Health Management Concepts (HMC) recently experienced a ransomware attack that quickly turned into a healthcare data breach.
In an Aug. 22 letter, attorneys for HMC informed the New Hampshire Attorney General that it discovered on July 16 a server it used to share files with its clients was infected by ransomware.
HMC said it paid the attackers for the decryption key, which they provided. HMC decrypted the data without impact on the healthcare management services it provides to clients.
However, HMC then discovered on July 19 that the attackers were “inadvertently provided” a file containing personal information, including names, Social Security numbers, and health insurance plan data, on IBU members. HMC explained that it provides chronic condition management to IBU (Inlandboatmen’s United of the Pacific National Benefit Funds).
HMC did not explain how the file was “inadvertently provided” to the attackers. It also did not say how many individuals were affected beyond the four New Hampshire residents covered by the letter.
CoveWare, a ransomware recovery firm, suggested that an encrypted file may have been sent to the attackers to demonstrate that they indeed could decrypt the file if the ransom was paid. The attackers responded by sending back the decrypted file. In this case, the “proof” file contained sensitive healthcare data. “This oversight was obviously a mistake, but it materially exacerbated the severity of the breach,” CoveWare judged.
HMC notified IBU about the breach. IBU then requested that HMC notify those affected as well as regulators on its behalf.
“To help prevent this type of incident from occurring again, HMC is adding enhanced security protocols to its current server, including removing access to the server through Remote Desktop Protocol. It also is migrating its server to another cloud computing service, which will provide additional security,” HMC said in its letter to the NH Attorney General.
Post Office Found Box of Clinic’s Medical Records in House
Gordon Schanzlin New Vision Institute reported to OCR on Aug. 10 that the theft of paper medical records may have affected PHI of 1,130 individuals.
In a statement, Gordon Schanzlin said that on June 15 it became aware of a US Postal Service raid on a house in Southern California in which a box of medical records containing information on its clients was recovered.
The clinic launched an investigation and concluded that the box was taken by an unauthorized individual from a storage unit in October 2017.
Information that might have been exposed included patient names, addresses, dates of service, medical records, health insurance information, and Social Security numbers.
“In order to increase the security of our patient files, all information has been removed from the storage unit in question and is now stored with additional physical security measures,” the statement said.
Gordon Schanzlin said it is offering victims one year of free credit monitoring and identity restoration services.
Authentic Recovery Center Cops to Email Hacking Incident
California-based Authentic Recovery Center reported Aug. 17 that an email hacking incident exposed PHI on 1,790 individuals.
In a statement, ARC said that it found out on June 21 that an unauthorized third party had gained access to one of its secure email accounts between June 7 and 21, 2018.
For clients, the information exposed included names, an indication that the individual is or was a client or potential client, clinical information, and, for one individual, payment card information.
For employees, the information exposed included names and driver’s license numbers. For two employees, addresses, phone numbers, dates of birth and Social Security numbers might have been accessed.
ARC said it is offering free credit monitoring and identity theft recovery services to affected individuals.
The center said it is “implementing additional safeguards to further secure all email account information and providing additional training about the proper way to secure information systems.”
CoreSource Reports Unauthorized Disclosure of Health Plan Data
CoreSource, an Illinois-based health plan administration service provider, reported to OCR Aug. 3 that an unauthorized disclosure of PHI may have affected 769 individuals.
In a press release, CoreSource said that a file transferred to a client and its vendor containing information about prescription medication claims processed by CoreSource under an employee health plan inadvertently included prescription medication claim information for employees of Bedford Central School District in New York.
“On May 9, 2018, CoreSource transferred the prescription medication claims file to a client in a secure manner. That client then transferred the file to its vendor, who is their business associate, on or around May 15, 2018, also in a secure manner. On May 18, 2018, CoreSource was notified by the vendor that the file contained information about employees of Bedford Central School District,” the release explained.
Information that may have been exposed included member's name, member plan ID number, relationship to employee, drug code, drug description, pharmacy name, prescription number, service date, paid date, quantity, days' supply, cost and fee amounts, copay amount, and plan paid amount.
CoreSource said it is providing a year of identity theft protection services for free to those impacted by the breach.