Close Call but VA Hospital Thwarts Attempted Cyberattack
A VA hospital has contained a cyberattack that could potentially have exposed the records of 100,000 patients and 5,000 hospital staff. The security breach is believed to have been caused by a member of the hospital staff responding to a phishing campaign. Trojan Virus Discovered on Computer Drive Shared by 4,000 Employees The James A. Haley VA Medical Center (JAHMC) had a particularly close call last week when a virus was discovered to have infected a number of the hospital’s files. Only the fast action of the hospital’s IT staff prevented the exposure of over 100,000 patient and employee records. The virus was discovered on a JAHMC computer drive used by 4,000 hospital employees. The Trojan is believed to have been installed as a result of a member of staff responding to a phishing campaign. Hackers send out emails containing links to malware and virus-infected websites, which if visited, download malicious software onto computers and shared drives. Emails containing virus-infected attachments are also sent to healthcare employees. Should those attachments be opened, viruses...
LSU Health Laptop Theft Exposes PHI of at Least 5,000 Minors
A laptop computer issued to Dr. Christopher Roth by the LSU Health New Orleans School of Medicine has been reported stolen, and along with it, the electronic Protected Health Information (PHI) of approximately 5,000 patients. The majority of patients affected by the breach were minors. The computer was left in a vehicle that was parked in front of the physician’s home on July 16. The theft was discovered the following morning and was immediately reported to law enforcement officers. Physician Breached Hospital Data Security Policies LSU Health New Orleans School of Medicine has data security policies in place which forbid staff from leaving electronic devices unattended. All members of staff were also instructed to take extra care of devices containing PHI. Dr. Roth therefore violated the School of Medicine’s data security policies by leaving the laptop computer in his vehicle, and will be disciplined by LSU Health for the infraction once the investigation is completed. That investigation has proved complicated, as patient data were stored on the laptop’s hard drive, not on...
Burglary of Vermont Medical Practice Reported: PHI of 2,000 Patients Exposed
The offices of Vermont-based physician, Max. M. Bayard, MD PC, have been burglarized and a number of electronic devices have been stolen, resulting in the Protected Health Information (PHI) of approximately 2,000 patients being exposed. According to a breach notice posted on the website of the Vermont Attorney General, the burglary occurred on August 5, 2015. By today’s standards, the data breach exposed a relatively small number of patient records; however the breach is particularly serious as patient names, dates of birth, Social Security numbers and Medicare/Medicaid numbers were stored on the computers. The exact information needed by identity thieves to commit fraud. Other data exposed varies from patient to patient, and includes health information such as medical diagnoses, treatment information, and treatment dates. Patients face a high risk of fraud and identity theft. To reduce the risk of harm and loss, all affected patients have been offered a year of free credit monitoring and identity theft repair services. Patients are also covered by a $1 million identity theft...
Sutter Health Discovers 2013 HIPAA Breach Affecting 2.5K Patients
Sutter Health, a Northern California not-for-profit health system, has recently discovered a HIPAA breach that occurred on April 26, 2013. A former employee of the healthcare provider was discovered to have emailed company billing documents to a personal email account, which was against company regulations and was in violation of the Health Insurance Portability and Accountability Act (HIPAA). Those documents contained the Protected Health Information (PHI) of 2,582 patients, the vast majority of whom had been patients of the Sacramento-based Sutter Medical Foundation. The ex-employee had previously worked for Sutter Physician Services, which provides billing services for the healthcare provider’s medical foundations. Sutter Health received a tip-off about inappropriate use of a company computer by the former employee, who had left the company in November 2014. An investigation was immediately launched to determine whether the complaint had any foundation and to determine whether HIPAA Rules had in fact been violated. Bill Gleeson, a spokesperson for Sutter Health, said that...
WEDI Issues New Resources to Assist with ICD-10 Transition
The Workgroup for Electronic Data Interchange (WEDI), the country’s leading authority on the use of IT in healthcare to improve health information exchange, has developed two new resources to assist organizations implementing the new ICD-10 codes required by the Health Insurance Portability and Accountability Act (HIPAA). The new resources, ICD-10 State Workers’ Compensation Readiness List and the List of State Medicaid Sites with ICD-10 Information, have been developed with the aim of “Ensuring that all entities are adopting and or are aligning with ICD-10”. The resources will “help further [the health] industry’s movement towards streamlining and automating end-to-end workflow processes.” The new ICD-10 codes must be adopted by HIPAA-covered entities under federal law, but the new codes do not need to be adopted by the workers’ compensation industry. The industry is now becoming more aligned with HIPAA Transaction and Code Set rules, but rather than being covered by a national mandate, the industry is instead subject to state laws. A number of states will be adopting ICD-10...



