Data Brokers and Health Apps Investigated Because of Privacy Practices

The House Committee on Oversight and Reform has announced an investigation into how data brokers and health app providers collect and sell individuals' personal reproductive health information. The investigation was prompted by the Supreme Court decision overturning Roe v. Wade; committee members are concerned that the personal information of people receiving reproductive healthcare services could be abused.

The Chairwoman of the Committee on Oversight and Reform, Rep. Carolyn B. Maloney, the Chairman of the Subcommittee on Economic and Consumer Policy, Rep. Raja Krishnamoorthi, and Rep. Sara Jacobs sent a letter to five data brokers (Digital Envoy, SafeGraph, Placer.ai, Babel Street, and Gravy Analytics) and five health app providers (Flo Health, BioWink, Digitalchemy Ventures, Glow, and GP International) asking for documentation regarding how personal reproductive care data is collected and sold.

Large amounts of personal information are currently being gathered and sold, frequently without individuals' knowledge. The data is used to deliver targeted ads and for other purposes. There is a concern that the gathering and sale of this data might endanger the health, security, and privacy of U.S. citizens and healthcare companies.

Collecting sensitive information can pose serious risks to those receiving reproductive care and to the providers of that care, not only through invasive government surveillance but also by exposing people to harassment, intimidation, or violence. Geographic information obtained from mobile phones could be used to locate individuals seeking care at hospitals, and search and chat history mentioning clinics or prescription medication creates digital breadcrumbs that disclose an interest in abortion.

The Committee members cited a research study published in JMIR entitled “Privacy, Data Sharing, and Data Security Policies of Women’s mHealth Apps: Scoping Review and Content Analysis,” which found that 20 of the 23 most popular women’s health applications, including reproductive health applications, were giving user information to third parties, although only 52% of those applications obtained permission from users. The study found that many women’s mHealth applications had poor data privacy, sharing, and security standards.

Information from health applications, particularly period trackers, could be used to identify women who have had abortions. Data brokers have been found to sell users’ location information, including the location information of people who visited healthcare clinics offering abortions. Google recently announced that it will further strengthen privacy protections by automatically deleting location information from Google accounts relating to visits to healthcare providers that offer sensitive healthcare services; however, Google is not the only company that logs location information.

The data brokers and health application companies have until July 21, 2022 to respond and provide the requested information.

Patient Data Breach at VCU Health and Cheyenne Regional Medical Center

Virginia Commonwealth University Health System (VCU Health) detected a long-running privacy violation that possibly began on January 4, 2006. According to the substitute breach notification posted on the VCU Health website, transplant donor data was included in the health records of some transplant recipients. Transplant recipient data was also contained in the medical files of transplant donors.

Whenever recipients, donors, or their representatives logged into the patient portal to see their medical files, they could have viewed the data of the donor or recipient. It is also likely that the data was given to persons who requested a copy of their health data. In every case, the compromised data wasn’t available to the public, just to particular transplant recipients and donors.

VCU Health detected the privacy breach on February 7, 2022. The subsequent investigation confirmed that more data might also have been accessible, including names, laboratory data, date(s) of service, medical record numbers, Social Security numbers, and/or birth dates.

Impacted persons were notified by mail, and those whose Social Security numbers were exposed were offered free credit monitoring services. Steps were also taken to enhance privacy protections and prevent similar incidents in the future. VCU Health stated a total of 4,441 transplant donors and recipients were impacted.

Snooping on Patient Records by Cheyenne Regional Medical Center Employee

Cheyenne Regional Medical Center (CRMC) discovered that a former employee had been viewing the health records of patients without authorization for about two years. The former employee was allowed access to patient records to carry out her work responsibilities but had been viewing patient files for reasons unrelated to her job.

A former co-worker reported the privacy violation after the snooping employee transferred to another department within the medical center. The internal investigation of the incident confirmed that the files of around 1,600 patients were accessed without authorization from Aug. 31, 2020 to May 26, 2022.

Gladys Ayokosok, compliance director of CRMC, said no evidence was found to suggest the former employee copied or further disclosed any patient data. Affected persons have already been notified about the HIPAA violation by the employee. The following types of data were potentially viewed: names, birth dates, Social Security numbers, medical record numbers, dates of service, diagnoses, and treatment data.

Ayokosok stated that the access continued undetected for a very long time because the former employee had previously worked with the electronic health record company. To identify any future incidents of snooping, the IT department has developed an audit record, which will enable the IT team to know whether employees accessed records an abnormal number of times, find out the reasons that employees are accessing patient data, and check that there is a legitimate reason for viewing patient information.
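The two checks that audit record is meant to support (abnormal access volume and a missing legitimate reason) can be sketched as follows. This is an added example, not CRMC's system or code from the original article; the log fields, reason codes, user names, and thresholds are assumptions, and the sample rows are constructed.

```python
import statistics
from collections import defaultdict

# Reason codes accepted as a work-related justification (assumed values).
VALID_REASONS = {"treatment", "billing", "scheduling"}


def build_sample_rows():
    """Constructed audit rows (not real data): four typical users and one
    user who opens far more charts than peers, mostly without a reason."""
    rows = []
    typical = {"nurse_a": 4, "nurse_b": 5, "nurse_c": 3, "nurse_d": 5}
    for user, n in typical.items():
        for i in range(n):
            rows.append({"user": user, "patient_id": f"{user}-P{i}",
                         "reason": "treatment"})
    for i in range(40):
        rows.append({"user": "clerk_x", "patient_id": f"X-P{i}",
                     "reason": "billing" if i < 5 else ""})
    # A repeat view of an already-seen chart, logged with a non-accepted reason.
    rows.append({"user": "nurse_b", "patient_id": "nurse_b-P0", "reason": "other"})
    return rows


def distinct_patients_per_user(rows):
    """Count how many different patient charts each user opened."""
    seen = defaultdict(set)
    for r in rows:
        seen[r["user"]].add(r["patient_id"])
    return {user: len(patients) for user, patients in seen.items()}


def volume_outliers(counts, k=5.0, floor=10):
    """Flag users whose chart count is far above the peer median.

    Median and MAD are used instead of mean and standard deviation so that
    one heavy user does not inflate the baseline they are compared against.
    `floor` avoids flagging trivial differences when every count is small.
    """
    values = list(counts.values())
    if not values:
        return {}
    med = statistics.median(values)
    mad = statistics.median([abs(v - med) for v in values])
    threshold = max(med + k * 1.4826 * mad, floor)
    return {user: c for user, c in counts.items() if c > threshold}


def unjustified_per_user(rows):
    """Count accesses whose recorded reason is missing or not accepted."""
    out = defaultdict(int)
    for r in rows:
        if r["reason"].strip().lower() not in VALID_REASONS:
            out[r["user"]] += 1
    return dict(out)


def review_queue(rows):
    """Combine both checks into a list for the compliance team to review."""
    counts = distinct_patients_per_user(rows)
    outliers = volume_outliers(counts)
    unjustified = unjustified_per_user(rows)
    queue = [
        {
            "user": user,
            "distinct_patients": counts[user],
            "volume_outlier": user in outliers,
            "unjustified_accesses": unjustified.get(user, 0),
        }
        for user in set(outliers) | set(unjustified)
    ]
    # Volume outliers first, then by number of unjustified accesses.
    queue.sort(key=lambda e: (not e["volume_outlier"],
                              -e["unjustified_accesses"], e["user"]))
    return queue


if __name__ == "__main__":
    for entry in review_queue(build_sample_rows()):
        print(entry)
```

A flag here is a prompt for human review, not a finding: a single repeat view with an unaccepted reason code lands in the queue alongside the user who opened 40 charts.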

Individuals Affected by Benefit Plan Administrators, The People Concern and Advocates Inc. Security Breaches

Benefit Plan Administrators Inc., based in Roanoke, VA, recently notified 3,775 people that an unauthorized person gained access to its system and extracted files containing some of their protected health information (PHI). The breach notification letters do not say clearly when the breach happened; however, the forensic investigation finished on March 15, 2022. Affected individuals received the notification letters on or about June 15.

Benefit Plan Administrators said the files extracted from its systems contained the following types of data: full names, addresses, birth dates, Social Security numbers, gender, claims details, prescription drug data, and health diagnosis/conditions data. The HHS’ Office for Civil Rights received four separate breach reports. Affected employees include those of Williamson Employment Services, Inc., and Alpha Natural Resources Non-Union VEBA Trust.

No evidence was found to indicate misuse of any of the extracted data. Free credit monitoring services were offered to the impacted persons. Benefit Plan Administrators stated that its IT department implemented additional security measures to prevent similar incidents in the future.

Email Accounts Breach at The People Concern

The People Concern, a homeless services organization based in Los Angeles, CA, has discovered that an unauthorized third party accessed the email accounts of a number of its employees. The accounts contained the sensitive data of community members, including birth dates, Social Security numbers, medical insurance details, and medical data relating to care received via its programs.

The security breach was discovered when suspicious activity was seen in the email accounts. The investigation revealed that unauthorized persons accessed the accounts at different times from April 6, 2021 to December 9, 2021.

Because of the breach, The People Concern improved its email security measures and offered the affected persons a free one-year membership to an identity theft protection and resolution service. It is presently uncertain how many people were affected.

More Individuals Affected by Advocates Inc. 2021 Data Breach

In January 2022, Advocates Inc., based in Framingham, MA, began notifying people impacted by a cyberattack that compromised its system from September 14, 2021 to September 18, 2021. The incident was at first thought to have impacted 68,236 persons; however, the investigation later confirmed that more people were impacted. The analysis of the affected files continued until June 9, 2022, and more notifications were sent to impacted persons on June 28, 2022. It is presently uncertain how many more people were affected.

PHI Exposed in 3 HIPAA-Covered Entities’ Data Breaches

Texas Tech University Health Sciences Center has announced the compromise of the protected health information (PHI) of 1,290,104 patients because of a data breach that occurred at Eye Care Leaders, its electronic medical record vendor.

Eye Care Leaders stated it identified a security breach on Dec. 4, 2021, and shut down the affected systems within 24 hours. Texas Tech University Health Sciences Center said it received the findings of the forensic investigation on April 19, 2022. The compromised files contained the following data elements: name, phone numbers, physical address, email, gender, date of birth, driver’s license number, health insurance details, medical record number, appointment data, Social Security number, and medical data associated with ophthalmology services. No evidence of data theft was found.

In the last few weeks, the number of eye care providers known to have been impacted by the Eye Care Leaders data breach has been growing. At least 23 eye care companies have said they have been affected, and the PHI of about 2 million individuals is known to have been exposed.

PHI of 1.24 Million Baptist Health Patients Potentially Exposed in a Cyberattack

Baptist Health has recently begun notifying patients about a cyberattack, identified on April 20, 2022, that involved malicious code installed on its network. According to the announcement, an unauthorized individual had access to some Baptist Health systems between March 31 and April 24, 2022. During that period of access, some information was removed from its systems.

When the breach was discovered, user access was suspended, the breached systems were removed to prevent further unauthorized access, and cybersecurity measures were implemented. The parts of the system that were accessed held the data of patients of Baptist Medical Center in San Antonio and Resolute Health Hospital in New Braunfels, Texas, and contained names, dates of birth, addresses, medical insurance details, medical record numbers, dates of service, provider and facility names, chief complaint/reason for visit, consultation procedures and diagnosis data, Social Security numbers, and billing and claims details.

Baptist Health stated it is enhancing its security and monitoring functions to lessen the chance of further data breaches. People have already been alerted and those whose Social Security numbers were possibly compromised have received complimentary credit monitoring and identity protection services.

Baptist Health has submitted the breach report to the HHS’ Office for Civil Rights indicating that 1,243,031 persons were impacted.

Medical Record Breach Reported by Santa Barbara County Department of Behavioral Wellness

Santa Barbara County Department of Behavioral Wellness in California has recently announced that a staff member accessed the medical records of patients without authorization. The department detected the unauthorized access on March 30, 2022, after it implemented a new security system for identifying unauthorized medical record access, which quickly flagged the HIPAA breach.

The employee's access to the health record system was terminated immediately pending an investigation, and the staff member was subject to appropriate disciplinary measures. The information accessed by the employee included names, telephone numbers, addresses, email addresses, Social Security numbers, insurance details, medical data, and medical record numbers. No evidence was found to suggest that any patient details were printed, sent externally, or written down. The department said it will conduct additional security audits in the future and will be upgrading client outreach processes to prevent any recurrence.

The department already sent breach notification letters to all affected people. The breach isn’t yet listed on the HHS’ Office for Civil Rights web page, therefore it is uncertain how many people were impacted.

University of Pittsburgh Medical Center Paid $450,000 to Resolve Data Breach Lawsuit

University of Pittsburgh Medical Center has agreed to settle a class action data breach lawsuit. It will set aside $450,000 to cover claims from individuals who sustained losses because of the theft and misuse of their protected health information (PHI).

The data breach impacted roughly 36,000 individuals. An unauthorized third party viewed and stole their protected health information between April 2020 and June 2020. The breach took place at Charles J. Hilton PC (CJH), UPMC’s legal counsel, which provided billing-related services. The exposed records were located in the provider’s email system and comprised names, dates of birth, Social Security numbers, financial details, ID numbers, signatures, insurance data, and medical records. The data breach was identified in June 2020; nonetheless, notification letters were sent to affected persons only in December 2020.

Though many speculative lawsuits are filed against healthcare organizations and their business associates over the compromise of patient information, in this instance the plaintiff was defrauded immediately after the breach as a result of his data being stolen in the breach at CJH. The hacker opened an Amazon credit card account in his name. The plaintiff reported he had to spend a substantial amount of time dealing with the misuse of his personal information and PHI. The lawsuit claimed UPMC and CJH failed in their duty to secure patient records and hadn’t implemented reasonable and appropriate safeguards to protect patients' private details.

UPMC and CJH did not admit any wrongdoing or liability but decided to resolve the case. Under the terms of the settlement, class members can submit a claim for $250 in cash as payment for documented out-of-pocket costs associated with the security breach and can file claims for around $2,500 to recover fraudulent charges and expenses linked to identity theft, in addition to $30 for undocumented time spent dealing with the breach. 12 months of free credit monitoring, identity theft, and dark web monitoring services will also be given to class members. Claims need to be submitted on or before September 3, 2022.

In 2021, UPMC resolved a long-running lawsuit by paying $2.65 million. The lawsuit was submitted on behalf of 27,000 staff members impacted by a data breach in February 2014.

Meta Faces Lawsuit due to the Scraping of Patient Records from Hospital Web Pages

Meta is facing a lawsuit alleging the social media company is knowingly obtaining patient data from hospital web pages by means of the Meta Pixel tracking tool, and as a result has violated the privacy of millions of individuals.

The lawsuit was filed in the U.S. District Court for the Northern District of California and alleges violations of state and federal laws relating to the acquisition of patient details without permission. Last week, a report by The Markup and STAT on research into the 100 leading hospitals in the U.S. showed that a third used the Meta Pixel code on their sites. The Meta Pixel tool is a snippet of JavaScript code that is used to track visitor behavior on websites, for example, the buttons visitors click and the choices they pick from dropdown menus. If the tool is integrated into healthcare organizations’ websites, it can send protected health information (PHI) to Meta/Facebook, for instance, the IP address, when a patient has booked an appointment, and any details selected from menus, such as the health condition the appointment is about.

The study found 7 hospital systems that had integrated Meta Pixel into their password-protected patient portals, where the tool was transferring sensitive information such as patient ailments, which may be connected to the patients by means of their IP addresses. The research found no evidence that Meta had signed a business associate agreement with the healthcare providers. Nor had the medical centers and healthcare networks that used Meta Pixel obtained permission from patients to disclose their information to Meta.

The lawsuit was filed on behalf of patient John Doe, who is a Facebook user and a patient of Maryland-based MedStar Health System. The plaintiff stated he uses the patient portal for booking appointments, sending messages to providers, and checking laboratory test results, and didn’t authorize the sharing of data with Meta/Facebook. MedStar Health said all patient details are safe and it doesn’t use any Facebook/Meta technology on its web pages. According to the lawsuit, at least 664 healthcare systems in America have incorporated the Meta Pixel tool into their sites, which transmits sensitive information to Meta.

Meta states on its site that whenever its signals filtering process finds Business Tools data that is classified as likely sensitive health-related data, the filtering system is designed to keep that information from being ingested into its ads ranking and optimization models. Nonetheless, the lawsuit asserts that despite knowingly obtaining health-related data from medical companies, Facebook failed to do anything to enforce or verify its requirement that healthcare providers get adequate authorization from patients before sharing patient data with Facebook. The lawsuit claims that using the tool on hospital web pages without obtaining permission violates the Health Insurance Portability and Accountability Act (HIPAA), as the information is obtained with no business associate agreement. It should be noted that the HIPAA Rules do not bind Meta/Facebook; nonetheless, the hospitals that use the tool may violate HIPAA by disclosing the data without authorization.

The lawsuit alleges a breach of the duty of good faith and fair dealing, and violations of federal and state laws, including the federal Electronic Communications Privacy Act, Unfair Competition Law, and California’s Invasion of Privacy Act. The lawsuit seeks punitive and compensatory damages, class-action status, and attorneys’ fees.

This isn’t the first lawsuit to be filed against Facebook over the acquisition of data from hospital sites. A case brought by the same lawyers against Facebook (Smith et al v. Facebook), concerning the gathering of browsing information from hospital web pages, was dismissed in 2018. The judgment was upheld by the U.S. Court of Appeals for the 9th Circuit, which decided that the plaintiffs could not sue Facebook because they had accepted Facebook’s contract terms.

Reclaim the Net obtained a copy of the legal case and shared it on this page.

Study Shows 33% of Top 100 U.S. Hospitals are Sharing Patient Information with Facebook

A study of hospitals’ websites has shown that 33% of the top 100 hospitals in America are sharing patient information with Facebook through a tracker known as Meta Pixel, seemingly without obtaining patient consent.

Meta Pixel is a JavaScript code snippet that is used to track the activity of a visitor on a website. According to Meta, tracked activity shows up in the Ads Manager and is used to measure the performance of ads, to define custom audiences for ad targeting, for dynamic ads campaigns, and to evaluate the performance of a website’s conversion funnels.

Meta Pixel can gather various information, such as details of the buttons clicked and the pages visited by clicking those buttons, and the information obtained is associated with the person through their IP address, which identifies the device used by the visitor. That data is then immediately sent to Facebook. On a hospital's website, the tracker can capture a user’s IP address and associate it with sensitive information, for example when that person clicked to book a consultation.

The Markup conducted the study and co-published the report with STAT. The Markup discovered that Meta Pixel tracking is used on the appointment scheduling pages of one-third of the hospitals. For example, the researchers found that when visitors to the University Hospitals Cleveland Medical Center website clicked the ‘Schedule Online’ button on a physician’s page, Meta Pixel sent the text of the button to Meta, together with the physician’s name and the search phrase, which for that individual was pregnancy termination. It was the same story with a number of other websites, which sent details of the choices made from dropdown menus that revealed the patient’s condition, for example, Alzheimer’s disease.

More worrying still, for 7 hospital networks, Meta Pixel was installed within password-protected patient websites. The researchers discovered that five of the hospitals were transmitting information to Meta about real patients who had agreed to take part in the Pixel Hunt project, which The Markup and Mozilla Rally manage. Participants in that project send data to The Markup about the websites they visit, which exposed the information being sent to Meta, such as patients’ prescription drugs, descriptions of their allergic reactions, and details about their upcoming physician appointments.
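A site owner can check its own pages for the tracker described in this section and the previous one by looking for the markers of Meta's published base code: the `fbevents.js` loader, the `fbq('init', ...)` call, and the `<noscript>` image beacon. The following is an added example, not code from The Markup or from the original article; the page paths, context labels, priority rule, and the all-zero pixel ID are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Markers of the Meta Pixel base code.
LOADER_RE = re.compile(r"connect\.facebook\.net/[^\"'\s]*fbevents\.js", re.I)
INIT_RE = re.compile(r"fbq\(\s*['\"]init['\"]\s*,\s*['\"](\d+)['\"]", re.I)
BEACON_RE = re.compile(r"facebook\.com/tr/?\?[^\"'\s]*\bid=(\d+)", re.I)

# Page contexts where a tracker can see PHI (assumed labels for this example).
SENSITIVE_CONTEXTS = {"appointment", "portal"}

# Constructed pages (not real sites): path, context, HTML as served.
SAMPLE_PAGES = [
    ("/about", "public", "<html><body><h1>About us</h1></body></html>"),
    ("/find-a-doctor/schedule", "appointment", """<html><head><script>
      !function(f,b,e,v,n,t,s){/* loader body elided in this sample */}
      (window,document,'script','https://connect.facebook.net/en_US/fbevents.js');
      fbq('init', '000000000000000'); fbq('track', 'PageView');
    </script></head><body><button>Schedule Online</button></body></html>"""),
    ("/portal/medications", "portal", """<html><body><noscript>
      <img height="1" width="1"
       src="https://www.facebook.com/tr?id=000000000000000&amp;ev=PageView&amp;noscript=1"/>
    </noscript></body></html>"""),
    ("/blog", "public", """<html><head>
      <script async src="https://connect.facebook.net/en_US/fbevents.js"></script>
    </head><body>News</body></html>"""),
]


class Collector(HTMLParser):
    """Collect external resource URLs and the text of inline scripts."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.urls = []
        self.inline = []
        self.in_inline_script = False

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag in ("script", "img", "iframe") and attr.get("src"):
            self.urls.append(attr["src"])
        elif tag == "script":
            self.in_inline_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_inline_script = False

    def handle_data(self, data):
        if self.in_inline_script:
            self.inline.append(data)


def scan_page(html):
    """Return the pixel markers and pixel IDs found in one page."""
    parser = Collector()
    parser.feed(html)
    parser.close()
    script_text = "\n".join(parser.inline)
    indicators, pixel_ids = set(), set()
    if LOADER_RE.search(script_text) or any(LOADER_RE.search(u) for u in parser.urls):
        indicators.add("loader")
    for match in INIT_RE.finditer(script_text):
        indicators.add("init")
        pixel_ids.add(match.group(1))
    for url in parser.urls:
        match = BEACON_RE.search(url)
        if match:
            indicators.add("noscript-beacon")
            pixel_ids.add(match.group(1))
    return {"indicators": sorted(indicators), "pixel_ids": sorted(pixel_ids)}


def audit(pages):
    """List pages carrying the pixel, sensitive contexts first."""
    findings = []
    for path, context, html in pages:
        result = scan_page(html)
        if result["indicators"]:
            priority = "high" if context in SENSITIVE_CONTEXTS else "review"
            findings.append({"path": path, "context": context,
                             "priority": priority, **result})
    findings.sort(key=lambda f: (f["priority"] != "high", f["path"]))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PAGES):
        print(finding)
```

This inspects the HTML as served; a pixel injected at runtime by a tag manager will not appear in it, so a clean result should be confirmed by watching the page's outbound requests in a browser.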

The Markup stated there seemed to be no business associate agreements signed by the hospitals and Meta, which are required to permit the data sharing under the HIPAA Rules. Also, it seemed that permission from patients allowing the transmission of information to Meta was not obtained, meaning probable HIPAA violations.

The 7 hospital systems affected were Edward-Elmhurst Health, Community Health Network, FastMed, Piedmont, Renown Health, Novant Health, and WakeMed. By the time the report was published, all except Renown Health and FastMed had removed the Meta Pixel after learning about the data transfer from The Markup, as had 6 of the 33 hospitals found to have the Meta Pixel on their appointment scheduling pages.

The Markup stated in its report that the 33 hospitals that had Meta Pixel installed on their appointment webpages collectively reported over 26 million patient admissions and outpatient appointments in 2020, and this research only looked at the top 100 hospitals. More may also be sharing information with Facebook via Meta Pixel.

The Markup said it could not determine how Meta/Facebook used the information transmitted by Meta Pixel, including for delivering targeted advertisements. Meta representative Dale Hogan released a statement in response to the results of the study: when Meta’s signals filtering systems identify that a company is transmitting potentially sensitive health information from its application or website by using Meta Business Tools, which in some instances can occur by mistake, that potentially sensitive information will be removed before it can be stored in Meta's ads systems.

HHS Offers Guidance for Healthcare Companies to Improve Their Cyber Posture

The HHS’ Health Sector Cybersecurity Coordination Center (HC3) has issued guidance for healthcare companies to help them strengthen their cyber posture. Cyber posture is the term used to refer to the overall strength of an organization’s cybersecurity, its practices for predicting and preventing cyber threats, and its ability to continue operating while responding to cyber threats.

To comply with the HIPAA Security Rule, companies must implement safeguards to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI), and reduce risks to a low and acceptable level.

Technical safeguards are necessary to keep ePHI secure and private and to make sure that ePHI can be recovered in the event of a destructive cyberattack. A strong cybersecurity program can help limit the damage caused by an attack, can prevent the theft of sensitive data such as ePHI and intellectual property, limit the chance of misuse of patient information, and help improve customer trust.

HC3 outlines a number of steps that can be taken to improve cyber posture, for instance performing regular security posture assessments, continuously monitoring networks and software for vulnerabilities, identifying which departments have problems and assigning managers to particular challenges, regularly examining gaps in security measures, defining key security metrics, and creating incident response and disaster recovery plans.

HC3 additionally advises adopting the cybersecurity practices specified in CISA Insights for guarding against cyber threats. These guidelines can help reduce the likelihood of a damaging cyber intrusion, help companies quickly detect attacks in progress, make it easier to mount an effective breach response, and increase the company’s resilience to destructive cyberattacks.

HC3 highlights the security risk analysis, an element of compliance with the HIPAA Security Rule that continues to be troublesome for many healthcare companies. The security risk assessment involves identifying threat sources, threat events, and vulnerabilities, determining the likelihood of exploitation and the potential impact, and calculating risk as a combination of likelihood and impact.

Healthcare companies can then use the data supplied by the risk analysis to prioritize the management of risks. The Office for Civil Rights has recently released a new version of its Security Risk Assessment tool to help small- and medium-sized healthcare companies conduct their security risk analysis.

Aesto Health and Motion Picture Industry Health Plan Report Data Breaches

Software company Aesto Health, based in Birmingham, AL, provides services that help healthcare companies and medical providers share, organize, and secure patient data. The company recently experienced a cyberattack that disrupted some internal information technology systems.

Aesto Health discovered the security breach on March 8, 2022, and took immediate steps to stop the unauthorized person from further accessing its systems. A third-party computer forensics firm helped with the investigation and confirmed that an unauthorized person had access to the impacted systems from December 25, 2021 to March 8, 2022.

During that time frame, certain files containing radiology reports originating from Osceola Medical Center (OMC) in Wisconsin were extracted from a backup storage unit. A review of the impacted records confirmed they contained the protected health information (PHI) of patients, such as names, birth dates, doctor names, and reports of results associated with radiology imaging done at OMC. No Social Security numbers or financial records were accessed or stolen. The systems and electronic medical records of OMC were not affected. Aesto Health said it implemented additional safeguards and technical security measures to provide added protection and monitoring of its systems.

The breach report has been submitted to the HHS’ Office for Civil Rights indicating that 17,400 patients were affected.

Motion Picture Industry Health Plan Notifies Members Regarding Unauthorized Disclosure of PHI

The Motion Picture Industry Health Plan (MPIHP) has reported an impermissible disclosure of the PHI of 16,838 plan members because of a mismailing incident. MPIHP discovered a mailing error on March 31, 2022. Because of that incident, the information of plan members was mailed to the wrong addresses. In all cases, the letter intended for one MPIHP member was mailed to a different MPIHP member.

The letters did not include any medical data or health claims data. They only included the name, address, hours worked, the last four digits of the Social Security number of a member, and the latest dates of eligibility. MPIHP has already sent notification letters to all the impacted persons at the last address given by those members. Impacted persons were offered free one-year identity monitoring services. MPIHP said that it found the specific cause of the error and took steps to prevent the same mismailing incident from happening again.

2 Million Patients Affected by Shields Health Care Group Cyberattack

The protected health information (PHI) of around 2 million people was potentially compromised in a cyberattack on Shields Health Care Group. Shields Health Care Group, based in Massachusetts, provides ambulatory surgical center management and medical imaging services throughout New England. The group detected suspicious activity within its network on March 28, 2022. Prompt action was taken to secure its systems and stop continuing unauthorized access. Third-party forensics professionals assisted with the investigation and confirmed the nature and scope of the security breach.

The forensic investigation revealed that an unauthorized individual had access to some Shields systems from March 7, 2022 to March 21, 2022. Shields stated that a security alert was triggered on March 18, 2022, which upon investigation did not appear at the time to have been a data breach. It has since been confirmed that during that period of access, certain data was taken from its systems. Shields said it was not aware of any instances of attempted or actual misuse of patient data.

An analysis of the files that were extracted from its systems or may have been accessed by unauthorized persons revealed that the following types of information were impacted: Full name, Social Security number, birth date, home address, provider data, diagnosis, billing details, insurance number and details, medical record number, patient ID, and other medical or treatment data. Shields is still reviewing the affected data and will issue breach notifications to impacted people on behalf of all affected facility partners after that review is finished.

After the discovery of the attack, quick action was undertaken to protect its network and records, selected systems were rebuilt, and more safeguards were put in place to better secure patient information. Cybersecurity steps will be evaluated and improved for better, continuing information safety.

The breach is already listed on the HHS’ Office for Civil Rights Breach website as affecting 2,000,000 persons. Shields stated that those people had received treatment at the 56 facility partners listed below:

  • Cape Cod Imaging Services, LLC (a Falmouth Hospital Association, Inc business associate)
  • Cape Cod Radiation Therapy Service, LLC
  • Cape Cod PET/CT Services, LLC
  • Central Maine Medical Center
  • Emerson Hospital
  • Falmouth Hospital Association, Inc.
  • Fall River/New Bedford Regional MRI Limited Partnership
  • Franklin MRI Center, LLC
  • Lahey Clinic MRI Services, LLC
  • Mercy Imaging, Inc.
  • Massachusetts Bay MRI Limited Partnership
  • MRI/CT of Providence, LLC
  • Newton-Wellesley Imaging, PC
  • Newton Wellesley Orthopedic Associates, Inc.
  • Newton-Wellesley MRI Limited Partnership
  • NW Imaging Management Company, LLC (a Newton Wellesley Orthopedic Associates, Inc. business associate)
  • Northern MASS MRI Services, Inc.
  • PET-CT Services by Tufts Medical Center and Shields, LLC
  • Radiation Therapy of Winchester, LLC
  • Radiation Therapy of Southeastern Massachusetts, LLC
  • Shields CT of Brockton, LLC
  • Shields and Sports Medicine Atlantic Imaging Management Co, LLC (a SportsMedicine Atlantic Orthopaedics P.A. business associate)
  • Shields Imaging at Anna Jaques Hospital, LLC
  • Shields Healthcare of Cambridge, Inc.
  • Shields Imaging at University Hospital, LLC
  • Shields Imaging Management at Emerson Hospital, LLC (an Emerson Hospital business associate)
  • Shields Imaging at York Hospital, LLC
  • Shields Imaging of Eastern Mass, LLC
  • Shields Imaging of North Shore, LLC
  • Shields Imaging of Lowell General Hospital, LLC
  • Shields Imaging of Portsmouth, LLC
  • Shields Management Company, Inc.
  • Shields Imaging with Central Maine Health, LLC (a Central Maine Medical Center business associate)
  • Shields PET/CT at CMMC, LLC
  • Shields MRI & Imaging Center of Cape Cod, LLC
  • Shields PET-CT at Cooley Dickinson Hospital, LLC
  • Shields MRI of Framingham, LLC
  • Shields PET-CT at Berkshire Medical Center, LLC
  • Shields PET-CT at Emerson Hospital, LLC
  • Shields Signature Imaging, LLC
  • Shields Radiology Associates, PC
  • Shields Sturdy PET-CT, LLC
  • Shields-Tufts Medical Center Imaging Management, LLC (a Tufts Medical Center, Inc. business associate)
  • South Shore Regional MRI Limited Partnership
  • Southeastern Massachusetts Regional MRI Limited Partnership
  • South Suburban Oncology Center Limited Partnership
  • SportsMedicine Atlantic Orthopaedics P.A.
  • Tufts Medical Center, Inc.
  • UMass Memorial MRI – Marlborough, LLC
  • UMass Memorial HealthAlliance MRI Center, LLC
  • UMass Memorial MRI & Imaging Center, LLC
  • Winchester Hospital / Shields MRI, LLC

New York Judge Dismisses Class Action PACS Data Breach Lawsuit for Lack of Standing

A New York Federal Judge dismissed a class-action lawsuit filed against Alliance HealthCare Services and NorthEast Radiology PC because of a data breach that exposed the protected health information (PHI) of over 1.2 million people for lack of standing.

The lawsuit was filed in July 2021 on behalf of plaintiffs Lisa Rosenberg and Jose Aponte II, whose PHI was compromised due to a misconfiguration of the firms’ Picture Archiving and Communication System (PACS), which held medical images and related patient data. In late 2019, security researchers found the exposed information and informed the affected organizations: Northeast Radiology and its vendor, Alliance HealthCare Services.

According to the lawsuit, more than 61 million medical images were exposed along with the sensitive data of 1.2 million individuals. Northeast Radiology submitted the breach report to the HHS’ Office for Civil Rights indicating that 298,532 persons were impacted. The lawsuit alleged the defendants had applied insufficient security safeguards to protect the privacy of patient information, which enabled unauthorized persons to access the medical images and other PHI from April 14, 2019 to January 7, 2020. The plaintiffs claimed that they are facing an ongoing and imminent danger of identity theft and fraud since protected health information cannot be canceled. They state they now have to continually keep track of their accounts, utilize credit and identity theft monitoring services, and expend more time and effort to avoid and mitigate possible future losses.

It is now common for lawsuits to be filed against healthcare companies following data breaches; however, the lawsuits usually do not succeed because of the failure to present proof of harm resulting from the compromise or theft of personal data, as was the case here. Judge Vincent L. Bricetti, Federal Judge for the Southern District of New York, dismissed the case because the plaintiffs did not allege a cognizable injury. The judge ruled that the mere exposure of sensitive information could not establish that the plaintiffs were harmed by the incident and that the threat of future harm from the exposure of their sensitive data was too speculative to establish standing.

Although the data breach report filed with the HHS’ Office for Civil Rights stated that about 298,532 individuals were affected, NorthEast Radiology was only able to confirm that the information of 29 patients had definitely been subjected to unauthorized access, and the two plaintiffs named in the legal action were not included in that small group.

Judge Bricetti referred to the Second Circuit Court’s decision in McMorris v. Carlos Lopez & Associates, LLC. He applied the three-factor test established for determining whether allegations of harm related to a data breach amount to a cognizable Article III injury-in-fact:

  1. whether the plaintiffs’ information was exposed because of a targeted attempt to acquire that data;
  2. whether any part of the dataset was misused, even though the plaintiffs themselves haven’t encountered identity theft or fraud; and
  3. whether the type of exposed information is sensitive such that the risk of identity theft or fraud is high.

Judge Bricetti turned down all of the plaintiffs’ claims for breach of contract, breach of implied contract, negligence, negligence per se, intrusion upon seclusion, and violations of New York General Business Law Section 349.

Former IT Consultant Charged with Deliberately Causing Harm to Healthcare Company’s Server

An information technology consultant who worked as a contractor at a suburban healthcare organization in Chicago has been charged with illegally getting access to the firm’s network and deliberately causing harm to a protected computer.

Aaron Lockner, age 35, resident of Downers Grove, IL, worked for an IT organization that had a contract with a healthcare firm to offer security and technology services. Lockner was given access to the network of the healthcare organization’s clinic in Oak Lawn, IL, to perform the contracted IT solutions.

In February 2018, Lockner applied for a position with the healthcare company; however, his application was rejected. Lockner was then laid off from the IT company in March 2018. A month afterwards, on or about April 16, 2018, Lockner is alleged to have remotely accessed the computer system of the healthcare organization without consent. According to the indictment, Lockner intentionally caused the transmission of a program, material, code, and command, and through those actions intentionally caused damage to a protected computer. The computer intrusion impaired medical tests, treatment, and the care of several people.

Lockner is indicted on one count of deliberately causing damage to a protected computer. The arraignment is scheduled for May 31, 2022 in the U.S. District Court in the Northern District of Illinois, Eastern Division. If convicted, Lockner might serve around 10 years in federal jail.

This case illustrates the dangers posed by insiders. The newly published 2022 Verizon Data Breach Investigations Report shows the danger of attacks by external hackers, which surpass insider attacks by 4 to 1; however, safeguards must also be put in place to protect against insider threats.

In this situation, the supposed access happened two months following the rejection of the application for employment and one month after termination from the IT firm. When people leave work, voluntarily or if dismissed, access rights to systems should be promptly terminated and tests of systems performed to identify any malware or backdoors that could have been installed.

There were several instances of dissatisfied IT contractors keeping remote access to networks after dismissal, with one particular case at a law firm finding an ex-IT worker setting up a backdoor and consequently accessing the system and purposefully causing harm after leaving work. In that instance, the individual was sentenced to 115 months in a federal penitentiary and was instructed to pay $1.7 million in reparation.

Data Security Incidents Reported by Parker-Hannifin Corporation, Behavioral Health Partners of Metrowest and Vail Health Services

Parker-Hannifin Corporation, a maker of motion and control technologies based in Cleveland, OH, recently reported that unauthorized persons had gained access to parts of its IT systems and might have obtained files that contain the sensitive data of present and past employees, their dependents, and other persons associated with the organization.

The company detected suspicious activity inside its IT environment on March 14, 2022. It was confirmed by the forensic investigation that unauthorized individuals accessed its systems from March 11, 2022 to March 14, 2022. A thorough evaluation of the impacted files confirmed they included data like names, dates of birth, addresses, driver’s license numbers, Social Security numbers, passport numbers, financial account data like online account usernames and security passwords, bank account and routing numbers. The enrollment information of present and past members of the Parker Group Health Plan, as well as those of a health plan sponsored by an entity obtained by Parker, may have been exposed. Compromised information may include medical insurance dates of coverage and plan member ID number.

The breach report submitted to the HHS’ Office for Civil Rights indicated that 119,513 group health plan members were affected. The company already notified the affected persons and provided a free membership to Experian’s IdentityWorks identity theft protection and monitoring services for two years.

Data Theft Incident Reported by Behavioral Health Partners of Metrowest

Behavioral Health Partners of Metrowest (BHPMW) based in Framingham, MA has informed 11,288 persons that an unauthorized person copied some of their protected health information (PHI) from its systems. BHPMW discovered the data breach on October 1, 2022, and confirmed through the forensic investigation that the unauthorized person got access to its systems and extracted information from September 14 to September 18, 2021.

The stolen information pertained to the Behavioral Health Community Partner Program that BHPMW manages as per the agreement with MassHealth, together with the SMOC, Advocates, Family Continuity, Wayside Youth and Family Support provider agencies and Spectrum Health Systems. The compromised information included names, Social Security numbers, addresses, dates of birth, client ID numbers, medical insurance data, and medical diagnosis/treatment details. BHPMW did not receive any information regarding any actual or attempted misuse of the stolen data.

BHPMW sent notification letters to impacted persons on May 11, 2022, and those persons received offers of free credit monitoring and identity protection services.

17,000 Patients Affected by Vail Health Services Data Security Incident

Vail Health in Colorado experienced a data security incident that led to the compromise and possible theft of the PHI of 17,039 individuals. Vail Health stated when it began having trouble with its network systems, it started an investigation that showed on April 5, 2022 that an unauthorized person had acquired access to its network on February 11, 2022.

The breached systems had a limited number of files such as data regarding persons who got COVID-19 tests from Vail Health, including names, dates of birth, contact details, encounter numbers, and COVID-19 test data. There was no compromise of financial data, medical insurance data, or Social Security numbers.

The systems already had controls that limited access to a small number of persons. Extra security measures were implemented to limit access further.

Data Breaches Reported by Refuah Health Center and Quantum Imaging Therapeutic Associates

Refuah Health Center located in New York has lately begun sending notifications to 260,740 patients regarding a security breach that happened about one year ago. Based on the April 29, 2022 notice on the healthcare company’s webpage, it recently found unauthorized access to its system took place from May 31, 2021 to June 1, 2021. Upon being aware of the breach, the health center started an investigation to find out the nature and extent of the cyberattack, and a thorough review was then performed on all files that were possibly accessed.

Refuah Health Center stated it found out on March 2, 2022, that the attackers had exfiltrated a number of files from its network that included “a limited amount” of patients’ protected health information (PHI), which include names and at least one of these data types: driver’s license numbers, state ID numbers, birth dates, Social Security numbers, bank/financial account data, debit/credit card details, healthcare treatment/diagnosis details, Medicaid/Medicare numbers, patient account numbers, medical record numbers, and/or health insurance policy numbers. The health center began sending notification letters to affected people on April 29, 2022 and offered free credit monitoring services to persons whose Social Security numbers were probably exposed.

Although Refuah Health Center did not disclose further details about the nature of the attack, databreaches.net stated that the attack seems to have been performed by the Lorenz ransomware group, which added Refuah Health Center to the list of victims on its data leak website on June 11, 2021, though that entry has since been deleted.

Quantum Imaging Therapeutic Associates Patients’ PHI Compromised

Specialized diagnostic radiology services provider Quantum Imaging Therapeutic Associates, based in Lewisberry, PA, recently sent breach notification letters to patients telling them about the compromise of their PHI. The data security breach was discovered and blocked on October 7, 2021.

At the time the notification letters were issued, no evidence had been found that the attackers viewed or stole any patient information, although the possibility could not be excluded. The breached areas of its system contained patient information like names, dates of birth, addresses, Social Security numbers, and data associated with the radiology services given.

After preventing the attack, Quantum commenced an investigation with the assistance of third-party IT professionals, and has now analyzed its network setting and made enhancements to security. Quantum will additionally be tracking the threat landscape carefully and will take proactive steps to deal with new threats. Impacted people have been given complimentary identity theft protection services.

The incident is not yet posted on the HHS’ Office for Civil Rights breach website, therefore it is not clear how many persons were impacted.

New Framework for Evaluating the Privacy, Security, and Safety of Digital Health Technologies

The American Telemedicine Association (ATA), the Organization for the Review of Care and Health Applications (ORCHA), and the American College of Physicians (ACP) have joined up to create a new framework for evaluating digital health technologies utilized by healthcare experts and patients.

Presently, over 86 million Americans make use of a fitness or health app. These digital health technologies, which include more than 365,000 individual products, can gather, keep, process, and transfer personal and health information that would be categorized as protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA); nevertheless, most of these technologies are not covered by HIPAA and aren’t covered by other rules, federal laws, or government guidance. The absence of guidance in this area hinders the usage of digital health technologies, which have incredible potential for enhancing condition management, clinical risk evaluation, and decision assistance.

The creators of digital health technologies frequently share user information gathered by their products and apps with third parties but do not always disclose their data-sharing practices to consumers, and their privacy policies are often far from transparent. The use of these applications and technologies can place user privacy in danger. The technologies may additionally lack proper security controls and may be susceptible to cyberattacks that can expose sensitive user information.

The Digital Health Assessment Framework is meant to be an open system that anybody may access to use, to help adopt high-quality digital health technologies and guide healthcare specialists and patients in making better choices regarding which digital health solutions best match their needs, as explained by the ATA in a PR release.

The framework consists of elements that healthcare specialists and consumers can utilize to evaluate data and privacy, clinical assurance and safety, usability and accessibility, and technical security and stability, and was created to support U.S. rules, regulations, and protocols for digital health practices.

Digital health technologies can provide safe, effective, and engaging access to personalized health and support, give more convenient care, increase patient and healthcare provider satisfaction, and accomplish better clinical outcomes. Ann Mond Johnson, the ATA CEO, further mentioned that there are actually hundreds of health apps and devices for patients and physicians to select from, and our objective is to win the confidence that the health and wellness resources examined in this Framework meet quality, privacy and clinical assurance requirements in the U.S.

ACP is performing a pilot study of health applications that will be analyzed against the framework to produce an extensive collection of acceptable digital health solutions. The framework will be updated regularly depending on responses from digital health technology firms, healthcare experts, consumers, and other stakeholders to reflect changes in clinical practice and the most recent guidelines, recommendations, and best practices.

HHS Information Security Program ‘Not Effective’ According to Audit

The Department of Health and Human Services performed an audit for the HHS’ Office of Inspector General (OIG) to evaluate adherence to the Federal Information Security Modernization Act of 2014 (FISMA) for the 2021 fiscal year. It has rated the security program of the agency as ‘not effective’, just like in fiscal years 2018, 2019, and 2020. Five of the 12 operating divisions of the HHS were subjected to an audit, though OIG didn’t mention which five divisions were selected.

To be given an effective rating, the HHS needs to get to the ‘Managed and Measurable’ maturity level for the function areas of Identify, Protect, Detect, Respond, and Recover. This is a requirement by the FY 2021 Inspector General FISMA Reporting Metrics and the DHS guidance.

It is stated in the OIG report that the HHS is still making adjustments to boost the maturity of its company-wide cybersecurity program and that it is working towards more sustainable cybersecurity in all FISMA domains.

The HHS security program strengthened the maturity of controls for a number of FISMA metrics, though there was no progress in certain areas because full enforcement of Information Security Continuous Monitoring (ISCM) efforts is lacking in its operating divisions. This is crucial as reliable information and metrics are needed in order to make good risk management judgments.

The HHS has partly implemented its Continuous Diagnostics and Mitigation (CDM) method, which has enhanced insight into certain assets, and awareness of vulnerabilities and threat data has improved through the use of RSA Archer and Splunk. Progress has been made in the implementation of a complete department-wide CDM program to ensure continuous monitoring of HHS networks and systems, give an accurate report of the status of operating divisions, and progress to handle and enforce methods that fight risk, prioritize concerns utilizing tested risk criteria, and enhance its cybersecurity response functions.

The HHS has improved its implementation of CDM tools and procedures but doesn’t have a specific timetable for completely implementing the CDM program throughout all operating divisions. Unless the HHS completely follows its CDM technique, the HHS cannot identify cybersecurity risks on a continuous basis, prioritize efforts to deal with risks according to their probable effects, and mitigate the most serious vulnerabilities first.

OIG has given a number of recommendations for enhancing the maturity of the HHS information security program. The HHS ought to continue implementing an automated CDM solution to have a centralized, company-wide oversight of risks throughout HHS. The ISCM strategy must be updated to have a more accurate roadmap, having target dates particular for ISCM deployment throughout the HHS operating divisions. A company risk evaluation of identified control weaknesses must be done and a proper risk response ought to be recorded, and the HHS should create a process to keep track of information system contingency plans to make sure they are created, maintained, and incorporated with other continuity criteria by IT systems.

The HHS agreed with all the recommendations of OIG.

WEDI Gives Healthcare-Specific Advice for Enhancing the NIST Cybersecurity Framework

The Workgroup for Electronic Data Interchange (WEDI) has responded to the request for information from the National Institute of Standards and Technology (NIST) and has produced a number of tips for enhancing the NIST cybersecurity framework and supply chain risk management advice to assist healthcare companies in handling a few of the most urgent threats confronting the industry.

Ransomware is considered one of the major threats affecting the healthcare sector, and that will probably not change in the near future. To help healthcare companies manage the risk, WEDI has advised NIST to give attention to ransomware and deal with the concern of ransomware specifically in the cybersecurity framework. NIST released a new ransomware resource in February 2022, which includes important tips on avoiding, detecting, responding to, and dealing with ransomware attacks. WEDI feels the inclusion of ransomware inside the cybersecurity framework will increase the reach and effect of the resource.

WEDI has additionally advised the addition of particular case studies of healthcare companies that have encountered a ransomware attack, updating the framework to determine contingency planning techniques in line with the kind of healthcare company, and giving guidance with emphasis on contingency preparation, setup, and recovery. Ransomware attacks on healthcare companies have risks that do not apply to other entities. More information in this area is of great advantage to healthcare companies and can help reduce interruption and patient safety concerns.

Healthcare companies are creating patient access Application Programming Interfaces (APIs) and applications (apps) that are covered by HIPAA, and are consequently required to implement safeguards to ensure the privacy and security of any healthcare information they hold; however, WEDI has drawn attention to the absence of strong privacy requirements that apply to third-party health applications that aren’t covered by HIPAA. WEDI states there’s a requirement for a national security framework to make sure that medical information acquired by third-party applications has proper privacy and security criteria.

The number of risks and vulnerabilities affecting mobile and implantable healthcare devices has exploded at an unbelievable rate lately, and those dangers will probably grow significantly in the coming years. WEDI has advised NIST to deal with cybersecurity problems associated with these devices specifically in the cybersecurity framework, and in addition, tackle the problem of insider threats. Numerous healthcare data breaches are the result of insider threats including missing electronic devices, social engineering, and phishing attacks. WEDI says these problems, along with security awareness training, ought to be addressed in the cybersecurity framework.

WEDI has additionally recommended NIST create a version of its cybersecurity framework that is directed at smaller healthcare companies, which do not have the means to remain up to date on the most recent security improvements and carry out the most recent security steps and protocols. A framework version that is more targeted at the threats experienced by smaller companies will be very beneficial and ought to consist of practical proactive actions that can be undertaken by small healthcare companies to offset risks.

Data Breaches Reported by Smile Brands Ransomware Attack, ARcare and Onehome Health Solutions

Smile Brands based in Irvine, CA provides support services for dental offices. It recently presented an update on the number of people affected by a ransomware attack that was identified on April 24, 2021. The attackers acquired access to areas of its network on April 23, 2021, that kept files that contained the protected health information (PHI) of individuals, including names, telephone numbers, addresses, birth dates, Social Security numbers, financial data, government-issued ID numbers, and health information.

The breach report was initially submitted to the HHS’ Office for Civil Rights in June 2021 as having 1,200 victims, but the breach report was afterward corrected to state as many as 199,683 persons were impacted. Nonetheless, in the most recent notification to the Maine attorney general, the breach was reported as impacting around 2,592,494 individuals. The preliminary notice to the Maine attorney general was sent on October 8, 2021.

Smile Brands stated that affected persons were provided a complimentary 12-month membership to a credit tracking service, which involves identity theft assistance services and coverage of a $1 million identity theft insurance policy.

Malware Possibly Permitted Hackers to Access ARcare Patient Information

ARcare, a firm providing primary care and behavioral health services within Kentucky, Arkansas, and Mississippi, has reported that patient information was possibly accessed by unauthorized people in a cyberattack that was identified on February 24, 2022. Because of the malware found on its system, there was a temporary disruption of its services. ARcare took immediate action to stop continuing unauthorized access and launched an investigation to find out the nature and scope of the incident.

The investigation affirmed on March 14, 2022, that the hackers may have accessed sensitive data from January 18, 2022 to February 24, 2022. An analysis of the impacted records was done on April 4, 2022, and established they included names, driver’s license or state ID numbers, Social Security numbers, dates of birth, financial account details, medical treatment data, prescription details, medical diagnosis or condition details, and medical insurance information.

Although data was exposed, there was no evidence found that suggests actual or attempted misuse of patient information. ARcare mentioned it has revised its policies and procedures associated with data protection and security and mailed notification letters to affected persons on April 25, 2022.

The incident is not yet posted on the HHS’ Office for Civil Rights breach portal therefore it is currently uncertain how many people were impacted.

Theft of Unencrypted Laptops from the Home of Onehome Health Solutions Employee

Two unencrypted laptop computers were stolen from the house of a Onehome Health Solutions employee. The healthcare provider based in Miramar, FL discovered the theft on March 3, 2021 and reported the incident to authorities.

A forensic investigation confirmed that the laptop computers stored the PHI of approximately 15,401 patients, such as names, addresses, telephone numbers, health data, medical insurance data, and the last four numbers of Social Security numbers.

Onehome stated all impacted persons were informed regarding the compromise of their data and free identity theft protection services were provided to people who had their Social Security numbers partially exposed.

Solara Medical Supplies Offers to Pay $5 Million to Resolve Class Action Data Breach Lawsuit

A California Federal court recently approved a preliminary settlement to take care of a consolidated class action lawsuit versus Solara Medical Supplies.

Solara Medical Supplies based in Chula Vista, California is a direct-to-consumer company selling medical devices and disposable medical merchandise as well as a registered pharmacy. Solara Medical discovered suspicious activity in the email account of an employee on June 28, 2019. The succeeding investigation affirmed that unauthorized people had acquired access to several Office 365 email accounts from April 2, 2019 to June 20, 2019, due to staff members replying to phishing emails.

Based on forensic investigation, the sensitive data of 114,007 customers was compromised and possibly stolen, such as names, birth dates, driver’s license numbers, Social Security numbers, medical insurance data, and financial details. Impacted patients received one-year free credit monitoring and identity theft protection services.

Four class-action lawsuits had been filed on behalf of the impacted clients, and those legal cases were combined into one lawsuit. Solara Medical offered the settlement to resolve the lawsuit and avoid ongoing legal expenses, but did not admit any wrongdoing. The settlement terminates the lawsuit with prejudice and doesn’t signify any admission of wrongdoing, fault or liability.

As per the conditions of the settlement, Solara Medical has agreed to spend $5,060,000 to handle the plaintiffs’ and class members’ claims and will do what is necessary to enhance data security to avoid other security breaches. The six plaintiffs who filed the lawsuits will get $4,000 each as compensation, and all class members who submit timely claims will get $100, in addition to a pro-rata payment of approximately $1,000 if there are remaining funds after paying the $100 cash payments. Included in the settlement amount are the $2.3 million attorneys’ fees. In case there are funds left, they will be contributed to the Juvenile Diabetes Research Foundation.

In the following two years, Solara Medical will go through a recurrent SOC 2 Type 2 review until it is passed, have a third party conduct a HIPAA IT evaluation, carry out a minimum of one cybersecurity incident response test per year, and go through third-party phishing and external-facing vulnerability tests a minimum of two times a year. Solara Medical will additionally have a security information and event management (SIEM) tool with a 400-day lookback on activity records. Enhanced versions of the remedial actions or similar actions will be done on new industry criteria for the following 3 years.

Over 510,000 Individuals Affected by Adaptive Health Integrations Data Breach

Adaptive Health Integrations recently reported a data breach to the Department of Health and Human Services’ Office for Civil Rights (OCR) that affected 510,574 individuals’ protected health information (PHI).

Adaptive Health Integrations based in Williston, North Dakota provides LIS software services and billing/revenue services to labs, doctor offices, as well as other healthcare organizations. A copy of the notification letters posted on the Montana Attorney General webpage says that Adaptive Health Integrations recently discovered that an unauthorized person had acquired access to its system on or about October 17, 2021, and potentially accessed some information kept on its network.

The letters mentioned that upon discovery of the unauthorized access, the company immediately contained the threat and launched an investigation. A detailed audit of breached files was performed, and that process ended on February 23, 2022. As per the notification letters, free credit monitoring, fraud assessment, and identity theft restoration services are being provided via Kroll for one year.

The notification letters did not give any details regarding who Adaptive Health Integrations is or the reason why it retains the PHI of individuals. Some people who got a notification letter have posted on the internet asking about the genuineness of the breach notification letters, which were written on paper and had a copied image of the company logo. After looking at the company web page, some have commented that maybe this is a fraud.

Searching for the company on Google leads to a two-page company site with a placeholder contact page that includes a dummy message. At the time the notifications were sent, the company webpage did not mention that there had been a data breach.

The law company Migliaccio & Rathod LLP states it is investigating the data breach at Adaptive Health Integrations.