Patient Takes Legal Action Against Eskenazi Health Concerning Data Misuse

The protected health information (PHI) of an Eskenazi Health patient was compromised in a ransomware attack on August 2021. The patient is currently taking legal action against the healthcare organization over the data breach.

It is now typical for ransomware gangs to copy sensitive information prior to deploying ransomware for encrypting files. The stolen records are employed to pressure victims to make ransom payments, as was the situation in the cyberattack at Eskenazi Health. Eskenazi Health located in Indianapolis, IN uncovered the attack at the beginning of August and promptly turned off its computer programs so as to stop continuing unauthorized access and limit the attack. The healthcare service provider decided to redirect ambulances and postpone selected consultations as a precautionary measure as its electronic medical record system was not accessible.

As per the data breach investigation, Eskenazi Health’s systems were first compromised in May and the threat actors exfiltrated files that contain sensitive patient data. The issuance of notification letters to affected patients began at the beginning of November. Patients were advised with regards to the data breach and were given free identity theft protection and credit monitoring services. When sending notifications, there were no reports involving the misuse of patient information, even though some patient data were released on the gang’s data leak website. The breach report sent to the HHS’ Office for Civil Rights at the start of October reveals the breach impacted 1,515,918 patients.

Eskenazi Health stated the stolen information involved workers, providers, patients, previous patients, and providers and impacted names, addresses, phone numbers, email addresses, dates of birth, patient account numbers, health record numbers, diagnoses, clinical data, physicians’ names, insurance details, medications, passport numbers, driver’s license numbers, face images, credit card data, and Social Security numbers.

Terri Ruehl Young, the Eskenazi Health patient, was among the persons affected by the information breach. According to the lawsuit, Young alleges a bogus charge amounting to $370 was placed on the credit card she utilized for settling her bill and her Equifax credit report revealed there was an effort to alter her name.

The lawsuit claims patients put their trust in Eskenazi Health to safeguard its systems and patient data, nevertheless, the healthcare company betrayed that trust by not being able to use advanced security practices and proper safety measures to secure patient information. The lawsuit states unjust enrichment, negligence, and breach of contract.

The lawsuit likewise brings up the amount of time it had taken Eskenazi Health to alert patients regarding the security breach. The lawsuit says that breach notification letters were provided over 6 months right after the first security breach, and 3 months after the finding out of the breach by Exkenaki Health. The HIPAA Breach Notification Rule necessitates the sending of notifications in 60 days after the discovery of a data breach.

Cohen and Malad and John Steinkamp & Associates submitted the lawsuit wanting class-action status and a trial by jury. A Eskenazi Health representative mentioned the lawsuit is not yet officially served.

One Community Health Patients Informed Regarding a Cyberattack and Data Theft in April 2021

One Community Health based in Sacramento, CA has recently informed patients about the compromise of its systems between April 19 and April 20, 2021. It was discovered that an unauthorized individual has acquired access to systems that contain the personal data and protected health information (PHI) of some workers and patients.

A complete forensic inspection was performed by a third-party cybersecurity agency to find out the nature and magnitude of the attack, and One Community Health was alerted on October 6, 2021, that the attacker had exfiltrated files from its network comprising full names and one or more of the following data elements: telephone number, address, other demographic data, email address, date of birth, driver’s license number, Social Security number, insurance details, diagnosis details, and treatment data.

One Community Health began sending breach notification letters to all affected patients on November 22, 2021. There were no reported incidents of identity theft or fraud; nevertheless, complimentary credit monitoring services have been provided to impacted people as a safety measure against identity theft and fraud.

One Community Health stated it has been working with cybersecurity specialists to improve its security against cyberattacks, and has improved endpoint detection, email protection, and has gotten 24/7 managed detection response.

PHI Disclosure Due to Email Error by Eye Care Product Company

Alcon, a manufacturer of eye care products, has learned that an email error led to the disclosure of some patients’ PHI to healthcare organizations not permitted to view the PHI.

On October 5, 2021, Alcon emailed patients’ protected health information to healthcare companies to assist in billing. The emails were meant to just include details concerning each healthcare company’s patients; nonetheless, a technical problem resulted in the emails containing the information of patients of other healthcare organizations.

The emails included some data regarding patients who had lately got an Alcon intraocular lens implant, specifically, first and last names, dates of implant, device serial numbers, and names of treating physicians.

