Email Incidents Reported by CareOregon Advantage, Ultimate Care, and University Medical Center Southern Nevada

Three email incidents were recently reported by CareOregon Advantage, University Medical Center Southern Nevada, and Ultimate Care. A total of 38,485 individuals were affected.

PHI of CareOregon Advantage Members Exposed Due to Misdirected Email

CareOregon Advantage, the health insurance agency based in Portland, OR , has started sending notifications to 10,467 plan members regarding an impermissible disclosure of some of their protected health information (PHI). On January 27, 2022, an email having an attachment with plan member data was sent to a contracted consultant erroneously.

The consultant quickly informed CareOregon Advantage concerning the mistake and permanently removed the email message and attachment. The attached file included information such as member names, ID numbers, Medicaid/Medicare numbers, and birth dates. CareOregon Advantage is convinced the possibility of misuse of member information is negligible.

CareOregon Advantage stated its investigation affirmed that it has the proper policies and procedures in place to deal with these types of situations and those policies and protocols are evaluated yearly. The worker who sent the email was given extra training.

15,788 Individuals Affected by Phishing Attack on Ultimate Care

Ultimate Care, the home care agency located in Brooklyn, NY, has just announced that unauthorized persons
accessed some employee email accounts since employees responded to phishing emails. When the security breach was discovered, quick action was done to secure its email account and a forensic investigation was started to know the scope of the data breach.

The forensic investigation results showed that unauthorized individuals accessed the email accounts from April 7, 2021 to June 2, 2021. A manual analysis of all emails in the accounts established they comprised names, together with one or more of the following types of data: driver’s license numbers, passport numbers, Social Security numbers, dates of birth, financial account data, credit or debit card details, medical details, medical insurance policy data, and/or usernames and passwords.

Ultimate Care mentioned there were no reports received that indicate the improper use of any patient data; nevertheless, as a safety measure against identity theft and fraud, people whose Social Security numbers were exposed were provided complimentary one-year memberships with a credit monitoring provider. Notification letters were mailed to impacted persons on February 22, 2022.

The breach report was submitted to the HHS’ Office for Civil Rights indicating that 15,788 people were affected.

Business Associate Email Breach Impacted University Medical Center Southern Nevada Patients

University Medical Center Southern Nevada (UMC) has lately reported the potential compromise of the PHI of 12,230 patients was potentially compromised in a cyberattack at one of its business associates: The healthcare software vendor Advent Health Partners (AHA).

AHA found out about the email breach in early September 2021 and confirmed on December 2, 2021, that files made up of the PHI of its healthcare firm customers were accessed. The files included last and first names, Social Security numbers, drivers’ license information, birth dates, health insurance details, medical treatment data, and financial account details. AHA issued notification letters regarding the cyberattack on January 6, 2021. Advent Health Partners sent the breach report indicating that 1,383 persons were impacted, however a few of its clients, which include UMC, reported the breach on their own.

This is UMC’s third reported data breach in the last 18 months. UMC encountered a REvil ransomware attack in June 2021 that allowed the theft of the PHI of 1.3 million people, and last March 2021, UMC announced an unauthorized access/disclosure incident affecting 1,833 people.

Houston Area Community Services, County of Kings, and NYU Langone Health Reported Data Breaches

Houston Area Community Services, County of Kings in California, and NYU Langone Health reported data breaches recently.

Avenue 360 Health and Wellness Reports Employee Email Accounts Breach

Houston Area Community Services, Inc., dba Avenue 360 Health and Wellness, found out an unauthorized individual has acquired access to the email accounts of a number of employees and may have viewed or gotten the protected health information (PHI) of 12,186 people.

Avenue 360 Health and Wellness stated its investigation confirmed the email accounts had been compromised between January 15, 2021 and April 2, 2021. A third-party vendor specializing in the evaluation of security incidents such as this was engaged to assist with the breach investigation.

The provider conducted a thorough evaluation of all emails and file attachments contained in the account. On November 9, 2021, Avenue 360 found out that the account included names, health insurance details, medical record numbers, birthdates, diagnoses, clinical and treatment information, and prescription data. The Social Security numbers and/or financial data of some persons were likewise exposed.

Avenue 360 did not receive any reports of actual or attempted misuse of patient data because of the email security breach. Affected individuals started receiving notification letters on January 5, 2022, and complimentary credit monitoring services were offered to people whose Social Security number was compromised. Since the breach, email security was enhanced with anti-spam solutions and multi-factor authentication.

Web Server Misconfiguration Led to the Exposure of COVID-19 Data of 16,590 People

County of Kings, which is a political subdivision of the State of California, has uncovered the misconfiguration of a public web server, which resulted in the breach of information regarding COVID-19 cases.

The California Department of Public Health and County healthcare providers gave the information to County’s Public Health Department. The data included names, addresses, dates of birth, and COVID-19 related details. The misconfiguration was discovered on November 24, 2021, and the issue was completely fixed on December 6, 2021. The investigation confirmed that the misconfiguration happened on February 15, 2021.

County of Kings authorities stated they could not rule out unauthorized accessing of the information in that span of 10 months, though there are no indications that any of the breached data has been or will be misused.

The sending of notification letters to the 16,590 persons whose sensitive details were exposed
began on January 21, 2022. The County is convinced that the limited nature of the compromised data indicates persons are not at risk and do not need to take any other actions. The County mentioned it is taking steps to make sure COVID-19 data is better secured later on.

NYU Langone Health Informs 1,123 Patient Regarding Mismailing Incident

NYU Langone Health has started sending notifications to 1,123 patients regarding a vendor mailing error. On or about November 12, 2021, NYU Langone informed patients concerning a scheduled relocation of an oncology surgeon, who was based in Lake Success, NY.

A third-party vendor was employed to distribute the notification letters and reformatted the addresses which caused a misalignment of patient names and addresses on the envelopes. Because of this, the letters were delivered to incorrect patients. The letters were addressed as “Dear Patient,” and there was no protected health information included.

NYU Langone has gotten assurances from its vendor that policies, procedures, and practices were evaluated and updated to avoid similar misdirected mailings down the road.

