
Our HIPAA breach news section covers incidents of HIPAA breaches in all areas of healthcare. Where known, we explain how the breach occurred, the consequences to patients who may have had their Protected Health Information (PHI) compromised, and the action being taken by the HHS Office for Civil Rights (OCR). Not all OCR action results in a fine being issued.

The HIPAA breach news section is of significant importance to professionals in the healthcare security industry. It illustrates the volume of breaches occurring on an almost daily basis, the security failings that allowed them to happen, and the measures that have been implemented to prevent them from happening again.

For healthcare authorities, our HIPAA breach news is a vital source of information about potential security issues they should be looking for when conducting their own risk assessments. Many of the situations in our HIPAA breach news items could have been avoided if an assessment had identified the lapse in security that resulted in them occurring.

Elsewhere within our HIPAA breach news items, you will find instances where potential breaches may have occurred, but there is no evidence to confirm it. This is often the case when hackers install malware to infect a computer system or lock it with encryption. Malware and ransomware attacks have become two of the biggest threats to HIPAA compliance in recent years.

Our goal for the news section of HIPAAJournal.com is for it to become the number one resource on all matters relating to HIPAA compliance. We believe that this particular news section goes a long way to achieving that goal. We aim to continue providing up-to-date and accurate HIPAA breach news in order that healthcare professionals make HIPAAJournal.com their first port of call to obtain the information they need to protect the privacy of their patients and avoid HIPAA violations.

NotPetya Attack Continues to Disrupt Nuance Communications’ Services
Jul20

In late June, Nuance Communications, a provider of healthcare solutions and transcription services, was one of many organizations around the globe to have systems taken out of action by NotPetya ransomware. While most ransomware attacks are conducted with the intention of obtaining ransom payments in exchange for the keys to unlock data, NotPetya was different. The aim was sabotage. Infection resulted in permanent encryption of master...

U.S. Data Breaches Hit Record High
Jul20

Hacking is still the biggest cause of data breaches, and the breach count has risen once again in 2017, according to a new report released by the Identity Theft Resource Center (ITRC) and CyberScout. In its half-yearly report, ITRC says 791 data breaches have already been reported in the year to June 30, 2017, marking a 29% increase year on year. At the current rate, the annual total is likely to reach 1,500 reported data breaches. If that...

Ransomware Attack Investigation Reveals 15-Month Security Breach
Jul18

A ransomware attack on Peachtree Neurological Clinic (PNC) in Atlanta, GA resulted in the encryption of sensitive data. Since PNC had backed up its data, it was possible to restore the affected files without paying the ransom. Following any ransomware attack it is important to conduct a forensic analysis of systems to ensure all traces of the ransomware have been removed and no backdoors have been installed. PNC performed scans of its...

Rosalind Franklin University of Medicine and Science Phishing Attack Sees PHI Compromised
Jul18

The protected health information of 859 patients of Rosalind Franklin University of Medicine and Science (RFU) has been compromised and potentially been viewed/stolen. The information was stored in two email accounts that were accessed by unauthorized individuals in May. Access to the email accounts was gained after employees responded to phishing emails. The phishing attack occurred on May 10, 2017 prompting a full investigation. The...

Detroit Medical Center Discovers Agency Employee Disclosed Patients’ PHI
Jul17

Detroit Medical Center has discovered an employee has stolen the protected health information of as many as 1,529 patients and impermissibly disclosed that information to a third party. Detroit Medical Center became aware of the security breach when the staffing agency that supplied the employee contacted DMC to report that it had discovered protected health information had been obtained and provided to a third party. DMC is part of...

Ivinson Memorial Hospital Affected by FastHealth Security Breach
Jul14

A data breach experienced by FastHealth, a vendor of website services, has impacted more than 500 patients of Ivinson Memorial Hospital in Laramie, WY. Access was gained to a web server used by FastHealth and the attackers altered code on the website to capture billing and health information submitted by patients in online forms. The breach does not affect all patients, only those that used the online bill-pay platform or completed...

PHI of 15,000 UC Davis Health Patients Compromised in Phishing Attack
Jul14

University of California Davis Health is alerting almost 15,000 patients that their PHI may have been viewed as a result of an employee falling for a phishing scam. The incident occurred on May 15, 2017. A phishing email was sent to a UC Davis Health employee who responded and unwittingly gave the attacker login credentials to his/her email account. That email account was accessed by the attacker on May 17. It is possible that the...

University of Iowa Health Care Discovers PHI Was Exposed Online for 2 Years
Jul14

University of Iowa Health Care has discovered patient information has been accidentally exposed on the Internet for a period of around 2 years. The exposed data was limited and did not include any clinical data, financial information or Social Security numbers, only patients’ names, admission dates and medical record numbers. 5,292 patients of University of Iowa Hospitals and Clinics have been impacted by the incident. The data were...

