6,092 Patients of FABEN Obstetrics and Gynecology Alerted about Ransomware Attack
Feb01

FABEN Obstetrics and Gynecology has been hit by a ransomware hacking attack on a server that stored patients’ protected health information (PHI). The ransomware was discovered on November 21, 2018 and led to widespread file encryption. A review was initiated to determine the extent of the attack and whether any patients’ PHI was obtained or downloaded by the hackers. A review of the files stored on the server showed that files...

Email Account Breach Impacts Valley Hope Association Patients
Jan23

Valley Hope Association has revealed that a hacker has been able to log onto the email account of a member of staff. The organisation discovered that an account breach may have taken place, on October 10 2018, when unusual account activity was noticed. Swift action was taken to stop account access continuing and a third-party computer forensics firm was retained to determine the nature and scope of the data breach. The investigation...

Around 1,000 Lebanon VA Medical Center Patients have their PHI Impermissibly Disclosed
Jan18

It has been discovered the protected health information of hundreds of elderly patients of Lebanon VA Medical Center in Pennsylvania has been impermissibly disclosed to a family member of a veteran. The data breach, which took place in November 2018, involved a member of staff at Lebanon VA Medical Center emailing a document to a family member of a veteran who was seeking nursing home facilities. The list should have included nursing...

773 Million Email Addresses and 21 Million Unique Passwords Listed for Sale
Jan18

A massive collection of login credentials that includes approximately 773 million email addresses has been uncovered by security researcher Troy Hunt. Hunt is an Australian Microsoft Regional Director and maintains the Have I Been Pwned (HIBP) website, where people can check to see whether their login credentials have been stolen in a data breach. Hunt discovered the 87GB database on a popular hacking forum. The data was spread across...

BenefitMall Phishing Attack Impacts 111,589 Plan Members
Jan16

A recently discovered BenefitMall phishing attack has resulted in the exposure of 111,589 plan members’ protected health information. BenefitMall, a division of Centerstone Insurance and Financial Services, discovered on October 11, 2018, that hackers had gained access to several employee email accounts as a result of their responses to phishing emails. Third party computer forensics experts were called in to assist with the...

Four-Month Email Account Hack Impacts 111K Individuals
Jan15

Centerstone Insurance and Financial Services, which conducts its business as BenefitMall, has begun alerting more than 111,000 individuals that some of their protected health information has been illegally accessed, and possibly stolen, in a recent email hacking incident. Dallas, TX-based BenefitMall is a supplier of employee benefits, payroll, HR, and employer services and has a workforce of over 20,000 advisors, brokers, and CPAs...

Ransomware Attack at Bobby Yee Podiatric Offices Affects 24,000 Patients
Jan12

The Podiatric Offices of Bobby Yee have been subjected to a ransomware attack which led to the encryption of files that included the protected health information (PHI) of up to 24,000 patients and other clients. It was discovered that the attack happened on October 29, 2018 when medical records were encrypted by the ransomware. Among the range of data which was breached are files containing information such as full name, address, contact...

AJMC Study: Following a Data Breach Hospitals’ Advertising Expenditure Rises 64%
Jan08

In a recent study published in the American Journal of Managed Care, Sung J. Choi, PhD and M. Eric Johnson, PhD looked into how advertising expenditures at hospitals changed in the aftermath of a data breach. The study showed that hospitals invest an average of 64% more on advertising in the year after a data breach. Advertising expenditures were found to be 79% higher over the two-year period after a data breach. The authors...

Choice Rehabilitation Residents Affected by Email Breach
Jan04

It has been found that an unauthorized individual hacked into a corporate email account of one of the employees of Choice Rehabilitation of Creve Coeur, MO, in order to set up a mail forwarder which shares emails with a personal email account. The breach happened on July 1, 2018 and the mail forwarder was left switched on until September 30, 2018. A complete review of the email account showed that the protected health information of...

Ransomware Attack Hits Vendor of Dental Center of Northwest Ohio
Jan01

Existing and previous patients at the Dental Center of Northwest Ohio in Toledo, OH, have been contacted to advise them that some of their protected health information may have been obtained illegally via a ransomware attack on one of its third party suppliers. A managed IT service provider called Arakyta got in touch with the dental center on September 1, 2018, regarding a security breach on a server hosting some dental center systems. With...

More Than 50 Accounts Compromised in San Diego School District Data Breach
Dec27

A major data breach has been reported by the San Diego School District that has potentially resulted in the theft of the personal information of more than half a million current and former staff and students. The data exposed as a result of the breach date back to the 2008/2009 school year. The breach was detected following reports from district staff of a spate of phishing emails. The emails were highly believable and fooled users...

Q3 2018 Healthcare Data Breach Report Published
Nov09

A Q3 2018 healthcare data breach report from Protenus shows there has been a significant reduction in healthcare data breaches compared to the previous quarter. In Q2, 142 healthcare organizations reported data breaches compared to 117 in Q3. However, due to some large breaches in Q3, the total number of exposed records was substantially higher. Between July and September, the health records of 4,390,512 patients were exposed,...

Anthem Data Breach Settlement of $16 Million Agreed with OCR
Oct16

The largest ever healthcare data breach in the United States has attracted the largest ever fine for noncompliance with HIPAA Rules. The Anthem data breach settlement of $16 million eclipses the previous highest HIPAA fine of $5.55 million and reflects not only the severity of the Anthem Inc data breach, which saw the protected health information of 78.8 million plan members stolen, but also the extent of noncompliance with HIPAA...

Respiratory Care Provider Victim of Phishing Attack
Sep05

Norwood, MA-based Reliable Respiratory has discovered a hacker has gained access to the email account of one of its employees, and through that account, potentially accessed the protected health information of some of its patients. The respiratory care provider was alerted to a possible email account breach on July 3 when suspicious activity was detected in the email account. An investigation was immediately launched which confirmed...

