
Faxing Error Sees PHI Sent to Local Media Outlet
Feb 16

Seven doctors’ offices in the Fort Worth area of Texas accidentally faxed patients’ protected health information to the wrong fax number. The faxes contained a range of highly sensitive patient information including names, dates of birth, Social Security numbers, medical histories and much more. While such a mistake could potentially see patients’ health information fall into the hands of criminals, in this case the errors saw the...

South Fulton Mental Health Center Discovers Dumped Medical Records
Feb 15

Late last week, South Fulton Mental Health Center in Georgia discovered highly sensitive patient health records had been improperly disposed of in a dumpster that was accessible by the public. A statement released by the clinic shortly after the records were discovered confirmed that an investigation had been launched into the HIPAA breach. “A preliminary review suggests that a staff member did not secure the files properly” during...

Covered Entities Flirting with Fines for Late Data Breach Reports
Feb 14

Last month, the Department of Health and Human Services’ Office for Civil Rights sent a message to covered entities regarding the late reporting of data breaches with the announcement of a settlement with Chicago-based healthcare network Presence Health. The settlement was the first reached with a covered entity purely to resolve HIPAA Breach Notification Rule violations. Presence Health had delayed the issuing of breach notification...

Summary of January 2017 Healthcare Data Breaches Released
Feb 14

Protenus, in conjunction with databreaches.net, has released a summary of January 2017 healthcare data breaches. The report shows that 2017 started where 2016 left off, with similarly high numbers of healthcare data breaches reported. January 2016 saw the lowest number of data breaches of any month in 2016 (21) and also the lowest number of records exposed of any month in the year (104,056 records). 2017 did not start nearly as well....

Automatic Email Forwarding Rule Sent 1,700 Patients’ PHI to Employee’s Personal Account
Feb 09

Health Department officials in Multnomah County, OR, have discovered that an employee set up an automatic mail forwarder on an email account that sent all email correspondence to a personal Google email account for a period of around three months. The emails were forwarded to an account outside the control of Multnomah County, in violation of the Health Insurance Portability and Accountability Act. Since the employee works in the...

Singh and Arora Oncology Hematology Breach Notifications Sent After 5 Months
Feb 09

A Singh and Arora Oncology Hematology breach is finally being communicated to individuals who had their electronic protected health information exposed, although it has taken 5 months for those letters to be sent. The Health Insurance Portability and Accountability Act’s (HIPAA) Breach Notification Rule requires covered entities – healthcare providers, health plans, healthcare clearinghouses, and business associates of covered...

Hacker Gains Access to Records of 4,668 Princeton Pain Management Patients
Feb 08

Princeton Pain Management, a healthcare provider specializing in the management of chronic pain, has reported that a hacking incident has impacted 4,668 of its patients. The breach affects individuals who visited its medical centers in New Jersey, Pennsylvania, and New York for treatment. It is not known for how long the hacker had access to Princeton Pain Management’s systems, although the breach was discovered on November 28, 2016. Upon...

WellCare Health Reports Security Breach Affecting 24,800 Patients
Feb 08

In August 2016, Summit Reinsurance Services experienced a data breach affecting a number of its healthcare clients. Highmark Blue Cross Blue Shield of Delaware was informed in early January that 19,000 of its members were impacted by the breach. Now, WellCare Health Plans has announced that 24,809 of its members have also been impacted by that security incident. Summit Reinsurance Services had previously been contracted by WellCare to...

Verity Health System Announces Details of 10K-Record Data Breach
Feb 07

Verity Health System – a Redwood City-based Californian health system comprising six hospitals, the Verity Medical Foundation, and the Verity Physician Network – has discovered that one of its websites was breached by a hacker who gained access to the electronic protected health information (ePHI) of thousands of its former patients. The unauthorized individual accessed a Verity Medical Foundation (San Jose) Medical Group...

Family Medicine East, Chartered Alerts 6,800 Patients to ePHI Exposure
Feb 06

Family Medicine East, Chartered of Wichita, KS, has reported the theft of a computer from its Rock Road facilities. Thieves broke into the locked clinic on December 8, 2016 and stole a desktop computer and a printer. The computer, which was unencrypted, contained the protected health information of almost 7,000 patients. Law enforcement was notified of the break-in and theft, although the individual(s) responsible have not been...

