Dedicated to providing the latest
HIPAA compliance news

Stolen Electromyography Device Contained 836 Patients PHI, says SSM Health
May25

Stolen Electromyography Device Contained 836 Patients PHI, says SSM Health

SSM Health has started notifying patients that some of their protected health information was exposed when a portable device was stolen from DePaul Hospital St Louis in Bridgeton, MO. The device contained the protected health information of 836 patients, including names, medical record numbers, dates of birth and brief details of patients’ chief health complaint.  No insurance details, financial information, Social Security numbers or...

Read More
Impermissible Disclosure of HIV Status to Employer Results in $387,000 HIPAA Penalty
May24

Impermissible Disclosure of HIV Status to Employer Results in $387,000 HIPAA Penalty

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a new HIPAA settlement to resolve violations of the HIPAA Privacy Rule. St. Luke’s-Roosevelt Hospital Center Inc., has paid OCR $387,200 to resolve potential HIPAA violations discovered during an OCR investigation of a complaint about an impermissible disclosure of PHI. In September 2014, OCR received a complaint about a potential privacy...

Read More
Leading Cause of Healthcare Data Breaches in April was Hacking
May23

Leading Cause of Healthcare Data Breaches in April was Hacking

The monthly Breach Barometer Report from Protenus shows a significant reduction in the number of exposed healthcare records in April, with 232,060 records exposed compared to more than 1.5 million in March. The number of reported data breaches also fell from 39 to 34. The report offers some further good news. The time taken by healthcare organizations to report security incidents also fell last month. 66% of breaches were reported...

Read More
Healthcare Organizations Reminded of HIPAA Rules Relating to Ransomware
May19

Healthcare Organizations Reminded of HIPAA Rules Relating to Ransomware

Following the recent WannaCry ransomware attacks, the Department of Health and Human Services has been issuing cybersecurity alerts and warnings to healthcare organizations on the threat of attack and steps that can be taken to reduce risk. The email alerts were sent soon after the news of the attacks on the UK’s NHS first started to emerge on Friday May 12, and continued over the course of the week. The alerts provided timely and...

Read More
Patients’ Email Addresses Accidentally Disclosed by Rutland Regional Medical Center
May18

Patients’ Email Addresses Accidentally Disclosed by Rutland Regional Medical Center

An electronic survey can provide healthcare organizations with valuable information to improve patient services; however, in the case of Rutland Regional Medical Center, it has resulted in a privacy breach. According to the Burlington Free Press, Rutland Regional Medical Center sent emails to more than 700 patients asking for opinions on discharge paperwork in an effort to make improvements to patient discharges. Rather than using an...

Read More
Coney Island Hospital Supervisor Allowed Unvetted Volunteer to Access PHI
May17

Coney Island Hospital Supervisor Allowed Unvetted Volunteer to Access PHI

NYC Health + Hospitals has discovered a volunteer accessed the protected health information of almost 3,500 patients without official authorization. The unauthorized disclosure of PHI was discovered by NYC Health + Hospitals on March 10, 2017. The volunteer had worked in the phlebotomy department of Coney Island Hospital for a period of three months under direction of a supervisor. The supervisor arranged for the volunteer to perform...

Read More
Ransomware Attack Reported by Dallas Senior Living Community
May16

Ransomware Attack Reported by Dallas Senior Living Community

A ransomware attack on the Dallas Senior Living Community, Walnut Place, in February resulted in highly sensitive data being encrypted, including Social Security numbers, driver’s license numbers, birth dates, banking and credit card numbers, health insurance information, clinical information and patients’ and residents’ contact information. The ransomware was installed on its systems on January 25, 2017, with the issue remediated 8...

Read More
PHI of Thousands of Patients of Bronx Lebanon Hospital Center Exposed Online
May12

PHI of Thousands of Patients of Bronx Lebanon Hospital Center Exposed Online

Highly sensitive medical records of thousands of patients of New York’s Bronx Lebanon Hospital Center have been exposed online. Those records were reportedly accessible for three years as a result of a misconfigured backup server. The exposed records were uncovered by researchers at the Kromtech Security Research Center after conducting a “regular security audit of exposed rsync protocols on Shodan,” a search engine that can be used...

Read More
Security Breach Highlights Need for Patient Portals to be Pen Tested
May11

Security Breach Highlights Need for Patient Portals to be Pen Tested

A range of safeguards must be implemented to ensure networks and EHRs are protected. Encryption should be considered to prevent the loss or theft of devices from exposing the ePHI of patients. However, it is important for healthcare organizations also check their patient portals for potential vulnerabilities and implement safeguards to prevent unauthorized disclosures of sensitive information. The failure to implement appropriate...

Read More
Memorial Hermann Health System Hit with $2.4 Million HIPAA Fine
May11

Memorial Hermann Health System Hit with $2.4 Million HIPAA Fine

Memorial Hermann Health System has agreed to settle potential HIPAA Privacy Rule violations with the Department of Health and Human Services’ Office for Civil Rights (OCR) for $2.4 million. The settlement stems from an impermissible disclosure on a press release issued by MHHS in September 2015. Memorial Hermann Health System (MHHS) is a 16-hospital health system based in Southeast Texas, serving patients in the Greater Houston area....