38,000 Patient Health Records Exposed in Legacy Health Phishing Attack
Aug20

A phishing attack on the Portland, Oregon-based healthcare provider, Legacy Health, has resulted in the exposure and possible theft of 38,000 patients’ protected health information. The phishing attack was detected on June 21, although an investigation into the security breach revealed that access had first been gained to some employees’ email accounts several weeks earlier in May. An analysis of the compromised email accounts...

Major Phishing Attack Reported by Augusta University Health
Aug17

Augusta University Health has experienced a phishing attack that has resulted in the unauthorized accessing of several employees’ email accounts. The substitute breach notice uploaded to the University of Augusta website indicates investigators determined on July 31, 2018 that email accounts containing the protected health information (PHI) of patients and personally identifiable information (PII) of employees had been compromised....

UnityPoint Health Phishing Attack Exposed PHI of 1.4 Million Patients
Jul31

Another UnityPoint Health phishing attack has been discovered, and this time it is huge. Hackers have gained access to multiple email accounts which contained the protected health information of approximately 1.4 million patients. This incident is the largest healthcare data breach to be reported since August 2016 and the largest healthcare phishing incident reported since the HHS’ Office for Civil Rights started publishing summaries...

1.5 Million Health Records Breached in Singapore
Jul23

Hackers have successfully gained access to a health database of the Singapore government (SingHealth), allowing them to view the health records of 1.5 million individuals, including the health records of Prime Minister Lee Hsien Loong. Access to the database was gained through a front-end workstation which provided the attackers with privileged access to the database. The data breach was detected on July 4, 2018 when suspicious...

LabCorp Investigating Possible Data Breach
Jul17

LabCorp, one of the world’s largest clinical testing laboratories, has experienced a cyberattack that has potentially resulted in the health data of millions of patients being accessed by hackers. The cyberattack was detected over the weekend of July 14, when unusual activity was detected on its Diagnostics systems. The IT security team took prompt action and started shutting down systems to contain the attack. Some of those systems...

Failure to Encrypt ePHI Costs Cancer Treatment and Research Center $4.34 Million
Jun19

The Department of Health and Human Services’ Office for Civil Rights has announced its third HIPAA financial penalty of 2018. The $4.34 million civil monetary penalty is the fourth largest HIPAA penalty ever issued to resolve HIPAA violations. While most covered entities and business associates agree to settle HIPAA violations and pay the penalty, on rare occasions the penalties are contested, and the case goes before an...

92 Million Users of MyHeritage DNA Testing Service Affected by Data Breach
Jun06

MyHeritage, a provider of DNA testing services, has announced it has experienced a data breach that has impacted more than 92 million users. The breach affects all users of the DNA testing service who signed up prior to October 26, 2017 – the date of the breach. In total, 92,283,889 usernames and hashed passwords were exposed, making this the largest data breach reported in 2018, and the largest security breach since the 143-million...

Hackers Potentially Had Access to 42,000 Patients Health Data for a Month After Phishing Attack
May28

The Ohio Healthcare Provider Aultman Health Foundation has discovered some of its employees have been duped by a phishing attack that resulted in the threat actors behind the campaign gaining access to several email accounts. A phishing attack was detected on March 28, prompting a full investigation of the breach. The investigation revealed some employees had fallen for the phishing scam in mid-February. Further accounts were then...

$875,000 Settlement Agreed in W-2 Phishing Scam Lawsuit
May18

A class-action lawsuit stemming from a W-2 phishing scam that saw an employee of the respiratory therapy supplier Lincare Inc., send the W-2 Forms of employees to a scammer has been settled for $875,000. As is typical with these types of Business Email Compromise (BEC) attacks, the scammer pretended to be a senior executive and sent an email to an employee of the HR department requesting W-2 information for the company’s employees....

17,639 Capital Digestive Care Clients Impacted by Hacking Attack
May09

Silver Spring, MD-based gastroenterology group Capital Digestive Care has announced that one of its business associates distributed files to a commercial cloud server that did not have adequate security measures, exposing the protected health information of approximately 17,639 clients. The exposure was brought to the attention of Capital Digestive Care on February 23, 2018 and measures were quickly put in place to secure the files and prevent...

582,000 Patients Warned of Potential PHI Compromise by California Dept. of Developmental Services
Apr27

A recent survey carried out with hackers, incident responders, and penetration testers has shown that most can gain access to a targeted system in around 15 hours, but 54% of hackers take under five hours to gain access to a system, and identify and obtain sensitive data. The data comes from the second yearly Nuix Black Report and its survey of 112 hackers and penetration testers, 79% of whom were located in the United States. Those...

Manufacturer of Oxygen Equipment Reports Data Theft Incident Possibly Impacting 30,000 Individuals
Apr26

Inogen, a manufacturer of portable oxygen concentrators, has found that an unauthorized individual has obtained the credentials of an employee and has used them to access the staff member’s email account. Phishing and other credentials theft incidents are commonplace in the healthcare industry, although what makes this incident unusual is the number of people affected by the attack. The compromised email account included the...

Integrated Rehab Consultants Takes 16 Months to Notify Patients of PHI Breach
Apr24

Illinois-based physiatry organization Integrated Rehab Consultants is broadcasting notification correspondence to some patients alerting them to the exposure of some of their protected health information, in line with HIPAA regulations. However, the breach was not discovered within the past 60 days. Integrated Rehab Consultants (IRC) initially became aware of the exposure of PHI on December 2, 2016 – 16 months previously. The...

Des Moines Crisis Observation Center Discovers Inappropriate Dissemination of Patient Data
Apr23

1,071 patients who were treated at the Des Moines Crisis Observation Center managed by Polk County Health Services Inc., have been contacted to advise them that some of their protected health information has been “accidentally and unknowingly disseminated” at some point in the last 3.5 years. The breach was first identified on February 14, 2018, although the inquiry revealed that information was first disclosed on June 1, 2014 and the...