All healthcare companies who acquired the email were called and informed to erase the email and Alcon has evaluated and updated its policies and processes to avoid identical breaches later on. Because of the nature of the data compromised and the entities that obtained the data, Alcon believes no patient information will be used in the wrong way.

Vulnerabilities Found in Philips IntelliBridge, Patient Information Center and Efficia Patient Monitors

Five vulnerabilities were discovered that can impact these medical devices:

the IntelliBridge EC 80 and EC 40 Hub, Efficia CM Series, and Philips Patient Information Center iX Patient Monitors.

IntelliBride EC 40 and EC 80 Hub
Two vulnerabilities were discovered that have an effect on C.00.04 and previous models of the IntelliBridge EC 40 and EC 80 Hub. An unauthorized person could profitably manipulate the vulnerabilities with success and manage to execute software programs, alter system settings, and update/look at files that could contain unidentifiable patient information.

CVE-2021-32993 – The first vulnerability is caused by the usage of hard-coded credentials inside the applications for its own incoming authentication, outgoing communication to exterior components, or the encryption of internal information.

CVE-2021-33017 – The second vulnerability involves a problem with authentication bypass. Although the normal access path of the device demands authentication, another path was found that doesn’t call for authentication.

The two vulnerabilities were given a CVSS v3 severity rating of 8.1 of 10.

Philips hasn’t given a patch to resolve the vulnerabilities, nevertheless wants to resolve the vulnerabilities before the year ends. Meanwhile, Philips suggests simply utilizing the products within Philips authorized descriptions, and merely making use of Philips-permitted application, software arrangement, security configurations, and system services. The products must be physically singled out from the hospital system.

Efficia CM Series and Patient Information Center iX Patient Monitors

Three vulnerabilities were found to impact the Philips Patient Information Center iX and Efficia CM series patient monitors. The vulnerabilities can be exploited to acquire access to patient files and to carry out a denial-of-service attack. Though exploitation has a low attack complexity, the vulnerabilities may basically be exploited by way of an adjacent network.

The vulnerabilities impact the following Philips devices:

  • Efficia CM Series: Revisions A.01 to C.0x and 4.0
  • Patient Information Center iX (PIC iX): Versions B.02, C.02, C.03

Vulnerable models of the PIC iX don’t effectively verify input to decide whether or not the input has the components to be processed carefully and accurately. The vulnerability is tagged as CVE-2021-43548 and was given a CVSS severity rating of 6.5 out of 10.

A hard-coded cryptographic key was utilized which suggests encrypted data can be restored from vulnerable versions of the PIC iX. The vulnerability is monitored as CVE-2021-43552 and was assigned a 6.1 CVSS score.

A broken or risky cryptographic algorithm signifies sensitive records can be exposed in communications between PIC iX and Efficia CM Series patient monitors. The vulnerability is tagged as CVE-2-21-43550 with a CVSS rating of 5.9.

CVE-2021-43548 has been resolved in PIC iX C.03.06 and updates to correct the other two vulnerabilities will be released before 2022 ends.

To decrease the probability for exploitation of the flaws, the products must only be employed as per Philips authorized requirements, which involve physically or logically distancing the gadgets from the hospital’s local area network, and employing a firewall or router that can easily use access control lists restraining access in and out of the patient monitoring network for only important IP addresses and ports.

Philips-introduced hardware has Bitlocker Drive Encryption enabled automatically and this should never be disabled. If disposing of, NIST SP 800-88 media sanitization instructions need to be observed. Patient files are not contained in archives by default, and so in case archives are exported that have patient files, the data must be kept safely with tough access controls.

Patients are Unaware of the Magnitude of Healthcare Cyberattacks and Data Theft

Armis, the unified asset visibility and security platform provider, conducted a recent survey to take a look at the condition of cybersecurity in the healthcare industry and the security risks that healthcare organizations are now facing.

The survey was performed by Censuswide on 400 IT specialists at healthcare companies throughout the U.S., and 2,000 U.S. patients to get their opinions on cybersecurity and data breaches in the healthcare industry.

The survey affirmed the increasing cyber risk, with 85% of respondents claiming cyber risk has grown in the last 12 months. Ransomware gangs have targeted the healthcare sector over the past 12 months, and many of those attacks have been successful. 58% of the surveyed IT experts mentioned their company had encountered a ransomware attack during the past 12 months.

