included patients’ names, demographic information, Social Security numbers, and other data associated with the services offered by Hendrick Health. The breach just impacted patients who had gotten medical services at the Hendrick Clinic or the Hendrick Medical Center in the past. The breach did not affect the Hendrick Medical Centers located in Brownwood and the South.

The compromised systems stored the ePHI of 640,436 patients. Hendrick Health has strengthened data security measures and system tracking as well as added new features to its security alert application.

Email Account Breaches at South Country Health Alliance Breach, Precision Spine Care, and Jefferson Healthcare

Minnesota South Country Health Alliance based in Owatonna, MN has uncovered that an unauthorized person gained access to an employee’s email account that held the protected health information (PHI) of 66,874 of its members.

The email account breach was noticed on September 14, 2020, with the succeeding investigation showing the unauthorized individual first accessed the account on June 25, 2020. The evaluation of the email account was concluded on November 5, 2020 and unveiled it included personal data and PHI like names, Social Security numbers, addresses, health insurance details, Medicare and Medicaid numbers, diagnostic or treatment data, date of death, name of the provider, and treatment cost details.

Minnesota South Country Health Alliance mailed notifications to all members affected by the incident on December 30, 2020. The late issuance of notifications was caused by the time it took to determine the present mailing addresses for impacted persons.

The breach investigation didn’t show any proof to indicate the viewing, theft or misuse of any protected health information in the account. South Country Health Alliance is giving free credit monitoring and identity protection services to individuals possibly affected by the breach.

20,787 Patients Impacted by Precision Spine Care Email Breach

Precision Spine Care in Tyler, TX announced that an email account breach led to the compromise of the protected health information (PHI) of 20,787 patients.

An unauthorized person obtained access to the email account of an employee and tried to redirect funds to another bank account. The motive of the attackers seems to be to do a payment scam only, although it did not succeed. The investigation into the breach included an analysis of the affected email account, which held names, addresses, birth dates, and some medical data.

There was no information uncovered that shows the attacker had access to any PHI in the email account. Precision Spine Care sent notifications to all impacted people in January 2021.

2,550 Persons Impacted by Jefferson Healthcare Phishing Attack

Jefferson Healthcare in Washington found out that an unauthorized person accessed the email account of an employee who responded to a phishing email. In the email account, there was a DocuSign document that needed login credentials to be able to access the file.

Only one email account was impacted by the breach. No other systems were impacted. The breach investigation revealed that the email account accessed by an unauthorized person on November 12, 2020.

After an analysis of the compromised account, Jefferson Healthcare confirmed that it contained the PHI of about 2,550 patients. The investigators had to check over 30,000 file attachments manually to ascertain if they included patient data.

Although the emails and attachments contained some personal data and PHI, for most affected patients, the data was not particularly sensitive. The account contained Social Security and/or financial data of 84 patients. Those people were given free credit monitoring services.

The attacker used the breached email account to send other malicious emails to persons listed as contacts in the account. A total of 658 emails were dispatched from the account. Jefferson Healthcare notified those persons and told them not to open the file attachment.

Another Hospital Affected by LSU Health Email Account Breach in September 2020

An email security breach at LSU Health University Medical Center-New Orleans resulted in the potential compromise of the protected health information (PHI) of some patients.

LSU Health New Orleans Health Care Services Division reported on November 20, 2020 that it has experienced a security breach that involved the email account of a worker in September 2020. During the time, it looked like the breach merely affected a number of patients who had acquired medical services in the following healthcare centers: Leonard J. Chabert Medical Center in Houma; Lallie Kemp Regional Medical Center in Independence; W. O. Moss Regional Medical Center in Lake Charles; and the former Earl K. Long Medical Center in Baton Rouge; University Medical Center in Lafayette; Bogalusa Medical Center in Bogalusa; or Interim LSU Hospital in New Orleans.

LSU Health’s continuing investigation uncovered that the information of a number of patients of its partner hospital, University Medical Center-New Orleans, was additionally found in the compromised email account.