Misconfigured Security Settings Results in 63,500 Middletown Medical Patients Having PHI Exposed
Apr19

A security setting that was not configured properly on a radiology system has led to the exposure of the protected health information of tens of thousands of patients of Middletown Medical, a multi-specialty physicians’ group based in Middleton, NY. The breach was first discovered on January 29, 2018. On January 30 the interface was realigned so that any unauthorized individuals could no longer obtain patient information. The length of time...

Possible Abuse of Credit Card Details Affects 1,500 Baptist Health Patients
Apr18

A former worker at Baptist Health’s West Kendall Baptist Hospital based in Miami, FL illegally obtained the credit card details of patients and used the information to complete fraudulent transactions. The misuse of credit cards was identified by Baptist Health on March 9, 2018 and the matter was then made known to Miami-Dade law enforcement and the employee was removed from their position. Baptist Health has not made it known...

Multiple Staff Email Accounts Accessed in UnityPoint Health Phishing Attack
Apr17

It has been discovered that the email accounts of several employees of UnityPoint Health have been compromised and accessed by unauthorized people. Access to the staff email accounts was first obtained on November 1, 2017 and went on for a period of three months until February 7, 2018, when the phishing attack was noticed and access to the compromised email accounts was turned off. When the phishing attack was first noticed,...

Email Account Breach Impacts 4,000 Patients of Texas Health Resources
Apr16

Texas Health Resources is sending notifications to ‘fewer than 4,000 patients’ that some of their Private Health Information may have been seen by unauthorized persons. The Arlington-based health care provider, a supplier to over 1.7 million patients in North Texas, says that the data breach may have happened as early as October 2017, although they did not identify it until January 17, 2018, when law enforcement alerted the...

Almost 14,000 Affected by SAMBA Privacy Breach
Apr13

14,000 individuals are being alerted about a February 2018 breach of protected health information at the Special Agents Mutual Benefit Association (SAMBA). The data breach affects eligible family members of plan members who were covered by the Federal Employees Health Benefits Plan during 2017. It is an Internal Revenue Service (IRS) obligation for SAMBA to send a copy of Form 1095-B to all plan members every tax year. The form in...

Data Breach Notification and Information Security Laws Updated in Oregon
Apr12

Data breach notification laws in Oregon have been updated to enhance security for state residents whose personal data is accessible to the public during a data breach. Kate Brown, the State governor, signed the Senate Bill (SB 1551) last month, which updates several parts of the legislation, particularly Oregon’s Breach Notification Law, O.R.S. 646A.604 and Information Security Law, O.R.S. 646A.622. The updates will become...

Arc of Erie County New York Reports 3,751 Patients’ PHI Was Exposed on Internet over 30-Month Period
Apr11

A provider of person-centered services to individuals with developmental disabilities, The Arc of Erie County New York (The Arc), has reported that two spreadsheets listing the protected health information of 3,751 patients were open to the public via the Internet without the need for authentication for a time period of longer than 30 months from July 2015 to February 2018. The two spreadsheets in question could be seen through the...

Missing Hard Drives from Chesapeake Regional Healthcare Contained PHI of 2,100 Patients
Apr09

Chesapeake, Virginia based Chesapeake Regional Healthcare has reported that two hard drives containing the protected health information (PHI) of approximately 2,100 patients are missing from their Chesapeake Regional Medical Center campus at that location. The private health information stored on the devices in question relates to patients who participated in research at its Sleep Center between April 2015 and February 2018. It is...

Improper Disposal of PHI is Common According to JAMA Study
Apr05

A recently completed study (published in JAMA) has emphasized just how often hospitals are disposing of PHI in an unsafe fashion. While the study was completed in Canada, which is not subject to HIPAA, the results emphasize a critical area of PHI security that is often neglected.

Incorrect Destruction of PHI is More Commonplace than Previously Thought

Researchers at St. Michael’s Hospital in Toronto reviewed recycled paperwork at...

Data Breach Notification Law Enacted by South Dakota
Apr04

It has taken some time for South Dakota to introduce legislation to enhance protections for consumers impacted by breaches of their personal private data. Laws have already been passed in 48 states that obligate persons and companies that hold personal information to publish notifications to breach victims when that information is accessible by unauthorized individuals. Last week, South Dakota citizens were given similar security...

Phishing Attack on CareFirst BCBS Impacts 6,800 Plan Members
Apr03

CareFirst Blue Cross Blue Shield is alerting 6,800 of its plan members that some of their protected health information has potentially been accessed by unauthorized individuals as a result of a successful phishing attack on one of its employees. Phishing attacks are conducted to gain access to sensitive information such as email credentials. Those credentials are then used to access sensitive data or conduct further attacks on an...

Cambridge Health Alliance Advised of PHI Breach by Law Enforcement
Apr02

Massachusetts based Cambridge Health Alliance (CHA) have been advised, by law enforcement agencies, that the protected health information of some of its clients has been found in the possession of an unauthorized person. The breach occurred On January 31, 2018, Everett Massachusetts Police Department made CHA aware that files including the PHI of some of its clients had been found in the possession of a person unauthorized to have...


Clinical Pathology Laboratories Southeast Patients Have PHI Exposed Due to Theft of Unencrypted Laptop

Clinical Pathology Laboratories Southeast, Inc., (CPLSE) has revealed that an unencrypted laptop computer issued to a member of staff has been stolen, exposing the protected health information of a number of patients and their payment guarantors. CPLSE quickly activated safety actions to prevent the laptop from being used to gain access to its network and the theft was made known to law enforcement; however, it is possible that the...

