Breaches at Beaumont Health, Southcare Minute Clinic and Samaritan Medical Center

Beaumont Health, the leading healthcare organization in Michigan, began notifying about 6,000 patients that their protected health information (PHI) may have been accessed by unauthorized persons.

On June 5, 2020, Beaumont Health found out that unauthorized persons accessed email accounts between January 3, 2020 and January 29, 2020. The email accounts held the protected health information of patients including names, dates of birth, procedure and treatment data, type of treatment delivered, diagnoses, diagnosis codes, prescription details, patient account numbers, and medical record numbers.

Although unauthorized persons accessed the email accounts, no evidence was found indicating that the hackers viewed or stole the emails or email attachments in the accounts. No reports of misuse of patient data have been received.

This is Beaumont Health’s second notification of a phishing-related breach this year. Last April, Beaumont Health began informing 112,211 persons about the breach of their PHI held in email accounts in late 2019.

Beaumont Health has taken action to enhance its internal procedures so that it can identify and avert threats more quickly in the future. Additional precautions were implemented to improve email security, including the use of multi-factor authentication. Personnel also received more training on identifying and handling malicious emails.

Samaritan Medical Center Investigating Probable Security Breach

Samaritan Medical Center, based in Watertown, NY, announced a security event that caused it to shut down its computer systems. Workers have used pen and paper while the breach is remediated and have continued to provide medical care to patients. Patients were not transported to other hospitals; however, certain non-urgent visits were rebooked. No other details about the precise nature of the security breach have been provided at this time.

Improper Disposal of Medical Documents by Southcare Minute Clinic

The North Carolina Department of Health and Human Services is investigating Southcare Minute Clinic, based in Wilmington, NC, over the improper disposal of medical documents. The Wilmington Police Department responded to a call reporting that sensitive files and hazardous waste had been dumped in an ordinary dumpster behind the old Southcare Minute Clinic at 1506 Market Street.

The dumpster was found to contain files with patient data, used needles, and other hazardous waste. The police stated that there was a violation of the HIPAA Rules but determined that no crime had been committed. The dumpster has since been cleaned up and there is no longer any danger to public safety. The North Carolina Department of Health and Human Services will decide whether a financial penalty is appropriate.

Cyberattacks at Highpoint Foot and Ankle Center and the University of Utah Affect 35,000+ Patients’ PHI

Highpoint Foot and Ankle Center, based in New Britain Township, PA, experienced a ransomware attack in May 2020 in which the attackers encrypted and probably accessed or exfiltrated patient information. Highpoint Foot and Ankle learned of the attack on May 20, 2020 when personnel were prevented from accessing particular files on the system.

The investigation found that an unauthorized person had remotely downloaded ransomware onto its computer networks. No evidence was found suggesting that the attacker accessed patient data before encrypting the files, and no reports of misuse of patient data have been received.

A third-party computer forensics firm was engaged to assist with the investigation and confirmed the possible compromise of files containing the PHI of 25,554 patients. The files contained names, dates of birth, addresses, social security numbers, treatment information, diagnoses, and release conditions.

Additional precautions have been put in place to secure patient data, and all patients affected by the breach have been notified by mail.

Phishing Attack on the University of Utah Affects Up to 10,000 Patients

The University of Utah has suffered a phishing attack that has most likely affected the protected health information (PHI) of about 10,000 patients. This is the University of Utah’s fourth data breach report to be submitted to the Department of Health and Human Services in 2020. All four incidents are listed as hacking/IT incidents involving email. The previous breach reports were submitted on June 8, 2020 (impacting 1,909 persons), April 3, 2020 (impacting 5,000 persons), and March 21, 2020 (impacting 3,670 persons).

Unauthorized persons gained access to personnel email accounts between January 22, 2020 and May 22, 2020, according to the substitute breach notice posted on the University of Utah Health webpage. It is uncertain at this time whether the most recent breach report also involved access to personnel email accounts in the same time period.

Kathy Wilets, Public Relations Director at the University of Utah Health gave a report to mentioning that the phishing incidents were being treated as separate incidents but might have been part of a coordinated campaign. She explained that the most recent incident probably involved access to some amount of patient information and that the figure of 10,000 affected persons is an estimate. The investigation could confirm that fewer persons were affected. Action has been taken to strengthen email security, such as the implementation of 2-factor authentication.

Breaches at Quantum Imaging and Therapeutic Associates, Delaware Department of Health and Social Services and US HealthCenter

The radiology practice Quantum Imaging and Therapeutic Associates, located in Pennsylvania, announced that it had received reports concerning a non-physician worker who purportedly posted an x-ray image of a male patient’s genitalia to a Facebook group.

The disclosure of health-related images on social media without patient authorization is a violation of HIPAA and patient privacy. Quantum issued a statement on Facebook confirming that it had received reports of a privacy breach and said that Quantum is dedicated to protecting its patients’ privacy and is deeply saddened by the reports. No other details about the breach were released as the investigation is not yet complete. The Fairview Township police were notified of the incident and started an investigation; however, no arrests have been made at this point. Some people commented on the Facebook post that the photo may have been seen by ‘thousands’ of individuals.

Delaware Department of Health and Social Services Uncovered Impermissible Disclosure of PHI

The Delaware Department of Health and Social Services found that a spreadsheet containing PHI was disclosed to four students by accident.

Four senior students at the University of Delaware requested information for a project to identify service gaps within the community and received a spreadsheet. The data requested by the students included the age groups of persons and their disability status. The identifying data was not removed before the spreadsheet was provided. The students had seen the full names, dates of birth, diagnoses, and county data of 350 persons.

The students presented their report through Zoom on May 8, displaying the listed patients’ PHI as well. The Delaware Department of Health and Social Services stopped the presentation at once upon realizing that PHI was listed. The students were told to delete the information, and the person who provided the spreadsheet was disciplined.

US HealthCenter Uncovered an Email Account Security Breach

The US HealthCenter, a health risk management firm, found out that an unauthorized individual got access to an email account and could have seen or acquired the private and protected health information (PHI) of the Cost Plus World Market’s (Cost Plus) Wellness Program members.

The compromised email inbox was used to receive members’ completed Annual Preventive Screening affidavits. Inquiries from Wellness Program members about the program were also forwarded to the email account. US HealthCenter learned about the unauthorized access on April 13, 2020 because the hacker used the email account to send phishing emails to participants of the Cost Plus wellness program. While the email account was being accessed, the unauthorized person could view and send email messages.

The analysis of email messages in the account confirmed that they contained participants’ names, birth dates, employee numbers, doctor signatures, dates of exams, and some medical details.

US HealthCenter secured the account promptly and now hosts the account on a new Microsoft Office 365 system, which offers better security defenses, including multi-factor authentication. No evidence of improper use of personal data has been identified.

Breaches at Central California Alliance for Health, Wisconsin Department of Corrections and Hutton & Hale, D.D.S., Inc.

The Central California Alliance for Health learned that an unauthorized person gained access to a number of employees’ email accounts and most likely read or stole data in email messages and file attachments. The healthcare organization discovered the breach on May 7, 2020 and took fast action to secure the affected accounts. In all cases, the accounts were accessed for approximately an hour.

An analysis of the breached accounts showed that they contained a small amount of protected health information (PHI) of Central California Alliance for Health members, such as Alliance Care management program information, birth dates, claims details, demographic data, Medi-Cal ID numbers, referral data, and health care details. There was no breach of financial data or Social Security numbers.

Following the breach, Central California Alliance for Health performed a full password reset for every email account, including the email accounts that were not exposed. Employees also received additional training on email security.

Central California Alliance for Health has submitted a breach report to the Department of Health and Human Services’ Office for Civil Rights specifying that 35,883 members were affected.

Wisconsin Department of Corrections Breach Affects 1,853 People

The Wisconsin Department of Corrections found out that the data of people located in its treatment centers was compromised on the sites of three vendors hired to handle canteen purchases. An employee found the information on May 15, 2020. Impacted people were alerted on June 15, 2020.

The breached data was limited to names and information about the treatment facility where they were located. That data should have been encrypted on the web pages. The issue has been remedied and the data is no longer available on the web.

Hacking of Hutton & Hale, D.D.S., Inc. Affects 8,394 Patients

Dr. Ann Hale of Hutton & Hale, D.D.S., Inc. began informing 8,394 patients regarding the likely exposure of their PHI due to hacking of the practice’s stored data and computer networks on May 25, 2020.

Those systems stored patients’ medical records and PHI including names, contact phone numbers, addresses, X-ray information, and Social Security numbers.

All affected patients were given a free one-year membership to identity theft protection and credit monitoring services and will be covered by a $1,000,000 identity theft insurance plan. So far, no reports of improper use of any patient data have been received.

The practice is adding more safety measures to its web server infrastructure to prevent further security breaches.

Up to 69,000 Persons Affected by Cyberattacks on Healthcare Fiscal Management and Friendship Community Care

Healthcare Fiscal Management Inc. (HFMI) located in Wilmington, NC provides physician groups, hospitals and clinics with self-pay conversion and insurance eligibility services. HFMI suffered a ransomware attack that allowed attackers to have access to the private and protected health information (PHI) of patients of St. Mary’s Health Care System based in Athens, GA.

An unauthorized person accessed the HFMI systems on April 12, 2020 and deployed a ransomware payload the next day that encrypted information stored on its systems. The hacker accessed systems that held the personal information and PHI of patients who received medical services at St. Mary’s from November 2019 to April 2020.

The attackers possibly accessed and acquired the information of about 58,000 patients, though data access or theft cannot be confirmed. The PHI stored on the breached systems included names, Social Security numbers, birth dates, account numbers, health record numbers, and service dates.

HFMI was prepared for this sort of event and had working backups that were used to restore the information the same day at an alternative hosting provider. A forensic investigation team was hired to look into the incident. The forensic investigators stated that the attackers do not have possession of the information. The information is also not available on the web.

Security experts are reviewing security settings and, on their advice, steps are being taken to improve security. HFMI has offered all affected persons no-cost credit monitoring and identity theft protection services as a precaution against identity theft and fraud.

Phishing Attack on Friendship Community Care Affects 9,745 Patients

Friendship Community Care (FCC), based in Russellville, AR, a not-for-profit care provider for adults and children with disabilities, experienced a phishing attack in January 2020.

FCC identified the phishing attack on February 4, 2020 after noticing suspicious activity in an employee’s email account. Forensic investigators helped investigate the breach and confirmed on February 5, 2020 that an unauthorized person had gained access to the email account; further investigation confirmed the breach of a number of Office 365 email accounts using credentials obtained in the phishing attack.

FCC found on February 7, 2020 that the email accounts contained PHI. A detailed review of the email accounts confirmed that the PHI of 9,745 persons was potentially accessed, although no evidence was found indicating that the attacker accessed or acquired the emails.

The compromised email accounts contained names, birth dates, addresses, Client ID numbers, Social Security numbers, Medicaid IDs/Medicare IDs, employer ID numbers, patient numbers, medical data, state ID card numbers, student ID numbers, driver’s license numbers, financial account details, mother’s maiden names, marriage certificates, birth certificates, facial photographs and disability codes.

FCC provided free credit monitoring and identity protection services to affected persons. A review of email security was performed, and steps are being taken to strengthen security to prevent similar breaches in the future.

Ransomware Attacks on North Shore Pain Management and Florida Orthopaedic Institute

North Shore Pain Management (NSPM), based in Massachusetts, started sending notifications to 12,472 patients because hackers potentially stole some of their protected health information (PHI). NSPM became aware of the breach on April 21, 2020 and its investigation confirmed that hackers first accessed its system on April 16, 2020.

NSPM posted a substitute breach notice on its website but did not provide any details about the nature of the attack. Nonetheless, Emsisoft and affirmed the attack where AKO ransomware was used. The group that conducted the attack posted 4GB of stolen information on its Tor website because no ransom was paid.

The posted data includes a range of sensitive data belonging to workers and patients. The NSPM breach notice stated that the stolen information includes patient names, medical insurance information, account balances, birth dates, financial details, and diagnosis and treatment information. Ultrasound and MRI images were also compromised for several patients. Patients whose Social Security number is used as their health insurance/member number had their SSNs exposed as well.

Because the stolen information was exposed on the web, NSPM advised the affected patients to monitor their explanation of benefits statements and financial accounts for any sign of misuse of their information. NSPM offered credit monitoring and identity theft protection services at no cost to the patients whose Social Security numbers were exposed. NSPM appointed another IT management provider to reinforce its cybersecurity.

The AKO ransomware attackers, like other gangs that deploy ransomware manually, engage in data theft prior to file encryption to increase the likelihood of receiving a ransom payment. The AKO group typically requires companies with large revenues to make two ransom payments: one for the decryptor and another for deletion of the stolen data. The cost of deleting files may be between $100,000 and $2,000,000.

The group claimed that some healthcare providers just pay the cost of deleting data. There is no confirmation if NSPM made a ransom payment.

Ransomware Attack on Florida Orthopaedic Institute

A ransomware attack on Florida Orthopaedic Institute in Tampa, FL occurred on April 9, 2020 resulting in the encryption of patient data. An internal investigation of the breach showed there was a potential theft of patients’ personal information and PHI prior to file encryption. Nevertheless, there is no report received by Florida Orthopaedic Institute regarding any patient data misuse due to the attack.

Florida Orthopaedic Institute appointed a third-party computer forensic firm to continue the investigation. Steps had already been taken to get back the encrypted data and protect its servers. The affected patients already received breach notification letters, including the offer of free fraud consultation, credit monitoring, and identity theft restoration services.

The data that was encrypted and possibly obtained by the attackers included the following: names, Social Security numbers, birth dates, medical information related to appointment times, diagnosis codes, doctor’s locations, paid amount, insurance plan ID numbers, payer ID numbers, claims addresses, and/or FOI claims history.

Florida Orthopaedic Institute appointed third-party experts to enhance security to avert any more cyberattacks in the future.

The HHS’ Office for Civil Rights hasn’t yet posted the incident details on its breach website, hence the number of affected patients is not known at this time.

Hacker Busted and Charged for the UPMC Cyberattack in 2014

The United States Attorney’s Office of the Western District of Pennsylvania announced the arrest of a person who was accused of the breach of the University of Pennsylvania Medical Center (UPMC) HR databases in 2014.

UPMC runs 40 hospitals in 700 outpatient sites and physicians’ offices and has over 90,000 staff. In January 2014, UPMC learned that a hacker had accessed an Oracle PeopleSoft database on a human resources server where the personally identifiable information (PII) of 65,000 UPMC staff was stored. The information stolen in the breach was purportedly offered for sale on the darknet. It included names, birth dates, addresses, tax and salary details, and Social Security numbers.

The arrested person is Justin Sean Johnson, a 29-year-old Michigan resident who recently worked at the Federal Emergency Management Agency as an IT expert.

On May 20, 2020, Johnson, who used the monikers TDS and DS, was charged on 43 counts: one count of conspiracy, 5 counts of aggravated identity theft, and 37 counts of wire fraud. Johnson allegedly hacked the database, copied PII, and sold the stolen PII on darknet marketplaces including AlphaBay Market to many international buyers. Prosecutors further claim that, from 2014 to 2017, Johnson offered other PII on the darknet in addition to the PII of UPMC staff.

The stolen UPMC PII was later used in a massive scheme to defraud UPMC workers. Hundreds of fraudulent tax returns were filed in the names of UPMC workers, which prosecutors state resulted in approximately $1.7 million in fraudulent refunds being issued. Those refunds were converted into Amazon gift cards that were used to purchase approximately $885,000 in goods, which were largely shipped to Venezuela to be sold in online marketplaces.

Two more people were charged in 2017 in connection with the UPMC hacking.
Maritza Maxima Soler Nodarse, from Venezuela, who pleaded guilty to conspiracy to defraud the United States and was involved in filing fraudulent tax returns, was sentenced to time served and was deported.
Yoandy Perez Llanes, from Cuba, who pleaded guilty to aggravated identity theft and money laundering, is awaiting sentencing in August 2020.

The breach investigation showed that the hacker gained access to the OracleSoft database initially on December 1, 2023. After being able to access the database, the hacker conducted a test query and was able to access the information of around 23,500 people. From January 21, 2014 to February 14, 2014, the hacker viewed the database several times daily and stole the information of a huge number of UPMC employees.

Johnson faces a long prison term if he is found guilty of the charges. The conspiracy charge carries a maximum of 5 years’ imprisonment and a penalty of about $250,000. The wire fraud charges carry a maximum of 20 years’ imprisonment and a penalty of as much as $250,000 for each count, and there is a mandatory 2-year prison term for aggravated identity theft and a penalty of as much as $250,000 for each count.

The healthcare industry is an enticing target of hackers interested in taking personal data for use in scams; the Secret Service is fully committed to uncovering and arresting those that partake in criminal acts that exploit the Nation’s critical systems for their own benefit.

Cybercriminals like Johnson need to realize that the U.S. Secret Service won’t stop chasing them until they’re in custody and pay for their criminal acts.

PHI Exposed Due to Breaches at Cano Health and the Department of Behavioral Health and Intellectual Disability Services

Cano Health, a population health management firm and healthcare service provider located in Florida, reported that an unauthorized individual gained access to the email accounts of three workers by creating a mail forwarder in the email accounts which directed emails to other addresses.

Cano Health became aware of the data breach on April 13, 2020; however, the investigation showed that the accounts were compromised two years earlier, around May 18, 2018. That means every email sent to and from the email accounts from May 18, 2018 to April 13, 2020 is presumed to have been acquired and was possibly accessed.
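A defender's check for the condition described above, as an added example that is not part of the original article: it scans exported mailbox rules for forwarding to addresses outside the organization's own domains and reports how long each rule has been exposing mail. The record fields, rule-type names and `clinic.example` addresses are constructed assumptions; only the two dates are taken from the article.

```python
from datetime import date
from email.utils import parseaddr

# Rule types that send a copy of mail somewhere else (names are assumptions).
FORWARDING_TYPES = {"forward", "redirect", "forward_as_attachment"}

# Constructed sample export of mailbox rules; not real data.
SAMPLE_RULES = [
    {"mailbox": "a.ruiz@clinic.example", "rule_type": "forward",
     "target": "billing@clinic.example", "created": "2019-03-04"},
    {"mailbox": "j.lee@clinic.example", "rule_type": "forward",
     "target": "jlee.backup@mailbox.invalid", "created": "2018-05-18"},
    # Lookalike: the internal domain appears only as a prefix of the target.
    {"mailbox": "m.ortiz@clinic.example", "rule_type": "redirect",
     "target": "Archive <copy@CLINIC.example.attacker.invalid>",
     "created": "2018-05-18"},
    {"mailbox": "p.shah@clinic.example", "rule_type": "move_to_folder",
     "target": "Newsletters", "created": "2020-01-10"},
]
INTERNAL_DOMAINS = {"clinic.example"}
DISCOVERED = date(2020, 4, 13)  # discovery date given in the article


def domain_of(address):
    """Return the lower-cased domain of an address, or "" if none parses."""
    _, addr = parseaddr(address)
    if "@" not in addr:
        return ""
    return addr.rpartition("@")[2].lower().rstrip(".")


def is_internal(domain, internal_domains):
    """True for an internal domain or a subdomain of one (suffix on a label)."""
    return any(domain == d or domain.endswith("." + d) for d in internal_domains)


def find_external_forwarders(rules, internal_domains, discovered):
    """List forwarding rules whose target is not provably internal."""
    internal = {d.lower() for d in internal_domains}
    findings = []
    for rule in rules:
        if rule["rule_type"] not in FORWARDING_TYPES:
            continue
        domain = domain_of(rule["target"])
        # Fail closed: an unparseable target is reported, not ignored.
        if domain and is_internal(domain, internal):
            continue
        created = date.fromisoformat(rule["created"])
        findings.append({
            "mailbox": rule["mailbox"],
            "target_domain": domain or "(unparseable)",
            "exposed_from": created,
            "exposed_days": (discovered - created).days,
        })
    return sorted(findings, key=lambda f: f["exposed_from"])


def run_sample():
    return find_external_forwarders(SAMPLE_RULES, INTERNAL_DOMAINS, DISCOVERED)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['mailbox']} -> {f['target_domain']} "
              f"since {f['exposed_from']} ({f['exposed_days']} days)")
```

Running the same check on a schedule, rather than once after an incident, is what shortens the exposure window the script reports.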

A review of the emails confirmed that they held private and protected health information (PHI) such as names, contact details, dates of birth, medical details, insurance data, government identification numbers, financial account numbers and/or social security numbers.

Cano Health is notifying impacted people and has instructed them to periodically check their accounts and benefits statements for indications of fake transactions. Cano Health is going to give impacted patients credit monitoring services at no cost.

Cano Health is working to strengthen email security. The Department of Health and Human Services’ Office for Civil Rights hasn’t published the breach details on its portal yet, thus it is uncertain at this point how many individuals have been impacted.

Phishing Attack on City of Philadelphia Affects 33,376 Patients

The City of Philadelphia’s Department of Behavioral Health and Intellectual disAbility Services (DBHIDS) reported a cyberattack that led to the exposure of the PHI of 33,376 persons.

On March 31, 2020, DBHIDS noticed suspicious actions in the email account of an employee, though the breach investigation affirmed that there were two email accounts compromised on April 2, 2020. The phishing attack investigation is still in progress and forensics professionals are already analyzing the email accounts, though there is no proof yet showing the hackers accessed or exfiltrated patient information.

The breach affects patients with mental disabilities who had previously received services from the Division of Intellectual disAbility Services (IDS). The kinds of data exposed varied from one patient to another and might have included data elements such as names, addresses, birth dates, Social Security numbers, medical insurance details, account and/or medical record numbers, diagnoses, provider names, service dates and short descriptions of the services the person received from IDS. Copies of the birth certificates and Social Security cards of a number of patients were also exposed.

DBHIDS will mail the notification letters to impacted persons in the forthcoming weeks and will provide free credit monitoring services.

To avoid similar breaches in the future, a number of steps were taken. Further training will be given to workers to enable them to identify phishing emails. Efforts to monitor network activity were improved.

St Joseph Health System Confirms the Improper Disposal of Patient Documents by Health Record Storage Center

St Joseph Health System in North Central Indiana is notifying patients that some of their protected health information (PHI) was compromised because of unauthorized access. The data breach did not take place at St Joseph Health but at a business associate.

Central Files Inc, a secure document storage center in South Bend, IN, was hired to securely store patient files in compliance with government and state laws and to dispose of some records in accordance with HIPAA regulations. Central Files Inc. is now completely closed but must continue to retain patient information until an alternative secure records center can be established.

From April 1 to April 9, 2020, various healthcare groups affiliated with St Joseph Health System were notified that sensitive documents containing patient information had been dumped at a location in the South Bend area some time prior to April 1, 2020.

The documents found at the location were in a terrible state. According to the substitute breach notification published on the St Joseph Health System webpage, the files showed evidence of mold, moisture damage, and rodent infestation, as well as damage caused by mixing with trash and other debris. Efforts were made to identify the patients whose records were compromised; however, trained security personnel determined that inspecting almost all of the records would be hazardous to health and advised that the best solution was to securely dispose of the files.

The documents that could be safely recovered were retrieved, and St Joseph Health System engaged a vendor to retrieve the remaining files from the area. That process was completed on May 20, 2020 and arrangements were made to securely and completely dispose of those documents.

In many instances, the records were old and contained outdated data. Some of the paperwork consisted of paper copies of healthcare information and billing statements containing details such as names, contact data, Social Security numbers, clinical and diagnostic details and service dates. Patients were notified of the breach. There is no evidence indicating misuse of any data, though the possibility of unauthorized access cannot be ruled out.

The documents were related to these entities:

Allied Physicians of Michiana (From 1995 to 2007)
Saint Joseph Health System (From 1999 to 2013)
South Bend Medical Foundation (From 2009 to 2015)
New Avenues (From June 2004 to December 2015)
Michiana Hematology Oncology (From 2002 to 2004)
Cardiology Associates, Inc. (From March 1, 2007 to November 30, 2013)
Elkhart Emergency Physicians, Inc. / Goshen Emergency Physicians, LLC (From 2002 to 2010)

The HHS’ Office for Civil Rights breach website hasn’t posted the breach yet, hence it is unclear at this time how many patients were impacted.

Increase in Mobile Phishing Attacks During the COVID-19 Health Pandemic

Cybercriminals have been changing their tactics, techniques, and procedures during the COVID-19 pandemic and are targeting people working from home with COVID-19 themed lures in their phishing campaigns. The number of phishing attacks directed at users of mobile devices such as phones and tablets has increased dramatically, according to a newly released report by mobile security firm Lookout.

Globally, there was a 37% increase in mobile phishing attacks on corporate users from the 4th quarter of 2019 to the end of the 1st quarter of 2020. In North America, there was a 66.3% increase in mobile phishing attacks. Cybercriminals are targeting people working from home in certain industries, such as healthcare and financial companies.

Although the dramatic rise in mobile phishing attacks is linked to the change in working practices caused by the COVID-19 crisis, mobile phishing attacks have been steadily increasing over the last few quarters. The success rate of phishing attacks on mobile device users appears to be higher: users are more likely to click on links than when using a laptop or desktop computer, because phishing links are harder to identify as malicious on smaller screens.

While the full URL is likely to be visible on a laptop or desktop computer, a mobile device will only display the last segment of the URL, which can make the link appear legitimate. When working from home, people are more likely to use their smartphone to carry out tasks, especially those who do not have large screens or multiple monitors at home.

Mobile devices generally do not have the same level of security as laptops and office computers, so phishing emails are less likely to be blocked. There are also more ways that phishing links can be delivered to mobile devices than to laptops and desktop computers. On a desktop computer, phishing links are mainly delivered by email, but on mobile devices they can also be delivered through messaging applications, SMS, and social networking and dating applications. Mobile users also tend to respond quickly without stopping to consider whether a request is genuine, even though they might be notably careful on a desktop or laptop computer.

The surge in phishing attacks targeting mobile device users is a security problem that company management should address through security awareness education and training, particularly for remote employees. Phishing awareness training needs to cover the risk of mobile phishing attacks and explain how links can be previewed on mobile devices and what other steps should be taken to verify that requests are legitimate.

If a message appears to come from a person you know but contains an unusual request or takes you to an odd website, contact that individual directly and verify the message. When working remotely, it is even more important to verify any unusual communication.

Education by itself might not be enough. Security software should also be deployed on mobile devices to better protect users from phishing and ransomware attacks.