Patient PHI Compromised Due to Email Breach and Lost/Stolen Storage Devices

7,777 Patients of Starling Physicians Impacted by Email Breach

Starling Physicians, based in Rocky Hill, CT, started informing 7,777 patients that an unauthorized person likely accessed some of their protected health information (PHI) stored in email accounts.

Starling Physicians detected a breach of its email system on or about July 7, 2020. A detailed review was done to ascertain the scope of the breach and whether patient data was accessed. Although no proof was found that PHI was accessed, unauthorized access to the information cannot be ruled out.

A review of the emails and attachments revealed that they contained names as well as some of the following data elements: medical record numbers, patient account numbers, birth dates, diagnostic data, healthcare provider data, prescription data, and treatment details. The address, Medicare/Medicaid ID number and/or Social Security number of a few affected persons were also exposed.

Starling Physicians is improving its cybersecurity solutions to prevent similar data security incidents.

Unencrypted Storage Devices Stolen from Moffitt Cancer Center

Lee Moffitt Cancer Center and Research Institute, located in Tampa, is informing 4,056 patients about the theft of two unencrypted storage devices and paper documents containing PHI.

A briefcase containing the USB devices and files was stolen from a physician’s vehicle on July 2, 2020. An analysis of the USB devices and papers established that they included the following protected health information: patient names, dates of birth, information about the services obtained at Moffitt, and medical record numbers.

The workforce underwent additional training on patient data security. The policies on using USB devices are under review. Moffitt also improved its auto-encryption procedures to make sure that all patient information is protected. Moffitt Cancer Center is not aware of any attempted misuse of patient information.

Lost Hard Drive Held the PHI of INTEGRIS Baptist Medical Center Patients

INTEGRIS is informing some patients that a portable hard drive containing some of their protected health information was lost during an on-campus office move. INTEGRIS only noticed that the hard drive was missing on October 17, 2020. A detailed search was performed, but the hard drive could not be found.

A duplicate copy of the hard drive’s data was located and reviewed. It was confirmed to contain information on a number of patients who obtained medical services at INTEGRIS Baptist Medical Center Portland Avenue in Oklahoma City, formerly known as Deaconess Hospital. The patient data on the drive only included patients’ names, limited clinical information and Social Security numbers.

INTEGRIS provided the affected individuals with a complimentary 12-month membership of Experian’s IdentityWorks℠ Credit 3B service.

Breaches at Beaumont Health, Samaritan Medical Center and Southcare Minute Clinic

Beaumont Health, which is the biggest healthcare company in Michigan, began sending notifications to around 6,000 patients concerning the possible access of some of their protected health information (PHI) by unauthorized people.

On June 5, 2020, Beaumont Health discovered that unauthorized people had access to email accounts from January 3, 2020 to January 29, 2020. The email accounts contained the PHI of patients, such as birth dates, procedure and treatment details, type of treatment given, diagnoses, diagnosis codes, prescription data, medical record numbers, and patient account numbers.

Even though unauthorized people got access to the email accounts, no proof was found that the attackers viewed or copied the emails or email attachments in the accounts. Likewise, no report of patient information being misused has been received.

This is Beaumont Health’s second announcement of a phishing-related breach in 2020. Last April, Beaumont Health started sending notifications to 112,211 people regarding the breach of some of their PHI included in email accounts at the end of 2019.

Beaumont Health has already taken steps to improve its internal processes so that it can identify and mitigate threats more quickly in the future. Extra safety measures were put in place to strengthen email security, such as using multi-factor authentication. Additional training on identifying and dealing with malicious emails was also provided to workers.

Inappropriate Disposal of Healthcare Records by Southcare Minute Clinic

The North Carolina Department of Health and Human Services is investigating the Southcare Minute Clinic located in Wilmington, NC regarding the improper disposal of healthcare records. The Wilmington Police Department responded to a call informing them that sensitive paperwork and hazardous waste had been discarded in a standard dumpster behind the former Southcare Minute Clinic located at 1506 Market Street.

The dumpster was found to contain documents with patient details, used needles, and other hazardous waste materials. The police affirmed that there was a violation of HIPAA rules but confirmed that no crime had been committed. The dumpster has since been taken away and there is no further risk to community safety. The North Carolina Department of Health and Human Services will determine whether a financial penalty is appropriate.

Samaritan Medical Center Looking into Possible Data Breach

Samaritan Medical Center, located in Watertown, NY, reported a security incident that compelled it to take down its computer networks. Employees have switched to pen and paper so that they can continue providing healthcare to patients while the incident is being resolved. Patients were not moved to other centers; however, a number of non-urgent consultations were canceled. No further information about the specific nature of the breach is available at this time.

Data Breaches at Health Plan Member Portals, Zipari and Central California Alliance for Health

Health plans Independence Blue Cross based in Philadelphia, AmeriHealth HMO, Inc. and AmeriHealth Insurance Company of New Jersey found out that unauthorized people got access to pages of their member portals between March 17, 2020 and April 30, 2020 and likely viewed the personal and protected health information (PHI) of a few members.

The types of information disclosed consist of names, plan type, member identification numbers, spending account balances, claims data, and user reward summaries.

Based on the breach investigation, the hacker used valid credentials to sign in to the portal. In all instances, the passwords used to access the member sites were obtained through breaches of third-party websites and programs, such as the MyFitnessPal breach in 2018. The passwords for those third-party sites had also been used on the member sites.

The health plans were advised about the breach on May 8, 2020 and promptly took steps to protect the accounts and stop further unauthorized access. All affected members have already received notifications and offers of 24 months of free credit monitoring and identity theft protection services.

Business Associate Data Breach Affects 49,500 Providence Health Plan Members

A data breach at a business associate of Providence Health Plan based in Oregon impacted 49,511 of its members.

On April 17, 2020, Zipari in Brooklyn informed Providence Health Plan of a coding error that allowed documents related to employer-sponsored health plans to be exposed online. Zipari detected the coding error on April 9, 2020. Based on the investigation, unauthorized individuals accessed the documents in May, September, and November 2019. The documents contained member names, employer names, and dates of birth. No other information was exposed.

Because of the breach, Providence Health Plan scheduled a third-party audit of Zipari’s data security policies. Plan members were provided with free credit monitoring services.

Central California Alliance for Health Finds A Number of Email Accounts Breached

Central California Alliance for Health (CCAH) found out on May 7, 2020 that an unauthorized individual obtained access to a number of employees’ email accounts and possibly viewed and acquired the protected health information of a few of its members. Based on the breach notification submitted to the California Attorney General’s office, numerous CCAH email accounts were subjected to unauthorized access for approximately one hour.

An analysis of the compromised email accounts confirmed they included names, demographic data, dates of birth, Medi-Cal ID numbers, claims data, Alliance Care Management Program files, medical data, and referral details.

CCAH implemented a full password reset on all email accounts and provided employees with more training on email security. CCAH is not aware of any misuse of members’ information.

UnityPoint Health Accepts $2.8 Million+ Proposed Settlement to End a Class Action Data Breach Lawsuit

UnityPoint Health, based in Des Moines, Iowa, has decided to settle a proposed class action lawsuit that victims of two phishing attacks in 2017 and 2018 filed after the incidents resulted in the exposure of the protected health information (PHI) of 1.4 million patients.

The first phishing attack happened in November 2017 and UnityPoint Health found out about it on February 15, 2018. The attackers accessed the email accounts of some employees at its Madison campus for over 3 months and possibly acquired the PHI of around 16,429 patients. Patients received breach notifications in April 2018.

The second phishing attack, which involved an impersonation of a UnityPoint executive in March 2018, was far more extensive. A number of employees disclosed their login information after responding to the phishing email. UnityPoint Health discovered the attack in May 2018. According to the investigation, the PHI of 1.4 million patients was found in the compromised email accounts. This phishing attack resulted in the second biggest healthcare data breach reported in 2018. The attackers were able to access the email accounts for roughly one month before the breach was discovered and the email accounts were secured. UnityPoint Health sent notification letters to affected patients in August 2018.

The victims filed a lawsuit after the breach announcement. Allegedly, UnityPoint Health did not handle the breach properly and misrepresented the scope, nature, breadth, cost, and harm of the breach. Breach notifications were not issued within the 60-day time period required by the HIPAA Breach Notification Rule. Further, the notifications sent to the patients did not mention the compromise of their Social Security numbers.

The breach notification letters issued by UnityPoint Health stated that there was no evidence suggesting that the exposure of the patients’ PHI would result in unintended uses, which means that the affected patients were in danger. UnityPoint Health additionally did not provide credit monitoring or identity theft protection services to breach victims, even though driver’s license numbers and Social Security numbers were exposed.

UnityPoint Health partly succeeded in having the lawsuit dismissed when a US District Court judge dismissed some of the lawsuit’s claims in July 2019. The other claims were retained. The judge decided that the plaintiffs’ allegations contained adequate facts pointing to a reasonable probability of identity theft in the future.

The settlement proposed on June 26, 2020 to resolve the lawsuit will give victims monetary and injunctive relief. UnityPoint Health agreed to provide at least $2.8 million to class members for claims. Every affected person can file a maximum claim of $1,000 for documented ordinary out-of-pocket expenses, such as credit monitoring and identity theft protection services, and around 3 hours of lost time billed at $15 per hour.

A person is entitled to a maximum claim of $6,000 for extraordinary expenses, such as documented out-of-pocket expenses and about 10 hours billed at $15 per hour for time lost dealing with credit freezes, credit monitoring services, and other activities undertaken because of the breach. Unlike most data breach settlements, UnityPoint Health did not put a limit on extraordinary expense claims, so UnityPoint Health will pay for the actual losses that victims submit with valid claims. All victims will additionally be eligible for a one-year membership of credit monitoring and identity theft protection services and will be covered by a $1 million identity theft insurance policy. The cost of the credit monitoring services and insurance policy per class member is estimated to be $200.

The four breach victims named in the filed lawsuit could claim an extra $2,500 each. UnityPoint Health will also pay all the costs of notice and claims administration plus attorney fees amounting to around $1.58 million.

UnityPoint Health additionally agreed to improve network and data security. A third-party security company will do a yearly audit of UnityPoint Health to ensure there are adequate security measures, and the provider complies with security guidelines.

Because there is no limit on claims, this healthcare data breach settlement may become one of the biggest ever. A judge only needs to approve the settlement for finalization at the end of the year.

112,000 Beaumont Health Patients Received Breach Notification About a May 2019 Incident

Beaumont Health, which is the biggest healthcare system in Michigan, reported a likely exposure of patient information contained in emails and attachments as unauthorized individuals accessed the email accounts of a number of employees.

Beaumont Health found out about the breach of the email accounts on March 29, 2020. The incident, which took place around 10 months earlier, resulted in the compromise and potential theft of patient data. Based on the breach investigation results, unauthorized individuals had access to the email accounts from May 23, 2019 until June 3, 2019. Forensic specialists looked into the breach to determine its magnitude and scope, alongside a manual analysis of all emails in the breached accounts. The investigation took some time to finish, which delayed the issuance of breach notifications to the affected patients.

The investigators affirmed that the protected health information (PHI) of 112,000 persons was contained in the compromised email accounts. The affected patients were around 5% of the 2.3 million Beaumont Health patients. The types of information exposed, and possibly stolen by the threat actors, varied from patient to patient. The compromised information included the names of patients as well as at least one of the following data elements: birth dates, diagnosis codes, diagnoses, kinds of treatment, procedures, treatment locations, prescription information, health record numbers, and internal patient account numbers. The Social Security numbers and other records of a number of patients were also potentially compromised. Though the forensic investigators affirmed that the threat actors accessed the email accounts, there was no way to be sure that no data was viewed or stolen.

As a result of the breach, Beaumont Health provided more training to its employees so that they can recognize malicious and phishing email messages. Internal policies were modified and more technical security measures were set up to prevent other breaches in the future.

This occurrence is the second reported data breach at Beaumont Health this year. The first incident was reported in January and involved the breach of PHI of 1,182 patients. A former hospital employee accessed the records of patients who got treatment after being injured in a car accident. Allegedly, the snooping employee shared the patient data with a personal injury attorney.

Phishing Attacks at the Washington University School of Medicine and Doctors Community Medical Center

Washington University School of Medicine is informing 14,795 oncology patients of a breach in January 2020 of some of their protected health information (PHI) contained in an email account.

Because a research administrator in the Division of Oncology responded to a phishing email, an unauthorized person was able to access his email account from January 12, 2020 to January 13, 2020. After becoming aware of the breach, the Washington University School of Medicine took quick action to make the account secure and block further unauthorized access. A third-party computer forensics company came in to help with the investigation.

A careful analysis of email messages and attachments in the account showed that they contained the following patient data: names, birth dates, patient account numbers, medical record numbers, and limited treatment and/or clinical data, such as diagnoses, names of providers, and laboratory test results. The medical insurance data and/or Social Security numbers of some patients were exposed too.

Affected people already received breach notification letters. The people who had their Social Security numbers potentially compromised received offers of free credit monitoring and identity protection services.

Washington University School of Medicine already took steps to enhance email security. The employees received reinforced training on identifying suspicious emails.

Doctors Community Medical Center Phishing Attack

Doctors Community Medical Center based in Maryland is notifying some patients about a breach of their PHI.

The medical center discovered the data breach in January 2020 after detecting suspicious activity in its payroll system. A breach investigation confirmed that a small number of employees received phishing emails and were tricked into disclosing their account credentials. Besides getting access to the email accounts of the employees, the attackers likewise had accessed the payroll information of the employees.

According to the investigation, the first breach of the accounts happened on November 6, 2019 and access possibly continued until January 30, 2020. On February 13, 2020, Doctors Community Medical Center confirmed that data sheets with patient information were found in a few of the compromised email accounts.

Third-party forensic investigators were unable to confirm whether the attackers accessed, copied or disclosed the patient data. Nevertheless, no report suggesting the misuse of patient information has been received. Because unauthorized data access could not be ruled out, the medical center notified the patients and offered them credit monitoring and identity restoration services for free.

The potentially compromised types of information included names, addresses, birth dates, Social Security numbers, military identification numbers, driver’s license numbers, financial account information, diagnoses, prescription information, treatment information, provider names, medical record numbers, Medicare/Medicaid numbers, patient IDs, health insurance information, access credentials and treatment cost information.

The health system is looking into its policies and procedures and updating as needed. Additional safeguards will be put in place to stop more attacks.

Nearly 110,000 Patient Records Compromised Due to Breaches at Surefile and Golden Valley Health Centers

Stephan C Dean, the co-owner of Surefile, submitted a hacking/IT incident report to the HHS’ Office for Civil Rights (OCR) on March 4, 2020. The California record storage company indicated that the incident impacted more than 70,000 people.

Stephan Dean and his wife were involved in a long-term legal fight with Kaiser Permanente over the return and deletion of electronic files that contain patient data. Kaiser Permanente wanted the files to be completely deleted; however, Stephan Dean asserts that Kaiser Permanente owes him payment for the services provided. The on-and-off legal action was subsequently dropped, but the electronic files were not returned or deleted.

Surefile was Kaiser Permanente’s business associate, which is why Surefile received paper copies of health records from Kaiser Permanente in 2008. After the business agreement between Surefile and Kaiser Permanente ended, Stephan Dean returned the paper copies of health records to Kaiser Permanente, but he still has the emails containing patient data on his computer. Stephan Dean submitted a complaint to OCR regarding the alleged HIPAA violations pertaining to the emails and the absence of a business associate agreement. Although OCR opened a case and investigated the matter, the case was subsequently closed without a penalty being issued.

On August 20, 2019, Microsoft informed Stephan Dean that an unauthorized person potentially accessed his MSN email account. The account involved contained spreadsheets and other files sent by Kaiser Permanente to Stephan Dean.

Stephan Dean just talked with Dissent of and mentioned that the 70,000 records merely represent a data sample. The actual number may be approximately 1 million records, which can just be confirmed by forensic accounting. report included the initial breach in 2012 up to the latest story. An in-depth article on the legal dispute is available on this link.

Email Security Breach at Golden Valley Health Centers

The patients of Golden Valley Health Centers, which comprises healthcare centers located in the Modesto, Merced, and Central Valley regions of California, received notifications about the exposure of some of their protected health information (PHI). An unauthorized person accessed an account containing email messages and file attachments with patient information. Golden Valley discovered the breach on March 3, 2020 and had forensic investigators look into the incident.

An analysis of the account confirmed that it contained information such as names, billing data, medical insurance data, patient referral details and appointment records. Although the investigation established that an unauthorized person accessed the email account, no proof of data theft or misuse was found.

Because of the breach, Golden Valley Health Centers is examining and updating its information security guidelines and privacy practices. Employees will also be provided with further training.

The summary report posted on the HHS’ Office for Civil Rights breach portal indicates 39,700 patients were affected.

Email Security Breaches at Relation Insurance and Rainbow Hospice Care

The insurance brokerage company Relational Insurance Inc., doing business as Relation Insurance Services of Georgia (RISG), encountered an email security breach in August 2019. It was discovered that an unauthorized person had acquired access to an employee’s email account and potentially read or copied emails that contain the protected health information (PHI) of its clients.

RISG discovered the breach on August 15, 2019 after noticing suspicious activity in the employee’s email account. An independent computer forensics company helped investigate the breach and determine whether an unauthorized person accessed the account from August 14 to August 15.

On August 16, 2019, RISG learned that there was PHI contained in the account; however, the account review, which included identifying the people affected and the information potentially compromised, was only finished on December 13, 2019.

According to the investigation, the account contained a broad selection of information, which varied from one person to another. The PHI that was potentially breached included: name, address, phone number, email address, birth date, driver’s license number, passport number, Social Security number, identification number issued by the state, copies of marriage or birth certificates, financial company name, account and routing number, credit/debit card number, PIN, expiration date, prescription details, treatment data, provider name, patient ID, medical record number, medical insurance data, treatment cost, mental or physical condition, medical history, diagnosis code, type of procedure, procedure code, treatment site, medical device number, admission and discharge date, and date of death.

RISG has taken steps to enhance email security and prevent similar breaches in the future. The breach report sent to the HHS’ Office for Civil Rights indicates that the breach potentially affected the PHI of about 4,335 people.

Rainbow Hospice Care, Inc. Discovers Email Security Breach

Rainbow Hospice Care, Inc. based in Jefferson, WI discovered the unauthorized access of an employee’s email account and the potential viewing or downloading of the PHI of 2,029 present and past patients.

Third-party forensic investigators looked into the breach. Although they affirmed that an unauthorized person accessed the account, they could not ascertain whether the hacker accessed or exfiltrated any patient information. An analysis of the breached account showed that it contained patient names, birth dates, Social Security numbers, treatment data, and medical record numbers.

Patients received notifications about the breach and offers of free credit monitoring services via Experian. Rainbow Hospice Care has not received any report of misuse of patient data. The provider’s substitute breach notice stated that it is unlikely that patient information was misused.

Impermissible Disclosure of 5,300 Patients’ PHI Due to Mailing Errors

HIPAA-covered entities recently reported two communication errors, which caused the impermissible disclosure of the personal and protected health information (PHI) of 5,339 patients.

Impermissible PHI Disclosure at Mercy Health Physician Partners Southwest

Mercy Health Physician Partners Southwest located in Byron Center, MI, began mailing breach notification letters on February 10, 2019 to inform its patients about the recent mailing error committed by a third-party vendor hired by Mercy Health.

Mercy Health gave the mailing vendor a list of 3,164 names and addresses of patients so that it could send them letters about a physician’s departure. Because of a mistake in the mailing, the names were mismatched with the addresses. 2,487 patients received a notice that was addressed to another patient. There was no disclosure of other sensitive information.

The breach investigators discovered that the vendor did not sign any business associate agreement (BAA). Therefore, giving the vendor a copy of the patients’ list was a violation under HIPAA — an impermissible disclosure of PHI. The mailing vendor satisfactorily assured Mercy Health that it knows its responsibilities as required by HIPAA and there is now a BAA in place.

Email Error of Hawaii Hospital

On February 3, 2019, a staff member of Queen’s Health Systems in Hawaii sent an email with a file attachment to the wrong recipient. The file attachment contained the PHI of 2,852 patients of the Queen’s North Hawaii Community Hospital and the Queen’s Medical Center. The email error was discovered the next day.

Queen’s Health Systems tried to contact the individual to whom the email was sent by mistake to confirm the deletion of the patient list. However, no response has been received. The information contained in the email attachment included the names of patients, health plan ID numbers, admission and discharge dates, and limited data regarding the care received. The file additionally included the diagnoses of 300 patients. The breach impacted patients who obtained healthcare services after June 1, 2019.

No report indicating the misuse of patient information has been received. Patients were advised to keep track of their explanation of benefits statements and to submit a report if services are listed that they did not receive.

Email Breach at Hospital Sisters Health System and Burglary at Jefferson Center for Mental Health

Hospital Sisters Health System learned recently about the occurrence of an email security breach in August 2019. Unauthorized people possibly got access to e-mail messages and attachments that contain 16,167 patients’ protected health information (PHI).

Hospital Sisters Health System is a 15-hospital health system that provides patient care in Wisconsin and Illinois. Between August 6, 2019 and August 9, 2019, some unauthorized individuals got access to the email accounts of a few employees. The health system took immediate action to secure the email accounts by changing passwords. A well-known computer forensic firm worked on the breach investigation to determine whether patient data was contained in the compromised email accounts.

On December 2, 2019, the investigators advised the Hospital Sisters Health System that attackers possibly viewed patient information. The information identified in the compromised email accounts was the following: patient names, birth dates, and various clinical information. The Social Security numbers, medical insurance information, or driver’s license numbers of some patients were likewise compromised.

Hospital Sisters Health System started mailing notification letters to all patients with compromised information on January 31, 2020. Persons with exposed Social Security numbers or driver’s license numbers were offered free identity theft protection services. They were additionally told to check their financial accounts and explanation of benefits statements with care and report to the police authorities in case there is any suspicious activity.

Because of the breach, the Hospital Sisters Health System took the necessary steps to strengthen email security so that the same incident will be avoided in the future.

Jefferson Center for Mental Health Breach of PHI

Jefferson Center for Mental Health is a community mental health care and substance use services provider located in Colorado. The center reported a burglary at its Independence Corner facility, located in Wheat Ridge, on November 29, 2019.

Jefferson Center learned of the burglary on December 2, 2019 and submitted a report to law enforcement. The thieves didn’t steal any paperwork containing patient information, but they may have viewed the private and treatment information of 1,319 patients.

Unauthorized data access is quite unlikely to have occurred. Nevertheless, patients were warned to keep watch over their accounts. Jefferson Center for Mental Health is presently working on improving the physical security of its offices.

Phishing Attack on InterMed and Laptop Theft at Children’s Hope Alliance

Healthcare company InterMed based in Portland, ME is informing 33,000 patients regarding the potential exposure of their protected health information (PHI) because of a phishing attack.

InterMed discovered the phishing attack on September 6, 2019. It was confirmed by the investigation team that the email account was breached on September 4. The attackers got access to the account up to September 6, 2019.

A top-rated national computer forensic company helped investigate the breach and found that three other email accounts were compromised from September 7 up to September 10, 2019.

A thorough evaluation of the compromised email accounts was carried out, yet it wasn’t possible to identify which email messages or file attachments the attackers had accessed.

The types of data contained in the compromised email accounts varied from patient to patient. The following data might have been involved: patients’ names, birth dates, medical insurance details, and some clinical details. The Social Security numbers of a “very limited” number of patients were likewise compromised.

On November 5, 2019, InterMed started sending breach notification letters to impacted patients. Individuals who had their Social Security numbers compromised also got offers of complimentary credit monitoring and identity protection services.

InterMed had now taken action to strengthen email security and reinforced the training of employees to assure observance to email security guidelines.

Laptop of a Children’s Hope Alliance Employee Stolen

The child welfare agency known as Children’s Hope Alliance based in Barium Springs, NC has reported the theft of a laptop computer that contains sensitive information.

Based on the substitute breach notice posted on the website of Children’s Hope Alliance, the laptop theft happened on October 7, 2019. A digital forensic company investigated the incident to determine whether the laptop held any sensitive data. The investigation is in progress, but the preliminary finding is that the device contained documents with information such as names, birth dates, addresses, tax identification numbers, Social Security numbers, usernames, passwords, and medication and dosage details.

Children’s Hope Alliance submitted the breach report to the Department of Health and Human Services’ Office for Civil Rights indicating that 4,564 people were affected. The breach summary also indicates that the breach was due to a hacking/IT incident involving email. It is uncertain at this time whether this was an error, a separate breach, or whether the laptop computer had been used to hack into the employee’s email account.

Malware Attack on Native American Rehabilitation Association of the Northwest Impacts Approximately 25K Patients

Native American Rehabilitation Association of the Northwest, Inc. (NARA) in Portland, OR, which provides education, mental and physical health services and substance abuse treatment to Native Americans, encountered a malware attack that resulted in the potential access of protected health information (PHI) by unauthorized persons.

NARA stated that the malware attack happened on November 4, 2019. Initially, the malware bypassed security controls, but it was identified later that afternoon. The security team had the threat under control by November 5, 2019 and had reset all passwords on email accounts by November 6.

The malware variant used was the Emotet Trojan, which steals credentials and exfiltrates email messages and file attachments. It is consequently likely that the threat actors accessed emails and file attachments in the breached accounts, which may contain PHI.

According to the press release of NARA on January 3, 2020, the forensic investigators affirmed that the PHI of 344 persons was possibly accessed by the attackers, or that there is a high probability it was accessed. The attack also potentially affected another group of patients, but no proof of unauthorized access was found.

The email accounts contained different types of information, which may have included names, birth dates, home addresses, Social Security numbers, and healthcare record or patient ID numbers. The clinical information of some individuals may have also been exposed. The information may have included diagnoses, services obtained, treatment data, and treatment dates.

The HHS’ Office for Civil Rights’ Breach portal indicated that the breach may have affected about 25,187 people. Jacqueline Mercer, CEO of NARA NW, expressed apologies to their clients because of the malware attack.

NARA NW has already implemented a new endpoint security solution on all computers to keep track of suspicious activity. The healthcare provider is also reviewing policies and procedures for necessary updates to be implemented. Employees also received additional training on security awareness.

Kalispell Regional Healthcare Faces Second Lawsuit Over Phishing Attack

Kalispell Regional Healthcare in Montana is facing another lawsuit that was filed because of the May 2019 phishing attack that resulted in the access of some employees’ email accounts by cybercriminals.

Kalispell Regional Healthcare discovered the occurrence of the breach on August 28, 2019. According to the investigation, the hackers accessed the email accounts of employees on May 24, 2019 and possibly viewed patient data. The forensics team confirmed that the accounts stored the protected health information (PHI) of approximately 140,209 patients.

The substitute breach notification of Kalispell Regional Healthcare posted on its website confirmed the breach of the following information: names, telephone numbers, addresses, email addresses, dates of service, treatment details, medical insurance details, treating and referring doctors’ names, and medical invoice account numbers. The Social Security numbers of 250 or fewer Kalispell Regional Healthcare patients were also exposed. Patients impacted by the breach received free credit monitoring and identity theft protection services. The provider also took the required steps to enhance email security.

The first legal action was filed in the Cascade County District Court in Great Falls, MT on November 25, 2019 by attorney John Heenan for William Henderson, who had his personal data compromised in the breach. The lawsuit claims that Kalispell Regional Healthcare was negligent for not taking the necessary steps to protect patient information and not following the industry’s best practices to protect patient information. Henderson alleged that he faces a greater risk of identity theft and fraud because of the breach; however, it doesn’t seem that his personal data had been misused when he filed the lawsuit. The lawsuit claims that the healthcare provider violated the Montana Uniform Health Care Information Act.

Attorney William Rossbach filed the second lawsuit on December 24, 2019 on behalf of two patients. The lawsuit likewise alleges that Kalispell Regional Healthcare had committed a violation of the Montana Uniform Health Care Information Act. Annette Nevidomsky, one of the two patients, alleges she was a fraud victim and got unauthorized bills on her accounts after the breach.

The two lawyers are trying to get class-action status for their cases.

1,235 Clients of The Guidance Center Impacted By Unauthorized Email Account Access and Data Deletion

The Guidance Center (TGC), a not-for-profit provider of mental health care services to disadvantaged children and their families with locations in Long Beach, Compton, San Pedro and Avalon in California, had a security breach of its digital system.

TGC’s lawyer revealed in a breach notice provided to California Attorney General Xavier Becerra that unusual activity was found in TGC’s digital system towards the end of March 2019. Employees reported that data files and backups appeared to be gone. TGC started an internal investigation and learned that the files had been deleted. Further scrutiny also revealed that a TGC computer had been reconfigured to allow remote access.

TGC is certain that the change to the computer settings and the removal of files were probably carried out by an ex-employee. TGC reported the breach to the Long Beach Police Department as well as the FBI. TGC’s lawyer sent a cease and desist letter to the individual believed to be the perpetrator of the unlawful access that occurred on March 30, 2019. After the letter was sent, no other unauthorized access was detected.

On April 19, 2019, TGC engaged a forensics company to determine whether the unauthorized individual had accessed patient data. The investigation found no proof of unauthorized PHI access or exfiltration of data. Nonetheless, remote access to the email accounts of some employees was detected.

The substitute breach notice posted on the TGC website stated that TGC confirmed on September 19, 2019 that the email accounts contained sensitive data. It took TGC a long time to determine which clients were affected and get their up-to-date contact details; breach notifications were sent on October 25, 2019.

The email accounts were found to contain the protected health information (PHI) of 1,235 current and previous clients. Consequently, their information may have been accessed without authorization, though no proof of this has been identified.

The PHI of patients contained in the accounts included their names, birth dates, addresses, medical insurance/claims information, medical information and some patients’ Social Security numbers.

TGC offered all people who had their Social Security numbers compromised free credit monitoring services for one year. To prevent a recurrence, TGC implemented additional security controls. Though the deleted files were retrieved, it’s not known why the email accounts were accessed and why the files and backups were deleted.

52,000 Patients Affected by Email Security Breaches in Two Maine Healthcare Providers

A recent email security breach at InterMed, one of the biggest healthcare companies in Southern Maine, resulted in the potential access of the information of about 30,000 patients.

InterMed discovered on September 6, 2019 that a third party had accessed the email account of an employee without authorization. According to the investigation results of the breach, the account compromise occurred on September 4, and three more employee email accounts were compromised from September 7 to September 10, 2019.

The messages and attachments in the breached email accounts stored patient data including names, birth dates, clinical data, and health insurance details, and Social Security numbers for 155 people. The breach affected only the email accounts and not the electronic medical record system. But it cannot be ascertained if the attacker viewed the emails in the compromised account.

InterMed promptly secured the compromised email accounts and sent breach notifications to the affected patients on November 5. The provider also offered free credit monitoring and identity theft protection services to the people whose Social Security number was possibly exposed. Right now, InterMed is improving its compliance with email best practices and boosting its security against further cyberattacks.

22,000 Present and Past Clients Affected by Sweetser Breach

Sweetser, another healthcare provider in Saco, Maine, recently reported an email system breach. This mental health services provider discovered on June 24, 2019 the potential email account breach upon noticing suspicious activity in the account. A digital forensics firm investigated the breach and confirmed that the incident affected the email accounts of other employees. An unauthorized person accessed the accounts from June 18 to June 27, 2019.

Sweetser said that on September 10, 2019 the investigators confirmed finding patient information in one or more compromised email accounts. On September 13, 2019, the breach report was submitted to the Department of Health and Human Services’ Office for Civil Rights indicating that 22,000 patients were impacted. Sweetser publicly announced the breach and began mailing the notification letters to patients on October 25, 2019.

The email accounts contained different types of information from patient to patient but included one or more of the following: names, addresses, phone numbers, birth dates, health insurance data, Social Security numbers, drivers license numbers, identification numbers, Medicare/Medicaid details, payment/claims data, diagnosis codes, and data on patients’ health conditions and treatments.

Sweetser offered credit monitoring and identity theft protection services for free to the people whose Social Security number was likely exposed.

HIMSS Cybersecurity Survey: Phishing and Legacy Systems Raise Serious Concerns

Each year, HIMSS carries out a survey to collect information about security experiences and cybersecurity practices at healthcare companies. The survey provides insights into the state of cybersecurity in healthcare and identifies attack trends and common security gaps.

Office 365 Phishing Campaign Uses SharePoint Partnership Request as Bait

A single Office 365 username/password combination can give a hacker access to a huge quantity of confidential information. The information contained in emails can be of great value to competitors, identity thieves, and other fraudsters.

Office 365 credentials also give hackers access to cloud storage resources that can hold extremely confidential business information, and compromised accounts can be used to distribute malware and carry out additional phishing campaigns against a company’s workers and business associates.

With the possible returns from a successful phishing attack so high, and a high proportion of companies using Office 365 (56% of all organizations internationally in 2018), it is no surprise that hackers are conducting targeted attacks on companies that use Office 365.

Office 365 Phishing Campaign Utilizes SharePoint Collaboration Request as Lure

A new report from Kaspersky Lab has highlighted an Office 365 phishing campaign that has proven to be highly effective. The campaign was first detected in August 2018 and is still active. Kaspersky Lab estimates that as many as 10% of all companies using Office 365 have been targeted by the campaign.

The campaign has been dubbed PhishPoint because it uses a SharePoint partnership request to lure workers into disclosing their Office 365 credentials. The emails are convincing, the hyperlink appears to be genuine, the method used to obtain Office 365 login information is unlikely to arouse suspicion, and the campaign is able to sidestep Office 365 anti-phishing safeguards.

Emails are sent to Office 365 users requesting partnership. The emails contain a genuine link to OneDrive for Business, which directs users to a document that has an “Access Document” link at the bottom. Because the hyperlink in the email directs the user to a genuine document in OneDrive for Business, Office 365 does not recognize the message as a phishing email.

If the user clicks the link, he/she will be redirected to an Office 365 login page on a website managed by the attacker. The login page appears identical to the genuine login page used by Microsoft; however, any credentials entered on the site will be captured by the attacker.

Safeguarding Against Office 365 Phishing Attacks

Safeguarding against Office 365 phishing campaigns requires a defense-in-depth approach. Microsoft’s Advanced Threat Protection (ATP) should be implemented to block phishing emails and prevent them from reaching inboxes, even though this campaign demonstrates that ATP controls are not always effective. A better choice is to use a spam filtering/anti-phishing solution that looks deeper than the URL and examines the page/document where users are directed.

Endpoint security solutions offer an additional safeguard against phishing attacks, and web filters can be used to prevent users from visiting phishing websites. However, these technical solutions are not infallible.

Cybercriminals are continuously developing new tricks that bypass anti-phishing defenses. Workers, therefore, need to be trained to identify phishing emails and must be taught cybersecurity best practices. Through regular training, workers can be conditioned to react correctly to email threats and can be turned into a robust last line of defense.
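The "look deeper than the URL" check described above can be sketched as follows. This is an added example, not code from the original article or from any vendor's product: it follows each link in the shared document one hop and flags a Microsoft-branded page that asks for a password on a host outside an allowlist. The allowlist, brand terms, function names and sample pages are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: illustrative allowlist of hosts permitted to ask for Microsoft credentials.
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}
BRAND_TERMS = ("office 365", "microsoft", "onedrive", "sharepoint")


class PageFacts(HTMLParser):
    """Collects outbound links, password fields and text from one page."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links, self.text = [], []
        self.has_password_field = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password_field = True

    def handle_data(self, data):
        self.text.append(data)


def parse(html):
    facts = PageFacts()
    facts.feed(html)
    facts.close()
    return facts


def is_credential_lure(url, html):
    """True if the page asks for a password under Microsoft branding on an untrusted host."""
    facts = parse(html)
    host = (urlsplit(url).hostname or "").lower()
    branded = any(term in " ".join(facts.text).lower() for term in BRAND_TERMS)
    return facts.has_password_field and branded and host not in TRUSTED_LOGIN_HOSTS


def scan_shared_document(doc_url, fetch):
    """Follow every link in the hosted document one hop and return the lure URLs.

    `fetch` maps a URL to its HTML (or None); a mail filter would pass a sandboxed fetcher.
    """
    findings = []
    for href in parse(fetch(doc_url) or "").links:
        target = urljoin(doc_url, href)
        if urlsplit(target).scheme not in ("http", "https"):
            continue
        body = fetch(target)
        if body and is_credential_lure(target, body):
            findings.append(target)
    return findings


# Constructed sample pages (not real URLs), served from a dict so the example runs offline.
SAMPLE_PAGES = {
    "https://contoso-my.sharepoint.example/doc1":
        '<p>Shared file</p><a href="https://portal.phish.example/o365">Access Document</a>'
        '<a href="/help">Help</a>',
    "https://portal.phish.example/o365":
        '<title>Sign in to Office 365</title><form><input type="email"><input type="PASSWORD"></form>',
    "https://contoso-my.sharepoint.example/help": "<p>Microsoft OneDrive help</p>",
}

if __name__ == "__main__":
    print(scan_shared_document("https://contoso-my.sharepoint.example/doc1", SAMPLE_PAGES.get))
```

The email's own link passes a URL-only check because it points at the genuine hosted document; the finding comes from the second hop, which is the page the user is ultimately asked to trust.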

New SpeakUp Linux Backdoor Trojan Used in Widespread Attacks

Security researchers at Check Point have identified a new Trojan called SpeakUp which is being used in targeted attacks on Linux servers. The SpeakUp Linux backdoor Trojan can also be used to attack Mac devices.

The Trojan is installed by exploiting vulnerabilities in six Linux distributions, including the recently identified ThinkPHP vulnerability, CVE-2018-20062.

The present campaign is targeting Linux machines in the Philippines, China, India, and Latin America. The Trojan was first noticed in late December, but infections have risen substantially since January 22, 2019. Although the malware is now detected by numerous AV engines, at the time of analysis it was not being detected as malicious.

Once installed, the malware communicates with its C2 server and registers the victim’s machine. The malware tries to spread laterally within the infected subnet through a variety of RCE vulnerabilities including CVE-2012-0874, CVE-2010-1871, CVE-2017-10271, CVE-2018-2894, CVE-2016-3088, the Hadoop YARN Resource Manager command execution flaw, and a JBoss AS 3/4/5/6 RCE vulnerability.

A Python script is included which scans for additional Linux servers within both internal and external subnets. Access is gained by brute force using a pre-defined list of usernames/passwords. Persistence is achieved through cron and an internal mutex which makes sure only one instance remains active at any one time.

The SpeakUp Linux backdoor Trojan constantly communicates with its C2 and downloads and runs a variety of different files, including an XMRig miner. The Trojan, under its C2 control, can run arbitrary code, download and execute files, stop running processes on an infected host, uninstall programs, and update connected files.

Check Point researchers have attributed the SpeakUp Linux backdoor Trojan to a threat actor known as Zettabithf.

The sophistication of the malware suggests that the objective of the attacker is not just to install cryptocurrency miners. Once a machine is infected, any number of different malware payloads can be installed. Check Point suggests that more intrusive and aggressive campaigns are likely to be introduced.

New Cybersecurity Framework for Medical Devices Issued by HSCC

The Healthcare and Public Health Sector Coordinating Council (HSCC) has issued a new cybersecurity framework for medical devices. Medical device vendors, healthcare providers, and other healthcare industry stakeholders that implement the voluntary framework will be able to improve the security of medical devices throughout their lifecycle.

The HSCC is a coalition of private-sector critical healthcare infrastructure entities that have partnered with the government to identify and mitigate threats and vulnerabilities facing the healthcare sector. The group includes over 200 healthcare industry and government organizations. Collectively they work on developing strategies to tackle present and evolving cybersecurity challenges encountered by the healthcare sector.

Over 80 companies contributed to the development of the Medical Device and Health IT Joint Security Plan (JSP), which builds on recommendations made by the Healthcare Industry Cybersecurity Task Force founded by the Department of Health and Human Services after the passing of the Cybersecurity Information Sharing Act of 2015.

“It is vital for medical device producers and health IT sellers to take into account the JSP’s voluntary framework and its related plans and templates all through the lifecycle of medical devices and health IT as doing so is expected to lead to better security and therefore better products for patients,” explained HSCC.

Cybersecurity controls can be tough to incorporate into existing procedures. Companies often fail to appreciate how vital security controls are, and when considering how to improve cybersecurity many don’t know where to begin or have inadequate resources to dedicate to the job. The framework assists by providing direction on how to create a security policy and procedures that align with and integrate into existing procedures.

HSCC is urging companies to commit to applying the JSP as it is thought that by doing so patient security will be enhanced.

The JSP can be adopted by companies of all sizes and stages of maturity and helps them improve the cybersecurity of medical devices by tackling the main challenges. Many large manufacturers have already created cybersecurity programs similar to the JSP, so it is likely to be of most use to small to medium-sized firms that lack awareness of the steps to take to improve cybersecurity and to those with fewer resources to dedicate to cybersecurity.

The JSP uses security-by-design principles and identifies shared responsibilities between industry stakeholders in order to harmonize security standards, risk assessment methods, and vulnerability reporting, and to improve information sharing between device manufacturers and healthcare providers. The JSP covers the whole lifecycle of medical devices, from development to deployment, management, and end of life. The JSP contains numerous recommendations, including building cybersecurity measures into the design and development of medical devices, handling product complaints linked to cybersecurity events, mitigating post-market vulnerabilities, managing security risk, and decommissioning devices at end of life.

The Medical Appliance and Health IT Joint Security Plan can be downloaded on this link.

773 Million Email Addresses and 21 Million Unique Passwords Listed for Sale

A huge collection of login credentials that contains roughly 773 million email addresses has been uncovered by security researcher Troy Hunt. Hunt is an Australian Microsoft Regional Director and maintains the Have I Been Pwned (HIBP) website, where people can check whether their login credentials have been stolen in a data breach.