OCR closes investigation of Bizmatics, Inc. breach

In doing some of my weekly investigating, I discovered that OCR seems to have closed its investigation into the Bizmatics, Inc. breach that affected an untold number of PrognoCIS customers and their patients. At last count, I think we knew about almost 300,000 patients who were notified of an incident in which Bizmatics could not even determine whether patient records had been accessed or not. But as part of its investigation into Complete Family Foot Care’s report, OCR noted in closing its investigation:

Bizmatics, Inc., a business associate (BA) that the covered entity (CE), Complete Family Foot Care, employs for the online storage and management of its patient health records, discovered an unauthorized access to the computer servers on which the CE’s patient files were stored. The breach affected 5,883 individuals and included clinical information. Upon request of the CE, the BA provided breach notification to affected individuals and complimentary identity recovery services for individuals victimized by identity theft. The CE also provided breach notification to HHS and the media and posted substitute notice on its website. Following the breach the BA comprehensively scanned for malware and any external vulnerabilities, upgraded all anti-virus and anti-malware programs as well as system hardware and operating systems, updated server and account passwords, and revised its firewall configurations. The BA also implemented stricter password policies and initiated the installation of an active traffic-monitoring solution for its network. OCR obtained written assurances that the CE and BA implemented the corrective actions listed above.

Given that the investigation appears closed – and I do think the changes Bizmatics made sound appropriate – we may never find out how many patients, total, were notified of this incident. Did I ever mention I hate not knowing things? If anyone actually knows what the total count was for this incident, please get in touch.
Whistleblowers welcome.

Uncommon Care, PA notifies almost 14,000 patients of Bizmatics breach

Oh my. Another Bizmatics, Inc. client has only now begun notifying patients of the 2015 breach, which was discovered at the end of 2015. This time it’s Uncommon Care, PA in Texas, and they had to notify 13,674 patients. Their notice reads:

Uncommon Care, PA is committed to protecting patient information. This commitment includes notifying patients if there is a possibility that someone may have obtained access to their information. Uncommon Care uses a company called Bizmatics, Inc. to electronically store the medical information of our patients. We were informed by Bizmatics that in 2015 there had been an unauthorized access to certain electronic medical records in their custody. Bizmatics, however, could not determine that the records of Uncommon Care patients were affected. We subsequently received a letter from Bizmatics in early April, 2016 stating that even after an investigation, they could not determine that the records of Uncommon Care’s patients were accessed or acquired by unauthorized persons, or used in an unauthorized manner. We had further discussions with Bizmatics, but as of May 28, 2016, they still could not determine if the records of Uncommon Care’s patients were ever improperly accessed.

Although there is no evidence at this time that patient information, which may include name, date of birth, social security number, address, or medical diagnosis, was improperly accessed or used, in an abundance of caution we decided it was appropriate to post this notification. As an added precaution, we have arranged to have Equifax Credit Watch Silver available to provide credit monitoring for 12 months at no cost to patients. Patients who believe they may have been affected by this incident and wish to enroll in free credit monitoring should call 1-888-530-6783.

Patients may also choose to contact any one of the three major credit bureaus to have a “fraud alert” placed on your credit file and obtain a copy of your credit report. This alerts creditors of possible fraudulent activity within your report. It also requests that they contact you prior to establishing any accounts in your name. Once the fraud alert is added to your credit report, all creditors should contact you prior to establishing any account in your name. To do this, you can call one of three credit bureaus listed below:

Equifax: 1-800-525-6285; P.O. Box 740256, Atlanta, GA, or www.equifax.com
Experian: 1-888-397-3742; P.O. Box 4500, Allen, TX 75013, or www.experian.com/fraud
TransUnion: 1-800-680-7289; P.O. Box 2000, Chester, PA, or www.transunion.com

When you receive your credit reports, make sure that your personal information is accurate. If you see anything that you do not understand, call the credit bureau at the telephone number on the report. We advise you to remain vigilant by reviewing your account statements and monitoring your free credit reports. Additional information on how to prevent identity theft may also be obtained by contacting the Federal Trade Commission or the North Carolina Attorney General’s Office.

The Federal Trade Commission
600 Pennsylvania Ave., NW
Washington, DC 20580
Telephone: 1-877-382-4357
http://www.ftc.gov/

The North Carolina Attorney General’s Office
9001 Mail Service Center
Raleigh, NC 27699-9001
Telephone: 1-877-566-7226
http://www.ncdoj.gov/

We sincerely regret any inconvenience or concern caused by this incident. If you have any questions, please contact us at 1-888-530-6783.