35,000 Patients of ATI Physical Therapy Affected by Data Breach
Mar28

The protected health information of more than 35,000 patients of ATI Physical Therapy has potentially been compromised by a cyber attack that occurred when hackers obtained access to staff email accounts. A security violation was discovered on January 18, 2018 when ATI Physical Therapy saw that the direct deposit information of some of its staff members had been altered in its payroll platform. Quick action was taken to remove...

Finger Lakes Health Computer System Grinds to Halt After Ransomware Attack
Mar26

A ransomware attack on Finger Lakes Health, based in Geneva, NY, has impacted the computer system to the extent that staff have had to work using pen and paper. In the meantime efforts to remove the malware and restore access to electronic data have been enhanced. The health system came under attack beginning at around midnight on Sunday March 18, 2018, with workers first noticing the attack when a ransom demand...

NH-ISAC Partnership with Anomali Boosts Threat Detection and Data Sharing
Mar22

The National Health Information Sharing and Analysis Center (NH-ISAC) and Anomali have begun working together and will be providing threat intelligence to healthcare centers through NH-ISAC. As part of this partnership Anomali will be helping NH-ISAC with the required tools and infrastructure to allow its clients to work together and share threat intelligence with other subscribers. Anomali will be making up to date threat...

1,049 Patients of RoxSan Pharmacy Notified of 2015 Email Breach
Mar20

1,049 patients of Beverly Hills, CA-based RoxSan Pharmacy have been warned that some of their protected health information has been shared with a business associate through an unencrypted email. The notification letters were sent to affected people during February, although the incident happened on January 20, 2015. Commenting in a recent press release, RoxSan stated that affected individuals are being contacted in “as timely a manner...

Primary Health Care Experiences Multiple Email Hacks
Mar20

A non-profit network of community health centers in Des Moines, Marshalltown and Ames, IA, Primary Health Care Inc. has reported that hackers gained access to the email accounts of four workers and may have viewed or downloaded patients’ PHI. Primary Health Care issued a press release and published a substitute breach notice to its website on March 16, 2018 outlining that the breach occurred on February 28, 2017. The breach was...

10,000 ShopRite Clients Have PHI Exposed to Improper Destruction of Device
Mar17

A Millville, New Jersey based ShopRite pharmacy has reported that an electronic device used to save the signatures of people has been destroyed without first deleting all stored protected health information from the device. A restricted amount of protected health information was held on the computing device, including patients’ names, birth dates, contact details, zip codes, prescription numbers, medication names, signatures,...

PHI of 5,300 Individuals Disclosed to Employees of QuadMed
Mar16

The protected health information of 5,305 patients of QuadMed, a Wisconsin-based provider of medical, laboratory, pharmacy, fitness, and physical therapy services, may have been impermissibly shared with some employees. In November 2013, QuadMed took over management of an onsite clinic at Hillenbrand Inc. Occupational health information of employees based at the Batesville, IN-based manufacturer was held in an electronic medical...

33,420 BJC Healthcare Patients Have PHI Exposed in 8-Months HIPAA Breach
Mar16

BJC Healthcare has revealed that the protected health information of 33,420 of its subscribers has been publicly accessible for eight months without adequate HIPAA-compliant authentication required to view the PHI. The BJC Healthcare group is one of the largest not-for-profit healthcare groups located in the United States. The healthcare organization, based in St Louis, runs two nationally recognized hospitals in...

Top Healthcare Security Threats Revealed in HIMSS Survey Results
Mar12

HIMSS has released the findings of its 2017 healthcare cybersecurity survey, which gives us valuable insights into the state of cybersecurity in the healthcare sector and names the top healthcare security threats. The HIMSS 2018 cybersecurity survey was carried out on 239 respondents from the healthcare sector between December 2017 and January 2018. The findings of the survey were revealed at the HIMSS 2018 Conference & Exhibition...

NY Attorney General Fines EmblemHealth €575,000 for HIPAA Breach
Mar08

A mailing mistake by EmblemHealth in 2016 that resulted in the Health Insurance Claim Numbers of 81,122 plan subscribers printed on the exterior of envelopes has resulted in the New York Attorney General applying a $575,000 settlement fine. Although all mailings have a unique patient identifier on the envelope, in this case the potential for damage was high as Health Insurance Claim numbers are formed using the Social Security...

New York Surgery & Endoscopy Suffers Record Data Breach Affecting 135,000 Patients
Mar06

A malware infection has potentially allowed hackers to gain access to the medical records of as many as 135,000 patients at St. Peter’s Surgery & Endoscopy Center, located in New York. So far in 2018, this is the second largest healthcare data breach reported and the most serious seen in New York state since the 3,466,120-record data breach at Newkirk Products, Inc. in August 2016. The St. Peter’s Surgery & Endoscopy...

70,320 Tufts Health Plan Members Affected by Window Envelope Privacy Breach
Mar06

Tufts Health Plan is warning 70,320 of its subscribers that their health plan ID numbers have been accessed. A mailing vendor/partner utilized by Tufts Health Plan sent Tufts Medicare Preferred ID cards to Medicare Advantage subscribers between December 11, 2017 and January 2, 2018. Envelopes with plastic windows were used which naturally permitted plan members’ names and addresses to be visible, but Tufts Health Plan member IDs were...

Kansas Department for Aging and Disability Services Experiences 11,000-Record Breach
Mar06

It has been discovered that an employee at Kansas Department for Aging and Disability Services (KDADS) sent an unauthorized email to a group of KDADS business associates that included the protected health information of almost 11,000 individuals. The email was issued to individuals who had already signed a business associate agreement with KDADS which disallows them from disclosing or using inappropriately any emailed protected health...

