Phishing Attack on Ramsey County impacts 117,905 Individuals
Sep20

Ramsey County has revealed that a phishing attack that took place in August 2018 impacted a great many more individuals than first thought. The victim count has been revised to 117,905 from 599. The original breach report stated the email accounts of 26 staff members were compromised in a phishing attack that took place around August 9, 2018. The attack was identified quickly and the affected accounts were locked down. The individuals...

First HIPAA Violation Case Under 2019 Right of Access Initiative Settled by OCR
Sep16

Earlier in 2019, the Department of Health and Human Services’ Office for Civil Rights (OCR) revealed that one of the main focuses of HIPAA enforcement in 2019 would be HIPAA right of access failures, including untimely responses to access requests and overcharging for copies of medical data. The HIPAA right of access permits patients to obtain copies of their medical records on request. HIPAA-covered entities must honor those requests...

PHI of 183,000 Patients Exposed in Phishing Attack on Presbyterian Healthcare Services
Aug27

The Albuquerque, NM-based not-for-profit health organization Presbyterian Healthcare Services has suffered a phishing attack that resulted in the email accounts of several workers being subjected to unauthorized access. The phishing attack was noticed by Presbyterian Healthcare Services on June 6, 2019. The breach investigation showed the email accounts were infiltrated a month earlier, on or around May 9, 2019. Upon identification of...

3,000 Records Potentially Compromised in Rhode Island Healthcare Attack
Aug24

Rhode Island Ear, Nose and Throat Physicians Inc. (RIENT) is contacting 2,943 patients to make them aware that some of their health information was saved on a server which was subjected to unauthorized access on June 19, 2019 when a hacker obtained access to its databases. The breach was discovered the same day and the network was safeguarded. An external computer forensics firm was contracted to assist with the investigation and help...

10,000 Patients Have Personal Data Impacted in Massachusetts General Hospital Breach
Aug24

Massachusetts General Hospital (MGH) has identified that computer applications used by security experts in its Department of Neurology have been subjected to unauthorized access. The individual responsible would have been able to access the protected health information of around 10,000 patients. MGH discovered the breach on June 24, 2019 and quickly shut down access to the applications and databases. An investigation was initiated,...

Researchers Provide Insights into Motivations Behind Healthcare Cyberattacks
Aug22

A new report from FireEye provides insights into the motivations behind cyberattacks on U.S. healthcare organizations. The report shows patient information is not the only type of sensitive data being sought. There has been a marked increase in cyberattacks on cancer research institutes and medical institutions for the research data they hold. The attacks are being conducted by Advanced Persistent Threat (APT) groups affiliated to...

Data Breach Exposes Medical Records of Western Connecticut Health Network Patients
Aug22

Nuvance Health has started getting in touch with certain Western Connecticut Health Network (WCHN) patients to make them aware that some of their protected health information has been exposed. On June 11, 2019, WCHN sent a box of medical records to the Connecticut State Department of Public Health. The package was sent using the U.S. Postal Service (USPS), but the package was damaged in transit, exposing the contents of the...

Washington Hospital Hit $1m Ransom Demand by Cybercriminals
Aug16

A ransomware attack on an Aberdeen, WA hospital and associated clinics is still wreaking havoc over two months after the initial attack took place. The cybercriminals have requested $1 million for the keys to unlock the encryption on the captured data. On June 15, 2019, Grays Harbor Community Hospital started noticing IT problems. The attack happened on a Saturday when staffing numbers were low so, at first, the problem was put down...

Lost Thumb Drive was used to Store PHI for Renown Health
Aug12

Renown Health, the largest healthcare supplier in Northern Nevada, has started getting in touch with certain patients to make them aware that some of their protected health information (PHI) may have been accessible. Patient information was held in files on a portable storage device (thumb drive) identified as missing on June 30, 2019. An extensive search of the facility was conducted but the thumb drive could not be found. An...

2019: A Particularly Bad Year for Healthcare Data Breaches
Aug07

Cyberattacks on healthcare organizations have continued to increase throughout the first half of 2019 and this year has seen the discovery of the second largest healthcare data breach ever reported. American Medical Collection Agency experienced a cyberattack in which the records of more than 20 million patients were exposed and potentially stolen. It should be no surprise to hear that in terms of both the number of healthcare data...

AMCA Breach Impacts 2.2 Million Patients of Clinical Pathology Laboratories
Jul24

It has recently been discovered that the protected health information (PHI) of approximately 2.2 million patients of Clinical Pathology Laboratories in Texas may have been compromised in the data breach at American Medical Collection Agency (AMCA). AMCA supplies debt collection services to many healthcare firms, which necessitates access to the PHI of patients with outstanding bills. A cyberattack on the AMCA payment website...

AMCA Data Breach Total Nears 25 Million
Jul23

The number of healthcare providers confirmed to have been affected by the American Medical Collection Agency (AMCA) data breach has continued to grow over the past week. To date, 18 healthcare providers have made announcements that the protected health information they provided to AMCA has been exposed. AMCA is a collection agency that works with several healthcare organizations and recovers unpaid medical bills. In March 2019,...

25,000 Adirondack Health Patients Hit by Email Account Hack
Jul21

Vermont-based Adirondack Health is getting in touch with around 25,000 patients to advise them that some of their protected health information has potentially been obtained by a cyber criminal. This includes information such as patients’ names, dates of birth, Medicare ID numbers or health insurance member numbers, and limited treatment and/or clinical information. A smaller subset of patients also had their Social Security number accessible. Adirondack Health is...