$3.2 Million HIPAA Civil Monetary Penalty for Children’s Medical Center of Dallas
Feb 02

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced that Children’s Medical Center of Dallas has paid a civil monetary penalty of $3.2 million to resolve multiple HIPAA violations spanning several years. It is relatively rare for a HIPAA Civil Monetary Penalty to be paid by a HIPAA-covered entity to resolve HIPAA violations discovered during OCR data breach investigations. In the vast majority...

Email Account Compromised: 1,200 MultiCare Patients’ ePHI Exposed
Jan 27

The Tacoma, WA-based MultiCare Health System has announced that the email account of one of its employees has been compromised by a hacker following a successful phishing attack. The five-hospital health system issued a statement yesterday about the email security breach confirming patients’ protected health information had been compromised. It is unclear when access to the email account was first gained, although the email security...

Hospital Employee Discovered to Have Improperly Accessed 6,200 Patient Records
Jan 26

Covenant HealthCare has notified more than 6,000 patients that their electronic medical records were inappropriately accessed by one of its employees. The improper access was discovered during a November 2016 audit of EMR access logs. The audit revealed an unusual pattern of medical record access by a single employee. Covenant HealthCare immediately ordered a full review of ePHI access by the employee to determine which medical...

Mailing Error Sees 1,126 Letters Sent to Patients’ Previous Addresses
Jan 26

A ‘software glitch’ has resulted in billing statements and other communications sent by TriHealth of Cincinnati being mailed to patients’ former addresses. The privacy breach was discovered in November 2016, and impacts 1,126 TriHealth patients. The glitch caused current addresses to be substituted with former addresses. In some cases, mail may have been forwarded on to the correct address, although TriHealth was unable to determine...

South Carolina Hospital Reports Loss of Camera Containing Babies’ PHI
Jan 25

Roper St. Francis Mount Pleasant Hospital in South Carolina has discovered that a digital camera used to take photographs of newborn babies has been lost and potentially stolen. As is recommended by the National Center for Missing and Exploited Children, photographs of newborn babies are taken by hospital staff for security reasons. In the event that a baby goes missing, the digital images can be used for identification purposes....

ePHI Improperly Accessed, Copied, and Lost by Employee
Jan 25

The protected health information of 600 individuals who received treatment for mental health disorders and/or substance abuse at a Baltimore treatment center has been compromised. On November 28, 2016, Complete Wellness discovered that highly confidential information had been accessed and copied onto a flash drive without authorization. Even though the treatment center was able to identify the individual responsible, it was not...

Theft of Unencrypted Laptop Exposes Wonderful Health & Wellness Patients’ ePHI
Jan 24

Los Angeles-based Wonderful Health and Wellness has notified patients that their electronic protected health information (ePHI) was exposed in early December, 2016 when an unencrypted laptop computer was stolen from the company’s Wonderful Center for Health Innovation. Staff at the Center discovered the laptop computer was missing on December 12 when they returned to work after the weekend, with the theft having occurred at some point...

Court of Appeals Rules Horizon BCBS Class Action Has Standing Without Evidence of ID Theft
Jan 24

The United States Court of Appeals for the Third Circuit has ruled that a class action lawsuit filed by customers of Horizon Blue Cross Blue Shield whose protected health information was exposed when two laptop computers were stolen from its New Jersey offices does have standing, even without proof of harm. The case had previously been dismissed by U.S. District Judge Claire Cecchi. The incident which led to the lawsuit occurred...

CoPilot Provider Support Services Alerts 220,000 Patients to Historic ePHI Incident
Jan 23

An unauthorized individual has accessed and downloaded the highly sensitive information of approximately 220,000 osteoarthritis patients from a website database maintained by CoPilot Provider Support Services. The website is used by physicians to determine whether ORTHOVISC® and MONOVISC® injections are covered by patients’ health insurance. The information entered via the website is added to a database maintained by CoPilot. That...

Hacking Group Attempts to Extort Funds from Cancer Services Provider
Jan 20

TheDarkOverlord has struck again; this time the victim was a small Indiana cancer charity. The attack occurred on January 11 and was accompanied by a 50 Bitcoin ($43,000) ransom demand. Little Red Door Cancer Services of East Central Indiana was threatened with the publication of confidential data if the ransom was not paid. The charitable organization provides a range of services to help victims of cancer live normal lives during...

