Memorial Hermann Health System Announces 10K-Record HIPAA Breach
The Memorial Hermann Health System (MHHS) has discovered that a worker accessed the Protected Health Information of over 10,000 patients while employed at the hospital, with the HIPAA violations dating back some six and a half years. The offenses took place between December 2007 and July 2014, and during that time 10,604 patient records are understood to have been accessed. The information viewed by the unnamed employee included medical records and insurance details, medical record numbers, personally identifiable information including, dates of birth, names and addresses as well as some Social Security numbers. It is not clear why the employee accessed the information, but a spokesperson from the health system said there was “no indication it involved fraudulent purposes.” MHHS discovered the unauthorized access on July 7, 2014 and immediately blocked the employee’s access to patient records while an investigation was conducted. Outside experts in computer forensics were employed to determine which records had been accessed and the extent of the HIPAA violation. Breach...
Ohio Patients Suffer First Hacking-Related Data Breach
Members of the Huntington Bancshares’ wellness program in Ohio have been notified of a data breach in which their healthcare information was potentially compromised. Close to 4,500 state residents have been affected. This is the first large scale data breach to affect Ohio residents. The data breach did not occur at Huntington Bancshares, but was part of a data breach affecting a Business Associate (BA) of StayWell Health Management LLC, Onsite Health Diagnostics. The data breach exposed 60,652 records in total, with hacker’s first gaining access to the database on January 4 of this year. The data breach was discovered on March 25, although a breach notice was delayed and has only just been released. Hackers were able to gain access to a scheduling database of Onsite Health Diagnostics. The information was being used for health screening purposes. The data exposed was limited to Personally Identifiable Information (PII). No health, insurance or financial data was exposed, and neither were Social Security numbers. Patient names, addresses, dates of birth, gender, email addresses and...
Iron Mountain X-Ray Theft Causes HIPAA Breach
The Orthopaedic Specialty Institute Medical Group has recently reported that one of its Business Associates advised it of a theft from its facilities in the Inland Empire in which thieves managed to obtain 742 boxes of X-ray prints of its patients. The x-rays were being stored by Iron Mountain Record Management and were from old patient files from 10-15 years previously. The medical data exposed is confined to any information shown in the x-ray such as the body part and medical issue. Patient names, dates of birth and medical record numbers were also printed on the x-ray jackets, although there was no financial information or Social Security numbers present. Under HIPAA Privacy and Security Rules, a data breach involving Protected Health Information along with personal identifiers that can tie that information to a particular patient must be reported to the Department of Health and Human Services’ Office for Civil Rights. The organization affected must also send out breach notification letters to any individual whose information was exposed in the incident if they perceive there to...
Cloud Service Providers Must Comply with HIPAA Regulations
The growing data storage demands placed on healthcare organizations require frequent hardware updates and increasing amounts of space dedicated to servers and IT staff must be employed to manage hardware, update software and maintain networks. Many healthcare companies lack the space or resources to securely store data and outsource their data storage to cloud service providers. The recently introduced HIPAA Omnibus Rule – often referred to as the Megarule due to its extensive changes to existing legislation – updates the Health Insurance Portability and Accountability Act (1996) expanding its reach to include business associates of healthcare companies and their subcontractors. In order to do business in the healthcare sector, IT and data storage companies must now comply with HIPAA regulations and sign a business agreement with the healthcare provide for whom they are providing the service. In the case of cloud hosting companies it is clear that HIPAA regulations apply as the companies are required to store Protected Health Information, even if the data is not actually viewed....
Community Health Systems Cyber Attack Puts 4.5M Patients at Risk
Community Health Systems (CHS) has announced that it’s computer network has been infiltrated by hackers who have stolen the protected health information of 4.5 million of its patients. The data accessed includes identifying information such as names, Social Security numbers and contact telephone numbers. The data affects patients who were referred for treatment to doctors affiliated with the hospital in addition to those who were treated by CHS over the previous five years. CHS operates 206 hospitals across the United States with medical facilities in 29 states. CHS made a filing with the Securities and Exchange Commission on August 18, 2014 describing the targeted attack as being of a “highly sophisticated” nature and believed hackers accessed PHI on two occasions in April and June of this year; however the intrusion was not detected until July. CHS has now determined that the attack originated in China with a group of hackers gaining access to the CHS network. Theft of data is a serious crime and CHS is working with law enforcement agencies in an attempt to identify and...