14,591 DHS Patients have PHI Compromised in Phishing Attack on California Business Associate
Jul16

Nemadji Research Corporation, an outfit working with California Reimbursement Enterprises, has revealed that an unauthorized person obtained access to the email account of a staff member and may have viewed or copied the protected health information (PHI). California Reimbursement Enterprises is a business associate of several healthcare centers and hospitals in California and operates to provide a patient eligibility and billing...

Tennessee Hospice Phishing Attack may have impacted Sensitive Data
Jul12

Alive Hospice, a provider of end-of-life care, palliative care, bereavement support and community education based in Nashville, Tennessee, has revealed that the email account of a staff member was infiltrated during May 2019. On May 6, 2019, suspicious activity was noticed in a staff member’s account. The password for the account was quickly changed and an investigation was launched into the cause of the violation. The...

Unauthorized Use of PHI as Teaching Tool Leads to Legal Action by Student
Jul08

A medical student at Marshall University is suing the institution, along with Cabell Huntington Hospital, in relation to the unauthorized sharing of some of his protected health information (PHI) to a class of students. The student, who is referred to only as J.M.A in the lawsuit, alleges that his x-rays were used as a teaching tool by a professor at Marshall University Joan C. Edwards School of Medicine, but information...

California and Illinois Clinics Discover Ransomware Attacks
Jun26

Quantum Vision Centers and Eye Surgery Center patients located in Illinois are being contacted to make them aware that some of their protected health information may have been illegally obtained in an April 2019 ransomware attack. An unauthorized person obtained access to certain Quantum systems and deployed ransomware on April 18, 2019. The ransomware encrypted files, some of which included data such as names, dates of birth,...

645,000 Clients of Oregon Department of Human Services Alerted Regarding Phishing Breach
Jun22

The Oregon Department of Human Services (ODHS) is making contact with 645,000 clients to advise them that some of their personal information may have been compromised due to a phishing attack. The targeted attack kicked off on January 9, 2019 and led to 9 ODHS employees clicking on links in emails and disclosing their login details. ODHS and the Department of Administrative Services Enterprise Security Office noticed the breach on...

Two Maryland Healthcare Providers Affected by Potential Breach at Meditab Software I
Jun21

In Maryland, two healthcare providers have been impacted by a possible data breach that took place at their business associate, Meditab Software Inc. Meditab supplies EMR and practice management software to healthcare providers and its systems include patient data. In March 2019, Meditab found some protected health information (PHI) had been left unsecured. Meditab had established a portal to view statistics for its Fax Cloud services....

Phishing Breach Notifications sent to 645,000 Clients of Oregon Department of Human Services
Jun10

The Oregon Department of Human Services (ODHS) is making contact with 645,000 clients to advise them that a portion of their personal information was possibly impacted due to a phishing attack. The phishing attack took place beginning on January 9, 2019 and led to nine ODHS members of staff visiting links in emails and disclosing their login details. ODHS and the Department of Administrative Services Enterprise Security Office...

Misconfigured ElasticSearch Server at University of Chicago Medicine Impacts over 1.68m Records
Jun07

It has been revealed that University of Chicago Medicine has discovered more than 1.68 million of its records have been exposed due to a misconfigured server. The records were saved on a misconfigured ElasticSearch server which had mistakenly had its protections removed, allowing it to be accessed over the internet without the requirement for any authentication. The misconfiguration permitted a database to be accessed which included...

AMCA Breach Affects Almost 7.7 Million Patients
Jun06

After reports that the data breach at American Medical Collection Agency (AMCA) impacted the records of 11.9 million Quest Diagnostics patients comes the revelation that another healthcare company has been impacted by the breach. On June 4, 2019, LabCorp, a different nationwide group of blood testing centers, announced that 7.7 million people whose blood samples were processed by the company may have had their sensitive information...

LabCorp Impacted by AMCA Data Breach: Up to 7.7 Million Customers Affected
Jun05

A day after Quest Diagnostics confirmed 11.9 million of its customers have been affected by a cyberattack on American Medical Collection Agency (AMCA) comes news that a rival network of blood testing laboratories has also been impacted. LabCorp also uses AMCA’s billings collection services and the data of its customers has also been exposed. In a recent U.S. Securities and Exchange Commission (SEC) filing, LabCorp states that it...

Sensitive Information of 11.9 Million Quest Diagnostics Patients Compromised
Jun04

Quest Diagnostics, one of the leading medical laboratories and blood testing companies in the United States, has been affected by a data breach at one of its vendors. That breach has resulted in the exposure and potential theft of almost 12 million individuals’ personal, medical, and financial information. According to a recent U.S. Securities and Exchange Commission (SEC) filing, Quest Diagnostics was notified of a data breach at the...

Medical Informatics Engineering Settles HIPAA Violation Cases for $1 Million
May28

The electronic medical record software company Medical Informatics Engineering (MIE) has agreed to settle its HIPAA violation case with the U.S. Department of Health and Human Services’ Office for Civil Rights for $100,000 and has agreed to pay $900,000 to resolve a multi-state action filed by state attorneys general over a 2015 data breach. MIE experienced a data breach on May 7, 2015 when hackers gained access to a server used by...

