Dedicated to providing the latest
HIPAA compliance news

Hacking Group Attempts to Extort Funds from Cancer Services Provider
Jan20

TheDarkOverlord has struck again; this time the victim was a small Indiana cancer charity. The attack occurred on January 11 and was accompanied by a 50 Bitcoin ($43,000) ransom demand. Little Red Door Cancer Services of East Central Indiana was threatened with the publication of confidential data if the ransom was not paid. The charitable organization provides a range of services to help victims of cancer live normal lives during...

Protenus Releases 2016 Healthcare Data Breach Report
Jan20

Protenus, in conjunction with Databreaches.net, has published its 2016 healthcare data breach report, summarizing the hacks and mishaps that have resulted in patient and health plan members’ protected health information being exposed or stolen. Fortunately, 2016 has not seen the mega data breaches of 2015, although it has been far from a good year. More than 27 million healthcare records were stolen in 2016 across 450 reported data...

$2.2 Million Settlement for Impermissible Disclosure of ePHI
Jan19

The U.S. Department of Health and Human Services’ Office for Civil Rights has agreed to a $2.2 million settlement with MAPFRE Life Assurance Company of Puerto Rico – a subsidiary of MAPFRE S.A., of Spain – to resolve potential noncompliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The settlement relates to the impermissible disclosure of the electronic protected health information of...

Potential ePHI Breach Impacts 3,600 Children’s Hospital Los Angeles Patients
Jan18

3,600 patients of Children’s Hospital Los Angeles (CHLA) and Children’s Hospital Los Angeles Medical Group (CHLAMG) are being notified of a potential breach of their electronic protected health information following the theft of an unencrypted, password-protected laptop computer. The laptop was stolen from the locked vehicle of a CHLAMG employee who practices at CHLA. The theft is understood to have occurred on October 18, 2016....

Sentara Healthcare Informs 5,454 Patients of ePHI Breach
Jan18

Sentara Healthcare is notifying 5,454 patients that some of their electronic protected health information has been accessed by an unauthorized individual. It is unclear when the cybersecurity incident occurred, although law enforcement informed Sentara Healthcare of the security breach on November 17, 2016. Sentara Healthcare launched an investigation into the potential data breach in November and determined that the cybersecurity...

Highmark BCBS of Delaware Investigates Data Breach Affecting 19,000 Individuals
Jan17

Highmark BlueCross BlueShield of Delaware is investigating a breach of 19,000 beneficiaries of employer-paid health plans. The data breach involves two subcontractors of Highmark BCBS – Summit Reinsurance Services and BCS Financial Corporation. Karen Kane, Highmark BCBS director of privacy and information management, issued a statement saying 16 current and former Highmark self-insured customers have been impacted. Affected...

Brandywine Pediatrics Alerts 27,000 to Potential ePHI Breach
Jan17

Wilmington, DE-based healthcare provider Brandywine Pediatrics, P.A. has informed tens of thousands of its patients that some of their protected health information has potentially been accessed by an unknown individual. The security breach involved a computer virus, which was discovered on one of the organization’s file servers. While it has not been explicitly stated that the virus was ransomware, Brandywine Pediatrics has informed...

OCR HIPAA Enforcement: Summary of 2016 HIPAA Settlements
Jan12

The Department of Health and Human Services’ Office for Civil Rights has stepped up its enforcement activities in recent years, and 2016 HIPAA settlements were at record levels. In total, payments of $22,855,300 were made to OCR in 2016 to resolve alleged HIPAA violations. Seven settlements were in excess of $1,500,000. In 2016, OCR settled alleged HIPAA violations with 12 healthcare organizations. Last year also saw an Administrative...

Atmore Community Hospital Employee Inappropriately Accessed 1,000 Patient Records
Jan12

A routine audit of PHI access logs has revealed that a former employee of Atmore Community Hospital in Alabama accessed the electronic health information of approximately 1,000 patients without authorization over a period of 13 months. The audit was conducted by Infirmary Management Services, Inc, which manages the hospital. The privacy violations were discovered to have occurred between October 3, 2015 and November 11, 2016....

Cosmetic Surgery Center Reports Ransomware Infection: 11,400 Patients Impacted
Jan10

Another healthcare provider has announced that a ransomware infection has resulted in patients’ protected health information being encrypted, and potentially accessed, by cybercriminals. The Susan M. Hughes Center, a provider of aesthetic medicine and cosmetic surgery services in New Jersey and Philadelphia, discovered ransomware had been installed on its computer system on August 30, 2016. A computer server was attacked and infected...