13% of IT security professionals see ransomware attacks as a reason for concern, saying many are confident that they can retrieve data in case of an attack. Nevertheless, data breaches that bring about the loss of patient information were a serious concern, with 52% of IT experts rating data loss as a major problem, with cyberattacks on hospital operations ranked as the main issue by 23% of healthcare IT pros.

Protecting against cyberattacks is growing to be more and more difficult considering the broadening of attack surfaces. Armis says there are now 430 million interconnected healthcare devices globally, and that number will continue to rise. When asked regarding the riskiest systems and devices, building systems including HVAC were the greatest issue with 54% of IT specialists rating them as a serious cybersecurity risk. Imaging machines were considered as among the riskiest by 43% of survey respondents, then medication dispensing equipment (40%), check-in kiosks (39%), and vital sign checking devices (33%). Although there is concern concerning the protection of these systems and medical devices, 95% of IT experts stated they thought their linked devices and systems were patched and operating on the most recent software.

The increase in cyberattacks on the healthcare industry is impacting decisions in healthcare. 75% of IT specialists mentioned recent attacks have had a formidable impact on decision making and 86% of survey participants stated their company had designated a CISO; nevertheless, only 52% of survey respondents reported their firm was allocating more than adequate funding to pay for IT security.

The survey of patients suggested one third had been the target of a healthcare attack, and although nearly half of patients (49%) mentioned they would change healthcare service provider if it suffered a ransomware attack, a lot of patients are not aware of the magnitude of current cyberattacks and how frequently they are currently being reported. In 2018, healthcare data breach reports were submitted at a rate of 1 each day. In the last year, 7 months had data breach reports of more than 2 every day.

In spite of substantial media reports concerning healthcare data breaches and vulnerabilities in medical devices, 61% of potential patients stated they did not hear about any healthcare cyberattacks in the last two years, obviously showing numerous patients are uninformed of the danger of ransomware and other cyberattacks. Nonetheless, patients are aware of the effect those cyberattacks may have, with 73% of prospective patients understanding a cyberattack could impact the quality of medical care they get.

When potential patients were questioned regarding their privacy considerations, 52% mentioned they were concerned that a cyberattack would close down hospital operations and will possibly affect patient care, and 37% stated they were worried about the privacy of information accessible using online portals.

There definitely appears to be trust issues, as just 23% of prospective patients stated they respected their healthcare company with their sensitive personal data. In contrast, 30% stated they relied on their best friend with that data.

Chinese APT Group Attacked Healthcare Companies by Exploiting Zoho Password Management Platform Vulnerability

An advanced persistent threat (APT) actor continues to conduct an espionage campaign that resulted in the compromise of the systems of no less than 9 companies. The campaign targeted companies in a variety of critical industries, such as healthcare, defense, energy, technology, and education.

Security researchers at Palo Alto Networks identified the campaign and although there is no confirmed identity of the hacking group yet, the researchers think the Chinese state-sponsored hacking group APT27, also known as Iron Tiger, TG-3390, Emissary Panda, and LuckyMouse
likely conducted the attacks because of the usage of hacking resources and strategies that match past APT27 activity.

The campaign took advantage of a critical vulnerability (CVE-2021-40539) found in the ManageEngine ADSelfService Plus, which is a business password management and single sign-on tool created by Zoho. Remote attackers had successful exploitation of the vulnerability to carry out arbitrary code and seize total control of vulnerable programs.

On September 17, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a security advisory alert that exploits for the vulnerability were accessible in the public domain and APT actors are using it to install web shells on compromised servers to obtain persistent access.

Palo Alto Networks identified another campaign that concerned substantial scans for vulnerable servers utilizing rented infrastructure in the United States. Vulnerable systems that were not patched had been attacked since September 22, 2021, and the attacks continued until October.

The attackers used a web shell known as Godzilla, with a part of victims had installed a new backdoor named NGlite. The web shell or backdoor was then utilized to execute commands and proceed laterally in the victims’ environments, exfiltrating sensitive information from victims’ systems. As soon as the attackers find a domain controller, they put in a new credential-stealing program called KdcSponge, and gathered credentials and took files like the SYSTEM hive from the registry and the Active Directory database file (ntds.dit).