Phishing-Related PHI Breaches Reported at Welfare, Pension and Annuity Funds of Local No. ONE, I.A.T.S.E and Signature Healthcare Brockton Hospital

Email accounts that contain the protected health information (PHI) of patients were exposed at Welfare, Pension and Annuity Funds of Local No. ONE, I.A.T.S.E. and Signature Healthcare Brockton Hospital.

Welfare, Pension, and Annuity Funds of Local No. ONE, I.A.T.S.E

Welfare, Pension, and Annuity Funds of Local No. ONE, I.A.T.S.E has lately informed 20,579 persons regarding the exposure of sensitive information in an email security incident. The provider noticed suspicious activity in a worker’s email account on December 21, 2021 and secured the account immediately to block unauthorized access. A forensic investigation was performed to find out the nature and extent of the breach.

On October 25, 2021, the investigation confirmed that the email account had been accessed by an unauthorized person from May 11, 2021 to August 2, 2021, because the employee responded to a phishing email. After a manual audit of the emails and file attachments, it was confirmed that they included these types of data:

Names, birth dates, government ID numbers, financial account data, Social Security numbers, and medical data that possibly includes medical provider data, diagnostic and conditions details, treatment and medication data, medical ID number(s), and/or medical insurance plan details. I.A.T.S.E Local ONE stated it did not find any evidence of sensitive information misuse.

After the breach, I.A.T.S.E Local ONE sought the help of its IT managed services provider to enforce additional security procedures so as to strengthen email security to stop other data breaches.

Signature Healthcare Brockton Hospital

Signature Healthcare based in Massachusetts has lately reported a data breach that has impacted 9,798 patients of Brockton Hospital. Suspicious activity had been discovered in its email system on November 4, 2021. The investigators of the incident confirmed that unauthorized individuals had accessed the email accounts of a number of doctors between October 16, 2021 and November 4, 2021.

A prominent forensic security company investigated the breach and stated that its computer programs and network remained secure. Signature Healthcare mentioned that it seemed there was no access of email accounts nor exfiltration of patient data. There was also no proof that show the misuse of any PHI; nonetheless, unauthorized PHI access cannot be excluded.

The breached email accounts held these types of data: First and last names, birthdates, sex, dates of appointments, test data, medical record numbers, diagnoses, and medical backgrounds. Signature Healthcare is going over its technical settings and processes and will take the appropriate steps to strengthen security to avoid other breaches later on.

Hospital, Pharmacy, and Dental Practice Report Hacking Incidents Impacting More Than 355,000 Patients

A hacker acquired access to BioPlus Specialty Pharmacy Services, an IT network based in Altamonte Springs, FL. Files containing sensitive patient data had been accessed by the attacker. The pharmacy detected the intrusion on November 11, 2021, and took immediate steps to take out the hacker from its system. A third-party computer forensics company helped BioPlus to confirm the compromise of its IT environment on October 25, 2021, and removed the attacker from its systems on November 11.

The investigation affirmed that the hacker accessed files that contain the protected health information (PHI) of selected patients, however, it was not possible to eliminate the probability that the hacker viewed the PHI of all its patients. The decision was hence taken to alert all 350,000 present and former patients concerning the breach.

The files accessed by the attacker contained patient names, dates of birth, addresses, medical record numbers, existing/past health plan member ID numbers, claims data, diagnoses, and/or prescription details. A number of patients likewise had their Social Security number exposed. The issuance of notification letters started on December 10, 2021. Individuals whose Social Security numbers were compromised were provided no-cost credit monitoring and identity protection services. BioPlus stated it has put in place extra safeguards to avoid similar breaches later on.

Capital Region Medical Center IT Systems Still Not Accessible a Week After Cyberattack

Capital Region Medical Center (CMRC) located in Jefferson City, MO, has confirmed it encountered a cyberattack that resulted in the shutdown of its network and phone systems. The cyberattack was discovered on December 17, 2021, and its online and telephone systems remain offline. The medical center is employing its downtime procedures and patients can visit, but a number of appointments were canceled. The cyberattack has additionally affected the pharmacies of the Capital Region.

The Capital Region information security staff is working diligently to bring back its systems online as fast, and securely, as possible. The health and safety of its patients are regarded as very important and treatment to patients will be given as expected. There are downtime protocols in place for physicians, nurses, and personnel to provide care in these types of situations, and its employees are dedicated to doing everything they can to minimize disruption and give uninterrupted care to its patients.

5,356 People Affected by Weddell Pediatric Dental Specialists Data Breach

Weddell Pediatric Dental Specialists based in Carmel, IN, has started sending notifications to 5,356 people that an unauthorized individual obtained access to a worker’s email account that included their protected health information (PHI).

The email account breach was noticed on July 23, 2021, and the account was promptly secured. Aided by third-party cybersecurity experts, the dental practice established that the breach only impacted one employee email account. The review and evaluation of emails and file attachments in the account were finished on October 27, 2021, and confirmed the account comprised patient names, together with one or more of the following data elements: date of birth, health diagnosis, medical treatment details, financial account data and in certain instances Social Security numbers.

Persons whose Social Security number had been exposed were offered complimentary credit monitoring services for 12 months. Weddell Pediatric Dental Specialists stated no information indicated the misuse of any patient information.

Southern Orthopaedic Associates and Eduro Healthcare Report Hacking Incidents

Southern Orthopaedic Associates (SOA) based in Paducah, KY has started sending notification letters to 106,910 patients regarding a breach that affected their protected health information (PHI).

SOA noticed unauthorized activity in the email account of an employee on or around July 8, 2021. The healthcare provider immediately took steps to secure the account. An investigation was begun to know the nature and magnitude of the breach. With the help of a third-party computer forensics agency, SOA learned that a number of employee email accounts were compromised from June 24, 2021, to July 8, 2021; nevertheless, it cannot tell which, if any, email messages in the account were seen.

A thorough analysis was performed of all emails and file attachments in the breached accounts to find out whether or not they include any protected health information. The evaluation was finished on October 21, 2021, and affirmed that the accounts comprised patient names plus Social Security numbers.

SOA sent notification letters to the affected people starting on December 12, 2021. Complimentary one-year membership to credit monitoring services through Experian has been offered. Additional safeguards to enhance email security had been implemented. The workforce was given further security awareness training.