Read More
New Jersey IVF Clinic Hack Sees PHI of 14,000 Patients Potentially Compromised
May10

New Jersey IVF Clinic Hack Sees PHI of 14,000 Patients Potentially Compromised

A third-party server hosting the electronic health record database of the New Jersey Diamond Institute for Infertility and Menopause has been hacked and access gained by an unauthorized individual. The Diamond Institute says its database and EHR system was encrypted, so the attackers were unable to access patient health records, although many unencrypted supporting documents were also stored on the server and may have been accessed....

Read More
Unencrypted Hard Drive Stolen from LSU Health New Orleans: 2,200 Individuals Impacted
May09

Unencrypted Hard Drive Stolen from LSU Health New Orleans: 2,200 Individuals Impacted

Another healthcare provider has announced that an unencrypted device used to store electronic protected health information of patients has been stolen. The medical data of 2,200 patients of Louisiana State University Health New Orleans were stored on a portable hard drive that was stolen from the Department of Neurology Research in March. The theft occurred on or around March 6 and was immediately reported to law enforcement. A...

Read More
Bitglass Publishes 2017 Healthcare Data Security Report
May04

Bitglass Publishes 2017 Healthcare Data Security Report

Bitglass has recently published its 2017 Healthcare Data Breach Report, the third annual report on healthcare data security issued by the data protection firm. For the report, Bitglass conducted an analysis of healthcare data breach reports submitted to the Department of Health and Human’ Services Office for Civil Rights. The report confirms 2016 was a particularly bad year for healthcare industry data breaches. Last year saw record...

Read More
Survey Explores Trust in Healthcare Organizations’ Ability to Keep Data Secure
May04

Survey Explores Trust in Healthcare Organizations’ Ability to Keep Data Secure

A recent survey by Accenture has explored consumers’ attitudes about healthcare data security and revealed the impact healthcare data breaches have had on consumers. The survey showed the extent to which individuals had suffered losses as a result of a data breach, how consumers felt their organization handled data breaches and the effect those breaches had on trust. Trust in Healthcare Providers and Insurers is High In the United...

Read More
Two Harrisburg Practices Report Potential ePHI Breach
May03

Two Harrisburg Practices Report Potential ePHI Breach

Two Harrisburg practices have discovered their systems have been accessed by an unauthorized individual who may have gained access to the electronic protected health information of their patients. Harrisburg Endoscopy and Surgery Center and Harrisburg Gastroenterology in Dauphin County, PA were alerted to a potential intrusion when suspicious system activity was detected on March 17, 2017. While the investigation revealed the system...

Read More
Greenway Health Ransomware Attack Stops 400 Clients from Accessing EHRs
May02

Greenway Health Ransomware Attack Stops 400 Clients from Accessing EHRs

Tampa, Florida-based practice management software and EHR vendor, Greenway Health, has experienced a ransomware attack that has affected around 5% of its client base – approximately 400 healthcare organizations. It is unclear whether the ransomware infection resulted in EHR data being encrypted, although clients were temporarily prevented from accessing the cloud-based Intergy EHR/medical management platform. Those clients were...

Read More
Hill Country Memorial Hospital Discovers Email Account Compromise
May01

Hill Country Memorial Hospital Discovers Email Account Compromise

An unauthorized individual has gained access to an email account of an employee of Hill Country Memorial Hospital and sent a number of fraudulent invoices, but potentially also accessed the protected heath information of certain patients. The Fredericksburg, TX hospital discovered the email account of an emergency room employee had been accessed on February 21, 2017. The attack is believed to have been conducted solely for the purpose...

Read More
PHI Potentially Compromised in Atlantic Digestive Specialists Ransomware Attack
Apr25

PHI Potentially Compromised in Atlantic Digestive Specialists Ransomware Attack

Somersworth, New Hampshire-based Atlantic Digestive Specialists is one of the latest healthcare organizations to report a ransomware attack that has potentially resulted in the protected health information of patients being accessed. The ransomware attack was discovered on February 20, 2017 although a subsequent investigation revealed that the ransomware was installed on February 18. The infection took two days to resolve, during...

Read More
Unencrypted Portable Devices are a HIPAA Breach Waiting to Happen
Apr25

Unencrypted Portable Devices are a HIPAA Breach Waiting to Happen

This week, OCR announced a new settlement with a covered entity to resolve HIPAA violations discovered during the investigation of an impermissible disclosure of ePHI. The incident that sparked the investigation was the theft of an unencrypted laptop computer from the vehicle of a CardioNet employee. This week has also seen two data breaches reported that have similarly involved the theft of portable devices. Earlier this week,...

Read More
Lifespan Laptop Theft Exposes ePHI of 20,000 Patients
Apr25

Lifespan Laptop Theft Exposes ePHI of 20,000 Patients

Lifespan has announced a laptop computer has been stolen from the vehicle of one of its employees. A thief stole a number of items from the employee’s car on February 25, 2017, including a MacBook laptop that contained the electronic protected health information of certain Lifespan patients. An investigation into the incident revealed the laptop was not encrypted, and neither was a password required to gain access to the device....