Almost 12,000 Records Compromised in Two New Ransomware Attacks
Jul11

In the past two weeks, two further healthcare organizations have announced that they have experienced ransomware attacks that potentially resulted in the protected health information of patients being accessed by cybercriminals. A combined 11,843 patient records were exposed in the two attacks. The first incident affects PVHS-ICM Employee Health and Wellness, LLC. Ransomware was installed on a server at a single UCHealth walk-in...

Lost Backup Drive Contained PHI of More than 500 EEG Patients
Jul10

Baptist Medical Center South of Jacksonville, Florida has discovered a backup drive containing the electronic protected health information of 531 patients has gone missing. The portable storage drive was discovered to be missing on May 18, 2017. The device is believed to have been taken from an EEG room. A full search for the device was conducted but it could not be located. Baptist Medical Center South was unable to determine whether...

Indiana Medicaid Recipients Alerted to Potential Data Breach
Jul04

Medicaid recipients in Indiana are being notified that some of their protected health information was accessible over the Internet between February and May this year. The fiscal agent for the Indiana Health Coverage Program (IHCP), DXC Technology, says a hyperlink to an IHCP report containing patient information was accessible online. The report was an internal document used for administrative functions. The information exposed was...

Tampa Bay Surgery Center Notifies 26,000 of PHI Theft
Jul04

Tampa Bay Surgery Center has started notifying almost 26,000 patients that some of their protected health information was stolen by an unauthorized individual who subsequently posted the information on a file sharing website. Law enforcement contacted Tampa Bay Surgery Center on May 5, 2017 alerting the healthcare provider to the data dump. The file had been uploaded to the file sharing website the previous day. The file contained...

White Blossom Care Center Notifies Residents of Improper PHI Access
Jul03

White Blossom Care Center in San Jose, CA has started notifying approximately 800 of its residents that some of their protected health information has been inappropriately accessed and acquired by a former employee. The care center was recently alerted to the potential data security incident and launched an investigation to determine whether a data breach had occurred. A third party technical security expert was brought in to assist...

Cleveland Medical Associates Attacked with Ransomware
Jun30

Another healthcare organization has experienced a ransomware attack in which the protected health information of patients was potentially accessed. Ransomware is typically installed for the purpose of extortion rather than the theft of data; however, even if data theft is not suspected, ransomware attacks are reportable security incidents under HIPAA Rules and patients must be notified per the HIPAA Breach Notification Rule. Cleveland...

Family Tree Health Clinic Announces Ransomware Attack
Jun29

The Family Tree Health Clinic in League City, Texas is alerting 13,402 patients that their protected health information was potentially viewed by unauthorized individuals. The attackers gained access to the IT systems of the clinic and downloaded ransomware. The clinic reports that this was a ‘sophisticated ransomware-encryption’ attack that was quickly remediated. The attack occurred on April 24, 2017 preventing the clinic from...

Experian Health Accidentally Sends PHI to Incorrect Individuals
Jun27

Experian Health has discovered the protected health information of some patients has been accidentally disclosed to incorrect individuals due to a technical error that occurred during a server migration. The disclosed data included names, addresses, genders, dates of birth, Medicare ID/HIC numbers, member ID numbers, insurance/payer company names, group numbers/group policy numbers and Medicaid case numbers. The data were shared with...

Aetna Error Sees PHI of 5,000 Individuals Exposed Online
Jun27

Hartford, CT-based health insurer Aetna has discovered the protected health information of more than 5,000 plan members has been exposed online and was accessible through search engines. Aetna started investigating a security issue affecting two computer services on April 27, 2017. Those services were intended to show documents containing PHI to plan members and other authorized individuals, although it was discovered that the...

Airway Oxygen Inc. Ransomware Attack Impacts up to 500,000 Individuals
Jun26

A ransomware attack on the Wyoming, MI-based medical supply company Airway Oxygen Inc., in April 2017 has potentially resulted in the protected health information of 500,000 individuals being accessed by the attackers. No evidence of data access or theft was uncovered by Airway Oxygen, although it was not possible to rule out the possibility that information was compromised in the attack. The attackers gained access to the company’s...

World’s Largest Data Breach Settlement Agreed by Anthem
Jun26

The largest data breach settlement in history has recently been agreed by the health insurer Anthem Inc. Anthem experienced the largest healthcare data breach ever reported in 2015, with the cyberattack resulting in the theft of 78.8 million records of current and former health plan members. The breach involved names, addresses, Social Security numbers, email addresses, birthdates and employment/income information. A breach on that...