Eduro Healthcare Data Breach Impacts More Than 8,000 Patients

Eduro Healthcare in Salt Lake City, UT has informed 8,059 patients concerning a potential compromise of their PHI. In March 2021, the healthcare provider detected suspicious activity in its network and took immediate action to limit the security breach. The healthcare organization enforced its incident response plan which permitted it to easily bring back access to its system.

Eduro Healthcare stated the quick action taken in response to the breach was considered to have averted unauthorized persons from accessing and exfiltrating patient files; nonetheless, on August 24, 2021, Eduro Healthcare found out that certain patient data were exfiltrated and published on a dark web data leak site.

Then started a painstaking process of finding the people impacted and the types of information that was compromised. That process was finished on October 21, 2021. The exposed information included first and last names, dates of birth, provider name, date(s) of service, treatment data, health insurance information, and Social Security numbers.

Affected persons have been provided 12 months of free credit monitoring and identity restoration services with IDX and will be covered by a $1,000,000 identity theft insurance plan. Eduro Healthcare has put in place more security controls, performed a total audit of all accounts, strengthened password protocols, reconfigured its firewall, used multi-factor authentication on email accounts, and updated its system security practices and procedures.

Email Security Breaches At MultiPlan and Hawaii Independent Physicians Association

The medical payment billing service provider MultiPlan made an announcement a breach of its email environment. On January 27, 2021, suspicious activity was seen in the email account of one employee. The action was quickly done to end unauthorized access. The credentials of the worker’s email were altered.

MultiPlan right away started an investigation to figure out the nature and extent of the breach, with support given by forensics professionals. The investigation established that the primary objective of the attack was to change wire transfers from the clients of MultiPlan hoping to pay invoices. The attacker used the compromised email account to speak with those clients concerning billing and to try to reroute payments to their accounts.

Although the attackers didn’t appear to target protected health information (PHI), the breached email account was discovered to have the PHI of 214,956 people. That data might have been looked at or acquired by the attacker from December 23, 2020 to January 27, 2021.

The types of data contained in the account were full names, emails, physical addresses, birth dates, healthcare company names, medical record numbers, cost/date of medical services, claims identifiers, medical insurance ID numbers, Social Security numbers, group IDs, and member IDs.

MultiPlan has informed all impacted persons and will be paying for the cost of two years of credit monitoring. Extra protocols and procedures have already been put in place to avoid further email account breaches down the road.

Email Account Breach at Hawaii Independent Physicians Association

Hawaii Independent Physicians Association (HIPA) is sending notifications to 18,770 patients regarding a security breach that involves a subcontractor’s email account.

HIPA determined on February 4, 2021 that an unauthorized person obtained access to the email account. The covered entity promptly stopped external access to the account and asked all HIPA users to modify their login information for their site and email accounts as a safety measure. With the assistance of a third-party cybersecurity company, HIPA established the breach only affected one email account which had the protected health information (PHI) of patients of its physicians.

The compromised account contained these types of data: full names, home addresses, dates of birth, and details concerning the overall health condition of patients. There was no proof of unauthorized information access found, however, the probability that PHI was seen or gotten can’t be eliminated.

The cybersecurity agency looking into the breach made suggestions to enhance email protection and HIPA is now applying the recommended adjustments.

PHI Exposed in Email Incidents at Discovery Practice Management and One Medical

Discovery Practice Management Informs People Regarding June 2020 Email Breach

Admin support services provider Discovery Practice Management to Authentic Recovery Center and Cliffside Malibu facilities located in California, has reported that unauthorized people acquired access to the email system it retains for those services.

Suspicious email activity was discovered in the email environment on July 31, 2020. An investigation into the breach showed there were unauthorized sign-ins to personnel email accounts at the two facilities from June 22, 2020 to June 26, 2020.

The accounts were promptly secured and a third-party cybersecurity agency was involved to inspect the incident however it cannot be confirmed if protected health information (PHI) in the accounts was accessed or exfiltrated.

PHI possibly exposed contained names, birth dates, addresses, medical record numbers, patient account numbers, medical insurance details, financial account/payment card data, driver’s license number, Social Security numbers, and clinical data, like diagnosis, treatment details, and medicine details.

The company stated in its breach notice to the California Attorney General that it collaborated with both practices to verify the contact data for the 13,611 persons whose details was probably compromised. That process was accomplished on June 2, 2021. Persons impacted by the breach have now been informed and have been provided a free one-year membership to credit monitoring and identity theft protection assistance.

Discovery Practice Management is convinced the attack was not done so as to steal patient data, instead, it is believed to have been meant to reroute invoice payments. Steps have already been taken to enhance email security and upgraded training has been given to the facilities’ employees to determine and prevent suspicious e-mails.

Email Addresses of Hundreds of One Medical Patients Got Compromised

An email error resulted in the compromise of the email addresses of numerous One Medical patients. The provider dispatched emails to patients requesting them to confirm their email addresses. The patients’ email addresses were not placed on the ‘BCC’ field of the email but on the ‘To’ field, therefore, it’s possible that all people who received the email could view all the email addresses.

Only the patients’ email addresses were compromised, however, the emails did show the owner of one email address as a patient from One Medical. A number of the persons who got the email tweeted a complaint. One person claimed that the email received had 981 visible email addresses.

One Medical released an announcement on Twitter in reply to the blunder. The company acknowledged the exposure of the recipients’ email addresses and apologized for the issue of concern. At the same time, the company assured that the incident is being investigated and said that there was no security breach of its systems. Proper measures had been implemented to avoid the same incident in the future.

Data Breaches at San Juan Regional Medical Center, Coastal Medical Group and Springfield Psychological

San Juan Regional Medical Center has recently sent notifications to tens of thousands of its patients concerning a security breach that happened in the fall of 2020. The medical center based in Farmington, NM found out that an unauthorized individual accessed its network on September 8, 2020. Immediate action was done to avoid further unauthorized access and an investigation was begun to know the nature and magnitude of the breach.

The forensic investigation revealed the attacker exfiltrated data between September 7th and 8th. A manual evaluation of those files confirmed they included the protected health information (PHI) of 68,792 people. The types of information in the records varied from one patient to another and included names in combination with one or more of the following data elements:

Birth dates, driver’s license numbers, Social Security numbers, financial account numbers, passport data, health insurance details, diagnoses, treatment details, medical record numbers, and patient account numbers.

