Maria Perez
Maria is an experienced writer, providing content for Healthcare Industry News since 2021. Working as a senior writer, Maria focuses on news reporting, making the complex healthcare topic comprehensible for readers. Maria’s expertise and dedication to delivering accurate stories make him a trusted source on our site.
by Maria Perez | Mar 10, 2021 | Compliance News
Elara Caring, one of the United States’ biggest home-based medical care services providers, has encountered a phishing attack that affected about 100,000 patients.
In the middle of December, the provider discovered suspicious activity in a few email accounts of workers. It took immediate action to protect the accounts and stop the attackers from being able to access the email accounts. A third-party cyber security company aided in scrutinizing the incident.
The investigation established that an unauthorized individual accessed a number of employee email accounts, even though no information was uncovered that indicates the attackers accessed or acquired any patient data in the email accounts. It was impossible to exclude theft of information.
An analysis of the breached email accounts showed they comprised the sensitive data of 100,487 patients, which include names, dates of birth, Employer ID numbers, Social Security numbers, driver’s license numbers financial/bank account details, passport numbers, home address, email addresses, and security passwords, insurance data and insurance account numbers. Elara Caring offered the people impacted by the incident complimentary credit monitoring and identity protection services.
The provider also took action to strengthen data security and has provided supplemental training about cybersecurity to its staff members.
Email Account Breach at Cornerstone Care Affects 11,487 Individuals
An unauthorized person accessed an email account holding the PHI of 11,487 patients getting services from Cornerstone Care community health centers based in Northern West Virginia And Southwestern Pennsylvania.
The company discovered the email account incident on June 1, 2020 and employed third-party security professionals to help investigate the breach. It was established that the breach simply affected one company email account. An evaluation of the PHI contained in the account was done on January 13, 2021.
The account had the names and addresses of patients plus, for a number of people, birth date, Social Security number, medical record, illness, treatment method, diagnosis, and/or medical insurance data. People whose Social Security number was affected got free credit monitoring and identity theft protection services.
Cornerstone Care mailed notifications to the impacted persons on February 25, 2021. It additionally employed multi-factor authentication on the email accounts.
ProPath Email Accounts Viewed by an Unauthorized Person
ProPath, the United States’ major, nationwide, fully physician-owned pathology practice, has found out an unauthorized person who got access to two email accounts that contain patient data.
The unauthorized individual gained access to the email accounts from May 4, 2020 to September 14, 2020. ProPath discovered on January 28, 2021 that PHI in the email accounts were the names of patients, birth dates, test orders, medical diagnosis and/or clinical treatment data, medical procedure details, and doctor name. The Social Security number, financial account details, driver’s license number, health insurance details, and/or passport number of some people were likewise compromised.
People whose Social Security number was exposed were provided credit monitoring services at no cost. Staff members have gotten more training to support them discover malicious messages and more technical safety measures have already been put in place.
It’s not yet confirmed how many persons the incident affected. ProPath mentioned lots of men and women who obtained testing from the provider were not impacted by the breach.
by Maria Perez | Mar 3, 2021 | HIPAA News and Advice
The American Recovery and Reinvestment Act of 2009 (ARRA), also known as the stimulus bill made quite a few amendments to the Health Insurance Portability and Accountability Act (HIPAA), which was enacted in 1996.
The most important and noticeable changes include the expansion of enforcement to states’ attorneys general and expansion of privacy and security provisions related to “business associates” and new breach notification provisions along with changes in penalties to be imposed in case of breach of HIPAA.
With changes in HIPAA, the penalties can now be imposed on covered entities along with individuals in position to the previous law where penalties could only be imposed on covered entities. As such, if someone within an organization willingly neglects and doesn’t comply with the rules and makes wrongful disclosures, he or she will be subject to fines, as well as possible imprisonment. Also, in the past, enforcement and violations were addressed solely at the federal level by the Office of Civil Rights. Now, attorney generals are empowered to deal with enforcement and violations as well.