Palo Alto Networks mentioned its scans reveal there are presently about 11,000 servers utilizing the Zoho software program, but it is uncertain how many had been patched to protect against the CVE-2021-40539 vulnerability. The APT group tried to attack no less than 370 Zoho ManageEngine servers located in the United States only.

Over 650K Patients of Community Medical Centers Alerted Regarding Hacking Incident

Unauthorized individuals possibly accessed the protected health information (PHI) of over 650,000 patients of Community Medical Centers (CMC) located in California.

CMC is a non-profit group of community health centers that provide care for patients in the Solano, Yolo, and San Joaquin counties in Northern California. CMC discovered suspicious activity in its computer systems on October 10, 2021, and turned off its systems to avoid further unauthorized access. An investigation was started to know the nature and magnitude of the breach, with help provided by third-party cybersecurity specialists.

The forensic investigation established that unauthorized people had gotten access to sections of its system where PHI was kept, such as first and last names, birth dates, postal addresses, Social Security numbers, health data, and demographic data.

Considering the sensitive character of the compromised information, CMC is providing free identity theft protection, identity theft resolution, and credit monitoring services to affected persons. CMC stated that its systems are already secure, policies and procedures have been assessed and made current to boost security, and data management policies were evaluated and updated.

CMC has informed the authorities concerning the breach, together with the relevant state attorneys general and the Department of Health and Human Services.

The breach notification given to the Maine attorney general shows that the PHI of 656,047 people was possibly exposed.

Professional Healthcare Management Reports Ransomware Attack

Professional Healthcare Management (PMH) has begun informing a number of patients concerning the likely exposure of some of their PHI during a ransomware attack that occurred in September 2021.

PMH noticed the attack on September 14 and immediately took action to secure its databases and workstations. Third-party cybersecurity and incident response professionals helped PMH to immediately protect and regain its networks and operations. The healthcare company carried out an investigation to find out the nature and extent of the breach and affirmed that hackers might have acquired the personal information and PHI of patients.

The breach inquiry is in progress yet, at this time, no proof of patient data misuse or theft has been determined; nonetheless, notification letters are right now being mailed to impacted persons and the breach report was submitted to the HHS’ Office for Civil Rights.

PMH stated these types of patient data were likely breached: Social Security numbers, first and last names, medical insurance details (Medicare number, Medicaid number, and insurance ID number), diagnosis code(s), and medicine name(s).

More safety measures are being enforced to strengthen IT security, cybersecurity guidelines, and processes are being upgraded, and supplemental cybersecurity training was given to the labor force.

Study Explains Healthcare Staff Have Unnecessary Access to Significant Amounts of PHI

A new study has pointed out extensive security breakdowns at healthcare institutions, which include inadequate access controls, few prohibitions on access to protected health information (PHI), and terrible password practices, which are placing sensitive information in jeopardy.

The study, done by Varonis, a data security and insider threat detection platform provider, analyzed about 3 billion files at 58 healthcare companies, such as healthcare providers, pharmaceutical corporations, and biotechnology organizations. The purpose of the study was to know whether security controls were put in place to safeguard sensitive data and to allow establishments to better recognize their cybersecurity weaknesses in the face of escalating threats.

The Health Insurance Portability and Accountability Act (HIPAA) demands access to PHI be confined to workers who must view PHI for work reasons. Whenever access is approved, the HIPAA minimum essential standard is applicable, and merely the minimum amount of PHI must be accessible. Each user needs to be given a unique username to track PHI access. Passwords are needed to check users, according to the HIPAA Security Rule.

The results of the Varonis research were circulated in the 2021 Data Risk Report: Healthcare, Pharmaceutical, & Biotech. It revealed that an average healthcare staff has access to 31,000 sensitive records made up of PHI, fiscal, and proprietary information on their first day on the job. Those files were saved on sections of the network that all employees can access.

In general, 20% of each firm’s files are available to every staff, though in many occasions access is not necessary to carry out work tasks. 50% of companies investigated had over 1,000 sensitive data accessible to all staff, and one in four records at small healthcare companies can be seen by every worker. There were no controls on access to 1 in 10 records that had PHI or intellectual property.

It was discovered that smaller companies have an outrageous volume of exposed records, which include sensitive data files, intellectual property, and patient reports. On the first day at work, new personnel at small organizations have quick access to above 11,000 exposed data, and approximately one-half of them have sensitive details.

