Des Plaines, IL-based Lutheran Social Services of Illinois, one of the largest providers of social services in the state, has announced that its systems were compromised and ransomware was used to encrypt files. The cyberattack was detected on January 27, 2022, and systems were taken offline to contain the attack. and third-party cybersecurity professionals were engaged to investigate the breach and determine the scope of the attack.
The forensic investigation and document review concluded on December 28, 2022, and confirmed that the attackers had access to its network between December 31, 2021, and January 27, 2022, and may have viewed or obtained files that contained protected health information. Data theft could not be ruled out, but at the time of issuing notifications, no reports had been received to suggest that sensitive information has been used for identity theft or fraud. The data potentially accessed included names, birth dates, Social Security numbers, financial information, driver’s license numbers, biometric information, diagnosis and treatment information, and health insurance information.
The HHS’ Office for Civil Rights data breach portal shows a breach reported by Lutheran Social Services of Illinois on March 25, 2022, indicating 1,000 individuals were affected. This coincides with the 60-day reporting deadline of the HIPAA Breach Notification Rule. This appears to have been a placeholder until the total number of individuals was determined. The breach notification sent to the Maine Attorney General indicates up to 184,183 individuals were affected, including 9 Maine residents. No reason was provided as to why it took 12 months from the date of discovery of the breach to issue breach notification letters to affected individuals.
Affected individuals have been offered complimentary Single Bureau credit monitoring services and Lutheran Social Services of Illinois said it has taken steps to further protect unauthorized access to individual records.
University of Colorado Hospital Authority Announced Third-Party Data Breach
University of Colorado Hospital Authority (UCHealth) has recently announced that one of its vendors has suffered a data breach that has affected 48,879 patients. UCHealth works with a software vendor called Diligent, which provides business operation tools and hosted services. Diligent recently notified UCHealth that it experienced a software incident that involved patient, provider, and employee data. The company’s software was accessed in the attack and attachments were downloaded from the hosted service that included UCHelath files. UCHealth’s email, electronic health records, and internal files were not impacted.
UCHealth said the stolen files included names, addresses, dates of birth, treatment-related information, and for a very limited number of individuals, Social Security numbers and/or financial information. UCHealth has confirmed that Diligent has implemented additional safeguards to prevent further data breaches.
PHI of PharmaCare Services and NextGen Healthcare Patients Posted on Dark Web
Cybercriminals have been attempting to extort money from the EHR and practice management solution provider, NextGen Healthcare, and Blanco, TX-based PharmaCare Services. Both healthcare organizations were recently added to the data leak site of the BlackCat ransomware group. The listing for NextGen Healthcare has since been removed but the PharmaCare Services listing is still live.
At the time of publication, no breach has been reported to the HHS’ Office for Civil Rights by either company. NextGen Healthcare has confirmed that an investigation has been launched into a security incident and that normal operations have resumed. A spokesperson for the company said client data does not appear to have been compromised and no evidence of data theft has been detected.
The BlackCat ransomware group operates under the ransomware-as-a-service model, with affiliates used to conduct attacks on behalf of the group for a percentage of any ransoms they generate. BlackCat claims that its affiliates are not permitted to attack medical institutions, hospitals, and ambulance services, although pharmaceutical firms and private clinics are not off-limits. The HHS has previously issued a warning about BlackCat ransomware, stating that while there appears to be a ban on attacks on the sector, ransomware gangs have previously violated their own bans on attacking healthcare organziations.
The post Up to 184,000 Clients of Lutheran Social Services of Illinois Impacted by Ransomware Attack appeared first on HIPAA Journal.