Uploaded to Unapproved and Unsecured Cloud Service Used by UMC Physicians
May21

UMC Physicians, based in Lubbock, is contacting patients of UMC Southwest Gastroenterology to make them aware that some of their protected health information has been exposed due to errors of judgement by two of its employed providers. Those providers had each set up a Google shared drive which was used to track follow-up jobs related to the provision of care to patients. While the shared drives were set up with good intentions and were...

Verity Health’s St. Vincent Medical Center Reports Phishing Attack
May20

St. Vincent Medical Center, a part of Verity Health System, has announced a staff email account has been hacked following a response to a phishing email. The breach took place on March 15, 2016 and involved the email account of a hospital pathologist. The account compromise was discovered on March 26 and the account was secured within hours. During the period of time that the unauthorized individual had access to the account, it...

1,100 Spectrum Health Lakeland Patients Affected by Phishing Attack
May11

Spectrum Health Lakeland has revealed that a breach, the second the group has suffered in as many months, has exposed the protected health information (PHI) of some of its clients. The previous breach took place at Wolverine Services Group and affected around 60,000 of its patients. The latest incident involved an unauthorized person obtaining access to an email account due to the response to a phishing email. As was the case with the...

Extensive HIPAA Failures Lead to $3 Million for Touchstone Medical Imaging

The Department of Health and Human Services’ Office for Civil Rights (OCR) has revealed that a settlement has been agreed with the Franklin, TN-based diagnostic medical imaging services firm, Touchstone Medical Imaging. The settlement resolves many breaches of HIPAA Rules identified by OCR during the review of a 2014 data breach. Touchstone Medical Imaging has agreed to a settlement of $3,000,000 in relation to the violations...

Chinese Nationals Charged over 78.8 Million-Record Anthem Inc Hack
May10

The U.S. Department of Justice has announced that two Chinese nationals have been charged over the 2015 hacking of Anthem Inc. and three other cyberattacks on U.S. businesses. In February 2015, Anthem Inc. discovered its systems had been infiltrated. Further investigation revealed the records of 78.8 million plan members had been stolen in what was, and still is, the largest healthcare data breach ever to be discovered. On Thursday,...

American Baptist Homes of the Midwest Reports Ransomware Attack
May10

American Baptist Homes of the Midwest (ABHM), a supplier of assisted living and assisted care centers around the U.S. Midwest, has reported a security breach involving the use of ransomware on its systems. The attack began on or around March 10, 2019. The attack was detected quickly, but only after the encryption routine had kicked off. The attack was disabled and affected accounts were secured, but not in time to prevent widespread...

Bodybuilding.com Data Breach Impacts 3,193 Employees
May10

The bodybuilding and personal fitness website Bodybuilding.com has revealed it has had to deal with a security incident that may have led to the information of customers and employees being accessed by unauthorized people. While the breach affecting customers was not a reportable incident under HIPAA, HIPAA does cover group health plans. As such, Bodybuilding.com was required to report the breach of group members’ PHI to the Office...

Delayed Breach Response Costs Tennessee Medical Imaging Firm $3 Million
May08

It is not possible to prevent all healthcare data breaches, but when a breach is experienced it must be investigated and mitigated promptly. Delaying the breach response and notifications can prove extremely costly, as the Tennessee medical imaging firm Touchstone Medical Imaging discovered. On May 9, 2014, Touchstone Medical Imaging was notified by the FBI that an FTP server had been left unsecured. At the same time, the HHS’ Office...

PII of 137,000 Individuals Discovered in Unsecured Elasticsearch Database
May03

An unsecured Elasticsearch database containing the personally identifiable information of approximately 137,000 people has been exposed over the Internet. The database was discovered by security researcher Jeremiah Fowler, who determined that the data belonged to the medical emergency evacuation service provider SkyMed. Fowler discovered the security settings for the database had not been correctly configured and the database could be...

Business Associate Phishing Attack Impacts PHI of 17,531 Patients

Women’s Health USA Inc., an Avon, CT-based business associate that supplies a range of practice management services to healthcare groups, has suffered a phishing attack that has led to the exposure of patients’ protected health data. A review was initiated following the discovery of suspicious activity within specific employee email accounts. The targeted email accounts were safeguarded, and a leading cybersecurity firm was engaged...

Biggest Malware Threats in Healthcare Revealed
Apr30

A recent report from Malwarebytes has revealed Trojans are the biggest malware threat. Trojans account for 79% of all malware detected on healthcare systems by Malwarebytes. The Emotet Trojan is the leading malware variant, accounting for 37% of all detected Trojans. While the Emotet Trojan was once just a banking Trojan concerned with obtaining credentials to online bank accounts, it has since evolved to include a wide range of...

Medical Billing Service Provider Suffers Ransomware Attack 7 Months After Computer Breach
Apr26

Massachusetts-based supplier of medical billing services Doctors’ Management Service Inc. noticed that malicious software had been downloaded to its network which stopped files from being accessed on December 24, 2018. A review into the security incident was initiated which found GandCrab ransomware had been deployed. Files were rescued from backups and no ransom was paid. The review also found that the individual responsible for...