Read More
Increase in W-2 Phishing Campaigns Leads to FBI Warning
Mar01

Increase in W-2 Phishing Campaigns Leads to FBI Warning

The Federal Bureau of Investigation (FBI) has issued a new alert for businesses due to a major rise in phishing attacks targeting payroll workers. The aim of the phishing attacks is to download copies of the W-2 forms of workers. Information on the forms is used to carry out identity theft and tax fraud. 2017 saw record numbers of phishing campaigns targeting businesses, educational institutions, and healthcare groups. In some...

Read More
Updated Common Rule Allows Research Institutions Another Six Months for Compliance
Feb28

Updated Common Rule Allows Research Institutions Another Six Months for Compliance

Initially scheduled to be introduced on January 19, 2018, amendments to the Common Rule – The Federal Policy for the Protection of Human Subjects have been put back for six months, allowing research groups additional time to comply with the new provisions. July 19, 2018 is the new date for the change to be introduced; however, the provision covering cooperative research still has an introduction and enforceable date of January 20,...

Read More
Phishing Attack on Sutter Health Business Associate Impacts Patients
Feb26

Phishing Attack on Sutter Health Business Associate Impacts Patients

Sutter Health is contacting certain patients to advise them that their protected health information may have been exposed in a phishing attack on the legal firm Salem and Green, one of its business associates. It is thought that the attack took place on or around October 11, 2017, when a phishing email was received by a worker at Salem and Green. The worker responded and, in doing so, allowed the attackers access to their email account....

Read More
HIPAA Compliance and Citrix ShareFile
Feb22

HIPAA Compliance and Citrix ShareFile

ShareFile was purchased by Citrix Systems during 2011 and the service is offered as a suitable data sync, file sharing, and collaboration service for the healthcare sector. It is vitally important for anyone considering using it to consider HIPAA compliance and Citrix ShareFile. It is a safe file sharing, data storage and collaboration service that permits large files to be easily sent within a company, with remote workers, and with...

Read More
Triple-S Advantage Suffers Serious Data Breach with 36k Subscribers Impacted
Feb19

Triple-S Advantage Suffers Serious Data Breach with 36k Subscribers Impacted

A privacy breach has impacted 36,000 plan members of Triple-S Advantage. The breach was experienced by the Puerto Rico-based group when a mailing error saw sensitive information of plan members sent to incorrect recipients. The data that was exposed, due to the mailing mistake, was limited and did not incorporate Social Security numbers or financial files; however, plan members’ ID numbers were impermissibly...

Read More
HIPAA $100,000 Fine Applied After Illinois Business Closes
Feb16

HIPAA $100,000 Fine Applied After Illinois Business Closes

HIPAA covered organizations and their business associates must continue to adhere to the Rules even when they close down. The HHS’ Office for Civil Rights (OCR) has reinforced this point with a $100,000 fine for FileFax Inc., for violations that happened after the business had ceased operating. FileFax is a Northbrook, IL-based firm that supplies medical record storage, maintenance, and delivery facilities for HIPAA covered organizations....

Read More
Decatur County General Hospital Malware Attack Exposes 24,000 Patient Records
Feb14

Decatur County General Hospital Malware Attack Exposes 24,000 Patient Records

Decatur County General Hospital in Tennessee suffered a malware attack after a virus was uploaded to a server housing its electronic medical record network. It is thought that the attacker could have gained access to the medical records of up to 24,000 people. The malware installation was found on November 27, 2017 by the hospital’s medical record system vendor, who maintains the server on which the system is...

Read More
Ron’s Pharmacy Services’ Patients Receive Email Account Breach Alerts
Feb13

Ron’s Pharmacy Services’ Patients Receive Email Account Breach Alerts

San Diego, CA-based Ron’s Pharmacy Services has found that an employee’s email account containing limited protected health information has been logged onto by an unknown individual. Unusual activity was noticed on the employee’s email account on October 3, 2017, resulting in an investigation; however, it was not until December 21, 2017 that it was revealed that an unauthorized individual had obtained messages in the email...

Read More
Western Washington Medical Group Patients Impacted by HIPAA Breach
Feb12

Western Washington Medical Group Patients Impacted by HIPAA Breach

842 patients of Western Washington Medical Group have had their protected health information exposed when files including sensitive health information were disposed of with regular trash in November 2017. The breach occurred when the janitorial service used by the medical group removed the contents from shredding bins along with regular trash. Instead of sensitive documents being permanently destroyed in adherence with HIPAA Rules,...

Read More
May 2017 Partners HealthCare Breach May Have Affected 2,600 Clients
Feb09

May 2017 Partners HealthCare Breach May Have Affected 2,600 Clients

2,600 clients of Partners HealthCare System are being warned that some of their protected health information may have been compromised in a May 2017 breach. While HIPAA covered organizations are given a time period of up to 60 days following the discovery of a breach to file an incident report to OCR (if the breach impacts 500 or more people) and notify those affected by the violation, this incident occurred and was found in May 2017....

Read More
CarePlus Health Warns 11,200 Subscribers of PHI Breach
Feb07

CarePlus Health Warns 11,200 Subscribers of PHI Breach

A privacy incident has been suffered by Miami, FL-based CarePlus Health Plans where certain plan subscribers’ protected health information was mistakenly shared with other plan subscribers. Explanation of Benefits (EoB) statements were sent to its plan subscribers on January 9 and January 16, 2018, although on January 17, CarePlus noticed that some of the statements had been sent to the wrong recipients. The EoB statements included details...

Read More
Lost Device Means PHI of 660 Eastern Maine Medical Center Patients Could Be at Risk
Feb06

Lost Device Means PHI of 660 Eastern Maine Medical Center Patients Could Be at Risk

A portable hard drive has gone missing from the State Street facility of Eastern Maine Medical Center in Bangor, ME. The group is now notifying 660 clients that some of their protected health information could have been exposed. The missing device did not have encryption and data on the device could be accessed without a password. While it has not been confirmed whether it was stolen, the device could not be located...

