Former Employee Accused of Stealing PHI of up to 160,000 Med Center Health Patients
Mar28

The Kentucky-based 6-hospital health system Med Center Health has reported a data breach affecting approximately 160,000 patients. Med Center Health believes a former employee may have stolen patients’ protected health information (PHI) prior to leaving employment. The former employee has been accused of stealing PHI including names, addresses, health insurance information, Social Security numbers, procedure codes and billing...

Flowers Hospital Data Breach Lawsuit Awarded Class-Action Status
Mar24

A lawsuit filed by five plaintiffs following a breach of protected health information at Flowers Hospital in 2013 has finally been awarded class-action status. The lawsuit was filed against Triad of Alabama, the parent company of Flowers Hospital, in 2014. Triad of Alabama submitted motions to dismiss the lawsuit in 2014 and 2015, but the lawsuit survived. In contrast to many healthcare data breach lawsuits that are filed following...

Urology Austin Ransomware Attack Announced
Mar23

Urology Austin has started notifying 279,663 patients that some of their protected health information may have been impacted in a recent ransomware attack. Potentially, the attackers gained access to names, addresses, dates of birth, medical information and the Social Security numbers of patients. The attack occurred on January 22, 2017, although rapid detection of the incident limited the damage caused. Within minutes of the attack,...

UNC Health Care Reports Exposure of 1300 Prenatal Patients’ PHI
Mar21

Prenatal patients who visited certain obstetric clinics operated by UNC Health Care are being notified that some of their protected health information has been disclosed to local health departments by mistake. Pregnancy Home Risk Screening Forms of Medicaid-eligible patients are sent to local health departments to ensure those individuals are connected with appropriate support services. However, UNC Health Care has discovered that in...

Snapshot of Healthcare Data Breaches in February 2017
Mar21

The Protenus Breach Barometer healthcare data breach report for February includes some good news. Healthcare data breaches have not risen month on month, with both January and February seeing 31 data breaches reported. The report offers some further good news. Healthcare hacking incidents fell in February, accounting for just 12% of the total number of breaches reported during the month. There was also a major fall in the number of...

Back Up Drive Stolen: PHI of 1,291 Patients Exposed
Mar20

The failure to encrypt backup data on a portable electronic device has resulted in the protected health information of 1,291 individuals being exposed. The device was stolen from Local 693 Plumbers, Pipefitters & HVACR Technicians, a member of the United Association of Journeyman and Apprentices of the Plumbing and Pipefitting Industry of the United States and Canada. The backup device was discovered to be missing on January 23,...

Almost 18,000 Metropolitan Urology Patients Impacted by Ransomware Attack
Mar17

Wauwatosa, WI-based Metropolitan Urology Group has recently discovered a ransomware attack that affected two computer servers and potentially resulted in the attackers gaining access to the protected health information of 17,634 patients. The ransomware attack occurred on November 28, 2016, although it was initially unclear whether access to patients’ PHI had been gained by the attackers. Metropolitan Urology Group contracted an...

Snooping St. Charles Health System Employee Accessed Almost 2,500 Patient Records
Mar17

The four-hospital St. Charles Health System in central Oregon has discovered an employee accessed the medical records of almost 2,500 patients without authorization over a period of 27 months from October 2014 to January 2017. On January 16, 2017, the unnamed caregiver was discovered to have improperly accessed the medical records of a single patient, prompting a review of her ePHI access logs. That investigation revealed that this...

Zest Dental Solutions Alerts Customers to Payment Card Information Breach
Mar16

Carlsbad, CA-based Zest Dental Solutions has discovered an unauthorized individual has gained access to its e-commerce system and potentially stolen the credit card details of some of its customers. A number of customers reported receiving unusual emails containing information related to past Zest Dental Solutions purchases. The complaints prompted an investigation and an external cybersecurity firm was brought in to conduct a thorough...

Lack of Email Encryption Exposes PHI of 644 Raising St. Louis Participants
Mar14

644 participants of the Raising St. Louis program run by BJC HealthCare have been notified that some of their personally identifiable information has been exposed after it was discovered that protocols for sending sensitive information securely had not been followed. No Social Security numbers, financial information, or test results/treatment data were communicated via unencrypted email, although names, addresses, telephone numbers,...