EmCare Phishing Attack Exposes 60,000 Records
Apr26

The Dallas, TX-based physician staffing company EmCare has revealed that it has been impacted by a data breach that has impacted around 60,000 individuals, 31,000 of whom were patients. The exposed data was detailed in emails and email attachments in employee email accounts that were accessed by an unauthorized person after several employees responded to phishing emails and disclosed their email details. It is unclear from EmCare’s...

11,639 Individuals Impacted by Riverplace Counseling Center Malware Attack
Apr20

Riverplace Counseling Center in Anoka, MN, has revealed that malware was discovered on its systems which may have allowed unauthorized individuals to obtain access to patients’ protected health information. The malware infection was first noticed on January 20, 2019. The counseling center brought in an IT firm to conduct a forensic analysis, remove the malware, and restore its systems from backups. The analysis process was completed...

Servers Compromised and Virus Deployed at Centrelake Medical Group
Apr19

Centrelake Medical Group, a group of 8 medical imaging and oncology clinics in California, is notifying a number of patients that some of their protected health information has been exposed due to a computer virus. The computer virus was identified in February 2019 when it stopped the medical group from accessing its files. The virus seems to be a form of ransomware, although no mention of ransomware or a ransom demand was made in...

$4.7 Million Settlement Agreed in Washington State University Data Breach Class Action Lawsuit

In the past few days a $4.7 million settlement has been approved by the King County Superior Court to reimburse individuals whose personal information was stolen from Washington State University in April 2017. Washington State University had backed up personal information on external hard drives which were saved in a safe in a self-storage locker. On April 21, 2017, the university discovered a break-in had taken place at the storage...

Pharmaceutical Giant Targeted in Long-Term Cyber Espionage Campaign
Apr08

The German pharmaceutical giant Bayer has announced that it has been targeted by hackers who installed malware on its network. The attack was contained, but the malware was not removed for months. Instead, Bayer has been observing the malware in an attempt to determine the ultimate goal of the attack and the identity of the threat actors behind the campaign. The malware was installed on its network in early 2018. The affected systems...

UW Medicine Exposes 1m Patients PHI by Removing Security
Mar20

Around 974,000 patients of UW Medicine have had their PHI exposed online due to the accidental disabling of protections on a website server. The error led to sensitive internal files being indexed by search engines. Sensitive patient information was accessible using Internet searches without any need for authentication. The Seattle-based group noticed a vulnerability on a website server on December 26, 2018, after being contacted...

Sharecare Health Data Services Issues Alert 8 Months After Breach Discovery
Mar16

Sharecare Health Data Services (SHDS), a San Diego firm that provides secure electronic exchange and medical records management services for healthcare groups, has contacted some of its clients to advise them that hackers gained access to parts of its systems that contained sensitive patient data. SHDS discovered abnormal network activity on June 26, 2018, leading to an in-depth investigation. The investigation showed cyber criminals...

16,440 Patients Affected Due to Breach at Kentucky Counseling Center
Mar06

Kentucky Counseling Center (KCC) has discovered that a list of 16,440 clients has been illegally taken and shared with another person. A current member of staff is thought to have accessed and copied patient information without authorization, uploading the data to an anonymous file sharing service, and then sending a hyperlink to the list to a former staff member of KCC. The former staff member was sent the link to the patient list on...

Milestone Family Medicine Data Breach Made Known to St. Francis Patients
Mar05

Bon Secours St. Francis Health System is getting in touch with patients in relation to a security breach that may have led to some of their protected health information (PHI) being viewed/accessed by unauthorized actors who obtained access to the systems of Milestone Family Medicine in Greenville, SC. Milestone Family Medicine was connected with St. Francis Physicians Services (SFPS) until February 24, 2019, and had previously worked...

PHI Incident at Rush University Medical Center Impacts up to 45,000 Patients

Rush University Medical Center is contacting around 45,000 patients to advise them that their PHI has been exposed due to a data incident at a financial services vendor. Rush discovered the incident on January 22, 2019. A member of staff of the financial services vendor was found to have shared a file containing patients’ PHI with an unauthorized third party in May 2018. The sort of information in the file varied from patient to patient...

Rutland Regional Medical Center Email Accounts Accessed by Hackers
Mar04

Rutland City-based Rutland Regional Medical, the biggest community hospital in Vermont, has uncovered a hack of its IT systems where cybercriminals obtained access to the email accounts of nine employees and potentially viewed/obtained patients’ protected health information. The hack was discovered on December 21, 2018 when a staff member of the medical center saw that their email account had been used to transmit large quantities of...

UConn Health Phishing Attack Impacts 326K Patients
Feb25

A UConn Health phishing attack in December has potentially allowed an unauthorized individual to gain access to the health information of hundreds of thousands of patients. The attack was detected on December 24, 2018, and all email accounts were secured to prevent further unauthorized access. It is unclear for how long the attacker had control of the accounts. The breach may have dated back months. During the time that accounts could...

Pawnee County Memorial Hospital Malware Attack Impacts 7,000 Patients
Feb14

Pawnee County Memorial Hospital in Pawnee City, Nebraska, is contacting 7,038 clients to advise them that some of their protected health information has possibly been accessed by a cyber criminal. On November 29, 2018, the hospital was advised that malware had been downloaded which allowed an unauthorized person to obtain access to its email system. Malware was placed into the hospital’s email system when a staff member opened a malicious email...