Read More
Forrest General Hospital Phishing Attack Exposes Patients’ PHI
Feb05

Forrest General Hospital Phishing Attack Exposes Patients’ PHI

The PHI of patients of Forrest Health’s Forrest General Hospital has potentially been obtained by a third party after access was gained to the email account of one of the employees of a business associate, HORNE LLP. HORNE LLP is a provider of certain Medicare reimbursement procedures to Forrest General Hospital and therefore requires access to patients’ private health information. HORNE found the email account breach on...

Read More
Allscripts Facing Class Action Lawsuit Following Ransomware Attack
Jan31

Allscripts Facing Class Action Lawsuit Following Ransomware Attack

Allscripts experienced a ransomware attack at centers in Raleigh and Charlotte, NC, resulting in several applications remaining offline for as many as 1,500 clients. Florida-based Surfside Non-Surgical Orthopedics has already begun legal action by filing a class action lawsuit against the EHR vendor. A new variant of SamSam ransomware infected Allscripts, a provider of EHR and e-prescription services to 2,500 hospitals and 19,000...

Read More
Breach Notification Bill Advanced by South Dakota Senate Attorney Judiciary Committee
Jan28

Breach Notification Bill Advanced by South Dakota Senate Attorney Judiciary Committee

A vote in favor of introducing data breach notification legislation has been overwhelmingly passed by the South Dakota Senate Attorney Judiciary Committee. The bill advanced after a 7-0 vote. It was originally introduced at the request of South Dakota Attorney General Marty Jackley. Presently there are only two states left in the US that have yet to implement data breach legislation to protect state residents. As it seems that South...

Read More
DC Assisted Living Facility Hit by Malware Breach Exposing 5,200 PHI Records
Jan28

DC Assisted Living Facility Hit by Malware Breach Exposing 5,200 PHI Records

A malware attack experienced at Westminster Ingleside King Farm Presbyterian Retirement Communities may have allowed the hackers to obtain the protected health information of thousands of its clients. The Washington, D.C.-located assisted living center had adopted a wide range of security solutions to stop unauthorized access to its systems, although on this occasion they were unable to prevent the attack. The malware was identified...

Read More
53,000 Pharmacy Patients Have PHI Exposed in Email Hack
Jan25

53,000 Pharmacy Patients Have PHI Exposed in Email Hack

Patients of Onco360 and CareMed Specialty Pharmacy have been notified that the PHI of 53,173 patients has been compromised due to a phishing attack. A security breach was discovered on November 14, 2017, when suspicious activity involving a member of staff’s email account was uncovered. Following the discovery, third-party computer forensics experts conducted an investigation to determine the manner and extent of the breach. It...

Read More
Unauthorized Palomar Health Nurse Viewed Medical Records of Over 1,300 Patients
Jan22

Unauthorized Palomar Health Nurse Viewed Medical Records of Over 1,300 Patients

A former nurse employed at Palomar Medical Center Escondido viewed, without authorization, the medical records of more than 1,300 patients who were receiving treatment at the hospital. Those affected are now being made aware of the breach. The breaches were experienced over a 15-month period between February 10, 2016 and May 7, 2017. The unauthorized access was first identified when access logs were reviewed. The audit revealed a...

Read More
Hancock Health Hit by Ransomware Attack
Jan19

Hancock Health Hit by Ransomware Attack

Following a ransomware attack on Indiana-based organization Hancock Health last Thursday, staff at the hospital had no choice but to move to using pen and paper to detail patient health information, while IT staff made efforts to obstruct the attack and regain access to encrypted files. The attack started around 9.30pm on Thursday night when files on its network started to be encrypted. The attack initially caused the network to run...

Read More

Registered Nurses ‘Happy’ With PHI Security According to University of Phoenix Survey

The results of a recent survey completed by the University of Phoenix College of Health Professions indicate that registered nurses (RNs) believe their organization’s ability to prevent data breaches is of an acceptable level. The survey was sent to 504 permanent RNs and administrative workers across the USA. Respondents had held their position for a minimum of two years. Just under half of RNs (48%) and 57% of...

Read More
Coplin Health Systems Patients’ PHI Possibly Compromised by Laptop Theft
Jan17

Coplin Health Systems Patients’ PHI Possibly Compromised by Laptop Theft

43,000 patients of West Virginia-based Coplin Health Systems have been warned that their PHI may have been exposed following the theft of an unencrypted laptop computer from the vehicle of a worker at the organization. Coplin Health discovered the laptop theft on November 2, 2017. The theft was then reported to law enforcement and an investigation was initiated, although at the time of sending the warnings, the laptop computer in...

Read More
Unencrypted Hard Drive Results in the PHI of 9387 Patients Being Exposed
Jan15

Unencrypted Hard Drive Results in the PHI of 9387 Patients Being Exposed

In late November, the Framingham, MA-based practice Charles River Medical Associates discovered one of its external hard drives was missing from its usual location. The missing device contained x-ray images, names, patient ID numbers, and birth details. All patients who had visited the Framingham radiology lab for a bone density scan since 2010 had their x-ray images obtained – almost 9,400 individuals. The hard drive was...

Read More
PHI Breach at Oklahoma State University Center for Health Sciences
Jan13

PHI Breach at Oklahoma State University Center for Health Sciences

An unauthorized individual has gained access to parts of the Oklahoma State University Center for Health Sciences (OSUCHS) network and may have accessed files containing billing details of Medicaid patients. The security breach was uncovered on November 7, 2017 with access to the network terminated the next day. Third party computer forensics experts were employed to carry out a comprehensive investigation to determine which areas of...

