Maria Perez
Maria is an experienced writer, providing content for Healthcare Industry News since 2021. Working as a senior writer, Maria focuses on news reporting, making the complex healthcare topic comprehensible for readers. Maria’s expertise and dedication to delivering accurate stories make him a trusted source on our site.
by Maria Perez | Jul 17, 2020 | Compliance News
Breaches at Central California Alliance for Health, Hutton & Hale, D.D.S., Inc. and Wisconsin Department of Corrections
The Central California Alliance for Health learned that an unauthorized person obtained access to a number of employees’ email accounts and most likely read or stolen data in email messages and file attachments. The healthcare organization discovered the breach on May 7, 2020 and took fast action to protect the impacted accounts. In all cases, the accounts were viewed for approximately an hour.
An analysis of the breached accounts showed they comprised a small amount of protected health information (PHI) of Central California Alliance for Health members like Alliance Care management program information, birth dates, claims details, demographic data, Medi-Cal ID numbers, referral data, and health care details. There was no breach of financial data or Social Security numbers.
Subsequent to the breach, Central California Alliance for Health executed a total password reset for every email account, this includes the email accounts that weren’t exposed. Employees likewise got additional training regarding email security.
Central California Alliance for Health by now submitted a breach report to the Department of Health and Human Services’ Office for Civil Rights specifying that 35,883 members were impacted.
Wisconsin Department of Corrections Breach Affects 1,853 People
The Wisconsin Department of Corrections found out that the data of people located in its treatment centers was compromised on the sites of three vendors hired to handle canteen purchases. An employee found the information on May 15, 2020. Impacted people were alerted on June 15, 2020.
The breached data was minimal including names and data concerning the treatment facility in their location. That data needs to be encrypted on the web pages. The issue is already remedied and the data is not available any more on the web.
Hacking of Hutton & Hale, D.D.S., Inc. Affects 8,394 Patients
Dr. Ann Hale of Hutton & Hale, D.D.S., Inc. began informing 8,394 patients regarding the likely exposure of their PHI due to hacking of the practice’s stored data and computer networks on May 25, 2020.
Those systems stored patients’ medical records and PHI including names, contact phone numbers, addresses, X-ray information, and Social Security numbers.
All impacted patients were given free of charge one-year membership to identity theft protection and credit monitoring services and will be covered by a $1,000,000 identity theft insurance plan. Thus far, there are no reports obtained that indicate the improper use of any patient data.
The practice is incorporating more safety measures to its web server infrastructure to avert more security breaches.
by Maria Perez | Jul 8, 2020 | Compliance News
Nearly 69,000 Persons Affected by Cyberattacks on Healthcare Fiscal Management and Friendship Community Care
Healthcare Fiscal Management Inc. (HFMI) located in Wilmington, NC provides physician groups, hospitals and clinics with self-pay conversion and insurance eligibility services. HFMI suffered a ransomware attack that allowed attackers to have access to the private and protected health information (PHI) of patients of St. Mary’s Health Care System based in Athens, GA.
An unauthorized person accessed the HFMI systems on April 12, 2020 and released a ransomware payload the next day that encrypted information kept on its systems. The hacker accessed systems that have the personal and PHI of patients who obtained medical services at St. Mary’s from November 2019 to April 2020.
The attackers possibly accessed and acquired the information of about 58,000 patients, though data accessor theft cannot be affirmed. The PHI kept on the breached systems included names, Social Security numbers, birth dates, account numbers, health record numbers, and service dates.
HFMI was ready in case of this sort of event and had practical backups that were employed to reestablish information the same day to an alternative hosting provider. A forensic investigation team was hired to look into the incident. The forensic investigators stated that the attackers do not have possession of the information. The information is likewise not available over the web.
Security experts are going over security settings and, from their advice, steps are undertaken to improve security. HFMI has given all impacted persons no-cost credit monitoring and identity theft protection services as a precautionary measure against identity theft and fraud.
Phishing Attack on Friendship Community Care Affects 9,745 Patients
Friendship Community Care (FCC) based in Russellville, AR, a not-for-profit care provider of grownups and youngsters with handicaps, encountered a phishing attack last January 2020.
FCC identified the phishing attack on February 4, 2020 after seeing suspicious activity in the email account of an employee. Forensic investigators helped inspect the breach and confirmed on February 5, 2020 that an unauthorized person had obtained access to the email account, however upon additional investigation, it confirmed the breach of a number of Office 365 email accounts utilizing credentials acquired in the phishing attack.
