- Minnesota-based Associates in Psychiatry and Psychology (APP) said that it suffered a Triple-M ransomware attack on March 30-31.
It notified OCR on May 18 that 6,546 individuals were affected by the attack.
APP related that Eastern European hackers breached its servers and encrypted all its data files, disabled system restore function on all affected computes, reformatted its network storage device containing local backups, and left a note with the ransom amount and payment method.
The databases impacted contained patient names, addresses, phone numbers, insurance claim processing information, and diagnostic and treatment information. APP said that there was no evidence that patient data was viewed or copied during the attack.
APP Office Manager Jessie May told Information Security Media Group that the practice paid the ransom to regain access to the files. May declined to provide the amount of the ransom.
Humana Notifies Vermont AG about Suspicious Automated System Calls
Health insurer Humana notified the Vermont Attorney General on May 21 that it received a number of suspicious calls to its interactive voice response telephone system.
To access the system, a caller needs to provide date of birth, ZIP code, and Humana ID or Social Security number. In the case of the suspicious calls, the caller successfully provided the three pieces of information but did not stay on the line to speak with a representative or use the automated call system.
“Based on this, we believe it is possible that someone may be trying to use your information in an inappropriate manner,” Humana said in its notification sent out to affected individuals on May 14.
“At this time, no inappropriate action was taken within Humana’s systems using the information,” it added.
Humana related that it has blocked the suspicious phone numbers and is monitoring the automated telephone system for similar call patterns.
Patient Files May Have Been Accessed at Purdue Pharmacy, Clinic
Purdue University Pharmacy and Family Health Clinic of Carrol County notified patients that their information may have been compromised in computer breaches, the Journal & Courier reported May 30.
Last month, a Purdue University security team found an unauthorized access file that was installed on one of the pharmacy’s computers on September 1, 2017.
The information that may have been compromised included patient names, identification numbers, dates of birth, dates of service, medication information, diagnoses, treatment, and billing records. The team said it found no evidence that the information was accessed or taken.
This month, Purdue University's security team found malware on a Family Health Clinic of Carroll County computer used to scan health insurance cards, according to the Journal & Courier. The malware was placed on the computer on March 15, 2018.
The information on the clinic’s computer included patient names, health insurance information, driver’s licenses, and Medicare numbers. For those whose driver’s licenses and Medicare numbers might have been exposed, Purdue is offering free credit monitoring and identity protection services for one year.
The Trustees of Purdue University notified OCR on May 25 that a computer breach affected 1,711 individuals.
Aultman Says 43,000 Patients Affected by Email Breach
Ohio-based Aultman Health Foundation notified around 43,000 patients May 25 that their PHI may have been compromised in an email breach.
Aultman said that unauthorized individuals accessed certain email accounts maintained by AultWorks Occupational Medicine, as well as email accounts containing information associated with Aultman’s physician practices and Aultman Hospital. It was informed of the breach by Microsoft on March 28.
The information in the email accounts may have included patient name, address, clinical information, medical record number, and physician’s name.
Aultman said that it has no indication that any information has been misused.
Hancock County Board Forwards Confidential Files on Children Without Request
Ohio-based Hancock County Board of Developmental Disabilities notified OCR on May 17 that there was an unauthorized disclosure of unsecured PHI affecting 607 individuals.
On its website, the Hancock County Board of Developmental Disabilities disclosed that it had been forwarding files concerning children enrolled in its Early Intervention Program to local school districts without a request from the districts.
Information in those files may have included confidential information concerning the children, such as names, Social Security numbers, dates of birth, diagnoses, treatment information, and medications.
The board said it contacted each school district and either recovered the information or received assurances that the information was shredded without further disclosure.
The board said it had no reason to suspect malicious activity or that any unauthorized person viewed the information. It has revised its process for storage and disposal of records and does not expect the problem to recur. Affected individuals have been notified by mail.
Heritage Court Says PHI Files on Residents Stolen from Storage Area
Arizona-based Echo Canyon Healthcare, dba Heritage Court Post Acute of Scottsdale, informed OCR on May 21 that it experienced the theft of paper documents containing unsecured PHI on 1,765 individuals.
In a press release, Heritage Court Post Acute of Scottsdale said it discovered on March 23 that paper files containing confidential resident information were stolen from a locked storage area.
The information included demographic data, diagnoses, and medical treatment and procedures received by some residents. Some of the documents also contained financial information, including Social Security numbers and Medicare numbers.
Heritage Court Post Acute of Scottsdale said it was not aware of any misuse of the resident information by any unauthorized individual.
The rehabilitation and long-term care facility said it notified residents affected by the breach but did not indicate whether it was providing free credit monitoring services.