Reported Data Breaches at Vanderbilt University Medical Center, Tift Regional Medical Center, and City of Dallas

OCR Investigates Vanderbilt University Medical Center Over Disclosure of Transgender Patients’ Health Data

The Department of Health and Human Services’ Office for Civil Rights (OCR) is investigating Vanderbilt University Medical Center (VUMC) over the disclosure of transgender patients’ health data to Tennessee Attorney General Jonathan Skrmetti. VUMC furnished the health data of transgender patients to AG Skrmetti after receiving civil investigative demands for the information in relation to an investigation into a possible medical billing scam. VUMC recently mailed notification letters to the impacted patients concerning the disclosure of their data, which was given to AG Skrmetti in December 2022.

The HIPAA Privacy Rule allows, but does not require, healthcare companies to share patients’ health records for law enforcement purposes in certain instances, for example in response to an administrative request when the data requested is relevant and material to a legitimate law enforcement inquiry. VUMC and AG Skrmetti state that the disclosures were lawful. AG Skrmetti said the data were requested as part of an investigation he was involved in. The investigation was started in September 2022 after a VUMC physician publicly described having altered medical billing codes to avoid insurance limits on gender-related treatments.

Many members of the LGBTQ+ community have condemned the health data disclosures. AG Skrmetti and other government bodies in Tennessee have shown a hostile attitude toward the rights of transgender persons, and a government appeals panel recently signed state legislation banning puberty blockers and hormone therapy for transgender youth. There are concerns that the disclosed data could be used against the patients. Two patients recently filed a lawsuit against VUMC over the disclosures, claiming that AG Skrmetti obtained the data of 106 patients. Given the attitude of state regulators toward transgender rights, the plaintiffs think VUMC ought to have provided de-identified information, that is, patient information containing no personally identifiable information.

The Chief Communications Officer of VUMC, John Howser, recently stated that VUMC is assisting OCR with a civil rights investigation involving the disclosures, but he gave no further details because the investigation is in progress.

August 2022 Cyberattack on Tift Regional Medical Center Patients

Tift Regional Medical Center, located in Georgia, has begun informing 180,142 patients about the compromise of their personal and protected health information (PHI) in a cyberattack that was discovered on or about August 16, 2022. According to the breach notification letters, no systems were encrypted, the electronic medical record system was not accessed, and the network stayed accessible to employees and patients. The forensic investigation of the incident showed that files were or could have been viewed or copied without permission from August 11, 2022 to August 17, 2022. The attack was conducted by the Hive ransomware group, which was subjected to a law enforcement takedown in January 2023. The Hive group stated that it stole 1TB of data during the attack and released some data on its data leak website.

The impacted patients were advised that the records included names, birth dates, Social Security numbers, and health data. Free credit monitoring services were provided for one year. The HIPAA Breach Notification Rule mandates the issuance of notifications within 60 days after discovering a data breach. HHS was notified promptly (October 14, 2022) with a provisional total of 500 breached records, since it was not yet known at the time how many individuals were impacted. Individual notices are likewise required within that time frame. Tift Regional Medical Center gave no explanation in the breach notification letters for the delay in mailing them.

Health Plan Member Records Exposed in the City of Dallas Ransomware Attack

The city of Dallas experienced a ransomware attack on May 3, 2023, that affected a number of its IT systems and websites. Online services were inaccessible for a couple of days, and a few IT systems throughout all networks remained out of service for a number of weeks after the attack. According to reports, the city has paid about $8.6 million for software, hardware, incident response, and consulting services in response to the Royal ransomware attack. The city recently informed the HHS’ Office for Civil Rights about the theft of the PHI of 30,253 members of its self-insured group health plans during the attack, which includes names, Social Security numbers, addresses, and medical data.

Confirmed Clop Hacking Group’s MOVEit Transfer Hacks

The HIPAA-covered entities listed below have recently confirmed being impacted by the MOVEit Transfer hacks carried out by the Clop group at the end of May 2023. The group exploited a zero-day vulnerability in Progress Software’s file transfer solution, stole data, and issued ransom demands.

United Healthcare Services, Inc., MN, reported that 398,319 individuals were affected during an attack on United Healthcare Services. Data exposed included name, birth date, email address, address, telephone number, plan ID number, policy details, student ID number, Social Security number or national ID number, and claim details, such as claim numbers, provider data, dates of service, prescription details, and financial details associated with claims. Credit monitoring and identity theft protection from Norton LifeLock were provided for two years.

VNS Health Plans, NY, reported that 103,775 individuals were affected during an attack on VNS Health Plans’ claims processing vendor, TMG Health Inc. The data exposed included name, email address, mailing address, phone number, birth date, Social Security number, member ID, Medicaid and/or Medicare number, benefit and subsidy details, billing data, medical claims details, dates of service, and healthcare provider name and area of expertise. Personal identity and privacy protection services were provided by IDX for one year.

Vecino Health Centers, TX, reported being affected by an attack on Harris Health, although there is no information yet on the number of individuals affected. Exposed information included names, birth dates, and prescription date(s). There was no mention of credit monitoring in the substitute breach notice.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of the HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone