Malware, Unauthorized Access Lead to Healthcare PHI Breaches

Unauthorized access and malware lead to healthcare PHI breaches and network outages for clinics across the country grappling with growing cyber threats.

New cyber threats are constantly emerging, leaving organizations vulnerable to healthcare protected health information (PHI) breaches, ransomware, and unauthorized access incidents.

Recent data breaches include PHI exposure at two fertility clinics, stolen patient records, and unauthorized access to patient files by a terminated executive. In New Jersey, one clinic is facing consequences for allegedly failing to safeguard PHI in the face of a data breach.

AG Announces $495K Settlement for Improper Data Security Measures at NJ Fertility Clinic

The office of Andrew J. Bruck, acting attorney general of New Jersey, along with the Division of Consumer Affairs, announced a $495,000 settlement with Diamond Institute for Infertility and Menopause. The Essex County clinic allegedly failed to conduct cybersecurity risk assessments and improperly handled a data breach. Diamond disputed all allegations.

The data breach, which involved multiple instances of unauthorized access to the provider’s network between 2016 and 2017, compromised the personal information of 14,663 patients. The Division of Consumer Affairs alleged that Diamond violated the HIPAA Privacy Rule, the HIPAA Security Rule, and the New Jersey Consumer Fraud Act when it removed technical and administrative safeguards for protected health information.

The allegations argued that Diamond failed to conduct an accurate risk assessment of potential vulnerabilities, failed to implement a mechanism to encrypt PHI, and failed to review security measures.

Investigators also alleged that Diamond failed to implement proper procedures for creating and changing passwords and failed to implement procedures to verify that a person accessing PHI is who they claim to be.  

“Patients seeking fertility treatment rightly expect their healthcare providers to protect their privacy. Major cybersecurity lapses like the ones leading up to this data breach are unacceptable,” Bruck stated.

“Today’s settlement sends the message that such privacy lapses come with significant consequences.”

Diamond agreed to develop a comprehensive information security program, appoint a new HIPAA privacy and security officer, train employees on privacy practices, develop an incident response plan, and implement technical safeguards.

Hackers Remove 69K Patient Files from NM Medical Center’s Network

San Juan Regional Medical Center (SJRMC) provided more information to patients about a malware incident in September 2020 that resulted in a hacker removing 69,000 patient records from the medical center’s network.

On July 13, 2021, SJRMC discovered that the impacted files contained protected health information, including names, Social Security numbers, driver’s license numbers, dates of birth, passport information, health insurance information, diagnosis and treatment information, and financial account numbers.

“SJRMC previously identified and notified patients of this incident. The manual document review of the impacted files was extensive and required significant time to complete. As a result, SJRMC provided two rounds of notification – one in June and one in September,” the medical center explained.

“SJRMC takes this incident and security of personal information very seriously. Cybersecurity threats continue to evolve and as a result, SJRMC has taken additional steps to secure its network and improve internal procedures to identify and remediate future threats. SJRMC continues to assess and update its internal policies and procedures in order to minimize the risk of a similar incident in the future.”

Notified individuals should consider placing fraud alerts or security freezes on credit files and remain vigilant in reviewing account statements.

MA Fertility Clinic Ransomware Attack Exposes PHI of 350K

Massachusetts-based fertility clinic ReproSource, owned by Quest Diagnostics, announced that it fell victim to a ransomware attack that forced the clinic to shut down its IT network. The cyberattack impacted 350,000 individuals, according to the Maine attorney general’s office.  

ReproSource discovered suspicious activity on August 10, two days after an unauthorized party had accessed its network. The clinic severed network access and immediately launched an investigation. Although there was no evidence that the unauthorized party obtained any data, ReproSource notified potentially impacted individuals of the incident on September 24.

The personally identifiable information (PII) and protected health information (PHI) potentially accessed included names, phone numbers, addresses, email addresses, CPT codes, diagnosis codes, medical history, health insurance identification numbers, Social Security numbers, credit card numbers, and birth dates.

“We promptly notified law enforcement. We also enhanced our cybersecurity by adding additional monitoring and detection tools as additional safeguards against ransomware and other cyber threats,” the announcement stated.

The clinic is offering impacted individuals free credit and identity monitoring through Kroll.

Terminated Executive Accessed PHI of 37K at Texas ACO

Premier Patient Healthcare, an accountable care organization (ACO) based in Carrollton, Texas, suffered a data security incident when a terminated executive wrongly accessed a file containing protected health information after their employment ended.

According to the Maine attorney general’s office, the incident exposed the data of 37,636 individuals. Premier Patient Care discovered the breach on April 30, 2021, but it occurred in July 2020. Premier began notifying patients in October.

“Premier, in partnership with its contracted technology vendor, is completing an ongoing investigation and has reported the incident to the appropriate agencies,” the ACO explained in a statement.

“At this time, we have been unable to determine how the information was further handled or used after it was acquired.”

Impacted information included full name, county and state of residence, ZIP code, age, sex, and race. The file also included Medicare beneficiary information, including eligibility period and hierarchical condition category risk score.

Premier said that it reported the incident to HHS and partnered with IDX to address any questions and concerns.