Read More
Florida Agency for Health Care Administration Hit by Phishing Attack
Jan11

Florida Agency for Health Care Administration Hit by Phishing Attack

An unauthorized individual has gained access to a single email account of a staff member at the Agency for Health Care Administration in Florida using a phishing scam. The staff member was sent, and responded to, a malicious phishing email on November 15, 2017 and shared login details that permitted the attacker to remotely access his/her email account and, potentially, the protected health information of up to 30,000 Medicaid...

Read More
Compassion Care Hospice Cyber Attack Affects 1,128 Clients
Jan10

Compassion Care Hospice Cyber Attack Affects 1,128 Clients

The protected health information of 1,128 clients of Compassionate Care Hospice Las Vegas (CCHLV) may have been accessed by an unauthorized individual. The person in question gained access to the company’s servers and may have viewed their content. CCHLV discovered the violation on its network on October 28, 2017. The server was accessed by an unauthorized individual. CCHLV hired a firm specializing in...

Read More
Unauthorized Person May Have Accessed PHI of 1,128 CCHLV Patients
Jan08

Unauthorized Person May Have Accessed PHI of 1,128 CCHLV Patients

It has been discovered that an unauthorized individual may have viewed the protected health information of 1,128 patients of Compassionate Care Hospice Las Vegas (CCHLV). During a review on October 28, 2017, CCHLV found that its systems had been accessed without authorization. After finding the breach, CCHLV brought in a third-party forensics company to conduct a thorough investigation to look into the breach and identify exactly who may...

Read More
5,000 Members of Kaiser Permanente Notified About Two Security Incidents
Jan06

5,000 Members of Kaiser Permanente Notified About Two Security Incidents

Two security incidents have recently been reported to the Department of Health and Human Services’ Office for Civil Rights by Kaiser Permanente. Combined, more than 5,000 people have been affected by the two breaches. Those affected were clients of the Kaiser Foundation Group Health Plan. The most potentially dangerous incident, regarding the number of individuals harmed, was an email-related breach threatening 4,389 health plan...

Read More
Bronson Healthcare Group Phishing Attack Impacts 8,256 Patients
Jan06

Bronson Healthcare Group Phishing Attack Impacts 8,256 Patients

A recent Bronson Healthcare Group phishing attack has resulted in a hacker gaining access to the protected health information (PHI) of 8,256 patients. The attack allowed the hacker to gain access to the health system’s email system, which contained the names, medications, and treatment information of patients. No Social Security numbers or patients’ financial information was compromised, and its electronic medical record system was...

Read More
Employee-Related Data Breach at SSM Health Affects 29,000
Jan05

Employee-Related Data Breach at SSM Health Affects 29,000

It has been discovered that a former worker at the St. Louis, MO-based not-for-profit health system, SSM Health, was accessing the health records of clients for 8 months despite not having any legitimate work reason. The individual worked in SSM Health’s customer service support call center, and due to this, did not have permission to access financial information, only demographic, health, and clinical data. The access was discovered...

Read More
Sports Medicine Practice Hit by Two Hacking Attacks in 7 Days
Jan04

Sports Medicine Practice Hit by Two Hacking Attacks in 7 Days

A hacker has gained access to the systems of a family and sports medicine practice based in Colorado and encrypted files with ransomware. Longs Peak Family Practice (LPFP) in Longmont, CO, discovered suspicious activity taking place on its internal network on November 5, 2017 and took quick measures to safeguard its systems. However, before the measures were in place, the attacker ran ransomware code which encrypted files on some parts...

Read More
24,000 Patients Impacted by Emory Healthcare Data Breach
Jan03

24,000 Patients Impacted by Emory Healthcare Data Breach

It has been discovered that a former worker at Emory Healthcare (EHC) has obtained the protected health information of 24,000 EHC patients and uploaded the data to a Microsoft Office 365 OneDrive account, from where it was accessible by other people. The former worker was a physician at Emory Healthcare, who is now a staff member at the University of Arizona (UA) College of Medicine. EHC says client information was taken covertly and...

Read More
Cyberattack Affects Internal Access to Jones Memorial Hospital Servers
Jan02

Cyberattack Affects Internal Access to Jones Memorial Hospital Servers

University of Rochester Medicine’s Jones Memorial Hospital, located in Wellsville, New York, is currently dealing with a cyberattack that has inflicted some unexpected downtime on the organization. The attack is believed to have begun on Wednesday December 27 and has caused disruption to some of its information servers. The details of the cyberattack are unclear and it has yet to be resolved. The cyberattack has been limited to Jones...

Read More
Access to Wager Evans Dental Records Prevented for 5 Days After Ransomware Attack
Dec29

Access to Wager Evans Dental Records Prevented for 5 Days After Ransomware Attack

Wager Evans Dental practice, based in Reno, NV, has experienced a ransomware attack that cut off access to dental records and images for five days towards the end of 2017. The ransomware attack happened on October 30, 2017. The ransomware software was installed on one computer and one server used by the Dental Clinic. Ransomware can be installed by hackers using many different methods, although attacks most commonly use email. That...

Read More
Nebraska Ransomware Attacks Compromised PHI of Almost 10,000 Patients
Dec27

Nebraska Ransomware Attacks Compromised PHI of Almost 10,000 Patients

A ransomware attack that targeted Columbus Surgery Center, LLC and Eye Physicians, P.C., in Columbus, Nebraska has potentially exposed the protected health information of almost 10,000 clients. The ransomware attack took place on October 7, 2017 and saw a wide variety of files on some servers being encrypted by the ransomware. A ransom demand was made by the hackers, although this was not paid. The encrypted data was restored from a...

Read More
1,750 Patients Affected by Potential Data Theft Incident at Austin Manual Therapy
Dec21

1,750 Patients Affected by Potential Data Theft Incident at Austin Manual Therapy

1,750 patients have been notified that some of their protected health information may have been accessed and stolen by a criminal attacker who gained access to Austin Manual Therapy (AMT) systems. Following a forensic investigation by a leading national cybersecurity team, it has been found that access was first gained on October 3, 2017 and continued until October 9, when the intrusion was found and blocked. In the breach notice...