Although data theft was verified, no evidence has been found to suggest any of the stolen PHI was misused. Free credit monitoring services have been provided to people whose Social Security number was compromised. Steps have likewise been taken to secure its system and enhance internal processes to avoid even more security breaches.

Coastal Medical Group Reports Hacking and Data Theft

Gastroenterology and internal medicine specialist Coastal Medical Group based in Old Bridge, NJ has experienced a security breach in which patient information has possibly been compromised. The practice, which is shown as permanently closed, found out about the breach on April 21, 2021.

The investigation shows systems were initially compromised on March 25, 2021. Based on a statement released by the practice, incident response and recovery processes were quickly executed, and the practice worked immediately to evaluate the security of its systems and stop further unauthorized access.

The investigation affirmed that the attacker acquired files made up of protected health information, which included full names, residence addresses, dates of birth, other demographic and contact data, Social Security numbers, insurance details, diagnoses, and treatment data.

The practice has informed all affected patients through mail and has given complimentary credit monitoring and identity theft protection services. Steps have additionally been undertaken to protect its networks to stop any more breaches.

It is presently uncertain how many persons were impacted.

Email Error at Springfield Psychological

Springfield Psychological in Pennsylvania has advised certain present, former, and prospective patients regarding an email error that exposed email addresses. A routine marketing email was sent on June 9, 2020; nonetheless, rather than having the recipients’ email addresses unseen, the email was delivered in a way that made recipients’ email addresses visible to all recipients.

Apart from determining the people as having received or considered receiving healthcare services from Springfield Psychological, the only data compromised were email addresses.

Springfield Psychological contacted the HHS’ Office for Civil Rights concerning the incident in late 2020 and on May 25, 2021, OCR informed Springfield Psychological that the event was a reportable breach according to HIPAA. Affected persons were then quickly informed.

PHI Breach at Five Rivers Health Centers and Cancer Centers of Southwest Oklahoma

Five Rivers Health Centers based in Ohio has informed 155,748 patients about the access by an unauthorized person to some of their protected health information (PHI) that was kept in email accounts subsequent to a phishing attack.

It is not clear when Five Rivers Health Centers discovered the breach, but according to reports, after doing a comprehensive forensic investigation into the cyberattack as well as a manual records review, it found out on March 31, 2021, that the compromised email accounts included patients’ personal and health data.

The forensic investigation affirmed the breach of the email accounts from April 1, 2020, to June 2, 2020. The healthcare provider sent notification letters to affected individuals on May 28, 2021 over a year after the occurrence of the first email account breach.

The types of PHI identified in the emails and attachments differed from one patient to another and might have contained at least one of these data elements: Name, address, birth date, patient account number, medical record number, diagnoses, treatment and/or clinical data, test result data, laboratory test results, provider name, treatment cost details, dates of service, prescription details, medical insurance data, and Medicare or Medicaid numbers.

The payment card numbers, financial account number, driver’s license number, Social Security number and/or state ID number of a few persons were likewise exposed. A one-year free membership to a credit monitoring service was offered to persons who had their Social Security numbers exposed.

After the attack, Five Rivers Health Centers reviewed and updated its guidelines and procedures, implemented 2-factor authentication, and provided employees with more training on cybersecurity.

8,000 Cancer Centers of Southwest Oklahoma Patients Affected by Breach

Cancer Centers of Southwest Oklahoma (CCSO) has found out about the potential compromise of the PHI of 8,000 patients in a cyberattack on one business associate. Elekta Inc. provides CCSO with a 1st generation cloud-based storage system, which suffered an attack early this year.

Elekta employed third-party cybersecurity specialists to look into the security breach and affirmed the incident on April 28, 2021. Breached systems contained the PHI of CCSO patients. Although it wasn’t possible to know what data the attackers accessed or exfiltrated, Elekta came to the conclusion that all system data had been exposed and ought to be regarded as compromised. Elekta’s cloud-based storage system is still offline until the forensic investigation concludes.

CCSO mentioned in its substitute breach notification letter that the information stored in the system and potentially accessed or stolen included names, Social Security numbers, addresses, birth dates, height, weight, clinical diagnosis, medical treatment information and consultation confirmations.

Elekta is providing free identity monitoring, fraud consult, and identity theft restoration services to impacted persons.

Data Breaches at Manquen Vance, DNF Medical Centers and Peak Vista Community Health

The Manquen Vance group health plan broker and consultancy firm based in Michigan, previously known as Cornerstone Municipal Advisory Group – is informing 7,018 people regarding a potential compromise of their personal and health information (PHI).

The investigation began on November 16, 2020 after the company noticed suspicious activity in a worker’s email account. Manquen Vance affirmed that unauthorized individuals accessed the account from November 1 to 16. Only one email account had been compromised.

Although it is likely that emails and file attachments with sensitive information were viewed or copied, there is no sure evidence found to point out that was what happened. The late issuance of breach notifications was because of the long process of examining each email in the account for sensitive data. That procedure was concluded on February 2, 2021 and ascertained that members’ names, Social Security numbers, and medical insurance information had potentially been breached. Since the security incident, Manquen Vance has taken steps to boost email security to avoid identical breaches from happening again.

DNF Medical Centers Terminates Employee for Rerouting Blood Samples to Unauthorized Laboratory

DNF Medical Centers located in Florida is sending notification to 846 persons regarding a breach of their PHI. The healthcare provider discovered on February 18, 2021 that an employee was diverting the blood samples of patients to an unauthorized laboratory for screening, and not to LabCorp or Quest.

Patient data sheets were dispatched with the blood samples which comprised patient names, birth dates, addresses, phone numbers, healthcare provider name, and the last 4 digits of Social Security numbers. DNF Medical Centers stated that the lab performed medical tests as required and returned the results; nevertheless, because this was an unauthorized lab, DNF Medical Centers is worried about the integrity of the test results. Therefore, affected patients were informed and asked to do their blood tests again at zero cost.

An investigation of the incident was started and the employee was interviewed and eventually fired. DNF Medical Centers believes no personal information was improperly used or further disclosed and that the blood samples were provided to the laboratory for the needed medical assessments to be done to permit the laboratory to bill patients’ health insurance companies for the lab tests.

