Cyberattacks and Data Theft Announced by Medical Healthcare Solutions and Advocates Inc.

Advocates Inc., a Massachusetts non-profit provider of support services for people facing life challenges including autism, brain injury, addiction, intellectual disabilities, behavioral health, and mental health conditions, has reported that it recently suffered a sophisticated cyberattack and data theft incident.

Advocates discovered on October 1, 2021, that an unauthorized person had obtained access to its systems and copied files containing the sensitive data of patients and staff members. A prominent cybersecurity firm was engaged to assist with the investigation, which revealed that an unknown individual had accessed its network and copied files over a four-day period between September 14, 2021 and September 18, 2021.

The files included names, birth dates, addresses, Social Security numbers, medical insurance details, client ID numbers, diagnoses, and treatment details. After verifying the individuals affected, Advocates compiled up-to-date contact details in order to issue written notifications, which explains the delay in sending the notification letters.

The cyberattack was reported to the Federal Bureau of Investigation and government authorities. The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates that the protected health information (PHI) of 68,236 persons was contained in the stolen data. Advocates said it is not aware of any actual or attempted misuse of the stolen data; nevertheless, as a precaution, affected individuals have been offered free credit monitoring and identity theft protection services.

PHI Compromised in Cyberattack on Medical Healthcare Solutions

The medical billing firm Medical Healthcare Solutions, located in Boston, MA, has recently reported that it experienced a cyberattack. The attack was identified on November 19, 2021, and steps were promptly taken to secure its systems and prevent further unauthorized access. The investigation determined that an unauthorized person had access to its network from October 1, 2021 to October 4, 2021, and stole a number of files from its systems.

An analysis of the stolen records showed they contained the following types of information: name, address, birth date, sex, telephone number, email address, driver’s license/state ID number, Social Security number, financial account number, payment card number, card CVV/expiration, routing number, diagnosis/treatment details, procedure type, provider name, prescription data, date of service, patient account number, medical record number, insurance group number, insurance ID number, insurance plan name, claim number, provider ID number, procedure code, treatment cost, and diagnosis code.

A final list of persons affected by the breach was obtained on January 8, and notification letters have already been distributed. Free credit monitoring and identity theft protection services have been offered to affected individuals. The breach has been reported to the HHS’ Office for Civil Rights; however, it has not yet been posted on the breach portal, so it is presently unclear how many persons were affected.

More Than 50% of All Healthcare IoT Devices Have an Identified, Unpatched Critical Vulnerability

The latest research by Cynerio, a healthcare IoT security platform provider, has shown that 53% of connected medical devices and other healthcare IoT devices have at least one unresolved critical vulnerability that could potentially be exploited to gain access to systems and sensitive records or to affect the availability of the devices. The researchers also found that one-third of bedside healthcare IoT devices have at least one unpatched critical vulnerability that could affect service availability or data privacy, or put patient safety at risk.

The researchers assessed the connected device footprints of over 300 hospitals to identify threats and vulnerabilities in their Internet of Medical Things (IoMT) and IoT devices. The most common healthcare IoT devices are IV pumps, which make up approximately 38% of a hospital’s IoT footprint. These devices were found to be the most susceptible to attack, as 73% had a vulnerability that could jeopardize patient safety or service availability, or lead to data theft. 50% of VOIP systems had vulnerabilities, with patient monitors, ultrasound devices, and medication dispensers the next most insecure device types.

The recently reported Urgent11 and Ripple20 IoT vulnerabilities are clearly a cause for concern; however, there are far more prevalent and easily exploitable weaknesses in IoT and IoMT devices. The Urgent11 and Ripple20 vulnerabilities affect close to 10% of medical IoT and IoMT devices, whereas the most common risk was weak credentials. Default passwords can easily be found in online device manuals, and weak passwords are susceptible to brute force attacks. Around one fifth (21%) of IoT and IoMT devices were found to have default or weak credentials.

Most pharmacology, oncology, and laboratory devices, and substantial numbers of the devices used in neurology, radiology, and surgery departments, were running obsolete Windows versions (older than Windows 10), which are likely to be vulnerable.

Unpatched software and firmware vulnerabilities are common in bedside devices, the most common being improper input validation, improper authentication, and the continued use of devices for which a recall notice has been issued. Without visibility into the devices connected to the network and a detailed inventory of all IoT and IoMT devices, identifying and remediating vulnerabilities before attackers exploit them will be a serious challenge, and it is inevitable that some devices will remain vulnerable.

Many medical devices are used in critical care settings, where very little downtime is possible. Over 80% of healthcare IoT devices are used monthly or more often, which leaves security teams little time to identify and remediate vulnerabilities and segment the network. A solution that provides visibility into connected medical devices, along with key details on their security posture, allows security teams to identify vulnerable devices and schedule updates.

Frequently, patching is not possible. Many medical IoT devices are in continual use, and they are often used beyond their end-of-support date. In these cases, the best security option is virtual patching: measures that prevent exploitation of the vulnerabilities, such as quarantining devices and segmenting the network.

Network segmentation is one of the most important steps for strengthening healthcare IoT and IoMT security. When segmentation is implemented in a way that takes healthcare workflows and patient care scenarios into account, Cynerio claims 92% of critical risks in IoT and IoMT devices can be effectively mitigated.
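The triage the preceding paragraphs describe (inventory first, patch where a maintenance window exists, otherwise virtual-patch by quarantine or segmentation, and rotate default credentials regardless) is shown below as an added example. The inventory rows, scoring weights and decision rules are constructed for illustration and are not Cynerio’s data or methodology.

```python
"""Triage a constructed IoMT inventory into patch vs. virtual-patch actions.

Added example: the inventory rows, scoring weights and decision rules are
constructed for illustration; they are not Cynerio's data or methodology.
"""
from dataclasses import dataclass, field
from typing import List

# Device classes the report singles out as affecting patient safety when
# compromised (IV pumps, patient monitors, medication dispensers).
PATIENT_SAFETY_CLASSES = {"iv_pump", "patient_monitor", "medication_dispenser"}

# Windows releases older than Windows 10, the report's cutoff for "obsolete".
LEGACY_WINDOWS = {"xp", "vista", "7", "8", "8.1", "2003", "2008", "2008r2"}


@dataclass
class Device:
    device_id: str
    device_class: str
    os_name: str              # e.g. "Windows 7", "Windows 10", "VxWorks 6.9"
    critical_unpatched: bool  # known critical vulnerability with no fix applied
    default_credentials: bool
    recalled: bool            # a device recall notice has been issued
    patchable: bool           # vendor fix exists and the device accepts updates
    continuous_use: bool      # no maintenance window in which to patch


@dataclass
class Triage:
    device_id: str
    score: int = 0
    actions: List[str] = field(default_factory=list)


def obsolete_windows(os_name: str) -> bool:
    """True for Windows versions older than Windows 10; False for anything else."""
    parts = os_name.split()
    if len(parts) < 2 or parts[0].lower() != "windows":
        return False
    return parts[1].lower() in LEGACY_WINDOWS


def triage_device(d: Device) -> Triage:
    """Score one device and pick the remediation the text describes:
    patch when a window exists, otherwise virtual-patch (quarantine/segment)."""
    t = Triage(d.device_id)
    if d.default_credentials:
        t.score += 3
        t.actions.append("rotate default credentials")  # always feasible
    if obsolete_windows(d.os_name):
        t.score += 2                                    # unsupported OS
    if d.recalled:
        t.score += 3
        t.actions.append("remove recalled device from service")
    if d.critical_unpatched:
        t.score += 4
        if d.patchable and not d.continuous_use:
            t.actions.append("apply vendor patch")
        else:
            # Virtual patching: isolate the device so the flaw cannot be reached.
            t.actions.append("quarantine to restricted clinical segment")
    if d.device_class in PATIENT_SAFETY_CLASSES and t.score > 0:
        t.score += 2                                    # patient-safety weight
    return t


def prioritize(inventory: List[Device]) -> List[Triage]:
    """Highest-risk devices first, so scarce maintenance windows go to them."""
    return sorted((triage_device(d) for d in inventory), key=lambda t: -t.score)


def share_with_critical_unpatched(inventory: List[Device]) -> float:
    """Fraction of devices carrying an unpatched critical vulnerability."""
    if not inventory:
        return 0.0
    return sum(d.critical_unpatched for d in inventory) / len(inventory)


# Constructed sample inventory (not real hospital data).
INVENTORY = [
    Device("pump-01", "iv_pump", "Windows 7", True, True, False, False, True),
    Device("mon-02", "patient_monitor", "Windows 10", True, False, False, True, False),
    Device("voip-03", "voip_phone", "VxWorks 6.9", False, True, False, True, False),
    Device("us-04", "ultrasound", "Windows 8.1", False, False, True, False, True),
    Device("disp-05", "medication_dispenser", "Windows 10", False, False, False, True, False),
]

if __name__ == "__main__":
    for t in prioritize(INVENTORY):
        print(f"{t.device_id:8} score={t.score:2} actions={t.actions}")
    print(f"critical unpatched share: {share_with_critical_unpatched(INVENTORY):.0%}")
```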

Most medical IoT and IoMT cybersecurity initiatives focus on building a complete inventory of all IoT and IoMT devices and gathering data about those devices to identify likely risks. Hospitals and health networks do not need more information: they need innovative solutions that reduce risk and enable them to fight cyberattacks, and as medical device security specialists, it is time for all of us to step up.

Online Pharmacy Alerts 105,000 Patients Concerning Cyberattack and Probable Theft of PHI

The digital pharmacy and health application developer Ravkoo, based in Auburndale, FL, has begun notifying certain patients that an unauthorized person accessed and likely stole their sensitive personal information.

Ravkoo uses Amazon Web Services (AWS) to host its online prescription portal. The portal suffered a cyberattack that was detected on September 27, 2021. Upon learning of the breach, Ravkoo took prompt action to secure the site and engaged third-party cybersecurity specialists to assist with the forensic investigation, mitigation, recovery, and remediation efforts.

The investigation confirmed the compromise of sensitive patient data, including names, telephone numbers, addresses, some prescription details, and limited medical information. Ravkoo explained that the affected site did not contain any Social Security numbers, which are not stored in the impacted portal. The forensic investigation found no evidence suggesting misuse of the data stored in the portal.

Ravkoo has reported the cyberattack to the Federal Bureau of Investigation (FBI) and is assisting with the investigation. Ravkoo has also engaged forensics professionals to assess the security of its AWS environment. Steps are being taken to strengthen security and prevent further data breaches.

The breach has been reported to the Department of Health and Human Services’ Office for Civil Rights as affecting approximately 105,000 persons. Affected individuals are being offered free access to Kroll’s online credit monitoring service as a precaution, which includes access to resolution services in the event of identity theft.

The Intercept’s Micah Lee noted in a September 28, 2021 Twitter post that an attacker had claimed responsibility for the cyberattack on Ravkoo and stated the patient portal was “hilariously easy” to get into, requiring only the use of a hidden admin website that any user could sign in to and obtain patient records.

PHI of Anthem Members and Advocate Aurora Health Patients Possibly Exposed

Anthem Inc. has notified 2,003 people that an unauthorized person may have viewed or obtained their protected health information (PHI) after gaining access to the network of one of its business associates.

Anthem partners with the Atlanta, GA-based insurance broker OneDigital, which assists individuals enrolled in group health plans in obtaining and managing their health insurance. OneDigital was given access to the protected health information of a number of members in order to help them, or their current or former employer, obtain and manage their health insurance coverage.

On November 24, 2021, OneDigital notified Anthem of a server hacking incident that took place in January 2021. Anthem stated that the investigation did not find direct evidence of unauthorized access to or theft of PHI; however, those activities could not be ruled out.

The types of data kept on the breached systems consisted of names, birth dates, addresses, healthcare company names, health insurance numbers, group numbers, dates and types of medical care services, medical record numbers, medication data, laboratory test data, payment details, claims data, driver’s license numbers, and Social Security numbers.

Anthem has provided the affected individuals with complimentary credit monitoring and identity theft protection services for one year. Anthem said it is working with OneDigital to reduce the chance of similar breaches occurring in the future.

Exposure of the PHI of Over 1,700 Advocate Aurora Health Patients Because of Billing Error

The 26-hospital health system Advocate Aurora Health, based in Illinois, has notified over 1,700 individuals of a possible breach of some of their PHI.

On or around July 29, 2021, the health system generated billing statements and mailed them to patients; however, they did not reach their intended recipients. The statements included some PHI, such as patients’ names, the types of services received, dates of service, the name of the healthcare provider they visited, and visit account numbers.

Advocate Aurora Health became aware of the billing problem on October 29, 2021. The subsequent investigation showed that an unintended change to its billing application had gone unnoticed, causing the statements to be sent to the wrong addresses. Advocate Aurora Health stated it has not received any reports of actual or attempted misuse of patient information resulting from the incident; nevertheless, patients were notified by mail as a precaution and offered free credit monitoring services.

Advocate Aurora Health said it is changing its internal processes and technical solutions to prevent similar breaches in the future. The breach was reported to the HHS’ Office for Civil Rights as affecting 1,729 persons.

Broward Health Alerts More Than 1.3 Million People Regarding the October 2021 Data Breach

At the beginning of the year, a large breach was announced by Florida-based Broward Health, which has just begun notifying over 1.3 million patients and employees about a data breach that took place on October 15, 2021. A hacker gained access to the Broward Health network through the office of a third-party healthcare provider that had been given network access in order to deliver medical services.

Broward Health detected and stopped the attack on October 19, 2021, and reset the passwords of all staff members to prevent further unauthorized access. With the assistance of a third-party cybersecurity firm, Broward Health conducted a thorough investigation to determine the nature and scope of the breach.

The investigation determined that the attacker had accessed parts of the network where employee and patient data were stored, including sensitive data such as names, addresses, email addresses, birth dates, telephone numbers, financial/bank account details, health insurance data, medical histories, medical conditions, treatment and diagnosis details, medical record numbers, Social Security numbers, and driver’s license numbers. Broward Health reported that some records were exfiltrated from its network.

The cyberattack was reported to the Department of Justice, which asked Broward Health to delay sending breach notification letters to affected individuals so as not to impede the law enforcement investigation.

Broward Health has taken steps to improve security and prevent similar incidents in the future, including implementing multifactor authentication for all users of its network and establishing minimum security requirements for all devices with network access that are not managed by Broward Health’s IT department. Those security requirements take effect this January.

Broward Health has not received any reports indicating that patient or staff information has been misused; nevertheless, as a precaution against identity theft and fraud, affected individuals have been offered a free two-year membership to the Experian IdentityWorksSM service, which includes identity theft protection, detection, and resolution services.

The breach has not yet appeared on the HHS’ Office for Civil Rights breach portal, although it has been reported to the Maine Attorney General as affecting 1,357,879 individuals.

Attorneys General are Also Allowed to Issue HIPAA Violation Fines

Since the HITECH Act (Section 13410(e)(1)) was introduced in February 2009, state attorneys general have been authorized to hold HIPAA-covered entities accountable for the compromise of the PHI of state residents and may file civil actions in the federal district courts. For HIPAA violations, penalties of up to $25,000 per violation category, per calendar year, may be imposed. The minimum applicable penalty is $100 per violation.

A covered entity that experiences a data breach affecting residents of several states may be required to pay HIPAA violation penalties to the attorneys general of several states. Only a few states have issued penalties to HIPAA-regulated entities for violating the HIPAA Rules: California, Connecticut, the District of Columbia, Massachusetts, Minnesota, Indiana, New Jersey, New York, and Vermont.

In recent years, attorneys general have worked together to impose penalties for HIPAA violations arising from large data breaches that affected individuals across the United States, pooling their resources and taking a share of any settlements or civil monetary penalties. Although only a few states have used their authority to impose penalties for HIPAA violations, that does not mean HIPAA violations go unpunished: numerous states have issued financial penalties for comparable violations of state laws.

Are HIPAA Violations Criminal?

If a HIPAA-covered entity or business associate violates the HIPAA Rules, civil penalties may be imposed. When healthcare organizations fail to comply with HIPAA, it is normally the employer that is fined, but not always. When healthcare professionals knowingly obtain or use protected health information (PHI) for purposes not permitted by the HIPAA Privacy Rule, they may be held criminally liable for the HIPAA violation under the criminal enforcement provision of the Administrative Simplification subtitle of HIPAA.

The Department of Justice prosecutes criminal HIPAA violations, particularly those committed by individuals who have intentionally violated the HIPAA Rules. A number of cases have resulted in large fines and jail sentences.

Criminal HIPAA violations include the theft of patient data for financial gain and improper disclosures made with the intent to cause harm. Insufficient understanding of the HIPAA Rules is not an acceptable excuse: “knowingly” violating HIPAA means the person was aware of the facts that constitute the offense, not that the person had actual knowledge that he or she was breaking the HIPAA Rules.

Criminal Penalties for HIPAA Violations

Criminal penalties for HIPAA violations have three distinct tiers, each with a specific prison term and an associated fine. A judge determines the penalty based on the facts of each case. As with OCR, various general factors affect the penalty imposed. When a person has profited from the access, theft, or disclosure of PHI, all money obtained may have to be returned in addition to payment of a fine.

There are three tiers of criminal penalties for HIPAA violations. These are as follows:

Tier 1: Reasonable cause or without knowledge of violation – About 1 year in prison

Tier 2: Acquiring PHI under false pretenses – About 5 years in prison

Tier 3: Acquiring PHI for personal profit or with malicious intention – About 10 years in prison

In recent months, there has been an increase in the number of employees found to be viewing or stealing PHI for various reasons. PHI commands a high price on the black market, which can be a strong draw for some people. It is therefore important that controls are in place to limit the opportunity for individuals to steal patient information, and that systems and policies exist to ensure improper PHI access and theft are identified promptly.

All employees with access to PHI as part of their job duties must be educated about the criminal penalties under HIPAA and the consequences of violations, which can include loss of employment, a lengthy jail sentence, and a substantial fine.

State attorneys general are pursuing data theft cases and penalizing individuals found to have violated the HIPAA Privacy Rule. A jail sentence for stealing PHI is therefore very likely.

Data Breaches Reported by Texas ENT Specialists and Virginia Department of Behavioral Health and Developmental Services

Texas Ear, Nose & Throat Specialists P.A. (Texas ENT Specialists) has reported that it experienced a cyberattack that was discovered on October 19, 2021.

As soon as the attack was discovered, prompt action was taken to prevent further unauthorized access to the network. A third-party cybersecurity company was engaged to investigate and determine the nature and scope of the attack. The forensic investigation showed that the attackers first gained access to its systems on August 9, 2021, and between then and August 15 copied and exfiltrated files from its network.

An analysis of those files determined that they contained the protected health information (PHI) of 535,489 individuals, including names, birth dates, procedure codes, and medical record numbers. A subset of individuals also had their Social Security numbers compromised; however, its electronic medical record system was not affected.

Texas ENT Specialists sent notification letters to affected individuals on December 10, 2021. Patients whose Social Security numbers were compromised were offered a free membership to Experian’s identity theft monitoring service.

Texas ENT Specialists reported that it has enhanced its privacy and data security program and implemented additional technical safeguards to better secure and monitor its systems.

Virginia Department of Behavioral Health and Developmental Services Experiences Second Funding Portal Breach

The Virginia Department of Behavioral Health and Developmental Services (DBHDS) is notifying 4,037 people who applied for Individual and Family Support Program (IFSP) financial assistance that their PHI may have been impermissibly exposed. The breach affected its IFSP Funding Portal and took place on October 7, 2021. The breach was detected within minutes, and the portal was promptly taken offline to prevent further unauthorized data access.

In 2019, DBHDS suffered a breach of its IFSP funding portal that exposed the records of 1,442 persons. Over the following 17 months, the internal team and the Virginia Information Technology Agency (VITA) reviewed the attack and attempted to reproduce and fix the problem. Extensive testing of the Portal was carried out, and it was deemed safe to return to operation. The latest breach closely resembles the 2019 incident and may similarly have allowed information to be viewed by other individuals.

DBHDS said it will not attempt to fix the Portal again, and an alternative solution may be chosen for future IFSP application processes. Individuals whose application data were compromised can enroll in free credit monitoring services for two years.

Class Action Lawsuit Filed Against Planned Parenthood Los Angeles Due to October 2021 Ransomware Attack

Planned Parenthood Los Angeles (PPLA) is facing a class action lawsuit over a ransomware attack that was discovered on October 17, 2021. The attack compromised the protected health information (PHI) of over 409,759 patients. Notification letters were mailed to affected individuals on November 30, 2021, in which PPLA stated that its systems were breached on October 9, 2021. The attackers had access to files containing PHI until October 17, when they were removed from the network.

The records on the affected systems included names, dates of birth, addresses, diagnoses, and treatment and medication details, and some files were exfiltrated before the files were encrypted. PPLA said it had no evidence to suggest that patient data has been misused.

A PPLA patient whose PHI was compromised in the breach has filed a lawsuit over the incident. The lawsuit, filed in the U.S. District Court of Central California, alleges that the patient and class members were placed at imminent risk of harm due to the theft of their sensitive health information, which included electronic health records documenting procedures performed by PPLA such as abortions, treatment of sexually transmitted diseases, emergency contraception, cancer screening data, and other highly sensitive health information.

The lawsuit also points to the timing of the ransomware attack, which coincided with the Supreme Court arguments on abortion, and claims that the compromise of data on abortion treatments at this time makes it very likely that patients will suffer harm. In addition to facing an imminent risk of harm, affected individuals are likely to continue to suffer economic and actual harm and have lost control of their healthcare records. They have also incurred out-of-pocket expenses as a result of the breach, such as time and money spent securing their accounts, monitoring for identity theft and fraud, and taking steps to prevent misuse of their personal data. The lead plaintiff claims she has suffered actual harm from the breach, including stress and anxiety, and has also suffered damage to and diminution in the value of her personal information.

Although the Health Insurance Portability and Accountability Act (HIPAA) has no private cause of action, the lawsuit alleges that PPLA violated HIPAA by failing to ensure the privacy of patient information and by not having sufficient cybersecurity measures in place to prevent unauthorized PHI access. The lawsuit also states that this is the third data breach experienced by PPLA in the last 3 years.

In addition to the HIPAA violations, the lawsuit alleges that PPLA also violated the California Consumer Privacy Act (CCPA) and the California Confidentiality of Medical Information Act (CMIA).

The lawsuit seeks injunctive relief, statutory and compensatory damages, investment in cybersecurity measures to ensure further breaches do not occur, and identity theft protection and restoration services, together with identity theft insurance coverage, for affected individuals.

Patient Takes Legal Action Against Eskenazi Health Concerning Data Misuse

The protected health information (PHI) of an Eskenazi Health patient was compromised in a ransomware attack in August 2021. The patient is now taking legal action against the healthcare organization over the data breach.

It is now common for ransomware gangs to copy sensitive information before deploying ransomware to encrypt files. The stolen data are used to pressure victims into paying the ransom, as was the case in the cyberattack on Eskenazi Health. Indianapolis, IN-based Eskenazi Health detected the attack at the beginning of August and promptly shut down its computer systems to stop further unauthorized access and contain the attack. The healthcare provider chose to divert ambulances and postpone some appointments as a precaution while its electronic medical record system was unavailable.

According to the breach investigation, Eskenazi Health’s systems were first compromised in May, and the threat actors exfiltrated files containing sensitive patient data. Notification letters began to be issued to affected patients at the beginning of November. Patients were informed of the breach and offered free identity theft protection and credit monitoring services. At the time the notifications were sent, there had been no reports of misuse of patient information, although some patient data had been published on the gang’s data leak site. The breach report submitted to the HHS’ Office for Civil Rights at the start of October indicates that the breach affected 1,515,918 patients.

Eskenazi Health stated that the stolen information related to employees, providers, and current and former patients, and included names, addresses, phone numbers, email addresses, dates of birth, patient account numbers, medical record numbers, diagnoses, clinical data, physicians’ names, insurance details, medications, passport numbers, driver’s license numbers, facial images, credit card data, and Social Security numbers.

Terri Ruehl Young, the Eskenazi Health patient, was among those affected by the breach. According to the lawsuit, Young alleges that a fraudulent charge of $370 was placed on the credit card she used to pay her bill, and that her Equifax credit report showed an attempt had been made to change her name.

The lawsuit claims that patients trusted Eskenazi Health to safeguard its systems and patient data, but the healthcare organization betrayed that trust by failing to implement advanced security practices and appropriate safeguards to protect patient information. The lawsuit alleges unjust enrichment, negligence, and breach of contract.

The lawsuit also raises the length of time it took Eskenazi Health to notify patients of the breach. It says that breach notification letters were issued more than 6 months after the initial compromise and 3 months after Eskenazi Health discovered the breach. The HIPAA Breach Notification Rule requires notifications to be issued within 60 days of the discovery of a data breach.

Cohen and Malad and John Steinkamp & Associates filed the lawsuit, which seeks class-action status and a jury trial. An Eskenazi Health representative said the lawsuit has not yet been formally served.

One Community Health Patients Informed Regarding a Cyberattack and Data Theft in April 2021

One Community Health, based in Sacramento, CA, has recently notified patients that its systems were compromised between April 19 and April 20, 2021. It was discovered that an unauthorized individual had gained access to systems containing the personal data and protected health information (PHI) of some employees and patients.

A comprehensive forensic investigation was conducted by a third-party cybersecurity firm to determine the nature and scope of the attack, and One Community Health was informed on October 6, 2021, that the attacker had exfiltrated files from its network containing full names and one or more of the following data elements: telephone number, address, other demographic data, email address, date of birth, driver’s license number, Social Security number, insurance details, diagnosis details, and treatment data.

One Community Health began sending breach notification letters to all affected patients on November 22, 2021. No incidents of identity theft or fraud have been reported; nevertheless, complimentary credit monitoring services have been offered to affected individuals as a precaution against identity theft and fraud.

One Community Health stated that it has been working with cybersecurity specialists to strengthen its defenses against cyberattacks, has improved endpoint detection and email protection, and has adopted 24/7 managed detection and response.

PHI Disclosure Due to Email Error by Eye Care Product Company

Alcon, a manufacturer of eye care products, has learned that an email error led to the disclosure of some patients’ PHI to healthcare organizations not permitted to view the PHI.

On October 5, 2021, Alcon emailed patients’ protected health information to healthcare organizations to assist with billing. The emails were intended to include only details about each healthcare organization’s own patients; however, a technical problem resulted in the emails containing information about patients of other healthcare organizations.

The emails included some data on patients who had recently received an Alcon intraocular lens implant, specifically first and last names, dates of implant, device serial numbers, and names of treating physicians.

All healthcare organizations that received the email were contacted and instructed to delete it, and Alcon has reviewed and updated its policies and processes to prevent similar breaches in the future. Given the nature of the data involved and the entities that received it, Alcon believes no patient information will be misused.
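The control that addresses the failure mode in this incident is a pre-send gate that verifies every row in an outbound message belongs to the addressee, independent of however the batches were assembled. The following is an added example and not Alcon’s code: the records, organization ids and the flawed grouping are constructed for illustration (the article does not say what the actual technical problem was), and the gate holds any message with a foreign row and reports which serials would have leaked.

```python
"""Pre-send scoping gate for per-organization billing emails.

Added example, not Alcon's code: the records, organization ids and the
flawed grouping are constructed to illustrate the failure mode in the
article (a message to one organization carrying another's patients) and
the check that holds such a message before it leaves.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ImplantRecord:
    patient_name: str
    implant_date: str
    device_serial: str
    surgeon: str
    billing_org: str  # the one organization permitted to receive this row


@dataclass
class OutboundEmail:
    recipient_org: str
    rows: List[ImplantRecord]


def build_emails(records: List[ImplantRecord]) -> List[OutboundEmail]:
    """Correct grouping: the key is the authorization boundary itself."""
    by_org: Dict[str, List[ImplantRecord]] = defaultdict(list)
    for r in records:
        by_org[r.billing_org].append(r)
    return [OutboundEmail(org, rows) for org, rows in sorted(by_org.items())]


def build_emails_by_surgeon(records: List[ImplantRecord]) -> List[OutboundEmail]:
    """Hypothetical flawed grouping (constructed, not the cause Alcon reported):
    grouping by surgeon and addressing the batch to the first row's organization
    leaks rows whenever one surgeon operates at more than one organization."""
    by_surgeon: Dict[str, List[ImplantRecord]] = defaultdict(list)
    for r in records:
        by_surgeon[r.surgeon].append(r)
    return [OutboundEmail(rows[0].billing_org, rows) for rows in by_surgeon.values()]


def scope_violations(email: OutboundEmail) -> List[ImplantRecord]:
    """Rows whose owning organization is not the addressee."""
    return [r for r in email.rows if r.billing_org != email.recipient_org]


def release_gate(
    emails: List[OutboundEmail],
) -> Tuple[List[OutboundEmail], Dict[str, List[str]]]:
    """Clear only fully in-scope emails; hold any email with a foreign row and
    report the offending device serials per recipient for the incident log."""
    cleared: List[OutboundEmail] = []
    held: Dict[str, List[str]] = {}
    for e in emails:
        bad = scope_violations(e)
        if bad:
            held[e.recipient_org] = [r.device_serial for r in bad]
        else:
            cleared.append(e)
    return cleared, held


# Constructed records; names, dates, serials and org ids are placeholders.
RECORDS = [
    ImplantRecord("Patient A", "2021-09-20", "SN-0001", "Dr. Lee", "org-north"),
    ImplantRecord("Patient B", "2021-09-21", "SN-0002", "Dr. Lee", "org-north"),
    ImplantRecord("Patient C", "2021-09-22", "SN-0003", "Dr. Lee", "org-south"),
    ImplantRecord("Patient D", "2021-09-23", "SN-0004", "Dr. Patel", "org-south"),
]

if __name__ == "__main__":
    for label, builder in (("by org", build_emails), ("by surgeon", build_emails_by_surgeon)):
        cleared, held = release_gate(builder(RECORDS))
        print(f"{label}: cleared={[e.recipient_org for e in cleared]} held={held}")
```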