The breach happened on September 15, 2020 and LSU Health discovered it on September 18. Although an unauthorized individual accessed the email account, there is no particular evidence found regarding the access or misuse of PHI.

The breach involved varying types of information, which may have included patients’ names, addresses, phone numbers, medical record numbers, account numbers, Social Security numbers, dates of birth, dates of service, types of services obtained, and health insurance data. The bank account number and health data of a small percentage of patients might also have been exposed.

Beebe Medical Foundation Impacted by Blackbaud Ransomware Attack

Beebe Medical Foundation based in Lewes, DE has announced that it was impacted by the Blackbaud ransomware attack. Beebe Medical Foundation explained in a breach notice last December 28, 2020 that it received a notification from Blackbaud on July 16, 2020 about the ransomware attack that compromised Blackbaud’s systems from February 7, 2020 to May 20, 2020.

It just became obvious that Beebe records were affected in November 2020. After performing a review of the actual information involved, Beebe stated on December 2, 2020 that the attackers obtained access to the personal information of 56,953 people. The stolen records included names, birth dates; physician names; dates of assessment; visit dates; and the department associated with medical services received.

Blackbaud paid the attackers their ransom demand and was assured that the stolen information has now been destroyed; nevertheless, as a safety precaution, Beebe is sending breach notifications to impacted individuals.

Data Breaches at EyeMed, Midwest Geriatric Management and TennCare

Aetna has reported that over 484,000 of its members were affected by a data breach that occurred at a business associate offering services for its vision benefits plan members. In July 2020, an unauthorized person acquired access to an email account of a staff of EyeMed based in Cincinnati and utilized it for sending other phishing emails to people listed in the mailbox’s address book.

EyeMed looked into the breach and confirmed that the mailbox stored the protected health information (PHI) of 484,157 Aetna members, close to 1,300 members of Blue Cross Blue Shield of Tennessee, and 60,545 members of Tufts Health Plan. There is no proof found that indicates the theft or misuse of data. Still, it can’t be 100% certain that there was no data theft. Affected health plans received notifications about the breach in September.

The compromised email account included data like members’ names, birth dates, health insurance ID numbers, vision insurance ID numbers, and the Social Security numbers, birth certificates, diagnoses, and financial information for some persons. The breach just impacted current and past members of the health plans noted above that obtained vision benefits via EyeMed.

An EyeMed spokesperson stated that it has taken immediate action to strengthen security and gave security awareness training to help avert the same data breach from occurring again.

BEC Attack on Midwest Geriatric Management  Affects 4,800 People

Midwest Geriatric Management (MGM) Healthcare has informed 4,814 persons that a selection of their PHI was possibly exposed because of a business email compromise attack. A scammer imitated the CFO and sent an email message to an MGM employee asking for a spreadsheet to be sent through email. Thinking the request was authentic, the personnel responded and provided the sheet.

Email security features were set up that should prohibit attacks such as this, however in this instance those security features were bypassed. The spreadsheet included names, account balances, and the name of the pertinent center. No other data was breached.

MGM’s investigation showed that this was a separate case and no other parts were affected. Additional training was offered to staff about email security and, as a safety measure, all impacted people got a free myTrueIdentity identity theft protection services membership.

TennCare Mailing Vendor Breach Affects 3,300 Members

The state Medicaid health plan of Tennessee, TennCare, has reported a mailing error by a vendor that resulted in the exposure of some of the PHI of roughly 3,300 members.

Gainwell, which operates TennCare’s Medicaid Management Information System, found out that the mailing vendor Axis Direct dispatched messages to TennCare members in late 2019 and 2020 that was misaddressed and delivered to the wrong recipients.

TennCare received advice regarding the breach on October 23, 2020. Gainwell assured TennCare that it has identified the cause of the error and has taken steps to avoid similar incidents later on. Affected people received free credit monitoring services membership.

