Nov 16, 2018

Some 2,000 clients of Albany-based nonprofit Family Tree Relief Nursery were notified by mail Thursday that unauthorized persons had accessed the organization’s computer programs between June and August.

Executive Director Renee Smith said the organization’s computer was hacked by ransomware in late August. The incident briefly prevented staff from accessing client information.

[…]

Smith recommended that clients review their health records and billing information, as well as financial account statements, or monitor credit reports to determine any discrepancies or unusual activities.

Clients who have additional questions about the incident can contact Family Tree’s call center toll-free at 888-299-1145.

Nov 16, 2018

From Episcopal Health Services:

Episcopal Health Services recently discovered an incident that may affect the security of personal information of certain current and former patients. We take this incident very seriously and the confidentiality, privacy, and security of our information is one of our highest priorities.

What Happened? On September 18, 2018 Episcopal Health Services became aware of suspicious activity in employee email accounts. We immediately began an investigation to determine what happened and what information may have been affected. With the assistance of third party forensic investigators, we determined that certain employee email accounts were subject to unauthorized access between August 28, 2018 and October 5, 2018. These email accounts were then reviewed to determine whether they contained any protected health or personal information. On November 1, 2018, Episcopal Health Services determined that the accounts subject to unauthorized access contained protected health information of certain individuals. The types of information contained within the potentially impacted emails are: Social Security number, date of birth, financial account information, medical history information, prescription information, medical record number, treatment or diagnosis information, and health insurance information or policy number. The types of information varied by individual.

Episcopal Health Services is not aware of any reported attempted or actual misuse of any personal information as a result of this event.

What is Episcopal Health Services doing in response to this incident? Episcopal Health Services is committed to, and takes very seriously, its responsibility to protect all data entrusted to us. We are continuously taking steps to enhance data security protections. As part of our incident response, we changed the log-in credentials for all employee email accounts to prevent further unauthorized access. Since then, we have continued ongoing efforts to enhance security controls and to implement additional controls to help protect employee email accounts from unauthorized access. In an abundance of caution, we are also notifying and offering 12 months of complimentary credit monitoring to potentially affected individuals so that they may take further steps to best protect their personal information, should they feel it is appropriate to do so. We are also notifying any required federal and state regulators.

What should I do in response to this incident? Episcopal Health Services encourages you to remain vigilant against incidents of identity theft and fraud. You should review your account statements or your loved ones’ account statements for suspicious activity. If you see any unauthorized charges, promptly contact the bank or credit card company. We also recommend reviewing your credit report for inquiries from companies that you have not contacted, accounts you did not open and debts on your accounts that you cannot explain.

What can I do to protect my information?

Monitor Your Accounts.

Credit Reports. Episcopal Health Services encourages potentially impacted individuals to remain vigilant against incidents of identity theft and fraud, to review account statements, and to monitor their credit reports and explanation of benefits forms for suspicious activity. Under U.S. law, you are entitled to one free credit report annually from each of the three major credit reporting bureaus. To order your free credit report, visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228. You may also contact the three major credit bureaus directly to request a free copy of your credit report.

Security Freeze. You have the right to place a “security freeze” on your credit report, which will prohibit a consumer reporting agency from releasing information in your credit report without your express authorization. The security freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. However, you should be aware that using a security freeze to take control over who gets access to the personal and financial information in your credit report may delay, interfere with, or prohibit the timely approval of any subsequent request or application you make regarding a new loan, credit, mortgage, or any other account involving the extension of credit. Pursuant to federal law, you cannot be charged to place or lift a security freeze on your credit report. Should you wish to place a security freeze, please contact the major consumer reporting agencies listed below:

[…]

Questions regarding the incident should be directed to 1-866-775-4209, Monday through Friday from 9:00 a.m. to 6:00 p.m. Eastern Time.

Read the full notification on EHS.org. The number of patients affected was not disclosed, but perhaps it will show up on HHS’s breach tool.

Nov 16, 2018

Reading a notification that employee email accounts were hacked and customer or patient information may have been accessed is nothing particularly unusual these days. What is a bit surprising, however, is when a breached entity offers those affected five years worth of credit monitoring, remediation, and other services. And that’s exactly what HealthEquity, Inc. is doing.

According to the letter to the California Attorney General’s Office from their external counsel, the Utah-headquartered firm,

either directly or in association with employers and health plans, provides services designed to give individuals tax advantages to offset health care costs, including health savings accounts (“HSAs”), health reimbursement arrangements (“HRAs”), health flexible spending arrangements (“FSAs”), limited purpose FSAs (“LPFSAs”), and dependent care reimbursement accounts (“DCRAs”). HSAs are individual custodial accounts, and HRAs, FSAs, LPFSAs, and DCRAs are employer plans (see, e.g., IRS Publication 969).

The incident being reported involved individuals with those types of plans as well as some employees of HealthEquity, whose health plan enrollment information was potentially accessed.

According to a notification to the California Attorney General’s Office, on October 5, HealthEquity’s information security team identified unauthorized logins to two HealthEquity employees’ email accounts. One of the accounts was accessed on October 5, and the other account was accessed on various occasions between September 4, 2018 and October 3, 2018.

