Data Breaches at EyeMed, Midwest Geriatric Management and TennCare

Aetna has reported that more than 484,000 of its members were affected by a data breach at a business associate that provides services to its vision benefits plan members. In July 2020, an unauthorized person gained access to an email account belonging to an employee of Cincinnati-based EyeMed and used it to send further phishing emails to contacts in the mailbox's address book.

EyeMed investigated the breach and confirmed that the mailbox contained the protected health information (PHI) of 484,157 Aetna members, close to 1,300 members of Blue Cross Blue Shield of Tennessee, and 60,545 members of Tufts Health Plan. No evidence of data theft or misuse was found, but the possibility cannot be ruled out. The affected health plans were notified of the breach in September.

The compromised email account contained members' names, birth dates, health insurance ID numbers and vision insurance ID numbers, and for some individuals, Social Security numbers, birth certificates, diagnoses and financial information. The breach only affected current and former members of the health plans listed above who received vision benefits through EyeMed.

An EyeMed spokesperson said the company took immediate steps to strengthen security and provided security awareness training to help prevent a similar breach from happening again.

BEC Attack on Midwest Geriatric Management Affects 4,800 People

Midwest Geriatric Management (MGM) Healthcare has notified 4,814 individuals that some of their PHI may have been exposed as a result of a business email compromise (BEC) attack. A scammer impersonated the CFO and emailed an MGM employee asking for a spreadsheet to be sent by email. Believing the request to be genuine, the employee replied and attached the spreadsheet.

Email security controls were in place that should have blocked an attack of this kind, but in this instance they were bypassed. The spreadsheet contained names, account balances, and the name of the relevant center. No other data was exposed.
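One common form of the lure described above is a display-name spoof: the From header shows an executive's name, but the address belongs to an outside mailbox, or a Reply-To header steers replies elsewhere. The following is an added example, not code from the page or from MGM, of a pre-delivery check against an internal directory; the domain, the directory entries and the sample messages are constructed for illustration.

```python
"""Flag inbound mail that borrows an executive's display name.

Added example; INTERNAL_DOMAIN, PROTECTED_NAMES and the sample messages are assumptions."""
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-health.org"            # assumption: the organisation's own domain

# Assumption: a directory export of people worth protecting (executives, finance, HR).
PROTECTED_NAMES = {
    "jane doe": "jane.doe@example-health.org",      # CFO
    "john roe": "john.roe@example-health.org",      # CEO
}


def normalise(name):
    """Lower-case and collapse whitespace so 'Jane  DOE' matches 'jane doe'."""
    return " ".join(name.lower().split())


def classify(raw_message):
    """Classify one RFC 5322 message by its From and Reply-To headers.

    Returns {'verdict': 'suspicious' | 'internal' | 'external', 'sender': ..., 'reasons': [...]}.
    """
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    expected = PROTECTED_NAMES.get(normalise(display))

    reasons = []
    if expected:
        if addr != expected:
            reasons.append(f"display name {display!r} belongs to {expected} but sender is {addr}")
        # A Reply-To that is neither the sender nor the real executive is the other
        # half of the lure: the From looks right, the reply lands in the attacker's mailbox.
        if reply_to and reply_to != addr and reply_to != expected:
            reasons.append(f"Reply-To {reply_to} is not {expected}")

    if reasons:
        verdict = "suspicious"
    elif domain == INTERNAL_DOMAIN:
        verdict = "internal"
    else:
        verdict = "external"
    return {"verdict": verdict, "sender": addr, "reasons": reasons}


# Constructed sample messages; only the headers matter to the check.
LURE = """From: Jane Doe <jane.doe.cfo@webmail.example>
Reply-To: Jane Doe <jane.doe.cfo@webmail.example>
To: accounts@example-health.org
Subject: Need the balances spreadsheet today

Can you email me the spreadsheet with the account balances for each center? Thanks.
"""

SPOOFED_FROM = """From: Jane Doe <jane.doe@example-health.org>
Reply-To: jane.doe.cfo@webmail.example
To: accounts@example-health.org
Subject: Quick favour

"""

GENUINE = """From: Jane Doe <jane.doe@example-health.org>
To: accounts@example-health.org
Subject: Q3 numbers

Attached as discussed.
"""

VENDOR = """From: Support <support@vendor.example>
Reply-To: billing@vendor.example
To: accounts@example-health.org
Subject: Invoice 4411

"""

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("spoofed-from", SPOOFED_FROM),
                       ("genuine", GENUINE), ("vendor", VENDOR)):
        print(label, classify(raw))
```

A check like this belongs at the mail gateway or in a transport rule and complements, rather than replaces, SPF/DKIM/DMARC enforcement, which is what blocks the spoofed-From variant at the protocol level. The control that actually defeats the request itself is procedural: any request to send financial or patient data out of the organisation is confirmed with the purported requester through a second channel.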

MGM's investigation determined that this was an isolated incident and that no other systems were affected. Staff were given additional training on email security and, as a precaution, all affected individuals were offered a free membership to the myTrueIdentity identity theft protection service.

TennCare Mailing Vendor Breach Affects 3,300 Members

TennCare, Tennessee's state Medicaid program, has reported a mailing error by a vendor that exposed some of the PHI of approximately 3,300 members.

Gainwell, which operates TennCare's Medicaid Management Information System, discovered that its mailing vendor, Axis Direct, had sent mailings to TennCare members in late 2019 and 2020 that were misaddressed and delivered to the wrong recipients.

TennCare was notified of the breach on October 23, 2020. Gainwell assured TennCare that it has identified the cause of the error and has taken steps to prevent similar incidents in the future. Affected individuals were offered free credit monitoring services.

Email Account Breaches Reported by Meharry Medical College and MEDNAX Services

Meharry Medical College in Nashville, TN, has identified an email account breach in which unauthorized persons may have accessed or stolen the protected health information (PHI) of up to 20,983 patients.

Meharry Medical College discovered the breach on or around July 28, 2020 and immediately locked the account. Third-party technical specialists investigated the incident and determined that only one email account was involved. On September 1, 2020, the investigators concluded that, given the nature of the breach, the attackers had likely copied the contents of the account, possibly without intending to, as a side effect of the routine synchronization that occurs when a mail client connects to the account and downloads the mailbox.

A review of the email account's contents showed that it included patients' full names, birth dates, provider names, diagnoses/diagnostic codes, internal patient account numbers, and other medical data. For some patients, Social Security numbers, Medicare/Medicaid numbers, and health insurance details were also included.

Individuals whose Social Security numbers were potentially exposed were offered free identity theft protection services.

Phishing Attack on MEDNAX Services Inc. Potentially Exposed PHI

MEDNAX Services Inc., based in Sunrise, FL, provides revenue cycle management and certain administrative services to affiliated physician practice groups. On June 19, 2020, the company discovered that unauthorized persons had gained access to its Microsoft Office 365-hosted email system after employees responded to phishing emails.

With the help of a national forensics firm, MEDNAX confirmed that several business email accounts were compromised between June 17, 2020 and June 22, 2020. These accounts were separate from MEDNAX's internal network and systems. A review of the compromised accounts showed that they contained the names of patients and guarantors, email addresses, postal addresses, birth dates, Social Security numbers, state ID numbers, driver's license numbers, financial account information, health insurance details, medical and treatment information, Medicare/Medicaid numbers, and billing and claims data. MEDNAX could not determine which patient information, if any, the unauthorized persons actually accessed.

Affected individuals were offered free identity monitoring services for 12 months. MEDNAX has reviewed its security controls and will take steps to improve security to prevent similar breaches in the future.

Mayo Clinic Faces Multiple Lawsuits Because of Insider Privacy Breach

Multiple class-action lawsuits have been filed against Mayo Clinic over an insider data breach reported in October 2020. Mayo Clinic discovered that a former employee had accessed the medical records of 1,600 patients without authorization and viewed data including patient names, demographic details, birth dates, clinical notes, medical record numbers, and medical images.

Under the Health Insurance Portability and Accountability Act (HIPAA), all HIPAA-covered entities must implement controls to protect the confidentiality, privacy, and integrity of protected health information (PHI), and uses and disclosures of health data are restricted unless the patient has authorized them or the HIPAA Rules otherwise permit them.

Healthcare workers are permitted to access PHI in the course of their duties, but in this case the former employee had no legitimate work reason to access the records. The unauthorized access violates the HIPAA Rules; however, HIPAA has no private cause of action, so individuals affected by such a breach cannot sue for a HIPAA violation that results in the exposure of their health records.
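Access of this kind, by an account that is legitimately provisioned but has no treatment relationship with the patient, is not stopped by authentication or role-based permissions; it is found after the fact by reviewing the EHR audit trail against a record of who is actually caring for whom. The following added example, not Mayo Clinic's code, shows that review over a constructed audit log; the log rows, the care-relationship table, the shift window and the thresholds are all assumptions, and real EHR products export these in their own formats.

```python
"""Flag chart accesses with no documented care relationship (EHR snooping review).

Added example; AUDIT_LOG, CARE_RELATIONSHIPS and the thresholds are constructed."""
from datetime import datetime

# Assumption: one row per chart open, exported from the EHR's access audit log.
AUDIT_LOG = [
    {"ts": "2020-08-03T09:12:00", "user": "nurse01", "patient": "MRN1001", "action": "view_note"},
    {"ts": "2020-08-03T09:15:00", "user": "nurse01", "patient": "MRN1002", "action": "view_image"},
    {"ts": "2020-08-03T22:40:00", "user": "tech07",  "patient": "MRN2001", "action": "view_image"},
    {"ts": "2020-08-03T22:41:00", "user": "tech07",  "patient": "MRN2002", "action": "view_image"},
    {"ts": "2020-08-03T22:43:00", "user": "tech07",  "patient": "MRN2003", "action": "view_note"},
    # Emergency access with a recorded justification ("break the glass") is reviewed
    # separately and is not treated as snooping here.
    {"ts": "2020-08-04T10:00:00", "user": "dr05",    "patient": "MRN3001", "action": "view_note",
     "break_glass": True},
]

# Assumption: (user, patient) pairs with an active care relationship, derived from
# care-team assignments, scheduled encounters, orders and similar sources.
CARE_RELATIONSHIPS = {
    ("nurse01", "MRN1001"),
    ("nurse01", "MRN1002"),
}


def unjustified_accesses(log, relationships):
    """Rows that have neither a care relationship nor a break-the-glass record."""
    return [
        row for row in log
        if (row["user"], row["patient"]) not in relationships
        and not row.get("break_glass", False)
    ]


def snooping_candidates(log, relationships, min_patients=3, shift=(7, 19)):
    """Users with unjustified access to at least `min_patients` distinct charts.

    Returns {user: {"patients": n, "after_hours": m}} so an analyst can prioritise;
    `shift` is the (start_hour, end_hour) window treated as normal working time.
    """
    per_user = {}
    for row in unjustified_accesses(log, relationships):
        hour = datetime.fromisoformat(row["ts"]).hour
        entry = per_user.setdefault(row["user"], {"patients": set(), "after_hours": 0})
        entry["patients"].add(row["patient"])
        if not (shift[0] <= hour < shift[1]):
            entry["after_hours"] += 1
    return {
        user: {"patients": len(e["patients"]), "after_hours": e["after_hours"]}
        for user, e in per_user.items()
        if len(e["patients"]) >= min_patients
    }


if __name__ == "__main__":
    for user, summary in snooping_candidates(AUDIT_LOG, CARE_RELATIONSHIPS).items():
        print(f"{user}: {summary['patients']} charts without a care relationship, "
              f"{summary['after_hours']} after hours")
```

The relationship table is the hard part in practice: it has to be rebuilt continuously from scheduling, orders and care-team data, and a user's own department or unit is a weak proxy for it. Accesses to charts of co-workers, relatives (same surname or address) and VIP patients are the usual additional signals layered on top of this baseline.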

Two lawsuits were recently filed in Minnesota state courts for violations of the Minnesota Health Records Act (MHRA), which imposes stricter rules protecting the privacy of healthcare data in Minnesota. The MHRA applies to all Minnesota-licensed physicians and, unlike HIPAA, it does include a private cause of action, so patients can sue providers that violate it.

The lawsuits allege that Mayo Clinic failed to implement systems or procedures to ensure that the plaintiffs' and similarly situated persons' health records were protected from unauthorized access, and that the former employee accessed the plaintiffs' medical information without first obtaining their authorization.

Under the MHRA, healthcare organizations must obtain a signed and dated consent form from the patient or the patient's legal representative authorizing the release of their health records, unless the release is specifically authorized by law, or a provider represents that it holds a signed and dated authorization from the patient in question permitting the release of their medical information.

The lawsuits also bring common law tort claims for invasion of privacy, vicarious liability, and negligent infliction of emotional distress. A significant contributor to the emotional distress was that a number of medical images were viewed, including nude photographs of patients taken in connection with their cancer treatment. The plaintiffs seek monetary damages and other relief the courts deem appropriate.

Security Incidents at People Incorporated and My Choice HouseCalls Potentially Impact PHI

People Incorporated, a Minnesota provider of integrated behavioral and mental health services, is notifying 27,500 patients that some of their protected health information (PHI) contained in email accounts was exposed in a data breach between April 28, 2020 and May 4, 2020.

The provider took immediate steps to block further access to the email accounts and launched an investigation to determine the nature and scope of the breach. Third-party cybersecurity specialists assisted with a manual review of the accounts, and on September 8, 2020 People Incorporated confirmed that the accounts contained patients' personal data and PHI. Although a third party accessed the email accounts, there is no evidence that any information was stolen or misused.

The compromised accounts contained names, birth dates, addresses, treatment information, medical record numbers and insurance details. For some individuals, financial account details, Social Security numbers, health insurance data, and state identification or driver's license numbers were also exposed. Individuals whose Social Security numbers may have been compromised were offered credit monitoring services.

People Incorporated has taken steps to identify and remediate threats more quickly in the future. Additional technical security measures were implemented, and employees received training on identifying and handling malicious emails.

My Choice HouseCalls Burglary Potentially Impacts PHI

My Choice HouseCalls in Jacksonville, Florida provides in-home primary care. On or around September 3, 2020, thieves broke into its administrative offices and stole a number of computers. The theft was reported to law enforcement, but the computers have not been recovered.

A forensic investigation confirmed that the computers contained the following types of patient data: names, addresses, provider names and routes, facilities visited by patients, patient profile images, consultation types, medical histories, diagnoses, names of medical equipment suppliers, the organizations providing home health services and their details, insurance data, and patient and provider contact details.

My Choice HouseCalls is now implementing full-disk encryption to prevent patient data from being exposed in the event of another break-in. Full-disk encryption protects a stolen machine only while it is powered off or locked with the key evicted from memory; it does nothing for a device taken while it is unlocked. The breach report submitted to the HHS' Office for Civil Rights indicates that 3,370 patients were affected.

Zoll Sues Barracuda Networks Over Breach of 277,000 Records

Medical device vendor Zoll has filed a lawsuit in the US District Court for the District of Massachusetts against its IT service vendor Barracuda Networks of Campbell, CA. Zoll alleges that Barracuda Networks botched a server migration and thereby caused the compromise of the protected health information (PHI) of 277,139 patients.

The breach involved archived emails that were being migrated to a new email archiving solution. A configuration error left those emails exposed for about seven weeks, from November 8, 2018 to December 28, 2018. The error was corrected, but Zoll was not informed of the breach until January 24, 2019. The breach investigation found that the exposed emails contained patient names, contact information, dates of birth, medical information, and, for some patients, Social Security numbers.

Zoll contracted with a company called Apptix, now known as Fusion Connect, in 2012 under a business associate agreement to provide hosted business communication services. Apptix in turn subcontracted with a company named Sonian to provide services including email storage. Barracuda Networks acquired Sonian in 2017.

According to the lawsuit, Barracuda Networks learned of the email breach on January 1, 2019. Its investigation showed that an error by Barracuda Networks had left a data port open, exposing the email search functionality of the migration tool on a small portion of the indices. The port remained open for about seven weeks before the error was identified and the port was closed. While the port was open, an unauthorized individual gained access to email data and "continually performed an automated search of the email archive."
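An exposed search endpoint being walked by a script for weeks leaves a distinctive trace in the service's access logs: one source issuing many search calls in a short window, each with a different query, typically with a scripted user agent. The following added example, not Zoll's or Barracuda's code, runs that detection over constructed access-log lines in combined log format; the endpoint path, the log lines, the window and the thresholds are assumptions.

```python
"""Detect an automated sweep of a search endpoint in web-server access logs.

Added example; SEARCH_PATH, SAMPLE_LOG and the thresholds are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Combined log format. Assumption: the exposed search endpoint is /archive/search.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "[^"]*" "(?P<ua>[^"]*)"$'
)
SEARCH_PATH = "/archive/search"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_sweeps(lines, window_seconds=60, min_requests=5, min_distinct_queries=3):
    """Return {ip: summary} for sources that sweep the search endpoint.

    An IP is flagged when, within any `window_seconds` window, it makes at least
    `min_requests` search calls with at least `min_distinct_queries` different
    query strings: a person paging through results repeats one query, a scraper
    keeps issuing new ones.
    """
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].split("?")[0] == SEARCH_PATH:
            per_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until it spans at most window_seconds.
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window = recs[start:end + 1]
            if len(window) >= min_requests and len({r["path"] for r in window}) >= min_distinct_queries:
                flagged[ip] = {
                    "requests": len(recs),
                    "distinct_queries": len({r["path"] for r in recs}),
                    "first": recs[0]["ts"].isoformat(),
                    "last": recs[-1]["ts"].isoformat(),
                    "user_agents": sorted({r["ua"] for r in recs}),
                }
                break
    return flagged


# Constructed sample log: one scraper, one ordinary user, one health-check probe.
SAMPLE_LOG = [
    '203.0.113.9 - - [20/Nov/2018:03:14:01 +0000] "GET /archive/search?q=ssn&page=1 HTTP/1.1" 200 5120 "-" "python-requests/2.20"',
    '203.0.113.9 - - [20/Nov/2018:03:14:03 +0000] "GET /archive/search?q=ssn&page=2 HTTP/1.1" 200 5120 "-" "python-requests/2.20"',
    '203.0.113.9 - - [20/Nov/2018:03:14:05 +0000] "GET /archive/search?q=dob&page=1 HTTP/1.1" 200 4990 "-" "python-requests/2.20"',
    '203.0.113.9 - - [20/Nov/2018:03:14:07 +0000] "GET /archive/search?q=dob&page=2 HTTP/1.1" 200 4990 "-" "python-requests/2.20"',
    '203.0.113.9 - - [20/Nov/2018:03:14:09 +0000] "GET /archive/search?q=claim&page=1 HTTP/1.1" 200 6100 "-" "python-requests/2.20"',
    '203.0.113.9 - - [20/Nov/2018:03:14:11 +0000] "GET /archive/search?q=claim&page=2 HTTP/1.1" 200 6100 "-" "python-requests/2.20"',
    '198.51.100.4 - - [20/Nov/2018:09:02:10 +0000] "GET /archive/search?q=invoice+2017&page=1 HTTP/1.1" 200 7300 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [20/Nov/2018:09:05:42 +0000] "GET /archive/search?q=invoice+2017&page=2 HTTP/1.1" 200 7300 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [20/Nov/2018:09:06:01 +0000] "GET /archive/message/8812 HTTP/1.1" 200 2200 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [20/Nov/2018:09:10:00 +0000] "GET /healthz HTTP/1.1" 200 12 "-" "kube-probe/1.12"',
]

if __name__ == "__main__":
    for ip, summary in find_sweeps(SAMPLE_LOG).items():
        print(ip, summary)
```

The larger lesson from the Zoll case is that the detection only matters if the logs exist and are retained for the migration tooling as well as the production service; a temporary migration index is exactly the kind of component that ends up outside logging, monitoring and the network inventory.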

A breach of PHI of this kind has consequences for patients. Affected patients suffered injury and damages as a result of the exposure and theft of their personal and healthcare information. In April 2019, a lawsuit was filed against Zoll on behalf of the breach victims. Zoll sought indemnification from Apptix, but the company did not respond. That lawsuit has since been settled.

In addition to the settlement and legal costs, Zoll spent internal and external resources on investigation and mitigation, on issuing breach notification letters to affected patients, and on providing free services to protect patients from loss and harm. The lawsuit seeks to recover those costs from Barracuda Networks.

Zoll claims that Barracuda Networks was negligent in failing to implement reasonable safeguards to secure Zoll's data, and that Barracuda Networks did not fully cooperate with Zoll's investigation. Zoll alleges that Barracuda Networks did not give the investigators access to its online environment and left many of their questions unanswered, including the dates on which PHI was compromised, the types of data compromised, and whether the attackers exfiltrated any data.

The lawsuit acknowledges that Barracuda Networks responded to the breach and implemented additional security measures, policies and procedures to prevent similar incidents in the future, but alleges that it breached its obligation to employ reasonable safeguards for Zoll's data before the breach. Zoll also claims a breach of the implied warranty of merchantability, since the email archiving service was warranted to be safe for archiving email while security flaws allowed unauthorized persons to access private archived data. Zoll further alleges that the email archiving solution was defective and unfit for its purpose, and that Barracuda Networks therefore breached the implied warranty of fitness for a particular purpose.

Saint Francis Healthcare System to Pay $350,000 to Settle Data Breach Lawsuit

Saint Francis Healthcare System has reached a $350,000 settlement with patients affected by a ransomware attack on Ferguson Medical Group (FMG) in September 2019.

Saint Francis acquired FMG after the cyberattack, which had rendered the electronic health records on FMG's systems inaccessible. Saint Francis chose to restore the encrypted data from backups rather than pay the ransom. Although patient information and other files were restored, not all of the encrypted data could be recovered. A set of records relating to medical services provided to patients from September 20, 2018 to December 31, 2018 could not be recovered and is considered permanently lost. FMG reported that the breach affected approximately 107,000 patients, who were offered free credit monitoring services.

Saint Francis Healthcare faced a class-action lawsuit filed in January 2020 in the U.S. District Court for the Eastern District of Missouri alleging negligence, breach of express and implied contract, invasion of privacy, and violation of the Missouri Merchandising Practices Act. About 90,000 patients affected by the breach were named in the lawsuit.

Although affected individuals had been offered free credit monitoring services, the plaintiffs sought compensation for expenses incurred as a result of the breach, including attorneys' fees. The lawsuit also sought to require Saint Francis Healthcare to implement additional safeguards to improve data security.

Saint Francis Healthcare filed a motion to dismiss the lawsuit in March 2020, arguing that the plaintiffs had not stated a viable claim for relief. The plaintiffs maintained that the motion lacked merit; even so, had the case proceeded to trial, the outcome would have been uncertain, and the two parties agreed to settle out of court.

The proposed settlement will pay each plaintiff up to $280 to cover out-of-pocket expenses incurred because of the breach, additional credit monitoring services, and compensation for time spent protecting their identities.

Saint Francis Healthcare also agreed to take steps to strengthen security by:

  • reviewing firewall protocols
  • automatically updating its firewall to the latest version
  • applying patches promptly
  • restricting remote access to legacy systems
  • creating and enforcing new password management policies
  • implementing multi-factor authentication on its VPN access points
  • geo-blocking traffic to certain IP addresses
  • removing RDP from the vendor access solution
  • deploying a vulnerability scanning system
  • providing more extensive cybersecurity training to employees.

The settlement is awaiting the judge's approval. District Judge Stephen R. Clark of the Eastern District of Missouri has scheduled a conference for November 17, 2020.

Email Account Breach at Payment Processing Vendor Impacts 3 Healthcare Providers

Provider Health Services in Lafayette, LA, Arkansas Methodist Medical Center in Paragould, AR, and IntelliRad Imaging in Miami, FL have reported that they were affected by an email security breach at one of their business associates.

IBERIABANK provides the three entities with a lockbox service for collecting and processing payments. IBERIABANK partners with Technology Management Resources, Inc. (TMR) as its third-party lockbox service provider, which captures and processes payment information for the lockbox. On July 3, 2020, TMR discovered that an unauthorized person had accessed an employee's email account and potentially viewed or exfiltrated images containing protected health information (PHI).

TMR notified affected clients on August 21, 2020 and confirmed that the attacker most likely viewed images of checks and other images containing PHI within TMR's iRemit application. The threat actor accessed the images between August 5, 2018 and May 31, 2020, with most of the activity occurring between February 2020 and May 2020.

Provider Health Services' substitute breach notice states that the PHI potentially viewed included names, addresses, certain medical information, and Social Security numbers.

Arkansas Methodist Medical Center reported that, in addition to the above, the following data were potentially compromised: checking account numbers and routing numbers printed on personal checks, and information submitted with payments such as AMMC account numbers.

IntelliRad Imaging confirmed that the potentially compromised information included patient names, addresses, bank account and routing numbers, Social Security numbers, diagnosis and treatment details, test results, health insurance information, and other data related to patient care.

Following the breach, TMR took several steps to prevent further breaches. Additional firewall rules were implemented to tightly control access to the iRemit web page, and access from other countries was restricted.

The email security breach affected 4,916 patients of Arkansas Methodist Medical Center, 1,700 patients of Provider Health Services, and 1,862 patients of IntelliRad Imaging.

Security Breaches at Dickinson County Health, Passavant Memorial Homes and Michigan Medicine

Dickinson County Health in Michigan has suffered a malware attack that has taken its EHR system offline. The attack forced the health system to implement EHR downtime procedures and record patient information on paper. The malware attack began on October 17, 2020 and disrupted computer systems at all of its Michigan and Wisconsin hospitals and clinics.

Systems were taken offline to contain the malware, and third-party security specialists were engaged to investigate the attack and restore systems and data. Although the attack caused substantial disruption, almost all patient services remained fully operational. It is not yet known whether the attackers accessed or stole patient data.

DCHS CEO Chuck Nelson said the matter is being treated with the highest priority, that industry best practices and rigorous security measures are being implemented, and that the health system has maintained high standards of patient care throughout the investigation.

25,000 People Likely Impacted by Passavant Memorial Homes Security Breach

Passavant Memorial Homes Family of Services (PMHFOS) in Pennsylvania provides support services for people with intellectual disabilities, autism, and behavioral health needs. PMHFOS has suffered a security breach in which the protected health information (PHI) of its clients was potentially compromised.

The breach occurred on August 15, 2020. An unauthorized individual used the contact form on the PMHFOS website to send a message to an authorized user stating that the user's username and password had been obtained and had allowed access to PMHFOS systems. The message alerted PMHFOS to the vulnerability, and the individual claimed that no malicious action had been taken.

A third-party computer forensics firm investigated the breach and confirmed that no malware had been installed and no files had been encrypted; however, it was not possible to determine whether any individually identifiable information was viewed or exfiltrated. Dark web scans were performed to determine whether any client records had been released, but none were found. An examination of the accessed systems showed that they contained the PHI of 25,000 individuals.

In response to the breach, PMHFOS disabled the compromised account, performed a system-wide password reset, provided additional security awareness training to employees, and updated its network security measures. PMHFOS also implemented two-factor authentication. Law enforcement and PMHFOS' cyber insurance provider have been notified of the breach.

Email Addresses of Michigan Medicine Patients Exposed Due to Email Error

Michigan Medicine in Ann Arbor, MI has begun notifying 1,062 patients that their names, email addresses, and some health information may have been accessed by unauthorized individuals.

In late September, Michigan Medicine sent an email to patients concerning inflammatory bowel disease. However, the recipients' email addresses were not placed in the blind carbon copy (BCC) field and were therefore visible to everyone on the mailing list.

The email did not contain highly sensitive information, but it may still be possible to determine patients' names from their email addresses, and the email identified the recipients as patients with inflammatory bowel disease.

On discovering the error, Michigan Medicine sent individual notifications to everyone on the list informing them of the mistake and asking them to delete the original email. Letters were also sent to affected individuals on October 16. Michigan Medicine has since changed its procedures for sending emails to prevent similar mistakes in the future.
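The procedural fix for this class of mistake is to never let a human decide which header the list goes in. The following is an added example, not Michigan Medicine's code, of a small sending helper that puts the list in Bcc by construction and a guard that refuses any message exposing more than one address in To/Cc; the sender address and the patient addresses are constructed.

```python
"""Build bulk patient notices so the recipient list cannot leak via To/Cc.

Added example; SENDER and PATIENTS are constructed sample data."""
import copy
from email.message import EmailMessage
from email.utils import getaddresses


class VisibleRecipientsError(ValueError):
    """Raised when a bulk message would show other recipients' addresses."""


def visible_recipients(msg):
    """Addresses in To and Cc: the ones every recipient will be able to read."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _name, addr in getaddresses(headers) if addr]


def is_safe_to_send(msg, max_visible=1):
    """True if at most `max_visible` addresses are exposed (normally the sender's own)."""
    return len(visible_recipients(msg)) <= max_visible


def assert_safe_to_send(msg, max_visible=1):
    shown = visible_recipients(msg)
    if len(shown) > max_visible:
        raise VisibleRecipientsError(
            f"{len(shown)} addresses would be exposed in To/Cc; put mailing lists in Bcc")


def build_bulk_notice(sender, recipients, subject, body):
    """Notice with the sender as the only visible recipient and every patient in Bcc."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    assert_safe_to_send(msg)
    return msg


def build_leaky_notice(sender, recipients, subject, body):
    """The mistake the page describes: the whole list in To. Built without the guard
    so callers can see is_safe_to_send() reject it."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def transmission_copy(msg):
    """The copy that goes over the wire. smtplib.send_message() does the same thing:
    it strips the Bcc header and passes those addresses only as envelope recipients."""
    wire = copy.copy(msg)
    del wire["Bcc"]
    return wire


# Constructed sample data.
SENDER = "clinic-noreply@example-health.org"
PATIENTS = ["pat.a@mail.example", "pat.b@mail.example", "pat.c@mail.example"]

if __name__ == "__main__":
    ok = build_bulk_notice(SENDER, PATIENTS, "Clinic update", "Hello")
    print("visible in safe message:", visible_recipients(ok))
    print("Bcc header before send:", "Bcc" in ok, "/ on the wire:", "Bcc" in transmission_copy(ok))
    leaky = build_leaky_notice(SENDER, PATIENTS, "Clinic update", "Hello")
    print("leaky message passes guard:", is_safe_to_send(leaky))
```

For anything beyond a handful of recipients, a mail-merge that sends one message per patient is the safer design: it removes the shared header problem entirely and also keeps one patient's bounce or reply from reaching another.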

PHI of Almost 30,000 People Exposed in Oaklawn Hospital and Mono County Breaches

Oaklawn Hospital in Marshall, MI, has notified 26,861 patients about a potential breach of their personal and healthcare information.

The hospital did not state exactly when it discovered the breach, but on July 28, 2020 a forensic investigation confirmed that unauthorized third parties had accessed several employees' email accounts between April 14 and April 15, 2020. The attackers obtained the credentials after employees responded to phishing emails. The breach was detected shortly afterwards, when reports of suspicious emails in several employee email accounts were received.

An extensive manual document review confirmed that the compromised email accounts contained protected health information (PHI). The exposed information included patient names, birth dates, health information, and health insurance information. A small number of patients also had their driver's license numbers, financial account information, Social Security numbers, and online account information potentially compromised. The delay in sending notification letters was due to the time-consuming process of manually reviewing the documents.

After the phishing attack, Oaklawn Hospital reviewed its cybersecurity procedures and implemented measures to strengthen technical security, including multi-factor authentication. Employees also received additional security awareness training.

All affected patients were advised to monitor their explanation of benefits statements for healthcare services they did not receive. The hospital also offered free credit monitoring services to those whose Social Security numbers may have been exposed.

Although unauthorized access to the email accounts was confirmed, no evidence was found that the attackers accessed or stole data, and the hospital has received no reports of patient data misuse.

Breach of COVID-19 Statistics Database

Mono County in California discovered that its online COVID-19 statistics database had been accessed without authorization between April 2 and July 24, 2020. The database contained the PHI of individuals who had been tested for COVID-19 before July 24, 2020.

The database contained information such as the sex, birth date, ethnicity and geographic location of Mono County residents, and their COVID-19 test results. No names, addresses, or other identifying information were included. Mono County secured the database on July 28, 2020, and it can no longer be accessed.

Mono County's breach report to the HHS' Office for Civil Rights indicates that 2,850 individuals were affected by the incident.

Data Breaches at Legacy Community Health Services, Georgia Department of Human Services and VOXX International

Phishing Attack on Legacy Community Health Services Impacts 228,000 People

Legacy Community Health Services is notifying 228,009 patients of a breach involving some of their protected health information (PHI). An unauthorized person accessed PHI stored in an email account.

Legacy Community Health Services discovered the breach on July 29, 2020. It was caused by an employee responding to a phishing email and disclosing their login credentials to the attacker. The email account was secured immediately and a computer forensics firm investigated the breach.

No evidence was found that the attacker accessed email messages or stole electronic protected health information, but the possibility of data theft cannot be ruled out. The compromised account contained patient names, dates of service, and health information relating to care received at Legacy, along with the Social Security numbers of a limited number of patients. Patients whose SSN was exposed were offered free credit monitoring and identity protection services.

Legacy Community Health Services has strengthened email security since the phishing attack, and employees have been retrained on recognizing and avoiding phishing emails.

Georgia Department of Human Services Reports Breach of Several Employee Email Accounts

Unauthorized persons gained access to the email accounts of several Georgia Department of Human Services employees. The accounts contained the personal information and PHI of parents and children involved in Child Protective Services (CPS) cases with the DHS Division of Family & Children Services (DFCS).

The Georgia Department of Human Services determined in August that the emails the hackers may have accessed contained personal information and PHI. The investigation showed that the unauthorized individuals had access to the accounts from May 3, 2020 to May 15, 2020.

The types of data compromised varied by individual and may have included full names, names of family members, relationship to the child receiving services, county of residence, birth date, age, DFCS identification number, DFCS case number, frequency of DFCS contact, an indicator of whether face-to-face contact was medically appropriate, telephone numbers, email addresses, Medicaid identification number, Medicaid health insurance identification number, Social Security number, healthcare provider name, and appointment dates.

Psychological reports, consultation notes, medical diagnoses, and substance abuse information relating to 12 individuals were also included in the compromised accounts, as were the bank account details of one person.

Ransomware Attack on VOXX International

VOXX International Corporation has confirmed that a ransomware attack on July 7, 2020 may have compromised the PHI of its benefit plan members. Files on the affected servers contained the names, email addresses, postal addresses, birth dates, Social Security numbers, financial account numbers, and/or health insurance information of current and former employees, their dependents and beneficiaries.

The investigation into the ransomware attack found that the attackers had access to the servers from June 4, 2020 to July 7, 2020 and accessed some of the files stored on them before deploying the ransomware. Those files were found to contain the PHI of 6,034 individuals.

VOXX has since deployed an endpoint detection and response (EDR) solution and is taking steps to improve network security. All affected individuals were offered free Experian IdentityWorks identity theft resolution services.

Patient PHI Compromised Due to Email Breach and Lost/Stolen Storage Devices

7,777 Patients of Starling Physicians Impacted by Email Breach

Starling Physicians in Rocky Hill, CT has begun notifying 7,777 patients that an unauthorized person may have accessed some of their protected health information (PHI) stored in email accounts.

Starling Physicians detected a breach of its email system on or around July 7, 2020. A detailed review was conducted to determine the scope of the breach and whether patient data had been accessed. Although no evidence was found that PHI was accessed, unauthorized access cannot be ruled out.

A review of the emails and attachments found that they contained names along with some of the following data elements: medical record numbers, patient account numbers, birth dates, diagnostic information, healthcare provider information, prescription information, and treatment details. For a small number of affected individuals, addresses, Medicare/Medicaid ID numbers and/or Social Security numbers were also exposed.

Starling Physicians is enhancing its cybersecurity measures to prevent similar incidents.

Unencrypted Storage Devices Stolen from Moffitt Cancer Center

The Lee Moffitt Cancer Center and Research Institute in Tampa is notifying 4,056 patients that two unencrypted storage devices and paper documents containing PHI were stolen.

A briefcase containing the USB devices and documents was stolen from a physician’s vehicle on July 2, 2020. An analysis of the USB devices and papers established that they contained the following PHI: patient names, dates of birth, information about the services received at Moffitt, and medical record numbers.

The workforce underwent additional training on patient data security, and the policies on using USB devices are under review. Moffitt also improved its auto-encryption procedures to ensure that all patient information is protected. Moffitt Cancer Center is not aware of any attempted misuse of patient information.

Lost Hard Drive Held the PHI of INTEGRIS Baptist Medical Center Patients

INTEGRIS is notifying some patients that a portable hard drive containing some of their protected health information was lost during an on-campus office move. INTEGRIS only noticed on October 17, 2020 that the hard drive was missing. A detailed search was conducted, but the hard drive could not be found.

A duplicate copy of the hard drive’s data was located and reviewed. It was confirmed to contain information on a number of patients who received medical services at INTEGRIS Baptist Medical Center Portland Avenue in Oklahoma City, formerly known as Deaconess Hospital. The patient data on the drive included only patients’ names, limited clinical information, and Social Security numbers.

INTEGRIS provided the affected individuals with complimentary membership of Experian’s IdentityWorksSM Credit 3B service for 12 months.

Breaches at Beaumont Health, Samaritan Medical Center and Southcare Minute Clinic

Beaumont Health, the largest healthcare company in Michigan, has begun notifying around 6,000 patients that unauthorized people may have accessed some of their protected health information (PHI).

On June 5, 2020, Beaumont Health discovered that unauthorized people had access to email accounts from January 3, 2020 to January 29, 2020. The email accounts contained patient PHI such as birth dates, procedure and treatment details, type of treatment given, diagnoses, diagnosis codes, prescription data, medical record numbers, and patient account numbers.

Although unauthorized people accessed the email accounts, no evidence was found indicating that the attackers viewed or copied the emails or attachments in those accounts. Likewise, no reports have been received of misuse of patient information.

This is Beaumont Health’s second announcement of a phishing-related breach in 2020. In April, Beaumont Health began notifying 112,211 people of a breach of some of their PHI contained in email accounts at the end of 2019.

Beaumont Health has taken steps to improve its internal processes so that it can identify and mitigate threats more quickly in the future. Additional safeguards, including multi-factor authentication, were implemented to strengthen email security. Workers also received further training on identifying and handling malicious emails.

Inappropriate Disposal of Healthcare Records by Southcare Minute Clinic

The North Carolina Department of Health and Human Services is investigating the Southcare Minute Clinic in Wilmington, NC over the improper disposal of healthcare records. The Wilmington Police Department responded to a call reporting that sensitive paperwork and hazardous waste had been discarded in a standard dumpster behind the former Southcare Minute Clinic at 1506 Market Street.

The dumpster was found to contain documents with patient details, used needles, and other hazardous waste. The police confirmed that HIPAA rules had been violated but that no crime had been committed. The dumpster has since been removed and there is no further risk to community safety. The North Carolina Department of Health and Human Services will determine whether a financial penalty is appropriate.

Samaritan Medical Center Looking into Possible Data Breach

Samaritan Medical Center in Watertown, NY reported a security incident that forced it to take down its computer networks. Employees have resorted to pen and paper to continue providing care to patients while the incident is being resolved. Patients were not diverted to other facilities, although a number of non-urgent appointments were canceled. No further information about the specific nature of the incident is available at this time.

Data Breaches at Health Plan Member Portals, Zipari and Central California Alliance for Health

Philadelphia-based health plan Independence Blue Cross, AmeriHealth HMO, Inc., and AmeriHealth Insurance Company of New Jersey discovered that unauthorized people accessed pages of their member portals between March 17, 2020 and April 30, 2020 and likely viewed the personal and protected health information (PHI) of a few members.

The information exposed consisted of names, plan type, member identification numbers, spending account balances, claims data, and user reward summaries.

The breach investigation found that the attacker signed in to the portal using valid credentials. In every case, the passwords used to access the member sites had been obtained from breaches of third-party websites and applications, such as the 2018 MyFitnessPal breach, and the affected members had reused those same passwords on the member sites.

The health plans were notified of the breach on May 8, 2020 and promptly took steps to secure the accounts and prevent further unauthorized access. All affected members have received notifications and offers of 24 months of free credit monitoring and identity theft protection services.

Business Associate Data Breach Affects 49,500 Providence Health Plan Members

A data breach at a business associate of Providence Health Plan based in Oregon impacted 49,511 of its members.

On April 17, 2020, Brooklyn-based Zipari informed Providence Health Plan of a coding error that exposed documents related to employer-sponsored health plans online. Zipari detected the coding error on April 9, 2020. According to the investigation, unauthorized individuals accessed the documents in May, September, and November 2019. The documents contained member and employer names and dates of birth. No other information was exposed.

Because of the breach, Providence Health Plan scheduled a third-party audit of Zipari’s data security policies. Plan members were provided with free credit monitoring services.

Central California Alliance for Health Finds A Number of Email Accounts Breached

Central California Alliance for Health (CCAH) found out on May 7, 2020 that an unauthorized individual obtained access to a number of employees’ email accounts and possibly viewed and acquired the protected health information of a few of its members. Based on the breach notification submitted to the California Attorney General’s office, numerous CCAH email accounts were subjected to unauthorized access for approximately one hour.

An analysis of the compromised email accounts confirmed they included names, demographic data, dates of birth, Medi-Cal ID numbers, claims data, Alliance Care Management Program files, medical data, and referral details.

CCAH implemented a full password reset on all email accounts and provided employees with additional training on email security. CCAH is not aware of any misuse of members’ information.

UnityPoint Health Accepts $2.8 Million+ Proposed Settlement to End a Class Action Data Breach Lawsuit

UnityPoint Health, based in Des Moines, Iowa, has agreed to settle a proposed class action lawsuit filed by victims of two phishing attacks in 2017 and 2018 that resulted in the exposure of the protected health information (PHI) of 1.4 million patients.

The first phishing attack occurred in November 2017 and UnityPoint Health discovered it on February 15, 2018. The attackers had access to the email accounts of some employees at its Madison campus for over 3 months and potentially obtained the PHI of around 16,429 patients. Patients received breach notifications in April 2018.

The second phishing attack, which involved the impersonation of a UnityPoint executive in March 2018, was far more extensive. A number of employees disclosed their login credentials after responding to the phishing email. UnityPoint Health discovered the attack in May 2018. According to the investigation, the PHI of 1.4 million patients was found in the compromised email accounts, making this the second largest healthcare data breach reported in 2018. The attackers had access to the email accounts for roughly one month before the breach was discovered and the accounts secured. UnityPoint Health sent notification letters to affected patients in August 2018.

The victims filed a lawsuit after the breach announcement. Allegedly, UnityPoint Health did not handle the breach properly and misrepresented the scope, nature, breadth, cost, and harm of the breach. Breach notifications were not issued within the 60-day time period required by the HIPAA Breach Notification Rule. Further, the notifications sent to the patients did not mention the compromise of their Social Security numbers.

The breach notification letters issued by UnityPoint Health stated that there was no evidence suggesting the exposed PHI would be misused, when in fact the affected patients were at risk. UnityPoint Health also did not offer credit monitoring or identity theft protection services to breach victims, even though driver’s license numbers and Social Security numbers had been exposed.

UnityPoint Health partly succeeded in having the lawsuit dismissed when a US District Court judge dismissed some of the claims in July 2019; the remaining claims were allowed to proceed. The judge ruled that the plaintiffs’ allegations contained sufficient facts to indicate a reasonable probability of future identity theft.

The proposed settlement of June 26, 2020 resolving the lawsuit provides victims with monetary and injunctive relief. UnityPoint Health agreed to provide at least $2.8 million to class members for claims. Each affected person can claim up to $1,000 for documented ordinary out-of-pocket expenses such as credit monitoring and identity theft protection services, and around 3 hours of lost time at $15 per hour.

A person is also entitled to claim up to $6,000 for extraordinary expenses, such as documented out-of-pocket costs and about 10 hours at $15 per hour for time lost dealing with credit freezes, credit monitoring services, and other activities undertaken because of the breach. Unlike most data breach settlements, UnityPoint Health did not cap extraordinary expense claims, so UnityPoint Health will pay the actual losses submitted by victims with valid claims. All victims will additionally be eligible for one year of credit monitoring and identity theft protection services, including a $1 million identity theft insurance policy. The cost of the credit monitoring services and insurance policy is estimated at $200 per class member.

The four breach victims named in the filed lawsuit could claim an extra $2,500 each. UnityPoint Health will also pay all the costs of notice and claims administration plus attorney fees amounting to around $1.58 million.

UnityPoint Health additionally agreed to improve network and data security. A third-party security company will conduct an annual audit of UnityPoint Health to ensure that adequate security measures are in place and that the provider complies with security guidelines.

Because there is no cap on claims, this healthcare data breach settlement may become one of the largest ever. The settlement now only requires a judge’s approval to be finalized at the end of the year.

112,000 Beaumont Health Patients Received Breach Notification About a May 2019 Incident

Beaumont Health, the largest healthcare system in Michigan, reported the likely exposure of patient information contained in emails and attachments after unauthorized individuals accessed the email accounts of a number of employees.

Beaumont Health discovered the email account breach on March 29, 2020; the incident itself occurred around 10 months earlier and resulted in the compromise and potential theft of patient data. The breach investigation found that unauthorized individuals had access to the email accounts from May 23, 2019 until June 3, 2019. Forensic specialists investigated to determine the magnitude and scope of the breach, alongside a manual review of all emails in the compromised accounts. The investigation took considerable time to complete, which delayed the issuance of breach notifications to the affected patients.

The investigators confirmed that the protected health information (PHI) of 112,000 persons was contained in the compromised email accounts, around 5% of Beaumont Health’s 2.3 million patients. The types of information exposed, and possibly stolen by the threat actors, varied from patient to patient. The compromised information included patient names together with at least one of the following data elements: birth dates, diagnosis codes, diagnoses, types of treatment, procedures, treatment locations, prescription information, health record numbers, and internal patient account numbers. The Social Security numbers, along with other records, of a number of patients were also potentially compromised. Although the forensic investigators confirmed that the threat actors accessed the email accounts, it was not possible to verify that no data was viewed or stolen.

As a result of the breach, Beaumont Health provided additional training to its employees on recognizing malicious and phishing emails. Internal policies were modified and further technical safeguards were implemented to prevent similar breaches in the future.

This occurrence is the second reported data breach at Beaumont Health this year. The first incident was reported in January and involved the breach of PHI of 1,182 patients. A former hospital employee accessed the records of patients who got treatment after being injured in a car accident. Allegedly, the snooping employee shared the patient data with a personal injury attorney.

Phishing Attacks at the Washington University School of Medicine and Doctors Community Medical Center

Washington University School of Medicine is notifying 14,795 oncology patients of a breach of some of their protected health information (PHI) contained in an email account in January 2020.

Because a research administrator in the Division of Oncology responded to a phishing email, an unauthorized person was able to access his email account from January 12, 2020 to January 13, 2020. After becoming aware of the breach, the Washington University School of Medicine took quick action to make the account secure and block further unauthorized access. A third-party computer forensics company came in to help with the investigation.

A careful analysis of the email messages and attachments in the account showed that they contained the following patient data: names, birth dates, patient account numbers, medical record numbers, and limited treatment and/or clinical data, such as diagnoses, provider names, and laboratory test results. The medical insurance data and/or Social Security numbers of some patients were also exposed.

Affected people already received breach notification letters. The people who had their Social Security numbers potentially compromised received offers of free credit monitoring and identity protection services.

Washington University School of Medicine already took steps to enhance email security. The employees received reinforced training on identifying suspicious emails.

Doctors Community Medical Center Phishing Attack

Doctors Community Medical Center based in Maryland is notifying some patients about a breach of their PHI.

The medical center discovered the data breach in January 2020 after detecting suspicious activity in its payroll system. The breach investigation confirmed that a small number of employees had received phishing emails and were tricked into disclosing their account credentials. In addition to accessing the employees’ email accounts, the attackers also accessed their payroll information.

According to the investigation, the first breach of the accounts happened on November 6, 2019 and access possibly continued until January 30, 2020. On February 13, 2020, Doctors Community Medical Center confirmed that data sheets with patient information were found in a few of the compromised email accounts.

Third-party forensic investigators were unable to confirm whether the attackers accessed, copied or disclosed the patient data. Nevertheless, no reports have been received suggesting misuse of patient information. Because unauthorized data access cannot be ruled out, the medical center notified the patients and offered them free credit monitoring and identity restoration services.

The potentially compromised types of information included names, addresses, birth dates, Social Security numbers, military identification numbers, driver’s license numbers, financial account information, diagnoses, prescription information, treatment information, provider names, medical record numbers, Medicare/Medicaid numbers, patient IDs, health insurance information, access credentials and treatment cost information.

The health system is looking into its policies and procedures and updating as needed. Additional safeguards will be put in place to stop more attacks.

Nearly 110,000 Patient Records Compromised Due to Breaches at Surefile and Golden Valley Health Centers

Stephan C Dean, the co-owner of Surefile, submitted a hacking/IT incident report to the HHS’ Office for Civil Rights (OCR) on March 4, 2020. The California record storage company indicated that the incident impacted more than 70,000 people.

Stephan Dean and his wife were involved in a long-running legal dispute with Kaiser Permanente over the return and deletion of electronic files containing patient data. Kaiser Permanente wanted the files completely deleted; however, Stephan Dean asserts that Kaiser Permanente owes him payment for the services provided. The on-and-off legal action was eventually dropped, but the electronic files were neither returned nor deleted.

Surefile was a business associate of Kaiser Permanente and received paper copies of health records from Kaiser Permanente in 2008. After the business agreement between Surefile and Kaiser Permanente ended, Stephan Dean returned the paper copies of the health records to Kaiser Permanente, but he still has the emails containing patient data on his computer. Stephan Dean filed a complaint with OCR about alleged HIPAA violations relating to the emails and the absence of a business associate agreement. OCR opened a case and investigated the matter, but the case was subsequently closed without a penalty being issued.

On August 20, 2019, Microsoft informed Stephan Dean that an unauthorized person potentially accessed his MSN email account. The account involved contained spreadsheets and other files sent by Kaiser Permanente to Stephan Dean.

Stephan Dean recently spoke with Dissent of and said that the 70,000 records merely represent a data sample. The actual number may be approximately 1 million records, which can only be confirmed through forensic accounting. report covered the initial breach in 2012 up to the latest story. An in-depth article on the legal dispute is available at this link.

Email Security Breach at Golden Valley Health Centers

Patients of Golden Valley Health Centers, which comprises healthcare centers in the Modesto, Merced, and Central Valley regions of California, have received notifications about the exposure of some of their protected health information (PHI). An unauthorized person accessed an account containing email messages and file attachments with patient information. Golden Valley discovered the breach on March 3, 2020 and engaged forensic investigators to look into the incident.

An analysis of the account confirmed that it contained information such as names, billing data, medical insurance data, patient referral details and appointment records. Although the investigation established that an unauthorized person accessed the email account, there is no proof of data theft or misuse found.

Because of the breach, Golden Valley Health Centers is examining and updating its information security guidelines and privacy practices. Employees will also be provided with further training.

The summary report posted on the HHS’ Office for Civil Rights breach portal indicates 39,700 patients were affected.

Email Security Breaches at Relation Insurance and Rainbow Hospice Care

The insurance brokerage company Relation Insurance Inc., doing business as Relation Insurance Services of Georgia (RISG), experienced an email security breach in August 2019. It was discovered that an unauthorized person had gained access to an employee’s email account and potentially read or copied emails containing the protected health information (PHI) of its clients.

RISG discovered the breach on August 15, 2019 after noticing suspicious activity in the employee’s email account. An independent computer forensics company helped investigate the breach and determine whether an unauthorized person accessed the account from August 14 to August 15.

On August 16, 2019, RISG learned that the account contained PHI; however, the account review, which included determining the people affected and the information potentially compromised, was only completed on December 13, 2019.

According to the investigation, the account contained a broad selection of information, which varied from one person to another. The PHI that was potentially breached included: name, address, phone number, email address, birth date, driver’s license number, passport number, Social Security number, identification number issued by the state, copies of marriage or birth certificates, financial company name, account and routing number, credit/debit card number, PIN, expiration date, prescription details, treatment data, provider name, patient ID, medical record number, medical insurance data, treatment cost, mental or physical condition, medical history, diagnosis code, type of procedure, procedure code, treatment site, medical device number, admission and discharge date, and date of death.

RISG has taken steps to enhance email security and prevent similar breaches in the future. The breach report submitted to the HHS’ Office for Civil Rights indicates that the breach potentially affected the PHI of about 4,335 people.

Rainbow Hospice Care, Inc. Discovers Email Security Breach

Rainbow Hospice Care, Inc. based in Jefferson, WI discovered the unauthorized access of an employee’s email account and the potential viewing or downloading of the PHI of 2,029 present and past patients.

Third-party forensic investigators looked into the breach. Although they confirmed that an unauthorized person accessed the account, they could not determine whether the attacker accessed or exfiltrated any patient information. An analysis of the breached account showed that it contained patient names, birth dates, Social Security numbers, treatment data, and medical record numbers.

Patients received notifications about the breach and offers of free credit monitoring services via Experian. Rainbow Hospice Care has not received any report of misuse of patient data. The provider’s substitute breach notice stated that it is unlikely that patient information was misused.

Impermissible Disclosure of 5,300 Patients’ PHI Due to Mailing Errors

Two HIPAA-covered entities recently reported communication errors that caused the impermissible disclosure of the personal and protected health information (PHI) of 5,339 patients.

Impermissible PHI Disclosure at Mercy Health Physician Partners Southwest

Mercy Health Physician Partners Southwest located in Byron Center, MI, began mailing breach notification letters on February 10, 2019 to inform its patients about the recent mailing error committed by a third-party vendor hired by Mercy Health.

Mercy Health gave the mailing vendor a list of 3,164 patient names and addresses so that letters announcing a physician’s departure could be sent. Because of a mailing error, names were mismatched with addresses, and 2,487 patients received a notice addressed to another patient. No other sensitive information was disclosed.

The breach investigation found that the vendor had not signed a business associate agreement (BAA). Giving the vendor a copy of the patient list was therefore a HIPAA violation: an impermissible disclosure of PHI. The mailing vendor has satisfactorily assured Mercy Health that it understands its responsibilities under HIPAA, and a BAA is now in place.

Email Error of Hawaii Hospital

On February 3, 2019, a staff member of Queen’s Health Systems in Hawaii sent an email with a file attachment to the wrong recipient. The attachment contained the PHI of 2,852 patients of Queen’s North Hawaii Community Hospital and the Queen’s Medical Center. The error was discovered the next day.

Queen’s Health Systems tried to contact the individual to whom the email was mistakenly sent to ensure deletion of the patient list; however, no response was received. The information in the email attachment included patient names, health plan ID numbers, admission and discharge dates, and limited data regarding the care received. The file also included the diagnoses of 300 patients. The breach affected patients who received healthcare services after June 1, 2019.

No reports have been received indicating misuse of patient information. Patients were advised to monitor their explanation of benefits statements and report any listed services that they did not receive.

Email Breach at Hospital Sisters Health System and Burglary at Jefferson Center for Mental Health

Hospital Sisters Health System recently learned of an email security breach that occurred in August 2019. Unauthorized people potentially accessed email messages and attachments containing the protected health information (PHI) of 16,167 patients.

Hospital Sisters Health System is a 15-hospital health system providing patient care in Wisconsin and Illinois. Between August 6, 2019 and August 9, 2019, unauthorized individuals gained access to the email accounts of a few employees. The health system took immediate action to secure the email accounts by resetting passwords. A well-known computer forensics firm was engaged to investigate whether patient data was contained in the compromised email accounts.

On December 2, 2019, the investigators advised Hospital Sisters Health System that the attackers may have viewed patient information. The information identified in the compromised email accounts included patient names, birth dates, and various clinical information. The Social Security numbers, medical insurance information, or driver’s license numbers of some patients were also compromised.

Hospital Sisters Health System started mailing notification letters to all patients with compromised information on January 31, 2020. Persons with exposed Social Security numbers or driver’s license numbers were offered free identity theft protection services. They were additionally told to check their financial accounts and explanation of benefits statements with care and report to the police authorities in case there is any suspicious activity.

In response to the breach, Hospital Sisters Health System has taken steps to strengthen email security so that similar incidents are avoided in the future.

Jefferson Center for Mental Health Breach of PHI

Jefferson Center for Mental Health is a community mental health care and substance use services provider in Colorado. The center reported a burglary at its Independence Corner facility in Wheat Ridge on November 29, 2019.

Jefferson Center learned of the burglary on December 2, 2019 and reported it to law enforcement. The thieves did not steal any paperwork containing patient information, but they may have viewed the private and treatment information of 1,319 patients.

Unauthorized data access is considered quite unlikely to have occurred. Nevertheless, patients were advised to monitor their accounts. Jefferson Center for Mental Health is currently working on improving the physical security of its offices.