Posts in the U.S. Category at DataBreaches.net

MA: ResiDex Software discloses ransomware incident affecting clients’ patients’ protected health information

Posted by Dissent at 3:27 pm Health Data, Malware, Subcontractor, U.S.

Jun 182019

And yet another ransomware incident. They do not disclose the number of patients who were notified about this. Of note, sounds like their recovery was pretty smooth because they were prepared.

BOSTON, June 18, 2019 /PRNewswire/ — Tenx Systems, LLC d/b/a ResiDex Software (“ResiDex”) specializes in providing software for assisted living homes, group homes, and organizations providing care for the elderly or disabled, including Youville House, Youville Place and Wingate Healthcare (collectively “the Facilities”). ResiDex recently identified and addressed a security incident that may have involved personal information and/or protected health information of the current, former or prospective residents and/or staff members of the Facilities. ResiDex began providing notice on June 7, 2019 to all individuals potentially impacted by this incident. This release describes the incident, outlines measures that ResiDex has taken in response, and advises potentially impacted individuals on steps that they may take to further protect their information.

On April 9, 2019, ResiDex became aware of a data security incident, including ransomware, which impacted our server infrastructure and took our systems offline. ResiDex immediately undertook efforts to restore its servers to a new hosting provider. Backups and other information maintained by ResiDex were used to enable near seamless restoration of security and services on the same day. Additionally, ResiDex took affirmative steps to further safeguard its software systems. ResiDex simultaneously retained a forensic investigation firm to determine the nature of the security compromise and identify any individuals whose personal information and/or protected health information may have been compromised.

The forensic investigation was unable to identify any specific individuals whose personal information and/or protected health information may have been compromised due to the complexity of the event and efforts undertaken by the perpetrators to conceal their actions. The investigation did determine that first access to ResiDex’s systems occurred on approximately April 2, 2019, with the ransomware launched on April 9, 2019.

The data security incident may have resulted in unauthorized access to protected health information, including medical records that existed on ResiDex’s software as of April 9, 2019, and/or personal information including names and social security numbers. Please note that it is entirely possible that any one individual who is/was a current, former or prospective resident or staff member of the Facilities did not have their personal information and/or protected health information compromised as a result of the incident. Nonetheless, notification has been provided to all potentially impacted individuals in an abundance of caution.

Individuals who have received a notification or who believe that they may have potentially been impacted by this incident are invited to contact (877) 347-0184 between 9:00 a.m. and 9:00 p.m. Eastern Standard Time, Monday through Friday. ResiDex and the Facilities understand the importance of protecting the protected health information and personal information maintained on its systems and deeply regrets any concern that this may have caused the potentially impacted individuals.

SOURCE Tenx Systems, LLC d/b/a ResiDex Software

Two Maryland medical practices notify patients after business associate error exposes patient information

Posted by Dissent at 2:12 pm Breach Incidents, Health Data, Subcontractor, U.S.

Jun 182019

Maryland-based Capitol Cardiology Associates (CCA) and Southern Maryland Medical Group (SMMG) are notifying patients because of an incident involving a third-party vendor/business associate.

According to their notification letters, on March 14, Meditab Software, Inc. became aware of a potential breach involving protected health information (phi). The breach may have included patients’ medical records or visit notes (diagnosis and treatment), patient names, addresses, dates of birth, and phone numbers.

Meditab reportedly identified the duration of the potential data breach to be between January 9, 2019 and March 14, 2019. Meditab also explained how the incident occurred. As described by CCA and SMMG:

Meditab has notified us that the incident involving PHI was an issue with a certain portal that allowed Meditab to view statistics for its Fax Cloud services. This analytics platform maintained statistics on all faxes sent but did not have any images directly on the server. However, as the fax was being transmitted, a link to the fax image on a separate and secure server was temporarily available until the fax sent confirmation was received. Once the fax was sent, this link was no longer active. This portal was intended for Meditab use, only, and initially was deployed with username/password authentication in place. However, on January 9, 2019, this authentication was removed without authorization by one of Meditab’s programmers.

Meditab reportedly found that a limited number of faxes were discoverable until the time the incident was reported.

The entities somewhat understandably view this incident as resulting in a low risk of any harm to patients, further explaining:

While the analytics portal was not searchable or crawlable on any search engines, if the portal was found, any faxes that were discoverable would have to be accessed individually in a separate window in order to download or print.

Both entities have posted copies of their notification letters on their web sites and have reported the incident to HHS. CCA is notifying 1980 patients, while SMMG is notifying 1400 of its patients.

DataBreaches.net contacted Meditab Software to inquire as to how many other clients or how many patients, total, have been notified of this incident, but did not receive an immediate response.

NY: Cyber attacks cripple Olean Medical Group, possibly Seneca Nation Health System

Posted by Dissent at 10:13 am Health Data, U.S.

Jun 182019

Bob Clark reports:

Hackers attempting to ransom the computer systems at Olean Medical Group on Friday did not access records for 40,000 patients, group officials reported Monday.

In a faxed press release sent Monday, OMG officials noted the group is still seeing patients, even if charting is being completed by pen and paper instead of computer as the group recovers from the attack.

A similar situation appears to exist with the Seneca Nation Health System, with OMG officials reporting it is the same type of attack they experienced. The SNHS website also reported the computer system is down.

Read more on Olean Times Herald. The notice on SNHS’s site says that no patient information has been compromised, which does sound like a ransomware incident if no data was accessed but was locked up.

Thousands of medical injury claim records exposed by ad agency

Posted by Dissent at 8:37 am Business Sector, Commentaries and Analyses, Exposure, Health Data, U.S.

Jun 182019

Zack Whittaker reports:

An internet advertising company specializing in helping law firms sign up potential clients has exposed close to 150,000 records from a database that was left unsecured.

The database contained submissions as part of a lead-generation effort by X Social Media, a Florida-based ad firm that largely uses Facebook to advertise various campaigns for its law firm customers.

Read more on TechCrunch. It’s another could-have-awful-consequences exposure situation. And not surprisingly, the researchers who found it throw in references to HIPAA, although further down in their report, they acknowledge that x Social Media is not covered by HIPAA.

Throwing in references to HIPAA doesn’t help if HIPAA doesn’t apply — even though the public may want the standards of security and privacy to be upheld in the business sector. What would have been more on point for vpnMentor to mention would be any privacy policy for x Social Media or assurances about data security that may have been violated.

Think FTC, not HHS, folks.

Breaches have consequences: AMCA files Chapter 11

Posted by Dissent at 7:41 am Business Sector, Hack, Health Data, Of Note, U.S.

Jun 182019

Jeremy Hill of Bloomberg reports:

Retrieval-Masters Creditors Bureau Inc., whose business was blamed for a large-scale data breach that affected millions of Quest Diagnostics Inc. customers, filed for Chapter 11 protection, citing fallout from the security issue.

The company, which collects patient receivables for medical labs under the name American Medical Collection Agency, listed assets and liabilities of as much as $10 million in its bankruptcy petition filed in the Southern District of New York. It’s aiming to liquidate, the company said.