Investigation Launched into Main Life Health Spear Phishing Attack
Main Line Health has fallen victim to a spear phishing attack that has resulted in the data of employees being sent to a scammer. This is the fourth such case discovered in the past two weeks that has resulted in a breach of employee data. The spear phishing attack was discovered on Tuesday this week, although the spear phishing email was sent to a Main Line Health employee on February 16, 2016. The employee responded to the email request for data in the belief that the email was genuine. The incident went unnoticed until Main Line was made aware of the spate of recent healthcare phishing attacks when an alert was issued by the IRS. The attack prompted Main Line to conduct a review of internal policies and procedures to reduce the risk of future spear phishing attacks being successful, and the company will be enhancing its security procedures. All affected employees have been advised of the exposure of their data and are being offered credit monitoring and identity theft protection services to protect against fraud. Main Line Health CEO, Jack Lynch, issued a warning about the spear...
FHN Memorial Hospital Announces Hard Drive Theft and PHI Exposure
FHN Memorial Hospital in Freeport, IL., has announced that a computer hard drive was stolen from the hospital in December, 2015. Spreadsheets and internal reports were stored on the drive which contained the protected health information of many of its patients. No medical records were stored on the drive although a considerable amount of PHI was detailed in the reports and spreadsheets. Those data include patients’ name, address, telephone number, ethnicity, date of birth, medical record number, patient encounter number, patient ID number, dates of service, medical diagnoses, details of procedures and examinations performed at the hospital, prescription information, referring physician name, insurance details, and discharge date. Patients are in the process of being notified of the exposure of their PHI and are being advised of the procedures they can follow to reduce the risk of harm or loss as a result of the data exposure. It is not clear at this stage how many patients have been affected or if credit monitoring and identity theft protection services are to be offered to...
Cost of the Excellus BlueCross BlueShield Data Breach Reaches $17.3M
The cost of the Excellus BlueCross BlueShield data breach has reached $17.3 million, according to its latest financial filings. The Rochester-based health insurer suffered the third largest healthcare data breach of last year; more than twice the size of the largest reported healthcare data before the Anthem cyberattack was discovered. More than 10 million plan member and vendor records were exposed in the cyberattack discovered on September 9, 2015. The bulk of the initial cost has gone on providing all affected members with credit monitoring and protection services. That cost the insurer $13.5 million in the final quarter of 2015. All affected individuals were offered two years of complimentary credit monitoring and identity theft protection services following the exposure of their PHI. The data breach exposed highly sensitive data including Social Security numbers, medical data, and financial information. It has now been over 5 months since the discovery of the cyberattack, although Excellus has yet to uncover any evidence to suggest that the hackers responsible for the attack...
Deven McGraw Gives Update on OCR HIPAA Compliance Audits
Office for Civil Rights deputy director of health information privacy, Deven McGraw, has provided an update on the OCR’s planned HIPAA compliance audits, saying the revised protocol for the long awaited second round of compliance audits will be published next month. Late last year, OCR Director Jocelyn Samuels announced that the next round of audits would be taking place in early 2016. With the announcement of the planned publishing of the audit protocol in April, the next round of audits could start in Q2, although this seems unlikely. Once the audit protocol has been published there will be a period allowed for public comments. Those comments will need to be assessed, and may require changes to be made to the audit protocol. According to McGraw, the new protocol will be based on that used for the 2011/2012 round of audits, with amendments made to account for the changes to HIPAA following the introduction of the Omnibus Rule in 2013. Previously, OCR indicated the next round of compliance audits would be conducted in modules. A module would be developed to assess Privacy Rule...
OCR Clarifies Patients’ Access Rights to PHI and Allowable Charges
The Health Insurance Portability and Accountability Act’s Privacy Rule gives healthcare patients the right to obtain a copy of their personal health information from their healthcare providers. (45 CFR § 164.524) While HIPAA-covered entities should be aware of this aspect of the Privacy Rule, many patients have experienced difficulty obtaining a copy of their records. In some cases, patients have obtained a copy of their records but felt that they have not been provided with all information contained in their records. Some feel they have been unfairly charged for exercising their access rights. To address these and other issues, the Department of Health and Human Services’ Office for Civil Rights produced a fact sheet in January to clarify the responsibilities of HIPAA-covered entities to comply with this aspect of the Privacy Rule. The new guidance explained the general right of patients to obtain a copy of their health records, to inspect their records, or have a copy of those records sent to a nominated individual of their choosing. Provided that the healthcare provider...



