Healthcare Email Phishing Scam Claims 946 Victims
Even robust data security controls can be easily undone, as discovered by Middlesex Hospital in Connecticut. An email phishing scam was sent to hospital employees and four members of staff responded. This potentially resulted in the perpetrator of the phishing scam being granted access to patient PHI via those email accounts. The security breach was discovered on October 9, 2015. An investigation into the incident revealed that 946 patients had been affected. No financial data or Social Security numbers were accessed as a result of the security breach, although it is possible that patient names, dates of birth, home addresses, medical record numbers, dates of service, prescription information, and medical diagnoses were accessed. According to a statement released by Middlesex Hospital, the data breach did not result in full access to patient medical records being obtained. All patients affected by the data breach have now been sent a breach notification letter advising them of the potential disclosure of their Protected Health Information, and all will be offered free credit...
UCHealth Employee Violates HIPAA Privacy Rule
The importance of conducting regular internal audits has been highlighted by University of Colorado Health (UCHealth). UCHealth regularly conducts audits of access logs to determine whether the Protected Health Information of patients is inappropriately accessed by members of staff. In its latest audit, UCHealth discovered this to be the case. An employee was discovered to have snooped on patient health records. Access logs showed the medical records of 827 patients had been inappropriately accessed since UCHealth conducted its last data access audit. The employee did not access Social Security numbers, financial or billing information, as those data were not viewable with the level of privileges the employee had been given. The privacy breach did result in patient names, phone numbers, addresses, dates of birth, health insurance information, and care/treatment plans being accessed. An investigation into the HIPAA privacy breach was conducted and the employee was questioned. It would appear that access to patient files had been gained purely out of curiosity, and not with any...
MaineGeneral Health Hacked
MaineGeneral Health has announced it has suffered a cyberattack that potentially affects patients of all of its subsidiaries, including MaineGeneral Community Care, MaineGeneral Medical Center, MaineGeneral Rehabilitation and Long Term Care & MaineGeneral Retirement Community. Patients who received radiology services from MaineGeneral Health after being referred by a specific physician have been affected. The name of that physician has not been disclosed, although a breach report submitted to OCR indicates 500 patients have been affected.
MaineGeneral Health Cyberattack Affects Patients, Employees, and Emergency Contacts
The data exposed in the security breach include dates of birth and emergency contact names, addresses, and telephone numbers. Certain employees have also been affected and have had their names, addresses, and telephone numbers exposed. According to a statement released by MaineHealth, some prospective donors have also been affected. At the present moment in time, the investigation into the security breach indicates that no further data have been exposed,...
NY Attorney General HIPAA Fine for URMC
An attorney general HIPAA fine of $15,000 has been issued to University of Rochester Medical Center for a breach of patient privacy that occurred in March 2015.
An OCR and Attorney General HIPAA Fine May Be Issued for a Breach of HIPAA Rules
It is not only the Office for Civil Rights that is permitted to issue financial penalties for violations of HIPAA Rules. State attorneys general can also enforce the HIPAA Privacy, Security, and Breach Notification Rules. State attorneys general were given the power to assist OCR with the enforcement of Health Insurance Portability and Accountability Act Rules following the introduction of the HITECH Act in 2009, although few state AGs have chosen to do so. Action is sometimes taken against healthcare organizations that have exposed the data of patients, but the decision is taken to prosecute under state consumer protection laws rather than HIPAA. The first attorney general HIPAA fine was issued by the Connecticut AG’s office on July 6, 2010. HealthNet Inc. was fined $250,000 for the loss of a hard drive containing the PHI of 1.5 million...
Another HIPAA Breach Courtesy of a Printing Error
Over the course of the last three months, HIPAA covered entities have reported 54 data breaches to the Office for Civil Rights. The majority of those data breaches can be attributed to human error. 15% of the breaches have resulted from errors made when printing and mailing letters to patients and health plan members. While these privacy breaches do not affect anywhere near as many patients/plan members as hacking incidents (which have resulted in 10,134,208 records being stolen since September 9, 2015), they still require a breach response and result in considerable costs to the covered entity. The breach victims can be adversely affected, and the incidents tarnish the organizations’ reputations. They are also some of the easiest data breaches to prevent. On Friday last week, another covered entity, BlueCross Blue Shield of Nebraska, reported that a printing error had been made during a patient mailing, and each month in its report to Congress, the Department of Veterans Affairs lists numerous examples of errors made when sending letters/prescription information to veterans. Efforts...