
EHR Vendor QRS Faces Lawsuit After Cyberattack Exposed Nearly 320,000 Patients' Information


QRS, a healthcare technology firm that offers EHR services, is now facing a class-action lawsuit over a data breach that reportedly exposed the health and private details of 319,778 current and former patients last summer.

The lawsuit was filed on Jan. 3 in the U.S. Eastern District Court of Tennessee by plaintiff Matthew Tincher, a Kentucky resident who was one of the victims of the data breach. In the complaint, he alleged that the data exfiltration could have been mitigated if QRS had adequately guarded the patients' health information in its possession. Additionally, the firm took two months to notify affected individuals of the data exposure.

Last year in November, QRS reported that an unauthorized third party accessed one QRS dedicated patient portal server for three days in August and potentially obtained critical data, including Social Security numbers, patient identification numbers, portal usernames, names, addresses, birth dates, and medical treatment information. The lawsuit identifies the client as Lexington Heart Specialists in Kentucky.

According to the Health Insurance Portability and Accountability Act (HIPAA) breach notification on the EHR vendor's website, QRS immediately took the server offline, notified law enforcement, and conducted an investigation.

“Upon information and belief, based on the criminal hacking activity that targeted Plaintiff’s and Class Members’ Sensitive Information, the time frame of the breach over three days, and Plaintiff Tincher’s experience of actual identity theft shortly after the breach, it is more likely than not that his Sensitive Information was exfiltrated and stolen during the Data Breach,” the lawsuit claimed. 

The suit argues that QRS should have prevented the data breach by implementing cybersecurity measures recommended by the U.S. government, including a training program for workers; strong spam filters; firewall configurations that block access to known malicious IP addresses; patches for operating systems, software, and firmware; regular automatic scans with anti-virus and anti-malware programs; and properly configured access controls. 

The healthcare firm is accused of negligence and/or recklessness, as well as of violating HIPAA and other federal and state regulations. The lawsuit argues that the two-month wait to inform patients placed them at greater risk of identity theft; it should be plainly noted, however, that HIPAA requires covered entities and business associates to report breaches within 60 days of discovery, a deadline QRS met.

Lastly, the lawsuit raises concerns about the health data still in QRS's possession, which it says "remains unencrypted and available for unauthorized third parties to access and abuse." As long as QRS "fails to undertake appropriate and adequate measures to protect" it, the data remains at risk.

As a result, the victims are seeking injunctive relief, including a court order requiring QRS to implement and maintain "a comprehensive information security program designed to safeguard the confidentiality and integrity of the PII and PHI of plaintiff and class members."

400,000 Planned Parenthood Patients' Personal Information has been Leaked


According to the Washington Post, Planned Parenthood sent letters to around 400,000 patients earlier this week warning them that some of their personal information had been compromised in a cyberattack. Patients' names, as well as "one or more of the following: address, insurance information, date of birth, and clinical information, such as diagnosis, procedure, and/or prescription information," were stolen, according to the healthcare provider. 

According to the statement, staff members initially discovered unusual activity on the organization's computer network on October 17th. Planned Parenthood Los Angeles shut down its networks, alerted authorities, and hired a third-party cybersecurity firm to assist in the investigation. According to the statement, a hacker gained access to the healthcare provider's network between Oct. 9 and 17, installed "malware/ransomware," and took some files from the system.

According to Planned Parenthood spokesperson John Erickson, the data leak was limited to the Los Angeles facilities. That's a total of 21 locations, with patients from Beverly Hills to Burbank and Compton affected. “We take safeguarding patients’ information extremely seriously, and have taken steps to address this incident,” Erickson said. “Our focus now is on notifying and supporting those patients whose information was involved in this incident.” 

In a letter to patients, Planned Parenthood compliance officer Kevin Oliver stated, "At this time, we have no evidence that any information implicated in this incident has been exploited for fraudulent purposes." Nonetheless, out of an abundance of caution, Oliver advised all patients affected by the incident to pay closer attention to "statements you get from your health insurer and health care providers." 

According to the statement, the incident was limited to Planned Parenthood Los Angeles and did not affect any other affiliates. Although the purpose of the hack is unknown, Planned Parenthood has previously been the victim of politically motivated cyberattacks. More than 300 Planned Parenthood Federation of America employees' names and email addresses were exposed on a private website run by a group of hackers known as 3301.

The incident happened as Planned Parenthood was mired in controversy over a series of carefully altered undercover videos released by an anti-abortion group accusing the organization of profiting illegally from the sale of foetal parts for medical research. Planned Parenthood condemned the videos as misleading, and investigations in a dozen states found no evidence of wrongdoing by the organization.

CaptureRx Ransomware Hit Multiple Healthcare Provider Clients


CaptureRx, a world-leading San Antonio-based healthcare technology organization, has recently suffered a ransomware attack in which hackers accessed the protected health information of its customers' patients.

The organization provides its services to around 500 hospitals and health centers in over 45 states via an independent pharmacy network together with other independent, local, and national pharmacies; the company is a TX-based 340B solution provider.

The company discovered the attack on February 19 earlier this year and confirmed that an unauthorized group had gained access to its systems and stolen files belonging to around 24,000 individuals. The files contain sensitive patient information, including first and last names, dates of birth, prescription information, and medical record numbers.

Once the attack was detected, the firm began reviewing the affected files, a review that was completed on March 19, 2021. In the wake of the incident, the firm notified all affected healthcare provider clients between March 30 and April 7, 2021.

Prompted by the attack, the firm has revised its system policies and procedures and is giving additional training to its workforce in order to reduce the likelihood of similar attacks in the future.

However, at the moment, the organization has not provided any further technical details on the breach, such as how many of its healthcare provider clients were affected. Nevertheless, HIPAA Journal has reported a short list of affected clients, including:

• Thrifty Drug Stores (Thrifty White) – number of patients currently unknown.
• The Mohawk Valley Health System affiliate, Faxton St. Luke’s Healthcare in New York – 17,655 patients. 
• Randolph, VT-based Gifford Health Care – 6,777 patients. 

CaptureRx also reported that its investigation uncovered no evidence of any actual or attempted misuse of the stolen data. Affected individuals are nevertheless advised to monitor their bank accounts for any fraudulent activity.