Email Account Breaches Reported by Meharry Medical College and MEDNAX Services

Meharry Medical College based in Nashville, TN, has identified an email account breach that potentially resulted in the access or theft of up to 20,983 patients’ protected health information (PHI) by unauthorized persons.

Meharry Medical College discovered the breach around July 28, 2020 and blocked the account immediately. Third-party technical professionals investigated the incident and stated that only one email account was involved. On September 1, 2020, the investigators said that because of the nature of the breach, it was likely that the hackers copied the contents of the email account, probably unintentionally in the course of the regular email synchronization process.

An evaluation of the email account content showed that it contained the full names of patients, birth dates, provider names, diagnoses/diagnostic codes, internal patient account numbers, and other medical data. The Social Security numbers, Medicare/Medicaid numbers, and medical insurance details of some patients were also included.

Persons who had Social Security numbers potentially exposed received free identity theft protection services.

Phishing Attack on MEDNAX Services Inc. Potentially Exposed PHI

MEDNAX Services Inc based in Sunrise, FL provides revenue cycle management and some administrative services to affiliated physician practice networks. The company discovered on June 19, 2020 that unauthorized persons were able to access its Microsoft Office 365-hosted email system because of employees that responded to phishing email messages.

Aided by a national forensic company, MEDNAX confirmed the compromise of several business email accounts from June 17, 2020 to June 22, 2020. These accounts were independent of the internal network and systems of MEDNAX. An evaluation of the compromised email accounts showed they included the names of patient and guarantors, email addresses, addresses, birth dates, Social Security numbers, state ID numbers, driver’s license numbers, financial account data, medical insurance details, medical and treatment data, Medicare/Medicaid numbers, and billing and claims data. MEDNAX could not determine what patient information the unauthorized persons accessed if any.

Impacted persons received free membership to identity monitoring services for 12 months. MEDNAX has carried out an evaluation of its security controls and will take steps to improve security to avoid the same breaches later on.

Mayo Clinic Faces Multiple Lawsuits Because of Insider Privacy Breach

Multiple class-action lawsuits had been filed against Mayo Clinic due to an insider data breach reported in October 2020. Mayo Clinic found out a former staff got access to the medical data of 1,600 patients without a permit to do so and viewed data including patient names, demographic details, birth dates, clinical notes, medical record numbers, and medical images.

Under the Health Insurance Portability and Accountability Act (HIPAA), all HIPAA-covered entities need to use controls to protect the confidentiality, privacy, and integrity of protected health information (PHI) and restricts health data disclosures and uses whenever patient permission is not obtained.

Healthcare workers are allowed access to PHI during their work duties, but in this incident, the former worker did not have any legitimate work reason for accessing the records. The unauthorized access violates the HIPAA Rules; nevertheless, there is no private cause of action in HIPAA, therefore affected individuals of such a breach can’t take legal action for any HIPAA violation that brings about the exposure of their health records.

Two lawsuits were recently filed in Minnesota state courts for violating the Minnesota Health Records Act (MHRA), which implemented stricter rules protecting the privacy of healthcare data in Minnesota. MHRA applies to all Minnesota-licensed doctors and the laws have a private cause of action, therefore patients whose providers break MHRA cannot be sued.

The lawsuit claims that Mayo Clinic failed to implement systems or procedures that make sure plaintiffs’ and similarly situated persons’ health records would be protected and not prone to unauthorized access, and that the former employee accessed the medical information of the plaintiff without acquiring their authorization first.

As per MHRA, healthcare organizations should get a signed and dated permission form from a patient or the legal representative of the patient allowing the release of their health data, unless there is a specific authorization in law, or if there’s a representation from a provider having a signed and dated authorization form from the patient under consideration permitting the release of their medical information.

The lawsuit additionally brings common law tort claims for the privacy breach, vicarious liability, and negligent infliction of emotional hurt. A significant contributory element to the emotional stress was that a number of medical photos were viewed including nude pictures of patients taken in association with their cancer treatments. The plaintiffs expect monetary damages and other relief considered as suitable by the courts.