Protected health information can be released by covered entities without authorization only for purposes of treatment, billing and health care operations. Covered entities can’t release information beyond those purposes without authorization of the patient. In addition, specific types of information are viewed as more sensitive (e.g., mental health and substance abuse information, information about certain diseases, such as HIV) in many states and more restrictions on disclosure exist at the state level.
With new laws, patients will have a greater ability to try to find out who has accessed their protected health information. This means that covered entities and business associates could be asked to account for a good deal of information if they get a request. New regulations are being considered in this area, so it is an area to watch.
In order to make sure that they are HIPAA compliant, the covered entities should keep an eye on releases from HSS about changes, consult with their legal representative, make sure that their designated privacy officer is properly trained and that he or she is training their employees and keep their lines of communication open with business associates and make sure any contracts they have with them include appropriate provisions that will require they comply with HIPAA and all other state laws which may come into play.
by Maria Perez | Mar 3, 2021 | Compliance News, EHR & Interoperability, Healthcare Industry News
Email Accounts Breach at Summit Behavioral Healthcare
Summit Behavioral Healthcare based in Brentwood, TN found out about the breach of two staff email accounts starting in May 2020. This provider of behavioral health services manages 18 addition treatment centers throughout America.
An independent forensics company was involved to look into the breach and affirmed on January 21, 2021 that the breached accounts held protected health information and unauthorized men and women may have accessed or gotten PHI.
The data included in the accounts differed from person to person and might have involved names along with at least one of the following types of information: diagnosis or symptom data, treatment details, prescribed medication data, medical insurance numbers, medical background, Social Security number, financial account details, Medicare/Medicaid identification numbers, and healthcare provider data.
Summit Behavioral Healthcare already notified the affected people and provided a complimentary one-year credit monitoring and identity theft protection services membership.
Email Account Compromised at Jacobson Memorial Hospital and Care Center
Jacobson Memorial Hospital and Care Center located in Elgin, ND has learned that an unauthorized individual viewed an email account that contains the PHI of 1,547 patients.
The hospital discovered the breach approximately on August 5, 2020 and an independent cybersecurity agency was retained to look into the breach and ascertain whether any records were accessed. It looks like the attack was done as a way to distribute spam email messages using the account; nonetheless, it’s probable that patient files were accessed.
The account comprised names, birth dates, addresses, email addresses, telephone numbers, Social Security numbers, credit card numbers, insurance policy numbers, bank account numbers, and various health details.
The latest organization-wide security system has already been enforced, guidelines and procedures were kept up to date, and extra training was offered to personnel and vendors on data security. Jacobson Memorial Hospital and Care Center provided the impacted persons free credit monitoring and identity theft restoration services.
Twelve Oaks Recovery Finds Malware Infection and Data Theft
Twelve Oaks Recover based in Navarre, FL, an addiction and mental health treatment facility, has found out that an unauthorized person accessed its system, infected it with malware, and stole records. The attack was discovered on December 13, 2020 after finding strange network activity. Conducting a forensic investigation affirmed the deployment of malware on December 13. A data exfiltration was confirmed to have happened the following day.
An evaluation of the records acquired by the attacker showed that they included the PHI of 9,023 patients, and contained names, birth dates, addresses, Social Security numbers and medical record numbers.
Twelve Oaks Recovery has improved its network tracking tools and undertaken steps to avoid the same breaches from happening again.