Georgia Eye Associates Email Breach Impacts 24,000 Patients
Feb14

EyeSouth Partners has revealed that a cyber criminal has obtained access to a staff member’s email account and may have viewed/obtained the electronic protected health information (ePHI) of up to 24,000 clients. EyeSouth Partners is a registered business associate of Georgia Eye Associates, South Georgia Eye Partners, Cobb Eye Center, and Georgia Ophthalmology Associates. EyeSouth Partners became aware, on October 25 last year,...

Minnesota Infertility Clinic Suffers Malware Attack
Feb09

Malware has been downloaded to the network of Reproductive Medicine and Infertility Associates, an infertility clinic located in Woodbury, Minnesota. While no proof was found to imply any patient information was accessed or exfiltrated by the malware, the chance of a data breach taking place could not be eliminated. The malware attack was discovered by the infertility clinic on December 5, 2018 and an external computer forensics firm...

Roper St. Francis Healthcare Phishing Attack Sees 13 Accounts Compromised
Feb06

A massive phishing campaign targeting Roper St. Francis Healthcare has seen attackers gain access to the email accounts of 13 staff members. The phishing attack was discovered on November 30, 2018 and actions were taken to block access to a corporate email account. The investigation into the breach showed further email accounts had been accessed. The affected accounts were logged onto by the hacker between November 15 and December 1,...

$935,000 Settlement Agreed Between Aetna and California AG in HIV Status Breach Case
Feb03

Health insurance company Aetna has reached an agreement to pay a HIPAA penalty of $935,000 to the California Attorney General in relation to alleged violations of state laws during a 2017 privacy breach that released state residents’ HIV status. On July 28, 2017, Aetna’s mailing supplier sent letters to plan subscribers who were receiving HIV medications or pre-exposure prophylaxis to stop them from contracting HIV. The letters included...

6,092 Patients of FABEN Obstetrics and Gynecology Alerted about Ransomware Attack
Feb01

FABEN Obstetrics and Gynecology has been hit by a ransomware hacking attack on a server that stored patients’ protected health information (PHI). The ransomware was discovered on November 21, 2018 and led to widespread file encryption. A review was initiated to determine the extent of the attack and whether any patients’ PHI was obtained or downloaded by the hackers. A review of the files stored on the server showed that files...

Email Account Breach Impacts Valley Hope Association Patients
Jan23

Valley Hope Association has revealed that a hacker has been able to log onto the email account of a member of staff. The organisation discovered that an account breach may have taken place on October 10, 2018, when unusual account activity was noticed. Swift action was taken to stop account access continuing and a third-party computer forensics firm was retained to determine the nature and scope of the data breach. The investigation...

Around 1,000 Lebanon VA Medical Center Patients have their PHI Impermissibly Disclosed
Jan18

It has been discovered that the protected health information of hundreds of elderly patients of Lebanon VA Medical Center in Pennsylvania has been impermissibly disclosed to a family member of a veteran. The data breach, which took place in November 2018, involved a member of staff at Lebanon VA Medical Center emailing a document to a family member of a veteran who was seeking nursing home facilities. The list should have included nursing...

773 Million Email Addresses and 21 Million Unique Passwords Listed for Sale
Jan18

A massive collection of login credentials that includes approximately 773 million email addresses has been uncovered by security researcher Troy Hunt. Hunt is an Australian Microsoft Regional Director and maintains the Have I Been Pwned (HIBP) website, where people can check to see whether their login credentials have been stolen in a data breach. Hunt discovered the 87GB database on a popular hacking forum. The data was spread across...

BenefitMall Phishing Attack Impacts 111,589 Plan Members
Jan16

A recently discovered BenefitMall phishing attack has resulted in the exposure of 111,589 plan members’ protected health information. BenefitMall, a division of Centerstone Insurance and Financial Services, discovered on October 11, 2018, that hackers had gained access to several employee email accounts as a result of their responses to phishing emails. Third party computer forensics experts were called in to assist with the...

Four-Month Email Account Hack Impacts 111K Individuals
Jan15

Centerstone Insurance and Financial Services, which conducts its business as BenefitMall, has begun alerting more than 111,000 individuals that some of their protected health information has been illegally accessed, and possibly stolen, in a recent email hacking incident. Dallas, TX-based BenefitMall is a supplier of employee benefits, payroll, HR, and employer services and has a workforce of over 20,000 advisors, brokers, and CPAs...

Ransomware Attack at Bobby Yee Podiatric Offices Affects 24,000 Patients
Jan12

The Podiatric Offices of Bobby Yee have been subjected to a ransomware attack which led to the encryption of files that included the protected health information (PHI) of up to 24,000 patients and other clients. It was discovered that the attack happened on October 29, 2018 when medical records were encrypted by the ransomware. Among the range of data which was breached are files containing information such as full name, address, contact...

AJMC Study: Following a Data Breach Hospitals’ Advertising Expenditure Rises 64%
Jan08

In a recent study published in the American Journal of Managed Care, Sung J. Choi, PhD and M. Eric Johnson, PhD looked into how advertising expenditures at hospitals changed in the aftermath of a data breach. The study showed that hospitals invest an average of 64% more in advertising in the year after a data breach. Advertising expenditures were found to be 79% higher over the two-year period after a data breach. The authors...

