Mailing Error Exposes PHI of PHP Health Plan Subscribers
Physicians Health Plan of Northern Indiana has alerted some of its Indigo members about a breach of a limited amount of their Protected Health Information (PHI) after an error was made mailing their billing statements. The breach involved multiple billing statements being sent on December 8, 2015, some of which were intended for other health plan subscribers. The mistake has been attributed to human error. Only members of the Indigo individual health plans who had purchased off-Marketplace coverage and had elected to receive billing statements in the mail were affected. According to the breach notice submitted to the Department of Health and Human Services’ Office for Civil Rights, 1,708 health plan members were affected, which is fewer than 5% of its subscribers. The PHI printed on the paper billing statements included subscribers’ names, addresses, monthly premium amounts, and PHP identification numbers. No other data were printed on the statements. Out of an abundance of caution, Physicians Health Plan of Northern Indiana has sent breach notification letters to all patients...
Allina Health System Alerts 6,000 About Improper PHI Disposal
The Minneapolis Isles clinic run by Allina Health System has notified approximately 6,000 patients of a breach of their Protected Health Information (PHI). The clinic, located at 2800 Hennepin Avenue, discovered that instances of improper PHI disposal had occurred after documents containing sensitive information were found in regular trash. HIPAA rules require all documents containing PHI to be rendered unreadable, indecipherable, and incapable of being reconstructed prior to disposal. The HIPAA breach is not understood to have resulted in any patient health information being viewed by unauthorized individuals, although the clinic is unable to guarantee that to be the case. According to a statement released by Allina spokesman David Kanihan, the incident is considered only to be a “technical breach of unsecured protected health information.” Because a risk does exist, out of an abundance of caution, Allina Health System will be offering all affected patients a year of credit monitoring services without charge. The data potentially exposed include names of patients, their mailing...
Study Shows Value of Phishing Simulation Exercises
A recent report indicates the probability of members of staff responding to a phishing campaign can be effectively reduced to zero if phishing simulation exercises are completed regularly.
The Growing Threat of Healthcare Phishing Attacks
The Office for Civil Rights recently issued its first financial penalty to an organization that suffered a data breach after its employees responded to a phishing campaign. The case resulted in University of Washington Medicine agreeing to a $750,000 fine to settle potential HIPAA violations. UWM had already had to cover significant data breach resolution costs after suffering a 90,000-record breach. The fine and data breach costs could potentially have been avoided if staff members had been trained how to identify phishing emails. The healthcare industry is now being targeted by cybercriminals, and phishing is the most commonly used method of gaining access to patient data. Even when multi-million-dollar security defenses are employed to keep networks secure, a single response to a phishing email can be all it takes to compromise the records of...
HealthSouth Rehabilitation Hospital Announces 1,359-Record Data Breach
Only a few hours after the announcement of the theft of an unencrypted laptop computer from the vehicle of an employee of the New Mexico Department of Health comes news of another. The latest laptop theft affects 1,359 patients of the HealthSouth Rehabilitation Hospital in Round Rock, TX. An employee of the hospital left an unencrypted laptop computer in the trunk of a vehicle, from which it was stolen. As with the NM Department of Health laptop theft, the incident occurred in October. Covered entities have up to two months to issue breach notification letters to patients and the Department of Health and Human Services’ Office for Civil Rights. The notification letters were sent on Tuesday, December 22, and OCR has now been notified. The theft was discovered by HealthSouth on October 26, 2015, five days after the theft actually took place. Once the theft was discovered, the incident was reported to Austin law enforcement. It is not clear why it took five days for hospital staff and law enforcement officers to be notified. The laptop computer has not subsequently been recovered. The...
Pittsburgh Woman Arrested for $600K Medical Insurance Fraud
A counselor from the Pittsburgh area has been arrested on suspicion of fraudulently billing over $600,000 for counseling services that were never provided to patients. The investigation was launched after a tip-off was received by the Pennsylvania Office of Attorney General’s Insurance Fraud Division from Highmark Blue Cross Blue Shield. Highmark claimed that Lisa A. Wally, 33, also known as Lisa A. Smith Wally, from McKeesport, PA, had inflated billings for services she provided to her clients, and billed the insurer for services that were never actually provided. Office of Attorney General investigators discovered Wally had billed for 9,746 office visits for 22 patients between 2011 and 2015. However, investigators only found evidence that 1,987 visits had occurred. In total, Wally had received $601,280 in payments for services that were allegedly provided at her offices in Uniontown, Fayette County, but no evidence could be produced to prove that those sessions had ever taken place. Wally was unable to produce any evidence that the sessions occurred as no patient records were kept...