PHI Breach in Peak Vista Community Health Robbery

On March 7, 2021, robbers broke into a facility of Peak Vista Community Health located in Colorado Springs and stole computer devices. On March 31, 2021, Peak Vista confirmed that two thieved computers held patient records with names, dates of birth, telephone numbers, health record numbers, prescription medication lists, and diagnosis data.

Peak Vista has filed a report submitted about
the theft to law enforcement, however, the equipment has not been recovered. Though it is possible that the thieves accessed the data on the computers, there is no proof of attempted or actual misuse of patient data discovered. Peak Vista Community Health mentioned only a few of its patients were impacted and every one of them has already been advised via mail.

Data Breaches at the American College of Emergency Physicians, VEP Healthcare and Epilepsy Florida

The American College of Emergency Physicians (ACEP) has begun informing selected members about the unauthorized access of some of their personal information that was stored on a server.

Besides giving professional organizational services to its members, ACEP provides management services to organizations including Society for Emergency Medicine Physician Assistants (SEMPA), the Emergency Medicine Foundation (EMF), and the Emergency Medicine Residents’ Association (EMRA). The breach affected data associated with those companies. Those who purchased from or donated to EMF, SEMPA, or EMRA were impacted by the breach.

ACEP detected unusual activity in its systems on September 7, 2020. The compromised server contained the login information for its SQL database servers, which also stored members’ data. Although there is no evidence that indicates the use of the credentials to access the databases, it’s not possible to make sure there’s no unauthorized access. The details covering April 8, 2020 to September 21, 2020 were exposed.

There were varying compromised records from individual to individual. Aside from names, sensitive data like Social Security numbers and financial information were compromised.

The breached server has been recovered, passwords altered, and more technical security steps have now been applied. ACEP offered 12 months of credit monitoring services to affected persons.

VEP Healthcare Discovers Unauthorized Access to Multiple Email Accounts

VEP Healthcare based in Portland, OR found out that unauthorized individuals accessed several employee email accounts after employees responded to phishing emails and shared their login information. The provider discovered the email security incident on March 11, 2021. The investigators of the breach stated that the impacted email accounts were accessed from November 15, 2019 to January 20, 2020. It is still uncertain precisely what data the compromised accounts contained.

Although the hackers accessed the email accounts, there is no proof that suggests the access or theft of any protected health information. Nonetheless, as a safety precaution, VEP Healthcare offered the affected people a complimentary 12-month membership to the IDX identify theft protection service and a $1 million identity theft insurance coverage.

Since the incident, VEP healthcare has improved email security, integrated 2-factor authentication on email accounts, has altered its policies and procedures, and offered more security awareness training to the workforce.

Epilepsy Florida Impacted by Blackbaud Data Breach

Epilepsy Florida has recently affirmed that it was impacted by the Blackbaud Inc. data breach. The breach happened in May 2020 and the healthcare provider sent notifications to affected clients last July 2020.

In a substitute breach notice posted in March 30, 2021, Epilepsy Florida stated that it began investigating the breach to know what information were exposed and, after asking for more data from Blackbaud, it was mentioned that the breach only included the full names of 1,832 persons. No other details appear to have been compromised.

Email Account Breach Impacts 221,000 Total Health Care Members

Health plan Total Health Care Inc based in Detroit, MI has learned unauthorized people have gotten access to a number of personnel email accounts that enclosed sensitive personal data of health plan members and doctor associates.

Upon uncovering the breach, the health plan immediately secured the email accounts to avoid continuing unauthorized access and engaged security specialists to perform a forensic analysis to find out the type and extent of the breach. The results of the investigation showed that the breach only affected email accounts. Unauthorized individuals accessed them from December 16, 2020 to February 5, 2021.

There was no evidence found that indicates the viewing or misuse of any protected health information (PHI), however, unauthorized access cannot be eliminated. Analysis of the emails within the accounts showed they comprised names, birth dates, addresses, member IDs, claims details, and Social Security numbers.

Because of the sensitive character of information within the accounts, impacted persons were provided complimentary credit monitoring services for about two years via CyberScout. Measures had been undertaken to enhance email security, which includes going over and revising policies and processes and giving extra security awareness instruction to the employees.

The health plan already reported the breach to the HHS’ Office for Civil Rights as impacting 221,454 people.

Harrington Physician Services Reports Potential Breach of a Patient Mailing List

Harrington Physician Services based in Southbridge, MA is informing 4,393 patients with regards to the potential exposure of some of their PHI. It was later learned that a mailing list was loaded to a place inside its information system that wasn’t designed to store patient information. Consequently, it’s possible that people beyond Harrington Physician Services might have accessed the mailing list, which contained names, addresses, ages, birth dates, primary care doctor names and most recent office visit date.

The investigation didn’t find any proof that indicates accessing the mailing list, however, it wasn’t possible to exclude a breach. Exposure of the mailing list was just for a brief time period and, to be able to access the mailing list, a person needs to access the network where it was kept. The danger to patients is for that reason considered to be minimal; nevertheless, as a safety measure, impacted patients were advised and given details about credit protection and monitoring services.

Email Security Breaches at Orthopaedics Practice and Administrative Advantage

The Centers for Advanced Orthopaedics based in Maryland, Virginia and Washington DC learned that unauthorized persons accessed the email accounts of several employees. On September 17, 2020, the practice detected suspicious activities in its email system. Investigating third-party cybersecurity specialists confirmed that unauthorized individuals accessed a number of email accounts from October 2019 to September 2020.

An evaluation of the compromised email accounts was carried out to find out the types of information that were breached and it was affirmed on January 25, 2021 that protected health information (PHI) might have been viewed or gotten by cybercriminals.

The email accounts comprised data of patients, workers, and their dependents. Patient records were mostly restricted to names, diagnoses, treatment details and dates of birth. A part of patients furthermore had one or more of these data types included in the email account: driver’s license number, Social Security number, passport number, financial account data, payment card details, or email/username and password.

Staff and dependent details were usually limited to date of births, medical diagnoses, treatment data, Social Security numbers, and driver’s license numbers. A subset included at least one of the following data: passport number, payment card data, financial account details, or email/username and password.