Choice Rehabilitation Residents targeted with Email Account Breach
Jan04

It has been found that an unauthorized individual hacked into a corporate email account of one of the employees of Choice Rehabilitation of Creve Coeur, MO, in order to set up a mail forwarder which forwarded emails to a personal email account. The breach happened on July 1, 2018 and the mail forwarder was left switched on until September 30, 2018. A complete review of the email account showed that the protected health information of...

Ransomware Attack hits Vendor of Dental Center of Northwest Ohio
Jan01

Existing and previous patients of the Dental Center of Northwest Ohio in Toledo, OH, have been contacted to advise them that some of their protected health information may have been obtained illegally via a ransomware attack on one of its third party suppliers. A managed IT service provider called Arakyta got in touch with the dental center on September 1, 2018, regarding a security breach on a server hosting some dental center systems. With...

More Than 50 Accounts Compromised in San Diego School District Data Breach
Dec27

A major data breach has been reported by the San Diego School District that has potentially resulted in the theft of the personal information of more than half a million current and former staff and students. The data exposed as a result of the breach date back to the 2008/2009 school year. The breach was detected following reports from district staff of a spate of phishing emails. The emails were highly believable and fooled users...

Q3 2018 Healthcare Data Breach Report Published
Nov09

A Q3 2018 healthcare data breach report from Protenus shows there has been a significant reduction in healthcare data breaches compared to the previous quarter. In Q2, 142 healthcare organizations reported data breaches compared to 117 in Q3. However, due to some large breaches in Q3, the total number of exposed records was substantially higher. Between July and September, the health records of 4,390,512 patients were exposed,...

Anthem Data Breach Settlement of $16 Million Agreed with OCR
Oct16

The largest ever healthcare data breach in the United States has attracted the largest ever fine for noncompliance with HIPAA Rules. The Anthem data breach settlement of $16 million eclipses the previous highest HIPAA fine of $5.55 million and reflects not only the severity of the Anthem Inc data breach, which saw the protected health information of 78.8 million plan members stolen, but also the extent of noncompliance with HIPAA...

Respiratory Care Provider Victim of Phishing Attack
Sep05

Norwood, MA-based Reliable Respiratory has discovered a hacker has gained access to the email account of one of its employees, and through that account, potentially accessed the protected health information of some of its patients. The respiratory care provider was alerted to a possible email account breach on July 3 when suspicious activity was detected in the email account. An investigation was immediately launched which confirmed...

38,000 Patient Health Records Exposed in Legacy Health Phishing Attack
Aug20

A phishing attack on the Portland, Oregon-based healthcare provider, Legacy Health, has resulted in the exposure and possible theft of 38,000 patients’ protected health information. The phishing attack was detected on June 21, although an investigation into the security breach revealed that access had first been gained to some employees’ email accounts several weeks earlier in May. An analysis of the compromised email accounts...

Major Phishing Attack Reported by Augusta University Health
Aug17

Augusta University Health has experienced a phishing attack that has resulted in the unauthorized accessing of several employees’ email accounts. The substitute breach notice uploaded to the University of Augusta website indicates investigators determined on July 31, 2018 that email accounts containing the protected health information (PHI) of patients and personally identifiable information (PII) of employees had been compromised....

UnityPoint Health Phishing Attack Exposed PHI of 1.4 Million Patients
Jul31

Another UnityPoint Health phishing attack has been discovered, and this time it is huge. Hackers have gained access to multiple email accounts which contained the protected health information of approximately 1.4 million patients. This incident is the largest healthcare data breach to be reported since August 2016 and the largest healthcare phishing incident reported since the HHS’ Office for Civil Rights started publishing summaries...

1.5 Million Health Records Breached in Singapore
Jul23

Hackers have successfully gained access to a health database of the Singapore government (SingHealth), allowing them to view the health records of 1.5 million individuals, including the health records of Prime Minister Lee Hsien Loong. Access to the database was gained through a front-end workstation which provided the attackers with privileged access to the database. The data breach was detected on July 4, 2018 when suspicious...

LabCorp Investigating Possible Data Breach
Jul17

LabCorp, one of the world’s largest clinical testing laboratories, has experienced a cyberattack that has potentially resulted in the health data of millions of patients being accessed by hackers. The cyberattack was detected over the weekend of July 14, when unusual activity was detected on its Diagnostics systems. The IT security team took prompt action and started shutting down systems to contain the attack. Some of those systems...

Failure to Encrypt ePHI Costs Cancer Treatment and Research Center $4.34 Million
Jun19

The Department of Health and Human Services’ Office for Civil Rights has announced its third HIPAA financial penalty of 2018. The $4.34 million civil monetary penalty is the fourth largest HIPAA penalty ever issued to resolve HIPAA violations. While most covered entities and business associates agree to settle HIPAA violations and pay the penalty, on rare occasions the penalties are contested, and the case goes before an...

92 Million Users of MyHeritage DNA Testing Service Affected by Data Breach
Jun06

MyHeritage, a provider of DNA testing services, has announced it has experienced a data breach that has impacted more than 92 million users. The breach affects all users of the DNA testing service who signed up prior to October 26, 2017 – the date of the breach. In total, 92,283,889 usernames and hashed passwords were exposed, making this the largest data breach reported in 2018, and the largest security breach since the 143-million...

