UCLA Health Announces Pixel-Related Data Breach
UCLA Health has recently started notifying approximately 94,000 patients about an impermissible disclosure of their protected health information to certain unnamed service providers due to the use of analytics tools on its website and mobile app.
UCLA Health said analytics tools were used to better understand how patients interacted with the website and app. The data collected by UCLA Health was aggregated and used to develop more efficient and effective communication to improve its services to patients. UCLA Health said it was made aware of the potential for these analytics tools to transmit sensitive patient information to service providers in June 2022, and immediately disabled these tools on the website and app. A third-party forensics firm was then engaged to review the data collected and potentially transmitted by these tools to establish the extent of any privacy violation.
The privacy violation occurred due to the use of these tools on the appointment scheduling forms on the website and app, which may have captured and transmitted the URL/website address (which could include provider name, specialty, or ad campaign name), page view, IP address, third-party cookies, and hashed values of certain fields on the appointment request form. The hashed form fields potentially included first and last name, email address, mailing address, phone number, and gender. UCLA Health confirmed that the tracking tools were not added to the myUCLAhealth online patient portal.
UCLA Health said notification letters were sent on January 13, 2022. The delay was due to the time taken to conduct the forensic investigation. UCLA Health said it has since enhanced its technology evaluation procedures.
Livingston Memorial VNA Health Corporation Announces Ransomware Attack
Livingston Memorial VNA Health Corporation, which provides hospice services in Ventura, CA, has confirmed that hackers gained access to its IT systems and used ransomware to encrypt files on or around February 19, 2022. The forensic investigation confirmed the attackers had access to patient data prior to encrypting files but says no reports of misuse of data have been received to date. The breach also affected patients of its affiliates Livingston Memorial Visiting Nurse Association and Livingston Caregivers.
In the notice to the California attorney general, Livingston explained that the delay in issuing notifications was due to the length of time it took to verify which individuals had been affected. The complete list of affected individuals was finalized on November 3, 2022, and in accordance with HIPAA, a substitute breach notice was placed on its website from May 6, 2022, to August 9, 2022, confirming a security breach had occurred. Affected individuals have been offered complimentary single-bureau credit monitoring services.
Livingston said it has greatly improved its cybersecurity posture, including increasing logging and alerts, adding further internal controls and safeguards, increasing the frequency of third-party penetration tests, and reviewing all security policies and firewall rules.
Benefit Administrative Systems, LLC Confirms Security Breach Involved Data Theft
Benefit Administrative Systems, LLC, a Homewood, IL-based administrator of the Connected Care Health Plan, has notified certain individuals about the exposure of an electronic file that contained sensitive personally identifiable information. An alert was generated when the file was accessed by unauthorized individuals, and steps were immediately taken to protect its systems. The forensic investigation confirmed on November 1, 2022, that the file had been exfiltrated and contained first/last names, email addresses, health insurance member numbers, and health insurance group numbers of certain members.
Affected individuals have been offered complimentary credit monitoring and identity theft protection services for 12 months, and steps have been taken to improve security to prevent similar breaches in the future.
Atlantic General Hospital Recovering from Suspected Ransomware Attack
Atlantic General Hospital in Maryland is currently investigating a security incident that resulted in a limited network outage. A spokesperson for the hospital confirmed that the ER is continuing to receive and treat patients, and that elective surgeries and other outpatient procedures are being performed, although the hospital website says the walk-in outpatient lab is temporarily closed until further notice and the RediScripts pharmacy, pulmonary function testing, and outpatient imaging have been disrupted. At this stage of the investigation, it is too early to tell if, and to what extent, patient data has been exposed.
The post Ransomware Attacks, Hacks, and Pixel-Related Data Breaches Reported appeared first on HIPAA Journal.