Security Incidents at People Incorporated and My Choice HouseCalls Potentially Impacts PHI

in Minnesota provides integrated behavioral and mental health services. 27,500 of its patients are receiving notification regarding the exposure of some of their protected health information (PHI) contained in an email account due to a data breach from April 28, 2020 to May 4, 2020.

The provider took immediate action to prevent continued email account access and launched an investigation to find out the nature and extent of the data breach. Third-party cybersecurity specialists helped in the conduct of a manual account review and People Incorporated confirmed on September 8, 2020 that there were personal data and PHI of patients contained in the email accounts. Although a third party had accessed the email accounts, there is no evidence that suggests the theft or misuse of any information.

The following PHI were included in the compromised accounts: names, birth dates, addresses, treatment data, medical record numbers and insurance details. The financial account details, Social Security numbers, health insurance data, and state identification numbers or driver’s licenses were also compromised for some individuals. People whose Social Security numbers were possibly compromised received offers of credit monitoring services.

People Incorporated already took steps to identify threats and remediate them more quickly down the road. Extra technical security procedures were put in place, and employees were provided with training on identifying and handling of malicious emails.

My Choice HouseCalls Burglary Potentially Impacts PHI

My Choice HouseCalls in Jacksonville, Florida provides in-home primary care. Thieves broke into its administrative offices and stole a number of computers on or around September 3, 2020. Though law enforcement has already received a report of the theft, the stolen computers were not recovered yet.

A forensic investigation confirmed that the content of computers included the following types of patient data: names, addresses, names and routes of providers, facilities accessed by patients, patient profile images, types of consultations, medical histories, diagnoses, names of medical equipment supplier, the organizations offering home health services and their information, insurance data and patient and provider contact details.

My Choice HouseCalls is currently imposing whole drive encryption to avert the exposure of patient data in case of another break-in. The breach report forwarded to the HHS’ Office for Civil Rights indicates that there were 3,370 patients affected.

Zoll Sues Barracuda Networks for Breach of 277,000-Records

The US District Court in Massachusetts filed a lawsuit on behalf of the medical device vendor Zoll against its IT service vendor Barracuda Networks based in Campbell, CA. Allegedly, Barracuda Networks was responsible for botching a server migration which caused the compromise of the protected health information (PHI) of 277,139 patients.

The breach involved archived emails that were being transferred to a new email archiving solution. A configuration problem resulted in the exposure of those email messages for longer than 2 months from November 8, 2018 to December 28, 2020. The settings error was fixed, but Zoll did not get any information regarding the breach until January 24, 2019. The breach investigation revealed that the exposed emails included this patient information: names, contact data, dates of birth, medical data, and Social Security numbers for some patients.

Zoll contracted with a firm called Apptix – currently known as Fusion Connect – in 2012 and had a business associate agreement to supply hosted business communication solutions. Apptix subsequently signed a contract with a business named Sonian to deliver services including email storage. Barracuda Networks acquired Sonian in 2017.

As per the lawsuit, Barracuda Networks knew about the email breach on January 1, 2019. Its investigation showed that Barracuda Networks’ error left a data port open, exposing the email search functionality of the migration tool on a small part of the indices. The port stayed open for about 7 weeks before the error was determined and the port was shut. While the port was open an unauthorized individual acquired access to email data and “continually performed an automated search of the email archive.

A breach of PHI of this sort has effects on patients. Affected patients experienced injury and damages due to the exposure and theft of their personal and healthcare information. In April 2019, a case was filed versus Zoll on behalf of the victims of the breach. Zoll sought indemnification from Apptix; however, the firm didn’t give any response. The lawsuit has since been dealt with.

Besides the settlement and legal expenses suffered, Zoll expended internal and external resources for investigation and mitigation measures, issuance of breach notification letters to affected patients, and free access to services that shield patients against loss and harm. The lawsuit aims to retrieve those fees from Baracuda Networks.