Another Bizmatics client notifies patients of breach

We’re still learning of other Bizmatics clients who were notified that their patient data may have been acquired by criminals. Lifewellness Institute in California notified HHS this month that they had notified 2,473 of their patients of the incident. In a letter to their patients, a copy of which was kindly provided to DataBreaches.net by Lifewellness Institute, they write:

Based on information provided to us by Bizmatics, in 2015 cyber intruders installed malware into PrognoCIS. It was not discovered by Bizmatics until the end of 2015. On March 30, 2016, our office was notified by Bizmatics that our patient files were on the server accessed by the cyber-intruders. Bizmatics worked with law enforcement and a cyber-security firm on the matter but has been unable to conclude whether or not your information was actually viewed or acquired. The information stored in the server accessed by the unauthorized users includes, but is not limited to, the following: name, address, phone number, birth date, marital status, Social Security number, insurance information, as well as the charted medical history. It is always advisable to closely monitor all accounts and credit information. Because of this concern, our office has arranged for you to receive, should you so desire, free credit monitoring for one year. We urge you to utilize this service through Equifax Personal Solutions to help you protect your identity and your credit information.

Lifewellness Institute is the second entity we know of to report the Bizmatics breach to HHS this month. There are other entities for whom we have no information as yet, but who may also have been impacted. Bizmatics has never responded to inquiries from this site or other media outlets.

Yet another entity first notifying patients of Bizmatics, Inc. breach

So it appears that Bizmatics, Inc. has continued notifying entities of their 2015 breach. I stumbled across this one today from Arkansas Spine and Pain:

We have been notified by our electronic medical record vendor, Bizmatics, that cyber intruders may have installed malware on their system. Bizmatics learned of the intrusion in late 2015; however, we were notified on May 12, 2016 that our patient records were located on one of the Bizmatics servers that were affected. Bizmatics is unable to tell us whether any of our patient records have actually been accessed by any unauthorized individual. However, in an abundance of caution, we have notified all of our patients of this possibility. The Bizmatics server that houses our patient medical records and that was potentially affected by this breach contains patient names, addresses, date of birth, insurance information, social security number and clinical documentation. Again, we do not know that any of our patients’ information has been accessed. To learn how to protect yourself against identity theft, you may consult the Arkansas Attorney General’s website, which is accessible at: www.arkansasag.gov/programs/consumer-protection/my-identity

We sincerely regret that this incident occurred and we have been notified by Bizmatics that they are taking steps to further strengthen its defenses against cyberattacks, including hardening its firewall and network configurations. We have also been assured by Bizmatics that they are committed to ensuring its systems are as secure as they can be in our current environment. If you have any questions or would like additional information, please contact Mr. Ithakar Pathan at 501-227-0184, ext. 130.

This incident is not yet up on HHS’s public breach tool, so the number being notified is not known, but I’ll update this when we do get a number. But if they were first notified in May and they allude to “servers” (plural), I wonder how many more covered entities we have yet to find out about.

Update: This was reported to HHS as affecting 17,100.

ENT and Allergy Center of Arkansas notifying patients of Bizmatics security incident

Add the ENT and Allergy Center in Arkansas to the list of covered entities notifying patients of a breach involving Bizmatics, Inc. In a statement dated May 31 that is linked from their website, Stephen Cashman, M.D., states that the practice was initially notified of the incident in January, 2016. But, “At that time, Bizmatics could not conclude that our patient records were among those that were accessed and had no reason to believe that the data that was compromised had been published or shared in any public manner.”

In early April, however, Bizmatics notified the practice “that at least some of our electronic patient medical records were potentially accessed and obtained by unauthorized persons. The information contained in the records that may have been accessed included patient names, addresses, health visit information, and at least the last four digits of the patient’s Social Security number.” The unauthorized access did not include credit card numbers or financial and payment information, which are maintained on a separate system that is not related to Bizmatics or PrognoCIS.

As reported by other clients of Bizmatics, Inc., Bizmatics remains “unable to ascertain with any specificity which individual patient records, or which information within specific patient records, was specifically affected.” The incident was reported to HHS as involving 16,200 patients.

By now, approximately one quarter of a million patients have been notified by the handful of Bizmatics, Inc. clients for whom we have information. But Bizmatics, Inc. has 15,000 clients. If all of them were affected – and we do not know that, because Bizmatics, Inc. hasn’t issued any statement or answered questions – then this incident could affect well over 50 million patients. Now it may be that no patient suffers any concrete harm such as ID theft or fraud, but even just notifying all these patients and offering them credit monitoring services would likely be very costly.