Unencrypted Backup Drive Containing 7 Years of PHI Stolen from Denton Heart Group
Mar14

The danger of storing unencrypted protected health information has been highlighted by a recent security incident reported by Texas-based Denton Heart Group – A member of the Health Texas Provider Network. A hard drive containing 7 years of EHR backup data was recently discovered to have been stolen. While the device was stored in a locked closet, the data on the device were not encrypted. The breach report submitted to the Department...

Server Compromise at Tarleton Medical: PHI Potentially Accessed
Mar14

Hacking continues to be a leading cause of healthcare data breaches. There have been 55 data breaches reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) as of March 13, 2017, a quarter of which were attributed to hacking. While unauthorized access/disclosure is the leading cause of healthcare data breaches in 2017 with 44% of the total number of reported breaches, hacking incidents have exposed more...

Virginia Commonwealth University Health System Discovers 3-Year HIPAA Breach
Mar13

For the past three years, the electronic medical records of patients of Virginia Commonwealth University Health System have been inappropriately accessed by employees of physician groups. In total, around 2,700 individuals, many of whom were children, have had their medical records viewed and their privacy violated. VCU Health System provides access to patients’ medical records to community physician groups and contracted vendors....

Email Error Impacts 6,500 Saliba’s Extended Care Pharmacy Patients
Mar10

Saliba’s Extended Care Pharmacy in Phoenix, Arizona is alerting more than 6,500 patients to an accidental disclosure of some of their protected health information (PHI). Copies of invoices for December 2016 were sent via Saliba’s Pharmacy’s encrypted email platform to the wrong patients in January. While there is no chance that the emails could have been intercepted by unauthorized individuals, the emails were opened by three patients...

Sharp Healthcare Says Stolen Devices Contained PHI of Patients
Mar06

A computer and an external storage drive have been discovered to have been stolen from San Diego-based healthcare provider Sharp Healthcare. The devices were taken from a locked cabinet in an access-controlled patient treatment area of the Sharp Memorial Outpatient Pavilion in Kearny Mesa in San Diego, CA. It is not known when the devices were taken, although they were discovered to be missing on February 6, 2017. The devices were...

Improper Disposal of PHI Discovered by Minneapolis Heart Institute
Mar06

A member of a cleaning crew at the Minneapolis Heart Institute at Abbott Northwestern Hospital accidentally disposed of documents containing PHI with regular trash. Minneapolis Heart Institute has policies and procedures in place that require all documents containing sensitive patient health information to be securely destroyed in accordance with HIPAA Rules. However, a member of the cleaning team was discovered to have emptied a...

Healthcare Employee Accessed ePHI Without Authorization for 5 Years
Mar06

Healthcare professionals must have access to the protected health information of patients in order to provide medical care and perform healthcare operations. Since access to data can be abused by rogue employees, it is essential that controls are put in place to alert healthcare organizations rapidly when improper access occurs. Rapid identification of improper access can greatly reduce the harm caused. In many cases, improper access...

Vendor Configuration Error Results in Exposure of 14,000 Individuals’ ePHI
Mar06

A major breach of electronic protected health information has been discovered by Universal Care, dba, Brand New Day – A Medicare approved health plan. On December 28, 2016, Brand New Day became aware that an unauthorized individual had gained access to ePHI provided to one of its HIPAA business associates. Access to ePHI was gained via a third-party vendor system used by Brand New Day’s contracting provider six days previously on...

North Carolina Department of Health and Human Services Email Breach Impacts 12,700
Feb28

The North Carolina Department of Health and Human Services has announced that the names, addresses, and Medicaid numbers of 12,731 patients were exposed as a result of an email error. The data were sent via email to adult care homes last year, but the emails were not encrypted. Potentially, the emails could have been intercepted and the data obtained by individuals unauthorized to view the information. The emails were sent on November...

Vanderbilt University Medical Center Employees Inappropriately Accessed 3,000 Patients’ PHI
Feb27

Two employees of Vanderbilt University Medical Center have been discovered to have inappropriately accessed the medical records of more than 3,000 patients. The inappropriate ePHI access was discovered during a routine audit of access logs: A requirement of the Health Insurance Portability and Accountability Act (HIPAA). While the HIPAA Security Rule requires audit logs to be regularly reviewed by HIPAA-covered entities, in this case...