FCC found out on February 7, 2020 that the email accounts comprised PHI. A detailed evaluation of the email accounts affirmed the probable access of 9,745 persons’ PHI, even though there is no proof received that indicate the attacker accessed or acquired the emails.
The compromised email accounts comprised names, birth dates, addresses, Client ID numbers, Social Security numbers, Medicaid IDs/Medicare IDs, employer ID numbers, patient numbers, medical data, state ID card numbers, student ID numbers, driver’s license numbers, financial account details, mother’s maiden names, marriage certificates, birth certificates, facial photographs and disability codes.
FCC provided free credit monitoring and identity protection services to impacted persons. An analysis of email security was performed, and steps are being undertaken to strengthen security to avert identical breaches later on.
by Maria Perez | Jul 2, 2020 | Compliance News
North Shore Pain Management (NSPM) based in Massachusetts started sending notifications to 12,472 patients because hackers potentially stole some of their protected health information (PHI). NSPM became aware of the breach on April 21, 2020 and its investigation confirmed the first access of their system by hackers on April 16, 2020.
NSPM posted on its website a substitute breach notice but did not provide any data with regards to the nature of the attack. Nonetheless, Emsisoft and databreaches.net affirmed the attack where AKO ransomware was used. The group that conducted the attack posted 4GB of stolen information on their Tor website because of no ransom payment.
The posted data include various sensitive data of workers and patients. The NSPM breach notice claimed that the stolen information consists of patient names, medical insurance information, account balances, birth dates, financial details, diagnosis and treatment information. Ultrasound and MRI images were likewise compromised for For several patients. Those patients using their Social Security numbers with their health insurance /member number had exposed their SSNs as well.
Because of the exposed stolen information on the web, NSPM instructed the affected patients to monitor their explanation of benefits statements and financial accounts for any sign of information misuse. NSPM provided credit monitoring and identity theft protection services at no cost to the patients whose Social Security numbers were exposed. NSPM appointed another IT management provider to reinforce its cybersecurity.
The AKO ransomware attackers are identical to gangs that deploy ransomware manually. They engaged in data theft prior to file encryption to increase the likelihood of getting ransom payment. The AKO group typically requires companies with big revenues to pay two ransom payments – one for the price tag of the decryptor and another for stolen data deletion. The cost of deleting files may be between $100,000 and $2,000,000.
The group claimed that some healthcare providers just pay the cost of deleting data. There is no confirmation if NSPM made a ransom payment.
Ransomware Attack on Florida Orthopaedic Institute
A ransomware attack on Florida Orthopaedic Institute in Tampa, FL occurred on April 9, 2020 resulting in the encryption of patient data. An internal investigation of the breach showed there was a potential theft of patients’ personal information and PHI prior to file encryption. Nevertheless, there is no report received by Florida Orthopaedic Institute regarding any patient data misuse due to the attack.
Florida Orthopaedic Institute appointed a third-party computer forensic firm to continue the investigation. Steps had already been taken to get back the encrypted data and protect its servers. The affected patients already received breach notification letters, including the offer of free fraud consultation, credit monitoring, and identity theft restoration services.
The encrypted data and possibly obtained by the attackers included the following: names, Social Security numbers, birth dates, medical information related to appointment times, diagnosis codes, doctor’s locations, paid amount, insurance plan ID numbers, payer ID numbers, claims addresses, and/or FOI claims history.
Florida Orthopaedic Institute appointed third-party experts to enhance security to avert any more cyberattacks in the future.
The HHS’ Office for Civil Rights breach hasn’t put up yet the incident details on its breach website, hence the number of impacted patients is not known at this time.
by Maria Perez | Jun 24, 2020 | Compliance News
The United States Attorney’s Office of the Western District of Pennsylvania announced the arrest of a person who was accused of the breach of the University of Pennsylvania Medical Center (UPMC) HR databases in 2014.
UPMC runs 40 hospitals in 700 outpatient sites and physicians’ offices and has over 90,000 staff. In January 2014, UPMC learned that a hacker viewed a human resources server Oracle PeopleSoft database where the personally identifiable information (PII) of 65,000 UPMC staff is stored. The stolen information in the breach was purportedly made available for sale on the darknet. There were names, birth dates, addresses, tax, and salary details, and Social Security numbers included.
The arrested person was Justin Sean Johnson. He’s 29 years old residing in Michigan who recently worked at the Federal Emergency Management Agency as an IT expert.
