Data Breach Discovered by the Eye Institute of Corpus Christi
The Eye Institute of Corpus Christi, a full-service eye care, diagnosis, and treatment clinic in Texas, has discovered that individuals gained access to the records of all of its patients, downloaded their protected health information from the EHR, copied those data, and provided them to two physicians formerly employed by the eye clinic. The disclosed data include the names of patients, their addresses, contact telephone numbers, Social Security numbers, dates of birth, medical diagnoses, details of treatment, and health insurance details. The Eye Institute became aware of the patient privacy breach on January 6, 2016, and has since discovered that data provided to the physicians have been used to contact patients in an attempt to solicit business. The physicians in question had been employed at The Eye Institute of Corpus Christi until recently. The Eye Institute of Corpus Christi has been in touch with the physicians concerned and has instructed them to return the stolen data. It is not clear from the breach report whether the data have been returned and are now secured. While...
Investigation Launched into Main Line Health Spear Phishing Attack
Main Line Health has fallen victim to a spear phishing attack that has resulted in the data of employees being sent to a scammer. This is the fourth such case discovered in the past two weeks that has resulted in a breach of employee data. The spear phishing attack was discovered on Tuesday this week, although the spear phishing email was sent to a Main Line Health employee on February 16, 2016. The employee responded to the email request for data in the belief that the email was genuine. The incident went unnoticed until Main Line was made aware of the spate of recent healthcare phishing attacks when an alert was issued by the IRS. The attack prompted Main Line to conduct a review of internal policies and procedures to reduce the risk of future spear phishing attacks being successful, and the company will be enhancing its security procedures. All affected employees have been advised of the exposure of their data and are being offered credit monitoring and identity theft protection services to protect against fraud. Main Line Health CEO, Jack Lynch, issued a warning about the spear...
FHN Memorial Hospital Announces Hard Drive Theft and PHI Exposure
FHN Memorial Hospital in Freeport, IL, has announced that a computer hard drive was stolen from the hospital in December 2015. Spreadsheets and internal reports containing the protected health information of many of its patients were stored on the drive. No medical records were stored on the drive, although a considerable amount of PHI was detailed in the reports and spreadsheets. Those data include patients’ name, address, telephone number, ethnicity, date of birth, medical record number, patient encounter number, patient ID number, dates of service, medical diagnoses, details of procedures and examinations performed at the hospital, prescription information, referring physician name, insurance details, and discharge date. Patients are in the process of being notified of the exposure of their PHI and are being advised of the procedures they can follow to reduce the risk of harm or loss as a result of the data exposure. It is not clear at this stage how many patients have been affected or if credit monitoring and identity theft protection services are to be offered to...
Cost of the Excellus BlueCross BlueShield Data Breach Reaches $17.3M
The cost of the Excellus BlueCross BlueShield data breach has reached $17.3 million, according to its latest financial filings. The Rochester-based health insurer suffered the third largest healthcare data breach of last year, more than twice the size of the largest reported healthcare data breach before the Anthem cyberattack was discovered. More than 10 million plan member and vendor records were exposed in the cyberattack discovered on September 9, 2015. The bulk of the initial cost has gone on providing all affected members with credit monitoring and protection services. That cost the insurer $13.5 million in the final quarter of 2015. All affected individuals were offered two years of complimentary credit monitoring and identity theft protection services following the exposure of their PHI. The data breach exposed highly sensitive data including Social Security numbers, medical data, and financial information. It has now been over 5 months since the discovery of the cyberattack, although Excellus has yet to uncover any evidence to suggest that the hackers responsible for the attack...
Deven McGraw Gives Update on OCR HIPAA Compliance Audits
Office for Civil Rights deputy director of health information privacy, Deven McGraw, has provided an update on the OCR’s planned HIPAA compliance audits, saying the revised protocol for the long-awaited second round of compliance audits will be published next month. Late last year, OCR Director Jocelyn Samuels announced that the next round of audits would be taking place in early 2016. With the announcement of the planned publishing of the audit protocol in April, the next round of audits could start in Q2, although this seems unlikely. Once the audit protocol has been published, there will be a period allowed for public comments. Those comments will need to be assessed, and may require changes to be made to the audit protocol. According to McGraw, the new protocol will be based on that used for the 2011/2012 round of audits, with amendments made to account for the changes to HIPAA following the introduction of the Omnibus Rule in 2013. Previously, OCR indicated the next round of compliance audits would be conducted in modules. A module would be developed to assess Privacy Rule...