Zoll claims that Barracuda Networks was negligent for being unable to implement acceptable safeguards to secure Zoll’s data and that Barracuda Networks didn’t completely support Zoll’s investigation. Zoll alleges that Barracuda Networks did not give the investigators access to its online environment and didn’t answer a lot of the investigators’ queries. Zoll stated Barracuda Networks did not give information such as the dates when PHI was compromised, the types of data compromised, and whether the attackers exfiltrated any data.

The lawsuit states that Barracuda Networks did reply to the breach and enforced extra safety measures, policies and procedures to avoid the same events in the future, however breached its obligations to employ reasonable protections prior to the breach to secure Zoll information. Zol additionally claims a breach of implied warranty of merchantability, since the email archiving service was guaranteed to be safe for email archiving when security problems permitted unauthorized persons to access private archived data. Zoll furthermore alleges the email archiving solution was flawed and not good for the purpose and therefore Barracuda Networks breached the supposed warranty for fitness for a particular purpose.

Saint Francis Healthcare System to Pay $350,000 to Settle Data Breach Lawsuit

Saint Francis Healthcare System reached a $350,000 settlement with the patients affected by a ransomware attack on Ferguson Medical Group (FMG) that occurred in September 2019.

Saint Francis acquired FMG after a cyberattack which made the electronic health records on its systems not accessible. Saint Francis decided to recover the encrypted data using backups instead of paying the ransom. Although patient information and some other files were retrieved, it wasn’t possible to retrieve all information encrypted during the attack. FMG could not recover a batch of information associated to medical services given to patients from September 20, 2018 to December 31, 2018 and was considered permanently gone. FMG reported that the breach affected approximately 107,000 patients, and those persons were given free credit monitoring services.

Saint Francis Healthcare faced a class-action lawsuit that was filed in January 2020 at the U.S. District Court of Eastern Missouri for alleged negligence, breach of contracts both expressed and implied privacy invasion, and the Missouri Merchandise Practices Act violation. About 90,000 patients who were affected patients by the breach affixed their name on the lawsuit.

Although credit monitoring services were provided free to impacted persons, the plaintiffs desired payment for expenses incurred due to the data breach including attorneys’ fees. The lawsuit additionally wanted Saint Francis Healthcare to carry out more safety measures to enhance data security.

Saint Francis Healthcare filed a motion to dismiss the legal action in March 2020 claiming the plaintiffs didn’t express a viable cause for relief. The plaintiffs stated that the motion to dismiss didn’t have enough merit; even so, should the case proceed with the trial, the result is going to be unpredictable. The two parties decided to have a settlement out of court.

The offered settlement will pay all plaintiffs up to $280 to take care of out-of-pocket expenditures sustained because of the breach, extra credit monitoring services, and payment for time expended on safeguarding their personal identities.

Saint Francis Healthcare likewise consented to take steps to strengthen security by

  • going over firewall protocols
  • automatically upgrading its firewall to the most recent version
  • implementing patches quickly
  • limiting remote legacy systems access,
  • creating and employing new password management guidelines
  • Implementing multi-factor authentication on its VPN access points
  • employing geo-blocking for traffic to some IP addresses,
  • taking away RDP from the vendor access solution
  • using a vulnerability scanning system
  • offering more extensive cybersecurity training to the employees.

The settlement is currently waiting for the judge’s approval. There is a scheduled conference by District Judge Stephen R. Clark of the District Court of Eastern Missouri on November 17, 2020.

Email Account Breach at Payment Processing Vendor Impacts 3 Healthcare Providers

Provider Health Services in Lafayette, LA, Arkansas Methodist Medical Center in Paragould, and lntelliRad Imaging in Miami, FL have reported that they were impacted by an email security breach that occurred in one of their business associates.