Breach notification letters were delivered to affected people starting March 25, 2021. Complimentary credit monitoring and identity restoration services were provided to impacted persons.

Policies and procedures and security solutions are being evaluated and will be revised to enhance security against these forms of breaches.

Vendor Email Breach Impacts Remedy Medical Group Patients

Administrative Advantage, a vendor offering billing support services to Remedy Medical Group, a pain management specialty practice in California, has found out that an unauthorized individual accessed the email account of an employee. The vendor noticed suspicious activity in the email account in July 2020 and investigated the incident to know the nature and magnitude of the breach. The investigating third-party security specialists established on August 18, 2020 that unauthorized people accessed the email account from June 23, 2020 to July 9, 2020.

The email account compromised at the time of the breach contained the PHI of Remedy Medical Group patients, such as names, financial account details, driver’s license and/or state identification numbers, Social Security numbers, credit and/or debit card data, birth dates, electronic signature details, passport numbers, username and password data, Medicare numbers, Medicaid numbers, medical record numbers, treatment locations, diagnoses, health insurance data, and lab test data. The types of data likely compromised varied from one patient to another.

Because of the breach, security steps were assessed and extra training on email security was given to the workforce. People possibly in danger of identity theft were given access to identity theft protection services at zero cost.

Three Healthcare Companies Encounter Email Account Breaches

Here are some of the latest healthcare privacy breaches reported to the HHS’ Office for Civil Rights and state Attorneys General.

Rainbow Rehabilitation Centers Detects Email Account Breach

Rainbow Rehabilitation Centers based in Livonia, MI provide therapeutic rehabilitation services for people with injuries in the brain and spinal cord. The provider found out that an unauthorized person obtained access to the email account of an employee containing 1,749 patients’ protected health information (PHI) and the data of its employee group health plans.

Independent forensic specialists were involved to look into the breach and affirmed that just one email account was compromised. An analysis of the account showed it included PHI like names, driver’s license numbers, Social Security numbers, consultation scheduling details, and medical plan and benefits application data. It wasn’t possible to find out whether the attacker accessed any of that data, however, there was no report obtained that indicate the misuse of any patient data.

Rainbow Rehabilitation Centers had notified the affected people and provided a free one-year membership to credit monitoring and identity theft protection services.

Email Accounts Compromised at Summit Behavioral Healthcare

Summit Behavioral Healthcare based in Brentwood, TN learned about the compromise of two employee email accounts beginning in late May 2020. This healthcare provider of behavioral health services operates 18 addition treatment centers across the United States.

A third-party digital forensics company was called in to inspect the breach and confirmed on January 21, 2021 that the compromised accounts contained protected health information and unauthorized individuals could have accessed or obtained PHI.

The records contained in the accounts were different from one individual to another and may have contained names plus one or more of these types of data: diagnosis or symptom data, treatment details, prescription data, health insurance numbers, medical history, Social Security number, financial account details, Medicaid / Medicare identification numbers, and healthcare provider data.

Summit Behavioral Healthcare already notified the affected persons and gave a complimentary 12-month credit monitoring and identity theft protection services membership.

Email Account Breach at Jacobson Memorial Hospital and Care Center

Jacobson Memorial Hospital and Care Center based in Elgin, ND has found out that an unauthorized person viewed an email account with the PHI of 1,547 patients.

The hospital detected the breach on or around August 5, 2020 and a third-party cybersecurity agency was called in to investigate the breach and find out if any data were accessed. It seems that the attack was performed so as to send out spam emails from the account; nevertheless, it is likely that patient data was viewed.

The account included names, dates of birth, addresses, email addresses, phone numbers, Social Security numbers, insurance policy numbers, credit card numbers, bank account numbers, and certain health details.

A new hospital-wide security system has currently been put in place, policies and procedures were updated, and further training was given to staff members and vendors on data protection. Jacobson Memorial Hospital and Care Center offered the affected individuals free credit monitoring and identity theft restoration services.

PHI Exposed Due to Data Breaches at Gore Medical Management and Pennsylvania Adult & Teen Challenge

Medical practice company Gore Medical Management based in Griffin, GA has discovered a historic data breach affecting the protected health information (PHI) of 79,100 people. The breach happened in 2017 and affected patients of Family Medical Center based in Thomaston, which is right now connected to Upson Regional Medical Center.

In November 2020, the Federal Bureau of Investigation informed Gore Medical Management that a third-party computer was retrieved during an investigation which was discovered to consist of the PHI of Family Medical Center patients.

It was confirmed by the breach investigation that a hacker exploited a vulnerability to obtain access to the Family Medical Center’s network. The vulnerability was identified and fixed a few months after the breach, but the breach itself was not discovered back then. The medical record system wasn’t affected, however, files containing names, addresses, dates of birth, and Social Security numbers were copied. There was no financial data or healthcare data involved.

There does not appear to be further access of its systems or any other information transfers since 2017. Gore Medical Management has already sent notifications to all impacted patients and has provided them a 12-month identity theft protection and credit monitoring service membership.

Pennsylvania Adult & Teen Challenge Detected Compromised Email Accounts With PHI of 7,771 People

Pennsylvania Adult & Teen Challenge located in Rehrersburg, PA reported that an unauthorized individual acquired access to employee email accounts that held the PHI of 7,771 individuals. This provider offers addiction treatment programs for adults and youth.

On July 29, 2020, the provider detected suspicious activity in an email account and took steps to stop continual access and check out the breach. The investigation affirmed that an unauthorized person accessed selected email accounts from July 27, 2020 to July 30, 2020.

A forensic investigation was carried out, and the compromised accounts were evaluated to determine the records possibly obtained by the attacker. The review process was finished on December 29, 2020.

The types of information contained in the accounts vary from one person to another and might have included names together with one or more of the following data elements: date of birth, financial account details, payment card details, driver’s license number, Social Security Number, prescription data, diagnosis data, treatment data, treatment provider, health insurance details, medical data, Medicare/Medicaid ID number, employer identification number, electronic signature, username, and password.

It was not possible to know if the hacker accessed or obtained data in the email accounts, but no report was acquired thus far that indicates the misuse of any patient information. Notification letters were recently sent to affected persons and free identity theft protection services were given.