Hackers Potentially Had Access to 42,000 Patients’ Health Data for a Month After Phishing Attack
May28

The Ohio Healthcare Provider Aultman Health Foundation has discovered some of its employees have been duped by a phishing attack that resulted in the threat actors behind the campaign gaining access to several email accounts. A phishing attack was detected on March 28, prompting a full investigation of the breach. The investigation revealed some employees had fallen for the phishing scam in mid-February. Further accounts were then...

$875,000 Settlement Agreed in W-2 Phishing Scam Lawsuit
May18

A class-action lawsuit stemming from a W-2 phishing scam that saw an employee of the respiratory therapy supplier Lincare Inc., send the W-2 Forms of employees to a scammer has been settled for $875,000. As is typical with these types of Business Email Compromise (BEC) attacks, the scammer pretended to be a senior executive and sent an email to an employee of the HR department requesting W-2 information for the company’s employees....

17,639 Capital Digestive Care Clients Impacted by Hacking Attack
May09

Silver Spring, MD-based gastroenterology group Capital Digestive Care has announced that one of its business associates distributed files to a commercial cloud server that did not have adequate security measures, exposing the protected health information of approximately 17,639 clients. The exposure was brought to the attention of Capital Digestive Care on February 23, 2018 and measures were quickly put in place to secure the files and prevent...

582,000 Patients Warned of Potential PHI Compromise by California Dept. of Developmental Services
Apr27

A recent survey carried out with hackers, incident responders, and penetration testers has shown that most can gain access to a targeted system in around 15 hours, but 54% of hackers take under five hours to gain access to a system, and identify and obtain sensitive data. The data comes from the second yearly Nuix Black Report and its survey of 112 hackers and penetration testers, 79% of whom were located in the United States. Those...

Manufacturer of Oxygen Equipment Reports Data Theft Incident Possibly Impacted 30,000
Apr26

Inogen, a manufacturer of portable oxygen concentrators, has found that an unauthorized individual has obtained the credentials of an employee and has used them to access the staff member’s email account. Phishing and other credential theft incidents are commonplace in the healthcare industry, although what makes this incident unusual is the number of people affected by the attack. The compromised email account included the...

Integrated Rehab Consultants Takes 16 Months to Notify Patients of PHI Breach
Apr24

Illinois-based physiatry organization Integrated Rehab Consultants is sending notification letters to some patients alerting them to the exposure of some of their protected health information, in line with HIPAA regulations. However, the breach was not discovered within the past 60 days. Integrated Rehab Consultants (IRC) initially became aware of the exposure of PHI on December 2, 2016 – 16 months previously. The...

Des Moines Crisis Observation Center Suffers HIPAA Breach Due to Inappropriate Dissemination of Data
Apr23

1,071 patients who were treated at the Des Moines Crisis Observation Center managed by Polk County Health Services Inc., have been contacted to advise them that some of their protected health information has been “accidentally and unknowingly disseminated” at some point in the last 3.5 years. The breach was first identified on February 14, 2018, although the inquiry revealed that information was first disclosed on June 1, 2014 and...

Misconfigured Security Settings Lead to 63,500 Middletown Medical Patients Having their PHI Exposed
Apr19

A security setting that was not configured properly on a radiology system has led to the exposure of the protected health information of tens of thousands of patients of Middletown Medical, a multi-specialty physicians’ group based in Middletown, NY. The breach was first discovered on January 29, 2018. On January 30 the interface was realigned so that unauthorized individuals could no longer obtain patient information. The length of time...

Possible Abuse of Credit Card Details Affects 1,500 Baptist Health Patients
Apr18

A former worker at Baptist Health’s West Kendall Baptist Hospital based in Miami, FL illegally obtained the credit card details of patients and used the information to complete fraudulent transactions. The misuse of credit cards was identified by Baptist Health on March 9, 2018 and the matter was then made known to Miami-Dade law enforcement and the employee was removed from their position. Baptist Health has not made it known...

Multiple Staff Email Accounts Accessed in UnityPoint Health Phishing Attack
Apr17

It has been discovered that the email accounts of several employees of UnityPoint Health have been compromised and accessed by unauthorized people. Access to the staff email accounts was first obtained on November 1, 2017 and went on for a period of three months until February 7, 2018, when the phishing attack was noticed and access to the compromised email accounts was turned off. When the phishing attack was first noticed,...

Email Account Breach Impacts 4,000 Patients of Texas Health Resources
Apr16

Texas Health Resources is sending notifications to ‘fewer than 4,000 patients’ that some of their Private Health Information may have been seen by unauthorized persons. The Arlington-based health care provider, a supplier to over 1.7 million patients in North Texas, says that the data breach may have happened as early as October 2017, although they did not identify it until January 17, 2018, when law enforcement alerted the...

Almost 14,000 Affected by SAMBA Privacy Breach
Apr13

14,000 individuals are being alerted about a February 2018 breach of protected health information at the Special Agents Mutual Benefit Association (SAMBA). The data breach affects eligible family members of plan members who were covered by the Federal Employees Health Benefits Plan during 2017. It is an Internal Revenue Service (IRS) obligation for SAMBA to send a copy of Form 1095-B to all plan members every tax year. The form in...

Data Breach Notification and Information Security Laws Updated in Oregon
Apr12

Data breach notification laws in Oregon have been updated to enhance security for state residents whose personal data is accessible to the public during a data breach. Kate Brown, the State governor, signed the Senate Bill (SB 1551) last month, which updates several parts of the legislation, particularly Oregon’s Breach Notification Law, O.R.S. 646A.604 and Information Security Law, O.R.S. 646A.622. The updates will become...

