Law firm notifies 255,000 people of HIPAA data incident 10 months after hack

Sensitive patient data may have been exposed in a number of cybersecurity incidents at organizations in the United States (Air Force)

Warner Norcross & Judge recently notified the Department of Health and Human Services of a Health Insurance Portability and Accountability Act data breach affecting 255,160 people. The law firm provides employment and immigration services to healthcare entities, including three of Michigan’s largest hospital systems.

On October 22, 2021, WNJ first discovered unauthorized activity on “certain of its systems” and took steps to secure the network. A digital forensics company was commissioned to investigate and perform “data mining and manual review”.

WNJ discovered that personal and protected health information was contained in the protected systems, including names, dates of birth, social security numbers, driver’s licenses, passports and government ID cards, annual compensation amounts, benefit contribution details, credit or debit card numbers and PINs, financial account or routing numbers, and other sensitive data.

The notice appears to attribute the long delay in notifying patients to its data mining to identify relevant information and individuals. But under HIPAA, covered entities and business associates are required to report within 60 days of discovery, not at the end of an investigation.

WNJ has since “taken steps to help prevent a similar incident from happening in the future.”

Employee Email Hacking at Henderson & Walton Women’s Center

The protected health information of 34,306 patients linked to the Henderson & Walton Women’s Center in Alabama was compromised when an employee email was hacked. The notice does not explain when the hack began, just that its investigation ended on June 24.

After discovering the email systems intrusion, HWWC secured the account and implemented additional security measures. The notices stated that “all HWWC emails sent internally are encrypted. Hackers had no access to HWWC’s server or other data storage facilities.”

The data compromised varied by patient and could include dates of birth, SSNs, medical data, health insurance details, driver’s licenses and state ID numbers.

HWWC has since implemented additional security and privacy policies, added protections to its encrypted messaging system, and launched protocols for its emails containing patient information, including automatic deletion of such information after three days. The provider also intends to implement “a system to eliminate the sharing of any personal information via email at all.”

CorrectHealth notifies 54K of November 2021 incident

Approximately 54,000 people connected to CorrectHealth, a correctional healthcare provider in Georgia, were recently notified that a “cybersecurity incident” discovered in November 2021 led to the compromise of their personal and health information.

The incident was first discovered on November 10, 2021, when a malicious actor gained access to several employee email accounts. Upon discovery, CorrectHealth launched an investigation, which concluded on January 28. A three-month systems review followed to verify the type of information leaked and the identities of those potentially affected by the email hack.

The investigation revealed that full names, contact information and social security numbers were potentially exposed during the incident. All concerned will receive free credit monitoring services. Since the incident, CorrectHealth has worked with the FBI as part of a “wider investigation into the threat group responsible.”

The vendor also issued a password reset for all employees, engaged with an advanced phishing service for its messaging platform, implemented multi-factor authentication, added single sign-on for clinical staff, launched weekly data security and monthly phishing simulation training for employees, and added “disclaimers on all emails received from outside”.

NorthStar Health Reports April Email Hack

The hacking of an email account belonging to a NorthStar Healthcare Consulting employee led to the possible access or theft of Georgia Medicaid information for 18,354 members. NorthStar is a Business Associate of the Georgia Department of Community Health.

After discovering the intrusion, the account was secured and NorthStar changed the account passwords, in addition to notifying law enforcement. The investigation revealed that the threat actors had gained access to the affected email account, but could not verify what data, if any, had been accessed or acquired. A review of the systems confirmed that no other email accounts or systems were affected.

The affected account contained Medicaid member names and identification numbers, dates of birth, contact information, prescriptions, prescriber names, call numbers, and diagnoses.

The hack was first discovered on April 20. The notice does not explain the delay in notifying patients, but it could be attributed to “a comprehensive review to identify all individuals whose information was contained in the impacted account and potentially impacted by the incident.”

NorthStar has worked with a third-party forensic specialist to confirm the security of its network, while improving its data security and controls.

McKinney Methodist Hospital update: 125,000 patients affected

An update from McKinney Methodist Hospital, Allen Methodist Surgical Center and Craig Ranch Methodist Surgical Center on HHS’s breach reporting tool shows 125,401 patients were affected by the systems hack and subsequent data theft by Karakurt in early July.

As previously reported, “unusual activity on some systems” was discovered by the hospitals on July 5. The investigation determined that threat actors copied files from the network during a two-month dwell period between May 20 and July 7, when it was discovered.

When Karakurt threatened to release the data, the hospitals posted a notice on the website notifying patients of the data theft so they could take prompt action to protect their privacy. The investigation was ongoing, but the review confirmed that the theft involved names, social security numbers, contact information, dates of birth, diagnoses, treatments, medical record numbers and health insurance details.

The initial breach notice preceded an alert from the HHS Cybersecurity Coordination Center warning of the Karakurt Group’s continued targeting of healthcare. At least four supplier organizations have fallen victim to the threat actor’s tactics in the past three months.

First Street Family Health cyberattack resulted in deletion of backup data

In a quick notification, First Street Family Health recently notified 7,310 patients that their data had been lost after a cyberattack that led to patients’ health information being accessed and/or stolen and that “deleted automatic” backup data for its electronic medical records.

The cyberattack was discovered on July 16. The advisory does not identify the threat behind the attack, stating only that the vendor was “able to fully restore many files from backups that were unaffected by the attack.” Access to the systems began on July 5 and ended on July 16.

“The FSFH has not been locked out of the files by encryption, as is often the case,” the officials explained. “Instead, its files were programmatically deleted.”

As a result, the FSFH was unable to retrieve EMR information from June 28, 2021 through July 15, 2022. The investigation found “no indication that the deleted files were first accessed or exported by the cybercriminal”.

The ensuing investigation revealed that the threat actors viewed and possibly acquired the medical referral forms of a small percentage of patients, which included contact information, dates of birth, social security numbers, dates of service, diagnosis, conditions, lab results, ID cards and health insurance numbers, and billing details. No financial or payment card information was affected.

Since the discovery of the intrusion, the FSFH has worked to continuously monitor its systems and block further access, following a full password reset and the implementation of enhanced measures. The vendor is working with an external cybersecurity firm to review its security practices and strengthen protocols. The incident was reported to federal law enforcement.