To lower risk, it is important to follow the principle of least privilege. When employees are granted extended access to sensitive details, there is a higher possibility for insider data theft. In case their credentials are compromised in a phishing attack, it gives external threat actors easy access to large volumes of information.

The issue is worsened by weak password practices. 77% of organizations studied for the research had 501 or more accounts having passwords that never expire, and 79% of institutions had over 1,000 ghost accounts. Hackers can make use of these accounts to get a quick way to access sensitive records and navigate networks and file structures unseen.

According to the Verizon Data Breach Investigations Report, there is a 58% rise in data breaches in 2020 and cyber attackers are actively targeting the healthcare, pharma, and biotech companies to steal sensitive information, intellectual property, and vaccine research files. The health care field has the largest data breach expenditures which the IBM Security Cost of a Data Breach Report stated as $7.13 million for each breach. Businesses that don’t control access to protected healthcare information can likewise face serious financial penalties as much as $1.5 million per annum, per violation classification.

To address significantly malicious and innovative cyberattacks, hospitals, pharmaceutic businesses, and biotech’s should double down on perfecting incident response processes and mitigation initiatives. Enforcing least privilege, locking down sensitive records, and controlling lateral movement in their networks are the utter basic minimum preventative measures that healthcare businesses must take.

Advisory Announced on Continuing BlackMatter Ransomware Attacks

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) gave a joint advisory regarding persistent BlackMatter ransomware attacks.

The group continues to run attacks in the U.S.A. since July 2021. It has conducted attacks on critical infrastructure entities including two agencies in the U.S. Food and Agriculture Sector. Data has been received that connects the group to the DarkSide ransomware gang that executed attacks from September 2020 to May 2021. The Colonial Pipeline attack with the BlackMatter ransomware is likely a rebrand of the DarkSide operations.

Inquiry into the attacks has provided agencies with vital data concerning the tactics, techniques, and procedures (TTPs) of the group, and an examination has been conducted on a ransomware sample in a sandbox environment.

The ransomware gang is identified to employ already compromised credentials to acquire access to the systems of victims, then utilizes the Server Message Block (SMB) protocol and the Lightweight Directory Access Protocol (LDAP) to acquire access to the Active Directory (AD) and locate all hosts on the system. The BlackMatter group deploys ransomware and then encrypts the hosts and shared drives remotely when they are located. The gang has been found to exfiltrate files and normally requires ransom payments of around $80,000 – $15 million in Bitcoin or Monero.

In the shared advisory, the NSA, CISA and FBI mentioned TTPs, provide Snort signatures which could be employed for uncovering the network activity linked with BlackMatter ransomware attacks, and various mitigations to cut down the possibility of a breach by the group.

Mitigations comprise of:

  • Employing detection signatures to distinguish and prohibit attacks in progress
  • Utilizing strong passwords tolerant to brute force attacks
  • Using multi-factor authentication to prohibit the usage of compromised credentials
  • Patching and making updates to systems quickly
  • Confining access to sources in networks
  • Employing network segmentation and traversal tracking
  • Employing admin disabling tools to support identity and privileged access administration
  • Employing and enforcing backup and recovery plans and processes

Ransom Disclosure Act Necessitates Reporting of Payments to Ransomware Groups In 48 Hours

New legislation was launched that necessitates ransomware attack victims to make known any payments given to the threat actors to the Department of Homeland Security (DHS) within 48 hours after making the ransom payment.

Sen. Elizabeth Warren (D-Mass.) and Rep. Deborah Ross (D-N.C.) brought in the Ransom Disclosure Act. The bill seeks to offer the DHS the facts it requires to check ransomware attacks and increase comprehension of how cybercriminal groups run their business, hence letting the DHS get a good overview of the ransomware threat confronting the United States.

Between 2019 and 2020, ransomware attacks grew by 62% across the world, and by 158% in the U.S.A. The Federal Bureau of Investigation (FBI) got 2,500 complaints concerning ransomware attacks in 2020, 20% higher in comparison to the past year and $29 million more reported losses due to ransomware attacks in 2020. Not every ransomware attack is documented. Numerous victims opt to privately pay the threat actors to obtain the keys to decrypt their information and stop the public disclosure of any stolen information during the attack.

Chainalysis is convinced ransomware groups around the world received more or less $350 million in cryptocurrency in 2020, which grew by 311%. Attacks kept on increasing in 2021. Based on Check Point’s mid-year security report, the first 6 months of 2021 had 93% higher ransomware attacks compared to the matching period of time the previous year.