The investigation was unable to conclusively rule out – or rule in – whether the attacker actually accessed and viewed emails in those accounts that contained personal and/or protected health information.

HealthEquity is sending four different versions of its notification letter to individuals to match the PII that may have been exposed for the individual:

  • Recipients of Version A had an account administered by HealthEquity and may have had their name and Social Security number exposed. 3,784 California residents are being sent that type of notification.
  • Recipients of Version B had an account administered by HealthEquity and may have had their name, Social Security number, account type (HSA, HRA, FSA, LPFSA, DCRA), and employer’s name exposed. This version was drafted in conjunction with a health plan partner. 5,972 California residents are being sent this type of notification.
  • Recipients of Version C had an account administered by HealthEquity and may have had their name, Social Security number, account type (HSA, HRA, FSA, LPFSA, DCRA), and associated employer or plan exposed. This version was drafted in conjunction with a health plan partner. 11,142 California residents are being sent this type of notification.
  • Recipients of Version D are employees or former employees (and their dependents) of HealthEquity whose health plan enrollment data may have been exposed. Eight California residents are being sent this type of notification.

Apart from the approximately 21,000 California residents, the notification did not indicate how many people, nationwide, are being notified. HealthEquity provided DataBreaches.net with the following statement to address that question:

HealthEquity is committed to protecting the privacy of the individuals we serve. We sincerely regret this recent attack. While the results of our forensic investigation have found no evidence of actual or attempted misuse of the information, we are offering five years of free identity theft and credit monitoring services to all affected individuals. We are also implementing additional security protocols to help prevent this from occurring in the future. While the attack was limited to access through two Microsoft Outlook 365 email accounts and none of HealthEquity’s systems were accessed or impacted, we continue to be vigilant and proactive in protecting the personal information of the individuals we serve.

Through a third-party forensic research team, we have discovered that approximately 190,000 may have been impacted. We have begun notifying these individuals and offering 5-year credit monitoring services.

Their statement to DataBreaches.net mirrors their letter to those affected, where they write:

We are offering identity theft protection services through ID Experts®, a data breach and recovery services expert, to provide you with MyIDCareTM. MyIDCare services include: 5 years of credit monitoring, Cyberscan dark web monitoring, a $1,000,000 insurance reimbursement policy, and fully managed identity theft recovery services. With this protection, MyIDCare will help you resolve issues if your identity is compromised.

In addition, HealthEquity has set up a call center and website through ID Experts to address any questions or concerns from impacted individuals.

The letter to those affected, signed by HealthEquity President and CEO Jon Kessler, adds:

HealthEquity has adopted enhanced security practices to prevent a similar incident from occurring in the future, including the implementation of additional technical security measures and retraining and reeducation of its workforce, and is actively monitoring accounts for any suspicious activity.

[…]

We sincerely apologize for this incident and are working hard to make it right.

So far, they certainly are doing what appears to be an admirable job of being transparent and supportive.

Nov 16, 2018

From their notice:

On September 5, 2018, FHN Family Counseling Center (“FHN”) learned that a password-protected laptop was stolen out of a FHN employee’s vehicle. The employee immediately notified law enforcement, but the laptop has not yet been recovered. Upon learning of the incident, FHN immediately initiated an investigation to determine the scope of the incident and the impact on our patients. FHN determined that the laptop contained certain aspects of our patients’ personal information, which may include those patients’ name, address, date of birth, medical record number, insurance information, medical information, Social Security number and driver’s license number.

On November 2, 2018, FHN sent written notification to all potentially impacted individuals for whom we have contact information, and has arranged for complimentary identity theft protection services for those individuals whose Social Security numbers and/or driver’s license numbers were involved in the incident.

Affected individuals should refer to the notice they will receive in the mail regarding steps they can take to protect themselves. In general, we recommend, as a precautionary measure, that any impacted individuals remain vigilant to protect against potential fraud and/or identity theft by, among other things, reviewing their account statements and monitoring credit reports closely. If individuals detect any suspicious activity on an account, they should promptly notify the financial institution or company with which the account is maintained. They should also promptly report any fraudulent activity or any suspected incidents of identity theft to proper law enforcement authorities, including the police and their state’s attorney general.

Affected individuals may also wish to review the tips provided by the Federal Trade Commission (“FTC”) on fraud alerts, security/credit freezes and steps that they can take to avoid identity theft. For more information and to contact the FTC, please visit www.ftc.gov/idtheft or call 1-877-ID-THEFT (1-877-438-4338). Affected individuals may also contact the FTC at: Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, DC 20580.

FHN has a robust program in place to encrypt all laptops. We determined that, due to an isolated technical issue involving our encryption software, the specific laptop at issue was not encrypted at the time of the incident. FHN took steps to immediately re-encrypt all laptops affected by this technical issue and to re-train the employee whose laptop was stolen, as well as all employees, on safeguarding mobile devices.

FHN apologizes for any inconvenience or concern this incident might cause the affected individuals. Additional information is available via a confidential, toll-free inquiry line at 1-877-728-0077 between 8:00 a.m. and 5:00 p.m., Central Time, Monday through Friday.

According to their notification to HHS, 4,458 patients had information on the stolen laptop or were being notified of the theft.