Emory Healthcare Joins 28,000 Other Victims of MongoDB Ransom Attacks
Jan09

A hacker by the name of Harak1r1 has taken advantage of a misconfigured MongoDB healthcare database containing 200,000 records of Emory Healthcare patients. The hacker stole the database and issued a 0.2 Bitcoin ransom demand for its safe return. Emory Healthcare is the largest healthcare provider in Georgia with headquarters in Atlanta. The database contained the protected health information of patients of the Emory Brain Health...

Foreign Government-Backed Hacker Was Behind 2015 Anthem Breach
Jan08

The massive 2015 data breach at Anthem Inc., which resulted in the theft of more than 78.8 million health plan members’ records, was likely the work of a foreign government-backed hacker, according to a recent report issued by the California Department of Insurance. Anthem Inc., the second largest health insurer in the United States, announced the massive cyberattack in February 2015, almost a month after the breach was discovered....

Fetal Tissue Firms Guilty of Systemic HIPAA Violations
Jan06

The U.S. House of Representatives Select Investigative Panel has published the findings from its investigation into the sale of fetal tissue by abortion clinics, revealing systemic HIPAA violations by both abortion clinics and tissue procurement businesses. An investigation was requested by the Energy and Commerce Subcommittee on Oversight and Investigations following revelations made by undercover journalist David Daleiden. In 2015,...

Massachusetts Data Breach Notification Archive Now Available Online
Jan05

The Office of Consumer Affairs and Business Regulation of the state of Massachusetts has taken a major step toward improving transparency by making its data breach notification archive available to the public. Previously, members of the public were permitted to view the breach reports, but only by submitting a public records request. Now all breach notifications made to the state’s Office of Consumer Affairs and Business Regulation...

Largest Healthcare Data Breaches of 2016
Jan04

2016 was a particularly bad year for healthcare data breaches. While the number of records exposed was nowhere near the level of 2015 – 16,586,112 records compared to 113,267,174 in 2015 – more covered entities reported breaches than in any other year since OCR started publishing breach summaries on its ‘Wall of Shame’ in 2009. 2016 ranks as the second worst year in terms of the number of patient and health plan members’...

108 L.A. County Employees Fall for Phishing Attack: 756,000 Impacted
Jan03

It has taken some time for the County of Los Angeles to announce it was the victim of a major phishing attack, especially considering the attack was discovered within 24 hours of the May 2016 breach. However, notification had to be delayed so as not to interfere with an “extensive” criminal investigation. The investigation into the phishing attack was conducted by county district attorney Jackie Lacey’s cyber investigation...

Healthcare Pages Intercepted and Posted Online
Dec30

Providence Health & Services, a not-for-profit health system operating in Alaska, California, Montana, Oregon, and Washington, has discovered its paging system has been breached by an unauthorized individual. Pages were intercepted and posted online exposing a limited amount of patients’ protected health information. The individual responsible for the pager attack posted pager transmissions that included patients’ names, room...

Regular PHI Access Log Audits Can Prevent Major PHI Breaches
Dec30

Infirmary Health has announced that an employee has been fired after being discovered to have accessed the health records of approximately 1,000 patients without authorization. The individual was required to access patients’ protected health information (PHI) for legitimate work reasons, yet data access rights were abused. The employee worked in the Atmore Community Hospital: a 49-bed facility serving patients in Escambia and Monroe...

Ransomware Encrypts Health Data for Three Months; PHI Still Inaccessible
Dec29

Casa Grande, AZ-based Desert Care Family and Sports Medicine has alerted 500 patients to a potential breach of their protected health information (PHI) as a result of a ransomware infection. The ransomware was installed on a server used to store PHI in August this year; however, despite attempts to unlock the encryption, patient data have still not been decrypted and have remained inaccessible for more than three months. The...

Patient Posts PHI of New Hampshire State Psychiatric Hospital Patients Online
Dec28

New Hampshire Department of Health and Human Services has alerted approximately 15,000 patients to a breach of some of their personal and highly sensitive information. Patient data were accessed by a former patient in October 2015 and were posted on a social media website. The data accessed and posted online by the former patient included names and addresses along with Medicaid ID numbers and Social Security numbers. The patient...