IBERIABANK provides the three entities with a lockbox service collecting and processing payments. IBERIABANK partners with Technology Management Resources, Inc. (TMR) as its third‐party lockbox service provider that captures and processes payment information for the lockbox. TMR found out on July 3, 2020 that an unauthorized person accessed an employee’s email account and potentially viewed or exfiltrated images that contain protected health information (PHI).

TMR informed impacted clients on August 21, 2020 and affirmed that the hacker most likely viewed pictures of checks and various images that had PHI inside the TMR’s iRemit application. The threat actor accessed the images from August 5, 2018 to May 31, 2020, with the majority of the activity occurring from February 2020 to May 2020.

In the substitute breach notice of Provider Health Services, it stated that the PHI possibly viewed included names, addresses, several medical data, and Social Security numbers.

Arkansas Methodist Medical Center reported that aside from the above information, the following data were potentially compromised: checking account numbers and routing numbers indicated on personal checks and data given together with payments for instance AMMC account numbers.

lntelliRad imaging confirmed that the potentially compromised information included patient names, addresses, bank account and routing number, Social Security numbers, diagnosis and treatment details, test results, medical insurance data, and other data associated to patient health care.

After the breach occurred, TMR took various steps to avert more breaches. Extra firewall protocols were implemented to carefully manage the iRemit web page access. Access from other countries was also restricted.

The email security breach affected 4,916 patients from Arkansas Methodist Medical Center, 1,700 patients from Provider Health Services, and said 1,862 patients from lntelliRad imaging.

Dickinson County Health, Passavant Memorial Homes Security and Michigan Medicine’s Security Breach

Dickinson County Health in Michigan has experienced a malware attack that has pushed its EHR system offline. The attack has compelled the health system to undertake EHR downtime procedures and log patient information using pen and paper. The malware attack started on October 17, 2020 and disrupted computer systems at all its Wisconsin and Michigan clinics and hospitals.

Systems were de-activated to control the malware and third-party security specialists were engaged to look into the breach and reestablish its systems and information. Although the attack brought about substantial disruption, almost all patient services continued to be completely operational. It is presently not clear if the attackers accessed or stole patient data.

DCHS CEO Chuck Nelson said that the matter is given the highest priority. Industry best practices and serious safety methods are being implemented. During the investigation, the company maintained high standards for patient care throughout their system.

25,000 People Likely Impacted by Passavant Memorial Homes Security Breach

Passavant Memorial Homes Family of Services (PMHFOS) in Pennsylvania provides support services for people with intellectual handicaps, autism, and behavioral health care. A security breach occurred at PMHFOS and the protected health information (PHI) of its clients was potentially compromised.

The security breach occurred on August 15, 2020. Using the contact form on the PMHFOS website, an unauthorized individual sent a message to an authorized user saying that his/her username and password was obtained and allowed systems access. The message alerted PMHFOS about the vulnerability and the individual maintained there was no malicious action taken.

A third-party computer forensics expert investigated the breach and confirmed there was no malware installed and no files was encrypted; nonetheless, it was impossible to know whether there was any individually identifiable information viewed or exfiltrated. Scans were performed on the dark web to figure out if any client records were released, however there was no information. A examination of the accessed systems revealed they included the PHI of 25,000 persons.

Because of the breach, PMHFOS deactivated the compromised account, conducted a system-wide password reset, offered more security awareness training to workers, and updated its network security steps. PMHFOS also implemented two-factor authentication. The authorities and PMHFOS’ cyber insurance provider already received a breach notification.

Email Addresses of Michigan Medicine Patients Exposed Due to Email Error

Michigan Medicine in Ann Arbor-M has began sending notifications to 1,062 patients about the potential access of their names, email addresses, and some health data by unauthorized individuals.

Michigan Medicine communicated an email communication in late September to patients telling them regarding a case of Inflammatory bowel Disease. But, Michigan Medicine did not add the patients’ email address on the blind carbon copy (BCC) field and could as a result be viewed by all other individuals on the mailing list.