Berkeley Medical Center Employee Inappropriately Accessed 7,445 Patients’ Records
Feb27

A Berkeley Medical Center employee has been discovered to have inappropriately accessed the electronic protected health information of more than 7,400 patients over a period of 10 months. WVU Medicine University Healthcare discovered the inappropriate accessing of ePHI by an employee of the Berkeley Medical Center on January 17, 2017 after being alerted to potential data theft by law enforcement. A joint investigation into the...

Theft, Hacking, Ransomware and Improper Accessing of ePHI – Attacks Coming from All Angles
Feb23

Theft, hacking, ransomware, and improper ePHI access by employees – The past few days have seen a diverse range of healthcare data breaches reported. St. Joseph’s Hospital and Medical Center in Arizona, Family Service Rochester of Minnesota, and the University of North Carolina have all reported potential breaches of patients’ ePHI, while Lexington Medical Center in South Carolina has announced that the sensitive data of its employees...

Horizon BCBS of New Jersey Pays $1.1 Million for HIPAA Violation
Feb21

The New Jersey Division of Consumer Affairs recently announced that Horizon Blue Cross Blue Shield of New Jersey (Horizon BCBSNJ) has agreed to pay a $1.1 million fine for failing to protect the electronic protected health information of almost 690,000 plan members. The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to implement administrative, technical and physical safeguards to protect the ePHI...

Three Breaches of Physical Medical Records Impact at Least 4,100 Individuals
Feb20

Three healthcare organizations have recently reported security breaches involving the theft/exposure of physical protected health information. While it is currently unclear exactly how many healthcare patients have been impacted, at least 4,100 individuals are known to have been affected. According to police reports, the total could be as high as 8,000 individuals. The largest confirmed breach has impacted 2,953 employees and...

Faxing Error Sees PHI Sent to Local Media Outlet
Feb16

Seven doctors’ offices in the Fort Worth area of Texas accidentally faxed patients’ protected health information to the wrong fax number. The faxes contained a range of highly sensitive patient information including names, dates of birth, Social Security numbers, medical histories and much more. While such a mistake could potentially see patients’ health information fall into the hands of criminals, in this case the errors saw the...

South Fulton Mental Health Center Discovers Dumped Medical Records
Feb15

Late last week, South Fulton Mental Health Center in Georgia discovered highly sensitive patient health records had been improperly disposed of in a dumpster that was accessible by the public. A statement released by the clinic shortly after the records were discovered confirmed that an investigation had been launched into the HIPAA breach. “A preliminary review suggests that a staff member did not secure the files properly” during...

Covered Entities Flirting with Fines for Late Data Breach Reports
Feb14

Last month, the Department of Health and Human Services’ Office for Civil Rights sent a message to covered entities regarding the late reporting of data breaches with the announcement of a settlement with Chicago-based healthcare network Presence Health. The settlement was the first reached with a covered entity purely to resolve HIPAA Breach Notification Rule violations. Presence Health had delayed the issuing of breach notification...

Summary of January 2017 Healthcare Data Breaches Released
Feb14

Protenus, in conjunction with databreaches.net, has released a summary of January 2017 healthcare data breaches. The report shows that 2017 started where 2016 left off, with similarly high numbers of healthcare data breaches reported. January 2016 saw the lowest number of data breaches of any month in 2016 (21) and also the lowest number of records exposed of any month in the year (104,056 records). 2017 did not start nearly as well....

Automatic Email Forwarding Rule Sent 1,700 Patients’ PHI to Employee’s Personal Account
Feb09

Health Department officials in Multnomah County, OR, have discovered that an employee set up an automatic mail forwarder on an email account that sent all email correspondence to a personal Google email account for a period of around three months. The emails were forwarded to an account outside the control of Multnomah County, in violation of the Health Insurance Portability and Accountability Act. Since the employee works in the...

Singh and Arora Oncology Hematology Breach Notifications Sent After 5 Months
Feb09

A Singh and Arora Oncology Hematology breach is finally being communicated to individuals who had their electronic protected health information exposed, although it has taken 5 months for those letters to be sent. The Health Insurance Portability and Accountability Act’s (HIPAA) Breach Notification Rule requires covered entities – healthcare providers, health plans, healthcare clearinghouses, and business associates of covered...
