Medical Records Used for Telephone Phishing Scam in Chicago
Cybercriminals are breaking into healthcare IT systems and stealing equipment to gain access to highly valuable Protected Health Information (PHI). With this data criminals can make bogus insurance claims, apply for credit, and obtain medical prescriptions and services. This is not the only way that data is obtained to commit fraud. In Chicago this week, a new telephone phishing scam has been uncovered. As with spear phishing, the perpetrators can be very convincing. With a limited amount of personal information about a person, they are able to obtain much more valuable data, provided they can convince the potential victim to divulge it. The latest scam appears to involve a HIPAA breach, as the criminals have highly intimate knowledge of the victims and information that could only be found in health records. With the latest scam, two patients who have reported being called claim the callers had information that only a hospital or their doctor would know. Not all data breaches provide criminals will a full set of data with which they can use to commit any number of crimes. Sometimes...
Department of Veteran Affairs Reports 158% Hike in Data Breaches
The Department of Veteran Affairs has issued its monthly data breach report to congress. Over the past few months the number of breach victims has been falling; however the latest figures show a marked increase in the number of data breach victims. There was also a noticeable decrease in the number of security incidents the DVA was able to prevent. In March, 383 veterans were reported to have been affected by data breaches. The number of breach victims reported for April was 987; a percentage increase of almost 158%. 738 of those incidents involved the exposure of Protected Health Information (PHI); almost 75%. What Caused the Increase in PHI Breaches in April? There was a slight increase in the number of mishandling incidents in April, but the biggest cause of the increase, by far, were mis-mailing incidents, which rose by 19 percent. Errors made by pharmacies increased substantially, although there was a slight drop in lost/stolen devices and PIV cards. Information Security – Monthly Activity Report – April 2015 Lost and stolen device incidents: 47 Lost PIV...
65 Boxes of Improperly Dumped Medical Records Discovered
A resident of Madison County, Richmond, Ky. recently discovered a dumpster full of medical records, with the boxes of paper files understood to contain highly sensitive Protected Health Information (PHI) covered under the Health Insurance Portability and Accountability Act (HIPAA). According to a news report on WTVQ, Carl Swanger discovered the files on Saturday, May 31. After a quick inspection he “immediately he knew something wasn’t right,” and took the boxes to Baptist Health as he thought there must have been an error made. However the records did not belong to the healthcare provider, instead, they were from a company called Richmond Radiology which closed for business many years previously. The dumpster was located in AAA Rent-A-Space in Richmond and contained 65 boxes of medical records. The files had been cleared out of the storage facility by the manager as he needed the space for a new customer. The manager was unaware of the contents of the boxes and an employee was told to clear out the storage unit. According to the manager of the facility, that employee can’t have...
Alaskan Drug Kingpin and Aide Jailed for HIPAA Violations
The land of the midnight sun may not be a hot spot of HIPAA violations, although one incident has recently made the news. The story involves an Anchorage drug kingpin, two hospitalized victims, a financial counselor, and the first felony convictions for HIPAA violations in Alaska. HIPAA Rules Regarding Accessing PHI The Health Insurance Portability and Accountability Act introduced a number of changes to protect the privacy of patients, and the legislation has gone a long way toward ensuring that Protected Health Information (PHI) remains private and confidential. Access to patient health information is restricted to a need-to-know basis. Information can only be accessed for the treatment and care of the patient, or for billing and other essential administrative purposes. Medical professionals cannot simply look at the medical records of any patient. There must be a justifiable reason for doing so. Friend of Anchorage Drug Kingpin Violates HIPAA Rules Anchorage resident, Stacy Laulu, 33, was arrested, charged, and convicted of two violations of the Health Insurance Portability and...
U.S HealthWorks HIPAA Breach Raises Issue of Data Encryption
U.S. HealthWorks, a healthcare provider based in Valencia, California, has reported a breach of PHI and PII after an unencrypted laptop computer was stolen from the vehicle of a company employee. Theft of Laptop Computer from Unattended Vehicle The incident occurred on April 21, 2015, and was discovered by the healthcare provider the following day. The sample breach notification letter – posted on the State of California DoJ Attorney General’s website – explains that a company employee had taken a laptop computer and left it in a vehicle from where it was stolen. Upon discovering the theft, the incident was reported to law enforcement officers, and an investigation was commenced. U.S HealthWorks started an internal investigation to determine the exact nature of the data stored on the laptop; a process which has taken some time to complete. According to the breach notification letter – dated May 30, 2015 – it took until May 5, 2015, to determine that the laptop computer was password protected but lacked data encryption software. The healthcare provider was able to determine that...