Data Breach Reports from Gainwell Technologies, Mattapan Community Health Center, TaylorMade Diagnostics, and Hendrick Health

Gainwell Technologies found out that unauthorized persons have likely accessed the data of a number of patients of Wisconsin’s Medicaid program. The data was saved in email messages and file attachments in a breached account.

The hackers acquired initial access to the email account on October 29, 2020 up to November 16, 2020. The information contained in the account included names, billing codes for services and member ID numbers. The breach affected about 1,200 Wisconsin Medicaid members. Gainwell Technologies offered the affected persons a free membership to credit monitoring services for one year.

Gainwell is a fiscal-agent services provider for the Wisconsin Department of Health Services (DHS) Medicaid Program. After the breach happened, the DHS and Gainwell have taken preventive steps together to avoid the same breaches in the future.

This is Gainwell’s second reported incident in recent weeks. Gainwell manages the Medicaid Management Information System that TennCare, Tennessee’s state Medicaid health plan uses. Gainwell identified a mailing vendor error that resulted in the sending of mailings to the wrong addresses from 2019 to 2020. The two incidents were not connected.

Email Account Breach at Mattapan Community Health Center

Mattapan Community Health Center (MCHC) is informing 4,075 patients regarding unauthorized persons that gained access to some of their protected health information (PHI) contained in an email account.

MCHC detected unusual email account activity on October 16, 2020. A third-party computer forensics company, MCHC confirmed that the email account was breached on July 28, 2020. After a manual and programmatic analysis of the email account, MCHC confirmed that the unauthorized persons potentially accessed the following information: Names, medical diagnoses, treatment data, provider details, medical insurance data, medical record numbers and/or Social Security numbers.

MCHC already implemented additional security measures to avoid other email security breaches.

Conti Ransomware Gang Exposes Information Stolen from TaylorMade Diagnostics

TaylorMade Diagnostics based in Chesapeake, VA manages occupational health clinics servicing transportation firms and government organizations. A ransomware attack on the company resulted in the exposure of workers’ health information online.

The ransomware gang stole around 3,000 files before encrypting files. The information was posted on a darknet leak site managed by the Conti ransomware gang. The leaked information is associated with employees of Taylor Made Diagnostics clients, such as Norfolk Southern Railroad and
the United Parcel Service. The leaked information contained facts about medical tests, reports of drug and alcohol testing, and complete names, Social Security numbers, and copies of driver’s licenses.

Update on Hendrick Health November 2020 Ransomware Attack

Hendrick Health has given additional details on a ransomware attack that made it implement EHR downtime measures last November 2020. The company detected the attack on November 20, 2020 and promptly enforced security measures. Based on the investigation results, the attackers first accessed its systems on October 10, 2020 and possibly viewed or acquired patient data until November 9, 2020.

The compromised data may have included patients’ names, demographic information, Social Security numbers, and other data associated with the services offered by Hendrick Health. The breach just impacted patients who had gotten medical services at the Hendrick Clinic or the Hendrick Medical Center in the past. The breach did not affect the Hendrick Medical Centers located in Brownwood and the South.

The compromised systems stored the ePHI of 640,436 patients. Hendrick Health has strengthened data security measures and system tracking as well as added new features to its security alert application.

Email Account Breaches at South Country Health Alliance Breach, Precision Spine Care, and Jefferson Healthcare

Minnesota South Country Health Alliance based in Owatonna, MN has uncovered that an unauthorized person gained access to an employee’s email account that held the protected health information (PHI) of 66,874 of its members.

The email account breach was noticed on September 14, 2020, with the succeeding investigation showing the unauthorized individual first accessed the account on June 25, 2020. The evaluation of the email account was concluded on November 5, 2020 and unveiled it included personal data and PHI like names, Social Security numbers, addresses, health insurance details, Medicare and Medicaid numbers, diagnostic or treatment data, date of death, name of the provider, and treatment cost details.

Minnesota South Country Health Alliance mailed notifications to all members affected by the incident on December 30, 2020. The late issuance of notifications was caused by the time it took to determine the present mailing addresses for impacted persons.

The breach investigation didn’t show any proof to indicate the viewing, theft or misuse of any protected health information in the account. South Country Health Alliance is giving free credit monitoring and identity protection services to individuals possibly affected by the breach.

20,787 Patients Impacted by Precision Spine Care Email Breach

Precision Spine Care in Tyler, TX announced that an email account breach led to the compromise of the protected health information (PHI) of 20,787 patients.

An unauthorized person obtained access to the email account of an employee and tried to redirect funds to another bank account. The motive of the attackers seems to be to do a payment scam only, although it did not succeed. The investigation into the breach included an analysis of the affected email account, which held names, addresses, birth dates, and some medical data.

There was no information uncovered that shows the attacker had access to any PHI in the email account. Precision Spine Care sent notifications to all impacted people in January 2021.

2,550 Persons Impacted by Jefferson Healthcare Phishing Attack

Jefferson Healthcare in Washington found out that an unauthorized person accessed the email account of an employee who responded to a phishing email. In the email account, there was a DocuSign document that needed login credentials to be able to access the file.

Only one email account was impacted by the breach. No other systems were impacted. The breach investigation revealed that the email account accessed by an unauthorized person on November 12, 2020.

After an analysis of the compromised account, Jefferson Healthcare confirmed that it contained the PHI of about 2,550 patients. The investigators had to check over 30,000 file attachments manually to ascertain if they included patient data.

Although the emails and attachments contained some personal data and PHI, for most affected patients, the data was not particularly sensitive. The account contained Social Security and/or financial data of 84 patients. Those people were given free credit monitoring services.

The attacker used the breached email account to send other malicious emails to persons listed as contacts in the account. A total of 658 emails were dispatched from the account. Jefferson Healthcare notified those persons and told them not to open the file attachment.

Another Hospital Affected by LSU Health Email Account Breach in September 2020

An email security breach at LSU Health University Medical Center-New Orleans resulted in the potential compromise of the protected health information (PHI) of some patients.