2,859 Patients Impacted by Improper Disposal at St. Thomas Rutherford Hospital
Jun22

This month, North Dakota Department of Human Services and Texas Health and Human Services have both reported that patients’ protected health information has been disposed of improperly. Today, another HIPAA-covered entity – Saint Thomas Rutherford Hospital in Murfreesboro, TN – has reported a similar incident. Documents containing the protected health information of almost 3,000 patients were discovered to have been...

Texas Health and Human Services Commission Reports Improper Disposal of 1,800 Patient Records
Jun21

A box of paper forms has been discovered to have been improperly disposed of by the Texas Health and Human Services Commission. The Texas Health and Human Services Commission recently announced that the paperwork was discovered in a box next to a dumpster used by one of its eligibility offices in the E. 40th St. complex in Houston. An investigation into the improper disposal has been launched and steps are being taken to prevent...

Healthcare Data Breach Costs Fall to $380 Per Record
Jun21

Healthcare data breach costs have fallen year-over-year according to the latest IBM Security/Ponemon Institute study. While there was a slight decline, for the seventh straight year, healthcare data breach costs are still higher than in any other industry sector. This year, the Ponemon Institute calculated the average healthcare data breach costs to be $380 per record. The average global cost per record for all industries is now $141,...

May’s Healthcare Data Breach Report Shows Some Incidents Took 3 Years to Discover
Jun20

The May 2017 healthcare Breach Barometer Report from Protenus shows there was an increase in reported data breaches last month. May was the second worst month of the year to date for healthcare data breaches with 37 reported incidents, approaching the 39 data breaches reported in March. In April, there were 34 incidents reported. So far, each month of 2017 has seen more than 30 data breaches reported – That’s one reported breach per...

Torrance Memorial Medical Center Reports Email Account Compromise
Jun20

The danger of phishing has been highlighted by an incident reported by Torrance Memorial Medical Center in Claysburg, PA. The medical center discovered the email accounts of two staff members had been accessed by an unauthorized individual. The incident was detected rapidly, with third party forensic investigators brought in to investigate the breach. The investigation revealed the accounts were accessed on April 18 and April 19. The...

Delayed Breach Notification Sees CoPilot Fined $130,000 by NY AG
Jun19

A data breach that occurred in October 2015 should have seen affected individuals notified within 2 months, yet it took CoPilot Provider Support Services Inc., until January 2017 to issue breach notifications. An administration website maintained by CoPilot was accessed by an unauthorized individual on October 26, 2015. That individual also downloaded the data of 221,178 individuals. The stolen data included names, dates of birth,...

OCR’s Wall of Shame Under Review by HHS
Jun16

Since 2009, the Department of Health and Human Services’ Office for Civil Rights has been publishing summaries of healthcare data breaches on its website. The data breach list is commonly referred to as OCR’s ‘Wall of Shame’. The data breach list only provides a brief summary of data breaches, including the name of the covered entity, the state in which the covered entity is based, covered entity type, date of notification, type of...

Sound Community Services Discovers Email Account Breach
Jun14

New London, CT-based Sound Community Services Inc., a not-for-profit provider of education, support and assistance for individuals with persistent mental illness and/or substance abuse disorders has discovered an unauthorized individual has gained access to an employee’s email account. Suspicious activity was detected on the email account on January 13, 2017. An investigation was immediately launched and access to the email account...

Double Burglary Sees Connecticut Patients’ PHI Exposed
Jun13

SouthWest Community Health Center, a Bridgeport, CT network of health centers, has alerted patients that some of their protected health information has been exposed after burglars targeted two of its facilities. Several computers were stolen in a double burglary at its 1046 Fairfield Avenue and 10 Clinton Avenue sites. Thieves first broke into the Fairfield Avenue facility on Saturday, April 8 and stole four desktop computers and a...

Austin Medical Center Discovers Patient Data Was Accessible Via Internet
Jun08

An Austin, TX medical center has discovered patient data has been stolen and uploaded to the Internet and was accessible for 4 years. The information, which related to approximately 2,000 patients, could freely be found via search engines. Victory Medical Center was alerted to the data leak on April 5, 2017 by a patient who had found his or her personal information online while browsing the Internet. An investigation was launched by...

WannaCry Ransomware Continues to Cause Problems for U.S. Hospitals
Jun06

The Department of Health and Human Services (HHS) has issued a cyber notice to alert healthcare organizations of the continuing problems caused by the WannaCry ransomware attacks on May 12, 2017. Following the attacks, the United States Department of Homeland Security (DHS) issued a statement saying the U.S. had suffered ‘limited attacks’ with only a small number of companies affected. However, the problems caused by those attacks...