On May 20, 2020, Johnson was under the monikers TDS and DS when he was charged on 43 counts: one count of conspiracy, 5 counts of aggravated identity theft, and 37 counts of wire fraud. Apparently, Johnson hacked the database, copied PII, and marketed the stolen PII on darknet marketplaces including AlphaBay Market to many international buyers. Prosecutors furthermore claim that Johnson offered other PII on the darknet community aside from the PII of UPMC staff from 2014 to 2017.
The compromised UPMC PII was later employed in a massive plan to deceive UPMC workers. Hundreds of fake tax returns were submitted using the names of UPMC workers, which prosecutors state resulted in approximately $1.7 million in phony reimbursements being given. Those refunds were turned into Amazon gift cards that were used to acquire approximately $885,000 in goods, which were largely sent to Venezuela to be offered in marketplaces on the web.
Two more people were accused in 2017 regarding the UPMC hacking.
Maritza Maxima Soler Nodarse, from Venezuela who pleaded guilty to conspiracy to swindle the United States and was associated with reporting fake tax returns, got sentenced to time served and was expelled from the country.
Yoandy Perez Llanes, from Cuba who pleaded guilty to aggravated identity theft and money laundering, is awaiting his sentence in August 2020
The breach investigation showed that the hacker gained access to the OracleSoft database initially on December 1, 2023. After being able to access the database, the hacker conducted a test query and was able to access the information of around 23,500 people. From January 21, 2014 to February 14, 2014, the hacker viewed the database several times daily and stole the information of a huge number of UPMC employees.
Johnson encounters a long prison term in case he is determined guilty of the violations. The conspiracy charge holds a 5 years maximum imprisonment and a penalty of about $250,000. The wire fraud charges hold 20-years maximum imprisonment and a penalty of as much as $250,000 for every count and, there is going to be compulsory 2-year imprisonment for aggravated identity theft and a penalty of as much as $250,000 for every count.
The healthcare industry is an enticing target of hackers interested in taking personal data for use in scams; the Secret Service is fully committed to uncovering and arresting those that partake in criminal acts that exploit the Nation’s critical systems for their own benefit.
Cybercriminals like Johnson need to realize that the U.S. Secret Service won’t stop chasing them until they’re in custody and pay for their criminal acts.
by Maria Perez | Jun 17, 2020 | Compliance News
Cano Health, a population health management firm and healthcare service provider located in Florida, reported that an unauthorized individual got access to the email accounts of three workers by creating a mail forwarder the email accounts which directed emails to other addresses.
Caro Health became aware of the data breach on April 13, 2020, nevertheless, the investigation findings showed that the accounts were compromised two years earlier, some time in May 18, 2018. That means every email that was sent to and from the email accounts from May 18, 2018 to April 13, 2020 are presumed to have been acquired and were possibly accessed.
An evaluation of the emails affirmed that they held private and protected health information (PHI) for instance names, contact details, dates of birth, medical details, insurance data, government identification numbers, financial account numbers and/or social security numbers.
Cano Health is notifying impacted people and has instructed them to periodically check their accounts and benefits statements for indications of fake transactions. Cano Health is going to give impacted patients credit monitoring services at no cost.
Cano Health is working to strengthen email security. The Department of Health and Human Services’ Office for Civil Rights hasn’t published the breach details on its portal yet, thus it is uncertain at this point how many individuals have been impacted.
Phishing Attack on City of Philadelphia Affects 33,376 Patients
The City of Philadelphia’s Department of Behavioral Health and Intellectual disAbility Services (DBHIDS) reported a cyberattack that led to the exposure of the PHI of 33,376 persons.
On March 31, 2020, DBHIDS noticed suspicious actions in the email account of an employee, though the breach investigation affirmed that there were two email accounts compromised on April 2, 2020. The phishing attack investigation is still in progress and forensics professionals are already analyzing the email accounts, though there is no proof yet showing the hackers accessed or exfiltrated patient information.
The breach impacts patients having mental disabilities who had formerly gotten services from the Division of Intellectual disAbility Services (IDS). The kinds of data exposed varied from one patient to another and might have contained data elements like names, addresses, birth dates, Social Security numbers, medical insurance details, account and/or medical record numbers, diagnoses, provider names, service dates and short descriptions of the services the person had or were obtained from IDS. The copies of birth certificates and Social Security cards of a number of patients were likewise exposed.
DBHIDS will mail the notification letters to impacted persons in the forthcoming weeks and will provide free credit monitoring services.
To avoid identical breaches later, a number of steps were undertaken. Further education will be given to workers to enable them to identify phishing emails. Campaigns to track network activity were improved.