LSU Health New Orleans Health Care Services Division reported on November 20, 2020 that it has experienced a security breach that involved the email account of a worker in September 2020. During the time, it looked like the breach merely affected a number of patients who had acquired medical services in the following healthcare centers: Leonard J. Chabert Medical Center in Houma; Lallie Kemp Regional Medical Center in Independence; W. O. Moss Regional Medical Center in Lake Charles; and the former Earl K. Long Medical Center in Baton Rouge; University Medical Center in Lafayette; Bogalusa Medical Center in Bogalusa; or Interim LSU Hospital in New Orleans.

LSU Health’s continuing investigation uncovered that the information of a number of patients of its partner hospital, University Medical Center-New Orleans, was additionally found in the compromised email account.

The breach happened on September 15, 2020 and LSU Health discovered it on September 18. Although an unauthorized individual accessed the email account, there is no particular evidence found regarding the access or misuse of PHI.

The breach involved varying types of information, which may have included patients’ names, addresses, phone numbers, medical record numbers, account numbers, Social Security numbers, dates of birth, dates of service, types of services obtained, and health insurance data. The bank account number and health data of a small percentage of patients might also have been exposed.

Beebe Medical Foundation Impacted by Blackbaud Ransomware Attack

Beebe Medical Foundation based in Lewes, DE has announced that it was impacted by the Blackbaud ransomware attack. Beebe Medical Foundation explained in a breach notice last December 28, 2020 that it received a notification from Blackbaud on July 16, 2020 about the ransomware attack that compromised Blackbaud’s systems from February 7, 2020 to May 20, 2020.

It just became obvious that Beebe records were affected in November 2020. After performing a review of the actual information involved, Beebe stated on December 2, 2020 that the attackers obtained access to the personal information of 56,953 people. The stolen records included names, birth dates; physician names; dates of assessment; visit dates; and the department associated with medical services received.

Blackbaud paid the attackers their ransom demand and was assured that the stolen information has now been destroyed; nevertheless, as a safety precaution, Beebe is sending breach notifications to impacted individuals.

Data Breaches at EyeMed, Midwest Geriatric Management and TennCare

Aetna has reported that over 484,000 of its members were affected by a data breach that occurred at a business associate offering services for its vision benefits plan members. In July 2020, an unauthorized person acquired access to an email account of a staff of EyeMed based in Cincinnati and utilized it for sending other phishing emails to people listed in the mailbox’s address book.

EyeMed looked into the breach and confirmed that the mailbox stored the protected health information (PHI) of 484,157 Aetna members, close to 1,300 members of Blue Cross Blue Shield of Tennessee, and 60,545 members of Tufts Health Plan. There is no proof found that indicates the theft or misuse of data. Still, it can’t be 100% certain that there was no data theft. Affected health plans received notifications about the breach in September.

The compromised email account included data like members’ names, birth dates, health insurance ID numbers, vision insurance ID numbers, and the Social Security numbers, birth certificates, diagnoses, and financial information for some persons. The breach just impacted current and past members of the health plans noted above that obtained vision benefits via EyeMed.

An EyeMed spokesperson stated that it has taken immediate action to strengthen security and gave security awareness training to help avert the same data breach from occurring again.

BEC Attack on Midwest Geriatric Management  Affects 4,800 People

Midwest Geriatric Management (MGM) Healthcare has informed 4,814 persons that a selection of their PHI was possibly exposed because of a business email compromise attack. A scammer imitated the CFO and sent an email message to an MGM employee asking for a spreadsheet to be sent through email. Thinking the request was authentic, the personnel responded and provided the sheet.

Email security features were set up that should prohibit attacks such as this, however in this instance those security features were bypassed. The spreadsheet included names, account balances, and the name of the pertinent center. No other data was breached.

MGM’s investigation showed that this was a separate case and no other parts were affected. Additional training was offered to staff about email security and, as a safety measure, all impacted people got a free myTrueIdentity identity theft protection services membership.

TennCare Mailing Vendor Breach Affects 3,300 Members

The state Medicaid health plan of Tennessee, TennCare, has reported a mailing error by a vendor that resulted in the exposure of some of the PHI of roughly 3,300 members.

Gainwell, which operates TennCare’s Medicaid Management Information System, found out that the mailing vendor Axis Direct dispatched messages to TennCare members in late 2019 and 2020 that was misaddressed and delivered to the wrong recipients.

TennCare received advice regarding the breach on October 23, 2020. Gainwell assured TennCare that it has identified the cause of the error and has taken steps to avoid similar incidents later on. Affected people received free credit monitoring services membership.

Email Account Breaches Reported by Meharry Medical College and MEDNAX Services

Meharry Medical College based in Nashville, TN, has identified an email account breach that potentially resulted in the access or theft of up to 20,983 patients’ protected health information (PHI) by unauthorized persons.

Meharry Medical College discovered the breach around July 28, 2020 and blocked the account immediately. Third-party technical professionals investigated the incident and stated that only one email account was involved. On September 1, 2020, the investigators said that because of the nature of the breach, it was likely that the hackers copied the contents of the email account, probably unintentionally in the course of the regular email synchronization process.

An evaluation of the email account content showed that it contained the full names of patients, birth dates, provider names, diagnoses/diagnostic codes, internal patient account numbers, and other medical data. The Social Security numbers, Medicare/Medicaid numbers, and medical insurance details of some patients were also included.

Persons who had Social Security numbers potentially exposed received free identity theft protection services.

Phishing Attack on MEDNAX Services Inc. Potentially Exposed PHI

MEDNAX Services Inc based in Sunrise, FL provides revenue cycle management and some administrative services to affiliated physician practice networks. The company discovered on June 19, 2020 that unauthorized persons were able to access its Microsoft Office 365-hosted email system because of employees that responded to phishing email messages.

Aided by a national forensic company, MEDNAX confirmed the compromise of several business email accounts from June 17, 2020 to June 22, 2020. These accounts were independent of the internal network and systems of MEDNAX. An evaluation of the compromised email accounts showed they included the names of patient and guarantors, email addresses, addresses, birth dates, Social Security numbers, state ID numbers, driver’s license numbers, financial account data, medical insurance details, medical and treatment data, Medicare/Medicaid numbers, and billing and claims data. MEDNAX could not determine what patient information the unauthorized persons accessed if any.

Impacted persons received free membership to identity monitoring services for 12 months. MEDNAX has carried out an evaluation of its security controls and will take steps to improve security to avoid the same breaches later on.