mscripts Cloud Storage Misconfiguration Exposed PHI for 6 Years

By | February 16, 2023

The mobile pharmacy solution provider, mscripts, has recently announced that a misconfiguration of its cloud storage environment has exposed client data online for the past 6 years. The misconfiguration was detected and remediated on November 18, 2022, with the third-party forensics investigation confirming the cloud storage environment had been unsecured since September 30, 2016.

A review of the files stored in that environment confirmed they contained the protected health information of 66,372 patients of participating pharmacies. The information related to locker pickups at pharmacy locations, and also included images of prescription bottles and insurance cards, which had been submitted via the mscripts web or mobile app. The information potentially accessed during that time includes names, dates of birth, phone numbers, addresses, prescription numbers, medication names, originating pharmacy information, health insurance company names, member IDs, group numbers, and, in certain cases, dependents’ names.

mscripts said the issue has now been resolved and security procedures have been enhanced to ensure similar data exposure incidents do not occur in the future. Affected individuals have been notified and advised to monitor their billing statements and notifications of prescriptions for any unauthorized activity.

Care Dimensions Says Website Compromised to Steal Payment Card Information

Danvers, MA-based Care Dimensions, a provider of hospice, palliative, and home primary care services, has recently reported a data breach to the Maine Attorney General that has affected up to 1,713 patients. Care Dimensions recently discovered that the donation page of its website had been altered, and malicious code was added to capture the payment card details of donors.

The forensic investigation confirmed on or around January 6, 2023, that the malicious code was added on February 18, 2022, and allowed an unknown threat actor to capture payment card information when donations were made, including cardholder name, contact information, credit and debit card numbers, expiration dates, and CVV codes. The malicious code was removed on December 8, 2022.

The breach affects all individuals who made donations through the website between February 18, 2022, and December 8, 2022. Those individuals have been advised to regularly review their financial account statements for fraudulent or irregular activity and to immediately report any unauthorized purchases. Fraud alerts and security freezes with credit agencies have also been recommended. Care Dimension said third-party cybersecurity experts have conducted a full review of its website code and penetration tests to ensure that the exploited vulnerability has been fully remediated.

Brooks Rehabilitation Reports Website Tracking Technology-Related Impermissible PHI Disclosure

Brooks Rehabilitation, a Florida-based network of medical rehabilitation services, has recently notified 1,554 patients about an impermissible disclosure of some of their protected health information to third parties due to the use of pixels and cookies on its website.

The pixels and cookies were used on its website for tracking user activity to enhance its website and improve the user experience. Brooks Rehabilitation recently learned that those technologies captured and transmitted user information to the technology companies that provided the code. The investigation confirmed that the following types of information may have been impermissibly disclosed to technology companies: name, phone number, email address, computer IP address, other information provided in the comments section of the website, and any Brooks sites visited while visiting its website. Brooks Rehabilitation said it was unable to determine whether any of that information has been further disclosed or used by the technology companies, such as for targeted advertising.

Brooks Rehabilitation said the tracking technologies were disabled in December 2022 and there are no plans to use them again unless it can be confirmed that they will not transmit any user information.

Email Account Compromised at Minuteman Senior Services

The Bedford, MA-based senior care provider, Minuteman Senior Services, has confirmed that an unauthorized individual gained access to the email account of an employee between November 21 and November 30, 2022. Third-party data review specialists are currently conducting a programmatic and manual review of all emails and attachments in the account to determine the extent of the privacy breach.

The information potentially accessed includes full name, address, date of birth, gender, health insurance information, diagnosis, and service utilization. The information exposed varies from patient to patient. Since it is not yet known how many individuals have been affected, the incident was reported to the HHS’ Office for Civil Rights with a placeholder of 500 individuals. Notification letters will be issued when the review is complete and the total will be updated with OCR when the extent of the incident is confirmed.

This is the second email account compromise incident to be reported by Minuteman Senior Services in the past year. A similar breach occurred on June 1, 2022, although in that case the unauthorized access was detected and blocked within 24 hours. That breach affected up to 4,000 individuals.

The Center for Autism and Related Disorders

The Center for Autism and Related Disorders (CARD) in Portland, OR, has notified certain patients about an impermissible disclosure of a limited amount of their personal information due to an error by a third-party billing vendor. When the software for the system for generating patient invoices was updated, a computer error occurred that resulted in certain caregivers being sent invoices for unrelated patients.

The invoices included HIPAA-protected information such as patient names, CARD internal reference numbers, and payment histories, which included insurance payments, patient payments, adjustments, and account balances. No other information was involved. The error was rapidly identified, detected, and fixed, and only affected its January 2023 billing statements for patient cost-sharing amounts. Processes have now been strengthened for detecting errors such as this to prevent any further mailing errors.

The incident has yet to appear on the HHS’ breach portal so it is currently unclear how many individuals have been affected.

The post mscripts Cloud Storage Misconfiguration Exposed PHI for 6 Years appeared first on HIPAA Journal.