Read More
Wireless Health Services Provider Settles HIPAA Violations with OCR for $2.5 Million
Apr24

Wireless Health Services Provider Settles HIPAA Violations with OCR for $2.5 Million

2016 was a record year for HIPAA settlements, but 2017 is looking like it will see last year’s record smashed. There have already been six HIPAA settlements announced so far this year, and hot on the heels of the $31,000 settlement announced last week comes another major HIPAA fine. A $2.5 million settlement has been agreed with CardioNet to resolve potential HIPAA violations. CardioNet is a Pennsylvania-based provider of remote...

Read More
OCR Settlement Highlights Importance of Obtaining Signed Business Associate Agreements
Apr21

OCR Settlement Highlights Importance of Obtaining Signed Business Associate Agreements

The Department of Health and Human Services’ Office for Civil Rights has sent another warning to HIPAA-covered entities about the need to obtain signed, HIPAA-compliant business associate agreements with all vendors prior to disclosing any protected health information. Yesterday, OCR announced it has agreed to settle potential violations of the Health Insurance Portability and Accountability Act with The Center for Children’s...

Read More
Cardiology Center of Acadiana Ransomware Attack Impacts 9,700 Patients
Apr21

Cardiology Center of Acadiana Ransomware Attack Impacts 9,700 Patients

A recent Cardiology Center of Acadiana ransomware attack has resulted in the exposure of almost 9,700 patients’ protected health information. The ransomware attack occurred on February 7, 2017 and was discovered the following day. The attackers targeted a server used by the Lafayette, LA-based cardiology practice and deployed ransomware, which encrypted a range of files containing patients’ names, dates of birth, addresses, billing...

Read More
Employee Terminated for Improperly Dumping PHI
Apr21

Employee Terminated for Improperly Dumping PHI

An employee of New Jersey-based BioReference Laboratories has been terminated for failing to follow company protocols – and HIPAA Rules – regarding the secure disposal of documents containing the protected health information of patients. BioReference Laboratories is the third largest full service clinical diagnostic laboratory in the United States, with locations in New York, New Jersey, Maryland, Massachusetts, Rhode Island, Ohio,...

Read More
Amedisys Notifies Patients of Improper Disposal Incident
Apr18

Amedisys Notifies Patients of Improper Disposal Incident

The medical information of certain patients of Amedisys Home Health of Fayetteville, NC has been disposed of improperly, although all information is believed to have been retrieved. Amedisys ensures all paper copies of patients’ protected health information is shredded and rendered unreadable, indecipherable, and otherwise cannot be reconstructed, in accordance with HIPAA Rules. However, Baton Rouge, LA-based Amedisys was recently...

Read More
21 Employees Found to Have Accessed PHI Without Authorization
Apr17

21 Employees Found to Have Accessed PHI Without Authorization

A routine audit conducted by Virginia Mason Memorial has revealed employees have been accessing the protected health information of patients without authorization. Audits of PHI access logs occasionally reveal rogue employees have been improperly accessing the medical records of patients, but what makes this incident stand out is the number of employees that were discovered to have improperly viewed PHI. The audit revealed 21...

Read More
Protenus Publishes Healthcare Data Breach Report for March 2017
Apr14

Protenus Publishes Healthcare Data Breach Report for March 2017

Protenus has released its Breach Barometer report for March 2017, which shows a significant increase in healthcare data breaches and a major jump in the number of individuals who have had their sensitive data exposed or stolen. In both January and February there were 31 reported healthcare data breaches, although March saw the figure jump to 39 incidents.  February saw relatively few individuals affected by healthcare data breaches....

Read More
Ashland Women’s Health Reports Ransomware Attack
Apr13

Ashland Women’s Health Reports Ransomware Attack

Since the start of 2016, cybercriminals have been increasingly turning to ransomware to attack healthcare organizations. Rather than attempting to steal the electronic protected health information of patients, malicious actors are blocking access to ePHI and are issuing ransom demands to restore access. While large healthcare organizations such as MedStar Health are major targets for cybercriminals, healthcare organizations of all...

Read More
Virus Infection at Erie County Medical Center Forces Computer System Shutdown
Apr12

Virus Infection at Erie County Medical Center Forces Computer System Shutdown

A computer virus sent via email to staff at Erie County Medical Center in Buffalo, New York – the main teaching hospital used by the University of Buffalo – has forced the hospital to shut down its entire computer system, parts of which remain out of action three days later. The incident occurred in the early hours of Sunday morning. IT staff reacted promptly and shut down email and took the entire computer system offline as a...

Read More
2017 Shaping Up to Be Another Record-Breaking Year for Healthcare Data Breaches
Apr07

2017 Shaping Up to Be Another Record-Breaking Year for Healthcare Data Breaches

2016 was a particularly bad year for healthcare data breaches. More data breaches were reported than in any other year since the Department of Health and Human Services’ Office for Civil Rights started publishing healthcare data breach summaries in 2009. In 2016, 329 breaches of more than 500 records were reported to the Office for Civil Rights and 16,655,952 healthcare records were exposed or stolen. 2017 looks set to be another...

Read More