[BreachExchange] American Medical Tech Reports 2019 Email Hack Impacting 47K Patients

[Destry Winant]

https://healthitsecurity.com/news/american-medical-tech-reports-2019-email-hack-impacting-47k-patients

June 30, 2020 - California-based American Medical Technologies (AMT),
a healthcare supplier, recently began notifying 47,767 patients that
their data was potentially breached after a hack of an employee email
account in 2019.

On December 17, 2019, AMT officials first detected suspicious behavior
occurring within one employee email account. An investigation was
launched with assistance from a third-party forensics team, which
included a data mining process.

Five months later, the investigation revealed personal information was
potentially accessible to the attacker during the security incident.
AMT will provide impacted patients with free credit monitoring
services.

The notification did not detail just what patient information was
contained in the impacted account. But it’s important to note that
under HIPAA, covered entities have just 60 days from the time of
breach discovery to report incidents impacting over 500 patients.

AMT has since reviewed the security of its email systems with
assistance from two information security vendors and made improvements
based on those recommendations. The vendor has also implemented
security improvements to its web server infrastructure.

MISSOURI COUNTY HEALTH CENTER INVESTIGATES COVID-19 DASHBOARD LEAK

Clay County Health Center in Missouri is investigating a reported data
leak from its COVID-19 dashboard, after some patients claimed to have
been able to access a spreadsheet containing personally identifiable
information, including positive COVID-19 cases, according to local
news outlet ABC KMBC 9 News.

An individual sent the news team an apparent screenshot of the
dashboard, which showed 44 alleged entries from the screenshot,
including names, contact information, ages, and ethnicities, as well
as confirmed cases of COVID-19.

About one-third of those entries appeared to be from the Pleasant
Valley Manor Care Center, which has a known COVID-19 outbreak.

“Clay County Public Health Center takes any potential violation of
HIPAA very seriously,” Clay County Public Health Center spokeswoman
Kelsey Net, said in a statement. “When we learned there was the
possibility of a problem existing, we immediately disabled access to
the dashboard.”

“Some sections of information that were previously available have been
removed from the dashboard until the situation can be fully
investigated,” she added. “We’re following HIPAA standards and
currently have our HIPAA Privacy Officer and HIPAA Security Officer
thoroughly investigating the matter.”

It’s currently unknown how long the site issue occurred, or when it began.

CHOICE HEALTH MANAGEMENT REPORTS BREACH FROM 2019

Choice Health Management Services in North Carolina is just now
notifying an undisclosed number of patients, employees, and other
associated third parties that their personal and health information
was potentially breached after a hack on several employee email
accounts in 2019.

According to the notice, officials first discovered suspicious
activity in certain employee email accounts sometime in late 2019.
Upon discovery, the account access was blocked, and user credentials
were changed.

On January 17, 2020, the investigation confirmed a hacker accessed
those accounts, but could not determine just what emails and
attachments were subjected to the unauthorized access.

A review was then launched with help from a third-party team to
determine the information contained in the compromised accounts, which
concluded on March 27 that the impacted accounts indeed held personal
health information.

“However, since the vendor was unable to link a large number of the
individuals to the facility where the individuals sought treatment,
Choice Health Management Services began a review of its internal
records to determine this information so notice could be provided to
the appropriate facility,” officials said in a statement.

“On May 12, 2020, Choice Health Management Services completed its
internal review and determined which individuals received care from a
facility associated with Choice Health Management Services.  On April
16, 2020 and again on May 22, 2020, Choice Health Management Services
notified facilities about the event and requested permission to
provide patients and residents with notice, which was subsequently
granted.”

Officials were able to determine the potentially compromised data
varied by patient and could include names, Social Security numbers,
driver’s licenses, passport numbers, credit cards, financial
information, employer identification numbers, email addresses and
credentials, diagnostic or treatment information, dates of service,
providers, patient numbers, surgical information, and other sensitive
data.

On June 23, Choice Health began notifying patients of the potential
data breach. Officials said they’ve since rebuilt the impacted
computer to eradicate a potential virus or malware, as well as
reviewed the privacy policies and procedures and implemented
additional security safeguards.

RANSOMWARE ATTACK HITS FLORIDA ORTHOPAEDIC INSTITUTE

An undisclosed number of patients are being notified by the Florida
Orthopaedic Institute (FOI) of a potential patient data breach, after
a recent ransomware attack.

First discovered on or about April 9, the ransomware encrypted the
data stored on the servers of FOI. The system was quickly secured, as
officials worked to restore the impacted data and investigate with
help from a third-party forensics investigator.

The investigation concluded on May 6 that patient data was potentially
exfiltrated or accessed during the cyberattack. The impacted data
varied by patients and could include names, contact details, Social
Security numbers, dates of birth, insurance plan identification
numbers, claims addresses, FOI claims histories, diagnosis codes,
payer identification numbers, payment amounts, and physician
locations.

All affected patients will receive free identity monitoring.

CHI ST. LUKE’S HEALTH MEMORIAL LUFKIN EMAIL HACK

A hack of several employee email accounts at CHI St. Luke’s Health
Memorial Lufkin potentially compromised some patient information.

The potential compromise was uncovered during an investigation into a
security event involving one of the provider’s servers on March 25.
Officials said they reset passwords across the enterprise and launched
an internal investigation with its threat management team and outside
vendors.

The affected data included patient names, diagnoses, dates of service,
and facility account numbers. The investigation did not find evidence
to confirm the data was viewed or obtained during the hack, which
occurred on April 23.

“The investigation included engaging forensic experts, interviewing
employees, reviewing data and access logs, conducting threat
intelligence analysis, and reviewing various data file types in order
to determine what, if anything, had happened,” officials said in a
statement.

“The patients’ electronic health records were not involved,” they
added. “CHI St. Luke’s Health-Memorial Lufkin has taken steps to
confirm that its network remains secure, and it is continuing to work
with law enforcement and forensic experts.”

CHI St. Luke’s has since replaced and upgraded its hardware, made
software changes, and improved processes for accessing the network.