Arc of Erie County New York Reports that 3,751 Patients’ PHI Was Exposed on Internet in 30-Month Period
Apr11

A provider of person-centered services to individuals with developmental disabilities, The Arc of Erie County New York (The Arc), has reported that two spreadsheets listing the protected health information of 3,751 patients were open to the public via the Internet without the need for authentication for a time period of longer than 30 months from July 2015 to February 2018. The two spreadsheets in question could be seen through the...

Missing Hard Drives from Chesapeake Regional Healthcare Reports PHI of 2,100 Patients
Apr09

Chesapeake, Virginia-based Chesapeake Regional Healthcare has reported that two hard drives containing the protected health information (PHI) of approximately 2,100 patients are missing from their Chesapeake Regional Medical Center campus at that location. The private health information stored on the devices in question relates to patients who participated in research at its Sleep Center between April 2015 and February 2018. It is...

Improper Disposal of PHI is Common According to JAMA Study
Apr05

A recently completed study (published in JAMA) has emphasized just how often hospitals are disposing of PHI in an unsafe fashion. While the study was completed in Canada, which is not subject to HIPAA, the results emphasize a critical area of PHI security that is often neglected.

Incorrect Destruction of PHI is More Commonplace than Previously Thought

Researchers at St. Michael’s Hospital in Toronto reviewed recycled paperwork at...

Data Breach Notification Law Enacted by South Dakota
Apr04

It has taken some time for South Dakota to introduce legislation to enhance protections for consumers impacted by breaches of their personal private data. Laws have already been passed in 48 states that obligate persons and companies that hold personal information to publish notifications to breach victims when that information is accessible by unauthorized individuals. Last week, South Dakota citizens were given similar security...

Phishing Attack on CareFirst BCBS Impacts 6,800 Plan Members
Apr03

CareFirst Blue Cross Blue Shield is alerting 6,800 of its plan members that some of their protected health information has potentially been accessed by unauthorized individuals as a result of a successful phishing attack on one of its employees. Phishing attacks are conducted to gain access to sensitive information such as email credentials. Those credentials are then used to access sensitive data or conduct further attacks on an...

Cambridge Health Alliance Advised of PHI Breach by Law Enforcement
Apr02

Massachusetts-based Cambridge Health Alliance (CHA) has been advised, by law enforcement agencies, that the protected health information of some of its clients has been found in the possession of an unauthorized person. The breach occurred On January 31, 2018, Everett Massachusetts Police Department made CHA aware that files including the PHI of some of its clients had been found in the possession of a person unauthorized to have...

Clinical Pathology Laboratories Southeast Patients Have PHI Exposed Due to Theft of Unencrypted Laptop

Clinical Pathology Laboratories Southeast, Inc., (CPLSE) has revealed that an unencrypted laptop computer issued to a member of staff has been stolen, exposing the protected health information of a number of patients and their payment guarantors. CPLSE quickly activated safety actions to prevent the laptop from being used to gain access to its network and the theft was made known to law enforcement; however, it is possible that the...

35,000 Patients of ATI Physical Therapy Affected by Data Breach
Mar28

The protected health information of more than 35,000 patients of ATI Physical Therapy has potentially been compromised by a cyber attack that occurred when hackers obtained access to staff email accounts. A security violation was discovered on January 18, 2018 when ATI Physical Therapy saw that the direct deposit information of some of its staff members had been altered in its payroll platform. Quick action was taken to remove...

Finger Lakes Health Computer System Grinds to Halt after Ransomware Attack
Mar26

A ransomware attack on Finger Lakes Health, based in Geneva, NY, has impacted the computer system to the extent that staff have had to work using pen and paper. In the meantime, efforts to remove the malware and restore access to electronic data have been enhanced. The health system came under attack beginning at around midnight on Sunday March 18, 2018, with workers first noticing the attack when a ransom demand...

NH-ISAC Partnership with Anomali Boosts Threat Detection and Data Sharing
Mar22

The National Health Information Sharing and Analysis Center (NH-ISAC) and Anomali have begun working together and will be providing threat intelligence to healthcare centers through NH-ISAC. As part of this partnership Anomali will be helping NH-ISAC with the required tools and infrastructure to allow its clients to work together and share threat intelligence with other subscribers. Anomali will be making up to date threat...

1,049 Patients of RoxSan Pharmacy Notified of 2015 Email Breach
Mar20

1,049 patients of Beverly Hills, CA-based RoxSan Pharmacy have been warned that some of their protected health information has been shared with a business associate through an unencrypted email. The notification letters were sent to affected people during February, although the incident happened on January 20, 2015. Commenting in a recent press release, RoxSan stated that affected individuals are being contacted in “as timely a manner...

Primary Health Care Experiences Multiple Email Hacks
Mar20

A non-profit network of community health centers in Des Moines, Marshalltown and Ames, IA, Primary Health Care Inc. has reported that hackers gained access to the email accounts of four workers and may have viewed or downloaded patients’ PHI. Primary Health Care issued a press release and published a substitute breach notice to its website on March 16, 2018, outlining that the breach occurred on February 28, 2017. The breach was...