Kaiser Permanente Terminates Worker for Improper PHI Access
Kaiser Permanente has terminated a worker for accessing the medical records of members with no authorization. The provider detected the privacy breach on December 28, 2020 and upon investigation, it was confirmed that information was accessed with no reasons associated with the healthcare service needs of members. The types of data compromised included names, addresses, email addresses, phone numbers, birth dates, and pictures. No other sensitive data was compromised
Kaiser Permanente is going over its guidelines and procedures and will be enforcing more safety measures, as needed, to avoid the same privacy breaches later on.
by Maria Perez | Feb 24, 2021 | Compliance News
The protected health information (PHI) of 29,982 patients of Harvard Eye Associates located in Laguna Hills, CA was potentially stolen during a cyberattack on its online storage vendor. The medical and surgical eye care services provider received information on January 15, 2021 that hackers gained access to the computer system of its storage vendor and exfiltrated data.
It isn’t certain whether there was file encryption to prevent access; nevertheless, there was a ransom demand received in exchange for the return of the stolen files. The storage vendor conferred with cybersecurity specialists and the Federal Bureau of Investigation and decided to pay the ransom demand.
The hackers resent the stolen information and gave assurances that they did not retain any copies of the data and there were no other disclosures of the stolen files. The cybersecurity professionals called in by the security vendor are tracking the Internet and darknet and didn’t find any proof that suggests the sale or leak of the stolen data online. An investigation into the breach revealed that the hackers first obtained access to its computer networks on October 24, 2020.
The hackers likely acquired the following types of patient information: patients’ names, phone numbers, addresses, email addresses, dates of birth, medical histories, health insurance data, prescription drugs, and data regarding treatment acquired at Harvard Eye Associates.
Harvard Eye Associates offers billing and other admin services to Alicia Surgery Center based in Laguna Hills, which needs access to the types of information already mentioned. The security incident likewise affected Alicia Surgery Center patients. It is presently uncertain how many Alicia Surgery Center patients were impacted.
Harvard Eye Associates and Alicia Surgery Center posted in their website breach notices that affected patients will get notifications and offers of complimentary credit monitoring and identity theft protection services.
by Maria Perez | Feb 17, 2021 | Compliance News
The court has granted preliminary approval of a settlement offered by 21st Century Oncology to solve a November 2020 class-action legal action. The class-action lawsuit was registered in District Court for the Middle District of Florida in support of affected individuals of a 2015 cyberattack that essentially impacted 2.2 million persons.
The Federal Bureau of Investigation notified 21st Century Oncology regarding a breach of its computer network on November 13, 2015. An unauthorized individual had obtained access to its system and could have viewed or acquired access to one of its databases on October 3, 2015. The database included patients’ names, diagnoses, treatment details, insurance data, and Social Security numbers. Notifications to affected people were overdue at the request of the FBI so as not to obstruct the investigation. Patients impacted by the breach began receiving notification letters in March 2016.
The Department of Health and Human Services’ Office for Civil Rights started a breach investigation and uncovered probable HIPAA violations. 21st Century Oncology resolved the case in December 2017 without any admission of liability and consented to pay a $2.3 million fine.
The class-action lawsuit desired breach victims to be paid for sustaining losses because of the incident, which include a refund of out-of-pocket expenditures, time spent seeking to fix things, and losses suffered due to identity theft and fraud.
With the provisions of the offered settlement, all breach victims will be eligible to claim credit monitoring and identity theft protection services via Total Identity for 2 years, which could be deferred for around two years.
Additionally, the 21st Century Oncology negotiation will see breach victims refunded for standard time expended correcting troubles somewhat traceable to the data breach, which is dependent on two hours at $20 each hour to as much as $40. Additionally, a claim may be made for reported time spent, to as much as 13 hours at $20 every hour to around $260.
Any person who will be able to give evidence of out-of-pocket costs sustained because of the breach or reported fraud may be allowed to file a claim as much as $10,000.
All persons advised concerning the breach in or about March 2016 are protected by the settlement and could file a claim. The due date for making claims is May 10, 2021. Any class member who wants to disapprove or exclude themselves from the arbitration has till March 9, 2021 to achieve this.
Though the court has issued initial acceptance of the settlement deal, finalized approval is not yet given. A fairness hearing is timetabled for June 15, 2021.