Like the ransomware attack on Colonial Pipeline has proven, the groups responsible for these attacks create a major national security risk. That attack contributed to the shutdown of a serious fuel pipeline for approximately one week. The attack on JPS Foods affected food manufacturing, and a large number of attacks on the healthcare market have impacted the capacity of healthcare companies to give proper care to patients. This year, CISA mentioned ransomware attacks hamper care and have an effect on patient results, and there was a loss of life in the U.S.A. which is supposed to have been caused by a ransomware attack.

Ransomware attacks keep on increasing given that they are lucrative and grant ransomware gangs and their affiliates an excellent revenue. There is additionally little chance of being found and brought to the law. Sadly, investigations of ransomware groups could be affected by a deficiency of data, consequently the launch of the Ransom Disclosure Act.

Though the FBI urges the ransomware attacks reporting to aid investigations, it isn’t compulsory. Sad to say, considering that victims aren’t expected to report attacks or ransom payments to government authorities, the crucial information needed to fully grasp these cybercriminal businesses are lacking to stop these attacks, explained Congresswoman Ross. This law will put in place critical reporting requirements, such as the amount of ransom asked by the attackers and paid, and which currency is used. The U.S. is unable to continue to combat ransomware attacks without being aware of this information.

The Ransom Disclosure Act will call for:

  • Ransomware victims (except persons) to reveal any ransom payments in 48 hours after giving the payment, together with the amount, currency employed, and any details that were obtained on the entity requiring the ransom.
  • The DHS will be expected to publish data exposed during the past year regarding the ransoms paid, not including identifying details related to the entities who made payments.
  • The DHS will need to build a website for people to voluntarily submit a report of the ransom payments.
  • The Secretary of Homeland Security will have to do an analysis on commonalities between ransomware attacks and the scope to which cryptocurrency was involved in the attacks, and give suggestions for securing data systems and fortifying cybersecurity.

Cyberattacks Encountered by Schneck Medical Center and Epilepsy Foundation of Texas

Schneck Medical Center located in Seymour, IN has reported that it suffered a cyberattack that had affected its company operations.

The medical center discovered the attack on September 29, 2021 and made an announcement on the same day. As a response to the incident, all IT systems inside its facilities were stopped as a safety precaution. Third-party cybersecurity specialists were called in to help investigate the incident and reestablish its IT system as soon as possible. According to Schneck Medical Center, it took time to investigate the cyberattacks and to fully resolve the recovery of IT systems, however, steps were taken to lessen interruption to its IT systems.

Schneck Medical Center stated the majority of medical services were not impacted by the cyberattack and patients can come for booked medical services and appointments as usual. Patients will get individual notification when for any reason their scheduled visit is delayed because of the cyberattack.

Schneck Medical Center stated in its breach notification that it is committed in taking care of people. It will continue to deliver excellent care to communities and will give more updates as necessary.

At this point, it is uncertain whether patient data was exposed. More information will be published concerning the attack when the investigation affirms that attackers indeed obtained access to systems that contain patient data.

PHI Possibly Exposed in Epilepsy Foundation of Texas Due to Phishing Attack

An unauthorized person potentially accessed the email account of an Epilepsy Foundation of Texas employee and possibly acquired sensitive patient information. Epilepsy Foundation of Texas found out about the email account compromise on or around June 8, 2021 because the email account had been used for sending fraudulent email messages. After immediately securing the email account, the foundation conducted an investigation to find out the nature and extent of the breach.

The investigation affirmed the breach of the account after the employee replied to a phishing email. A review of the breach and the data within the email account was finished on September 2, 2021. Then efforts were made to acquire the correct address details of the affected persons in order to send notifications. The foundation began sending notification letters to affected persons on October 1, 2021.

Epilepsy Foundation of Texas mentioned the breached email account included first and last names, birth dates, driver’s license numbers, medical details, medical insurance data, Social Security numbers, financial account numbers, biometric information, usernames and passwords, and payment card numbers.

After the attack, security practices were evaluated and were now improved. Epilepsy Foundation of Texas stated it doesn’t know of any incidents of attempted or actual patient data misuse, but it has instructed impacted patients to exercise care and keep track of their accounts and explanation of benefits statements for indications of bogus activity.