The email did not include highly sensitive details, although it may still be probable to establish the names of patients from their email addresses plus the email identified patients as struggling against inflammatory bowel disease.

Upon discovery of the email error, Michigan Medicine sent individual notifications to all people on their records informing them regarding the mistake and telling them to delete the initial email. Letters were likewise sent to affected individuals on October 16. Michigan Medicine has now changed its procedures for sending emails to avoid identical mistakes later on.

PHI of Almost 30,000 People Exposed at Oaklawn Hospital and Mono County Breaches

Oaklawn Hospital based in Marshall, MI, sent notifications to 26,861 patients about a potential breach of their personal and healthcare information.

It wasn’t clearly stated when the hospital found out about the breach, but on July 28, 2020, the forensic investigation confirmed that unauthorized third parties got access to a number of employees’ email accounts starting April 14 until April 15, 2020. The attackers accessed the accounts after getting the response of employees to the phishing emails and having their login information. The employees spotted the breach soon after receiving reports of suspicious emails in many employee email accounts.

An extensive manual document audit verified the fact that the breached email accounts held protected health information (PHI). The breached information included patient names, birth dates, health information, and medical insurance information. A selected number of patients likewise had their driver’s license numbers, financial account information, Social Security numbers, and online account data possibly compromised. The overdue sending of notification letters was as a result of the time-consuming procedure of manually reviewing documents.

After the phishing attack, Oaklawn Hospital assessed its cybersecurity procedures and implemented measures to strengthen its technical security, including the use of multi-factor authentication. Workers also received extra security awareness training.
All affected patients were advised to keep an eye on their explanation of benefits statements and check for transactions related to healthcare services that they didn’t get. The hospital additionally provided credit monitoring services for free to those whose Social Security numbers were possibly exposed.

Even though there is a confirmation of the unauthorized email account access, no evidence supports the probability of data access or theft by the attackers. The hospital did not receive any report of patient data misuse as well.

Breach of COVID-19 Statistics Database

Mono County in California discovered that its COVID-19 statistics online database was accessed without authorization from April 2 up to July 24, 2020. The database stored the PHI of men and women who got screenings for COVID-19 prior to July 24, 2020.

The database secured information such as the sex, birth date, ethnicity, geographic location of Mono County residents, and their COVID-19 testing results. There was no name, address, or other identifying information included in the database. Mono County made the database secure on July 28, 2020 thus the database cannot be accessed anymore.

Mono County submitted the breach report to the HHS’ Office for Civil Rights indicating that 2,850 persons were affected by the incident.

Data Breaches at Legacy Community Health Services, Georgia Department of Human Services and VOXX International

Phishing Attack on Legacy Community Health Services Impacts 228,000 People

Legacy Community Health Services located is informing 228,009 patients regarding a breach that involve some of their protected health information (PHI). An unauthorized person viewed the PHI saved in an email account.

Legacy Community Health Services discovered the data breach on July 29, 2020, which was prompted by one employee’s response to a phishing email that gave away the login information to the hacker. The email account was made secure right away and a computer forensics company investigated the breach.

There is no evidence found that shows the attacker accessed email messages or stole electronic protected health information. However, the probability of data theft cannot be completely discounted. The data contained in the breached email account were patient names, service dates, and health data associated to health care at Legacy, together with the Social Security numbers of a limited number of patients. Free membership to a credit monitoring and identity protection services was given to patients whose SSN was exposed.

Legacy Community Health Services has strengthened email security since the phishing attack and the employees acquired retraining on recognizing and averting phishing emails.

Georgia Department of Human Services Reports Breach of Several Employee Email Accounts

Unauthorized persons got access to the email accounts of several Georgia Department of Human Services employees. The email accounts held the personal information and PHI of parents and kids who were part of Child Protective Services (CPS) incidents with the DHS Division of Family & Children Services (DFCS).

