The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

MFA Bypassed in Cyberattack on L.A. County Department of Mental Health

Cyberattacks and data breaches have been reported by the L.A. County Department of Mental Health, Healthfirst, Wyndemere Senior Care, Risas Dental & Braces, and Baylor College of Medicine.

Los Angeles County Department of Mental Health

The Los Angeles County Department of Mental Health has recently notified the California Attorney General about a breach of an employee’s email account. The email account had multi-factor authentication (MFA) in place; however, MFA was bypassed. The cyber threat actors bypassed MFA using a technique known as push notification spamming (also called MFA fatigue or push bombing), in which an attacker who already holds the user’s password repeatedly triggers sign-ins so that the user’s mobile device receives MFA push notification after push notification, in the hope that the user will eventually approve one. The employee did approve a prompt, resulting in their email account being compromised. The technique exploits a simple approve/deny prompt that gives the user no context about the sign-in rather than a weakness in the MFA protocol itself; number matching, which Microsoft now enforces by default for Microsoft Authenticator push notifications, and alerting on repeated unanswered prompts are the standard mitigations.

According to the Department of Mental Health, the attack stemmed from a breach at the City of Gardena Police Department (GPD). “GPD’s email exchanges with the Department of Mental Health (DMH) allowed the malicious actor or actors to send an email to a DMH employee and get access to that employee’s Microsoft Office 365 account.” The account contained names, dates of birth, Social Security numbers, addresses, telephone numbers, and medical record numbers.

This is not the first attack of this kind to affect the Department of Mental Health. Similar attacks occurred on October 6, 2023, and October 24, 2023. The breach notices sent to the affected individuals on December 6, 2023, December 22, 2023, and March 22, 2024, all include the following statement, “We have also notified Microsoft of the vulnerability in the Microsoft Office 365 multifactor authentication that was exploited by the malicious actor or actors. We have since implemented new security controls to address this specific attack.” Only one report is currently showing on the HHS’ Office for Civil Rights breach portal – dated December 22, 2023 – indicating 1,284 individuals were affected. It is unclear how many individuals had their data exposed in the latest attack.
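The push notification spamming pattern described above leaves a recognizable trace in sign-in logs: a burst of push prompts the user denied or let time out, followed by an approval. The following is an added example of a detection rule over such events, written for this article; it is not code from the Department of Mental Health, Microsoft, or any vendor. The field names (`ts`, `user`, `ip`, `mfa_result`) are a simplified stand-in for the MFA-related fields in a real sign-in log, and the events themselves are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real log data). The schema is an
# assumption: real identity-provider logs carry different field names.
SAMPLE_EVENTS = [
    # alice: five unanswered/denied prompts in six minutes, then an approval
    {"ts": "2024-03-22T09:00:05Z", "user": "alice", "ip": "203.0.113.10", "mfa_result": "timeout"},
    {"ts": "2024-03-22T09:01:10Z", "user": "alice", "ip": "203.0.113.10", "mfa_result": "denied"},
    {"ts": "2024-03-22T09:02:30Z", "user": "alice", "ip": "203.0.113.10", "mfa_result": "timeout"},
    {"ts": "2024-03-22T09:03:45Z", "user": "alice", "ip": "203.0.113.10", "mfa_result": "denied"},
    {"ts": "2024-03-22T09:05:00Z", "user": "alice", "ip": "203.0.113.10", "mfa_result": "timeout"},
    {"ts": "2024-03-22T09:06:20Z", "user": "alice", "ip": "203.0.113.10", "mfa_result": "approved"},
    # bob: one mis-tap then an approval, ordinary behaviour
    {"ts": "2024-03-22T09:10:00Z", "user": "bob", "ip": "198.51.100.7", "mfa_result": "denied"},
    {"ts": "2024-03-22T09:10:40Z", "user": "bob", "ip": "198.51.100.7", "mfa_result": "approved"},
    # carol: several denials spread over hours, not a burst
    {"ts": "2024-03-22T08:00:00Z", "user": "carol", "ip": "192.0.2.55", "mfa_result": "denied"},
    {"ts": "2024-03-22T08:30:00Z", "user": "carol", "ip": "192.0.2.55", "mfa_result": "timeout"},
    {"ts": "2024-03-22T09:00:00Z", "user": "carol", "ip": "192.0.2.55", "mfa_result": "denied"},
    {"ts": "2024-03-22T09:40:00Z", "user": "carol", "ip": "192.0.2.55", "mfa_result": "denied"},
    {"ts": "2024-03-22T09:45:00Z", "user": "carol", "ip": "192.0.2.55", "mfa_result": "approved"},
]

UNAPPROVED = ("denied", "timeout")


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_push_fatigue(events, threshold=3, window=timedelta(minutes=10)):
    """Return one finding per approval that was preceded by at least
    `threshold` unapproved push prompts for the same user within `window`.

    Each finding records the user, the time and source IP of the approval,
    and how many unanswered prompts preceded it, which is what an analyst
    needs to decide whether the session should be revoked.
    """
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append(event)

    findings = []
    for user, user_events in by_user.items():
        user_events.sort(key=lambda e: parse_ts(e["ts"]))
        unapproved = []  # timestamps of recent prompts the user did not approve
        for event in user_events:
            now = parse_ts(event["ts"])
            # Drop prompts that have aged out of the sliding window.
            unapproved = [t for t in unapproved if now - t <= window]
            if event["mfa_result"] in UNAPPROVED:
                unapproved.append(now)
            elif event["mfa_result"] == "approved":
                if len(unapproved) >= threshold:
                    findings.append({
                        "user": user,
                        "approved_at": event["ts"],
                        "source_ip": event["ip"],
                        "unapproved_prompts": len(unapproved),
                    })
                unapproved = []  # an approval ends the burst either way
    return findings


if __name__ == "__main__":
    for finding in detect_push_fatigue(SAMPLE_EVENTS):
        print(f"possible MFA fatigue: {finding}")
```

Run against the constructed events, only alice is flagged: five unapproved prompts inside the ten-minute window before her approval. Bob’s single denial and Carol’s denials spread over two hours fall below the threshold. Tune `threshold` and `window` to the tenant’s normal prompt rate, and pair the alert with an automatic session revocation so that a fatigued approval does not hand the attacker a long-lived mailbox token.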


Risas Dental & Braces

Risas Dental & Braces in Phoenix, AZ, has recently notified patients about a cyberattack detected in July 2023 in which their protected health information was exposed. Unusual activity was identified in its computer systems on July 10, 2023, and immediate action was taken to secure its network. Third-party cybersecurity specialists were engaged to investigate the incident and determine the nature and scope of the unauthorized activity. The digital forensics team determined that unauthorized individuals had gained access to the network and may have downloaded files containing patient data.

The review of those files was completed on January 26, 2024, and confirmed they contained protected health information such as names, contact information, high-level treatment information such as procedure names or notes, the initial date or dates of service, and/or insurance subscriber information. The affected individuals were notified by mail on March 22, 2024. The HHS’ Office for Civil Rights breach portal indicates 618,189 individuals were affected.

Healthfirst

The New York health insurance provider, Healthfirst, has recently notified 6,836 of its 2 million members about unauthorized access to its member portal. Healthfirst, which provides health plans under the names Healthfirst PHSP, Inc., Healthfirst Health Plan, Inc., and Healthfirst Insurance Company, said member names, dates of birth, Healthfirst member ID numbers, and member zip codes were used to create unauthorized accounts. The accounts have now been disabled and internal protocols for digital member account validation have been updated to prevent similar incidents in the future. An investigation is ongoing into the source of the unauthorized activity. Healthfirst said it has no reason to believe that the unauthorized activity is linked to the Change Healthcare cyberattack. The affected individuals were notified on March 19, 2024.

Wyndemere Senior Care

Wyndemere Senior Care LLC, a Wheaton, IL-based provider of independent and assisted living neighborhoods, skilled nursing, and memory care, has notified 6,846 individuals that some of their personal information has been exposed in a cyberattack. Suspicious activity was detected in its computer systems on September 8, 2023, with the forensic investigation confirming there had been unauthorized network access between September 1, 2023, and September 8, 2023. A review of the files on the compromised parts of the network confirmed on February 21, 2024, that names and financial account numbers had been exposed. Individual notifications were mailed to the affected individuals on March 28, 2024. Wyndemere said it is implementing additional cybersecurity safeguards and is providing further training to its employees.

Baylor College of Medicine (Advarra)

Baylor College of Medicine in Houston, TX, has confirmed that the personal information of certain participants in breast cancer clinical trials has been exposed in a data breach at its vendor, Advarra. The data was present in the email account of an Advarra employee that was accessed by an unauthorized third party in October 2023. Baylor College of Medicine was first made aware of the email security incident in November 2023, with the Advarra investigation determining in February 2024 that research participants’ data had been exposed. Advarra reported the breach to the Maine Attorney General in February as affecting 4,656 individuals and involving names, other personal identifiers, and Social Security numbers. It is unclear whether that figure includes the research participants.

Baylor College of Medicine said the research participants’ data exposed in the attack related to breast cancer research and clinical trials at the Dan L Duncan Comprehensive Cancer Center between 1999 and 2013. Baylor College of Medicine said the breach involved names and dates of birth, and that Advarra has offered affected individuals complimentary credit monitoring, fraud consultation, and identity theft restoration services.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