Read More
1,900 MidMichigan Medical Center Patients’ PHI Found After Breach
Dec21

1,900 MidMichigan Medical Center Patients’ PHI Found After Breach

MidMichigan Medical Center (MMC) in Alpena has made contact with patients to advise them of a possible breach of their health information, which may have literally been blown into the hands of people unauthorized to view the information. Late on November 18, an MMC cardiologist moved patient files from the Alpena cardiology office without adequate authorization. The files were placed in the cardiologist’s vehicle in a storage container...

Read More
PHI of Almost 7,000 Patients Exposed in Two Separate Breaches
Dec19

PHI of Almost 7,000 Patients Exposed in Two Separate Breaches

A binder holding a log of presurgical insurance authorizations was accidentally recycled by a cleaning company contracted by NYU Langone Health System in October. The binder held records referring to around 2,000 patients. The binder contained information including names, birth dates, dates of service, current procedural terminology code, diagnosis codes, insurer names, and insurance ID credentials. In some instances, short...

Read More
5,000 Patients’ PHI Exposed in Two Separate Breaches
Dec18

5,000 Patients’ PHI Exposed in Two Separate Breaches

Patients’ protected health information has been exposed in separate breaches at Midland Memorial Hospital in Midland, TX, and Washington Health System Greene in Waynesburg, PA. The Washington Health System Greene organization is contacting 4,145 patients to advise them that some of their protected health information has been exposed after a hard drive could not be found at their premises. An external hard drive used with a bone...

Read More
UNC Health Care Breach Potentially Impacts 24,000 Patients
Dec17

UNC Health Care Breach Potentially Impacts 24,000 Patients

A computer device belonging to UNC Dermatology & Skin Cancer Center in Chapel Hill, NC, has been stolen in a burglary, possibly exposing the protected health information of up to 24,000 patients of the clinic. Thieves removed the computer from the premises on October 8, 2017. UNC Health Care said the stolen computer contained a database that gathered the protected health information of patients who had previously been treated...

Read More
18,500 Patients’ PHI Exposed After Multiple Email Accounts Were Compromised
Dec14

18,500 Patients’ PHI Exposed After Multiple Email Accounts Were Compromised

The Detroit-based Henry Ford Health System has issued notifications to almost 18,500 patients that some of their PHI has potentially been seen by an unauthorized person. The PHI breach was discovered on October 3, 2017 when unauthorized access to the email accounts of several members of staff was detected. While protected health information was possibly accessed or stolen, the health system’s EHR system was not accessed at any point....

Read More
Accessing Medical Records Without Authorization Leads to Hospital Employee Being Sacked
Dec13

Accessing Medical Records Without Authorization Leads to Hospital Employee Being Sacked

The medical histories of 769 patients at Lowell General Hospital have been accessed by a member of staff without any valid work reason. By accessing the medical records, the member of staff breached the Massachusetts-based hospital’s policies and violated the privacy of hospital patients. Once the breach was discovered and the subsequent investigation completed, the employee was fired. Lowell General Hospital was content that only...

Read More
Healthcare Worker Stole PHI of 28,000 Health Care Services Patients
Dec12

Healthcare Worker Stole PHI of 28,000 Health Care Services Patients

Private documents holding the PHI of patients have been stolen by a former employee of the Center for Health Care Services (CHCS) in San Antonio, a provider of mental health treatment and support services for patients with intellectual and developmental disabilities. Notifications of the breach have been sent to 28,434 patients who received care at CHCS before the summer of 2016. The breach of PHI was only found on November 7, 2017,...

Read More
Pennsylvania Obs/Gyn Clinic PHI Breach Reported
Dec11

Pennsylvania Obs/Gyn Clinic PHI Breach Reported

Paper files from Women’s Health Consultants, an obstetrics and gynecology practice that had centers in South Whitehall Township and Hanover Township, PA, have been dumped at a recycling center in Allentown, Pennsylvania. The files – containing names, Social Security numbers, and medical histories, including details of cancer diagnoses and sexually transmitted diseases – seem to have come from the firm which is no longer...

Read More

PHI Breach at UAB Medicine Leaves 652 Records Potentially Exposed

In Birmingham, Alabama, the UAB Medicine Viral Hepatitis Clinic has discovered a breach of patients’ protected health information (PHI) that could have affected up to 652 patients. The group, UAB Medicine, uses flash drives to transfer information from its Fibroscan machine to a computer. Two flash drives were discovered to be missing on October 25, 2017. The portable storage devices were used to hold a limited amount of PHI...

Read More
Personal Information of New York Pharmacy Customers Exposed in Improper Disposal Incident
Dec06

Personal Information of New York Pharmacy Customers Exposed in Improper Disposal Incident

A security breach, involving the improper disposal of a device used to capture customers’ signatures, has been encountered by ShopRite Supermarkets, Inc. The device in question was used at the ShopRite, Kingston, NY location between 2005 and 2015 and stored personal and medical data. Customers who attended the pharmacy and had prescriptions supplied between 2005 and 2015 have potentially been impacted by the exposure. For those...

Read More
Extortion Attempt on Sports Medicine Provider Exposes Private Data of 7,000 Individuals
Dec05

Extortion Attempt on Sports Medicine Provider Exposes Private Data of 7,000 Individuals

Sports Medicine & Rehabilitation Therapy (SMART), based in Massachusetts, has contacted 7,000 clients regarding a breach of their protected private health information that occurred in September 2017. Potentially, the breach impacted all clients whose data was saved during a visit to a SMART outlet prior to December 31, 2016. Hackers, in an extortion attempt, accessed SMART systems, allegedly stole private information, and asked...

Read More