The Georgia Department of Human Services found out in August that the emails, which the hackers possibly accessed comprised personal information and PHI. The breach investigation showed that the unauthorized individuals obtained access to the accounts from May 3, 2020 to May 15, 2020.

The types of data compromised differed from one individual to another and might have contained full names, names of family members, relationship to the child getting services, home county, birth date, age, DFCS identification numbers, DFCS case number, frequency contacted by DFCS, an identifier that shows whether face-to-face contact was medically proper, telephone numbers, email addresses, Medicaid identification number, Medicaid medical insurance identification number, Social Security number, healthcare provider name and consultation dates.

Psychological reports, consultation notes, medical diagnoses, and substance abuse details related to 12 persons were additionally included in the breached email accounts, as well as the bank account details of one person.

Ransomware Attack on VOXX International

VOXX International Corporation has affirmed the ransomware attack it encountered on July 7, 2020 and the potential compromise of the PHI of its benefit plan members. Data stored in data files on the impacted servers contained names, email addresses, addresses, birth dates, Social Security numbers, financial account numbers, and/or medical insurance data of present and past workers, their dependents and beneficiaries.

The result of the investigation into the ransomware attack showed that the attackers acquired access to the servers from June 4, 2020 to July 7, 2020 and before the ransomware deployment, the attackers accessed some of the files stored on the servers. Upon examination of the files, they were found to have the PHI of 6,034 persons.

VOXX has already set up an endpoint threat detection and response program and is taking steps to improve network security. All impacted people were provided with free Experian’s IdentityWorks identity theft resolution services.

Patient PHI Compromised Due to Email Breach and Lost/Stolen Storage Devices

7,777 Patients of Starling Physicians Impacted by Email Breach

Starling Physicians based in Rocky Hill, CT started informing 7,777 patients regarding an unauthorized person who likely accessed some of their protected health information (PHI) stored in email accounts.

Starling Physicians detected a breach of its email system on or some time on July 7, 2020. A detailed review was done to ascertain the scope of the breach and whether or not patient data was accessed. Though there is no proof found that PHI was accessed, unauthorized information access cannot be excluded.

A review of the emails and attachments revealed that they stored names as well as a few of these data elements: medical record numbers, patient account numbers, birth dates, diagnostic data, healthcare provider data, prescription data, and treatment details. The address, Medicare/Medicaid ID number and/or Social Security number of a few affected persons were also exposed.

Starling Physicians is improving its cybersecurity solutions to avert the same data security occurrences.

Unencrypted Storage Devices Stolen from Moffitt Cancer Center

Lee Moffitt Cancer Center and Research Institute located in Tampa is informing 4,056 patients regarding the two stolen unencrypted storage devices and paper documents with PHI.

A briefcase containing the USB devices and files was stolen from a physician’s vehicle on July 2, 2020. An analysis of the USB devices and papers established that they included the following some protected health information: patient names, dates of birth, information about the services obtained at Moffitt, and medical record numbers.

The workforce underwent additional training on patient data security. The policies on using USB devices are under review. Moffitt also improved its auto-encryption procedures to make sure that all patient information is protected. Moffitt Cancer Center does not know about any attempt of patient information misuse.

Lost Hard Drive Held the PHI of INTEGRIS Baptist Medical Center Patients

INTEGRIS is informing some patients that a portable hard drive along with a few of their protected health information was lost at the time of an on-campus office move. It was just on October 17, 2020
that INTEGRIS noticed that the hard drive was missing. A detailed search was performed nonetheless the hard drive cannot be found.

A duplicate copy of the hard drive’s data was located and reviewed. It was confirmed to consist of information of a number of patients who obtained medical services at INTEGRIS Baptist Medical Center Portland Avenue in Oklahoma City, earlier named as Deaconess Hospital. The patient data on the drive only included patients’ names, limited clinical information and Social Security numbers.

INTEGRIS provided the affected individuals with complimentary membership of Experian’s IdentityWorksSM Credit 3B service for 12 months.