UCLA Medical Center Investigates Potential Breach of Kanye West’s Medical Records
Dec26

UCLA Health Medical Center in Los Angeles is conducting an internal investigation into a potential HIPAA breach that occurred around Thanksgiving weekend. On November 21, 2016, Kanye West checked in to the hospital and stayed for 8 days. During his stay at the hospital, a number of nurses and other medical staff allegedly accessed his medical records without authorization. It would appear that the employees could not resist the...

Increase in Ransomware and Cyberattacks Linked to Fall in Price of Health Data
Dec23

The value of health records on the black market dropped substantially in 2016. A set of health records is now reportedly attracting a price of between $1.50 and $10, according to a recent report from TrapX. Back in 2012, the value of a complete set of health records was around $50 to $60. The fall in price is easy to explain. Last year saw more than 113 million healthcare records breached, according to figures from the Department of...

Fairbanks Hospital Alerts Patients to Potential 3-Year Internal HIPAA Breach
Dec22

Fairbanks Hospital in Indianapolis, IN, has discovered that the electronic health information of its patients could have been accessed by all of its employees for a period of at least three years. Protections had been put in place to prevent unauthorized accessing of electronic health records by staff members, but on October 18, 2016, the hospital became aware that some files had been stored on an internal network that lacked those...

Website Glitch Exposes Personal Information of KP Members
Dec22

Kaiser Permanente is alerting certain members to the potential disclosure of a limited amount of their personal information to other KP members after a glitch was discovered in the company’s online ‘Estimates’ tool. On November 16, 2016, Kaiser Permanente updated the Estimates tool on the kp.org website; however, an error occurred during the update that potentially resulted in members’ name, address, age, copay information, deductible...

Community Health Plan of Washington Announces 400,000-Record Data Breach
Dec21

An unplugged security vulnerability at a business associate of Community Health Plan of Washington has resulted in the exposure of the protected health information (PHI) of almost 400,000 plan members. Community Health Plan of Washington is now in the process of notifying all affected members that highly sensitive information including names, addresses, dates of birth, Social Security numbers, and health insurance information have...

Identity Thief Sentenced to 4 Years for Selling Stolen Rotech Healthcare Data
Dec19

A Florida man has been sentenced to serve four years in federal jail for selling medical records obtained from the medical device firm, Rotech Healthcare. Vickie Lorenzo Bryant, 39, from Plant City, FL made contact with a government informant in May 2016 and offered to sell personally identifiable information of 957 individuals who had received medical devices from Rotech Healthcare. This was not the first time Bryant had attempted to...

Oak Cliff Orthopaedic Associates Alerts Patients to Potential PHI Breach
Dec19

More than 1,000 current and former patients of Oak Cliff Orthopaedic Associates have been notified that unauthorized individuals may have viewed some of their protected health information. Boxes of paper business records and other items were stolen from an off-site storage facility used by the Dallas orthopedic firm. It is currently unclear when the theft occurred and how long the thieves had access to the information, although the...

November 2016 Worst Month for Healthcare Data Breaches: 57 Incidents Reported
Dec16

Many people will be glad to see the back of 2016. It has been a difficult year, especially for healthcare organizations. Ransomware attacks have increased, hacking incidents are up, and more data breaches have been reported this year than in any other year since records started to be kept by the Department of Health and Human Services’ Office for Civil Rights (OCR). The year is certainly not ending well. November saw the highest...

Princeton Medicine Ransomware Attack Reported
Dec14

Princeton Medicine physician Dr. Melissa D. Selke has alerted 4,200 patients to a potential breach of their electronic protected health information. An unauthorized individual gained access to a server containing ePHI and on October 6, 2016, ransomware was installed. The ransomware encrypted a range of files on the server including an information system containing patients’ names, phone numbers, addresses, Social Security numbers,...

Quest Diagnostics Announces 34,000-Record ePHI Breach
Dec13

Madison, New Jersey-based clinical laboratory service provider Quest Diagnostics is alerting 34,000 patients that some of their electronic protected health information (ePHI) has been stolen. Quest Diagnostics is a business associate of many healthcare providers across the United States. Consequently, patients across the United States have been impacted by the breach. On November 26, 2016, an unknown individual gained access to the...