Protenus Releases 2016 Healthcare Data Breach Report
Jan 20

Protenus, in conjunction with Databreaches.net, has published its 2016 healthcare data breach report, summarizing the hacks and mishaps that have resulted in patient and health plan members’ protected health information being exposed or stolen. Fortunately, 2016 has not seen the mega data breaches of 2015, although it has been far from a good year. More than 27 million healthcare records were stolen in 2016 across 450 reported data...

$2.2 Million Settlement for Impermissible Disclosure of ePHI
Jan 19

The U.S. Department of Health and Human Services’ Office for Civil Rights has agreed a $2.2 million settlement with MAPFRE Life Assurance Company of Puerto Rico – a subsidiary of MAPFRE S.A., of Spain – to resolve potential noncompliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The settlement relates to the impermissible disclosure of the electronic protected health information of 2,209...

Potential ePHI Breach Impacts 3,600 Children’s Hospital Los Angeles Patients
Jan 18

3,594 patients of Children’s Hospital Los Angeles (CHLA) and Children’s Hospital Los Angeles Medical Group (CHLAMG) are being notified of a potential breach of their electronic protected health information following the theft of an unencrypted, password-protected laptop computer. The laptop was stolen from the locked vehicle of a CHLAMG employee who practices at CHLA. The theft is understood to have occurred on October 18, 2016....

Sentara Healthcare Informs 5,454 Patients of ePHI Breach
Jan 18

Sentara Healthcare is notifying 5,454 patients that some of their electronic protected health information has been accessed by an unauthorized individual. It is unclear when the cybersecurity incident occurred, although law enforcement informed Sentara Healthcare of the security breach on November 17, 2016. Sentara Healthcare launched an investigation into the potential data breach in November and determined that the cybersecurity...

Highmark BCBS of Delaware Investigates Data Breach Affecting 19,000 Individuals
Jan 17

Highmark BlueCross BlueShield of Delaware is investigating a data breach that has impacted 19,000 beneficiaries of employer-paid health plans. The data breach involves two subcontractors of Highmark BCBS – Summit Reinsurance Services and BCS Financial Corporation. Karen Kane, Highmark BCBS director of privacy and information management, issued a statement saying 16 current and former Highmark self-insured customers have been impacted....

Brandywine Pediatrics Alerts 27,000 to Potential ePHI Breach
Jan 17

Wilmington, DE-based healthcare provider Brandywine Pediatrics, P.A. has informed tens of thousands of its patients that some of their protected health information has potentially been accessed by an unknown individual. The security breach involved a computer virus, which was discovered on one of the organization’s file servers. While it has not been explicitly stated that the virus was ransomware, Brandywine Pediatrics has informed...

OCR HIPAA Enforcement: Summary of 2016 HIPAA Settlements
Jan 12

The Department of Health and Human Services’ Office for Civil Rights has stepped up its enforcement activities in recent years, and 2016 HIPAA settlements were at record levels. In total, payments of $22,855,300 were made to OCR in 2016 to resolve alleged HIPAA violations. Seven settlements were in excess of $1,500,000. In 2016, OCR settled alleged HIPAA violations with 12 healthcare organizations. Last year also saw an Administrative...

Atmore Community Hospital Employee Inappropriately Accessed 1,000 Patient Records
Jan 12

A routine audit of PHI access logs has revealed that a former employee of Atmore Community Hospital in Alabama accessed the electronic health information of approximately 1,000 patients without authorization over a period of 13 months. The audit was conducted by Infirmary Management Services, Inc, which manages the hospital. The privacy violations were discovered to have occurred between October 3, 2015 and November 11, 2016....

Cosmetic Surgery Center Reports Ransomware Infection: 11,400 Patients Impacted
Jan 10

Another healthcare provider has announced that a ransomware infection has resulted in patients’ protected health information being encrypted, and potentially accessed, by cybercriminals. The Susan M. Hughes Center, a provider of aesthetic medicine and cosmetic surgery services in New Jersey and Philadelphia, discovered ransomware had been installed on its computer system on August 30, 2016. A computer server was attacked and infected...

Emory Healthcare Joins 28,000 Other Victims of MongoDB Ransom Attacks
Jan 09

A hacker by the name of Harak1r1 has taken advantage of a misconfigured MongoDB healthcare database containing 200,000 records of Emory Healthcare patients. The hacker stole the database and issued a 0.2 Bitcoin ransom demand for its safe return. Emory Healthcare is the largest healthcare provider in Georgia with headquarters in Atlanta. The database contained the protected health information of patients of the Emory Brain Health...
